malloc.c revision 1bf908df57cc43f3bc7296f4e51f5708bd323c6b
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,experimental.deadcode.UnreachableCode,experimental.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2#include "system-header-simulator.h" 3 4void clang_analyzer_eval(int); 5 6typedef __typeof(sizeof(int)) size_t; 7void *malloc(size_t); 8void *valloc(size_t); 9void free(void *); 10void *realloc(void *ptr, size_t size); 11void *reallocf(void *ptr, size_t size); 12void *calloc(size_t nmemb, size_t size); 13char *strdup(const char *s); 14char *strndup(const char *s, size_t n); 15 16void myfoo(int *p); 17void myfooint(int p); 18char *fooRetPtr(); 19 20void f1() { 21 int *p = malloc(12); 22 return; // expected-warning{{Memory is never released; potential leak}} 23} 24 25void f2() { 26 int *p = malloc(12); 27 free(p); 28 free(p); // expected-warning{{Attempt to free released memory}} 29} 30 31void f2_realloc_0() { 32 int *p = malloc(12); 33 realloc(p,0); 34 realloc(p,0); // expected-warning{{Attempt to free released memory}} 35} 36 37void f2_realloc_1() { 38 int *p = malloc(12); 39 int *q = realloc(p,0); // no-warning 40} 41 42void reallocNotNullPtr(unsigned sizeIn) { 43 unsigned size = 12; 44 char *p = (char*)malloc(size); 45 if (p) { 46 char *q = (char*)realloc(p, sizeIn); 47 char x = *q; // expected-warning {{Memory is never released; potential leak}} 48 } 49} 50 51int *realloctest1() { 52 int *q = malloc(12); 53 q = realloc(q, 20); 54 return q; // no warning - returning the allocated value 55} 56 57// p should be freed if realloc fails. 58void reallocFails() { 59 char *p = malloc(12); 60 char *r = realloc(p, 12+1); 61 if (!r) { 62 free(p); 63 } else { 64 free(r); 65 } 66} 67 68void reallocSizeZero1() { 69 char *p = malloc(12); 70 char *r = realloc(p, 0); 71 if (!r) { 72 free(p); 73 } else { 74 free(r); 75 } 76} 77 78void reallocSizeZero2() { 79 char *p = malloc(12); 80 char *r = realloc(p, 0); 81 if (!r) { 82 free(p); 83 } else { 84 free(r); 85 } 86 free(p); // expected-warning {{Attempt to free released memory}} 87} 88 89void reallocSizeZero3() { 90 char *p = malloc(12); 91 char *r = realloc(p, 0); 92 free(r); 93} 94 95void reallocSizeZero4() { 96 char *r = realloc(0, 0); 97 free(r); 98} 99 100void reallocSizeZero5() { 101 char *r = realloc(0, 0); 102} 103 104void reallocPtrZero1() { 105 char *r = realloc(0, 12); // expected-warning {{Memory is never released; potential leak}} 106} 107 108void reallocPtrZero2() { 109 char *r = realloc(0, 12); 110 if (r) 111 free(r); 112} 113 114void reallocPtrZero3() { 115 char *r = realloc(0, 12); 116 free(r); 117} 118 119void reallocRadar6337483_1() { 120 char *buf = malloc(100); 121 buf = (char*)realloc(buf, 0x1000000); 122 if (!buf) { 123 return;// expected-warning {{Memory is never released; potential leak}} 124 } 125 free(buf); 126} 127 128void reallocRadar6337483_2() { 129 char *buf = malloc(100); 130 char *buf2 = (char*)realloc(buf, 0x1000000); 131 if (!buf2) { // expected-warning {{Memory is never released; potential leak}} 132 ; 133 } else { 134 free(buf2); 135 } 136} 137 138void reallocRadar6337483_3() { 139 char * buf = malloc(100); 140 char * tmp; 141 tmp = (char*)realloc(buf, 0x1000000); 142 if (!tmp) { 143 free(buf); 144 return; 145 } 146 buf = tmp; 147 free(buf); 148} 149 150void reallocRadar6337483_4() { 151 char *buf = malloc(100); 152 char *buf2 = (char*)realloc(buf, 0x1000000); 153 if (!buf2) { 154 return; // expected-warning {{Memory is never released; potential leak}} 155 } else { 156 free(buf2); 157 } 158} 159 160int *reallocfTest1() { 161 int *q = malloc(12); 162 q = reallocf(q, 20); 163 return q; // no warning - returning the allocated value 164} 165 166void reallocfRadar6337483_4() { 167 char *buf = malloc(100); 168 char *buf2 = (char*)reallocf(buf, 0x1000000); 169 if (!buf2) { 170 return; // no warning - reallocf frees even on failure 171 } else { 172 free(buf2); 173 } 174} 175 176void reallocfRadar6337483_3() { 177 char * buf = malloc(100); 178 char * tmp; 179 tmp = (char*)reallocf(buf, 0x1000000); 180 if (!tmp) { 181 free(buf); // expected-warning {{Attempt to free released memory}} 182 return; 183 } 184 buf = tmp; 185 free(buf); 186} 187 188void reallocfPtrZero1() { 189 char *r = reallocf(0, 12); // expected-warning {{Memory is never released; potential leak}} 190} 191 192 193// This case tests that storing malloc'ed memory to a static variable which is 194// then returned is not leaked. In the absence of known contracts for functions 195// or inter-procedural analysis, this is a conservative answer. 196int *f3() { 197 static int *p = 0; 198 p = malloc(12); 199 return p; // no-warning 200} 201 202// This case tests that storing malloc'ed memory to a static global variable 203// which is then returned is not leaked. In the absence of known contracts for 204// functions or inter-procedural analysis, this is a conservative answer. 205static int *p_f4 = 0; 206int *f4() { 207 p_f4 = malloc(12); 208 return p_f4; // no-warning 209} 210 211int *f5() { 212 int *q = malloc(12); 213 q = realloc(q, 20); 214 return q; // no-warning 215} 216 217void f6() { 218 int *p = malloc(12); 219 if (!p) 220 return; // no-warning 221 else 222 free(p); 223} 224 225void f6_realloc() { 226 int *p = malloc(12); 227 if (!p) 228 return; // no-warning 229 else 230 realloc(p,0); 231} 232 233 234char *doit2(); 235void pr6069() { 236 char *buf = doit2(); 237 free(buf); 238} 239 240void pr6293() { 241 free(0); 242} 243 244void f7() { 245 char *x = (char*) malloc(4); 246 free(x); 247 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 248} 249 250void f8() { 251 char *x = (char*) malloc(4); 252 free(x); 253 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 254} 255 256void f7_realloc() { 257 char *x = (char*) malloc(4); 258 realloc(x,0); 259 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 260} 261 262void PR6123() { 263 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}} 264} 265 266void PR7217() { 267 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size.}} 268 buf[1] = 'c'; // not crash 269} 270 271void mallocCastToVoid() { 272 void *p = malloc(2); 273 const void *cp = p; // not crash 274 free(p); 275} 276 277void mallocCastToFP() { 278 void *p = malloc(2); 279 void (*fp)() = p; // not crash 280 free(p); 281} 282 283// This tests that malloc() buffers are undefined by default 284char mallocGarbage () { 285 char *buf = malloc(2); 286 char result = buf[1]; // expected-warning{{undefined}} 287 free(buf); 288 return result; 289} 290 291// This tests that calloc() buffers need to be freed 292void callocNoFree () { 293 char *buf = calloc(2,2); 294 return; // expected-warning{{never released}} 295} 296 297// These test that calloc() buffers are zeroed by default 298char callocZeroesGood () { 299 char *buf = calloc(2,2); 300 char result = buf[3]; // no-warning 301 if (buf[1] == 0) { 302 free(buf); 303 } 304 return result; // no-warning 305} 306 307char callocZeroesBad () { 308 char *buf = calloc(2,2); 309 char result = buf[3]; // no-warning 310 if (buf[1] != 0) { 311 free(buf); // expected-warning{{never executed}} 312 } 313 return result; // expected-warning{{never released}} 314} 315 316void nullFree() { 317 int *p = 0; 318 free(p); // no warning - a nop 319} 320 321void paramFree(int *p) { 322 myfoo(p); 323 free(p); // no warning 324 myfoo(p); // TODO: This should be a warning. 325} 326 327int* mallocEscapeRet() { 328 int *p = malloc(12); 329 return p; // no warning 330} 331 332void mallocEscapeFoo() { 333 int *p = malloc(12); 334 myfoo(p); 335 return; // no warning 336} 337 338void mallocEscapeFree() { 339 int *p = malloc(12); 340 myfoo(p); 341 free(p); 342} 343 344void mallocEscapeFreeFree() { 345 int *p = malloc(12); 346 myfoo(p); 347 free(p); 348 free(p); // expected-warning{{Attempt to free released memory}} 349} 350 351void mallocEscapeFreeUse() { 352 int *p = malloc(12); 353 myfoo(p); 354 free(p); 355 myfoo(p); // expected-warning{{Use of memory after it is freed}} 356} 357 358int *myalloc(); 359void myalloc2(int **p); 360 361void mallocEscapeFreeCustomAlloc() { 362 int *p = malloc(12); 363 myfoo(p); 364 free(p); 365 p = myalloc(); 366 free(p); // no warning 367} 368 369void mallocEscapeFreeCustomAlloc2() { 370 int *p = malloc(12); 371 myfoo(p); 372 free(p); 373 myalloc2(&p); 374 free(p); // no warning 375} 376 377void mallocBindFreeUse() { 378 int *x = malloc(12); 379 int *y = x; 380 free(y); 381 myfoo(x); // expected-warning{{Use of memory after it is freed}} 382} 383 384void mallocEscapeMalloc() { 385 int *p = malloc(12); 386 myfoo(p); 387 p = malloc(12); // expected-warning{{Memory is never released; potential leak}} 388} 389 390void mallocMalloc() { 391 int *p = malloc(12); 392 p = malloc(12); // expected-warning 2 {{Memory is never released; potential leak}} 393} 394 395void mallocFreeMalloc() { 396 int *p = malloc(12); 397 free(p); 398 p = malloc(12); 399 free(p); 400} 401 402void mallocFreeUse_params() { 403 int *p = malloc(12); 404 free(p); 405 myfoo(p); //expected-warning{{Use of memory after it is freed}} 406} 407 408void mallocFreeUse_params2() { 409 int *p = malloc(12); 410 free(p); 411 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 412} 413 414void mallocFailedOrNot() { 415 int *p = malloc(12); 416 if (!p) 417 free(p); 418 else 419 free(p); 420} 421 422struct StructWithInt { 423 int g; 424}; 425 426int *mallocReturnFreed() { 427 int *p = malloc(12); 428 free(p); 429 return p; // expected-warning {{Use of memory after it is freed}} 430} 431 432int useAfterFreeStruct() { 433 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 434 px->g = 5; 435 free(px); 436 return px->g; // expected-warning {{Use of memory after it is freed}} 437} 438 439void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 440 441void mallocEscapeFooNonSymbolArg() { 442 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 443 nonSymbolAsFirstArg(&p->g, p); 444 return; // no warning 445} 446 447void mallocFailedOrNotLeak() { 448 int *p = malloc(12); 449 if (p == 0) 450 return; // no warning 451 else 452 return; // expected-warning {{Memory is never released; potential leak}} 453} 454 455void mallocAssignment() { 456 char *p = malloc(12); 457 p = fooRetPtr(); // expected-warning {{leak}} 458} 459 460int vallocTest() { 461 char *mem = valloc(12); 462 return 0; // expected-warning {{Memory is never released; potential leak}} 463} 464 465void vallocEscapeFreeUse() { 466 int *p = valloc(12); 467 myfoo(p); 468 free(p); 469 myfoo(p); // expected-warning{{Use of memory after it is freed}} 470} 471 472int *Gl; 473struct GlStTy { 474 int *x; 475}; 476 477struct GlStTy GlS = {0}; 478 479void GlobalFree() { 480 free(Gl); 481} 482 483void GlobalMalloc() { 484 Gl = malloc(12); 485} 486 487void GlobalStructMalloc() { 488 int *a = malloc(12); 489 GlS.x = a; 490} 491 492void GlobalStructMallocFree() { 493 int *a = malloc(12); 494 GlS.x = a; 495 free(GlS.x); 496} 497 498char *ArrayG[12]; 499 500void globalArrayTest() { 501 char *p = (char*)malloc(12); 502 ArrayG[0] = p; 503} 504 505// Make sure that we properly handle a pointer stored into a local struct/array. 506typedef struct _StructWithPtr { 507 int *memP; 508} StructWithPtr; 509 510static StructWithPtr arrOfStructs[10]; 511 512void testMalloc() { 513 int *x = malloc(12); 514 StructWithPtr St; 515 St.memP = x; 516 arrOfStructs[0] = St; 517} 518 519StructWithPtr testMalloc2() { 520 int *x = malloc(12); 521 StructWithPtr St; 522 St.memP = x; 523 return St; 524} 525 526int *testMalloc3() { 527 int *x = malloc(12); 528 int *y = x; 529 return y; 530} 531 532void testElemRegion1() { 533 char *x = (void*)malloc(2); 534 int *ix = (int*)x; 535 free(&(x[0])); 536} 537 538void testElemRegion2(int **pp) { 539 int *p = malloc(12); 540 *pp = p; 541 free(pp[0]); 542} 543 544void testElemRegion3(int **pp) { 545 int *p = malloc(12); 546 *pp = p; 547 free(*pp); 548} 549// Region escape testing. 550 551unsigned takePtrToPtr(int **p); 552void PassTheAddrOfAllocatedData(int f) { 553 int *p = malloc(12); 554 // We don't know what happens after the call. Should stop tracking here. 555 if (takePtrToPtr(&p)) 556 f++; 557 free(p); // no warning 558} 559 560struct X { 561 int *p; 562}; 563unsigned takePtrToStruct(struct X *s); 564int ** foo2(int *g, int f) { 565 int *p = malloc(12); 566 struct X *px= malloc(sizeof(struct X)); 567 px->p = p; 568 // We don't know what happens after this call. Should not track px nor p. 569 if (takePtrToStruct(px)) 570 f++; 571 free(p); 572 return 0; 573} 574 575struct X* RegInvalidationDetect1(struct X *s2) { 576 struct X *px= malloc(sizeof(struct X)); 577 px->p = 0; 578 px = s2; 579 return px; // expected-warning {{Memory is never released; potential leak}} 580} 581 582struct X* RegInvalidationGiveUp1() { 583 int *p = malloc(12); 584 struct X *px= malloc(sizeof(struct X)); 585 px->p = p; 586 return px; 587} 588 589int **RegInvalidationDetect2(int **pp) { 590 int *p = malloc(12); 591 pp = &p; 592 pp++; 593 return 0;// expected-warning {{Memory is never released; potential leak}} 594} 595 596extern void exit(int) __attribute__ ((__noreturn__)); 597void mallocExit(int *g) { 598 struct xx *p = malloc(12); 599 if (g != 0) 600 exit(1); 601 free(p); 602 return; 603} 604 605extern void __assert_fail (__const char *__assertion, __const char *__file, 606 unsigned int __line, __const char *__function) 607 __attribute__ ((__noreturn__)); 608#define assert(expr) \ 609 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 610void mallocAssert(int *g) { 611 struct xx *p = malloc(12); 612 613 assert(g != 0); 614 free(p); 615 return; 616} 617 618void doNotInvalidateWhenPassedToSystemCalls(char *s) { 619 char *p = malloc(12); 620 strlen(p); 621 strcpy(p, s); // expected-warning {{leak}} 622} 623 624// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 625void symbolLostWithStrcpy(char *s) { 626 char *p = malloc(12); 627 p = strcpy(p, s); 628 free(p); 629} 630 631 632// The same test as the one above, but with what is actually generated on a mac. 633static __inline char * 634__inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 635{ 636 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 637} 638 639void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 640 char *p = malloc(12); 641 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 642 free(p); 643} 644 645// Here we are returning a pointer one past the allocated value. An idiom which 646// can be used for implementing special malloc. The correct uses of this might 647// be rare enough so that we could keep this as a warning. 648static void *specialMalloc(int n){ 649 int *p; 650 p = malloc( n+8 ); 651 if( p ){ 652 p[0] = n; 653 p++; 654 } 655 return p; 656} 657 658// Potentially, the user could free the struct by performing pointer arithmetic on the return value. 659// This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 660int *specialMallocWithStruct() { 661 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 662 return &(px->g); 663} 664 665// Test various allocation/deallocation functions. 666void testStrdup(const char *s, unsigned validIndex) { 667 char *s2 = strdup(s); 668 s2[validIndex + 1] = 'b';// expected-warning {{Memory is never released; potential leak}} 669} 670 671int testStrndup(const char *s, unsigned validIndex, unsigned size) { 672 char *s2 = strndup(s, size); 673 s2 [validIndex + 1] = 'b'; 674 if (s2[validIndex] != 'a') 675 return 0; 676 else 677 return 1;// expected-warning {{Memory is never released; potential leak}} 678} 679 680void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 681 char *s2 = strdup(s); 682 char result = s2[1];// no warning 683 free(s2); 684} 685 686// ---------------------------------------------------------------------------- 687// Test the system library functions to which the pointer can escape. 688// This tests false positive suppression. 689 690// For now, we assume memory passed to pthread_specific escapes. 691// TODO: We could check that if a new pthread binding is set, the existing 692// binding must be freed; otherwise, a memory leak can occur. 693void testPthereadSpecificEscape(pthread_key_t key) { 694 void *buf = malloc(12); 695 pthread_setspecific(key, buf); // no warning 696} 697 698// PR12101: Test funopen(). 699static int releasePtr(void *_ctx) { 700 free(_ctx); 701 return 0; 702} 703FILE *useFunOpen() { 704 void *ctx = malloc(sizeof(int)); 705 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 706 if (f == 0) { 707 free(ctx); 708 } 709 return f; 710} 711FILE *useFunOpenNoReleaseFunction() { 712 void *ctx = malloc(sizeof(int)); 713 FILE *f = funopen(ctx, 0, 0, 0, 0); 714 if (f == 0) { 715 free(ctx); 716 } 717 return f; // expected-warning{{leak}} 718} 719 720// Test setbuf, setvbuf. 721int my_main_no_warning() { 722 char *p = malloc(100); 723 setvbuf(stdout, p, 0, 100); 724 return 0; 725} 726int my_main_no_warning2() { 727 char *p = malloc(100); 728 setbuf(__stdoutp, p); 729 return 0; 730} 731int my_main_warn(FILE *f) { 732 char *p = malloc(100); 733 setvbuf(f, p, 0, 100); 734 return 0;// expected-warning {{leak}} 735} 736 737// <rdar://problem/10978247>. 738// some people use stack allocated memory as an optimization to avoid 739// a heap allocation for small work sizes. This tests the analyzer's 740// understanding that the malloc'ed memory is not the same as stackBuffer. 741void radar10978247(int myValueSize) { 742 char stackBuffer[128]; 743 char *buffer; 744 745 if (myValueSize <= sizeof(stackBuffer)) 746 buffer = stackBuffer; 747 else 748 buffer = malloc(myValueSize); 749 750 // do stuff with the buffer 751 if (buffer != stackBuffer) 752 free(buffer); 753} 754 755void radar10978247_positive(int myValueSize) { 756 char stackBuffer[128]; 757 char *buffer; 758 759 if (myValueSize <= sizeof(stackBuffer)) 760 buffer = stackBuffer; 761 else 762 buffer = malloc(myValueSize); 763 764 // do stuff with the buffer 765 if (buffer == stackBuffer) // expected-warning {{leak}} 766 return; 767} 768 769// <rdar://problem/11269741> Previously this triggered a false positive 770// because malloc() is known to return uninitialized memory and the binding 771// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 772struct rdar11269741_a_t { 773 struct rdar11269741_b_t { 774 int m; 775 } n; 776}; 777 778int rdar11269741(struct rdar11269741_b_t o) 779{ 780 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 781 p->n = o; 782 return p->n.m; // expected-warning {{leak}} 783} 784 785// Pointer arithmetic, returning an ElementRegion. 786void *radar11329382(unsigned bl) { 787 void *ptr = malloc (16); 788 ptr = ptr + (2 - bl); 789 return ptr; // no warning 790} 791 792void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 793int strcmp(const char *, const char *); 794char *a (void); 795void radar11270219(void) { 796 char *x = a(), *y = a(); 797 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 798 strcmp(x, y); // no warning 799} 800 801void radar_11358224_test_double_assign_ints_positive_2() 802{ 803 void *ptr = malloc(16); 804 ptr = ptr; // expected-warning {{leak}} 805} 806 807// Assume that functions which take a function pointer can free memory even if 808// they are defined in system headers and take the const pointer to the 809// allocated memory. (radar://11160612) 810int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 811void r11160612_1() { 812 char *x = malloc(12); 813 const_ptr_and_callback(0, x, 12, free); // no - warning 814} 815 816// Null is passed as callback. 817void r11160612_2() { 818 char *x = malloc(12); 819 const_ptr_and_callback(0, x, 12, 0); // expected-warning {{leak}} 820} 821 822// Callback is passed to a function defined in a system header. 823void r11160612_4() { 824 char *x = malloc(12); 825 sqlite3_bind_text_my(0, x, 12, free); // no - warning 826} 827 828// Passing callbacks in a struct. 829void r11160612_5(StWithCallback St) { 830 void *x = malloc(12); 831 dealocateMemWhenDoneByVal(x, St); 832} 833void r11160612_6(StWithCallback St) { 834 void *x = malloc(12); 835 dealocateMemWhenDoneByRef(&St, x); 836} 837 838int mySub(int, int); 839int myAdd(int, int); 840int fPtr(unsigned cond, int x) { 841 return (cond ? mySub : myAdd)(x, x); 842} 843 844// Test anti-aliasing. 845 846void dependsOnValueOfPtr(int *g, unsigned f) { 847 int *p; 848 849 if (f) { 850 p = g; 851 } else { 852 p = malloc(12); 853 } 854 855 if (p != g) 856 free(p); 857 else 858 return; // no warning 859 return; 860} 861 862int CMPRegionHeapToStack() { 863 int x = 0; 864 int *x1 = malloc(8); 865 int *x2 = &x; 866 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 867 free(x1); 868 return x; 869} 870 871int CMPRegionHeapToHeap2() { 872 int x = 0; 873 int *x1 = malloc(8); 874 int *x2 = malloc(8); 875 int *x4 = x1; 876 int *x5 = x2; 877 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 878 free(x1); 879 free(x2); 880 return x; 881} 882 883int CMPRegionHeapToHeap() { 884 int x = 0; 885 int *x1 = malloc(8); 886 int *x4 = x1; 887 if (x1 == x4) { 888 free(x1); 889 return 5/x; // expected-warning{{Division by zero}} 890 } 891 return x;// expected-warning{{This statement is never executed}} 892} 893 894int HeapAssignment() { 895 int m = 0; 896 int *x = malloc(4); 897 int *y = x; 898 *x = 5; 899 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 900 free(x); 901 return 0; 902} 903 904int *retPtr(); 905int *retPtrMightAlias(int *x); 906int cmpHeapAllocationToUnknown() { 907 int zero = 0; 908 int *yBefore = retPtr(); 909 int *m = malloc(8); 910 int *yAfter = retPtrMightAlias(m); 911 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 912 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 913 free(m); 914 return 0; 915} 916 917// ---------------------------------------------------------------------------- 918// False negatives. 919 920// TODO: This requires tracking symbols stored inside the structs/arrays. 921void testMalloc5() { 922 StructWithPtr St; 923 StructWithPtr *pSt = &St; 924 pSt->memP = malloc(12); 925} 926 927// TODO: This is another false negative. 928void testMallocWithParam(int **p) { 929 *p = (int*) malloc(sizeof(int)); 930 *p = 0; 931} 932 933void testMallocWithParam_2(int **p) { 934 *p = (int*) malloc(sizeof(int)); 935} 936 937// TODO: This should produce a warning, similar to the previous issue. 938void localArrayTest() { 939 char *p = (char*)malloc(12); 940 char *ArrayL[12]; 941 ArrayL[0] = p; 942} 943 944// Test double assignment through integers. 945static long glob; 946void test_double_assign_ints() 947{ 948 void *ptr = malloc (16); // no-warning 949 glob = (long)(unsigned long)ptr; 950} 951 952void test_double_assign_ints_positive() 953{ 954 void *ptr = malloc(16); 955 (void*)(long)(unsigned long)ptr; // expected-warning {{unused}} expected-warning {{leak}} 956} 957 958 959void testCGContextNoLeak() 960{ 961 void *ptr = malloc(16); 962 CGContextRef context = CGBitmapContextCreate(ptr); 963 964 // Because you can get the data back out like this, even much later, 965 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 966 free(CGBitmapContextGetData(context)); 967} 968 969void testCGContextLeak() 970{ 971 void *ptr = malloc(16); 972 CGContextRef context = CGBitmapContextCreate(ptr); 973 // However, this time we're just leaking the data, because the context 974 // object doesn't escape and it hasn't been freed in this function. 975} 976 977