1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2 3 #include "Inputs/system-header-simulator.h" 4 5 void clang_analyzer_eval(int); 6 7 typedef __typeof(sizeof(int)) size_t; 8 void *malloc(size_t); 9 void *valloc(size_t); 10 void free(void *); 11 void *realloc(void *ptr, size_t size); 12 void *reallocf(void *ptr, size_t size); 13 void *calloc(size_t nmemb, size_t size); 14 char *strdup(const char *s); 15 char *strndup(const char *s, size_t n); 16 int memcmp(const void *s1, const void *s2, size_t n); 17 18 void myfoo(int *p); 19 void myfooint(int p); 20 char *fooRetPtr(); 21 22 void f1() { 23 int *p = malloc(12); 24 return; // expected-warning{{Potential leak of memory pointed to by 'p'}} 25 } 26 27 void f2() { 28 int *p = malloc(12); 29 free(p); 30 free(p); // expected-warning{{Attempt to free released memory}} 31 } 32 33 void f2_realloc_0() { 34 int *p = malloc(12); 35 realloc(p,0); 36 realloc(p,0); // expected-warning{{Attempt to free released memory}} 37 } 38 39 void f2_realloc_1() { 40 int *p = malloc(12); 41 int *q = realloc(p,0); // no-warning 42 } 43 44 void reallocNotNullPtr(unsigned sizeIn) { 45 unsigned size = 12; 46 char *p = (char*)malloc(size); 47 if (p) { 48 char *q = (char*)realloc(p, sizeIn); 49 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} 50 } 51 } 52 53 int *realloctest1() { 54 int *q = malloc(12); 55 q = realloc(q, 20); 56 return q; // no warning - returning the allocated value 57 } 58 59 // p should be freed if realloc fails. 60 void reallocFails() { 61 char *p = malloc(12); 62 char *r = realloc(p, 12+1); 63 if (!r) { 64 free(p); 65 } else { 66 free(r); 67 } 68 } 69 70 void reallocSizeZero1() { 71 char *p = malloc(12); 72 char *r = realloc(p, 0); 73 if (!r) { 74 free(p); // expected-warning {{Attempt to free released memory}} 75 } else { 76 free(r); 77 } 78 } 79 80 void reallocSizeZero2() { 81 char *p = malloc(12); 82 char *r = realloc(p, 0); 83 if (!r) { 84 free(p); // expected-warning {{Attempt to free released memory}} 85 } else { 86 free(r); 87 } 88 free(p); // expected-warning {{Attempt to free released memory}} 89 } 90 91 void reallocSizeZero3() { 92 char *p = malloc(12); 93 char *r = realloc(p, 0); 94 free(r); 95 } 96 97 void reallocSizeZero4() { 98 char *r = realloc(0, 0); 99 free(r); 100 } 101 102 void reallocSizeZero5() { 103 char *r = realloc(0, 0); 104 } 105 106 void reallocPtrZero1() { 107 char *r = realloc(0, 12); 108 } // expected-warning {{Potential leak of memory pointed to by 'r'}} 109 110 void reallocPtrZero2() { 111 char *r = realloc(0, 12); 112 if (r) 113 free(r); 114 } 115 116 void reallocPtrZero3() { 117 char *r = realloc(0, 12); 118 free(r); 119 } 120 121 void reallocRadar6337483_1() { 122 char *buf = malloc(100); 123 buf = (char*)realloc(buf, 0x1000000); 124 if (!buf) { 125 return;// expected-warning {{Potential leak of memory pointed to by}} 126 } 127 free(buf); 128 } 129 130 void reallocRadar6337483_2() { 131 char *buf = malloc(100); 132 char *buf2 = (char*)realloc(buf, 0x1000000); 133 if (!buf2) { 134 ; 135 } else { 136 free(buf2); 137 } 138 } // expected-warning {{Potential leak of memory pointed to by}} 139 140 void reallocRadar6337483_3() { 141 char * buf = malloc(100); 142 char * tmp; 143 tmp = (char*)realloc(buf, 0x1000000); 144 if (!tmp) { 145 free(buf); 146 return; 147 } 148 buf = tmp; 149 free(buf); 150 } 151 152 void reallocRadar6337483_4() { 153 char *buf = malloc(100); 154 char *buf2 = (char*)realloc(buf, 0x1000000); 155 if (!buf2) { 156 return; // expected-warning {{Potential leak of memory pointed to by}} 157 } else { 158 free(buf2); 159 } 160 } 161 162 int *reallocfTest1() { 163 int *q = malloc(12); 164 q = reallocf(q, 20); 165 return q; // no warning - returning the allocated value 166 } 167 168 void reallocfRadar6337483_4() { 169 char *buf = malloc(100); 170 char *buf2 = (char*)reallocf(buf, 0x1000000); 171 if (!buf2) { 172 return; // no warning - reallocf frees even on failure 173 } else { 174 free(buf2); 175 } 176 } 177 178 void reallocfRadar6337483_3() { 179 char * buf = malloc(100); 180 char * tmp; 181 tmp = (char*)reallocf(buf, 0x1000000); 182 if (!tmp) { 183 free(buf); // expected-warning {{Attempt to free released memory}} 184 return; 185 } 186 buf = tmp; 187 free(buf); 188 } 189 190 void reallocfPtrZero1() { 191 char *r = reallocf(0, 12); 192 } // expected-warning {{Potential leak of memory pointed to by}} 193 194 195 // This case tests that storing malloc'ed memory to a static variable which is 196 // then returned is not leaked. In the absence of known contracts for functions 197 // or inter-procedural analysis, this is a conservative answer. 198 int *f3() { 199 static int *p = 0; 200 p = malloc(12); 201 return p; // no-warning 202 } 203 204 // This case tests that storing malloc'ed memory to a static global variable 205 // which is then returned is not leaked. In the absence of known contracts for 206 // functions or inter-procedural analysis, this is a conservative answer. 207 static int *p_f4 = 0; 208 int *f4() { 209 p_f4 = malloc(12); 210 return p_f4; // no-warning 211 } 212 213 int *f5() { 214 int *q = malloc(12); 215 q = realloc(q, 20); 216 return q; // no-warning 217 } 218 219 void f6() { 220 int *p = malloc(12); 221 if (!p) 222 return; // no-warning 223 else 224 free(p); 225 } 226 227 void f6_realloc() { 228 int *p = malloc(12); 229 if (!p) 230 return; // no-warning 231 else 232 realloc(p,0); 233 } 234 235 236 char *doit2(); 237 void pr6069() { 238 char *buf = doit2(); 239 free(buf); 240 } 241 242 void pr6293() { 243 free(0); 244 } 245 246 void f7() { 247 char *x = (char*) malloc(4); 248 free(x); 249 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 250 } 251 252 void f8() { 253 char *x = (char*) malloc(4); 254 free(x); 255 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 256 } 257 258 void f7_realloc() { 259 char *x = (char*) malloc(4); 260 realloc(x,0); 261 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 262 } 263 264 void PR6123() { 265 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 266 } 267 268 void PR7217() { 269 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 270 buf[1] = 'c'; // not crash 271 } 272 273 void cast_emtpy_struct() { 274 struct st { 275 }; 276 277 struct st *s = malloc(sizeof(struct st)); // no-warning 278 free(s); 279 } 280 281 void cast_struct_1() { 282 struct st { 283 int i[100]; 284 char j[]; 285 }; 286 287 struct st *s = malloc(sizeof(struct st)); // no-warning 288 free(s); 289 } 290 291 void cast_struct_2() { 292 struct st { 293 int i[100]; 294 char j[0]; 295 }; 296 297 struct st *s = malloc(sizeof(struct st)); // no-warning 298 free(s); 299 } 300 301 void cast_struct_3() { 302 struct st { 303 int i[100]; 304 char j[1]; 305 }; 306 307 struct st *s = malloc(sizeof(struct st)); // no-warning 308 free(s); 309 } 310 311 void cast_struct_4() { 312 struct st { 313 int i[100]; 314 char j[2]; 315 }; 316 317 struct st *s = malloc(sizeof(struct st)); // no-warning 318 free(s); 319 } 320 321 void cast_struct_5() { 322 struct st { 323 char i[200]; 324 char j[1]; 325 }; 326 327 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning 328 free(s); 329 } 330 331 void cast_struct_warn_1() { 332 struct st { 333 int i[100]; 334 char j[2]; 335 }; 336 337 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 338 free(s); 339 } 340 341 void cast_struct_warn_2() { 342 struct st { 343 int i[100]; 344 char j[2]; 345 }; 346 347 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 348 free(s); 349 } 350 351 void cast_struct_flex_array_1() { 352 struct st { 353 int i[100]; 354 char j[]; 355 }; 356 357 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 358 free(s); 359 } 360 361 void cast_struct_flex_array_2() { 362 struct st { 363 int i[100]; 364 char j[0]; 365 }; 366 367 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 368 free(s); 369 } 370 371 void cast_struct_flex_array_3() { 372 struct st { 373 int i[100]; 374 char j[1]; 375 }; 376 377 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 378 free(s); 379 } 380 381 void cast_struct_flex_array_4() { 382 struct foo { 383 char f[32]; 384 }; 385 struct st { 386 char i[100]; 387 struct foo data[]; 388 }; 389 390 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 391 free(s); 392 } 393 394 void cast_struct_flex_array_5() { 395 struct foo { 396 char f[32]; 397 }; 398 struct st { 399 char i[100]; 400 struct foo data[0]; 401 }; 402 403 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 404 free(s); 405 } 406 407 void cast_struct_flex_array_6() { 408 struct foo { 409 char f[32]; 410 }; 411 struct st { 412 char i[100]; 413 struct foo data[1]; 414 }; 415 416 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 417 free(s); 418 } 419 420 void cast_struct_flex_array_warn_1() { 421 struct foo { 422 char f[32]; 423 }; 424 struct st { 425 char i[100]; 426 struct foo data[]; 427 }; 428 429 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 430 free(s); 431 } 432 433 void cast_struct_flex_array_warn_2() { 434 struct foo { 435 char f[32]; 436 }; 437 struct st { 438 char i[100]; 439 struct foo data[0]; 440 }; 441 442 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 443 free(s); 444 } 445 446 void cast_struct_flex_array_warn_3() { 447 struct foo { 448 char f[32]; 449 }; 450 struct st { 451 char i[100]; 452 struct foo data[1]; 453 }; 454 455 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 456 free(s); 457 } 458 459 void cast_struct_flex_array_warn_4() { 460 struct st { 461 int i[100]; 462 int j[]; 463 }; 464 465 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 466 free(s); 467 } 468 469 void cast_struct_flex_array_warn_5() { 470 struct st { 471 int i[100]; 472 int j[0]; 473 }; 474 475 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 476 free(s); 477 } 478 479 void cast_struct_flex_array_warn_6() { 480 struct st { 481 int i[100]; 482 int j[1]; 483 }; 484 485 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 486 free(s); 487 } 488 489 void mallocCastToVoid() { 490 void *p = malloc(2); 491 const void *cp = p; // not crash 492 free(p); 493 } 494 495 void mallocCastToFP() { 496 void *p = malloc(2); 497 void (*fp)() = p; // not crash 498 free(p); 499 } 500 501 // This tests that malloc() buffers are undefined by default 502 char mallocGarbage () { 503 char *buf = malloc(2); 504 char result = buf[1]; // expected-warning{{undefined}} 505 free(buf); 506 return result; 507 } 508 509 // This tests that calloc() buffers need to be freed 510 void callocNoFree () { 511 char *buf = calloc(2,2); 512 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 513 } 514 515 // These test that calloc() buffers are zeroed by default 516 char callocZeroesGood () { 517 char *buf = calloc(2,2); 518 char result = buf[3]; // no-warning 519 if (buf[1] == 0) { 520 free(buf); 521 } 522 return result; // no-warning 523 } 524 525 char callocZeroesBad () { 526 char *buf = calloc(2,2); 527 char result = buf[3]; // no-warning 528 if (buf[1] != 0) { 529 free(buf); // expected-warning{{never executed}} 530 } 531 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 532 } 533 534 void nullFree() { 535 int *p = 0; 536 free(p); // no warning - a nop 537 } 538 539 void paramFree(int *p) { 540 myfoo(p); 541 free(p); // no warning 542 myfoo(p); // expected-warning {{Use of memory after it is freed}} 543 } 544 545 int* mallocEscapeRet() { 546 int *p = malloc(12); 547 return p; // no warning 548 } 549 550 void mallocEscapeFoo() { 551 int *p = malloc(12); 552 myfoo(p); 553 return; // no warning 554 } 555 556 void mallocEscapeFree() { 557 int *p = malloc(12); 558 myfoo(p); 559 free(p); 560 } 561 562 void mallocEscapeFreeFree() { 563 int *p = malloc(12); 564 myfoo(p); 565 free(p); 566 free(p); // expected-warning{{Attempt to free released memory}} 567 } 568 569 void mallocEscapeFreeUse() { 570 int *p = malloc(12); 571 myfoo(p); 572 free(p); 573 myfoo(p); // expected-warning{{Use of memory after it is freed}} 574 } 575 576 int *myalloc(); 577 void myalloc2(int **p); 578 579 void mallocEscapeFreeCustomAlloc() { 580 int *p = malloc(12); 581 myfoo(p); 582 free(p); 583 p = myalloc(); 584 free(p); // no warning 585 } 586 587 void mallocEscapeFreeCustomAlloc2() { 588 int *p = malloc(12); 589 myfoo(p); 590 free(p); 591 myalloc2(&p); 592 free(p); // no warning 593 } 594 595 void mallocBindFreeUse() { 596 int *x = malloc(12); 597 int *y = x; 598 free(y); 599 myfoo(x); // expected-warning{{Use of memory after it is freed}} 600 } 601 602 void mallocEscapeMalloc() { 603 int *p = malloc(12); 604 myfoo(p); 605 p = malloc(12); 606 } // expected-warning{{Potential leak of memory pointed to by}} 607 608 void mallocMalloc() { 609 int *p = malloc(12); 610 p = malloc(12); 611 } // expected-warning {{Potential leak of memory pointed to by}} 612 613 void mallocFreeMalloc() { 614 int *p = malloc(12); 615 free(p); 616 p = malloc(12); 617 free(p); 618 } 619 620 void mallocFreeUse_params() { 621 int *p = malloc(12); 622 free(p); 623 myfoo(p); //expected-warning{{Use of memory after it is freed}} 624 } 625 626 void mallocFreeUse_params2() { 627 int *p = malloc(12); 628 free(p); 629 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 630 } 631 632 void mallocFailedOrNot() { 633 int *p = malloc(12); 634 if (!p) 635 free(p); 636 else 637 free(p); 638 } 639 640 struct StructWithInt { 641 int g; 642 }; 643 644 int *mallocReturnFreed() { 645 int *p = malloc(12); 646 free(p); 647 return p; // expected-warning {{Use of memory after it is freed}} 648 } 649 650 int useAfterFreeStruct() { 651 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 652 px->g = 5; 653 free(px); 654 return px->g; // expected-warning {{Use of memory after it is freed}} 655 } 656 657 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 658 659 void mallocEscapeFooNonSymbolArg() { 660 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 661 nonSymbolAsFirstArg(&p->g, p); 662 return; // no warning 663 } 664 665 void mallocFailedOrNotLeak() { 666 int *p = malloc(12); 667 if (p == 0) 668 return; // no warning 669 else 670 return; // expected-warning {{Potential leak of memory pointed to by}} 671 } 672 673 void mallocAssignment() { 674 char *p = malloc(12); 675 p = fooRetPtr(); 676 } // expected-warning {{leak}} 677 678 int vallocTest() { 679 char *mem = valloc(12); 680 return 0; // expected-warning {{Potential leak of memory pointed to by}} 681 } 682 683 void vallocEscapeFreeUse() { 684 int *p = valloc(12); 685 myfoo(p); 686 free(p); 687 myfoo(p); // expected-warning{{Use of memory after it is freed}} 688 } 689 690 int *Gl; 691 struct GlStTy { 692 int *x; 693 }; 694 695 struct GlStTy GlS = {0}; 696 697 void GlobalFree() { 698 free(Gl); 699 } 700 701 void GlobalMalloc() { 702 Gl = malloc(12); 703 } 704 705 void GlobalStructMalloc() { 706 int *a = malloc(12); 707 GlS.x = a; 708 } 709 710 void GlobalStructMallocFree() { 711 int *a = malloc(12); 712 GlS.x = a; 713 free(GlS.x); 714 } 715 716 char *ArrayG[12]; 717 718 void globalArrayTest() { 719 char *p = (char*)malloc(12); 720 ArrayG[0] = p; 721 } 722 723 // Make sure that we properly handle a pointer stored into a local struct/array. 724 typedef struct _StructWithPtr { 725 int *memP; 726 } StructWithPtr; 727 728 static StructWithPtr arrOfStructs[10]; 729 730 void testMalloc() { 731 int *x = malloc(12); 732 StructWithPtr St; 733 St.memP = x; 734 arrOfStructs[0] = St; // no-warning 735 } 736 737 StructWithPtr testMalloc2() { 738 int *x = malloc(12); 739 StructWithPtr St; 740 St.memP = x; 741 return St; // no-warning 742 } 743 744 int *testMalloc3() { 745 int *x = malloc(12); 746 int *y = x; 747 return y; // no-warning 748 } 749 750 void testStructLeak() { 751 StructWithPtr St; 752 St.memP = malloc(12); 753 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}} 754 } 755 756 void testElemRegion1() { 757 char *x = (void*)malloc(2); 758 int *ix = (int*)x; 759 free(&(x[0])); 760 } 761 762 void testElemRegion2(int **pp) { 763 int *p = malloc(12); 764 *pp = p; 765 free(pp[0]); 766 } 767 768 void testElemRegion3(int **pp) { 769 int *p = malloc(12); 770 *pp = p; 771 free(*pp); 772 } 773 // Region escape testing. 774 775 unsigned takePtrToPtr(int **p); 776 void PassTheAddrOfAllocatedData(int f) { 777 int *p = malloc(12); 778 // We don't know what happens after the call. Should stop tracking here. 779 if (takePtrToPtr(&p)) 780 f++; 781 free(p); // no warning 782 } 783 784 struct X { 785 int *p; 786 }; 787 unsigned takePtrToStruct(struct X *s); 788 int ** foo2(int *g, int f) { 789 int *p = malloc(12); 790 struct X *px= malloc(sizeof(struct X)); 791 px->p = p; 792 // We don't know what happens after this call. Should not track px nor p. 793 if (takePtrToStruct(px)) 794 f++; 795 free(p); 796 return 0; 797 } 798 799 struct X* RegInvalidationDetect1(struct X *s2) { 800 struct X *px= malloc(sizeof(struct X)); 801 px->p = 0; 802 px = s2; 803 return px; // expected-warning {{Potential leak of memory pointed to by}} 804 } 805 806 struct X* RegInvalidationGiveUp1() { 807 int *p = malloc(12); 808 struct X *px= malloc(sizeof(struct X)); 809 px->p = p; 810 return px; 811 } 812 813 int **RegInvalidationDetect2(int **pp) { 814 int *p = malloc(12); 815 pp = &p; 816 pp++; 817 return 0;// expected-warning {{Potential leak of memory pointed to by}} 818 } 819 820 extern void exit(int) __attribute__ ((__noreturn__)); 821 void mallocExit(int *g) { 822 struct xx *p = malloc(12); 823 if (g != 0) 824 exit(1); 825 free(p); 826 return; 827 } 828 829 extern void __assert_fail (__const char *__assertion, __const char *__file, 830 unsigned int __line, __const char *__function) 831 __attribute__ ((__noreturn__)); 832 #define assert(expr) \ 833 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 834 void mallocAssert(int *g) { 835 struct xx *p = malloc(12); 836 837 assert(g != 0); 838 free(p); 839 return; 840 } 841 842 void doNotInvalidateWhenPassedToSystemCalls(char *s) { 843 char *p = malloc(12); 844 strlen(p); 845 strcpy(p, s); 846 strcpy(s, p); 847 strcpy(p, p); 848 memcpy(p, s, 1); 849 memcpy(s, p, 1); 850 memcpy(p, p, 1); 851 } // expected-warning {{leak}} 852 853 // Treat source buffer contents as escaped. 854 void escapeSourceContents(char *s) { 855 char *p = malloc(12); 856 memcpy(s, &p, 12); // no warning 857 858 void *p1 = malloc(7); 859 char *a; 860 memcpy(&a, &p1, sizeof a); 861 // FIXME: No warning due to limitations imposed by current modelling of 862 // 'memcpy' (regions metadata is not copied). 863 864 int *ptrs[2]; 865 int *allocated = (int *)malloc(4); 866 memcpy(&ptrs[0], &allocated, sizeof(int *)); 867 // FIXME: No warning due to limitations imposed by current modelling of 868 // 'memcpy' (regions metadata is not copied). 869 } 870 871 void invalidateDestinationContents() { 872 int *null = 0; 873 int *p = (int *)malloc(4); 874 memcpy(&p, &null, sizeof(int *)); 875 876 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}} 877 ptrs1[0] = (int *)malloc(4); 878 memcpy(ptrs1, &null, sizeof(int *)); 879 880 int *ptrs2[2]; // expected-warning {{Potential memory leak}} 881 ptrs2[0] = (int *)malloc(4); 882 memcpy(&ptrs2[1], &null, sizeof(int *)); 883 884 int *ptrs3[2]; // expected-warning {{Potential memory leak}} 885 ptrs3[0] = (int *)malloc(4); 886 memcpy(&ptrs3[0], &null, sizeof(int *)); 887 } // expected-warning {{Potential memory leak}} 888 889 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 890 void symbolLostWithStrcpy(char *s) { 891 char *p = malloc(12); 892 p = strcpy(p, s); 893 free(p); 894 } 895 896 897 // The same test as the one above, but with what is actually generated on a mac. 898 static __inline char * 899 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 900 { 901 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 902 } 903 904 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 905 char *p = malloc(12); 906 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 907 free(p); 908 } 909 910 // Here we are returning a pointer one past the allocated value. An idiom which 911 // can be used for implementing special malloc. The correct uses of this might 912 // be rare enough so that we could keep this as a warning. 913 static void *specialMalloc(int n){ 914 int *p; 915 p = malloc( n+8 ); 916 if( p ){ 917 p[0] = n; 918 p++; 919 } 920 return p; 921 } 922 923 // Potentially, the user could free the struct by performing pointer arithmetic on the return value. 924 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 925 int *specialMallocWithStruct() { 926 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 927 return &(px->g); 928 } 929 930 // Test various allocation/deallocation functions. 931 void testStrdup(const char *s, unsigned validIndex) { 932 char *s2 = strdup(s); 933 s2[validIndex + 1] = 'b'; 934 } // expected-warning {{Potential leak of memory pointed to by}} 935 936 int testStrndup(const char *s, unsigned validIndex, unsigned size) { 937 char *s2 = strndup(s, size); 938 s2 [validIndex + 1] = 'b'; 939 if (s2[validIndex] != 'a') 940 return 0; 941 else 942 return 1;// expected-warning {{Potential leak of memory pointed to by}} 943 } 944 945 void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 946 char *s2 = strdup(s); 947 char result = s2[1];// no warning 948 free(s2); 949 } 950 951 // ---------------------------------------------------------------------------- 952 // Test the system library functions to which the pointer can escape. 953 // This tests false positive suppression. 954 955 // For now, we assume memory passed to pthread_specific escapes. 956 // TODO: We could check that if a new pthread binding is set, the existing 957 // binding must be freed; otherwise, a memory leak can occur. 958 void testPthereadSpecificEscape(pthread_key_t key) { 959 void *buf = malloc(12); 960 pthread_setspecific(key, buf); // no warning 961 } 962 963 // PR12101: Test funopen(). 964 static int releasePtr(void *_ctx) { 965 free(_ctx); 966 return 0; 967 } 968 FILE *useFunOpen() { 969 void *ctx = malloc(sizeof(int)); 970 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 971 if (f == 0) { 972 free(ctx); 973 } 974 return f; 975 } 976 FILE *useFunOpenNoReleaseFunction() { 977 void *ctx = malloc(sizeof(int)); 978 FILE *f = funopen(ctx, 0, 0, 0, 0); 979 if (f == 0) { 980 free(ctx); 981 } 982 return f; // expected-warning{{leak}} 983 } 984 985 static int readNothing(void *_ctx, char *buf, int size) { 986 return 0; 987 } 988 FILE *useFunOpenReadNoRelease() { 989 void *ctx = malloc(sizeof(int)); 990 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 991 if (f == 0) { 992 free(ctx); 993 } 994 return f; // expected-warning{{leak}} 995 } 996 997 // Test setbuf, setvbuf. 998 int my_main_no_warning() { 999 char *p = malloc(100); 1000 setvbuf(stdout, p, 0, 100); 1001 return 0; 1002 } 1003 int my_main_no_warning2() { 1004 char *p = malloc(100); 1005 setbuf(__stdoutp, p); 1006 return 0; 1007 } 1008 int my_main_warn(FILE *f) { 1009 char *p = malloc(100); 1010 setvbuf(f, p, 0, 100); 1011 return 0;// expected-warning {{leak}} 1012 } 1013 1014 // <rdar://problem/10978247>. 1015 // some people use stack allocated memory as an optimization to avoid 1016 // a heap allocation for small work sizes. This tests the analyzer's 1017 // understanding that the malloc'ed memory is not the same as stackBuffer. 1018 void radar10978247(int myValueSize) { 1019 char stackBuffer[128]; 1020 char *buffer; 1021 1022 if (myValueSize <= sizeof(stackBuffer)) 1023 buffer = stackBuffer; 1024 else 1025 buffer = malloc(myValueSize); 1026 1027 // do stuff with the buffer 1028 if (buffer != stackBuffer) 1029 free(buffer); 1030 } 1031 1032 void radar10978247_positive(int myValueSize) { 1033 char stackBuffer[128]; 1034 char *buffer; 1035 1036 if (myValueSize <= sizeof(stackBuffer)) 1037 buffer = stackBuffer; 1038 else 1039 buffer = malloc(myValueSize); 1040 1041 // do stuff with the buffer 1042 if (buffer == stackBuffer) 1043 return; 1044 else 1045 return; // expected-warning {{leak}} 1046 } 1048 // <rdar://problem/11269741> Previously this triggered a false positive 1049 // because malloc() is known to return uninitialized memory and the binding 1050 // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 1051 struct rdar11269741_a_t { 1052 struct rdar11269741_b_t { 1053 int m; 1054 } n; 1055 }; 1056 1057 int rdar11269741(struct rdar11269741_b_t o) 1058 { 1059 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 1060 p->n = o; 1061 return p->n.m; // expected-warning {{leak}} 1062 } 1063 1064 // Pointer arithmetic, returning an ElementRegion. 1065 void *radar11329382(unsigned bl) { 1066 void *ptr = malloc (16); 1067 ptr = ptr + (2 - bl); 1068 return ptr; // no warning 1069 } 1070 1071 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 1072 int strcmp(const char *, const char *); 1073 char *a (void); 1074 void radar11270219(void) { 1075 char *x = a(), *y = a(); 1076 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 1077 strcmp(x, y); // no warning 1078 } 1079 1080 void radar_11358224_test_double_assign_ints_positive_2() 1081 { 1082 void *ptr = malloc(16); 1083 ptr = ptr; 1084 } // expected-warning {{leak}} 1085 1086 // Assume that functions which take a function pointer can free memory even if 1087 // they are defined in system headers and take the const pointer to the 1088 // allocated memory. (radar://11160612) 1089 int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 1090 void r11160612_1() { 1091 char *x = malloc(12); 1092 const_ptr_and_callback(0, x, 12, free); // no - warning 1093 } 1094 1095 // Null is passed as callback. 1096 void r11160612_2() { 1097 char *x = malloc(12); 1098 const_ptr_and_callback(0, x, 12, 0); 1099 } // expected-warning {{leak}} 1100 1101 // Callback is passed to a function defined in a system header. 1102 void r11160612_4() { 1103 char *x = malloc(12); 1104 sqlite3_bind_text_my(0, x, 12, free); // no - warning 1105 } 1106 1107 // Passing callbacks in a struct. 1108 void r11160612_5(StWithCallback St) { 1109 void *x = malloc(12); 1110 dealocateMemWhenDoneByVal(x, St); 1111 } 1112 void r11160612_6(StWithCallback St) { 1113 void *x = malloc(12); 1114 dealocateMemWhenDoneByRef(&St, x); 1115 } 1116 1117 int mySub(int, int); 1118 int myAdd(int, int); 1119 int fPtr(unsigned cond, int x) { 1120 return (cond ? mySub : myAdd)(x, x); 1121 } 1122 1123 // Test anti-aliasing. 1124 1125 void dependsOnValueOfPtr(int *g, unsigned f) { 1126 int *p; 1127 1128 if (f) { 1129 p = g; 1130 } else { 1131 p = malloc(12); 1132 } 1133 1134 if (p != g) 1135 free(p); 1136 else 1137 return; // no warning 1138 return; 1139 } 1140 1141 int CMPRegionHeapToStack() { 1142 int x = 0; 1143 int *x1 = malloc(8); 1144 int *x2 = &x; 1145 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 1146 free(x1); 1147 return x; 1148 } 1149 1150 int CMPRegionHeapToHeap2() { 1151 int x = 0; 1152 int *x1 = malloc(8); 1153 int *x2 = malloc(8); 1154 int *x4 = x1; 1155 int *x5 = x2; 1156 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 1157 free(x1); 1158 free(x2); 1159 return x; 1160 } 1161 1162 int CMPRegionHeapToHeap() { 1163 int x = 0; 1164 int *x1 = malloc(8); 1165 int *x4 = x1; 1166 if (x1 == x4) { 1167 free(x1); 1168 return 5/x; // expected-warning{{Division by zero}} 1169 } 1170 return x;// expected-warning{{This statement is never executed}} 1171 } 1172 1173 int HeapAssignment() { 1174 int m = 0; 1175 int *x = malloc(4); 1176 int *y = x; 1177 *x = 5; 1178 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 1179 free(x); 1180 return 0; 1181 } 1182 1183 int *retPtr(); 1184 int *retPtrMightAlias(int *x); 1185 int cmpHeapAllocationToUnknown() { 1186 int zero = 0; 1187 int *yBefore = retPtr(); 1188 int *m = malloc(8); 1189 int *yAfter = retPtrMightAlias(m); 1190 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 1191 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 1192 free(m); 1193 return 0; 1194 } 1195 1196 void localArrayTest() { 1197 char *p = (char*)malloc(12); 1198 char *ArrayL[12]; 1199 ArrayL[0] = p; 1200 } // expected-warning {{leak}} 1201 1202 void localStructTest() { 1203 StructWithPtr St; 1204 StructWithPtr *pSt = &St; 1205 pSt->memP = malloc(12); 1206 } // expected-warning{{Potential leak of memory pointed to by}} 1207 1208 #ifdef __INTPTR_TYPE__ 1209 // Test double assignment through integers. 1210 typedef __INTPTR_TYPE__ intptr_t; 1211 typedef unsigned __INTPTR_TYPE__ uintptr_t; 1212 1213 static intptr_t glob; 1214 void test_double_assign_ints() 1215 { 1216 void *ptr = malloc (16); // no-warning 1217 glob = (intptr_t)(uintptr_t)ptr; 1218 } 1219 1220 void test_double_assign_ints_positive() 1221 { 1222 void *ptr = malloc(16); 1223 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 1224 } // expected-warning {{leak}} 1225 #endif 1226 1227 void testCGContextNoLeak() 1228 { 1229 void *ptr = malloc(16); 1230 CGContextRef context = CGBitmapContextCreate(ptr); 1231 1232 // Because you can get the data back out like this, even much later, 1233 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 1234 free(CGBitmapContextGetData(context)); 1235 } 1236 1237 void testCGContextLeak() 1238 { 1239 void *ptr = malloc(16); 1240 CGContextRef context = CGBitmapContextCreate(ptr); 1241 // However, this time we're just leaking the data, because the context 1242 // object doesn't escape and it hasn't been freed in this function. 1243 } 1244 1245 // Allow xpc context to escape. radar://11635258 1246 // TODO: Would be great if we checked that the finalize_connection_context actually releases it. 1247 static void finalize_connection_context(void *ctx) { 1248 int *context = ctx; 1249 free(context); 1250 } 1251 void foo (xpc_connection_t peer) { 1252 int *ctx = calloc(1, sizeof(int)); 1253 xpc_connection_set_context(peer, ctx); 1254 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 1255 xpc_connection_resume(peer); 1256 } 1257 1258 // Make sure we catch errors when we free in a function which does not allocate memory. 1259 void freeButNoMalloc(int *p, int x){ 1260 if (x) { 1261 free(p); 1262 //user forgot a return here. 1263 } 1264 free(p); // expected-warning {{Attempt to free released memory}} 1265 } 1266 1267 struct HasPtr { 1268 char *p; 1269 }; 1270 1271 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1272 int *s; 1273 char *b = realloc(a->p, size); 1274 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 1275 return a->p; 1276 } 1277 1278 // We should not warn in this case since the caller will presumably free a->p in all cases. 1279 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1280 int *s; 1281 char *b = realloc(a->p, size); 1282 if (b == 0) 1283 return -1; 1284 a->p = b; 1285 return 0; 1286 } 1287 1288 // Test realloc with no visible malloc. 1289 void *test(void *ptr) { 1290 void *newPtr = realloc(ptr, 4); 1291 if (newPtr == 0) { 1292 if (ptr) 1293 free(ptr); // no-warning 1294 } 1295 return newPtr; 1296 } 1297 1298 1299 char *testLeakWithinReturn(char *str) { 1300 return strdup(strdup(str)); // expected-warning{{leak}} 1301 } 1302 1303 void passConstPtr(const char * ptr); 1304 1305 void testPassConstPointer() { 1306 char * string = malloc(sizeof(char)*10); 1307 passConstPtr(string); 1308 return; // expected-warning {{leak}} 1309 } 1310 1311 void testPassConstPointerIndirectly() { 1312 char *p = malloc(1); 1313 p++; 1314 memcmp(p, p, sizeof(&p)); 1315 return; // expected-warning {{leak}} 1316 } 1317 1318 void testPassConstPointerIndirectlyStruct() { 1319 struct HasPtr hp; 1320 hp.p = malloc(10); 1321 memcmp(&hp, &hp, sizeof(hp)); 1322 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}} 1323 } 1324 1325 void testPassToSystemHeaderFunctionIndirectlyStruct() { 1326 SomeStruct ss; 1327 ss.p = malloc(1); 1328 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1329 // Technically a false negative here -- we know the system function won't free 1330 // ss.p, but nothing else will either! 1331 } // no-warning 1332 1333 void testPassToSystemHeaderFunctionIndirectlyStructFree() { 1334 SomeStruct ss; 1335 ss.p = malloc(1); 1336 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1337 free(ss.p); 1338 } // no-warning 1339 1340 void testPassToSystemHeaderFunctionIndirectlyArray() { 1341 int *p[1]; 1342 p[0] = malloc(sizeof(int)); 1343 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1344 // Technically a false negative here -- we know the system function won't free 1345 // p[0], but nothing else will either! 1346 } // no-warning 1347 1348 void testPassToSystemHeaderFunctionIndirectlyArrayFree() { 1349 int *p[1]; 1350 p[0] = malloc(sizeof(int)); 1351 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1352 free(p[0]); 1353 } // no-warning 1354 1355 int *testOffsetAllocate(size_t size) { 1356 int *memoryBlock = (int *)malloc(size + sizeof(int)); 1357 return &memoryBlock[1]; // no-warning 1358 } 1359 1360 void testOffsetDeallocate(int *memoryBlock) { 1361 free(&memoryBlock[-1]); // no-warning 1362 } 1363 1364 void testOffsetOfRegionFreed() { 1365 __int64_t * array = malloc(sizeof(__int64_t)*2); 1366 array += 1; 1367 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1368 } 1369 1370 void testOffsetOfRegionFreed2() { 1371 __int64_t *p = malloc(sizeof(__int64_t)*2); 1372 p += 1; 1373 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1374 } 1375 1376 void testOffsetOfRegionFreed3() { 1377 char *r = malloc(sizeof(char)); 1378 r = r - 10; 1379 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}} 1380 } 1381 1382 void testOffsetOfRegionFreedAfterFunctionCall() { 1383 int *p = malloc(sizeof(int)*2); 1384 p += 1; 1385 myfoo(p); 1386 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}} 1387 } 1388 1389 void testFixManipulatedPointerBeforeFree() { 1390 int * array = malloc(sizeof(int)*2); 1391 array += 1; 1392 free(&array[-1]); // no-warning 1393 } 1394 1395 void testFixManipulatedPointerBeforeFree2() { 1396 char *r = malloc(sizeof(char)); 1397 r = r + 10; 1398 free(r-10); // no-warning 1399 } 1400 1401 void freeOffsetPointerPassedToFunction() { 1402 __int64_t *p = malloc(sizeof(__int64_t)*2); 1403 p[1] = 0; 1404 p += 1; 1405 myfooint(*p); // not passing the pointer, only a value pointed by pointer 1406 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1407 } 1408 1409 int arbitraryInt(); 1410 void freeUnknownOffsetPointer() { 1411 char *r = malloc(sizeof(char)); 1412 r = r + arbitraryInt(); // unable to reason about what the offset might be 1413 free(r); // no-warning 1414 } 1415 1416 void testFreeNonMallocPointerWithNoOffset() { 1417 char c; 1418 char *r = &c; 1419 r = r + 10; 1420 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1421 } 1422 1423 void testFreeNonMallocPointerWithOffset() { 1424 char c; 1425 char *r = &c; 1426 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1427 } 1428 1429 void testOffsetZeroDoubleFree() { 1430 int *array = malloc(sizeof(int)*2); 1431 int *p = &array[0]; 1432 free(p); 1433 free(&array[0]); // expected-warning{{Attempt to free released memory}} 1434 } 1435 1436 void testOffsetPassedToStrlen() { 1437 char * string = malloc(sizeof(char)*10); 1438 string += 1; 1439 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}} 1440 } 1441 1442 void testOffsetPassedToStrlenThenFree() { 1443 char * string = malloc(sizeof(char)*10); 1444 string += 1; 1445 int length = strlen(string); 1446 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1447 } 1448 1449 void testOffsetPassedAsConst() { 1450 char * string = malloc(sizeof(char)*10); 1451 string += 1; 1452 passConstPtr(string); 1453 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1454 } 1455 1456 char **_vectorSegments; 1457 int _nVectorSegments; 1458 1459 void poolFreeC(void* s) { 1460 free(s); // no-warning 1461 } 1462 void freeMemory() { 1463 while (_nVectorSegments) { 1464 poolFreeC(_vectorSegments[_nVectorSegments++]); 1465 } 1466 } 1467 1468 // PR16730 1469 void testReallocEscaped(void **memory) { 1470 *memory = malloc(47); 1471 char *new_memory = realloc(*memory, 47); 1472 if (new_memory != 0) { 1473 *memory = new_memory; 1474 } 1475 } 1476 1477 // PR16558 1478 void *smallocNoWarn(size_t size) { 1479 if (size == 0) { 1480 return malloc(1); // this branch is never called 1481 } 1482 else { 1483 return malloc(size); 1484 } 1485 } 1486 1487 char *dupstrNoWarn(const char *s) { 1488 const int len = strlen(s); 1489 char *p = (char*) smallocNoWarn(len + 1); 1490 strcpy(p, s); // no-warning 1491 return p; 1492 } 1493 1494 void *smallocWarn(size_t size) { 1495 if (size == 2) { 1496 return malloc(1); 1497 } 1498 else { 1499 return malloc(size); 1500 } 1501 } 1502 1503 char *dupstrWarn(const char *s) { 1504 const int len = strlen(s); 1505 char *p = (char*) smallocWarn(len + 1); 1506 strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}} 1507 return p; 1508 } 1509 1510 int *radar15580979() { 1511 int *data = (int *)malloc(32); 1512 int *p = data ?: (int*)malloc(32); // no warning 1513 return p; 1514 } 1515 1516 // ---------------------------------------------------------------------------- 1517 // False negatives. 1518 1519 void testMallocWithParam(int **p) { 1520 *p = (int*) malloc(sizeof(int)); 1521 *p = 0; // FIXME: should warn here 1522 } 1523 1524 void testMallocWithParam_2(int **p) { 1525 *p = (int*) malloc(sizeof(int)); // no-warning 1526 } 1527 1528 void testPassToSystemHeaderFunctionIndirectly() { 1529 int *p = malloc(4); 1530 p++; 1531 fakeSystemHeaderCallInt(p); 1532 // FIXME: This is a leak: if we think a system function won't free p, it 1533 // won't free (p-1) either. 1534 } 1535
