clang/test/Analysis/malloc-annotations.c

   1 // RUN: %clang_analyze_cc1 -verify \
   2 // RUN:   -analyzer-checker=core \
   3 // RUN:   -analyzer-checker=alpha.deadcode.UnreachableCode \
   4 // RUN:   -analyzer-checker=alpha.core.CastSize \
   5 // RUN:   -analyzer-checker=unix.Malloc \
   6 // RUN:   -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s
   7
   8 typedef __typeof(sizeof(int)) size_t;
   9 void *malloc(size_t);
  10 void free(void *);
  11 void *realloc(void *ptr, size_t size);
  12 void *calloc(size_t nmemb, size_t size);
  13 void __attribute((ownership_returns(malloc))) *my_malloc(size_t);
  14 void __attribute((ownership_takes(malloc, 1))) my_free(void *);
  15 void my_freeBoth(void *, void *)
  16        __attribute((ownership_holds(malloc, 1, 2)));
  17 void __attribute((ownership_returns(malloc, 1))) *my_malloc2(size_t);
  18 void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
  19
  20 // Duplicate attributes are silly, but not an error.
  21 // Duplicate attribute has no extra effect.
  22 // If two are of different kinds, that is an error and reported as such.
  23 void __attribute((ownership_holds(malloc, 1)))
  24 __attribute((ownership_holds(malloc, 1)))
  25 __attribute((ownership_holds(malloc, 3))) my_hold2(void *, void *, void *);
  26 void *my_malloc3(size_t);
  27 void *myglobalpointer;
  28 struct stuff {
  29   void *somefield;
  30 };
  31 struct stuff myglobalstuff;
  32
  33 void f1(void) {
  34   int *p = malloc(12);
  35   return; // expected-warning{{Potential leak of memory pointed to by}}
  36 }
  37
  38 void f2(void) {
  39   int *p = malloc(12);
  40   free(p);
  41   free(p); // expected-warning{{Attempt to free released memory}}
  42 }
  43
  44 void f2_realloc_0(void) {
  45   int *p = malloc(12);
  46   realloc(p,0);
  47   realloc(p,0); // expected-warning{{Attempt to free released memory}}
  48 }
  49
  50 void f2_realloc_1(void) {
  51   int *p = malloc(12);
  52   int *q = realloc(p,0); // no-warning
  53 }
  54
  55 // ownership attributes tests
  56 void naf1(void) {
  57   int *p = my_malloc3(12);
  58   return; // no-warning
  59 }
  60
  61 void n2af1(void) {
  62   int *p = my_malloc2(12);
  63   return; // expected-warning{{Potential leak of memory pointed to by}}
  64 }
  65
  66 void af1(void) {
  67   int *p = my_malloc(12);
  68   return; // expected-warning{{Potential leak of memory pointed to by}}
  69 }
  70
  71 void af1_b(void) {
  72   int *p = my_malloc(12);
  73 } // expected-warning{{Potential leak of memory pointed to by}}
  74
  75 void af1_c(void) {
  76   myglobalpointer = my_malloc(12); // no-warning
  77 }
  78
  79 void af1_d(void) {
  80   struct stuff mystuff;
  81   mystuff.somefield = my_malloc(12);
  82 } // expected-warning{{Potential leak of memory pointed to by}}
  83
  84 // Test that we can pass out allocated memory via pointer-to-pointer.
  85 void af1_e(void **pp) {
  86   *pp = my_malloc(42); // no-warning
  87 }
  88
  89 void af1_f(struct stuff *somestuff) {
  90   somestuff->somefield = my_malloc(12); // no-warning
  91 }
  92
  93 // Allocating memory for a field via multiple indirections to our arguments is OK.
  94 void af1_g(struct stuff **pps) {
  95   *pps = my_malloc(sizeof(struct stuff)); // no-warning
  96   (*pps)->somefield = my_malloc(42); // no-warning
  97 }
  98
  99 void af2(void) {
 100   int *p = my_malloc(12);
 101   my_free(p);
 102   free(p); // expected-warning{{Attempt to free released memory}}
 103 }
 104
 105 void af2b(void) {
 106   int *p = my_malloc(12);
 107   free(p);
 108   my_free(p); // expected-warning{{Attempt to free released memory}}
 109 }
 110
 111 void af2c(void) {
 112   int *p = my_malloc(12);
 113   free(p);
 114   my_hold(p); // expected-warning{{Attempt to free released memory}}
 115 }
 116
 117 void af2d(void) {
 118   int *p = my_malloc(12);
 119   free(p);
 120   my_hold2(0, 0, p); // expected-warning{{Attempt to free released memory}}
 121 }
 122
 123 // No leak if malloc returns null.
 124 void af2e(void) {
 125   int *p = my_malloc(12);
 126   if (!p)
 127     return; // no-warning
 128   free(p); // no-warning
 129 }
 130
 131 // This case inflicts a possible double-free.
 132 void af3(void) {
 133   int *p = my_malloc(12);
 134   my_hold(p);
 135   free(p); // expected-warning{{Attempt to free non-owned memory}}
 136 }
 137
 138 int * af4(void) {
 139   int *p = my_malloc(12);
 140   my_free(p);
 141   return p; // expected-warning{{Use of memory after it is freed}}
 142 }
 143
 144 // This case is (possibly) ok, be conservative
 145 int * af5(void) {
 146   int *p = my_malloc(12);
 147   my_hold(p);
 148   return p; // no-warning
 149 }
 150
 151
 152
 153 // This case tests that storing malloc'ed memory to a static variable which is
 154 // then returned is not leaked.  In the absence of known contracts for functions
 155 // or inter-procedural analysis, this is a conservative answer.
 156 int *f3(void) {
 157   static int *p = 0;
 158   p = malloc(12);
 159   return p; // no-warning
 160 }
 161
 162 // This case tests that storing malloc'ed memory to a static global variable
 163 // which is then returned is not leaked.  In the absence of known contracts for
 164 // functions or inter-procedural analysis, this is a conservative answer.
 165 static int *p_f4 = 0;
 166 int *f4(void) {
 167   p_f4 = malloc(12);
 168   return p_f4; // no-warning
 169 }
 170
 171 int *f5(void) {
 172   int *q = malloc(12);
 173   q = realloc(q, 20);
 174   return q; // no-warning
 175 }
 176
 177 void f6(void) {
 178   int *p = malloc(12);
 179   if (!p)
 180     return; // no-warning
 181   else
 182     free(p);
 183 }
 184
 185 void f6_realloc(void) {
 186   int *p = malloc(12);
 187   if (!p)
 188     return; // no-warning
 189   else
 190     realloc(p,0);
 191 }
 192
 193
 194 char *doit2(void);
 195 void pr6069(void) {
 196   char *buf = doit2();
 197   free(buf);
 198 }
 199
 200 void pr6293(void) {
 201   free(0);
 202 }
 203
 204 void f7(void) {
 205   char *x = (char*) malloc(4);
 206   free(x);
 207   x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
 208 }
 209
 210 void f7_realloc(void) {
 211   char *x = (char*) malloc(4);
 212   realloc(x,0);
 213   x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
 214 }
 215
 216 void PR6123(void) {
 217   int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
 218 }
 219
 220 void PR7217(void) {
 221   int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
 222   buf[1] = 'c'; // not crash
 223 }
 224
 225 void mallocCastToVoid(void) {
 226   void *p = malloc(2);
 227   const void *cp = p; // not crash
 228   free(p);
 229 }
 230
 231 void mallocCastToFP(void) {
 232   void *p = malloc(2);
 233   void (*fp)(void) = p; // not crash
 234   free(p);
 235 }
 236
 237 // This tests that malloc() buffers are undefined by default
 238 char mallocGarbage (void) {
 239   char *buf = malloc(2);
 240   char result = buf[1]; // expected-warning{{undefined}}
 241   free(buf);
 242   return result;
 243 }
 244
 245 // This tests that calloc() buffers need to be freed
 246 void callocNoFree (void) {
 247   char *buf = calloc(2,2);
 248   return; // expected-warning{{Potential leak of memory pointed to by}}
 249 }
 250
 251 // These test that calloc() buffers are zeroed by default
 252 char callocZeroesGood (void) {
 253   char *buf = calloc(2,2);
 254   char result = buf[3]; // no-warning
 255   if (buf[1] == 0) {
 256     free(buf);
 257   }
 258   return result; // no-warning
 259 }
 260
 261 char callocZeroesBad (void) {
 262   char *buf = calloc(2,2);
 263   char result = buf[3]; // no-warning
 264   if (buf[1] != 0) {
 265     free(buf); // expected-warning{{never executed}}
 266   }
 267   return result; // expected-warning{{Potential leak of memory pointed to by}}
 268 }
 269
 270 void testMultipleFreeAnnotations(void) {
 271   int *p = malloc(12);
 272   int *q = malloc(12);
 273   my_freeBoth(p, q);
 274 }
 275