| // RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,unix.MismatchedDeallocator,cplusplus.NewDelete -std=c++11 -verify %s |
| // RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,unix.MismatchedDeallocator,cplusplus.NewDelete,cplusplus.NewDeleteLeaks -DLEAKS -std=c++11 -verify %s |
| |
| #include "Inputs/system-header-simulator-for-malloc.h" |
| |
| //-------------------------------------------------- |
| // Check that unix.Malloc catches all types of bugs. |
| //-------------------------------------------------- |
| void testMallocDoubleFree() { |
| int *p = (int *)malloc(sizeof(int)); |
| free(p); |
| free(p); // expected-warning{{Attempt to free released memory}} |
| } |
| |
| void testMallocLeak() { |
| int *p = (int *)malloc(sizeof(int)); |
| } // expected-warning{{Potential leak of memory pointed to by 'p'}} |
| |
| void testMallocUseAfterFree() { |
| int *p = (int *)malloc(sizeof(int)); |
| free(p); |
| int j = *p; // expected-warning{{Use of memory after it is freed}} |
| } |
| |
| void testMallocBadFree() { |
| int i; |
| free(&i); // expected-warning{{Argument to free() is the address of the local variable 'i', which is not memory allocated by malloc()}} |
| } |
| |
| void testMallocOffsetFree() { |
| int *p = (int *)malloc(sizeof(int)); |
| free(++p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}} |
| } |
| |
| //----------------------------------------------------------------- |
| // Check that unix.MismatchedDeallocator catches all types of bugs. |
| //----------------------------------------------------------------- |
| void testMismatchedDeallocator() { |
| int *x = (int *)malloc(sizeof(int)); |
| delete x; // expected-warning{{Memory allocated by malloc() should be deallocated by free(), not 'delete'}} |
| } |
| |
| //---------------------------------------------------------------- |
| // Check that alpha.cplusplus.NewDelete catches all types of bugs. |
| //---------------------------------------------------------------- |
| void testNewDoubleFree() { |
| int *p = new int; |
| delete p; |
| delete p; // expected-warning{{Attempt to free released memory}} |
| } |
| |
| void testNewLeak() { |
| int *p = new int; |
| } |
| #ifdef LEAKS |
| // expected-warning@-2 {{Potential leak of memory pointed to by 'p'}} |
| #endif |
| |
| void testNewUseAfterFree() { |
| int *p = (int *)operator new(0); |
| delete p; |
| int j = *p; // expected-warning{{Use of memory after it is freed}} |
| } |
| |
| void testNewBadFree() { |
| int i; |
| delete &i; // expected-warning{{Argument to 'delete' is the address of the local variable 'i', which is not memory allocated by 'new'}} |
| } |
| |
| void testNewOffsetFree() { |
| int *p = new int; |
| operator delete(++p); // expected-warning{{Argument to operator delete is offset by 4 bytes from the start of memory allocated by 'new'}} |
| } |
| |
| //---------------------------------------------------------------- |
| // Test that we check for free errors on escaped pointers. |
| //---------------------------------------------------------------- |
| void changePtr(int **p); |
| static int *globalPtr; |
| void changePointee(int *p); |
| |
| void testMismatchedChangePtrThroughCall() { |
| int *p = (int*)malloc(sizeof(int)*4); |
| changePtr(&p); |
| delete p; // no-warning the value of the pointer might have changed |
| } |
| |
| void testMismatchedChangePointeeThroughCall() { |
| int *p = (int*)malloc(sizeof(int)*4); |
| changePointee(p); |
| delete p; // expected-warning{{Memory allocated by malloc() should be deallocated by free(), not 'delete'}} |
| } |
| |
| void testShouldReportDoubleFreeNotMismatched() { |
| int *p = (int*)malloc(sizeof(int)*4); |
| globalPtr = p; |
| free(p); |
| delete globalPtr; // expected-warning {{Attempt to free released memory}} |
| } |
| int *allocIntArray(unsigned c) { |
| return new int[c]; |
| } |
| void testMismatchedChangePointeeThroughAssignment() { |
| int *arr = allocIntArray(4); |
| globalPtr = arr; |
| delete arr; // expected-warning{{Memory allocated by 'new[]' should be deallocated by 'delete[]', not 'delete'}} |
| } |