malloc.c revision 0d53ab4024488d0c6cd283992be3fd4b67099bd3
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.deadcode.UnreachableCode,experimental.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2#include "system-header-simulator.h" 3 4void clang_analyzer_eval(int); 5 6typedef __typeof(sizeof(int)) size_t; 7void *malloc(size_t); 8void *valloc(size_t); 9void free(void *); 10void *realloc(void *ptr, size_t size); 11void *reallocf(void *ptr, size_t size); 12void *calloc(size_t nmemb, size_t size); 13char *strdup(const char *s); 14char *strndup(const char *s, size_t n); 15 16void myfoo(int *p); 17void myfooint(int p); 18char *fooRetPtr(); 19 20void f1() { 21 int *p = malloc(12); 22 return; // expected-warning{{Memory is never released; potential leak}} 23} 24 25void f2() { 26 int *p = malloc(12); 27 free(p); 28 free(p); // expected-warning{{Attempt to free released memory}} 29} 30 31void f2_realloc_0() { 32 int *p = malloc(12); 33 realloc(p,0); 34 realloc(p,0); // expected-warning{{Attempt to free released memory}} 35} 36 37void f2_realloc_1() { 38 int *p = malloc(12); 39 int *q = realloc(p,0); // no-warning 40} 41 42void reallocNotNullPtr(unsigned sizeIn) { 43 unsigned size = 12; 44 char *p = (char*)malloc(size); 45 if (p) { 46 char *q = (char*)realloc(p, sizeIn); 47 char x = *q; // expected-warning {{Memory is never released; potential leak}} 48 } 49} 50 51int *realloctest1() { 52 int *q = malloc(12); 53 q = realloc(q, 20); 54 return q; // no warning - returning the allocated value 55} 56 57// p should be freed if realloc fails. 58void reallocFails() { 59 char *p = malloc(12); 60 char *r = realloc(p, 12+1); 61 if (!r) { 62 free(p); 63 } else { 64 free(r); 65 } 66} 67 68void reallocSizeZero1() { 69 char *p = malloc(12); 70 char *r = realloc(p, 0); 71 if (!r) { 72 free(p); // expected-warning {{Attempt to free released memory}} 73 } else { 74 free(r); 75 } 76} 77 78void reallocSizeZero2() { 79 char *p = malloc(12); 80 char *r = realloc(p, 0); 81 if (!r) { 82 free(p); // expected-warning {{Attempt to free released memory}} 83 } else { 84 free(r); 85 } 86 free(p); // expected-warning {{Attempt to free released memory}} 87} 88 89void reallocSizeZero3() { 90 char *p = malloc(12); 91 char *r = realloc(p, 0); 92 free(r); 93} 94 95void reallocSizeZero4() { 96 char *r = realloc(0, 0); 97 free(r); 98} 99 100void reallocSizeZero5() { 101 char *r = realloc(0, 0); 102} 103 104void reallocPtrZero1() { 105 char *r = realloc(0, 12); // expected-warning {{Memory is never released; potential leak}} 106} 107 108void reallocPtrZero2() { 109 char *r = realloc(0, 12); 110 if (r) 111 free(r); 112} 113 114void reallocPtrZero3() { 115 char *r = realloc(0, 12); 116 free(r); 117} 118 119void reallocRadar6337483_1() { 120 char *buf = malloc(100); 121 buf = (char*)realloc(buf, 0x1000000); 122 if (!buf) { 123 return;// expected-warning {{Memory is never released; potential leak}} 124 } 125 free(buf); 126} 127 128void reallocRadar6337483_2() { 129 char *buf = malloc(100); 130 char *buf2 = (char*)realloc(buf, 0x1000000); 131 if (!buf2) { // expected-warning {{Memory is never released; potential leak}} 132 ; 133 } else { 134 free(buf2); 135 } 136} 137 138void reallocRadar6337483_3() { 139 char * buf = malloc(100); 140 char * tmp; 141 tmp = (char*)realloc(buf, 0x1000000); 142 if (!tmp) { 143 free(buf); 144 return; 145 } 146 buf = tmp; 147 free(buf); 148} 149 150void reallocRadar6337483_4() { 151 char *buf = malloc(100); 152 char *buf2 = (char*)realloc(buf, 0x1000000); 153 if (!buf2) { 154 return; // expected-warning {{Memory is never released; potential leak}} 155 } else { 156 free(buf2); 157 } 158} 159 160int *reallocfTest1() { 161 int *q = malloc(12); 162 q = reallocf(q, 20); 163 return q; // no warning - returning the allocated value 164} 165 166void reallocfRadar6337483_4() { 167 char *buf = malloc(100); 168 char *buf2 = (char*)reallocf(buf, 0x1000000); 169 if (!buf2) { 170 return; // no warning - reallocf frees even on failure 171 } else { 172 free(buf2); 173 } 174} 175 176void reallocfRadar6337483_3() { 177 char * buf = malloc(100); 178 char * tmp; 179 tmp = (char*)reallocf(buf, 0x1000000); 180 if (!tmp) { 181 free(buf); // expected-warning {{Attempt to free released memory}} 182 return; 183 } 184 buf = tmp; 185 free(buf); 186} 187 188void reallocfPtrZero1() { 189 char *r = reallocf(0, 12); // expected-warning {{Memory is never released; potential leak}} 190} 191 192 193// This case tests that storing malloc'ed memory to a static variable which is 194// then returned is not leaked. In the absence of known contracts for functions 195// or inter-procedural analysis, this is a conservative answer. 196int *f3() { 197 static int *p = 0; 198 p = malloc(12); 199 return p; // no-warning 200} 201 202// This case tests that storing malloc'ed memory to a static global variable 203// which is then returned is not leaked. In the absence of known contracts for 204// functions or inter-procedural analysis, this is a conservative answer. 205static int *p_f4 = 0; 206int *f4() { 207 p_f4 = malloc(12); 208 return p_f4; // no-warning 209} 210 211int *f5() { 212 int *q = malloc(12); 213 q = realloc(q, 20); 214 return q; // no-warning 215} 216 217void f6() { 218 int *p = malloc(12); 219 if (!p) 220 return; // no-warning 221 else 222 free(p); 223} 224 225void f6_realloc() { 226 int *p = malloc(12); 227 if (!p) 228 return; // no-warning 229 else 230 realloc(p,0); 231} 232 233 234char *doit2(); 235void pr6069() { 236 char *buf = doit2(); 237 free(buf); 238} 239 240void pr6293() { 241 free(0); 242} 243 244void f7() { 245 char *x = (char*) malloc(4); 246 free(x); 247 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 248} 249 250void f8() { 251 char *x = (char*) malloc(4); 252 free(x); 253 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 254} 255 256void f7_realloc() { 257 char *x = (char*) malloc(4); 258 realloc(x,0); 259 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 260} 261 262void PR6123() { 263 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}} 264} 265 266void PR7217() { 267 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}} 268 buf[1] = 'c'; // not crash 269} 270 271void mallocCastToVoid() { 272 void *p = malloc(2); 273 const void *cp = p; // not crash 274 free(p); 275} 276 277void mallocCastToFP() { 278 void *p = malloc(2); 279 void (*fp)() = p; // not crash 280 free(p); 281} 282 283// This tests that malloc() buffers are undefined by default 284char mallocGarbage () { 285 char *buf = malloc(2); 286 char result = buf[1]; // expected-warning{{undefined}} 287 free(buf); 288 return result; 289} 290 291// This tests that calloc() buffers need to be freed 292void callocNoFree () { 293 char *buf = calloc(2,2); 294 return; // expected-warning{{never released}} 295} 296 297// These test that calloc() buffers are zeroed by default 298char callocZeroesGood () { 299 char *buf = calloc(2,2); 300 char result = buf[3]; // no-warning 301 if (buf[1] == 0) { 302 free(buf); 303 } 304 return result; // no-warning 305} 306 307char callocZeroesBad () { 308 char *buf = calloc(2,2); 309 char result = buf[3]; // no-warning 310 if (buf[1] != 0) { 311 free(buf); // expected-warning{{never executed}} 312 } 313 return result; // expected-warning{{never released}} 314} 315 316void nullFree() { 317 int *p = 0; 318 free(p); // no warning - a nop 319} 320 321void paramFree(int *p) { 322 myfoo(p); 323 free(p); // no warning 324 myfoo(p); // expected-warning {{Use of memory after it is freed}} 325} 326 327int* mallocEscapeRet() { 328 int *p = malloc(12); 329 return p; // no warning 330} 331 332void mallocEscapeFoo() { 333 int *p = malloc(12); 334 myfoo(p); 335 return; // no warning 336} 337 338void mallocEscapeFree() { 339 int *p = malloc(12); 340 myfoo(p); 341 free(p); 342} 343 344void mallocEscapeFreeFree() { 345 int *p = malloc(12); 346 myfoo(p); 347 free(p); 348 free(p); // expected-warning{{Attempt to free released memory}} 349} 350 351void mallocEscapeFreeUse() { 352 int *p = malloc(12); 353 myfoo(p); 354 free(p); 355 myfoo(p); // expected-warning{{Use of memory after it is freed}} 356} 357 358int *myalloc(); 359void myalloc2(int **p); 360 361void mallocEscapeFreeCustomAlloc() { 362 int *p = malloc(12); 363 myfoo(p); 364 free(p); 365 p = myalloc(); 366 free(p); // no warning 367} 368 369void mallocEscapeFreeCustomAlloc2() { 370 int *p = malloc(12); 371 myfoo(p); 372 free(p); 373 myalloc2(&p); 374 free(p); // no warning 375} 376 377void mallocBindFreeUse() { 378 int *x = malloc(12); 379 int *y = x; 380 free(y); 381 myfoo(x); // expected-warning{{Use of memory after it is freed}} 382} 383 384void mallocEscapeMalloc() { 385 int *p = malloc(12); 386 myfoo(p); 387 p = malloc(12); // expected-warning{{Memory is never released; potential leak}} 388} 389 390void mallocMalloc() { 391 int *p = malloc(12); 392 p = malloc(12); // expected-warning 2 {{Memory is never released; potential leak}} 393} 394 395void mallocFreeMalloc() { 396 int *p = malloc(12); 397 free(p); 398 p = malloc(12); 399 free(p); 400} 401 402void mallocFreeUse_params() { 403 int *p = malloc(12); 404 free(p); 405 myfoo(p); //expected-warning{{Use of memory after it is freed}} 406} 407 408void mallocFreeUse_params2() { 409 int *p = malloc(12); 410 free(p); 411 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 412} 413 414void mallocFailedOrNot() { 415 int *p = malloc(12); 416 if (!p) 417 free(p); 418 else 419 free(p); 420} 421 422struct StructWithInt { 423 int g; 424}; 425 426int *mallocReturnFreed() { 427 int *p = malloc(12); 428 free(p); 429 return p; // expected-warning {{Use of memory after it is freed}} 430} 431 432int useAfterFreeStruct() { 433 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 434 px->g = 5; 435 free(px); 436 return px->g; // expected-warning {{Use of memory after it is freed}} 437} 438 439void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 440 441void mallocEscapeFooNonSymbolArg() { 442 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 443 nonSymbolAsFirstArg(&p->g, p); 444 return; // no warning 445} 446 447void mallocFailedOrNotLeak() { 448 int *p = malloc(12); 449 if (p == 0) 450 return; // no warning 451 else 452 return; // expected-warning {{Memory is never released; potential leak}} 453} 454 455void mallocAssignment() { 456 char *p = malloc(12); 457 p = fooRetPtr(); // expected-warning {{leak}} 458} 459 460int vallocTest() { 461 char *mem = valloc(12); 462 return 0; // expected-warning {{Memory is never released; potential leak}} 463} 464 465void vallocEscapeFreeUse() { 466 int *p = valloc(12); 467 myfoo(p); 468 free(p); 469 myfoo(p); // expected-warning{{Use of memory after it is freed}} 470} 471 472int *Gl; 473struct GlStTy { 474 int *x; 475}; 476 477struct GlStTy GlS = {0}; 478 479void GlobalFree() { 480 free(Gl); 481} 482 483void GlobalMalloc() { 484 Gl = malloc(12); 485} 486 487void GlobalStructMalloc() { 488 int *a = malloc(12); 489 GlS.x = a; 490} 491 492void GlobalStructMallocFree() { 493 int *a = malloc(12); 494 GlS.x = a; 495 free(GlS.x); 496} 497 498char *ArrayG[12]; 499 500void globalArrayTest() { 501 char *p = (char*)malloc(12); 502 ArrayG[0] = p; 503} 504 505// Make sure that we properly handle a pointer stored into a local struct/array. 506typedef struct _StructWithPtr { 507 int *memP; 508} StructWithPtr; 509 510static StructWithPtr arrOfStructs[10]; 511 512void testMalloc() { 513 int *x = malloc(12); 514 StructWithPtr St; 515 St.memP = x; 516 arrOfStructs[0] = St; // no-warning 517} 518 519StructWithPtr testMalloc2() { 520 int *x = malloc(12); 521 StructWithPtr St; 522 St.memP = x; 523 return St; // no-warning 524} 525 526int *testMalloc3() { 527 int *x = malloc(12); 528 int *y = x; 529 return y; // no-warning 530} 531 532void testElemRegion1() { 533 char *x = (void*)malloc(2); 534 int *ix = (int*)x; 535 free(&(x[0])); 536} 537 538void testElemRegion2(int **pp) { 539 int *p = malloc(12); 540 *pp = p; 541 free(pp[0]); 542} 543 544void testElemRegion3(int **pp) { 545 int *p = malloc(12); 546 *pp = p; 547 free(*pp); 548} 549// Region escape testing. 550 551unsigned takePtrToPtr(int **p); 552void PassTheAddrOfAllocatedData(int f) { 553 int *p = malloc(12); 554 // We don't know what happens after the call. Should stop tracking here. 555 if (takePtrToPtr(&p)) 556 f++; 557 free(p); // no warning 558} 559 560struct X { 561 int *p; 562}; 563unsigned takePtrToStruct(struct X *s); 564int ** foo2(int *g, int f) { 565 int *p = malloc(12); 566 struct X *px= malloc(sizeof(struct X)); 567 px->p = p; 568 // We don't know what happens after this call. Should not track px nor p. 569 if (takePtrToStruct(px)) 570 f++; 571 free(p); 572 return 0; 573} 574 575struct X* RegInvalidationDetect1(struct X *s2) { 576 struct X *px= malloc(sizeof(struct X)); 577 px->p = 0; 578 px = s2; 579 return px; // expected-warning {{Memory is never released; potential leak}} 580} 581 582struct X* RegInvalidationGiveUp1() { 583 int *p = malloc(12); 584 struct X *px= malloc(sizeof(struct X)); 585 px->p = p; 586 return px; 587} 588 589int **RegInvalidationDetect2(int **pp) { 590 int *p = malloc(12); 591 pp = &p; 592 pp++; 593 return 0;// expected-warning {{Memory is never released; potential leak}} 594} 595 596extern void exit(int) __attribute__ ((__noreturn__)); 597void mallocExit(int *g) { 598 struct xx *p = malloc(12); 599 if (g != 0) 600 exit(1); 601 free(p); 602 return; 603} 604 605extern void __assert_fail (__const char *__assertion, __const char *__file, 606 unsigned int __line, __const char *__function) 607 __attribute__ ((__noreturn__)); 608#define assert(expr) \ 609 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 610void mallocAssert(int *g) { 611 struct xx *p = malloc(12); 612 613 assert(g != 0); 614 free(p); 615 return; 616} 617 618void doNotInvalidateWhenPassedToSystemCalls(char *s) { 619 char *p = malloc(12); 620 strlen(p); 621 strcpy(p, s); // expected-warning {{leak}} 622} 623 624// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 625void symbolLostWithStrcpy(char *s) { 626 char *p = malloc(12); 627 p = strcpy(p, s); 628 free(p); 629} 630 631 632// The same test as the one above, but with what is actually generated on a mac. 633static __inline char * 634__inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 635{ 636 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 637} 638 639void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 640 char *p = malloc(12); 641 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 642 free(p); 643} 644 645// Here we are returning a pointer one past the allocated value. An idiom which 646// can be used for implementing special malloc. The correct uses of this might 647// be rare enough so that we could keep this as a warning. 648static void *specialMalloc(int n){ 649 int *p; 650 p = malloc( n+8 ); 651 if( p ){ 652 p[0] = n; 653 p++; 654 } 655 return p; 656} 657 658// Potentially, the user could free the struct by performing pointer arithmetic on the return value. 659// This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 660int *specialMallocWithStruct() { 661 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 662 return &(px->g); 663} 664 665// Test various allocation/deallocation functions. 666void testStrdup(const char *s, unsigned validIndex) { 667 char *s2 = strdup(s); 668 s2[validIndex + 1] = 'b';// expected-warning {{Memory is never released; potential leak}} 669} 670 671int testStrndup(const char *s, unsigned validIndex, unsigned size) { 672 char *s2 = strndup(s, size); 673 s2 [validIndex + 1] = 'b'; 674 if (s2[validIndex] != 'a') 675 return 0; 676 else 677 return 1;// expected-warning {{Memory is never released; potential leak}} 678} 679 680void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 681 char *s2 = strdup(s); 682 char result = s2[1];// no warning 683 free(s2); 684} 685 686// ---------------------------------------------------------------------------- 687// Test the system library functions to which the pointer can escape. 688// This tests false positive suppression. 689 690// For now, we assume memory passed to pthread_specific escapes. 691// TODO: We could check that if a new pthread binding is set, the existing 692// binding must be freed; otherwise, a memory leak can occur. 693void testPthereadSpecificEscape(pthread_key_t key) { 694 void *buf = malloc(12); 695 pthread_setspecific(key, buf); // no warning 696} 697 698// PR12101: Test funopen(). 699static int releasePtr(void *_ctx) { 700 free(_ctx); 701 return 0; 702} 703FILE *useFunOpen() { 704 void *ctx = malloc(sizeof(int)); 705 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 706 if (f == 0) { 707 free(ctx); 708 } 709 return f; 710} 711FILE *useFunOpenNoReleaseFunction() { 712 void *ctx = malloc(sizeof(int)); 713 FILE *f = funopen(ctx, 0, 0, 0, 0); 714 if (f == 0) { 715 free(ctx); 716 } 717 return f; // expected-warning{{leak}} 718} 719 720static int readNothing(void *_ctx, char *buf, int size) { 721 return 0; 722} 723FILE *useFunOpenReadNoRelease() { 724 void *ctx = malloc(sizeof(int)); 725 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 726 if (f == 0) { 727 free(ctx); 728 } 729 return f; // expected-warning{{leak}} 730} 731 732// Test setbuf, setvbuf. 733int my_main_no_warning() { 734 char *p = malloc(100); 735 setvbuf(stdout, p, 0, 100); 736 return 0; 737} 738int my_main_no_warning2() { 739 char *p = malloc(100); 740 setbuf(__stdoutp, p); 741 return 0; 742} 743int my_main_warn(FILE *f) { 744 char *p = malloc(100); 745 setvbuf(f, p, 0, 100); 746 return 0;// expected-warning {{leak}} 747} 748 749// <rdar://problem/10978247>. 750// some people use stack allocated memory as an optimization to avoid 751// a heap allocation for small work sizes. This tests the analyzer's 752// understanding that the malloc'ed memory is not the same as stackBuffer. 753void radar10978247(int myValueSize) { 754 char stackBuffer[128]; 755 char *buffer; 756 757 if (myValueSize <= sizeof(stackBuffer)) 758 buffer = stackBuffer; 759 else 760 buffer = malloc(myValueSize); 761 762 // do stuff with the buffer 763 if (buffer != stackBuffer) 764 free(buffer); 765} 766 767void radar10978247_positive(int myValueSize) { 768 char stackBuffer[128]; 769 char *buffer; 770 771 if (myValueSize <= sizeof(stackBuffer)) 772 buffer = stackBuffer; 773 else 774 buffer = malloc(myValueSize); 775 776 // do stuff with the buffer 777 if (buffer == stackBuffer) // expected-warning {{leak}} 778 return; 779} 780 781// <rdar://problem/11269741> Previously this triggered a false positive 782// because malloc() is known to return uninitialized memory and the binding 783// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 784struct rdar11269741_a_t { 785 struct rdar11269741_b_t { 786 int m; 787 } n; 788}; 789 790int rdar11269741(struct rdar11269741_b_t o) 791{ 792 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 793 p->n = o; 794 return p->n.m; // expected-warning {{leak}} 795} 796 797// Pointer arithmetic, returning an ElementRegion. 798void *radar11329382(unsigned bl) { 799 void *ptr = malloc (16); 800 ptr = ptr + (2 - bl); 801 return ptr; // no warning 802} 803 804void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 805int strcmp(const char *, const char *); 806char *a (void); 807void radar11270219(void) { 808 char *x = a(), *y = a(); 809 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 810 strcmp(x, y); // no warning 811} 812 813void radar_11358224_test_double_assign_ints_positive_2() 814{ 815 void *ptr = malloc(16); 816 ptr = ptr; // expected-warning {{leak}} 817} 818 819// Assume that functions which take a function pointer can free memory even if 820// they are defined in system headers and take the const pointer to the 821// allocated memory. (radar://11160612) 822int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 823void r11160612_1() { 824 char *x = malloc(12); 825 const_ptr_and_callback(0, x, 12, free); // no - warning 826} 827 828// Null is passed as callback. 829void r11160612_2() { 830 char *x = malloc(12); 831 const_ptr_and_callback(0, x, 12, 0); // expected-warning {{leak}} 832} 833 834// Callback is passed to a function defined in a system header. 835void r11160612_4() { 836 char *x = malloc(12); 837 sqlite3_bind_text_my(0, x, 12, free); // no - warning 838} 839 840// Passing callbacks in a struct. 841void r11160612_5(StWithCallback St) { 842 void *x = malloc(12); 843 dealocateMemWhenDoneByVal(x, St); 844} 845void r11160612_6(StWithCallback St) { 846 void *x = malloc(12); 847 dealocateMemWhenDoneByRef(&St, x); 848} 849 850int mySub(int, int); 851int myAdd(int, int); 852int fPtr(unsigned cond, int x) { 853 return (cond ? mySub : myAdd)(x, x); 854} 855 856// Test anti-aliasing. 857 858void dependsOnValueOfPtr(int *g, unsigned f) { 859 int *p; 860 861 if (f) { 862 p = g; 863 } else { 864 p = malloc(12); 865 } 866 867 if (p != g) 868 free(p); 869 else 870 return; // no warning 871 return; 872} 873 874int CMPRegionHeapToStack() { 875 int x = 0; 876 int *x1 = malloc(8); 877 int *x2 = &x; 878 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 879 free(x1); 880 return x; 881} 882 883int CMPRegionHeapToHeap2() { 884 int x = 0; 885 int *x1 = malloc(8); 886 int *x2 = malloc(8); 887 int *x4 = x1; 888 int *x5 = x2; 889 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 890 free(x1); 891 free(x2); 892 return x; 893} 894 895int CMPRegionHeapToHeap() { 896 int x = 0; 897 int *x1 = malloc(8); 898 int *x4 = x1; 899 if (x1 == x4) { 900 free(x1); 901 return 5/x; // expected-warning{{Division by zero}} 902 } 903 return x;// expected-warning{{This statement is never executed}} 904} 905 906int HeapAssignment() { 907 int m = 0; 908 int *x = malloc(4); 909 int *y = x; 910 *x = 5; 911 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 912 free(x); 913 return 0; 914} 915 916int *retPtr(); 917int *retPtrMightAlias(int *x); 918int cmpHeapAllocationToUnknown() { 919 int zero = 0; 920 int *yBefore = retPtr(); 921 int *m = malloc(8); 922 int *yAfter = retPtrMightAlias(m); 923 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 924 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 925 free(m); 926 return 0; 927} 928 929void localArrayTest() { 930 char *p = (char*)malloc(12); 931 char *ArrayL[12]; 932 ArrayL[0] = p; // expected-warning {{leak}} 933} 934 935void localStructTest() { 936 StructWithPtr St; 937 StructWithPtr *pSt = &St; 938 pSt->memP = malloc(12); // expected-warning{{Memory is never released; potential leak}} 939} 940 941// Test double assignment through integers. 942static long glob; 943void test_double_assign_ints() 944{ 945 void *ptr = malloc (16); // no-warning 946 glob = (long)(unsigned long)ptr; 947} 948 949void test_double_assign_ints_positive() 950{ 951 void *ptr = malloc(16); 952 (void*)(long)(unsigned long)ptr; // expected-warning {{unused}} expected-warning {{leak}} 953} 954 955 956void testCGContextNoLeak() 957{ 958 void *ptr = malloc(16); 959 CGContextRef context = CGBitmapContextCreate(ptr); 960 961 // Because you can get the data back out like this, even much later, 962 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 963 free(CGBitmapContextGetData(context)); 964} 965 966void testCGContextLeak() 967{ 968 void *ptr = malloc(16); 969 CGContextRef context = CGBitmapContextCreate(ptr); 970 // However, this time we're just leaking the data, because the context 971 // object doesn't escape and it hasn't been freed in this function. 972} 973 974// Allow xpc context to escape. radar://11635258 975// TODO: Would be great if we checked that the finalize_connection_context actually releases it. 976static void finalize_connection_context(void *ctx) { 977 int *context = ctx; 978 free(context); 979} 980void foo (xpc_connection_t peer) { 981 int *ctx = calloc(1, sizeof(int)); 982 xpc_connection_set_context(peer, ctx); 983 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 984 xpc_connection_resume(peer); 985} 986 987// Make sure we catch errors when we free in a function which does not allocate memory. 988void freeButNoMalloc(int *p, int x){ 989 if (x) { 990 free(p); 991 //user forgot a return here. 992 } 993 free(p); // expected-warning {{Attempt to free released memory}} 994} 995 996struct HasPtr { 997 int *p; 998}; 999 1000int* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1001 int *s; 1002 a->p = (int *)realloc(a->p, size); 1003 if (a->p == 0) 1004 return 0; // expected-warning{{Memory is never released; potential leak}} 1005 return a->p; 1006} 1007 1008// ---------------------------------------------------------------------------- 1009// False negatives. 1010 1011// TODO: This is another false negative. 1012void testMallocWithParam(int **p) { 1013 *p = (int*) malloc(sizeof(int)); 1014 *p = 0; 1015} 1016 1017void testMallocWithParam_2(int **p) { 1018 *p = (int*) malloc(sizeof(int)); 1019} 1020