1 // RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \
2 // RUN: -analyzer-checker=core \
3 // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
4 // RUN: -analyzer-checker=alpha.core.CastSize \
5 // RUN: -analyzer-checker=unix.Malloc \
6 // RUN: -analyzer-checker=debug.ExprInspection
7
8 #include "Inputs/system-header-simulator.h"
9
10 void clang_analyzer_eval(int);
11
12 // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
13 // _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
14 // the builtin type: "Using the typedef version can cause portability
15 // problems", but we're ok here because we're not actually running anything.
16 // Also of note is this cryptic warning: "The wchar_t type is not supported
17 // when you compile C code".
18 //
19 // See the docs for more:
20 // https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
21 #if !defined(_WCHAR_T_DEFINED)
22 // "Microsoft implements wchar_t as a two-byte unsigned value"
23 typedef unsigned short wchar_t;
24 #define _WCHAR_T_DEFINED
25 #endif // !defined(_WCHAR_T_DEFINED)
26
27 typedef __typeof(sizeof(int)) size_t;
28 void *malloc(size_t);
29 void *alloca(size_t);
30 void *valloc(size_t);
31 void free(void *);
32 void *realloc(void *ptr, size_t size);
33 void *reallocf(void *ptr, size_t size);
34 void *calloc(size_t nmemb, size_t size);
35 char *strdup(const char *s);
36 wchar_t *wcsdup(const wchar_t *s);
37 char *strndup(const char *s, size_t n);
38 int memcmp(const void *s1, const void *s2, size_t n);
39
40 // Windows variants
41 char *_strdup(const char *strSource);
42 wchar_t *_wcsdup(const wchar_t *strSource);
43 void *_alloca(size_t size);
44
45 void myfoo(int *p);
46 void myfooint(int p);
47 char *fooRetPtr();
48
f1()49 void f1() {
50 int *p = malloc(12);
51 return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
52 }
53
f2()54 void f2() {
55 int *p = malloc(12);
56 free(p);
57 free(p); // expected-warning{{Attempt to free released memory}}
58 }
59
f2_realloc_0()60 void f2_realloc_0() {
61 int *p = malloc(12);
62 realloc(p,0);
63 realloc(p,0); // expected-warning{{Attempt to free released memory}}
64 }
65
f2_realloc_1()66 void f2_realloc_1() {
67 int *p = malloc(12);
68 int *q = realloc(p,0); // no-warning
69 }
70
reallocNotNullPtr(unsigned sizeIn)71 void reallocNotNullPtr(unsigned sizeIn) {
72 unsigned size = 12;
73 char *p = (char*)malloc(size);
74 if (p) {
75 char *q = (char*)realloc(p, sizeIn);
76 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
77 }
78 }
79
allocaTest()80 void allocaTest() {
81 int *p = alloca(sizeof(int));
82 } // no warn
83
winAllocaTest()84 void winAllocaTest() {
85 int *p = _alloca(sizeof(int));
86 } // no warn
87
allocaBuiltinTest()88 void allocaBuiltinTest() {
89 int *p = __builtin_alloca(sizeof(int));
90 } // no warn
91
realloctest1()92 int *realloctest1() {
93 int *q = malloc(12);
94 q = realloc(q, 20);
95 return q; // no warning - returning the allocated value
96 }
97
98 // p should be freed if realloc fails.
reallocFails()99 void reallocFails() {
100 char *p = malloc(12);
101 char *r = realloc(p, 12+1);
102 if (!r) {
103 free(p);
104 } else {
105 free(r);
106 }
107 }
108
reallocSizeZero1()109 void reallocSizeZero1() {
110 char *p = malloc(12);
111 char *r = realloc(p, 0);
112 if (!r) {
113 free(p); // expected-warning {{Attempt to free released memory}}
114 } else {
115 free(r);
116 }
117 }
118
reallocSizeZero2()119 void reallocSizeZero2() {
120 char *p = malloc(12);
121 char *r = realloc(p, 0);
122 if (!r) {
123 free(p); // expected-warning {{Attempt to free released memory}}
124 } else {
125 free(r);
126 }
127 free(p); // expected-warning {{Attempt to free released memory}}
128 }
129
reallocSizeZero3()130 void reallocSizeZero3() {
131 char *p = malloc(12);
132 char *r = realloc(p, 0);
133 free(r);
134 }
135
reallocSizeZero4()136 void reallocSizeZero4() {
137 char *r = realloc(0, 0);
138 free(r);
139 }
140
reallocSizeZero5()141 void reallocSizeZero5() {
142 char *r = realloc(0, 0);
143 }
144
reallocPtrZero1()145 void reallocPtrZero1() {
146 char *r = realloc(0, 12);
147 } // expected-warning {{Potential leak of memory pointed to by 'r'}}
148
reallocPtrZero2()149 void reallocPtrZero2() {
150 char *r = realloc(0, 12);
151 if (r)
152 free(r);
153 }
154
reallocPtrZero3()155 void reallocPtrZero3() {
156 char *r = realloc(0, 12);
157 free(r);
158 }
159
reallocRadar6337483_1()160 void reallocRadar6337483_1() {
161 char *buf = malloc(100);
162 buf = (char*)realloc(buf, 0x1000000);
163 if (!buf) {
164 return;// expected-warning {{Potential leak of memory pointed to by}}
165 }
166 free(buf);
167 }
168
reallocRadar6337483_2()169 void reallocRadar6337483_2() {
170 char *buf = malloc(100);
171 char *buf2 = (char*)realloc(buf, 0x1000000);
172 if (!buf2) {
173 ;
174 } else {
175 free(buf2);
176 }
177 } // expected-warning {{Potential leak of memory pointed to by}}
178
reallocRadar6337483_3()179 void reallocRadar6337483_3() {
180 char * buf = malloc(100);
181 char * tmp;
182 tmp = (char*)realloc(buf, 0x1000000);
183 if (!tmp) {
184 free(buf);
185 return;
186 }
187 buf = tmp;
188 free(buf);
189 }
190
reallocRadar6337483_4()191 void reallocRadar6337483_4() {
192 char *buf = malloc(100);
193 char *buf2 = (char*)realloc(buf, 0x1000000);
194 if (!buf2) {
195 return; // expected-warning {{Potential leak of memory pointed to by}}
196 } else {
197 free(buf2);
198 }
199 }
200
reallocfTest1()201 int *reallocfTest1() {
202 int *q = malloc(12);
203 q = reallocf(q, 20);
204 return q; // no warning - returning the allocated value
205 }
206
reallocfRadar6337483_4()207 void reallocfRadar6337483_4() {
208 char *buf = malloc(100);
209 char *buf2 = (char*)reallocf(buf, 0x1000000);
210 if (!buf2) {
211 return; // no warning - reallocf frees even on failure
212 } else {
213 free(buf2);
214 }
215 }
216
reallocfRadar6337483_3()217 void reallocfRadar6337483_3() {
218 char * buf = malloc(100);
219 char * tmp;
220 tmp = (char*)reallocf(buf, 0x1000000);
221 if (!tmp) {
222 free(buf); // expected-warning {{Attempt to free released memory}}
223 return;
224 }
225 buf = tmp;
226 free(buf);
227 }
228
reallocfPtrZero1()229 void reallocfPtrZero1() {
230 char *r = reallocf(0, 12);
231 } // expected-warning {{Potential leak of memory pointed to by}}
232
233 //------------------- Check usage of zero-allocated memory ---------------------
CheckUseZeroAllocatedNoWarn1()234 void CheckUseZeroAllocatedNoWarn1() {
235 int *p = malloc(0);
236 free(p); // no warning
237 }
238
CheckUseZeroAllocatedNoWarn2()239 void CheckUseZeroAllocatedNoWarn2() {
240 int *p = alloca(0); // no warning
241 }
242
CheckUseZeroWinAllocatedNoWarn2()243 void CheckUseZeroWinAllocatedNoWarn2() {
244 int *p = _alloca(0); // no warning
245 }
246
247
CheckUseZeroAllocatedNoWarn3()248 void CheckUseZeroAllocatedNoWarn3() {
249 int *p = malloc(0);
250 int *q = realloc(p, 8); // no warning
251 free(q);
252 }
253
CheckUseZeroAllocatedNoWarn4()254 void CheckUseZeroAllocatedNoWarn4() {
255 int *p = realloc(0, 8);
256 *p = 1; // no warning
257 free(p);
258 }
259
CheckUseZeroAllocated1()260 void CheckUseZeroAllocated1() {
261 int *p = malloc(0);
262 *p = 1; // expected-warning {{Use of zero-allocated memory}}
263 free(p);
264 }
265
CheckUseZeroAllocated2()266 char CheckUseZeroAllocated2() {
267 char *p = alloca(0);
268 return *p; // expected-warning {{Use of zero-allocated memory}}
269 }
270
CheckUseZeroWinAllocated2()271 char CheckUseZeroWinAllocated2() {
272 char *p = _alloca(0);
273 return *p; // expected-warning {{Use of zero-allocated memory}}
274 }
275
UseZeroAllocated(int * p)276 void UseZeroAllocated(int *p) {
277 if (p)
278 *p = 7; // expected-warning {{Use of zero-allocated memory}}
279 }
CheckUseZeroAllocated3()280 void CheckUseZeroAllocated3() {
281 int *p = malloc(0);
282 UseZeroAllocated(p);
283 }
284
285 void f(char);
CheckUseZeroAllocated4()286 void CheckUseZeroAllocated4() {
287 char *p = valloc(0);
288 f(*p); // expected-warning {{Use of zero-allocated memory}}
289 free(p);
290 }
291
CheckUseZeroAllocated5()292 void CheckUseZeroAllocated5() {
293 int *p = calloc(0, 2);
294 *p = 1; // expected-warning {{Use of zero-allocated memory}}
295 free(p);
296 }
297
CheckUseZeroAllocated6()298 void CheckUseZeroAllocated6() {
299 int *p = calloc(2, 0);
300 *p = 1; // expected-warning {{Use of zero-allocated memory}}
301 free(p);
302 }
303
CheckUseZeroAllocated7()304 void CheckUseZeroAllocated7() {
305 int *p = realloc(0, 0);
306 *p = 1; // expected-warning {{Use of zero-allocated memory}}
307 free(p);
308 }
309
CheckUseZeroAllocated8()310 void CheckUseZeroAllocated8() {
311 int *p = malloc(8);
312 int *q = realloc(p, 0);
313 *q = 1; // expected-warning {{Use of zero-allocated memory}}
314 free(q);
315 }
316
CheckUseZeroAllocated9()317 void CheckUseZeroAllocated9() {
318 int *p = realloc(0, 0);
319 int *q = realloc(p, 0);
320 *q = 1; // expected-warning {{Use of zero-allocated memory}}
321 free(q);
322 }
323
CheckUseZeroAllocatedPathNoWarn(_Bool b)324 void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
325 int s = 0;
326 if (b)
327 s= 10;
328
329 char *p = malloc(s);
330
331 if (b)
332 *p = 1; // no warning
333
334 free(p);
335 }
336
CheckUseZeroAllocatedPathWarn(_Bool b)337 void CheckUseZeroAllocatedPathWarn(_Bool b) {
338 int s = 10;
339 if (b)
340 s= 0;
341
342 char *p = malloc(s);
343
344 if (b)
345 *p = 1; // expected-warning {{Use of zero-allocated memory}}
346
347 free(p);
348 }
349
CheckUseZeroReallocatedPathNoWarn(_Bool b)350 void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
351 int s = 0;
352 if (b)
353 s= 10;
354
355 char *p = malloc(8);
356 char *q = realloc(p, s);
357
358 if (b)
359 *q = 1; // no warning
360
361 free(q);
362 }
363
CheckUseZeroReallocatedPathWarn(_Bool b)364 void CheckUseZeroReallocatedPathWarn(_Bool b) {
365 int s = 10;
366 if (b)
367 s= 0;
368
369 char *p = malloc(8);
370 char *q = realloc(p, s);
371
372 if (b)
373 *q = 1; // expected-warning {{Use of zero-allocated memory}}
374
375 free(q);
376 }
377
378 // This case tests that storing malloc'ed memory to a static variable which is
379 // then returned is not leaked. In the absence of known contracts for functions
380 // or inter-procedural analysis, this is a conservative answer.
f3()381 int *f3() {
382 static int *p = 0;
383 p = malloc(12);
384 return p; // no-warning
385 }
386
387 // This case tests that storing malloc'ed memory to a static global variable
388 // which is then returned is not leaked. In the absence of known contracts for
389 // functions or inter-procedural analysis, this is a conservative answer.
390 static int *p_f4 = 0;
f4()391 int *f4() {
392 p_f4 = malloc(12);
393 return p_f4; // no-warning
394 }
395
f5()396 int *f5() {
397 int *q = malloc(12);
398 q = realloc(q, 20);
399 return q; // no-warning
400 }
401
f6()402 void f6() {
403 int *p = malloc(12);
404 if (!p)
405 return; // no-warning
406 else
407 free(p);
408 }
409
f6_realloc()410 void f6_realloc() {
411 int *p = malloc(12);
412 if (!p)
413 return; // no-warning
414 else
415 realloc(p,0);
416 }
417
418
419 char *doit2();
pr6069()420 void pr6069() {
421 char *buf = doit2();
422 free(buf);
423 }
424
pr6293()425 void pr6293() {
426 free(0);
427 }
428
f7()429 void f7() {
430 char *x = (char*) malloc(4);
431 free(x);
432 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
433 }
434
f8()435 void f8() {
436 char *x = (char*) malloc(4);
437 free(x);
438 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
439 }
440
f7_realloc()441 void f7_realloc() {
442 char *x = (char*) malloc(4);
443 realloc(x,0);
444 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
445 }
446
PR6123()447 void PR6123() {
448 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
449 }
450
PR7217()451 void PR7217() {
452 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
453 buf[1] = 'c'; // not crash
454 }
455
cast_emtpy_struct()456 void cast_emtpy_struct() {
457 struct st {
458 };
459
460 struct st *s = malloc(sizeof(struct st)); // no-warning
461 free(s);
462 }
463
cast_struct_1()464 void cast_struct_1() {
465 struct st {
466 int i[100];
467 char j[];
468 };
469
470 struct st *s = malloc(sizeof(struct st)); // no-warning
471 free(s);
472 }
473
cast_struct_2()474 void cast_struct_2() {
475 struct st {
476 int i[100];
477 char j[0];
478 };
479
480 struct st *s = malloc(sizeof(struct st)); // no-warning
481 free(s);
482 }
483
cast_struct_3()484 void cast_struct_3() {
485 struct st {
486 int i[100];
487 char j[1];
488 };
489
490 struct st *s = malloc(sizeof(struct st)); // no-warning
491 free(s);
492 }
493
cast_struct_4()494 void cast_struct_4() {
495 struct st {
496 int i[100];
497 char j[2];
498 };
499
500 struct st *s = malloc(sizeof(struct st)); // no-warning
501 free(s);
502 }
503
cast_struct_5()504 void cast_struct_5() {
505 struct st {
506 char i[200];
507 char j[1];
508 };
509
510 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning
511 free(s);
512 }
513
cast_struct_warn_1()514 void cast_struct_warn_1() {
515 struct st {
516 int i[100];
517 char j[2];
518 };
519
520 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
521 free(s);
522 }
523
cast_struct_warn_2()524 void cast_struct_warn_2() {
525 struct st {
526 int i[100];
527 char j[2];
528 };
529
530 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
531 free(s);
532 }
533
cast_struct_flex_array_1()534 void cast_struct_flex_array_1() {
535 struct st {
536 int i[100];
537 char j[];
538 };
539
540 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
541 free(s);
542 }
543
cast_struct_flex_array_2()544 void cast_struct_flex_array_2() {
545 struct st {
546 int i[100];
547 char j[0];
548 };
549
550 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
551 free(s);
552 }
553
cast_struct_flex_array_3()554 void cast_struct_flex_array_3() {
555 struct st {
556 int i[100];
557 char j[1];
558 };
559
560 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
561 free(s);
562 }
563
cast_struct_flex_array_4()564 void cast_struct_flex_array_4() {
565 struct foo {
566 char f[32];
567 };
568 struct st {
569 char i[100];
570 struct foo data[];
571 };
572
573 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
574 free(s);
575 }
576
cast_struct_flex_array_5()577 void cast_struct_flex_array_5() {
578 struct foo {
579 char f[32];
580 };
581 struct st {
582 char i[100];
583 struct foo data[0];
584 };
585
586 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
587 free(s);
588 }
589
cast_struct_flex_array_6()590 void cast_struct_flex_array_6() {
591 struct foo {
592 char f[32];
593 };
594 struct st {
595 char i[100];
596 struct foo data[1];
597 };
598
599 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
600 free(s);
601 }
602
cast_struct_flex_array_warn_1()603 void cast_struct_flex_array_warn_1() {
604 struct foo {
605 char f[32];
606 };
607 struct st {
608 char i[100];
609 struct foo data[];
610 };
611
612 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
613 free(s);
614 }
615
cast_struct_flex_array_warn_2()616 void cast_struct_flex_array_warn_2() {
617 struct foo {
618 char f[32];
619 };
620 struct st {
621 char i[100];
622 struct foo data[0];
623 };
624
625 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
626 free(s);
627 }
628
cast_struct_flex_array_warn_3()629 void cast_struct_flex_array_warn_3() {
630 struct foo {
631 char f[32];
632 };
633 struct st {
634 char i[100];
635 struct foo data[1];
636 };
637
638 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
639 free(s);
640 }
641
cast_struct_flex_array_warn_4()642 void cast_struct_flex_array_warn_4() {
643 struct st {
644 int i[100];
645 int j[];
646 };
647
648 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
649 free(s);
650 }
651
cast_struct_flex_array_warn_5()652 void cast_struct_flex_array_warn_5() {
653 struct st {
654 int i[100];
655 int j[0];
656 };
657
658 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
659 free(s);
660 }
661
cast_struct_flex_array_warn_6()662 void cast_struct_flex_array_warn_6() {
663 struct st {
664 int i[100];
665 int j[1];
666 };
667
668 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
669 free(s);
670 }
671
mallocCastToVoid()672 void mallocCastToVoid() {
673 void *p = malloc(2);
674 const void *cp = p; // not crash
675 free(p);
676 }
677
mallocCastToFP()678 void mallocCastToFP() {
679 void *p = malloc(2);
680 void (*fp)() = p; // not crash
681 free(p);
682 }
683
684 // This tests that malloc() buffers are undefined by default
mallocGarbage()685 char mallocGarbage () {
686 char *buf = malloc(2);
687 char result = buf[1]; // expected-warning{{undefined}}
688 free(buf);
689 return result;
690 }
691
692 // This tests that calloc() buffers need to be freed
callocNoFree()693 void callocNoFree () {
694 char *buf = calloc(2,2);
695 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
696 }
697
698 // These test that calloc() buffers are zeroed by default
callocZeroesGood()699 char callocZeroesGood () {
700 char *buf = calloc(2,2);
701 char result = buf[3]; // no-warning
702 if (buf[1] == 0) {
703 free(buf);
704 }
705 return result; // no-warning
706 }
707
callocZeroesBad()708 char callocZeroesBad () {
709 char *buf = calloc(2,2);
710 char result = buf[3]; // no-warning
711 if (buf[1] != 0) {
712 free(buf); // expected-warning{{never executed}}
713 }
714 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
715 }
716
nullFree()717 void nullFree() {
718 int *p = 0;
719 free(p); // no warning - a nop
720 }
721
paramFree(int * p)722 void paramFree(int *p) {
723 myfoo(p);
724 free(p); // no warning
725 myfoo(p); // expected-warning {{Use of memory after it is freed}}
726 }
727
mallocEscapeRet()728 int* mallocEscapeRet() {
729 int *p = malloc(12);
730 return p; // no warning
731 }
732
mallocEscapeFoo()733 void mallocEscapeFoo() {
734 int *p = malloc(12);
735 myfoo(p);
736 return; // no warning
737 }
738
mallocEscapeFree()739 void mallocEscapeFree() {
740 int *p = malloc(12);
741 myfoo(p);
742 free(p);
743 }
744
mallocEscapeFreeFree()745 void mallocEscapeFreeFree() {
746 int *p = malloc(12);
747 myfoo(p);
748 free(p);
749 free(p); // expected-warning{{Attempt to free released memory}}
750 }
751
mallocEscapeFreeUse()752 void mallocEscapeFreeUse() {
753 int *p = malloc(12);
754 myfoo(p);
755 free(p);
756 myfoo(p); // expected-warning{{Use of memory after it is freed}}
757 }
758
759 int *myalloc();
760 void myalloc2(int **p);
761
mallocEscapeFreeCustomAlloc()762 void mallocEscapeFreeCustomAlloc() {
763 int *p = malloc(12);
764 myfoo(p);
765 free(p);
766 p = myalloc();
767 free(p); // no warning
768 }
769
mallocEscapeFreeCustomAlloc2()770 void mallocEscapeFreeCustomAlloc2() {
771 int *p = malloc(12);
772 myfoo(p);
773 free(p);
774 myalloc2(&p);
775 free(p); // no warning
776 }
777
mallocBindFreeUse()778 void mallocBindFreeUse() {
779 int *x = malloc(12);
780 int *y = x;
781 free(y);
782 myfoo(x); // expected-warning{{Use of memory after it is freed}}
783 }
784
mallocEscapeMalloc()785 void mallocEscapeMalloc() {
786 int *p = malloc(12);
787 myfoo(p);
788 p = malloc(12);
789 } // expected-warning{{Potential leak of memory pointed to by}}
790
mallocMalloc()791 void mallocMalloc() {
792 int *p = malloc(12);
793 p = malloc(12);
794 } // expected-warning {{Potential leak of memory pointed to by}}
795
mallocFreeMalloc()796 void mallocFreeMalloc() {
797 int *p = malloc(12);
798 free(p);
799 p = malloc(12);
800 free(p);
801 }
802
mallocFreeUse_params()803 void mallocFreeUse_params() {
804 int *p = malloc(12);
805 free(p);
806 myfoo(p); //expected-warning{{Use of memory after it is freed}}
807 }
808
mallocFreeUse_params2()809 void mallocFreeUse_params2() {
810 int *p = malloc(12);
811 free(p);
812 myfooint(*p); //expected-warning{{Use of memory after it is freed}}
813 }
814
mallocFailedOrNot()815 void mallocFailedOrNot() {
816 int *p = malloc(12);
817 if (!p)
818 free(p);
819 else
820 free(p);
821 }
822
823 struct StructWithInt {
824 int g;
825 };
826
mallocReturnFreed()827 int *mallocReturnFreed() {
828 int *p = malloc(12);
829 free(p);
830 return p; // expected-warning {{Use of memory after it is freed}}
831 }
832
useAfterFreeStruct()833 int useAfterFreeStruct() {
834 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
835 px->g = 5;
836 free(px);
837 return px->g; // expected-warning {{Use of memory after it is freed}}
838 }
839
840 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
841
mallocEscapeFooNonSymbolArg()842 void mallocEscapeFooNonSymbolArg() {
843 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
844 nonSymbolAsFirstArg(&p->g, p);
845 return; // no warning
846 }
847
mallocFailedOrNotLeak()848 void mallocFailedOrNotLeak() {
849 int *p = malloc(12);
850 if (p == 0)
851 return; // no warning
852 else
853 return; // expected-warning {{Potential leak of memory pointed to by}}
854 }
855
mallocAssignment()856 void mallocAssignment() {
857 char *p = malloc(12);
858 p = fooRetPtr();
859 } // expected-warning {{leak}}
860
vallocTest()861 int vallocTest() {
862 char *mem = valloc(12);
863 return 0; // expected-warning {{Potential leak of memory pointed to by}}
864 }
865
vallocEscapeFreeUse()866 void vallocEscapeFreeUse() {
867 int *p = valloc(12);
868 myfoo(p);
869 free(p);
870 myfoo(p); // expected-warning{{Use of memory after it is freed}}
871 }
872
873 int *Gl;
874 struct GlStTy {
875 int *x;
876 };
877
878 struct GlStTy GlS = {0};
879
GlobalFree()880 void GlobalFree() {
881 free(Gl);
882 }
883
GlobalMalloc()884 void GlobalMalloc() {
885 Gl = malloc(12);
886 }
887
GlobalStructMalloc()888 void GlobalStructMalloc() {
889 int *a = malloc(12);
890 GlS.x = a;
891 }
892
GlobalStructMallocFree()893 void GlobalStructMallocFree() {
894 int *a = malloc(12);
895 GlS.x = a;
896 free(GlS.x);
897 }
898
899 char *ArrayG[12];
900
globalArrayTest()901 void globalArrayTest() {
902 char *p = (char*)malloc(12);
903 ArrayG[0] = p;
904 }
905
906 // Make sure that we properly handle a pointer stored into a local struct/array.
907 typedef struct _StructWithPtr {
908 int *memP;
909 } StructWithPtr;
910
911 static StructWithPtr arrOfStructs[10];
912
testMalloc()913 void testMalloc() {
914 int *x = malloc(12);
915 StructWithPtr St;
916 St.memP = x;
917 arrOfStructs[0] = St; // no-warning
918 }
919
testMalloc2()920 StructWithPtr testMalloc2() {
921 int *x = malloc(12);
922 StructWithPtr St;
923 St.memP = x;
924 return St; // no-warning
925 }
926
testMalloc3()927 int *testMalloc3() {
928 int *x = malloc(12);
929 int *y = x;
930 return y; // no-warning
931 }
932
testStructLeak()933 void testStructLeak() {
934 StructWithPtr St;
935 St.memP = malloc(12);
936 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
937 }
938
testElemRegion1()939 void testElemRegion1() {
940 char *x = (void*)malloc(2);
941 int *ix = (int*)x;
942 free(&(x[0]));
943 }
944
testElemRegion2(int ** pp)945 void testElemRegion2(int **pp) {
946 int *p = malloc(12);
947 *pp = p;
948 free(pp[0]);
949 }
950
testElemRegion3(int ** pp)951 void testElemRegion3(int **pp) {
952 int *p = malloc(12);
953 *pp = p;
954 free(*pp);
955 }
956 // Region escape testing.
957
958 unsigned takePtrToPtr(int **p);
PassTheAddrOfAllocatedData(int f)959 void PassTheAddrOfAllocatedData(int f) {
960 int *p = malloc(12);
961 // We don't know what happens after the call. Should stop tracking here.
962 if (takePtrToPtr(&p))
963 f++;
964 free(p); // no warning
965 }
966
967 struct X {
968 int *p;
969 };
970 unsigned takePtrToStruct(struct X *s);
foo2(int * g,int f)971 int ** foo2(int *g, int f) {
972 int *p = malloc(12);
973 struct X *px= malloc(sizeof(struct X));
974 px->p = p;
975 // We don't know what happens after this call. Should not track px nor p.
976 if (takePtrToStruct(px))
977 f++;
978 free(p);
979 return 0;
980 }
981
RegInvalidationDetect1(struct X * s2)982 struct X* RegInvalidationDetect1(struct X *s2) {
983 struct X *px= malloc(sizeof(struct X));
984 px->p = 0;
985 px = s2;
986 return px; // expected-warning {{Potential leak of memory pointed to by}}
987 }
988
RegInvalidationGiveUp1()989 struct X* RegInvalidationGiveUp1() {
990 int *p = malloc(12);
991 struct X *px= malloc(sizeof(struct X));
992 px->p = p;
993 return px;
994 }
995
RegInvalidationDetect2(int ** pp)996 int **RegInvalidationDetect2(int **pp) {
997 int *p = malloc(12);
998 pp = &p;
999 pp++;
1000 return 0;// expected-warning {{Potential leak of memory pointed to by}}
1001 }
1002
1003 extern void exit(int) __attribute__ ((__noreturn__));
mallocExit(int * g)1004 void mallocExit(int *g) {
1005 struct xx *p = malloc(12);
1006 if (g != 0)
1007 exit(1);
1008 free(p);
1009 return;
1010 }
1011
1012 extern void __assert_fail (__const char *__assertion, __const char *__file,
1013 unsigned int __line, __const char *__function)
1014 __attribute__ ((__noreturn__));
1015 #define assert(expr) \
1016 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
mallocAssert(int * g)1017 void mallocAssert(int *g) {
1018 struct xx *p = malloc(12);
1019
1020 assert(g != 0);
1021 free(p);
1022 return;
1023 }
1024
doNotInvalidateWhenPassedToSystemCalls(char * s)1025 void doNotInvalidateWhenPassedToSystemCalls(char *s) {
1026 char *p = malloc(12);
1027 strlen(p);
1028 strcpy(p, s);
1029 strcpy(s, p);
1030 strcpy(p, p);
1031 memcpy(p, s, 1);
1032 memcpy(s, p, 1);
1033 memcpy(p, p, 1);
1034 } // expected-warning {{leak}}
1035
1036 // Treat source buffer contents as escaped.
escapeSourceContents(char * s)1037 void escapeSourceContents(char *s) {
1038 char *p = malloc(12);
1039 memcpy(s, &p, 12); // no warning
1040
1041 void *p1 = malloc(7);
1042 char *a;
1043 memcpy(&a, &p1, sizeof a);
1044 // FIXME: No warning due to limitations imposed by current modelling of
1045 // 'memcpy' (regions metadata is not copied).
1046
1047 int *ptrs[2];
1048 int *allocated = (int *)malloc(4);
1049 memcpy(&ptrs[0], &allocated, sizeof(int *));
1050 // FIXME: No warning due to limitations imposed by current modelling of
1051 // 'memcpy' (regions metadata is not copied).
1052 }
1053
invalidateDestinationContents()1054 void invalidateDestinationContents() {
1055 int *null = 0;
1056 int *p = (int *)malloc(4);
1057 memcpy(&p, &null, sizeof(int *));
1058
1059 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}}
1060 ptrs1[0] = (int *)malloc(4);
1061 memcpy(ptrs1, &null, sizeof(int *));
1062
1063 int *ptrs2[2]; // expected-warning {{Potential memory leak}}
1064 ptrs2[0] = (int *)malloc(4);
1065 memcpy(&ptrs2[1], &null, sizeof(int *));
1066
1067 int *ptrs3[2]; // expected-warning {{Potential memory leak}}
1068 ptrs3[0] = (int *)malloc(4);
1069 memcpy(&ptrs3[0], &null, sizeof(int *));
1070 } // expected-warning {{Potential memory leak}}
1071
1072 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
symbolLostWithStrcpy(char * s)1073 void symbolLostWithStrcpy(char *s) {
1074 char *p = malloc(12);
1075 p = strcpy(p, s);
1076 free(p);
1077 }
1078
1079
1080 // The same test as the one above, but with what is actually generated on a mac.
1081 static __inline char *
__inline_strcpy_chk(char * restrict __dest,const char * restrict __src)1082 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
1083 {
1084 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
1085 }
1086
symbolLostWithStrcpy_InlineStrcpyVersion(char * s)1087 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
1088 char *p = malloc(12);
1089 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
1090 free(p);
1091 }
1092
1093 // Here we are returning a pointer one past the allocated value. An idiom which
1094 // can be used for implementing special malloc. The correct uses of this might
1095 // be rare enough so that we could keep this as a warning.
specialMalloc(int n)1096 static void *specialMalloc(int n){
1097 int *p;
1098 p = malloc( n+8 );
1099 if( p ){
1100 p[0] = n;
1101 p++;
1102 }
1103 return p;
1104 }
1105
1106 // Potentially, the user could free the struct by performing pointer arithmetic on the return value.
1107 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
specialMallocWithStruct()1108 int *specialMallocWithStruct() {
1109 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
1110 return &(px->g);
1111 }
1112
1113 // Test various allocation/deallocation functions.
testStrdup(const char * s,unsigned validIndex)1114 void testStrdup(const char *s, unsigned validIndex) {
1115 char *s2 = strdup(s);
1116 s2[validIndex + 1] = 'b';
1117 } // expected-warning {{Potential leak of memory pointed to by}}
1118
testWinStrdup(const char * s,unsigned validIndex)1119 void testWinStrdup(const char *s, unsigned validIndex) {
1120 char *s2 = _strdup(s);
1121 s2[validIndex + 1] = 'b';
1122 } // expected-warning {{Potential leak of memory pointed to by}}
1123
testWcsdup(const wchar_t * s,unsigned validIndex)1124 void testWcsdup(const wchar_t *s, unsigned validIndex) {
1125 wchar_t *s2 = wcsdup(s);
1126 s2[validIndex + 1] = 'b';
1127 } // expected-warning {{Potential leak of memory pointed to by}}
1128
testWinWcsdup(const wchar_t * s,unsigned validIndex)1129 void testWinWcsdup(const wchar_t *s, unsigned validIndex) {
1130 wchar_t *s2 = _wcsdup(s);
1131 s2[validIndex + 1] = 'b';
1132 } // expected-warning {{Potential leak of memory pointed to by}}
1133
testStrndup(const char * s,unsigned validIndex,unsigned size)1134 int testStrndup(const char *s, unsigned validIndex, unsigned size) {
1135 char *s2 = strndup(s, size);
1136 s2 [validIndex + 1] = 'b';
1137 if (s2[validIndex] != 'a')
1138 return 0;
1139 else
1140 return 1;// expected-warning {{Potential leak of memory pointed to by}}
1141 }
1142
testStrdupContentIsDefined(const char * s,unsigned validIndex)1143 void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
1144 char *s2 = strdup(s);
1145 char result = s2[1];// no warning
1146 free(s2);
1147 }
1148
testWinStrdupContentIsDefined(const char * s,unsigned validIndex)1149 void testWinStrdupContentIsDefined(const char *s, unsigned validIndex) {
1150 char *s2 = _strdup(s);
1151 char result = s2[1];// no warning
1152 free(s2);
1153 }
1154
testWcsdupContentIsDefined(const wchar_t * s,unsigned validIndex)1155 void testWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1156 wchar_t *s2 = wcsdup(s);
1157 wchar_t result = s2[1];// no warning
1158 free(s2);
1159 }
1160
testWinWcsdupContentIsDefined(const wchar_t * s,unsigned validIndex)1161 void testWinWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1162 wchar_t *s2 = _wcsdup(s);
1163 wchar_t result = s2[1];// no warning
1164 free(s2);
1165 }
1166
1167 // ----------------------------------------------------------------------------
1168 // Test the system library functions to which the pointer can escape.
1169 // This tests false positive suppression.
1170
1171 // For now, we assume memory passed to pthread_specific escapes.
1172 // TODO: We could check that if a new pthread binding is set, the existing
1173 // binding must be freed; otherwise, a memory leak can occur.
testPthereadSpecificEscape(pthread_key_t key)1174 void testPthereadSpecificEscape(pthread_key_t key) {
1175 void *buf = malloc(12);
1176 pthread_setspecific(key, buf); // no warning
1177 }
1178
1179 // PR12101: Test funopen().
releasePtr(void * _ctx)1180 static int releasePtr(void *_ctx) {
1181 free(_ctx);
1182 return 0;
1183 }
useFunOpen()1184 FILE *useFunOpen() {
1185 void *ctx = malloc(sizeof(int));
1186 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
1187 if (f == 0) {
1188 free(ctx);
1189 }
1190 return f;
1191 }
useFunOpenNoReleaseFunction()1192 FILE *useFunOpenNoReleaseFunction() {
1193 void *ctx = malloc(sizeof(int));
1194 FILE *f = funopen(ctx, 0, 0, 0, 0);
1195 if (f == 0) {
1196 free(ctx);
1197 }
1198 return f; // expected-warning{{leak}}
1199 }
1200
readNothing(void * _ctx,char * buf,int size)1201 static int readNothing(void *_ctx, char *buf, int size) {
1202 return 0;
1203 }
useFunOpenReadNoRelease()1204 FILE *useFunOpenReadNoRelease() {
1205 void *ctx = malloc(sizeof(int));
1206 FILE *f = funopen(ctx, readNothing, 0, 0, 0);
1207 if (f == 0) {
1208 free(ctx);
1209 }
1210 return f; // expected-warning{{leak}}
1211 }
1212
1213 // Test setbuf, setvbuf.
my_main_no_warning()1214 int my_main_no_warning() {
1215 char *p = malloc(100);
1216 setvbuf(stdout, p, 0, 100);
1217 return 0;
1218 }
my_main_no_warning2()1219 int my_main_no_warning2() {
1220 char *p = malloc(100);
1221 setbuf(__stdoutp, p);
1222 return 0;
1223 }
my_main_warn(FILE * f)1224 int my_main_warn(FILE *f) {
1225 char *p = malloc(100);
1226 setvbuf(f, p, 0, 100);
1227 return 0;// expected-warning {{leak}}
1228 }
1229
1230 // <rdar://problem/10978247>.
1231 // some people use stack allocated memory as an optimization to avoid
1232 // a heap allocation for small work sizes. This tests the analyzer's
1233 // understanding that the malloc'ed memory is not the same as stackBuffer.
radar10978247(int myValueSize)1234 void radar10978247(int myValueSize) {
1235 char stackBuffer[128];
1236 char *buffer;
1237
1238 if (myValueSize <= sizeof(stackBuffer))
1239 buffer = stackBuffer;
1240 else
1241 buffer = malloc(myValueSize);
1242
1243 // do stuff with the buffer
1244 if (buffer != stackBuffer)
1245 free(buffer);
1246 }
1247
radar10978247_positive(int myValueSize)1248 void radar10978247_positive(int myValueSize) {
1249 char stackBuffer[128];
1250 char *buffer;
1251
1252 if (myValueSize <= sizeof(stackBuffer))
1253 buffer = stackBuffer;
1254 else
1255 buffer = malloc(myValueSize);
1256
1257 // do stuff with the buffer
1258 if (buffer == stackBuffer)
1259 return;
1260 else
1261 return; // expected-warning {{leak}}
1262 }
1263 // <rdar://problem/11269741> Previously this triggered a false positive
1264 // because malloc() is known to return uninitialized memory and the binding
1265 // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
1266 struct rdar11269741_a_t {
1267 struct rdar11269741_b_t {
1268 int m;
1269 } n;
1270 };
1271
rdar11269741(struct rdar11269741_b_t o)1272 int rdar11269741(struct rdar11269741_b_t o)
1273 {
1274 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
1275 p->n = o;
1276 return p->n.m; // expected-warning {{leak}}
1277 }
1278
1279 // Pointer arithmetic, returning an ElementRegion.
radar11329382(unsigned bl)1280 void *radar11329382(unsigned bl) {
1281 void *ptr = malloc (16);
1282 ptr = ptr + (2 - bl);
1283 return ptr; // no warning
1284 }
1285
1286 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
1287 int strcmp(const char *, const char *);
1288 char *a (void);
radar11270219(void)1289 void radar11270219(void) {
1290 char *x = a(), *y = a();
1291 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
1292 strcmp(x, y); // no warning
1293 }
1294
radar_11358224_test_double_assign_ints_positive_2()1295 void radar_11358224_test_double_assign_ints_positive_2()
1296 {
1297 void *ptr = malloc(16);
1298 ptr = ptr;
1299 } // expected-warning {{leak}}
1300
1301 // Assume that functions which take a function pointer can free memory even if
1302 // they are defined in system headers and take the const pointer to the
1303 // allocated memory. (radar://11160612)
1304 int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
r11160612_1()1305 void r11160612_1() {
1306 char *x = malloc(12);
1307 const_ptr_and_callback(0, x, 12, free); // no - warning
1308 }
1309
1310 // Null is passed as callback.
r11160612_2()1311 void r11160612_2() {
1312 char *x = malloc(12);
1313 const_ptr_and_callback(0, x, 12, 0);
1314 } // expected-warning {{leak}}
1315
1316 // Callback is passed to a function defined in a system header.
r11160612_4()1317 void r11160612_4() {
1318 char *x = malloc(12);
1319 sqlite3_bind_text_my(0, x, 12, free); // no - warning
1320 }
1321
1322 // Passing callbacks in a struct.
r11160612_5(StWithCallback St)1323 void r11160612_5(StWithCallback St) {
1324 void *x = malloc(12);
1325 dealocateMemWhenDoneByVal(x, St);
1326 }
r11160612_6(StWithCallback St)1327 void r11160612_6(StWithCallback St) {
1328 void *x = malloc(12);
1329 dealocateMemWhenDoneByRef(&St, x);
1330 }
1331
1332 int mySub(int, int);
1333 int myAdd(int, int);
fPtr(unsigned cond,int x)1334 int fPtr(unsigned cond, int x) {
1335 return (cond ? mySub : myAdd)(x, x);
1336 }
1337
1338 // Test anti-aliasing.
1339
dependsOnValueOfPtr(int * g,unsigned f)1340 void dependsOnValueOfPtr(int *g, unsigned f) {
1341 int *p;
1342
1343 if (f) {
1344 p = g;
1345 } else {
1346 p = malloc(12);
1347 }
1348
1349 if (p != g)
1350 free(p);
1351 else
1352 return; // no warning
1353 return;
1354 }
1355
CMPRegionHeapToStack()1356 int CMPRegionHeapToStack() {
1357 int x = 0;
1358 int *x1 = malloc(8);
1359 int *x2 = &x;
1360 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
1361 free(x1);
1362 return x;
1363 }
1364
CMPRegionHeapToHeap2()1365 int CMPRegionHeapToHeap2() {
1366 int x = 0;
1367 int *x1 = malloc(8);
1368 int *x2 = malloc(8);
1369 int *x4 = x1;
1370 int *x5 = x2;
1371 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
1372 free(x1);
1373 free(x2);
1374 return x;
1375 }
1376
CMPRegionHeapToHeap()1377 int CMPRegionHeapToHeap() {
1378 int x = 0;
1379 int *x1 = malloc(8);
1380 int *x4 = x1;
1381 if (x1 == x4) {
1382 free(x1);
1383 return 5/x; // expected-warning{{Division by zero}}
1384 }
1385 return x;// expected-warning{{This statement is never executed}}
1386 }
1387
HeapAssignment()1388 int HeapAssignment() {
1389 int m = 0;
1390 int *x = malloc(4);
1391 int *y = x;
1392 *x = 5;
1393 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
1394 free(x);
1395 return 0;
1396 }
1397
1398 int *retPtr();
1399 int *retPtrMightAlias(int *x);
cmpHeapAllocationToUnknown()1400 int cmpHeapAllocationToUnknown() {
1401 int zero = 0;
1402 int *yBefore = retPtr();
1403 int *m = malloc(8);
1404 int *yAfter = retPtrMightAlias(m);
1405 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
1406 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
1407 free(m);
1408 return 0;
1409 }
1410
localArrayTest()1411 void localArrayTest() {
1412 char *p = (char*)malloc(12);
1413 char *ArrayL[12];
1414 ArrayL[0] = p;
1415 } // expected-warning {{leak}}
1416
localStructTest()1417 void localStructTest() {
1418 StructWithPtr St;
1419 StructWithPtr *pSt = &St;
1420 pSt->memP = malloc(12);
1421 } // expected-warning{{Potential leak of memory pointed to by}}
1422
1423 #ifdef __INTPTR_TYPE__
1424 // Test double assignment through integers.
1425 typedef __INTPTR_TYPE__ intptr_t;
1426 typedef unsigned __INTPTR_TYPE__ uintptr_t;
1427
1428 static intptr_t glob;
test_double_assign_ints()1429 void test_double_assign_ints()
1430 {
1431 void *ptr = malloc (16); // no-warning
1432 glob = (intptr_t)(uintptr_t)ptr;
1433 }
1434
test_double_assign_ints_positive()1435 void test_double_assign_ints_positive()
1436 {
1437 void *ptr = malloc(16);
1438 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
1439 } // expected-warning {{leak}}
1440 #endif
1441
testCGContextNoLeak()1442 void testCGContextNoLeak()
1443 {
1444 void *ptr = malloc(16);
1445 CGContextRef context = CGBitmapContextCreate(ptr);
1446
1447 // Because you can get the data back out like this, even much later,
1448 // CGBitmapContextCreate is one of our "stop-tracking" exceptions.
1449 free(CGBitmapContextGetData(context));
1450 }
1451
testCGContextLeak()1452 void testCGContextLeak()
1453 {
1454 void *ptr = malloc(16);
1455 CGContextRef context = CGBitmapContextCreate(ptr);
1456 // However, this time we're just leaking the data, because the context
1457 // object doesn't escape and it hasn't been freed in this function.
1458 }
1459
1460 // Allow xpc context to escape. radar://11635258
1461 // TODO: Would be great if we checked that the finalize_connection_context actually releases it.
finalize_connection_context(void * ctx)1462 static void finalize_connection_context(void *ctx) {
1463 int *context = ctx;
1464 free(context);
1465 }
foo(xpc_connection_t peer)1466 void foo (xpc_connection_t peer) {
1467 int *ctx = calloc(1, sizeof(int));
1468 xpc_connection_set_context(peer, ctx);
1469 xpc_connection_set_finalizer_f(peer, finalize_connection_context);
1470 xpc_connection_resume(peer);
1471 }
1472
1473 // Make sure we catch errors when we free in a function which does not allocate memory.
freeButNoMalloc(int * p,int x)1474 void freeButNoMalloc(int *p, int x){
1475 if (x) {
1476 free(p);
1477 //user forgot a return here.
1478 }
1479 free(p); // expected-warning {{Attempt to free released memory}}
1480 }
1481
1482 struct HasPtr {
1483 char *p;
1484 };
1485
reallocButNoMalloc(struct HasPtr * a,int c,int size)1486 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1487 int *s;
1488 char *b = realloc(a->p, size);
1489 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1490 // We don't expect a use-after-free for a->P here because the warning above
1491 // is a sink.
1492 return a->p; // no-warning
1493 }
1494
1495 // We should not warn in this case since the caller will presumably free a->p in all cases.
reallocButNoMallocPR13674(struct HasPtr * a,int c,int size)1496 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1497 int *s;
1498 char *b = realloc(a->p, size);
1499 if (b == 0)
1500 return -1;
1501 a->p = b;
1502 return 0;
1503 }
1504
1505 // Test realloc with no visible malloc.
test(void * ptr)1506 void *test(void *ptr) {
1507 void *newPtr = realloc(ptr, 4);
1508 if (newPtr == 0) {
1509 if (ptr)
1510 free(ptr); // no-warning
1511 }
1512 return newPtr;
1513 }
1514
1515
testLeakWithinReturn(char * str)1516 char *testLeakWithinReturn(char *str) {
1517 return strdup(strdup(str)); // expected-warning{{leak}}
1518 }
1519
testWinLeakWithinReturn(char * str)1520 char *testWinLeakWithinReturn(char *str) {
1521 return _strdup(_strdup(str)); // expected-warning{{leak}}
1522 }
1523
testWinWideLeakWithinReturn(wchar_t * str)1524 wchar_t *testWinWideLeakWithinReturn(wchar_t *str) {
1525 return _wcsdup(_wcsdup(str)); // expected-warning{{leak}}
1526 }
1527
1528 void passConstPtr(const char * ptr);
1529
testPassConstPointer()1530 void testPassConstPointer() {
1531 char * string = malloc(sizeof(char)*10);
1532 passConstPtr(string);
1533 return; // expected-warning {{leak}}
1534 }
1535
testPassConstPointerIndirectly()1536 void testPassConstPointerIndirectly() {
1537 char *p = malloc(1);
1538 p++;
1539 memcmp(p, p, sizeof(&p));
1540 return; // expected-warning {{leak}}
1541 }
1542
testPassConstPointerIndirectlyStruct()1543 void testPassConstPointerIndirectlyStruct() {
1544 struct HasPtr hp;
1545 hp.p = malloc(10);
1546 memcmp(&hp, &hp, sizeof(hp));
1547 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
1548 }
1549
testPassToSystemHeaderFunctionIndirectlyStruct()1550 void testPassToSystemHeaderFunctionIndirectlyStruct() {
1551 SomeStruct ss;
1552 ss.p = malloc(1);
1553 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1554 // Technically a false negative here -- we know the system function won't free
1555 // ss.p, but nothing else will either!
1556 } // no-warning
1557
testPassToSystemHeaderFunctionIndirectlyStructFree()1558 void testPassToSystemHeaderFunctionIndirectlyStructFree() {
1559 SomeStruct ss;
1560 ss.p = malloc(1);
1561 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1562 free(ss.p);
1563 } // no-warning
1564
testPassToSystemHeaderFunctionIndirectlyArray()1565 void testPassToSystemHeaderFunctionIndirectlyArray() {
1566 int *p[1];
1567 p[0] = malloc(sizeof(int));
1568 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1569 // Technically a false negative here -- we know the system function won't free
1570 // p[0], but nothing else will either!
1571 } // no-warning
1572
testPassToSystemHeaderFunctionIndirectlyArrayFree()1573 void testPassToSystemHeaderFunctionIndirectlyArrayFree() {
1574 int *p[1];
1575 p[0] = malloc(sizeof(int));
1576 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1577 free(p[0]);
1578 } // no-warning
1579
testOffsetAllocate(size_t size)1580 int *testOffsetAllocate(size_t size) {
1581 int *memoryBlock = (int *)malloc(size + sizeof(int));
1582 return &memoryBlock[1]; // no-warning
1583 }
1584
testOffsetDeallocate(int * memoryBlock)1585 void testOffsetDeallocate(int *memoryBlock) {
1586 free(&memoryBlock[-1]); // no-warning
1587 }
1588
testOffsetOfRegionFreed()1589 void testOffsetOfRegionFreed() {
1590 __int64_t * array = malloc(sizeof(__int64_t)*2);
1591 array += 1;
1592 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1593 }
1594
testOffsetOfRegionFreed2()1595 void testOffsetOfRegionFreed2() {
1596 __int64_t *p = malloc(sizeof(__int64_t)*2);
1597 p += 1;
1598 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1599 }
1600
testOffsetOfRegionFreed3()1601 void testOffsetOfRegionFreed3() {
1602 char *r = malloc(sizeof(char));
1603 r = r - 10;
1604 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
1605 }
1606
testOffsetOfRegionFreedAfterFunctionCall()1607 void testOffsetOfRegionFreedAfterFunctionCall() {
1608 int *p = malloc(sizeof(int)*2);
1609 p += 1;
1610 myfoo(p);
1611 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
1612 }
1613
testFixManipulatedPointerBeforeFree()1614 void testFixManipulatedPointerBeforeFree() {
1615 int * array = malloc(sizeof(int)*2);
1616 array += 1;
1617 free(&array[-1]); // no-warning
1618 }
1619
testFixManipulatedPointerBeforeFree2()1620 void testFixManipulatedPointerBeforeFree2() {
1621 char *r = malloc(sizeof(char));
1622 r = r + 10;
1623 free(r-10); // no-warning
1624 }
1625
freeOffsetPointerPassedToFunction()1626 void freeOffsetPointerPassedToFunction() {
1627 __int64_t *p = malloc(sizeof(__int64_t)*2);
1628 p[1] = 0;
1629 p += 1;
1630 myfooint(*p); // not passing the pointer, only a value pointed by pointer
1631 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1632 }
1633
1634 int arbitraryInt();
freeUnknownOffsetPointer()1635 void freeUnknownOffsetPointer() {
1636 char *r = malloc(sizeof(char));
1637 r = r + arbitraryInt(); // unable to reason about what the offset might be
1638 free(r); // no-warning
1639 }
1640
testFreeNonMallocPointerWithNoOffset()1641 void testFreeNonMallocPointerWithNoOffset() {
1642 char c;
1643 char *r = &c;
1644 r = r + 10;
1645 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1646 }
1647
testFreeNonMallocPointerWithOffset()1648 void testFreeNonMallocPointerWithOffset() {
1649 char c;
1650 char *r = &c;
1651 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1652 }
1653
testOffsetZeroDoubleFree()1654 void testOffsetZeroDoubleFree() {
1655 int *array = malloc(sizeof(int)*2);
1656 int *p = &array[0];
1657 free(p);
1658 free(&array[0]); // expected-warning{{Attempt to free released memory}}
1659 }
1660
testOffsetPassedToStrlen()1661 void testOffsetPassedToStrlen() {
1662 char * string = malloc(sizeof(char)*10);
1663 string += 1;
1664 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
1665 }
1666
testOffsetPassedToStrlenThenFree()1667 void testOffsetPassedToStrlenThenFree() {
1668 char * string = malloc(sizeof(char)*10);
1669 string += 1;
1670 int length = strlen(string);
1671 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1672 }
1673
testOffsetPassedAsConst()1674 void testOffsetPassedAsConst() {
1675 char * string = malloc(sizeof(char)*10);
1676 string += 1;
1677 passConstPtr(string);
1678 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1679 }
1680
1681 char **_vectorSegments;
1682 int _nVectorSegments;
1683
poolFreeC(void * s)1684 void poolFreeC(void* s) {
1685 free(s); // no-warning
1686 }
freeMemory()1687 void freeMemory() {
1688 while (_nVectorSegments) {
1689 poolFreeC(_vectorSegments[_nVectorSegments++]);
1690 }
1691 }
1692
1693 // PR16730
testReallocEscaped(void ** memory)1694 void testReallocEscaped(void **memory) {
1695 *memory = malloc(47);
1696 char *new_memory = realloc(*memory, 47);
1697 if (new_memory != 0) {
1698 *memory = new_memory;
1699 }
1700 }
1701
1702 // PR16558
smallocNoWarn(size_t size)1703 void *smallocNoWarn(size_t size) {
1704 if (size == 0) {
1705 return malloc(1); // this branch is never called
1706 }
1707 else {
1708 return malloc(size);
1709 }
1710 }
1711
dupstrNoWarn(const char * s)1712 char *dupstrNoWarn(const char *s) {
1713 const int len = strlen(s);
1714 char *p = (char*) smallocNoWarn(len + 1);
1715 strcpy(p, s); // no-warning
1716 return p;
1717 }
1718
smallocWarn(size_t size)1719 void *smallocWarn(size_t size) {
1720 if (size == 2) {
1721 return malloc(1);
1722 }
1723 else {
1724 return malloc(size);
1725 }
1726 }
1727
radar15580979()1728 int *radar15580979() {
1729 int *data = (int *)malloc(32);
1730 int *p = data ?: (int*)malloc(32); // no warning
1731 return p;
1732 }
1733
1734 // Some data structures may hold onto the pointer and free it later.
testEscapeThroughSystemCallTakingVoidPointer1(void * queue)1735 void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
1736 int *data = (int *)malloc(32);
1737 fake_insque(queue, data); // no warning
1738 }
1739
testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t * rbt)1740 void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) {
1741 int *data = (int *)malloc(32);
1742 fake_rb_tree_init(rbt, data);
1743 } //expected-warning{{Potential leak}}
1744
testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t * rbt)1745 void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
1746 int *data = (int *)malloc(32);
1747 fake_rb_tree_init(rbt, data);
1748 fake_rb_tree_insert_node(rbt, data); // no warning
1749 }
1750
1751 struct IntAndPtr {
1752 int x;
1753 int *p;
1754 };
1755
1756 void constEscape(const void *ptr);
1757
testConstEscapeThroughAnotherField()1758 void testConstEscapeThroughAnotherField() {
1759 struct IntAndPtr s;
1760 s.p = malloc(sizeof(int));
1761 constEscape(&(s.x)); // could free s->p!
1762 } // no-warning
1763
1764 // PR15623
testNoCheckerDataPropogationFromLogicalOpOperandToOpResult(void)1765 int testNoCheckerDataPropogationFromLogicalOpOperandToOpResult(void) {
1766 char *param = malloc(10);
1767 char *value = malloc(10);
1768 int ok = (param && value);
1769 free(param);
1770 free(value);
1771 // Previously we ended up with 'Use of memory after it is freed' on return.
1772 return ok; // no warning
1773 }
1774
1775 void (*fnptr)(int);
freeIndirectFunctionPtr()1776 void freeIndirectFunctionPtr() {
1777 void *p = (void *)fnptr;
1778 free(p); // expected-warning {{Argument to free() is a function pointer}}
1779 }
1780
freeFunctionPtr()1781 void freeFunctionPtr() {
1782 free((void *)fnptr); // expected-warning {{Argument to free() is a function pointer}}
1783 }
1784
allocateSomeMemory(void * offendingParameter,void ** ptr)1785 void allocateSomeMemory(void *offendingParameter, void **ptr) {
1786 *ptr = malloc(1);
1787 }
1788
testNoCrashOnOffendingParameter()1789 void testNoCrashOnOffendingParameter() {
1790 // "extern" is necessary to avoid unrelated warnings
1791 // on passing uninitialized value.
1792 extern void *offendingParameter;
1793 void* ptr;
1794 allocateSomeMemory(offendingParameter, &ptr);
1795 } // expected-warning {{Potential leak of memory pointed to by 'ptr'}}
1796
1797
1798 // Test a false positive caused by a bug in liveness analysis.
1799 struct A {
1800 int *buf;
1801 };
1802 struct B {
1803 struct A *a;
1804 };
livenessBugRealloc(struct A * a)1805 void livenessBugRealloc(struct A *a) {
1806 a->buf = realloc(a->buf, sizeof(int)); // no-warning
1807 }
testLivenessBug(struct B * in_b)1808 void testLivenessBug(struct B *in_b) {
1809 struct B *b = in_b;
1810 livenessBugRealloc(b->a);
1811 ((void) 0); // An attempt to trick liveness analysis.
1812 livenessBugRealloc(b->a);
1813 }
1814
1815 struct ListInfo {
1816 struct ListInfo *next;
1817 };
1818
1819 struct ConcreteListItem {
1820 struct ListInfo li;
1821 int i;
1822 };
1823
1824 void list_add(struct ListInfo *list, struct ListInfo *item);
1825
testCStyleListItems(struct ListInfo * list)1826 void testCStyleListItems(struct ListInfo *list) {
1827 struct ConcreteListItem *x = malloc(sizeof(struct ConcreteListItem));
1828 list_add(list, &x->li); // will free 'x'.
1829 }
1830
1831 // ----------------------------------------------------------------------------
1832 // False negatives.
1833
testMallocWithParam(int ** p)1834 void testMallocWithParam(int **p) {
1835 *p = (int*) malloc(sizeof(int));
1836 *p = 0; // FIXME: should warn here
1837 }
1838
testMallocWithParam_2(int ** p)1839 void testMallocWithParam_2(int **p) {
1840 *p = (int*) malloc(sizeof(int)); // no-warning
1841 }
1842
testPassToSystemHeaderFunctionIndirectly()1843 void testPassToSystemHeaderFunctionIndirectly() {
1844 int *p = malloc(4);
1845 p++;
1846 fakeSystemHeaderCallInt(p);
1847 // FIXME: This is a leak: if we think a system function won't free p, it
1848 // won't free (p-1) either.
1849 }
1850
testMallocIntoMalloc()1851 void testMallocIntoMalloc() {
1852 StructWithPtr *s = malloc(sizeof(StructWithPtr));
1853 s->memP = malloc(sizeof(int));
1854 free(s);
1855 } // FIXME: should warn here
1856