// RUN: %clang_cc1 -analyze -analyzer-checker=unix.Malloc -analyzer-inline-max-stack-depth=5 -verify %s
#include "Inputs/system-header-simulator.h"

// The allocator family is declared here by hand instead of pulling in the
// real <stdlib.h>. Only malloc() and free() are called in the part of the
// file shown; valloc/realloc/reallocf/calloc are declared but not used there.
// NOTE(review): size_t presumably comes from the simulator header above.
void *malloc(size_t);
void *valloc(size_t);
void free(void *);
void *realloc(void *ptr, size_t size);
void *reallocf(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size);

// exit() is marked noreturn, so the null branch in my_malloc2 ends there.
void exit(int) __attribute__ ((__noreturn__));
void *memcpy(void * restrict s1, const void * restrict s2, size_t n);
size_t strlen(const char *);
// Allocation wrapper that hands the buffer back through an out-parameter.
// The malloc() result is stored into *d without a null check; whoever owns
// *d afterwards is responsible for freeing it.
static void my_malloc1(void **d, size_t size) {
  *d = malloc(size);
}
// Allocation wrapper that returns the buffer directly and never returns
// null: a failed malloc() terminates the process via exit(0).
// 'elevel' is not read anywhere in the body.
static void *my_malloc2(int elevel, size_t size) {
  void *data;
  data = malloc(size);
  if (data == 0)
    exit(0);
  return data;
}
// Deallocation wrapper: forwards p straight to free().
static void my_free1(void *p) {
  free(p);
}
// Leak through an out-parameter wrapper: my_malloc1 stores a fresh
// allocation in 'data' and nothing frees it before the function ends.
// The diagnostic is pinned to the closing brace, where 'data' goes out of
// scope; keep the directive on that line.
static void test1() {
  void *data = 0;
  my_malloc1(&data, 4);
} // expected-warning {{Potential leak of memory pointed to by 'data'}}
// Balanced counterpart of test1: the allocation made inside my_malloc1 is
// released inside my_free1. No directive is attached, so no diagnostic is
// wanted here.
static void test11() {
  void *data = 0;
  my_malloc1(&data, 4);
  my_free1(data);
}
// Two separate leaks of 'data', each with its own directive. Both buffers
// come from the same malloc() call inside my_malloc2.
// NOTE(review): going by the function name, the point is that the two
// reports are kept apart by their call sites in this top-level function
// rather than merged - confirm against the checker.
static void testUniqueingByallocationSiteInTopLevelFunction() {
  void *data = my_malloc2(1, 4);
  // Overwriting the only pointer drops the first allocation; the report is
  // pinned to the statement that follows.
  data = 0;
  int x = 5;// expected-warning {{Potential leak of memory pointed to by 'data'}}
  // Second allocation, never freed; reported at the end of the function.
  data = my_malloc2(1, 4);
} // expected-warning {{Potential leak of memory pointed to by 'data'}}
// Allocate-and-free twice, reusing the same variable. Each buffer from
// my_malloc2 is released by a direct free(); no diagnostic is wanted.
static void test3() {
  void *data = my_malloc2(1, 4);
  free(data);
  data = my_malloc2(1, 4);
  free(data);
}
// Use-after-free across wrapper calls: the second allocation is released
// inside my_free1 and then dereferenced by the return statement. The first
// allocate/free pair is balanced and is not what the directive flags.
int test4() {
  int *data = (int*)my_malloc2(1, 4);
  my_free1(data);
  data = (int *)my_malloc2(1, 4);
  my_free1(data);
  return *data; // expected-warning {{Use of memory after it is freed}}
}
// Double free through the wrapper: the same pointer is handed to my_free1
// twice. The directive words this as a use of already-freed memory and is
// pinned to the second call.
void test6() {
  int *data = (int *)my_malloc2(1, 4);
  my_free1((int*)data);
  my_free1((int*)data); // expected-warning{{Use of memory after it is freed}}
}
// TODO: We should warn here.
// 'data' is never initialized before being passed to my_free1, so free()
// receives an indeterminate pointer. No directive is attached: this records
// a case the test does not currently require a report for.
void test5() {
  int *data;
  my_free1((int*)data);
}
// Helper that ignores its argument and always returns a null pointer.
// Assigning its result back to the pointer that was passed in therefore
// discards whatever that pointer referred to.
static char *reshape(char *in) {
  return 0;
}
// Leak caused by overwriting the only reference: the first reshape() call
// returns null, so the 12-byte buffer is unreachable from then on. The
// directive is pinned to the second reshape() call.
// NOTE(review): the function name suggests the intent is that dead bindings
// are cleaned up before each call, which is why the report lands on the
// second call rather than at the end of the function - confirm.
void testThatRemoveDeadBindingsRunBeforeEachCall() {
  char *v = malloc(12);
  v = reshape(v);
  v = reshape(v);// expected-warning {{Potential leak of memory pointed to by 'v'}}
}
// Test that we keep processing after 'return;'
// Callee with two bare 'return;' statements: an early one taken when x is
// non-zero, and one at the end after the increment. It allocates and frees
// nothing itself.
void fooWithEmptyReturn(int x) {
  if (x)
    return;
  x++;
  return;
}
// Use-after-free with an unrelated call in between: x is freed, then
// fooWithEmptyReturn(12) runs (its argument is non-zero, so it takes the
// early bare return), then x is dereferenced. The directive requires the
// report on the return statement, i.e. after that callee has returned.
int uafAndCallsFooWithEmptyReturn() {
  int *x = (int*)malloc(12);
  free(x);
  fooWithEmptyReturn(12);
  return *x; // expected-warning {{Use of memory after it is freed}}
}
// If we inline any of the malloc-family functions, the checker shouldn't also
// try to do additional modeling. <rdar://problem/12317671>
//
// Local definition of strndup with one deliberate deviation (the n < 5 early
// return below). Returns null for a null str or for n < 5; otherwise returns
// a malloc'd, NUL-terminated copy of at most n bytes that the caller owns.
char *strndup(const char *str, size_t n) {
  if (!str)
    return 0;

  // DO NOT FIX. This is to test that we are actually using the inlined
  // behavior!
  if (n < 5)
    return 0;

  // Clamp the copy length to the actual string length.
  size_t length = strlen(str);
  if (length < n)
    n = length;

  // NOTE(review): the malloc() result goes to memcpy() without a null check.
  // Left untouched because this file is an analyzer fixture.
  char *result = malloc(n + 1);
  memcpy(result, str, n);
  result[n] = '\0';
  return result;
}
// Drives the local strndup down each of its three paths and discards the
// result every time. Only the path that actually reaches malloc() should be
// reported as a leak.
void useStrndup(size_t n) {
  if (n == 0) {
    // Null source string: the local strndup returns 0 before allocating.
    (void)strndup(0, 20); // no-warning
    return;
  } else if (n < 5) {
    // Here n is 1..4, so the deliberate 'n < 5' early return in the local
    // strndup applies and nothing is allocated.
    (void)strndup("hi there", n); // no-warning
    return;
  } else {
    // n >= 5: the local strndup allocates, and the discarded result leaks.
    // The directive is pinned to the return statement that follows.
    (void)strndup("hi there", n);
    return; // expected-warning{{leak}}
  }
}