1 // RUN: %clang_analyze_cc1 -verify \
2 // RUN: -analyzer-checker=core \
3 // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
4 // RUN: -analyzer-checker=alpha.core.CastSize \
5 // RUN: -analyzer-checker=unix.Malloc \
6 // RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s
7
8 typedef __typeof(sizeof(int)) size_t;
9 void *malloc(size_t);
10 void free(void *);
11 void *realloc(void *ptr, size_t size);
12 void *calloc(size_t nmemb, size_t size);
13 void __attribute((ownership_returns(malloc))) *my_malloc(size_t);
14 void __attribute((ownership_takes(malloc, 1))) my_free(void *);
15 void my_freeBoth(void *, void *)
16 __attribute((ownership_holds(malloc, 1, 2)));
17 void __attribute((ownership_returns(malloc, 1))) *my_malloc2(size_t);
18 void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
19
20 // Duplicate attributes are silly, but not an error.
21 // Duplicate attribute has no extra effect.
22 // If two are of different kinds, that is an error and reported as such.
23 void __attribute((ownership_holds(malloc, 1)))
24 __attribute((ownership_holds(malloc, 1)))
25 __attribute((ownership_holds(malloc, 3))) my_hold2(void *, void *, void *);
26 void *my_malloc3(size_t);
27 void *myglobalpointer;
28 struct stuff {
29 void *somefield;
30 };
31 struct stuff myglobalstuff;
32
f1(void)33 void f1(void) {
34 int *p = malloc(12);
35 return; // expected-warning{{Potential leak of memory pointed to by}}
36 }
37
f2(void)38 void f2(void) {
39 int *p = malloc(12);
40 free(p);
41 free(p); // expected-warning{{Attempt to free released memory}}
42 }
43
f2_realloc_0(void)44 void f2_realloc_0(void) {
45 int *p = malloc(12);
46 realloc(p,0);
47 realloc(p,0); // expected-warning{{Attempt to free released memory}}
48 }
49
f2_realloc_1(void)50 void f2_realloc_1(void) {
51 int *p = malloc(12);
52 int *q = realloc(p,0); // no-warning
53 }
54
55 // ownership attributes tests
naf1(void)56 void naf1(void) {
57 int *p = my_malloc3(12);
58 return; // no-warning
59 }
60
n2af1(void)61 void n2af1(void) {
62 int *p = my_malloc2(12);
63 return; // expected-warning{{Potential leak of memory pointed to by}}
64 }
65
af1(void)66 void af1(void) {
67 int *p = my_malloc(12);
68 return; // expected-warning{{Potential leak of memory pointed to by}}
69 }
70
af1_b(void)71 void af1_b(void) {
72 int *p = my_malloc(12);
73 } // expected-warning{{Potential leak of memory pointed to by}}
74
af1_c(void)75 void af1_c(void) {
76 myglobalpointer = my_malloc(12); // no-warning
77 }
78
af1_d(void)79 void af1_d(void) {
80 struct stuff mystuff;
81 mystuff.somefield = my_malloc(12);
82 } // expected-warning{{Potential leak of memory pointed to by}}
83
84 // Test that we can pass out allocated memory via pointer-to-pointer.
af1_e(void ** pp)85 void af1_e(void **pp) {
86 *pp = my_malloc(42); // no-warning
87 }
88
af1_f(struct stuff * somestuff)89 void af1_f(struct stuff *somestuff) {
90 somestuff->somefield = my_malloc(12); // no-warning
91 }
92
93 // Allocating memory for a field via multiple indirections to our arguments is OK.
af1_g(struct stuff ** pps)94 void af1_g(struct stuff **pps) {
95 *pps = my_malloc(sizeof(struct stuff)); // no-warning
96 (*pps)->somefield = my_malloc(42); // no-warning
97 }
98
af2(void)99 void af2(void) {
100 int *p = my_malloc(12);
101 my_free(p);
102 free(p); // expected-warning{{Attempt to free released memory}}
103 }
104
af2b(void)105 void af2b(void) {
106 int *p = my_malloc(12);
107 free(p);
108 my_free(p); // expected-warning{{Attempt to free released memory}}
109 }
110
af2c(void)111 void af2c(void) {
112 int *p = my_malloc(12);
113 free(p);
114 my_hold(p); // expected-warning{{Attempt to free released memory}}
115 }
116
af2d(void)117 void af2d(void) {
118 int *p = my_malloc(12);
119 free(p);
120 my_hold2(0, 0, p); // expected-warning{{Attempt to free released memory}}
121 }
122
123 // No leak if malloc returns null.
af2e(void)124 void af2e(void) {
125 int *p = my_malloc(12);
126 if (!p)
127 return; // no-warning
128 free(p); // no-warning
129 }
130
131 // This case inflicts a possible double-free.
af3(void)132 void af3(void) {
133 int *p = my_malloc(12);
134 my_hold(p);
135 free(p); // expected-warning{{Attempt to free non-owned memory}}
136 }
137
af4(void)138 int * af4(void) {
139 int *p = my_malloc(12);
140 my_free(p);
141 return p; // expected-warning{{Use of memory after it is freed}}
142 }
143
144 // This case is (possibly) ok, be conservative
af5(void)145 int * af5(void) {
146 int *p = my_malloc(12);
147 my_hold(p);
148 return p; // no-warning
149 }
150
151
152
153 // This case tests that storing malloc'ed memory to a static variable which is
154 // then returned is not leaked. In the absence of known contracts for functions
155 // or inter-procedural analysis, this is a conservative answer.
f3(void)156 int *f3(void) {
157 static int *p = 0;
158 p = malloc(12);
159 return p; // no-warning
160 }
161
162 // This case tests that storing malloc'ed memory to a static global variable
163 // which is then returned is not leaked. In the absence of known contracts for
164 // functions or inter-procedural analysis, this is a conservative answer.
165 static int *p_f4 = 0;
f4(void)166 int *f4(void) {
167 p_f4 = malloc(12);
168 return p_f4; // no-warning
169 }
170
f5(void)171 int *f5(void) {
172 int *q = malloc(12);
173 q = realloc(q, 20);
174 return q; // no-warning
175 }
176
f6(void)177 void f6(void) {
178 int *p = malloc(12);
179 if (!p)
180 return; // no-warning
181 else
182 free(p);
183 }
184
f6_realloc(void)185 void f6_realloc(void) {
186 int *p = malloc(12);
187 if (!p)
188 return; // no-warning
189 else
190 realloc(p,0);
191 }
192
193
194 char *doit2(void);
pr6069(void)195 void pr6069(void) {
196 char *buf = doit2();
197 free(buf);
198 }
199
pr6293(void)200 void pr6293(void) {
201 free(0);
202 }
203
f7(void)204 void f7(void) {
205 char *x = (char*) malloc(4);
206 free(x);
207 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
208 }
209
f7_realloc(void)210 void f7_realloc(void) {
211 char *x = (char*) malloc(4);
212 realloc(x,0);
213 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
214 }
215
PR6123(void)216 void PR6123(void) {
217 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
218 }
219
PR7217(void)220 void PR7217(void) {
221 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
222 buf[1] = 'c'; // not crash
223 }
224
mallocCastToVoid(void)225 void mallocCastToVoid(void) {
226 void *p = malloc(2);
227 const void *cp = p; // not crash
228 free(p);
229 }
230
mallocCastToFP(void)231 void mallocCastToFP(void) {
232 void *p = malloc(2);
233 void (*fp)(void) = p; // not crash
234 free(p);
235 }
236
237 // This tests that malloc() buffers are undefined by default
mallocGarbage(void)238 char mallocGarbage (void) {
239 char *buf = malloc(2);
240 char result = buf[1]; // expected-warning{{undefined}}
241 free(buf);
242 return result;
243 }
244
245 // This tests that calloc() buffers need to be freed
callocNoFree(void)246 void callocNoFree (void) {
247 char *buf = calloc(2,2);
248 return; // expected-warning{{Potential leak of memory pointed to by}}
249 }
250
251 // These test that calloc() buffers are zeroed by default
callocZeroesGood(void)252 char callocZeroesGood (void) {
253 char *buf = calloc(2,2);
254 char result = buf[3]; // no-warning
255 if (buf[1] == 0) {
256 free(buf);
257 }
258 return result; // no-warning
259 }
260
callocZeroesBad(void)261 char callocZeroesBad (void) {
262 char *buf = calloc(2,2);
263 char result = buf[3]; // no-warning
264 if (buf[1] != 0) {
265 free(buf); // expected-warning{{never executed}}
266 }
267 return result; // expected-warning{{Potential leak of memory pointed to by}}
268 }
269
testMultipleFreeAnnotations(void)270 void testMultipleFreeAnnotations(void) {
271 int *p = malloc(12);
272 int *q = malloc(12);
273 my_freeBoth(p, q);
274 }
275
276