1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2 3 #include "Inputs/system-header-simulator.h" 4 5 void clang_analyzer_eval(int); 6 7 typedef __typeof(sizeof(int)) size_t; 8 void *malloc(size_t); 9 void *valloc(size_t); 10 void free(void *); 11 void *realloc(void *ptr, size_t size); 12 void *reallocf(void *ptr, size_t size); 13 void *calloc(size_t nmemb, size_t size); 14 char *strdup(const char *s); 15 char *strndup(const char *s, size_t n); 16 int memcmp(const void *s1, const void *s2, size_t n); 17 18 void myfoo(int *p); 19 void myfooint(int p); 20 char *fooRetPtr(); 21 22 void f1() { 23 int *p = malloc(12); 24 return; // expected-warning{{Potential leak of memory pointed to by 'p'}} 25 } 26 27 void f2() { 28 int *p = malloc(12); 29 free(p); 30 free(p); // expected-warning{{Attempt to free released memory}} 31 } 32 33 void f2_realloc_0() { 34 int *p = malloc(12); 35 realloc(p,0); 36 realloc(p,0); // expected-warning{{Attempt to free released memory}} 37 } 38 39 void f2_realloc_1() { 40 int *p = malloc(12); 41 int *q = realloc(p,0); // no-warning 42 } 43 44 void reallocNotNullPtr(unsigned sizeIn) { 45 unsigned size = 12; 46 char *p = (char*)malloc(size); 47 if (p) { 48 char *q = (char*)realloc(p, sizeIn); 49 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} 50 } 51 } 52 53 int *realloctest1() { 54 int *q = malloc(12); 55 q = realloc(q, 20); 56 return q; // no warning - returning the allocated value 57 } 58 59 // p should be freed if realloc fails. 60 void reallocFails() { 61 char *p = malloc(12); 62 char *r = realloc(p, 12+1); 63 if (!r) { 64 free(p); 65 } else { 66 free(r); 67 } 68 } 69 70 void reallocSizeZero1() { 71 char *p = malloc(12); 72 char *r = realloc(p, 0); 73 if (!r) { 74 free(p); // expected-warning {{Attempt to free released memory}} 75 } else { 76 free(r); 77 } 78 } 79 80 void reallocSizeZero2() { 81 char *p = malloc(12); 82 char *r = realloc(p, 0); 83 if (!r) { 84 free(p); // expected-warning {{Attempt to free released memory}} 85 } else { 86 free(r); 87 } 88 free(p); // expected-warning {{Attempt to free released memory}} 89 } 90 91 void reallocSizeZero3() { 92 char *p = malloc(12); 93 char *r = realloc(p, 0); 94 free(r); 95 } 96 97 void reallocSizeZero4() { 98 char *r = realloc(0, 0); 99 free(r); 100 } 101 102 void reallocSizeZero5() { 103 char *r = realloc(0, 0); 104 } 105 106 void reallocPtrZero1() { 107 char *r = realloc(0, 12); 108 } // expected-warning {{Potential leak of memory pointed to by 'r'}} 109 110 void reallocPtrZero2() { 111 char *r = realloc(0, 12); 112 if (r) 113 free(r); 114 } 115 116 void reallocPtrZero3() { 117 char *r = realloc(0, 12); 118 free(r); 119 } 120 121 void reallocRadar6337483_1() { 122 char *buf = malloc(100); 123 buf = (char*)realloc(buf, 0x1000000); 124 if (!buf) { 125 return;// expected-warning {{Potential leak of memory pointed to by}} 126 } 127 free(buf); 128 } 129 130 void reallocRadar6337483_2() { 131 char *buf = malloc(100); 132 char *buf2 = (char*)realloc(buf, 0x1000000); 133 if (!buf2) { 134 ; 135 } else { 136 free(buf2); 137 } 138 } // expected-warning {{Potential leak of memory pointed to by}} 139 140 void reallocRadar6337483_3() { 141 char * buf = malloc(100); 142 char * tmp; 143 tmp = (char*)realloc(buf, 0x1000000); 144 if (!tmp) { 145 free(buf); 146 return; 147 } 148 buf = tmp; 149 free(buf); 150 } 151 152 void reallocRadar6337483_4() { 153 char *buf = malloc(100); 154 char *buf2 = (char*)realloc(buf, 0x1000000); 155 if (!buf2) { 156 return; // expected-warning {{Potential leak of memory pointed to by}} 157 } else { 158 free(buf2); 159 } 160 } 161 162 int *reallocfTest1() { 163 int *q = malloc(12); 164 q = reallocf(q, 20); 165 return q; // no warning - returning the allocated value 166 } 167 168 void reallocfRadar6337483_4() { 169 char *buf = malloc(100); 170 char *buf2 = (char*)reallocf(buf, 0x1000000); 171 if (!buf2) { 172 return; // no warning - reallocf frees even on failure 173 } else { 174 free(buf2); 175 } 176 } 177 178 void reallocfRadar6337483_3() { 179 char * buf = malloc(100); 180 char * tmp; 181 tmp = (char*)reallocf(buf, 0x1000000); 182 if (!tmp) { 183 free(buf); // expected-warning {{Attempt to free released memory}} 184 return; 185 } 186 buf = tmp; 187 free(buf); 188 } 189 190 void reallocfPtrZero1() { 191 char *r = reallocf(0, 12); 192 } // expected-warning {{Potential leak of memory pointed to by}} 193 194 195 // This case tests that storing malloc'ed memory to a static variable which is 196 // then returned is not leaked. In the absence of known contracts for functions 197 // or inter-procedural analysis, this is a conservative answer. 198 int *f3() { 199 static int *p = 0; 200 p = malloc(12); 201 return p; // no-warning 202 } 203 204 // This case tests that storing malloc'ed memory to a static global variable 205 // which is then returned is not leaked. In the absence of known contracts for 206 // functions or inter-procedural analysis, this is a conservative answer. 207 static int *p_f4 = 0; 208 int *f4() { 209 p_f4 = malloc(12); 210 return p_f4; // no-warning 211 } 212 213 int *f5() { 214 int *q = malloc(12); 215 q = realloc(q, 20); 216 return q; // no-warning 217 } 218 219 void f6() { 220 int *p = malloc(12); 221 if (!p) 222 return; // no-warning 223 else 224 free(p); 225 } 226 227 void f6_realloc() { 228 int *p = malloc(12); 229 if (!p) 230 return; // no-warning 231 else 232 realloc(p,0); 233 } 234 235 236 char *doit2(); 237 void pr6069() { 238 char *buf = doit2(); 239 free(buf); 240 } 241 242 void pr6293() { 243 free(0); 244 } 245 246 void f7() { 247 char *x = (char*) malloc(4); 248 free(x); 249 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 250 } 251 252 void f8() { 253 char *x = (char*) malloc(4); 254 free(x); 255 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 256 } 257 258 void f7_realloc() { 259 char *x = (char*) malloc(4); 260 realloc(x,0); 261 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 262 } 263 264 void PR6123() { 265 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 266 } 267 268 void PR7217() { 269 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 270 buf[1] = 'c'; // not crash 271 } 272 273 void mallocCastToVoid() { 274 void *p = malloc(2); 275 const void *cp = p; // not crash 276 free(p); 277 } 278 279 void mallocCastToFP() { 280 void *p = malloc(2); 281 void (*fp)() = p; // not crash 282 free(p); 283 } 284 285 // This tests that malloc() buffers are undefined by default 286 char mallocGarbage () { 287 char *buf = malloc(2); 288 char result = buf[1]; // expected-warning{{undefined}} 289 free(buf); 290 return result; 291 } 292 293 // This tests that calloc() buffers need to be freed 294 void callocNoFree () { 295 char *buf = calloc(2,2); 296 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 297 } 298 299 // These test that calloc() buffers are zeroed by default 300 char callocZeroesGood () { 301 char *buf = calloc(2,2); 302 char result = buf[3]; // no-warning 303 if (buf[1] == 0) { 304 free(buf); 305 } 306 return result; // no-warning 307 } 308 309 char callocZeroesBad () { 310 char *buf = calloc(2,2); 311 char result = buf[3]; // no-warning 312 if (buf[1] != 0) { 313 free(buf); // expected-warning{{never executed}} 314 } 315 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 316 } 317 318 void nullFree() { 319 int *p = 0; 320 free(p); // no warning - a nop 321 } 322 323 void paramFree(int *p) { 324 myfoo(p); 325 free(p); // no warning 326 myfoo(p); // expected-warning {{Use of memory after it is freed}} 327 } 328 329 int* mallocEscapeRet() { 330 int *p = malloc(12); 331 return p; // no warning 332 } 333 334 void mallocEscapeFoo() { 335 int *p = malloc(12); 336 myfoo(p); 337 return; // no warning 338 } 339 340 void mallocEscapeFree() { 341 int *p = malloc(12); 342 myfoo(p); 343 free(p); 344 } 345 346 void mallocEscapeFreeFree() { 347 int *p = malloc(12); 348 myfoo(p); 349 free(p); 350 free(p); // expected-warning{{Attempt to free released memory}} 351 } 352 353 void mallocEscapeFreeUse() { 354 int *p = malloc(12); 355 myfoo(p); 356 free(p); 357 myfoo(p); // expected-warning{{Use of memory after it is freed}} 358 } 359 360 int *myalloc(); 361 void myalloc2(int **p); 362 363 void mallocEscapeFreeCustomAlloc() { 364 int *p = malloc(12); 365 myfoo(p); 366 free(p); 367 p = myalloc(); 368 free(p); // no warning 369 } 370 371 void mallocEscapeFreeCustomAlloc2() { 372 int *p = malloc(12); 373 myfoo(p); 374 free(p); 375 myalloc2(&p); 376 free(p); // no warning 377 } 378 379 void mallocBindFreeUse() { 380 int *x = malloc(12); 381 int *y = x; 382 free(y); 383 myfoo(x); // expected-warning{{Use of memory after it is freed}} 384 } 385 386 void mallocEscapeMalloc() { 387 int *p = malloc(12); 388 myfoo(p); 389 p = malloc(12); 390 } // expected-warning{{Potential leak of memory pointed to by}} 391 392 void mallocMalloc() { 393 int *p = malloc(12); 394 p = malloc(12); 395 } // expected-warning {{Potential leak of memory pointed to by}} 396 397 void mallocFreeMalloc() { 398 int *p = malloc(12); 399 free(p); 400 p = malloc(12); 401 free(p); 402 } 403 404 void mallocFreeUse_params() { 405 int *p = malloc(12); 406 free(p); 407 myfoo(p); //expected-warning{{Use of memory after it is freed}} 408 } 409 410 void mallocFreeUse_params2() { 411 int *p = malloc(12); 412 free(p); 413 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 414 } 415 416 void mallocFailedOrNot() { 417 int *p = malloc(12); 418 if (!p) 419 free(p); 420 else 421 free(p); 422 } 423 424 struct StructWithInt { 425 int g; 426 }; 427 428 int *mallocReturnFreed() { 429 int *p = malloc(12); 430 free(p); 431 return p; // expected-warning {{Use of memory after it is freed}} 432 } 433 434 int useAfterFreeStruct() { 435 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 436 px->g = 5; 437 free(px); 438 return px->g; // expected-warning {{Use of memory after it is freed}} 439 } 440 441 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 442 443 void mallocEscapeFooNonSymbolArg() { 444 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 445 nonSymbolAsFirstArg(&p->g, p); 446 return; // no warning 447 } 448 449 void mallocFailedOrNotLeak() { 450 int *p = malloc(12); 451 if (p == 0) 452 return; // no warning 453 else 454 return; // expected-warning {{Potential leak of memory pointed to by}} 455 } 456 457 void mallocAssignment() { 458 char *p = malloc(12); 459 p = fooRetPtr(); 460 } // expected-warning {{leak}} 461 462 int vallocTest() { 463 char *mem = valloc(12); 464 return 0; // expected-warning {{Potential leak of memory pointed to by}} 465 } 466 467 void vallocEscapeFreeUse() { 468 int *p = valloc(12); 469 myfoo(p); 470 free(p); 471 myfoo(p); // expected-warning{{Use of memory after it is freed}} 472 } 473 474 int *Gl; 475 struct GlStTy { 476 int *x; 477 }; 478 479 struct GlStTy GlS = {0}; 480 481 void GlobalFree() { 482 free(Gl); 483 } 484 485 void GlobalMalloc() { 486 Gl = malloc(12); 487 } 488 489 void GlobalStructMalloc() { 490 int *a = malloc(12); 491 GlS.x = a; 492 } 493 494 void GlobalStructMallocFree() { 495 int *a = malloc(12); 496 GlS.x = a; 497 free(GlS.x); 498 } 499 500 char *ArrayG[12]; 501 502 void globalArrayTest() { 503 char *p = (char*)malloc(12); 504 ArrayG[0] = p; 505 } 506 507 // Make sure that we properly handle a pointer stored into a local struct/array. 508 typedef struct _StructWithPtr { 509 int *memP; 510 } StructWithPtr; 511 512 static StructWithPtr arrOfStructs[10]; 513 514 void testMalloc() { 515 int *x = malloc(12); 516 StructWithPtr St; 517 St.memP = x; 518 arrOfStructs[0] = St; // no-warning 519 } 520 521 StructWithPtr testMalloc2() { 522 int *x = malloc(12); 523 StructWithPtr St; 524 St.memP = x; 525 return St; // no-warning 526 } 527 528 int *testMalloc3() { 529 int *x = malloc(12); 530 int *y = x; 531 return y; // no-warning 532 } 533 534 void testStructLeak() { 535 StructWithPtr St; 536 St.memP = malloc(12); 537 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}} 538 } 539 540 void testElemRegion1() { 541 char *x = (void*)malloc(2); 542 int *ix = (int*)x; 543 free(&(x[0])); 544 } 545 546 void testElemRegion2(int **pp) { 547 int *p = malloc(12); 548 *pp = p; 549 free(pp[0]); 550 } 551 552 void testElemRegion3(int **pp) { 553 int *p = malloc(12); 554 *pp = p; 555 free(*pp); 556 } 557 // Region escape testing. 558 559 unsigned takePtrToPtr(int **p); 560 void PassTheAddrOfAllocatedData(int f) { 561 int *p = malloc(12); 562 // We don't know what happens after the call. Should stop tracking here. 563 if (takePtrToPtr(&p)) 564 f++; 565 free(p); // no warning 566 } 567 568 struct X { 569 int *p; 570 }; 571 unsigned takePtrToStruct(struct X *s); 572 int ** foo2(int *g, int f) { 573 int *p = malloc(12); 574 struct X *px= malloc(sizeof(struct X)); 575 px->p = p; 576 // We don't know what happens after this call. Should not track px nor p. 577 if (takePtrToStruct(px)) 578 f++; 579 free(p); 580 return 0; 581 } 582 583 struct X* RegInvalidationDetect1(struct X *s2) { 584 struct X *px= malloc(sizeof(struct X)); 585 px->p = 0; 586 px = s2; 587 return px; // expected-warning {{Potential leak of memory pointed to by}} 588 } 589 590 struct X* RegInvalidationGiveUp1() { 591 int *p = malloc(12); 592 struct X *px= malloc(sizeof(struct X)); 593 px->p = p; 594 return px; 595 } 596 597 int **RegInvalidationDetect2(int **pp) { 598 int *p = malloc(12); 599 pp = &p; 600 pp++; 601 return 0;// expected-warning {{Potential leak of memory pointed to by}} 602 } 603 604 extern void exit(int) __attribute__ ((__noreturn__)); 605 void mallocExit(int *g) { 606 struct xx *p = malloc(12); 607 if (g != 0) 608 exit(1); 609 free(p); 610 return; 611 } 612 613 extern void __assert_fail (__const char *__assertion, __const char *__file, 614 unsigned int __line, __const char *__function) 615 __attribute__ ((__noreturn__)); 616 #define assert(expr) \ 617 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 618 void mallocAssert(int *g) { 619 struct xx *p = malloc(12); 620 621 assert(g != 0); 622 free(p); 623 return; 624 } 625 626 void doNotInvalidateWhenPassedToSystemCalls(char *s) { 627 char *p = malloc(12); 628 strlen(p); 629 strcpy(p, s); 630 } // expected-warning {{leak}} 631 632 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 633 void symbolLostWithStrcpy(char *s) { 634 char *p = malloc(12); 635 p = strcpy(p, s); 636 free(p); 637 } 638 639 640 // The same test as the one above, but with what is actually generated on a mac. 641 static __inline char * 642 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 643 { 644 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 645 } 646 647 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 648 char *p = malloc(12); 649 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 650 free(p); 651 } 652 653 // Here we are returning a pointer one past the allocated value. An idiom which 654 // can be used for implementing special malloc. The correct uses of this might 655 // be rare enough so that we could keep this as a warning. 656 static void *specialMalloc(int n){ 657 int *p; 658 p = malloc( n+8 ); 659 if( p ){ 660 p[0] = n; 661 p++; 662 } 663 return p; 664 } 665 666 // Potentially, the user could free the struct by performing pointer arithmetic on the return value. 667 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 668 int *specialMallocWithStruct() { 669 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 670 return &(px->g); 671 } 672 673 // Test various allocation/deallocation functions. 674 void testStrdup(const char *s, unsigned validIndex) { 675 char *s2 = strdup(s); 676 s2[validIndex + 1] = 'b'; 677 } // expected-warning {{Potential leak of memory pointed to by}} 678 679 int testStrndup(const char *s, unsigned validIndex, unsigned size) { 680 char *s2 = strndup(s, size); 681 s2 [validIndex + 1] = 'b'; 682 if (s2[validIndex] != 'a') 683 return 0; 684 else 685 return 1;// expected-warning {{Potential leak of memory pointed to by}} 686 } 687 688 void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 689 char *s2 = strdup(s); 690 char result = s2[1];// no warning 691 free(s2); 692 } 693 694 // ---------------------------------------------------------------------------- 695 // Test the system library functions to which the pointer can escape. 696 // This tests false positive suppression. 697 698 // For now, we assume memory passed to pthread_specific escapes. 699 // TODO: We could check that if a new pthread binding is set, the existing 700 // binding must be freed; otherwise, a memory leak can occur. 701 void testPthereadSpecificEscape(pthread_key_t key) { 702 void *buf = malloc(12); 703 pthread_setspecific(key, buf); // no warning 704 } 705 706 // PR12101: Test funopen(). 707 static int releasePtr(void *_ctx) { 708 free(_ctx); 709 return 0; 710 } 711 FILE *useFunOpen() { 712 void *ctx = malloc(sizeof(int)); 713 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 714 if (f == 0) { 715 free(ctx); 716 } 717 return f; 718 } 719 FILE *useFunOpenNoReleaseFunction() { 720 void *ctx = malloc(sizeof(int)); 721 FILE *f = funopen(ctx, 0, 0, 0, 0); 722 if (f == 0) { 723 free(ctx); 724 } 725 return f; // expected-warning{{leak}} 726 } 727 728 static int readNothing(void *_ctx, char *buf, int size) { 729 return 0; 730 } 731 FILE *useFunOpenReadNoRelease() { 732 void *ctx = malloc(sizeof(int)); 733 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 734 if (f == 0) { 735 free(ctx); 736 } 737 return f; // expected-warning{{leak}} 738 } 739 740 // Test setbuf, setvbuf. 741 int my_main_no_warning() { 742 char *p = malloc(100); 743 setvbuf(stdout, p, 0, 100); 744 return 0; 745 } 746 int my_main_no_warning2() { 747 char *p = malloc(100); 748 setbuf(__stdoutp, p); 749 return 0; 750 } 751 int my_main_warn(FILE *f) { 752 char *p = malloc(100); 753 setvbuf(f, p, 0, 100); 754 return 0;// expected-warning {{leak}} 755 } 756 757 // <rdar://problem/10978247>. 758 // some people use stack allocated memory as an optimization to avoid 759 // a heap allocation for small work sizes. This tests the analyzer's 760 // understanding that the malloc'ed memory is not the same as stackBuffer. 761 void radar10978247(int myValueSize) { 762 char stackBuffer[128]; 763 char *buffer; 764 765 if (myValueSize <= sizeof(stackBuffer)) 766 buffer = stackBuffer; 767 else 768 buffer = malloc(myValueSize); 769 770 // do stuff with the buffer 771 if (buffer != stackBuffer) 772 free(buffer); 773 } 774 775 void radar10978247_positive(int myValueSize) { 776 char stackBuffer[128]; 777 char *buffer; 778 779 if (myValueSize <= sizeof(stackBuffer)) 780 buffer = stackBuffer; 781 else 782 buffer = malloc(myValueSize); 783 784 // do stuff with the buffer 785 if (buffer == stackBuffer) 786 return; 787 else 788 return; // expected-warning {{leak}} 789 } 791 // <rdar://problem/11269741> Previously this triggered a false positive 792 // because malloc() is known to return uninitialized memory and the binding 793 // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 794 struct rdar11269741_a_t { 795 struct rdar11269741_b_t { 796 int m; 797 } n; 798 }; 799 800 int rdar11269741(struct rdar11269741_b_t o) 801 { 802 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 803 p->n = o; 804 return p->n.m; // expected-warning {{leak}} 805 } 806 807 // Pointer arithmetic, returning an ElementRegion. 808 void *radar11329382(unsigned bl) { 809 void *ptr = malloc (16); 810 ptr = ptr + (2 - bl); 811 return ptr; // no warning 812 } 813 814 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 815 int strcmp(const char *, const char *); 816 char *a (void); 817 void radar11270219(void) { 818 char *x = a(), *y = a(); 819 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 820 strcmp(x, y); // no warning 821 } 822 823 void radar_11358224_test_double_assign_ints_positive_2() 824 { 825 void *ptr = malloc(16); 826 ptr = ptr; 827 } // expected-warning {{leak}} 828 829 // Assume that functions which take a function pointer can free memory even if 830 // they are defined in system headers and take the const pointer to the 831 // allocated memory. (radar://11160612) 832 int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 833 void r11160612_1() { 834 char *x = malloc(12); 835 const_ptr_and_callback(0, x, 12, free); // no - warning 836 } 837 838 // Null is passed as callback. 839 void r11160612_2() { 840 char *x = malloc(12); 841 const_ptr_and_callback(0, x, 12, 0); 842 } // expected-warning {{leak}} 843 844 // Callback is passed to a function defined in a system header. 845 void r11160612_4() { 846 char *x = malloc(12); 847 sqlite3_bind_text_my(0, x, 12, free); // no - warning 848 } 849 850 // Passing callbacks in a struct. 851 void r11160612_5(StWithCallback St) { 852 void *x = malloc(12); 853 dealocateMemWhenDoneByVal(x, St); 854 } 855 void r11160612_6(StWithCallback St) { 856 void *x = malloc(12); 857 dealocateMemWhenDoneByRef(&St, x); 858 } 859 860 int mySub(int, int); 861 int myAdd(int, int); 862 int fPtr(unsigned cond, int x) { 863 return (cond ? mySub : myAdd)(x, x); 864 } 865 866 // Test anti-aliasing. 867 868 void dependsOnValueOfPtr(int *g, unsigned f) { 869 int *p; 870 871 if (f) { 872 p = g; 873 } else { 874 p = malloc(12); 875 } 876 877 if (p != g) 878 free(p); 879 else 880 return; // no warning 881 return; 882 } 883 884 int CMPRegionHeapToStack() { 885 int x = 0; 886 int *x1 = malloc(8); 887 int *x2 = &x; 888 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 889 free(x1); 890 return x; 891 } 892 893 int CMPRegionHeapToHeap2() { 894 int x = 0; 895 int *x1 = malloc(8); 896 int *x2 = malloc(8); 897 int *x4 = x1; 898 int *x5 = x2; 899 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 900 free(x1); 901 free(x2); 902 return x; 903 } 904 905 int CMPRegionHeapToHeap() { 906 int x = 0; 907 int *x1 = malloc(8); 908 int *x4 = x1; 909 if (x1 == x4) { 910 free(x1); 911 return 5/x; // expected-warning{{Division by zero}} 912 } 913 return x;// expected-warning{{This statement is never executed}} 914 } 915 916 int HeapAssignment() { 917 int m = 0; 918 int *x = malloc(4); 919 int *y = x; 920 *x = 5; 921 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 922 free(x); 923 return 0; 924 } 925 926 int *retPtr(); 927 int *retPtrMightAlias(int *x); 928 int cmpHeapAllocationToUnknown() { 929 int zero = 0; 930 int *yBefore = retPtr(); 931 int *m = malloc(8); 932 int *yAfter = retPtrMightAlias(m); 933 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 934 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 935 free(m); 936 return 0; 937 } 938 939 void localArrayTest() { 940 char *p = (char*)malloc(12); 941 char *ArrayL[12]; 942 ArrayL[0] = p; 943 } // expected-warning {{leak}} 944 945 void localStructTest() { 946 StructWithPtr St; 947 StructWithPtr *pSt = &St; 948 pSt->memP = malloc(12); 949 } // expected-warning{{Potential leak of memory pointed to by}} 950 951 #ifdef __INTPTR_TYPE__ 952 // Test double assignment through integers. 953 typedef __INTPTR_TYPE__ intptr_t; 954 typedef unsigned __INTPTR_TYPE__ uintptr_t; 955 956 static intptr_t glob; 957 void test_double_assign_ints() 958 { 959 void *ptr = malloc (16); // no-warning 960 glob = (intptr_t)(uintptr_t)ptr; 961 } 962 963 void test_double_assign_ints_positive() 964 { 965 void *ptr = malloc(16); 966 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 967 } // expected-warning {{leak}} 968 #endif 969 970 void testCGContextNoLeak() 971 { 972 void *ptr = malloc(16); 973 CGContextRef context = CGBitmapContextCreate(ptr); 974 975 // Because you can get the data back out like this, even much later, 976 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 977 free(CGBitmapContextGetData(context)); 978 } 979 980 void testCGContextLeak() 981 { 982 void *ptr = malloc(16); 983 CGContextRef context = CGBitmapContextCreate(ptr); 984 // However, this time we're just leaking the data, because the context 985 // object doesn't escape and it hasn't been freed in this function. 986 } 987 988 // Allow xpc context to escape. radar://11635258 989 // TODO: Would be great if we checked that the finalize_connection_context actually releases it. 990 static void finalize_connection_context(void *ctx) { 991 int *context = ctx; 992 free(context); 993 } 994 void foo (xpc_connection_t peer) { 995 int *ctx = calloc(1, sizeof(int)); 996 xpc_connection_set_context(peer, ctx); 997 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 998 xpc_connection_resume(peer); 999 } 1000 1001 // Make sure we catch errors when we free in a function which does not allocate memory. 1002 void freeButNoMalloc(int *p, int x){ 1003 if (x) { 1004 free(p); 1005 //user forgot a return here. 1006 } 1007 free(p); // expected-warning {{Attempt to free released memory}} 1008 } 1009 1010 struct HasPtr { 1011 char *p; 1012 }; 1013 1014 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1015 int *s; 1016 char *b = realloc(a->p, size); 1017 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 1018 return a->p; 1019 } 1020 1021 // We should not warn in this case since the caller will presumably free a->p in all cases. 1022 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1023 int *s; 1024 char *b = realloc(a->p, size); 1025 if (b == 0) 1026 return -1; 1027 a->p = b; 1028 return 0; 1029 } 1030 1031 // Test realloc with no visible malloc. 1032 void *test(void *ptr) { 1033 void *newPtr = realloc(ptr, 4); 1034 if (newPtr == 0) { 1035 if (ptr) 1036 free(ptr); // no-warning 1037 } 1038 return newPtr; 1039 } 1040 1041 1042 char *testLeakWithinReturn(char *str) { 1043 return strdup(strdup(str)); // expected-warning{{leak}} 1044 } 1045 1046 void passConstPtr(const char * ptr); 1047 1048 void testPassConstPointer() { 1049 char * string = malloc(sizeof(char)*10); 1050 passConstPtr(string); 1051 return; // expected-warning {{leak}} 1052 } 1053 1054 void testPassConstPointerIndirectly() { 1055 char *p = malloc(1); 1056 p++; 1057 memcmp(p, p, sizeof(&p)); 1058 return; // expected-warning {{leak}} 1059 } 1060 1061 void testPassConstPointerIndirectlyStruct() { 1062 struct HasPtr hp; 1063 hp.p = malloc(10); 1064 memcmp(&hp, &hp, sizeof(hp)); 1065 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}} 1066 } 1067 1068 void testPassToSystemHeaderFunctionIndirectlyStruct() { 1069 SomeStruct ss; 1070 ss.p = malloc(1); 1071 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1072 // Technically a false negative here -- we know the system function won't free 1073 // ss.p, but nothing else will either! 1074 } // no-warning 1075 1076 void testPassToSystemHeaderFunctionIndirectlyStructFree() { 1077 SomeStruct ss; 1078 ss.p = malloc(1); 1079 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1080 free(ss.p); 1081 } // no-warning 1082 1083 void testPassToSystemHeaderFunctionIndirectlyArray() { 1084 int *p[1]; 1085 p[0] = malloc(sizeof(int)); 1086 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1087 // Technically a false negative here -- we know the system function won't free 1088 // p[0], but nothing else will either! 1089 } // no-warning 1090 1091 void testPassToSystemHeaderFunctionIndirectlyArrayFree() { 1092 int *p[1]; 1093 p[0] = malloc(sizeof(int)); 1094 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1095 free(p[0]); 1096 } // no-warning 1097 1098 int *testOffsetAllocate(size_t size) { 1099 int *memoryBlock = (int *)malloc(size + sizeof(int)); 1100 return &memoryBlock[1]; // no-warning 1101 } 1102 1103 void testOffsetDeallocate(int *memoryBlock) { 1104 free(&memoryBlock[-1]); // no-warning 1105 } 1106 1107 void testOffsetOfRegionFreed() { 1108 __int64_t * array = malloc(sizeof(__int64_t)*2); 1109 array += 1; 1110 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1111 } 1112 1113 void testOffsetOfRegionFreed2() { 1114 __int64_t *p = malloc(sizeof(__int64_t)*2); 1115 p += 1; 1116 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1117 } 1118 1119 void testOffsetOfRegionFreed3() { 1120 char *r = malloc(sizeof(char)); 1121 r = r - 10; 1122 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}} 1123 } 1124 1125 void testOffsetOfRegionFreedAfterFunctionCall() { 1126 int *p = malloc(sizeof(int)*2); 1127 p += 1; 1128 myfoo(p); 1129 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}} 1130 } 1131 1132 void testFixManipulatedPointerBeforeFree() { 1133 int * array = malloc(sizeof(int)*2); 1134 array += 1; 1135 free(&array[-1]); // no-warning 1136 } 1137 1138 void testFixManipulatedPointerBeforeFree2() { 1139 char *r = malloc(sizeof(char)); 1140 r = r + 10; 1141 free(r-10); // no-warning 1142 } 1143 1144 void freeOffsetPointerPassedToFunction() { 1145 __int64_t *p = malloc(sizeof(__int64_t)*2); 1146 p[1] = 0; 1147 p += 1; 1148 myfooint(*p); // not passing the pointer, only a value pointed by pointer 1149 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1150 } 1151 1152 int arbitraryInt(); 1153 void freeUnknownOffsetPointer() { 1154 char *r = malloc(sizeof(char)); 1155 r = r + arbitraryInt(); // unable to reason about what the offset might be 1156 free(r); // no-warning 1157 } 1158 1159 void testFreeNonMallocPointerWithNoOffset() { 1160 char c; 1161 char *r = &c; 1162 r = r + 10; 1163 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1164 } 1165 1166 void testFreeNonMallocPointerWithOffset() { 1167 char c; 1168 char *r = &c; 1169 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1170 } 1171 1172 void testOffsetZeroDoubleFree() { 1173 int *array = malloc(sizeof(int)*2); 1174 int *p = &array[0]; 1175 free(p); 1176 free(&array[0]); // expected-warning{{Attempt to free released memory}} 1177 } 1178 1179 void testOffsetPassedToStrlen() { 1180 char * string = malloc(sizeof(char)*10); 1181 string += 1; 1182 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}} 1183 } 1184 1185 void testOffsetPassedToStrlenThenFree() { 1186 char * string = malloc(sizeof(char)*10); 1187 string += 1; 1188 int length = strlen(string); 1189 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1190 } 1191 1192 void testOffsetPassedAsConst() { 1193 char * string = malloc(sizeof(char)*10); 1194 string += 1; 1195 passConstPtr(string); 1196 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1197 } 1198 1199 char **_vectorSegments; 1200 int _nVectorSegments; 1201 1202 void poolFreeC(void* s) { 1203 free(s); // no-warning 1204 } 1205 void freeMemory() { 1206 while (_nVectorSegments) { 1207 poolFreeC(_vectorSegments[_nVectorSegments++]); 1208 } 1209 } 1210 1211 // ---------------------------------------------------------------------------- 1212 // False negatives. 1213 1214 void testMallocWithParam(int **p) { 1215 *p = (int*) malloc(sizeof(int)); 1216 *p = 0; // FIXME: should warn here 1217 } 1218 1219 void testMallocWithParam_2(int **p) { 1220 *p = (int*) malloc(sizeof(int)); // no-warning 1221 } 1222 1223 void testPassToSystemHeaderFunctionIndirectly() { 1224 int *p = malloc(4); 1225 p++; 1226 fakeSystemHeaderCallInt(p); 1227 // FIXME: This is a leak: if we think a system function won't free p, it 1228 // won't free (p-1) either. 1229 } 1230
