search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Run DCE after a LoopFlatten test to reduce spurious output [nfc]
[llvm-project.git] / clang / test / Analysis / malloc.c
bloba3f7a69b8cef347440245db08e6bf59c29adde6a
1 // RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify %s \
2 // RUN: -analyzer-checker=core \
3 // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
4 // RUN: -analyzer-checker=alpha.core.CastSize \
5 // RUN: -analyzer-checker=unix \
6 // RUN: -analyzer-checker=debug.ExprInspection
7
8 #include "Inputs/system-header-simulator.h"
9
10 void clang_analyzer_eval(int);
11 void clang_analyzer_dump(int);
12 void clang_analyzer_dumpExtent(void *);
13
14 // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
15 // _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
16 // the builtin type: "Using the typedef version can cause portability
17 // problems", but we're ok here because we're not actually running anything.
18 // Also of note is this cryptic warning: "The wchar_t type is not supported
19 // when you compile C code".
20 //
21 // See the docs for more:
22 // https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
23 #if !defined(_WCHAR_T_DEFINED)
24 // "Microsoft implements wchar_t as a two-byte unsigned value"
25 typedef unsigned short wchar_t;
26 #define _WCHAR_T_DEFINED
27 #endif // !defined(_WCHAR_T_DEFINED)
28
29 typedef __typeof(sizeof(int)) size_t;
30 void *malloc(size_t);
31 void *alloca(size_t);
32 void *valloc(size_t);
33 void free(void *);
34 void *realloc(void *ptr, size_t size);
35 void *reallocf(void *ptr, size_t size);
36 void *calloc(size_t nmemb, size_t size);
37 char *strdup(const char *s);
38 wchar_t *wcsdup(const wchar_t *s);
39 char *strndup(const char *s, size_t n);
40 int memcmp(const void *s1, const void *s2, size_t n);
41
42 // Windows variants
43 char *_strdup(const char *strSource);
44 wchar_t *_wcsdup(const wchar_t *strSource);
45 void *_alloca(size_t size);
46
47 void myfoo(int *p);
48 void myfooint(int p);
49 char *fooRetPtr(void);
50
51 void f1(void) {
52 int *p = malloc(12);
53 return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
54 }
55
56 void f2(void) {
57 int *p = malloc(12);
58 free(p);
59 free(p); // expected-warning{{Attempt to free released memory}}
60 }
61
62 void f2_realloc_0(void) {
63 int *p = malloc(12);
64 realloc(p,0);
65 realloc(p,0); // expected-warning{{Attempt to free released memory}}
66 }
67
68 void f2_realloc_1(void) {
69 int *p = malloc(12);
70 int *q = realloc(p,0); // no-warning
71 }
72
73 void reallocNotNullPtr(unsigned sizeIn) {
74 unsigned size = 12;
75 char *p = (char*)malloc(size);
76 if (p) {
77 char *q = (char*)realloc(p, sizeIn);
78 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
79 }
80 }
81
82 void allocaTest(void) {
83 int *p = alloca(sizeof(int));
84 } // no warn
85
86 void winAllocaTest(void) {
87 int *p = _alloca(sizeof(int));
88 } // no warn
89
90 void allocaBuiltinTest(void) {
91 int *p = __builtin_alloca(sizeof(int));
92 } // no warn
93
94 int *realloctest1(void) {
95 int *q = malloc(12);
96 q = realloc(q, 20);
97 return q; // no warning - returning the allocated value
98 }
99
100 // p should be freed if realloc fails.
101 void reallocFails(void) {
102 char *p = malloc(12);
103 char *r = realloc(p, 12+1);
104 if (!r) {
105 free(p);
106 } else {
107 free(r);
108 }
109 }
110
111 void reallocSizeZero1(void) {
112 char *p = malloc(12);
113 char *r = realloc(p, 0);
114 if (!r) {
115 free(p); // expected-warning {{Attempt to free released memory}}
116 } else {
117 free(r);
118 }
119 }
120
121 void reallocSizeZero2(void) {
122 char *p = malloc(12);
123 char *r = realloc(p, 0);
124 if (!r) {
125 free(p); // expected-warning {{Attempt to free released memory}}
126 } else {
127 free(r);
128 }
129 free(p); // expected-warning {{Attempt to free released memory}}
130 }
131
132 void reallocSizeZero3(void) {
133 char *p = malloc(12);
134 char *r = realloc(p, 0);
135 free(r);
136 }
137
138 void reallocSizeZero4(void) {
139 char *r = realloc(0, 0);
140 free(r);
141 }
142
143 void reallocSizeZero5(void) {
144 char *r = realloc(0, 0);
145 }
146
147 void reallocPtrZero1(void) {
148 char *r = realloc(0, 12);
149 } // expected-warning {{Potential leak of memory pointed to by 'r'}}
150
151 void reallocPtrZero2(void) {
152 char *r = realloc(0, 12);
153 if (r)
154 free(r);
155 }
156
157 void reallocPtrZero3(void) {
158 char *r = realloc(0, 12);
159 free(r);
160 }
161
162 void reallocRadar6337483_1(void) {
163 char *buf = malloc(100);
164 buf = (char*)realloc(buf, 0x1000000);
165 if (!buf) {
166 return;// expected-warning {{Potential leak of memory pointed to by}}
167 }
168 free(buf);
169 }
170
171 void reallocRadar6337483_2(void) {
172 char *buf = malloc(100);
173 char *buf2 = (char*)realloc(buf, 0x1000000);
174 if (!buf2) {
175 ;
176 } else {
177 free(buf2);
178 }
179 } // expected-warning {{Potential leak of memory pointed to by}}
180
181 void reallocRadar6337483_3(void) {
182 char * buf = malloc(100);
183 char * tmp;
184 tmp = (char*)realloc(buf, 0x1000000);
185 if (!tmp) {
186 free(buf);
187 return;
188 }
189 buf = tmp;
190 free(buf);
191 }
192
193 void reallocRadar6337483_4(void) {
194 char *buf = malloc(100);
195 char *buf2 = (char*)realloc(buf, 0x1000000);
196 if (!buf2) {
197 return; // expected-warning {{Potential leak of memory pointed to by}}
198 } else {
199 free(buf2);
200 }
201 }
202
203 int *reallocfTest1(void) {
204 int *q = malloc(12);
205 q = reallocf(q, 20);
206 return q; // no warning - returning the allocated value
207 }
208
209 void reallocfRadar6337483_4(void) {
210 char *buf = malloc(100);
211 char *buf2 = (char*)reallocf(buf, 0x1000000);
212 if (!buf2) {
213 return; // no warning - reallocf frees even on failure
214 } else {
215 free(buf2);
216 }
217 }
218
219 void reallocfRadar6337483_3(void) {
220 char * buf = malloc(100);
221 char * tmp;
222 tmp = (char*)reallocf(buf, 0x1000000);
223 if (!tmp) {
224 free(buf); // expected-warning {{Attempt to free released memory}}
225 return;
226 }
227 buf = tmp;
228 free(buf);
229 }
230
231 void reallocfPtrZero1(void) {
232 char *r = reallocf(0, 12);
233 } // expected-warning {{Potential leak of memory pointed to by}}
234
235 //------------------- Check usage of zero-allocated memory ---------------------
236 void CheckUseZeroAllocatedNoWarn1(void) {
237 int *p = malloc(0);
238 free(p); // no warning
239 }
240
241 void CheckUseZeroAllocatedNoWarn2(void) {
242 int *p = alloca(0); // no warning
243 }
244
245 void CheckUseZeroWinAllocatedNoWarn2(void) {
246 int *p = _alloca(0); // no warning
247 }
248
249
250 void CheckUseZeroAllocatedNoWarn3(void) {
251 int *p = malloc(0);
252 int *q = realloc(p, 8); // no warning
253 free(q);
254 }
255
256 void CheckUseZeroAllocatedNoWarn4(void) {
257 int *p = realloc(0, 8);
258 *p = 1; // no warning
259 free(p);
260 }
261
262 void CheckUseZeroAllocated1(void) {
263 int *p = malloc(0);
264 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
265 free(p);
266 }
267
268 char CheckUseZeroAllocated2(void) {
269 char *p = alloca(0);
270 return *p; // expected-warning {{Use of memory allocated with size zero}}
271 }
272
273 char CheckUseZeroWinAllocated2(void) {
274 char *p = _alloca(0);
275 return *p; // expected-warning {{Use of memory allocated with size zero}}
276 }
277
278 void UseZeroAllocated(int *p) {
279 if (p)
280 *p = 7; // expected-warning {{Use of memory allocated with size zero}}
281 }
282 void CheckUseZeroAllocated3(void) {
283 int *p = malloc(0);
284 UseZeroAllocated(p);
285 }
286
287 void f(char);
288 void CheckUseZeroAllocated4(void) {
289 char *p = valloc(0);
290 f(*p); // expected-warning {{Use of memory allocated with size zero}}
291 free(p);
292 }
293
294 void CheckUseZeroAllocated5(void) {
295 int *p = calloc(0, 2);
296 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
297 free(p);
298 }
299
300 void CheckUseZeroAllocated6(void) {
301 int *p = calloc(2, 0);
302 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
303 free(p);
304 }
305
306 void CheckUseZeroAllocated7(void) {
307 int *p = realloc(0, 0);
308 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
309 free(p);
310 }
311
312 void CheckUseZeroAllocated8(void) {
313 int *p = malloc(8);
314 int *q = realloc(p, 0);
315 *q = 1; // expected-warning {{Use of memory allocated with size zero}}
316 free(q);
317 }
318
319 void CheckUseZeroAllocated9(void) {
320 int *p = realloc(0, 0);
321 int *q = realloc(p, 0);
322 *q = 1; // expected-warning {{Use of memory allocated with size zero}}
323 free(q);
324 }
325
326 void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
327 int s = 0;
328 if (b)
329 s= 10;
330
331 char *p = malloc(s);
332
333 if (b)
334 *p = 1; // no warning
335
336 free(p);
337 }
338
339 void CheckUseZeroAllocatedPathWarn(_Bool b) {
340 int s = 10;
341 if (b)
342 s= 0;
343
344 char *p = malloc(s);
345
346 if (b)
347 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
348
349 free(p);
350 }
351
352 void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
353 int s = 0;
354 if (b)
355 s= 10;
356
357 char *p = malloc(8);
358 char *q = realloc(p, s);
359
360 if (b)
361 *q = 1; // no warning
362
363 free(q);
364 }
365
366 void CheckUseZeroReallocatedPathWarn(_Bool b) {
367 int s = 10;
368 if (b)
369 s= 0;
370
371 char *p = malloc(8);
372 char *q = realloc(p, s);
373
374 if (b)
375 *q = 1; // expected-warning {{Use of memory allocated with size zero}}
376
377 free(q);
378 }
379
380 // This case tests that storing malloc'ed memory to a static variable which is
381 // then returned is not leaked. In the absence of known contracts for functions
382 // or inter-procedural analysis, this is a conservative answer.
383 int *f3(void) {
384 static int *p = 0;
385 p = malloc(12);
386 return p; // no-warning
387 }
388
389 // This case tests that storing malloc'ed memory to a static global variable
390 // which is then returned is not leaked. In the absence of known contracts for
391 // functions or inter-procedural analysis, this is a conservative answer.
392 static int *p_f4 = 0;
393 int *f4(void) {
394 p_f4 = malloc(12);
395 return p_f4; // no-warning
396 }
397
398 int *f5(void) {
399 int *q = malloc(12);
400 q = realloc(q, 20);
401 return q; // no-warning
402 }
403
404 void f6(void) {
405 int *p = malloc(12);
406 if (!p)
407 return; // no-warning
408 else
409 free(p);
410 }
411
412 void f6_realloc(void) {
413 int *p = malloc(12);
414 if (!p)
415 return; // no-warning
416 else
417 realloc(p,0);
418 }
419
420
421 char *doit2(void);
422 void pr6069(void) {
423 char *buf = doit2();
424 free(buf);
425 }
426
427 void pr6293(void) {
428 free(0);
429 }
430
431 void f7(void) {
432 char *x = (char*) malloc(4);
433 free(x);
434 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
435 }
436
437 void f8(void) {
438 char *x = (char*) malloc(4);
439 free(x);
440 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
441 }
442
443 void f7_realloc(void) {
444 char *x = (char*) malloc(4);
445 realloc(x,0);
446 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
447 }
448
449 void PR6123(void) {
450 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
451 }
452
453 void PR7217(void) {
454 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
455 buf[1] = 'c'; // not crash
456 }
457
458 void cast_emtpy_struct(void) {
459 struct st {
460 };
461
462 struct st *s = malloc(sizeof(struct st)); // no-warning
463 free(s);
464 }
465
466 void cast_struct_1(void) {
467 struct st {
468 int i[100];
469 char j[];
470 };
471
472 struct st *s = malloc(sizeof(struct st)); // no-warning
473 free(s);
474 }
475
476 void cast_struct_2(void) {
477 struct st {
478 int i[100];
479 char j[0];
480 };
481
482 struct st *s = malloc(sizeof(struct st)); // no-warning
483 free(s);
484 }
485
486 void cast_struct_3(void) {
487 struct st {
488 int i[100];
489 char j[1];
490 };
491
492 struct st *s = malloc(sizeof(struct st)); // no-warning
493 free(s);
494 }
495
496 void cast_struct_4(void) {
497 struct st {
498 int i[100];
499 char j[2];
500 };
501
502 struct st *s = malloc(sizeof(struct st)); // no-warning
503 free(s);
504 }
505
506 void cast_struct_5(void) {
507 struct st {
508 char i[200];
509 char j[1];
510 };
511
512 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning
513 free(s);
514 }
515
516 void cast_struct_warn_1(void) {
517 struct st {
518 int i[100];
519 char j[2];
520 };
521
522 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
523 free(s);
524 }
525
526 void cast_struct_warn_2(void) {
527 struct st {
528 int i[100];
529 char j[2];
530 };
531
532 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
533 free(s);
534 }
535
536 void cast_struct_flex_array_1(void) {
537 struct st {
538 int i[100];
539 char j[];
540 };
541
542 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
543 free(s);
544 }
545
546 void cast_struct_flex_array_2(void) {
547 struct st {
548 int i[100];
549 char j[0];
550 };
551
552 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
553 free(s);
554 }
555
556 void cast_struct_flex_array_3(void) {
557 struct st {
558 int i[100];
559 char j[1];
560 };
561
562 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
563 free(s);
564 }
565
566 void cast_struct_flex_array_4(void) {
567 struct foo {
568 char f[32];
569 };
570 struct st {
571 char i[100];
572 struct foo data[];
573 };
574
575 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
576 free(s);
577 }
578
579 void cast_struct_flex_array_5(void) {
580 struct foo {
581 char f[32];
582 };
583 struct st {
584 char i[100];
585 struct foo data[0];
586 };
587
588 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
589 free(s);
590 }
591
592 void cast_struct_flex_array_6(void) {
593 struct foo {
594 char f[32];
595 };
596 struct st {
597 char i[100];
598 struct foo data[1];
599 };
600
601 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
602 free(s);
603 }
604
605 void cast_struct_flex_array_warn_1(void) {
606 struct foo {
607 char f[32];
608 };
609 struct st {
610 char i[100];
611 struct foo data[];
612 };
613
614 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
615 free(s);
616 }
617
618 void cast_struct_flex_array_warn_2(void) {
619 struct foo {
620 char f[32];
621 };
622 struct st {
623 char i[100];
624 struct foo data[0];
625 };
626
627 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
628 free(s);
629 }
630
631 void cast_struct_flex_array_warn_3(void) {
632 struct foo {
633 char f[32];
634 };
635 struct st {
636 char i[100];
637 struct foo data[1];
638 };
639
640 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
641 free(s);
642 }
643
644 void cast_struct_flex_array_warn_4(void) {
645 struct st {
646 int i[100];
647 int j[];
648 };
649
650 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
651 free(s);
652 }
653
654 void cast_struct_flex_array_warn_5(void) {
655 struct st {
656 int i[100];
657 int j[0];
658 };
659
660 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
661 free(s);
662 }
663
664 void cast_struct_flex_array_warn_6(void) {
665 struct st {
666 int i[100];
667 int j[1];
668 };
669
670 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
671 free(s);
672 }
673
674 void mallocCastToVoid(void) {
675 void *p = malloc(2);
676 const void *cp = p; // not crash
677 free(p);
678 }
679
680 void mallocCastToFP(void) {
681 void *p = malloc(2);
682 void (*fp)(void) = p; // not crash
683 free(p);
684 }
685
686 // This tests that malloc() buffers are undefined by default
687 char mallocGarbage (void) {
688 char *buf = malloc(2);
689 char result = buf[1]; // expected-warning{{undefined}}
690 free(buf);
691 return result;
692 }
693
694 // This tests that calloc() buffers need to be freed
695 void callocNoFree (void) {
696 char *buf = calloc(2,2);
697 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
698 }
699
700 // These test that calloc() buffers are zeroed by default
701 char callocZeroesGood (void) {
702 char *buf = calloc(2,2);
703 char result = buf[3]; // no-warning
704 if (buf[1] == 0) {
705 free(buf);
706 }
707 return result; // no-warning
708 }
709
710 char callocZeroesBad (void) {
711 char *buf = calloc(2,2);
712 char result = buf[3]; // no-warning
713 if (buf[1] != 0) {
714 free(buf); // expected-warning{{never executed}}
715 }
716 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
717 }
718
719 void nullFree(void) {
720 int *p = 0;
721 free(p); // no warning - a nop
722 }
723
724 void paramFree(int *p) {
725 myfoo(p);
726 free(p); // no warning
727 myfoo(p); // expected-warning {{Use of memory after it is freed}}
728 }
729
730 int* mallocEscapeRet(void) {
731 int *p = malloc(12);
732 return p; // no warning
733 }
734
735 void mallocEscapeFoo(void) {
736 int *p = malloc(12);
737 myfoo(p);
738 return; // no warning
739 }
740
741 void mallocEscapeFree(void) {
742 int *p = malloc(12);
743 myfoo(p);
744 free(p);
745 }
746
747 void mallocEscapeFreeFree(void) {
748 int *p = malloc(12);
749 myfoo(p);
750 free(p);
751 free(p); // expected-warning{{Attempt to free released memory}}
752 }
753
754 void mallocEscapeFreeUse(void) {
755 int *p = malloc(12);
756 myfoo(p);
757 free(p);
758 myfoo(p); // expected-warning{{Use of memory after it is freed}}
759 }
760
761 int *myalloc(void);
762 void myalloc2(int **p);
763
764 void mallocEscapeFreeCustomAlloc(void) {
765 int *p = malloc(12);
766 myfoo(p);
767 free(p);
768 p = myalloc();
769 free(p); // no warning
770 }
771
772 void mallocEscapeFreeCustomAlloc2(void) {
773 int *p = malloc(12);
774 myfoo(p);
775 free(p);
776 myalloc2(&p);
777 free(p); // no warning
778 }
779
780 void mallocBindFreeUse(void) {
781 int *x = malloc(12);
782 int *y = x;
783 free(y);
784 myfoo(x); // expected-warning{{Use of memory after it is freed}}
785 }
786
787 void mallocEscapeMalloc(void) {
788 int *p = malloc(12);
789 myfoo(p);
790 p = malloc(12);
791 } // expected-warning{{Potential leak of memory pointed to by}}
792
793 void mallocMalloc(void) {
794 int *p = malloc(12);
795 p = malloc(12);
796 } // expected-warning {{Potential leak of memory pointed to by}}\
797 // expected-warning {{Potential leak of memory pointed to by}}
798
799 void mallocFreeMalloc(void) {
800 int *p = malloc(12);
801 free(p);
802 p = malloc(12);
803 free(p);
804 }
805
806 void mallocFreeUse_params(void) {
807 int *p = malloc(12);
808 free(p);
809 myfoo(p); //expected-warning{{Use of memory after it is freed}}
810 }
811
812 void mallocFreeUse_params2(void) {
813 int *p = malloc(12);
814 free(p);
815 myfooint(*p); //expected-warning{{Use of memory after it is freed}}
816 }
817
818 void mallocFailedOrNot(void) {
819 int *p = malloc(12);
820 if (!p)
821 free(p);
822 else
823 free(p);
824 }
825
826 struct StructWithInt {
827 int g;
828 };
829
830 int *mallocReturnFreed(void) {
831 int *p = malloc(12);
832 free(p);
833 return p; // expected-warning {{Use of memory after it is freed}}
834 }
835
836 int useAfterFreeStruct(void) {
837 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
838 px->g = 5;
839 free(px);
840 return px->g; // expected-warning {{Use of memory after it is freed}}
841 }
842
843 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
844
845 void mallocEscapeFooNonSymbolArg(void) {
846 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
847 nonSymbolAsFirstArg(&p->g, p);
848 return; // no warning
849 }
850
851 void mallocFailedOrNotLeak(void) {
852 int *p = malloc(12);
853 if (p == 0)
854 return; // no warning
855 else
856 return; // expected-warning {{Potential leak of memory pointed to by}}
857 }
858
859 void mallocAssignment(void) {
860 char *p = malloc(12);
861 p = fooRetPtr();
862 } // expected-warning {{leak}}
863
864 int vallocTest(void) {
865 char *mem = valloc(12);
866 return 0; // expected-warning {{Potential leak of memory pointed to by}}
867 }
868
869 void vallocEscapeFreeUse(void) {
870 int *p = valloc(12);
871 myfoo(p);
872 free(p);
873 myfoo(p); // expected-warning{{Use of memory after it is freed}}
874 }
875
876 int *Gl;
877 struct GlStTy {
878 int *x;
879 };
880
881 struct GlStTy GlS = {0};
882
883 void GlobalFree(void) {
884 free(Gl);
885 }
886
887 void GlobalMalloc(void) {
888 Gl = malloc(12);
889 }
890
891 void GlobalStructMalloc(void) {
892 int *a = malloc(12);
893 GlS.x = a;
894 }
895
896 void GlobalStructMallocFree(void) {
897 int *a = malloc(12);
898 GlS.x = a;
899 free(GlS.x);
900 }
901
902 char *ArrayG[12];
903
904 void globalArrayTest(void) {
905 char *p = (char*)malloc(12);
906 ArrayG[0] = p;
907 }
908
909 // Make sure that we properly handle a pointer stored into a local struct/array.
910 typedef struct _StructWithPtr {
911 int *memP;
912 } StructWithPtr;
913
914 static StructWithPtr arrOfStructs[10];
915
916 void testMalloc(void) {
917 int *x = malloc(12);
918 StructWithPtr St;
919 St.memP = x;
920 arrOfStructs[0] = St; // no-warning
921 }
922
923 StructWithPtr testMalloc2(void) {
924 int *x = malloc(12);
925 StructWithPtr St;
926 St.memP = x;
927 return St; // no-warning
928 }
929
930 int *testMalloc3(void) {
931 int *x = malloc(12);
932 int *y = x;
933 return y; // no-warning
934 }
935
936 void testStructLeak(void) {
937 StructWithPtr St;
938 St.memP = malloc(12);
939 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
940 }
941
942 void testElemRegion1(void) {
943 char *x = (void*)malloc(2);
944 int *ix = (int*)x;
945 free(&(x[0]));
946 }
947
948 void testElemRegion2(int **pp) {
949 int *p = malloc(12);
950 *pp = p;
951 free(pp[0]);
952 }
953
954 void testElemRegion3(int **pp) {
955 int *p = malloc(12);
956 *pp = p;
957 free(*pp);
958 }
959 // Region escape testing.
960
961 unsigned takePtrToPtr(int **p);
962 void PassTheAddrOfAllocatedData(int f) {
963 int *p = malloc(12);
964 // We don't know what happens after the call. Should stop tracking here.
965 if (takePtrToPtr(&p))
966 f++;
967 free(p); // no warning
968 }
969
970 struct X {
971 int *p;
972 };
973 unsigned takePtrToStruct(struct X *s);
974 int ** foo2(int *g, int f) {
975 int *p = malloc(12);
976 struct X *px= malloc(sizeof(struct X));
977 px->p = p;
978 // We don't know what happens after this call. Should not track px nor p.
979 if (takePtrToStruct(px))
980 f++;
981 free(p);
982 return 0;
983 }
984
985 struct X* RegInvalidationDetect1(struct X *s2) {
986 struct X *px= malloc(sizeof(struct X));
987 px->p = 0;
988 px = s2;
989 return px; // expected-warning {{Potential leak of memory pointed to by}}
990 }
991
992 struct X* RegInvalidationGiveUp1(void) {
993 int *p = malloc(12);
994 struct X *px= malloc(sizeof(struct X));
995 px->p = p;
996 return px;
997 }
998
999 int **RegInvalidationDetect2(int **pp) {
1000 int *p = malloc(12);
1001 pp = &p;
1002 pp++;
1003 return 0;// expected-warning {{Potential leak of memory pointed to by}}
1004 }
1005
1006 extern void exit(int) __attribute__ ((__noreturn__));
1007 void mallocExit(int *g) {
1008 struct xx *p = malloc(12);
1009 if (g != 0)
1010 exit(1);
1011 free(p);
1012 return;
1013 }
1014
1015 extern void __assert_fail (__const char *__assertion, __const char *__file,
1016 unsigned int __line, __const char *__function)
1017 __attribute__ ((__noreturn__));
1018 #define assert(expr) \
1019 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
1020 void mallocAssert(int *g) {
1021 struct xx *p = malloc(12);
1022
1023 assert(g != 0);
1024 free(p);
1025 return;
1026 }
1027
1028 void doNotInvalidateWhenPassedToSystemCalls(char *s) {
1029 char *p = malloc(12);
1030 strlen(p);
1031 strcpy(p, s);
1032 strcpy(s, p);
1033 strcpy(p, p);
1034 memcpy(p, s, 1);
1035 memcpy(s, p, 1);
1036 memcpy(p, p, 1);
1037 } // expected-warning {{leak}}
1038
1039 // Treat source buffer contents as escaped.
1040 void escapeSourceContents(char *s) {
1041 char *p = malloc(12);
1042 memcpy(s, &p, 12); // no warning
1043
1044 void *p1 = malloc(7);
1045 char *a;
1046 memcpy(&a, &p1, sizeof a);
1047 // FIXME: No warning due to limitations imposed by current modelling of
1048 // 'memcpy' (regions metadata is not copied).
1049
1050 int *ptrs[2];
1051 int *allocated = (int *)malloc(4);
1052 memcpy(&ptrs[0], &allocated, sizeof(int *));
1053 // FIXME: No warning due to limitations imposed by current modelling of
1054 // 'memcpy' (regions metadata is not copied).
1055 }
1056
1057 void invalidateDestinationContents(void) {
1058 int *null = 0;
1059 int *p = (int *)malloc(4);
1060 memcpy(&p, &null, sizeof(int *));
1061
1062 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}}
1063 ptrs1[0] = (int *)malloc(4);
1064 memcpy(ptrs1, &null, sizeof(int *));
1065
1066 int *ptrs2[2]; // expected-warning {{Potential memory leak}}
1067 ptrs2[0] = (int *)malloc(4);
1068 memcpy(&ptrs2[1], &null, sizeof(int *));
1069
1070 int *ptrs3[2]; // expected-warning {{Potential memory leak}}
1071 ptrs3[0] = (int *)malloc(4);
1072 memcpy(&ptrs3[0], &null, sizeof(int *));
1073 } // expected-warning {{Potential memory leak}}
1074
1075 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
1076 void symbolLostWithStrcpy(char *s) {
1077 char *p = malloc(12);
1078 p = strcpy(p, s);
1079 free(p);
1080 }
1081
1082
1083 // The same test as the one above, but with what is actually generated on a mac.
1084 static __inline char *
1085 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
1086 {
1087 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
1088 }
1089
1090 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
1091 char *p = malloc(12);
1092 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
1093 free(p);
1094 }
1095
1096 // Here we are returning a pointer one past the allocated value. An idiom which
1097 // can be used for implementing special malloc. The correct uses of this might
1098 // be rare enough so that we could keep this as a warning.
1099 static void *specialMalloc(int n){
1100 int *p;
1101 p = malloc( n+8 );
1102 if( p ){
1103 p[0] = n;
1104 p++;
1105 }
1106 return p;
1107 }
1108
1109 // Potentially, the user could free the struct by performing pointer arithmetic on the return value.
1110 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
1111 int *specialMallocWithStruct(void) {
1112 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
1113 return &(px->g);
1114 }
1115
1116 // Test various allocation/deallocation functions.
1117 void testStrdup(const char *s, unsigned validIndex) {
1118 char *s2 = strdup(s);
1119 s2[validIndex + 1] = 'b';
1120 } // expected-warning {{Potential leak of memory pointed to by}}
1121
1122 void testWinStrdup(const char *s, unsigned validIndex) {
1123 char *s2 = _strdup(s);
1124 s2[validIndex + 1] = 'b';
1125 } // expected-warning {{Potential leak of memory pointed to by}}
1126
1127 void testWcsdup(const wchar_t *s, unsigned validIndex) {
1128 wchar_t *s2 = wcsdup(s);
1129 s2[validIndex + 1] = 'b';
1130 } // expected-warning {{Potential leak of memory pointed to by}}
1131
1132 void testWinWcsdup(const wchar_t *s, unsigned validIndex) {
1133 wchar_t *s2 = _wcsdup(s);
1134 s2[validIndex + 1] = 'b';
1135 } // expected-warning {{Potential leak of memory pointed to by}}
1136
1137 int testStrndup(const char *s, unsigned validIndex, unsigned size) {
1138 char *s2 = strndup(s, size);
1139 s2 [validIndex + 1] = 'b';
1140 if (s2[validIndex] != 'a')
1141 return 0;
1142 else
1143 return 1;// expected-warning {{Potential leak of memory pointed to by}}
1144 }
1145
1146 void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
1147 char *s2 = strdup(s);
1148 char result = s2[1];// no warning
1149 free(s2);
1150 }
1151
1152 void testWinStrdupContentIsDefined(const char *s, unsigned validIndex) {
1153 char *s2 = _strdup(s);
1154 char result = s2[1];// no warning
1155 free(s2);
1156 }
1157
1158 void testWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1159 wchar_t *s2 = wcsdup(s);
1160 wchar_t result = s2[1];// no warning
1161 free(s2);
1162 }
1163
1164 void testWinWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1165 wchar_t *s2 = _wcsdup(s);
1166 wchar_t result = s2[1];// no warning
1167 free(s2);
1168 }
1169
1170 // ----------------------------------------------------------------------------
1171 // Test the system library functions to which the pointer can escape.
1172 // This tests false positive suppression.
1173
1174 // For now, we assume memory passed to pthread_specific escapes.
1175 // TODO: We could check that if a new pthread binding is set, the existing
1176 // binding must be freed; otherwise, a memory leak can occur.
1177 void testPthereadSpecificEscape(pthread_key_t key) {
1178 void *buf = malloc(12);
1179 pthread_setspecific(key, buf); // no warning
1180 }
1181
1182 // PR12101: Test funopen().
1183 static int releasePtr(void *_ctx) {
1184 free(_ctx);
1185 return 0;
1186 }
1187 FILE *useFunOpen(void) {
1188 void *ctx = malloc(sizeof(int));
1189 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
1190 if (f == 0) {
1191 free(ctx);
1192 }
1193 return f;
1194 }
1195 FILE *useFunOpenNoReleaseFunction(void) {
1196 void *ctx = malloc(sizeof(int));
1197 FILE *f = funopen(ctx, 0, 0, 0, 0);
1198 if (f == 0) {
1199 free(ctx);
1200 }
1201 return f; // expected-warning{{leak}}
1202 }
1203
1204 static int readNothing(void *_ctx, char *buf, int size) {
1205 return 0;
1206 }
1207 FILE *useFunOpenReadNoRelease(void) {
1208 void *ctx = malloc(sizeof(int));
1209 FILE *f = funopen(ctx, readNothing, 0, 0, 0);
1210 if (f == 0) {
1211 free(ctx);
1212 }
1213 return f; // expected-warning{{leak}}
1214 }
1215
1216 // Test setbuf, setvbuf.
1217 int my_main_no_warning(void) {
1218 char *p = malloc(100);
1219 setvbuf(stdout, p, 0, 100);
1220 return 0;
1221 }
1222 int my_main_no_warning2(void) {
1223 char *p = malloc(100);
1224 setbuf(__stdoutp, p);
1225 return 0;
1226 }
1227 int my_main_warn(FILE *f) {
1228 char *p = malloc(100);
1229 setvbuf(f, p, 0, 100);
1230 return 0;// expected-warning {{leak}}
1231 }
1232
1233 // some people use stack allocated memory as an optimization to avoid
1234 // a heap allocation for small work sizes. This tests the analyzer's
1235 // understanding that the malloc'ed memory is not the same as stackBuffer.
1236 void radar10978247(int myValueSize) {
1237 char stackBuffer[128];
1238 char *buffer;
1239
1240 if (myValueSize <= sizeof(stackBuffer))
1241 buffer = stackBuffer;
1242 else
1243 buffer = malloc(myValueSize);
1244
1245 // do stuff with the buffer
1246 if (buffer != stackBuffer)
1247 free(buffer);
1248 }
1249
1250 void radar10978247_positive(int myValueSize) {
1251 char stackBuffer[128];
1252 char *buffer;
1253
1254 if (myValueSize <= sizeof(stackBuffer))
1255 buffer = stackBuffer;
1256 else
1257 buffer = malloc(myValueSize);
1258
1259 // do stuff with the buffer
1260 if (buffer == stackBuffer)
1261 return;
1262 else
1263 return; // expected-warning {{leak}}
1264 }
1265 // Previously this triggered a false positive because malloc() is known to
1266 // return uninitialized memory and the binding of 'o' to 'p->n' was not getting
1267 // propertly handled. Now we report a leak.
1268 struct rdar11269741_a_t {
1269 struct rdar11269741_b_t {
1270 int m;
1271 } n;
1272 };
1273
1274 int rdar11269741(struct rdar11269741_b_t o)
1275 {
1276 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
1277 p->n = o;
1278 return p->n.m; // expected-warning {{leak}}
1279 }
1280
1281 // Pointer arithmetic, returning an ElementRegion.
1282 void *radar11329382(unsigned bl) {
1283 void *ptr = malloc (16);
1284 ptr = ptr + (2 - bl);
1285 return ptr; // no warning
1286 }
1287
1288 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
1289 int strcmp(const char *, const char *);
1290 char *a (void);
1291 void radar11270219(void) {
1292 char *x = a(), *y = a();
1293 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
1294 strcmp(x, y); // no warning
1295 }
1296
1297 void radar_11358224_test_double_assign_ints_positive_2(void)
1298 {
1299 void *ptr = malloc(16);
1300 ptr = ptr;
1301 } // expected-warning {{leak}}
1302
1303 // Assume that functions which take a function pointer can free memory even if
1304 // they are defined in system headers and take the const pointer to the
1305 // allocated memory.
1306 int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
1307 void r11160612_1(void) {
1308 char *x = malloc(12);
1309 const_ptr_and_callback(0, x, 12, free); // no - warning
1310 }
1311
1312 // Null is passed as callback.
1313 void r11160612_2(void) {
1314 char *x = malloc(12);
1315 const_ptr_and_callback(0, x, 12, 0);
1316 } // expected-warning {{leak}}
1317
1318 // Callback is passed to a function defined in a system header.
1319 void r11160612_4(void) {
1320 char *x = malloc(12);
1321 sqlite3_bind_text_my(0, x, 12, free); // no - warning
1322 }
1323
1324 // Passing callbacks in a struct.
1325 void r11160612_5(StWithCallback St) {
1326 void *x = malloc(12);
1327 dealocateMemWhenDoneByVal(x, St);
1328 }
1329 void r11160612_6(StWithCallback St) {
1330 void *x = malloc(12);
1331 dealocateMemWhenDoneByRef(&St, x);
1332 }
1333
1334 int mySub(int, int);
1335 int myAdd(int, int);
1336 int fPtr(unsigned cond, int x) {
1337 return (cond ? mySub : myAdd)(x, x);
1338 }
1339
1340 // Test anti-aliasing.
1341
1342 void dependsOnValueOfPtr(int *g, unsigned f) {
1343 int *p;
1344
1345 if (f) {
1346 p = g;
1347 } else {
1348 p = malloc(12);
1349 }
1350
1351 if (p != g)
1352 free(p);
1353 else
1354 return; // no warning
1355 return;
1356 }
1357
1358 int CMPRegionHeapToStack(void) {
1359 int x = 0;
1360 int *x1 = malloc(8);
1361 int *x2 = &x;
1362 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
1363 free(x1);
1364 return x;
1365 }
1366
1367 int CMPRegionHeapToHeap2(void) {
1368 int x = 0;
1369 int *x1 = malloc(8);
1370 int *x2 = malloc(8);
1371 int *x4 = x1;
1372 int *x5 = x2;
1373 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
1374 free(x1);
1375 free(x2);
1376 return x;
1377 }
1378
1379 int CMPRegionHeapToHeap(void) {
1380 int x = 0;
1381 int *x1 = malloc(8);
1382 int *x4 = x1;
1383 if (x1 == x4) {
1384 free(x1);
1385 return 5/x; // expected-warning{{Division by zero}}
1386 }
1387 return x;// expected-warning{{This statement is never executed}}
1388 }
1389
1390 int HeapAssignment(void) {
1391 int m = 0;
1392 int *x = malloc(4);
1393 int *y = x;
1394 *x = 5;
1395 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
1396 free(x);
1397 return 0;
1398 }
1399
1400 int *retPtr(void);
1401 int *retPtrMightAlias(int *x);
1402 int cmpHeapAllocationToUnknown(void) {
1403 int zero = 0;
1404 int *yBefore = retPtr();
1405 int *m = malloc(8);
1406 int *yAfter = retPtrMightAlias(m);
1407 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
1408 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
1409 free(m);
1410 return 0;
1411 }
1412
1413 void localArrayTest(void) {
1414 char *p = (char*)malloc(12);
1415 char *ArrayL[12];
1416 ArrayL[0] = p;
1417 } // expected-warning {{leak}}
1418
1419 void localStructTest(void) {
1420 StructWithPtr St;
1421 StructWithPtr *pSt = &St;
1422 pSt->memP = malloc(12);
1423 } // expected-warning{{Potential leak of memory pointed to by}}
1424
1425 #ifdef __INTPTR_TYPE__
1426 // Test double assignment through integers.
1427 typedef __INTPTR_TYPE__ intptr_t;
1428 typedef unsigned __INTPTR_TYPE__ uintptr_t;
1429
1430 static intptr_t glob;
1431 void test_double_assign_ints(void)
1432 {
1433 void *ptr = malloc (16); // no-warning
1434 glob = (intptr_t)(uintptr_t)ptr;
1435 }
1436
1437 void test_double_assign_ints_positive(void)
1438 {
1439 void *ptr = malloc(16);
1440 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
1441 } // expected-warning {{leak}}
1442 #endif
1443
1444 void testCGContextNoLeak(void)
1445 {
1446 void *ptr = malloc(16);
1447 CGContextRef context = CGBitmapContextCreate(ptr);
1448
1449 // Because you can get the data back out like this, even much later,
1450 // CGBitmapContextCreate is one of our "stop-tracking" exceptions.
1451 free(CGBitmapContextGetData(context));
1452 }
1453
1454 void testCGContextLeak(void)
1455 {
1456 void *ptr = malloc(16);
1457 CGContextRef context = CGBitmapContextCreate(ptr);
1458 // However, this time we're just leaking the data, because the context
1459 // object doesn't escape and it hasn't been freed in this function.
1460 }
1461
1462 // Allow xpc context to escape.
1463 // TODO: Would be great if we checked that the finalize_connection_context actually releases it.
1464 static void finalize_connection_context(void *ctx) {
1465 int *context = ctx;
1466 free(context);
1467 }
1468 void foo (xpc_connection_t peer) {
1469 int *ctx = calloc(1, sizeof(int));
1470 xpc_connection_set_context(peer, ctx);
1471 xpc_connection_set_finalizer_f(peer, finalize_connection_context);
1472 xpc_connection_resume(peer);
1473 }
1474
1475 // Make sure we catch errors when we free in a function which does not allocate memory.
1476 void freeButNoMalloc(int *p, int x){
1477 if (x) {
1478 free(p);
1479 //user forgot a return here.
1480 }
1481 free(p); // expected-warning {{Attempt to free released memory}}
1482 }
1483
1484 struct HasPtr {
1485 char *p;
1486 };
1487
1488 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1489 int *s;
1490 char *b = realloc(a->p, size);
1491 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1492 // We don't expect a use-after-free for a->P here because the warning above
1493 // is a sink.
1494 return a->p; // no-warning
1495 }
1496
1497 // We should not warn in this case since the caller will presumably free a->p in all cases.
1498 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1499 int *s;
1500 char *b = realloc(a->p, size);
1501 if (b == 0)
1502 return -1;
1503 a->p = b;
1504 return 0;
1505 }
1506
1507 // Test realloc with no visible malloc.
1508 void *test(void *ptr) {
1509 void *newPtr = realloc(ptr, 4);
1510 if (newPtr == 0) {
1511 if (ptr)
1512 free(ptr); // no-warning
1513 }
1514 return newPtr;
1515 }
1516
1517
1518 char *testLeakWithinReturn(char *str) {
1519 return strdup(strdup(str)); // expected-warning{{leak}}
1520 }
1521
1522 char *testWinLeakWithinReturn(char *str) {
1523 return _strdup(_strdup(str)); // expected-warning{{leak}}
1524 }
1525
1526 wchar_t *testWinWideLeakWithinReturn(wchar_t *str) {
1527 return _wcsdup(_wcsdup(str)); // expected-warning{{leak}}
1528 }
1529
1530 void passConstPtr(const char * ptr);
1531
1532 void testPassConstPointer(void) {
1533 char * string = malloc(sizeof(char)*10);
1534 passConstPtr(string);
1535 return; // expected-warning {{leak}}
1536 }
1537
1538 void testPassConstPointerIndirectly(void) {
1539 char *p = malloc(1);
1540 p++;
1541 memcmp(p, p, sizeof(&p));
1542 return; // expected-warning {{leak}}
1543 }
1544
1545 void testPassConstPointerIndirectlyStruct(void) {
1546 struct HasPtr hp;
1547 hp.p = malloc(10);
1548 memcmp(&hp, &hp, sizeof(hp));
1549 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
1550 }
1551
1552 void testPassToSystemHeaderFunctionIndirectlyStruct(void) {
1553 SomeStruct ss;
1554 ss.p = malloc(1);
1555 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1556 // Technically a false negative here -- we know the system function won't free
1557 // ss.p, but nothing else will either!
1558 } // no-warning
1559
1560 void testPassToSystemHeaderFunctionIndirectlyStructFree(void) {
1561 SomeStruct ss;
1562 ss.p = malloc(1);
1563 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1564 free(ss.p);
1565 } // no-warning
1566
1567 void testPassToSystemHeaderFunctionIndirectlyArray(void) {
1568 int *p[1];
1569 p[0] = malloc(sizeof(int));
1570 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1571 // Technically a false negative here -- we know the system function won't free
1572 // p[0], but nothing else will either!
1573 } // no-warning
1574
1575 void testPassToSystemHeaderFunctionIndirectlyArrayFree(void) {
1576 int *p[1];
1577 p[0] = malloc(sizeof(int));
1578 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1579 free(p[0]);
1580 } // no-warning
1581
1582 int *testOffsetAllocate(size_t size) {
1583 int *memoryBlock = (int *)malloc(size + sizeof(int));
1584 return &memoryBlock[1]; // no-warning
1585 }
1586
1587 void testOffsetDeallocate(int *memoryBlock) {
1588 free(&memoryBlock[-1]); // no-warning
1589 }
1590
1591 void testOffsetOfRegionFreed(void) {
1592 __int64_t * array = malloc(sizeof(__int64_t)*2);
1593 array += 1;
1594 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1595 }
1596
1597 void testOffsetOfRegionFreed2(void) {
1598 __int64_t *p = malloc(sizeof(__int64_t)*2);
1599 p += 1;
1600 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1601 }
1602
1603 void testOffsetOfRegionFreed3(void) {
1604 char *r = malloc(sizeof(char));
1605 r = r - 10;
1606 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
1607 }
1608
1609 void testOffsetOfRegionFreedAfterFunctionCall(void) {
1610 int *p = malloc(sizeof(int)*2);
1611 p += 1;
1612 myfoo(p);
1613 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
1614 }
1615
1616 void testFixManipulatedPointerBeforeFree(void) {
1617 int * array = malloc(sizeof(int)*2);
1618 array += 1;
1619 free(&array[-1]); // no-warning
1620 }
1621
1622 void testFixManipulatedPointerBeforeFree2(void) {
1623 char *r = malloc(sizeof(char));
1624 r = r + 10;
1625 free(r-10); // no-warning
1626 }
1627
1628 void freeOffsetPointerPassedToFunction(void) {
1629 __int64_t *p = malloc(sizeof(__int64_t)*2);
1630 p[1] = 0;
1631 p += 1;
1632 myfooint(*p); // not passing the pointer, only a value pointed by pointer
1633 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1634 }
1635
1636 int arbitraryInt(void);
1637 void freeUnknownOffsetPointer(void) {
1638 char *r = malloc(sizeof(char));
1639 r = r + arbitraryInt(); // unable to reason about what the offset might be
1640 free(r); // no-warning
1641 }
1642
1643 void testFreeNonMallocPointerWithNoOffset(void) {
1644 char c;
1645 char *r = &c;
1646 r = r + 10;
1647 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1648 }
1649
1650 void testFreeNonMallocPointerWithOffset(void) {
1651 char c;
1652 char *r = &c;
1653 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1654 }
1655
1656 void testOffsetZeroDoubleFree(void) {
1657 int *array = malloc(sizeof(int)*2);
1658 int *p = &array[0];
1659 free(p);
1660 free(&array[0]); // expected-warning{{Attempt to free released memory}}
1661 }
1662
1663 void testOffsetPassedToStrlen(void) {
1664 char * string = malloc(sizeof(char)*10);
1665 string += 1;
1666 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
1667 }
1668
1669 void testOffsetPassedToStrlenThenFree(void) {
1670 char * string = malloc(sizeof(char)*10);
1671 string += 1;
1672 int length = strlen(string);
1673 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1674 }
1675
1676 void testOffsetPassedAsConst(void) {
1677 char * string = malloc(sizeof(char)*10);
1678 string += 1;
1679 passConstPtr(string);
1680 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1681 }
1682
1683 char **_vectorSegments;
1684 int _nVectorSegments;
1685
1686 void poolFreeC(void* s) {
1687 free(s); // no-warning
1688 }
1689 void freeMemory(void) {
1690 while (_nVectorSegments) {
1691 poolFreeC(_vectorSegments[_nVectorSegments++]);
1692 }
1693 }
1694
1695 // PR16730
1696 void testReallocEscaped(void **memory) {
1697 *memory = malloc(47);
1698 char *new_memory = realloc(*memory, 47);
1699 if (new_memory != 0) {
1700 *memory = new_memory;
1701 }
1702 }
1703
1704 // PR16558
1705 void *smallocNoWarn(size_t size) {
1706 if (size == 0) {
1707 return malloc(1); // this branch is never called
1708 }
1709 else {
1710 return malloc(size);
1711 }
1712 }
1713
1714 char *dupstrNoWarn(const char *s) {
1715 const int len = strlen(s);
1716 char *p = (char*) smallocNoWarn(len + 1);
1717 strcpy(p, s); // no-warning
1718 return p;
1719 }
1720
1721 void *smallocWarn(size_t size) {
1722 if (size == 2) {
1723 return malloc(1);
1724 }
1725 else {
1726 return malloc(size);
1727 }
1728 }
1729
1730 int *radar15580979(void) {
1731 int *data = (int *)malloc(32);
1732 int *p = data ?: (int*)malloc(32); // no warning
1733 return p;
1734 }
1735
1736 // Some data structures may hold onto the pointer and free it later.
1737 void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
1738 int *data = (int *)malloc(32);
1739 fake_insque(queue, data); // no warning
1740 }
1741
1742 void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) {
1743 int *data = (int *)malloc(32);
1744 fake_rb_tree_init(rbt, data);
1745 } //expected-warning{{Potential leak}}
1746
1747 void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
1748 int *data = (int *)malloc(32);
1749 fake_rb_tree_init(rbt, data);
1750 fake_rb_tree_insert_node(rbt, data); // no warning
1751 }
1752
1753 struct IntAndPtr {
1754 int x;
1755 int *p;
1756 };
1757
1758 void constEscape(const void *ptr);
1759
1760 void testConstEscapeThroughAnotherField(void) {
1761 struct IntAndPtr s;
1762 s.p = malloc(sizeof(int));
1763 constEscape(&(s.x)); // could free s->p!
1764 } // no-warning
1765
1766 // PR15623
1767 int testNoCheckerDataPropogationFromLogicalOpOperandToOpResult(void) {
1768 char *param = malloc(10);
1769 char *value = malloc(10);
1770 int ok = (param && value);
1771 free(param);
1772 free(value);
1773 // Previously we ended up with 'Use of memory after it is freed' on return.
1774 return ok; // no warning
1775 }
1776
1777 void (*fnptr)(int);
1778 void freeIndirectFunctionPtr(void) {
1779 void *p = (void *)fnptr;
1780 free(p); // expected-warning {{Argument to free() is a function pointer}}
1781 }
1782
1783 void freeFunctionPtr(void) {
1784 free((void *)fnptr);
1785 // expected-warning@-1{{Argument to free() is a function pointer}}
1786 // expected-warning@-2{{attempt to call free on non-heap object '(void *)fnptr'}}
1787 }
1788
1789 void allocateSomeMemory(void *offendingParameter, void **ptr) {
1790 *ptr = malloc(1);
1791 }
1792
1793 void testNoCrashOnOffendingParameter(void) {
1794 // "extern" is necessary to avoid unrelated warnings
1795 // on passing uninitialized value.
1796 extern void *offendingParameter;
1797 void* ptr;
1798 allocateSomeMemory(offendingParameter, &ptr);
1799 } // expected-warning {{Potential leak of memory pointed to by 'ptr'}}
1800
1801
1802 // Test a false positive caused by a bug in liveness analysis.
1803 struct A {
1804 int *buf;
1805 };
1806 struct B {
1807 struct A *a;
1808 };
1809 void livenessBugRealloc(struct A *a) {
1810 a->buf = realloc(a->buf, sizeof(int)); // no-warning
1811 }
1812 void testLivenessBug(struct B *in_b) {
1813 struct B *b = in_b;
1814 livenessBugRealloc(b->a);
1815 ((void) 0); // An attempt to trick liveness analysis.
1816 livenessBugRealloc(b->a);
1817 }
1818
1819 struct ListInfo {
1820 struct ListInfo *next;
1821 };
1822
1823 struct ConcreteListItem {
1824 struct ListInfo li;
1825 int i;
1826 };
1827
1828 void list_add(struct ListInfo *list, struct ListInfo *item);
1829
1830 void testCStyleListItems(struct ListInfo *list) {
1831 struct ConcreteListItem *x = malloc(sizeof(struct ConcreteListItem));
1832 list_add(list, &x->li); // will free 'x'.
1833 }
1834
1835 // MEM34-C. Only free memory allocated dynamically
1836 // Second non-compliant example.
1837 // https://wiki.sei.cmu.edu/confluence/display/c/MEM34-C.+Only+free+memory+allocated+dynamically
1838 enum { BUFSIZE = 256 };
1839
1840 void MEM34_C(void) {
1841 char buf[BUFSIZE];
1842 char *p = (char *)realloc(buf, 2 * BUFSIZE);
1843 // expected-warning@-1{{Argument to realloc() is the address of the local \
1844 variable 'buf', which is not memory allocated by malloc() [unix.Malloc]}}
1845 if (p == NULL) {
1846 /* Handle error */
1847 }
1848 }
1849
1850 (*crash_a)(); // expected-warning{{type specifier missing}}
1851 // A CallEvent without a corresponding FunctionDecl.
1852 crash_b() { crash_a(); } // no-crash
1853 // expected-warning@-1{{type specifier missing}} expected-warning@-1{{non-void}}
1854
1855 long *global_a;
1856 void realloc_crash(void) {
1857 long *c = global_a;
1858 c--;
1859 realloc(c, 8); // no-crash
1860 } // expected-warning{{Potential memory leak [unix.Malloc]}}
1861
1862 // ----------------------------------------------------------------------------
1863 // False negatives.
1864
1865 void testMallocWithParam(int **p) {
1866 *p = (int*) malloc(sizeof(int));
1867 *p = 0; // FIXME: should warn here
1868 }
1869
1870 void testMallocWithParam_2(int **p) {
1871 *p = (int*) malloc(sizeof(int)); // no-warning
1872 }
1873
1874 void testPassToSystemHeaderFunctionIndirectly(void) {
1875 int *p = malloc(4);
1876 p++;
1877 fakeSystemHeaderCallInt(p);
1878 // FIXME: This is a leak: if we think a system function won't free p, it
1879 // won't free (p-1) either.
1880 }
1881
1882 void testMallocIntoMalloc(void) {
1883 StructWithPtr *s = malloc(sizeof(StructWithPtr));
1884 s->memP = malloc(sizeof(int));
1885 free(s);
1886 } // FIXME: should warn here
1887
1888 int conjure(void);
1889 void testExtent(void) {
1890 int x = conjure();
1891 clang_analyzer_dump(x);
1892 // expected-warning-re@-1 {{{{^conj_\$[[:digit:]]+{int, LC1, S[[:digit:]]+, #1}}}}}}
1893 int *p = (int *)malloc(x);
1894 clang_analyzer_dumpExtent(p);
1895 // expected-warning-re@-1 {{{{^conj_\$[[:digit:]]+{int, LC1, S[[:digit:]]+, #1}}}}}}
1896 free(p);
1897 }
LLVM monorepo