1 // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
3 #include "Inputs/system-header-simulator.h"
5 void clang_analyzer_eval(int);
7 // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
8 // _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
9 // the builtin type: "Using the typedef version can cause portability
10 // problems", but we're ok here because we're not actually running anything.
11 // Also of note is this cryptic warning: "The wchar_t type is not supported
12 // when you compile C code".
14 // See the docs for more:
15 // https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
16 #if !defined(_WCHAR_T_DEFINED)
17 // "Microsoft implements wchar_t as a two-byte unsigned value"
18 typedef unsigned short wchar_t;
19 #define _WCHAR_T_DEFINED
20 #endif // !defined(_WCHAR_T_DEFINED)
22 typedef __typeof(sizeof(int)) size_t;
27 void *realloc(void *ptr, size_t size);
28 void *reallocf(void *ptr, size_t size);
29 void *calloc(size_t nmemb, size_t size);
30 char *strdup(const char *s);
31 wchar_t *wcsdup(const wchar_t *s);
32 char *strndup(const char *s, size_t n);
33 int memcmp(const void *s1, const void *s2, size_t n);
36 char *_strdup(const char *strSource);
37 wchar_t *_wcsdup(const wchar_t *strSource);
38 void *_alloca(size_t size);
46 return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
52 free(p); // expected-warning{{Attempt to free released memory}}
58 realloc(p,0); // expected-warning{{Attempt to free released memory}}
63 int *q = realloc(p,0); // no-warning
66 void reallocNotNullPtr(unsigned sizeIn) {
68 char *p = (char*)malloc(size);
70 char *q = (char*)realloc(p, sizeIn);
71 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
76 int *p = alloca(sizeof(int));
79 void winAllocaTest() {
80 int *p = _alloca(sizeof(int));
83 void allocaBuiltinTest() {
84 int *p = __builtin_alloca(sizeof(int));
90 return q; // no warning - returning the allocated value
93 // p should be freed if realloc fails.
96 char *r = realloc(p, 12+1);
104 void reallocSizeZero1() {
105 char *p = malloc(12);
106 char *r = realloc(p, 0);
108 free(p); // expected-warning {{Attempt to free released memory}}
114 void reallocSizeZero2() {
115 char *p = malloc(12);
116 char *r = realloc(p, 0);
118 free(p); // expected-warning {{Attempt to free released memory}}
122 free(p); // expected-warning {{Attempt to free released memory}}
125 void reallocSizeZero3() {
126 char *p = malloc(12);
127 char *r = realloc(p, 0);
131 void reallocSizeZero4() {
132 char *r = realloc(0, 0);
136 void reallocSizeZero5() {
137 char *r = realloc(0, 0);
140 void reallocPtrZero1() {
141 char *r = realloc(0, 12);
142 } // expected-warning {{Potential leak of memory pointed to by 'r'}}
144 void reallocPtrZero2() {
145 char *r = realloc(0, 12);
150 void reallocPtrZero3() {
151 char *r = realloc(0, 12);
155 void reallocRadar6337483_1() {
156 char *buf = malloc(100);
157 buf = (char*)realloc(buf, 0x1000000);
159 return;// expected-warning {{Potential leak of memory pointed to by}}
164 void reallocRadar6337483_2() {
165 char *buf = malloc(100);
166 char *buf2 = (char*)realloc(buf, 0x1000000);
172 } // expected-warning {{Potential leak of memory pointed to by}}
174 void reallocRadar6337483_3() {
175 char * buf = malloc(100);
177 tmp = (char*)realloc(buf, 0x1000000);
186 void reallocRadar6337483_4() {
187 char *buf = malloc(100);
188 char *buf2 = (char*)realloc(buf, 0x1000000);
190 return; // expected-warning {{Potential leak of memory pointed to by}}
196 int *reallocfTest1() {
199 return q; // no warning - returning the allocated value
202 void reallocfRadar6337483_4() {
203 char *buf = malloc(100);
204 char *buf2 = (char*)reallocf(buf, 0x1000000);
206 return; // no warning - reallocf frees even on failure
212 void reallocfRadar6337483_3() {
213 char * buf = malloc(100);
215 tmp = (char*)reallocf(buf, 0x1000000);
217 free(buf); // expected-warning {{Attempt to free released memory}}
224 void reallocfPtrZero1() {
225 char *r = reallocf(0, 12);
226 } // expected-warning {{Potential leak of memory pointed to by}}
228 //------------------- Check usage of zero-allocated memory ---------------------
229 void CheckUseZeroAllocatedNoWarn1() {
231 free(p); // no warning
234 void CheckUseZeroAllocatedNoWarn2() {
235 int *p = alloca(0); // no warning
238 void CheckUseZeroWinAllocatedNoWarn2() {
239 int *p = _alloca(0); // no warning
243 void CheckUseZeroAllocatedNoWarn3() {
245 int *q = realloc(p, 8); // no warning
249 void CheckUseZeroAllocatedNoWarn4() {
250 int *p = realloc(0, 8);
251 *p = 1; // no warning
255 void CheckUseZeroAllocated1() {
257 *p = 1; // expected-warning {{Use of zero-allocated memory}}
261 char CheckUseZeroAllocated2() {
263 return *p; // expected-warning {{Use of zero-allocated memory}}
266 char CheckUseZeroWinAllocated2() {
267 char *p = _alloca(0);
268 return *p; // expected-warning {{Use of zero-allocated memory}}
271 void UseZeroAllocated(int *p) {
273 *p = 7; // expected-warning {{Use of zero-allocated memory}}
275 void CheckUseZeroAllocated3() {
281 void CheckUseZeroAllocated4() {
283 f(*p); // expected-warning {{Use of zero-allocated memory}}
287 void CheckUseZeroAllocated5() {
288 int *p = calloc(0, 2);
289 *p = 1; // expected-warning {{Use of zero-allocated memory}}
293 void CheckUseZeroAllocated6() {
294 int *p = calloc(2, 0);
295 *p = 1; // expected-warning {{Use of zero-allocated memory}}
299 void CheckUseZeroAllocated7() {
300 int *p = realloc(0, 0);
301 *p = 1; // expected-warning {{Use of zero-allocated memory}}
305 void CheckUseZeroAllocated8() {
307 int *q = realloc(p, 0);
308 *q = 1; // expected-warning {{Use of zero-allocated memory}}
312 void CheckUseZeroAllocated9() {
313 int *p = realloc(0, 0);
314 int *q = realloc(p, 0);
315 *q = 1; // expected-warning {{Use of zero-allocated memory}}
319 void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
327 *p = 1; // no warning
332 void CheckUseZeroAllocatedPathWarn(_Bool b) {
340 *p = 1; // expected-warning {{Use of zero-allocated memory}}
345 void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
351 char *q = realloc(p, s);
354 *q = 1; // no warning
359 void CheckUseZeroReallocatedPathWarn(_Bool b) {
365 char *q = realloc(p, s);
368 *q = 1; // expected-warning {{Use of zero-allocated memory}}
373 // This case tests that storing malloc'ed memory to a static variable which is
374 // then returned is not leaked. In the absence of known contracts for functions
375 // or inter-procedural analysis, this is a conservative answer.
379 return p; // no-warning
382 // This case tests that storing malloc'ed memory to a static global variable
383 // which is then returned is not leaked. In the absence of known contracts for
384 // functions or inter-procedural analysis, this is a conservative answer.
385 static int *p_f4 = 0;
388 return p_f4; // no-warning
394 return q; // no-warning
400 return; // no-warning
408 return; // no-warning
425 char *x = (char*) malloc(4);
427 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
431 char *x = (char*) malloc(4);
433 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
437 char *x = (char*) malloc(4);
439 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
443 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
447 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
448 buf[1] = 'c'; // not crash
451 void cast_emtpy_struct() {
455 struct st *s = malloc(sizeof(struct st)); // no-warning
459 void cast_struct_1() {
465 struct st *s = malloc(sizeof(struct st)); // no-warning
469 void cast_struct_2() {
475 struct st *s = malloc(sizeof(struct st)); // no-warning
479 void cast_struct_3() {
485 struct st *s = malloc(sizeof(struct st)); // no-warning
489 void cast_struct_4() {
495 struct st *s = malloc(sizeof(struct st)); // no-warning
499 void cast_struct_5() {
505 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning
509 void cast_struct_warn_1() {
515 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
519 void cast_struct_warn_2() {
525 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
529 void cast_struct_flex_array_1() {
535 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
539 void cast_struct_flex_array_2() {
545 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
549 void cast_struct_flex_array_3() {
555 struct st *s = malloc(sizeof(struct st) + 3); // no-warning
559 void cast_struct_flex_array_4() {
568 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
572 void cast_struct_flex_array_5() {
581 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
585 void cast_struct_flex_array_6() {
594 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning
598 void cast_struct_flex_array_warn_1() {
607 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
611 void cast_struct_flex_array_warn_2() {
620 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
624 void cast_struct_flex_array_warn_3() {
633 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
637 void cast_struct_flex_array_warn_4() {
643 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
647 void cast_struct_flex_array_warn_5() {
653 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
657 void cast_struct_flex_array_warn_6() {
663 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
667 void mallocCastToVoid() {
669 const void *cp = p; // not crash
673 void mallocCastToFP() {
675 void (*fp)() = p; // not crash
679 // This tests that malloc() buffers are undefined by default
680 char mallocGarbage () {
681 char *buf = malloc(2);
682 char result = buf[1]; // expected-warning{{undefined}}
687 // This tests that calloc() buffers need to be freed
688 void callocNoFree () {
689 char *buf = calloc(2,2);
690 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
693 // These test that calloc() buffers are zeroed by default
694 char callocZeroesGood () {
695 char *buf = calloc(2,2);
696 char result = buf[3]; // no-warning
700 return result; // no-warning
703 char callocZeroesBad () {
704 char *buf = calloc(2,2);
705 char result = buf[3]; // no-warning
707 free(buf); // expected-warning{{never executed}}
709 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
714 free(p); // no warning - a nop
717 void paramFree(int *p) {
719 free(p); // no warning
720 myfoo(p); // expected-warning {{Use of memory after it is freed}}
723 int* mallocEscapeRet() {
725 return p; // no warning
728 void mallocEscapeFoo() {
731 return; // no warning
734 void mallocEscapeFree() {
740 void mallocEscapeFreeFree() {
744 free(p); // expected-warning{{Attempt to free released memory}}
747 void mallocEscapeFreeUse() {
751 myfoo(p); // expected-warning{{Use of memory after it is freed}}
755 void myalloc2(int **p);
757 void mallocEscapeFreeCustomAlloc() {
762 free(p); // no warning
765 void mallocEscapeFreeCustomAlloc2() {
770 free(p); // no warning
773 void mallocBindFreeUse() {
777 myfoo(x); // expected-warning{{Use of memory after it is freed}}
780 void mallocEscapeMalloc() {
784 } // expected-warning{{Potential leak of memory pointed to by}}
786 void mallocMalloc() {
789 } // expected-warning {{Potential leak of memory pointed to by}}
791 void mallocFreeMalloc() {
798 void mallocFreeUse_params() {
801 myfoo(p); //expected-warning{{Use of memory after it is freed}}
804 void mallocFreeUse_params2() {
807 myfooint(*p); //expected-warning{{Use of memory after it is freed}}
810 void mallocFailedOrNot() {
818 struct StructWithInt {
822 int *mallocReturnFreed() {
825 return p; // expected-warning {{Use of memory after it is freed}}
828 int useAfterFreeStruct() {
829 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
832 return px->g; // expected-warning {{Use of memory after it is freed}}
835 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
837 void mallocEscapeFooNonSymbolArg() {
838 struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
839 nonSymbolAsFirstArg(&p->g, p);
840 return; // no warning
843 void mallocFailedOrNotLeak() {
846 return; // no warning
848 return; // expected-warning {{Potential leak of memory pointed to by}}
851 void mallocAssignment() {
852 char *p = malloc(12);
854 } // expected-warning {{leak}}
857 char *mem = valloc(12);
858 return 0; // expected-warning {{Potential leak of memory pointed to by}}
861 void vallocEscapeFreeUse() {
865 myfoo(p); // expected-warning{{Use of memory after it is freed}}
873 struct GlStTy GlS = {0};
879 void GlobalMalloc() {
883 void GlobalStructMalloc() {
888 void GlobalStructMallocFree() {
896 void globalArrayTest() {
897 char *p = (char*)malloc(12);
901 // Make sure that we properly handle a pointer stored into a local struct/array.
902 typedef struct _StructWithPtr {
906 static StructWithPtr arrOfStructs[10];
912 arrOfStructs[0] = St; // no-warning
915 StructWithPtr testMalloc2() {
919 return St; // no-warning
925 return y; // no-warning
928 void testStructLeak() {
930 St.memP = malloc(12);
931 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
934 void testElemRegion1() {
935 char *x = (void*)malloc(2);
940 void testElemRegion2(int **pp) {
946 void testElemRegion3(int **pp) {
951 // Region escape testing.
953 unsigned takePtrToPtr(int **p);
954 void PassTheAddrOfAllocatedData(int f) {
956 // We don't know what happens after the call. Should stop tracking here.
957 if (takePtrToPtr(&p))
959 free(p); // no warning
965 unsigned takePtrToStruct(struct X *s);
966 int ** foo2(int *g, int f) {
968 struct X *px= malloc(sizeof(struct X));
970 // We don't know what happens after this call. Should not track px nor p.
971 if (takePtrToStruct(px))
977 struct X* RegInvalidationDetect1(struct X *s2) {
978 struct X *px= malloc(sizeof(struct X));
981 return px; // expected-warning {{Potential leak of memory pointed to by}}
984 struct X* RegInvalidationGiveUp1() {
986 struct X *px= malloc(sizeof(struct X));
991 int **RegInvalidationDetect2(int **pp) {
995 return 0;// expected-warning {{Potential leak of memory pointed to by}}
998 extern void exit(int) __attribute__ ((__noreturn__));
999 void mallocExit(int *g) {
1000 struct xx *p = malloc(12);
1007 extern void __assert_fail (__const char *__assertion, __const char *__file,
1008 unsigned int __line, __const char *__function)
1009 __attribute__ ((__noreturn__));
1010 #define assert(expr) \
1011 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
1012 void mallocAssert(int *g) {
1013 struct xx *p = malloc(12);
1020 void doNotInvalidateWhenPassedToSystemCalls(char *s) {
1021 char *p = malloc(12);
1029 } // expected-warning {{leak}}
1031 // Treat source buffer contents as escaped.
1032 void escapeSourceContents(char *s) {
1033 char *p = malloc(12);
1034 memcpy(s, &p, 12); // no warning
1036 void *p1 = malloc(7);
1038 memcpy(&a, &p1, sizeof a);
1039 // FIXME: No warning due to limitations imposed by current modelling of
1040 // 'memcpy' (regions metadata is not copied).
1043 int *allocated = (int *)malloc(4);
1044 memcpy(&ptrs[0], &allocated, sizeof(int *));
1045 // FIXME: No warning due to limitations imposed by current modelling of
1046 // 'memcpy' (regions metadata is not copied).
1049 void invalidateDestinationContents() {
1051 int *p = (int *)malloc(4);
1052 memcpy(&p, &null, sizeof(int *));
1054 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}}
1055 ptrs1[0] = (int *)malloc(4);
1056 memcpy(ptrs1, &null, sizeof(int *));
1058 int *ptrs2[2]; // expected-warning {{Potential memory leak}}
1059 ptrs2[0] = (int *)malloc(4);
1060 memcpy(&ptrs2[1], &null, sizeof(int *));
1062 int *ptrs3[2]; // expected-warning {{Potential memory leak}}
1063 ptrs3[0] = (int *)malloc(4);
1064 memcpy(&ptrs3[0], &null, sizeof(int *));
1065 } // expected-warning {{Potential memory leak}}
1067 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
1068 void symbolLostWithStrcpy(char *s) {
1069 char *p = malloc(12);
1075 // The same test as the one above, but with what is actually generated on a mac.
1076 static __inline char *
1077 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src)
1079 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
1082 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
1083 char *p = malloc(12);
1084 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
1088 // Here we are returning a pointer one past the allocated value. An idiom which
1089 // can be used for implementing special malloc. The correct uses of this might
1090 // be rare enough so that we could keep this as a warning.
1091 static void *specialMalloc(int n){
1101 // Potentially, the user could free the struct by performing pointer arithmetic on the return value.
1102 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
1103 int *specialMallocWithStruct() {
1104 struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
1108 // Test various allocation/deallocation functions.
1109 void testStrdup(const char *s, unsigned validIndex) {
1110 char *s2 = strdup(s);
1111 s2[validIndex + 1] = 'b';
1112 } // expected-warning {{Potential leak of memory pointed to by}}
1114 void testWinStrdup(const char *s, unsigned validIndex) {
1115 char *s2 = _strdup(s);
1116 s2[validIndex + 1] = 'b';
1117 } // expected-warning {{Potential leak of memory pointed to by}}
1119 void testWcsdup(const wchar_t *s, unsigned validIndex) {
1120 wchar_t *s2 = wcsdup(s);
1121 s2[validIndex + 1] = 'b';
1122 } // expected-warning {{Potential leak of memory pointed to by}}
1124 void testWinWcsdup(const wchar_t *s, unsigned validIndex) {
1125 wchar_t *s2 = _wcsdup(s);
1126 s2[validIndex + 1] = 'b';
1127 } // expected-warning {{Potential leak of memory pointed to by}}
1129 int testStrndup(const char *s, unsigned validIndex, unsigned size) {
1130 char *s2 = strndup(s, size);
1131 s2 [validIndex + 1] = 'b';
1132 if (s2[validIndex] != 'a')
1135 return 1;// expected-warning {{Potential leak of memory pointed to by}}
1138 void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
1139 char *s2 = strdup(s);
1140 char result = s2[1];// no warning
1144 void testWinStrdupContentIsDefined(const char *s, unsigned validIndex) {
1145 char *s2 = _strdup(s);
1146 char result = s2[1];// no warning
1150 void testWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1151 wchar_t *s2 = wcsdup(s);
1152 wchar_t result = s2[1];// no warning
1156 void testWinWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1157 wchar_t *s2 = _wcsdup(s);
1158 wchar_t result = s2[1];// no warning
1162 // ----------------------------------------------------------------------------
1163 // Test the system library functions to which the pointer can escape.
1164 // This tests false positive suppression.
1166 // For now, we assume memory passed to pthread_specific escapes.
1167 // TODO: We could check that if a new pthread binding is set, the existing
1168 // binding must be freed; otherwise, a memory leak can occur.
1169 void testPthereadSpecificEscape(pthread_key_t key) {
1170 void *buf = malloc(12);
1171 pthread_setspecific(key, buf); // no warning
1174 // PR12101: Test funopen().
1175 static int releasePtr(void *_ctx) {
1179 FILE *useFunOpen() {
1180 void *ctx = malloc(sizeof(int));
1181 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
1187 FILE *useFunOpenNoReleaseFunction() {
1188 void *ctx = malloc(sizeof(int));
1189 FILE *f = funopen(ctx, 0, 0, 0, 0);
1193 return f; // expected-warning{{leak}}
1196 static int readNothing(void *_ctx, char *buf, int size) {
1199 FILE *useFunOpenReadNoRelease() {
1200 void *ctx = malloc(sizeof(int));
1201 FILE *f = funopen(ctx, readNothing, 0, 0, 0);
1205 return f; // expected-warning{{leak}}
1208 // Test setbuf, setvbuf.
1209 int my_main_no_warning() {
1210 char *p = malloc(100);
1211 setvbuf(stdout, p, 0, 100);
1214 int my_main_no_warning2() {
1215 char *p = malloc(100);
1216 setbuf(__stdoutp, p);
1219 int my_main_warn(FILE *f) {
1220 char *p = malloc(100);
1221 setvbuf(f, p, 0, 100);
1222 return 0;// expected-warning {{leak}}
1225 // <rdar://problem/10978247>.
1226 // some people use stack allocated memory as an optimization to avoid
1227 // a heap allocation for small work sizes. This tests the analyzer's
1228 // understanding that the malloc'ed memory is not the same as stackBuffer.
1229 void radar10978247(int myValueSize) {
1230 char stackBuffer[128];
1233 if (myValueSize <= sizeof(stackBuffer))
1234 buffer = stackBuffer;
1236 buffer = malloc(myValueSize);
1238 // do stuff with the buffer
1239 if (buffer != stackBuffer)
1243 void radar10978247_positive(int myValueSize) {
1244 char stackBuffer[128];
1247 if (myValueSize <= sizeof(stackBuffer))
1248 buffer = stackBuffer;
1250 buffer = malloc(myValueSize);
1252 // do stuff with the buffer
1253 if (buffer == stackBuffer)
1256 return; // expected-warning {{leak}}
1258 // <rdar://problem/11269741> Previously this triggered a false positive
1259 // because malloc() is known to return uninitialized memory and the binding
1260 // of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
1261 struct rdar11269741_a_t {
1262 struct rdar11269741_b_t {
1267 int rdar11269741(struct rdar11269741_b_t o)
1269 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p));
1271 return p->n.m; // expected-warning {{leak}}
1274 // Pointer arithmetic, returning an ElementRegion.
1275 void *radar11329382(unsigned bl) {
1276 void *ptr = malloc (16);
1277 ptr = ptr + (2 - bl);
1278 return ptr; // no warning
1281 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__));
1282 int strcmp(const char *, const char *);
1284 void radar11270219(void) {
1285 char *x = a(), *y = a();
1286 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
1287 strcmp(x, y); // no warning
1290 void radar_11358224_test_double_assign_ints_positive_2()
1292 void *ptr = malloc(16);
1294 } // expected-warning {{leak}}
1296 // Assume that functions which take a function pointer can free memory even if
1297 // they are defined in system headers and take the const pointer to the
1298 // allocated memory. (radar://11160612)
1299 int const_ptr_and_callback(int, const char*, int n, void(*)(void*));
1300 void r11160612_1() {
1301 char *x = malloc(12);
1302 const_ptr_and_callback(0, x, 12, free); // no - warning
1305 // Null is passed as callback.
1306 void r11160612_2() {
1307 char *x = malloc(12);
1308 const_ptr_and_callback(0, x, 12, 0);
1309 } // expected-warning {{leak}}
1311 // Callback is passed to a function defined in a system header.
1312 void r11160612_4() {
1313 char *x = malloc(12);
1314 sqlite3_bind_text_my(0, x, 12, free); // no - warning
1317 // Passing callbacks in a struct.
1318 void r11160612_5(StWithCallback St) {
1319 void *x = malloc(12);
1320 dealocateMemWhenDoneByVal(x, St);
1322 void r11160612_6(StWithCallback St) {
1323 void *x = malloc(12);
1324 dealocateMemWhenDoneByRef(&St, x);
1327 int mySub(int, int);
1328 int myAdd(int, int);
1329 int fPtr(unsigned cond, int x) {
1330 return (cond ? mySub : myAdd)(x, x);
1333 // Test anti-aliasing.
1335 void dependsOnValueOfPtr(int *g, unsigned f) {
1347 return; // no warning
1351 int CMPRegionHeapToStack() {
1353 int *x1 = malloc(8);
1355 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
1360 int CMPRegionHeapToHeap2() {
1362 int *x1 = malloc(8);
1363 int *x2 = malloc(8);
1366 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
1372 int CMPRegionHeapToHeap() {
1374 int *x1 = malloc(8);
1378 return 5/x; // expected-warning{{Division by zero}}
1380 return x;// expected-warning{{This statement is never executed}}
1383 int HeapAssignment() {
1388 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}}
1394 int *retPtrMightAlias(int *x);
1395 int cmpHeapAllocationToUnknown() {
1397 int *yBefore = retPtr();
1399 int *yAfter = retPtrMightAlias(m);
1400 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
1401 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
1406 void localArrayTest() {
1407 char *p = (char*)malloc(12);
1410 } // expected-warning {{leak}}
1412 void localStructTest() {
1414 StructWithPtr *pSt = &St;
1415 pSt->memP = malloc(12);
1416 } // expected-warning{{Potential leak of memory pointed to by}}
1418 #ifdef __INTPTR_TYPE__
1419 // Test double assignment through integers.
1420 typedef __INTPTR_TYPE__ intptr_t;
1421 typedef unsigned __INTPTR_TYPE__ uintptr_t;
1423 static intptr_t glob;
1424 void test_double_assign_ints()
1426 void *ptr = malloc (16); // no-warning
1427 glob = (intptr_t)(uintptr_t)ptr;
1430 void test_double_assign_ints_positive()
1432 void *ptr = malloc(16);
1433 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
1434 } // expected-warning {{leak}}
1437 void testCGContextNoLeak()
1439 void *ptr = malloc(16);
1440 CGContextRef context = CGBitmapContextCreate(ptr);
1442 // Because you can get the data back out like this, even much later,
1443 // CGBitmapContextCreate is one of our "stop-tracking" exceptions.
1444 free(CGBitmapContextGetData(context));
1447 void testCGContextLeak()
1449 void *ptr = malloc(16);
1450 CGContextRef context = CGBitmapContextCreate(ptr);
1451 // However, this time we're just leaking the data, because the context
1452 // object doesn't escape and it hasn't been freed in this function.
1455 // Allow xpc context to escape. radar://11635258
1456 // TODO: Would be great if we checked that the finalize_connection_context actually releases it.
1457 static void finalize_connection_context(void *ctx) {
1461 void foo (xpc_connection_t peer) {
1462 int *ctx = calloc(1, sizeof(int));
1463 xpc_connection_set_context(peer, ctx);
1464 xpc_connection_set_finalizer_f(peer, finalize_connection_context);
1465 xpc_connection_resume(peer);
1468 // Make sure we catch errors when we free in a function which does not allocate memory.
1469 void freeButNoMalloc(int *p, int x){
1472 //user forgot a return here.
1474 free(p); // expected-warning {{Attempt to free released memory}}
1481 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1483 char *b = realloc(a->p, size);
1484 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1485 // We don't expect a use-after-free for a->P here because the warning above
1487 return a->p; // no-warning
1490 // We should not warn in this case since the caller will presumably free a->p in all cases.
1491 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1493 char *b = realloc(a->p, size);
1500 // Test realloc with no visible malloc.
1501 void *test(void *ptr) {
1502 void *newPtr = realloc(ptr, 4);
1505 free(ptr); // no-warning
1511 char *testLeakWithinReturn(char *str) {
1512 return strdup(strdup(str)); // expected-warning{{leak}}
1515 char *testWinLeakWithinReturn(char *str) {
1516 return _strdup(_strdup(str)); // expected-warning{{leak}}
1519 wchar_t *testWinWideLeakWithinReturn(wchar_t *str) {
1520 return _wcsdup(_wcsdup(str)); // expected-warning{{leak}}
1523 void passConstPtr(const char * ptr);
1525 void testPassConstPointer() {
1526 char * string = malloc(sizeof(char)*10);
1527 passConstPtr(string);
1528 return; // expected-warning {{leak}}
1531 void testPassConstPointerIndirectly() {
1532 char *p = malloc(1);
1534 memcmp(p, p, sizeof(&p));
1535 return; // expected-warning {{leak}}
1538 void testPassConstPointerIndirectlyStruct() {
1541 memcmp(&hp, &hp, sizeof(hp));
1542 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
1545 void testPassToSystemHeaderFunctionIndirectlyStruct() {
1548 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1549 // Technically a false negative here -- we know the system function won't free
1550 // ss.p, but nothing else will either!
1553 void testPassToSystemHeaderFunctionIndirectlyStructFree() {
1556 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1560 void testPassToSystemHeaderFunctionIndirectlyArray() {
1562 p[0] = malloc(sizeof(int));
1563 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1564 // Technically a false negative here -- we know the system function won't free
1565 // p[0], but nothing else will either!
1568 void testPassToSystemHeaderFunctionIndirectlyArrayFree() {
1570 p[0] = malloc(sizeof(int));
1571 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1575 int *testOffsetAllocate(size_t size) {
1576 int *memoryBlock = (int *)malloc(size + sizeof(int));
1577 return &memoryBlock[1]; // no-warning
1580 void testOffsetDeallocate(int *memoryBlock) {
1581 free(&memoryBlock[-1]); // no-warning
1584 void testOffsetOfRegionFreed() {
1585 __int64_t * array = malloc(sizeof(__int64_t)*2);
1587 free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1590 void testOffsetOfRegionFreed2() {
1591 __int64_t *p = malloc(sizeof(__int64_t)*2);
1593 free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1596 void testOffsetOfRegionFreed3() {
1597 char *r = malloc(sizeof(char));
1599 free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
1602 void testOffsetOfRegionFreedAfterFunctionCall() {
1603 int *p = malloc(sizeof(int)*2);
1606 free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
1609 void testFixManipulatedPointerBeforeFree() {
1610 int * array = malloc(sizeof(int)*2);
1612 free(&array[-1]); // no-warning
1615 void testFixManipulatedPointerBeforeFree2() {
1616 char *r = malloc(sizeof(char));
1618 free(r-10); // no-warning
1621 void freeOffsetPointerPassedToFunction() {
1622 __int64_t *p = malloc(sizeof(__int64_t)*2);
1625 myfooint(*p); // not passing the pointer, only a value pointed by pointer
1626 free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1630 void freeUnknownOffsetPointer() {
1631 char *r = malloc(sizeof(char));
1632 r = r + arbitraryInt(); // unable to reason about what the offset might be
1633 free(r); // no-warning
1636 void testFreeNonMallocPointerWithNoOffset() {
1640 free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1643 void testFreeNonMallocPointerWithOffset() {
1646 free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1649 void testOffsetZeroDoubleFree() {
1650 int *array = malloc(sizeof(int)*2);
1653 free(&array[0]); // expected-warning{{Attempt to free released memory}}
1656 void testOffsetPassedToStrlen() {
1657 char * string = malloc(sizeof(char)*10);
1659 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
1662 void testOffsetPassedToStrlenThenFree() {
1663 char * string = malloc(sizeof(char)*10);
1665 int length = strlen(string);
1666 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1669 void testOffsetPassedAsConst() {
1670 char * string = malloc(sizeof(char)*10);
1672 passConstPtr(string);
1673 free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1676 char **_vectorSegments;
1677 int _nVectorSegments;
1679 void poolFreeC(void* s) {
1680 free(s); // no-warning
1683 while (_nVectorSegments) {
1684 poolFreeC(_vectorSegments[_nVectorSegments++]);
1689 void testReallocEscaped(void **memory) {
1690 *memory = malloc(47);
1691 char *new_memory = realloc(*memory, 47);
1692 if (new_memory != 0) {
1693 *memory = new_memory;
1698 void *smallocNoWarn(size_t size) {
1700 return malloc(1); // this branch is never called
1703 return malloc(size);
1707 char *dupstrNoWarn(const char *s) {
1708 const int len = strlen(s);
1709 char *p = (char*) smallocNoWarn(len + 1);
1710 strcpy(p, s); // no-warning
1714 void *smallocWarn(size_t size) {
1719 return malloc(size);
1723 char *dupstrWarn(const char *s) {
1724 const int len = strlen(s);
1725 char *p = (char*) smallocWarn(len + 1);
1726 strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}}
1730 int *radar15580979() {
1731 int *data = (int *)malloc(32);
1732 int *p = data ?: (int*)malloc(32); // no warning
1736 // Some data structures may hold onto the pointer and free it later.
1737 void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
1738 int *data = (int *)malloc(32);
1739 fake_insque(queue, data); // no warning
1742 void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) {
1743 int *data = (int *)malloc(32);
1744 fake_rb_tree_init(rbt, data);
1745 } //expected-warning{{Potential leak}}
1747 void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
1748 int *data = (int *)malloc(32);
1749 fake_rb_tree_init(rbt, data);
1750 fake_rb_tree_insert_node(rbt, data); // no warning
1758 void constEscape(const void *ptr);
1760 void testConstEscapeThroughAnotherField() {
1762 s.p = malloc(sizeof(int));
1763 constEscape(&(s.x)); // could free s->p!
1767 int testNoCheckerDataPropogationFromLogicalOpOperandToOpResult(void) {
1768 char *param = malloc(10);
1769 char *value = malloc(10);
1770 int ok = (param && value);
1773 // Previously we ended up with 'Use of memory after it is freed' on return.
1774 return ok; // no warning
1777 // ----------------------------------------------------------------------------
1780 void testMallocWithParam(int **p) {
1781 *p = (int*) malloc(sizeof(int));
1782 *p = 0; // FIXME: should warn here
1785 void testMallocWithParam_2(int **p) {
1786 *p = (int*) malloc(sizeof(int)); // no-warning
1789 void testPassToSystemHeaderFunctionIndirectly() {
1792 fakeSystemHeaderCallInt(p);
1793 // FIXME: This is a leak: if we think a system function won't free p, it
1794 // won't free (p-1) either.
1797 void testMallocIntoMalloc() {
1798 StructWithPtr *s = malloc(sizeof(StructWithPtr));
1799 s->memP = malloc(sizeof(int));
1801 } // FIXME: should warn here