malloc.c revision 118aa750c5cfe975542dce8e41586b2054d1f5dd
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2 3#include "Inputs/system-header-simulator.h" 4 5void clang_analyzer_eval(int); 6 7typedef __typeof(sizeof(int)) size_t; 8void *malloc(size_t); 9void *valloc(size_t); 10void free(void *); 11void *realloc(void *ptr, size_t size); 12void *reallocf(void *ptr, size_t size); 13void *calloc(size_t nmemb, size_t size); 14char *strdup(const char *s); 15char *strndup(const char *s, size_t n); 16int memcmp(const void *s1, const void *s2, size_t n); 17 18void myfoo(int *p); 19void myfooint(int p); 20char *fooRetPtr(); 21 22void f1() { 23 int *p = malloc(12); 24 return; // expected-warning{{Memory is never released; potential leak of memory pointed to by 'p'}} 25} 26 27void f2() { 28 int *p = malloc(12); 29 free(p); 30 free(p); // expected-warning{{Attempt to free released memory}} 31} 32 33void f2_realloc_0() { 34 int *p = malloc(12); 35 realloc(p,0); 36 realloc(p,0); // expected-warning{{Attempt to free released memory}} 37} 38 39void f2_realloc_1() { 40 int *p = malloc(12); 41 int *q = realloc(p,0); // no-warning 42} 43 44void reallocNotNullPtr(unsigned sizeIn) { 45 unsigned size = 12; 46 char *p = (char*)malloc(size); 47 if (p) { 48 char *q = (char*)realloc(p, sizeIn); 49 char x = *q; // expected-warning {{Memory is never released; potential leak of memory pointed to by 'q'}} 50 } 51} 52 53int *realloctest1() { 54 int *q = malloc(12); 55 q = realloc(q, 20); 56 return q; // no warning - returning the allocated value 57} 58 59// p should be freed if realloc fails. 60void reallocFails() { 61 char *p = malloc(12); 62 char *r = realloc(p, 12+1); 63 if (!r) { 64 free(p); 65 } else { 66 free(r); 67 } 68} 69 70void reallocSizeZero1() { 71 char *p = malloc(12); 72 char *r = realloc(p, 0); 73 if (!r) { 74 free(p); // expected-warning {{Attempt to free released memory}} 75 } else { 76 free(r); 77 } 78} 79 80void reallocSizeZero2() { 81 char *p = malloc(12); 82 char *r = realloc(p, 0); 83 if (!r) { 84 free(p); // expected-warning {{Attempt to free released memory}} 85 } else { 86 free(r); 87 } 88 free(p); // expected-warning {{Attempt to free released memory}} 89} 90 91void reallocSizeZero3() { 92 char *p = malloc(12); 93 char *r = realloc(p, 0); 94 free(r); 95} 96 97void reallocSizeZero4() { 98 char *r = realloc(0, 0); 99 free(r); 100} 101 102void reallocSizeZero5() { 103 char *r = realloc(0, 0); 104} 105 106void reallocPtrZero1() { 107 char *r = realloc(0, 12); 108} // expected-warning {{Memory is never released; potential leak of memory pointed to by 'r'}} 109 110void reallocPtrZero2() { 111 char *r = realloc(0, 12); 112 if (r) 113 free(r); 114} 115 116void reallocPtrZero3() { 117 char *r = realloc(0, 12); 118 free(r); 119} 120 121void reallocRadar6337483_1() { 122 char *buf = malloc(100); 123 buf = (char*)realloc(buf, 0x1000000); 124 if (!buf) { 125 return;// expected-warning {{Memory is never released; potential leak}} 126 } 127 free(buf); 128} 129 130void reallocRadar6337483_2() { 131 char *buf = malloc(100); 132 char *buf2 = (char*)realloc(buf, 0x1000000); 133 if (!buf2) { 134 ; 135 } else { 136 free(buf2); 137 } 138} // expected-warning {{Memory is never released; potential leak}} 139 140void reallocRadar6337483_3() { 141 char * buf = malloc(100); 142 char * tmp; 143 tmp = (char*)realloc(buf, 0x1000000); 144 if (!tmp) { 145 free(buf); 146 return; 147 } 148 buf = tmp; 149 free(buf); 150} 151 152void reallocRadar6337483_4() { 153 char *buf = malloc(100); 154 char *buf2 = (char*)realloc(buf, 0x1000000); 155 if (!buf2) { 156 return; // expected-warning {{Memory is never released; potential leak}} 157 } else { 158 free(buf2); 159 } 160} 161 162int *reallocfTest1() { 163 int *q = malloc(12); 164 q = reallocf(q, 20); 165 return q; // no warning - returning the allocated value 166} 167 168void reallocfRadar6337483_4() { 169 char *buf = malloc(100); 170 char *buf2 = (char*)reallocf(buf, 0x1000000); 171 if (!buf2) { 172 return; // no warning - reallocf frees even on failure 173 } else { 174 free(buf2); 175 } 176} 177 178void reallocfRadar6337483_3() { 179 char * buf = malloc(100); 180 char * tmp; 181 tmp = (char*)reallocf(buf, 0x1000000); 182 if (!tmp) { 183 free(buf); // expected-warning {{Attempt to free released memory}} 184 return; 185 } 186 buf = tmp; 187 free(buf); 188} 189 190void reallocfPtrZero1() { 191 char *r = reallocf(0, 12); 192} // expected-warning {{Memory is never released; potential leak}} 193 194 195// This case tests that storing malloc'ed memory to a static variable which is 196// then returned is not leaked. In the absence of known contracts for functions 197// or inter-procedural analysis, this is a conservative answer. 198int *f3() { 199 static int *p = 0; 200 p = malloc(12); 201 return p; // no-warning 202} 203 204// This case tests that storing malloc'ed memory to a static global variable 205// which is then returned is not leaked. In the absence of known contracts for 206// functions or inter-procedural analysis, this is a conservative answer. 207static int *p_f4 = 0; 208int *f4() { 209 p_f4 = malloc(12); 210 return p_f4; // no-warning 211} 212 213int *f5() { 214 int *q = malloc(12); 215 q = realloc(q, 20); 216 return q; // no-warning 217} 218 219void f6() { 220 int *p = malloc(12); 221 if (!p) 222 return; // no-warning 223 else 224 free(p); 225} 226 227void f6_realloc() { 228 int *p = malloc(12); 229 if (!p) 230 return; // no-warning 231 else 232 realloc(p,0); 233} 234 235 236char *doit2(); 237void pr6069() { 238 char *buf = doit2(); 239 free(buf); 240} 241 242void pr6293() { 243 free(0); 244} 245 246void f7() { 247 char *x = (char*) malloc(4); 248 free(x); 249 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 250} 251 252void f8() { 253 char *x = (char*) malloc(4); 254 free(x); 255 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 256} 257 258void f7_realloc() { 259 char *x = (char*) malloc(4); 260 realloc(x,0); 261 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 262} 263 264void PR6123() { 265 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 266} 267 268void PR7217() { 269 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 270 buf[1] = 'c'; // not crash 271} 272 273void mallocCastToVoid() { 274 void *p = malloc(2); 275 const void *cp = p; // not crash 276 free(p); 277} 278 279void mallocCastToFP() { 280 void *p = malloc(2); 281 void (*fp)() = p; // not crash 282 free(p); 283} 284 285// This tests that malloc() buffers are undefined by default 286char mallocGarbage () { 287 char *buf = malloc(2); 288 char result = buf[1]; // expected-warning{{undefined}} 289 free(buf); 290 return result; 291} 292 293// This tests that calloc() buffers need to be freed 294void callocNoFree () { 295 char *buf = calloc(2,2); 296 return; // expected-warning{{never released}} 297} 298 299// These test that calloc() buffers are zeroed by default 300char callocZeroesGood () { 301 char *buf = calloc(2,2); 302 char result = buf[3]; // no-warning 303 if (buf[1] == 0) { 304 free(buf); 305 } 306 return result; // no-warning 307} 308 309char callocZeroesBad () { 310 char *buf = calloc(2,2); 311 char result = buf[3]; // no-warning 312 if (buf[1] != 0) { 313 free(buf); // expected-warning{{never executed}} 314 } 315 return result; // expected-warning{{never released}} 316} 317 318void nullFree() { 319 int *p = 0; 320 free(p); // no warning - a nop 321} 322 323void paramFree(int *p) { 324 myfoo(p); 325 free(p); // no warning 326 myfoo(p); // expected-warning {{Use of memory after it is freed}} 327} 328 329int* mallocEscapeRet() { 330 int *p = malloc(12); 331 return p; // no warning 332} 333 334void mallocEscapeFoo() { 335 int *p = malloc(12); 336 myfoo(p); 337 return; // no warning 338} 339 340void mallocEscapeFree() { 341 int *p = malloc(12); 342 myfoo(p); 343 free(p); 344} 345 346void mallocEscapeFreeFree() { 347 int *p = malloc(12); 348 myfoo(p); 349 free(p); 350 free(p); // expected-warning{{Attempt to free released memory}} 351} 352 353void mallocEscapeFreeUse() { 354 int *p = malloc(12); 355 myfoo(p); 356 free(p); 357 myfoo(p); // expected-warning{{Use of memory after it is freed}} 358} 359 360int *myalloc(); 361void myalloc2(int **p); 362 363void mallocEscapeFreeCustomAlloc() { 364 int *p = malloc(12); 365 myfoo(p); 366 free(p); 367 p = myalloc(); 368 free(p); // no warning 369} 370 371void mallocEscapeFreeCustomAlloc2() { 372 int *p = malloc(12); 373 myfoo(p); 374 free(p); 375 myalloc2(&p); 376 free(p); // no warning 377} 378 379void mallocBindFreeUse() { 380 int *x = malloc(12); 381 int *y = x; 382 free(y); 383 myfoo(x); // expected-warning{{Use of memory after it is freed}} 384} 385 386void mallocEscapeMalloc() { 387 int *p = malloc(12); 388 myfoo(p); 389 p = malloc(12); 390} // expected-warning{{Memory is never released; potential leak}} 391 392void mallocMalloc() { 393 int *p = malloc(12); 394 p = malloc(12); 395} // expected-warning {{Memory is never released; potential leak}} 396 397void mallocFreeMalloc() { 398 int *p = malloc(12); 399 free(p); 400 p = malloc(12); 401 free(p); 402} 403 404void mallocFreeUse_params() { 405 int *p = malloc(12); 406 free(p); 407 myfoo(p); //expected-warning{{Use of memory after it is freed}} 408} 409 410void mallocFreeUse_params2() { 411 int *p = malloc(12); 412 free(p); 413 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 414} 415 416void mallocFailedOrNot() { 417 int *p = malloc(12); 418 if (!p) 419 free(p); 420 else 421 free(p); 422} 423 424struct StructWithInt { 425 int g; 426}; 427 428int *mallocReturnFreed() { 429 int *p = malloc(12); 430 free(p); 431 return p; // expected-warning {{Use of memory after it is freed}} 432} 433 434int useAfterFreeStruct() { 435 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 436 px->g = 5; 437 free(px); 438 return px->g; // expected-warning {{Use of memory after it is freed}} 439} 440 441void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 442 443void mallocEscapeFooNonSymbolArg() { 444 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 445 nonSymbolAsFirstArg(&p->g, p); 446 return; // no warning 447} 448 449void mallocFailedOrNotLeak() { 450 int *p = malloc(12); 451 if (p == 0) 452 return; // no warning 453 else 454 return; // expected-warning {{Memory is never released; potential leak}} 455} 456 457void mallocAssignment() { 458 char *p = malloc(12); 459 p = fooRetPtr(); 460} // expected-warning {{leak}} 461 462int vallocTest() { 463 char *mem = valloc(12); 464 return 0; // expected-warning {{Memory is never released; potential leak}} 465} 466 467void vallocEscapeFreeUse() { 468 int *p = valloc(12); 469 myfoo(p); 470 free(p); 471 myfoo(p); // expected-warning{{Use of memory after it is freed}} 472} 473 474int *Gl; 475struct GlStTy { 476 int *x; 477}; 478 479struct GlStTy GlS = {0}; 480 481void GlobalFree() { 482 free(Gl); 483} 484 485void GlobalMalloc() { 486 Gl = malloc(12); 487} 488 489void GlobalStructMalloc() { 490 int *a = malloc(12); 491 GlS.x = a; 492} 493 494void GlobalStructMallocFree() { 495 int *a = malloc(12); 496 GlS.x = a; 497 free(GlS.x); 498} 499 500char *ArrayG[12]; 501 502void globalArrayTest() { 503 char *p = (char*)malloc(12); 504 ArrayG[0] = p; 505} 506 507// Make sure that we properly handle a pointer stored into a local struct/array. 508typedef struct _StructWithPtr { 509 int *memP; 510} StructWithPtr; 511 512static StructWithPtr arrOfStructs[10]; 513 514void testMalloc() { 515 int *x = malloc(12); 516 StructWithPtr St; 517 St.memP = x; 518 arrOfStructs[0] = St; // no-warning 519} 520 521StructWithPtr testMalloc2() { 522 int *x = malloc(12); 523 StructWithPtr St; 524 St.memP = x; 525 return St; // no-warning 526} 527 528int *testMalloc3() { 529 int *x = malloc(12); 530 int *y = x; 531 return y; // no-warning 532} 533 534void testElemRegion1() { 535 char *x = (void*)malloc(2); 536 int *ix = (int*)x; 537 free(&(x[0])); 538} 539 540void testElemRegion2(int **pp) { 541 int *p = malloc(12); 542 *pp = p; 543 free(pp[0]); 544} 545 546void testElemRegion3(int **pp) { 547 int *p = malloc(12); 548 *pp = p; 549 free(*pp); 550} 551// Region escape testing. 552 553unsigned takePtrToPtr(int **p); 554void PassTheAddrOfAllocatedData(int f) { 555 int *p = malloc(12); 556 // We don't know what happens after the call. Should stop tracking here. 557 if (takePtrToPtr(&p)) 558 f++; 559 free(p); // no warning 560} 561 562struct X { 563 int *p; 564}; 565unsigned takePtrToStruct(struct X *s); 566int ** foo2(int *g, int f) { 567 int *p = malloc(12); 568 struct X *px= malloc(sizeof(struct X)); 569 px->p = p; 570 // We don't know what happens after this call. Should not track px nor p. 571 if (takePtrToStruct(px)) 572 f++; 573 free(p); 574 return 0; 575} 576 577struct X* RegInvalidationDetect1(struct X *s2) { 578 struct X *px= malloc(sizeof(struct X)); 579 px->p = 0; 580 px = s2; 581 return px; // expected-warning {{Memory is never released; potential leak}} 582} 583 584struct X* RegInvalidationGiveUp1() { 585 int *p = malloc(12); 586 struct X *px= malloc(sizeof(struct X)); 587 px->p = p; 588 return px; 589} 590 591int **RegInvalidationDetect2(int **pp) { 592 int *p = malloc(12); 593 pp = &p; 594 pp++; 595 return 0;// expected-warning {{Memory is never released; potential leak}} 596} 597 598extern void exit(int) __attribute__ ((__noreturn__)); 599void mallocExit(int *g) { 600 struct xx *p = malloc(12); 601 if (g != 0) 602 exit(1); 603 free(p); 604 return; 605} 606 607extern void __assert_fail (__const char *__assertion, __const char *__file, 608 unsigned int __line, __const char *__function) 609 __attribute__ ((__noreturn__)); 610#define assert(expr) \ 611 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 612void mallocAssert(int *g) { 613 struct xx *p = malloc(12); 614 615 assert(g != 0); 616 free(p); 617 return; 618} 619 620void doNotInvalidateWhenPassedToSystemCalls(char *s) { 621 char *p = malloc(12); 622 strlen(p); 623 strcpy(p, s); 624} // expected-warning {{leak}} 625 626// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 627void symbolLostWithStrcpy(char *s) { 628 char *p = malloc(12); 629 p = strcpy(p, s); 630 free(p); 631} 632 633 634// The same test as the one above, but with what is actually generated on a mac. 635static __inline char * 636__inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 637{ 638 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 639} 640 641void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 642 char *p = malloc(12); 643 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 644 free(p); 645} 646 647// Here we are returning a pointer one past the allocated value. An idiom which 648// can be used for implementing special malloc. The correct uses of this might 649// be rare enough so that we could keep this as a warning. 650static void *specialMalloc(int n){ 651 int *p; 652 p = malloc( n+8 ); 653 if( p ){ 654 p[0] = n; 655 p++; 656 } 657 return p; 658} 659 660// Potentially, the user could free the struct by performing pointer arithmetic on the return value. 661// This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 662int *specialMallocWithStruct() { 663 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 664 return &(px->g); 665} 666 667// Test various allocation/deallocation functions. 668void testStrdup(const char *s, unsigned validIndex) { 669 char *s2 = strdup(s); 670 s2[validIndex + 1] = 'b'; 671} // expected-warning {{Memory is never released; potential leak}} 672 673int testStrndup(const char *s, unsigned validIndex, unsigned size) { 674 char *s2 = strndup(s, size); 675 s2 [validIndex + 1] = 'b'; 676 if (s2[validIndex] != 'a') 677 return 0; 678 else 679 return 1;// expected-warning {{Memory is never released; potential leak}} 680} 681 682void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 683 char *s2 = strdup(s); 684 char result = s2[1];// no warning 685 free(s2); 686} 687 688// ---------------------------------------------------------------------------- 689// Test the system library functions to which the pointer can escape. 690// This tests false positive suppression. 691 692// For now, we assume memory passed to pthread_specific escapes. 693// TODO: We could check that if a new pthread binding is set, the existing 694// binding must be freed; otherwise, a memory leak can occur. 695void testPthereadSpecificEscape(pthread_key_t key) { 696 void *buf = malloc(12); 697 pthread_setspecific(key, buf); // no warning 698} 699 700// PR12101: Test funopen(). 701static int releasePtr(void *_ctx) { 702 free(_ctx); 703 return 0; 704} 705FILE *useFunOpen() { 706 void *ctx = malloc(sizeof(int)); 707 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 708 if (f == 0) { 709 free(ctx); 710 } 711 return f; 712} 713FILE *useFunOpenNoReleaseFunction() { 714 void *ctx = malloc(sizeof(int)); 715 FILE *f = funopen(ctx, 0, 0, 0, 0); 716 if (f == 0) { 717 free(ctx); 718 } 719 return f; // expected-warning{{leak}} 720} 721 722static int readNothing(void *_ctx, char *buf, int size) { 723 return 0; 724} 725FILE *useFunOpenReadNoRelease() { 726 void *ctx = malloc(sizeof(int)); 727 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 728 if (f == 0) { 729 free(ctx); 730 } 731 return f; // expected-warning{{leak}} 732} 733 734// Test setbuf, setvbuf. 735int my_main_no_warning() { 736 char *p = malloc(100); 737 setvbuf(stdout, p, 0, 100); 738 return 0; 739} 740int my_main_no_warning2() { 741 char *p = malloc(100); 742 setbuf(__stdoutp, p); 743 return 0; 744} 745int my_main_warn(FILE *f) { 746 char *p = malloc(100); 747 setvbuf(f, p, 0, 100); 748 return 0;// expected-warning {{leak}} 749} 750 751// <rdar://problem/10978247>. 752// some people use stack allocated memory as an optimization to avoid 753// a heap allocation for small work sizes. This tests the analyzer's 754// understanding that the malloc'ed memory is not the same as stackBuffer. 755void radar10978247(int myValueSize) { 756 char stackBuffer[128]; 757 char *buffer; 758 759 if (myValueSize <= sizeof(stackBuffer)) 760 buffer = stackBuffer; 761 else 762 buffer = malloc(myValueSize); 763 764 // do stuff with the buffer 765 if (buffer != stackBuffer) 766 free(buffer); 767} 768 769void radar10978247_positive(int myValueSize) { 770 char stackBuffer[128]; 771 char *buffer; 772 773 if (myValueSize <= sizeof(stackBuffer)) 774 buffer = stackBuffer; 775 else 776 buffer = malloc(myValueSize); 777 778 // do stuff with the buffer 779 if (buffer == stackBuffer) 780 return; 781 else 782 return; // expected-warning {{leak}} 783} 784// <rdar://problem/11269741> Previously this triggered a false positive 785// because malloc() is known to return uninitialized memory and the binding 786// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 787struct rdar11269741_a_t { 788 struct rdar11269741_b_t { 789 int m; 790 } n; 791}; 792 793int rdar11269741(struct rdar11269741_b_t o) 794{ 795 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 796 p->n = o; 797 return p->n.m; // expected-warning {{leak}} 798} 799 800// Pointer arithmetic, returning an ElementRegion. 801void *radar11329382(unsigned bl) { 802 void *ptr = malloc (16); 803 ptr = ptr + (2 - bl); 804 return ptr; // no warning 805} 806 807void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 808int strcmp(const char *, const char *); 809char *a (void); 810void radar11270219(void) { 811 char *x = a(), *y = a(); 812 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 813 strcmp(x, y); // no warning 814} 815 816void radar_11358224_test_double_assign_ints_positive_2() 817{ 818 void *ptr = malloc(16); 819 ptr = ptr; 820} // expected-warning {{leak}} 821 822// Assume that functions which take a function pointer can free memory even if 823// they are defined in system headers and take the const pointer to the 824// allocated memory. (radar://11160612) 825int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 826void r11160612_1() { 827 char *x = malloc(12); 828 const_ptr_and_callback(0, x, 12, free); // no - warning 829} 830 831// Null is passed as callback. 832void r11160612_2() { 833 char *x = malloc(12); 834 const_ptr_and_callback(0, x, 12, 0); 835} // expected-warning {{leak}} 836 837// Callback is passed to a function defined in a system header. 838void r11160612_4() { 839 char *x = malloc(12); 840 sqlite3_bind_text_my(0, x, 12, free); // no - warning 841} 842 843// Passing callbacks in a struct. 844void r11160612_5(StWithCallback St) { 845 void *x = malloc(12); 846 dealocateMemWhenDoneByVal(x, St); 847} 848void r11160612_6(StWithCallback St) { 849 void *x = malloc(12); 850 dealocateMemWhenDoneByRef(&St, x); 851} 852 853int mySub(int, int); 854int myAdd(int, int); 855int fPtr(unsigned cond, int x) { 856 return (cond ? mySub : myAdd)(x, x); 857} 858 859// Test anti-aliasing. 860 861void dependsOnValueOfPtr(int *g, unsigned f) { 862 int *p; 863 864 if (f) { 865 p = g; 866 } else { 867 p = malloc(12); 868 } 869 870 if (p != g) 871 free(p); 872 else 873 return; // no warning 874 return; 875} 876 877int CMPRegionHeapToStack() { 878 int x = 0; 879 int *x1 = malloc(8); 880 int *x2 = &x; 881 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 882 free(x1); 883 return x; 884} 885 886int CMPRegionHeapToHeap2() { 887 int x = 0; 888 int *x1 = malloc(8); 889 int *x2 = malloc(8); 890 int *x4 = x1; 891 int *x5 = x2; 892 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 893 free(x1); 894 free(x2); 895 return x; 896} 897 898int CMPRegionHeapToHeap() { 899 int x = 0; 900 int *x1 = malloc(8); 901 int *x4 = x1; 902 if (x1 == x4) { 903 free(x1); 904 return 5/x; // expected-warning{{Division by zero}} 905 } 906 return x;// expected-warning{{This statement is never executed}} 907} 908 909int HeapAssignment() { 910 int m = 0; 911 int *x = malloc(4); 912 int *y = x; 913 *x = 5; 914 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 915 free(x); 916 return 0; 917} 918 919int *retPtr(); 920int *retPtrMightAlias(int *x); 921int cmpHeapAllocationToUnknown() { 922 int zero = 0; 923 int *yBefore = retPtr(); 924 int *m = malloc(8); 925 int *yAfter = retPtrMightAlias(m); 926 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 927 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 928 free(m); 929 return 0; 930} 931 932#ifdef __INTPTR_TYPE__ 933// Test double assignment through integers. 934typedef __INTPTR_TYPE__ intptr_t; 935typedef unsigned __INTPTR_TYPE__ uintptr_t; 936 937static intptr_t glob; 938void test_double_assign_ints() 939{ 940 void *ptr = malloc (16); // no-warning 941 glob = (intptr_t)(uintptr_t)ptr; 942} 943 944void test_double_assign_ints_positive() 945{ 946 void *ptr = malloc(16); 947 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 948} // expected-warning {{leak}} 949#endif 950 951void testCGContextNoLeak() 952{ 953 void *ptr = malloc(16); 954 CGContextRef context = CGBitmapContextCreate(ptr); 955 956 // Because you can get the data back out like this, even much later, 957 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 958 free(CGBitmapContextGetData(context)); 959} 960 961void testCGContextLeak() 962{ 963 void *ptr = malloc(16); 964 CGContextRef context = CGBitmapContextCreate(ptr); 965 // However, this time we're just leaking the data, because the context 966 // object doesn't escape and it hasn't been freed in this function. 967} 968 969// Allow xpc context to escape. radar://11635258 970// TODO: Would be great if we checked that the finalize_connection_context actually releases it. 971static void finalize_connection_context(void *ctx) { 972 int *context = ctx; 973 free(context); 974} 975void foo (xpc_connection_t peer) { 976 int *ctx = calloc(1, sizeof(int)); 977 xpc_connection_set_context(peer, ctx); 978 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 979 xpc_connection_resume(peer); 980} 981 982// Make sure we catch errors when we free in a function which does not allocate memory. 983void freeButNoMalloc(int *p, int x){ 984 if (x) { 985 free(p); 986 //user forgot a return here. 987 } 988 free(p); // expected-warning {{Attempt to free released memory}} 989} 990 991struct HasPtr { 992 char *p; 993}; 994 995char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 996 int *s; 997 char *b = realloc(a->p, size); 998 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 999 return a->p; 1000} 1001 1002// We should not warn in this case since the caller will presumably free a->p in all cases. 1003int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1004 int *s; 1005 char *b = realloc(a->p, size); 1006 if (b == 0) 1007 return -1; 1008 a->p = b; 1009 return 0; 1010} 1011 1012// Test realloc with no visible malloc. 1013void *test(void *ptr) { 1014 void *newPtr = realloc(ptr, 4); 1015 if (newPtr == 0) { 1016 if (ptr) 1017 free(ptr); // no-warning 1018 } 1019 return newPtr; 1020} 1021 1022 1023char *testLeakWithinReturn(char *str) { 1024 return strdup(strdup(str)); // expected-warning{{leak}} 1025} 1026 1027void passConstPtr(const char * ptr); 1028 1029void testPassConstPointer() { 1030 char * string = malloc(sizeof(char)*10); 1031 passConstPtr(string); 1032 return; // expected-warning {{leak}} 1033} 1034 1035void testPassConstPointerIndirectly() { 1036 char *p = malloc(1); 1037 p++; 1038 memcmp(p, p, sizeof(&p)); 1039 return; // expected-warning {{leak}} 1040} 1041 1042void testPassToSystemHeaderFunctionIndirectly() { 1043 int *p = malloc(4); 1044 p++; 1045 fakeSystemHeaderCallInt(p); 1046} // expected-warning {{leak}} 1047 1048// ---------------------------------------------------------------------------- 1049// False negatives. 1050 1051// TODO: This is another false negative. 1052void testMallocWithParam(int **p) { 1053 *p = (int*) malloc(sizeof(int)); 1054 *p = 0; 1055} 1056 1057void testMallocWithParam_2(int **p) { 1058 *p = (int*) malloc(sizeof(int)); 1059} 1060 1061// Pending on removal of the escaping on assignment to struct fields. 1062void testStructLeak() { 1063 StructWithPtr St; 1064 St.memP = malloc(12); 1065 return; // missing warning 1066} 1067 1068void localArrayTest() { 1069 char *p = (char*)malloc(12); 1070 char *ArrayL[12]; 1071 ArrayL[0] = p; 1072} // missing warning 1073 1074void localStructTest() { 1075 StructWithPtr St; 1076 StructWithPtr *pSt = &St; 1077 pSt->memP = malloc(12); 1078} // missing warning 1079 1080void testPassConstPointerIndirectlyStruct() { 1081 struct HasPtr hp; 1082 hp.p = malloc(10); 1083 memcmp(&hp, &hp, sizeof(hp)); 1084 return; // missing leak 1085} 1086 1087void testPassToSystemHeaderFunctionIndirectlyStruct() { 1088 SomeStruct ss; 1089 ss.p = malloc(1); 1090 fakeSystemHeaderCall(&ss); 1091} // missing leak 1092 1093int *testOffsetAllocate(size_t size) { 1094 int *memoryBlock = (int *)malloc(size + sizeof(int)); 1095 return &memoryBlock[1]; // no-warning 1096} 1097 1098void testOffsetDeallocate(int *memoryBlock) { 1099 free(&memoryBlock[-1]); // no-warning 1100} 1101 1102void testOffsetOfRegionFreed() { 1103 __int64_t * array = malloc(sizeof(__int64_t)*2); 1104 array += 1; 1105 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1106} 1107 1108void testOffsetOfRegionFreed2() { 1109 __int64_t *p = malloc(sizeof(__int64_t)*2); 1110 p += 1; 1111 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1112} 1113 1114void testOffsetOfRegionFreed3() { 1115 char *r = malloc(sizeof(char)); 1116 r = r - 10; 1117 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}} 1118} 1119 1120void testOffsetOfRegionFreedAfterFunctionCall() { 1121 int *p = malloc(sizeof(int)*2); 1122 p += 1; 1123 myfoo(p); 1124 free(p); // no-warning 1125} 1126 1127void testFixManipulatedPointerBeforeFree() { 1128 int * array = malloc(sizeof(int)*2); 1129 array += 1; 1130 free(&array[-1]); // no-warning 1131} 1132 1133void testFixManipulatedPointerBeforeFree2() { 1134 char *r = malloc(sizeof(char)); 1135 r = r + 10; 1136 free(r-10); // no-warning 1137} 1138 1139void freeOffsetPointerPassedToFunction() { 1140 __int64_t *p = malloc(sizeof(__int64_t)*2); 1141 p[1] = 0; 1142 p += 1; 1143 myfooint(*p); // not passing the pointer, only a value pointed by pointer 1144 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1145} 1146 1147int arbitraryInt(); 1148void freeUnknownOffsetPointer() { 1149 char *r = malloc(sizeof(char)); 1150 r = r + arbitraryInt(); // unable to reason about what the offset might be 1151 free(r); // no-warning 1152} 1153 1154void testFreeNonMallocPointerWithNoOffset() { 1155 char c; 1156 char *r = &c; 1157 r = r + 10; 1158 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1159} 1160 1161void testFreeNonMallocPointerWithOffset() { 1162 char c; 1163 char *r = &c; 1164 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1165} 1166 1167void testOffsetZeroDoubleFree() { 1168 int *array = malloc(sizeof(int)*2); 1169 int *p = &array[0]; 1170 free(p); 1171 free(&array[0]); // expected-warning{{Attempt to free released memory}} 1172} 1173 1174void testOffsetPassedToStrlen() { 1175 char * string = malloc(sizeof(char)*10); 1176 string += 1; 1177 int length = strlen(string); // expected-warning {{Memory is never released; potential leak of memory pointed to by 'string'}} 1178} 1179 1180void testOffsetPassedToStrlenThenFree() { 1181 char * string = malloc(sizeof(char)*10); 1182 string += 1; 1183 int length = strlen(string); 1184 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1185} 1186 1187void testOffsetPassedAsConst() { 1188 char * string = malloc(sizeof(char)*10); 1189 string += 1; 1190 passConstPtr(string); 1191 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1192} 1193 1194