| // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s |
| |
| #include "Inputs/system-header-simulator.h" |
| |
| void clang_analyzer_eval(int); |
| |
| // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines |
| // _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use |
| // the builtin type: "Using the typedef version can cause portability |
| // problems", but we're ok here because we're not actually running anything. |
| // Also of note is this cryptic warning: "The wchar_t type is not supported |
| // when you compile C code". |
| // |
| // See the docs for more: |
| // https://msdn.microsoft.com/en-us/library/dh8che7s.aspx |
| #if !defined(_WCHAR_T_DEFINED) |
| // "Microsoft implements wchar_t as a two-byte unsigned value" |
| typedef unsigned short wchar_t; |
| #define _WCHAR_T_DEFINED |
| #endif // !defined(_WCHAR_T_DEFINED) |
| |
| typedef __typeof(sizeof(int)) size_t; |
| void *malloc(size_t); |
| void *alloca(size_t); |
| void *valloc(size_t); |
| void free(void *); |
| void *realloc(void *ptr, size_t size); |
| void *reallocf(void *ptr, size_t size); |
| void *calloc(size_t nmemb, size_t size); |
| char *strdup(const char *s); |
| wchar_t *wcsdup(const wchar_t *s); |
| char *strndup(const char *s, size_t n); |
| int memcmp(const void *s1, const void *s2, size_t n); |
| |
| // Windows variants |
| char *_strdup(const char *strSource); |
| wchar_t *_wcsdup(const wchar_t *strSource); |
| void *_alloca(size_t size); |
| |
| void myfoo(int *p); |
| void myfooint(int p); |
| char *fooRetPtr(); |
| |
| void f1() { |
| int *p = malloc(12); |
| return; // expected-warning{{Potential leak of memory pointed to by 'p'}} |
| } |
| |
| void f2() { |
| int *p = malloc(12); |
| free(p); |
| free(p); // expected-warning{{Attempt to free released memory}} |
| } |
| |
| void f2_realloc_0() { |
| int *p = malloc(12); |
| realloc(p,0); |
| realloc(p,0); // expected-warning{{Attempt to free released memory}} |
| } |
| |
| void f2_realloc_1() { |
| int *p = malloc(12); |
| int *q = realloc(p,0); // no-warning |
| } |
| |
| void reallocNotNullPtr(unsigned sizeIn) { |
| unsigned size = 12; |
| char *p = (char*)malloc(size); |
| if (p) { |
| char *q = (char*)realloc(p, sizeIn); |
| char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} |
| } |
| } |
| |
| void allocaTest() { |
| int *p = alloca(sizeof(int)); |
| } // no warn |
| |
| void winAllocaTest() { |
| int *p = _alloca(sizeof(int)); |
| } // no warn |
| |
| void allocaBuiltinTest() { |
| int *p = __builtin_alloca(sizeof(int)); |
| } // no warn |
| |
| int *realloctest1() { |
| int *q = malloc(12); |
| q = realloc(q, 20); |
| return q; // no warning - returning the allocated value |
| } |
| |
| // p should be freed if realloc fails. |
| void reallocFails() { |
| char *p = malloc(12); |
| char *r = realloc(p, 12+1); |
| if (!r) { |
| free(p); |
| } else { |
| free(r); |
| } |
| } |
| |
| void reallocSizeZero1() { |
| char *p = malloc(12); |
| char *r = realloc(p, 0); |
| if (!r) { |
| free(p); // expected-warning {{Attempt to free released memory}} |
| } else { |
| free(r); |
| } |
| } |
| |
| void reallocSizeZero2() { |
| char *p = malloc(12); |
| char *r = realloc(p, 0); |
| if (!r) { |
| free(p); // expected-warning {{Attempt to free released memory}} |
| } else { |
| free(r); |
| } |
| free(p); // expected-warning {{Attempt to free released memory}} |
| } |
| |
| void reallocSizeZero3() { |
| char *p = malloc(12); |
| char *r = realloc(p, 0); |
| free(r); |
| } |
| |
| void reallocSizeZero4() { |
| char *r = realloc(0, 0); |
| free(r); |
| } |
| |
| void reallocSizeZero5() { |
| char *r = realloc(0, 0); |
| } |
| |
| void reallocPtrZero1() { |
| char *r = realloc(0, 12); |
| } // expected-warning {{Potential leak of memory pointed to by 'r'}} |
| |
| void reallocPtrZero2() { |
| char *r = realloc(0, 12); |
| if (r) |
| free(r); |
| } |
| |
| void reallocPtrZero3() { |
| char *r = realloc(0, 12); |
| free(r); |
| } |
| |
| void reallocRadar6337483_1() { |
| char *buf = malloc(100); |
| buf = (char*)realloc(buf, 0x1000000); |
| if (!buf) { |
| return;// expected-warning {{Potential leak of memory pointed to by}} |
| } |
| free(buf); |
| } |
| |
| void reallocRadar6337483_2() { |
| char *buf = malloc(100); |
| char *buf2 = (char*)realloc(buf, 0x1000000); |
| if (!buf2) { |
| ; |
| } else { |
| free(buf2); |
| } |
| } // expected-warning {{Potential leak of memory pointed to by}} |
| |
| void reallocRadar6337483_3() { |
| char * buf = malloc(100); |
| char * tmp; |
| tmp = (char*)realloc(buf, 0x1000000); |
| if (!tmp) { |
| free(buf); |
| return; |
| } |
| buf = tmp; |
| free(buf); |
| } |
| |
| void reallocRadar6337483_4() { |
| char *buf = malloc(100); |
| char *buf2 = (char*)realloc(buf, 0x1000000); |
| if (!buf2) { |
| return; // expected-warning {{Potential leak of memory pointed to by}} |
| } else { |
| free(buf2); |
| } |
| } |
| |
| int *reallocfTest1() { |
| int *q = malloc(12); |
| q = reallocf(q, 20); |
| return q; // no warning - returning the allocated value |
| } |
| |
| void reallocfRadar6337483_4() { |
| char *buf = malloc(100); |
| char *buf2 = (char*)reallocf(buf, 0x1000000); |
| if (!buf2) { |
| return; // no warning - reallocf frees even on failure |
| } else { |
| free(buf2); |
| } |
| } |
| |
| void reallocfRadar6337483_3() { |
| char * buf = malloc(100); |
| char * tmp; |
| tmp = (char*)reallocf(buf, 0x1000000); |
| if (!tmp) { |
| free(buf); // expected-warning {{Attempt to free released memory}} |
| return; |
| } |
| buf = tmp; |
| free(buf); |
| } |
| |
| void reallocfPtrZero1() { |
| char *r = reallocf(0, 12); |
| } // expected-warning {{Potential leak of memory pointed to by}} |
| |
| //------------------- Check usage of zero-allocated memory --------------------- |
| void CheckUseZeroAllocatedNoWarn1() { |
| int *p = malloc(0); |
| free(p); // no warning |
| } |
| |
| void CheckUseZeroAllocatedNoWarn2() { |
| int *p = alloca(0); // no warning |
| } |
| |
| void CheckUseZeroWinAllocatedNoWarn2() { |
| int *p = _alloca(0); // no warning |
| } |
| |
| |
| void CheckUseZeroAllocatedNoWarn3() { |
| int *p = malloc(0); |
| int *q = realloc(p, 8); // no warning |
| free(q); |
| } |
| |
| void CheckUseZeroAllocatedNoWarn4() { |
| int *p = realloc(0, 8); |
| *p = 1; // no warning |
| free(p); |
| } |
| |
| void CheckUseZeroAllocated1() { |
| int *p = malloc(0); |
| *p = 1; // expected-warning {{Use of zero-allocated memory}} |
| free(p); |
| } |
| |
| char CheckUseZeroAllocated2() { |
| char *p = alloca(0); |
| return *p; // expected-warning {{Use of zero-allocated memory}} |
| } |
| |
| char CheckUseZeroWinAllocated2() { |
| char *p = _alloca(0); |
| return *p; // expected-warning {{Use of zero-allocated memory}} |
| } |
| |
| void UseZeroAllocated(int *p) { |
| if (p) |
| *p = 7; // expected-warning {{Use of zero-allocated memory}} |
| } |
| void CheckUseZeroAllocated3() { |
| int *p = malloc(0); |
| UseZeroAllocated(p); |
| } |
| |
| void f(char); |
| void CheckUseZeroAllocated4() { |
| char *p = valloc(0); |
| f(*p); // expected-warning {{Use of zero-allocated memory}} |
| free(p); |
| } |
| |
| void CheckUseZeroAllocated5() { |
| int *p = calloc(0, 2); |
| *p = 1; // expected-warning {{Use of zero-allocated memory}} |
| free(p); |
| } |
| |
| void CheckUseZeroAllocated6() { |
| int *p = calloc(2, 0); |
| *p = 1; // expected-warning {{Use of zero-allocated memory}} |
| free(p); |
| } |
| |
| void CheckUseZeroAllocated7() { |
| int *p = realloc(0, 0); |
| *p = 1; // expected-warning {{Use of zero-allocated memory}} |
| free(p); |
| } |
| |
| void CheckUseZeroAllocated8() { |
| int *p = malloc(8); |
| int *q = realloc(p, 0); |
| *q = 1; // expected-warning {{Use of zero-allocated memory}} |
| free(q); |
| } |
| |
| void CheckUseZeroAllocated9() { |
| int *p = realloc(0, 0); |
| int *q = realloc(p, 0); |
| *q = 1; // expected-warning {{Use of zero-allocated memory}} |
| free(q); |
| } |
| |
| void CheckUseZeroAllocatedPathNoWarn(_Bool b) { |
| int s = 0; |
| if (b) |
| s= 10; |
| |
| char *p = malloc(s); |
| |
| if (b) |
| *p = 1; // no warning |
| |
| free(p); |
| } |
| |
| void CheckUseZeroAllocatedPathWarn(_Bool b) { |
| int s = 10; |
| if (b) |
| s= 0; |
| |
| char *p = malloc(s); |
| |
| if (b) |
| *p = 1; // expected-warning {{Use of zero-allocated memory}} |
| |
| free(p); |
| } |
| |
| void CheckUseZeroReallocatedPathNoWarn(_Bool b) { |
| int s = 0; |
| if (b) |
| s= 10; |
| |
| char *p = malloc(8); |
| char *q = realloc(p, s); |
| |
| if (b) |
| *q = 1; // no warning |
| |
| free(q); |
| } |
| |
| void CheckUseZeroReallocatedPathWarn(_Bool b) { |
| int s = 10; |
| if (b) |
| s= 0; |
| |
| char *p = malloc(8); |
| char *q = realloc(p, s); |
| |
| if (b) |
| *q = 1; // expected-warning {{Use of zero-allocated memory}} |
| |
| free(q); |
| } |
| |
| // This case tests that storing malloc'ed memory to a static variable which is |
| // then returned is not leaked. In the absence of known contracts for functions |
| // or inter-procedural analysis, this is a conservative answer. |
| int *f3() { |
| static int *p = 0; |
| p = malloc(12); |
| return p; // no-warning |
| } |
| |
| // This case tests that storing malloc'ed memory to a static global variable |
| // which is then returned is not leaked. In the absence of known contracts for |
| // functions or inter-procedural analysis, this is a conservative answer. |
| static int *p_f4 = 0; |
| int *f4() { |
| p_f4 = malloc(12); |
| return p_f4; // no-warning |
| } |
| |
| int *f5() { |
| int *q = malloc(12); |
| q = realloc(q, 20); |
| return q; // no-warning |
| } |
| |
| void f6() { |
| int *p = malloc(12); |
| if (!p) |
| return; // no-warning |
| else |
| free(p); |
| } |
| |
| void f6_realloc() { |
| int *p = malloc(12); |
| if (!p) |
| return; // no-warning |
| else |
| realloc(p,0); |
| } |
| |
| |
| char *doit2(); |
| void pr6069() { |
| char *buf = doit2(); |
| free(buf); |
| } |
| |
| void pr6293() { |
| free(0); |
| } |
| |
| void f7() { |
| char *x = (char*) malloc(4); |
| free(x); |
| x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} |
| } |
| |
| void f8() { |
| char *x = (char*) malloc(4); |
| free(x); |
| char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} |
| } |
| |
| void f7_realloc() { |
| char *x = (char*) malloc(4); |
| realloc(x,0); |
| x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} |
| } |
| |
| void PR6123() { |
| int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| } |
| |
| void PR7217() { |
| int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| buf[1] = 'c'; // not crash |
| } |
| |
| void cast_emtpy_struct() { |
| struct st { |
| }; |
| |
| struct st *s = malloc(sizeof(struct st)); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_1() { |
| struct st { |
| int i[100]; |
| char j[]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st)); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_2() { |
| struct st { |
| int i[100]; |
| char j[0]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st)); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_3() { |
| struct st { |
| int i[100]; |
| char j[1]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st)); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_4() { |
| struct st { |
| int i[100]; |
| char j[2]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st)); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_5() { |
| struct st { |
| char i[200]; |
| char j[1]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_warn_1() { |
| struct st { |
| int i[100]; |
| char j[2]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| free(s); |
| } |
| |
| void cast_struct_warn_2() { |
| struct st { |
| int i[100]; |
| char j[2]; |
| }; |
| |
| struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| free(s); |
| } |
| |
| void cast_struct_flex_array_1() { |
| struct st { |
| int i[100]; |
| char j[]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 3); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_flex_array_2() { |
| struct st { |
| int i[100]; |
| char j[0]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 3); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_flex_array_3() { |
| struct st { |
| int i[100]; |
| char j[1]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 3); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_flex_array_4() { |
| struct foo { |
| char f[32]; |
| }; |
| struct st { |
| char i[100]; |
| struct foo data[]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_flex_array_5() { |
| struct foo { |
| char f[32]; |
| }; |
| struct st { |
| char i[100]; |
| struct foo data[0]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_flex_array_6() { |
| struct foo { |
| char f[32]; |
| }; |
| struct st { |
| char i[100]; |
| struct foo data[1]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning |
| free(s); |
| } |
| |
| void cast_struct_flex_array_warn_1() { |
| struct foo { |
| char f[32]; |
| }; |
| struct st { |
| char i[100]; |
| struct foo data[]; |
| }; |
| |
| struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| free(s); |
| } |
| |
| void cast_struct_flex_array_warn_2() { |
| struct foo { |
| char f[32]; |
| }; |
| struct st { |
| char i[100]; |
| struct foo data[0]; |
| }; |
| |
| struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| free(s); |
| } |
| |
| void cast_struct_flex_array_warn_3() { |
| struct foo { |
| char f[32]; |
| }; |
| struct st { |
| char i[100]; |
| struct foo data[1]; |
| }; |
| |
| struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| free(s); |
| } |
| |
| void cast_struct_flex_array_warn_4() { |
| struct st { |
| int i[100]; |
| int j[]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| free(s); |
| } |
| |
| void cast_struct_flex_array_warn_5() { |
| struct st { |
| int i[100]; |
| int j[0]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| free(s); |
| } |
| |
| void cast_struct_flex_array_warn_6() { |
| struct st { |
| int i[100]; |
| int j[1]; |
| }; |
| |
| struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} |
| free(s); |
| } |
| |
| void mallocCastToVoid() { |
| void *p = malloc(2); |
| const void *cp = p; // not crash |
| free(p); |
| } |
| |
| void mallocCastToFP() { |
| void *p = malloc(2); |
| void (*fp)() = p; // not crash |
| free(p); |
| } |
| |
| // This tests that malloc() buffers are undefined by default |
| char mallocGarbage () { |
| char *buf = malloc(2); |
| char result = buf[1]; // expected-warning{{undefined}} |
| free(buf); |
| return result; |
| } |
| |
| // This tests that calloc() buffers need to be freed |
| void callocNoFree () { |
| char *buf = calloc(2,2); |
| return; // expected-warning{{Potential leak of memory pointed to by 'buf'}} |
| } |
| |
| // These test that calloc() buffers are zeroed by default |
| char callocZeroesGood () { |
| char *buf = calloc(2,2); |
| char result = buf[3]; // no-warning |
| if (buf[1] == 0) { |
| free(buf); |
| } |
| return result; // no-warning |
| } |
| |
| char callocZeroesBad () { |
| char *buf = calloc(2,2); |
| char result = buf[3]; // no-warning |
| if (buf[1] != 0) { |
| free(buf); // expected-warning{{never executed}} |
| } |
| return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}} |
| } |
| |
| void nullFree() { |
| int *p = 0; |
| free(p); // no warning - a nop |
| } |
| |
| void paramFree(int *p) { |
| myfoo(p); |
| free(p); // no warning |
| myfoo(p); // expected-warning {{Use of memory after it is freed}} |
| } |
| |
| int* mallocEscapeRet() { |
| int *p = malloc(12); |
| return p; // no warning |
| } |
| |
| void mallocEscapeFoo() { |
| int *p = malloc(12); |
| myfoo(p); |
| return; // no warning |
| } |
| |
| void mallocEscapeFree() { |
| int *p = malloc(12); |
| myfoo(p); |
| free(p); |
| } |
| |
| void mallocEscapeFreeFree() { |
| int *p = malloc(12); |
| myfoo(p); |
| free(p); |
| free(p); // expected-warning{{Attempt to free released memory}} |
| } |
| |
| void mallocEscapeFreeUse() { |
| int *p = malloc(12); |
| myfoo(p); |
| free(p); |
| myfoo(p); // expected-warning{{Use of memory after it is freed}} |
| } |
| |
| int *myalloc(); |
| void myalloc2(int **p); |
| |
| void mallocEscapeFreeCustomAlloc() { |
| int *p = malloc(12); |
| myfoo(p); |
| free(p); |
| p = myalloc(); |
| free(p); // no warning |
| } |
| |
| void mallocEscapeFreeCustomAlloc2() { |
| int *p = malloc(12); |
| myfoo(p); |
| free(p); |
| myalloc2(&p); |
| free(p); // no warning |
| } |
| |
| void mallocBindFreeUse() { |
| int *x = malloc(12); |
| int *y = x; |
| free(y); |
| myfoo(x); // expected-warning{{Use of memory after it is freed}} |
| } |
| |
| void mallocEscapeMalloc() { |
| int *p = malloc(12); |
| myfoo(p); |
| p = malloc(12); |
| } // expected-warning{{Potential leak of memory pointed to by}} |
| |
| void mallocMalloc() { |
| int *p = malloc(12); |
| p = malloc(12); |
| } // expected-warning {{Potential leak of memory pointed to by}} |
| |
| void mallocFreeMalloc() { |
| int *p = malloc(12); |
| free(p); |
| p = malloc(12); |
| free(p); |
| } |
| |
| void mallocFreeUse_params() { |
| int *p = malloc(12); |
| free(p); |
| myfoo(p); //expected-warning{{Use of memory after it is freed}} |
| } |
| |
| void mallocFreeUse_params2() { |
| int *p = malloc(12); |
| free(p); |
| myfooint(*p); //expected-warning{{Use of memory after it is freed}} |
| } |
| |
| void mallocFailedOrNot() { |
| int *p = malloc(12); |
| if (!p) |
| free(p); |
| else |
| free(p); |
| } |
| |
| struct StructWithInt { |
| int g; |
| }; |
| |
| int *mallocReturnFreed() { |
| int *p = malloc(12); |
| free(p); |
| return p; // expected-warning {{Use of memory after it is freed}} |
| } |
| |
| int useAfterFreeStruct() { |
| struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); |
| px->g = 5; |
| free(px); |
| return px->g; // expected-warning {{Use of memory after it is freed}} |
| } |
| |
| void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); |
| |
| void mallocEscapeFooNonSymbolArg() { |
| struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); |
| nonSymbolAsFirstArg(&p->g, p); |
| return; // no warning |
| } |
| |
| void mallocFailedOrNotLeak() { |
| int *p = malloc(12); |
| if (p == 0) |
| return; // no warning |
| else |
| return; // expected-warning {{Potential leak of memory pointed to by}} |
| } |
| |
| void mallocAssignment() { |
| char *p = malloc(12); |
| p = fooRetPtr(); |
| } // expected-warning {{leak}} |
| |
| int vallocTest() { |
| char *mem = valloc(12); |
| return 0; // expected-warning {{Potential leak of memory pointed to by}} |
| } |
| |
| void vallocEscapeFreeUse() { |
| int *p = valloc(12); |
| myfoo(p); |
| free(p); |
| myfoo(p); // expected-warning{{Use of memory after it is freed}} |
| } |
| |
| int *Gl; |
| struct GlStTy { |
| int *x; |
| }; |
| |
| struct GlStTy GlS = {0}; |
| |
| void GlobalFree() { |
| free(Gl); |
| } |
| |
| void GlobalMalloc() { |
| Gl = malloc(12); |
| } |
| |
| void GlobalStructMalloc() { |
| int *a = malloc(12); |
| GlS.x = a; |
| } |
| |
| void GlobalStructMallocFree() { |
| int *a = malloc(12); |
| GlS.x = a; |
| free(GlS.x); |
| } |
| |
| char *ArrayG[12]; |
| |
| void globalArrayTest() { |
| char *p = (char*)malloc(12); |
| ArrayG[0] = p; |
| } |
| |
| // Make sure that we properly handle a pointer stored into a local struct/array. |
| typedef struct _StructWithPtr { |
| int *memP; |
| } StructWithPtr; |
| |
| static StructWithPtr arrOfStructs[10]; |
| |
| void testMalloc() { |
| int *x = malloc(12); |
| StructWithPtr St; |
| St.memP = x; |
| arrOfStructs[0] = St; // no-warning |
| } |
| |
| StructWithPtr testMalloc2() { |
| int *x = malloc(12); |
| StructWithPtr St; |
| St.memP = x; |
| return St; // no-warning |
| } |
| |
| int *testMalloc3() { |
| int *x = malloc(12); |
| int *y = x; |
| return y; // no-warning |
| } |
| |
| void testStructLeak() { |
| StructWithPtr St; |
| St.memP = malloc(12); |
| return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}} |
| } |
| |
| void testElemRegion1() { |
| char *x = (void*)malloc(2); |
| int *ix = (int*)x; |
| free(&(x[0])); |
| } |
| |
| void testElemRegion2(int **pp) { |
| int *p = malloc(12); |
| *pp = p; |
| free(pp[0]); |
| } |
| |
| void testElemRegion3(int **pp) { |
| int *p = malloc(12); |
| *pp = p; |
| free(*pp); |
| } |
| // Region escape testing. |
| |
| unsigned takePtrToPtr(int **p); |
| void PassTheAddrOfAllocatedData(int f) { |
| int *p = malloc(12); |
| // We don't know what happens after the call. Should stop tracking here. |
| if (takePtrToPtr(&p)) |
| f++; |
| free(p); // no warning |
| } |
| |
| struct X { |
| int *p; |
| }; |
| unsigned takePtrToStruct(struct X *s); |
| int ** foo2(int *g, int f) { |
| int *p = malloc(12); |
| struct X *px= malloc(sizeof(struct X)); |
| px->p = p; |
| // We don't know what happens after this call. Should not track px nor p. |
| if (takePtrToStruct(px)) |
| f++; |
| free(p); |
| return 0; |
| } |
| |
| struct X* RegInvalidationDetect1(struct X *s2) { |
| struct X *px= malloc(sizeof(struct X)); |
| px->p = 0; |
| px = s2; |
| return px; // expected-warning {{Potential leak of memory pointed to by}} |
| } |
| |
| struct X* RegInvalidationGiveUp1() { |
| int *p = malloc(12); |
| struct X *px= malloc(sizeof(struct X)); |
| px->p = p; |
| return px; |
| } |
| |
| int **RegInvalidationDetect2(int **pp) { |
| int *p = malloc(12); |
| pp = &p; |
| pp++; |
| return 0;// expected-warning {{Potential leak of memory pointed to by}} |
| } |
| |
| extern void exit(int) __attribute__ ((__noreturn__)); |
| void mallocExit(int *g) { |
| struct xx *p = malloc(12); |
| if (g != 0) |
| exit(1); |
| free(p); |
| return; |
| } |
| |
| extern void __assert_fail (__const char *__assertion, __const char *__file, |
| unsigned int __line, __const char *__function) |
| __attribute__ ((__noreturn__)); |
| #define assert(expr) \ |
| ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) |
| void mallocAssert(int *g) { |
| struct xx *p = malloc(12); |
| |
| assert(g != 0); |
| free(p); |
| return; |
| } |
| |
| void doNotInvalidateWhenPassedToSystemCalls(char *s) { |
| char *p = malloc(12); |
| strlen(p); |
| strcpy(p, s); |
| strcpy(s, p); |
| strcpy(p, p); |
| memcpy(p, s, 1); |
| memcpy(s, p, 1); |
| memcpy(p, p, 1); |
| } // expected-warning {{leak}} |
| |
| // Treat source buffer contents as escaped. |
| void escapeSourceContents(char *s) { |
| char *p = malloc(12); |
| memcpy(s, &p, 12); // no warning |
| |
| void *p1 = malloc(7); |
| char *a; |
| memcpy(&a, &p1, sizeof a); |
| // FIXME: No warning due to limitations imposed by current modelling of |
| // 'memcpy' (regions metadata is not copied). |
| |
| int *ptrs[2]; |
| int *allocated = (int *)malloc(4); |
| memcpy(&ptrs[0], &allocated, sizeof(int *)); |
| // FIXME: No warning due to limitations imposed by current modelling of |
| // 'memcpy' (regions metadata is not copied). |
| } |
| |
| void invalidateDestinationContents() { |
| int *null = 0; |
| int *p = (int *)malloc(4); |
| memcpy(&p, &null, sizeof(int *)); |
| |
| int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}} |
| ptrs1[0] = (int *)malloc(4); |
| memcpy(ptrs1, &null, sizeof(int *)); |
| |
| int *ptrs2[2]; // expected-warning {{Potential memory leak}} |
| ptrs2[0] = (int *)malloc(4); |
| memcpy(&ptrs2[1], &null, sizeof(int *)); |
| |
| int *ptrs3[2]; // expected-warning {{Potential memory leak}} |
| ptrs3[0] = (int *)malloc(4); |
| memcpy(&ptrs3[0], &null, sizeof(int *)); |
| } // expected-warning {{Potential memory leak}} |
| |
| // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. |
| void symbolLostWithStrcpy(char *s) { |
| char *p = malloc(12); |
| p = strcpy(p, s); |
| free(p); |
| } |
| |
| |
| // The same test as the one above, but with what is actually generated on a mac. |
| static __inline char * |
| __inline_strcpy_chk (char *restrict __dest, const char *restrict __src) |
| { |
| return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); |
| } |
| |
| void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { |
| char *p = malloc(12); |
| p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); |
| free(p); |
| } |
| |
| // Here we are returning a pointer one past the allocated value. An idiom which |
| // can be used for implementing special malloc. The correct uses of this might |
| // be rare enough so that we could keep this as a warning. |
| static void *specialMalloc(int n){ |
| int *p; |
| p = malloc( n+8 ); |
| if( p ){ |
| p[0] = n; |
| p++; |
| } |
| return p; |
| } |
| |
| // Potentially, the user could free the struct by performing pointer arithmetic on the return value. |
| // This is a variation of the specialMalloc issue, though probably would be more rare in correct code. |
| int *specialMallocWithStruct() { |
| struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); |
| return &(px->g); |
| } |
| |
| // Test various allocation/deallocation functions. |
| void testStrdup(const char *s, unsigned validIndex) { |
| char *s2 = strdup(s); |
| s2[validIndex + 1] = 'b'; |
| } // expected-warning {{Potential leak of memory pointed to by}} |
| |
| void testWinStrdup(const char *s, unsigned validIndex) { |
| char *s2 = _strdup(s); |
| s2[validIndex + 1] = 'b'; |
| } // expected-warning {{Potential leak of memory pointed to by}} |
| |
| void testWcsdup(const wchar_t *s, unsigned validIndex) { |
| wchar_t *s2 = wcsdup(s); |
| s2[validIndex + 1] = 'b'; |
| } // expected-warning {{Potential leak of memory pointed to by}} |
| |
| void testWinWcsdup(const wchar_t *s, unsigned validIndex) { |
| wchar_t *s2 = _wcsdup(s); |
| s2[validIndex + 1] = 'b'; |
| } // expected-warning {{Potential leak of memory pointed to by}} |
| |
| int testStrndup(const char *s, unsigned validIndex, unsigned size) { |
| char *s2 = strndup(s, size); |
| s2 [validIndex + 1] = 'b'; |
| if (s2[validIndex] != 'a') |
| return 0; |
| else |
| return 1;// expected-warning {{Potential leak of memory pointed to by}} |
| } |
| |
| void testStrdupContentIsDefined(const char *s, unsigned validIndex) { |
| char *s2 = strdup(s); |
| char result = s2[1];// no warning |
| free(s2); |
| } |
| |
| void testWinStrdupContentIsDefined(const char *s, unsigned validIndex) { |
| char *s2 = _strdup(s); |
| char result = s2[1];// no warning |
| free(s2); |
| } |
| |
| void testWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) { |
| wchar_t *s2 = wcsdup(s); |
| wchar_t result = s2[1];// no warning |
| free(s2); |
| } |
| |
| void testWinWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) { |
| wchar_t *s2 = _wcsdup(s); |
| wchar_t result = s2[1];// no warning |
| free(s2); |
| } |
| |
| // ---------------------------------------------------------------------------- |
| // Test the system library functions to which the pointer can escape. |
| // This tests false positive suppression. |
| |
| // For now, we assume memory passed to pthread_specific escapes. |
| // TODO: We could check that if a new pthread binding is set, the existing |
| // binding must be freed; otherwise, a memory leak can occur. |
| void testPthereadSpecificEscape(pthread_key_t key) { |
| void *buf = malloc(12); |
| pthread_setspecific(key, buf); // no warning |
| } |
| |
| // PR12101: Test funopen(). |
| static int releasePtr(void *_ctx) { |
| free(_ctx); |
| return 0; |
| } |
| FILE *useFunOpen() { |
| void *ctx = malloc(sizeof(int)); |
| FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning |
| if (f == 0) { |
| free(ctx); |
| } |
| return f; |
| } |
| FILE *useFunOpenNoReleaseFunction() { |
| void *ctx = malloc(sizeof(int)); |
| FILE *f = funopen(ctx, 0, 0, 0, 0); |
| if (f == 0) { |
| free(ctx); |
| } |
| return f; // expected-warning{{leak}} |
| } |
| |
| static int readNothing(void *_ctx, char *buf, int size) { |
| return 0; |
| } |
| FILE *useFunOpenReadNoRelease() { |
| void *ctx = malloc(sizeof(int)); |
| FILE *f = funopen(ctx, readNothing, 0, 0, 0); |
| if (f == 0) { |
| free(ctx); |
| } |
| return f; // expected-warning{{leak}} |
| } |
| |
| // Test setbuf, setvbuf. |
| int my_main_no_warning() { |
| char *p = malloc(100); |
| setvbuf(stdout, p, 0, 100); |
| return 0; |
| } |
| int my_main_no_warning2() { |
| char *p = malloc(100); |
| setbuf(__stdoutp, p); |
| return 0; |
| } |
| int my_main_warn(FILE *f) { |
| char *p = malloc(100); |
| setvbuf(f, p, 0, 100); |
| return 0;// expected-warning {{leak}} |
| } |
| |
| // <rdar://problem/10978247>. |
| // some people use stack allocated memory as an optimization to avoid |
| // a heap allocation for small work sizes. This tests the analyzer's |
| // understanding that the malloc'ed memory is not the same as stackBuffer. |
| void radar10978247(int myValueSize) { |
| char stackBuffer[128]; |
| char *buffer; |
| |
| if (myValueSize <= sizeof(stackBuffer)) |
| buffer = stackBuffer; |
| else |
| buffer = malloc(myValueSize); |
| |
| // do stuff with the buffer |
| if (buffer != stackBuffer) |
| free(buffer); |
| } |
| |
| void radar10978247_positive(int myValueSize) { |
| char stackBuffer[128]; |
| char *buffer; |
| |
| if (myValueSize <= sizeof(stackBuffer)) |
| buffer = stackBuffer; |
| else |
| buffer = malloc(myValueSize); |
| |
| // do stuff with the buffer |
| if (buffer == stackBuffer) |
| return; |
| else |
| return; // expected-warning {{leak}} |
| } |
| // <rdar://problem/11269741> Previously this triggered a false positive |
| // because malloc() is known to return uninitialized memory and the binding |
| // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. |
| struct rdar11269741_a_t { |
| struct rdar11269741_b_t { |
| int m; |
| } n; |
| }; |
| |
| int rdar11269741(struct rdar11269741_b_t o) |
| { |
| struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); |
| p->n = o; |
| return p->n.m; // expected-warning {{leak}} |
| } |
| |
| // Pointer arithmetic, returning an ElementRegion. |
| void *radar11329382(unsigned bl) { |
| void *ptr = malloc (16); |
| ptr = ptr + (2 - bl); |
| return ptr; // no warning |
| } |
| |
| void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); |
| int strcmp(const char *, const char *); |
| char *a (void); |
| void radar11270219(void) { |
| char *x = a(), *y = a(); |
| (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); |
| strcmp(x, y); // no warning |
| } |
| |
| void radar_11358224_test_double_assign_ints_positive_2() |
| { |
| void *ptr = malloc(16); |
| ptr = ptr; |
| } // expected-warning {{leak}} |
| |
| // Assume that functions which take a function pointer can free memory even if |
| // they are defined in system headers and take the const pointer to the |
| // allocated memory. (radar://11160612) |
| int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); |
| void r11160612_1() { |
| char *x = malloc(12); |
| const_ptr_and_callback(0, x, 12, free); // no - warning |
| } |
| |
| // Null is passed as callback. |
| void r11160612_2() { |
| char *x = malloc(12); |
| const_ptr_and_callback(0, x, 12, 0); |
| } // expected-warning {{leak}} |
| |
| // Callback is passed to a function defined in a system header. |
| void r11160612_4() { |
| char *x = malloc(12); |
| sqlite3_bind_text_my(0, x, 12, free); // no - warning |
| } |
| |
| // Passing callbacks in a struct. |
| void r11160612_5(StWithCallback St) { |
| void *x = malloc(12); |
| dealocateMemWhenDoneByVal(x, St); |
| } |
| void r11160612_6(StWithCallback St) { |
| void *x = malloc(12); |
| dealocateMemWhenDoneByRef(&St, x); |
| } |
| |
| int mySub(int, int); |
| int myAdd(int, int); |
| int fPtr(unsigned cond, int x) { |
| return (cond ? mySub : myAdd)(x, x); |
| } |
| |
| // Test anti-aliasing. |
| |
| void dependsOnValueOfPtr(int *g, unsigned f) { |
| int *p; |
| |
| if (f) { |
| p = g; |
| } else { |
| p = malloc(12); |
| } |
| |
| if (p != g) |
| free(p); |
| else |
| return; // no warning |
| return; |
| } |
| |
| int CMPRegionHeapToStack() { |
| int x = 0; |
| int *x1 = malloc(8); |
| int *x2 = &x; |
| clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} |
| free(x1); |
| return x; |
| } |
| |
| int CMPRegionHeapToHeap2() { |
| int x = 0; |
| int *x1 = malloc(8); |
| int *x2 = malloc(8); |
| int *x4 = x1; |
| int *x5 = x2; |
| clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} |
| free(x1); |
| free(x2); |
| return x; |
| } |
| |
| int CMPRegionHeapToHeap() { |
| int x = 0; |
| int *x1 = malloc(8); |
| int *x4 = x1; |
| if (x1 == x4) { |
| free(x1); |
| return 5/x; // expected-warning{{Division by zero}} |
| } |
| return x;// expected-warning{{This statement is never executed}} |
| } |
| |
| int HeapAssignment() { |
| int m = 0; |
| int *x = malloc(4); |
| int *y = x; |
| *x = 5; |
| clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} |
| free(x); |
| return 0; |
| } |
| |
| int *retPtr(); |
| int *retPtrMightAlias(int *x); |
| int cmpHeapAllocationToUnknown() { |
| int zero = 0; |
| int *yBefore = retPtr(); |
| int *m = malloc(8); |
| int *yAfter = retPtrMightAlias(m); |
| clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} |
| clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} |
| free(m); |
| return 0; |
| } |
| |
| void localArrayTest() { |
| char *p = (char*)malloc(12); |
| char *ArrayL[12]; |
| ArrayL[0] = p; |
| } // expected-warning {{leak}} |
| |
| void localStructTest() { |
| StructWithPtr St; |
| StructWithPtr *pSt = &St; |
| pSt->memP = malloc(12); |
| } // expected-warning{{Potential leak of memory pointed to by}} |
| |
| #ifdef __INTPTR_TYPE__ |
| // Test double assignment through integers. |
| typedef __INTPTR_TYPE__ intptr_t; |
| typedef unsigned __INTPTR_TYPE__ uintptr_t; |
| |
| static intptr_t glob; |
| void test_double_assign_ints() |
| { |
| void *ptr = malloc (16); // no-warning |
| glob = (intptr_t)(uintptr_t)ptr; |
| } |
| |
| void test_double_assign_ints_positive() |
| { |
| void *ptr = malloc(16); |
| (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} |
| } // expected-warning {{leak}} |
| #endif |
| |
| void testCGContextNoLeak() |
| { |
| void *ptr = malloc(16); |
| CGContextRef context = CGBitmapContextCreate(ptr); |
| |
| // Because you can get the data back out like this, even much later, |
| // CGBitmapContextCreate is one of our "stop-tracking" exceptions. |
| free(CGBitmapContextGetData(context)); |
| } |
| |
| void testCGContextLeak() |
| { |
| void *ptr = malloc(16); |
| CGContextRef context = CGBitmapContextCreate(ptr); |
| // However, this time we're just leaking the data, because the context |
| // object doesn't escape and it hasn't been freed in this function. |
| } |
| |
| // Allow xpc context to escape. radar://11635258 |
| // TODO: Would be great if we checked that the finalize_connection_context actually releases it. |
| static void finalize_connection_context(void *ctx) { |
| int *context = ctx; |
| free(context); |
| } |
| void foo (xpc_connection_t peer) { |
| int *ctx = calloc(1, sizeof(int)); |
| xpc_connection_set_context(peer, ctx); |
| xpc_connection_set_finalizer_f(peer, finalize_connection_context); |
| xpc_connection_resume(peer); |
| } |
| |
| // Make sure we catch errors when we free in a function which does not allocate memory. |
| void freeButNoMalloc(int *p, int x){ |
| if (x) { |
| free(p); |
| //user forgot a return here. |
| } |
| free(p); // expected-warning {{Attempt to free released memory}} |
| } |
| |
| struct HasPtr { |
| char *p; |
| }; |
| |
| char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { |
| int *s; |
| char *b = realloc(a->p, size); |
| char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} |
| // We don't expect a use-after-free for a->P here because the warning above |
| // is a sink. |
| return a->p; // no-warning |
| } |
| |
| // We should not warn in this case since the caller will presumably free a->p in all cases. |
| int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { |
| int *s; |
| char *b = realloc(a->p, size); |
| if (b == 0) |
| return -1; |
| a->p = b; |
| return 0; |
| } |
| |
| // Test realloc with no visible malloc. |
| void *test(void *ptr) { |
| void *newPtr = realloc(ptr, 4); |
| if (newPtr == 0) { |
| if (ptr) |
| free(ptr); // no-warning |
| } |
| return newPtr; |
| } |
| |
| |
| char *testLeakWithinReturn(char *str) { |
| return strdup(strdup(str)); // expected-warning{{leak}} |
| } |
| |
| char *testWinLeakWithinReturn(char *str) { |
| return _strdup(_strdup(str)); // expected-warning{{leak}} |
| } |
| |
| wchar_t *testWinWideLeakWithinReturn(wchar_t *str) { |
| return _wcsdup(_wcsdup(str)); // expected-warning{{leak}} |
| } |
| |
| void passConstPtr(const char * ptr); |
| |
| void testPassConstPointer() { |
| char * string = malloc(sizeof(char)*10); |
| passConstPtr(string); |
| return; // expected-warning {{leak}} |
| } |
| |
| void testPassConstPointerIndirectly() { |
| char *p = malloc(1); |
| p++; |
| memcmp(p, p, sizeof(&p)); |
| return; // expected-warning {{leak}} |
| } |
| |
| void testPassConstPointerIndirectlyStruct() { |
| struct HasPtr hp; |
| hp.p = malloc(10); |
| memcmp(&hp, &hp, sizeof(hp)); |
| return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}} |
| } |
| |
| void testPassToSystemHeaderFunctionIndirectlyStruct() { |
| SomeStruct ss; |
| ss.p = malloc(1); |
| fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable |
| // Technically a false negative here -- we know the system function won't free |
| // ss.p, but nothing else will either! |
| } // no-warning |
| |
| void testPassToSystemHeaderFunctionIndirectlyStructFree() { |
| SomeStruct ss; |
| ss.p = malloc(1); |
| fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable |
| free(ss.p); |
| } // no-warning |
| |
| void testPassToSystemHeaderFunctionIndirectlyArray() { |
| int *p[1]; |
| p[0] = malloc(sizeof(int)); |
| fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable |
| // Technically a false negative here -- we know the system function won't free |
| // p[0], but nothing else will either! |
| } // no-warning |
| |
| void testPassToSystemHeaderFunctionIndirectlyArrayFree() { |
| int *p[1]; |
| p[0] = malloc(sizeof(int)); |
| fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable |
| free(p[0]); |
| } // no-warning |
| |
| int *testOffsetAllocate(size_t size) { |
| int *memoryBlock = (int *)malloc(size + sizeof(int)); |
| return &memoryBlock[1]; // no-warning |
| } |
| |
| void testOffsetDeallocate(int *memoryBlock) { |
| free(&memoryBlock[-1]); // no-warning |
| } |
| |
| void testOffsetOfRegionFreed() { |
| __int64_t * array = malloc(sizeof(__int64_t)*2); |
| array += 1; |
| free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} |
| } |
| |
| void testOffsetOfRegionFreed2() { |
| __int64_t *p = malloc(sizeof(__int64_t)*2); |
| p += 1; |
| free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} |
| } |
| |
| void testOffsetOfRegionFreed3() { |
| char *r = malloc(sizeof(char)); |
| r = r - 10; |
| free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}} |
| } |
| |
| void testOffsetOfRegionFreedAfterFunctionCall() { |
| int *p = malloc(sizeof(int)*2); |
| p += 1; |
| myfoo(p); |
| free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}} |
| } |
| |
| void testFixManipulatedPointerBeforeFree() { |
| int * array = malloc(sizeof(int)*2); |
| array += 1; |
| free(&array[-1]); // no-warning |
| } |
| |
| void testFixManipulatedPointerBeforeFree2() { |
| char *r = malloc(sizeof(char)); |
| r = r + 10; |
| free(r-10); // no-warning |
| } |
| |
| void freeOffsetPointerPassedToFunction() { |
| __int64_t *p = malloc(sizeof(__int64_t)*2); |
| p[1] = 0; |
| p += 1; |
| myfooint(*p); // not passing the pointer, only a value pointed by pointer |
| free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} |
| } |
| |
| int arbitraryInt(); |
| void freeUnknownOffsetPointer() { |
| char *r = malloc(sizeof(char)); |
| r = r + arbitraryInt(); // unable to reason about what the offset might be |
| free(r); // no-warning |
| } |
| |
| void testFreeNonMallocPointerWithNoOffset() { |
| char c; |
| char *r = &c; |
| r = r + 10; |
| free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} |
| } |
| |
| void testFreeNonMallocPointerWithOffset() { |
| char c; |
| char *r = &c; |
| free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} |
| } |
| |
| void testOffsetZeroDoubleFree() { |
| int *array = malloc(sizeof(int)*2); |
| int *p = &array[0]; |
| free(p); |
| free(&array[0]); // expected-warning{{Attempt to free released memory}} |
| } |
| |
| void testOffsetPassedToStrlen() { |
| char * string = malloc(sizeof(char)*10); |
| string += 1; |
| int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}} |
| } |
| |
| void testOffsetPassedToStrlenThenFree() { |
| char * string = malloc(sizeof(char)*10); |
| string += 1; |
| int length = strlen(string); |
| free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} |
| } |
| |
| void testOffsetPassedAsConst() { |
| char * string = malloc(sizeof(char)*10); |
| string += 1; |
| passConstPtr(string); |
| free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} |
| } |
| |
| char **_vectorSegments; |
| int _nVectorSegments; |
| |
| void poolFreeC(void* s) { |
| free(s); // no-warning |
| } |
| void freeMemory() { |
| while (_nVectorSegments) { |
| poolFreeC(_vectorSegments[_nVectorSegments++]); |
| } |
| } |
| |
| // PR16730 |
| void testReallocEscaped(void **memory) { |
| *memory = malloc(47); |
| char *new_memory = realloc(*memory, 47); |
| if (new_memory != 0) { |
| *memory = new_memory; |
| } |
| } |
| |
| // PR16558 |
| void *smallocNoWarn(size_t size) { |
| if (size == 0) { |
| return malloc(1); // this branch is never called |
| } |
| else { |
| return malloc(size); |
| } |
| } |
| |
| char *dupstrNoWarn(const char *s) { |
| const int len = strlen(s); |
| char *p = (char*) smallocNoWarn(len + 1); |
| strcpy(p, s); // no-warning |
| return p; |
| } |
| |
| void *smallocWarn(size_t size) { |
| if (size == 2) { |
| return malloc(1); |
| } |
| else { |
| return malloc(size); |
| } |
| } |
| |
| int *radar15580979() { |
| int *data = (int *)malloc(32); |
| int *p = data ?: (int*)malloc(32); // no warning |
| return p; |
| } |
| |
| // Some data structures may hold onto the pointer and free it later. |
| void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) { |
| int *data = (int *)malloc(32); |
| fake_insque(queue, data); // no warning |
| } |
| |
| void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) { |
| int *data = (int *)malloc(32); |
| fake_rb_tree_init(rbt, data); |
| } //expected-warning{{Potential leak}} |
| |
| void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) { |
| int *data = (int *)malloc(32); |
| fake_rb_tree_init(rbt, data); |
| fake_rb_tree_insert_node(rbt, data); // no warning |
| } |
| |
| struct IntAndPtr { |
| int x; |
| int *p; |
| }; |
| |
| void constEscape(const void *ptr); |
| |
| void testConstEscapeThroughAnotherField() { |
| struct IntAndPtr s; |
| s.p = malloc(sizeof(int)); |
| constEscape(&(s.x)); // could free s->p! |
| } // no-warning |
| |
| // PR15623 |
| int testNoCheckerDataPropogationFromLogicalOpOperandToOpResult(void) { |
| char *param = malloc(10); |
| char *value = malloc(10); |
| int ok = (param && value); |
| free(param); |
| free(value); |
| // Previously we ended up with 'Use of memory after it is freed' on return. |
| return ok; // no warning |
| } |
| |
| void (*fnptr)(int); |
| void freeIndirectFunctionPtr() { |
| void *p = (void *)fnptr; |
| free(p); // expected-warning {{Argument to free() is a function pointer}} |
| } |
| |
| void freeFunctionPtr() { |
| free((void *)fnptr); // expected-warning {{Argument to free() is a function pointer}} |
| } |
| |
| // ---------------------------------------------------------------------------- |
| // False negatives. |
| |
| void testMallocWithParam(int **p) { |
| *p = (int*) malloc(sizeof(int)); |
| *p = 0; // FIXME: should warn here |
| } |
| |
| void testMallocWithParam_2(int **p) { |
| *p = (int*) malloc(sizeof(int)); // no-warning |
| } |
| |
| void testPassToSystemHeaderFunctionIndirectly() { |
| int *p = malloc(4); |
| p++; |
| fakeSystemHeaderCallInt(p); |
| // FIXME: This is a leak: if we think a system function won't free p, it |
| // won't free (p-1) either. |
| } |
| |
| void testMallocIntoMalloc() { |
| StructWithPtr *s = malloc(sizeof(StructWithPtr)); |
| s->memP = malloc(sizeof(int)); |
| free(s); |
| } // FIXME: should warn here |