1 // RUN: %clang_analyze_cc1 -fblocks -verify %s -analyzer-store=region \
2 // RUN: -analyzer-checker=core \
3 // RUN: -analyzer-checker=unix.Malloc
4 //
5 // RUN: %clang_analyze_cc1 -fblocks -verify %s -analyzer-store=region \
6 // RUN: -analyzer-checker=core \
7 // RUN: -analyzer-checker=unix.Malloc \
8 // RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true
9 namespace std {
10 using size_t = decltype(sizeof(int));
11 void free(void *);
12 }
13
14 extern "C" void free(void *);
15 extern "C" void *alloca(std::size_t);
16
t1a()17 void t1a () {
18 int a[] = { 1 };
19 free(a);
20 // expected-warning@-1{{Argument to free() is the address of the local variable 'a', which is not memory allocated by malloc()}}
21 // expected-warning@-2{{attempt to call free on non-heap object 'a'}}
22 }
23
t1b()24 void t1b () {
25 int a[] = { 1 };
26 std::free(a);
27 // expected-warning@-1{{Argument to free() is the address of the local variable 'a', which is not memory allocated by malloc()}}
28 // expected-warning@-2{{attempt to call std::free on non-heap object 'a'}}
29 }
30
t2a()31 void t2a () {
32 int a = 1;
33 free(&a);
34 // expected-warning@-1{{Argument to free() is the address of the local variable 'a', which is not memory allocated by malloc()}}
35 // expected-warning@-2{{attempt to call free on non-heap object 'a'}}
36 }
37
t2b()38 void t2b () {
39 int a = 1;
40 std::free(&a);
41 // expected-warning@-1{{Argument to free() is the address of the local variable 'a', which is not memory allocated by malloc()}}
42 // expected-warning@-2{{attempt to call std::free on non-heap object 'a'}}
43 }
44
t3a()45 void t3a () {
46 static int a[] = { 1 };
47 free(a);
48 // expected-warning@-1{{Argument to free() is the address of the static variable 'a', which is not memory allocated by malloc()}}
49 // expected-warning@-2{{attempt to call free on non-heap object 'a'}}
50 }
51
t3b()52 void t3b () {
53 static int a[] = { 1 };
54 std::free(a);
55 // expected-warning@-1{{Argument to free() is the address of the static variable 'a', which is not memory allocated by malloc()}}
56 // expected-warning@-2{{attempt to call std::free on non-heap object 'a'}}
57 }
58
t4a(char * x)59 void t4a (char *x) {
60 free(x); // no-warning
61 }
62
t4b(char * x)63 void t4b (char *x) {
64 std::free(x); // no-warning
65 }
66
t5a()67 void t5a () {
68 extern char *ptr();
69 free(ptr()); // no-warning
70 }
71
t5b()72 void t5b () {
73 extern char *ptr();
74 std::free(ptr()); // no-warning
75 }
76
t6a()77 void t6a () {
78 free((void*)1000);
79 // expected-warning@-1{{Argument to free() is a constant address (1000), which is not memory allocated by malloc()}}
80 // expected-warning@-2{{attempt to call free on non-heap object '(void *)1000'}}
81 }
82
t6b()83 void t6b () {
84 std::free((void*)1000);
85 // expected-warning@-1{{Argument to free() is a constant address (1000), which is not memory allocated by malloc()}}
86 // expected-warning@-2{{attempt to call std::free on non-heap object '(void *)1000'}}
87 }
88
t7a(char ** x)89 void t7a (char **x) {
90 free(*x); // no-warning
91 }
92
t7b(char ** x)93 void t7b (char **x) {
94 std::free(*x); // no-warning
95 }
96
t8a(char ** x)97 void t8a (char **x) {
98 // ugh
99 free((*x)+8); // no-warning
100 }
101
t8b(char ** x)102 void t8b (char **x) {
103 // ugh
104 std::free((*x)+8); // no-warning
105 }
106
t9a()107 void t9a () {
108 label:
109 free(&&label);
110 // expected-warning@-1{{Argument to free() is the address of the label 'label', which is not memory allocated by malloc()}}
111 // expected-warning@-2{{attempt to call free on non-heap object 'label'}}
112 }
113
t9b()114 void t9b () {
115 label:
116 std::free(&&label);
117 // expected-warning@-1{{Argument to free() is the address of the label 'label', which is not memory allocated by malloc()}}
118 // expected-warning@-2{{attempt to call std::free on non-heap object 'label'}}
119 }
120
t10a()121 void t10a () {
122 free((void*)&t10a);
123 // expected-warning@-1{{Argument to free() is the address of the function 't10a', which is not memory allocated by malloc()}}
124 // expected-warning@-2{{attempt to call free on non-heap object 't10a'}}
125 }
126
t10b()127 void t10b () {
128 std::free((void*)&t10b);
129 // expected-warning@-1{{Argument to free() is the address of the function 't10b', which is not memory allocated by malloc()}}
130 // expected-warning@-2{{attempt to call std::free on non-heap object 't10b'}}
131 }
132
t11a()133 void t11a () {
134 char *p = (char*)alloca(2);
135 free(p); // expected-warning {{Memory allocated by alloca() should not be deallocated}}
136 }
137
t11b()138 void t11b () {
139 char *p = (char*)alloca(2);
140 std::free(p); // expected-warning {{Memory allocated by alloca() should not be deallocated}}
141 }
142
t12a()143 void t12a () {
144 char *p = (char*)__builtin_alloca(2);
145 free(p); // expected-warning {{Memory allocated by alloca() should not be deallocated}}
146 }
147
t12b()148 void t12b () {
149 char *p = (char*)__builtin_alloca(2);
150 std::free(p); // expected-warning {{Memory allocated by alloca() should not be deallocated}}
151 }
152
t13a()153 void t13a () {
154 free(^{return;});
155 // expected-warning@-1{{Argument to free() is a block, which is not memory allocated by malloc()}}
156 // expected-warning@-2{{attempt to call free on non-heap object: block expression}}
157 }
158
t13b()159 void t13b () {
160 std::free(^{return;});
161 // expected-warning@-1{{Argument to free() is a block, which is not memory allocated by malloc()}}
162 // expected-warning@-2{{attempt to call std::free on non-heap object: block expression}}
163 }
164
t14a()165 void t14a () {
166 free((void *)+[]{ return; });
167 // expected-warning@-1{{Argument to free() is the address of the function '__invoke', which is not memory allocated by malloc()}}
168 // expected-warning@-2{{attempt to call free on non-heap object: lambda-to-function-pointer conversion}}
169 }
170
t14b()171 void t14b () {
172 std::free((void *)+[]{ return; });
173 // expected-warning@-1{{Argument to free() is the address of the function '__invoke', which is not memory allocated by malloc()}}
174 // expected-warning@-2{{attempt to call std::free on non-heap object: lambda-to-function-pointer conversion}}
175 }
176
t15a(char a)177 void t15a (char a) {
178 free(&a);
179 // expected-warning@-1{{Argument to free() is the address of the parameter 'a', which is not memory allocated by malloc()}}
180 // expected-warning@-2{{attempt to call free on non-heap object 'a'}}
181 }
182
t15b(char a)183 void t15b (char a) {
184 std::free(&a);
185 // expected-warning@-1{{Argument to free() is the address of the parameter 'a', which is not memory allocated by malloc()}}
186 // expected-warning@-2{{attempt to call std::free on non-heap object 'a'}}
187 }
188
189 static int someGlobal[2];
t16a()190 void t16a () {
191 free(someGlobal);
192 // expected-warning@-1{{Argument to free() is the address of the global variable 'someGlobal', which is not memory allocated by malloc()}}
193 // expected-warning@-2{{attempt to call free on non-heap object 'someGlobal'}}
194 }
195
t16b()196 void t16b () {
197 std::free(someGlobal);
198 // expected-warning@-1{{Argument to free() is the address of the global variable 'someGlobal', which is not memory allocated by malloc()}}
199 // expected-warning@-2{{attempt to call std::free on non-heap object 'someGlobal'}}
200 }
201
t17a(char ** x,int offset)202 void t17a (char **x, int offset) {
203 // Unknown value
204 free(x[offset]); // no-warning
205 }
206
t17b(char ** x,int offset)207 void t17b (char **x, int offset) {
208 // Unknown value
209 std::free(x[offset]); // no-warning
210 }
211
212 struct S {
213 const char* p;
214 };
215
t18_C_style_C_style_free(S s)216 void t18_C_style_C_style_free (S s) {
217 free((void*)(unsigned long long)s.p); // no warning
218 }
219
t18_C_style_C_style_std_free(S s)220 void t18_C_style_C_style_std_free (S s) {
221 std::free((void*)(unsigned long long)s.p); // no warning
222 }
223
t18_C_style_reinterpret_free(S s)224 void t18_C_style_reinterpret_free (S s) {
225 free((void*)reinterpret_cast<unsigned long long>(s.p)); // no warning
226 }
227
t18_C_style_reinterpret_std_free(S s)228 void t18_C_style_reinterpret_std_free (S s) {
229 std::free((void*)reinterpret_cast<unsigned long long>(s.p)); // no warning
230 }
231
t18_reinterpret_C_style_free(S s)232 void t18_reinterpret_C_style_free (S s) {
233 free(reinterpret_cast<void*>((unsigned long long)(s.p))); // no warning
234 }
235
t18_reinterpret_C_style_std_free(S s)236 void t18_reinterpret_C_style_std_free (S s) {
237 std::free(reinterpret_cast<void*>((unsigned long long)(s.p))); // no warning
238 }
239
t18_reinterpret_reinterpret_free(S s)240 void t18_reinterpret_reinterpret_free (S s) {
241 free(reinterpret_cast<void*>(reinterpret_cast<unsigned long long>(s.p))); // no warning
242 }
243
t18_reinterpret_reinterpret_std_free(S s)244 void t18_reinterpret_reinterpret_std_free (S s) {
245 std::free(reinterpret_cast<void*>(reinterpret_cast<unsigned long long>(s.p))); // no warning
246 }
247