malloc.c revision 84c484545c5906ba55143e212b4a5275ab55889f
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2#include "Inputs/system-header-simulator.h" 3 4void clang_analyzer_eval(int); 5 6typedef __typeof(sizeof(int)) size_t; 7void *malloc(size_t); 8void *valloc(size_t); 9void free(void *); 10void *realloc(void *ptr, size_t size); 11void *reallocf(void *ptr, size_t size); 12void *calloc(size_t nmemb, size_t size); 13char *strdup(const char *s); 14char *strndup(const char *s, size_t n); 15 16void myfoo(int *p); 17void myfooint(int p); 18char *fooRetPtr(); 19 20void f1() { 21 int *p = malloc(12); 22 return; // expected-warning{{Memory is never released; potential leak of memory pointed to by 'p'}} 23} 24 25void f2() { 26 int *p = malloc(12); 27 free(p); 28 free(p); // expected-warning{{Attempt to free released memory}} 29} 30 31void f2_realloc_0() { 32 int *p = malloc(12); 33 realloc(p,0); 34 realloc(p,0); // expected-warning{{Attempt to free released memory}} 35} 36 37void f2_realloc_1() { 38 int *p = malloc(12); 39 int *q = realloc(p,0); // no-warning 40} 41 42void reallocNotNullPtr(unsigned sizeIn) { 43 unsigned size = 12; 44 char *p = (char*)malloc(size); 45 if (p) { 46 char *q = (char*)realloc(p, sizeIn); 47 char x = *q; // expected-warning {{Memory is never released; potential leak of memory pointed to by 'q'}} 48 } 49} 50 51int *realloctest1() { 52 int *q = malloc(12); 53 q = realloc(q, 20); 54 return q; // no warning - returning the allocated value 55} 56 57// p should be freed if realloc fails. 58void reallocFails() { 59 char *p = malloc(12); 60 char *r = realloc(p, 12+1); 61 if (!r) { 62 free(p); 63 } else { 64 free(r); 65 } 66} 67 68void reallocSizeZero1() { 69 char *p = malloc(12); 70 char *r = realloc(p, 0); 71 if (!r) { 72 free(p); // expected-warning {{Attempt to free released memory}} 73 } else { 74 free(r); 75 } 76} 77 78void reallocSizeZero2() { 79 char *p = malloc(12); 80 char *r = realloc(p, 0); 81 if (!r) { 82 free(p); // expected-warning {{Attempt to free released memory}} 83 } else { 84 free(r); 85 } 86 free(p); // expected-warning {{Attempt to free released memory}} 87} 88 89void reallocSizeZero3() { 90 char *p = malloc(12); 91 char *r = realloc(p, 0); 92 free(r); 93} 94 95void reallocSizeZero4() { 96 char *r = realloc(0, 0); 97 free(r); 98} 99 100void reallocSizeZero5() { 101 char *r = realloc(0, 0); 102} 103 104void reallocPtrZero1() { 105 char *r = realloc(0, 12); // expected-warning {{Memory is never released; potential leak of memory pointed to by 'r'}} 106} 107 108void reallocPtrZero2() { 109 char *r = realloc(0, 12); 110 if (r) 111 free(r); 112} 113 114void reallocPtrZero3() { 115 char *r = realloc(0, 12); 116 free(r); 117} 118 119void reallocRadar6337483_1() { 120 char *buf = malloc(100); 121 buf = (char*)realloc(buf, 0x1000000); 122 if (!buf) { 123 return;// expected-warning {{Memory is never released; potential leak}} 124 } 125 free(buf); 126} 127 128void reallocRadar6337483_2() { 129 char *buf = malloc(100); 130 char *buf2 = (char*)realloc(buf, 0x1000000); 131 if (!buf2) { // expected-warning {{Memory is never released; potential leak}} 132 ; 133 } else { 134 free(buf2); 135 } 136} 137 138void reallocRadar6337483_3() { 139 char * buf = malloc(100); 140 char * tmp; 141 tmp = (char*)realloc(buf, 0x1000000); 142 if (!tmp) { 143 free(buf); 144 return; 145 } 146 buf = tmp; 147 free(buf); 148} 149 150void reallocRadar6337483_4() { 151 char *buf = malloc(100); 152 char *buf2 = (char*)realloc(buf, 0x1000000); 153 if (!buf2) { 154 return; // expected-warning {{Memory is never released; potential leak}} 155 } else { 156 free(buf2); 157 } 158} 159 160int *reallocfTest1() { 161 int *q = malloc(12); 162 q = reallocf(q, 20); 163 return q; // no warning - returning the allocated value 164} 165 166void reallocfRadar6337483_4() { 167 char *buf = malloc(100); 168 char *buf2 = (char*)reallocf(buf, 0x1000000); 169 if (!buf2) { 170 return; // no warning - reallocf frees even on failure 171 } else { 172 free(buf2); 173 } 174} 175 176void reallocfRadar6337483_3() { 177 char * buf = malloc(100); 178 char * tmp; 179 tmp = (char*)reallocf(buf, 0x1000000); 180 if (!tmp) { 181 free(buf); // expected-warning {{Attempt to free released memory}} 182 return; 183 } 184 buf = tmp; 185 free(buf); 186} 187 188void reallocfPtrZero1() { 189 char *r = reallocf(0, 12); // expected-warning {{Memory is never released; potential leak}} 190} 191 192 193// This case tests that storing malloc'ed memory to a static variable which is 194// then returned is not leaked. In the absence of known contracts for functions 195// or inter-procedural analysis, this is a conservative answer. 196int *f3() { 197 static int *p = 0; 198 p = malloc(12); 199 return p; // no-warning 200} 201 202// This case tests that storing malloc'ed memory to a static global variable 203// which is then returned is not leaked. In the absence of known contracts for 204// functions or inter-procedural analysis, this is a conservative answer. 205static int *p_f4 = 0; 206int *f4() { 207 p_f4 = malloc(12); 208 return p_f4; // no-warning 209} 210 211int *f5() { 212 int *q = malloc(12); 213 q = realloc(q, 20); 214 return q; // no-warning 215} 216 217void f6() { 218 int *p = malloc(12); 219 if (!p) 220 return; // no-warning 221 else 222 free(p); 223} 224 225void f6_realloc() { 226 int *p = malloc(12); 227 if (!p) 228 return; // no-warning 229 else 230 realloc(p,0); 231} 232 233 234char *doit2(); 235void pr6069() { 236 char *buf = doit2(); 237 free(buf); 238} 239 240void pr6293() { 241 free(0); 242} 243 244void f7() { 245 char *x = (char*) malloc(4); 246 free(x); 247 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 248} 249 250void f8() { 251 char *x = (char*) malloc(4); 252 free(x); 253 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 254} 255 256void f7_realloc() { 257 char *x = (char*) malloc(4); 258 realloc(x,0); 259 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 260} 261 262void PR6123() { 263 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 264} 265 266void PR7217() { 267 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 268 buf[1] = 'c'; // not crash 269} 270 271void mallocCastToVoid() { 272 void *p = malloc(2); 273 const void *cp = p; // not crash 274 free(p); 275} 276 277void mallocCastToFP() { 278 void *p = malloc(2); 279 void (*fp)() = p; // not crash 280 free(p); 281} 282 283// This tests that malloc() buffers are undefined by default 284char mallocGarbage () { 285 char *buf = malloc(2); 286 char result = buf[1]; // expected-warning{{undefined}} 287 free(buf); 288 return result; 289} 290 291// This tests that calloc() buffers need to be freed 292void callocNoFree () { 293 char *buf = calloc(2,2); 294 return; // expected-warning{{never released}} 295} 296 297// These test that calloc() buffers are zeroed by default 298char callocZeroesGood () { 299 char *buf = calloc(2,2); 300 char result = buf[3]; // no-warning 301 if (buf[1] == 0) { 302 free(buf); 303 } 304 return result; // no-warning 305} 306 307char callocZeroesBad () { 308 char *buf = calloc(2,2); 309 char result = buf[3]; // no-warning 310 if (buf[1] != 0) { 311 free(buf); // expected-warning{{never executed}} 312 } 313 return result; // expected-warning{{never released}} 314} 315 316void nullFree() { 317 int *p = 0; 318 free(p); // no warning - a nop 319} 320 321void paramFree(int *p) { 322 myfoo(p); 323 free(p); // no warning 324 myfoo(p); // expected-warning {{Use of memory after it is freed}} 325} 326 327int* mallocEscapeRet() { 328 int *p = malloc(12); 329 return p; // no warning 330} 331 332void mallocEscapeFoo() { 333 int *p = malloc(12); 334 myfoo(p); 335 return; // no warning 336} 337 338void mallocEscapeFree() { 339 int *p = malloc(12); 340 myfoo(p); 341 free(p); 342} 343 344void mallocEscapeFreeFree() { 345 int *p = malloc(12); 346 myfoo(p); 347 free(p); 348 free(p); // expected-warning{{Attempt to free released memory}} 349} 350 351void mallocEscapeFreeUse() { 352 int *p = malloc(12); 353 myfoo(p); 354 free(p); 355 myfoo(p); // expected-warning{{Use of memory after it is freed}} 356} 357 358int *myalloc(); 359void myalloc2(int **p); 360 361void mallocEscapeFreeCustomAlloc() { 362 int *p = malloc(12); 363 myfoo(p); 364 free(p); 365 p = myalloc(); 366 free(p); // no warning 367} 368 369void mallocEscapeFreeCustomAlloc2() { 370 int *p = malloc(12); 371 myfoo(p); 372 free(p); 373 myalloc2(&p); 374 free(p); // no warning 375} 376 377void mallocBindFreeUse() { 378 int *x = malloc(12); 379 int *y = x; 380 free(y); 381 myfoo(x); // expected-warning{{Use of memory after it is freed}} 382} 383 384void mallocEscapeMalloc() { 385 int *p = malloc(12); 386 myfoo(p); 387 p = malloc(12); // expected-warning{{Memory is never released; potential leak}} 388} 389 390void mallocMalloc() { 391 int *p = malloc(12); 392 p = malloc(12); // expected-warning {{Memory is never released; potential leak}} 393} 394 395void mallocFreeMalloc() { 396 int *p = malloc(12); 397 free(p); 398 p = malloc(12); 399 free(p); 400} 401 402void mallocFreeUse_params() { 403 int *p = malloc(12); 404 free(p); 405 myfoo(p); //expected-warning{{Use of memory after it is freed}} 406} 407 408void mallocFreeUse_params2() { 409 int *p = malloc(12); 410 free(p); 411 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 412} 413 414void mallocFailedOrNot() { 415 int *p = malloc(12); 416 if (!p) 417 free(p); 418 else 419 free(p); 420} 421 422struct StructWithInt { 423 int g; 424}; 425 426int *mallocReturnFreed() { 427 int *p = malloc(12); 428 free(p); 429 return p; // expected-warning {{Use of memory after it is freed}} 430} 431 432int useAfterFreeStruct() { 433 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 434 px->g = 5; 435 free(px); 436 return px->g; // expected-warning {{Use of memory after it is freed}} 437} 438 439void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 440 441void mallocEscapeFooNonSymbolArg() { 442 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 443 nonSymbolAsFirstArg(&p->g, p); 444 return; // no warning 445} 446 447void mallocFailedOrNotLeak() { 448 int *p = malloc(12); 449 if (p == 0) 450 return; // no warning 451 else 452 return; // expected-warning {{Memory is never released; potential leak}} 453} 454 455void mallocAssignment() { 456 char *p = malloc(12); 457 p = fooRetPtr(); // expected-warning {{leak}} 458} 459 460int vallocTest() { 461 char *mem = valloc(12); 462 return 0; // expected-warning {{Memory is never released; potential leak}} 463} 464 465void vallocEscapeFreeUse() { 466 int *p = valloc(12); 467 myfoo(p); 468 free(p); 469 myfoo(p); // expected-warning{{Use of memory after it is freed}} 470} 471 472int *Gl; 473struct GlStTy { 474 int *x; 475}; 476 477struct GlStTy GlS = {0}; 478 479void GlobalFree() { 480 free(Gl); 481} 482 483void GlobalMalloc() { 484 Gl = malloc(12); 485} 486 487void GlobalStructMalloc() { 488 int *a = malloc(12); 489 GlS.x = a; 490} 491 492void GlobalStructMallocFree() { 493 int *a = malloc(12); 494 GlS.x = a; 495 free(GlS.x); 496} 497 498char *ArrayG[12]; 499 500void globalArrayTest() { 501 char *p = (char*)malloc(12); 502 ArrayG[0] = p; 503} 504 505// Make sure that we properly handle a pointer stored into a local struct/array. 506typedef struct _StructWithPtr { 507 int *memP; 508} StructWithPtr; 509 510static StructWithPtr arrOfStructs[10]; 511 512void testMalloc() { 513 int *x = malloc(12); 514 StructWithPtr St; 515 St.memP = x; 516 arrOfStructs[0] = St; // no-warning 517} 518 519StructWithPtr testMalloc2() { 520 int *x = malloc(12); 521 StructWithPtr St; 522 St.memP = x; 523 return St; // no-warning 524} 525 526int *testMalloc3() { 527 int *x = malloc(12); 528 int *y = x; 529 return y; // no-warning 530} 531 532void testStructLeak() { 533 StructWithPtr St; 534 St.memP = malloc(12); 535 return; // expected-warning {{Memory is never released; potential leak of memory pointed to by 'St.memP'}} 536} 537 538void testElemRegion1() { 539 char *x = (void*)malloc(2); 540 int *ix = (int*)x; 541 free(&(x[0])); 542} 543 544void testElemRegion2(int **pp) { 545 int *p = malloc(12); 546 *pp = p; 547 free(pp[0]); 548} 549 550void testElemRegion3(int **pp) { 551 int *p = malloc(12); 552 *pp = p; 553 free(*pp); 554} 555// Region escape testing. 556 557unsigned takePtrToPtr(int **p); 558void PassTheAddrOfAllocatedData(int f) { 559 int *p = malloc(12); 560 // We don't know what happens after the call. Should stop tracking here. 561 if (takePtrToPtr(&p)) 562 f++; 563 free(p); // no warning 564} 565 566struct X { 567 int *p; 568}; 569unsigned takePtrToStruct(struct X *s); 570int ** foo2(int *g, int f) { 571 int *p = malloc(12); 572 struct X *px= malloc(sizeof(struct X)); 573 px->p = p; 574 // We don't know what happens after this call. Should not track px nor p. 575 if (takePtrToStruct(px)) 576 f++; 577 free(p); 578 return 0; 579} 580 581struct X* RegInvalidationDetect1(struct X *s2) { 582 struct X *px= malloc(sizeof(struct X)); 583 px->p = 0; 584 px = s2; 585 return px; // expected-warning {{Memory is never released; potential leak}} 586} 587 588struct X* RegInvalidationGiveUp1() { 589 int *p = malloc(12); 590 struct X *px= malloc(sizeof(struct X)); 591 px->p = p; 592 return px; 593} 594 595int **RegInvalidationDetect2(int **pp) { 596 int *p = malloc(12); 597 pp = &p; 598 pp++; 599 return 0;// expected-warning {{Memory is never released; potential leak}} 600} 601 602extern void exit(int) __attribute__ ((__noreturn__)); 603void mallocExit(int *g) { 604 struct xx *p = malloc(12); 605 if (g != 0) 606 exit(1); 607 free(p); 608 return; 609} 610 611extern void __assert_fail (__const char *__assertion, __const char *__file, 612 unsigned int __line, __const char *__function) 613 __attribute__ ((__noreturn__)); 614#define assert(expr) \ 615 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 616void mallocAssert(int *g) { 617 struct xx *p = malloc(12); 618 619 assert(g != 0); 620 free(p); 621 return; 622} 623 624void doNotInvalidateWhenPassedToSystemCalls(char *s) { 625 char *p = malloc(12); 626 strlen(p); 627 strcpy(p, s); // expected-warning {{leak}} 628} 629 630// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 631void symbolLostWithStrcpy(char *s) { 632 char *p = malloc(12); 633 p = strcpy(p, s); 634 free(p); 635} 636 637 638// The same test as the one above, but with what is actually generated on a mac. 639static __inline char * 640__inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 641{ 642 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 643} 644 645void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 646 char *p = malloc(12); 647 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 648 free(p); 649} 650 651// Here we are returning a pointer one past the allocated value. An idiom which 652// can be used for implementing special malloc. The correct uses of this might 653// be rare enough so that we could keep this as a warning. 654static void *specialMalloc(int n){ 655 int *p; 656 p = malloc( n+8 ); 657 if( p ){ 658 p[0] = n; 659 p++; 660 } 661 return p; 662} 663 664// Potentially, the user could free the struct by performing pointer arithmetic on the return value. 665// This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 666int *specialMallocWithStruct() { 667 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 668 return &(px->g); 669} 670 671// Test various allocation/deallocation functions. 672void testStrdup(const char *s, unsigned validIndex) { 673 char *s2 = strdup(s); 674 s2[validIndex + 1] = 'b';// expected-warning {{Memory is never released; potential leak}} 675} 676 677int testStrndup(const char *s, unsigned validIndex, unsigned size) { 678 char *s2 = strndup(s, size); 679 s2 [validIndex + 1] = 'b'; 680 if (s2[validIndex] != 'a') 681 return 0; 682 else 683 return 1;// expected-warning {{Memory is never released; potential leak}} 684} 685 686void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 687 char *s2 = strdup(s); 688 char result = s2[1];// no warning 689 free(s2); 690} 691 692// ---------------------------------------------------------------------------- 693// Test the system library functions to which the pointer can escape. 694// This tests false positive suppression. 695 696// For now, we assume memory passed to pthread_specific escapes. 697// TODO: We could check that if a new pthread binding is set, the existing 698// binding must be freed; otherwise, a memory leak can occur. 699void testPthereadSpecificEscape(pthread_key_t key) { 700 void *buf = malloc(12); 701 pthread_setspecific(key, buf); // no warning 702} 703 704// PR12101: Test funopen(). 705static int releasePtr(void *_ctx) { 706 free(_ctx); 707 return 0; 708} 709FILE *useFunOpen() { 710 void *ctx = malloc(sizeof(int)); 711 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 712 if (f == 0) { 713 free(ctx); 714 } 715 return f; 716} 717FILE *useFunOpenNoReleaseFunction() { 718 void *ctx = malloc(sizeof(int)); 719 FILE *f = funopen(ctx, 0, 0, 0, 0); 720 if (f == 0) { 721 free(ctx); 722 } 723 return f; // expected-warning{{leak}} 724} 725 726static int readNothing(void *_ctx, char *buf, int size) { 727 return 0; 728} 729FILE *useFunOpenReadNoRelease() { 730 void *ctx = malloc(sizeof(int)); 731 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 732 if (f == 0) { 733 free(ctx); 734 } 735 return f; // expected-warning{{leak}} 736} 737 738// Test setbuf, setvbuf. 739int my_main_no_warning() { 740 char *p = malloc(100); 741 setvbuf(stdout, p, 0, 100); 742 return 0; 743} 744int my_main_no_warning2() { 745 char *p = malloc(100); 746 setbuf(__stdoutp, p); 747 return 0; 748} 749int my_main_warn(FILE *f) { 750 char *p = malloc(100); 751 setvbuf(f, p, 0, 100); 752 return 0;// expected-warning {{leak}} 753} 754 755// <rdar://problem/10978247>. 756// some people use stack allocated memory as an optimization to avoid 757// a heap allocation for small work sizes. This tests the analyzer's 758// understanding that the malloc'ed memory is not the same as stackBuffer. 759void radar10978247(int myValueSize) { 760 char stackBuffer[128]; 761 char *buffer; 762 763 if (myValueSize <= sizeof(stackBuffer)) 764 buffer = stackBuffer; 765 else 766 buffer = malloc(myValueSize); 767 768 // do stuff with the buffer 769 if (buffer != stackBuffer) 770 free(buffer); 771} 772 773void radar10978247_positive(int myValueSize) { 774 char stackBuffer[128]; 775 char *buffer; 776 777 if (myValueSize <= sizeof(stackBuffer)) 778 buffer = stackBuffer; 779 else 780 buffer = malloc(myValueSize); 781 782 // do stuff with the buffer 783 if (buffer == stackBuffer) // expected-warning {{leak}} 784 return; 785} 786 787// <rdar://problem/11269741> Previously this triggered a false positive 788// because malloc() is known to return uninitialized memory and the binding 789// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 790struct rdar11269741_a_t { 791 struct rdar11269741_b_t { 792 int m; 793 } n; 794}; 795 796int rdar11269741(struct rdar11269741_b_t o) 797{ 798 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 799 p->n = o; 800 return p->n.m; // expected-warning {{leak}} 801} 802 803// Pointer arithmetic, returning an ElementRegion. 804void *radar11329382(unsigned bl) { 805 void *ptr = malloc (16); 806 ptr = ptr + (2 - bl); 807 return ptr; // no warning 808} 809 810void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 811int strcmp(const char *, const char *); 812char *a (void); 813void radar11270219(void) { 814 char *x = a(), *y = a(); 815 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 816 strcmp(x, y); // no warning 817} 818 819void radar_11358224_test_double_assign_ints_positive_2() 820{ 821 void *ptr = malloc(16); 822 ptr = ptr; // expected-warning {{leak}} 823} 824 825// Assume that functions which take a function pointer can free memory even if 826// they are defined in system headers and take the const pointer to the 827// allocated memory. (radar://11160612) 828int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 829void r11160612_1() { 830 char *x = malloc(12); 831 const_ptr_and_callback(0, x, 12, free); // no - warning 832} 833 834// Null is passed as callback. 835void r11160612_2() { 836 char *x = malloc(12); 837 const_ptr_and_callback(0, x, 12, 0); // expected-warning {{leak}} 838} 839 840// Callback is passed to a function defined in a system header. 841void r11160612_4() { 842 char *x = malloc(12); 843 sqlite3_bind_text_my(0, x, 12, free); // no - warning 844} 845 846// Passing callbacks in a struct. 847void r11160612_5(StWithCallback St) { 848 void *x = malloc(12); 849 dealocateMemWhenDoneByVal(x, St); 850} 851void r11160612_6(StWithCallback St) { 852 void *x = malloc(12); 853 dealocateMemWhenDoneByRef(&St, x); 854} 855 856int mySub(int, int); 857int myAdd(int, int); 858int fPtr(unsigned cond, int x) { 859 return (cond ? mySub : myAdd)(x, x); 860} 861 862// Test anti-aliasing. 863 864void dependsOnValueOfPtr(int *g, unsigned f) { 865 int *p; 866 867 if (f) { 868 p = g; 869 } else { 870 p = malloc(12); 871 } 872 873 if (p != g) 874 free(p); 875 else 876 return; // no warning 877 return; 878} 879 880int CMPRegionHeapToStack() { 881 int x = 0; 882 int *x1 = malloc(8); 883 int *x2 = &x; 884 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 885 free(x1); 886 return x; 887} 888 889int CMPRegionHeapToHeap2() { 890 int x = 0; 891 int *x1 = malloc(8); 892 int *x2 = malloc(8); 893 int *x4 = x1; 894 int *x5 = x2; 895 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 896 free(x1); 897 free(x2); 898 return x; 899} 900 901int CMPRegionHeapToHeap() { 902 int x = 0; 903 int *x1 = malloc(8); 904 int *x4 = x1; 905 if (x1 == x4) { 906 free(x1); 907 return 5/x; // expected-warning{{Division by zero}} 908 } 909 return x;// expected-warning{{This statement is never executed}} 910} 911 912int HeapAssignment() { 913 int m = 0; 914 int *x = malloc(4); 915 int *y = x; 916 *x = 5; 917 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 918 free(x); 919 return 0; 920} 921 922int *retPtr(); 923int *retPtrMightAlias(int *x); 924int cmpHeapAllocationToUnknown() { 925 int zero = 0; 926 int *yBefore = retPtr(); 927 int *m = malloc(8); 928 int *yAfter = retPtrMightAlias(m); 929 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 930 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 931 free(m); 932 return 0; 933} 934 935void localArrayTest() { 936 char *p = (char*)malloc(12); 937 char *ArrayL[12]; 938 ArrayL[0] = p; // expected-warning {{leak}} 939} 940 941void localStructTest() { 942 StructWithPtr St; 943 StructWithPtr *pSt = &St; 944 pSt->memP = malloc(12); // expected-warning{{Memory is never released; potential leak}} 945} 946 947// Test double assignment through integers. 948static long glob; 949void test_double_assign_ints() 950{ 951 void *ptr = malloc (16); // no-warning 952 glob = (long)(unsigned long)ptr; 953} 954 955void test_double_assign_ints_positive() 956{ 957 void *ptr = malloc(16); 958 (void*)(long)(unsigned long)ptr; // expected-warning {{unused}} expected-warning {{leak}} 959} 960 961 962void testCGContextNoLeak() 963{ 964 void *ptr = malloc(16); 965 CGContextRef context = CGBitmapContextCreate(ptr); 966 967 // Because you can get the data back out like this, even much later, 968 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 969 free(CGBitmapContextGetData(context)); 970} 971 972void testCGContextLeak() 973{ 974 void *ptr = malloc(16); 975 CGContextRef context = CGBitmapContextCreate(ptr); 976 // However, this time we're just leaking the data, because the context 977 // object doesn't escape and it hasn't been freed in this function. 978} 979 980// Allow xpc context to escape. radar://11635258 981// TODO: Would be great if we checked that the finalize_connection_context actually releases it. 982static void finalize_connection_context(void *ctx) { 983 int *context = ctx; 984 free(context); 985} 986void foo (xpc_connection_t peer) { 987 int *ctx = calloc(1, sizeof(int)); 988 xpc_connection_set_context(peer, ctx); 989 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 990 xpc_connection_resume(peer); 991} 992 993// Make sure we catch errors when we free in a function which does not allocate memory. 994void freeButNoMalloc(int *p, int x){ 995 if (x) { 996 free(p); 997 //user forgot a return here. 998 } 999 free(p); // expected-warning {{Attempt to free released memory}} 1000} 1001 1002struct HasPtr { 1003 char *p; 1004}; 1005 1006char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1007 int *s; 1008 char *b = realloc(a->p, size); 1009 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 1010 return a->p; 1011} 1012 1013// We should not warn in this case since the caller will presumably free a->p in all cases. 1014int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1015 int *s; 1016 char *b = realloc(a->p, size); 1017 if (b == 0) 1018 return -1; 1019 a->p = b; 1020 return 0; 1021} 1022 1023// Test realloc with no visible malloc. 1024void *test(void *ptr) { 1025 void *newPtr = realloc(ptr, 4); 1026 if (newPtr == 0) { 1027 if (ptr) 1028 free(ptr); // no-warning 1029 } 1030 return newPtr; 1031} 1032 1033 1034char *testLeakWithinReturn(char *str) { 1035 return strdup(strdup(str)); // expected-warning{{leak}} 1036} 1037 1038// ---------------------------------------------------------------------------- 1039// False negatives. 1040 1041// TODO: This is another false negative. 1042void testMallocWithParam(int **p) { 1043 *p = (int*) malloc(sizeof(int)); 1044 *p = 0; 1045} 1046 1047void testMallocWithParam_2(int **p) { 1048 *p = (int*) malloc(sizeof(int)); 1049} 1050