malloc.c revision b98c6fe8877b809d4da3020692c9b38f972b92cf
1// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2 3#include "Inputs/system-header-simulator.h" 4 5void clang_analyzer_eval(int); 6 7typedef __typeof(sizeof(int)) size_t; 8void *malloc(size_t); 9void *valloc(size_t); 10void free(void *); 11void *realloc(void *ptr, size_t size); 12void *reallocf(void *ptr, size_t size); 13void *calloc(size_t nmemb, size_t size); 14char *strdup(const char *s); 15char *strndup(const char *s, size_t n); 16 17void myfoo(int *p); 18void myfooint(int p); 19char *fooRetPtr(); 20 21void f1() { 22 int *p = malloc(12); 23 return; // expected-warning{{Memory is never released; potential leak of memory pointed to by 'p'}} 24} 25 26void f2() { 27 int *p = malloc(12); 28 free(p); 29 free(p); // expected-warning{{Attempt to free released memory}} 30} 31 32void f2_realloc_0() { 33 int *p = malloc(12); 34 realloc(p,0); 35 realloc(p,0); // expected-warning{{Attempt to free released memory}} 36} 37 38void f2_realloc_1() { 39 int *p = malloc(12); 40 int *q = realloc(p,0); // no-warning 41} 42 43void reallocNotNullPtr(unsigned sizeIn) { 44 unsigned size = 12; 45 char *p = (char*)malloc(size); 46 if (p) { 47 char *q = (char*)realloc(p, sizeIn); 48 char x = *q; // expected-warning {{Memory is never released; potential leak of memory pointed to by 'q'}} 49 } 50} 51 52int *realloctest1() { 53 int *q = malloc(12); 54 q = realloc(q, 20); 55 return q; // no warning - returning the allocated value 56} 57 58// p should be freed if realloc fails. 59void reallocFails() { 60 char *p = malloc(12); 61 char *r = realloc(p, 12+1); 62 if (!r) { 63 free(p); 64 } else { 65 free(r); 66 } 67} 68 69void reallocSizeZero1() { 70 char *p = malloc(12); 71 char *r = realloc(p, 0); 72 if (!r) { 73 free(p); // expected-warning {{Attempt to free released memory}} 74 } else { 75 free(r); 76 } 77} 78 79void reallocSizeZero2() { 80 char *p = malloc(12); 81 char *r = realloc(p, 0); 82 if (!r) { 83 free(p); // expected-warning {{Attempt to free released memory}} 84 } else { 85 free(r); 86 } 87 free(p); // expected-warning {{Attempt to free released memory}} 88} 89 90void reallocSizeZero3() { 91 char *p = malloc(12); 92 char *r = realloc(p, 0); 93 free(r); 94} 95 96void reallocSizeZero4() { 97 char *r = realloc(0, 0); 98 free(r); 99} 100 101void reallocSizeZero5() { 102 char *r = realloc(0, 0); 103} 104 105void reallocPtrZero1() { 106 char *r = realloc(0, 12); 107} // expected-warning {{Memory is never released; potential leak of memory pointed to by 'r'}} 108 109void reallocPtrZero2() { 110 char *r = realloc(0, 12); 111 if (r) 112 free(r); 113} 114 115void reallocPtrZero3() { 116 char *r = realloc(0, 12); 117 free(r); 118} 119 120void reallocRadar6337483_1() { 121 char *buf = malloc(100); 122 buf = (char*)realloc(buf, 0x1000000); 123 if (!buf) { 124 return;// expected-warning {{Memory is never released; potential leak}} 125 } 126 free(buf); 127} 128 129void reallocRadar6337483_2() { 130 char *buf = malloc(100); 131 char *buf2 = (char*)realloc(buf, 0x1000000); 132 if (!buf2) { 133 ; 134 } else { 135 free(buf2); 136 } 137} // expected-warning {{Memory is never released; potential leak}} 138 139void reallocRadar6337483_3() { 140 char * buf = malloc(100); 141 char * tmp; 142 tmp = (char*)realloc(buf, 0x1000000); 143 if (!tmp) { 144 free(buf); 145 return; 146 } 147 buf = tmp; 148 free(buf); 149} 150 151void reallocRadar6337483_4() { 152 char *buf = malloc(100); 153 char *buf2 = (char*)realloc(buf, 0x1000000); 154 if (!buf2) { 155 return; // expected-warning {{Memory is never released; potential leak}} 156 } else { 157 free(buf2); 158 } 159} 160 161int *reallocfTest1() { 162 int *q = malloc(12); 163 q = reallocf(q, 20); 164 return q; // no warning - returning the allocated value 165} 166 167void reallocfRadar6337483_4() { 168 char *buf = malloc(100); 169 char *buf2 = (char*)reallocf(buf, 0x1000000); 170 if (!buf2) { 171 return; // no warning - reallocf frees even on failure 172 } else { 173 free(buf2); 174 } 175} 176 177void reallocfRadar6337483_3() { 178 char * buf = malloc(100); 179 char * tmp; 180 tmp = (char*)reallocf(buf, 0x1000000); 181 if (!tmp) { 182 free(buf); // expected-warning {{Attempt to free released memory}} 183 return; 184 } 185 buf = tmp; 186 free(buf); 187} 188 189void reallocfPtrZero1() { 190 char *r = reallocf(0, 12); 191} // expected-warning {{Memory is never released; potential leak}} 192 193 194// This case tests that storing malloc'ed memory to a static variable which is 195// then returned is not leaked. In the absence of known contracts for functions 196// or inter-procedural analysis, this is a conservative answer. 197int *f3() { 198 static int *p = 0; 199 p = malloc(12); 200 return p; // no-warning 201} 202 203// This case tests that storing malloc'ed memory to a static global variable 204// which is then returned is not leaked. In the absence of known contracts for 205// functions or inter-procedural analysis, this is a conservative answer. 206static int *p_f4 = 0; 207int *f4() { 208 p_f4 = malloc(12); 209 return p_f4; // no-warning 210} 211 212int *f5() { 213 int *q = malloc(12); 214 q = realloc(q, 20); 215 return q; // no-warning 216} 217 218void f6() { 219 int *p = malloc(12); 220 if (!p) 221 return; // no-warning 222 else 223 free(p); 224} 225 226void f6_realloc() { 227 int *p = malloc(12); 228 if (!p) 229 return; // no-warning 230 else 231 realloc(p,0); 232} 233 234 235char *doit2(); 236void pr6069() { 237 char *buf = doit2(); 238 free(buf); 239} 240 241void pr6293() { 242 free(0); 243} 244 245void f7() { 246 char *x = (char*) malloc(4); 247 free(x); 248 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 249} 250 251void f8() { 252 char *x = (char*) malloc(4); 253 free(x); 254 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 255} 256 257void f7_realloc() { 258 char *x = (char*) malloc(4); 259 realloc(x,0); 260 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 261} 262 263void PR6123() { 264 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 265} 266 267void PR7217() { 268 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 269 buf[1] = 'c'; // not crash 270} 271 272void mallocCastToVoid() { 273 void *p = malloc(2); 274 const void *cp = p; // not crash 275 free(p); 276} 277 278void mallocCastToFP() { 279 void *p = malloc(2); 280 void (*fp)() = p; // not crash 281 free(p); 282} 283 284// This tests that malloc() buffers are undefined by default 285char mallocGarbage () { 286 char *buf = malloc(2); 287 char result = buf[1]; // expected-warning{{undefined}} 288 free(buf); 289 return result; 290} 291 292// This tests that calloc() buffers need to be freed 293void callocNoFree () { 294 char *buf = calloc(2,2); 295 return; // expected-warning{{never released}} 296} 297 298// These test that calloc() buffers are zeroed by default 299char callocZeroesGood () { 300 char *buf = calloc(2,2); 301 char result = buf[3]; // no-warning 302 if (buf[1] == 0) { 303 free(buf); 304 } 305 return result; // no-warning 306} 307 308char callocZeroesBad () { 309 char *buf = calloc(2,2); 310 char result = buf[3]; // no-warning 311 if (buf[1] != 0) { 312 free(buf); // expected-warning{{never executed}} 313 } 314 return result; // expected-warning{{never released}} 315} 316 317void nullFree() { 318 int *p = 0; 319 free(p); // no warning - a nop 320} 321 322void paramFree(int *p) { 323 myfoo(p); 324 free(p); // no warning 325 myfoo(p); // expected-warning {{Use of memory after it is freed}} 326} 327 328int* mallocEscapeRet() { 329 int *p = malloc(12); 330 return p; // no warning 331} 332 333void mallocEscapeFoo() { 334 int *p = malloc(12); 335 myfoo(p); 336 return; // no warning 337} 338 339void mallocEscapeFree() { 340 int *p = malloc(12); 341 myfoo(p); 342 free(p); 343} 344 345void mallocEscapeFreeFree() { 346 int *p = malloc(12); 347 myfoo(p); 348 free(p); 349 free(p); // expected-warning{{Attempt to free released memory}} 350} 351 352void mallocEscapeFreeUse() { 353 int *p = malloc(12); 354 myfoo(p); 355 free(p); 356 myfoo(p); // expected-warning{{Use of memory after it is freed}} 357} 358 359int *myalloc(); 360void myalloc2(int **p); 361 362void mallocEscapeFreeCustomAlloc() { 363 int *p = malloc(12); 364 myfoo(p); 365 free(p); 366 p = myalloc(); 367 free(p); // no warning 368} 369 370void mallocEscapeFreeCustomAlloc2() { 371 int *p = malloc(12); 372 myfoo(p); 373 free(p); 374 myalloc2(&p); 375 free(p); // no warning 376} 377 378void mallocBindFreeUse() { 379 int *x = malloc(12); 380 int *y = x; 381 free(y); 382 myfoo(x); // expected-warning{{Use of memory after it is freed}} 383} 384 385void mallocEscapeMalloc() { 386 int *p = malloc(12); 387 myfoo(p); 388 p = malloc(12); 389} // expected-warning{{Memory is never released; potential leak}} 390 391void mallocMalloc() { 392 int *p = malloc(12); 393 p = malloc(12); 394} // expected-warning {{Memory is never released; potential leak}} 395 396void mallocFreeMalloc() { 397 int *p = malloc(12); 398 free(p); 399 p = malloc(12); 400 free(p); 401} 402 403void mallocFreeUse_params() { 404 int *p = malloc(12); 405 free(p); 406 myfoo(p); //expected-warning{{Use of memory after it is freed}} 407} 408 409void mallocFreeUse_params2() { 410 int *p = malloc(12); 411 free(p); 412 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 413} 414 415void mallocFailedOrNot() { 416 int *p = malloc(12); 417 if (!p) 418 free(p); 419 else 420 free(p); 421} 422 423struct StructWithInt { 424 int g; 425}; 426 427int *mallocReturnFreed() { 428 int *p = malloc(12); 429 free(p); 430 return p; // expected-warning {{Use of memory after it is freed}} 431} 432 433int useAfterFreeStruct() { 434 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 435 px->g = 5; 436 free(px); 437 return px->g; // expected-warning {{Use of memory after it is freed}} 438} 439 440void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 441 442void mallocEscapeFooNonSymbolArg() { 443 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 444 nonSymbolAsFirstArg(&p->g, p); 445 return; // no warning 446} 447 448void mallocFailedOrNotLeak() { 449 int *p = malloc(12); 450 if (p == 0) 451 return; // no warning 452 else 453 return; // expected-warning {{Memory is never released; potential leak}} 454} 455 456void mallocAssignment() { 457 char *p = malloc(12); 458 p = fooRetPtr(); 459} // expected-warning {{leak}} 460 461int vallocTest() { 462 char *mem = valloc(12); 463 return 0; // expected-warning {{Memory is never released; potential leak}} 464} 465 466void vallocEscapeFreeUse() { 467 int *p = valloc(12); 468 myfoo(p); 469 free(p); 470 myfoo(p); // expected-warning{{Use of memory after it is freed}} 471} 472 473int *Gl; 474struct GlStTy { 475 int *x; 476}; 477 478struct GlStTy GlS = {0}; 479 480void GlobalFree() { 481 free(Gl); 482} 483 484void GlobalMalloc() { 485 Gl = malloc(12); 486} 487 488void GlobalStructMalloc() { 489 int *a = malloc(12); 490 GlS.x = a; 491} 492 493void GlobalStructMallocFree() { 494 int *a = malloc(12); 495 GlS.x = a; 496 free(GlS.x); 497} 498 499char *ArrayG[12]; 500 501void globalArrayTest() { 502 char *p = (char*)malloc(12); 503 ArrayG[0] = p; 504} 505 506// Make sure that we properly handle a pointer stored into a local struct/array. 507typedef struct _StructWithPtr { 508 int *memP; 509} StructWithPtr; 510 511static StructWithPtr arrOfStructs[10]; 512 513void testMalloc() { 514 int *x = malloc(12); 515 StructWithPtr St; 516 St.memP = x; 517 arrOfStructs[0] = St; // no-warning 518} 519 520StructWithPtr testMalloc2() { 521 int *x = malloc(12); 522 StructWithPtr St; 523 St.memP = x; 524 return St; // no-warning 525} 526 527int *testMalloc3() { 528 int *x = malloc(12); 529 int *y = x; 530 return y; // no-warning 531} 532 533void testElemRegion1() { 534 char *x = (void*)malloc(2); 535 int *ix = (int*)x; 536 free(&(x[0])); 537} 538 539void testElemRegion2(int **pp) { 540 int *p = malloc(12); 541 *pp = p; 542 free(pp[0]); 543} 544 545void testElemRegion3(int **pp) { 546 int *p = malloc(12); 547 *pp = p; 548 free(*pp); 549} 550// Region escape testing. 551 552unsigned takePtrToPtr(int **p); 553void PassTheAddrOfAllocatedData(int f) { 554 int *p = malloc(12); 555 // We don't know what happens after the call. Should stop tracking here. 556 if (takePtrToPtr(&p)) 557 f++; 558 free(p); // no warning 559} 560 561struct X { 562 int *p; 563}; 564unsigned takePtrToStruct(struct X *s); 565int ** foo2(int *g, int f) { 566 int *p = malloc(12); 567 struct X *px= malloc(sizeof(struct X)); 568 px->p = p; 569 // We don't know what happens after this call. Should not track px nor p. 570 if (takePtrToStruct(px)) 571 f++; 572 free(p); 573 return 0; 574} 575 576struct X* RegInvalidationDetect1(struct X *s2) { 577 struct X *px= malloc(sizeof(struct X)); 578 px->p = 0; 579 px = s2; 580 return px; // expected-warning {{Memory is never released; potential leak}} 581} 582 583struct X* RegInvalidationGiveUp1() { 584 int *p = malloc(12); 585 struct X *px= malloc(sizeof(struct X)); 586 px->p = p; 587 return px; 588} 589 590int **RegInvalidationDetect2(int **pp) { 591 int *p = malloc(12); 592 pp = &p; 593 pp++; 594 return 0;// expected-warning {{Memory is never released; potential leak}} 595} 596 597extern void exit(int) __attribute__ ((__noreturn__)); 598void mallocExit(int *g) { 599 struct xx *p = malloc(12); 600 if (g != 0) 601 exit(1); 602 free(p); 603 return; 604} 605 606extern void __assert_fail (__const char *__assertion, __const char *__file, 607 unsigned int __line, __const char *__function) 608 __attribute__ ((__noreturn__)); 609#define assert(expr) \ 610 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 611void mallocAssert(int *g) { 612 struct xx *p = malloc(12); 613 614 assert(g != 0); 615 free(p); 616 return; 617} 618 619void doNotInvalidateWhenPassedToSystemCalls(char *s) { 620 char *p = malloc(12); 621 strlen(p); 622 strcpy(p, s); 623} // expected-warning {{leak}} 624 625// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 626void symbolLostWithStrcpy(char *s) { 627 char *p = malloc(12); 628 p = strcpy(p, s); 629 free(p); 630} 631 632 633// The same test as the one above, but with what is actually generated on a mac. 634static __inline char * 635__inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 636{ 637 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 638} 639 640void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 641 char *p = malloc(12); 642 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 643 free(p); 644} 645 646// Here we are returning a pointer one past the allocated value. An idiom which 647// can be used for implementing special malloc. The correct uses of this might 648// be rare enough so that we could keep this as a warning. 649static void *specialMalloc(int n){ 650 int *p; 651 p = malloc( n+8 ); 652 if( p ){ 653 p[0] = n; 654 p++; 655 } 656 return p; 657} 658 659// Potentially, the user could free the struct by performing pointer arithmetic on the return value. 660// This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 661int *specialMallocWithStruct() { 662 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 663 return &(px->g); 664} 665 666// Test various allocation/deallocation functions. 667void testStrdup(const char *s, unsigned validIndex) { 668 char *s2 = strdup(s); 669 s2[validIndex + 1] = 'b'; 670} // expected-warning {{Memory is never released; potential leak}} 671 672int testStrndup(const char *s, unsigned validIndex, unsigned size) { 673 char *s2 = strndup(s, size); 674 s2 [validIndex + 1] = 'b'; 675 if (s2[validIndex] != 'a') 676 return 0; 677 else 678 return 1;// expected-warning {{Memory is never released; potential leak}} 679} 680 681void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 682 char *s2 = strdup(s); 683 char result = s2[1];// no warning 684 free(s2); 685} 686 687// ---------------------------------------------------------------------------- 688// Test the system library functions to which the pointer can escape. 689// This tests false positive suppression. 690 691// For now, we assume memory passed to pthread_specific escapes. 692// TODO: We could check that if a new pthread binding is set, the existing 693// binding must be freed; otherwise, a memory leak can occur. 694void testPthereadSpecificEscape(pthread_key_t key) { 695 void *buf = malloc(12); 696 pthread_setspecific(key, buf); // no warning 697} 698 699// PR12101: Test funopen(). 700static int releasePtr(void *_ctx) { 701 free(_ctx); 702 return 0; 703} 704FILE *useFunOpen() { 705 void *ctx = malloc(sizeof(int)); 706 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 707 if (f == 0) { 708 free(ctx); 709 } 710 return f; 711} 712FILE *useFunOpenNoReleaseFunction() { 713 void *ctx = malloc(sizeof(int)); 714 FILE *f = funopen(ctx, 0, 0, 0, 0); 715 if (f == 0) { 716 free(ctx); 717 } 718 return f; // expected-warning{{leak}} 719} 720 721static int readNothing(void *_ctx, char *buf, int size) { 722 return 0; 723} 724FILE *useFunOpenReadNoRelease() { 725 void *ctx = malloc(sizeof(int)); 726 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 727 if (f == 0) { 728 free(ctx); 729 } 730 return f; // expected-warning{{leak}} 731} 732 733// Test setbuf, setvbuf. 734int my_main_no_warning() { 735 char *p = malloc(100); 736 setvbuf(stdout, p, 0, 100); 737 return 0; 738} 739int my_main_no_warning2() { 740 char *p = malloc(100); 741 setbuf(__stdoutp, p); 742 return 0; 743} 744int my_main_warn(FILE *f) { 745 char *p = malloc(100); 746 setvbuf(f, p, 0, 100); 747 return 0;// expected-warning {{leak}} 748} 749 750// <rdar://problem/10978247>. 751// some people use stack allocated memory as an optimization to avoid 752// a heap allocation for small work sizes. This tests the analyzer's 753// understanding that the malloc'ed memory is not the same as stackBuffer. 754void radar10978247(int myValueSize) { 755 char stackBuffer[128]; 756 char *buffer; 757 758 if (myValueSize <= sizeof(stackBuffer)) 759 buffer = stackBuffer; 760 else 761 buffer = malloc(myValueSize); 762 763 // do stuff with the buffer 764 if (buffer != stackBuffer) 765 free(buffer); 766} 767 768void radar10978247_positive(int myValueSize) { 769 char stackBuffer[128]; 770 char *buffer; 771 772 if (myValueSize <= sizeof(stackBuffer)) 773 buffer = stackBuffer; 774 else 775 buffer = malloc(myValueSize); 776 777 // do stuff with the buffer 778 if (buffer == stackBuffer) 779 return; 780 else 781 return; // expected-warning {{leak}} 782} 783// <rdar://problem/11269741> Previously this triggered a false positive 784// because malloc() is known to return uninitialized memory and the binding 785// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 786struct rdar11269741_a_t { 787 struct rdar11269741_b_t { 788 int m; 789 } n; 790}; 791 792int rdar11269741(struct rdar11269741_b_t o) 793{ 794 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 795 p->n = o; 796 return p->n.m; // expected-warning {{leak}} 797} 798 799// Pointer arithmetic, returning an ElementRegion. 800void *radar11329382(unsigned bl) { 801 void *ptr = malloc (16); 802 ptr = ptr + (2 - bl); 803 return ptr; // no warning 804} 805 806void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 807int strcmp(const char *, const char *); 808char *a (void); 809void radar11270219(void) { 810 char *x = a(), *y = a(); 811 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 812 strcmp(x, y); // no warning 813} 814 815void radar_11358224_test_double_assign_ints_positive_2() 816{ 817 void *ptr = malloc(16); 818 ptr = ptr; 819} // expected-warning {{leak}} 820 821// Assume that functions which take a function pointer can free memory even if 822// they are defined in system headers and take the const pointer to the 823// allocated memory. (radar://11160612) 824int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 825void r11160612_1() { 826 char *x = malloc(12); 827 const_ptr_and_callback(0, x, 12, free); // no - warning 828} 829 830// Null is passed as callback. 831void r11160612_2() { 832 char *x = malloc(12); 833 const_ptr_and_callback(0, x, 12, 0); 834} // expected-warning {{leak}} 835 836// Callback is passed to a function defined in a system header. 837void r11160612_4() { 838 char *x = malloc(12); 839 sqlite3_bind_text_my(0, x, 12, free); // no - warning 840} 841 842// Passing callbacks in a struct. 843void r11160612_5(StWithCallback St) { 844 void *x = malloc(12); 845 dealocateMemWhenDoneByVal(x, St); 846} 847void r11160612_6(StWithCallback St) { 848 void *x = malloc(12); 849 dealocateMemWhenDoneByRef(&St, x); 850} 851 852int mySub(int, int); 853int myAdd(int, int); 854int fPtr(unsigned cond, int x) { 855 return (cond ? mySub : myAdd)(x, x); 856} 857 858// Test anti-aliasing. 859 860void dependsOnValueOfPtr(int *g, unsigned f) { 861 int *p; 862 863 if (f) { 864 p = g; 865 } else { 866 p = malloc(12); 867 } 868 869 if (p != g) 870 free(p); 871 else 872 return; // no warning 873 return; 874} 875 876int CMPRegionHeapToStack() { 877 int x = 0; 878 int *x1 = malloc(8); 879 int *x2 = &x; 880 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 881 free(x1); 882 return x; 883} 884 885int CMPRegionHeapToHeap2() { 886 int x = 0; 887 int *x1 = malloc(8); 888 int *x2 = malloc(8); 889 int *x4 = x1; 890 int *x5 = x2; 891 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 892 free(x1); 893 free(x2); 894 return x; 895} 896 897int CMPRegionHeapToHeap() { 898 int x = 0; 899 int *x1 = malloc(8); 900 int *x4 = x1; 901 if (x1 == x4) { 902 free(x1); 903 return 5/x; // expected-warning{{Division by zero}} 904 } 905 return x;// expected-warning{{This statement is never executed}} 906} 907 908int HeapAssignment() { 909 int m = 0; 910 int *x = malloc(4); 911 int *y = x; 912 *x = 5; 913 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 914 free(x); 915 return 0; 916} 917 918int *retPtr(); 919int *retPtrMightAlias(int *x); 920int cmpHeapAllocationToUnknown() { 921 int zero = 0; 922 int *yBefore = retPtr(); 923 int *m = malloc(8); 924 int *yAfter = retPtrMightAlias(m); 925 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 926 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 927 free(m); 928 return 0; 929} 930 931#ifdef __INTPTR_TYPE__ 932// Test double assignment through integers. 933typedef __INTPTR_TYPE__ intptr_t; 934typedef unsigned __INTPTR_TYPE__ uintptr_t; 935 936static intptr_t glob; 937void test_double_assign_ints() 938{ 939 void *ptr = malloc (16); // no-warning 940 glob = (intptr_t)(uintptr_t)ptr; 941} 942 943void test_double_assign_ints_positive() 944{ 945 void *ptr = malloc(16); 946 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 947} // expected-warning {{leak}} 948#endif 949 950void testCGContextNoLeak() 951{ 952 void *ptr = malloc(16); 953 CGContextRef context = CGBitmapContextCreate(ptr); 954 955 // Because you can get the data back out like this, even much later, 956 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 957 free(CGBitmapContextGetData(context)); 958} 959 960void testCGContextLeak() 961{ 962 void *ptr = malloc(16); 963 CGContextRef context = CGBitmapContextCreate(ptr); 964 // However, this time we're just leaking the data, because the context 965 // object doesn't escape and it hasn't been freed in this function. 966} 967 968// Allow xpc context to escape. radar://11635258 969// TODO: Would be great if we checked that the finalize_connection_context actually releases it. 970static void finalize_connection_context(void *ctx) { 971 int *context = ctx; 972 free(context); 973} 974void foo (xpc_connection_t peer) { 975 int *ctx = calloc(1, sizeof(int)); 976 xpc_connection_set_context(peer, ctx); 977 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 978 xpc_connection_resume(peer); 979} 980 981// Make sure we catch errors when we free in a function which does not allocate memory. 982void freeButNoMalloc(int *p, int x){ 983 if (x) { 984 free(p); 985 //user forgot a return here. 986 } 987 free(p); // expected-warning {{Attempt to free released memory}} 988} 989 990struct HasPtr { 991 char *p; 992}; 993 994char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 995 int *s; 996 char *b = realloc(a->p, size); 997 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 998 return a->p; 999} 1000 1001// We should not warn in this case since the caller will presumably free a->p in all cases. 1002int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1003 int *s; 1004 char *b = realloc(a->p, size); 1005 if (b == 0) 1006 return -1; 1007 a->p = b; 1008 return 0; 1009} 1010 1011// Test realloc with no visible malloc. 1012void *test(void *ptr) { 1013 void *newPtr = realloc(ptr, 4); 1014 if (newPtr == 0) { 1015 if (ptr) 1016 free(ptr); // no-warning 1017 } 1018 return newPtr; 1019} 1020 1021 1022char *testLeakWithinReturn(char *str) { 1023 return strdup(strdup(str)); // expected-warning{{leak}} 1024} 1025 1026// ---------------------------------------------------------------------------- 1027// False negatives. 1028 1029// TODO: This is another false negative. 1030void testMallocWithParam(int **p) { 1031 *p = (int*) malloc(sizeof(int)); 1032 *p = 0; 1033} 1034 1035void testMallocWithParam_2(int **p) { 1036 *p = (int*) malloc(sizeof(int)); 1037} 1038 1039// Pending on removal of the escaping on assignment to struct fields. 1040void testStructLeak() { 1041 StructWithPtr St; 1042 St.memP = malloc(12); 1043 return; // missing warning 1044} 1045 1046void localArrayTest() { 1047 char *p = (char*)malloc(12); 1048 char *ArrayL[12]; 1049 ArrayL[0] = p; 1050} // missing warning 1051 1052void localStructTest() { 1053 StructWithPtr St; 1054 StructWithPtr *pSt = &St; 1055 pSt->memP = malloc(12); 1056} // missing warning 1057 1058 1059 1060