1 // RUN: %clang_analyze_cc1 -verify \
2 // RUN: -analyzer-checker=core \
3 // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
4 // RUN: -analyzer-checker=alpha.core.CastSize \
5 // RUN: -analyzer-checker=unix.Malloc \
6 // RUN: -analyzer-checker=debug.ExprInspection \
7 // RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s
9 typedef __typeof(sizeof(int)) size_t;
12 void *realloc(void *ptr
, size_t size
);
13 void *calloc(size_t nmemb
, size_t size
);
14 void __attribute((ownership_returns(malloc
))) *my_malloc(size_t);
15 void __attribute((ownership_takes(malloc
, 1))) my_free(void *);
16 void my_freeBoth(void *, void *)
17 __attribute((ownership_holds(malloc
, 1, 2)));
18 void __attribute((ownership_returns(malloc
, 1))) *my_malloc2(size_t);
19 void __attribute((ownership_holds(malloc
, 1))) my_hold(void *);
21 // Duplicate attributes are silly, but not an error.
22 // Duplicate attribute has no extra effect.
23 // If two are of different kinds, that is an error and reported as such.
24 void __attribute((ownership_holds(malloc
, 1)))
25 __attribute((ownership_holds(malloc
, 1)))
26 __attribute((ownership_holds(malloc
, 3))) my_hold2(void *, void *, void *);
28 __attribute((ownership_returns(user_malloc
, 1))) void *user_malloc(size_t);
29 __attribute((ownership_takes(user_malloc
, 1))) void user_free(void *);
31 void clang_analyzer_dump(int);
33 void *my_malloc3(size_t);
34 void *myglobalpointer
;
38 struct stuff myglobalstuff
;
42 return; // expected-warning{{Potential leak of memory pointed to by}}
48 free(p
); // expected-warning{{Attempt to free released memory}}
51 void f2_realloc_0(void) {
54 realloc(p
,0); // expected-warning{{Attempt to free released memory}}
57 void f2_realloc_1(void) {
59 int *q
= realloc(p
,0); // no-warning
62 // ownership attributes tests
64 int *p
= my_malloc3(12);
69 int *p
= my_malloc2(12);
70 return; // expected-warning{{Potential leak of memory pointed to by}}
74 int *p
= my_malloc(12);
75 return; // expected-warning{{Potential leak of memory pointed to by}}
79 int *p
= my_malloc(12);
80 } // expected-warning{{Potential leak of memory pointed to by}}
83 myglobalpointer
= my_malloc(12); // no-warning
88 mystuff
.somefield
= my_malloc(12);
89 } // expected-warning{{Potential leak of memory pointed to by}}
91 // Test that we can pass out allocated memory via pointer-to-pointer.
92 void af1_e(void **pp
) {
93 *pp
= my_malloc(42); // no-warning
96 void af1_f(struct stuff
*somestuff
) {
97 somestuff
->somefield
= my_malloc(12); // no-warning
100 // Allocating memory for a field via multiple indirections to our arguments is OK.
101 void af1_g(struct stuff
**pps
) {
102 *pps
= my_malloc(sizeof(struct stuff
)); // no-warning
103 (*pps
)->somefield
= my_malloc(42); // no-warning
107 int *p
= my_malloc(12);
109 free(p
); // expected-warning{{Attempt to free released memory}}
113 int *p
= my_malloc(12);
115 my_free(p
); // expected-warning{{Attempt to free released memory}}
119 int *p
= my_malloc(12);
121 my_hold(p
); // expected-warning{{Attempt to free released memory}}
125 int *p
= my_malloc(12);
127 my_hold2(0, 0, p
); // expected-warning{{Attempt to free released memory}}
130 // No leak if malloc returns null.
132 int *p
= my_malloc(12);
134 return; // no-warning
135 free(p
); // no-warning
138 // This case inflicts a possible double-free.
140 int *p
= my_malloc(12);
142 free(p
); // expected-warning{{Attempt to free non-owned memory}}
146 int *p
= my_malloc(12);
148 return p
; // expected-warning{{Use of memory after it is freed}}
151 // This case is (possibly) ok, be conservative
153 int *p
= my_malloc(12);
155 return p
; // no-warning
160 // This case tests that storing malloc'ed memory to a static variable which is
161 // then returned is not leaked. In the absence of known contracts for functions
162 // or inter-procedural analysis, this is a conservative answer.
166 return p
; // no-warning
169 // This case tests that storing malloc'ed memory to a static global variable
170 // which is then returned is not leaked. In the absence of known contracts for
171 // functions or inter-procedural analysis, this is a conservative answer.
172 static int *p_f4
= 0;
175 return p_f4
; // no-warning
181 return q
; // no-warning
187 return; // no-warning
192 void f6_realloc(void) {
195 return; // no-warning
212 char *x
= (char*) malloc(4);
214 x
[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
217 void f7_realloc(void) {
218 char *x
= (char*) malloc(4);
220 x
[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
224 int *x
= malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
228 int *buf
= malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
229 buf
[1] = 'c'; // not crash
232 void mallocCastToVoid(void) {
234 const void *cp
= p
; // not crash
238 void mallocCastToFP(void) {
240 void (*fp
)(void) = p
; // not crash
244 // This tests that malloc() buffers are undefined by default
245 char mallocGarbage (void) {
246 char *buf
= malloc(2);
247 char result
= buf
[1]; // expected-warning{{undefined}}
252 // This tests that calloc() buffers need to be freed
253 void callocNoFree (void) {
254 char *buf
= calloc(2,2);
255 return; // expected-warning{{Potential leak of memory pointed to by}}
258 // These test that calloc() buffers are zeroed by default
259 char callocZeroesGood (void) {
260 char *buf
= calloc(2,2);
261 char result
= buf
[3]; // no-warning
265 return result
; // no-warning
268 char callocZeroesBad (void) {
269 char *buf
= calloc(2,2);
270 char result
= buf
[3]; // no-warning
272 free(buf
); // expected-warning{{never executed}}
274 return result
; // expected-warning{{Potential leak of memory pointed to by}}
277 void testMultipleFreeAnnotations(void) {
283 void testNoUninitAttr(void) {
284 int *p
= user_malloc(sizeof(int));
285 int read
= p
[0]; // no-warning
286 clang_analyzer_dump(p
[0]); // expected-warning{{Unknown}}
