1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
2
3 #include "Inputs/system-header-simulator.h"
4
5 void clang_analyzer_eval(int);
6
7 typedef __typeof(sizeof(int)) size_t;
8 void *malloc(size_t);
9 void *valloc(size_t);
10 void free(void *);
11 void *realloc(void *ptr, size_t size);
12 void *reallocf(void *ptr, size_t size);
13 void *calloc(size_t nmemb, size_t size);
14 char *strdup(const char *s);
15 char *strndup(const char *s, size_t n);
16 int memcmp(const void *s1, const void *s2, size_t n);
17
18 void myfoo(int *p);
19 void myfooint(int p);
20 char *fooRetPtr();
21
f1()22 void f1() {
23 int *p = malloc(12);
24 return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
25 }
26
f2()27 void f2() {
28 int *p = malloc(12);
29 free(p);
30 free(p); // expected-warning{{Attempt to free released memory}}
31 }
32
f2_realloc_0()33 void f2_realloc_0() {
34 int *p = malloc(12);
35 realloc(p,0);
36 realloc(p,0); // expected-warning{{Attempt to free released memory}}
37 }
38
f2_realloc_1()39 void f2_realloc_1() {
40 int *p = malloc(12);
41 int *q = realloc(p,0); // no-warning
42 }
43
reallocNotNullPtr(unsigned sizeIn)44 void reallocNotNullPtr(unsigned sizeIn) {
45 unsigned size = 12;
46 char *p = (char*)malloc(size);
47 if (p) {
48 char *q = (char*)realloc(p, sizeIn);
49 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
50 }
51 }
52
realloctest1()53 int *realloctest1() {
54 int *q = malloc(12);
55 q = realloc(q, 20);
56 return q; // no warning - returning the allocated value
57 }
58
59 // p should be freed if realloc fails.
reallocFails()60 void reallocFails() {
61 char *p = malloc(12);
62 char *r = realloc(p, 12+1);
63 if (!r) {
64 free(p);
65 } else {
66 free(r);
67 }
68 }
69
reallocSizeZero1()70 void reallocSizeZero1() {
71 char *p = malloc(12);
72 char *r = realloc(p, 0);
73 if (!r) {
74 free(p); // expected-warning {{Attempt to free released memory}}
75 } else {
76 free(r);
77 }
78 }
79
reallocSizeZero2()80 void reallocSizeZero2() {
81 char *p = malloc(12);
82 char *r = realloc(p, 0);
83 if (!r) {
84 free(p); // expected-warning {{Attempt to free released memory}}
85 } else {
86 free(r);
87 }
88 free(p); // expected-warning {{Attempt to free released memory}}
89 }
90
reallocSizeZero3()91 void reallocSizeZero3() {
92 char *p = malloc(12);
93 char *r = realloc(p, 0);
94 free(r);
95 }
96
reallocSizeZero4()97 void reallocSizeZero4() {
98 char *r = realloc(0, 0);
99 free(r);
100 }
101
reallocSizeZero5()102 void reallocSizeZero5() {
103 char *r = realloc(0, 0);
104 }
105
reallocPtrZero1()106 void reallocPtrZero1() {
107 char *r = realloc(0, 12);
108 } // expected-warning {{Potential leak of memory pointed to by 'r'}}
109
reallocPtrZero2()110 void reallocPtrZero2() {
111 char *r = realloc(0, 12);
112 if (r)
113 free(r);
114 }
115
reallocPtrZero3()116 void reallocPtrZero3() {
117 char *r = realloc(0, 12);
118 free(r);
119 }
120
reallocRadar6337483_1()121 void reallocRadar6337483_1() {
122 char *buf = malloc(100);
123 buf = (char*)realloc(buf, 0x1000000);
124 if (!buf) {
125 return;// expected-warning {{Potential leak of memory pointed to by}}
126 }
127 free(buf);
128 }
129
reallocRadar6337483_2()130 void reallocRadar6337483_2() {
131 char *buf = malloc(100);
132 char *buf2 = (char*)realloc(buf, 0x1000000);
133 if (!buf2) {
134 ;
135 } else {
136 free(buf2);
137 }
138 } // expected-warning {{Potential leak of memory pointed to by}}
139
reallocRadar6337483_3()140 void reallocRadar6337483_3() {
141 char * buf = malloc(100);
142 char * tmp;
143 tmp = (char*)realloc(buf, 0x1000000);
144 if (!tmp) {
145 free(buf);
146 return;
147 }
148 buf = tmp;
149 free(buf);
150 }
151
reallocRadar6337483_4()152 void reallocRadar6337483_4() {
153 char *buf = malloc(100);
154 char *buf2 = (char*)realloc(buf, 0x1000000);
155 if (!buf2) {
156 return; // expected-warning {{Potential leak of memory pointed to by}}
157 } else {
158 free(buf2);
159 }
160 }
161
reallocfTest1()162 int *reallocfTest1() {
163 int *q = malloc(12);
164 q = reallocf(q, 20);
165 return q; // no warning - returning the allocated value
166 }
167
reallocfRadar6337483_4()168 void reallocfRadar6337483_4() {
169 char *buf = malloc(100);
170 char *buf2 = (char*)reallocf(buf, 0x1000000);
171 if (!buf2) {
172 return; // no warning - reallocf frees even on failure
173 } else {
174 free(buf2);
175 }
176 }
177
reallocfRadar6337483_3()178 void reallocfRadar6337483_3() {
179 char * buf = malloc(100);
180 char * tmp;
181 tmp = (char*)reallocf(buf, 0x1000000);
182 if (!tmp) {
183 free(buf); // expected-warning {{Attempt to free released memory}}
184 return;
185 }
186 buf = tmp;
187 free(buf);
188 }
189
reallocfPtrZero1()190 void reallocfPtrZero1() {
191 char *r = reallocf(0, 12);
192 } // expected-warning {{Potential leak of memory pointed to by}}
193
194
195 // This case tests that storing malloc'ed memory to a static variable which is
196 // then returned is not leaked. In the absence of known contracts for functions
197 // or inter-procedural analysis, this is a conservative answer.
f3()198 int *f3() {
199 static int *p = 0;
200 p = malloc(12);
201 return p; // no-warning
202 }
203
204 // This case tests that storing malloc'ed memory to a static global variable
205 // which is then returned is not leaked. In the absence of known contracts for
206 // functions or inter-procedural analysis, this is a conservative answer.
207 static int *p_f4 = 0;
f4()208 int *f4() {
209 p_f4 = malloc(12);
210 return p_f4; // no-warning
211 }
212
f5()213 int *f5() {
214 int *q = malloc(12);
215 q = realloc(q, 20);
216 return q; // no-warning
217 }
218
f6()219 void f6() {
220 int *p = malloc(12);
221 if (!p)
222 return; // no-warning
223 else
224 free(p);
225 }
226
f6_realloc()227 void f6_realloc() {
228 int *p = malloc(12);
229 if (!p)
230 return; // no-warning
231 else
232 realloc(p,0);
233 }
234
235
236 char *doit2();
pr6069()237 void pr6069() {
238 char *buf = doit2();
239 free(buf);
240 }
241
pr6293()242 void pr6293() {
243 free(0);
244 }
245
f7()246 void f7() {
247 char *x = (char*) malloc(4);
248 free(x);
249 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
250 }
251
f8()252 void f8() {
253 char *x = (char*) malloc(4);
254 free(x);
255 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
256 }
257
f7_realloc()258 void f7_realloc() {
259 char *x = (char*) malloc(4);
260 realloc(x,0);
261 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
262 }
263
PR6123()264 void PR6123() {
265 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
266 }
267
PR7217()268 void PR7217() {
269 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
270 buf[1] = 'c'; // not crash
271 }
272
cast_emtpy_struct()273 void cast_emtpy_struct() {
274 struct st {
275 };
276
277 struct st *s = malloc(sizeof(struct st)); // no-warning
278 free(s);
279 }
280
cast_struct_1()281 void cast_struct_1() {
282 struct st {
283 int i[100];
284 char j[];
285 };
286
287 struct st *s = malloc(sizeof(struct st)); // no-warning
288 free(s);
289 }
290
cast_struct_2()291 void cast_struct_2() {
292 struct st {
293 int i[100];
294 char j[0];
295 };
296
297 struct st *s = malloc(sizeof(struct st)); // no-warning
298 free(s);
299 }
300
cast_struct_3()301 void cast_struct_3() {
302 struct st {
303 int i[100];
304 char j[1];
305 };
306
307 struct st *s = malloc(sizeof(struct st)); // no-warning
308 free(s);
309 }
310
cast_struct_4()311 void cast_struct_4() {
312 struct st {
313 int i[100];
314 char j[2];
315 };
316
317 struct st *s = malloc(sizeof(struct st)); // no-warning
318 free(s);
319 }
320
cast_struct_5()321 void cast_struct_5() {
322 struct st {
323 char i[200];
324 char j[1];
325 };
326
327 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning
328 free(s);
329 }
330
cast_struct_warn_1()331 void cast_struct_warn_1() {
332 struct st {
333 int i[100];
334 char j[2];
335 };
336
337 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
338 free(s);
339 }
340
cast_struct_warn_2()341 void cast_struct_warn_2() {
342 struct st {
343 int i[100];
344 char j[2];
345 };
346
347 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
348 free(s);
349 }
350
cast_struct_flex_array_1()351 void cast_struct_flex_array_1() {
352 struct st {
353 int i[100];
354 char j[];
355 };
356
357 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
358 free(s);
359 }
360
cast_struct_flex_array_2()361 void cast_struct_flex_array_2() {
362 struct st {
363 int i[100];
364 char j[0];
365 };
366
367 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
368 free(s);
369 }
370
cast_struct_flex_array_3()371 void cast_struct_flex_array_3() {
372 struct st {
373 int i[100];
374 char j[1];
375 };
376
377 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
378 free(s);
379 }
380
cast_struct_flex_array_4()381 void cast_struct_flex_array_4() {
382 struct foo {
383 char f[32];
384 };
385 struct st {
386 char i[100];
387 struct foo data[];
388 };
389
390 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
391 free(s);
392 }
393
cast_struct_flex_array_5()394 void cast_struct_flex_array_5() {
395 struct foo {
396 char f[32];
397 };
398 struct st {
399 char i[100];
400 struct foo data[0];
401 };
402
403 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
404 free(s);
405 }
406
cast_struct_flex_array_6()407 void cast_struct_flex_array_6() {
408 struct foo {
409 char f[32];
410 };
411 struct st {
412 char i[100];
413 struct foo data[1];
414 };
415
416 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
417 free(s);
418 }
419
cast_struct_flex_array_warn_1()420 void cast_struct_flex_array_warn_1() {
421 struct foo {
422 char f[32];
423 };
424 struct st {
425 char i[100];
426 struct foo data[];
427 };
428
429 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
430 free(s);
431 }
432
cast_struct_flex_array_warn_2()433 void cast_struct_flex_array_warn_2() {
434 struct foo {
435 char f[32];
436 };
437 struct st {
438 char i[100];
439 struct foo data[0];
440 };
441
442 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
443 free(s);
444 }
445
cast_struct_flex_array_warn_3()446 void cast_struct_flex_array_warn_3() {
447 struct foo {
448 char f[32];
449 };
450 struct st {
451 char i[100];
452 struct foo data[1];
453 };
454
455 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
456 free(s);
457 }
458
cast_struct_flex_array_warn_4()459 void cast_struct_flex_array_warn_4() {
460 struct st {
461 int i[100];
462 int j[];
463 };
464
465 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
466 free(s);
467 }
468
cast_struct_flex_array_warn_5()469 void cast_struct_flex_array_warn_5() {
470 struct st {
471 int i[100];
472 int j[0];
473 };
474
475 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
476 free(s);
477 }
478
cast_struct_flex_array_warn_6()479 void cast_struct_flex_array_warn_6() {
480 struct st {
481 int i[100];
482 int j[1];
483 };
484
485 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
486 free(s);
487 }
488
mallocCastToVoid()489 void mallocCastToVoid() {
490 void *p = malloc(2);
491 const void *cp = p; // not crash
492 free(p);
493 }
494
mallocCastToFP()495 void mallocCastToFP() {
496 void *p = malloc(2);
497 void (*fp)() = p; // not crash
498 free(p);
499 }
500
501 // This tests that malloc() buffers are undefined by default
mallocGarbage()502 char mallocGarbage () {
503 char *buf = malloc(2);
504 char result = buf[1]; // expected-warning{{undefined}}
505 free(buf);
506 return result;
507 }
508
509 // This tests that calloc() buffers need to be freed
callocNoFree()510 void callocNoFree () {
511 char *buf = calloc(2,2);
512 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
513 }
514
515 // These test that calloc() buffers are zeroed by default
callocZeroesGood()516 char callocZeroesGood () {
517 char *buf = calloc(2,2);
518 char result = buf[3]; // no-warning
519 if (buf[1] == 0) {
520 free(buf);
521 }
522 return result; // no-warning
523 }
524
callocZeroesBad()525 char callocZeroesBad () {
526 char *buf = calloc(2,2);
527 char result = buf[3]; // no-warning
528 if (buf[1] != 0) {
529 free(buf); // expected-warning{{never executed}}
530 }
531 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
532 }
533
nullFree()534 void nullFree() {
535 int *p = 0;
536 free(p); // no warning - a nop
537 }
538
paramFree(int * p)539 void paramFree(int *p) {
540 myfoo(p);
541 free(p); // no warning
542 myfoo(p); // expected-warning {{Use of memory after it is freed}}
543 }
544
mallocEscapeRet()545 int* mallocEscapeRet() {
546 int *p = malloc(12);
547 return p; // no warning
548 }
549
mallocEscapeFoo()550 void mallocEscapeFoo() {
551 int *p = malloc(12);
552 myfoo(p);
553 return; // no warning
554 }
555
mallocEscapeFree()556 void mallocEscapeFree() {
557 int *p = malloc(12);
558 myfoo(p);
559 free(p);
560 }
561
mallocEscapeFreeFree()562 void mallocEscapeFreeFree() {
563 int *p = malloc(12);
564 myfoo(p);
565 free(p);
566 free(p); // expected-warning{{Attempt to free released memory}}
567 }
568
mallocEscapeFreeUse()569 void mallocEscapeFreeUse() {
570 int *p = malloc(12);
571 myfoo(p);
572 free(p);
573 myfoo(p); // expected-warning{{Use of memory after it is freed}}
574 }
575
576 int *myalloc();
577 void myalloc2(int **p);
578
mallocEscapeFreeCustomAlloc()579 void mallocEscapeFreeCustomAlloc() {
580 int *p = malloc(12);
581 myfoo(p);
582 free(p);
583 p = myalloc();
584 free(p); // no warning
585 }
586
mallocEscapeFreeCustomAlloc2()587 void mallocEscapeFreeCustomAlloc2() {
588 int *p = malloc(12);
589 myfoo(p);
590 free(p);
591 myalloc2(&p);
592 free(p); // no warning
593 }
594
mallocBindFreeUse()595 void mallocBindFreeUse() {
596 int *x = malloc(12);
597 int *y = x;
598 free(y);
599 myfoo(x); // expected-warning{{Use of memory after it is freed}}
600 }
601
mallocEscapeMalloc()602 void mallocEscapeMalloc() {
603 int *p = malloc(12);
604 myfoo(p);
605 p = malloc(12);
606 } // expected-warning{{Potential leak of memory pointed to by}}
607
mallocMalloc()608 void mallocMalloc() {
609 int *p = malloc(12);
610 p = malloc(12);
611 } // expected-warning {{Potential leak of memory pointed to by}}
612
mallocFreeMalloc()613 void mallocFreeMalloc() {
614 int *p = malloc(12);
615 free(p);
616 p = malloc(12);
617 free(p);
618 }
619
mallocFreeUse_params()620 void mallocFreeUse_params() {
621 int *p = malloc(12);
622 free(p);
623 myfoo(p); //expected-warning{{Use of memory after it is freed}}
624 }
625
mallocFreeUse_params2()626 void mallocFreeUse_params2() {
627 int *p = malloc(12);
628 free(p);
629 myfooint(*p); //expected-warning{{Use of memory after it is freed}}
630 }
631
mallocFailedOrNot()632 void mallocFailedOrNot() {
633 int *p = malloc(12);
634 if (!p)
635 free(p);
636 else
637 free(p);
638 }
639
640 struct StructWithInt {
641 int g;
642 };
643
mallocReturnFreed()644 int *mallocReturnFreed() {
645 int *p = malloc(12);
646 free(p);
647 return p; // expected-warning {{Use of memory after it is freed}}
648 }
649
useAfterFreeStruct()650 int useAfterFreeStruct() {
651 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
652 px->g = 5;
653 free(px);
654 return px->g; // expected-warning {{Use of memory after it is freed}}
655 }
656
657 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
658
mallocEscapeFooNonSymbolArg()659 void mallocEscapeFooNonSymbolArg() {
660 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
661 nonSymbolAsFirstArg(&p->g, p);
662 return; // no warning
663 }
664
mallocFailedOrNotLeak()665 void mallocFailedOrNotLeak() {
666 int *p = malloc(12);
667 if (p == 0)
668 return; // no warning
669 else
670 return; // expected-warning {{Potential leak of memory pointed to by}}
671 }
672
mallocAssignment()673 void mallocAssignment() {
674 char *p = malloc(12);
675 p = fooRetPtr();
676 } // expected-warning {{leak}}
677
vallocTest()678 int vallocTest() {
679 char *mem = valloc(12);
680 return 0; // expected-warning {{Potential leak of memory pointed to by}}
681 }
682
vallocEscapeFreeUse()683 void vallocEscapeFreeUse() {
684 int *p = valloc(12);
685 myfoo(p);
686 free(p);
687 myfoo(p); // expected-warning{{Use of memory after it is freed}}
688 }
689
690 int *Gl;
691 struct GlStTy {
692 int *x;
693 };
694
695 struct GlStTy GlS = {0};
696
GlobalFree()697 void GlobalFree() {
698 free(Gl);
699 }
700
GlobalMalloc()701 void GlobalMalloc() {
702 Gl = malloc(12);
703 }
704
GlobalStructMalloc()705 void GlobalStructMalloc() {
706 int *a = malloc(12);
707 GlS.x = a;
708 }
709
GlobalStructMallocFree()710 void GlobalStructMallocFree() {
711 int *a = malloc(12);
712 GlS.x = a;
713 free(GlS.x);
714 }
715
716 char *ArrayG[12];
717
globalArrayTest()718 void globalArrayTest() {
719 char *p = (char*)malloc(12);
720 ArrayG[0] = p;
721 }
722
723 // Make sure that we properly handle a pointer stored into a local struct/array.
724 typedef struct _StructWithPtr {
725 int *memP;
726 } StructWithPtr;
727
728 static StructWithPtr arrOfStructs[10];
729
testMalloc()730 void testMalloc() {
731 int *x = malloc(12);
732 StructWithPtr St;
733 St.memP = x;
734 arrOfStructs[0] = St; // no-warning
735 }
736
testMalloc2()737 StructWithPtr testMalloc2() {
738 int *x = malloc(12);
739 StructWithPtr St;
740 St.memP = x;
741 return St; // no-warning
742 }
743
testMalloc3()744 int *testMalloc3() {
745 int *x = malloc(12);
746 int *y = x;
747 return y; // no-warning
748 }
749
testStructLeak()750 void testStructLeak() {
751 StructWithPtr St;
752 St.memP = malloc(12);
753 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
754 }
755
testElemRegion1()756 void testElemRegion1() {
757 char *x = (void*)malloc(2);
758 int *ix = (int*)x;
759 free(&(x[0]));
760 }
761
testElemRegion2(int ** pp)762 void testElemRegion2(int **pp) {
763 int *p = malloc(12);
764 *pp = p;
765 free(pp[0]);
766 }
767
testElemRegion3(int ** pp)768 void testElemRegion3(int **pp) {
769 int *p = malloc(12);
770 *pp = p;
771 free(*pp);
772 }
773 // Region escape testing.
774
775 unsigned takePtrToPtr(int **p);
PassTheAddrOfAllocatedData(int f)776 void PassTheAddrOfAllocatedData(int f) {
777 int *p = malloc(12);
778 // We don't know what happens after the call. Should stop tracking here.
779 if (takePtrToPtr(&p))
780 f++;
781 free(p); // no warning
782 }
783
784 struct X {
785 int *p;
786 };
787 unsigned takePtrToStruct(struct X *s);
foo2(int * g,int f)788 int ** foo2(int *g, int f) {
789 int *p = malloc(12);
790 struct X *px= malloc(sizeof(struct X));
791 px->p = p;
792 // We don't know what happens after this call. Should not track px nor p.
793 if (takePtrToStruct(px))
794 f++;
795 free(p);
796 return 0;
797 }
798
RegInvalidationDetect1(struct X * s2)799 struct X* RegInvalidationDetect1(struct X *s2) {
800 struct X *px= malloc(sizeof(struct X));
801 px->p = 0;
802 px = s2;
803 return px; // expected-warning {{Potential leak of memory pointed to by}}
804 }
805
RegInvalidationGiveUp1()806 struct X* RegInvalidationGiveUp1() {
807 int *p = malloc(12);
808 struct X *px= malloc(sizeof(struct X));
809 px->p = p;
810 return px;
811 }
812
RegInvalidationDetect2(int ** pp)813 int **RegInvalidationDetect2(int **pp) {
814 int *p = malloc(12);
815 pp = &p;
816 pp++;
817 return 0;// expected-warning {{Potential leak of memory pointed to by}}
818 }
819
820 extern void exit(int) __attribute__ ((__noreturn__));
mallocExit(int * g)821 void mallocExit(int *g) {
822 struct xx *p = malloc(12);
823 if (g != 0)
824 exit(1);
825 free(p);
826 return;
827 }
828
829 extern void __assert_fail (__const char *__assertion, __const char *__file,
830 unsigned int __line, __const char *__function)
831 __attribute__ ((__noreturn__));
832 #define assert(expr) \
833 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
mallocAssert(int * g)834 void mallocAssert(int *g) {
835 struct xx *p = malloc(12);
836
837 assert(g != 0);
838 free(p);
839 return;
840 }
841
doNotInvalidateWhenPassedToSystemCalls(char * s)842 void doNotInvalidateWhenPassedToSystemCalls(char *s) {
843 char *p = malloc(12);
844 strlen(p);
845 strcpy(p, s);
846 strcpy(s, p);
847 strcpy(p, p);
848 memcpy(p, s, 1);
849 memcpy(s, p, 1);
850 memcpy(p, p, 1);
851 } // expected-warning {{leak}}
852
853 // Treat source buffer contents as escaped.
escapeSourceContents(char * s)854 void escapeSourceContents(char *s) {
855 char *p = malloc(12);
856 memcpy(s, &p, 12); // no warning
857
858 void *p1 = malloc(7);
859 char *a;
860 memcpy(&a, &p1, sizeof a);
861 // FIXME: No warning due to limitations imposed by current modelling of
862 // 'memcpy' (regions metadata is not copied).
863
864 int *ptrs[2];
865 int *allocated = (int *)malloc(4);
866 memcpy(&ptrs[0], &allocated, sizeof(int *));
867 // FIXME: No warning due to limitations imposed by current modelling of
868 // 'memcpy' (regions metadata is not copied).
869 }
870
invalidateDestinationContents()871 void invalidateDestinationContents() {
872 int *null = 0;
873 int *p = (int *)malloc(4);
874 memcpy(&p, &null, sizeof(int *));
875
876 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}}
877 ptrs1[0] = (int *)malloc(4);
878 memcpy(ptrs1, &null, sizeof(int *));
879
880 int *ptrs2[2]; // expected-warning {{Potential memory leak}}
881 ptrs2[0] = (int *)malloc(4);
882 memcpy(&ptrs2[1], &null, sizeof(int *));
883
884 int *ptrs3[2]; // expected-warning {{Potential memory leak}}
885 ptrs3[0] = (int *)malloc(4);
886 memcpy(&ptrs3[0], &null, sizeof(int *));
887 } // expected-warning {{Potential memory leak}}
888
889 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
symbolLostWithStrcpy(char * s)890 void symbolLostWithStrcpy(char *s) {
891 char *p = malloc(12);
892 p = strcpy(p, s);
893 free(p);
894 }
895
896
897 // The same test as the one above, but with what is actually generated on a mac.
898 static __inline char *
__inline_strcpy_chk(char * restrict __dest,const char * restrict __src)899 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
900 {
901 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
902 }
903
symbolLostWithStrcpy_InlineStrcpyVersion(char * s)904 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
905 char *p = malloc(12);
906 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
907 free(p);
908 }
909
910 // Here we are returning a pointer one past the allocated value. An idiom which
911 // can be used for implementing special malloc. The correct uses of this might
912 // be rare enough so that we could keep this as a warning.
specialMalloc(int n)913 static void *specialMalloc(int n){
914 int *p;
915 p = malloc( n+8 );
916 if( p ){
917 p[0] = n;
918 p++;
919 }
920 return p;
921 }
922
923 // Potentially, the user could free the struct by performing pointer arithmetic on the return value.
924 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
specialMallocWithStruct()925 int *specialMallocWithStruct() {
926 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
927 return &(px->g);
928 }
929
930 // Test various allocation/deallocation functions.
testStrdup(const char * s,unsigned validIndex)931 void testStrdup(const char *s, unsigned validIndex) {
932 char *s2 = strdup(s);
933 s2[validIndex + 1] = 'b';
934 } // expected-warning {{Potential leak of memory pointed to by}}
935
testStrndup(const char * s,unsigned validIndex,unsigned size)936 int testStrndup(const char *s, unsigned validIndex, unsigned size) {
937 char *s2 = strndup(s, size);
938 s2 [validIndex + 1] = 'b';
939 if (s2[validIndex] != 'a')
940 return 0;
941 else
942 return 1;// expected-warning {{Potential leak of memory pointed to by}}
943 }
944
testStrdupContentIsDefined(const char * s,unsigned validIndex)945 void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
946 char *s2 = strdup(s);
947 char result = s2[1];// no warning
948 free(s2);
949 }
950
951 // ----------------------------------------------------------------------------
952 // Test the system library functions to which the pointer can escape.
953 // This tests false positive suppression.
954
955 // For now, we assume memory passed to pthread_specific escapes.
956 // TODO: We could check that if a new pthread binding is set, the existing
957 // binding must be freed; otherwise, a memory leak can occur.
testPthereadSpecificEscape(pthread_key_t key)958 void testPthereadSpecificEscape(pthread_key_t key) {
959 void *buf = malloc(12);
960 pthread_setspecific(key, buf); // no warning
961 }
962
963 // PR12101: Test funopen().
releasePtr(void * _ctx)964 static int releasePtr(void *_ctx) {
965 free(_ctx);
966 return 0;
967 }
useFunOpen()968 FILE *useFunOpen() {
969 void *ctx = malloc(sizeof(int));
970 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
971 if (f == 0) {
972 free(ctx);
973 }
974 return f;
975 }
useFunOpenNoReleaseFunction()976 FILE *useFunOpenNoReleaseFunction() {
977 void *ctx = malloc(sizeof(int));
978 FILE *f = funopen(ctx, 0, 0, 0, 0);
979 if (f == 0) {
980 free(ctx);
981 }
982 return f; // expected-warning{{leak}}
983 }
984
readNothing(void * _ctx,char * buf,int size)985 static int readNothing(void *_ctx, char *buf, int size) {
986 return 0;
987 }
useFunOpenReadNoRelease()988 FILE *useFunOpenReadNoRelease() {
989 void *ctx = malloc(sizeof(int));
990 FILE *f = funopen(ctx, readNothing, 0, 0, 0);
991 if (f == 0) {
992 free(ctx);
993 }
994 return f; // expected-warning{{leak}}
995 }
996
997 // Test setbuf, setvbuf.
my_main_no_warning()998 int my_main_no_warning() {
999 char *p = malloc(100);
1000 setvbuf(stdout, p, 0, 100);
1001 return 0;
1002 }
my_main_no_warning2()1003 int my_main_no_warning2() {
1004 char *p = malloc(100);
1005 setbuf(__stdoutp, p);
1006 return 0;
1007 }
my_main_warn(FILE * f)1008 int my_main_warn(FILE *f) {
1009 char *p = malloc(100);
1010 setvbuf(f, p, 0, 100);
1011 return 0;// expected-warning {{leak}}
1012 }
1013
1014 // <rdar://problem/10978247>.
1015 // some people use stack allocated memory as an optimization to avoid
1016 // a heap allocation for small work sizes. This tests the analyzer's
1017 // understanding that the malloc'ed memory is not the same as stackBuffer.
radar10978247(int myValueSize)1018 void radar10978247(int myValueSize) {
1019 char stackBuffer[128];
1020 char *buffer;
1021
1022 if (myValueSize <= sizeof(stackBuffer))
1023 buffer = stackBuffer;
1024 else
1025 buffer = malloc(myValueSize);
1026
1027 // do stuff with the buffer
1028 if (buffer != stackBuffer)
1029 free(buffer);
1030 }
1031
radar10978247_positive(int myValueSize)1032 void radar10978247_positive(int myValueSize) {
1033 char stackBuffer[128];
1034 char *buffer;
1035
1036 if (myValueSize <= sizeof(stackBuffer))
1037 buffer = stackBuffer;
1038 else
1039 buffer = malloc(myValueSize);
1040
1041 // do stuff with the buffer
1042 if (buffer == stackBuffer)
1043 return;
1044 else
1045 return; // expected-warning {{leak}}
1046 }�
1047 // <rdar://problem/11269741> Previously this triggered a false positive
1048 // because malloc() is known to return uninitialized memory and the binding
1049 // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
1050 struct rdar11269741_a_t {
1051 struct rdar11269741_b_t {
1052 int m;
1053 } n;
1054 };
1055
rdar11269741(struct rdar11269741_b_t o)1056 int rdar11269741(struct rdar11269741_b_t o)
1057 {
1058 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
1059 p->n = o;
1060 return p->n.m; // expected-warning {{leak}}
1061 }
1062
1063 // Pointer arithmetic, returning an ElementRegion.
radar11329382(unsigned bl)1064 void *radar11329382(unsigned bl) {
1065 void *ptr = malloc (16);
1066 ptr = ptr + (2 - bl);
1067 return ptr; // no warning
1068 }
1069
1070 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
1071 int strcmp(const char *, const char *);
1072 char *a (void);
radar11270219(void)1073 void radar11270219(void) {
1074 char *x = a(), *y = a();
1075 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
1076 strcmp(x, y); // no warning
1077 }
1078
radar_11358224_test_double_assign_ints_positive_2()1079 void radar_11358224_test_double_assign_ints_positive_2()
1080 {
1081 void *ptr = malloc(16);
1082 ptr = ptr;
1083 } // expected-warning {{leak}}
1084
1085 // Assume that functions which take a function pointer can free memory even if
1086 // they are defined in system headers and take the const pointer to the
1087 // allocated memory. (radar://11160612)
1088 int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
r11160612_1()1089 void r11160612_1() {
1090 char *x = malloc(12);
1091 const_ptr_and_callback(0, x, 12, free); // no - warning
1092 }
1093
1094 // Null is passed as callback.
r11160612_2()1095 void r11160612_2() {
1096 char *x = malloc(12);
1097 const_ptr_and_callback(0, x, 12, 0);
1098 } // expected-warning {{leak}}
1099
1100 // Callback is passed to a function defined in a system header.
r11160612_4()1101 void r11160612_4() {
1102 char *x = malloc(12);
1103 sqlite3_bind_text_my(0, x, 12, free); // no - warning
1104 }
1105
1106 // Passing callbacks in a struct.
r11160612_5(StWithCallback St)1107 void r11160612_5(StWithCallback St) {
1108 void *x = malloc(12);
1109 dealocateMemWhenDoneByVal(x, St);
1110 }
r11160612_6(StWithCallback St)1111 void r11160612_6(StWithCallback St) {
1112 void *x = malloc(12);
1113 dealocateMemWhenDoneByRef(&St, x);
1114 }
1115
1116 int mySub(int, int);
1117 int myAdd(int, int);
fPtr(unsigned cond,int x)1118 int fPtr(unsigned cond, int x) {
1119 return (cond ? mySub : myAdd)(x, x);
1120 }
1121
1122 // Test anti-aliasing.
1123
dependsOnValueOfPtr(int * g,unsigned f)1124 void dependsOnValueOfPtr(int *g, unsigned f) {
1125 int *p;
1126
1127 if (f) {
1128 p = g;
1129 } else {
1130 p = malloc(12);
1131 }
1132
1133 if (p != g)
1134 free(p);
1135 else
1136 return; // no warning
1137 return;
1138 }
1139
CMPRegionHeapToStack()1140 int CMPRegionHeapToStack() {
1141 int x = 0;
1142 int *x1 = malloc(8);
1143 int *x2 = &x;
1144 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
1145 free(x1);
1146 return x;
1147 }
1148
CMPRegionHeapToHeap2()1149 int CMPRegionHeapToHeap2() {
1150 int x = 0;
1151 int *x1 = malloc(8);
1152 int *x2 = malloc(8);
1153 int *x4 = x1;
1154 int *x5 = x2;
1155 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
1156 free(x1);
1157 free(x2);
1158 return x;
1159 }
1160
CMPRegionHeapToHeap()1161 int CMPRegionHeapToHeap() {
1162 int x = 0;
1163 int *x1 = malloc(8);
1164 int *x4 = x1;
1165 if (x1 == x4) {
1166 free(x1);
1167 return 5/x; // expected-warning{{Division by zero}}
1168 }
1169 return x;// expected-warning{{This statement is never executed}}
1170 }
1171
HeapAssignment()1172 int HeapAssignment() {
1173 int m = 0;
1174 int *x = malloc(4);
1175 int *y = x;
1176 *x = 5;
1177 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
1178 free(x);
1179 return 0;
1180 }
1181
1182 int *retPtr();
1183 int *retPtrMightAlias(int *x);
cmpHeapAllocationToUnknown()1184 int cmpHeapAllocationToUnknown() {
1185 int zero = 0;
1186 int *yBefore = retPtr();
1187 int *m = malloc(8);
1188 int *yAfter = retPtrMightAlias(m);
1189 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
1190 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
1191 free(m);
1192 return 0;
1193 }
1194
localArrayTest()1195 void localArrayTest() {
1196 char *p = (char*)malloc(12);
1197 char *ArrayL[12];
1198 ArrayL[0] = p;
1199 } // expected-warning {{leak}}
1200
localStructTest()1201 void localStructTest() {
1202 StructWithPtr St;
1203 StructWithPtr *pSt = &St;
1204 pSt->memP = malloc(12);
1205 } // expected-warning{{Potential leak of memory pointed to by}}
1206
1207 #ifdef __INTPTR_TYPE__
1208 // Test double assignment through integers.
1209 typedef __INTPTR_TYPE__ intptr_t;
1210 typedef unsigned __INTPTR_TYPE__ uintptr_t;
1211
1212 static intptr_t glob;
test_double_assign_ints()1213 void test_double_assign_ints()
1214 {
1215 void *ptr = malloc (16); // no-warning
1216 glob = (intptr_t)(uintptr_t)ptr;
1217 }
1218
test_double_assign_ints_positive()1219 void test_double_assign_ints_positive()
1220 {
1221 void *ptr = malloc(16);
1222 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
1223 } // expected-warning {{leak}}
1224 #endif
1225
testCGContextNoLeak()1226 void testCGContextNoLeak()
1227 {
1228 void *ptr = malloc(16);
1229 CGContextRef context = CGBitmapContextCreate(ptr);
1230
1231 // Because you can get the data back out like this, even much later,
1232 // CGBitmapContextCreate is one of our "stop-tracking" exceptions.
1233 free(CGBitmapContextGetData(context));
1234 }
1235
testCGContextLeak()1236 void testCGContextLeak()
1237 {
1238 void *ptr = malloc(16);
1239 CGContextRef context = CGBitmapContextCreate(ptr);
1240 // However, this time we're just leaking the data, because the context
1241 // object doesn't escape and it hasn't been freed in this function.
1242 }
1243
1244 // Allow xpc context to escape. radar://11635258
1245 // TODO: Would be great if we checked that the finalize_connection_context actually releases it.
finalize_connection_context(void * ctx)1246 static void finalize_connection_context(void *ctx) {
1247 int *context = ctx;
1248 free(context);
1249 }
foo(xpc_connection_t peer)1250 void foo (xpc_connection_t peer) {
1251 int *ctx = calloc(1, sizeof(int));
1252 xpc_connection_set_context(peer, ctx);
1253 xpc_connection_set_finalizer_f(peer, finalize_connection_context);
1254 xpc_connection_resume(peer);
1255 }
1256
1257 // Make sure we catch errors when we free in a function which does not allocate memory.
freeButNoMalloc(int * p,int x)1258 void freeButNoMalloc(int *p, int x){
1259 if (x) {
1260 free(p);
1261 //user forgot a return here.
1262 }
1263 free(p); // expected-warning {{Attempt to free released memory}}
1264 }
1265
1266 struct HasPtr {
1267 char *p;
1268 };
1269
reallocButNoMalloc(struct HasPtr * a,int c,int size)1270 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1271 int *s;
1272 char *b = realloc(a->p, size);
1273 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1274 return a->p;
1275 }
1276
1277 // We should not warn in this case since the caller will presumably free a->p in all cases.
reallocButNoMallocPR13674(struct HasPtr * a,int c,int size)1278 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1279 int *s;
1280 char *b = realloc(a->p, size);
1281 if (b == 0)
1282 return -1;
1283 a->p = b;
1284 return 0;
1285 }
1286
1287 // Test realloc with no visible malloc.
test(void * ptr)1288 void *test(void *ptr) {
1289 void *newPtr = realloc(ptr, 4);
1290 if (newPtr == 0) {
1291 if (ptr)
1292 free(ptr); // no-warning
1293 }
1294 return newPtr;
1295 }
1296
1297
testLeakWithinReturn(char * str)1298 char *testLeakWithinReturn(char *str) {
1299 return strdup(strdup(str)); // expected-warning{{leak}}
1300 }
1301
1302 void passConstPtr(const char * ptr);
1303
testPassConstPointer()1304 void testPassConstPointer() {
1305 char * string = malloc(sizeof(char)*10);
1306 passConstPtr(string);
1307 return; // expected-warning {{leak}}
1308 }
1309
testPassConstPointerIndirectly()1310 void testPassConstPointerIndirectly() {
1311 char *p = malloc(1);
1312 p++;
1313 memcmp(p, p, sizeof(&p));
1314 return; // expected-warning {{leak}}
1315 }
1316
testPassConstPointerIndirectlyStruct()1317 void testPassConstPointerIndirectlyStruct() {
1318 struct HasPtr hp;
1319 hp.p = malloc(10);
1320 memcmp(&hp, &hp, sizeof(hp));
1321 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
1322 }
1323
testPassToSystemHeaderFunctionIndirectlyStruct()1324 void testPassToSystemHeaderFunctionIndirectlyStruct() {
1325 SomeStruct ss;
1326 ss.p = malloc(1);
1327 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1328 // Technically a false negative here -- we know the system function won't free
1329 // ss.p, but nothing else will either!
1330 } // no-warning
1331
testPassToSystemHeaderFunctionIndirectlyStructFree()1332 void testPassToSystemHeaderFunctionIndirectlyStructFree() {
1333 SomeStruct ss;
1334 ss.p = malloc(1);
1335 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1336 free(ss.p);
1337 } // no-warning
1338
testPassToSystemHeaderFunctionIndirectlyArray()1339 void testPassToSystemHeaderFunctionIndirectlyArray() {
1340 int *p[1];
1341 p[0] = malloc(sizeof(int));
1342 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1343 // Technically a false negative here -- we know the system function won't free
1344 // p[0], but nothing else will either!
1345 } // no-warning
1346
testPassToSystemHeaderFunctionIndirectlyArrayFree()1347 void testPassToSystemHeaderFunctionIndirectlyArrayFree() {
1348 int *p[1];
1349 p[0] = malloc(sizeof(int));
1350 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1351 free(p[0]);
1352 } // no-warning
1353
testOffsetAllocate(size_t size)1354 int *testOffsetAllocate(size_t size) {
1355 int *memoryBlock = (int *)malloc(size + sizeof(int));
1356 return &memoryBlock[1]; // no-warning
1357 }
1358
testOffsetDeallocate(int * memoryBlock)1359 void testOffsetDeallocate(int *memoryBlock) {
1360 free(&memoryBlock[-1]); // no-warning
1361 }
1362
testOffsetOfRegionFreed()1363 void testOffsetOfRegionFreed() {
1364 __int64_t * array = malloc(sizeof(__int64_t)*2);
1365 array += 1;
1366 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1367 }
1368
testOffsetOfRegionFreed2()1369 void testOffsetOfRegionFreed2() {
1370 __int64_t *p = malloc(sizeof(__int64_t)*2);
1371 p += 1;
1372 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1373 }
1374
testOffsetOfRegionFreed3()1375 void testOffsetOfRegionFreed3() {
1376 char *r = malloc(sizeof(char));
1377 r = r - 10;
1378 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
1379 }
1380
testOffsetOfRegionFreedAfterFunctionCall()1381 void testOffsetOfRegionFreedAfterFunctionCall() {
1382 int *p = malloc(sizeof(int)*2);
1383 p += 1;
1384 myfoo(p);
1385 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
1386 }
1387
testFixManipulatedPointerBeforeFree()1388 void testFixManipulatedPointerBeforeFree() {
1389 int * array = malloc(sizeof(int)*2);
1390 array += 1;
1391 free(&array[-1]); // no-warning
1392 }
1393
testFixManipulatedPointerBeforeFree2()1394 void testFixManipulatedPointerBeforeFree2() {
1395 char *r = malloc(sizeof(char));
1396 r = r + 10;
1397 free(r-10); // no-warning
1398 }
1399
freeOffsetPointerPassedToFunction()1400 void freeOffsetPointerPassedToFunction() {
1401 __int64_t *p = malloc(sizeof(__int64_t)*2);
1402 p[1] = 0;
1403 p += 1;
1404 myfooint(*p); // not passing the pointer, only a value pointed by pointer
1405 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1406 }
1407
1408 int arbitraryInt();
freeUnknownOffsetPointer()1409 void freeUnknownOffsetPointer() {
1410 char *r = malloc(sizeof(char));
1411 r = r + arbitraryInt(); // unable to reason about what the offset might be
1412 free(r); // no-warning
1413 }
1414
testFreeNonMallocPointerWithNoOffset()1415 void testFreeNonMallocPointerWithNoOffset() {
1416 char c;
1417 char *r = &c;
1418 r = r + 10;
1419 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1420 }
1421
testFreeNonMallocPointerWithOffset()1422 void testFreeNonMallocPointerWithOffset() {
1423 char c;
1424 char *r = &c;
1425 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1426 }
1427
testOffsetZeroDoubleFree()1428 void testOffsetZeroDoubleFree() {
1429 int *array = malloc(sizeof(int)*2);
1430 int *p = &array[0];
1431 free(p);
1432 free(&array[0]); // expected-warning{{Attempt to free released memory}}
1433 }
1434
testOffsetPassedToStrlen()1435 void testOffsetPassedToStrlen() {
1436 char * string = malloc(sizeof(char)*10);
1437 string += 1;
1438 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
1439 }
1440
testOffsetPassedToStrlenThenFree()1441 void testOffsetPassedToStrlenThenFree() {
1442 char * string = malloc(sizeof(char)*10);
1443 string += 1;
1444 int length = strlen(string);
1445 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1446 }
1447
testOffsetPassedAsConst()1448 void testOffsetPassedAsConst() {
1449 char * string = malloc(sizeof(char)*10);
1450 string += 1;
1451 passConstPtr(string);
1452 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1453 }
1454
1455 char **_vectorSegments;
1456 int _nVectorSegments;
1457
poolFreeC(void * s)1458 void poolFreeC(void* s) {
1459 free(s); // no-warning
1460 }
freeMemory()1461 void freeMemory() {
1462 while (_nVectorSegments) {
1463 poolFreeC(_vectorSegments[_nVectorSegments++]);
1464 }
1465 }
1466
1467 // PR16730
testReallocEscaped(void ** memory)1468 void testReallocEscaped(void **memory) {
1469 *memory = malloc(47);
1470 char *new_memory = realloc(*memory, 47);
1471 if (new_memory != 0) {
1472 *memory = new_memory;
1473 }
1474 }
1475
1476 // PR16558
smallocNoWarn(size_t size)1477 void *smallocNoWarn(size_t size) {
1478 if (size == 0) {
1479 return malloc(1); // this branch is never called
1480 }
1481 else {
1482 return malloc(size);
1483 }
1484 }
1485
dupstrNoWarn(const char * s)1486 char *dupstrNoWarn(const char *s) {
1487 const int len = strlen(s);
1488 char *p = (char*) smallocNoWarn(len + 1);
1489 strcpy(p, s); // no-warning
1490 return p;
1491 }
1492
smallocWarn(size_t size)1493 void *smallocWarn(size_t size) {
1494 if (size == 2) {
1495 return malloc(1);
1496 }
1497 else {
1498 return malloc(size);
1499 }
1500 }
1501
dupstrWarn(const char * s)1502 char *dupstrWarn(const char *s) {
1503 const int len = strlen(s);
1504 char *p = (char*) smallocWarn(len + 1);
1505 strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}}
1506 return p;
1507 }
1508
radar15580979()1509 int *radar15580979() {
1510 int *data = (int *)malloc(32);
1511 int *p = data ?: (int*)malloc(32); // no warning
1512 return p;
1513 }
1514
1515 // ----------------------------------------------------------------------------
1516 // False negatives.
1517
testMallocWithParam(int ** p)1518 void testMallocWithParam(int **p) {
1519 *p = (int*) malloc(sizeof(int));
1520 *p = 0; // FIXME: should warn here
1521 }
1522
testMallocWithParam_2(int ** p)1523 void testMallocWithParam_2(int **p) {
1524 *p = (int*) malloc(sizeof(int)); // no-warning
1525 }
1526
testPassToSystemHeaderFunctionIndirectly()1527 void testPassToSystemHeaderFunctionIndirectly() {
1528 int *p = malloc(4);
1529 p++;
1530 fakeSystemHeaderCallInt(p);
1531 // FIXME: This is a leak: if we think a system function won't free p, it
1532 // won't free (p-1) either.
1533 }
1534