malloc.c revision 651f13cea278ec967336033dd032faef0e9fc2ec
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2 3#include "Inputs/system-header-simulator.h" 4 5void clang_analyzer_eval(int); 6 7typedef __typeof(sizeof(int)) size_t; 8void *malloc(size_t); 9void *valloc(size_t); 10void free(void *); 11void *realloc(void *ptr, size_t size); 12void *reallocf(void *ptr, size_t size); 13void *calloc(size_t nmemb, size_t size); 14char *strdup(const char *s); 15char *strndup(const char *s, size_t n); 16int memcmp(const void *s1, const void *s2, size_t n); 17 18void myfoo(int *p); 19void myfooint(int p); 20char *fooRetPtr(); 21 22void f1() { 23 int *p = malloc(12); 24 return; // expected-warning{{Potential leak of memory pointed to by 'p'}} 25} 26 27void f2() { 28 int *p = malloc(12); 29 free(p); 30 free(p); // expected-warning{{Attempt to free released memory}} 31} 32 33void f2_realloc_0() { 34 int *p = malloc(12); 35 realloc(p,0); 36 realloc(p,0); // expected-warning{{Attempt to free released memory}} 37} 38 39void f2_realloc_1() { 40 int *p = malloc(12); 41 int *q = realloc(p,0); // no-warning 42} 43 44void reallocNotNullPtr(unsigned sizeIn) { 45 unsigned size = 12; 46 char *p = (char*)malloc(size); 47 if (p) { 48 char *q = (char*)realloc(p, sizeIn); 49 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} 50 } 51} 52 53int *realloctest1() { 54 int *q = malloc(12); 55 q = realloc(q, 20); 56 return q; // no warning - returning the allocated value 57} 58 59// p should be freed if realloc fails. 60void reallocFails() { 61 char *p = malloc(12); 62 char *r = realloc(p, 12+1); 63 if (!r) { 64 free(p); 65 } else { 66 free(r); 67 } 68} 69 70void reallocSizeZero1() { 71 char *p = malloc(12); 72 char *r = realloc(p, 0); 73 if (!r) { 74 free(p); // expected-warning {{Attempt to free released memory}} 75 } else { 76 free(r); 77 } 78} 79 80void reallocSizeZero2() { 81 char *p = malloc(12); 82 char *r = realloc(p, 0); 83 if (!r) { 84 free(p); // expected-warning {{Attempt to free released memory}} 85 } else { 86 free(r); 87 } 88 free(p); // expected-warning {{Attempt to free released memory}} 89} 90 91void reallocSizeZero3() { 92 char *p = malloc(12); 93 char *r = realloc(p, 0); 94 free(r); 95} 96 97void reallocSizeZero4() { 98 char *r = realloc(0, 0); 99 free(r); 100} 101 102void reallocSizeZero5() { 103 char *r = realloc(0, 0); 104} 105 106void reallocPtrZero1() { 107 char *r = realloc(0, 12); 108} // expected-warning {{Potential leak of memory pointed to by 'r'}} 109 110void reallocPtrZero2() { 111 char *r = realloc(0, 12); 112 if (r) 113 free(r); 114} 115 116void reallocPtrZero3() { 117 char *r = realloc(0, 12); 118 free(r); 119} 120 121void reallocRadar6337483_1() { 122 char *buf = malloc(100); 123 buf = (char*)realloc(buf, 0x1000000); 124 if (!buf) { 125 return;// expected-warning {{Potential leak of memory pointed to by}} 126 } 127 free(buf); 128} 129 130void reallocRadar6337483_2() { 131 char *buf = malloc(100); 132 char *buf2 = (char*)realloc(buf, 0x1000000); 133 if (!buf2) { 134 ; 135 } else { 136 free(buf2); 137 } 138} // expected-warning {{Potential leak of memory pointed to by}} 139 140void reallocRadar6337483_3() { 141 char * buf = malloc(100); 142 char * tmp; 143 tmp = (char*)realloc(buf, 0x1000000); 144 if (!tmp) { 145 free(buf); 146 return; 147 } 148 buf = tmp; 149 free(buf); 150} 151 152void reallocRadar6337483_4() { 153 char *buf = malloc(100); 154 char *buf2 = (char*)realloc(buf, 0x1000000); 155 if (!buf2) { 156 return; // expected-warning {{Potential leak of memory pointed to by}} 157 } else { 158 free(buf2); 159 } 160} 161 162int *reallocfTest1() { 163 int *q = malloc(12); 164 q = reallocf(q, 20); 165 return q; // no warning - returning the allocated value 166} 167 168void reallocfRadar6337483_4() { 169 char *buf = malloc(100); 170 char *buf2 = (char*)reallocf(buf, 0x1000000); 171 if (!buf2) { 172 return; // no warning - reallocf frees even on failure 173 } else { 174 free(buf2); 175 } 176} 177 178void reallocfRadar6337483_3() { 179 char * buf = malloc(100); 180 char * tmp; 181 tmp = (char*)reallocf(buf, 0x1000000); 182 if (!tmp) { 183 free(buf); // expected-warning {{Attempt to free released memory}} 184 return; 185 } 186 buf = tmp; 187 free(buf); 188} 189 190void reallocfPtrZero1() { 191 char *r = reallocf(0, 12); 192} // expected-warning {{Potential leak of memory pointed to by}} 193 194 195// This case tests that storing malloc'ed memory to a static variable which is 196// then returned is not leaked. In the absence of known contracts for functions 197// or inter-procedural analysis, this is a conservative answer. 198int *f3() { 199 static int *p = 0; 200 p = malloc(12); 201 return p; // no-warning 202} 203 204// This case tests that storing malloc'ed memory to a static global variable 205// which is then returned is not leaked. In the absence of known contracts for 206// functions or inter-procedural analysis, this is a conservative answer. 207static int *p_f4 = 0; 208int *f4() { 209 p_f4 = malloc(12); 210 return p_f4; // no-warning 211} 212 213int *f5() { 214 int *q = malloc(12); 215 q = realloc(q, 20); 216 return q; // no-warning 217} 218 219void f6() { 220 int *p = malloc(12); 221 if (!p) 222 return; // no-warning 223 else 224 free(p); 225} 226 227void f6_realloc() { 228 int *p = malloc(12); 229 if (!p) 230 return; // no-warning 231 else 232 realloc(p,0); 233} 234 235 236char *doit2(); 237void pr6069() { 238 char *buf = doit2(); 239 free(buf); 240} 241 242void pr6293() { 243 free(0); 244} 245 246void f7() { 247 char *x = (char*) malloc(4); 248 free(x); 249 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 250} 251 252void f8() { 253 char *x = (char*) malloc(4); 254 free(x); 255 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 256} 257 258void f7_realloc() { 259 char *x = (char*) malloc(4); 260 realloc(x,0); 261 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 262} 263 264void PR6123() { 265 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 266} 267 268void PR7217() { 269 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 270 buf[1] = 'c'; // not crash 271} 272 273void cast_emtpy_struct() { 274 struct st { 275 }; 276 277 struct st *s = malloc(sizeof(struct st)); // no-warning 278 free(s); 279} 280 281void cast_struct_1() { 282 struct st { 283 int i[100]; 284 char j[]; 285 }; 286 287 struct st *s = malloc(sizeof(struct st)); // no-warning 288 free(s); 289} 290 291void cast_struct_2() { 292 struct st { 293 int i[100]; 294 char j[0]; 295 }; 296 297 struct st *s = malloc(sizeof(struct st)); // no-warning 298 free(s); 299} 300 301void cast_struct_3() { 302 struct st { 303 int i[100]; 304 char j[1]; 305 }; 306 307 struct st *s = malloc(sizeof(struct st)); // no-warning 308 free(s); 309} 310 311void cast_struct_4() { 312 struct st { 313 int i[100]; 314 char j[2]; 315 }; 316 317 struct st *s = malloc(sizeof(struct st)); // no-warning 318 free(s); 319} 320 321void cast_struct_5() { 322 struct st { 323 char i[200]; 324 char j[1]; 325 }; 326 327 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning 328 free(s); 329} 330 331void cast_struct_warn_1() { 332 struct st { 333 int i[100]; 334 char j[2]; 335 }; 336 337 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 338 free(s); 339} 340 341void cast_struct_warn_2() { 342 struct st { 343 int i[100]; 344 char j[2]; 345 }; 346 347 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 348 free(s); 349} 350 351void cast_struct_flex_array_1() { 352 struct st { 353 int i[100]; 354 char j[]; 355 }; 356 357 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 358 free(s); 359} 360 361void cast_struct_flex_array_2() { 362 struct st { 363 int i[100]; 364 char j[0]; 365 }; 366 367 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 368 free(s); 369} 370 371void cast_struct_flex_array_3() { 372 struct st { 373 int i[100]; 374 char j[1]; 375 }; 376 377 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 378 free(s); 379} 380 381void cast_struct_flex_array_4() { 382 struct foo { 383 char f[32]; 384 }; 385 struct st { 386 char i[100]; 387 struct foo data[]; 388 }; 389 390 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 391 free(s); 392} 393 394void cast_struct_flex_array_5() { 395 struct foo { 396 char f[32]; 397 }; 398 struct st { 399 char i[100]; 400 struct foo data[0]; 401 }; 402 403 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 404 free(s); 405} 406 407void cast_struct_flex_array_6() { 408 struct foo { 409 char f[32]; 410 }; 411 struct st { 412 char i[100]; 413 struct foo data[1]; 414 }; 415 416 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 417 free(s); 418} 419 420void cast_struct_flex_array_warn_1() { 421 struct foo { 422 char f[32]; 423 }; 424 struct st { 425 char i[100]; 426 struct foo data[]; 427 }; 428 429 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 430 free(s); 431} 432 433void cast_struct_flex_array_warn_2() { 434 struct foo { 435 char f[32]; 436 }; 437 struct st { 438 char i[100]; 439 struct foo data[0]; 440 }; 441 442 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 443 free(s); 444} 445 446void cast_struct_flex_array_warn_3() { 447 struct foo { 448 char f[32]; 449 }; 450 struct st { 451 char i[100]; 452 struct foo data[1]; 453 }; 454 455 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 456 free(s); 457} 458 459void cast_struct_flex_array_warn_4() { 460 struct st { 461 int i[100]; 462 int j[]; 463 }; 464 465 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 466 free(s); 467} 468 469void cast_struct_flex_array_warn_5() { 470 struct st { 471 int i[100]; 472 int j[0]; 473 }; 474 475 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 476 free(s); 477} 478 479void cast_struct_flex_array_warn_6() { 480 struct st { 481 int i[100]; 482 int j[1]; 483 }; 484 485 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 486 free(s); 487} 488 489void mallocCastToVoid() { 490 void *p = malloc(2); 491 const void *cp = p; // not crash 492 free(p); 493} 494 495void mallocCastToFP() { 496 void *p = malloc(2); 497 void (*fp)() = p; // not crash 498 free(p); 499} 500 501// This tests that malloc() buffers are undefined by default 502char mallocGarbage () { 503 char *buf = malloc(2); 504 char result = buf[1]; // expected-warning{{undefined}} 505 free(buf); 506 return result; 507} 508 509// This tests that calloc() buffers need to be freed 510void callocNoFree () { 511 char *buf = calloc(2,2); 512 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 513} 514 515// These test that calloc() buffers are zeroed by default 516char callocZeroesGood () { 517 char *buf = calloc(2,2); 518 char result = buf[3]; // no-warning 519 if (buf[1] == 0) { 520 free(buf); 521 } 522 return result; // no-warning 523} 524 525char callocZeroesBad () { 526 char *buf = calloc(2,2); 527 char result = buf[3]; // no-warning 528 if (buf[1] != 0) { 529 free(buf); // expected-warning{{never executed}} 530 } 531 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 532} 533 534void nullFree() { 535 int *p = 0; 536 free(p); // no warning - a nop 537} 538 539void paramFree(int *p) { 540 myfoo(p); 541 free(p); // no warning 542 myfoo(p); // expected-warning {{Use of memory after it is freed}} 543} 544 545int* mallocEscapeRet() { 546 int *p = malloc(12); 547 return p; // no warning 548} 549 550void mallocEscapeFoo() { 551 int *p = malloc(12); 552 myfoo(p); 553 return; // no warning 554} 555 556void mallocEscapeFree() { 557 int *p = malloc(12); 558 myfoo(p); 559 free(p); 560} 561 562void mallocEscapeFreeFree() { 563 int *p = malloc(12); 564 myfoo(p); 565 free(p); 566 free(p); // expected-warning{{Attempt to free released memory}} 567} 568 569void mallocEscapeFreeUse() { 570 int *p = malloc(12); 571 myfoo(p); 572 free(p); 573 myfoo(p); // expected-warning{{Use of memory after it is freed}} 574} 575 576int *myalloc(); 577void myalloc2(int **p); 578 579void mallocEscapeFreeCustomAlloc() { 580 int *p = malloc(12); 581 myfoo(p); 582 free(p); 583 p = myalloc(); 584 free(p); // no warning 585} 586 587void mallocEscapeFreeCustomAlloc2() { 588 int *p = malloc(12); 589 myfoo(p); 590 free(p); 591 myalloc2(&p); 592 free(p); // no warning 593} 594 595void mallocBindFreeUse() { 596 int *x = malloc(12); 597 int *y = x; 598 free(y); 599 myfoo(x); // expected-warning{{Use of memory after it is freed}} 600} 601 602void mallocEscapeMalloc() { 603 int *p = malloc(12); 604 myfoo(p); 605 p = malloc(12); 606} // expected-warning{{Potential leak of memory pointed to by}} 607 608void mallocMalloc() { 609 int *p = malloc(12); 610 p = malloc(12); 611} // expected-warning {{Potential leak of memory pointed to by}} 612 613void mallocFreeMalloc() { 614 int *p = malloc(12); 615 free(p); 616 p = malloc(12); 617 free(p); 618} 619 620void mallocFreeUse_params() { 621 int *p = malloc(12); 622 free(p); 623 myfoo(p); //expected-warning{{Use of memory after it is freed}} 624} 625 626void mallocFreeUse_params2() { 627 int *p = malloc(12); 628 free(p); 629 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 630} 631 632void mallocFailedOrNot() { 633 int *p = malloc(12); 634 if (!p) 635 free(p); 636 else 637 free(p); 638} 639 640struct StructWithInt { 641 int g; 642}; 643 644int *mallocReturnFreed() { 645 int *p = malloc(12); 646 free(p); 647 return p; // expected-warning {{Use of memory after it is freed}} 648} 649 650int useAfterFreeStruct() { 651 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 652 px->g = 5; 653 free(px); 654 return px->g; // expected-warning {{Use of memory after it is freed}} 655} 656 657void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 658 659void mallocEscapeFooNonSymbolArg() { 660 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 661 nonSymbolAsFirstArg(&p->g, p); 662 return; // no warning 663} 664 665void mallocFailedOrNotLeak() { 666 int *p = malloc(12); 667 if (p == 0) 668 return; // no warning 669 else 670 return; // expected-warning {{Potential leak of memory pointed to by}} 671} 672 673void mallocAssignment() { 674 char *p = malloc(12); 675 p = fooRetPtr(); 676} // expected-warning {{leak}} 677 678int vallocTest() { 679 char *mem = valloc(12); 680 return 0; // expected-warning {{Potential leak of memory pointed to by}} 681} 682 683void vallocEscapeFreeUse() { 684 int *p = valloc(12); 685 myfoo(p); 686 free(p); 687 myfoo(p); // expected-warning{{Use of memory after it is freed}} 688} 689 690int *Gl; 691struct GlStTy { 692 int *x; 693}; 694 695struct GlStTy GlS = {0}; 696 697void GlobalFree() { 698 free(Gl); 699} 700 701void GlobalMalloc() { 702 Gl = malloc(12); 703} 704 705void GlobalStructMalloc() { 706 int *a = malloc(12); 707 GlS.x = a; 708} 709 710void GlobalStructMallocFree() { 711 int *a = malloc(12); 712 GlS.x = a; 713 free(GlS.x); 714} 715 716char *ArrayG[12]; 717 718void globalArrayTest() { 719 char *p = (char*)malloc(12); 720 ArrayG[0] = p; 721} 722 723// Make sure that we properly handle a pointer stored into a local struct/array. 724typedef struct _StructWithPtr { 725 int *memP; 726} StructWithPtr; 727 728static StructWithPtr arrOfStructs[10]; 729 730void testMalloc() { 731 int *x = malloc(12); 732 StructWithPtr St; 733 St.memP = x; 734 arrOfStructs[0] = St; // no-warning 735} 736 737StructWithPtr testMalloc2() { 738 int *x = malloc(12); 739 StructWithPtr St; 740 St.memP = x; 741 return St; // no-warning 742} 743 744int *testMalloc3() { 745 int *x = malloc(12); 746 int *y = x; 747 return y; // no-warning 748} 749 750void testStructLeak() { 751 StructWithPtr St; 752 St.memP = malloc(12); 753 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}} 754} 755 756void testElemRegion1() { 757 char *x = (void*)malloc(2); 758 int *ix = (int*)x; 759 free(&(x[0])); 760} 761 762void testElemRegion2(int **pp) { 763 int *p = malloc(12); 764 *pp = p; 765 free(pp[0]); 766} 767 768void testElemRegion3(int **pp) { 769 int *p = malloc(12); 770 *pp = p; 771 free(*pp); 772} 773// Region escape testing. 774 775unsigned takePtrToPtr(int **p); 776void PassTheAddrOfAllocatedData(int f) { 777 int *p = malloc(12); 778 // We don't know what happens after the call. Should stop tracking here. 779 if (takePtrToPtr(&p)) 780 f++; 781 free(p); // no warning 782} 783 784struct X { 785 int *p; 786}; 787unsigned takePtrToStruct(struct X *s); 788int ** foo2(int *g, int f) { 789 int *p = malloc(12); 790 struct X *px= malloc(sizeof(struct X)); 791 px->p = p; 792 // We don't know what happens after this call. Should not track px nor p. 793 if (takePtrToStruct(px)) 794 f++; 795 free(p); 796 return 0; 797} 798 799struct X* RegInvalidationDetect1(struct X *s2) { 800 struct X *px= malloc(sizeof(struct X)); 801 px->p = 0; 802 px = s2; 803 return px; // expected-warning {{Potential leak of memory pointed to by}} 804} 805 806struct X* RegInvalidationGiveUp1() { 807 int *p = malloc(12); 808 struct X *px= malloc(sizeof(struct X)); 809 px->p = p; 810 return px; 811} 812 813int **RegInvalidationDetect2(int **pp) { 814 int *p = malloc(12); 815 pp = &p; 816 pp++; 817 return 0;// expected-warning {{Potential leak of memory pointed to by}} 818} 819 820extern void exit(int) __attribute__ ((__noreturn__)); 821void mallocExit(int *g) { 822 struct xx *p = malloc(12); 823 if (g != 0) 824 exit(1); 825 free(p); 826 return; 827} 828 829extern void __assert_fail (__const char *__assertion, __const char *__file, 830 unsigned int __line, __const char *__function) 831 __attribute__ ((__noreturn__)); 832#define assert(expr) \ 833 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 834void mallocAssert(int *g) { 835 struct xx *p = malloc(12); 836 837 assert(g != 0); 838 free(p); 839 return; 840} 841 842void doNotInvalidateWhenPassedToSystemCalls(char *s) { 843 char *p = malloc(12); 844 strlen(p); 845 strcpy(p, s); 846 strcpy(s, p); 847 strcpy(p, p); 848 memcpy(p, s, 1); 849 memcpy(s, p, 1); 850 memcpy(p, p, 1); 851} // expected-warning {{leak}} 852 853// Treat source buffer contents as escaped. 854void escapeSourceContents(char *s) { 855 char *p = malloc(12); 856 memcpy(s, &p, 12); // no warning 857 858 void *p1 = malloc(7); 859 char *a; 860 memcpy(&a, &p1, sizeof a); 861 // FIXME: No warning due to limitations imposed by current modelling of 862 // 'memcpy' (regions metadata is not copied). 863 864 int *ptrs[2]; 865 int *allocated = (int *)malloc(4); 866 memcpy(&ptrs[0], &allocated, sizeof(int *)); 867 // FIXME: No warning due to limitations imposed by current modelling of 868 // 'memcpy' (regions metadata is not copied). 869} 870 871void invalidateDestinationContents() { 872 int *null = 0; 873 int *p = (int *)malloc(4); 874 memcpy(&p, &null, sizeof(int *)); 875 876 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}} 877 ptrs1[0] = (int *)malloc(4); 878 memcpy(ptrs1, &null, sizeof(int *)); 879 880 int *ptrs2[2]; // expected-warning {{Potential memory leak}} 881 ptrs2[0] = (int *)malloc(4); 882 memcpy(&ptrs2[1], &null, sizeof(int *)); 883 884 int *ptrs3[2]; // expected-warning {{Potential memory leak}} 885 ptrs3[0] = (int *)malloc(4); 886 memcpy(&ptrs3[0], &null, sizeof(int *)); 887} // expected-warning {{Potential memory leak}} 888 889// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 890void symbolLostWithStrcpy(char *s) { 891 char *p = malloc(12); 892 p = strcpy(p, s); 893 free(p); 894} 895 896 897// The same test as the one above, but with what is actually generated on a mac. 898static __inline char * 899__inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 900{ 901 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 902} 903 904void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 905 char *p = malloc(12); 906 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 907 free(p); 908} 909 910// Here we are returning a pointer one past the allocated value. An idiom which 911// can be used for implementing special malloc. The correct uses of this might 912// be rare enough so that we could keep this as a warning. 913static void *specialMalloc(int n){ 914 int *p; 915 p = malloc( n+8 ); 916 if( p ){ 917 p[0] = n; 918 p++; 919 } 920 return p; 921} 922 923// Potentially, the user could free the struct by performing pointer arithmetic on the return value. 924// This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 925int *specialMallocWithStruct() { 926 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 927 return &(px->g); 928} 929 930// Test various allocation/deallocation functions. 931void testStrdup(const char *s, unsigned validIndex) { 932 char *s2 = strdup(s); 933 s2[validIndex + 1] = 'b'; 934} // expected-warning {{Potential leak of memory pointed to by}} 935 936int testStrndup(const char *s, unsigned validIndex, unsigned size) { 937 char *s2 = strndup(s, size); 938 s2 [validIndex + 1] = 'b'; 939 if (s2[validIndex] != 'a') 940 return 0; 941 else 942 return 1;// expected-warning {{Potential leak of memory pointed to by}} 943} 944 945void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 946 char *s2 = strdup(s); 947 char result = s2[1];// no warning 948 free(s2); 949} 950 951// ---------------------------------------------------------------------------- 952// Test the system library functions to which the pointer can escape. 953// This tests false positive suppression. 954 955// For now, we assume memory passed to pthread_specific escapes. 956// TODO: We could check that if a new pthread binding is set, the existing 957// binding must be freed; otherwise, a memory leak can occur. 958void testPthereadSpecificEscape(pthread_key_t key) { 959 void *buf = malloc(12); 960 pthread_setspecific(key, buf); // no warning 961} 962 963// PR12101: Test funopen(). 964static int releasePtr(void *_ctx) { 965 free(_ctx); 966 return 0; 967} 968FILE *useFunOpen() { 969 void *ctx = malloc(sizeof(int)); 970 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 971 if (f == 0) { 972 free(ctx); 973 } 974 return f; 975} 976FILE *useFunOpenNoReleaseFunction() { 977 void *ctx = malloc(sizeof(int)); 978 FILE *f = funopen(ctx, 0, 0, 0, 0); 979 if (f == 0) { 980 free(ctx); 981 } 982 return f; // expected-warning{{leak}} 983} 984 985static int readNothing(void *_ctx, char *buf, int size) { 986 return 0; 987} 988FILE *useFunOpenReadNoRelease() { 989 void *ctx = malloc(sizeof(int)); 990 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 991 if (f == 0) { 992 free(ctx); 993 } 994 return f; // expected-warning{{leak}} 995} 996 997// Test setbuf, setvbuf. 998int my_main_no_warning() { 999 char *p = malloc(100); 1000 setvbuf(stdout, p, 0, 100); 1001 return 0; 1002} 1003int my_main_no_warning2() { 1004 char *p = malloc(100); 1005 setbuf(__stdoutp, p); 1006 return 0; 1007} 1008int my_main_warn(FILE *f) { 1009 char *p = malloc(100); 1010 setvbuf(f, p, 0, 100); 1011 return 0;// expected-warning {{leak}} 1012} 1013 1014// <rdar://problem/10978247>. 1015// some people use stack allocated memory as an optimization to avoid 1016// a heap allocation for small work sizes. This tests the analyzer's 1017// understanding that the malloc'ed memory is not the same as stackBuffer. 1018void radar10978247(int myValueSize) { 1019 char stackBuffer[128]; 1020 char *buffer; 1021 1022 if (myValueSize <= sizeof(stackBuffer)) 1023 buffer = stackBuffer; 1024 else 1025 buffer = malloc(myValueSize); 1026 1027 // do stuff with the buffer 1028 if (buffer != stackBuffer) 1029 free(buffer); 1030} 1031 1032void radar10978247_positive(int myValueSize) { 1033 char stackBuffer[128]; 1034 char *buffer; 1035 1036 if (myValueSize <= sizeof(stackBuffer)) 1037 buffer = stackBuffer; 1038 else 1039 buffer = malloc(myValueSize); 1040 1041 // do stuff with the buffer 1042 if (buffer == stackBuffer) 1043 return; 1044 else 1045 return; // expected-warning {{leak}} 1046} 1047// <rdar://problem/11269741> Previously this triggered a false positive 1048// because malloc() is known to return uninitialized memory and the binding 1049// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 1050struct rdar11269741_a_t { 1051 struct rdar11269741_b_t { 1052 int m; 1053 } n; 1054}; 1055 1056int rdar11269741(struct rdar11269741_b_t o) 1057{ 1058 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 1059 p->n = o; 1060 return p->n.m; // expected-warning {{leak}} 1061} 1062 1063// Pointer arithmetic, returning an ElementRegion. 1064void *radar11329382(unsigned bl) { 1065 void *ptr = malloc (16); 1066 ptr = ptr + (2 - bl); 1067 return ptr; // no warning 1068} 1069 1070void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 1071int strcmp(const char *, const char *); 1072char *a (void); 1073void radar11270219(void) { 1074 char *x = a(), *y = a(); 1075 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 1076 strcmp(x, y); // no warning 1077} 1078 1079void radar_11358224_test_double_assign_ints_positive_2() 1080{ 1081 void *ptr = malloc(16); 1082 ptr = ptr; 1083} // expected-warning {{leak}} 1084 1085// Assume that functions which take a function pointer can free memory even if 1086// they are defined in system headers and take the const pointer to the 1087// allocated memory. (radar://11160612) 1088int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 1089void r11160612_1() { 1090 char *x = malloc(12); 1091 const_ptr_and_callback(0, x, 12, free); // no - warning 1092} 1093 1094// Null is passed as callback. 1095void r11160612_2() { 1096 char *x = malloc(12); 1097 const_ptr_and_callback(0, x, 12, 0); 1098} // expected-warning {{leak}} 1099 1100// Callback is passed to a function defined in a system header. 1101void r11160612_4() { 1102 char *x = malloc(12); 1103 sqlite3_bind_text_my(0, x, 12, free); // no - warning 1104} 1105 1106// Passing callbacks in a struct. 1107void r11160612_5(StWithCallback St) { 1108 void *x = malloc(12); 1109 dealocateMemWhenDoneByVal(x, St); 1110} 1111void r11160612_6(StWithCallback St) { 1112 void *x = malloc(12); 1113 dealocateMemWhenDoneByRef(&St, x); 1114} 1115 1116int mySub(int, int); 1117int myAdd(int, int); 1118int fPtr(unsigned cond, int x) { 1119 return (cond ? mySub : myAdd)(x, x); 1120} 1121 1122// Test anti-aliasing. 1123 1124void dependsOnValueOfPtr(int *g, unsigned f) { 1125 int *p; 1126 1127 if (f) { 1128 p = g; 1129 } else { 1130 p = malloc(12); 1131 } 1132 1133 if (p != g) 1134 free(p); 1135 else 1136 return; // no warning 1137 return; 1138} 1139 1140int CMPRegionHeapToStack() { 1141 int x = 0; 1142 int *x1 = malloc(8); 1143 int *x2 = &x; 1144 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 1145 free(x1); 1146 return x; 1147} 1148 1149int CMPRegionHeapToHeap2() { 1150 int x = 0; 1151 int *x1 = malloc(8); 1152 int *x2 = malloc(8); 1153 int *x4 = x1; 1154 int *x5 = x2; 1155 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 1156 free(x1); 1157 free(x2); 1158 return x; 1159} 1160 1161int CMPRegionHeapToHeap() { 1162 int x = 0; 1163 int *x1 = malloc(8); 1164 int *x4 = x1; 1165 if (x1 == x4) { 1166 free(x1); 1167 return 5/x; // expected-warning{{Division by zero}} 1168 } 1169 return x;// expected-warning{{This statement is never executed}} 1170} 1171 1172int HeapAssignment() { 1173 int m = 0; 1174 int *x = malloc(4); 1175 int *y = x; 1176 *x = 5; 1177 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 1178 free(x); 1179 return 0; 1180} 1181 1182int *retPtr(); 1183int *retPtrMightAlias(int *x); 1184int cmpHeapAllocationToUnknown() { 1185 int zero = 0; 1186 int *yBefore = retPtr(); 1187 int *m = malloc(8); 1188 int *yAfter = retPtrMightAlias(m); 1189 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 1190 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 1191 free(m); 1192 return 0; 1193} 1194 1195void localArrayTest() { 1196 char *p = (char*)malloc(12); 1197 char *ArrayL[12]; 1198 ArrayL[0] = p; 1199} // expected-warning {{leak}} 1200 1201void localStructTest() { 1202 StructWithPtr St; 1203 StructWithPtr *pSt = &St; 1204 pSt->memP = malloc(12); 1205} // expected-warning{{Potential leak of memory pointed to by}} 1206 1207#ifdef __INTPTR_TYPE__ 1208// Test double assignment through integers. 1209typedef __INTPTR_TYPE__ intptr_t; 1210typedef unsigned __INTPTR_TYPE__ uintptr_t; 1211 1212static intptr_t glob; 1213void test_double_assign_ints() 1214{ 1215 void *ptr = malloc (16); // no-warning 1216 glob = (intptr_t)(uintptr_t)ptr; 1217} 1218 1219void test_double_assign_ints_positive() 1220{ 1221 void *ptr = malloc(16); 1222 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 1223} // expected-warning {{leak}} 1224#endif 1225 1226void testCGContextNoLeak() 1227{ 1228 void *ptr = malloc(16); 1229 CGContextRef context = CGBitmapContextCreate(ptr); 1230 1231 // Because you can get the data back out like this, even much later, 1232 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 1233 free(CGBitmapContextGetData(context)); 1234} 1235 1236void testCGContextLeak() 1237{ 1238 void *ptr = malloc(16); 1239 CGContextRef context = CGBitmapContextCreate(ptr); 1240 // However, this time we're just leaking the data, because the context 1241 // object doesn't escape and it hasn't been freed in this function. 1242} 1243 1244// Allow xpc context to escape. radar://11635258 1245// TODO: Would be great if we checked that the finalize_connection_context actually releases it. 1246static void finalize_connection_context(void *ctx) { 1247 int *context = ctx; 1248 free(context); 1249} 1250void foo (xpc_connection_t peer) { 1251 int *ctx = calloc(1, sizeof(int)); 1252 xpc_connection_set_context(peer, ctx); 1253 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 1254 xpc_connection_resume(peer); 1255} 1256 1257// Make sure we catch errors when we free in a function which does not allocate memory. 1258void freeButNoMalloc(int *p, int x){ 1259 if (x) { 1260 free(p); 1261 //user forgot a return here. 1262 } 1263 free(p); // expected-warning {{Attempt to free released memory}} 1264} 1265 1266struct HasPtr { 1267 char *p; 1268}; 1269 1270char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1271 int *s; 1272 char *b = realloc(a->p, size); 1273 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 1274 return a->p; 1275} 1276 1277// We should not warn in this case since the caller will presumably free a->p in all cases. 1278int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1279 int *s; 1280 char *b = realloc(a->p, size); 1281 if (b == 0) 1282 return -1; 1283 a->p = b; 1284 return 0; 1285} 1286 1287// Test realloc with no visible malloc. 1288void *test(void *ptr) { 1289 void *newPtr = realloc(ptr, 4); 1290 if (newPtr == 0) { 1291 if (ptr) 1292 free(ptr); // no-warning 1293 } 1294 return newPtr; 1295} 1296 1297 1298char *testLeakWithinReturn(char *str) { 1299 return strdup(strdup(str)); // expected-warning{{leak}} 1300} 1301 1302void passConstPtr(const char * ptr); 1303 1304void testPassConstPointer() { 1305 char * string = malloc(sizeof(char)*10); 1306 passConstPtr(string); 1307 return; // expected-warning {{leak}} 1308} 1309 1310void testPassConstPointerIndirectly() { 1311 char *p = malloc(1); 1312 p++; 1313 memcmp(p, p, sizeof(&p)); 1314 return; // expected-warning {{leak}} 1315} 1316 1317void testPassConstPointerIndirectlyStruct() { 1318 struct HasPtr hp; 1319 hp.p = malloc(10); 1320 memcmp(&hp, &hp, sizeof(hp)); 1321 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}} 1322} 1323 1324void testPassToSystemHeaderFunctionIndirectlyStruct() { 1325 SomeStruct ss; 1326 ss.p = malloc(1); 1327 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1328 // Technically a false negative here -- we know the system function won't free 1329 // ss.p, but nothing else will either! 1330} // no-warning 1331 1332void testPassToSystemHeaderFunctionIndirectlyStructFree() { 1333 SomeStruct ss; 1334 ss.p = malloc(1); 1335 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1336 free(ss.p); 1337} // no-warning 1338 1339void testPassToSystemHeaderFunctionIndirectlyArray() { 1340 int *p[1]; 1341 p[0] = malloc(sizeof(int)); 1342 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1343 // Technically a false negative here -- we know the system function won't free 1344 // p[0], but nothing else will either! 1345} // no-warning 1346 1347void testPassToSystemHeaderFunctionIndirectlyArrayFree() { 1348 int *p[1]; 1349 p[0] = malloc(sizeof(int)); 1350 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1351 free(p[0]); 1352} // no-warning 1353 1354int *testOffsetAllocate(size_t size) { 1355 int *memoryBlock = (int *)malloc(size + sizeof(int)); 1356 return &memoryBlock[1]; // no-warning 1357} 1358 1359void testOffsetDeallocate(int *memoryBlock) { 1360 free(&memoryBlock[-1]); // no-warning 1361} 1362 1363void testOffsetOfRegionFreed() { 1364 __int64_t * array = malloc(sizeof(__int64_t)*2); 1365 array += 1; 1366 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1367} 1368 1369void testOffsetOfRegionFreed2() { 1370 __int64_t *p = malloc(sizeof(__int64_t)*2); 1371 p += 1; 1372 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1373} 1374 1375void testOffsetOfRegionFreed3() { 1376 char *r = malloc(sizeof(char)); 1377 r = r - 10; 1378 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}} 1379} 1380 1381void testOffsetOfRegionFreedAfterFunctionCall() { 1382 int *p = malloc(sizeof(int)*2); 1383 p += 1; 1384 myfoo(p); 1385 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}} 1386} 1387 1388void testFixManipulatedPointerBeforeFree() { 1389 int * array = malloc(sizeof(int)*2); 1390 array += 1; 1391 free(&array[-1]); // no-warning 1392} 1393 1394void testFixManipulatedPointerBeforeFree2() { 1395 char *r = malloc(sizeof(char)); 1396 r = r + 10; 1397 free(r-10); // no-warning 1398} 1399 1400void freeOffsetPointerPassedToFunction() { 1401 __int64_t *p = malloc(sizeof(__int64_t)*2); 1402 p[1] = 0; 1403 p += 1; 1404 myfooint(*p); // not passing the pointer, only a value pointed by pointer 1405 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1406} 1407 1408int arbitraryInt(); 1409void freeUnknownOffsetPointer() { 1410 char *r = malloc(sizeof(char)); 1411 r = r + arbitraryInt(); // unable to reason about what the offset might be 1412 free(r); // no-warning 1413} 1414 1415void testFreeNonMallocPointerWithNoOffset() { 1416 char c; 1417 char *r = &c; 1418 r = r + 10; 1419 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1420} 1421 1422void testFreeNonMallocPointerWithOffset() { 1423 char c; 1424 char *r = &c; 1425 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1426} 1427 1428void testOffsetZeroDoubleFree() { 1429 int *array = malloc(sizeof(int)*2); 1430 int *p = &array[0]; 1431 free(p); 1432 free(&array[0]); // expected-warning{{Attempt to free released memory}} 1433} 1434 1435void testOffsetPassedToStrlen() { 1436 char * string = malloc(sizeof(char)*10); 1437 string += 1; 1438 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}} 1439} 1440 1441void testOffsetPassedToStrlenThenFree() { 1442 char * string = malloc(sizeof(char)*10); 1443 string += 1; 1444 int length = strlen(string); 1445 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1446} 1447 1448void testOffsetPassedAsConst() { 1449 char * string = malloc(sizeof(char)*10); 1450 string += 1; 1451 passConstPtr(string); 1452 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1453} 1454 1455char **_vectorSegments; 1456int _nVectorSegments; 1457 1458void poolFreeC(void* s) { 1459 free(s); // no-warning 1460} 1461void freeMemory() { 1462 while (_nVectorSegments) { 1463 poolFreeC(_vectorSegments[_nVectorSegments++]); 1464 } 1465} 1466 1467// PR16730 1468void testReallocEscaped(void **memory) { 1469 *memory = malloc(47); 1470 char *new_memory = realloc(*memory, 47); 1471 if (new_memory != 0) { 1472 *memory = new_memory; 1473 } 1474} 1475 1476// PR16558 1477void *smallocNoWarn(size_t size) { 1478 if (size == 0) { 1479 return malloc(1); // this branch is never called 1480 } 1481 else { 1482 return malloc(size); 1483 } 1484} 1485 1486char *dupstrNoWarn(const char *s) { 1487 const int len = strlen(s); 1488 char *p = (char*) smallocNoWarn(len + 1); 1489 strcpy(p, s); // no-warning 1490 return p; 1491} 1492 1493void *smallocWarn(size_t size) { 1494 if (size == 2) { 1495 return malloc(1); 1496 } 1497 else { 1498 return malloc(size); 1499 } 1500} 1501 1502char *dupstrWarn(const char *s) { 1503 const int len = strlen(s); 1504 char *p = (char*) smallocWarn(len + 1); 1505 strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}} 1506 return p; 1507} 1508 1509int *radar15580979() { 1510 int *data = (int *)malloc(32); 1511 int *p = data ?: (int*)malloc(32); // no warning 1512 return p; 1513} 1514 1515// ---------------------------------------------------------------------------- 1516// False negatives. 1517 1518void testMallocWithParam(int **p) { 1519 *p = (int*) malloc(sizeof(int)); 1520 *p = 0; // FIXME: should warn here 1521} 1522 1523void testMallocWithParam_2(int **p) { 1524 *p = (int*) malloc(sizeof(int)); // no-warning 1525} 1526 1527void testPassToSystemHeaderFunctionIndirectly() { 1528 int *p = malloc(4); 1529 p++; 1530 fakeSystemHeaderCallInt(p); 1531 // FIXME: This is a leak: if we think a system function won't free p, it 1532 // won't free (p-1) either. 1533} 1534