malloc.c revision 6df32e24975ab457fa4b428326076436e48dad06
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2 3#include "Inputs/system-header-simulator.h" 4 5void clang_analyzer_eval(int); 6 7typedef __typeof(sizeof(int)) size_t; 8void *malloc(size_t); 9void *valloc(size_t); 10void free(void *); 11void *realloc(void *ptr, size_t size); 12void *reallocf(void *ptr, size_t size); 13void *calloc(size_t nmemb, size_t size); 14char *strdup(const char *s); 15char *strndup(const char *s, size_t n); 16int memcmp(const void *s1, const void *s2, size_t n); 17 18void myfoo(int *p); 19void myfooint(int p); 20char *fooRetPtr(); 21 22void f1() { 23 int *p = malloc(12); 24 return; // expected-warning{{Potential leak of memory pointed to by 'p'}} 25} 26 27void f2() { 28 int *p = malloc(12); 29 free(p); 30 free(p); // expected-warning{{Attempt to free released memory}} 31} 32 33void f2_realloc_0() { 34 int *p = malloc(12); 35 realloc(p,0); 36 realloc(p,0); // expected-warning{{Attempt to free released memory}} 37} 38 39void f2_realloc_1() { 40 int *p = malloc(12); 41 int *q = realloc(p,0); // no-warning 42} 43 44void reallocNotNullPtr(unsigned sizeIn) { 45 unsigned size = 12; 46 char *p = (char*)malloc(size); 47 if (p) { 48 char *q = (char*)realloc(p, sizeIn); 49 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} 50 } 51} 52 53int *realloctest1() { 54 int *q = malloc(12); 55 q = realloc(q, 20); 56 return q; // no warning - returning the allocated value 57} 58 59// p should be freed if realloc fails. 60void reallocFails() { 61 char *p = malloc(12); 62 char *r = realloc(p, 12+1); 63 if (!r) { 64 free(p); 65 } else { 66 free(r); 67 } 68} 69 70void reallocSizeZero1() { 71 char *p = malloc(12); 72 char *r = realloc(p, 0); 73 if (!r) { 74 free(p); // expected-warning {{Attempt to free released memory}} 75 } else { 76 free(r); 77 } 78} 79 80void reallocSizeZero2() { 81 char *p = malloc(12); 82 char *r = realloc(p, 0); 83 if (!r) { 84 free(p); // expected-warning {{Attempt to free released memory}} 85 } else { 86 free(r); 87 } 88 free(p); // expected-warning {{Attempt to free released memory}} 89} 90 91void reallocSizeZero3() { 92 char *p = malloc(12); 93 char *r = realloc(p, 0); 94 free(r); 95} 96 97void reallocSizeZero4() { 98 char *r = realloc(0, 0); 99 free(r); 100} 101 102void reallocSizeZero5() { 103 char *r = realloc(0, 0); 104} 105 106void reallocPtrZero1() { 107 char *r = realloc(0, 12); 108} // expected-warning {{Potential leak of memory pointed to by 'r'}} 109 110void reallocPtrZero2() { 111 char *r = realloc(0, 12); 112 if (r) 113 free(r); 114} 115 116void reallocPtrZero3() { 117 char *r = realloc(0, 12); 118 free(r); 119} 120 121void reallocRadar6337483_1() { 122 char *buf = malloc(100); 123 buf = (char*)realloc(buf, 0x1000000); 124 if (!buf) { 125 return;// expected-warning {{Potential leak of memory pointed to by}} 126 } 127 free(buf); 128} 129 130void reallocRadar6337483_2() { 131 char *buf = malloc(100); 132 char *buf2 = (char*)realloc(buf, 0x1000000); 133 if (!buf2) { 134 ; 135 } else { 136 free(buf2); 137 } 138} // expected-warning {{Potential leak of memory pointed to by}} 139 140void reallocRadar6337483_3() { 141 char * buf = malloc(100); 142 char * tmp; 143 tmp = (char*)realloc(buf, 0x1000000); 144 if (!tmp) { 145 free(buf); 146 return; 147 } 148 buf = tmp; 149 free(buf); 150} 151 152void reallocRadar6337483_4() { 153 char *buf = malloc(100); 154 char *buf2 = (char*)realloc(buf, 0x1000000); 155 if (!buf2) { 156 return; // expected-warning {{Potential leak of memory pointed to by}} 157 } else { 158 free(buf2); 159 } 160} 161 162int *reallocfTest1() { 163 int *q = malloc(12); 164 q = reallocf(q, 20); 165 return q; // no warning - returning the allocated value 166} 167 168void reallocfRadar6337483_4() { 169 char *buf = malloc(100); 170 char *buf2 = (char*)reallocf(buf, 0x1000000); 171 if (!buf2) { 172 return; // no warning - reallocf frees even on failure 173 } else { 174 free(buf2); 175 } 176} 177 178void reallocfRadar6337483_3() { 179 char * buf = malloc(100); 180 char * tmp; 181 tmp = (char*)reallocf(buf, 0x1000000); 182 if (!tmp) { 183 free(buf); // expected-warning {{Attempt to free released memory}} 184 return; 185 } 186 buf = tmp; 187 free(buf); 188} 189 190void reallocfPtrZero1() { 191 char *r = reallocf(0, 12); 192} // expected-warning {{Potential leak of memory pointed to by}} 193 194 195// This case tests that storing malloc'ed memory to a static variable which is 196// then returned is not leaked. In the absence of known contracts for functions 197// or inter-procedural analysis, this is a conservative answer. 198int *f3() { 199 static int *p = 0; 200 p = malloc(12); 201 return p; // no-warning 202} 203 204// This case tests that storing malloc'ed memory to a static global variable 205// which is then returned is not leaked. In the absence of known contracts for 206// functions or inter-procedural analysis, this is a conservative answer. 207static int *p_f4 = 0; 208int *f4() { 209 p_f4 = malloc(12); 210 return p_f4; // no-warning 211} 212 213int *f5() { 214 int *q = malloc(12); 215 q = realloc(q, 20); 216 return q; // no-warning 217} 218 219void f6() { 220 int *p = malloc(12); 221 if (!p) 222 return; // no-warning 223 else 224 free(p); 225} 226 227void f6_realloc() { 228 int *p = malloc(12); 229 if (!p) 230 return; // no-warning 231 else 232 realloc(p,0); 233} 234 235 236char *doit2(); 237void pr6069() { 238 char *buf = doit2(); 239 free(buf); 240} 241 242void pr6293() { 243 free(0); 244} 245 246void f7() { 247 char *x = (char*) malloc(4); 248 free(x); 249 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 250} 251 252void f8() { 253 char *x = (char*) malloc(4); 254 free(x); 255 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 256} 257 258void f7_realloc() { 259 char *x = (char*) malloc(4); 260 realloc(x,0); 261 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 262} 263 264void PR6123() { 265 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 266} 267 268void PR7217() { 269 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 270 buf[1] = 'c'; // not crash 271} 272 273void mallocCastToVoid() { 274 void *p = malloc(2); 275 const void *cp = p; // not crash 276 free(p); 277} 278 279void mallocCastToFP() { 280 void *p = malloc(2); 281 void (*fp)() = p; // not crash 282 free(p); 283} 284 285// This tests that malloc() buffers are undefined by default 286char mallocGarbage () { 287 char *buf = malloc(2); 288 char result = buf[1]; // expected-warning{{undefined}} 289 free(buf); 290 return result; 291} 292 293// This tests that calloc() buffers need to be freed 294void callocNoFree () { 295 char *buf = calloc(2,2); 296 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 297} 298 299// These test that calloc() buffers are zeroed by default 300char callocZeroesGood () { 301 char *buf = calloc(2,2); 302 char result = buf[3]; // no-warning 303 if (buf[1] == 0) { 304 free(buf); 305 } 306 return result; // no-warning 307} 308 309char callocZeroesBad () { 310 char *buf = calloc(2,2); 311 char result = buf[3]; // no-warning 312 if (buf[1] != 0) { 313 free(buf); // expected-warning{{never executed}} 314 } 315 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 316} 317 318void nullFree() { 319 int *p = 0; 320 free(p); // no warning - a nop 321} 322 323void paramFree(int *p) { 324 myfoo(p); 325 free(p); // no warning 326 myfoo(p); // expected-warning {{Use of memory after it is freed}} 327} 328 329int* mallocEscapeRet() { 330 int *p = malloc(12); 331 return p; // no warning 332} 333 334void mallocEscapeFoo() { 335 int *p = malloc(12); 336 myfoo(p); 337 return; // no warning 338} 339 340void mallocEscapeFree() { 341 int *p = malloc(12); 342 myfoo(p); 343 free(p); 344} 345 346void mallocEscapeFreeFree() { 347 int *p = malloc(12); 348 myfoo(p); 349 free(p); 350 free(p); // expected-warning{{Attempt to free released memory}} 351} 352 353void mallocEscapeFreeUse() { 354 int *p = malloc(12); 355 myfoo(p); 356 free(p); 357 myfoo(p); // expected-warning{{Use of memory after it is freed}} 358} 359 360int *myalloc(); 361void myalloc2(int **p); 362 363void mallocEscapeFreeCustomAlloc() { 364 int *p = malloc(12); 365 myfoo(p); 366 free(p); 367 p = myalloc(); 368 free(p); // no warning 369} 370 371void mallocEscapeFreeCustomAlloc2() { 372 int *p = malloc(12); 373 myfoo(p); 374 free(p); 375 myalloc2(&p); 376 free(p); // no warning 377} 378 379void mallocBindFreeUse() { 380 int *x = malloc(12); 381 int *y = x; 382 free(y); 383 myfoo(x); // expected-warning{{Use of memory after it is freed}} 384} 385 386void mallocEscapeMalloc() { 387 int *p = malloc(12); 388 myfoo(p); 389 p = malloc(12); 390} // expected-warning{{Potential leak of memory pointed to by}} 391 392void mallocMalloc() { 393 int *p = malloc(12); 394 p = malloc(12); 395} // expected-warning {{Potential leak of memory pointed to by}} 396 397void mallocFreeMalloc() { 398 int *p = malloc(12); 399 free(p); 400 p = malloc(12); 401 free(p); 402} 403 404void mallocFreeUse_params() { 405 int *p = malloc(12); 406 free(p); 407 myfoo(p); //expected-warning{{Use of memory after it is freed}} 408} 409 410void mallocFreeUse_params2() { 411 int *p = malloc(12); 412 free(p); 413 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 414} 415 416void mallocFailedOrNot() { 417 int *p = malloc(12); 418 if (!p) 419 free(p); 420 else 421 free(p); 422} 423 424struct StructWithInt { 425 int g; 426}; 427 428int *mallocReturnFreed() { 429 int *p = malloc(12); 430 free(p); 431 return p; // expected-warning {{Use of memory after it is freed}} 432} 433 434int useAfterFreeStruct() { 435 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 436 px->g = 5; 437 free(px); 438 return px->g; // expected-warning {{Use of memory after it is freed}} 439} 440 441void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 442 443void mallocEscapeFooNonSymbolArg() { 444 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 445 nonSymbolAsFirstArg(&p->g, p); 446 return; // no warning 447} 448 449void mallocFailedOrNotLeak() { 450 int *p = malloc(12); 451 if (p == 0) 452 return; // no warning 453 else 454 return; // expected-warning {{Potential leak of memory pointed to by}} 455} 456 457void mallocAssignment() { 458 char *p = malloc(12); 459 p = fooRetPtr(); 460} // expected-warning {{leak}} 461 462int vallocTest() { 463 char *mem = valloc(12); 464 return 0; // expected-warning {{Potential leak of memory pointed to by}} 465} 466 467void vallocEscapeFreeUse() { 468 int *p = valloc(12); 469 myfoo(p); 470 free(p); 471 myfoo(p); // expected-warning{{Use of memory after it is freed}} 472} 473 474int *Gl; 475struct GlStTy { 476 int *x; 477}; 478 479struct GlStTy GlS = {0}; 480 481void GlobalFree() { 482 free(Gl); 483} 484 485void GlobalMalloc() { 486 Gl = malloc(12); 487} 488 489void GlobalStructMalloc() { 490 int *a = malloc(12); 491 GlS.x = a; 492} 493 494void GlobalStructMallocFree() { 495 int *a = malloc(12); 496 GlS.x = a; 497 free(GlS.x); 498} 499 500char *ArrayG[12]; 501 502void globalArrayTest() { 503 char *p = (char*)malloc(12); 504 ArrayG[0] = p; 505} 506 507// Make sure that we properly handle a pointer stored into a local struct/array. 508typedef struct _StructWithPtr { 509 int *memP; 510} StructWithPtr; 511 512static StructWithPtr arrOfStructs[10]; 513 514void testMalloc() { 515 int *x = malloc(12); 516 StructWithPtr St; 517 St.memP = x; 518 arrOfStructs[0] = St; // no-warning 519} 520 521StructWithPtr testMalloc2() { 522 int *x = malloc(12); 523 StructWithPtr St; 524 St.memP = x; 525 return St; // no-warning 526} 527 528int *testMalloc3() { 529 int *x = malloc(12); 530 int *y = x; 531 return y; // no-warning 532} 533 534void testStructLeak() { 535 StructWithPtr St; 536 St.memP = malloc(12); 537 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}} 538} 539 540void testElemRegion1() { 541 char *x = (void*)malloc(2); 542 int *ix = (int*)x; 543 free(&(x[0])); 544} 545 546void testElemRegion2(int **pp) { 547 int *p = malloc(12); 548 *pp = p; 549 free(pp[0]); 550} 551 552void testElemRegion3(int **pp) { 553 int *p = malloc(12); 554 *pp = p; 555 free(*pp); 556} 557// Region escape testing. 558 559unsigned takePtrToPtr(int **p); 560void PassTheAddrOfAllocatedData(int f) { 561 int *p = malloc(12); 562 // We don't know what happens after the call. Should stop tracking here. 563 if (takePtrToPtr(&p)) 564 f++; 565 free(p); // no warning 566} 567 568struct X { 569 int *p; 570}; 571unsigned takePtrToStruct(struct X *s); 572int ** foo2(int *g, int f) { 573 int *p = malloc(12); 574 struct X *px= malloc(sizeof(struct X)); 575 px->p = p; 576 // We don't know what happens after this call. Should not track px nor p. 577 if (takePtrToStruct(px)) 578 f++; 579 free(p); 580 return 0; 581} 582 583struct X* RegInvalidationDetect1(struct X *s2) { 584 struct X *px= malloc(sizeof(struct X)); 585 px->p = 0; 586 px = s2; 587 return px; // expected-warning {{Potential leak of memory pointed to by}} 588} 589 590struct X* RegInvalidationGiveUp1() { 591 int *p = malloc(12); 592 struct X *px= malloc(sizeof(struct X)); 593 px->p = p; 594 return px; 595} 596 597int **RegInvalidationDetect2(int **pp) { 598 int *p = malloc(12); 599 pp = &p; 600 pp++; 601 return 0;// expected-warning {{Potential leak of memory pointed to by}} 602} 603 604extern void exit(int) __attribute__ ((__noreturn__)); 605void mallocExit(int *g) { 606 struct xx *p = malloc(12); 607 if (g != 0) 608 exit(1); 609 free(p); 610 return; 611} 612 613extern void __assert_fail (__const char *__assertion, __const char *__file, 614 unsigned int __line, __const char *__function) 615 __attribute__ ((__noreturn__)); 616#define assert(expr) \ 617 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 618void mallocAssert(int *g) { 619 struct xx *p = malloc(12); 620 621 assert(g != 0); 622 free(p); 623 return; 624} 625 626void doNotInvalidateWhenPassedToSystemCalls(char *s) { 627 char *p = malloc(12); 628 strlen(p); 629 strcpy(p, s); 630 strcpy(s, p); 631 strcpy(p, p); 632 memcpy(p, s, 1); 633 memcpy(s, p, 1); 634 memcpy(p, p, 1); 635} // expected-warning {{leak}} 636 637// Treat source buffer contents as escaped. 638void escapeSourceContents(char *s) { 639 char *p = malloc(12); 640 memcpy(s, &p, 12); // no warning 641 642 void *p1 = malloc(7); 643 char *a; 644 memcpy(&a, &p1, sizeof a); 645 // FIXME: No warning due to limitations imposed by current modelling of 646 // 'memcpy' (regions metadata is not copied). 647 648 int *ptrs[2]; 649 int *allocated = (int *)malloc(4); 650 memcpy(&ptrs[0], &allocated, sizeof(int *)); 651 // FIXME: No warning due to limitations imposed by current modelling of 652 // 'memcpy' (regions metadata is not copied). 653} 654 655void invalidateDestinationContents() { 656 int *null = 0; 657 int *p = (int *)malloc(4); 658 memcpy(&p, &null, sizeof(int *)); 659 660 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}} 661 ptrs1[0] = (int *)malloc(4); 662 memcpy(ptrs1, &null, sizeof(int *)); 663 664 int *ptrs2[2]; // expected-warning {{Potential memory leak}} 665 ptrs2[0] = (int *)malloc(4); 666 memcpy(&ptrs2[1], &null, sizeof(int *)); 667 668 int *ptrs3[2]; // expected-warning {{Potential memory leak}} 669 ptrs3[0] = (int *)malloc(4); 670 memcpy(&ptrs3[0], &null, sizeof(int *)); 671} // expected-warning {{Potential memory leak}} 672 673// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 674void symbolLostWithStrcpy(char *s) { 675 char *p = malloc(12); 676 p = strcpy(p, s); 677 free(p); 678} 679 680 681// The same test as the one above, but with what is actually generated on a mac. 682static __inline char * 683__inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 684{ 685 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 686} 687 688void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 689 char *p = malloc(12); 690 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 691 free(p); 692} 693 694// Here we are returning a pointer one past the allocated value. An idiom which 695// can be used for implementing special malloc. The correct uses of this might 696// be rare enough so that we could keep this as a warning. 697static void *specialMalloc(int n){ 698 int *p; 699 p = malloc( n+8 ); 700 if( p ){ 701 p[0] = n; 702 p++; 703 } 704 return p; 705} 706 707// Potentially, the user could free the struct by performing pointer arithmetic on the return value. 708// This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 709int *specialMallocWithStruct() { 710 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 711 return &(px->g); 712} 713 714// Test various allocation/deallocation functions. 715void testStrdup(const char *s, unsigned validIndex) { 716 char *s2 = strdup(s); 717 s2[validIndex + 1] = 'b'; 718} // expected-warning {{Potential leak of memory pointed to by}} 719 720int testStrndup(const char *s, unsigned validIndex, unsigned size) { 721 char *s2 = strndup(s, size); 722 s2 [validIndex + 1] = 'b'; 723 if (s2[validIndex] != 'a') 724 return 0; 725 else 726 return 1;// expected-warning {{Potential leak of memory pointed to by}} 727} 728 729void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 730 char *s2 = strdup(s); 731 char result = s2[1];// no warning 732 free(s2); 733} 734 735// ---------------------------------------------------------------------------- 736// Test the system library functions to which the pointer can escape. 737// This tests false positive suppression. 738 739// For now, we assume memory passed to pthread_specific escapes. 740// TODO: We could check that if a new pthread binding is set, the existing 741// binding must be freed; otherwise, a memory leak can occur. 742void testPthereadSpecificEscape(pthread_key_t key) { 743 void *buf = malloc(12); 744 pthread_setspecific(key, buf); // no warning 745} 746 747// PR12101: Test funopen(). 748static int releasePtr(void *_ctx) { 749 free(_ctx); 750 return 0; 751} 752FILE *useFunOpen() { 753 void *ctx = malloc(sizeof(int)); 754 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 755 if (f == 0) { 756 free(ctx); 757 } 758 return f; 759} 760FILE *useFunOpenNoReleaseFunction() { 761 void *ctx = malloc(sizeof(int)); 762 FILE *f = funopen(ctx, 0, 0, 0, 0); 763 if (f == 0) { 764 free(ctx); 765 } 766 return f; // expected-warning{{leak}} 767} 768 769static int readNothing(void *_ctx, char *buf, int size) { 770 return 0; 771} 772FILE *useFunOpenReadNoRelease() { 773 void *ctx = malloc(sizeof(int)); 774 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 775 if (f == 0) { 776 free(ctx); 777 } 778 return f; // expected-warning{{leak}} 779} 780 781// Test setbuf, setvbuf. 782int my_main_no_warning() { 783 char *p = malloc(100); 784 setvbuf(stdout, p, 0, 100); 785 return 0; 786} 787int my_main_no_warning2() { 788 char *p = malloc(100); 789 setbuf(__stdoutp, p); 790 return 0; 791} 792int my_main_warn(FILE *f) { 793 char *p = malloc(100); 794 setvbuf(f, p, 0, 100); 795 return 0;// expected-warning {{leak}} 796} 797 798// <rdar://problem/10978247>. 799// some people use stack allocated memory as an optimization to avoid 800// a heap allocation for small work sizes. This tests the analyzer's 801// understanding that the malloc'ed memory is not the same as stackBuffer. 802void radar10978247(int myValueSize) { 803 char stackBuffer[128]; 804 char *buffer; 805 806 if (myValueSize <= sizeof(stackBuffer)) 807 buffer = stackBuffer; 808 else 809 buffer = malloc(myValueSize); 810 811 // do stuff with the buffer 812 if (buffer != stackBuffer) 813 free(buffer); 814} 815 816void radar10978247_positive(int myValueSize) { 817 char stackBuffer[128]; 818 char *buffer; 819 820 if (myValueSize <= sizeof(stackBuffer)) 821 buffer = stackBuffer; 822 else 823 buffer = malloc(myValueSize); 824 825 // do stuff with the buffer 826 if (buffer == stackBuffer) 827 return; 828 else 829 return; // expected-warning {{leak}} 830} 831// <rdar://problem/11269741> Previously this triggered a false positive 832// because malloc() is known to return uninitialized memory and the binding 833// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 834struct rdar11269741_a_t { 835 struct rdar11269741_b_t { 836 int m; 837 } n; 838}; 839 840int rdar11269741(struct rdar11269741_b_t o) 841{ 842 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 843 p->n = o; 844 return p->n.m; // expected-warning {{leak}} 845} 846 847// Pointer arithmetic, returning an ElementRegion. 848void *radar11329382(unsigned bl) { 849 void *ptr = malloc (16); 850 ptr = ptr + (2 - bl); 851 return ptr; // no warning 852} 853 854void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 855int strcmp(const char *, const char *); 856char *a (void); 857void radar11270219(void) { 858 char *x = a(), *y = a(); 859 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 860 strcmp(x, y); // no warning 861} 862 863void radar_11358224_test_double_assign_ints_positive_2() 864{ 865 void *ptr = malloc(16); 866 ptr = ptr; 867} // expected-warning {{leak}} 868 869// Assume that functions which take a function pointer can free memory even if 870// they are defined in system headers and take the const pointer to the 871// allocated memory. (radar://11160612) 872int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 873void r11160612_1() { 874 char *x = malloc(12); 875 const_ptr_and_callback(0, x, 12, free); // no - warning 876} 877 878// Null is passed as callback. 879void r11160612_2() { 880 char *x = malloc(12); 881 const_ptr_and_callback(0, x, 12, 0); 882} // expected-warning {{leak}} 883 884// Callback is passed to a function defined in a system header. 885void r11160612_4() { 886 char *x = malloc(12); 887 sqlite3_bind_text_my(0, x, 12, free); // no - warning 888} 889 890// Passing callbacks in a struct. 891void r11160612_5(StWithCallback St) { 892 void *x = malloc(12); 893 dealocateMemWhenDoneByVal(x, St); 894} 895void r11160612_6(StWithCallback St) { 896 void *x = malloc(12); 897 dealocateMemWhenDoneByRef(&St, x); 898} 899 900int mySub(int, int); 901int myAdd(int, int); 902int fPtr(unsigned cond, int x) { 903 return (cond ? mySub : myAdd)(x, x); 904} 905 906// Test anti-aliasing. 907 908void dependsOnValueOfPtr(int *g, unsigned f) { 909 int *p; 910 911 if (f) { 912 p = g; 913 } else { 914 p = malloc(12); 915 } 916 917 if (p != g) 918 free(p); 919 else 920 return; // no warning 921 return; 922} 923 924int CMPRegionHeapToStack() { 925 int x = 0; 926 int *x1 = malloc(8); 927 int *x2 = &x; 928 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 929 free(x1); 930 return x; 931} 932 933int CMPRegionHeapToHeap2() { 934 int x = 0; 935 int *x1 = malloc(8); 936 int *x2 = malloc(8); 937 int *x4 = x1; 938 int *x5 = x2; 939 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 940 free(x1); 941 free(x2); 942 return x; 943} 944 945int CMPRegionHeapToHeap() { 946 int x = 0; 947 int *x1 = malloc(8); 948 int *x4 = x1; 949 if (x1 == x4) { 950 free(x1); 951 return 5/x; // expected-warning{{Division by zero}} 952 } 953 return x;// expected-warning{{This statement is never executed}} 954} 955 956int HeapAssignment() { 957 int m = 0; 958 int *x = malloc(4); 959 int *y = x; 960 *x = 5; 961 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 962 free(x); 963 return 0; 964} 965 966int *retPtr(); 967int *retPtrMightAlias(int *x); 968int cmpHeapAllocationToUnknown() { 969 int zero = 0; 970 int *yBefore = retPtr(); 971 int *m = malloc(8); 972 int *yAfter = retPtrMightAlias(m); 973 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 974 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 975 free(m); 976 return 0; 977} 978 979void localArrayTest() { 980 char *p = (char*)malloc(12); 981 char *ArrayL[12]; 982 ArrayL[0] = p; 983} // expected-warning {{leak}} 984 985void localStructTest() { 986 StructWithPtr St; 987 StructWithPtr *pSt = &St; 988 pSt->memP = malloc(12); 989} // expected-warning{{Potential leak of memory pointed to by}} 990 991#ifdef __INTPTR_TYPE__ 992// Test double assignment through integers. 993typedef __INTPTR_TYPE__ intptr_t; 994typedef unsigned __INTPTR_TYPE__ uintptr_t; 995 996static intptr_t glob; 997void test_double_assign_ints() 998{ 999 void *ptr = malloc (16); // no-warning 1000 glob = (intptr_t)(uintptr_t)ptr; 1001} 1002 1003void test_double_assign_ints_positive() 1004{ 1005 void *ptr = malloc(16); 1006 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 1007} // expected-warning {{leak}} 1008#endif 1009 1010void testCGContextNoLeak() 1011{ 1012 void *ptr = malloc(16); 1013 CGContextRef context = CGBitmapContextCreate(ptr); 1014 1015 // Because you can get the data back out like this, even much later, 1016 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 1017 free(CGBitmapContextGetData(context)); 1018} 1019 1020void testCGContextLeak() 1021{ 1022 void *ptr = malloc(16); 1023 CGContextRef context = CGBitmapContextCreate(ptr); 1024 // However, this time we're just leaking the data, because the context 1025 // object doesn't escape and it hasn't been freed in this function. 1026} 1027 1028// Allow xpc context to escape. radar://11635258 1029// TODO: Would be great if we checked that the finalize_connection_context actually releases it. 1030static void finalize_connection_context(void *ctx) { 1031 int *context = ctx; 1032 free(context); 1033} 1034void foo (xpc_connection_t peer) { 1035 int *ctx = calloc(1, sizeof(int)); 1036 xpc_connection_set_context(peer, ctx); 1037 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 1038 xpc_connection_resume(peer); 1039} 1040 1041// Make sure we catch errors when we free in a function which does not allocate memory. 1042void freeButNoMalloc(int *p, int x){ 1043 if (x) { 1044 free(p); 1045 //user forgot a return here. 1046 } 1047 free(p); // expected-warning {{Attempt to free released memory}} 1048} 1049 1050struct HasPtr { 1051 char *p; 1052}; 1053 1054char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1055 int *s; 1056 char *b = realloc(a->p, size); 1057 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 1058 return a->p; 1059} 1060 1061// We should not warn in this case since the caller will presumably free a->p in all cases. 1062int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1063 int *s; 1064 char *b = realloc(a->p, size); 1065 if (b == 0) 1066 return -1; 1067 a->p = b; 1068 return 0; 1069} 1070 1071// Test realloc with no visible malloc. 1072void *test(void *ptr) { 1073 void *newPtr = realloc(ptr, 4); 1074 if (newPtr == 0) { 1075 if (ptr) 1076 free(ptr); // no-warning 1077 } 1078 return newPtr; 1079} 1080 1081 1082char *testLeakWithinReturn(char *str) { 1083 return strdup(strdup(str)); // expected-warning{{leak}} 1084} 1085 1086void passConstPtr(const char * ptr); 1087 1088void testPassConstPointer() { 1089 char * string = malloc(sizeof(char)*10); 1090 passConstPtr(string); 1091 return; // expected-warning {{leak}} 1092} 1093 1094void testPassConstPointerIndirectly() { 1095 char *p = malloc(1); 1096 p++; 1097 memcmp(p, p, sizeof(&p)); 1098 return; // expected-warning {{leak}} 1099} 1100 1101void testPassConstPointerIndirectlyStruct() { 1102 struct HasPtr hp; 1103 hp.p = malloc(10); 1104 memcmp(&hp, &hp, sizeof(hp)); 1105 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}} 1106} 1107 1108void testPassToSystemHeaderFunctionIndirectlyStruct() { 1109 SomeStruct ss; 1110 ss.p = malloc(1); 1111 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1112 // Technically a false negative here -- we know the system function won't free 1113 // ss.p, but nothing else will either! 1114} // no-warning 1115 1116void testPassToSystemHeaderFunctionIndirectlyStructFree() { 1117 SomeStruct ss; 1118 ss.p = malloc(1); 1119 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1120 free(ss.p); 1121} // no-warning 1122 1123void testPassToSystemHeaderFunctionIndirectlyArray() { 1124 int *p[1]; 1125 p[0] = malloc(sizeof(int)); 1126 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1127 // Technically a false negative here -- we know the system function won't free 1128 // p[0], but nothing else will either! 1129} // no-warning 1130 1131void testPassToSystemHeaderFunctionIndirectlyArrayFree() { 1132 int *p[1]; 1133 p[0] = malloc(sizeof(int)); 1134 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1135 free(p[0]); 1136} // no-warning 1137 1138int *testOffsetAllocate(size_t size) { 1139 int *memoryBlock = (int *)malloc(size + sizeof(int)); 1140 return &memoryBlock[1]; // no-warning 1141} 1142 1143void testOffsetDeallocate(int *memoryBlock) { 1144 free(&memoryBlock[-1]); // no-warning 1145} 1146 1147void testOffsetOfRegionFreed() { 1148 __int64_t * array = malloc(sizeof(__int64_t)*2); 1149 array += 1; 1150 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1151} 1152 1153void testOffsetOfRegionFreed2() { 1154 __int64_t *p = malloc(sizeof(__int64_t)*2); 1155 p += 1; 1156 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1157} 1158 1159void testOffsetOfRegionFreed3() { 1160 char *r = malloc(sizeof(char)); 1161 r = r - 10; 1162 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}} 1163} 1164 1165void testOffsetOfRegionFreedAfterFunctionCall() { 1166 int *p = malloc(sizeof(int)*2); 1167 p += 1; 1168 myfoo(p); 1169 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}} 1170} 1171 1172void testFixManipulatedPointerBeforeFree() { 1173 int * array = malloc(sizeof(int)*2); 1174 array += 1; 1175 free(&array[-1]); // no-warning 1176} 1177 1178void testFixManipulatedPointerBeforeFree2() { 1179 char *r = malloc(sizeof(char)); 1180 r = r + 10; 1181 free(r-10); // no-warning 1182} 1183 1184void freeOffsetPointerPassedToFunction() { 1185 __int64_t *p = malloc(sizeof(__int64_t)*2); 1186 p[1] = 0; 1187 p += 1; 1188 myfooint(*p); // not passing the pointer, only a value pointed by pointer 1189 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1190} 1191 1192int arbitraryInt(); 1193void freeUnknownOffsetPointer() { 1194 char *r = malloc(sizeof(char)); 1195 r = r + arbitraryInt(); // unable to reason about what the offset might be 1196 free(r); // no-warning 1197} 1198 1199void testFreeNonMallocPointerWithNoOffset() { 1200 char c; 1201 char *r = &c; 1202 r = r + 10; 1203 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1204} 1205 1206void testFreeNonMallocPointerWithOffset() { 1207 char c; 1208 char *r = &c; 1209 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1210} 1211 1212void testOffsetZeroDoubleFree() { 1213 int *array = malloc(sizeof(int)*2); 1214 int *p = &array[0]; 1215 free(p); 1216 free(&array[0]); // expected-warning{{Attempt to free released memory}} 1217} 1218 1219void testOffsetPassedToStrlen() { 1220 char * string = malloc(sizeof(char)*10); 1221 string += 1; 1222 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}} 1223} 1224 1225void testOffsetPassedToStrlenThenFree() { 1226 char * string = malloc(sizeof(char)*10); 1227 string += 1; 1228 int length = strlen(string); 1229 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1230} 1231 1232void testOffsetPassedAsConst() { 1233 char * string = malloc(sizeof(char)*10); 1234 string += 1; 1235 passConstPtr(string); 1236 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1237} 1238 1239char **_vectorSegments; 1240int _nVectorSegments; 1241 1242void poolFreeC(void* s) { 1243 free(s); // no-warning 1244} 1245void freeMemory() { 1246 while (_nVectorSegments) { 1247 poolFreeC(_vectorSegments[_nVectorSegments++]); 1248 } 1249} 1250 1251// PR16730 1252void testReallocEscaped(void **memory) { 1253 *memory = malloc(47); 1254 char *new_memory = realloc(*memory, 47); 1255 if (new_memory != 0) { 1256 *memory = new_memory; 1257 } 1258} 1259 1260// PR16558 1261void *smallocNoWarn(size_t size) { 1262 if (size == 0) { 1263 return malloc(1); // this branch is never called 1264 } 1265 else { 1266 return malloc(size); 1267 } 1268} 1269 1270char *dupstrNoWarn(const char *s) { 1271 const int len = strlen(s); 1272 char *p = (char*) smallocNoWarn(len + 1); 1273 strcpy(p, s); // no-warning 1274 return p; 1275} 1276 1277void *smallocWarn(size_t size) { 1278 if (size == 2) { 1279 return malloc(1); 1280 } 1281 else { 1282 return malloc(size); 1283 } 1284} 1285 1286char *dupstrWarn(const char *s) { 1287 const int len = strlen(s); 1288 char *p = (char*) smallocWarn(len + 1); 1289 strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}} 1290 return p; 1291} 1292 1293int *radar15580979() { 1294 int *data = (int *)malloc(32); 1295 int *p = data ?: (int*)malloc(32); // no warning 1296 return p; 1297} 1298 1299// ---------------------------------------------------------------------------- 1300// False negatives. 1301 1302void testMallocWithParam(int **p) { 1303 *p = (int*) malloc(sizeof(int)); 1304 *p = 0; // FIXME: should warn here 1305} 1306 1307void testMallocWithParam_2(int **p) { 1308 *p = (int*) malloc(sizeof(int)); // no-warning 1309} 1310 1311void testPassToSystemHeaderFunctionIndirectly() { 1312 int *p = malloc(4); 1313 p++; 1314 fakeSystemHeaderCallInt(p); 1315 // FIXME: This is a leak: if we think a system function won't free p, it 1316 // won't free (p-1) either. 1317} 1318