search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[RISCV][FMV] Support target_clones (#85786)
[llvm-project.git] / clang / test / Analysis / malloc.c
blob9c7ca43bfbc5af2c9a726ffc771f6350c2e5b6f8
1 // RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify %s \
2 // RUN: -analyzer-checker=core \
3 // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
4 // RUN: -analyzer-checker=alpha.core.CastSize \
5 // RUN: -analyzer-checker=unix \
6 // RUN: -analyzer-checker=debug.ExprInspection \
7 // RUN: -analyzer-checker=alpha.security.taint.TaintPropagation \
8 // RUN: -analyzer-checker=optin.taint.TaintedAlloc
9
10 #include "Inputs/system-header-simulator.h"
11
12 void clang_analyzer_eval(int);
13 void clang_analyzer_dump(int);
14 void clang_analyzer_dumpExtent(void *);
15
16 // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
17 // _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
18 // the builtin type: "Using the typedef version can cause portability
19 // problems", but we're ok here because we're not actually running anything.
20 // Also of note is this cryptic warning: "The wchar_t type is not supported
21 // when you compile C code".
22 //
23 // See the docs for more:
24 // https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
25 #if !defined(_WCHAR_T_DEFINED)
26 // "Microsoft implements wchar_t as a two-byte unsigned value"
27 typedef unsigned short wchar_t;
28 #define _WCHAR_T_DEFINED
29 #endif // !defined(_WCHAR_T_DEFINED)
30
31 typedef __typeof(sizeof(int)) size_t;
32 void *malloc(size_t);
33 void *alloca(size_t);
34 void *valloc(size_t);
35 void free(void *);
36 void *realloc(void *ptr, size_t size);
37 void *reallocf(void *ptr, size_t size);
38 void *calloc(size_t nmemb, size_t size);
39 char *strdup(const char *s);
40 wchar_t *wcsdup(const wchar_t *s);
41 char *strndup(const char *s, size_t n);
42 int memcmp(const void *s1, const void *s2, size_t n);
43
44 // Windows variants
45 char *_strdup(const char *strSource);
46 wchar_t *_wcsdup(const wchar_t *strSource);
47 void *_alloca(size_t size);
48
49 void myfoo(int *p);
50 void myfooint(int p);
51 char *fooRetPtr(void);
52
53 void t1(void) {
54 size_t size = 0;
55 scanf("%zu", &size);
56 int *p = malloc(size); // expected-warning{{malloc is called with a tainted (potentially attacker controlled) value}}
57 free(p);
58 }
59
60 void t2(void) {
61 size_t size = 0;
62 scanf("%zu", &size);
63 int *p = calloc(size,2); // expected-warning{{calloc is called with a tainted (potentially attacker controlled) value}}
64 free(p);
65 }
66
67 void t3(void) {
68 size_t size = 0;
69 scanf("%zu", &size);
70 if (1024 < size)
71 return;
72 int *p = malloc(size); // No warning expected as the the user input is bound
73 free(p);
74 }
75
76 void t4(void) {
77 size_t size = 0;
78 int *p = malloc(sizeof(int));
79 scanf("%zu", &size);
80 p = (int*) realloc((void*) p, size); // expected-warning{{realloc is called with a tainted (potentially attacker controlled) value}}
81 free(p);
82 }
83
84 void t5(void) {
85 size_t size = 0;
86 int *p = alloca(sizeof(int));
87 scanf("%zu", &size);
88 p = (int*) alloca(size); // expected-warning{{alloca is called with a tainted (potentially attacker controlled) value}}
89 }
90
91
92 void f1(void) {
93 int *p = malloc(12);
94 return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
95 }
96
97 void f2(void) {
98 int *p = malloc(12);
99 free(p);
100 free(p); // expected-warning{{Attempt to free released memory}}
101 }
102
103 void f2_realloc_0(void) {
104 int *p = malloc(12);
105 realloc(p,0);
106 realloc(p,0); // expected-warning{{Attempt to free released memory}}
107 }
108
109 void f2_realloc_1(void) {
110 int *p = malloc(12);
111 int *q = realloc(p,0); // no-warning
112 }
113
114 void reallocNotNullPtr(unsigned sizeIn) {
115 unsigned size = 12;
116 char *p = (char*)malloc(size);
117 if (p) {
118 char *q = (char*)realloc(p, sizeIn);
119 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
120 }
121 }
122
123 void allocaTest(void) {
124 int *p = alloca(sizeof(int));
125 } // no warn
126
127 void winAllocaTest(void) {
128 int *p = _alloca(sizeof(int));
129 } // no warn
130
131 void allocaBuiltinTest(void) {
132 int *p = __builtin_alloca(sizeof(int));
133 } // no warn
134
135 int *realloctest1(void) {
136 int *q = malloc(12);
137 q = realloc(q, 20);
138 return q; // no warning - returning the allocated value
139 }
140
141 // p should be freed if realloc fails.
142 void reallocFails(void) {
143 char *p = malloc(12);
144 char *r = realloc(p, 12+1);
145 if (!r) {
146 free(p);
147 } else {
148 free(r);
149 }
150 }
151
152 void reallocSizeZero1(void) {
153 char *p = malloc(12);
154 char *r = realloc(p, 0);
155 if (!r) {
156 free(p); // expected-warning {{Attempt to free released memory}}
157 } else {
158 free(r);
159 }
160 }
161
162 void reallocSizeZero2(void) {
163 char *p = malloc(12);
164 char *r = realloc(p, 0);
165 if (!r) {
166 free(p); // expected-warning {{Attempt to free released memory}}
167 } else {
168 free(r);
169 }
170 free(p); // expected-warning {{Attempt to free released memory}}
171 }
172
173 void reallocSizeZero3(void) {
174 char *p = malloc(12);
175 char *r = realloc(p, 0);
176 free(r);
177 }
178
179 void reallocSizeZero4(void) {
180 char *r = realloc(0, 0);
181 free(r);
182 }
183
184 void reallocSizeZero5(void) {
185 char *r = realloc(0, 0);
186 }
187
188 void reallocPtrZero1(void) {
189 char *r = realloc(0, 12);
190 } // expected-warning {{Potential leak of memory pointed to by 'r'}}
191
192 void reallocPtrZero2(void) {
193 char *r = realloc(0, 12);
194 if (r)
195 free(r);
196 }
197
198 void reallocPtrZero3(void) {
199 char *r = realloc(0, 12);
200 free(r);
201 }
202
203 void reallocRadar6337483_1(void) {
204 char *buf = malloc(100);
205 buf = (char*)realloc(buf, 0x1000000);
206 if (!buf) {
207 return;// expected-warning {{Potential leak of memory pointed to by}}
208 }
209 free(buf);
210 }
211
212 void reallocRadar6337483_2(void) {
213 char *buf = malloc(100);
214 char *buf2 = (char*)realloc(buf, 0x1000000);
215 if (!buf2) {
216 ;
217 } else {
218 free(buf2);
219 }
220 } // expected-warning {{Potential leak of memory pointed to by}}
221
222 void reallocRadar6337483_3(void) {
223 char * buf = malloc(100);
224 char * tmp;
225 tmp = (char*)realloc(buf, 0x1000000);
226 if (!tmp) {
227 free(buf);
228 return;
229 }
230 buf = tmp;
231 free(buf);
232 }
233
234 void reallocRadar6337483_4(void) {
235 char *buf = malloc(100);
236 char *buf2 = (char*)realloc(buf, 0x1000000);
237 if (!buf2) {
238 return; // expected-warning {{Potential leak of memory pointed to by}}
239 } else {
240 free(buf2);
241 }
242 }
243
244 int *reallocfTest1(void) {
245 int *q = malloc(12);
246 q = reallocf(q, 20);
247 return q; // no warning - returning the allocated value
248 }
249
250 void reallocfRadar6337483_4(void) {
251 char *buf = malloc(100);
252 char *buf2 = (char*)reallocf(buf, 0x1000000);
253 if (!buf2) {
254 return; // no warning - reallocf frees even on failure
255 } else {
256 free(buf2);
257 }
258 }
259
260 void reallocfRadar6337483_3(void) {
261 char * buf = malloc(100);
262 char * tmp;
263 tmp = (char*)reallocf(buf, 0x1000000);
264 if (!tmp) {
265 free(buf); // expected-warning {{Attempt to free released memory}}
266 return;
267 }
268 buf = tmp;
269 free(buf);
270 }
271
272 void reallocfPtrZero1(void) {
273 char *r = reallocf(0, 12);
274 } // expected-warning {{Potential leak of memory pointed to by}}
275
276 //------------------- Check usage of zero-allocated memory ---------------------
277 void CheckUseZeroAllocatedNoWarn1(void) {
278 int *p = malloc(0);
279 free(p); // no warning
280 }
281
282 void CheckUseZeroAllocatedNoWarn2(void) {
283 int *p = alloca(0); // no warning
284 }
285
286 void CheckUseZeroWinAllocatedNoWarn2(void) {
287 int *p = _alloca(0); // no warning
288 }
289
290
291 void CheckUseZeroAllocatedNoWarn3(void) {
292 int *p = malloc(0);
293 int *q = realloc(p, 8); // no warning
294 free(q);
295 }
296
297 void CheckUseZeroAllocatedNoWarn4(void) {
298 int *p = realloc(0, 8);
299 *p = 1; // no warning
300 free(p);
301 }
302
303 void CheckUseZeroAllocated1(void) {
304 int *p = malloc(0);
305 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
306 free(p);
307 }
308
309 char CheckUseZeroAllocated2(void) {
310 // NOTE: The `AllocaRegion` that models the return value of `alloca()`
311 // doesn't have an associated symbol, so the current implementation of
312 // `MallocChecker::checkUseZeroAllocated()` cannot provide warnings for it.
313 // However, other checkers like core.uninitialized.UndefReturn (that
314 // activates in these TCs) or the array bound checkers provide more generic,
315 // but still sufficient warnings in these cases, so I think it isn't
316 // important to cover this in MallocChecker.
317 char *p = alloca(0);
318 return *p; // expected-warning {{Undefined or garbage value returned to caller}}
319 }
320
321 char CheckUseZeroWinAllocated2(void) {
322 // Note: Same situation as `CheckUseZeroAllocated2()`.
323 char *p = _alloca(0);
324 return *p; // expected-warning {{Undefined or garbage value returned to caller}}
325 }
326
327 void UseZeroAllocated(int *p) {
328 if (p)
329 *p = 7; // expected-warning {{Use of memory allocated with size zero}}
330 }
331 void CheckUseZeroAllocated3(void) {
332 int *p = malloc(0);
333 UseZeroAllocated(p);
334 }
335
336 void f(char);
337 void CheckUseZeroAllocated4(void) {
338 char *p = valloc(0);
339 f(*p); // expected-warning {{Use of memory allocated with size zero}}
340 free(p);
341 }
342
343 void CheckUseZeroAllocated5(void) {
344 int *p = calloc(0, 2);
345 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
346 free(p);
347 }
348
349 void CheckUseZeroAllocated6(void) {
350 int *p = calloc(2, 0);
351 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
352 free(p);
353 }
354
355 void CheckUseZeroAllocated7(void) {
356 int *p = realloc(0, 0);
357 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
358 free(p);
359 }
360
361 void CheckUseZeroAllocated8(void) {
362 int *p = malloc(8);
363 int *q = realloc(p, 0);
364 *q = 1; // expected-warning {{Use of memory allocated with size zero}}
365 free(q);
366 }
367
368 void CheckUseZeroAllocated9(void) {
369 int *p = realloc(0, 0);
370 int *q = realloc(p, 0);
371 *q = 1; // expected-warning {{Use of memory allocated with size zero}}
372 free(q);
373 }
374
375 void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
376 int s = 0;
377 if (b)
378 s= 10;
379
380 char *p = malloc(s);
381
382 if (b)
383 *p = 1; // no warning
384
385 free(p);
386 }
387
388 void CheckUseZeroAllocatedPathWarn(_Bool b) {
389 int s = 10;
390 if (b)
391 s= 0;
392
393 char *p = malloc(s);
394
395 if (b)
396 *p = 1; // expected-warning {{Use of memory allocated with size zero}}
397
398 free(p);
399 }
400
401 void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
402 int s = 0;
403 if (b)
404 s= 10;
405
406 char *p = malloc(8);
407 char *q = realloc(p, s);
408
409 if (b)
410 *q = 1; // no warning
411
412 free(q);
413 }
414
415 void CheckUseZeroReallocatedPathWarn(_Bool b) {
416 int s = 10;
417 if (b)
418 s= 0;
419
420 char *p = malloc(8);
421 char *q = realloc(p, s);
422
423 if (b)
424 *q = 1; // expected-warning {{Use of memory allocated with size zero}}
425
426 free(q);
427 }
428
429 // This case tests that storing malloc'ed memory to a static variable which is
430 // then returned is not leaked. In the absence of known contracts for functions
431 // or inter-procedural analysis, this is a conservative answer.
432 int *f3(void) {
433 static int *p = 0;
434 p = malloc(12);
435 return p; // no-warning
436 }
437
438 // This case tests that storing malloc'ed memory to a static global variable
439 // which is then returned is not leaked. In the absence of known contracts for
440 // functions or inter-procedural analysis, this is a conservative answer.
441 static int *p_f4 = 0;
442 int *f4(void) {
443 p_f4 = malloc(12);
444 return p_f4; // no-warning
445 }
446
447 int *f5(void) {
448 int *q = malloc(12);
449 q = realloc(q, 20);
450 return q; // no-warning
451 }
452
453 void f6(void) {
454 int *p = malloc(12);
455 if (!p)
456 return; // no-warning
457 else
458 free(p);
459 }
460
461 void f6_realloc(void) {
462 int *p = malloc(12);
463 if (!p)
464 return; // no-warning
465 else
466 realloc(p,0);
467 }
468
469
470 char *doit2(void);
471 void pr6069(void) {
472 char *buf = doit2();
473 free(buf);
474 }
475
476 void pr6293(void) {
477 free(0);
478 }
479
480 void f7(void) {
481 char *x = (char*) malloc(4);
482 free(x);
483 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
484 }
485
486 void f8(void) {
487 char *x = (char*) malloc(4);
488 free(x);
489 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
490 }
491
492 void f7_realloc(void) {
493 char *x = (char*) malloc(4);
494 realloc(x,0);
495 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
496 }
497
498 void PR6123(void) {
499 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
500 }
501
502 void PR7217(void) {
503 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
504 buf[1] = 'c'; // not crash
505 }
506
507 void cast_emtpy_struct(void) {
508 struct st {
509 };
510
511 struct st *s = malloc(sizeof(struct st)); // no-warning
512 free(s);
513 }
514
515 void cast_struct_1(void) {
516 struct st {
517 int i[100];
518 char j[];
519 };
520
521 struct st *s = malloc(sizeof(struct st)); // no-warning
522 free(s);
523 }
524
525 void cast_struct_2(void) {
526 struct st {
527 int i[100];
528 char j[0];
529 };
530
531 struct st *s = malloc(sizeof(struct st)); // no-warning
532 free(s);
533 }
534
535 void cast_struct_3(void) {
536 struct st {
537 int i[100];
538 char j[1];
539 };
540
541 struct st *s = malloc(sizeof(struct st)); // no-warning
542 free(s);
543 }
544
545 void cast_struct_4(void) {
546 struct st {
547 int i[100];
548 char j[2];
549 };
550
551 struct st *s = malloc(sizeof(struct st)); // no-warning
552 free(s);
553 }
554
555 void cast_struct_5(void) {
556 struct st {
557 char i[200];
558 char j[1];
559 };
560
561 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning
562 free(s);
563 }
564
565 void cast_struct_warn_1(void) {
566 struct st {
567 int i[100];
568 char j[2];
569 };
570
571 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
572 free(s);
573 }
574
575 void cast_struct_warn_2(void) {
576 struct st {
577 int i[100];
578 char j[2];
579 };
580
581 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
582 free(s);
583 }
584
585 void cast_struct_flex_array_1(void) {
586 struct st {
587 int i[100];
588 char j[];
589 };
590
591 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
592 free(s);
593 }
594
595 void cast_struct_flex_array_2(void) {
596 struct st {
597 int i[100];
598 char j[0];
599 };
600
601 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
602 free(s);
603 }
604
605 void cast_struct_flex_array_3(void) {
606 struct st {
607 int i[100];
608 char j[1];
609 };
610
611 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
612 free(s);
613 }
614
615 void cast_struct_flex_array_4(void) {
616 struct foo {
617 char f[32];
618 };
619 struct st {
620 char i[100];
621 struct foo data[];
622 };
623
624 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
625 free(s);
626 }
627
628 void cast_struct_flex_array_5(void) {
629 struct foo {
630 char f[32];
631 };
632 struct st {
633 char i[100];
634 struct foo data[0];
635 };
636
637 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
638 free(s);
639 }
640
641 void cast_struct_flex_array_6(void) {
642 struct foo {
643 char f[32];
644 };
645 struct st {
646 char i[100];
647 struct foo data[1];
648 };
649
650 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
651 free(s);
652 }
653
654 void cast_struct_flex_array_warn_1(void) {
655 struct foo {
656 char f[32];
657 };
658 struct st {
659 char i[100];
660 struct foo data[];
661 };
662
663 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
664 free(s);
665 }
666
667 void cast_struct_flex_array_warn_2(void) {
668 struct foo {
669 char f[32];
670 };
671 struct st {
672 char i[100];
673 struct foo data[0];
674 };
675
676 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
677 free(s);
678 }
679
680 void cast_struct_flex_array_warn_3(void) {
681 struct foo {
682 char f[32];
683 };
684 struct st {
685 char i[100];
686 struct foo data[1];
687 };
688
689 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
690 free(s);
691 }
692
693 void cast_struct_flex_array_warn_4(void) {
694 struct st {
695 int i[100];
696 int j[];
697 };
698
699 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
700 free(s);
701 }
702
703 void cast_struct_flex_array_warn_5(void) {
704 struct st {
705 int i[100];
706 int j[0];
707 };
708
709 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
710 free(s);
711 }
712
713 void cast_struct_flex_array_warn_6(void) {
714 struct st {
715 int i[100];
716 int j[1];
717 };
718
719 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
720 free(s);
721 }
722
723 void mallocCastToVoid(void) {
724 void *p = malloc(2);
725 const void *cp = p; // not crash
726 free(p);
727 }
728
729 void mallocCastToFP(void) {
730 void *p = malloc(2);
731 void (*fp)(void) = p; // not crash
732 free(p);
733 }
734
735 // This tests that 'malloc()' buffers are undefined by default
736 char mallocGarbage (void) {
737 char *buf = malloc(2);
738 char result = buf[1]; // expected-warning{{undefined}}
739 free(buf);
740 return result;
741 }
742
743 // This tests that calloc() buffers need to be freed
744 void callocNoFree (void) {
745 char *buf = calloc(2,2);
746 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
747 }
748
749 // These test that calloc() buffers are zeroed by default
750 char callocZeroesGood (void) {
751 char *buf = calloc(2,2);
752 char result = buf[3]; // no-warning
753 if (buf[1] == 0) {
754 free(buf);
755 }
756 return result; // no-warning
757 }
758
759 char callocZeroesBad (void) {
760 char *buf = calloc(2,2);
761 char result = buf[3]; // no-warning
762 if (buf[1] != 0) {
763 free(buf); // expected-warning{{never executed}}
764 }
765 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
766 }
767
768 void nullFree(void) {
769 int *p = 0;
770 free(p); // no warning - a nop
771 }
772
773 void paramFree(int *p) {
774 myfoo(p);
775 free(p); // no warning
776 myfoo(p); // expected-warning {{Use of memory after it is freed}}
777 }
778
779 void allocaFree(void) {
780 int *p = alloca(sizeof(int));
781 free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}}
782 }
783
784 void allocaFreeBuiltin(void) {
785 int *p = __builtin_alloca(sizeof(int));
786 free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}}
787 }
788
789 void allocaFreeBuiltinAlign(void) {
790 int *p = __builtin_alloca_with_align(sizeof(int), 64);
791 free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}}
792 }
793
794
795 int* mallocEscapeRet(void) {
796 int *p = malloc(12);
797 return p; // no warning
798 }
799
800 void mallocEscapeFoo(void) {
801 int *p = malloc(12);
802 myfoo(p);
803 return; // no warning
804 }
805
806 void mallocEscapeFree(void) {
807 int *p = malloc(12);
808 myfoo(p);
809 free(p);
810 }
811
812 void mallocEscapeFreeFree(void) {
813 int *p = malloc(12);
814 myfoo(p);
815 free(p);
816 free(p); // expected-warning{{Attempt to free released memory}}
817 }
818
819 void mallocEscapeFreeUse(void) {
820 int *p = malloc(12);
821 myfoo(p);
822 free(p);
823 myfoo(p); // expected-warning{{Use of memory after it is freed}}
824 }
825
826 int *myalloc(void);
827 void myalloc2(int **p);
828
829 void mallocEscapeFreeCustomAlloc(void) {
830 int *p = malloc(12);
831 myfoo(p);
832 free(p);
833 p = myalloc();
834 free(p); // no warning
835 }
836
837 void mallocEscapeFreeCustomAlloc2(void) {
838 int *p = malloc(12);
839 myfoo(p);
840 free(p);
841 myalloc2(&p);
842 free(p); // no warning
843 }
844
845 void mallocBindFreeUse(void) {
846 int *x = malloc(12);
847 int *y = x;
848 free(y);
849 myfoo(x); // expected-warning{{Use of memory after it is freed}}
850 }
851
852 void mallocEscapeMalloc(void) {
853 int *p = malloc(12);
854 myfoo(p);
855 p = malloc(12);
856 } // expected-warning{{Potential leak of memory pointed to by}}
857
858 void mallocMalloc(void) {
859 int *p = malloc(12);
860 p = malloc(12);
861 } // expected-warning {{Potential leak of memory pointed to by}}\
862 // expected-warning {{Potential leak of memory pointed to by}}
863
864 void mallocFreeMalloc(void) {
865 int *p = malloc(12);
866 free(p);
867 p = malloc(12);
868 free(p);
869 }
870
871 void mallocFreeUse_params(void) {
872 int *p = malloc(12);
873 free(p);
874 myfoo(p); //expected-warning{{Use of memory after it is freed}}
875 }
876
877 void mallocFreeUse_params2(void) {
878 int *p = malloc(12);
879 free(p);
880 myfooint(*p); //expected-warning{{Use of memory after it is freed}}
881 }
882
883 void mallocFailedOrNot(void) {
884 int *p = malloc(12);
885 if (!p)
886 free(p);
887 else
888 free(p);
889 }
890
891 struct StructWithInt {
892 int g;
893 };
894
895 int *mallocReturnFreed(void) {
896 int *p = malloc(12);
897 free(p);
898 return p; // expected-warning {{Use of memory after it is freed}}
899 }
900
901 int useAfterFreeStruct(void) {
902 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
903 px->g = 5;
904 free(px);
905 return px->g; // expected-warning {{Use of memory after it is freed}}
906 }
907
908 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
909
910 void mallocEscapeFooNonSymbolArg(void) {
911 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
912 nonSymbolAsFirstArg(&p->g, p);
913 return; // no warning
914 }
915
916 void mallocFailedOrNotLeak(void) {
917 int *p = malloc(12);
918 if (p == 0)
919 return; // no warning
920 else
921 return; // expected-warning {{Potential leak of memory pointed to by}}
922 }
923
924 void mallocAssignment(void) {
925 char *p = malloc(12);
926 p = fooRetPtr();
927 } // expected-warning {{leak}}
928
929 int vallocTest(void) {
930 char *mem = valloc(12);
931 return 0; // expected-warning {{Potential leak of memory pointed to by}}
932 }
933
934 void vallocEscapeFreeUse(void) {
935 int *p = valloc(12);
936 myfoo(p);
937 free(p);
938 myfoo(p); // expected-warning{{Use of memory after it is freed}}
939 }
940
941 int *Gl;
942 struct GlStTy {
943 int *x;
944 };
945
946 struct GlStTy GlS = {0};
947
948 void GlobalFree(void) {
949 free(Gl);
950 }
951
952 void GlobalMalloc(void) {
953 Gl = malloc(12);
954 }
955
956 void GlobalStructMalloc(void) {
957 int *a = malloc(12);
958 GlS.x = a;
959 }
960
961 void GlobalStructMallocFree(void) {
962 int *a = malloc(12);
963 GlS.x = a;
964 free(GlS.x);
965 }
966
967 char *ArrayG[12];
968
969 void globalArrayTest(void) {
970 char *p = (char*)malloc(12);
971 ArrayG[0] = p;
972 }
973
974 // Make sure that we properly handle a pointer stored into a local struct/array.
975 typedef struct _StructWithPtr {
976 int *memP;
977 } StructWithPtr;
978
979 static StructWithPtr arrOfStructs[10];
980
981 void testMalloc(void) {
982 int *x = malloc(12);
983 StructWithPtr St;
984 St.memP = x;
985 arrOfStructs[0] = St; // no-warning
986 }
987
988 StructWithPtr testMalloc2(void) {
989 int *x = malloc(12);
990 StructWithPtr St;
991 St.memP = x;
992 return St; // no-warning
993 }
994
995 int *testMalloc3(void) {
996 int *x = malloc(12);
997 int *y = x;
998 return y; // no-warning
999 }
1000
1001 void testStructLeak(void) {
1002 StructWithPtr St;
1003 St.memP = malloc(12);
1004 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
1005 }
1006
1007 void testElemRegion1(void) {
1008 char *x = (void*)malloc(2);
1009 int *ix = (int*)x;
1010 free(&(x[0]));
1011 }
1012
1013 void testElemRegion2(int **pp) {
1014 int *p = malloc(12);
1015 *pp = p;
1016 free(pp[0]);
1017 }
1018
1019 void testElemRegion3(int **pp) {
1020 int *p = malloc(12);
1021 *pp = p;
1022 free(*pp);
1023 }
1024 // Region escape testing.
1025
1026 unsigned takePtrToPtr(int **p);
1027 void PassTheAddrOfAllocatedData(int f) {
1028 int *p = malloc(12);
1029 // We don't know what happens after the call. Should stop tracking here.
1030 if (takePtrToPtr(&p))
1031 f++;
1032 free(p); // no warning
1033 }
1034
1035 struct X {
1036 int *p;
1037 };
1038 unsigned takePtrToStruct(struct X *s);
1039 int ** foo2(int *g, int f) {
1040 int *p = malloc(12);
1041 struct X *px= malloc(sizeof(struct X));
1042 px->p = p;
1043 // We don't know what happens after this call. Should not track px nor p.
1044 if (takePtrToStruct(px))
1045 f++;
1046 free(p);
1047 return 0;
1048 }
1049
1050 struct X* RegInvalidationDetect1(struct X *s2) {
1051 struct X *px= malloc(sizeof(struct X));
1052 px->p = 0;
1053 px = s2;
1054 return px; // expected-warning {{Potential leak of memory pointed to by}}
1055 }
1056
1057 struct X* RegInvalidationGiveUp1(void) {
1058 int *p = malloc(12);
1059 struct X *px= malloc(sizeof(struct X));
1060 px->p = p;
1061 return px;
1062 }
1063
1064 int **RegInvalidationDetect2(int **pp) {
1065 int *p = malloc(12);
1066 pp = &p;
1067 pp++;
1068 return 0;// expected-warning {{Potential leak of memory pointed to by}}
1069 }
1070
1071 extern void exit(int) __attribute__ ((__noreturn__));
1072 void mallocExit(int *g) {
1073 struct xx *p = malloc(12);
1074 if (g != 0)
1075 exit(1);
1076 free(p);
1077 return;
1078 }
1079
1080 extern void __assert_fail (__const char *__assertion, __const char *__file,
1081 unsigned int __line, __const char *__function)
1082 __attribute__ ((__noreturn__));
1083 #define assert(expr) \
1084 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
1085 void mallocAssert(int *g) {
1086 struct xx *p = malloc(12);
1087
1088 assert(g != 0);
1089 free(p);
1090 return;
1091 }
1092
1093 void doNotInvalidateWhenPassedToSystemCalls(char *s) {
1094 char *p = malloc(12);
1095 strlen(p);
1096 strcpy(p, s);
1097 strcpy(s, p);
1098 strcpy(p, p);
1099 memcpy(p, s, 1);
1100 memcpy(s, p, 1);
1101 memcpy(p, p, 1);
1102 } // expected-warning {{leak}}
1103
1104 // Treat source buffer contents as escaped.
1105 void escapeSourceContents(char *s) {
1106 char *p = malloc(12);
1107 memcpy(s, &p, 12); // no warning
1108
1109 void *p1 = malloc(7);
1110 char *a;
1111 memcpy(&a, &p1, sizeof a);
1112 // FIXME: No warning due to limitations imposed by current modelling of
1113 // 'memcpy' (regions metadata is not copied).
1114
1115 int *ptrs[2];
1116 int *allocated = (int *)malloc(4);
1117 memcpy(&ptrs[0], &allocated, sizeof(int *));
1118 // FIXME: No warning due to limitations imposed by current modelling of
1119 // 'memcpy' (regions metadata is not copied).
1120 }
1121
1122 void invalidateDestinationContents(void) {
1123 int *null = 0;
1124 int *p = (int *)malloc(4);
1125 memcpy(&p, &null, sizeof(int *));
1126
1127 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}}
1128 ptrs1[0] = (int *)malloc(4);
1129 memcpy(ptrs1, &null, sizeof(int *));
1130
1131 int *ptrs2[2]; // expected-warning {{Potential memory leak}}
1132 ptrs2[0] = (int *)malloc(4);
1133 memcpy(&ptrs2[1], &null, sizeof(int *));
1134
1135 int *ptrs3[2]; // expected-warning {{Potential memory leak}}
1136 ptrs3[0] = (int *)malloc(4);
1137 memcpy(&ptrs3[0], &null, sizeof(int *));
1138 } // expected-warning {{Potential memory leak}}
1139
1140 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
1141 void symbolLostWithStrcpy(char *s) {
1142 char *p = malloc(12);
1143 p = strcpy(p, s);
1144 free(p);
1145 }
1146
1147
1148 // The same test as the one above, but with what is actually generated on a mac.
1149 static __inline char *
1150 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
1151 {
1152 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
1153 }
1154
1155 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
1156 char *p = malloc(12);
1157 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
1158 free(p);
1159 }
1160
1161 // Here we are returning a pointer one past the allocated value. An idiom which
1162 // can be used for implementing special malloc. The correct uses of this might
1163 // be rare enough so that we could keep this as a warning.
1164 static void *specialMalloc(int n){
1165 int *p;
1166 p = malloc( n+8 );
1167 if( p ){
1168 p[0] = n;
1169 p++;
1170 }
1171 return p;
1172 }
1173
1174 // Potentially, the user could free the struct by performing pointer arithmetic on the return value.
1175 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
1176 int *specialMallocWithStruct(void) {
1177 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
1178 return &(px->g);
1179 }
1180
1181 // Test various allocation/deallocation functions.
1182 void testStrdup(const char *s, unsigned validIndex) {
1183 char *s2 = strdup(s);
1184 s2[validIndex + 1] = 'b';
1185 } // expected-warning {{Potential leak of memory pointed to by}}
1186
1187 void testWinStrdup(const char *s, unsigned validIndex) {
1188 char *s2 = _strdup(s);
1189 s2[validIndex + 1] = 'b';
1190 } // expected-warning {{Potential leak of memory pointed to by}}
1191
1192 void testWcsdup(const wchar_t *s, unsigned validIndex) {
1193 wchar_t *s2 = wcsdup(s);
1194 s2[validIndex + 1] = 'b';
1195 } // expected-warning {{Potential leak of memory pointed to by}}
1196
1197 void testWinWcsdup(const wchar_t *s, unsigned validIndex) {
1198 wchar_t *s2 = _wcsdup(s);
1199 s2[validIndex + 1] = 'b';
1200 } // expected-warning {{Potential leak of memory pointed to by}}
1201
1202 int testStrndup(const char *s, unsigned validIndex, unsigned size) {
1203 char *s2 = strndup(s, size);
1204 s2 [validIndex + 1] = 'b';
1205 if (s2[validIndex] != 'a')
1206 return 0;
1207 else
1208 return 1;// expected-warning {{Potential leak of memory pointed to by}}
1209 }
1210
1211 void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
1212 char *s2 = strdup(s);
1213 char result = s2[1];// no warning
1214 free(s2);
1215 }
1216
1217 void testWinStrdupContentIsDefined(const char *s, unsigned validIndex) {
1218 char *s2 = _strdup(s);
1219 char result = s2[1];// no warning
1220 free(s2);
1221 }
1222
1223 void testWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1224 wchar_t *s2 = wcsdup(s);
1225 wchar_t result = s2[1];// no warning
1226 free(s2);
1227 }
1228
1229 void testWinWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1230 wchar_t *s2 = _wcsdup(s);
1231 wchar_t result = s2[1];// no warning
1232 free(s2);
1233 }
1234
1235 // ----------------------------------------------------------------------------
1236 // Test the system library functions to which the pointer can escape.
1237 // This tests false positive suppression.
1238
1239 // For now, we assume memory passed to pthread_specific escapes.
1240 // TODO: We could check that if a new pthread binding is set, the existing
1241 // binding must be freed; otherwise, a memory leak can occur.
1242 void testPthereadSpecificEscape(pthread_key_t key) {
1243 void *buf = malloc(12);
1244 pthread_setspecific(key, buf); // no warning
1245 }
1246
1247 // PR12101: Test funopen().
1248 static int releasePtr(void *_ctx) {
1249 free(_ctx);
1250 return 0;
1251 }
1252 FILE *useFunOpen(void) {
1253 void *ctx = malloc(sizeof(int));
1254 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
1255 if (f == 0) {
1256 free(ctx);
1257 }
1258 return f;
1259 }
1260 FILE *useFunOpenNoReleaseFunction(void) {
1261 void *ctx = malloc(sizeof(int));
1262 FILE *f = funopen(ctx, 0, 0, 0, 0);
1263 if (f == 0) {
1264 free(ctx);
1265 }
1266 return f; // expected-warning{{leak}}
1267 }
1268
1269 static int readNothing(void *_ctx, char *buf, int size) {
1270 return 0;
1271 }
1272 FILE *useFunOpenReadNoRelease(void) {
1273 void *ctx = malloc(sizeof(int));
1274 FILE *f = funopen(ctx, readNothing, 0, 0, 0);
1275 if (f == 0) {
1276 free(ctx);
1277 }
1278 return f; // expected-warning{{leak}}
1279 }
1280
1281 // Test setbuf, setvbuf.
1282 int my_main_no_warning(void) {
1283 char *p = malloc(100);
1284 setvbuf(stdout, p, 0, 100);
1285 return 0;
1286 }
1287 int my_main_no_warning2(void) {
1288 char *p = malloc(100);
1289 setbuf(__stdoutp, p);
1290 return 0;
1291 }
1292 int my_main_warn(FILE *f) {
1293 char *p = malloc(100);
1294 setvbuf(f, p, 0, 100);
1295 return 0;// expected-warning {{leak}}
1296 }
1297
1298 // some people use stack allocated memory as an optimization to avoid
1299 // a heap allocation for small work sizes. This tests the analyzer's
1300 // understanding that the malloc'ed memory is not the same as stackBuffer.
1301 void radar10978247(int myValueSize) {
1302 char stackBuffer[128];
1303 char *buffer;
1304
1305 if (myValueSize <= sizeof(stackBuffer))
1306 buffer = stackBuffer;
1307 else
1308 buffer = malloc(myValueSize);
1309
1310 // do stuff with the buffer
1311 if (buffer != stackBuffer)
1312 free(buffer);
1313 }
1314
1315 void radar10978247_positive(int myValueSize) {
1316 char stackBuffer[128];
1317 char *buffer;
1318
1319 if (myValueSize <= sizeof(stackBuffer))
1320 buffer = stackBuffer;
1321 else
1322 buffer = malloc(myValueSize);
1323
1324 // do stuff with the buffer
1325 if (buffer == stackBuffer)
1326 return;
1327 else
1328 return; // expected-warning {{leak}}
1329 }
1330 // Previously this triggered a false positive because 'malloc()' is known to
1331 // return uninitialized memory and the binding of 'o' to 'p->n' was not getting
1332 // propertly handled. Now we report a leak.
1333 struct rdar11269741_a_t {
1334 struct rdar11269741_b_t {
1335 int m;
1336 } n;
1337 };
1338
1339 int rdar11269741(struct rdar11269741_b_t o)
1340 {
1341 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
1342 p->n = o;
1343 return p->n.m; // expected-warning {{leak}}
1344 }
1345
1346 // Pointer arithmetic, returning an ElementRegion.
1347 void *radar11329382(unsigned bl) {
1348 void *ptr = malloc (16);
1349 ptr = ptr + (2 - bl);
1350 return ptr; // no warning
1351 }
1352
1353 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
1354 int strcmp(const char *, const char *);
1355 char *a (void);
1356 void radar11270219(void) {
1357 char *x = a(), *y = a();
1358 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
1359 strcmp(x, y); // no warning
1360 }
1361
1362 void radar_11358224_test_double_assign_ints_positive_2(void)
1363 {
1364 void *ptr = malloc(16);
1365 ptr = ptr;
1366 } // expected-warning {{leak}}
1367
1368 // Assume that functions which take a function pointer can free memory even if
1369 // they are defined in system headers and take the const pointer to the
1370 // allocated memory.
1371 int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
1372 void r11160612_1(void) {
1373 char *x = malloc(12);
1374 const_ptr_and_callback(0, x, 12, free); // no - warning
1375 }
1376
1377 // Null is passed as callback.
1378 void r11160612_2(void) {
1379 char *x = malloc(12);
1380 const_ptr_and_callback(0, x, 12, 0);
1381 } // expected-warning {{leak}}
1382
1383 // Callback is passed to a function defined in a system header.
1384 void r11160612_4(void) {
1385 char *x = malloc(12);
1386 sqlite3_bind_text_my(0, x, 12, free); // no - warning
1387 }
1388
1389 // Passing callbacks in a struct.
1390 void r11160612_5(StWithCallback St) {
1391 void *x = malloc(12);
1392 dealocateMemWhenDoneByVal(x, St);
1393 }
1394 void r11160612_6(StWithCallback St) {
1395 void *x = malloc(12);
1396 dealocateMemWhenDoneByRef(&St, x);
1397 }
1398
1399 int mySub(int, int);
1400 int myAdd(int, int);
1401 int fPtr(unsigned cond, int x) {
1402 return (cond ? mySub : myAdd)(x, x);
1403 }
1404
1405 // Test anti-aliasing.
1406
1407 void dependsOnValueOfPtr(int *g, unsigned f) {
1408 int *p;
1409
1410 if (f) {
1411 p = g;
1412 } else {
1413 p = malloc(12);
1414 }
1415
1416 if (p != g)
1417 free(p);
1418 else
1419 return; // no warning
1420 return;
1421 }
1422
1423 int CMPRegionHeapToStack(void) {
1424 int x = 0;
1425 int *x1 = malloc(8);
1426 int *x2 = &x;
1427 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
1428 free(x1);
1429 return x;
1430 }
1431
1432 int CMPRegionHeapToHeap2(void) {
1433 int x = 0;
1434 int *x1 = malloc(8);
1435 int *x2 = malloc(8);
1436 int *x4 = x1;
1437 int *x5 = x2;
1438 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
1439 free(x1);
1440 free(x2);
1441 return x;
1442 }
1443
1444 int CMPRegionHeapToHeap(void) {
1445 int x = 0;
1446 int *x1 = malloc(8);
1447 int *x4 = x1;
1448 if (x1 == x4) {
1449 free(x1);
1450 return 5/x; // expected-warning{{Division by zero}}
1451 }
1452 return x;// expected-warning{{This statement is never executed}}
1453 }
1454
1455 int HeapAssignment(void) {
1456 int m = 0;
1457 int *x = malloc(4);
1458 int *y = x;
1459 *x = 5;
1460 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
1461 free(x);
1462 return 0;
1463 }
1464
1465 int *retPtr(void);
1466 int *retPtrMightAlias(int *x);
1467 int cmpHeapAllocationToUnknown(void) {
1468 int zero = 0;
1469 int *yBefore = retPtr();
1470 int *m = malloc(8);
1471 int *yAfter = retPtrMightAlias(m);
1472 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
1473 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
1474 free(m);
1475 return 0;
1476 }
1477
1478 void localArrayTest(void) {
1479 char *p = (char*)malloc(12);
1480 char *ArrayL[12];
1481 ArrayL[0] = p;
1482 } // expected-warning {{leak}}
1483
1484 void localStructTest(void) {
1485 StructWithPtr St;
1486 StructWithPtr *pSt = &St;
1487 pSt->memP = malloc(12);
1488 } // expected-warning{{Potential leak of memory pointed to by}}
1489
1490 #ifdef __INTPTR_TYPE__
1491 // Test double assignment through integers.
1492 typedef __INTPTR_TYPE__ intptr_t;
1493 typedef unsigned __INTPTR_TYPE__ uintptr_t;
1494
1495 static intptr_t glob;
1496 void test_double_assign_ints(void)
1497 {
1498 void *ptr = malloc (16); // no-warning
1499 glob = (intptr_t)(uintptr_t)ptr;
1500 }
1501
1502 void test_double_assign_ints_positive(void)
1503 {
1504 void *ptr = malloc(16);
1505 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
1506 } // expected-warning {{leak}}
1507 #endif
1508
1509 void testCGContextNoLeak(void)
1510 {
1511 void *ptr = malloc(16);
1512 CGContextRef context = CGBitmapContextCreate(ptr);
1513
1514 // Because you can get the data back out like this, even much later,
1515 // CGBitmapContextCreate is one of our "stop-tracking" exceptions.
1516 free(CGBitmapContextGetData(context));
1517 }
1518
1519 void testCGContextLeak(void)
1520 {
1521 void *ptr = malloc(16);
1522 CGContextRef context = CGBitmapContextCreate(ptr);
1523 // However, this time we're just leaking the data, because the context
1524 // object doesn't escape and it hasn't been freed in this function.
1525 }
1526
1527 // Allow xpc context to escape.
1528 // TODO: Would be great if we checked that the finalize_connection_context actually releases it.
1529 static void finalize_connection_context(void *ctx) {
1530 int *context = ctx;
1531 free(context);
1532 }
1533 void foo (xpc_connection_t peer) {
1534 int *ctx = calloc(1, sizeof(int));
1535 xpc_connection_set_context(peer, ctx);
1536 xpc_connection_set_finalizer_f(peer, finalize_connection_context);
1537 xpc_connection_resume(peer);
1538 }
1539
1540 // Make sure we catch errors when we free in a function which does not allocate memory.
1541 void freeButNoMalloc(int *p, int x){
1542 if (x) {
1543 free(p);
1544 //user forgot a return here.
1545 }
1546 free(p); // expected-warning {{Attempt to free released memory}}
1547 }
1548
1549 struct HasPtr {
1550 char *p;
1551 };
1552
1553 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1554 int *s;
1555 char *b = realloc(a->p, size);
1556 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1557 // We don't expect a use-after-free for a->P here because the warning above
1558 // is a sink.
1559 return a->p; // no-warning
1560 }
1561
1562 // We should not warn in this case since the caller will presumably free a->p in all cases.
1563 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1564 int *s;
1565 char *b = realloc(a->p, size);
1566 if (b == 0)
1567 return -1;
1568 a->p = b;
1569 return 0;
1570 }
1571
1572 // Test realloc with no visible malloc.
1573 void *test(void *ptr) {
1574 void *newPtr = realloc(ptr, 4);
1575 if (newPtr == 0) {
1576 if (ptr)
1577 free(ptr); // no-warning
1578 }
1579 return newPtr;
1580 }
1581
1582
1583 char *testLeakWithinReturn(char *str) {
1584 return strdup(strdup(str)); // expected-warning{{leak}}
1585 }
1586
1587 char *testWinLeakWithinReturn(char *str) {
1588 return _strdup(_strdup(str)); // expected-warning{{leak}}
1589 }
1590
1591 wchar_t *testWinWideLeakWithinReturn(wchar_t *str) {
1592 return _wcsdup(_wcsdup(str)); // expected-warning{{leak}}
1593 }
1594
1595 void passConstPtr(const char * ptr);
1596
1597 void testPassConstPointer(void) {
1598 char * string = malloc(sizeof(char)*10);
1599 passConstPtr(string);
1600 return; // expected-warning {{leak}}
1601 }
1602
1603 void testPassConstPointerIndirectly(void) {
1604 char *p = malloc(1);
1605 p++;
1606 memcmp(p, p, sizeof(&p));
1607 return; // expected-warning {{leak}}
1608 }
1609
1610 void testPassConstPointerIndirectlyStruct(void) {
1611 struct HasPtr hp;
1612 hp.p = malloc(10);
1613 memcmp(&hp, &hp, sizeof(hp));
1614 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
1615 }
1616
1617 void testPassToSystemHeaderFunctionIndirectlyStruct(void) {
1618 SomeStruct ss;
1619 ss.p = malloc(1);
1620 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1621 // Technically a false negative here -- we know the system function won't free
1622 // ss.p, but nothing else will either!
1623 } // no-warning
1624
1625 void testPassToSystemHeaderFunctionIndirectlyStructFree(void) {
1626 SomeStruct ss;
1627 ss.p = malloc(1);
1628 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1629 free(ss.p);
1630 } // no-warning
1631
1632 void testPassToSystemHeaderFunctionIndirectlyArray(void) {
1633 int *p[1];
1634 p[0] = malloc(sizeof(int));
1635 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1636 // Technically a false negative here -- we know the system function won't free
1637 // p[0], but nothing else will either!
1638 } // no-warning
1639
1640 void testPassToSystemHeaderFunctionIndirectlyArrayFree(void) {
1641 int *p[1];
1642 p[0] = malloc(sizeof(int));
1643 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1644 free(p[0]);
1645 } // no-warning
1646
1647 int *testOffsetAllocate(size_t size) {
1648 int *memoryBlock = (int *)malloc(size + sizeof(int));
1649 return &memoryBlock[1]; // no-warning
1650 }
1651
1652 void testOffsetDeallocate(int *memoryBlock) {
1653 free(&memoryBlock[-1]); // no-warning
1654 }
1655
1656 void testOffsetOfRegionFreed(void) {
1657 __int64_t * array = malloc(sizeof(__int64_t)*2);
1658 array += 1;
1659 free(&array[0]); // expected-warning{{Argument to 'free()' is offset by 8 bytes from the start of memory allocated by 'malloc()'}}
1660 }
1661
1662 void testOffsetOfRegionFreed2(void) {
1663 __int64_t *p = malloc(sizeof(__int64_t)*2);
1664 p += 1;
1665 free(p); // expected-warning{{Argument to 'free()' is offset by 8 bytes from the start of memory allocated by 'malloc()'}}
1666 }
1667
1668 void testOffsetOfRegionFreed3(void) {
1669 char *r = malloc(sizeof(char));
1670 r = r - 10;
1671 free(r); // expected-warning {{Argument to 'free()' is offset by -10 bytes from the start of memory allocated by 'malloc()'}}
1672 }
1673
1674 void testOffsetOfRegionFreedAfterFunctionCall(void) {
1675 int *p = malloc(sizeof(int)*2);
1676 p += 1;
1677 myfoo(p);
1678 free(p); // expected-warning{{Argument to 'free()' is offset by 4 bytes from the start of memory allocated by 'malloc()'}}
1679 }
1680
1681 void testFixManipulatedPointerBeforeFree(void) {
1682 int * array = malloc(sizeof(int)*2);
1683 array += 1;
1684 free(&array[-1]); // no-warning
1685 }
1686
1687 void testFixManipulatedPointerBeforeFree2(void) {
1688 char *r = malloc(sizeof(char));
1689 r = r + 10;
1690 free(r-10); // no-warning
1691 }
1692
1693 void freeOffsetPointerPassedToFunction(void) {
1694 __int64_t *p = malloc(sizeof(__int64_t)*2);
1695 p[1] = 0;
1696 p += 1;
1697 myfooint(*p); // not passing the pointer, only a value pointed by pointer
1698 free(p); // expected-warning {{Argument to 'free()' is offset by 8 bytes from the start of memory allocated by 'malloc()'}}
1699 }
1700
1701 int arbitraryInt(void);
1702 void freeUnknownOffsetPointer(void) {
1703 char *r = malloc(sizeof(char));
1704 r = r + arbitraryInt(); // unable to reason about what the offset might be
1705 free(r); // no-warning
1706 }
1707
1708 void testFreeNonMallocPointerWithNoOffset(void) {
1709 char c;
1710 char *r = &c;
1711 r = r + 10;
1712 free(r-10); // expected-warning {{Argument to 'free()' is the address of the local variable 'c', which is not memory allocated by 'malloc()'}}
1713 }
1714
1715 void testFreeNonMallocPointerWithOffset(void) {
1716 char c;
1717 char *r = &c;
1718 free(r+1); // expected-warning {{Argument to 'free()' is the address of the local variable 'c', which is not memory allocated by 'malloc()'}}
1719 }
1720
1721 void testOffsetZeroDoubleFree(void) {
1722 int *array = malloc(sizeof(int)*2);
1723 int *p = &array[0];
1724 free(p);
1725 free(&array[0]); // expected-warning{{Attempt to free released memory}}
1726 }
1727
1728 void testOffsetPassedToStrlen(void) {
1729 char * string = malloc(sizeof(char)*10);
1730 string += 1;
1731 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
1732 }
1733
1734 void testOffsetPassedToStrlenThenFree(void) {
1735 char * string = malloc(sizeof(char)*10);
1736 string += 1;
1737 int length = strlen(string);
1738 free(string); // expected-warning {{Argument to 'free()' is offset by 1 byte from the start of memory allocated by 'malloc()'}}
1739 }
1740
1741 void testOffsetPassedAsConst(void) {
1742 char * string = malloc(sizeof(char)*10);
1743 string += 1;
1744 passConstPtr(string);
1745 free(string); // expected-warning {{Argument to 'free()' is offset by 1 byte from the start of memory allocated by 'malloc()'}}
1746 }
1747
1748 char **_vectorSegments;
1749 int _nVectorSegments;
1750
1751 void poolFreeC(void* s) {
1752 free(s); // no-warning
1753 }
1754 void freeMemory(void) {
1755 while (_nVectorSegments) {
1756 poolFreeC(_vectorSegments[_nVectorSegments++]);
1757 }
1758 }
1759
1760 // PR16730
1761 void testReallocEscaped(void **memory) {
1762 *memory = malloc(47);
1763 char *new_memory = realloc(*memory, 47);
1764 if (new_memory != 0) {
1765 *memory = new_memory;
1766 }
1767 }
1768
1769 // PR16558
1770 void *smallocNoWarn(size_t size) {
1771 if (size == 0) {
1772 return malloc(1); // this branch is never called
1773 }
1774 else {
1775 return malloc(size);
1776 }
1777 }
1778
1779 char *dupstrNoWarn(const char *s) {
1780 const int len = strlen(s);
1781 char *p = (char*) smallocNoWarn(len + 1);
1782 strcpy(p, s); // no-warning
1783 return p;
1784 }
1785
1786 void *smallocWarn(size_t size) {
1787 if (size == 2) {
1788 return malloc(1);
1789 }
1790 else {
1791 return malloc(size);
1792 }
1793 }
1794
1795 int *radar15580979(void) {
1796 int *data = (int *)malloc(32);
1797 int *p = data ?: (int*)malloc(32); // no warning
1798 return p;
1799 }
1800
1801 // Some data structures may hold onto the pointer and free it later.
1802 void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
1803 int *data = (int *)malloc(32);
1804 fake_insque(queue, data); // no warning
1805 }
1806
1807 void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) {
1808 int *data = (int *)malloc(32);
1809 fake_rb_tree_init(rbt, data);
1810 } //expected-warning{{Potential leak}}
1811
1812 void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
1813 int *data = (int *)malloc(32);
1814 fake_rb_tree_init(rbt, data);
1815 fake_rb_tree_insert_node(rbt, data); // no warning
1816 }
1817
1818 struct IntAndPtr {
1819 int x;
1820 int *p;
1821 };
1822
1823 void constEscape(const void *ptr);
1824
1825 void testConstEscapeThroughAnotherField(void) {
1826 struct IntAndPtr s;
1827 s.p = malloc(sizeof(int));
1828 constEscape(&(s.x)); // could free s->p!
1829 } // no-warning
1830
1831 // PR15623
1832 int testNoCheckerDataPropogationFromLogicalOpOperandToOpResult(void) {
1833 char *param = malloc(10);
1834 char *value = malloc(10);
1835 int ok = (param && value);
1836 free(param);
1837 free(value);
1838 // Previously we ended up with 'Use of memory after it is freed' on return.
1839 return ok; // no warning
1840 }
1841
1842 void (*fnptr)(int);
1843 void freeIndirectFunctionPtr(void) {
1844 void *p = (void *)fnptr;
1845 free(p); // expected-warning {{Argument to 'free()' is a function pointer}}
1846 }
1847
1848 void freeFunctionPtr(void) {
1849 free((void *)fnptr);
1850 // expected-warning@-1{{Argument to 'free()' is a function pointer}}
1851 // expected-warning@-2{{attempt to call free on non-heap object '(void *)fnptr'}}
1852 }
1853
1854 void allocateSomeMemory(void *offendingParameter, void **ptr) {
1855 *ptr = malloc(1);
1856 }
1857
1858 void testNoCrashOnOffendingParameter(void) {
1859 // "extern" is necessary to avoid unrelated warnings
1860 // on passing uninitialized value.
1861 extern void *offendingParameter;
1862 void* ptr;
1863 allocateSomeMemory(offendingParameter, &ptr);
1864 } // expected-warning {{Potential leak of memory pointed to by 'ptr'}}
1865
1866
1867 // Test a false positive caused by a bug in liveness analysis.
1868 struct A {
1869 int *buf;
1870 };
1871 struct B {
1872 struct A *a;
1873 };
1874 void livenessBugRealloc(struct A *a) {
1875 a->buf = realloc(a->buf, sizeof(int)); // no-warning
1876 }
1877 void testLivenessBug(struct B *in_b) {
1878 struct B *b = in_b;
1879 livenessBugRealloc(b->a);
1880 ((void) 0); // An attempt to trick liveness analysis.
1881 livenessBugRealloc(b->a);
1882 }
1883
1884 struct ListInfo {
1885 struct ListInfo *next;
1886 };
1887
1888 struct ConcreteListItem {
1889 struct ListInfo li;
1890 int i;
1891 };
1892
1893 void list_add(struct ListInfo *list, struct ListInfo *item);
1894
1895 void testCStyleListItems(struct ListInfo *list) {
1896 struct ConcreteListItem *x = malloc(sizeof(struct ConcreteListItem));
1897 list_add(list, &x->li); // will free 'x'.
1898 }
1899
1900 // MEM34-C. Only free memory allocated dynamically
1901 // Second non-compliant example.
1902 // https://wiki.sei.cmu.edu/confluence/display/c/MEM34-C.+Only+free+memory+allocated+dynamically
1903 enum { BUFSIZE = 256 };
1904
1905 void MEM34_C(void) {
1906 char buf[BUFSIZE];
1907 char *p = (char *)realloc(buf, 2 * BUFSIZE);
1908 // expected-warning@-1{{Argument to 'realloc()' is the address of the local \
1909 variable 'buf', which is not memory allocated by 'malloc()' [unix.Malloc]}}
1910 if (p == NULL) {
1911 /* Handle error */
1912 }
1913 }
1914
1915 (*crash_a)(); // expected-warning{{type specifier missing}}
1916 // A CallEvent without a corresponding FunctionDecl.
1917 crash_b() { crash_a(); } // no-crash
1918 // expected-warning@-1{{type specifier missing}} expected-warning@-1{{non-void}}
1919
1920 long *global_a;
1921 void realloc_crash(void) {
1922 long *c = global_a;
1923 c--;
1924 realloc(c, 8); // no-crash
1925 } // expected-warning{{Potential memory leak [unix.Malloc]}}
1926
1927 // ----------------------------------------------------------------------------
1928 // False negatives.
1929
1930 void testMallocWithParam(int **p) {
1931 *p = (int*) malloc(sizeof(int));
1932 *p = 0; // FIXME: should warn here
1933 }
1934
1935 void testMallocWithParam_2(int **p) {
1936 *p = (int*) malloc(sizeof(int)); // no-warning
1937 }
1938
1939 void testPassToSystemHeaderFunctionIndirectly(void) {
1940 int *p = malloc(4);
1941 p++;
1942 fakeSystemHeaderCallInt(p);
1943 // FIXME: This is a leak: if we think a system function won't free p, it
1944 // won't free (p-1) either.
1945 }
1946
1947 void testMallocIntoMalloc(void) {
1948 StructWithPtr *s = malloc(sizeof(StructWithPtr));
1949 s->memP = malloc(sizeof(int));
1950 free(s);
1951 } // FIXME: should warn here
1952
1953 int conjure(void);
1954 void testExtent(void) {
1955 int x = conjure();
1956 clang_analyzer_dump(x);
1957 // expected-warning-re@-1 {{{{^conj_\$[[:digit:]]+{int, LC1, S[[:digit:]]+, #1}}}}}}
1958 int *p = (int *)malloc(x);
1959 clang_analyzer_dumpExtent(p);
1960 // expected-warning-re@-1 {{{{^conj_\$[[:digit:]]+{int, LC1, S[[:digit:]]+, #1}}}}}}
1961 free(p);
1962 }
LLVM monorepo