malloc.c revision 6e99f9f56f320818d814a5474d76a2849e037c55
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2 3#include "Inputs/system-header-simulator.h" 4 5void clang_analyzer_eval(int); 6 7typedef __typeof(sizeof(int)) size_t; 8void *malloc(size_t); 9void *valloc(size_t); 10void free(void *); 11void *realloc(void *ptr, size_t size); 12void *reallocf(void *ptr, size_t size); 13void *calloc(size_t nmemb, size_t size); 14char *strdup(const char *s); 15char *strndup(const char *s, size_t n); 16 17void myfoo(int *p); 18void myfooint(int p); 19char *fooRetPtr(); 20 21void f1() { 22 int *p = malloc(12); 23 return; // expected-warning{{Memory is never released; potential leak of memory pointed to by 'p'}} 24} 25 26void f2() { 27 int *p = malloc(12); 28 free(p); 29 free(p); // expected-warning{{Attempt to free released memory}} 30} 31 32void f2_realloc_0() { 33 int *p = malloc(12); 34 realloc(p,0); 35 realloc(p,0); // expected-warning{{Attempt to free released memory}} 36} 37 38void f2_realloc_1() { 39 int *p = malloc(12); 40 int *q = realloc(p,0); // no-warning 41} 42 43void reallocNotNullPtr(unsigned sizeIn) { 44 unsigned size = 12; 45 char *p = (char*)malloc(size); 46 if (p) { 47 char *q = (char*)realloc(p, sizeIn); 48 char x = *q; // expected-warning {{Memory is never released; potential leak of memory pointed to by 'q'}} 49 } 50} 51 52int *realloctest1() { 53 int *q = malloc(12); 54 q = realloc(q, 20); 55 return q; // no warning - returning the allocated value 56} 57 58// p should be freed if realloc fails. 59void reallocFails() { 60 char *p = malloc(12); 61 char *r = realloc(p, 12+1); 62 if (!r) { 63 free(p); 64 } else { 65 free(r); 66 } 67} 68 69void reallocSizeZero1() { 70 char *p = malloc(12); 71 char *r = realloc(p, 0); 72 if (!r) { 73 free(p); // expected-warning {{Attempt to free released memory}} 74 } else { 75 free(r); 76 } 77} 78 79void reallocSizeZero2() { 80 char *p = malloc(12); 81 char *r = realloc(p, 0); 82 if (!r) { 83 free(p); // expected-warning {{Attempt to free released memory}} 84 } else { 85 free(r); 86 } 87 free(p); // expected-warning {{Attempt to free released memory}} 88} 89 90void reallocSizeZero3() { 91 char *p = malloc(12); 92 char *r = realloc(p, 0); 93 free(r); 94} 95 96void reallocSizeZero4() { 97 char *r = realloc(0, 0); 98 free(r); 99} 100 101void reallocSizeZero5() { 102 char *r = realloc(0, 0); 103} 104 105void reallocPtrZero1() { 106 char *r = realloc(0, 12); 107} // expected-warning {{Memory is never released; potential leak of memory pointed to by 'r'}} 108 109void reallocPtrZero2() { 110 char *r = realloc(0, 12); 111 if (r) 112 free(r); 113} 114 115void reallocPtrZero3() { 116 char *r = realloc(0, 12); 117 free(r); 118} 119 120void reallocRadar6337483_1() { 121 char *buf = malloc(100); 122 buf = (char*)realloc(buf, 0x1000000); 123 if (!buf) { 124 return;// expected-warning {{Memory is never released; potential leak}} 125 } 126 free(buf); 127} 128 129void reallocRadar6337483_2() { 130 char *buf = malloc(100); 131 char *buf2 = (char*)realloc(buf, 0x1000000); 132 if (!buf2) { 133 ; 134 } else { 135 free(buf2); 136 } 137} // expected-warning {{Memory is never released; potential leak}} 138 139void reallocRadar6337483_3() { 140 char * buf = malloc(100); 141 char * tmp; 142 tmp = (char*)realloc(buf, 0x1000000); 143 if (!tmp) { 144 free(buf); 145 return; 146 } 147 buf = tmp; 148 free(buf); 149} 150 151void reallocRadar6337483_4() { 152 char *buf = malloc(100); 153 char *buf2 = (char*)realloc(buf, 0x1000000); 154 if (!buf2) { 155 return; // expected-warning {{Memory is never released; potential leak}} 156 } else { 157 free(buf2); 158 } 159} 160 161int *reallocfTest1() { 162 int *q = malloc(12); 163 q = reallocf(q, 20); 164 return q; // no warning - returning the allocated value 165} 166 167void reallocfRadar6337483_4() { 168 char *buf = malloc(100); 169 char *buf2 = (char*)reallocf(buf, 0x1000000); 170 if (!buf2) { 171 return; // no warning - reallocf frees even on failure 172 } else { 173 free(buf2); 174 } 175} 176 177void reallocfRadar6337483_3() { 178 char * buf = malloc(100); 179 char * tmp; 180 tmp = (char*)reallocf(buf, 0x1000000); 181 if (!tmp) { 182 free(buf); // expected-warning {{Attempt to free released memory}} 183 return; 184 } 185 buf = tmp; 186 free(buf); 187} 188 189void reallocfPtrZero1() { 190 char *r = reallocf(0, 12); 191} // expected-warning {{Memory is never released; potential leak}} 192 193 194// This case tests that storing malloc'ed memory to a static variable which is 195// then returned is not leaked. In the absence of known contracts for functions 196// or inter-procedural analysis, this is a conservative answer. 197int *f3() { 198 static int *p = 0; 199 p = malloc(12); 200 return p; // no-warning 201} 202 203// This case tests that storing malloc'ed memory to a static global variable 204// which is then returned is not leaked. In the absence of known contracts for 205// functions or inter-procedural analysis, this is a conservative answer. 206static int *p_f4 = 0; 207int *f4() { 208 p_f4 = malloc(12); 209 return p_f4; // no-warning 210} 211 212int *f5() { 213 int *q = malloc(12); 214 q = realloc(q, 20); 215 return q; // no-warning 216} 217 218void f6() { 219 int *p = malloc(12); 220 if (!p) 221 return; // no-warning 222 else 223 free(p); 224} 225 226void f6_realloc() { 227 int *p = malloc(12); 228 if (!p) 229 return; // no-warning 230 else 231 realloc(p,0); 232} 233 234 235char *doit2(); 236void pr6069() { 237 char *buf = doit2(); 238 free(buf); 239} 240 241void pr6293() { 242 free(0); 243} 244 245void f7() { 246 char *x = (char*) malloc(4); 247 free(x); 248 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 249} 250 251void f8() { 252 char *x = (char*) malloc(4); 253 free(x); 254 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 255} 256 257void f7_realloc() { 258 char *x = (char*) malloc(4); 259 realloc(x,0); 260 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 261} 262 263void PR6123() { 264 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 265} 266 267void PR7217() { 268 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 269 buf[1] = 'c'; // not crash 270} 271 272void mallocCastToVoid() { 273 void *p = malloc(2); 274 const void *cp = p; // not crash 275 free(p); 276} 277 278void mallocCastToFP() { 279 void *p = malloc(2); 280 void (*fp)() = p; // not crash 281 free(p); 282} 283 284// This tests that malloc() buffers are undefined by default 285char mallocGarbage () { 286 char *buf = malloc(2); 287 char result = buf[1]; // expected-warning{{undefined}} 288 free(buf); 289 return result; 290} 291 292// This tests that calloc() buffers need to be freed 293void callocNoFree () { 294 char *buf = calloc(2,2); 295 return; // expected-warning{{never released}} 296} 297 298// These test that calloc() buffers are zeroed by default 299char callocZeroesGood () { 300 char *buf = calloc(2,2); 301 char result = buf[3]; // no-warning 302 if (buf[1] == 0) { 303 free(buf); 304 } 305 return result; // no-warning 306} 307 308char callocZeroesBad () { 309 char *buf = calloc(2,2); 310 char result = buf[3]; // no-warning 311 if (buf[1] != 0) { 312 free(buf); // expected-warning{{never executed}} 313 } 314 return result; // expected-warning{{never released}} 315} 316 317void nullFree() { 318 int *p = 0; 319 free(p); // no warning - a nop 320} 321 322void paramFree(int *p) { 323 myfoo(p); 324 free(p); // no warning 325 myfoo(p); // expected-warning {{Use of memory after it is freed}} 326} 327 328int* mallocEscapeRet() { 329 int *p = malloc(12); 330 return p; // no warning 331} 332 333void mallocEscapeFoo() { 334 int *p = malloc(12); 335 myfoo(p); 336 return; // no warning 337} 338 339void mallocEscapeFree() { 340 int *p = malloc(12); 341 myfoo(p); 342 free(p); 343} 344 345void mallocEscapeFreeFree() { 346 int *p = malloc(12); 347 myfoo(p); 348 free(p); 349 free(p); // expected-warning{{Attempt to free released memory}} 350} 351 352void mallocEscapeFreeUse() { 353 int *p = malloc(12); 354 myfoo(p); 355 free(p); 356 myfoo(p); // expected-warning{{Use of memory after it is freed}} 357} 358 359int *myalloc(); 360void myalloc2(int **p); 361 362void mallocEscapeFreeCustomAlloc() { 363 int *p = malloc(12); 364 myfoo(p); 365 free(p); 366 p = myalloc(); 367 free(p); // no warning 368} 369 370void mallocEscapeFreeCustomAlloc2() { 371 int *p = malloc(12); 372 myfoo(p); 373 free(p); 374 myalloc2(&p); 375 free(p); // no warning 376} 377 378void mallocBindFreeUse() { 379 int *x = malloc(12); 380 int *y = x; 381 free(y); 382 myfoo(x); // expected-warning{{Use of memory after it is freed}} 383} 384 385void mallocEscapeMalloc() { 386 int *p = malloc(12); 387 myfoo(p); 388 p = malloc(12); 389} // expected-warning{{Memory is never released; potential leak}} 390 391void mallocMalloc() { 392 int *p = malloc(12); 393 p = malloc(12); 394} // expected-warning {{Memory is never released; potential leak}} 395 396void mallocFreeMalloc() { 397 int *p = malloc(12); 398 free(p); 399 p = malloc(12); 400 free(p); 401} 402 403void mallocFreeUse_params() { 404 int *p = malloc(12); 405 free(p); 406 myfoo(p); //expected-warning{{Use of memory after it is freed}} 407} 408 409void mallocFreeUse_params2() { 410 int *p = malloc(12); 411 free(p); 412 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 413} 414 415void mallocFailedOrNot() { 416 int *p = malloc(12); 417 if (!p) 418 free(p); 419 else 420 free(p); 421} 422 423struct StructWithInt { 424 int g; 425}; 426 427int *mallocReturnFreed() { 428 int *p = malloc(12); 429 free(p); 430 return p; // expected-warning {{Use of memory after it is freed}} 431} 432 433int useAfterFreeStruct() { 434 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 435 px->g = 5; 436 free(px); 437 return px->g; // expected-warning {{Use of memory after it is freed}} 438} 439 440void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 441 442void mallocEscapeFooNonSymbolArg() { 443 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 444 nonSymbolAsFirstArg(&p->g, p); 445 return; // no warning 446} 447 448void mallocFailedOrNotLeak() { 449 int *p = malloc(12); 450 if (p == 0) 451 return; // no warning 452 else 453 return; // expected-warning {{Memory is never released; potential leak}} 454} 455 456void mallocAssignment() { 457 char *p = malloc(12); 458 p = fooRetPtr(); 459} // expected-warning {{leak}} 460 461int vallocTest() { 462 char *mem = valloc(12); 463 return 0; // expected-warning {{Memory is never released; potential leak}} 464} 465 466void vallocEscapeFreeUse() { 467 int *p = valloc(12); 468 myfoo(p); 469 free(p); 470 myfoo(p); // expected-warning{{Use of memory after it is freed}} 471} 472 473int *Gl; 474struct GlStTy { 475 int *x; 476}; 477 478struct GlStTy GlS = {0}; 479 480void GlobalFree() { 481 free(Gl); 482} 483 484void GlobalMalloc() { 485 Gl = malloc(12); 486} 487 488void GlobalStructMalloc() { 489 int *a = malloc(12); 490 GlS.x = a; 491} 492 493void GlobalStructMallocFree() { 494 int *a = malloc(12); 495 GlS.x = a; 496 free(GlS.x); 497} 498 499char *ArrayG[12]; 500 501void globalArrayTest() { 502 char *p = (char*)malloc(12); 503 ArrayG[0] = p; 504} 505 506// Make sure that we properly handle a pointer stored into a local struct/array. 507typedef struct _StructWithPtr { 508 int *memP; 509} StructWithPtr; 510 511static StructWithPtr arrOfStructs[10]; 512 513void testMalloc() { 514 int *x = malloc(12); 515 StructWithPtr St; 516 St.memP = x; 517 arrOfStructs[0] = St; // no-warning 518} 519 520StructWithPtr testMalloc2() { 521 int *x = malloc(12); 522 StructWithPtr St; 523 St.memP = x; 524 return St; // no-warning 525} 526 527int *testMalloc3() { 528 int *x = malloc(12); 529 int *y = x; 530 return y; // no-warning 531} 532 533void testStructLeak() { 534 StructWithPtr St; 535 St.memP = malloc(12); 536 return; // expected-warning {{Memory is never released; potential leak of memory pointed to by 'St.memP'}} 537} 538 539void testElemRegion1() { 540 char *x = (void*)malloc(2); 541 int *ix = (int*)x; 542 free(&(x[0])); 543} 544 545void testElemRegion2(int **pp) { 546 int *p = malloc(12); 547 *pp = p; 548 free(pp[0]); 549} 550 551void testElemRegion3(int **pp) { 552 int *p = malloc(12); 553 *pp = p; 554 free(*pp); 555} 556// Region escape testing. 557 558unsigned takePtrToPtr(int **p); 559void PassTheAddrOfAllocatedData(int f) { 560 int *p = malloc(12); 561 // We don't know what happens after the call. Should stop tracking here. 562 if (takePtrToPtr(&p)) 563 f++; 564 free(p); // no warning 565} 566 567struct X { 568 int *p; 569}; 570unsigned takePtrToStruct(struct X *s); 571int ** foo2(int *g, int f) { 572 int *p = malloc(12); 573 struct X *px= malloc(sizeof(struct X)); 574 px->p = p; 575 // We don't know what happens after this call. Should not track px nor p. 576 if (takePtrToStruct(px)) 577 f++; 578 free(p); 579 return 0; 580} 581 582struct X* RegInvalidationDetect1(struct X *s2) { 583 struct X *px= malloc(sizeof(struct X)); 584 px->p = 0; 585 px = s2; 586 return px; // expected-warning {{Memory is never released; potential leak}} 587} 588 589struct X* RegInvalidationGiveUp1() { 590 int *p = malloc(12); 591 struct X *px= malloc(sizeof(struct X)); 592 px->p = p; 593 return px; 594} 595 596int **RegInvalidationDetect2(int **pp) { 597 int *p = malloc(12); 598 pp = &p; 599 pp++; 600 return 0;// expected-warning {{Memory is never released; potential leak}} 601} 602 603extern void exit(int) __attribute__ ((__noreturn__)); 604void mallocExit(int *g) { 605 struct xx *p = malloc(12); 606 if (g != 0) 607 exit(1); 608 free(p); 609 return; 610} 611 612extern void __assert_fail (__const char *__assertion, __const char *__file, 613 unsigned int __line, __const char *__function) 614 __attribute__ ((__noreturn__)); 615#define assert(expr) \ 616 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 617void mallocAssert(int *g) { 618 struct xx *p = malloc(12); 619 620 assert(g != 0); 621 free(p); 622 return; 623} 624 625void doNotInvalidateWhenPassedToSystemCalls(char *s) { 626 char *p = malloc(12); 627 strlen(p); 628 strcpy(p, s); 629} // expected-warning {{leak}} 630 631// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 632void symbolLostWithStrcpy(char *s) { 633 char *p = malloc(12); 634 p = strcpy(p, s); 635 free(p); 636} 637 638 639// The same test as the one above, but with what is actually generated on a mac. 640static __inline char * 641__inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 642{ 643 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 644} 645 646void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 647 char *p = malloc(12); 648 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 649 free(p); 650} 651 652// Here we are returning a pointer one past the allocated value. An idiom which 653// can be used for implementing special malloc. The correct uses of this might 654// be rare enough so that we could keep this as a warning. 655static void *specialMalloc(int n){ 656 int *p; 657 p = malloc( n+8 ); 658 if( p ){ 659 p[0] = n; 660 p++; 661 } 662 return p; 663} 664 665// Potentially, the user could free the struct by performing pointer arithmetic on the return value. 666// This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 667int *specialMallocWithStruct() { 668 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 669 return &(px->g); 670} 671 672// Test various allocation/deallocation functions. 673void testStrdup(const char *s, unsigned validIndex) { 674 char *s2 = strdup(s); 675 s2[validIndex + 1] = 'b'; 676} // expected-warning {{Memory is never released; potential leak}} 677 678int testStrndup(const char *s, unsigned validIndex, unsigned size) { 679 char *s2 = strndup(s, size); 680 s2 [validIndex + 1] = 'b'; 681 if (s2[validIndex] != 'a') 682 return 0; 683 else 684 return 1;// expected-warning {{Memory is never released; potential leak}} 685} 686 687void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 688 char *s2 = strdup(s); 689 char result = s2[1];// no warning 690 free(s2); 691} 692 693// ---------------------------------------------------------------------------- 694// Test the system library functions to which the pointer can escape. 695// This tests false positive suppression. 696 697// For now, we assume memory passed to pthread_specific escapes. 698// TODO: We could check that if a new pthread binding is set, the existing 699// binding must be freed; otherwise, a memory leak can occur. 700void testPthereadSpecificEscape(pthread_key_t key) { 701 void *buf = malloc(12); 702 pthread_setspecific(key, buf); // no warning 703} 704 705// PR12101: Test funopen(). 706static int releasePtr(void *_ctx) { 707 free(_ctx); 708 return 0; 709} 710FILE *useFunOpen() { 711 void *ctx = malloc(sizeof(int)); 712 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 713 if (f == 0) { 714 free(ctx); 715 } 716 return f; 717} 718FILE *useFunOpenNoReleaseFunction() { 719 void *ctx = malloc(sizeof(int)); 720 FILE *f = funopen(ctx, 0, 0, 0, 0); 721 if (f == 0) { 722 free(ctx); 723 } 724 return f; // expected-warning{{leak}} 725} 726 727static int readNothing(void *_ctx, char *buf, int size) { 728 return 0; 729} 730FILE *useFunOpenReadNoRelease() { 731 void *ctx = malloc(sizeof(int)); 732 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 733 if (f == 0) { 734 free(ctx); 735 } 736 return f; // expected-warning{{leak}} 737} 738 739// Test setbuf, setvbuf. 740int my_main_no_warning() { 741 char *p = malloc(100); 742 setvbuf(stdout, p, 0, 100); 743 return 0; 744} 745int my_main_no_warning2() { 746 char *p = malloc(100); 747 setbuf(__stdoutp, p); 748 return 0; 749} 750int my_main_warn(FILE *f) { 751 char *p = malloc(100); 752 setvbuf(f, p, 0, 100); 753 return 0;// expected-warning {{leak}} 754} 755 756// <rdar://problem/10978247>. 757// some people use stack allocated memory as an optimization to avoid 758// a heap allocation for small work sizes. This tests the analyzer's 759// understanding that the malloc'ed memory is not the same as stackBuffer. 760void radar10978247(int myValueSize) { 761 char stackBuffer[128]; 762 char *buffer; 763 764 if (myValueSize <= sizeof(stackBuffer)) 765 buffer = stackBuffer; 766 else 767 buffer = malloc(myValueSize); 768 769 // do stuff with the buffer 770 if (buffer != stackBuffer) 771 free(buffer); 772} 773 774void radar10978247_positive(int myValueSize) { 775 char stackBuffer[128]; 776 char *buffer; 777 778 if (myValueSize <= sizeof(stackBuffer)) 779 buffer = stackBuffer; 780 else 781 buffer = malloc(myValueSize); 782 783 // do stuff with the buffer 784 if (buffer == stackBuffer) 785 return; 786 else 787 return; // expected-warning {{leak}} 788} 789// <rdar://problem/11269741> Previously this triggered a false positive 790// because malloc() is known to return uninitialized memory and the binding 791// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 792struct rdar11269741_a_t { 793 struct rdar11269741_b_t { 794 int m; 795 } n; 796}; 797 798int rdar11269741(struct rdar11269741_b_t o) 799{ 800 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 801 p->n = o; 802 return p->n.m; // expected-warning {{leak}} 803} 804 805// Pointer arithmetic, returning an ElementRegion. 806void *radar11329382(unsigned bl) { 807 void *ptr = malloc (16); 808 ptr = ptr + (2 - bl); 809 return ptr; // no warning 810} 811 812void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 813int strcmp(const char *, const char *); 814char *a (void); 815void radar11270219(void) { 816 char *x = a(), *y = a(); 817 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 818 strcmp(x, y); // no warning 819} 820 821void radar_11358224_test_double_assign_ints_positive_2() 822{ 823 void *ptr = malloc(16); 824 ptr = ptr; 825} // expected-warning {{leak}} 826 827// Assume that functions which take a function pointer can free memory even if 828// they are defined in system headers and take the const pointer to the 829// allocated memory. (radar://11160612) 830int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 831void r11160612_1() { 832 char *x = malloc(12); 833 const_ptr_and_callback(0, x, 12, free); // no - warning 834} 835 836// Null is passed as callback. 837void r11160612_2() { 838 char *x = malloc(12); 839 const_ptr_and_callback(0, x, 12, 0); 840} // expected-warning {{leak}} 841 842// Callback is passed to a function defined in a system header. 843void r11160612_4() { 844 char *x = malloc(12); 845 sqlite3_bind_text_my(0, x, 12, free); // no - warning 846} 847 848// Passing callbacks in a struct. 849void r11160612_5(StWithCallback St) { 850 void *x = malloc(12); 851 dealocateMemWhenDoneByVal(x, St); 852} 853void r11160612_6(StWithCallback St) { 854 void *x = malloc(12); 855 dealocateMemWhenDoneByRef(&St, x); 856} 857 858int mySub(int, int); 859int myAdd(int, int); 860int fPtr(unsigned cond, int x) { 861 return (cond ? mySub : myAdd)(x, x); 862} 863 864// Test anti-aliasing. 865 866void dependsOnValueOfPtr(int *g, unsigned f) { 867 int *p; 868 869 if (f) { 870 p = g; 871 } else { 872 p = malloc(12); 873 } 874 875 if (p != g) 876 free(p); 877 else 878 return; // no warning 879 return; 880} 881 882int CMPRegionHeapToStack() { 883 int x = 0; 884 int *x1 = malloc(8); 885 int *x2 = &x; 886 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 887 free(x1); 888 return x; 889} 890 891int CMPRegionHeapToHeap2() { 892 int x = 0; 893 int *x1 = malloc(8); 894 int *x2 = malloc(8); 895 int *x4 = x1; 896 int *x5 = x2; 897 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 898 free(x1); 899 free(x2); 900 return x; 901} 902 903int CMPRegionHeapToHeap() { 904 int x = 0; 905 int *x1 = malloc(8); 906 int *x4 = x1; 907 if (x1 == x4) { 908 free(x1); 909 return 5/x; // expected-warning{{Division by zero}} 910 } 911 return x;// expected-warning{{This statement is never executed}} 912} 913 914int HeapAssignment() { 915 int m = 0; 916 int *x = malloc(4); 917 int *y = x; 918 *x = 5; 919 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 920 free(x); 921 return 0; 922} 923 924int *retPtr(); 925int *retPtrMightAlias(int *x); 926int cmpHeapAllocationToUnknown() { 927 int zero = 0; 928 int *yBefore = retPtr(); 929 int *m = malloc(8); 930 int *yAfter = retPtrMightAlias(m); 931 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 932 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 933 free(m); 934 return 0; 935} 936 937void localArrayTest() { 938 char *p = (char*)malloc(12); 939 char *ArrayL[12]; 940 ArrayL[0] = p; 941} // expected-warning {{leak}} 942 943void localStructTest() { 944 StructWithPtr St; 945 StructWithPtr *pSt = &St; 946 pSt->memP = malloc(12); 947} // expected-warning{{Memory is never released; potential leak}} 948 949#ifdef __INTPTR_TYPE__ 950// Test double assignment through integers. 951typedef __INTPTR_TYPE__ intptr_t; 952typedef unsigned __INTPTR_TYPE__ uintptr_t; 953 954static intptr_t glob; 955void test_double_assign_ints() 956{ 957 void *ptr = malloc (16); // no-warning 958 glob = (intptr_t)(uintptr_t)ptr; 959} 960 961void test_double_assign_ints_positive() 962{ 963 void *ptr = malloc(16); 964 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 965} // expected-warning {{leak}} 966#endif 967 968void testCGContextNoLeak() 969{ 970 void *ptr = malloc(16); 971 CGContextRef context = CGBitmapContextCreate(ptr); 972 973 // Because you can get the data back out like this, even much later, 974 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 975 free(CGBitmapContextGetData(context)); 976} 977 978void testCGContextLeak() 979{ 980 void *ptr = malloc(16); 981 CGContextRef context = CGBitmapContextCreate(ptr); 982 // However, this time we're just leaking the data, because the context 983 // object doesn't escape and it hasn't been freed in this function. 984} 985 986// Allow xpc context to escape. radar://11635258 987// TODO: Would be great if we checked that the finalize_connection_context actually releases it. 988static void finalize_connection_context(void *ctx) { 989 int *context = ctx; 990 free(context); 991} 992void foo (xpc_connection_t peer) { 993 int *ctx = calloc(1, sizeof(int)); 994 xpc_connection_set_context(peer, ctx); 995 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 996 xpc_connection_resume(peer); 997} 998 999// Make sure we catch errors when we free in a function which does not allocate memory. 1000void freeButNoMalloc(int *p, int x){ 1001 if (x) { 1002 free(p); 1003 //user forgot a return here. 1004 } 1005 free(p); // expected-warning {{Attempt to free released memory}} 1006} 1007 1008struct HasPtr { 1009 char *p; 1010}; 1011 1012char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1013 int *s; 1014 char *b = realloc(a->p, size); 1015 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 1016 return a->p; 1017} 1018 1019// We should not warn in this case since the caller will presumably free a->p in all cases. 1020int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1021 int *s; 1022 char *b = realloc(a->p, size); 1023 if (b == 0) 1024 return -1; 1025 a->p = b; 1026 return 0; 1027} 1028 1029// Test realloc with no visible malloc. 1030void *test(void *ptr) { 1031 void *newPtr = realloc(ptr, 4); 1032 if (newPtr == 0) { 1033 if (ptr) 1034 free(ptr); // no-warning 1035 } 1036 return newPtr; 1037} 1038 1039 1040char *testLeakWithinReturn(char *str) { 1041 return strdup(strdup(str)); // expected-warning{{leak}} 1042} 1043 1044// ---------------------------------------------------------------------------- 1045// False negatives. 1046 1047// TODO: This is another false negative. 1048void testMallocWithParam(int **p) { 1049 *p = (int*) malloc(sizeof(int)); 1050 *p = 0; 1051} 1052 1053void testMallocWithParam_2(int **p) { 1054 *p = (int*) malloc(sizeof(int)); 1055} 1056