// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
#include "Inputs/system-header-simulator.h"
void clang_analyzer_eval(int);
// Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code".
//
// See the docs for more:
// https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
#if !defined(_WCHAR_T_DEFINED)
// "Microsoft implements wchar_t as a two-byte unsigned value"
typedef unsigned short wchar_t;
#define _WCHAR_T_DEFINED
#endif // !defined(_WCHAR_T_DEFINED)
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void *alloca(size_t);
void *valloc(size_t);
void free(void *);
void *realloc(void *ptr, size_t size);
void *reallocf(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size);
char *strdup(const char *s);
wchar_t *wcsdup(const wchar_t *s);
char *strndup(const char *s, size_t n);
int memcmp(const void *s1, const void *s2, size_t n);
// Windows variants
char *_strdup(const char *strSource);
wchar_t *_wcsdup(const wchar_t *strSource);
void *_alloca(size_t size);
void myfoo(int *p);
void myfooint(int p);
char *fooRetPtr();
void f1() {
int *p = malloc(12);
return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
}
void f2() {
int *p = malloc(12);
free(p);
free(p); // expected-warning{{Attempt to free released memory}}
}
void f2_realloc_0() {
int *p = malloc(12);
realloc(p,0);
realloc(p,0); // expected-warning{{Attempt to free released memory}}
}
void f2_realloc_1() {
int *p = malloc(12);
int *q = realloc(p,0); // no-warning
}
void reallocNotNullPtr(unsigned sizeIn) {
unsigned size = 12;
char *p = (char*)malloc(size);
if (p) {
char *q = (char*)realloc(p, sizeIn);
char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
}
}
void allocaTest() {
int *p = alloca(sizeof(int));
} // no warn
void winAllocaTest() {
int *p = _alloca(sizeof(int));
} // no warn
void allocaBuiltinTest() {
int *p = __builtin_alloca(sizeof(int));
} // no warn
int *realloctest1() {
int *q = malloc(12);
q = realloc(q, 20);
return q; // no warning - returning the allocated value
}
// p should be freed if realloc fails.
void reallocFails() {
char *p = malloc(12);
char *r = realloc(p, 12+1);
if (!r) {
free(p);
} else {
free(r);
}
}
void reallocSizeZero1() {
char *p = malloc(12);
char *r = realloc(p, 0);
if (!r) {
free(p); // expected-warning {{Attempt to free released memory}}
} else {
free(r);
}
}
void reallocSizeZero2() {
char *p = malloc(12);
char *r = realloc(p, 0);
if (!r) {
free(p); // expected-warning {{Attempt to free released memory}}
} else {
free(r);
}
free(p); // expected-warning {{Attempt to free released memory}}
}
void reallocSizeZero3() {
char *p = malloc(12);
char *r = realloc(p, 0);
free(r);
}
void reallocSizeZero4() {
char *r = realloc(0, 0);
free(r);
}
void reallocSizeZero5() {
char *r = realloc(0, 0);
}
void reallocPtrZero1() {
char *r = realloc(0, 12);
} // expected-warning {{Potential leak of memory pointed to by 'r'}}
void reallocPtrZero2() {
char *r = realloc(0, 12);
if (r)
free(r);
}
void reallocPtrZero3() {
char *r = realloc(0, 12);
free(r);
}
void reallocRadar6337483_1() {
char *buf = malloc(100);
buf = (char*)realloc(buf, 0x1000000);
if (!buf) {
return;// expected-warning {{Potential leak of memory pointed to by}}
}
free(buf);
}
void reallocRadar6337483_2() {
char *buf = malloc(100);
char *buf2 = (char*)realloc(buf, 0x1000000);
if (!buf2) {
;
} else {
free(buf2);
}
} // expected-warning {{Potential leak of memory pointed to by}}
void reallocRadar6337483_3() {
char * buf = malloc(100);
char * tmp;
tmp = (char*)realloc(buf, 0x1000000);
if (!tmp) {
free(buf);
return;
}
buf = tmp;
free(buf);
}
void reallocRadar6337483_4() {
char *buf = malloc(100);
char *buf2 = (char*)realloc(buf, 0x1000000);
if (!buf2) {
return; // expected-warning {{Potential leak of memory pointed to by}}
} else {
free(buf2);
}
}
int *reallocfTest1() {
int *q = malloc(12);
q = reallocf(q, 20);
return q; // no warning - returning the allocated value
}
void reallocfRadar6337483_4() {
char *buf = malloc(100);
char *buf2 = (char*)reallocf(buf, 0x1000000);
if (!buf2) {
return; // no warning - reallocf frees even on failure
} else {
free(buf2);
}
}
void reallocfRadar6337483_3() {
char * buf = malloc(100);
char * tmp;
tmp = (char*)reallocf(buf, 0x1000000);
if (!tmp) {
free(buf); // expected-warning {{Attempt to free released memory}}
return;
}
buf = tmp;
free(buf);
}
void reallocfPtrZero1() {
char *r = reallocf(0, 12);
} // expected-warning {{Potential leak of memory pointed to by}}
//------------------- Check usage of zero-allocated memory ---------------------
void CheckUseZeroAllocatedNoWarn1() {
int *p = malloc(0);
free(p); // no warning
}
void CheckUseZeroAllocatedNoWarn2() {
int *p = alloca(0); // no warning
}
void CheckUseZeroWinAllocatedNoWarn2() {
int *p = _alloca(0); // no warning
}
void CheckUseZeroAllocatedNoWarn3() {
int *p = malloc(0);
int *q = realloc(p, 8); // no warning
free(q);
}
void CheckUseZeroAllocatedNoWarn4() {
int *p = realloc(0, 8);
*p = 1; // no warning
free(p);
}
void CheckUseZeroAllocated1() {
int *p = malloc(0);
*p = 1; // expected-warning {{Use of zero-allocated memory}}
free(p);
}
char CheckUseZeroAllocated2() {
char *p = alloca(0);
return *p; // expected-warning {{Use of zero-allocated memory}}
}
char CheckUseZeroWinAllocated2() {
char *p = _alloca(0);
return *p; // expected-warning {{Use of zero-allocated memory}}
}
void UseZeroAllocated(int *p) {
if (p)
*p = 7; // expected-warning {{Use of zero-allocated memory}}
}
void CheckUseZeroAllocated3() {
int *p = malloc(0);
UseZeroAllocated(p);
}
void f(char);
void CheckUseZeroAllocated4() {
char *p = valloc(0);
f(*p); // expected-warning {{Use of zero-allocated memory}}
free(p);
}
void CheckUseZeroAllocated5() {
int *p = calloc(0, 2);
*p = 1; // expected-warning {{Use of zero-allocated memory}}
free(p);
}
void CheckUseZeroAllocated6() {
int *p = calloc(2, 0);
*p = 1; // expected-warning {{Use of zero-allocated memory}}
free(p);
}
void CheckUseZeroAllocated7() {
int *p = realloc(0, 0);
*p = 1; // expected-warning {{Use of zero-allocated memory}}
free(p);
}
void CheckUseZeroAllocated8() {
int *p = malloc(8);
int *q = realloc(p, 0);
*q = 1; // expected-warning {{Use of zero-allocated memory}}
free(q);
}
void CheckUseZeroAllocated9() {
int *p = realloc(0, 0);
int *q = realloc(p, 0);
*q = 1; // expected-warning {{Use of zero-allocated memory}}
free(q);
}
void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
int s = 0;
if (b)
s= 10;
char *p = malloc(s);
if (b)
*p = 1; // no warning
free(p);
}
void CheckUseZeroAllocatedPathWarn(_Bool b) {
int s = 10;
if (b)
s= 0;
char *p = malloc(s);
if (b)
*p = 1; // expected-warning {{Use of zero-allocated memory}}
free(p);
}
void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
int s = 0;
if (b)
s= 10;
char *p = malloc(8);
char *q = realloc(p, s);
if (b)
*q = 1; // no warning
free(q);
}
void CheckUseZeroReallocatedPathWarn(_Bool b) {
int s = 10;
if (b)
s= 0;
char *p = malloc(8);
char *q = realloc(p, s);
if (b)
*q = 1; // expected-warning {{Use of zero-allocated memory}}
free(q);
}
// This case tests that storing malloc'ed memory to a static variable which is
// then returned is not leaked. In the absence of known contracts for functions
// or inter-procedural analysis, this is a conservative answer.
int *f3() {
static int *p = 0;
p = malloc(12);
return p; // no-warning
}
// This case tests that storing malloc'ed memory to a static global variable
// which is then returned is not leaked. In the absence of known contracts for
// functions or inter-procedural analysis, this is a conservative answer.
static int *p_f4 = 0;
int *f4() {
p_f4 = malloc(12);
return p_f4; // no-warning
}
int *f5() {
int *q = malloc(12);
q = realloc(q, 20);
return q; // no-warning
}
void f6() {
int *p = malloc(12);
if (!p)
return; // no-warning
else
free(p);
}
void f6_realloc() {
int *p = malloc(12);
if (!p)
return; // no-warning
else
realloc(p,0);
}
char *doit2();
void pr6069() {
char *buf = doit2();
free(buf);
}
void pr6293() {
free(0);
}
void f7() {
char *x = (char*) malloc(4);
free(x);
x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
}
void f8() {
char *x = (char*) malloc(4);
free(x);
char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
}
void f7_realloc() {
char *x = (char*) malloc(4);
realloc(x,0);
x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
}
void PR6123() {
int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
}
void PR7217() {
int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
buf[1] = 'c'; // not crash
}
void cast_emtpy_struct() {
struct st {
};
struct st *s = malloc(sizeof(struct st)); // no-warning
free(s);
}
void cast_struct_1() {
struct st {
int i[100];
char j[];
};
struct st *s = malloc(sizeof(struct st)); // no-warning
free(s);
}
void cast_struct_2() {
struct st {
int i[100];
char j[0];
};
struct st *s = malloc(sizeof(struct st)); // no-warning
free(s);
}
void cast_struct_3() {
struct st {
int i[100];
char j[1];
};
struct st *s = malloc(sizeof(struct st)); // no-warning
free(s);
}
void cast_struct_4() {
struct st {
int i[100];
char j[2];
};
struct st *s = malloc(sizeof(struct st)); // no-warning
free(s);
}
void cast_struct_5() {
struct st {
char i[200];
char j[1];
};
struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning
free(s);
}
void cast_struct_warn_1() {
struct st {
int i[100];
char j[2];
};
struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free(s);
}
void cast_struct_warn_2() {
struct st {
int i[100];
char j[2];
};
struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free(s);
}
void cast_struct_flex_array_1() {
struct st {
int i[100];
char j[];
};
struct st *s = malloc(sizeof(struct st) + 3); // no-warning
free(s);
}
void cast_struct_flex_array_2() {
struct st {
int i[100];
char j[0];
};
struct st *s = malloc(sizeof(struct st) + 3); // no-warning
free(s);
}
void cast_struct_flex_array_3() {
struct st {
int i[100];
char j[1];
};
struct st *s = malloc(sizeof(struct st) + 3); // no-warning
free(s);
}
void cast_struct_flex_array_4() {
struct foo {
char f[32];
};
struct st {
char i[100];
struct foo data[];
};
struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
free(s);
}
void cast_struct_flex_array_5() {
struct foo {
char f[32];
};
struct st {
char i[100];
struct foo data[0];
};
struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
free(s);
}
void cast_struct_flex_array_6() {
struct foo {
char f[32];
};
struct st {
char i[100];
struct foo data[1];
};
struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
free(s);
}
void cast_struct_flex_array_warn_1() {
struct foo {
char f[32];
};
struct st {
char i[100];
struct foo data[];
};
struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free(s);
}
void cast_struct_flex_array_warn_2() {
struct foo {
char f[32];
};
struct st {
char i[100];
struct foo data[0];
};
struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free(s);
}
void cast_struct_flex_array_warn_3() {
struct foo {
char f[32];
};
struct st {
char i[100];
struct foo data[1];
};
struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free(s);
}
void cast_struct_flex_array_warn_4() {
struct st {
int i[100];
int j[];
};
struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free(s);
}
void cast_struct_flex_array_warn_5() {
struct st {
int i[100];
int j[0];
};
struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free(s);
}
void cast_struct_flex_array_warn_6() {
struct st {
int i[100];
int j[1];
};
struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free(s);
}
void mallocCastToVoid() {
void *p = malloc(2);
const void *cp = p; // not crash
free(p);
}
void mallocCastToFP() {
void *p = malloc(2);
void (*fp)() = p; // not crash
free(p);
}
// This tests that malloc() buffers are undefined by default
char mallocGarbage () {
char *buf = malloc(2);
char result = buf[1]; // expected-warning{{undefined}}
free(buf);
return result;
}
// This tests that calloc() buffers need to be freed
void callocNoFree () {
char *buf = calloc(2,2);
return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
}
// These test that calloc() buffers are zeroed by default
char callocZeroesGood () {
char *buf = calloc(2,2);
char result = buf[3]; // no-warning
if (buf[1] == 0) {
free(buf);
}
return result; // no-warning
}
char callocZeroesBad () {
char *buf = calloc(2,2);
char result = buf[3]; // no-warning
if (buf[1] != 0) {
free(buf); // expected-warning{{never executed}}
}
return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
}
void nullFree() {
int *p = 0;
free(p); // no warning - a nop
}
void paramFree(int *p) {
myfoo(p);
free(p); // no warning
myfoo(p); // expected-warning {{Use of memory after it is freed}}
}
int* mallocEscapeRet() {
int *p = malloc(12);
return p; // no warning
}
void mallocEscapeFoo() {
int *p = malloc(12);
myfoo(p);
return; // no warning
}
void mallocEscapeFree() {
int *p = malloc(12);
myfoo(p);
free(p);
}
void mallocEscapeFreeFree() {
int *p = malloc(12);
myfoo(p);
free(p);
free(p); // expected-warning{{Attempt to free released memory}}
}
void mallocEscapeFreeUse() {
int *p = malloc(12);
myfoo(p);
free(p);
myfoo(p); // expected-warning{{Use of memory after it is freed}}
}
int *myalloc();
void myalloc2(int **p);
void mallocEscapeFreeCustomAlloc() {
int *p = malloc(12);
myfoo(p);
free(p);
p = myalloc();
free(p); // no warning
}
void mallocEscapeFreeCustomAlloc2() {
int *p = malloc(12);
myfoo(p);
free(p);
myalloc2(&p);
free(p); // no warning
}
void mallocBindFreeUse() {
int *x = malloc(12);
int *y = x;
free(y);
myfoo(x); // expected-warning{{Use of memory after it is freed}}
}
void mallocEscapeMalloc() {
int *p = malloc(12);
myfoo(p);
p = malloc(12);
} // expected-warning{{Potential leak of memory pointed to by}}
void mallocMalloc() {
int *p = malloc(12);
p = malloc(12);
} // expected-warning {{Potential leak of memory pointed to by}}
void mallocFreeMalloc() {
int *p = malloc(12);
free(p);
p = malloc(12);
free(p);
}
void mallocFreeUse_params() {
int *p = malloc(12);
free(p);
myfoo(p); //expected-warning{{Use of memory after it is freed}}
}
void mallocFreeUse_params2() {
int *p = malloc(12);
free(p);
myfooint(*p); //expected-warning{{Use of memory after it is freed}}
}
void mallocFailedOrNot() {
int *p = malloc(12);
if (!p)
free(p);
else
free(p);
}
struct StructWithInt {
int g;
};
int *mallocReturnFreed() {
int *p = malloc(12);
free(p);
return p; // expected-warning {{Use of memory after it is freed}}
}
int useAfterFreeStruct() {
struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
px->g = 5;
free(px);
return px->g; // expected-warning {{Use of memory after it is freed}}
}
void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
void mallocEscapeFooNonSymbolArg() {
struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
nonSymbolAsFirstArg(&p->g, p);
return; // no warning
}
void mallocFailedOrNotLeak() {
int *p = malloc(12);
if (p == 0)
return; // no warning
else
return; // expected-warning {{Potential leak of memory pointed to by}}
}
void mallocAssignment() {
char *p = malloc(12);
p = fooRetPtr();
} // expected-warning {{leak}}
int vallocTest() {
char *mem = valloc(12);
return 0; // expected-warning {{Potential leak of memory pointed to by}}
}
void vallocEscapeFreeUse() {
int *p = valloc(12);
myfoo(p);
free(p);
myfoo(p); // expected-warning{{Use of memory after it is freed}}
}
int *Gl;
struct GlStTy {
int *x;
};
struct GlStTy GlS = {0};
void GlobalFree() {
free(Gl);
}
void GlobalMalloc() {
Gl = malloc(12);
}
void GlobalStructMalloc() {
int *a = malloc(12);
GlS.x = a;
}
void GlobalStructMallocFree() {
int *a = malloc(12);
GlS.x = a;
free(GlS.x);
}
char *ArrayG[12];
void globalArrayTest() {
char *p = (char*)malloc(12);
ArrayG[0] = p;
}
// Make sure that we properly handle a pointer stored into a local struct/array.
typedef struct _StructWithPtr {
int *memP;
} StructWithPtr;
static StructWithPtr arrOfStructs[10];
void testMalloc() {
int *x = malloc(12);
StructWithPtr St;
St.memP = x;
arrOfStructs[0] = St; // no-warning
}
StructWithPtr testMalloc2() {
int *x = malloc(12);
StructWithPtr St;
St.memP = x;
return St; // no-warning
}
int *testMalloc3() {
int *x = malloc(12);
int *y = x;
return y; // no-warning
}
void testStructLeak() {
StructWithPtr St;
St.memP = malloc(12);
return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
}
void testElemRegion1() {
char *x = (void*)malloc(2);
int *ix = (int*)x;
free(&(x[0]));
}
void testElemRegion2(int **pp) {
int *p = malloc(12);
*pp = p;
free(pp[0]);
}
void testElemRegion3(int **pp) {
int *p = malloc(12);
*pp = p;
free(*pp);
}
// Region escape testing.
unsigned takePtrToPtr(int **p);
void PassTheAddrOfAllocatedData(int f) {
int *p = malloc(12);
// We don't know what happens after the call. Should stop tracking here.
if (takePtrToPtr(&p))
f++;
free(p); // no warning
}
struct X {
int *p;
};
unsigned takePtrToStruct(struct X *s);
int ** foo2(int *g, int f) {
int *p = malloc(12);
struct X *px= malloc(sizeof(struct X));
px->p = p;
// We don't know what happens after this call. Should not track px nor p.
if (takePtrToStruct(px))
f++;
free(p);
return 0;
}
struct X* RegInvalidationDetect1(struct X *s2) {
struct X *px= malloc(sizeof(struct X));
px->p = 0;
px = s2;
return px; // expected-warning {{Potential leak of memory pointed to by}}
}
struct X* RegInvalidationGiveUp1() {
int *p = malloc(12);
struct X *px= malloc(sizeof(struct X));
px->p = p;
return px;
}
int **RegInvalidationDetect2(int **pp) {
int *p = malloc(12);
pp = &p;
pp++;
return 0;// expected-warning {{Potential leak of memory pointed to by}}
}
extern void exit(int) __attribute__ ((__noreturn__));
void mallocExit(int *g) {
struct xx *p = malloc(12);
if (g != 0)
exit(1);
free(p);
return;
}
extern void __assert_fail (__const char *__assertion, __const char *__file,
unsigned int __line, __const char *__function)
__attribute__ ((__noreturn__));
#define assert(expr) \
((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
void mallocAssert(int *g) {
struct xx *p = malloc(12);
assert(g != 0);
free(p);
return;
}
void doNotInvalidateWhenPassedToSystemCalls(char *s) {
char *p = malloc(12);
strlen(p);
strcpy(p, s);
strcpy(s, p);
strcpy(p, p);
memcpy(p, s, 1);
memcpy(s, p, 1);
memcpy(p, p, 1);
} // expected-warning {{leak}}
// Treat source buffer contents as escaped.
void escapeSourceContents(char *s) {
char *p = malloc(12);
memcpy(s, &p, 12); // no warning
void *p1 = malloc(7);
char *a;
memcpy(&a, &p1, sizeof a);
// FIXME: No warning due to limitations imposed by current modelling of
// 'memcpy' (regions metadata is not copied).
int *ptrs[2];
int *allocated = (int *)malloc(4);
memcpy(&ptrs[0], &allocated, sizeof(int *));
// FIXME: No warning due to limitations imposed by current modelling of
// 'memcpy' (regions metadata is not copied).
}
void invalidateDestinationContents() {
int *null = 0;
int *p = (int *)malloc(4);
memcpy(&p, &null, sizeof(int *));
int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}}
ptrs1[0] = (int *)malloc(4);
memcpy(ptrs1, &null, sizeof(int *));
int *ptrs2[2]; // expected-warning {{Potential memory leak}}
ptrs2[0] = (int *)malloc(4);
memcpy(&ptrs2[1], &null, sizeof(int *));
int *ptrs3[2]; // expected-warning {{Potential memory leak}}
ptrs3[0] = (int *)malloc(4);
memcpy(&ptrs3[0], &null, sizeof(int *));
} // expected-warning {{Potential memory leak}}
// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
void symbolLostWithStrcpy(char *s) {
char *p = malloc(12);
p = strcpy(p, s);
free(p);
}
// The same test as the one above, but with what is actually generated on a mac.
static __inline char *
__inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
{
return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
}
void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
char *p = malloc(12);
p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
free(p);
}
// Here we are returning a pointer one past the allocated value. An idiom which
// can be used for implementing special malloc. The correct uses of this might
// be rare enough so that we could keep this as a warning.
static void *specialMalloc(int n){
int *p;
p = malloc( n+8 );
if( p ){
p[0] = n;
p++;
}
return p;
}
// Potentially, the user could free the struct by performing pointer arithmetic on the return value.
// This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
int *specialMallocWithStruct() {
struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
return &(px->g);
}
// Test various allocation/deallocation functions.
void testStrdup(const char *s, unsigned validIndex) {
char *s2 = strdup(s);
s2[validIndex + 1] = 'b';
} // expected-warning {{Potential leak of memory pointed to by}}
void testWinStrdup(const char *s, unsigned validIndex) {
char *s2 = _strdup(s);
s2[validIndex + 1] = 'b';
} // expected-warning {{Potential leak of memory pointed to by}}
void testWcsdup(const wchar_t *s, unsigned validIndex) {
wchar_t *s2 = wcsdup(s);
s2[validIndex + 1] = 'b';
} // expected-warning {{Potential leak of memory pointed to by}}
void testWinWcsdup(const wchar_t *s, unsigned validIndex) {
wchar_t *s2 = _wcsdup(s);
s2[validIndex + 1] = 'b';
} // expected-warning {{Potential leak of memory pointed to by}}
int testStrndup(const char *s, unsigned validIndex, unsigned size) {
char *s2 = strndup(s, size);
s2 [validIndex + 1] = 'b';
if (s2[validIndex] != 'a')
return 0;
else
return 1;// expected-warning {{Potential leak of memory pointed to by}}
}
void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
char *s2 = strdup(s);
char result = s2[1];// no warning
free(s2);
}
void testWinStrdupContentIsDefined(const char *s, unsigned validIndex) {
char *s2 = _strdup(s);
char result = s2[1];// no warning
free(s2);
}
void testWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
wchar_t *s2 = wcsdup(s);
wchar_t result = s2[1];// no warning
free(s2);
}
void testWinWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
wchar_t *s2 = _wcsdup(s);
wchar_t result = s2[1];// no warning
free(s2);
}
// ----------------------------------------------------------------------------
// Test the system library functions to which the pointer can escape.
// This tests false positive suppression.
// For now, we assume memory passed to pthread_specific escapes.
// TODO: We could check that if a new pthread binding is set, the existing
// binding must be freed; otherwise, a memory leak can occur.
void testPthereadSpecificEscape(pthread_key_t key) {
void *buf = malloc(12);
pthread_setspecific(key, buf); // no warning
}
// PR12101: Test funopen().
static int releasePtr(void *_ctx) {
free(_ctx);
return 0;
}
FILE *useFunOpen() {
void *ctx = malloc(sizeof(int));
FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
if (f == 0) {
free(ctx);
}
return f;
}
FILE *useFunOpenNoReleaseFunction() {
void *ctx = malloc(sizeof(int));
FILE *f = funopen(ctx, 0, 0, 0, 0);
if (f == 0) {
free(ctx);
}
return f; // expected-warning{{leak}}
}
static int readNothing(void *_ctx, char *buf, int size) {
return 0;
}
FILE *useFunOpenReadNoRelease() {
void *ctx = malloc(sizeof(int));
FILE *f = funopen(ctx, readNothing, 0, 0, 0);
if (f == 0) {
free(ctx);
}
return f; // expected-warning{{leak}}
}
// Test setbuf, setvbuf.
int my_main_no_warning() {
char *p = malloc(100);
setvbuf(stdout, p, 0, 100);
return 0;
}
int my_main_no_warning2() {
char *p = malloc(100);
setbuf(__stdoutp, p);
return 0;
}
int my_main_warn(FILE *f) {
char *p = malloc(100);
setvbuf(f, p, 0, 100);
return 0;// expected-warning {{leak}}
}
// <rdar://problem/10978247>.
// some people use stack allocated memory as an optimization to avoid
// a heap allocation for small work sizes. This tests the analyzer's
// understanding that the malloc'ed memory is not the same as stackBuffer.
void radar10978247(int myValueSize) {
char stackBuffer[128];
char *buffer;
if (myValueSize <= sizeof(stackBuffer))
buffer = stackBuffer;
else
buffer = malloc(myValueSize);
// do stuff with the buffer
if (buffer != stackBuffer)
free(buffer);
}
void radar10978247_positive(int myValueSize) {
char stackBuffer[128];
char *buffer;
if (myValueSize <= sizeof(stackBuffer))
buffer = stackBuffer;
else
buffer = malloc(myValueSize);
// do stuff with the buffer
if (buffer == stackBuffer)
return;
else
return; // expected-warning {{leak}}
}
// <rdar://problem/11269741> Previously this triggered a false positive
// because malloc() is known to return uninitialized memory and the binding
// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
struct rdar11269741_a_t {
struct rdar11269741_b_t {
int m;
} n;
};
int rdar11269741(struct rdar11269741_b_t o)
{
struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
p->n = o;
return p->n.m; // expected-warning {{leak}}
}
// Pointer arithmetic, returning an ElementRegion.
void *radar11329382(unsigned bl) {
void *ptr = malloc (16);
ptr = ptr + (2 - bl);
return ptr; // no warning
}
void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
int strcmp(const char *, const char *);
char *a (void);
void radar11270219(void) {
char *x = a(), *y = a();
(__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
strcmp(x, y); // no warning
}
void radar_11358224_test_double_assign_ints_positive_2()
{
void *ptr = malloc(16);
ptr = ptr;
} // expected-warning {{leak}}
// Assume that functions which take a function pointer can free memory even if
// they are defined in system headers and take the const pointer to the
// allocated memory. (radar://11160612)
int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
void r11160612_1() {
char *x = malloc(12);
const_ptr_and_callback(0, x, 12, free); // no - warning
}
// Null is passed as callback.
void r11160612_2() {
char *x = malloc(12);
const_ptr_and_callback(0, x, 12, 0);
} // expected-warning {{leak}}
// Callback is passed to a function defined in a system header.
void r11160612_4() {
char *x = malloc(12);
sqlite3_bind_text_my(0, x, 12, free); // no - warning
}
// Passing callbacks in a struct.
void r11160612_5(StWithCallback St) {
void *x = malloc(12);
dealocateMemWhenDoneByVal(x, St);
}
void r11160612_6(StWithCallback St) {
void *x = malloc(12);
dealocateMemWhenDoneByRef(&St, x);
}
int mySub(int, int);
int myAdd(int, int);
int fPtr(unsigned cond, int x) {
return (cond ? mySub : myAdd)(x, x);
}
// Test anti-aliasing.
void dependsOnValueOfPtr(int *g, unsigned f) {
int *p;
if (f) {
p = g;
} else {
p = malloc(12);
}
if (p != g)
free(p);
else
return; // no warning
return;
}
int CMPRegionHeapToStack() {
int x = 0;
int *x1 = malloc(8);
int *x2 = &x;
clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
free(x1);
return x;
}
int CMPRegionHeapToHeap2() {
int x = 0;
int *x1 = malloc(8);
int *x2 = malloc(8);
int *x4 = x1;
int *x5 = x2;
clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
free(x1);
free(x2);
return x;
}
int CMPRegionHeapToHeap() {
int x = 0;
int *x1 = malloc(8);
int *x4 = x1;
if (x1 == x4) {
free(x1);
return 5/x; // expected-warning{{Division by zero}}
}
return x;// expected-warning{{This statement is never executed}}
}
int HeapAssignment() {
int m = 0;
int *x = malloc(4);
int *y = x;
*x = 5;
clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
free(x);
return 0;
}
int *retPtr();
int *retPtrMightAlias(int *x);
int cmpHeapAllocationToUnknown() {
int zero = 0;
int *yBefore = retPtr();
int *m = malloc(8);
int *yAfter = retPtrMightAlias(m);
clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
free(m);
return 0;
}
void localArrayTest() {
char *p = (char*)malloc(12);
char *ArrayL[12];
ArrayL[0] = p;
} // expected-warning {{leak}}
void localStructTest() {
StructWithPtr St;
StructWithPtr *pSt = &St;
pSt->memP = malloc(12);
} // expected-warning{{Potential leak of memory pointed to by}}
#ifdef __INTPTR_TYPE__
// Test double assignment through integers.
typedef __INTPTR_TYPE__ intptr_t;
typedef unsigned __INTPTR_TYPE__ uintptr_t;
static intptr_t glob;
void test_double_assign_ints()
{
void *ptr = malloc (16); // no-warning
glob = (intptr_t)(uintptr_t)ptr;
}
void test_double_assign_ints_positive()
{
void *ptr = malloc(16);
(void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
} // expected-warning {{leak}}
#endif
void testCGContextNoLeak()
{
void *ptr = malloc(16);
CGContextRef context = CGBitmapContextCreate(ptr);
// Because you can get the data back out like this, even much later,
// CGBitmapContextCreate is one of our "stop-tracking" exceptions.
free(CGBitmapContextGetData(context));
}
void testCGContextLeak()
{
void *ptr = malloc(16);
CGContextRef context = CGBitmapContextCreate(ptr);
// However, this time we're just leaking the data, because the context
// object doesn't escape and it hasn't been freed in this function.
}
// Allow xpc context to escape. radar://11635258
// TODO: Would be great if we checked that the finalize_connection_context actually releases it.
static void finalize_connection_context(void *ctx) {
int *context = ctx;
free(context);
}
void foo (xpc_connection_t peer) {
int *ctx = calloc(1, sizeof(int));
xpc_connection_set_context(peer, ctx);
xpc_connection_set_finalizer_f(peer, finalize_connection_context);
xpc_connection_resume(peer);
}
// Make sure we catch errors when we free in a function which does not allocate memory.
void freeButNoMalloc(int *p, int x){
if (x) {
free(p);
//user forgot a return here.
}
free(p); // expected-warning {{Attempt to free released memory}}
}
struct HasPtr {
char *p;
};
char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
int *s;
char *b = realloc(a->p, size);
char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
// We don't expect a use-after-free for a->P here because the warning above
// is a sink.
return a->p; // no-warning
}
// We should not warn in this case since the caller will presumably free a->p in all cases.
int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
int *s;
char *b = realloc(a->p, size);
if (b == 0)
return -1;
a->p = b;
return 0;
}
// Test realloc with no visible malloc.
void *test(void *ptr) {
void *newPtr = realloc(ptr, 4);
if (newPtr == 0) {
if (ptr)
free(ptr); // no-warning
}
return newPtr;
}
char *testLeakWithinReturn(char *str) {
return strdup(strdup(str)); // expected-warning{{leak}}
}
char *testWinLeakWithinReturn(char *str) {
return _strdup(_strdup(str)); // expected-warning{{leak}}
}
wchar_t *testWinWideLeakWithinReturn(wchar_t *str) {
return _wcsdup(_wcsdup(str)); // expected-warning{{leak}}
}
void passConstPtr(const char * ptr);
void testPassConstPointer() {
char * string = malloc(sizeof(char)*10);
passConstPtr(string);
return; // expected-warning {{leak}}
}
void testPassConstPointerIndirectly() {
char *p = malloc(1);
p++;
memcmp(p, p, sizeof(&p));
return; // expected-warning {{leak}}
}
void testPassConstPointerIndirectlyStruct() {
struct HasPtr hp;
hp.p = malloc(10);
memcmp(&hp, &hp, sizeof(hp));
return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
}
void testPassToSystemHeaderFunctionIndirectlyStruct() {
SomeStruct ss;
ss.p = malloc(1);
fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
// Technically a false negative here -- we know the system function won't free
// ss.p, but nothing else will either!
} // no-warning
void testPassToSystemHeaderFunctionIndirectlyStructFree() {
SomeStruct ss;
ss.p = malloc(1);
fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
free(ss.p);
} // no-warning
void testPassToSystemHeaderFunctionIndirectlyArray() {
int *p[1];
p[0] = malloc(sizeof(int));
fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
// Technically a false negative here -- we know the system function won't free
// p[0], but nothing else will either!
} // no-warning
void testPassToSystemHeaderFunctionIndirectlyArrayFree() {
int *p[1];
p[0] = malloc(sizeof(int));
fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
free(p[0]);
} // no-warning
int *testOffsetAllocate(size_t size) {
int *memoryBlock = (int *)malloc(size + sizeof(int));
return &memoryBlock[1]; // no-warning
}
void testOffsetDeallocate(int *memoryBlock) {
free(&memoryBlock[-1]); // no-warning
}
void testOffsetOfRegionFreed() {
__int64_t * array = malloc(sizeof(__int64_t)*2);
array += 1;
free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
}
void testOffsetOfRegionFreed2() {
__int64_t *p = malloc(sizeof(__int64_t)*2);
p += 1;
free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
}
void testOffsetOfRegionFreed3() {
char *r = malloc(sizeof(char));
r = r - 10;
free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
}
void testOffsetOfRegionFreedAfterFunctionCall() {
int *p = malloc(sizeof(int)*2);
p += 1;
myfoo(p);
free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
}
void testFixManipulatedPointerBeforeFree() {
int * array = malloc(sizeof(int)*2);
array += 1;
free(&array[-1]); // no-warning
}
void testFixManipulatedPointerBeforeFree2() {
char *r = malloc(sizeof(char));
r = r + 10;
free(r-10); // no-warning
}
void freeOffsetPointerPassedToFunction() {
__int64_t *p = malloc(sizeof(__int64_t)*2);
p[1] = 0;
p += 1;
myfooint(*p); // not passing the pointer, only a value pointed by pointer
free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
}
int arbitraryInt();
void freeUnknownOffsetPointer() {
char *r = malloc(sizeof(char));
r = r + arbitraryInt(); // unable to reason about what the offset might be
free(r); // no-warning
}
void testFreeNonMallocPointerWithNoOffset() {
char c;
char *r = &c;
r = r + 10;
free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
}
void testFreeNonMallocPointerWithOffset() {
char c;
char *r = &c;
free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
}
void testOffsetZeroDoubleFree() {
int *array = malloc(sizeof(int)*2);
int *p = &array[0];
free(p);
free(&array[0]); // expected-warning{{Attempt to free released memory}}
}
void testOffsetPassedToStrlen() {
char * string = malloc(sizeof(char)*10);
string += 1;
int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
}
void testOffsetPassedToStrlenThenFree() {
char * string = malloc(sizeof(char)*10);
string += 1;
int length = strlen(string);
free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
}
void testOffsetPassedAsConst() {
char * string = malloc(sizeof(char)*10);
string += 1;
passConstPtr(string);
free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
}
char **_vectorSegments;
int _nVectorSegments;
void poolFreeC(void* s) {
free(s); // no-warning
}
void freeMemory() {
while (_nVectorSegments) {
poolFreeC(_vectorSegments[_nVectorSegments++]);
}
}
// PR16730
void testReallocEscaped(void **memory) {
*memory = malloc(47);
char *new_memory = realloc(*memory, 47);
if (new_memory != 0) {
*memory = new_memory;
}
}
// PR16558
void *smallocNoWarn(size_t size) {
if (size == 0) {
return malloc(1); // this branch is never called
}
else {
return malloc(size);
}
}
char *dupstrNoWarn(const char *s) {
const int len = strlen(s);
char *p = (char*) smallocNoWarn(len + 1);
strcpy(p, s); // no-warning
return p;
}
void *smallocWarn(size_t size) {
if (size == 2) {
return malloc(1);
}
else {
return malloc(size);
}
}
char *dupstrWarn(const char *s) {
const int len = strlen(s);
char *p = (char*) smallocWarn(len + 1);
strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}}
return p;
}
int *radar15580979() {
int *data = (int *)malloc(32);
int *p = data ?: (int*)malloc(32); // no warning
return p;
}
// Some data structures may hold onto the pointer and free it later.
void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
int *data = (int *)malloc(32);
fake_insque(queue, data); // no warning
}
void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) {
int *data = (int *)malloc(32);
fake_rb_tree_init(rbt, data);
} //expected-warning{{Potential leak}}
void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
int *data = (int *)malloc(32);
fake_rb_tree_init(rbt, data);
fake_rb_tree_insert_node(rbt, data); // no warning
}
struct IntAndPtr {
int x;
int *p;
};
void constEscape(const void *ptr);
void testConstEscapeThroughAnotherField() {
struct IntAndPtr s;
s.p = malloc(sizeof(int));
constEscape(&(s.x)); // could free s->p!
} // no-warning
// ----------------------------------------------------------------------------
// False negatives.
void testMallocWithParam(int **p) {
*p = (int*) malloc(sizeof(int));
*p = 0; // FIXME: should warn here
}
void testMallocWithParam_2(int **p) {
*p = (int*) malloc(sizeof(int)); // no-warning
}
void testPassToSystemHeaderFunctionIndirectly() {
int *p = malloc(4);
p++;
fakeSystemHeaderCallInt(p);
// FIXME: This is a leak: if we think a system function won't free p, it
// won't free (p-1) either.
}
void testMallocIntoMalloc() {
StructWithPtr *s = malloc(sizeof(StructWithPtr));
s->memP = malloc(sizeof(int));
free(s);
} // FIXME: should warn here