1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
2
3 #include "Inputs/system-header-simulator.h"
4
5 void clang_analyzer_eval(int);
6
7 // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
8 // _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
9 // the builtin type: "Using the typedef version can cause portability
10 // problems", but we're ok here because we're not actually running anything.
11 // Also of note is this cryptic warning: "The wchar_t type is not supported
12 // when you compile C code".
13 //
14 // See the docs for more:
15 // https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
16 #if !defined(_WCHAR_T_DEFINED)
17 // "Microsoft implements wchar_t as a two-byte unsigned value"
18 typedef unsigned short wchar_t;
19 #define _WCHAR_T_DEFINED
20 #endif // !defined(_WCHAR_T_DEFINED)
21
22 typedef __typeof(sizeof(int)) size_t;
23 void *malloc(size_t);
24 void *alloca(size_t);
25 void *valloc(size_t);
26 void free(void *);
27 void *realloc(void *ptr, size_t size);
28 void *reallocf(void *ptr, size_t size);
29 void *calloc(size_t nmemb, size_t size);
30 char *strdup(const char *s);
31 wchar_t *wcsdup(const wchar_t *s);
32 char *strndup(const char *s, size_t n);
33 int memcmp(const void *s1, const void *s2, size_t n);
34
35 // Windows variants
36 char *_strdup(const char *strSource);
37 wchar_t *_wcsdup(const wchar_t *strSource);
38 void *_alloca(size_t size);
39
40 void myfoo(int *p);
41 void myfooint(int p);
42 char *fooRetPtr();
43
f1()44 void f1() {
45 int *p = malloc(12);
46 return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
47 }
48
f2()49 void f2() {
50 int *p = malloc(12);
51 free(p);
52 free(p); // expected-warning{{Attempt to free released memory}}
53 }
54
f2_realloc_0()55 void f2_realloc_0() {
56 int *p = malloc(12);
57 realloc(p,0);
58 realloc(p,0); // expected-warning{{Attempt to free released memory}}
59 }
60
f2_realloc_1()61 void f2_realloc_1() {
62 int *p = malloc(12);
63 int *q = realloc(p,0); // no-warning
64 }
65
reallocNotNullPtr(unsigned sizeIn)66 void reallocNotNullPtr(unsigned sizeIn) {
67 unsigned size = 12;
68 char *p = (char*)malloc(size);
69 if (p) {
70 char *q = (char*)realloc(p, sizeIn);
71 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
72 }
73 }
74
allocaTest()75 void allocaTest() {
76 int *p = alloca(sizeof(int));
77 } // no warn
78
winAllocaTest()79 void winAllocaTest() {
80 int *p = _alloca(sizeof(int));
81 } // no warn
82
allocaBuiltinTest()83 void allocaBuiltinTest() {
84 int *p = __builtin_alloca(sizeof(int));
85 } // no warn
86
realloctest1()87 int *realloctest1() {
88 int *q = malloc(12);
89 q = realloc(q, 20);
90 return q; // no warning - returning the allocated value
91 }
92
93 // p should be freed if realloc fails.
reallocFails()94 void reallocFails() {
95 char *p = malloc(12);
96 char *r = realloc(p, 12+1);
97 if (!r) {
98 free(p);
99 } else {
100 free(r);
101 }
102 }
103
reallocSizeZero1()104 void reallocSizeZero1() {
105 char *p = malloc(12);
106 char *r = realloc(p, 0);
107 if (!r) {
108 free(p); // expected-warning {{Attempt to free released memory}}
109 } else {
110 free(r);
111 }
112 }
113
reallocSizeZero2()114 void reallocSizeZero2() {
115 char *p = malloc(12);
116 char *r = realloc(p, 0);
117 if (!r) {
118 free(p); // expected-warning {{Attempt to free released memory}}
119 } else {
120 free(r);
121 }
122 free(p); // expected-warning {{Attempt to free released memory}}
123 }
124
reallocSizeZero3()125 void reallocSizeZero3() {
126 char *p = malloc(12);
127 char *r = realloc(p, 0);
128 free(r);
129 }
130
reallocSizeZero4()131 void reallocSizeZero4() {
132 char *r = realloc(0, 0);
133 free(r);
134 }
135
reallocSizeZero5()136 void reallocSizeZero5() {
137 char *r = realloc(0, 0);
138 }
139
reallocPtrZero1()140 void reallocPtrZero1() {
141 char *r = realloc(0, 12);
142 } // expected-warning {{Potential leak of memory pointed to by 'r'}}
143
reallocPtrZero2()144 void reallocPtrZero2() {
145 char *r = realloc(0, 12);
146 if (r)
147 free(r);
148 }
149
reallocPtrZero3()150 void reallocPtrZero3() {
151 char *r = realloc(0, 12);
152 free(r);
153 }
154
reallocRadar6337483_1()155 void reallocRadar6337483_1() {
156 char *buf = malloc(100);
157 buf = (char*)realloc(buf, 0x1000000);
158 if (!buf) {
159 return;// expected-warning {{Potential leak of memory pointed to by}}
160 }
161 free(buf);
162 }
163
reallocRadar6337483_2()164 void reallocRadar6337483_2() {
165 char *buf = malloc(100);
166 char *buf2 = (char*)realloc(buf, 0x1000000);
167 if (!buf2) {
168 ;
169 } else {
170 free(buf2);
171 }
172 } // expected-warning {{Potential leak of memory pointed to by}}
173
reallocRadar6337483_3()174 void reallocRadar6337483_3() {
175 char * buf = malloc(100);
176 char * tmp;
177 tmp = (char*)realloc(buf, 0x1000000);
178 if (!tmp) {
179 free(buf);
180 return;
181 }
182 buf = tmp;
183 free(buf);
184 }
185
reallocRadar6337483_4()186 void reallocRadar6337483_4() {
187 char *buf = malloc(100);
188 char *buf2 = (char*)realloc(buf, 0x1000000);
189 if (!buf2) {
190 return; // expected-warning {{Potential leak of memory pointed to by}}
191 } else {
192 free(buf2);
193 }
194 }
195
reallocfTest1()196 int *reallocfTest1() {
197 int *q = malloc(12);
198 q = reallocf(q, 20);
199 return q; // no warning - returning the allocated value
200 }
201
reallocfRadar6337483_4()202 void reallocfRadar6337483_4() {
203 char *buf = malloc(100);
204 char *buf2 = (char*)reallocf(buf, 0x1000000);
205 if (!buf2) {
206 return; // no warning - reallocf frees even on failure
207 } else {
208 free(buf2);
209 }
210 }
211
reallocfRadar6337483_3()212 void reallocfRadar6337483_3() {
213 char * buf = malloc(100);
214 char * tmp;
215 tmp = (char*)reallocf(buf, 0x1000000);
216 if (!tmp) {
217 free(buf); // expected-warning {{Attempt to free released memory}}
218 return;
219 }
220 buf = tmp;
221 free(buf);
222 }
223
reallocfPtrZero1()224 void reallocfPtrZero1() {
225 char *r = reallocf(0, 12);
226 } // expected-warning {{Potential leak of memory pointed to by}}
227
228 //------------------- Check usage of zero-allocated memory ---------------------
CheckUseZeroAllocatedNoWarn1()229 void CheckUseZeroAllocatedNoWarn1() {
230 int *p = malloc(0);
231 free(p); // no warning
232 }
233
CheckUseZeroAllocatedNoWarn2()234 void CheckUseZeroAllocatedNoWarn2() {
235 int *p = alloca(0); // no warning
236 }
237
CheckUseZeroWinAllocatedNoWarn2()238 void CheckUseZeroWinAllocatedNoWarn2() {
239 int *p = _alloca(0); // no warning
240 }
241
242
CheckUseZeroAllocatedNoWarn3()243 void CheckUseZeroAllocatedNoWarn3() {
244 int *p = malloc(0);
245 int *q = realloc(p, 8); // no warning
246 free(q);
247 }
248
CheckUseZeroAllocatedNoWarn4()249 void CheckUseZeroAllocatedNoWarn4() {
250 int *p = realloc(0, 8);
251 *p = 1; // no warning
252 free(p);
253 }
254
CheckUseZeroAllocated1()255 void CheckUseZeroAllocated1() {
256 int *p = malloc(0);
257 *p = 1; // expected-warning {{Use of zero-allocated memory}}
258 free(p);
259 }
260
CheckUseZeroAllocated2()261 char CheckUseZeroAllocated2() {
262 char *p = alloca(0);
263 return *p; // expected-warning {{Use of zero-allocated memory}}
264 }
265
CheckUseZeroWinAllocated2()266 char CheckUseZeroWinAllocated2() {
267 char *p = _alloca(0);
268 return *p; // expected-warning {{Use of zero-allocated memory}}
269 }
270
UseZeroAllocated(int * p)271 void UseZeroAllocated(int *p) {
272 if (p)
273 *p = 7; // expected-warning {{Use of zero-allocated memory}}
274 }
CheckUseZeroAllocated3()275 void CheckUseZeroAllocated3() {
276 int *p = malloc(0);
277 UseZeroAllocated(p);
278 }
279
280 void f(char);
CheckUseZeroAllocated4()281 void CheckUseZeroAllocated4() {
282 char *p = valloc(0);
283 f(*p); // expected-warning {{Use of zero-allocated memory}}
284 free(p);
285 }
286
CheckUseZeroAllocated5()287 void CheckUseZeroAllocated5() {
288 int *p = calloc(0, 2);
289 *p = 1; // expected-warning {{Use of zero-allocated memory}}
290 free(p);
291 }
292
CheckUseZeroAllocated6()293 void CheckUseZeroAllocated6() {
294 int *p = calloc(2, 0);
295 *p = 1; // expected-warning {{Use of zero-allocated memory}}
296 free(p);
297 }
298
CheckUseZeroAllocated7()299 void CheckUseZeroAllocated7() {
300 int *p = realloc(0, 0);
301 *p = 1; // expected-warning {{Use of zero-allocated memory}}
302 free(p);
303 }
304
CheckUseZeroAllocated8()305 void CheckUseZeroAllocated8() {
306 int *p = malloc(8);
307 int *q = realloc(p, 0);
308 *q = 1; // expected-warning {{Use of zero-allocated memory}}
309 free(q);
310 }
311
CheckUseZeroAllocated9()312 void CheckUseZeroAllocated9() {
313 int *p = realloc(0, 0);
314 int *q = realloc(p, 0);
315 *q = 1; // expected-warning {{Use of zero-allocated memory}}
316 free(q);
317 }
318
CheckUseZeroAllocatedPathNoWarn(_Bool b)319 void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
320 int s = 0;
321 if (b)
322 s= 10;
323
324 char *p = malloc(s);
325
326 if (b)
327 *p = 1; // no warning
328
329 free(p);
330 }
331
CheckUseZeroAllocatedPathWarn(_Bool b)332 void CheckUseZeroAllocatedPathWarn(_Bool b) {
333 int s = 10;
334 if (b)
335 s= 0;
336
337 char *p = malloc(s);
338
339 if (b)
340 *p = 1; // expected-warning {{Use of zero-allocated memory}}
341
342 free(p);
343 }
344
CheckUseZeroReallocatedPathNoWarn(_Bool b)345 void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
346 int s = 0;
347 if (b)
348 s= 10;
349
350 char *p = malloc(8);
351 char *q = realloc(p, s);
352
353 if (b)
354 *q = 1; // no warning
355
356 free(q);
357 }
358
CheckUseZeroReallocatedPathWarn(_Bool b)359 void CheckUseZeroReallocatedPathWarn(_Bool b) {
360 int s = 10;
361 if (b)
362 s= 0;
363
364 char *p = malloc(8);
365 char *q = realloc(p, s);
366
367 if (b)
368 *q = 1; // expected-warning {{Use of zero-allocated memory}}
369
370 free(q);
371 }
372
373 // This case tests that storing malloc'ed memory to a static variable which is
374 // then returned is not leaked. In the absence of known contracts for functions
375 // or inter-procedural analysis, this is a conservative answer.
f3()376 int *f3() {
377 static int *p = 0;
378 p = malloc(12);
379 return p; // no-warning
380 }
381
382 // This case tests that storing malloc'ed memory to a static global variable
383 // which is then returned is not leaked. In the absence of known contracts for
384 // functions or inter-procedural analysis, this is a conservative answer.
385 static int *p_f4 = 0;
f4()386 int *f4() {
387 p_f4 = malloc(12);
388 return p_f4; // no-warning
389 }
390
f5()391 int *f5() {
392 int *q = malloc(12);
393 q = realloc(q, 20);
394 return q; // no-warning
395 }
396
f6()397 void f6() {
398 int *p = malloc(12);
399 if (!p)
400 return; // no-warning
401 else
402 free(p);
403 }
404
f6_realloc()405 void f6_realloc() {
406 int *p = malloc(12);
407 if (!p)
408 return; // no-warning
409 else
410 realloc(p,0);
411 }
412
413
414 char *doit2();
pr6069()415 void pr6069() {
416 char *buf = doit2();
417 free(buf);
418 }
419
pr6293()420 void pr6293() {
421 free(0);
422 }
423
f7()424 void f7() {
425 char *x = (char*) malloc(4);
426 free(x);
427 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
428 }
429
f8()430 void f8() {
431 char *x = (char*) malloc(4);
432 free(x);
433 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
434 }
435
f7_realloc()436 void f7_realloc() {
437 char *x = (char*) malloc(4);
438 realloc(x,0);
439 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
440 }
441
PR6123()442 void PR6123() {
443 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
444 }
445
PR7217()446 void PR7217() {
447 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
448 buf[1] = 'c'; // not crash
449 }
450
cast_emtpy_struct()451 void cast_emtpy_struct() {
452 struct st {
453 };
454
455 struct st *s = malloc(sizeof(struct st)); // no-warning
456 free(s);
457 }
458
cast_struct_1()459 void cast_struct_1() {
460 struct st {
461 int i[100];
462 char j[];
463 };
464
465 struct st *s = malloc(sizeof(struct st)); // no-warning
466 free(s);
467 }
468
cast_struct_2()469 void cast_struct_2() {
470 struct st {
471 int i[100];
472 char j[0];
473 };
474
475 struct st *s = malloc(sizeof(struct st)); // no-warning
476 free(s);
477 }
478
cast_struct_3()479 void cast_struct_3() {
480 struct st {
481 int i[100];
482 char j[1];
483 };
484
485 struct st *s = malloc(sizeof(struct st)); // no-warning
486 free(s);
487 }
488
cast_struct_4()489 void cast_struct_4() {
490 struct st {
491 int i[100];
492 char j[2];
493 };
494
495 struct st *s = malloc(sizeof(struct st)); // no-warning
496 free(s);
497 }
498
cast_struct_5()499 void cast_struct_5() {
500 struct st {
501 char i[200];
502 char j[1];
503 };
504
505 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning
506 free(s);
507 }
508
cast_struct_warn_1()509 void cast_struct_warn_1() {
510 struct st {
511 int i[100];
512 char j[2];
513 };
514
515 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
516 free(s);
517 }
518
cast_struct_warn_2()519 void cast_struct_warn_2() {
520 struct st {
521 int i[100];
522 char j[2];
523 };
524
525 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
526 free(s);
527 }
528
cast_struct_flex_array_1()529 void cast_struct_flex_array_1() {
530 struct st {
531 int i[100];
532 char j[];
533 };
534
535 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
536 free(s);
537 }
538
cast_struct_flex_array_2()539 void cast_struct_flex_array_2() {
540 struct st {
541 int i[100];
542 char j[0];
543 };
544
545 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
546 free(s);
547 }
548
cast_struct_flex_array_3()549 void cast_struct_flex_array_3() {
550 struct st {
551 int i[100];
552 char j[1];
553 };
554
555 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
556 free(s);
557 }
558
cast_struct_flex_array_4()559 void cast_struct_flex_array_4() {
560 struct foo {
561 char f[32];
562 };
563 struct st {
564 char i[100];
565 struct foo data[];
566 };
567
568 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
569 free(s);
570 }
571
cast_struct_flex_array_5()572 void cast_struct_flex_array_5() {
573 struct foo {
574 char f[32];
575 };
576 struct st {
577 char i[100];
578 struct foo data[0];
579 };
580
581 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
582 free(s);
583 }
584
cast_struct_flex_array_6()585 void cast_struct_flex_array_6() {
586 struct foo {
587 char f[32];
588 };
589 struct st {
590 char i[100];
591 struct foo data[1];
592 };
593
594 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
595 free(s);
596 }
597
cast_struct_flex_array_warn_1()598 void cast_struct_flex_array_warn_1() {
599 struct foo {
600 char f[32];
601 };
602 struct st {
603 char i[100];
604 struct foo data[];
605 };
606
607 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
608 free(s);
609 }
610
cast_struct_flex_array_warn_2()611 void cast_struct_flex_array_warn_2() {
612 struct foo {
613 char f[32];
614 };
615 struct st {
616 char i[100];
617 struct foo data[0];
618 };
619
620 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
621 free(s);
622 }
623
cast_struct_flex_array_warn_3()624 void cast_struct_flex_array_warn_3() {
625 struct foo {
626 char f[32];
627 };
628 struct st {
629 char i[100];
630 struct foo data[1];
631 };
632
633 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
634 free(s);
635 }
636
cast_struct_flex_array_warn_4()637 void cast_struct_flex_array_warn_4() {
638 struct st {
639 int i[100];
640 int j[];
641 };
642
643 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
644 free(s);
645 }
646
cast_struct_flex_array_warn_5()647 void cast_struct_flex_array_warn_5() {
648 struct st {
649 int i[100];
650 int j[0];
651 };
652
653 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
654 free(s);
655 }
656
cast_struct_flex_array_warn_6()657 void cast_struct_flex_array_warn_6() {
658 struct st {
659 int i[100];
660 int j[1];
661 };
662
663 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
664 free(s);
665 }
666
mallocCastToVoid()667 void mallocCastToVoid() {
668 void *p = malloc(2);
669 const void *cp = p; // not crash
670 free(p);
671 }
672
mallocCastToFP()673 void mallocCastToFP() {
674 void *p = malloc(2);
675 void (*fp)() = p; // not crash
676 free(p);
677 }
678
679 // This tests that malloc() buffers are undefined by default
mallocGarbage()680 char mallocGarbage () {
681 char *buf = malloc(2);
682 char result = buf[1]; // expected-warning{{undefined}}
683 free(buf);
684 return result;
685 }
686
687 // This tests that calloc() buffers need to be freed
callocNoFree()688 void callocNoFree () {
689 char *buf = calloc(2,2);
690 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
691 }
692
693 // These test that calloc() buffers are zeroed by default
callocZeroesGood()694 char callocZeroesGood () {
695 char *buf = calloc(2,2);
696 char result = buf[3]; // no-warning
697 if (buf[1] == 0) {
698 free(buf);
699 }
700 return result; // no-warning
701 }
702
callocZeroesBad()703 char callocZeroesBad () {
704 char *buf = calloc(2,2);
705 char result = buf[3]; // no-warning
706 if (buf[1] != 0) {
707 free(buf); // expected-warning{{never executed}}
708 }
709 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
710 }
711
nullFree()712 void nullFree() {
713 int *p = 0;
714 free(p); // no warning - a nop
715 }
716
paramFree(int * p)717 void paramFree(int *p) {
718 myfoo(p);
719 free(p); // no warning
720 myfoo(p); // expected-warning {{Use of memory after it is freed}}
721 }
722
mallocEscapeRet()723 int* mallocEscapeRet() {
724 int *p = malloc(12);
725 return p; // no warning
726 }
727
mallocEscapeFoo()728 void mallocEscapeFoo() {
729 int *p = malloc(12);
730 myfoo(p);
731 return; // no warning
732 }
733
mallocEscapeFree()734 void mallocEscapeFree() {
735 int *p = malloc(12);
736 myfoo(p);
737 free(p);
738 }
739
mallocEscapeFreeFree()740 void mallocEscapeFreeFree() {
741 int *p = malloc(12);
742 myfoo(p);
743 free(p);
744 free(p); // expected-warning{{Attempt to free released memory}}
745 }
746
mallocEscapeFreeUse()747 void mallocEscapeFreeUse() {
748 int *p = malloc(12);
749 myfoo(p);
750 free(p);
751 myfoo(p); // expected-warning{{Use of memory after it is freed}}
752 }
753
754 int *myalloc();
755 void myalloc2(int **p);
756
mallocEscapeFreeCustomAlloc()757 void mallocEscapeFreeCustomAlloc() {
758 int *p = malloc(12);
759 myfoo(p);
760 free(p);
761 p = myalloc();
762 free(p); // no warning
763 }
764
mallocEscapeFreeCustomAlloc2()765 void mallocEscapeFreeCustomAlloc2() {
766 int *p = malloc(12);
767 myfoo(p);
768 free(p);
769 myalloc2(&p);
770 free(p); // no warning
771 }
772
mallocBindFreeUse()773 void mallocBindFreeUse() {
774 int *x = malloc(12);
775 int *y = x;
776 free(y);
777 myfoo(x); // expected-warning{{Use of memory after it is freed}}
778 }
779
mallocEscapeMalloc()780 void mallocEscapeMalloc() {
781 int *p = malloc(12);
782 myfoo(p);
783 p = malloc(12);
784 } // expected-warning{{Potential leak of memory pointed to by}}
785
mallocMalloc()786 void mallocMalloc() {
787 int *p = malloc(12);
788 p = malloc(12);
789 } // expected-warning {{Potential leak of memory pointed to by}}
790
mallocFreeMalloc()791 void mallocFreeMalloc() {
792 int *p = malloc(12);
793 free(p);
794 p = malloc(12);
795 free(p);
796 }
797
mallocFreeUse_params()798 void mallocFreeUse_params() {
799 int *p = malloc(12);
800 free(p);
801 myfoo(p); //expected-warning{{Use of memory after it is freed}}
802 }
803
mallocFreeUse_params2()804 void mallocFreeUse_params2() {
805 int *p = malloc(12);
806 free(p);
807 myfooint(*p); //expected-warning{{Use of memory after it is freed}}
808 }
809
mallocFailedOrNot()810 void mallocFailedOrNot() {
811 int *p = malloc(12);
812 if (!p)
813 free(p);
814 else
815 free(p);
816 }
817
818 struct StructWithInt {
819 int g;
820 };
821
mallocReturnFreed()822 int *mallocReturnFreed() {
823 int *p = malloc(12);
824 free(p);
825 return p; // expected-warning {{Use of memory after it is freed}}
826 }
827
useAfterFreeStruct()828 int useAfterFreeStruct() {
829 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
830 px->g = 5;
831 free(px);
832 return px->g; // expected-warning {{Use of memory after it is freed}}
833 }
834
835 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
836
mallocEscapeFooNonSymbolArg()837 void mallocEscapeFooNonSymbolArg() {
838 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
839 nonSymbolAsFirstArg(&p->g, p);
840 return; // no warning
841 }
842
mallocFailedOrNotLeak()843 void mallocFailedOrNotLeak() {
844 int *p = malloc(12);
845 if (p == 0)
846 return; // no warning
847 else
848 return; // expected-warning {{Potential leak of memory pointed to by}}
849 }
850
mallocAssignment()851 void mallocAssignment() {
852 char *p = malloc(12);
853 p = fooRetPtr();
854 } // expected-warning {{leak}}
855
vallocTest()856 int vallocTest() {
857 char *mem = valloc(12);
858 return 0; // expected-warning {{Potential leak of memory pointed to by}}
859 }
860
vallocEscapeFreeUse()861 void vallocEscapeFreeUse() {
862 int *p = valloc(12);
863 myfoo(p);
864 free(p);
865 myfoo(p); // expected-warning{{Use of memory after it is freed}}
866 }
867
868 int *Gl;
869 struct GlStTy {
870 int *x;
871 };
872
873 struct GlStTy GlS = {0};
874
GlobalFree()875 void GlobalFree() {
876 free(Gl);
877 }
878
GlobalMalloc()879 void GlobalMalloc() {
880 Gl = malloc(12);
881 }
882
GlobalStructMalloc()883 void GlobalStructMalloc() {
884 int *a = malloc(12);
885 GlS.x = a;
886 }
887
GlobalStructMallocFree()888 void GlobalStructMallocFree() {
889 int *a = malloc(12);
890 GlS.x = a;
891 free(GlS.x);
892 }
893
894 char *ArrayG[12];
895
globalArrayTest()896 void globalArrayTest() {
897 char *p = (char*)malloc(12);
898 ArrayG[0] = p;
899 }
900
901 // Make sure that we properly handle a pointer stored into a local struct/array.
902 typedef struct _StructWithPtr {
903 int *memP;
904 } StructWithPtr;
905
906 static StructWithPtr arrOfStructs[10];
907
testMalloc()908 void testMalloc() {
909 int *x = malloc(12);
910 StructWithPtr St;
911 St.memP = x;
912 arrOfStructs[0] = St; // no-warning
913 }
914
testMalloc2()915 StructWithPtr testMalloc2() {
916 int *x = malloc(12);
917 StructWithPtr St;
918 St.memP = x;
919 return St; // no-warning
920 }
921
testMalloc3()922 int *testMalloc3() {
923 int *x = malloc(12);
924 int *y = x;
925 return y; // no-warning
926 }
927
testStructLeak()928 void testStructLeak() {
929 StructWithPtr St;
930 St.memP = malloc(12);
931 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
932 }
933
testElemRegion1()934 void testElemRegion1() {
935 char *x = (void*)malloc(2);
936 int *ix = (int*)x;
937 free(&(x[0]));
938 }
939
testElemRegion2(int ** pp)940 void testElemRegion2(int **pp) {
941 int *p = malloc(12);
942 *pp = p;
943 free(pp[0]);
944 }
945
testElemRegion3(int ** pp)946 void testElemRegion3(int **pp) {
947 int *p = malloc(12);
948 *pp = p;
949 free(*pp);
950 }
951 // Region escape testing.
952
953 unsigned takePtrToPtr(int **p);
PassTheAddrOfAllocatedData(int f)954 void PassTheAddrOfAllocatedData(int f) {
955 int *p = malloc(12);
956 // We don't know what happens after the call. Should stop tracking here.
957 if (takePtrToPtr(&p))
958 f++;
959 free(p); // no warning
960 }
961
962 struct X {
963 int *p;
964 };
965 unsigned takePtrToStruct(struct X *s);
foo2(int * g,int f)966 int ** foo2(int *g, int f) {
967 int *p = malloc(12);
968 struct X *px= malloc(sizeof(struct X));
969 px->p = p;
970 // We don't know what happens after this call. Should not track px nor p.
971 if (takePtrToStruct(px))
972 f++;
973 free(p);
974 return 0;
975 }
976
RegInvalidationDetect1(struct X * s2)977 struct X* RegInvalidationDetect1(struct X *s2) {
978 struct X *px= malloc(sizeof(struct X));
979 px->p = 0;
980 px = s2;
981 return px; // expected-warning {{Potential leak of memory pointed to by}}
982 }
983
RegInvalidationGiveUp1()984 struct X* RegInvalidationGiveUp1() {
985 int *p = malloc(12);
986 struct X *px= malloc(sizeof(struct X));
987 px->p = p;
988 return px;
989 }
990
RegInvalidationDetect2(int ** pp)991 int **RegInvalidationDetect2(int **pp) {
992 int *p = malloc(12);
993 pp = &p;
994 pp++;
995 return 0;// expected-warning {{Potential leak of memory pointed to by}}
996 }
997
998 extern void exit(int) __attribute__ ((__noreturn__));
mallocExit(int * g)999 void mallocExit(int *g) {
1000 struct xx *p = malloc(12);
1001 if (g != 0)
1002 exit(1);
1003 free(p);
1004 return;
1005 }
1006
1007 extern void __assert_fail (__const char *__assertion, __const char *__file,
1008 unsigned int __line, __const char *__function)
1009 __attribute__ ((__noreturn__));
1010 #define assert(expr) \
1011 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
mallocAssert(int * g)1012 void mallocAssert(int *g) {
1013 struct xx *p = malloc(12);
1014
1015 assert(g != 0);
1016 free(p);
1017 return;
1018 }
1019
doNotInvalidateWhenPassedToSystemCalls(char * s)1020 void doNotInvalidateWhenPassedToSystemCalls(char *s) {
1021 char *p = malloc(12);
1022 strlen(p);
1023 strcpy(p, s);
1024 strcpy(s, p);
1025 strcpy(p, p);
1026 memcpy(p, s, 1);
1027 memcpy(s, p, 1);
1028 memcpy(p, p, 1);
1029 } // expected-warning {{leak}}
1030
1031 // Treat source buffer contents as escaped.
escapeSourceContents(char * s)1032 void escapeSourceContents(char *s) {
1033 char *p = malloc(12);
1034 memcpy(s, &p, 12); // no warning
1035
1036 void *p1 = malloc(7);
1037 char *a;
1038 memcpy(&a, &p1, sizeof a);
1039 // FIXME: No warning due to limitations imposed by current modelling of
1040 // 'memcpy' (regions metadata is not copied).
1041
1042 int *ptrs[2];
1043 int *allocated = (int *)malloc(4);
1044 memcpy(&ptrs[0], &allocated, sizeof(int *));
1045 // FIXME: No warning due to limitations imposed by current modelling of
1046 // 'memcpy' (regions metadata is not copied).
1047 }
1048
invalidateDestinationContents()1049 void invalidateDestinationContents() {
1050 int *null = 0;
1051 int *p = (int *)malloc(4);
1052 memcpy(&p, &null, sizeof(int *));
1053
1054 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}}
1055 ptrs1[0] = (int *)malloc(4);
1056 memcpy(ptrs1, &null, sizeof(int *));
1057
1058 int *ptrs2[2]; // expected-warning {{Potential memory leak}}
1059 ptrs2[0] = (int *)malloc(4);
1060 memcpy(&ptrs2[1], &null, sizeof(int *));
1061
1062 int *ptrs3[2]; // expected-warning {{Potential memory leak}}
1063 ptrs3[0] = (int *)malloc(4);
1064 memcpy(&ptrs3[0], &null, sizeof(int *));
1065 } // expected-warning {{Potential memory leak}}
1066
1067 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
symbolLostWithStrcpy(char * s)1068 void symbolLostWithStrcpy(char *s) {
1069 char *p = malloc(12);
1070 p = strcpy(p, s);
1071 free(p);
1072 }
1073
1074
1075 // The same test as the one above, but with what is actually generated on a mac.
1076 static __inline char *
__inline_strcpy_chk(char * restrict __dest,const char * restrict __src)1077 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
1078 {
1079 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
1080 }
1081
symbolLostWithStrcpy_InlineStrcpyVersion(char * s)1082 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
1083 char *p = malloc(12);
1084 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
1085 free(p);
1086 }
1087
1088 // Here we are returning a pointer one past the allocated value. An idiom which
1089 // can be used for implementing special malloc. The correct uses of this might
1090 // be rare enough so that we could keep this as a warning.
specialMalloc(int n)1091 static void *specialMalloc(int n){
1092 int *p;
1093 p = malloc( n+8 );
1094 if( p ){
1095 p[0] = n;
1096 p++;
1097 }
1098 return p;
1099 }
1100
1101 // Potentially, the user could free the struct by performing pointer arithmetic on the return value.
1102 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
specialMallocWithStruct()1103 int *specialMallocWithStruct() {
1104 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
1105 return &(px->g);
1106 }
1107
1108 // Test various allocation/deallocation functions.
testStrdup(const char * s,unsigned validIndex)1109 void testStrdup(const char *s, unsigned validIndex) {
1110 char *s2 = strdup(s);
1111 s2[validIndex + 1] = 'b';
1112 } // expected-warning {{Potential leak of memory pointed to by}}
1113
testWinStrdup(const char * s,unsigned validIndex)1114 void testWinStrdup(const char *s, unsigned validIndex) {
1115 char *s2 = _strdup(s);
1116 s2[validIndex + 1] = 'b';
1117 } // expected-warning {{Potential leak of memory pointed to by}}
1118
testWcsdup(const wchar_t * s,unsigned validIndex)1119 void testWcsdup(const wchar_t *s, unsigned validIndex) {
1120 wchar_t *s2 = wcsdup(s);
1121 s2[validIndex + 1] = 'b';
1122 } // expected-warning {{Potential leak of memory pointed to by}}
1123
testWinWcsdup(const wchar_t * s,unsigned validIndex)1124 void testWinWcsdup(const wchar_t *s, unsigned validIndex) {
1125 wchar_t *s2 = _wcsdup(s);
1126 s2[validIndex + 1] = 'b';
1127 } // expected-warning {{Potential leak of memory pointed to by}}
1128
testStrndup(const char * s,unsigned validIndex,unsigned size)1129 int testStrndup(const char *s, unsigned validIndex, unsigned size) {
1130 char *s2 = strndup(s, size);
1131 s2 [validIndex + 1] = 'b';
1132 if (s2[validIndex] != 'a')
1133 return 0;
1134 else
1135 return 1;// expected-warning {{Potential leak of memory pointed to by}}
1136 }
1137
testStrdupContentIsDefined(const char * s,unsigned validIndex)1138 void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
1139 char *s2 = strdup(s);
1140 char result = s2[1];// no warning
1141 free(s2);
1142 }
1143
testWinStrdupContentIsDefined(const char * s,unsigned validIndex)1144 void testWinStrdupContentIsDefined(const char *s, unsigned validIndex) {
1145 char *s2 = _strdup(s);
1146 char result = s2[1];// no warning
1147 free(s2);
1148 }
1149
testWcsdupContentIsDefined(const wchar_t * s,unsigned validIndex)1150 void testWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1151 wchar_t *s2 = wcsdup(s);
1152 wchar_t result = s2[1];// no warning
1153 free(s2);
1154 }
1155
testWinWcsdupContentIsDefined(const wchar_t * s,unsigned validIndex)1156 void testWinWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1157 wchar_t *s2 = _wcsdup(s);
1158 wchar_t result = s2[1];// no warning
1159 free(s2);
1160 }
1161
1162 // ----------------------------------------------------------------------------
1163 // Test the system library functions to which the pointer can escape.
1164 // This tests false positive suppression.
1165
1166 // For now, we assume memory passed to pthread_specific escapes.
1167 // TODO: We could check that if a new pthread binding is set, the existing
1168 // binding must be freed; otherwise, a memory leak can occur.
testPthereadSpecificEscape(pthread_key_t key)1169 void testPthereadSpecificEscape(pthread_key_t key) {
1170 void *buf = malloc(12);
1171 pthread_setspecific(key, buf); // no warning
1172 }
1173
1174 // PR12101: Test funopen().
releasePtr(void * _ctx)1175 static int releasePtr(void *_ctx) {
1176 free(_ctx);
1177 return 0;
1178 }
useFunOpen()1179 FILE *useFunOpen() {
1180 void *ctx = malloc(sizeof(int));
1181 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
1182 if (f == 0) {
1183 free(ctx);
1184 }
1185 return f;
1186 }
useFunOpenNoReleaseFunction()1187 FILE *useFunOpenNoReleaseFunction() {
1188 void *ctx = malloc(sizeof(int));
1189 FILE *f = funopen(ctx, 0, 0, 0, 0);
1190 if (f == 0) {
1191 free(ctx);
1192 }
1193 return f; // expected-warning{{leak}}
1194 }
1195
readNothing(void * _ctx,char * buf,int size)1196 static int readNothing(void *_ctx, char *buf, int size) {
1197 return 0;
1198 }
useFunOpenReadNoRelease()1199 FILE *useFunOpenReadNoRelease() {
1200 void *ctx = malloc(sizeof(int));
1201 FILE *f = funopen(ctx, readNothing, 0, 0, 0);
1202 if (f == 0) {
1203 free(ctx);
1204 }
1205 return f; // expected-warning{{leak}}
1206 }
1207
1208 // Test setbuf, setvbuf.
my_main_no_warning()1209 int my_main_no_warning() {
1210 char *p = malloc(100);
1211 setvbuf(stdout, p, 0, 100);
1212 return 0;
1213 }
my_main_no_warning2()1214 int my_main_no_warning2() {
1215 char *p = malloc(100);
1216 setbuf(__stdoutp, p);
1217 return 0;
1218 }
my_main_warn(FILE * f)1219 int my_main_warn(FILE *f) {
1220 char *p = malloc(100);
1221 setvbuf(f, p, 0, 100);
1222 return 0;// expected-warning {{leak}}
1223 }
1224
1225 // <rdar://problem/10978247>.
1226 // some people use stack allocated memory as an optimization to avoid
1227 // a heap allocation for small work sizes. This tests the analyzer's
1228 // understanding that the malloc'ed memory is not the same as stackBuffer.
radar10978247(int myValueSize)1229 void radar10978247(int myValueSize) {
1230 char stackBuffer[128];
1231 char *buffer;
1232
1233 if (myValueSize <= sizeof(stackBuffer))
1234 buffer = stackBuffer;
1235 else
1236 buffer = malloc(myValueSize);
1237
1238 // do stuff with the buffer
1239 if (buffer != stackBuffer)
1240 free(buffer);
1241 }
1242
radar10978247_positive(int myValueSize)1243 void radar10978247_positive(int myValueSize) {
1244 char stackBuffer[128];
1245 char *buffer;
1246
1247 if (myValueSize <= sizeof(stackBuffer))
1248 buffer = stackBuffer;
1249 else
1250 buffer = malloc(myValueSize);
1251
1252 // do stuff with the buffer
1253 if (buffer == stackBuffer)
1254 return;
1255 else
1256 return; // expected-warning {{leak}}
1257 }�
1258 // <rdar://problem/11269741> Previously this triggered a false positive
1259 // because malloc() is known to return uninitialized memory and the binding
1260 // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
1261 struct rdar11269741_a_t {
1262 struct rdar11269741_b_t {
1263 int m;
1264 } n;
1265 };
1266
rdar11269741(struct rdar11269741_b_t o)1267 int rdar11269741(struct rdar11269741_b_t o)
1268 {
1269 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
1270 p->n = o;
1271 return p->n.m; // expected-warning {{leak}}
1272 }
1273
1274 // Pointer arithmetic, returning an ElementRegion.
radar11329382(unsigned bl)1275 void *radar11329382(unsigned bl) {
1276 void *ptr = malloc (16);
1277 ptr = ptr + (2 - bl);
1278 return ptr; // no warning
1279 }
1280
1281 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
1282 int strcmp(const char *, const char *);
1283 char *a (void);
radar11270219(void)1284 void radar11270219(void) {
1285 char *x = a(), *y = a();
1286 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
1287 strcmp(x, y); // no warning
1288 }
1289
radar_11358224_test_double_assign_ints_positive_2()1290 void radar_11358224_test_double_assign_ints_positive_2()
1291 {
1292 void *ptr = malloc(16);
1293 ptr = ptr;
1294 } // expected-warning {{leak}}
1295
1296 // Assume that functions which take a function pointer can free memory even if
1297 // they are defined in system headers and take the const pointer to the
1298 // allocated memory. (radar://11160612)
1299 int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
r11160612_1()1300 void r11160612_1() {
1301 char *x = malloc(12);
1302 const_ptr_and_callback(0, x, 12, free); // no - warning
1303 }
1304
1305 // Null is passed as callback.
r11160612_2()1306 void r11160612_2() {
1307 char *x = malloc(12);
1308 const_ptr_and_callback(0, x, 12, 0);
1309 } // expected-warning {{leak}}
1310
1311 // Callback is passed to a function defined in a system header.
r11160612_4()1312 void r11160612_4() {
1313 char *x = malloc(12);
1314 sqlite3_bind_text_my(0, x, 12, free); // no - warning
1315 }
1316
1317 // Passing callbacks in a struct.
r11160612_5(StWithCallback St)1318 void r11160612_5(StWithCallback St) {
1319 void *x = malloc(12);
1320 dealocateMemWhenDoneByVal(x, St);
1321 }
r11160612_6(StWithCallback St)1322 void r11160612_6(StWithCallback St) {
1323 void *x = malloc(12);
1324 dealocateMemWhenDoneByRef(&St, x);
1325 }
1326
1327 int mySub(int, int);
1328 int myAdd(int, int);
fPtr(unsigned cond,int x)1329 int fPtr(unsigned cond, int x) {
1330 return (cond ? mySub : myAdd)(x, x);
1331 }
1332
1333 // Test anti-aliasing.
1334
dependsOnValueOfPtr(int * g,unsigned f)1335 void dependsOnValueOfPtr(int *g, unsigned f) {
1336 int *p;
1337
1338 if (f) {
1339 p = g;
1340 } else {
1341 p = malloc(12);
1342 }
1343
1344 if (p != g)
1345 free(p);
1346 else
1347 return; // no warning
1348 return;
1349 }
1350
CMPRegionHeapToStack()1351 int CMPRegionHeapToStack() {
1352 int x = 0;
1353 int *x1 = malloc(8);
1354 int *x2 = &x;
1355 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
1356 free(x1);
1357 return x;
1358 }
1359
CMPRegionHeapToHeap2()1360 int CMPRegionHeapToHeap2() {
1361 int x = 0;
1362 int *x1 = malloc(8);
1363 int *x2 = malloc(8);
1364 int *x4 = x1;
1365 int *x5 = x2;
1366 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
1367 free(x1);
1368 free(x2);
1369 return x;
1370 }
1371
CMPRegionHeapToHeap()1372 int CMPRegionHeapToHeap() {
1373 int x = 0;
1374 int *x1 = malloc(8);
1375 int *x4 = x1;
1376 if (x1 == x4) {
1377 free(x1);
1378 return 5/x; // expected-warning{{Division by zero}}
1379 }
1380 return x;// expected-warning{{This statement is never executed}}
1381 }
1382
HeapAssignment()1383 int HeapAssignment() {
1384 int m = 0;
1385 int *x = malloc(4);
1386 int *y = x;
1387 *x = 5;
1388 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
1389 free(x);
1390 return 0;
1391 }
1392
1393 int *retPtr();
1394 int *retPtrMightAlias(int *x);
cmpHeapAllocationToUnknown()1395 int cmpHeapAllocationToUnknown() {
1396 int zero = 0;
1397 int *yBefore = retPtr();
1398 int *m = malloc(8);
1399 int *yAfter = retPtrMightAlias(m);
1400 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
1401 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
1402 free(m);
1403 return 0;
1404 }
1405
localArrayTest()1406 void localArrayTest() {
1407 char *p = (char*)malloc(12);
1408 char *ArrayL[12];
1409 ArrayL[0] = p;
1410 } // expected-warning {{leak}}
1411
localStructTest()1412 void localStructTest() {
1413 StructWithPtr St;
1414 StructWithPtr *pSt = &St;
1415 pSt->memP = malloc(12);
1416 } // expected-warning{{Potential leak of memory pointed to by}}
1417
1418 #ifdef __INTPTR_TYPE__
1419 // Test double assignment through integers.
1420 typedef __INTPTR_TYPE__ intptr_t;
1421 typedef unsigned __INTPTR_TYPE__ uintptr_t;
1422
1423 static intptr_t glob;
test_double_assign_ints()1424 void test_double_assign_ints()
1425 {
1426 void *ptr = malloc (16); // no-warning
1427 glob = (intptr_t)(uintptr_t)ptr;
1428 }
1429
test_double_assign_ints_positive()1430 void test_double_assign_ints_positive()
1431 {
1432 void *ptr = malloc(16);
1433 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
1434 } // expected-warning {{leak}}
1435 #endif
1436
testCGContextNoLeak()1437 void testCGContextNoLeak()
1438 {
1439 void *ptr = malloc(16);
1440 CGContextRef context = CGBitmapContextCreate(ptr);
1441
1442 // Because you can get the data back out like this, even much later,
1443 // CGBitmapContextCreate is one of our "stop-tracking" exceptions.
1444 free(CGBitmapContextGetData(context));
1445 }
1446
testCGContextLeak()1447 void testCGContextLeak()
1448 {
1449 void *ptr = malloc(16);
1450 CGContextRef context = CGBitmapContextCreate(ptr);
1451 // However, this time we're just leaking the data, because the context
1452 // object doesn't escape and it hasn't been freed in this function.
1453 }
1454
1455 // Allow xpc context to escape. radar://11635258
1456 // TODO: Would be great if we checked that the finalize_connection_context actually releases it.
finalize_connection_context(void * ctx)1457 static void finalize_connection_context(void *ctx) {
1458 int *context = ctx;
1459 free(context);
1460 }
foo(xpc_connection_t peer)1461 void foo (xpc_connection_t peer) {
1462 int *ctx = calloc(1, sizeof(int));
1463 xpc_connection_set_context(peer, ctx);
1464 xpc_connection_set_finalizer_f(peer, finalize_connection_context);
1465 xpc_connection_resume(peer);
1466 }
1467
1468 // Make sure we catch errors when we free in a function which does not allocate memory.
freeButNoMalloc(int * p,int x)1469 void freeButNoMalloc(int *p, int x){
1470 if (x) {
1471 free(p);
1472 //user forgot a return here.
1473 }
1474 free(p); // expected-warning {{Attempt to free released memory}}
1475 }
1476
1477 struct HasPtr {
1478 char *p;
1479 };
1480
reallocButNoMalloc(struct HasPtr * a,int c,int size)1481 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1482 int *s;
1483 char *b = realloc(a->p, size);
1484 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1485 // We don't expect a use-after-free for a->P here because the warning above
1486 // is a sink.
1487 return a->p; // no-warning
1488 }
1489
1490 // We should not warn in this case since the caller will presumably free a->p in all cases.
reallocButNoMallocPR13674(struct HasPtr * a,int c,int size)1491 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1492 int *s;
1493 char *b = realloc(a->p, size);
1494 if (b == 0)
1495 return -1;
1496 a->p = b;
1497 return 0;
1498 }
1499
1500 // Test realloc with no visible malloc.
test(void * ptr)1501 void *test(void *ptr) {
1502 void *newPtr = realloc(ptr, 4);
1503 if (newPtr == 0) {
1504 if (ptr)
1505 free(ptr); // no-warning
1506 }
1507 return newPtr;
1508 }
1509
1510
testLeakWithinReturn(char * str)1511 char *testLeakWithinReturn(char *str) {
1512 return strdup(strdup(str)); // expected-warning{{leak}}
1513 }
1514
testWinLeakWithinReturn(char * str)1515 char *testWinLeakWithinReturn(char *str) {
1516 return _strdup(_strdup(str)); // expected-warning{{leak}}
1517 }
1518
testWinWideLeakWithinReturn(wchar_t * str)1519 wchar_t *testWinWideLeakWithinReturn(wchar_t *str) {
1520 return _wcsdup(_wcsdup(str)); // expected-warning{{leak}}
1521 }
1522
1523 void passConstPtr(const char * ptr);
1524
testPassConstPointer()1525 void testPassConstPointer() {
1526 char * string = malloc(sizeof(char)*10);
1527 passConstPtr(string);
1528 return; // expected-warning {{leak}}
1529 }
1530
testPassConstPointerIndirectly()1531 void testPassConstPointerIndirectly() {
1532 char *p = malloc(1);
1533 p++;
1534 memcmp(p, p, sizeof(&p));
1535 return; // expected-warning {{leak}}
1536 }
1537
testPassConstPointerIndirectlyStruct()1538 void testPassConstPointerIndirectlyStruct() {
1539 struct HasPtr hp;
1540 hp.p = malloc(10);
1541 memcmp(&hp, &hp, sizeof(hp));
1542 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
1543 }
1544
testPassToSystemHeaderFunctionIndirectlyStruct()1545 void testPassToSystemHeaderFunctionIndirectlyStruct() {
1546 SomeStruct ss;
1547 ss.p = malloc(1);
1548 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1549 // Technically a false negative here -- we know the system function won't free
1550 // ss.p, but nothing else will either!
1551 } // no-warning
1552
testPassToSystemHeaderFunctionIndirectlyStructFree()1553 void testPassToSystemHeaderFunctionIndirectlyStructFree() {
1554 SomeStruct ss;
1555 ss.p = malloc(1);
1556 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1557 free(ss.p);
1558 } // no-warning
1559
testPassToSystemHeaderFunctionIndirectlyArray()1560 void testPassToSystemHeaderFunctionIndirectlyArray() {
1561 int *p[1];
1562 p[0] = malloc(sizeof(int));
1563 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1564 // Technically a false negative here -- we know the system function won't free
1565 // p[0], but nothing else will either!
1566 } // no-warning
1567
testPassToSystemHeaderFunctionIndirectlyArrayFree()1568 void testPassToSystemHeaderFunctionIndirectlyArrayFree() {
1569 int *p[1];
1570 p[0] = malloc(sizeof(int));
1571 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1572 free(p[0]);
1573 } // no-warning
1574
testOffsetAllocate(size_t size)1575 int *testOffsetAllocate(size_t size) {
1576 int *memoryBlock = (int *)malloc(size + sizeof(int));
1577 return &memoryBlock[1]; // no-warning
1578 }
1579
testOffsetDeallocate(int * memoryBlock)1580 void testOffsetDeallocate(int *memoryBlock) {
1581 free(&memoryBlock[-1]); // no-warning
1582 }
1583
testOffsetOfRegionFreed()1584 void testOffsetOfRegionFreed() {
1585 __int64_t * array = malloc(sizeof(__int64_t)*2);
1586 array += 1;
1587 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1588 }
1589
testOffsetOfRegionFreed2()1590 void testOffsetOfRegionFreed2() {
1591 __int64_t *p = malloc(sizeof(__int64_t)*2);
1592 p += 1;
1593 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1594 }
1595
testOffsetOfRegionFreed3()1596 void testOffsetOfRegionFreed3() {
1597 char *r = malloc(sizeof(char));
1598 r = r - 10;
1599 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
1600 }
1601
testOffsetOfRegionFreedAfterFunctionCall()1602 void testOffsetOfRegionFreedAfterFunctionCall() {
1603 int *p = malloc(sizeof(int)*2);
1604 p += 1;
1605 myfoo(p);
1606 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
1607 }
1608
testFixManipulatedPointerBeforeFree()1609 void testFixManipulatedPointerBeforeFree() {
1610 int * array = malloc(sizeof(int)*2);
1611 array += 1;
1612 free(&array[-1]); // no-warning
1613 }
1614
testFixManipulatedPointerBeforeFree2()1615 void testFixManipulatedPointerBeforeFree2() {
1616 char *r = malloc(sizeof(char));
1617 r = r + 10;
1618 free(r-10); // no-warning
1619 }
1620
freeOffsetPointerPassedToFunction()1621 void freeOffsetPointerPassedToFunction() {
1622 __int64_t *p = malloc(sizeof(__int64_t)*2);
1623 p[1] = 0;
1624 p += 1;
1625 myfooint(*p); // not passing the pointer, only a value pointed by pointer
1626 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1627 }
1628
1629 int arbitraryInt();
freeUnknownOffsetPointer()1630 void freeUnknownOffsetPointer() {
1631 char *r = malloc(sizeof(char));
1632 r = r + arbitraryInt(); // unable to reason about what the offset might be
1633 free(r); // no-warning
1634 }
1635
testFreeNonMallocPointerWithNoOffset()1636 void testFreeNonMallocPointerWithNoOffset() {
1637 char c;
1638 char *r = &c;
1639 r = r + 10;
1640 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1641 }
1642
testFreeNonMallocPointerWithOffset()1643 void testFreeNonMallocPointerWithOffset() {
1644 char c;
1645 char *r = &c;
1646 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1647 }
1648
testOffsetZeroDoubleFree()1649 void testOffsetZeroDoubleFree() {
1650 int *array = malloc(sizeof(int)*2);
1651 int *p = &array[0];
1652 free(p);
1653 free(&array[0]); // expected-warning{{Attempt to free released memory}}
1654 }
1655
testOffsetPassedToStrlen()1656 void testOffsetPassedToStrlen() {
1657 char * string = malloc(sizeof(char)*10);
1658 string += 1;
1659 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
1660 }
1661
testOffsetPassedToStrlenThenFree()1662 void testOffsetPassedToStrlenThenFree() {
1663 char * string = malloc(sizeof(char)*10);
1664 string += 1;
1665 int length = strlen(string);
1666 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1667 }
1668
testOffsetPassedAsConst()1669 void testOffsetPassedAsConst() {
1670 char * string = malloc(sizeof(char)*10);
1671 string += 1;
1672 passConstPtr(string);
1673 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1674 }
1675
1676 char **_vectorSegments;
1677 int _nVectorSegments;
1678
poolFreeC(void * s)1679 void poolFreeC(void* s) {
1680 free(s); // no-warning
1681 }
freeMemory()1682 void freeMemory() {
1683 while (_nVectorSegments) {
1684 poolFreeC(_vectorSegments[_nVectorSegments++]);
1685 }
1686 }
1687
1688 // PR16730
testReallocEscaped(void ** memory)1689 void testReallocEscaped(void **memory) {
1690 *memory = malloc(47);
1691 char *new_memory = realloc(*memory, 47);
1692 if (new_memory != 0) {
1693 *memory = new_memory;
1694 }
1695 }
1696
1697 // PR16558
smallocNoWarn(size_t size)1698 void *smallocNoWarn(size_t size) {
1699 if (size == 0) {
1700 return malloc(1); // this branch is never called
1701 }
1702 else {
1703 return malloc(size);
1704 }
1705 }
1706
dupstrNoWarn(const char * s)1707 char *dupstrNoWarn(const char *s) {
1708 const int len = strlen(s);
1709 char *p = (char*) smallocNoWarn(len + 1);
1710 strcpy(p, s); // no-warning
1711 return p;
1712 }
1713
smallocWarn(size_t size)1714 void *smallocWarn(size_t size) {
1715 if (size == 2) {
1716 return malloc(1);
1717 }
1718 else {
1719 return malloc(size);
1720 }
1721 }
1722
dupstrWarn(const char * s)1723 char *dupstrWarn(const char *s) {
1724 const int len = strlen(s);
1725 char *p = (char*) smallocWarn(len + 1);
1726 strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}}
1727 return p;
1728 }
1729
radar15580979()1730 int *radar15580979() {
1731 int *data = (int *)malloc(32);
1732 int *p = data ?: (int*)malloc(32); // no warning
1733 return p;
1734 }
1735
1736 // Some data structures may hold onto the pointer and free it later.
testEscapeThroughSystemCallTakingVoidPointer1(void * queue)1737 void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
1738 int *data = (int *)malloc(32);
1739 fake_insque(queue, data); // no warning
1740 }
1741
testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t * rbt)1742 void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) {
1743 int *data = (int *)malloc(32);
1744 fake_rb_tree_init(rbt, data);
1745 } //expected-warning{{Potential leak}}
1746
testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t * rbt)1747 void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
1748 int *data = (int *)malloc(32);
1749 fake_rb_tree_init(rbt, data);
1750 fake_rb_tree_insert_node(rbt, data); // no warning
1751 }
1752
1753 struct IntAndPtr {
1754 int x;
1755 int *p;
1756 };
1757
1758 void constEscape(const void *ptr);
1759
testConstEscapeThroughAnotherField()1760 void testConstEscapeThroughAnotherField() {
1761 struct IntAndPtr s;
1762 s.p = malloc(sizeof(int));
1763 constEscape(&(s.x)); // could free s->p!
1764 } // no-warning
1765
1766 // ----------------------------------------------------------------------------
1767 // False negatives.
1768
testMallocWithParam(int ** p)1769 void testMallocWithParam(int **p) {
1770 *p = (int*) malloc(sizeof(int));
1771 *p = 0; // FIXME: should warn here
1772 }
1773
testMallocWithParam_2(int ** p)1774 void testMallocWithParam_2(int **p) {
1775 *p = (int*) malloc(sizeof(int)); // no-warning
1776 }
1777
testPassToSystemHeaderFunctionIndirectly()1778 void testPassToSystemHeaderFunctionIndirectly() {
1779 int *p = malloc(4);
1780 p++;
1781 fakeSystemHeaderCallInt(p);
1782 // FIXME: This is a leak: if we think a system function won't free p, it
1783 // won't free (p-1) either.
1784 }
1785
testMallocIntoMalloc()1786 void testMallocIntoMalloc() {
1787 StructWithPtr *s = malloc(sizeof(StructWithPtr));
1788 s->memP = malloc(sizeof(int));
1789 free(s);
1790 } // FIXME: should warn here
1791