1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s 2 3 #include "Inputs/system-header-simulator.h" 4 5 void clang_analyzer_eval(int); 6 7 typedef __typeof(sizeof(int)) size_t; 8 void *malloc(size_t); 9 void *alloca(size_t); 10 void *valloc(size_t); 11 void free(void *); 12 void *realloc(void *ptr, size_t size); 13 void *reallocf(void *ptr, size_t size); 14 void *calloc(size_t nmemb, size_t size); 15 char *strdup(const char *s); 16 char *strndup(const char *s, size_t n); 17 int memcmp(const void *s1, const void *s2, size_t n); 18 19 void myfoo(int *p); 20 void myfooint(int p); 21 char *fooRetPtr(); 22 23 void f1() { 24 int *p = malloc(12); 25 return; // expected-warning{{Potential leak of memory pointed to by 'p'}} 26 } 27 28 void f2() { 29 int *p = malloc(12); 30 free(p); 31 free(p); // expected-warning{{Attempt to free released memory}} 32 } 33 34 void f2_realloc_0() { 35 int *p = malloc(12); 36 realloc(p,0); 37 realloc(p,0); // expected-warning{{Attempt to free released memory}} 38 } 39 40 void f2_realloc_1() { 41 int *p = malloc(12); 42 int *q = realloc(p,0); // no-warning 43 } 44 45 void reallocNotNullPtr(unsigned sizeIn) { 46 unsigned size = 12; 47 char *p = (char*)malloc(size); 48 if (p) { 49 char *q = (char*)realloc(p, sizeIn); 50 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} 51 } 52 } 53 54 void allocaTest() { 55 int *p = alloca(sizeof(int)); 56 } // no warn 57 58 void allocaBuiltinTest() { 59 int *p = __builtin_alloca(sizeof(int)); 60 } // no warn 61 62 int *realloctest1() { 63 int *q = malloc(12); 64 q = realloc(q, 20); 65 return q; // no warning - returning the allocated value 66 } 67 68 // p should be freed if realloc fails. 69 void reallocFails() { 70 char *p = malloc(12); 71 char *r = realloc(p, 12+1); 72 if (!r) { 73 free(p); 74 } else { 75 free(r); 76 } 77 } 78 79 void reallocSizeZero1() { 80 char *p = malloc(12); 81 char *r = realloc(p, 0); 82 if (!r) { 83 free(p); // expected-warning {{Attempt to free released memory}} 84 } else { 85 free(r); 86 } 87 } 88 89 void reallocSizeZero2() { 90 char *p = malloc(12); 91 char *r = realloc(p, 0); 92 if (!r) { 93 free(p); // expected-warning {{Attempt to free released memory}} 94 } else { 95 free(r); 96 } 97 free(p); // expected-warning {{Attempt to free released memory}} 98 } 99 100 void reallocSizeZero3() { 101 char *p = malloc(12); 102 char *r = realloc(p, 0); 103 free(r); 104 } 105 106 void reallocSizeZero4() { 107 char *r = realloc(0, 0); 108 free(r); 109 } 110 111 void reallocSizeZero5() { 112 char *r = realloc(0, 0); 113 } 114 115 void reallocPtrZero1() { 116 char *r = realloc(0, 12); 117 } // expected-warning {{Potential leak of memory pointed to by 'r'}} 118 119 void reallocPtrZero2() { 120 char *r = realloc(0, 12); 121 if (r) 122 free(r); 123 } 124 125 void reallocPtrZero3() { 126 char *r = realloc(0, 12); 127 free(r); 128 } 129 130 void reallocRadar6337483_1() { 131 char *buf = malloc(100); 132 buf = (char*)realloc(buf, 0x1000000); 133 if (!buf) { 134 return;// expected-warning {{Potential leak of memory pointed to by}} 135 } 136 free(buf); 137 } 138 139 void reallocRadar6337483_2() { 140 char *buf = malloc(100); 141 char *buf2 = (char*)realloc(buf, 0x1000000); 142 if (!buf2) { 143 ; 144 } else { 145 free(buf2); 146 } 147 } // expected-warning {{Potential leak of memory pointed to by}} 148 149 void reallocRadar6337483_3() { 150 char * buf = malloc(100); 151 char * tmp; 152 tmp = (char*)realloc(buf, 0x1000000); 153 if (!tmp) { 154 free(buf); 155 return; 156 } 157 buf = tmp; 158 free(buf); 159 } 160 161 void reallocRadar6337483_4() { 162 char *buf = malloc(100); 163 char *buf2 = (char*)realloc(buf, 0x1000000); 164 if (!buf2) { 165 return; // expected-warning {{Potential leak of memory pointed to by}} 166 } else { 167 free(buf2); 168 } 169 } 170 171 int *reallocfTest1() { 172 int *q = malloc(12); 173 q = reallocf(q, 20); 174 return q; // no warning - returning the allocated value 175 } 176 177 void reallocfRadar6337483_4() { 178 char *buf = malloc(100); 179 char *buf2 = (char*)reallocf(buf, 0x1000000); 180 if (!buf2) { 181 return; // no warning - reallocf frees even on failure 182 } else { 183 free(buf2); 184 } 185 } 186 187 void reallocfRadar6337483_3() { 188 char * buf = malloc(100); 189 char * tmp; 190 tmp = (char*)reallocf(buf, 0x1000000); 191 if (!tmp) { 192 free(buf); // expected-warning {{Attempt to free released memory}} 193 return; 194 } 195 buf = tmp; 196 free(buf); 197 } 198 199 void reallocfPtrZero1() { 200 char *r = reallocf(0, 12); 201 } // expected-warning {{Potential leak of memory pointed to by}} 202 203 //------------------- Check usage of zero-allocated memory --------------------- 204 void CheckUseZeroAllocatedNoWarn1() { 205 int *p = malloc(0); 206 free(p); // no warning 207 } 208 209 void CheckUseZeroAllocatedNoWarn2() { 210 int *p = alloca(0); // no warning 211 } 212 213 void CheckUseZeroAllocatedNoWarn3() { 214 int *p = malloc(0); 215 int *q = realloc(p, 8); // no warning 216 free(q); 217 } 218 219 void CheckUseZeroAllocatedNoWarn4() { 220 int *p = realloc(0, 8); 221 *p = 1; // no warning 222 free(p); 223 } 224 225 void CheckUseZeroAllocated1() { 226 int *p = malloc(0); 227 *p = 1; // expected-warning {{Use of zero-allocated memory}} 228 free(p); 229 } 230 231 char CheckUseZeroAllocated2() { 232 char *p = alloca(0); 233 return *p; // expected-warning {{Use of zero-allocated memory}} 234 } 235 236 void UseZeroAllocated(int *p) { 237 if (p) 238 *p = 7; // expected-warning {{Use of zero-allocated memory}} 239 } 240 void CheckUseZeroAllocated3() { 241 int *p = malloc(0); 242 UseZeroAllocated(p); 243 } 244 245 void f(char); 246 void CheckUseZeroAllocated4() { 247 char *p = valloc(0); 248 f(*p); // expected-warning {{Use of zero-allocated memory}} 249 free(p); 250 } 251 252 void CheckUseZeroAllocated5() { 253 int *p = calloc(0, 2); 254 *p = 1; // expected-warning {{Use of zero-allocated memory}} 255 free(p); 256 } 257 258 void CheckUseZeroAllocated6() { 259 int *p = calloc(2, 0); 260 *p = 1; // expected-warning {{Use of zero-allocated memory}} 261 free(p); 262 } 263 264 void CheckUseZeroAllocated7() { 265 int *p = realloc(0, 0); 266 *p = 1; // expected-warning {{Use of zero-allocated memory}} 267 free(p); 268 } 269 270 void CheckUseZeroAllocated8() { 271 int *p = malloc(8); 272 int *q = realloc(p, 0); 273 *q = 1; // expected-warning {{Use of zero-allocated memory}} 274 free(q); 275 } 276 277 void CheckUseZeroAllocated9() { 278 int *p = realloc(0, 0); 279 int *q = realloc(p, 0); 280 *q = 1; // expected-warning {{Use of zero-allocated memory}} 281 free(q); 282 } 283 284 void CheckUseZeroAllocatedPathNoWarn(_Bool b) { 285 int s = 0; 286 if (b) 287 s= 10; 288 289 char *p = malloc(s); 290 291 if (b) 292 *p = 1; // no warning 293 294 free(p); 295 } 296 297 void CheckUseZeroAllocatedPathWarn(_Bool b) { 298 int s = 10; 299 if (b) 300 s= 0; 301 302 char *p = malloc(s); 303 304 if (b) 305 *p = 1; // expected-warning {{Use of zero-allocated memory}} 306 307 free(p); 308 } 309 310 void CheckUseZeroReallocatedPathNoWarn(_Bool b) { 311 int s = 0; 312 if (b) 313 s= 10; 314 315 char *p = malloc(8); 316 char *q = realloc(p, s); 317 318 if (b) 319 *q = 1; // no warning 320 321 free(q); 322 } 323 324 void CheckUseZeroReallocatedPathWarn(_Bool b) { 325 int s = 10; 326 if (b) 327 s= 0; 328 329 char *p = malloc(8); 330 char *q = realloc(p, s); 331 332 if (b) 333 *q = 1; // expected-warning {{Use of zero-allocated memory}} 334 335 free(q); 336 } 337 338 // This case tests that storing malloc'ed memory to a static variable which is 339 // then returned is not leaked. In the absence of known contracts for functions 340 // or inter-procedural analysis, this is a conservative answer. 341 int *f3() { 342 static int *p = 0; 343 p = malloc(12); 344 return p; // no-warning 345 } 346 347 // This case tests that storing malloc'ed memory to a static global variable 348 // which is then returned is not leaked. In the absence of known contracts for 349 // functions or inter-procedural analysis, this is a conservative answer. 350 static int *p_f4 = 0; 351 int *f4() { 352 p_f4 = malloc(12); 353 return p_f4; // no-warning 354 } 355 356 int *f5() { 357 int *q = malloc(12); 358 q = realloc(q, 20); 359 return q; // no-warning 360 } 361 362 void f6() { 363 int *p = malloc(12); 364 if (!p) 365 return; // no-warning 366 else 367 free(p); 368 } 369 370 void f6_realloc() { 371 int *p = malloc(12); 372 if (!p) 373 return; // no-warning 374 else 375 realloc(p,0); 376 } 377 378 379 char *doit2(); 380 void pr6069() { 381 char *buf = doit2(); 382 free(buf); 383 } 384 385 void pr6293() { 386 free(0); 387 } 388 389 void f7() { 390 char *x = (char*) malloc(4); 391 free(x); 392 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 393 } 394 395 void f8() { 396 char *x = (char*) malloc(4); 397 free(x); 398 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 399 } 400 401 void f7_realloc() { 402 char *x = (char*) malloc(4); 403 realloc(x,0); 404 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 405 } 406 407 void PR6123() { 408 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 409 } 410 411 void PR7217() { 412 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 413 buf[1] = 'c'; // not crash 414 } 415 416 void cast_emtpy_struct() { 417 struct st { 418 }; 419 420 struct st *s = malloc(sizeof(struct st)); // no-warning 421 free(s); 422 } 423 424 void cast_struct_1() { 425 struct st { 426 int i[100]; 427 char j[]; 428 }; 429 430 struct st *s = malloc(sizeof(struct st)); // no-warning 431 free(s); 432 } 433 434 void cast_struct_2() { 435 struct st { 436 int i[100]; 437 char j[0]; 438 }; 439 440 struct st *s = malloc(sizeof(struct st)); // no-warning 441 free(s); 442 } 443 444 void cast_struct_3() { 445 struct st { 446 int i[100]; 447 char j[1]; 448 }; 449 450 struct st *s = malloc(sizeof(struct st)); // no-warning 451 free(s); 452 } 453 454 void cast_struct_4() { 455 struct st { 456 int i[100]; 457 char j[2]; 458 }; 459 460 struct st *s = malloc(sizeof(struct st)); // no-warning 461 free(s); 462 } 463 464 void cast_struct_5() { 465 struct st { 466 char i[200]; 467 char j[1]; 468 }; 469 470 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning 471 free(s); 472 } 473 474 void cast_struct_warn_1() { 475 struct st { 476 int i[100]; 477 char j[2]; 478 }; 479 480 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 481 free(s); 482 } 483 484 void cast_struct_warn_2() { 485 struct st { 486 int i[100]; 487 char j[2]; 488 }; 489 490 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 491 free(s); 492 } 493 494 void cast_struct_flex_array_1() { 495 struct st { 496 int i[100]; 497 char j[]; 498 }; 499 500 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 501 free(s); 502 } 503 504 void cast_struct_flex_array_2() { 505 struct st { 506 int i[100]; 507 char j[0]; 508 }; 509 510 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 511 free(s); 512 } 513 514 void cast_struct_flex_array_3() { 515 struct st { 516 int i[100]; 517 char j[1]; 518 }; 519 520 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 521 free(s); 522 } 523 524 void cast_struct_flex_array_4() { 525 struct foo { 526 char f[32]; 527 }; 528 struct st { 529 char i[100]; 530 struct foo data[]; 531 }; 532 533 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 534 free(s); 535 } 536 537 void cast_struct_flex_array_5() { 538 struct foo { 539 char f[32]; 540 }; 541 struct st { 542 char i[100]; 543 struct foo data[0]; 544 }; 545 546 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 547 free(s); 548 } 549 550 void cast_struct_flex_array_6() { 551 struct foo { 552 char f[32]; 553 }; 554 struct st { 555 char i[100]; 556 struct foo data[1]; 557 }; 558 559 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 560 free(s); 561 } 562 563 void cast_struct_flex_array_warn_1() { 564 struct foo { 565 char f[32]; 566 }; 567 struct st { 568 char i[100]; 569 struct foo data[]; 570 }; 571 572 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 573 free(s); 574 } 575 576 void cast_struct_flex_array_warn_2() { 577 struct foo { 578 char f[32]; 579 }; 580 struct st { 581 char i[100]; 582 struct foo data[0]; 583 }; 584 585 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 586 free(s); 587 } 588 589 void cast_struct_flex_array_warn_3() { 590 struct foo { 591 char f[32]; 592 }; 593 struct st { 594 char i[100]; 595 struct foo data[1]; 596 }; 597 598 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 599 free(s); 600 } 601 602 void cast_struct_flex_array_warn_4() { 603 struct st { 604 int i[100]; 605 int j[]; 606 }; 607 608 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 609 free(s); 610 } 611 612 void cast_struct_flex_array_warn_5() { 613 struct st { 614 int i[100]; 615 int j[0]; 616 }; 617 618 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 619 free(s); 620 } 621 622 void cast_struct_flex_array_warn_6() { 623 struct st { 624 int i[100]; 625 int j[1]; 626 }; 627 628 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 629 free(s); 630 } 631 632 void mallocCastToVoid() { 633 void *p = malloc(2); 634 const void *cp = p; // not crash 635 free(p); 636 } 637 638 void mallocCastToFP() { 639 void *p = malloc(2); 640 void (*fp)() = p; // not crash 641 free(p); 642 } 643 644 // This tests that malloc() buffers are undefined by default 645 char mallocGarbage () { 646 char *buf = malloc(2); 647 char result = buf[1]; // expected-warning{{undefined}} 648 free(buf); 649 return result; 650 } 651 652 // This tests that calloc() buffers need to be freed 653 void callocNoFree () { 654 char *buf = calloc(2,2); 655 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 656 } 657 658 // These test that calloc() buffers are zeroed by default 659 char callocZeroesGood () { 660 char *buf = calloc(2,2); 661 char result = buf[3]; // no-warning 662 if (buf[1] == 0) { 663 free(buf); 664 } 665 return result; // no-warning 666 } 667 668 char callocZeroesBad () { 669 char *buf = calloc(2,2); 670 char result = buf[3]; // no-warning 671 if (buf[1] != 0) { 672 free(buf); // expected-warning{{never executed}} 673 } 674 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 675 } 676 677 void nullFree() { 678 int *p = 0; 679 free(p); // no warning - a nop 680 } 681 682 void paramFree(int *p) { 683 myfoo(p); 684 free(p); // no warning 685 myfoo(p); // expected-warning {{Use of memory after it is freed}} 686 } 687 688 int* mallocEscapeRet() { 689 int *p = malloc(12); 690 return p; // no warning 691 } 692 693 void mallocEscapeFoo() { 694 int *p = malloc(12); 695 myfoo(p); 696 return; // no warning 697 } 698 699 void mallocEscapeFree() { 700 int *p = malloc(12); 701 myfoo(p); 702 free(p); 703 } 704 705 void mallocEscapeFreeFree() { 706 int *p = malloc(12); 707 myfoo(p); 708 free(p); 709 free(p); // expected-warning{{Attempt to free released memory}} 710 } 711 712 void mallocEscapeFreeUse() { 713 int *p = malloc(12); 714 myfoo(p); 715 free(p); 716 myfoo(p); // expected-warning{{Use of memory after it is freed}} 717 } 718 719 int *myalloc(); 720 void myalloc2(int **p); 721 722 void mallocEscapeFreeCustomAlloc() { 723 int *p = malloc(12); 724 myfoo(p); 725 free(p); 726 p = myalloc(); 727 free(p); // no warning 728 } 729 730 void mallocEscapeFreeCustomAlloc2() { 731 int *p = malloc(12); 732 myfoo(p); 733 free(p); 734 myalloc2(&p); 735 free(p); // no warning 736 } 737 738 void mallocBindFreeUse() { 739 int *x = malloc(12); 740 int *y = x; 741 free(y); 742 myfoo(x); // expected-warning{{Use of memory after it is freed}} 743 } 744 745 void mallocEscapeMalloc() { 746 int *p = malloc(12); 747 myfoo(p); 748 p = malloc(12); 749 } // expected-warning{{Potential leak of memory pointed to by}} 750 751 void mallocMalloc() { 752 int *p = malloc(12); 753 p = malloc(12); 754 } // expected-warning {{Potential leak of memory pointed to by}} 755 756 void mallocFreeMalloc() { 757 int *p = malloc(12); 758 free(p); 759 p = malloc(12); 760 free(p); 761 } 762 763 void mallocFreeUse_params() { 764 int *p = malloc(12); 765 free(p); 766 myfoo(p); //expected-warning{{Use of memory after it is freed}} 767 } 768 769 void mallocFreeUse_params2() { 770 int *p = malloc(12); 771 free(p); 772 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 773 } 774 775 void mallocFailedOrNot() { 776 int *p = malloc(12); 777 if (!p) 778 free(p); 779 else 780 free(p); 781 } 782 783 struct StructWithInt { 784 int g; 785 }; 786 787 int *mallocReturnFreed() { 788 int *p = malloc(12); 789 free(p); 790 return p; // expected-warning {{Use of memory after it is freed}} 791 } 792 793 int useAfterFreeStruct() { 794 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 795 px->g = 5; 796 free(px); 797 return px->g; // expected-warning {{Use of memory after it is freed}} 798 } 799 800 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 801 802 void mallocEscapeFooNonSymbolArg() { 803 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 804 nonSymbolAsFirstArg(&p->g, p); 805 return; // no warning 806 } 807 808 void mallocFailedOrNotLeak() { 809 int *p = malloc(12); 810 if (p == 0) 811 return; // no warning 812 else 813 return; // expected-warning {{Potential leak of memory pointed to by}} 814 } 815 816 void mallocAssignment() { 817 char *p = malloc(12); 818 p = fooRetPtr(); 819 } // expected-warning {{leak}} 820 821 int vallocTest() { 822 char *mem = valloc(12); 823 return 0; // expected-warning {{Potential leak of memory pointed to by}} 824 } 825 826 void vallocEscapeFreeUse() { 827 int *p = valloc(12); 828 myfoo(p); 829 free(p); 830 myfoo(p); // expected-warning{{Use of memory after it is freed}} 831 } 832 833 int *Gl; 834 struct GlStTy { 835 int *x; 836 }; 837 838 struct GlStTy GlS = {0}; 839 840 void GlobalFree() { 841 free(Gl); 842 } 843 844 void GlobalMalloc() { 845 Gl = malloc(12); 846 } 847 848 void GlobalStructMalloc() { 849 int *a = malloc(12); 850 GlS.x = a; 851 } 852 853 void GlobalStructMallocFree() { 854 int *a = malloc(12); 855 GlS.x = a; 856 free(GlS.x); 857 } 858 859 char *ArrayG[12]; 860 861 void globalArrayTest() { 862 char *p = (char*)malloc(12); 863 ArrayG[0] = p; 864 } 865 866 // Make sure that we properly handle a pointer stored into a local struct/array. 867 typedef struct _StructWithPtr { 868 int *memP; 869 } StructWithPtr; 870 871 static StructWithPtr arrOfStructs[10]; 872 873 void testMalloc() { 874 int *x = malloc(12); 875 StructWithPtr St; 876 St.memP = x; 877 arrOfStructs[0] = St; // no-warning 878 } 879 880 StructWithPtr testMalloc2() { 881 int *x = malloc(12); 882 StructWithPtr St; 883 St.memP = x; 884 return St; // no-warning 885 } 886 887 int *testMalloc3() { 888 int *x = malloc(12); 889 int *y = x; 890 return y; // no-warning 891 } 892 893 void testStructLeak() { 894 StructWithPtr St; 895 St.memP = malloc(12); 896 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}} 897 } 898 899 void testElemRegion1() { 900 char *x = (void*)malloc(2); 901 int *ix = (int*)x; 902 free(&(x[0])); 903 } 904 905 void testElemRegion2(int **pp) { 906 int *p = malloc(12); 907 *pp = p; 908 free(pp[0]); 909 } 910 911 void testElemRegion3(int **pp) { 912 int *p = malloc(12); 913 *pp = p; 914 free(*pp); 915 } 916 // Region escape testing. 917 918 unsigned takePtrToPtr(int **p); 919 void PassTheAddrOfAllocatedData(int f) { 920 int *p = malloc(12); 921 // We don't know what happens after the call. Should stop tracking here. 922 if (takePtrToPtr(&p)) 923 f++; 924 free(p); // no warning 925 } 926 927 struct X { 928 int *p; 929 }; 930 unsigned takePtrToStruct(struct X *s); 931 int ** foo2(int *g, int f) { 932 int *p = malloc(12); 933 struct X *px= malloc(sizeof(struct X)); 934 px->p = p; 935 // We don't know what happens after this call. Should not track px nor p. 936 if (takePtrToStruct(px)) 937 f++; 938 free(p); 939 return 0; 940 } 941 942 struct X* RegInvalidationDetect1(struct X *s2) { 943 struct X *px= malloc(sizeof(struct X)); 944 px->p = 0; 945 px = s2; 946 return px; // expected-warning {{Potential leak of memory pointed to by}} 947 } 948 949 struct X* RegInvalidationGiveUp1() { 950 int *p = malloc(12); 951 struct X *px= malloc(sizeof(struct X)); 952 px->p = p; 953 return px; 954 } 955 956 int **RegInvalidationDetect2(int **pp) { 957 int *p = malloc(12); 958 pp = &p; 959 pp++; 960 return 0;// expected-warning {{Potential leak of memory pointed to by}} 961 } 962 963 extern void exit(int) __attribute__ ((__noreturn__)); 964 void mallocExit(int *g) { 965 struct xx *p = malloc(12); 966 if (g != 0) 967 exit(1); 968 free(p); 969 return; 970 } 971 972 extern void __assert_fail (__const char *__assertion, __const char *__file, 973 unsigned int __line, __const char *__function) 974 __attribute__ ((__noreturn__)); 975 #define assert(expr) \ 976 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 977 void mallocAssert(int *g) { 978 struct xx *p = malloc(12); 979 980 assert(g != 0); 981 free(p); 982 return; 983 } 984 985 void doNotInvalidateWhenPassedToSystemCalls(char *s) { 986 char *p = malloc(12); 987 strlen(p); 988 strcpy(p, s); 989 strcpy(s, p); 990 strcpy(p, p); 991 memcpy(p, s, 1); 992 memcpy(s, p, 1); 993 memcpy(p, p, 1); 994 } // expected-warning {{leak}} 995 996 // Treat source buffer contents as escaped. 997 void escapeSourceContents(char *s) { 998 char *p = malloc(12); 999 memcpy(s, &p, 12); // no warning 1000 1001 void *p1 = malloc(7); 1002 char *a; 1003 memcpy(&a, &p1, sizeof a); 1004 // FIXME: No warning due to limitations imposed by current modelling of 1005 // 'memcpy' (regions metadata is not copied). 1006 1007 int *ptrs[2]; 1008 int *allocated = (int *)malloc(4); 1009 memcpy(&ptrs[0], &allocated, sizeof(int *)); 1010 // FIXME: No warning due to limitations imposed by current modelling of 1011 // 'memcpy' (regions metadata is not copied). 1012 } 1013 1014 void invalidateDestinationContents() { 1015 int *null = 0; 1016 int *p = (int *)malloc(4); 1017 memcpy(&p, &null, sizeof(int *)); 1018 1019 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}} 1020 ptrs1[0] = (int *)malloc(4); 1021 memcpy(ptrs1, &null, sizeof(int *)); 1022 1023 int *ptrs2[2]; // expected-warning {{Potential memory leak}} 1024 ptrs2[0] = (int *)malloc(4); 1025 memcpy(&ptrs2[1], &null, sizeof(int *)); 1026 1027 int *ptrs3[2]; // expected-warning {{Potential memory leak}} 1028 ptrs3[0] = (int *)malloc(4); 1029 memcpy(&ptrs3[0], &null, sizeof(int *)); 1030 } // expected-warning {{Potential memory leak}} 1031 1032 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 1033 void symbolLostWithStrcpy(char *s) { 1034 char *p = malloc(12); 1035 p = strcpy(p, s); 1036 free(p); 1037 } 1038 1039 1040 // The same test as the one above, but with what is actually generated on a mac. 1041 static __inline char * 1042 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 1043 { 1044 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 1045 } 1046 1047 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 1048 char *p = malloc(12); 1049 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 1050 free(p); 1051 } 1052 1053 // Here we are returning a pointer one past the allocated value. An idiom which 1054 // can be used for implementing special malloc. The correct uses of this might 1055 // be rare enough so that we could keep this as a warning. 1056 static void *specialMalloc(int n){ 1057 int *p; 1058 p = malloc( n+8 ); 1059 if( p ){ 1060 p[0] = n; 1061 p++; 1062 } 1063 return p; 1064 } 1065 1066 // Potentially, the user could free the struct by performing pointer arithmetic on the return value. 1067 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 1068 int *specialMallocWithStruct() { 1069 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 1070 return &(px->g); 1071 } 1072 1073 // Test various allocation/deallocation functions. 1074 void testStrdup(const char *s, unsigned validIndex) { 1075 char *s2 = strdup(s); 1076 s2[validIndex + 1] = 'b'; 1077 } // expected-warning {{Potential leak of memory pointed to by}} 1078 1079 int testStrndup(const char *s, unsigned validIndex, unsigned size) { 1080 char *s2 = strndup(s, size); 1081 s2 [validIndex + 1] = 'b'; 1082 if (s2[validIndex] != 'a') 1083 return 0; 1084 else 1085 return 1;// expected-warning {{Potential leak of memory pointed to by}} 1086 } 1087 1088 void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 1089 char *s2 = strdup(s); 1090 char result = s2[1];// no warning 1091 free(s2); 1092 } 1093 1094 // ---------------------------------------------------------------------------- 1095 // Test the system library functions to which the pointer can escape. 1096 // This tests false positive suppression. 1097 1098 // For now, we assume memory passed to pthread_specific escapes. 1099 // TODO: We could check that if a new pthread binding is set, the existing 1100 // binding must be freed; otherwise, a memory leak can occur. 1101 void testPthereadSpecificEscape(pthread_key_t key) { 1102 void *buf = malloc(12); 1103 pthread_setspecific(key, buf); // no warning 1104 } 1105 1106 // PR12101: Test funopen(). 1107 static int releasePtr(void *_ctx) { 1108 free(_ctx); 1109 return 0; 1110 } 1111 FILE *useFunOpen() { 1112 void *ctx = malloc(sizeof(int)); 1113 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 1114 if (f == 0) { 1115 free(ctx); 1116 } 1117 return f; 1118 } 1119 FILE *useFunOpenNoReleaseFunction() { 1120 void *ctx = malloc(sizeof(int)); 1121 FILE *f = funopen(ctx, 0, 0, 0, 0); 1122 if (f == 0) { 1123 free(ctx); 1124 } 1125 return f; // expected-warning{{leak}} 1126 } 1127 1128 static int readNothing(void *_ctx, char *buf, int size) { 1129 return 0; 1130 } 1131 FILE *useFunOpenReadNoRelease() { 1132 void *ctx = malloc(sizeof(int)); 1133 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 1134 if (f == 0) { 1135 free(ctx); 1136 } 1137 return f; // expected-warning{{leak}} 1138 } 1139 1140 // Test setbuf, setvbuf. 1141 int my_main_no_warning() { 1142 char *p = malloc(100); 1143 setvbuf(stdout, p, 0, 100); 1144 return 0; 1145 } 1146 int my_main_no_warning2() { 1147 char *p = malloc(100); 1148 setbuf(__stdoutp, p); 1149 return 0; 1150 } 1151 int my_main_warn(FILE *f) { 1152 char *p = malloc(100); 1153 setvbuf(f, p, 0, 100); 1154 return 0;// expected-warning {{leak}} 1155 } 1156 1157 // <rdar://problem/10978247>. 1158 // some people use stack allocated memory as an optimization to avoid 1159 // a heap allocation for small work sizes. This tests the analyzer's 1160 // understanding that the malloc'ed memory is not the same as stackBuffer. 1161 void radar10978247(int myValueSize) { 1162 char stackBuffer[128]; 1163 char *buffer; 1164 1165 if (myValueSize <= sizeof(stackBuffer)) 1166 buffer = stackBuffer; 1167 else 1168 buffer = malloc(myValueSize); 1169 1170 // do stuff with the buffer 1171 if (buffer != stackBuffer) 1172 free(buffer); 1173 } 1174 1175 void radar10978247_positive(int myValueSize) { 1176 char stackBuffer[128]; 1177 char *buffer; 1178 1179 if (myValueSize <= sizeof(stackBuffer)) 1180 buffer = stackBuffer; 1181 else 1182 buffer = malloc(myValueSize); 1183 1184 // do stuff with the buffer 1185 if (buffer == stackBuffer) 1186 return; 1187 else 1188 return; // expected-warning {{leak}} 1189 } 1191 // <rdar://problem/11269741> Previously this triggered a false positive 1192 // because malloc() is known to return uninitialized memory and the binding 1193 // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak. 1194 struct rdar11269741_a_t { 1195 struct rdar11269741_b_t { 1196 int m; 1197 } n; 1198 }; 1199 1200 int rdar11269741(struct rdar11269741_b_t o) 1201 { 1202 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 1203 p->n = o; 1204 return p->n.m; // expected-warning {{leak}} 1205 } 1206 1207 // Pointer arithmetic, returning an ElementRegion. 1208 void *radar11329382(unsigned bl) { 1209 void *ptr = malloc (16); 1210 ptr = ptr + (2 - bl); 1211 return ptr; // no warning 1212 } 1213 1214 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 1215 int strcmp(const char *, const char *); 1216 char *a (void); 1217 void radar11270219(void) { 1218 char *x = a(), *y = a(); 1219 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 1220 strcmp(x, y); // no warning 1221 } 1222 1223 void radar_11358224_test_double_assign_ints_positive_2() 1224 { 1225 void *ptr = malloc(16); 1226 ptr = ptr; 1227 } // expected-warning {{leak}} 1228 1229 // Assume that functions which take a function pointer can free memory even if 1230 // they are defined in system headers and take the const pointer to the 1231 // allocated memory. (radar://11160612) 1232 int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 1233 void r11160612_1() { 1234 char *x = malloc(12); 1235 const_ptr_and_callback(0, x, 12, free); // no - warning 1236 } 1237 1238 // Null is passed as callback. 1239 void r11160612_2() { 1240 char *x = malloc(12); 1241 const_ptr_and_callback(0, x, 12, 0); 1242 } // expected-warning {{leak}} 1243 1244 // Callback is passed to a function defined in a system header. 1245 void r11160612_4() { 1246 char *x = malloc(12); 1247 sqlite3_bind_text_my(0, x, 12, free); // no - warning 1248 } 1249 1250 // Passing callbacks in a struct. 1251 void r11160612_5(StWithCallback St) { 1252 void *x = malloc(12); 1253 dealocateMemWhenDoneByVal(x, St); 1254 } 1255 void r11160612_6(StWithCallback St) { 1256 void *x = malloc(12); 1257 dealocateMemWhenDoneByRef(&St, x); 1258 } 1259 1260 int mySub(int, int); 1261 int myAdd(int, int); 1262 int fPtr(unsigned cond, int x) { 1263 return (cond ? mySub : myAdd)(x, x); 1264 } 1265 1266 // Test anti-aliasing. 1267 1268 void dependsOnValueOfPtr(int *g, unsigned f) { 1269 int *p; 1270 1271 if (f) { 1272 p = g; 1273 } else { 1274 p = malloc(12); 1275 } 1276 1277 if (p != g) 1278 free(p); 1279 else 1280 return; // no warning 1281 return; 1282 } 1283 1284 int CMPRegionHeapToStack() { 1285 int x = 0; 1286 int *x1 = malloc(8); 1287 int *x2 = &x; 1288 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 1289 free(x1); 1290 return x; 1291 } 1292 1293 int CMPRegionHeapToHeap2() { 1294 int x = 0; 1295 int *x1 = malloc(8); 1296 int *x2 = malloc(8); 1297 int *x4 = x1; 1298 int *x5 = x2; 1299 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 1300 free(x1); 1301 free(x2); 1302 return x; 1303 } 1304 1305 int CMPRegionHeapToHeap() { 1306 int x = 0; 1307 int *x1 = malloc(8); 1308 int *x4 = x1; 1309 if (x1 == x4) { 1310 free(x1); 1311 return 5/x; // expected-warning{{Division by zero}} 1312 } 1313 return x;// expected-warning{{This statement is never executed}} 1314 } 1315 1316 int HeapAssignment() { 1317 int m = 0; 1318 int *x = malloc(4); 1319 int *y = x; 1320 *x = 5; 1321 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 1322 free(x); 1323 return 0; 1324 } 1325 1326 int *retPtr(); 1327 int *retPtrMightAlias(int *x); 1328 int cmpHeapAllocationToUnknown() { 1329 int zero = 0; 1330 int *yBefore = retPtr(); 1331 int *m = malloc(8); 1332 int *yAfter = retPtrMightAlias(m); 1333 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 1334 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 1335 free(m); 1336 return 0; 1337 } 1338 1339 void localArrayTest() { 1340 char *p = (char*)malloc(12); 1341 char *ArrayL[12]; 1342 ArrayL[0] = p; 1343 } // expected-warning {{leak}} 1344 1345 void localStructTest() { 1346 StructWithPtr St; 1347 StructWithPtr *pSt = &St; 1348 pSt->memP = malloc(12); 1349 } // expected-warning{{Potential leak of memory pointed to by}} 1350 1351 #ifdef __INTPTR_TYPE__ 1352 // Test double assignment through integers. 1353 typedef __INTPTR_TYPE__ intptr_t; 1354 typedef unsigned __INTPTR_TYPE__ uintptr_t; 1355 1356 static intptr_t glob; 1357 void test_double_assign_ints() 1358 { 1359 void *ptr = malloc (16); // no-warning 1360 glob = (intptr_t)(uintptr_t)ptr; 1361 } 1362 1363 void test_double_assign_ints_positive() 1364 { 1365 void *ptr = malloc(16); 1366 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 1367 } // expected-warning {{leak}} 1368 #endif 1369 1370 void testCGContextNoLeak() 1371 { 1372 void *ptr = malloc(16); 1373 CGContextRef context = CGBitmapContextCreate(ptr); 1374 1375 // Because you can get the data back out like this, even much later, 1376 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 1377 free(CGBitmapContextGetData(context)); 1378 } 1379 1380 void testCGContextLeak() 1381 { 1382 void *ptr = malloc(16); 1383 CGContextRef context = CGBitmapContextCreate(ptr); 1384 // However, this time we're just leaking the data, because the context 1385 // object doesn't escape and it hasn't been freed in this function. 1386 } 1387 1388 // Allow xpc context to escape. radar://11635258 1389 // TODO: Would be great if we checked that the finalize_connection_context actually releases it. 1390 static void finalize_connection_context(void *ctx) { 1391 int *context = ctx; 1392 free(context); 1393 } 1394 void foo (xpc_connection_t peer) { 1395 int *ctx = calloc(1, sizeof(int)); 1396 xpc_connection_set_context(peer, ctx); 1397 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 1398 xpc_connection_resume(peer); 1399 } 1400 1401 // Make sure we catch errors when we free in a function which does not allocate memory. 1402 void freeButNoMalloc(int *p, int x){ 1403 if (x) { 1404 free(p); 1405 //user forgot a return here. 1406 } 1407 free(p); // expected-warning {{Attempt to free released memory}} 1408 } 1409 1410 struct HasPtr { 1411 char *p; 1412 }; 1413 1414 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1415 int *s; 1416 char *b = realloc(a->p, size); 1417 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 1418 // We don't expect a use-after-free for a->P here because the warning above 1419 // is a sink. 1420 return a->p; // no-warning 1421 } 1422 1423 // We should not warn in this case since the caller will presumably free a->p in all cases. 1424 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1425 int *s; 1426 char *b = realloc(a->p, size); 1427 if (b == 0) 1428 return -1; 1429 a->p = b; 1430 return 0; 1431 } 1432 1433 // Test realloc with no visible malloc. 1434 void *test(void *ptr) { 1435 void *newPtr = realloc(ptr, 4); 1436 if (newPtr == 0) { 1437 if (ptr) 1438 free(ptr); // no-warning 1439 } 1440 return newPtr; 1441 } 1442 1443 1444 char *testLeakWithinReturn(char *str) { 1445 return strdup(strdup(str)); // expected-warning{{leak}} 1446 } 1447 1448 void passConstPtr(const char * ptr); 1449 1450 void testPassConstPointer() { 1451 char * string = malloc(sizeof(char)*10); 1452 passConstPtr(string); 1453 return; // expected-warning {{leak}} 1454 } 1455 1456 void testPassConstPointerIndirectly() { 1457 char *p = malloc(1); 1458 p++; 1459 memcmp(p, p, sizeof(&p)); 1460 return; // expected-warning {{leak}} 1461 } 1462 1463 void testPassConstPointerIndirectlyStruct() { 1464 struct HasPtr hp; 1465 hp.p = malloc(10); 1466 memcmp(&hp, &hp, sizeof(hp)); 1467 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}} 1468 } 1469 1470 void testPassToSystemHeaderFunctionIndirectlyStruct() { 1471 SomeStruct ss; 1472 ss.p = malloc(1); 1473 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1474 // Technically a false negative here -- we know the system function won't free 1475 // ss.p, but nothing else will either! 1476 } // no-warning 1477 1478 void testPassToSystemHeaderFunctionIndirectlyStructFree() { 1479 SomeStruct ss; 1480 ss.p = malloc(1); 1481 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1482 free(ss.p); 1483 } // no-warning 1484 1485 void testPassToSystemHeaderFunctionIndirectlyArray() { 1486 int *p[1]; 1487 p[0] = malloc(sizeof(int)); 1488 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1489 // Technically a false negative here -- we know the system function won't free 1490 // p[0], but nothing else will either! 1491 } // no-warning 1492 1493 void testPassToSystemHeaderFunctionIndirectlyArrayFree() { 1494 int *p[1]; 1495 p[0] = malloc(sizeof(int)); 1496 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1497 free(p[0]); 1498 } // no-warning 1499 1500 int *testOffsetAllocate(size_t size) { 1501 int *memoryBlock = (int *)malloc(size + sizeof(int)); 1502 return &memoryBlock[1]; // no-warning 1503 } 1504 1505 void testOffsetDeallocate(int *memoryBlock) { 1506 free(&memoryBlock[-1]); // no-warning 1507 } 1508 1509 void testOffsetOfRegionFreed() { 1510 __int64_t * array = malloc(sizeof(__int64_t)*2); 1511 array += 1; 1512 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1513 } 1514 1515 void testOffsetOfRegionFreed2() { 1516 __int64_t *p = malloc(sizeof(__int64_t)*2); 1517 p += 1; 1518 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1519 } 1520 1521 void testOffsetOfRegionFreed3() { 1522 char *r = malloc(sizeof(char)); 1523 r = r - 10; 1524 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}} 1525 } 1526 1527 void testOffsetOfRegionFreedAfterFunctionCall() { 1528 int *p = malloc(sizeof(int)*2); 1529 p += 1; 1530 myfoo(p); 1531 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}} 1532 } 1533 1534 void testFixManipulatedPointerBeforeFree() { 1535 int * array = malloc(sizeof(int)*2); 1536 array += 1; 1537 free(&array[-1]); // no-warning 1538 } 1539 1540 void testFixManipulatedPointerBeforeFree2() { 1541 char *r = malloc(sizeof(char)); 1542 r = r + 10; 1543 free(r-10); // no-warning 1544 } 1545 1546 void freeOffsetPointerPassedToFunction() { 1547 __int64_t *p = malloc(sizeof(__int64_t)*2); 1548 p[1] = 0; 1549 p += 1; 1550 myfooint(*p); // not passing the pointer, only a value pointed by pointer 1551 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}} 1552 } 1553 1554 int arbitraryInt(); 1555 void freeUnknownOffsetPointer() { 1556 char *r = malloc(sizeof(char)); 1557 r = r + arbitraryInt(); // unable to reason about what the offset might be 1558 free(r); // no-warning 1559 } 1560 1561 void testFreeNonMallocPointerWithNoOffset() { 1562 char c; 1563 char *r = &c; 1564 r = r + 10; 1565 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1566 } 1567 1568 void testFreeNonMallocPointerWithOffset() { 1569 char c; 1570 char *r = &c; 1571 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}} 1572 } 1573 1574 void testOffsetZeroDoubleFree() { 1575 int *array = malloc(sizeof(int)*2); 1576 int *p = &array[0]; 1577 free(p); 1578 free(&array[0]); // expected-warning{{Attempt to free released memory}} 1579 } 1580 1581 void testOffsetPassedToStrlen() { 1582 char * string = malloc(sizeof(char)*10); 1583 string += 1; 1584 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}} 1585 } 1586 1587 void testOffsetPassedToStrlenThenFree() { 1588 char * string = malloc(sizeof(char)*10); 1589 string += 1; 1590 int length = strlen(string); 1591 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1592 } 1593 1594 void testOffsetPassedAsConst() { 1595 char * string = malloc(sizeof(char)*10); 1596 string += 1; 1597 passConstPtr(string); 1598 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}} 1599 } 1600 1601 char **_vectorSegments; 1602 int _nVectorSegments; 1603 1604 void poolFreeC(void* s) { 1605 free(s); // no-warning 1606 } 1607 void freeMemory() { 1608 while (_nVectorSegments) { 1609 poolFreeC(_vectorSegments[_nVectorSegments++]); 1610 } 1611 } 1612 1613 // PR16730 1614 void testReallocEscaped(void **memory) { 1615 *memory = malloc(47); 1616 char *new_memory = realloc(*memory, 47); 1617 if (new_memory != 0) { 1618 *memory = new_memory; 1619 } 1620 } 1621 1622 // PR16558 1623 void *smallocNoWarn(size_t size) { 1624 if (size == 0) { 1625 return malloc(1); // this branch is never called 1626 } 1627 else { 1628 return malloc(size); 1629 } 1630 } 1631 1632 char *dupstrNoWarn(const char *s) { 1633 const int len = strlen(s); 1634 char *p = (char*) smallocNoWarn(len + 1); 1635 strcpy(p, s); // no-warning 1636 return p; 1637 } 1638 1639 void *smallocWarn(size_t size) { 1640 if (size == 2) { 1641 return malloc(1); 1642 } 1643 else { 1644 return malloc(size); 1645 } 1646 } 1647 1648 char *dupstrWarn(const char *s) { 1649 const int len = strlen(s); 1650 char *p = (char*) smallocWarn(len + 1); 1651 strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}} 1652 return p; 1653 } 1654 1655 int *radar15580979() { 1656 int *data = (int *)malloc(32); 1657 int *p = data ?: (int*)malloc(32); // no warning 1658 return p; 1659 } 1660 1661 // Some data structures may hold onto the pointer and free it later. 1662 void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) { 1663 int *data = (int *)malloc(32); 1664 fake_insque(queue, data); // no warning 1665 } 1666 1667 void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) { 1668 int *data = (int *)malloc(32); 1669 fake_rb_tree_init(rbt, data); 1670 } //expected-warning{{Potential leak}} 1671 1672 void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) { 1673 int *data = (int *)malloc(32); 1674 fake_rb_tree_init(rbt, data); 1675 fake_rb_tree_insert_node(rbt, data); // no warning 1676 } 1677 1678 // ---------------------------------------------------------------------------- 1679 // False negatives. 1680 1681 void testMallocWithParam(int **p) { 1682 *p = (int*) malloc(sizeof(int)); 1683 *p = 0; // FIXME: should warn here 1684 } 1685 1686 void testMallocWithParam_2(int **p) { 1687 *p = (int*) malloc(sizeof(int)); // no-warning 1688 } 1689 1690 void testPassToSystemHeaderFunctionIndirectly() { 1691 int *p = malloc(4); 1692 p++; 1693 fakeSystemHeaderCallInt(p); 1694 // FIXME: This is a leak: if we think a system function won't free p, it 1695 // won't free (p-1) either. 1696 } 1697