1184c6242SDominic Chen // RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,unix.MismatchedDeallocator,cplusplus.NewDelete -std=c++11 -verify %s
2184c6242SDominic Chen // RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,unix.MismatchedDeallocator,cplusplus.NewDelete,cplusplus.NewDeleteLeaks -DLEAKS -std=c++11 -verify %s
3e3377fbcSAnton Yartsev
4d02adbf0SJordan Rose #include "Inputs/system-header-simulator-for-malloc.h"
5e3377fbcSAnton Yartsev
6e3377fbcSAnton Yartsev //--------------------------------------------------
7e3377fbcSAnton Yartsev // Check that unix.Malloc catches all types of bugs.
8e3377fbcSAnton Yartsev //--------------------------------------------------
testMallocDoubleFree()9e3377fbcSAnton Yartsev void testMallocDoubleFree() {
10e3377fbcSAnton Yartsev int *p = (int *)malloc(sizeof(int));
11e3377fbcSAnton Yartsev free(p);
12e3377fbcSAnton Yartsev free(p); // expected-warning{{Attempt to free released memory}}
13e3377fbcSAnton Yartsev }
14e3377fbcSAnton Yartsev
testMallocLeak()15e3377fbcSAnton Yartsev void testMallocLeak() {
16e3377fbcSAnton Yartsev int *p = (int *)malloc(sizeof(int));
17a1de8567SAnna Zaks } // expected-warning{{Potential leak of memory pointed to by 'p'}}
18e3377fbcSAnton Yartsev
testMallocUseAfterFree()19e3377fbcSAnton Yartsev void testMallocUseAfterFree() {
20e3377fbcSAnton Yartsev int *p = (int *)malloc(sizeof(int));
21e3377fbcSAnton Yartsev free(p);
22e3377fbcSAnton Yartsev int j = *p; // expected-warning{{Use of memory after it is freed}}
23e3377fbcSAnton Yartsev }
24e3377fbcSAnton Yartsev
testMallocBadFree()25e3377fbcSAnton Yartsev void testMallocBadFree() {
26e3377fbcSAnton Yartsev int i;
27e3377fbcSAnton Yartsev free(&i); // expected-warning{{Argument to free() is the address of the local variable 'i', which is not memory allocated by malloc()}}
28e3377fbcSAnton Yartsev }
29e3377fbcSAnton Yartsev
testMallocOffsetFree()30e3377fbcSAnton Yartsev void testMallocOffsetFree() {
31e3377fbcSAnton Yartsev int *p = (int *)malloc(sizeof(int));
32e3377fbcSAnton Yartsev free(++p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
33e3377fbcSAnton Yartsev }
34e3377fbcSAnton Yartsev
35e3377fbcSAnton Yartsev //-----------------------------------------------------------------
36e3377fbcSAnton Yartsev // Check that unix.MismatchedDeallocator catches all types of bugs.
37e3377fbcSAnton Yartsev //-----------------------------------------------------------------
testMismatchedDeallocator()38e3377fbcSAnton Yartsev void testMismatchedDeallocator() {
39e3377fbcSAnton Yartsev int *x = (int *)malloc(sizeof(int));
40e3377fbcSAnton Yartsev delete x; // expected-warning{{Memory allocated by malloc() should be deallocated by free(), not 'delete'}}
41e3377fbcSAnton Yartsev }
42e3377fbcSAnton Yartsev
43e3377fbcSAnton Yartsev //----------------------------------------------------------------
44e3377fbcSAnton Yartsev // Check that alpha.cplusplus.NewDelete catches all types of bugs.
45e3377fbcSAnton Yartsev //----------------------------------------------------------------
testNewDoubleFree()46e3377fbcSAnton Yartsev void testNewDoubleFree() {
47e3377fbcSAnton Yartsev int *p = new int;
48e3377fbcSAnton Yartsev delete p;
49*09e86e77SKristof Umann delete p; // expected-warning{{Attempt to free released memory}}
50e3377fbcSAnton Yartsev }
51e3377fbcSAnton Yartsev
testNewLeak()52e3377fbcSAnton Yartsev void testNewLeak() {
53e3377fbcSAnton Yartsev int *p = new int;
5426330563SJordan Rose }
5526330563SJordan Rose #ifdef LEAKS
56a1de8567SAnna Zaks // expected-warning@-2 {{Potential leak of memory pointed to by 'p'}}
5726330563SJordan Rose #endif
58e3377fbcSAnton Yartsev
testNewUseAfterFree()59e3377fbcSAnton Yartsev void testNewUseAfterFree() {
60e3377fbcSAnton Yartsev int *p = (int *)operator new(0);
61e3377fbcSAnton Yartsev delete p;
62e3377fbcSAnton Yartsev int j = *p; // expected-warning{{Use of memory after it is freed}}
63e3377fbcSAnton Yartsev }
64e3377fbcSAnton Yartsev
testNewBadFree()65e3377fbcSAnton Yartsev void testNewBadFree() {
66e3377fbcSAnton Yartsev int i;
67e3377fbcSAnton Yartsev delete &i; // expected-warning{{Argument to 'delete' is the address of the local variable 'i', which is not memory allocated by 'new'}}
68e3377fbcSAnton Yartsev }
69e3377fbcSAnton Yartsev
testNewOffsetFree()70e3377fbcSAnton Yartsev void testNewOffsetFree() {
71e3377fbcSAnton Yartsev int *p = new int;
72e3377fbcSAnton Yartsev operator delete(++p); // expected-warning{{Argument to operator delete is offset by 4 bytes from the start of memory allocated by 'new'}}
73e3377fbcSAnton Yartsev }
7493a21a8cSAnna Zaks
7593a21a8cSAnna Zaks //----------------------------------------------------------------
7693a21a8cSAnna Zaks // Test that we check for free errors on escaped pointers.
7793a21a8cSAnna Zaks //----------------------------------------------------------------
7893a21a8cSAnna Zaks void changePtr(int **p);
7993a21a8cSAnna Zaks static int *globalPtr;
8093a21a8cSAnna Zaks void changePointee(int *p);
8193a21a8cSAnna Zaks
testMismatchedChangePtrThroughCall()8293a21a8cSAnna Zaks void testMismatchedChangePtrThroughCall() {
8393a21a8cSAnna Zaks int *p = (int*)malloc(sizeof(int)*4);
8493a21a8cSAnna Zaks changePtr(&p);
8593a21a8cSAnna Zaks delete p; // no-warning the value of the pointer might have changed
8693a21a8cSAnna Zaks }
8793a21a8cSAnna Zaks
testMismatchedChangePointeeThroughCall()8893a21a8cSAnna Zaks void testMismatchedChangePointeeThroughCall() {
8993a21a8cSAnna Zaks int *p = (int*)malloc(sizeof(int)*4);
9093a21a8cSAnna Zaks changePointee(p);
9193a21a8cSAnna Zaks delete p; // expected-warning{{Memory allocated by malloc() should be deallocated by free(), not 'delete'}}
9293a21a8cSAnna Zaks }
9393a21a8cSAnna Zaks
testShouldReportDoubleFreeNotMismatched()9493a21a8cSAnna Zaks void testShouldReportDoubleFreeNotMismatched() {
9593a21a8cSAnna Zaks int *p = (int*)malloc(sizeof(int)*4);
9693a21a8cSAnna Zaks globalPtr = p;
9793a21a8cSAnna Zaks free(p);
9893a21a8cSAnna Zaks delete globalPtr; // expected-warning {{Attempt to free released memory}}
9993a21a8cSAnna Zaks }
allocIntArray(unsigned c)100e5768d17SIsmail Pazarbasi int *allocIntArray(unsigned c) {
101e5768d17SIsmail Pazarbasi return new int[c];
102e5768d17SIsmail Pazarbasi }
testMismatchedChangePointeeThroughAssignment()10393a21a8cSAnna Zaks void testMismatchedChangePointeeThroughAssignment() {
104e5768d17SIsmail Pazarbasi int *arr = allocIntArray(4);
10593a21a8cSAnna Zaks globalPtr = arr;
10693a21a8cSAnna Zaks delete arr; // expected-warning{{Memory allocated by 'new[]' should be deallocated by 'delete[]', not 'delete'}}
10793a21a8cSAnna Zaks }
108