1 // RUN: %clang_analyze_cc1 -analyzer-store=region -verify \
2 // RUN: -analyzer-checker=core \
3 // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
4 // RUN: -analyzer-checker=alpha.core.CastSize \
5 // RUN: -analyzer-checker=unix.Malloc \
6 // RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s
7
8 typedef __typeof(sizeof(int)) size_t;
9 void *malloc(size_t);
10 void free(void *);
11 void *realloc(void *ptr, size_t size);
12 void *calloc(size_t nmemb, size_t size);
13 void __attribute((ownership_returns(malloc))) *my_malloc(size_t);
14 void __attribute((ownership_takes(malloc, 1))) my_free(void *);
15 void my_freeBoth(void *, void *)
16 __attribute((ownership_holds(malloc, 1, 2)));
17 void __attribute((ownership_returns(malloc, 1))) *my_malloc2(size_t);
18 void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
19
20 // Duplicate attributes are silly, but not an error.
21 // Duplicate attribute has no extra effect.
22 // If two are of different kinds, that is an error and reported as such.
23 void __attribute((ownership_holds(malloc, 1)))
24 __attribute((ownership_holds(malloc, 1)))
25 __attribute((ownership_holds(malloc, 3))) my_hold2(void *, void *, void *);
26 void *my_malloc3(size_t);
27 void *myglobalpointer;
28 struct stuff {
29 void *somefield;
30 };
31 struct stuff myglobalstuff;
32
f1()33 void f1() {
34 int *p = malloc(12);
35 return; // expected-warning{{Potential leak of memory pointed to by}}
36 }
37
f2()38 void f2() {
39 int *p = malloc(12);
40 free(p);
41 free(p); // expected-warning{{Attempt to free released memory}}
42 }
43
f2_realloc_0()44 void f2_realloc_0() {
45 int *p = malloc(12);
46 realloc(p,0);
47 realloc(p,0); // expected-warning{{Attempt to free released memory}}
48 }
49
f2_realloc_1()50 void f2_realloc_1() {
51 int *p = malloc(12);
52 int *q = realloc(p,0); // no-warning
53 }
54
55 // ownership attributes tests
naf1()56 void naf1() {
57 int *p = my_malloc3(12);
58 return; // no-warning
59 }
60
n2af1()61 void n2af1() {
62 int *p = my_malloc2(12);
63 return; // expected-warning{{Potential leak of memory pointed to by}}
64 }
65
af1()66 void af1() {
67 int *p = my_malloc(12);
68 return; // expected-warning{{Potential leak of memory pointed to by}}
69 }
70
af1_b()71 void af1_b() {
72 int *p = my_malloc(12);
73 } // expected-warning{{Potential leak of memory pointed to by}}
74
af1_c()75 void af1_c() {
76 myglobalpointer = my_malloc(12); // no-warning
77 }
78
af1_d()79 void af1_d() {
80 struct stuff mystuff;
81 mystuff.somefield = my_malloc(12);
82 } // expected-warning{{Potential leak of memory pointed to by}}
83
84 // Test that we can pass out allocated memory via pointer-to-pointer.
af1_e(void ** pp)85 void af1_e(void **pp) {
86 *pp = my_malloc(42); // no-warning
87 }
88
af1_f(struct stuff * somestuff)89 void af1_f(struct stuff *somestuff) {
90 somestuff->somefield = my_malloc(12); // no-warning
91 }
92
93 // Allocating memory for a field via multiple indirections to our arguments is OK.
af1_g(struct stuff ** pps)94 void af1_g(struct stuff **pps) {
95 *pps = my_malloc(sizeof(struct stuff)); // no-warning
96 (*pps)->somefield = my_malloc(42); // no-warning
97 }
98
af2()99 void af2() {
100 int *p = my_malloc(12);
101 my_free(p);
102 free(p); // expected-warning{{Attempt to free released memory}}
103 }
104
af2b()105 void af2b() {
106 int *p = my_malloc(12);
107 free(p);
108 my_free(p); // expected-warning{{Attempt to free released memory}}
109 }
110
af2c()111 void af2c() {
112 int *p = my_malloc(12);
113 free(p);
114 my_hold(p); // expected-warning{{Attempt to free released memory}}
115 }
116
af2d()117 void af2d() {
118 int *p = my_malloc(12);
119 free(p);
120 my_hold2(0, 0, p); // expected-warning{{Attempt to free released memory}}
121 }
122
123 // No leak if malloc returns null.
af2e()124 void af2e() {
125 int *p = my_malloc(12);
126 if (!p)
127 return; // no-warning
128 free(p); // no-warning
129 }
130
131 // This case inflicts a possible double-free.
af3()132 void af3() {
133 int *p = my_malloc(12);
134 my_hold(p);
135 free(p); // expected-warning{{Attempt to free non-owned memory}}
136 }
137
af4()138 int * af4() {
139 int *p = my_malloc(12);
140 my_free(p);
141 return p; // expected-warning{{Use of memory after it is freed}}
142 }
143
144 // This case is (possibly) ok, be conservative
af5()145 int * af5() {
146 int *p = my_malloc(12);
147 my_hold(p);
148 return p; // no-warning
149 }
150
151
152
153 // This case tests that storing malloc'ed memory to a static variable which is
154 // then returned is not leaked. In the absence of known contracts for functions
155 // or inter-procedural analysis, this is a conservative answer.
f3()156 int *f3() {
157 static int *p = 0;
158 p = malloc(12);
159 return p; // no-warning
160 }
161
162 // This case tests that storing malloc'ed memory to a static global variable
163 // which is then returned is not leaked. In the absence of known contracts for
164 // functions or inter-procedural analysis, this is a conservative answer.
165 static int *p_f4 = 0;
f4()166 int *f4() {
167 p_f4 = malloc(12);
168 return p_f4; // no-warning
169 }
170
f5()171 int *f5() {
172 int *q = malloc(12);
173 q = realloc(q, 20);
174 return q; // no-warning
175 }
176
f6()177 void f6() {
178 int *p = malloc(12);
179 if (!p)
180 return; // no-warning
181 else
182 free(p);
183 }
184
f6_realloc()185 void f6_realloc() {
186 int *p = malloc(12);
187 if (!p)
188 return; // no-warning
189 else
190 realloc(p,0);
191 }
192
193
194 char *doit2();
pr6069()195 void pr6069() {
196 char *buf = doit2();
197 free(buf);
198 }
199
pr6293()200 void pr6293() {
201 free(0);
202 }
203
f7()204 void f7() {
205 char *x = (char*) malloc(4);
206 free(x);
207 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
208 }
209
f7_realloc()210 void f7_realloc() {
211 char *x = (char*) malloc(4);
212 realloc(x,0);
213 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
214 }
215
PR6123()216 void PR6123() {
217 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
218 }
219
PR7217()220 void PR7217() {
221 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
222 buf[1] = 'c'; // not crash
223 }
224
mallocCastToVoid()225 void mallocCastToVoid() {
226 void *p = malloc(2);
227 const void *cp = p; // not crash
228 free(p);
229 }
230
mallocCastToFP()231 void mallocCastToFP() {
232 void *p = malloc(2);
233 void (*fp)() = p; // not crash
234 free(p);
235 }
236
237 // This tests that malloc() buffers are undefined by default
mallocGarbage()238 char mallocGarbage () {
239 char *buf = malloc(2);
240 char result = buf[1]; // expected-warning{{undefined}}
241 free(buf);
242 return result;
243 }
244
245 // This tests that calloc() buffers need to be freed
callocNoFree()246 void callocNoFree () {
247 char *buf = calloc(2,2);
248 return; // expected-warning{{Potential leak of memory pointed to by}}
249 }
250
251 // These test that calloc() buffers are zeroed by default
callocZeroesGood()252 char callocZeroesGood () {
253 char *buf = calloc(2,2);
254 char result = buf[3]; // no-warning
255 if (buf[1] == 0) {
256 free(buf);
257 }
258 return result; // no-warning
259 }
260
callocZeroesBad()261 char callocZeroesBad () {
262 char *buf = calloc(2,2);
263 char result = buf[3]; // no-warning
264 if (buf[1] != 0) {
265 free(buf); // expected-warning{{never executed}}
266 }
267 return result; // expected-warning{{Potential leak of memory pointed to by}}
268 }
269
testMultipleFreeAnnotations()270 void testMultipleFreeAnnotations() {
271 int *p = malloc(12);
272 int *q = malloc(12);
273 my_freeBoth(p, q);
274 }
275
276