clang/test/Analysis/malloc-interprocedural.c

   1 // RUN: %clang_analyze_cc1 -analyzer-checker=unix.Malloc -analyzer-inline-max-stack-depth=5 -verify %s
   2
   3 #include "Inputs/system-header-simulator.h"
   4
   5 void *malloc(size_t);
   6 void *valloc(size_t);
   7 void free(void *);
   8 void *realloc(void *ptr, size_t size);
   9 void *reallocf(void *ptr, size_t size);
  10 void *calloc(size_t nmemb, size_t size);
  11
  12 void exit(int) __attribute__ ((__noreturn__));
  13 void *memcpy(void * restrict s1, const void * restrict s2, size_t n);
  14 size_t strlen(const char *);
  15
  16 static void my_malloc1(void **d, size_t size) {
  17   *d = malloc(size);
  18 }
  19
  20 static void *my_malloc2(int elevel, size_t size) {
  21   void     *data;
  22   data = malloc(size);
  23   if (data == 0)
  24     exit(0);
  25   return data;
  26 }
  27
  28 static void my_free1(void *p) {
  29   free(p);
  30 }
  31
  32 static void test1(void) {
  33   void *data = 0;
  34   my_malloc1(&data, 4);
  35 } // expected-warning {{Potential leak of memory pointed to by 'data'}}
  36
  37 static void test11(void) {
  38   void *data = 0;
  39   my_malloc1(&data, 4);
  40   my_free1(data);
  41 }
  42
  43 static void testUniqueingByallocationSiteInTopLevelFunction(void) {
  44   void *data = my_malloc2(1, 4);
  45   data = 0;
  46   int x = 5;// expected-warning {{Potential leak of memory pointed to by 'data'}}
  47   data = my_malloc2(1, 4);
  48 } // expected-warning {{Potential leak of memory pointed to by 'data'}}
  49
  50 static void test3(void) {
  51   void *data = my_malloc2(1, 4);
  52   free(data);
  53   data = my_malloc2(1, 4);
  54   free(data);
  55 }
  56
  57 int test4(void) {
  58   int *data = (int*)my_malloc2(1, 4);
  59   my_free1(data);
  60   data = (int *)my_malloc2(1, 4);
  61   my_free1(data);
  62   return *data; // expected-warning {{Use of memory after it is freed}}
  63 }
  64
  65 void test6(void) {
  66   int *data = (int *)my_malloc2(1, 4);
  67   my_free1((int*)data);
  68   my_free1((int*)data); // expected-warning{{Use of memory after it is freed}}
  69 }
  70
  71 // TODO: We should warn here.
  72 void test5(void) {
  73   int *data;
  74   my_free1((int*)data);
  75 }
  76
  77 static char *reshape(char *in) {
  78     return 0;
  79 }
  80
  81 void testThatRemoveDeadBindingsRunBeforeEachCall(void) {
  82     char *v = malloc(12);
  83     v = reshape(v);
  84     v = reshape(v);// expected-warning {{Potential leak of memory pointed to by 'v'}}
  85 }
  86
  87 // Test that we keep processing after 'return;'
  88 void fooWithEmptyReturn(int x) {
  89   if (x)
  90     return;
  91   x++;
  92   return;
  93 }
  94
  95 int uafAndCallsFooWithEmptyReturn(void) {
  96   int *x = (int*)malloc(12);
  97   free(x);
  98   fooWithEmptyReturn(12);
  99   return *x; // expected-warning {{Use of memory after it is freed}}
 100 }
 101
 102
 103 // If we inline any of the malloc-family functions, the checker shouldn't also
 104 // try to do additional modeling.
 105 char *strndup(const char *str, size_t n) {
 106   if (!str)
 107     return 0;
 108
 109   // DO NOT FIX. This is to test that we are actually using the inlined
 110   // behavior!
 111   if (n < 5)
 112     return 0;
 113
 114   size_t length = strlen(str);
 115   if (length < n)
 116     n = length;
 117
 118   char *result = malloc(n + 1);
 119   memcpy(result, str, n);
 120   result[n] = '\0';
 121   return result;
 122 }
 123
 124 void useStrndup(size_t n) {
 125   if (n == 0) {
 126     (void)strndup(0, 20); // no-warning
 127     return;
 128   } else if (n < 5) {
 129     (void)strndup("hi there", n); // no-warning
 130     return;
 131   } else {
 132     (void)strndup("hi there", n);
 133     return; // expected-warning{{leak}}
 134   }
 135 }