1 // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
2
3 #include "Inputs/system-header-simulator.h"
4
5 void clang_analyzer_eval(int);
6
7 typedef __typeof(sizeof(int)) size_t;
8 void *malloc(size_t);
9 void *alloca(size_t);
10 void *valloc(size_t);
11 void free(void *);
12 void *realloc(void *ptr, size_t size);
13 void *reallocf(void *ptr, size_t size);
14 void *calloc(size_t nmemb, size_t size);
15 char *strdup(const char *s);
16 char *strndup(const char *s, size_t n);
17 int memcmp(const void *s1, const void *s2, size_t n);
18
19 void myfoo(int *p);
20 void myfooint(int p);
21 char *fooRetPtr();
22
f1()23 void f1() {
24 int *p = malloc(12);
25 return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
26 }
27
f2()28 void f2() {
29 int *p = malloc(12);
30 free(p);
31 free(p); // expected-warning{{Attempt to free released memory}}
32 }
33
f2_realloc_0()34 void f2_realloc_0() {
35 int *p = malloc(12);
36 realloc(p,0);
37 realloc(p,0); // expected-warning{{Attempt to free released memory}}
38 }
39
f2_realloc_1()40 void f2_realloc_1() {
41 int *p = malloc(12);
42 int *q = realloc(p,0); // no-warning
43 }
44
reallocNotNullPtr(unsigned sizeIn)45 void reallocNotNullPtr(unsigned sizeIn) {
46 unsigned size = 12;
47 char *p = (char*)malloc(size);
48 if (p) {
49 char *q = (char*)realloc(p, sizeIn);
50 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
51 }
52 }
53
allocaTest()54 void allocaTest() {
55 int *p = alloca(sizeof(int));
56 } // no warn
57
allocaBuiltinTest()58 void allocaBuiltinTest() {
59 int *p = __builtin_alloca(sizeof(int));
60 } // no warn
61
realloctest1()62 int *realloctest1() {
63 int *q = malloc(12);
64 q = realloc(q, 20);
65 return q; // no warning - returning the allocated value
66 }
67
68 // p should be freed if realloc fails.
reallocFails()69 void reallocFails() {
70 char *p = malloc(12);
71 char *r = realloc(p, 12+1);
72 if (!r) {
73 free(p);
74 } else {
75 free(r);
76 }
77 }
78
reallocSizeZero1()79 void reallocSizeZero1() {
80 char *p = malloc(12);
81 char *r = realloc(p, 0);
82 if (!r) {
83 free(p); // expected-warning {{Attempt to free released memory}}
84 } else {
85 free(r);
86 }
87 }
88
reallocSizeZero2()89 void reallocSizeZero2() {
90 char *p = malloc(12);
91 char *r = realloc(p, 0);
92 if (!r) {
93 free(p); // expected-warning {{Attempt to free released memory}}
94 } else {
95 free(r);
96 }
97 free(p); // expected-warning {{Attempt to free released memory}}
98 }
99
reallocSizeZero3()100 void reallocSizeZero3() {
101 char *p = malloc(12);
102 char *r = realloc(p, 0);
103 free(r);
104 }
105
reallocSizeZero4()106 void reallocSizeZero4() {
107 char *r = realloc(0, 0);
108 free(r);
109 }
110
reallocSizeZero5()111 void reallocSizeZero5() {
112 char *r = realloc(0, 0);
113 }
114
reallocPtrZero1()115 void reallocPtrZero1() {
116 char *r = realloc(0, 12);
117 } // expected-warning {{Potential leak of memory pointed to by 'r'}}
118
reallocPtrZero2()119 void reallocPtrZero2() {
120 char *r = realloc(0, 12);
121 if (r)
122 free(r);
123 }
124
reallocPtrZero3()125 void reallocPtrZero3() {
126 char *r = realloc(0, 12);
127 free(r);
128 }
129
reallocRadar6337483_1()130 void reallocRadar6337483_1() {
131 char *buf = malloc(100);
132 buf = (char*)realloc(buf, 0x1000000);
133 if (!buf) {
134 return;// expected-warning {{Potential leak of memory pointed to by}}
135 }
136 free(buf);
137 }
138
reallocRadar6337483_2()139 void reallocRadar6337483_2() {
140 char *buf = malloc(100);
141 char *buf2 = (char*)realloc(buf, 0x1000000);
142 if (!buf2) {
143 ;
144 } else {
145 free(buf2);
146 }
147 } // expected-warning {{Potential leak of memory pointed to by}}
148
reallocRadar6337483_3()149 void reallocRadar6337483_3() {
150 char * buf = malloc(100);
151 char * tmp;
152 tmp = (char*)realloc(buf, 0x1000000);
153 if (!tmp) {
154 free(buf);
155 return;
156 }
157 buf = tmp;
158 free(buf);
159 }
160
reallocRadar6337483_4()161 void reallocRadar6337483_4() {
162 char *buf = malloc(100);
163 char *buf2 = (char*)realloc(buf, 0x1000000);
164 if (!buf2) {
165 return; // expected-warning {{Potential leak of memory pointed to by}}
166 } else {
167 free(buf2);
168 }
169 }
170
reallocfTest1()171 int *reallocfTest1() {
172 int *q = malloc(12);
173 q = reallocf(q, 20);
174 return q; // no warning - returning the allocated value
175 }
176
reallocfRadar6337483_4()177 void reallocfRadar6337483_4() {
178 char *buf = malloc(100);
179 char *buf2 = (char*)reallocf(buf, 0x1000000);
180 if (!buf2) {
181 return; // no warning - reallocf frees even on failure
182 } else {
183 free(buf2);
184 }
185 }
186
reallocfRadar6337483_3()187 void reallocfRadar6337483_3() {
188 char * buf = malloc(100);
189 char * tmp;
190 tmp = (char*)reallocf(buf, 0x1000000);
191 if (!tmp) {
192 free(buf); // expected-warning {{Attempt to free released memory}}
193 return;
194 }
195 buf = tmp;
196 free(buf);
197 }
198
reallocfPtrZero1()199 void reallocfPtrZero1() {
200 char *r = reallocf(0, 12);
201 } // expected-warning {{Potential leak of memory pointed to by}}
202
203 //------------------- Check usage of zero-allocated memory ---------------------
CheckUseZeroAllocatedNoWarn1()204 void CheckUseZeroAllocatedNoWarn1() {
205 int *p = malloc(0);
206 free(p); // no warning
207 }
208
CheckUseZeroAllocatedNoWarn2()209 void CheckUseZeroAllocatedNoWarn2() {
210 int *p = alloca(0); // no warning
211 }
212
CheckUseZeroAllocatedNoWarn3()213 void CheckUseZeroAllocatedNoWarn3() {
214 int *p = malloc(0);
215 int *q = realloc(p, 8); // no warning
216 free(q);
217 }
218
CheckUseZeroAllocatedNoWarn4()219 void CheckUseZeroAllocatedNoWarn4() {
220 int *p = realloc(0, 8);
221 *p = 1; // no warning
222 free(p);
223 }
224
CheckUseZeroAllocated1()225 void CheckUseZeroAllocated1() {
226 int *p = malloc(0);
227 *p = 1; // expected-warning {{Use of zero-allocated memory}}
228 free(p);
229 }
230
CheckUseZeroAllocated2()231 char CheckUseZeroAllocated2() {
232 char *p = alloca(0);
233 return *p; // expected-warning {{Use of zero-allocated memory}}
234 }
235
UseZeroAllocated(int * p)236 void UseZeroAllocated(int *p) {
237 if (p)
238 *p = 7; // expected-warning {{Use of zero-allocated memory}}
239 }
CheckUseZeroAllocated3()240 void CheckUseZeroAllocated3() {
241 int *p = malloc(0);
242 UseZeroAllocated(p);
243 }
244
245 void f(char);
CheckUseZeroAllocated4()246 void CheckUseZeroAllocated4() {
247 char *p = valloc(0);
248 f(*p); // expected-warning {{Use of zero-allocated memory}}
249 free(p);
250 }
251
CheckUseZeroAllocated5()252 void CheckUseZeroAllocated5() {
253 int *p = calloc(0, 2);
254 *p = 1; // expected-warning {{Use of zero-allocated memory}}
255 free(p);
256 }
257
CheckUseZeroAllocated6()258 void CheckUseZeroAllocated6() {
259 int *p = calloc(2, 0);
260 *p = 1; // expected-warning {{Use of zero-allocated memory}}
261 free(p);
262 }
263
CheckUseZeroAllocated7()264 void CheckUseZeroAllocated7() {
265 int *p = realloc(0, 0);
266 *p = 1; // expected-warning {{Use of zero-allocated memory}}
267 free(p);
268 }
269
CheckUseZeroAllocated8()270 void CheckUseZeroAllocated8() {
271 int *p = malloc(8);
272 int *q = realloc(p, 0);
273 *q = 1; // expected-warning {{Use of zero-allocated memory}}
274 free(q);
275 }
276
CheckUseZeroAllocated9()277 void CheckUseZeroAllocated9() {
278 int *p = realloc(0, 0);
279 int *q = realloc(p, 0);
280 *q = 1; // expected-warning {{Use of zero-allocated memory}}
281 free(q);
282 }
283
CheckUseZeroAllocatedPathNoWarn(_Bool b)284 void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
285 int s = 0;
286 if (b)
287 s= 10;
288
289 char *p = malloc(s);
290
291 if (b)
292 *p = 1; // no warning
293
294 free(p);
295 }
296
CheckUseZeroAllocatedPathWarn(_Bool b)297 void CheckUseZeroAllocatedPathWarn(_Bool b) {
298 int s = 10;
299 if (b)
300 s= 0;
301
302 char *p = malloc(s);
303
304 if (b)
305 *p = 1; // expected-warning {{Use of zero-allocated memory}}
306
307 free(p);
308 }
309
CheckUseZeroReallocatedPathNoWarn(_Bool b)310 void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
311 int s = 0;
312 if (b)
313 s= 10;
314
315 char *p = malloc(8);
316 char *q = realloc(p, s);
317
318 if (b)
319 *q = 1; // no warning
320
321 free(q);
322 }
323
CheckUseZeroReallocatedPathWarn(_Bool b)324 void CheckUseZeroReallocatedPathWarn(_Bool b) {
325 int s = 10;
326 if (b)
327 s= 0;
328
329 char *p = malloc(8);
330 char *q = realloc(p, s);
331
332 if (b)
333 *q = 1; // expected-warning {{Use of zero-allocated memory}}
334
335 free(q);
336 }
337
338 // This case tests that storing malloc'ed memory to a static variable which is
339 // then returned is not leaked. In the absence of known contracts for functions
340 // or inter-procedural analysis, this is a conservative answer.
f3()341 int *f3() {
342 static int *p = 0;
343 p = malloc(12);
344 return p; // no-warning
345 }
346
347 // This case tests that storing malloc'ed memory to a static global variable
348 // which is then returned is not leaked. In the absence of known contracts for
349 // functions or inter-procedural analysis, this is a conservative answer.
350 static int *p_f4 = 0;
f4()351 int *f4() {
352 p_f4 = malloc(12);
353 return p_f4; // no-warning
354 }
355
f5()356 int *f5() {
357 int *q = malloc(12);
358 q = realloc(q, 20);
359 return q; // no-warning
360 }
361
f6()362 void f6() {
363 int *p = malloc(12);
364 if (!p)
365 return; // no-warning
366 else
367 free(p);
368 }
369
f6_realloc()370 void f6_realloc() {
371 int *p = malloc(12);
372 if (!p)
373 return; // no-warning
374 else
375 realloc(p,0);
376 }
377
378
379 char *doit2();
pr6069()380 void pr6069() {
381 char *buf = doit2();
382 free(buf);
383 }
384
pr6293()385 void pr6293() {
386 free(0);
387 }
388
f7()389 void f7() {
390 char *x = (char*) malloc(4);
391 free(x);
392 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
393 }
394
f8()395 void f8() {
396 char *x = (char*) malloc(4);
397 free(x);
398 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
399 }
400
f7_realloc()401 void f7_realloc() {
402 char *x = (char*) malloc(4);
403 realloc(x,0);
404 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
405 }
406
PR6123()407 void PR6123() {
408 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
409 }
410
PR7217()411 void PR7217() {
412 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
413 buf[1] = 'c'; // not crash
414 }
415
cast_emtpy_struct()416 void cast_emtpy_struct() {
417 struct st {
418 };
419
420 struct st *s = malloc(sizeof(struct st)); // no-warning
421 free(s);
422 }
423
cast_struct_1()424 void cast_struct_1() {
425 struct st {
426 int i[100];
427 char j[];
428 };
429
430 struct st *s = malloc(sizeof(struct st)); // no-warning
431 free(s);
432 }
433
cast_struct_2()434 void cast_struct_2() {
435 struct st {
436 int i[100];
437 char j[0];
438 };
439
440 struct st *s = malloc(sizeof(struct st)); // no-warning
441 free(s);
442 }
443
cast_struct_3()444 void cast_struct_3() {
445 struct st {
446 int i[100];
447 char j[1];
448 };
449
450 struct st *s = malloc(sizeof(struct st)); // no-warning
451 free(s);
452 }
453
cast_struct_4()454 void cast_struct_4() {
455 struct st {
456 int i[100];
457 char j[2];
458 };
459
460 struct st *s = malloc(sizeof(struct st)); // no-warning
461 free(s);
462 }
463
cast_struct_5()464 void cast_struct_5() {
465 struct st {
466 char i[200];
467 char j[1];
468 };
469
470 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning
471 free(s);
472 }
473
cast_struct_warn_1()474 void cast_struct_warn_1() {
475 struct st {
476 int i[100];
477 char j[2];
478 };
479
480 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
481 free(s);
482 }
483
cast_struct_warn_2()484 void cast_struct_warn_2() {
485 struct st {
486 int i[100];
487 char j[2];
488 };
489
490 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
491 free(s);
492 }
493
cast_struct_flex_array_1()494 void cast_struct_flex_array_1() {
495 struct st {
496 int i[100];
497 char j[];
498 };
499
500 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
501 free(s);
502 }
503
cast_struct_flex_array_2()504 void cast_struct_flex_array_2() {
505 struct st {
506 int i[100];
507 char j[0];
508 };
509
510 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
511 free(s);
512 }
513
cast_struct_flex_array_3()514 void cast_struct_flex_array_3() {
515 struct st {
516 int i[100];
517 char j[1];
518 };
519
520 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
521 free(s);
522 }
523
cast_struct_flex_array_4()524 void cast_struct_flex_array_4() {
525 struct foo {
526 char f[32];
527 };
528 struct st {
529 char i[100];
530 struct foo data[];
531 };
532
533 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
534 free(s);
535 }
536
cast_struct_flex_array_5()537 void cast_struct_flex_array_5() {
538 struct foo {
539 char f[32];
540 };
541 struct st {
542 char i[100];
543 struct foo data[0];
544 };
545
546 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
547 free(s);
548 }
549
cast_struct_flex_array_6()550 void cast_struct_flex_array_6() {
551 struct foo {
552 char f[32];
553 };
554 struct st {
555 char i[100];
556 struct foo data[1];
557 };
558
559 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
560 free(s);
561 }
562
cast_struct_flex_array_warn_1()563 void cast_struct_flex_array_warn_1() {
564 struct foo {
565 char f[32];
566 };
567 struct st {
568 char i[100];
569 struct foo data[];
570 };
571
572 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
573 free(s);
574 }
575
cast_struct_flex_array_warn_2()576 void cast_struct_flex_array_warn_2() {
577 struct foo {
578 char f[32];
579 };
580 struct st {
581 char i[100];
582 struct foo data[0];
583 };
584
585 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
586 free(s);
587 }
588
cast_struct_flex_array_warn_3()589 void cast_struct_flex_array_warn_3() {
590 struct foo {
591 char f[32];
592 };
593 struct st {
594 char i[100];
595 struct foo data[1];
596 };
597
598 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
599 free(s);
600 }
601
cast_struct_flex_array_warn_4()602 void cast_struct_flex_array_warn_4() {
603 struct st {
604 int i[100];
605 int j[];
606 };
607
608 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
609 free(s);
610 }
611
cast_struct_flex_array_warn_5()612 void cast_struct_flex_array_warn_5() {
613 struct st {
614 int i[100];
615 int j[0];
616 };
617
618 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
619 free(s);
620 }
621
cast_struct_flex_array_warn_6()622 void cast_struct_flex_array_warn_6() {
623 struct st {
624 int i[100];
625 int j[1];
626 };
627
628 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
629 free(s);
630 }
631
mallocCastToVoid()632 void mallocCastToVoid() {
633 void *p = malloc(2);
634 const void *cp = p; // not crash
635 free(p);
636 }
637
mallocCastToFP()638 void mallocCastToFP() {
639 void *p = malloc(2);
640 void (*fp)() = p; // not crash
641 free(p);
642 }
643
644 // This tests that malloc() buffers are undefined by default
mallocGarbage()645 char mallocGarbage () {
646 char *buf = malloc(2);
647 char result = buf[1]; // expected-warning{{undefined}}
648 free(buf);
649 return result;
650 }
651
652 // This tests that calloc() buffers need to be freed
callocNoFree()653 void callocNoFree () {
654 char *buf = calloc(2,2);
655 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
656 }
657
658 // These test that calloc() buffers are zeroed by default
callocZeroesGood()659 char callocZeroesGood () {
660 char *buf = calloc(2,2);
661 char result = buf[3]; // no-warning
662 if (buf[1] == 0) {
663 free(buf);
664 }
665 return result; // no-warning
666 }
667
callocZeroesBad()668 char callocZeroesBad () {
669 char *buf = calloc(2,2);
670 char result = buf[3]; // no-warning
671 if (buf[1] != 0) {
672 free(buf); // expected-warning{{never executed}}
673 }
674 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
675 }
676
nullFree()677 void nullFree() {
678 int *p = 0;
679 free(p); // no warning - a nop
680 }
681
paramFree(int * p)682 void paramFree(int *p) {
683 myfoo(p);
684 free(p); // no warning
685 myfoo(p); // expected-warning {{Use of memory after it is freed}}
686 }
687
mallocEscapeRet()688 int* mallocEscapeRet() {
689 int *p = malloc(12);
690 return p; // no warning
691 }
692
mallocEscapeFoo()693 void mallocEscapeFoo() {
694 int *p = malloc(12);
695 myfoo(p);
696 return; // no warning
697 }
698
mallocEscapeFree()699 void mallocEscapeFree() {
700 int *p = malloc(12);
701 myfoo(p);
702 free(p);
703 }
704
mallocEscapeFreeFree()705 void mallocEscapeFreeFree() {
706 int *p = malloc(12);
707 myfoo(p);
708 free(p);
709 free(p); // expected-warning{{Attempt to free released memory}}
710 }
711
mallocEscapeFreeUse()712 void mallocEscapeFreeUse() {
713 int *p = malloc(12);
714 myfoo(p);
715 free(p);
716 myfoo(p); // expected-warning{{Use of memory after it is freed}}
717 }
718
719 int *myalloc();
720 void myalloc2(int **p);
721
mallocEscapeFreeCustomAlloc()722 void mallocEscapeFreeCustomAlloc() {
723 int *p = malloc(12);
724 myfoo(p);
725 free(p);
726 p = myalloc();
727 free(p); // no warning
728 }
729
mallocEscapeFreeCustomAlloc2()730 void mallocEscapeFreeCustomAlloc2() {
731 int *p = malloc(12);
732 myfoo(p);
733 free(p);
734 myalloc2(&p);
735 free(p); // no warning
736 }
737
mallocBindFreeUse()738 void mallocBindFreeUse() {
739 int *x = malloc(12);
740 int *y = x;
741 free(y);
742 myfoo(x); // expected-warning{{Use of memory after it is freed}}
743 }
744
mallocEscapeMalloc()745 void mallocEscapeMalloc() {
746 int *p = malloc(12);
747 myfoo(p);
748 p = malloc(12);
749 } // expected-warning{{Potential leak of memory pointed to by}}
750
mallocMalloc()751 void mallocMalloc() {
752 int *p = malloc(12);
753 p = malloc(12);
754 } // expected-warning {{Potential leak of memory pointed to by}}
755
mallocFreeMalloc()756 void mallocFreeMalloc() {
757 int *p = malloc(12);
758 free(p);
759 p = malloc(12);
760 free(p);
761 }
762
mallocFreeUse_params()763 void mallocFreeUse_params() {
764 int *p = malloc(12);
765 free(p);
766 myfoo(p); //expected-warning{{Use of memory after it is freed}}
767 }
768
mallocFreeUse_params2()769 void mallocFreeUse_params2() {
770 int *p = malloc(12);
771 free(p);
772 myfooint(*p); //expected-warning{{Use of memory after it is freed}}
773 }
774
mallocFailedOrNot()775 void mallocFailedOrNot() {
776 int *p = malloc(12);
777 if (!p)
778 free(p);
779 else
780 free(p);
781 }
782
783 struct StructWithInt {
784 int g;
785 };
786
mallocReturnFreed()787 int *mallocReturnFreed() {
788 int *p = malloc(12);
789 free(p);
790 return p; // expected-warning {{Use of memory after it is freed}}
791 }
792
useAfterFreeStruct()793 int useAfterFreeStruct() {
794 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
795 px->g = 5;
796 free(px);
797 return px->g; // expected-warning {{Use of memory after it is freed}}
798 }
799
800 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
801
mallocEscapeFooNonSymbolArg()802 void mallocEscapeFooNonSymbolArg() {
803 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
804 nonSymbolAsFirstArg(&p->g, p);
805 return; // no warning
806 }
807
mallocFailedOrNotLeak()808 void mallocFailedOrNotLeak() {
809 int *p = malloc(12);
810 if (p == 0)
811 return; // no warning
812 else
813 return; // expected-warning {{Potential leak of memory pointed to by}}
814 }
815
mallocAssignment()816 void mallocAssignment() {
817 char *p = malloc(12);
818 p = fooRetPtr();
819 } // expected-warning {{leak}}
820
vallocTest()821 int vallocTest() {
822 char *mem = valloc(12);
823 return 0; // expected-warning {{Potential leak of memory pointed to by}}
824 }
825
vallocEscapeFreeUse()826 void vallocEscapeFreeUse() {
827 int *p = valloc(12);
828 myfoo(p);
829 free(p);
830 myfoo(p); // expected-warning{{Use of memory after it is freed}}
831 }
832
833 int *Gl;
834 struct GlStTy {
835 int *x;
836 };
837
838 struct GlStTy GlS = {0};
839
GlobalFree()840 void GlobalFree() {
841 free(Gl);
842 }
843
GlobalMalloc()844 void GlobalMalloc() {
845 Gl = malloc(12);
846 }
847
GlobalStructMalloc()848 void GlobalStructMalloc() {
849 int *a = malloc(12);
850 GlS.x = a;
851 }
852
GlobalStructMallocFree()853 void GlobalStructMallocFree() {
854 int *a = malloc(12);
855 GlS.x = a;
856 free(GlS.x);
857 }
858
859 char *ArrayG[12];
860
globalArrayTest()861 void globalArrayTest() {
862 char *p = (char*)malloc(12);
863 ArrayG[0] = p;
864 }
865
866 // Make sure that we properly handle a pointer stored into a local struct/array.
867 typedef struct _StructWithPtr {
868 int *memP;
869 } StructWithPtr;
870
871 static StructWithPtr arrOfStructs[10];
872
testMalloc()873 void testMalloc() {
874 int *x = malloc(12);
875 StructWithPtr St;
876 St.memP = x;
877 arrOfStructs[0] = St; // no-warning
878 }
879
testMalloc2()880 StructWithPtr testMalloc2() {
881 int *x = malloc(12);
882 StructWithPtr St;
883 St.memP = x;
884 return St; // no-warning
885 }
886
testMalloc3()887 int *testMalloc3() {
888 int *x = malloc(12);
889 int *y = x;
890 return y; // no-warning
891 }
892
testStructLeak()893 void testStructLeak() {
894 StructWithPtr St;
895 St.memP = malloc(12);
896 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
897 }
898
testElemRegion1()899 void testElemRegion1() {
900 char *x = (void*)malloc(2);
901 int *ix = (int*)x;
902 free(&(x[0]));
903 }
904
testElemRegion2(int ** pp)905 void testElemRegion2(int **pp) {
906 int *p = malloc(12);
907 *pp = p;
908 free(pp[0]);
909 }
910
testElemRegion3(int ** pp)911 void testElemRegion3(int **pp) {
912 int *p = malloc(12);
913 *pp = p;
914 free(*pp);
915 }
916 // Region escape testing.
917
918 unsigned takePtrToPtr(int **p);
PassTheAddrOfAllocatedData(int f)919 void PassTheAddrOfAllocatedData(int f) {
920 int *p = malloc(12);
921 // We don't know what happens after the call. Should stop tracking here.
922 if (takePtrToPtr(&p))
923 f++;
924 free(p); // no warning
925 }
926
927 struct X {
928 int *p;
929 };
930 unsigned takePtrToStruct(struct X *s);
foo2(int * g,int f)931 int ** foo2(int *g, int f) {
932 int *p = malloc(12);
933 struct X *px= malloc(sizeof(struct X));
934 px->p = p;
935 // We don't know what happens after this call. Should not track px nor p.
936 if (takePtrToStruct(px))
937 f++;
938 free(p);
939 return 0;
940 }
941
RegInvalidationDetect1(struct X * s2)942 struct X* RegInvalidationDetect1(struct X *s2) {
943 struct X *px= malloc(sizeof(struct X));
944 px->p = 0;
945 px = s2;
946 return px; // expected-warning {{Potential leak of memory pointed to by}}
947 }
948
RegInvalidationGiveUp1()949 struct X* RegInvalidationGiveUp1() {
950 int *p = malloc(12);
951 struct X *px= malloc(sizeof(struct X));
952 px->p = p;
953 return px;
954 }
955
RegInvalidationDetect2(int ** pp)956 int **RegInvalidationDetect2(int **pp) {
957 int *p = malloc(12);
958 pp = &p;
959 pp++;
960 return 0;// expected-warning {{Potential leak of memory pointed to by}}
961 }
962
963 extern void exit(int) __attribute__ ((__noreturn__));
mallocExit(int * g)964 void mallocExit(int *g) {
965 struct xx *p = malloc(12);
966 if (g != 0)
967 exit(1);
968 free(p);
969 return;
970 }
971
972 extern void __assert_fail (__const char *__assertion, __const char *__file,
973 unsigned int __line, __const char *__function)
974 __attribute__ ((__noreturn__));
975 #define assert(expr) \
976 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
mallocAssert(int * g)977 void mallocAssert(int *g) {
978 struct xx *p = malloc(12);
979
980 assert(g != 0);
981 free(p);
982 return;
983 }
984
doNotInvalidateWhenPassedToSystemCalls(char * s)985 void doNotInvalidateWhenPassedToSystemCalls(char *s) {
986 char *p = malloc(12);
987 strlen(p);
988 strcpy(p, s);
989 strcpy(s, p);
990 strcpy(p, p);
991 memcpy(p, s, 1);
992 memcpy(s, p, 1);
993 memcpy(p, p, 1);
994 } // expected-warning {{leak}}
995
996 // Treat source buffer contents as escaped.
escapeSourceContents(char * s)997 void escapeSourceContents(char *s) {
998 char *p = malloc(12);
999 memcpy(s, &p, 12); // no warning
1000
1001 void *p1 = malloc(7);
1002 char *a;
1003 memcpy(&a, &p1, sizeof a);
1004 // FIXME: No warning due to limitations imposed by current modelling of
1005 // 'memcpy' (regions metadata is not copied).
1006
1007 int *ptrs[2];
1008 int *allocated = (int *)malloc(4);
1009 memcpy(&ptrs[0], &allocated, sizeof(int *));
1010 // FIXME: No warning due to limitations imposed by current modelling of
1011 // 'memcpy' (regions metadata is not copied).
1012 }
1013
invalidateDestinationContents()1014 void invalidateDestinationContents() {
1015 int *null = 0;
1016 int *p = (int *)malloc(4);
1017 memcpy(&p, &null, sizeof(int *));
1018
1019 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}}
1020 ptrs1[0] = (int *)malloc(4);
1021 memcpy(ptrs1, &null, sizeof(int *));
1022
1023 int *ptrs2[2]; // expected-warning {{Potential memory leak}}
1024 ptrs2[0] = (int *)malloc(4);
1025 memcpy(&ptrs2[1], &null, sizeof(int *));
1026
1027 int *ptrs3[2]; // expected-warning {{Potential memory leak}}
1028 ptrs3[0] = (int *)malloc(4);
1029 memcpy(&ptrs3[0], &null, sizeof(int *));
1030 } // expected-warning {{Potential memory leak}}
1031
1032 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
symbolLostWithStrcpy(char * s)1033 void symbolLostWithStrcpy(char *s) {
1034 char *p = malloc(12);
1035 p = strcpy(p, s);
1036 free(p);
1037 }
1038
1039
1040 // The same test as the one above, but with what is actually generated on a mac.
1041 static __inline char *
__inline_strcpy_chk(char * restrict __dest,const char * restrict __src)1042 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
1043 {
1044 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
1045 }
1046
symbolLostWithStrcpy_InlineStrcpyVersion(char * s)1047 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
1048 char *p = malloc(12);
1049 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
1050 free(p);
1051 }
1052
1053 // Here we are returning a pointer one past the allocated value. An idiom which
1054 // can be used for implementing special malloc. The correct uses of this might
1055 // be rare enough so that we could keep this as a warning.
specialMalloc(int n)1056 static void *specialMalloc(int n){
1057 int *p;
1058 p = malloc( n+8 );
1059 if( p ){
1060 p[0] = n;
1061 p++;
1062 }
1063 return p;
1064 }
1065
1066 // Potentially, the user could free the struct by performing pointer arithmetic on the return value.
1067 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
specialMallocWithStruct()1068 int *specialMallocWithStruct() {
1069 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
1070 return &(px->g);
1071 }
1072
1073 // Test various allocation/deallocation functions.
testStrdup(const char * s,unsigned validIndex)1074 void testStrdup(const char *s, unsigned validIndex) {
1075 char *s2 = strdup(s);
1076 s2[validIndex + 1] = 'b';
1077 } // expected-warning {{Potential leak of memory pointed to by}}
1078
testStrndup(const char * s,unsigned validIndex,unsigned size)1079 int testStrndup(const char *s, unsigned validIndex, unsigned size) {
1080 char *s2 = strndup(s, size);
1081 s2 [validIndex + 1] = 'b';
1082 if (s2[validIndex] != 'a')
1083 return 0;
1084 else
1085 return 1;// expected-warning {{Potential leak of memory pointed to by}}
1086 }
1087
testStrdupContentIsDefined(const char * s,unsigned validIndex)1088 void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
1089 char *s2 = strdup(s);
1090 char result = s2[1];// no warning
1091 free(s2);
1092 }
1093
1094 // ----------------------------------------------------------------------------
1095 // Test the system library functions to which the pointer can escape.
1096 // This tests false positive suppression.
1097
1098 // For now, we assume memory passed to pthread_specific escapes.
1099 // TODO: We could check that if a new pthread binding is set, the existing
1100 // binding must be freed; otherwise, a memory leak can occur.
testPthereadSpecificEscape(pthread_key_t key)1101 void testPthereadSpecificEscape(pthread_key_t key) {
1102 void *buf = malloc(12);
1103 pthread_setspecific(key, buf); // no warning
1104 }
1105
1106 // PR12101: Test funopen().
releasePtr(void * _ctx)1107 static int releasePtr(void *_ctx) {
1108 free(_ctx);
1109 return 0;
1110 }
useFunOpen()1111 FILE *useFunOpen() {
1112 void *ctx = malloc(sizeof(int));
1113 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
1114 if (f == 0) {
1115 free(ctx);
1116 }
1117 return f;
1118 }
useFunOpenNoReleaseFunction()1119 FILE *useFunOpenNoReleaseFunction() {
1120 void *ctx = malloc(sizeof(int));
1121 FILE *f = funopen(ctx, 0, 0, 0, 0);
1122 if (f == 0) {
1123 free(ctx);
1124 }
1125 return f; // expected-warning{{leak}}
1126 }
1127
readNothing(void * _ctx,char * buf,int size)1128 static int readNothing(void *_ctx, char *buf, int size) {
1129 return 0;
1130 }
useFunOpenReadNoRelease()1131 FILE *useFunOpenReadNoRelease() {
1132 void *ctx = malloc(sizeof(int));
1133 FILE *f = funopen(ctx, readNothing, 0, 0, 0);
1134 if (f == 0) {
1135 free(ctx);
1136 }
1137 return f; // expected-warning{{leak}}
1138 }
1139
1140 // Test setbuf, setvbuf.
my_main_no_warning()1141 int my_main_no_warning() {
1142 char *p = malloc(100);
1143 setvbuf(stdout, p, 0, 100);
1144 return 0;
1145 }
my_main_no_warning2()1146 int my_main_no_warning2() {
1147 char *p = malloc(100);
1148 setbuf(__stdoutp, p);
1149 return 0;
1150 }
my_main_warn(FILE * f)1151 int my_main_warn(FILE *f) {
1152 char *p = malloc(100);
1153 setvbuf(f, p, 0, 100);
1154 return 0;// expected-warning {{leak}}
1155 }
1156
1157 // <rdar://problem/10978247>.
1158 // some people use stack allocated memory as an optimization to avoid
1159 // a heap allocation for small work sizes. This tests the analyzer's
1160 // understanding that the malloc'ed memory is not the same as stackBuffer.
radar10978247(int myValueSize)1161 void radar10978247(int myValueSize) {
1162 char stackBuffer[128];
1163 char *buffer;
1164
1165 if (myValueSize <= sizeof(stackBuffer))
1166 buffer = stackBuffer;
1167 else
1168 buffer = malloc(myValueSize);
1169
1170 // do stuff with the buffer
1171 if (buffer != stackBuffer)
1172 free(buffer);
1173 }
1174
radar10978247_positive(int myValueSize)1175 void radar10978247_positive(int myValueSize) {
1176 char stackBuffer[128];
1177 char *buffer;
1178
1179 if (myValueSize <= sizeof(stackBuffer))
1180 buffer = stackBuffer;
1181 else
1182 buffer = malloc(myValueSize);
1183
1184 // do stuff with the buffer
1185 if (buffer == stackBuffer)
1186 return;
1187 else
1188 return; // expected-warning {{leak}}
1189 }�
1190 // <rdar://problem/11269741> Previously this triggered a false positive
1191 // because malloc() is known to return uninitialized memory and the binding
1192 // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
1193 struct rdar11269741_a_t {
1194 struct rdar11269741_b_t {
1195 int m;
1196 } n;
1197 };
1198
rdar11269741(struct rdar11269741_b_t o)1199 int rdar11269741(struct rdar11269741_b_t o)
1200 {
1201 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
1202 p->n = o;
1203 return p->n.m; // expected-warning {{leak}}
1204 }
1205
1206 // Pointer arithmetic, returning an ElementRegion.
radar11329382(unsigned bl)1207 void *radar11329382(unsigned bl) {
1208 void *ptr = malloc (16);
1209 ptr = ptr + (2 - bl);
1210 return ptr; // no warning
1211 }
1212
1213 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
1214 int strcmp(const char *, const char *);
1215 char *a (void);
radar11270219(void)1216 void radar11270219(void) {
1217 char *x = a(), *y = a();
1218 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
1219 strcmp(x, y); // no warning
1220 }
1221
radar_11358224_test_double_assign_ints_positive_2()1222 void radar_11358224_test_double_assign_ints_positive_2()
1223 {
1224 void *ptr = malloc(16);
1225 ptr = ptr;
1226 } // expected-warning {{leak}}
1227
1228 // Assume that functions which take a function pointer can free memory even if
1229 // they are defined in system headers and take the const pointer to the
1230 // allocated memory. (radar://11160612)
1231 int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
r11160612_1()1232 void r11160612_1() {
1233 char *x = malloc(12);
1234 const_ptr_and_callback(0, x, 12, free); // no - warning
1235 }
1236
1237 // Null is passed as callback.
r11160612_2()1238 void r11160612_2() {
1239 char *x = malloc(12);
1240 const_ptr_and_callback(0, x, 12, 0);
1241 } // expected-warning {{leak}}
1242
1243 // Callback is passed to a function defined in a system header.
r11160612_4()1244 void r11160612_4() {
1245 char *x = malloc(12);
1246 sqlite3_bind_text_my(0, x, 12, free); // no - warning
1247 }
1248
1249 // Passing callbacks in a struct.
r11160612_5(StWithCallback St)1250 void r11160612_5(StWithCallback St) {
1251 void *x = malloc(12);
1252 dealocateMemWhenDoneByVal(x, St);
1253 }
r11160612_6(StWithCallback St)1254 void r11160612_6(StWithCallback St) {
1255 void *x = malloc(12);
1256 dealocateMemWhenDoneByRef(&St, x);
1257 }
1258
1259 int mySub(int, int);
1260 int myAdd(int, int);
fPtr(unsigned cond,int x)1261 int fPtr(unsigned cond, int x) {
1262 return (cond ? mySub : myAdd)(x, x);
1263 }
1264
1265 // Test anti-aliasing.
1266
dependsOnValueOfPtr(int * g,unsigned f)1267 void dependsOnValueOfPtr(int *g, unsigned f) {
1268 int *p;
1269
1270 if (f) {
1271 p = g;
1272 } else {
1273 p = malloc(12);
1274 }
1275
1276 if (p != g)
1277 free(p);
1278 else
1279 return; // no warning
1280 return;
1281 }
1282
CMPRegionHeapToStack()1283 int CMPRegionHeapToStack() {
1284 int x = 0;
1285 int *x1 = malloc(8);
1286 int *x2 = &x;
1287 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
1288 free(x1);
1289 return x;
1290 }
1291
CMPRegionHeapToHeap2()1292 int CMPRegionHeapToHeap2() {
1293 int x = 0;
1294 int *x1 = malloc(8);
1295 int *x2 = malloc(8);
1296 int *x4 = x1;
1297 int *x5 = x2;
1298 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
1299 free(x1);
1300 free(x2);
1301 return x;
1302 }
1303
CMPRegionHeapToHeap()1304 int CMPRegionHeapToHeap() {
1305 int x = 0;
1306 int *x1 = malloc(8);
1307 int *x4 = x1;
1308 if (x1 == x4) {
1309 free(x1);
1310 return 5/x; // expected-warning{{Division by zero}}
1311 }
1312 return x;// expected-warning{{This statement is never executed}}
1313 }
1314
HeapAssignment()1315 int HeapAssignment() {
1316 int m = 0;
1317 int *x = malloc(4);
1318 int *y = x;
1319 *x = 5;
1320 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
1321 free(x);
1322 return 0;
1323 }
1324
1325 int *retPtr();
1326 int *retPtrMightAlias(int *x);
cmpHeapAllocationToUnknown()1327 int cmpHeapAllocationToUnknown() {
1328 int zero = 0;
1329 int *yBefore = retPtr();
1330 int *m = malloc(8);
1331 int *yAfter = retPtrMightAlias(m);
1332 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
1333 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
1334 free(m);
1335 return 0;
1336 }
1337
localArrayTest()1338 void localArrayTest() {
1339 char *p = (char*)malloc(12);
1340 char *ArrayL[12];
1341 ArrayL[0] = p;
1342 } // expected-warning {{leak}}
1343
localStructTest()1344 void localStructTest() {
1345 StructWithPtr St;
1346 StructWithPtr *pSt = &St;
1347 pSt->memP = malloc(12);
1348 } // expected-warning{{Potential leak of memory pointed to by}}
1349
1350 #ifdef __INTPTR_TYPE__
1351 // Test double assignment through integers.
1352 typedef __INTPTR_TYPE__ intptr_t;
1353 typedef unsigned __INTPTR_TYPE__ uintptr_t;
1354
1355 static intptr_t glob;
test_double_assign_ints()1356 void test_double_assign_ints()
1357 {
1358 void *ptr = malloc (16); // no-warning
1359 glob = (intptr_t)(uintptr_t)ptr;
1360 }
1361
test_double_assign_ints_positive()1362 void test_double_assign_ints_positive()
1363 {
1364 void *ptr = malloc(16);
1365 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
1366 } // expected-warning {{leak}}
1367 #endif
1368
testCGContextNoLeak()1369 void testCGContextNoLeak()
1370 {
1371 void *ptr = malloc(16);
1372 CGContextRef context = CGBitmapContextCreate(ptr);
1373
1374 // Because you can get the data back out like this, even much later,
1375 // CGBitmapContextCreate is one of our "stop-tracking" exceptions.
1376 free(CGBitmapContextGetData(context));
1377 }
1378
testCGContextLeak()1379 void testCGContextLeak()
1380 {
1381 void *ptr = malloc(16);
1382 CGContextRef context = CGBitmapContextCreate(ptr);
1383 // However, this time we're just leaking the data, because the context
1384 // object doesn't escape and it hasn't been freed in this function.
1385 }
1386
1387 // Allow xpc context to escape. radar://11635258
1388 // TODO: Would be great if we checked that the finalize_connection_context actually releases it.
finalize_connection_context(void * ctx)1389 static void finalize_connection_context(void *ctx) {
1390 int *context = ctx;
1391 free(context);
1392 }
foo(xpc_connection_t peer)1393 void foo (xpc_connection_t peer) {
1394 int *ctx = calloc(1, sizeof(int));
1395 xpc_connection_set_context(peer, ctx);
1396 xpc_connection_set_finalizer_f(peer, finalize_connection_context);
1397 xpc_connection_resume(peer);
1398 }
1399
1400 // Make sure we catch errors when we free in a function which does not allocate memory.
freeButNoMalloc(int * p,int x)1401 void freeButNoMalloc(int *p, int x){
1402 if (x) {
1403 free(p);
1404 //user forgot a return here.
1405 }
1406 free(p); // expected-warning {{Attempt to free released memory}}
1407 }
1408
1409 struct HasPtr {
1410 char *p;
1411 };
1412
reallocButNoMalloc(struct HasPtr * a,int c,int size)1413 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1414 int *s;
1415 char *b = realloc(a->p, size);
1416 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1417 // We don't expect a use-after-free for a->P here because the warning above
1418 // is a sink.
1419 return a->p; // no-warning
1420 }
1421
1422 // We should not warn in this case since the caller will presumably free a->p in all cases.
reallocButNoMallocPR13674(struct HasPtr * a,int c,int size)1423 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1424 int *s;
1425 char *b = realloc(a->p, size);
1426 if (b == 0)
1427 return -1;
1428 a->p = b;
1429 return 0;
1430 }
1431
1432 // Test realloc with no visible malloc.
test(void * ptr)1433 void *test(void *ptr) {
1434 void *newPtr = realloc(ptr, 4);
1435 if (newPtr == 0) {
1436 if (ptr)
1437 free(ptr); // no-warning
1438 }
1439 return newPtr;
1440 }
1441
1442
testLeakWithinReturn(char * str)1443 char *testLeakWithinReturn(char *str) {
1444 return strdup(strdup(str)); // expected-warning{{leak}}
1445 }
1446
1447 void passConstPtr(const char * ptr);
1448
testPassConstPointer()1449 void testPassConstPointer() {
1450 char * string = malloc(sizeof(char)*10);
1451 passConstPtr(string);
1452 return; // expected-warning {{leak}}
1453 }
1454
testPassConstPointerIndirectly()1455 void testPassConstPointerIndirectly() {
1456 char *p = malloc(1);
1457 p++;
1458 memcmp(p, p, sizeof(&p));
1459 return; // expected-warning {{leak}}
1460 }
1461
testPassConstPointerIndirectlyStruct()1462 void testPassConstPointerIndirectlyStruct() {
1463 struct HasPtr hp;
1464 hp.p = malloc(10);
1465 memcmp(&hp, &hp, sizeof(hp));
1466 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
1467 }
1468
testPassToSystemHeaderFunctionIndirectlyStruct()1469 void testPassToSystemHeaderFunctionIndirectlyStruct() {
1470 SomeStruct ss;
1471 ss.p = malloc(1);
1472 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1473 // Technically a false negative here -- we know the system function won't free
1474 // ss.p, but nothing else will either!
1475 } // no-warning
1476
testPassToSystemHeaderFunctionIndirectlyStructFree()1477 void testPassToSystemHeaderFunctionIndirectlyStructFree() {
1478 SomeStruct ss;
1479 ss.p = malloc(1);
1480 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1481 free(ss.p);
1482 } // no-warning
1483
testPassToSystemHeaderFunctionIndirectlyArray()1484 void testPassToSystemHeaderFunctionIndirectlyArray() {
1485 int *p[1];
1486 p[0] = malloc(sizeof(int));
1487 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1488 // Technically a false negative here -- we know the system function won't free
1489 // p[0], but nothing else will either!
1490 } // no-warning
1491
testPassToSystemHeaderFunctionIndirectlyArrayFree()1492 void testPassToSystemHeaderFunctionIndirectlyArrayFree() {
1493 int *p[1];
1494 p[0] = malloc(sizeof(int));
1495 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1496 free(p[0]);
1497 } // no-warning
1498
testOffsetAllocate(size_t size)1499 int *testOffsetAllocate(size_t size) {
1500 int *memoryBlock = (int *)malloc(size + sizeof(int));
1501 return &memoryBlock[1]; // no-warning
1502 }
1503
testOffsetDeallocate(int * memoryBlock)1504 void testOffsetDeallocate(int *memoryBlock) {
1505 free(&memoryBlock[-1]); // no-warning
1506 }
1507
testOffsetOfRegionFreed()1508 void testOffsetOfRegionFreed() {
1509 __int64_t * array = malloc(sizeof(__int64_t)*2);
1510 array += 1;
1511 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1512 }
1513
testOffsetOfRegionFreed2()1514 void testOffsetOfRegionFreed2() {
1515 __int64_t *p = malloc(sizeof(__int64_t)*2);
1516 p += 1;
1517 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1518 }
1519
testOffsetOfRegionFreed3()1520 void testOffsetOfRegionFreed3() {
1521 char *r = malloc(sizeof(char));
1522 r = r - 10;
1523 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
1524 }
1525
testOffsetOfRegionFreedAfterFunctionCall()1526 void testOffsetOfRegionFreedAfterFunctionCall() {
1527 int *p = malloc(sizeof(int)*2);
1528 p += 1;
1529 myfoo(p);
1530 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
1531 }
1532
testFixManipulatedPointerBeforeFree()1533 void testFixManipulatedPointerBeforeFree() {
1534 int * array = malloc(sizeof(int)*2);
1535 array += 1;
1536 free(&array[-1]); // no-warning
1537 }
1538
testFixManipulatedPointerBeforeFree2()1539 void testFixManipulatedPointerBeforeFree2() {
1540 char *r = malloc(sizeof(char));
1541 r = r + 10;
1542 free(r-10); // no-warning
1543 }
1544
freeOffsetPointerPassedToFunction()1545 void freeOffsetPointerPassedToFunction() {
1546 __int64_t *p = malloc(sizeof(__int64_t)*2);
1547 p[1] = 0;
1548 p += 1;
1549 myfooint(*p); // not passing the pointer, only a value pointed by pointer
1550 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1551 }
1552
1553 int arbitraryInt();
freeUnknownOffsetPointer()1554 void freeUnknownOffsetPointer() {
1555 char *r = malloc(sizeof(char));
1556 r = r + arbitraryInt(); // unable to reason about what the offset might be
1557 free(r); // no-warning
1558 }
1559
testFreeNonMallocPointerWithNoOffset()1560 void testFreeNonMallocPointerWithNoOffset() {
1561 char c;
1562 char *r = &c;
1563 r = r + 10;
1564 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1565 }
1566
testFreeNonMallocPointerWithOffset()1567 void testFreeNonMallocPointerWithOffset() {
1568 char c;
1569 char *r = &c;
1570 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1571 }
1572
testOffsetZeroDoubleFree()1573 void testOffsetZeroDoubleFree() {
1574 int *array = malloc(sizeof(int)*2);
1575 int *p = &array[0];
1576 free(p);
1577 free(&array[0]); // expected-warning{{Attempt to free released memory}}
1578 }
1579
testOffsetPassedToStrlen()1580 void testOffsetPassedToStrlen() {
1581 char * string = malloc(sizeof(char)*10);
1582 string += 1;
1583 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
1584 }
1585
testOffsetPassedToStrlenThenFree()1586 void testOffsetPassedToStrlenThenFree() {
1587 char * string = malloc(sizeof(char)*10);
1588 string += 1;
1589 int length = strlen(string);
1590 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1591 }
1592
testOffsetPassedAsConst()1593 void testOffsetPassedAsConst() {
1594 char * string = malloc(sizeof(char)*10);
1595 string += 1;
1596 passConstPtr(string);
1597 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1598 }
1599
1600 char **_vectorSegments;
1601 int _nVectorSegments;
1602
poolFreeC(void * s)1603 void poolFreeC(void* s) {
1604 free(s); // no-warning
1605 }
freeMemory()1606 void freeMemory() {
1607 while (_nVectorSegments) {
1608 poolFreeC(_vectorSegments[_nVectorSegments++]);
1609 }
1610 }
1611
1612 // PR16730
testReallocEscaped(void ** memory)1613 void testReallocEscaped(void **memory) {
1614 *memory = malloc(47);
1615 char *new_memory = realloc(*memory, 47);
1616 if (new_memory != 0) {
1617 *memory = new_memory;
1618 }
1619 }
1620
1621 // PR16558
smallocNoWarn(size_t size)1622 void *smallocNoWarn(size_t size) {
1623 if (size == 0) {
1624 return malloc(1); // this branch is never called
1625 }
1626 else {
1627 return malloc(size);
1628 }
1629 }
1630
dupstrNoWarn(const char * s)1631 char *dupstrNoWarn(const char *s) {
1632 const int len = strlen(s);
1633 char *p = (char*) smallocNoWarn(len + 1);
1634 strcpy(p, s); // no-warning
1635 return p;
1636 }
1637
smallocWarn(size_t size)1638 void *smallocWarn(size_t size) {
1639 if (size == 2) {
1640 return malloc(1);
1641 }
1642 else {
1643 return malloc(size);
1644 }
1645 }
1646
dupstrWarn(const char * s)1647 char *dupstrWarn(const char *s) {
1648 const int len = strlen(s);
1649 char *p = (char*) smallocWarn(len + 1);
1650 strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}}
1651 return p;
1652 }
1653
radar15580979()1654 int *radar15580979() {
1655 int *data = (int *)malloc(32);
1656 int *p = data ?: (int*)malloc(32); // no warning
1657 return p;
1658 }
1659
1660 // Some data structures may hold onto the pointer and free it later.
testEscapeThroughSystemCallTakingVoidPointer1(void * queue)1661 void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
1662 int *data = (int *)malloc(32);
1663 fake_insque(queue, data); // no warning
1664 }
1665
testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t * rbt)1666 void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) {
1667 int *data = (int *)malloc(32);
1668 fake_rb_tree_init(rbt, data);
1669 } //expected-warning{{Potential leak}}
1670
testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t * rbt)1671 void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
1672 int *data = (int *)malloc(32);
1673 fake_rb_tree_init(rbt, data);
1674 fake_rb_tree_insert_node(rbt, data); // no warning
1675 }
1676
1677 // ----------------------------------------------------------------------------
1678 // False negatives.
1679
testMallocWithParam(int ** p)1680 void testMallocWithParam(int **p) {
1681 *p = (int*) malloc(sizeof(int));
1682 *p = 0; // FIXME: should warn here
1683 }
1684
testMallocWithParam_2(int ** p)1685 void testMallocWithParam_2(int **p) {
1686 *p = (int*) malloc(sizeof(int)); // no-warning
1687 }
1688
testPassToSystemHeaderFunctionIndirectly()1689 void testPassToSystemHeaderFunctionIndirectly() {
1690 int *p = malloc(4);
1691 p++;
1692 fakeSystemHeaderCallInt(p);
1693 // FIXME: This is a leak: if we think a system function won't free p, it
1694 // won't free (p-1) either.
1695 }
1696