1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
2
3 #include "Inputs/system-header-simulator.h"
4
5 void clang_analyzer_eval(int);
6
7 typedef __typeof(sizeof(int)) size_t;
8 void *malloc(size_t);
9 void *valloc(size_t);
10 void free(void *);
11 void *realloc(void *ptr, size_t size);
12 void *reallocf(void *ptr, size_t size);
13 void *calloc(size_t nmemb, size_t size);
14 char *strdup(const char *s);
15 char *strndup(const char *s, size_t n);
16 int memcmp(const void *s1, const void *s2, size_t n);
17
18 void myfoo(int *p);
19 void myfooint(int p);
20 char *fooRetPtr();
21
f1()22 void f1() {
23 int *p = malloc(12);
24 return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
25 }
26
f2()27 void f2() {
28 int *p = malloc(12);
29 free(p);
30 free(p); // expected-warning{{Attempt to free released memory}}
31 }
32
f2_realloc_0()33 void f2_realloc_0() {
34 int *p = malloc(12);
35 realloc(p,0);
36 realloc(p,0); // expected-warning{{Attempt to free released memory}}
37 }
38
f2_realloc_1()39 void f2_realloc_1() {
40 int *p = malloc(12);
41 int *q = realloc(p,0); // no-warning
42 }
43
reallocNotNullPtr(unsigned sizeIn)44 void reallocNotNullPtr(unsigned sizeIn) {
45 unsigned size = 12;
46 char *p = (char*)malloc(size);
47 if (p) {
48 char *q = (char*)realloc(p, sizeIn);
49 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
50 }
51 }
52
realloctest1()53 int *realloctest1() {
54 int *q = malloc(12);
55 q = realloc(q, 20);
56 return q; // no warning - returning the allocated value
57 }
58
59 // p should be freed if realloc fails.
reallocFails()60 void reallocFails() {
61 char *p = malloc(12);
62 char *r = realloc(p, 12+1);
63 if (!r) {
64 free(p);
65 } else {
66 free(r);
67 }
68 }
69
reallocSizeZero1()70 void reallocSizeZero1() {
71 char *p = malloc(12);
72 char *r = realloc(p, 0);
73 if (!r) {
74 free(p); // expected-warning {{Attempt to free released memory}}
75 } else {
76 free(r);
77 }
78 }
79
reallocSizeZero2()80 void reallocSizeZero2() {
81 char *p = malloc(12);
82 char *r = realloc(p, 0);
83 if (!r) {
84 free(p); // expected-warning {{Attempt to free released memory}}
85 } else {
86 free(r);
87 }
88 free(p); // expected-warning {{Attempt to free released memory}}
89 }
90
reallocSizeZero3()91 void reallocSizeZero3() {
92 char *p = malloc(12);
93 char *r = realloc(p, 0);
94 free(r);
95 }
96
reallocSizeZero4()97 void reallocSizeZero4() {
98 char *r = realloc(0, 0);
99 free(r);
100 }
101
reallocSizeZero5()102 void reallocSizeZero5() {
103 char *r = realloc(0, 0);
104 }
105
reallocPtrZero1()106 void reallocPtrZero1() {
107 char *r = realloc(0, 12);
108 } // expected-warning {{Potential leak of memory pointed to by 'r'}}
109
reallocPtrZero2()110 void reallocPtrZero2() {
111 char *r = realloc(0, 12);
112 if (r)
113 free(r);
114 }
115
reallocPtrZero3()116 void reallocPtrZero3() {
117 char *r = realloc(0, 12);
118 free(r);
119 }
120
reallocRadar6337483_1()121 void reallocRadar6337483_1() {
122 char *buf = malloc(100);
123 buf = (char*)realloc(buf, 0x1000000);
124 if (!buf) {
125 return;// expected-warning {{Potential leak of memory pointed to by}}
126 }
127 free(buf);
128 }
129
reallocRadar6337483_2()130 void reallocRadar6337483_2() {
131 char *buf = malloc(100);
132 char *buf2 = (char*)realloc(buf, 0x1000000);
133 if (!buf2) {
134 ;
135 } else {
136 free(buf2);
137 }
138 } // expected-warning {{Potential leak of memory pointed to by}}
139
reallocRadar6337483_3()140 void reallocRadar6337483_3() {
141 char * buf = malloc(100);
142 char * tmp;
143 tmp = (char*)realloc(buf, 0x1000000);
144 if (!tmp) {
145 free(buf);
146 return;
147 }
148 buf = tmp;
149 free(buf);
150 }
151
reallocRadar6337483_4()152 void reallocRadar6337483_4() {
153 char *buf = malloc(100);
154 char *buf2 = (char*)realloc(buf, 0x1000000);
155 if (!buf2) {
156 return; // expected-warning {{Potential leak of memory pointed to by}}
157 } else {
158 free(buf2);
159 }
160 }
161
reallocfTest1()162 int *reallocfTest1() {
163 int *q = malloc(12);
164 q = reallocf(q, 20);
165 return q; // no warning - returning the allocated value
166 }
167
reallocfRadar6337483_4()168 void reallocfRadar6337483_4() {
169 char *buf = malloc(100);
170 char *buf2 = (char*)reallocf(buf, 0x1000000);
171 if (!buf2) {
172 return; // no warning - reallocf frees even on failure
173 } else {
174 free(buf2);
175 }
176 }
177
reallocfRadar6337483_3()178 void reallocfRadar6337483_3() {
179 char * buf = malloc(100);
180 char * tmp;
181 tmp = (char*)reallocf(buf, 0x1000000);
182 if (!tmp) {
183 free(buf); // expected-warning {{Attempt to free released memory}}
184 return;
185 }
186 buf = tmp;
187 free(buf);
188 }
189
reallocfPtrZero1()190 void reallocfPtrZero1() {
191 char *r = reallocf(0, 12);
192 } // expected-warning {{Potential leak of memory pointed to by}}
193
194
195 // This case tests that storing malloc'ed memory to a static variable which is
196 // then returned is not leaked. In the absence of known contracts for functions
197 // or inter-procedural analysis, this is a conservative answer.
f3()198 int *f3() {
199 static int *p = 0;
200 p = malloc(12);
201 return p; // no-warning
202 }
203
204 // This case tests that storing malloc'ed memory to a static global variable
205 // which is then returned is not leaked. In the absence of known contracts for
206 // functions or inter-procedural analysis, this is a conservative answer.
207 static int *p_f4 = 0;
f4()208 int *f4() {
209 p_f4 = malloc(12);
210 return p_f4; // no-warning
211 }
212
f5()213 int *f5() {
214 int *q = malloc(12);
215 q = realloc(q, 20);
216 return q; // no-warning
217 }
218
f6()219 void f6() {
220 int *p = malloc(12);
221 if (!p)
222 return; // no-warning
223 else
224 free(p);
225 }
226
f6_realloc()227 void f6_realloc() {
228 int *p = malloc(12);
229 if (!p)
230 return; // no-warning
231 else
232 realloc(p,0);
233 }
234
235
236 char *doit2();
pr6069()237 void pr6069() {
238 char *buf = doit2();
239 free(buf);
240 }
241
pr6293()242 void pr6293() {
243 free(0);
244 }
245
f7()246 void f7() {
247 char *x = (char*) malloc(4);
248 free(x);
249 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
250 }
251
f8()252 void f8() {
253 char *x = (char*) malloc(4);
254 free(x);
255 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
256 }
257
f7_realloc()258 void f7_realloc() {
259 char *x = (char*) malloc(4);
260 realloc(x,0);
261 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
262 }
263
PR6123()264 void PR6123() {
265 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
266 }
267
PR7217()268 void PR7217() {
269 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
270 buf[1] = 'c'; // not crash
271 }
272
mallocCastToVoid()273 void mallocCastToVoid() {
274 void *p = malloc(2);
275 const void *cp = p; // not crash
276 free(p);
277 }
278
mallocCastToFP()279 void mallocCastToFP() {
280 void *p = malloc(2);
281 void (*fp)() = p; // not crash
282 free(p);
283 }
284
285 // This tests that malloc() buffers are undefined by default
mallocGarbage()286 char mallocGarbage () {
287 char *buf = malloc(2);
288 char result = buf[1]; // expected-warning{{undefined}}
289 free(buf);
290 return result;
291 }
292
293 // This tests that calloc() buffers need to be freed
callocNoFree()294 void callocNoFree () {
295 char *buf = calloc(2,2);
296 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
297 }
298
299 // These test that calloc() buffers are zeroed by default
callocZeroesGood()300 char callocZeroesGood () {
301 char *buf = calloc(2,2);
302 char result = buf[3]; // no-warning
303 if (buf[1] == 0) {
304 free(buf);
305 }
306 return result; // no-warning
307 }
308
callocZeroesBad()309 char callocZeroesBad () {
310 char *buf = calloc(2,2);
311 char result = buf[3]; // no-warning
312 if (buf[1] != 0) {
313 free(buf); // expected-warning{{never executed}}
314 }
315 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
316 }
317
nullFree()318 void nullFree() {
319 int *p = 0;
320 free(p); // no warning - a nop
321 }
322
paramFree(int * p)323 void paramFree(int *p) {
324 myfoo(p);
325 free(p); // no warning
326 myfoo(p); // expected-warning {{Use of memory after it is freed}}
327 }
328
mallocEscapeRet()329 int* mallocEscapeRet() {
330 int *p = malloc(12);
331 return p; // no warning
332 }
333
mallocEscapeFoo()334 void mallocEscapeFoo() {
335 int *p = malloc(12);
336 myfoo(p);
337 return; // no warning
338 }
339
mallocEscapeFree()340 void mallocEscapeFree() {
341 int *p = malloc(12);
342 myfoo(p);
343 free(p);
344 }
345
mallocEscapeFreeFree()346 void mallocEscapeFreeFree() {
347 int *p = malloc(12);
348 myfoo(p);
349 free(p);
350 free(p); // expected-warning{{Attempt to free released memory}}
351 }
352
mallocEscapeFreeUse()353 void mallocEscapeFreeUse() {
354 int *p = malloc(12);
355 myfoo(p);
356 free(p);
357 myfoo(p); // expected-warning{{Use of memory after it is freed}}
358 }
359
360 int *myalloc();
361 void myalloc2(int **p);
362
mallocEscapeFreeCustomAlloc()363 void mallocEscapeFreeCustomAlloc() {
364 int *p = malloc(12);
365 myfoo(p);
366 free(p);
367 p = myalloc();
368 free(p); // no warning
369 }
370
mallocEscapeFreeCustomAlloc2()371 void mallocEscapeFreeCustomAlloc2() {
372 int *p = malloc(12);
373 myfoo(p);
374 free(p);
375 myalloc2(&p);
376 free(p); // no warning
377 }
378
mallocBindFreeUse()379 void mallocBindFreeUse() {
380 int *x = malloc(12);
381 int *y = x;
382 free(y);
383 myfoo(x); // expected-warning{{Use of memory after it is freed}}
384 }
385
mallocEscapeMalloc()386 void mallocEscapeMalloc() {
387 int *p = malloc(12);
388 myfoo(p);
389 p = malloc(12);
390 } // expected-warning{{Potential leak of memory pointed to by}}
391
mallocMalloc()392 void mallocMalloc() {
393 int *p = malloc(12);
394 p = malloc(12);
395 } // expected-warning {{Potential leak of memory pointed to by}}
396
mallocFreeMalloc()397 void mallocFreeMalloc() {
398 int *p = malloc(12);
399 free(p);
400 p = malloc(12);
401 free(p);
402 }
403
mallocFreeUse_params()404 void mallocFreeUse_params() {
405 int *p = malloc(12);
406 free(p);
407 myfoo(p); //expected-warning{{Use of memory after it is freed}}
408 }
409
mallocFreeUse_params2()410 void mallocFreeUse_params2() {
411 int *p = malloc(12);
412 free(p);
413 myfooint(*p); //expected-warning{{Use of memory after it is freed}}
414 }
415
mallocFailedOrNot()416 void mallocFailedOrNot() {
417 int *p = malloc(12);
418 if (!p)
419 free(p);
420 else
421 free(p);
422 }
423
424 struct StructWithInt {
425 int g;
426 };
427
mallocReturnFreed()428 int *mallocReturnFreed() {
429 int *p = malloc(12);
430 free(p);
431 return p; // expected-warning {{Use of memory after it is freed}}
432 }
433
useAfterFreeStruct()434 int useAfterFreeStruct() {
435 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
436 px->g = 5;
437 free(px);
438 return px->g; // expected-warning {{Use of memory after it is freed}}
439 }
440
441 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
442
mallocEscapeFooNonSymbolArg()443 void mallocEscapeFooNonSymbolArg() {
444 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
445 nonSymbolAsFirstArg(&p->g, p);
446 return; // no warning
447 }
448
mallocFailedOrNotLeak()449 void mallocFailedOrNotLeak() {
450 int *p = malloc(12);
451 if (p == 0)
452 return; // no warning
453 else
454 return; // expected-warning {{Potential leak of memory pointed to by}}
455 }
456
mallocAssignment()457 void mallocAssignment() {
458 char *p = malloc(12);
459 p = fooRetPtr();
460 } // expected-warning {{leak}}
461
vallocTest()462 int vallocTest() {
463 char *mem = valloc(12);
464 return 0; // expected-warning {{Potential leak of memory pointed to by}}
465 }
466
vallocEscapeFreeUse()467 void vallocEscapeFreeUse() {
468 int *p = valloc(12);
469 myfoo(p);
470 free(p);
471 myfoo(p); // expected-warning{{Use of memory after it is freed}}
472 }
473
474 int *Gl;
475 struct GlStTy {
476 int *x;
477 };
478
479 struct GlStTy GlS = {0};
480
GlobalFree()481 void GlobalFree() {
482 free(Gl);
483 }
484
GlobalMalloc()485 void GlobalMalloc() {
486 Gl = malloc(12);
487 }
488
GlobalStructMalloc()489 void GlobalStructMalloc() {
490 int *a = malloc(12);
491 GlS.x = a;
492 }
493
GlobalStructMallocFree()494 void GlobalStructMallocFree() {
495 int *a = malloc(12);
496 GlS.x = a;
497 free(GlS.x);
498 }
499
500 char *ArrayG[12];
501
globalArrayTest()502 void globalArrayTest() {
503 char *p = (char*)malloc(12);
504 ArrayG[0] = p;
505 }
506
507 // Make sure that we properly handle a pointer stored into a local struct/array.
508 typedef struct _StructWithPtr {
509 int *memP;
510 } StructWithPtr;
511
512 static StructWithPtr arrOfStructs[10];
513
testMalloc()514 void testMalloc() {
515 int *x = malloc(12);
516 StructWithPtr St;
517 St.memP = x;
518 arrOfStructs[0] = St; // no-warning
519 }
520
testMalloc2()521 StructWithPtr testMalloc2() {
522 int *x = malloc(12);
523 StructWithPtr St;
524 St.memP = x;
525 return St; // no-warning
526 }
527
testMalloc3()528 int *testMalloc3() {
529 int *x = malloc(12);
530 int *y = x;
531 return y; // no-warning
532 }
533
testStructLeak()534 void testStructLeak() {
535 StructWithPtr St;
536 St.memP = malloc(12);
537 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
538 }
539
testElemRegion1()540 void testElemRegion1() {
541 char *x = (void*)malloc(2);
542 int *ix = (int*)x;
543 free(&(x[0]));
544 }
545
testElemRegion2(int ** pp)546 void testElemRegion2(int **pp) {
547 int *p = malloc(12);
548 *pp = p;
549 free(pp[0]);
550 }
551
testElemRegion3(int ** pp)552 void testElemRegion3(int **pp) {
553 int *p = malloc(12);
554 *pp = p;
555 free(*pp);
556 }
557 // Region escape testing.
558
559 unsigned takePtrToPtr(int **p);
PassTheAddrOfAllocatedData(int f)560 void PassTheAddrOfAllocatedData(int f) {
561 int *p = malloc(12);
562 // We don't know what happens after the call. Should stop tracking here.
563 if (takePtrToPtr(&p))
564 f++;
565 free(p); // no warning
566 }
567
568 struct X {
569 int *p;
570 };
571 unsigned takePtrToStruct(struct X *s);
foo2(int * g,int f)572 int ** foo2(int *g, int f) {
573 int *p = malloc(12);
574 struct X *px= malloc(sizeof(struct X));
575 px->p = p;
576 // We don't know what happens after this call. Should not track px nor p.
577 if (takePtrToStruct(px))
578 f++;
579 free(p);
580 return 0;
581 }
582
RegInvalidationDetect1(struct X * s2)583 struct X* RegInvalidationDetect1(struct X *s2) {
584 struct X *px= malloc(sizeof(struct X));
585 px->p = 0;
586 px = s2;
587 return px; // expected-warning {{Potential leak of memory pointed to by}}
588 }
589
RegInvalidationGiveUp1()590 struct X* RegInvalidationGiveUp1() {
591 int *p = malloc(12);
592 struct X *px= malloc(sizeof(struct X));
593 px->p = p;
594 return px;
595 }
596
RegInvalidationDetect2(int ** pp)597 int **RegInvalidationDetect2(int **pp) {
598 int *p = malloc(12);
599 pp = &p;
600 pp++;
601 return 0;// expected-warning {{Potential leak of memory pointed to by}}
602 }
603
604 extern void exit(int) __attribute__ ((__noreturn__));
mallocExit(int * g)605 void mallocExit(int *g) {
606 struct xx *p = malloc(12);
607 if (g != 0)
608 exit(1);
609 free(p);
610 return;
611 }
612
613 extern void __assert_fail (__const char *__assertion, __const char *__file,
614 unsigned int __line, __const char *__function)
615 __attribute__ ((__noreturn__));
616 #define assert(expr) \
617 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
mallocAssert(int * g)618 void mallocAssert(int *g) {
619 struct xx *p = malloc(12);
620
621 assert(g != 0);
622 free(p);
623 return;
624 }
625
doNotInvalidateWhenPassedToSystemCalls(char * s)626 void doNotInvalidateWhenPassedToSystemCalls(char *s) {
627 char *p = malloc(12);
628 strlen(p);
629 strcpy(p, s);
630 } // expected-warning {{leak}}
631
632 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
symbolLostWithStrcpy(char * s)633 void symbolLostWithStrcpy(char *s) {
634 char *p = malloc(12);
635 p = strcpy(p, s);
636 free(p);
637 }
638
639
640 // The same test as the one above, but with what is actually generated on a mac.
641 static __inline char *
__inline_strcpy_chk(char * restrict __dest,const char * restrict __src)642 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
643 {
644 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
645 }
646
symbolLostWithStrcpy_InlineStrcpyVersion(char * s)647 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
648 char *p = malloc(12);
649 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
650 free(p);
651 }
652
653 // Here we are returning a pointer one past the allocated value. An idiom which
654 // can be used for implementing special malloc. The correct uses of this might
655 // be rare enough so that we could keep this as a warning.
specialMalloc(int n)656 static void *specialMalloc(int n){
657 int *p;
658 p = malloc( n+8 );
659 if( p ){
660 p[0] = n;
661 p++;
662 }
663 return p;
664 }
665
666 // Potentially, the user could free the struct by performing pointer arithmetic on the return value.
667 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
specialMallocWithStruct()668 int *specialMallocWithStruct() {
669 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
670 return &(px->g);
671 }
672
673 // Test various allocation/deallocation functions.
testStrdup(const char * s,unsigned validIndex)674 void testStrdup(const char *s, unsigned validIndex) {
675 char *s2 = strdup(s);
676 s2[validIndex + 1] = 'b';
677 } // expected-warning {{Potential leak of memory pointed to by}}
678
testStrndup(const char * s,unsigned validIndex,unsigned size)679 int testStrndup(const char *s, unsigned validIndex, unsigned size) {
680 char *s2 = strndup(s, size);
681 s2 [validIndex + 1] = 'b';
682 if (s2[validIndex] != 'a')
683 return 0;
684 else
685 return 1;// expected-warning {{Potential leak of memory pointed to by}}
686 }
687
testStrdupContentIsDefined(const char * s,unsigned validIndex)688 void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
689 char *s2 = strdup(s);
690 char result = s2[1];// no warning
691 free(s2);
692 }
693
694 // ----------------------------------------------------------------------------
695 // Test the system library functions to which the pointer can escape.
696 // This tests false positive suppression.
697
698 // For now, we assume memory passed to pthread_specific escapes.
699 // TODO: We could check that if a new pthread binding is set, the existing
700 // binding must be freed; otherwise, a memory leak can occur.
testPthereadSpecificEscape(pthread_key_t key)701 void testPthereadSpecificEscape(pthread_key_t key) {
702 void *buf = malloc(12);
703 pthread_setspecific(key, buf); // no warning
704 }
705
706 // PR12101: Test funopen().
releasePtr(void * _ctx)707 static int releasePtr(void *_ctx) {
708 free(_ctx);
709 return 0;
710 }
useFunOpen()711 FILE *useFunOpen() {
712 void *ctx = malloc(sizeof(int));
713 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
714 if (f == 0) {
715 free(ctx);
716 }
717 return f;
718 }
useFunOpenNoReleaseFunction()719 FILE *useFunOpenNoReleaseFunction() {
720 void *ctx = malloc(sizeof(int));
721 FILE *f = funopen(ctx, 0, 0, 0, 0);
722 if (f == 0) {
723 free(ctx);
724 }
725 return f; // expected-warning{{leak}}
726 }
727
readNothing(void * _ctx,char * buf,int size)728 static int readNothing(void *_ctx, char *buf, int size) {
729 return 0;
730 }
useFunOpenReadNoRelease()731 FILE *useFunOpenReadNoRelease() {
732 void *ctx = malloc(sizeof(int));
733 FILE *f = funopen(ctx, readNothing, 0, 0, 0);
734 if (f == 0) {
735 free(ctx);
736 }
737 return f; // expected-warning{{leak}}
738 }
739
740 // Test setbuf, setvbuf.
my_main_no_warning()741 int my_main_no_warning() {
742 char *p = malloc(100);
743 setvbuf(stdout, p, 0, 100);
744 return 0;
745 }
my_main_no_warning2()746 int my_main_no_warning2() {
747 char *p = malloc(100);
748 setbuf(__stdoutp, p);
749 return 0;
750 }
my_main_warn(FILE * f)751 int my_main_warn(FILE *f) {
752 char *p = malloc(100);
753 setvbuf(f, p, 0, 100);
754 return 0;// expected-warning {{leak}}
755 }
756
757 // <rdar://problem/10978247>.
758 // some people use stack allocated memory as an optimization to avoid
759 // a heap allocation for small work sizes. This tests the analyzer's
760 // understanding that the malloc'ed memory is not the same as stackBuffer.
radar10978247(int myValueSize)761 void radar10978247(int myValueSize) {
762 char stackBuffer[128];
763 char *buffer;
764
765 if (myValueSize <= sizeof(stackBuffer))
766 buffer = stackBuffer;
767 else
768 buffer = malloc(myValueSize);
769
770 // do stuff with the buffer
771 if (buffer != stackBuffer)
772 free(buffer);
773 }
774
radar10978247_positive(int myValueSize)775 void radar10978247_positive(int myValueSize) {
776 char stackBuffer[128];
777 char *buffer;
778
779 if (myValueSize <= sizeof(stackBuffer))
780 buffer = stackBuffer;
781 else
782 buffer = malloc(myValueSize);
783
784 // do stuff with the buffer
785 if (buffer == stackBuffer)
786 return;
787 else
788 return; // expected-warning {{leak}}
789 }�
790 // <rdar://problem/11269741> Previously this triggered a false positive
791 // because malloc() is known to return uninitialized memory and the binding
792 // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
793 struct rdar11269741_a_t {
794 struct rdar11269741_b_t {
795 int m;
796 } n;
797 };
798
rdar11269741(struct rdar11269741_b_t o)799 int rdar11269741(struct rdar11269741_b_t o)
800 {
801 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
802 p->n = o;
803 return p->n.m; // expected-warning {{leak}}
804 }
805
806 // Pointer arithmetic, returning an ElementRegion.
radar11329382(unsigned bl)807 void *radar11329382(unsigned bl) {
808 void *ptr = malloc (16);
809 ptr = ptr + (2 - bl);
810 return ptr; // no warning
811 }
812
813 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
814 int strcmp(const char *, const char *);
815 char *a (void);
radar11270219(void)816 void radar11270219(void) {
817 char *x = a(), *y = a();
818 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
819 strcmp(x, y); // no warning
820 }
821
radar_11358224_test_double_assign_ints_positive_2()822 void radar_11358224_test_double_assign_ints_positive_2()
823 {
824 void *ptr = malloc(16);
825 ptr = ptr;
826 } // expected-warning {{leak}}
827
828 // Assume that functions which take a function pointer can free memory even if
829 // they are defined in system headers and take the const pointer to the
830 // allocated memory. (radar://11160612)
831 int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
r11160612_1()832 void r11160612_1() {
833 char *x = malloc(12);
834 const_ptr_and_callback(0, x, 12, free); // no - warning
835 }
836
837 // Null is passed as callback.
r11160612_2()838 void r11160612_2() {
839 char *x = malloc(12);
840 const_ptr_and_callback(0, x, 12, 0);
841 } // expected-warning {{leak}}
842
843 // Callback is passed to a function defined in a system header.
r11160612_4()844 void r11160612_4() {
845 char *x = malloc(12);
846 sqlite3_bind_text_my(0, x, 12, free); // no - warning
847 }
848
849 // Passing callbacks in a struct.
r11160612_5(StWithCallback St)850 void r11160612_5(StWithCallback St) {
851 void *x = malloc(12);
852 dealocateMemWhenDoneByVal(x, St);
853 }
r11160612_6(StWithCallback St)854 void r11160612_6(StWithCallback St) {
855 void *x = malloc(12);
856 dealocateMemWhenDoneByRef(&St, x);
857 }
858
859 int mySub(int, int);
860 int myAdd(int, int);
fPtr(unsigned cond,int x)861 int fPtr(unsigned cond, int x) {
862 return (cond ? mySub : myAdd)(x, x);
863 }
864
865 // Test anti-aliasing.
866
dependsOnValueOfPtr(int * g,unsigned f)867 void dependsOnValueOfPtr(int *g, unsigned f) {
868 int *p;
869
870 if (f) {
871 p = g;
872 } else {
873 p = malloc(12);
874 }
875
876 if (p != g)
877 free(p);
878 else
879 return; // no warning
880 return;
881 }
882
CMPRegionHeapToStack()883 int CMPRegionHeapToStack() {
884 int x = 0;
885 int *x1 = malloc(8);
886 int *x2 = &x;
887 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
888 free(x1);
889 return x;
890 }
891
CMPRegionHeapToHeap2()892 int CMPRegionHeapToHeap2() {
893 int x = 0;
894 int *x1 = malloc(8);
895 int *x2 = malloc(8);
896 int *x4 = x1;
897 int *x5 = x2;
898 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
899 free(x1);
900 free(x2);
901 return x;
902 }
903
CMPRegionHeapToHeap()904 int CMPRegionHeapToHeap() {
905 int x = 0;
906 int *x1 = malloc(8);
907 int *x4 = x1;
908 if (x1 == x4) {
909 free(x1);
910 return 5/x; // expected-warning{{Division by zero}}
911 }
912 return x;// expected-warning{{This statement is never executed}}
913 }
914
HeapAssignment()915 int HeapAssignment() {
916 int m = 0;
917 int *x = malloc(4);
918 int *y = x;
919 *x = 5;
920 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
921 free(x);
922 return 0;
923 }
924
925 int *retPtr();
926 int *retPtrMightAlias(int *x);
cmpHeapAllocationToUnknown()927 int cmpHeapAllocationToUnknown() {
928 int zero = 0;
929 int *yBefore = retPtr();
930 int *m = malloc(8);
931 int *yAfter = retPtrMightAlias(m);
932 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
933 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
934 free(m);
935 return 0;
936 }
937
localArrayTest()938 void localArrayTest() {
939 char *p = (char*)malloc(12);
940 char *ArrayL[12];
941 ArrayL[0] = p;
942 } // expected-warning {{leak}}
943
localStructTest()944 void localStructTest() {
945 StructWithPtr St;
946 StructWithPtr *pSt = &St;
947 pSt->memP = malloc(12);
948 } // expected-warning{{Potential leak of memory pointed to by}}
949
950 #ifdef __INTPTR_TYPE__
951 // Test double assignment through integers.
952 typedef __INTPTR_TYPE__ intptr_t;
953 typedef unsigned __INTPTR_TYPE__ uintptr_t;
954
955 static intptr_t glob;
test_double_assign_ints()956 void test_double_assign_ints()
957 {
958 void *ptr = malloc (16); // no-warning
959 glob = (intptr_t)(uintptr_t)ptr;
960 }
961
test_double_assign_ints_positive()962 void test_double_assign_ints_positive()
963 {
964 void *ptr = malloc(16);
965 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
966 } // expected-warning {{leak}}
967 #endif
968
testCGContextNoLeak()969 void testCGContextNoLeak()
970 {
971 void *ptr = malloc(16);
972 CGContextRef context = CGBitmapContextCreate(ptr);
973
974 // Because you can get the data back out like this, even much later,
975 // CGBitmapContextCreate is one of our "stop-tracking" exceptions.
976 free(CGBitmapContextGetData(context));
977 }
978
testCGContextLeak()979 void testCGContextLeak()
980 {
981 void *ptr = malloc(16);
982 CGContextRef context = CGBitmapContextCreate(ptr);
983 // However, this time we're just leaking the data, because the context
984 // object doesn't escape and it hasn't been freed in this function.
985 }
986
987 // Allow xpc context to escape. radar://11635258
988 // TODO: Would be great if we checked that the finalize_connection_context actually releases it.
finalize_connection_context(void * ctx)989 static void finalize_connection_context(void *ctx) {
990 int *context = ctx;
991 free(context);
992 }
foo(xpc_connection_t peer)993 void foo (xpc_connection_t peer) {
994 int *ctx = calloc(1, sizeof(int));
995 xpc_connection_set_context(peer, ctx);
996 xpc_connection_set_finalizer_f(peer, finalize_connection_context);
997 xpc_connection_resume(peer);
998 }
999
1000 // Make sure we catch errors when we free in a function which does not allocate memory.
freeButNoMalloc(int * p,int x)1001 void freeButNoMalloc(int *p, int x){
1002 if (x) {
1003 free(p);
1004 //user forgot a return here.
1005 }
1006 free(p); // expected-warning {{Attempt to free released memory}}
1007 }
1008
1009 struct HasPtr {
1010 char *p;
1011 };
1012
reallocButNoMalloc(struct HasPtr * a,int c,int size)1013 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1014 int *s;
1015 char *b = realloc(a->p, size);
1016 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1017 return a->p;
1018 }
1019
1020 // We should not warn in this case since the caller will presumably free a->p in all cases.
reallocButNoMallocPR13674(struct HasPtr * a,int c,int size)1021 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1022 int *s;
1023 char *b = realloc(a->p, size);
1024 if (b == 0)
1025 return -1;
1026 a->p = b;
1027 return 0;
1028 }
1029
1030 // Test realloc with no visible malloc.
test(void * ptr)1031 void *test(void *ptr) {
1032 void *newPtr = realloc(ptr, 4);
1033 if (newPtr == 0) {
1034 if (ptr)
1035 free(ptr); // no-warning
1036 }
1037 return newPtr;
1038 }
1039
1040
testLeakWithinReturn(char * str)1041 char *testLeakWithinReturn(char *str) {
1042 return strdup(strdup(str)); // expected-warning{{leak}}
1043 }
1044
1045 void passConstPtr(const char * ptr);
1046
testPassConstPointer()1047 void testPassConstPointer() {
1048 char * string = malloc(sizeof(char)*10);
1049 passConstPtr(string);
1050 return; // expected-warning {{leak}}
1051 }
1052
testPassConstPointerIndirectly()1053 void testPassConstPointerIndirectly() {
1054 char *p = malloc(1);
1055 p++;
1056 memcmp(p, p, sizeof(&p));
1057 return; // expected-warning {{leak}}
1058 }
1059
testPassConstPointerIndirectlyStruct()1060 void testPassConstPointerIndirectlyStruct() {
1061 struct HasPtr hp;
1062 hp.p = malloc(10);
1063 memcmp(&hp, &hp, sizeof(hp));
1064 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
1065 }
1066
testPassToSystemHeaderFunctionIndirectlyStruct()1067 void testPassToSystemHeaderFunctionIndirectlyStruct() {
1068 SomeStruct ss;
1069 ss.p = malloc(1);
1070 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1071 // Technically a false negative here -- we know the system function won't free
1072 // ss.p, but nothing else will either!
1073 } // no-warning
1074
testPassToSystemHeaderFunctionIndirectlyStructFree()1075 void testPassToSystemHeaderFunctionIndirectlyStructFree() {
1076 SomeStruct ss;
1077 ss.p = malloc(1);
1078 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1079 free(ss.p);
1080 } // no-warning
1081
testPassToSystemHeaderFunctionIndirectlyArray()1082 void testPassToSystemHeaderFunctionIndirectlyArray() {
1083 int *p[1];
1084 p[0] = malloc(sizeof(int));
1085 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1086 // Technically a false negative here -- we know the system function won't free
1087 // p[0], but nothing else will either!
1088 } // no-warning
1089
testPassToSystemHeaderFunctionIndirectlyArrayFree()1090 void testPassToSystemHeaderFunctionIndirectlyArrayFree() {
1091 int *p[1];
1092 p[0] = malloc(sizeof(int));
1093 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1094 free(p[0]);
1095 } // no-warning
1096
testOffsetAllocate(size_t size)1097 int *testOffsetAllocate(size_t size) {
1098 int *memoryBlock = (int *)malloc(size + sizeof(int));
1099 return &memoryBlock[1]; // no-warning
1100 }
1101
testOffsetDeallocate(int * memoryBlock)1102 void testOffsetDeallocate(int *memoryBlock) {
1103 free(&memoryBlock[-1]); // no-warning
1104 }
1105
testOffsetOfRegionFreed()1106 void testOffsetOfRegionFreed() {
1107 __int64_t * array = malloc(sizeof(__int64_t)*2);
1108 array += 1;
1109 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1110 }
1111
testOffsetOfRegionFreed2()1112 void testOffsetOfRegionFreed2() {
1113 __int64_t *p = malloc(sizeof(__int64_t)*2);
1114 p += 1;
1115 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1116 }
1117
testOffsetOfRegionFreed3()1118 void testOffsetOfRegionFreed3() {
1119 char *r = malloc(sizeof(char));
1120 r = r - 10;
1121 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
1122 }
1123
testOffsetOfRegionFreedAfterFunctionCall()1124 void testOffsetOfRegionFreedAfterFunctionCall() {
1125 int *p = malloc(sizeof(int)*2);
1126 p += 1;
1127 myfoo(p);
1128 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
1129 }
1130
testFixManipulatedPointerBeforeFree()1131 void testFixManipulatedPointerBeforeFree() {
1132 int * array = malloc(sizeof(int)*2);
1133 array += 1;
1134 free(&array[-1]); // no-warning
1135 }
1136
testFixManipulatedPointerBeforeFree2()1137 void testFixManipulatedPointerBeforeFree2() {
1138 char *r = malloc(sizeof(char));
1139 r = r + 10;
1140 free(r-10); // no-warning
1141 }
1142
freeOffsetPointerPassedToFunction()1143 void freeOffsetPointerPassedToFunction() {
1144 __int64_t *p = malloc(sizeof(__int64_t)*2);
1145 p[1] = 0;
1146 p += 1;
1147 myfooint(*p); // not passing the pointer, only a value pointed by pointer
1148 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1149 }
1150
1151 int arbitraryInt();
freeUnknownOffsetPointer()1152 void freeUnknownOffsetPointer() {
1153 char *r = malloc(sizeof(char));
1154 r = r + arbitraryInt(); // unable to reason about what the offset might be
1155 free(r); // no-warning
1156 }
1157
testFreeNonMallocPointerWithNoOffset()1158 void testFreeNonMallocPointerWithNoOffset() {
1159 char c;
1160 char *r = &c;
1161 r = r + 10;
1162 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1163 }
1164
testFreeNonMallocPointerWithOffset()1165 void testFreeNonMallocPointerWithOffset() {
1166 char c;
1167 char *r = &c;
1168 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1169 }
1170
testOffsetZeroDoubleFree()1171 void testOffsetZeroDoubleFree() {
1172 int *array = malloc(sizeof(int)*2);
1173 int *p = &array[0];
1174 free(p);
1175 free(&array[0]); // expected-warning{{Attempt to free released memory}}
1176 }
1177
testOffsetPassedToStrlen()1178 void testOffsetPassedToStrlen() {
1179 char * string = malloc(sizeof(char)*10);
1180 string += 1;
1181 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
1182 }
1183
testOffsetPassedToStrlenThenFree()1184 void testOffsetPassedToStrlenThenFree() {
1185 char * string = malloc(sizeof(char)*10);
1186 string += 1;
1187 int length = strlen(string);
1188 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1189 }
1190
testOffsetPassedAsConst()1191 void testOffsetPassedAsConst() {
1192 char * string = malloc(sizeof(char)*10);
1193 string += 1;
1194 passConstPtr(string);
1195 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1196 }
1197
1198 char **_vectorSegments;
1199 int _nVectorSegments;
1200
poolFreeC(void * s)1201 void poolFreeC(void* s) {
1202 free(s); // no-warning
1203 }
freeMemory()1204 void freeMemory() {
1205 while (_nVectorSegments) {
1206 poolFreeC(_vectorSegments[_nVectorSegments++]);
1207 }
1208 }
1209
1210 // ----------------------------------------------------------------------------
1211 // False negatives.
1212
testMallocWithParam(int ** p)1213 void testMallocWithParam(int **p) {
1214 *p = (int*) malloc(sizeof(int));
1215 *p = 0; // FIXME: should warn here
1216 }
1217
testMallocWithParam_2(int ** p)1218 void testMallocWithParam_2(int **p) {
1219 *p = (int*) malloc(sizeof(int)); // no-warning
1220 }
1221
testPassToSystemHeaderFunctionIndirectly()1222 void testPassToSystemHeaderFunctionIndirectly() {
1223 int *p = malloc(4);
1224 p++;
1225 fakeSystemHeaderCallInt(p);
1226 // FIXME: This is a leak: if we think a system function won't free p, it
1227 // won't free (p-1) either.
1228 }
1229