1 // RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify %s \ 2 // RUN: -analyzer-checker=core \ 3 // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \ 4 // RUN: -analyzer-checker=alpha.core.CastSize \ 5 // RUN: -analyzer-checker=unix \ 6 // RUN: -analyzer-checker=debug.ExprInspection \ 7 // RUN: -analyzer-checker=optin.taint.TaintPropagation \ 8 // RUN: -analyzer-checker=optin.taint.TaintedAlloc 9 10 #include "Inputs/system-header-simulator.h" 11 12 void clang_analyzer_eval(int); 13 void clang_analyzer_dump(int); 14 void clang_analyzer_dumpExtent(void *); 15 16 // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines 17 // _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use 18 // the builtin type: "Using the typedef version can cause portability 19 // problems", but we're ok here because we're not actually running anything. 20 // Also of note is this cryptic warning: "The wchar_t type is not supported 21 // when you compile C code". 22 // 23 // See the docs for more: 24 // https://msdn.microsoft.com/en-us/library/dh8che7s.aspx 25 #if !defined(_WCHAR_T_DEFINED) 26 // "Microsoft implements wchar_t as a two-byte unsigned value" 27 typedef unsigned short wchar_t; 28 #define _WCHAR_T_DEFINED 29 #endif // !defined(_WCHAR_T_DEFINED) 30 31 typedef __typeof(sizeof(int)) size_t; 32 void *malloc(size_t); 33 void *alloca(size_t); 34 void *valloc(size_t); 35 void free(void *); 36 void *realloc(void *ptr, size_t size); 37 void *reallocf(void *ptr, size_t size); 38 void *calloc(size_t nmemb, size_t size); 39 char *strdup(const char *s); 40 wchar_t *wcsdup(const wchar_t *s); 41 char *strndup(const char *s, size_t n); 42 int memcmp(const void *s1, const void *s2, size_t n); 43 44 // Windows variants 45 char *_strdup(const char *strSource); 46 wchar_t *_wcsdup(const wchar_t *strSource); 47 void *_alloca(size_t size); 48 49 void myfoo(int *p); 50 void myfooint(int p); 51 char *fooRetPtr(void); 52 53 void t1(void) { 54 size_t size = 0; 55 scanf("%zu", &size); 56 int *p = malloc(size); // expected-warning{{malloc is called with a tainted (potentially attacker controlled) value}} 57 free(p); 58 } 59 60 void t2(void) { 61 size_t size = 0; 62 scanf("%zu", &size); 63 int *p = calloc(size,2); // expected-warning{{calloc is called with a tainted (potentially attacker controlled) value}} 64 free(p); 65 } 66 67 void t3(void) { 68 size_t size = 0; 69 scanf("%zu", &size); 70 if (1024 < size) 71 return; 72 int *p = malloc(size); // No warning expected as the the user input is bound 73 free(p); 74 } 75 76 void t4(void) { 77 size_t size = 0; 78 int *p = malloc(sizeof(int)); 79 scanf("%zu", &size); 80 p = (int*) realloc((void*) p, size); // expected-warning{{realloc is called with a tainted (potentially attacker controlled) value}} 81 free(p); 82 } 83 84 void t5(void) { 85 size_t size = 0; 86 int *p = alloca(sizeof(int)); 87 scanf("%zu", &size); 88 p = (int*) alloca(size); // expected-warning{{alloca is called with a tainted (potentially attacker controlled) value}} 89 } 90 91 92 void f1(void) { 93 int *p = malloc(12); 94 return; // expected-warning{{Potential leak of memory pointed to by 'p'}} 95 } 96 97 void f2(void) { 98 int *p = malloc(12); 99 free(p); 100 free(p); // expected-warning{{Attempt to free released memory}} 101 } 102 103 void f2_realloc_0(void) { 104 int *p = malloc(12); 105 realloc(p,0); 106 realloc(p,0); // expected-warning{{Attempt to free released memory}} 107 } 108 109 void f2_realloc_1(void) { 110 int *p = malloc(12); 111 int *q = realloc(p,0); // no-warning 112 } 113 114 void reallocNotNullPtr(unsigned sizeIn) { 115 unsigned size = 12; 116 char *p = (char*)malloc(size); 117 if (p) { 118 char *q = (char*)realloc(p, sizeIn); 119 char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} 120 } 121 } 122 123 void allocaTest(void) { 124 int *p = alloca(sizeof(int)); 125 } // no warn 126 127 void winAllocaTest(void) { 128 int *p = _alloca(sizeof(int)); 129 } // no warn 130 131 void allocaBuiltinTest(void) { 132 int *p = __builtin_alloca(sizeof(int)); 133 } // no warn 134 135 int *realloctest1(void) { 136 int *q = malloc(12); 137 q = realloc(q, 20); 138 return q; // no warning - returning the allocated value 139 } 140 141 // p should be freed if realloc fails. 142 void reallocFails(void) { 143 char *p = malloc(12); 144 char *r = realloc(p, 12+1); 145 if (!r) { 146 free(p); 147 } else { 148 free(r); 149 } 150 } 151 152 void reallocSizeZero1(void) { 153 char *p = malloc(12); 154 char *r = realloc(p, 0); 155 if (!r) { 156 free(p); // expected-warning {{Attempt to free released memory}} 157 } else { 158 free(r); 159 } 160 } 161 162 void reallocSizeZero2(void) { 163 char *p = malloc(12); 164 char *r = realloc(p, 0); 165 if (!r) { 166 free(p); // expected-warning {{Attempt to free released memory}} 167 } else { 168 free(r); 169 } 170 free(p); // expected-warning {{Attempt to free released memory}} 171 } 172 173 void reallocSizeZero3(void) { 174 char *p = malloc(12); 175 char *r = realloc(p, 0); 176 free(r); 177 } 178 179 void reallocSizeZero4(void) { 180 char *r = realloc(0, 0); 181 free(r); 182 } 183 184 void reallocSizeZero5(void) { 185 char *r = realloc(0, 0); 186 } 187 188 void reallocPtrZero1(void) { 189 char *r = realloc(0, 12); 190 } // expected-warning {{Potential leak of memory pointed to by 'r'}} 191 192 void reallocPtrZero2(void) { 193 char *r = realloc(0, 12); 194 if (r) 195 free(r); 196 } 197 198 void reallocPtrZero3(void) { 199 char *r = realloc(0, 12); 200 free(r); 201 } 202 203 void reallocRadar6337483_1(void) { 204 char *buf = malloc(100); 205 buf = (char*)realloc(buf, 0x1000000); 206 if (!buf) { 207 return;// expected-warning {{Potential leak of memory pointed to by}} 208 } 209 free(buf); 210 } 211 212 void reallocRadar6337483_2(void) { 213 char *buf = malloc(100); 214 char *buf2 = (char*)realloc(buf, 0x1000000); 215 if (!buf2) { 216 ; 217 } else { 218 free(buf2); 219 } 220 } // expected-warning {{Potential leak of memory pointed to by}} 221 222 void reallocRadar6337483_3(void) { 223 char * buf = malloc(100); 224 char * tmp; 225 tmp = (char*)realloc(buf, 0x1000000); 226 if (!tmp) { 227 free(buf); 228 return; 229 } 230 buf = tmp; 231 free(buf); 232 } 233 234 void reallocRadar6337483_4(void) { 235 char *buf = malloc(100); 236 char *buf2 = (char*)realloc(buf, 0x1000000); 237 if (!buf2) { 238 return; // expected-warning {{Potential leak of memory pointed to by}} 239 } else { 240 free(buf2); 241 } 242 } 243 244 int *reallocfTest1(void) { 245 int *q = malloc(12); 246 q = reallocf(q, 20); 247 return q; // no warning - returning the allocated value 248 } 249 250 void reallocfRadar6337483_4(void) { 251 char *buf = malloc(100); 252 char *buf2 = (char*)reallocf(buf, 0x1000000); 253 if (!buf2) { 254 return; // no warning - reallocf frees even on failure 255 } else { 256 free(buf2); 257 } 258 } 259 260 void reallocfRadar6337483_3(void) { 261 char * buf = malloc(100); 262 char * tmp; 263 tmp = (char*)reallocf(buf, 0x1000000); 264 if (!tmp) { 265 free(buf); // expected-warning {{Attempt to free released memory}} 266 return; 267 } 268 buf = tmp; 269 free(buf); 270 } 271 272 void reallocfPtrZero1(void) { 273 char *r = reallocf(0, 12); 274 } // expected-warning {{Potential leak of memory pointed to by}} 275 276 //------------------- Check usage of zero-allocated memory --------------------- 277 void CheckUseZeroAllocatedNoWarn1(void) { 278 int *p = malloc(0); 279 free(p); // no warning 280 } 281 282 void CheckUseZeroAllocatedNoWarn2(void) { 283 int *p = alloca(0); // no warning 284 } 285 286 void CheckUseZeroWinAllocatedNoWarn2(void) { 287 int *p = _alloca(0); // no warning 288 } 289 290 291 void CheckUseZeroAllocatedNoWarn3(void) { 292 int *p = malloc(0); 293 int *q = realloc(p, 8); // no warning 294 free(q); 295 } 296 297 void CheckUseZeroAllocatedNoWarn4(void) { 298 int *p = realloc(0, 8); 299 *p = 1; // no warning 300 free(p); 301 } 302 303 void CheckUseZeroAllocated1(void) { 304 int *p = malloc(0); 305 *p = 1; // expected-warning {{Use of memory allocated with size zero}} 306 free(p); 307 } 308 309 char CheckUseZeroAllocated2(void) { 310 // NOTE: The `AllocaRegion` that models the return value of `alloca()` 311 // doesn't have an associated symbol, so the current implementation of 312 // `MallocChecker::checkUseZeroAllocated()` cannot provide warnings for it. 313 // However, other checkers like core.uninitialized.UndefReturn (that 314 // activates in these TCs) or the array bound checkers provide more generic, 315 // but still sufficient warnings in these cases, so I think it isn't 316 // important to cover this in MallocChecker. 317 char *p = alloca(0); 318 return *p; // expected-warning {{Undefined or garbage value returned to caller}} 319 } 320 321 char CheckUseZeroWinAllocated2(void) { 322 // Note: Same situation as `CheckUseZeroAllocated2()`. 323 char *p = _alloca(0); 324 return *p; // expected-warning {{Undefined or garbage value returned to caller}} 325 } 326 327 void UseZeroAllocated(int *p) { 328 if (p) 329 *p = 7; // expected-warning {{Use of memory allocated with size zero}} 330 } 331 void CheckUseZeroAllocated3(void) { 332 int *p = malloc(0); 333 UseZeroAllocated(p); 334 } 335 336 void f(char); 337 void CheckUseZeroAllocated4(void) { 338 char *p = valloc(0); 339 f(*p); // expected-warning {{Use of memory allocated with size zero}} 340 free(p); 341 } 342 343 void CheckUseZeroAllocated5(void) { 344 int *p = calloc(0, 2); 345 *p = 1; // expected-warning {{Use of memory allocated with size zero}} 346 free(p); 347 } 348 349 void CheckUseZeroAllocated6(void) { 350 int *p = calloc(2, 0); 351 *p = 1; // expected-warning {{Use of memory allocated with size zero}} 352 free(p); 353 } 354 355 void CheckUseZeroAllocated7(void) { 356 int *p = realloc(0, 0); 357 *p = 1; // expected-warning {{Use of memory allocated with size zero}} 358 free(p); 359 } 360 361 void CheckUseZeroAllocated8(void) { 362 int *p = malloc(8); 363 int *q = realloc(p, 0); 364 *q = 1; // expected-warning {{Use of memory allocated with size zero}} 365 free(q); 366 } 367 368 void CheckUseZeroAllocated9(void) { 369 int *p = realloc(0, 0); 370 int *q = realloc(p, 0); 371 *q = 1; // expected-warning {{Use of memory allocated with size zero}} 372 free(q); 373 } 374 375 void CheckUseZeroAllocatedPathNoWarn(_Bool b) { 376 int s = 0; 377 if (b) 378 s= 10; 379 380 char *p = malloc(s); 381 382 if (b) 383 *p = 1; // no warning 384 385 free(p); 386 } 387 388 void CheckUseZeroAllocatedPathWarn(_Bool b) { 389 int s = 10; 390 if (b) 391 s= 0; 392 393 char *p = malloc(s); 394 395 if (b) 396 *p = 1; // expected-warning {{Use of memory allocated with size zero}} 397 398 free(p); 399 } 400 401 void CheckUseZeroReallocatedPathNoWarn(_Bool b) { 402 int s = 0; 403 if (b) 404 s= 10; 405 406 char *p = malloc(8); 407 char *q = realloc(p, s); 408 409 if (b) 410 *q = 1; // no warning 411 412 free(q); 413 } 414 415 void CheckUseZeroReallocatedPathWarn(_Bool b) { 416 int s = 10; 417 if (b) 418 s= 0; 419 420 char *p = malloc(8); 421 char *q = realloc(p, s); 422 423 if (b) 424 *q = 1; // expected-warning {{Use of memory allocated with size zero}} 425 426 free(q); 427 } 428 429 // This case tests that storing malloc'ed memory to a static variable which is 430 // then returned is not leaked. In the absence of known contracts for functions 431 // or inter-procedural analysis, this is a conservative answer. 432 int *f3(void) { 433 static int *p = 0; 434 p = malloc(12); 435 return p; // no-warning 436 } 437 438 // This case tests that storing malloc'ed memory to a static global variable 439 // which is then returned is not leaked. In the absence of known contracts for 440 // functions or inter-procedural analysis, this is a conservative answer. 441 static int *p_f4 = 0; 442 int *f4(void) { 443 p_f4 = malloc(12); 444 return p_f4; // no-warning 445 } 446 447 int *f5(void) { 448 int *q = malloc(12); 449 q = realloc(q, 20); 450 return q; // no-warning 451 } 452 453 void f6(void) { 454 int *p = malloc(12); 455 if (!p) 456 return; // no-warning 457 else 458 free(p); 459 } 460 461 void f6_realloc(void) { 462 int *p = malloc(12); 463 if (!p) 464 return; // no-warning 465 else 466 realloc(p,0); 467 } 468 469 470 char *doit2(void); 471 void pr6069(void) { 472 char *buf = doit2(); 473 free(buf); 474 } 475 476 void pr6293(void) { 477 free(0); 478 } 479 480 void f7(void) { 481 char *x = (char*) malloc(4); 482 free(x); 483 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 484 } 485 486 void f8(void) { 487 char *x = (char*) malloc(4); 488 free(x); 489 char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}} 490 } 491 492 void f7_realloc(void) { 493 char *x = (char*) malloc(4); 494 realloc(x,0); 495 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 496 } 497 498 void PR6123(void) { 499 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 500 } 501 502 void PR7217(void) { 503 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 504 buf[1] = 'c'; // not crash 505 } 506 507 void cast_emtpy_struct(void) { 508 struct st { 509 }; 510 511 struct st *s = malloc(sizeof(struct st)); // no-warning 512 free(s); 513 } 514 515 void cast_struct_1(void) { 516 struct st { 517 int i[100]; 518 char j[]; 519 }; 520 521 struct st *s = malloc(sizeof(struct st)); // no-warning 522 free(s); 523 } 524 525 void cast_struct_2(void) { 526 struct st { 527 int i[100]; 528 char j[0]; 529 }; 530 531 struct st *s = malloc(sizeof(struct st)); // no-warning 532 free(s); 533 } 534 535 void cast_struct_3(void) { 536 struct st { 537 int i[100]; 538 char j[1]; 539 }; 540 541 struct st *s = malloc(sizeof(struct st)); // no-warning 542 free(s); 543 } 544 545 void cast_struct_4(void) { 546 struct st { 547 int i[100]; 548 char j[2]; 549 }; 550 551 struct st *s = malloc(sizeof(struct st)); // no-warning 552 free(s); 553 } 554 555 void cast_struct_5(void) { 556 struct st { 557 char i[200]; 558 char j[1]; 559 }; 560 561 struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning 562 free(s); 563 } 564 565 void cast_struct_warn_1(void) { 566 struct st { 567 int i[100]; 568 char j[2]; 569 }; 570 571 struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 572 free(s); 573 } 574 575 void cast_struct_warn_2(void) { 576 struct st { 577 int i[100]; 578 char j[2]; 579 }; 580 581 struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 582 free(s); 583 } 584 585 void cast_struct_flex_array_1(void) { 586 struct st { 587 int i[100]; 588 char j[]; 589 }; 590 591 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 592 free(s); 593 } 594 595 void cast_struct_flex_array_2(void) { 596 struct st { 597 int i[100]; 598 char j[0]; 599 }; 600 601 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 602 free(s); 603 } 604 605 void cast_struct_flex_array_3(void) { 606 struct st { 607 int i[100]; 608 char j[1]; 609 }; 610 611 struct st *s = malloc(sizeof(struct st) + 3); // no-warning 612 free(s); 613 } 614 615 void cast_struct_flex_array_4(void) { 616 struct foo { 617 char f[32]; 618 }; 619 struct st { 620 char i[100]; 621 struct foo data[]; 622 }; 623 624 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 625 free(s); 626 } 627 628 void cast_struct_flex_array_5(void) { 629 struct foo { 630 char f[32]; 631 }; 632 struct st { 633 char i[100]; 634 struct foo data[0]; 635 }; 636 637 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 638 free(s); 639 } 640 641 void cast_struct_flex_array_6(void) { 642 struct foo { 643 char f[32]; 644 }; 645 struct st { 646 char i[100]; 647 struct foo data[1]; 648 }; 649 650 struct st *s = malloc(sizeof(struct st) + 3 * sizeof(struct foo)); // no-warning 651 free(s); 652 } 653 654 void cast_struct_flex_array_warn_1(void) { 655 struct foo { 656 char f[32]; 657 }; 658 struct st { 659 char i[100]; 660 struct foo data[]; 661 }; 662 663 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 664 free(s); 665 } 666 667 void cast_struct_flex_array_warn_2(void) { 668 struct foo { 669 char f[32]; 670 }; 671 struct st { 672 char i[100]; 673 struct foo data[0]; 674 }; 675 676 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 677 free(s); 678 } 679 680 void cast_struct_flex_array_warn_3(void) { 681 struct foo { 682 char f[32]; 683 }; 684 struct st { 685 char i[100]; 686 struct foo data[1]; 687 }; 688 689 struct st *s = malloc(3 * sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 690 free(s); 691 } 692 693 void cast_struct_flex_array_warn_4(void) { 694 struct st { 695 int i[100]; 696 int j[]; 697 }; 698 699 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 700 free(s); 701 } 702 703 void cast_struct_flex_array_warn_5(void) { 704 struct st { 705 int i[100]; 706 int j[0]; 707 }; 708 709 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 710 free(s); 711 } 712 713 void cast_struct_flex_array_warn_6(void) { 714 struct st { 715 int i[100]; 716 int j[1]; 717 }; 718 719 struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 720 free(s); 721 } 722 723 void mallocCastToVoid(void) { 724 void *p = malloc(2); 725 const void *cp = p; // not crash 726 free(p); 727 } 728 729 void mallocCastToFP(void) { 730 void *p = malloc(2); 731 void (*fp)(void) = p; // not crash 732 free(p); 733 } 734 735 // This tests that 'malloc()' buffers are undefined by default 736 char mallocGarbage (void) { 737 char *buf = malloc(2); 738 char result = buf[1]; // expected-warning{{undefined}} 739 free(buf); 740 return result; 741 } 742 743 // This tests that calloc() buffers need to be freed 744 void callocNoFree (void) { 745 char *buf = calloc(2,2); 746 return; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 747 } 748 749 // These test that calloc() buffers are zeroed by default 750 char callocZeroesGood (void) { 751 char *buf = calloc(2,2); 752 char result = buf[3]; // no-warning 753 if (buf[1] == 0) { 754 free(buf); 755 } 756 return result; // no-warning 757 } 758 759 char callocZeroesBad (void) { 760 char *buf = calloc(2,2); 761 char result = buf[3]; // no-warning 762 if (buf[1] != 0) { 763 free(buf); // expected-warning{{never executed}} 764 } 765 return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}} 766 } 767 768 void nullFree(void) { 769 int *p = 0; 770 free(p); // no warning - a nop 771 } 772 773 void paramFree(int *p) { 774 myfoo(p); 775 free(p); // no warning 776 myfoo(p); // expected-warning {{Use of memory after it is freed}} 777 } 778 779 void allocaFree(void) { 780 int *p = alloca(sizeof(int)); 781 free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}} 782 } 783 784 void allocaFreeBuiltin(void) { 785 int *p = __builtin_alloca(sizeof(int)); 786 free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}} 787 } 788 789 void allocaFreeBuiltinAlign(void) { 790 int *p = __builtin_alloca_with_align(sizeof(int), 64); 791 free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}} 792 } 793 794 795 int* mallocEscapeRet(void) { 796 int *p = malloc(12); 797 return p; // no warning 798 } 799 800 void mallocEscapeFoo(void) { 801 int *p = malloc(12); 802 myfoo(p); 803 return; // no warning 804 } 805 806 void mallocEscapeFree(void) { 807 int *p = malloc(12); 808 myfoo(p); 809 free(p); 810 } 811 812 void mallocEscapeFreeFree(void) { 813 int *p = malloc(12); 814 myfoo(p); 815 free(p); 816 free(p); // expected-warning{{Attempt to free released memory}} 817 } 818 819 void mallocEscapeFreeUse(void) { 820 int *p = malloc(12); 821 myfoo(p); 822 free(p); 823 myfoo(p); // expected-warning{{Use of memory after it is freed}} 824 } 825 826 int *myalloc(void); 827 void myalloc2(int **p); 828 829 void mallocEscapeFreeCustomAlloc(void) { 830 int *p = malloc(12); 831 myfoo(p); 832 free(p); 833 p = myalloc(); 834 free(p); // no warning 835 } 836 837 void mallocEscapeFreeCustomAlloc2(void) { 838 int *p = malloc(12); 839 myfoo(p); 840 free(p); 841 myalloc2(&p); 842 free(p); // no warning 843 } 844 845 void mallocBindFreeUse(void) { 846 int *x = malloc(12); 847 int *y = x; 848 free(y); 849 myfoo(x); // expected-warning{{Use of memory after it is freed}} 850 } 851 852 void mallocEscapeMalloc(void) { 853 int *p = malloc(12); 854 myfoo(p); 855 p = malloc(12); 856 } // expected-warning{{Potential leak of memory pointed to by}} 857 858 void mallocMalloc(void) { 859 int *p = malloc(12); 860 p = malloc(12); 861 } // expected-warning {{Potential leak of memory pointed to by}}\ 862 // expected-warning {{Potential leak of memory pointed to by}} 863 864 void mallocFreeMalloc(void) { 865 int *p = malloc(12); 866 free(p); 867 p = malloc(12); 868 free(p); 869 } 870 871 void mallocFreeUse_params(void) { 872 int *p = malloc(12); 873 free(p); 874 myfoo(p); //expected-warning{{Use of memory after it is freed}} 875 } 876 877 void mallocFreeUse_params2(void) { 878 int *p = malloc(12); 879 free(p); 880 myfooint(*p); //expected-warning{{Use of memory after it is freed}} 881 } 882 883 void mallocFailedOrNot(void) { 884 int *p = malloc(12); 885 if (!p) 886 free(p); 887 else 888 free(p); 889 } 890 891 struct StructWithInt { 892 int g; 893 }; 894 895 int *mallocReturnFreed(void) { 896 int *p = malloc(12); 897 free(p); 898 return p; // expected-warning {{Use of memory after it is freed}} 899 } 900 901 int useAfterFreeStruct(void) { 902 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 903 px->g = 5; 904 free(px); 905 return px->g; // expected-warning {{Use of memory after it is freed}} 906 } 907 908 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p); 909 910 void mallocEscapeFooNonSymbolArg(void) { 911 struct StructWithInt *p = malloc(sizeof(struct StructWithInt)); 912 nonSymbolAsFirstArg(&p->g, p); 913 return; // no warning 914 } 915 916 void mallocFailedOrNotLeak(void) { 917 int *p = malloc(12); 918 if (p == 0) 919 return; // no warning 920 else 921 return; // expected-warning {{Potential leak of memory pointed to by}} 922 } 923 924 void mallocAssignment(void) { 925 char *p = malloc(12); 926 p = fooRetPtr(); 927 } // expected-warning {{leak}} 928 929 int vallocTest(void) { 930 char *mem = valloc(12); 931 return 0; // expected-warning {{Potential leak of memory pointed to by}} 932 } 933 934 void vallocEscapeFreeUse(void) { 935 int *p = valloc(12); 936 myfoo(p); 937 free(p); 938 myfoo(p); // expected-warning{{Use of memory after it is freed}} 939 } 940 941 int *Gl; 942 struct GlStTy { 943 int *x; 944 }; 945 946 struct GlStTy GlS = {0}; 947 948 void GlobalFree(void) { 949 free(Gl); 950 } 951 952 void GlobalMalloc(void) { 953 Gl = malloc(12); 954 } 955 956 void GlobalStructMalloc(void) { 957 int *a = malloc(12); 958 GlS.x = a; 959 } 960 961 void GlobalStructMallocFree(void) { 962 int *a = malloc(12); 963 GlS.x = a; 964 free(GlS.x); 965 } 966 967 char *ArrayG[12]; 968 969 void globalArrayTest(void) { 970 char *p = (char*)malloc(12); 971 ArrayG[0] = p; 972 } 973 974 // Make sure that we properly handle a pointer stored into a local struct/array. 975 typedef struct _StructWithPtr { 976 int *memP; 977 } StructWithPtr; 978 979 static StructWithPtr arrOfStructs[10]; 980 981 void testMalloc(void) { 982 int *x = malloc(12); 983 StructWithPtr St; 984 St.memP = x; 985 arrOfStructs[0] = St; // no-warning 986 } 987 988 StructWithPtr testMalloc2(void) { 989 int *x = malloc(12); 990 StructWithPtr St; 991 St.memP = x; 992 return St; // no-warning 993 } 994 995 int *testMalloc3(void) { 996 int *x = malloc(12); 997 int *y = x; 998 return y; // no-warning 999 } 1000 1001 void testStructLeak(void) { 1002 StructWithPtr St; 1003 St.memP = malloc(12); 1004 return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}} 1005 } 1006 1007 void testElemRegion1(void) { 1008 char *x = (void*)malloc(2); 1009 int *ix = (int*)x; 1010 free(&(x[0])); 1011 } 1012 1013 void testElemRegion2(int **pp) { 1014 int *p = malloc(12); 1015 *pp = p; 1016 free(pp[0]); 1017 } 1018 1019 void testElemRegion3(int **pp) { 1020 int *p = malloc(12); 1021 *pp = p; 1022 free(*pp); 1023 } 1024 // Region escape testing. 1025 1026 unsigned takePtrToPtr(int **p); 1027 void PassTheAddrOfAllocatedData(int f) { 1028 int *p = malloc(12); 1029 // We don't know what happens after the call. Should stop tracking here. 1030 if (takePtrToPtr(&p)) 1031 f++; 1032 free(p); // no warning 1033 } 1034 1035 struct X { 1036 int *p; 1037 }; 1038 unsigned takePtrToStruct(struct X *s); 1039 int ** foo2(int *g, int f) { 1040 int *p = malloc(12); 1041 struct X *px= malloc(sizeof(struct X)); 1042 px->p = p; 1043 // We don't know what happens after this call. Should not track px nor p. 1044 if (takePtrToStruct(px)) 1045 f++; 1046 free(p); 1047 return 0; 1048 } 1049 1050 struct X* RegInvalidationDetect1(struct X *s2) { 1051 struct X *px= malloc(sizeof(struct X)); 1052 px->p = 0; 1053 px = s2; 1054 return px; // expected-warning {{Potential leak of memory pointed to by}} 1055 } 1056 1057 struct X* RegInvalidationGiveUp1(void) { 1058 int *p = malloc(12); 1059 struct X *px= malloc(sizeof(struct X)); 1060 px->p = p; 1061 return px; 1062 } 1063 1064 int **RegInvalidationDetect2(int **pp) { 1065 int *p = malloc(12); 1066 pp = &p; 1067 pp++; 1068 return 0;// expected-warning {{Potential leak of memory pointed to by}} 1069 } 1070 1071 extern void exit(int) __attribute__ ((__noreturn__)); 1072 void mallocExit(int *g) { 1073 struct xx *p = malloc(12); 1074 if (g != 0) 1075 exit(1); 1076 free(p); 1077 return; 1078 } 1079 1080 extern void __assert_fail (__const char *__assertion, __const char *__file, 1081 unsigned int __line, __const char *__function) 1082 __attribute__ ((__noreturn__)); 1083 #define assert(expr) \ 1084 ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__)) 1085 void mallocAssert(int *g) { 1086 struct xx *p = malloc(12); 1087 1088 assert(g != 0); 1089 free(p); 1090 return; 1091 } 1092 1093 void doNotInvalidateWhenPassedToSystemCalls(char *s) { 1094 char *p = malloc(12); 1095 strlen(p); 1096 strcpy(p, s); 1097 strcpy(s, p); 1098 strcpy(p, p); 1099 memcpy(p, s, 1); 1100 memcpy(s, p, 1); 1101 memcpy(p, p, 1); 1102 } // expected-warning {{leak}} 1103 1104 // Treat source buffer contents as escaped. 1105 void escapeSourceContents(char *s) { 1106 char *p = malloc(12); 1107 memcpy(s, &p, 12); // no warning 1108 1109 void *p1 = malloc(7); 1110 char *a; 1111 memcpy(&a, &p1, sizeof a); 1112 // FIXME: No warning due to limitations imposed by current modelling of 1113 // 'memcpy' (regions metadata is not copied). 1114 1115 int *ptrs[2]; 1116 int *allocated = (int *)malloc(4); 1117 memcpy(&ptrs[0], &allocated, sizeof(int *)); 1118 // FIXME: No warning due to limitations imposed by current modelling of 1119 // 'memcpy' (regions metadata is not copied). 1120 } 1121 1122 void invalidateDestinationContents(void) { 1123 int *null = 0; 1124 int *p = (int *)malloc(4); 1125 memcpy(&p, &null, sizeof(int *)); 1126 1127 int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}} 1128 ptrs1[0] = (int *)malloc(4); 1129 memcpy(ptrs1, &null, sizeof(int *)); 1130 1131 int *ptrs2[2]; // expected-warning {{Potential memory leak}} 1132 ptrs2[0] = (int *)malloc(4); 1133 memcpy(&ptrs2[1], &null, sizeof(int *)); 1134 1135 int *ptrs3[2]; // expected-warning {{Potential memory leak}} 1136 ptrs3[0] = (int *)malloc(4); 1137 memcpy(&ptrs3[0], &null, sizeof(int *)); 1138 } // expected-warning {{Potential memory leak}} 1139 1140 // Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p. 1141 void symbolLostWithStrcpy(char *s) { 1142 char *p = malloc(12); 1143 p = strcpy(p, s); 1144 free(p); 1145 } 1146 1147 1148 // The same test as the one above, but with what is actually generated on a mac. 1149 static __inline char * 1150 __inline_strcpy_chk (char *restrict __dest, const char *restrict __src) 1151 { 1152 return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1)); 1153 } 1154 1155 void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) { 1156 char *p = malloc(12); 1157 p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s)); 1158 free(p); 1159 } 1160 1161 // Here we are returning a pointer one past the allocated value. An idiom which 1162 // can be used for implementing special malloc. The correct uses of this might 1163 // be rare enough so that we could keep this as a warning. 1164 static void *specialMalloc(int n){ 1165 int *p; 1166 p = malloc( n+8 ); 1167 if( p ){ 1168 p[0] = n; 1169 p++; 1170 } 1171 return p; 1172 } 1173 1174 // Potentially, the user could free the struct by performing pointer arithmetic on the return value. 1175 // This is a variation of the specialMalloc issue, though probably would be more rare in correct code. 1176 int *specialMallocWithStruct(void) { 1177 struct StructWithInt *px= malloc(sizeof(struct StructWithInt)); 1178 return &(px->g); 1179 } 1180 1181 // Test various allocation/deallocation functions. 1182 void testStrdup(const char *s, unsigned validIndex) { 1183 char *s2 = strdup(s); 1184 s2[validIndex + 1] = 'b'; 1185 } // expected-warning {{Potential leak of memory pointed to by}} 1186 1187 void testWinStrdup(const char *s, unsigned validIndex) { 1188 char *s2 = _strdup(s); 1189 s2[validIndex + 1] = 'b'; 1190 } // expected-warning {{Potential leak of memory pointed to by}} 1191 1192 void testWcsdup(const wchar_t *s, unsigned validIndex) { 1193 wchar_t *s2 = wcsdup(s); 1194 s2[validIndex + 1] = 'b'; 1195 } // expected-warning {{Potential leak of memory pointed to by}} 1196 1197 void testWinWcsdup(const wchar_t *s, unsigned validIndex) { 1198 wchar_t *s2 = _wcsdup(s); 1199 s2[validIndex + 1] = 'b'; 1200 } // expected-warning {{Potential leak of memory pointed to by}} 1201 1202 int testStrndup(const char *s, unsigned validIndex, unsigned size) { 1203 char *s2 = strndup(s, size); 1204 s2 [validIndex + 1] = 'b'; 1205 if (s2[validIndex] != 'a') 1206 return 0; 1207 else 1208 return 1;// expected-warning {{Potential leak of memory pointed to by}} 1209 } 1210 1211 void testStrdupContentIsDefined(const char *s, unsigned validIndex) { 1212 char *s2 = strdup(s); 1213 char result = s2[1];// no warning 1214 free(s2); 1215 } 1216 1217 void testWinStrdupContentIsDefined(const char *s, unsigned validIndex) { 1218 char *s2 = _strdup(s); 1219 char result = s2[1];// no warning 1220 free(s2); 1221 } 1222 1223 void testWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) { 1224 wchar_t *s2 = wcsdup(s); 1225 wchar_t result = s2[1];// no warning 1226 free(s2); 1227 } 1228 1229 void testWinWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) { 1230 wchar_t *s2 = _wcsdup(s); 1231 wchar_t result = s2[1];// no warning 1232 free(s2); 1233 } 1234 1235 // ---------------------------------------------------------------------------- 1236 // Test the system library functions to which the pointer can escape. 1237 // This tests false positive suppression. 1238 1239 // For now, we assume memory passed to pthread_specific escapes. 1240 // TODO: We could check that if a new pthread binding is set, the existing 1241 // binding must be freed; otherwise, a memory leak can occur. 1242 void testPthereadSpecificEscape(pthread_key_t key) { 1243 void *buf = malloc(12); 1244 pthread_setspecific(key, buf); // no warning 1245 } 1246 1247 // PR12101: Test funopen(). 1248 static int releasePtr(void *_ctx) { 1249 free(_ctx); 1250 return 0; 1251 } 1252 FILE *useFunOpen(void) { 1253 void *ctx = malloc(sizeof(int)); 1254 FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning 1255 if (f == 0) { 1256 free(ctx); 1257 } 1258 return f; 1259 } 1260 FILE *useFunOpenNoReleaseFunction(void) { 1261 void *ctx = malloc(sizeof(int)); 1262 FILE *f = funopen(ctx, 0, 0, 0, 0); 1263 if (f == 0) { 1264 free(ctx); 1265 } 1266 return f; // expected-warning{{leak}} 1267 } 1268 1269 static int readNothing(void *_ctx, char *buf, int size) { 1270 return 0; 1271 } 1272 FILE *useFunOpenReadNoRelease(void) { 1273 void *ctx = malloc(sizeof(int)); 1274 FILE *f = funopen(ctx, readNothing, 0, 0, 0); 1275 if (f == 0) { 1276 free(ctx); 1277 } 1278 return f; // expected-warning{{leak}} 1279 } 1280 1281 // Test setbuf, setvbuf. 1282 int my_main_no_warning(void) { 1283 char *p = malloc(100); 1284 setvbuf(stdout, p, 0, 100); 1285 return 0; 1286 } 1287 int my_main_no_warning2(void) { 1288 char *p = malloc(100); 1289 setbuf(__stdoutp, p); 1290 return 0; 1291 } 1292 int my_main_warn(FILE *f) { 1293 char *p = malloc(100); 1294 setvbuf(f, p, 0, 100); 1295 return 0;// expected-warning {{leak}} 1296 } 1297 1298 // some people use stack allocated memory as an optimization to avoid 1299 // a heap allocation for small work sizes. This tests the analyzer's 1300 // understanding that the malloc'ed memory is not the same as stackBuffer. 1301 void radar10978247(int myValueSize) { 1302 char stackBuffer[128]; 1303 char *buffer; 1304 1305 if (myValueSize <= sizeof(stackBuffer)) 1306 buffer = stackBuffer; 1307 else 1308 buffer = malloc(myValueSize); 1309 1310 // do stuff with the buffer 1311 if (buffer != stackBuffer) 1312 free(buffer); 1313 } 1314 1315 void radar10978247_positive(int myValueSize) { 1316 char stackBuffer[128]; 1317 char *buffer; 1318 1319 if (myValueSize <= sizeof(stackBuffer)) 1320 buffer = stackBuffer; 1321 else 1322 buffer = malloc(myValueSize); 1323 1324 // do stuff with the buffer 1325 if (buffer == stackBuffer) 1326 return; 1327 else 1328 return; // expected-warning {{leak}} 1329 } 1330 // Previously this triggered a false positive because 'malloc()' is known to 1331 // return uninitialized memory and the binding of 'o' to 'p->n' was not getting 1332 // propertly handled. Now we report a leak. 1333 struct rdar11269741_a_t { 1334 struct rdar11269741_b_t { 1335 int m; 1336 } n; 1337 }; 1338 1339 int rdar11269741(struct rdar11269741_b_t o) 1340 { 1341 struct rdar11269741_a_t *p = (struct rdar11269741_a_t *) malloc(sizeof(*p)); 1342 p->n = o; 1343 return p->n.m; // expected-warning {{leak}} 1344 } 1345 1346 // Pointer arithmetic, returning an ElementRegion. 1347 void *radar11329382(unsigned bl) { 1348 void *ptr = malloc (16); 1349 ptr = ptr + (2 - bl); 1350 return ptr; // no warning 1351 } 1352 1353 void __assert_rtn(const char *, const char *, int, const char *) __attribute__((__noreturn__)); 1354 int strcmp(const char *, const char *); 1355 char *a (void); 1356 void radar11270219(void) { 1357 char *x = a(), *y = a(); 1358 (__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0); 1359 strcmp(x, y); // no warning 1360 } 1361 1362 void radar_11358224_test_double_assign_ints_positive_2(void) 1363 { 1364 void *ptr = malloc(16); 1365 ptr = ptr; 1366 } // expected-warning {{leak}} 1367 1368 // Assume that functions which take a function pointer can free memory even if 1369 // they are defined in system headers and take the const pointer to the 1370 // allocated memory. 1371 int const_ptr_and_callback(int, const char*, int n, void(*)(void*)); 1372 void r11160612_1(void) { 1373 char *x = malloc(12); 1374 const_ptr_and_callback(0, x, 12, free); // no - warning 1375 } 1376 1377 // Null is passed as callback. 1378 void r11160612_2(void) { 1379 char *x = malloc(12); 1380 const_ptr_and_callback(0, x, 12, 0); 1381 } // expected-warning {{leak}} 1382 1383 // Callback is passed to a function defined in a system header. 1384 void r11160612_4(void) { 1385 char *x = malloc(12); 1386 sqlite3_bind_text_my(0, x, 12, free); // no - warning 1387 } 1388 1389 // Passing callbacks in a struct. 1390 void r11160612_5(StWithCallback St) { 1391 void *x = malloc(12); 1392 dealocateMemWhenDoneByVal(x, St); 1393 } 1394 void r11160612_6(StWithCallback St) { 1395 void *x = malloc(12); 1396 dealocateMemWhenDoneByRef(&St, x); 1397 } 1398 1399 int mySub(int, int); 1400 int myAdd(int, int); 1401 int fPtr(unsigned cond, int x) { 1402 return (cond ? mySub : myAdd)(x, x); 1403 } 1404 1405 // Test anti-aliasing. 1406 1407 void dependsOnValueOfPtr(int *g, unsigned f) { 1408 int *p; 1409 1410 if (f) { 1411 p = g; 1412 } else { 1413 p = malloc(12); 1414 } 1415 1416 if (p != g) 1417 free(p); 1418 else 1419 return; // no warning 1420 return; 1421 } 1422 1423 int CMPRegionHeapToStack(void) { 1424 int x = 0; 1425 int *x1 = malloc(8); 1426 int *x2 = &x; 1427 clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}} 1428 free(x1); 1429 return x; 1430 } 1431 1432 int CMPRegionHeapToHeap2(void) { 1433 int x = 0; 1434 int *x1 = malloc(8); 1435 int *x2 = malloc(8); 1436 int *x4 = x1; 1437 int *x5 = x2; 1438 clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}} 1439 free(x1); 1440 free(x2); 1441 return x; 1442 } 1443 1444 int CMPRegionHeapToHeap(void) { 1445 int x = 0; 1446 int *x1 = malloc(8); 1447 int *x4 = x1; 1448 if (x1 == x4) { 1449 free(x1); 1450 return 5/x; // expected-warning{{Division by zero}} 1451 } 1452 return x;// expected-warning{{This statement is never executed}} 1453 } 1454 1455 int HeapAssignment(void) { 1456 int m = 0; 1457 int *x = malloc(4); 1458 int *y = x; 1459 *x = 5; 1460 clang_analyzer_eval(*x != *y); // expected-warning{{FALSE}} 1461 free(x); 1462 return 0; 1463 } 1464 1465 int *retPtr(void); 1466 int *retPtrMightAlias(int *x); 1467 int cmpHeapAllocationToUnknown(void) { 1468 int zero = 0; 1469 int *yBefore = retPtr(); 1470 int *m = malloc(8); 1471 int *yAfter = retPtrMightAlias(m); 1472 clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}} 1473 clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}} 1474 free(m); 1475 return 0; 1476 } 1477 1478 void localArrayTest(void) { 1479 char *p = (char*)malloc(12); 1480 char *ArrayL[12]; 1481 ArrayL[0] = p; 1482 } // expected-warning {{leak}} 1483 1484 void localStructTest(void) { 1485 StructWithPtr St; 1486 StructWithPtr *pSt = &St; 1487 pSt->memP = malloc(12); 1488 } // expected-warning{{Potential leak of memory pointed to by}} 1489 1490 #ifdef __INTPTR_TYPE__ 1491 // Test double assignment through integers. 1492 typedef __INTPTR_TYPE__ intptr_t; 1493 typedef unsigned __INTPTR_TYPE__ uintptr_t; 1494 1495 static intptr_t glob; 1496 void test_double_assign_ints(void) 1497 { 1498 void *ptr = malloc (16); // no-warning 1499 glob = (intptr_t)(uintptr_t)ptr; 1500 } 1501 1502 void test_double_assign_ints_positive(void) 1503 { 1504 void *ptr = malloc(16); 1505 (void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}} 1506 } // expected-warning {{leak}} 1507 #endif 1508 1509 void testCGContextNoLeak(void) 1510 { 1511 void *ptr = malloc(16); 1512 CGContextRef context = CGBitmapContextCreate(ptr); 1513 1514 // Because you can get the data back out like this, even much later, 1515 // CGBitmapContextCreate is one of our "stop-tracking" exceptions. 1516 free(CGBitmapContextGetData(context)); 1517 } 1518 1519 void testCGContextLeak(void) 1520 { 1521 void *ptr = malloc(16); 1522 CGContextRef context = CGBitmapContextCreate(ptr); 1523 // However, this time we're just leaking the data, because the context 1524 // object doesn't escape and it hasn't been freed in this function. 1525 } 1526 1527 // Allow xpc context to escape. 1528 // TODO: Would be great if we checked that the finalize_connection_context actually releases it. 1529 static void finalize_connection_context(void *ctx) { 1530 int *context = ctx; 1531 free(context); 1532 } 1533 void foo (xpc_connection_t peer) { 1534 int *ctx = calloc(1, sizeof(int)); 1535 xpc_connection_set_context(peer, ctx); 1536 xpc_connection_set_finalizer_f(peer, finalize_connection_context); 1537 xpc_connection_resume(peer); 1538 } 1539 1540 // Make sure we catch errors when we free in a function which does not allocate memory. 1541 void freeButNoMalloc(int *p, int x){ 1542 if (x) { 1543 free(p); 1544 //user forgot a return here. 1545 } 1546 free(p); // expected-warning {{Attempt to free released memory}} 1547 } 1548 1549 struct HasPtr { 1550 char *p; 1551 }; 1552 1553 char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { 1554 int *s; 1555 char *b = realloc(a->p, size); 1556 char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} 1557 // We don't expect a use-after-free for a->P here because the warning above 1558 // is a sink. 1559 return a->p; // no-warning 1560 } 1561 1562 // We should not warn in this case since the caller will presumably free a->p in all cases. 1563 int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { 1564 int *s; 1565 char *b = realloc(a->p, size); 1566 if (b == 0) 1567 return -1; 1568 a->p = b; 1569 return 0; 1570 } 1571 1572 // Test realloc with no visible malloc. 1573 void *test(void *ptr) { 1574 void *newPtr = realloc(ptr, 4); 1575 if (newPtr == 0) { 1576 if (ptr) 1577 free(ptr); // no-warning 1578 } 1579 return newPtr; 1580 } 1581 1582 1583 char *testLeakWithinReturn(char *str) { 1584 return strdup(strdup(str)); // expected-warning{{leak}} 1585 } 1586 1587 char *testWinLeakWithinReturn(char *str) { 1588 return _strdup(_strdup(str)); // expected-warning{{leak}} 1589 } 1590 1591 wchar_t *testWinWideLeakWithinReturn(wchar_t *str) { 1592 return _wcsdup(_wcsdup(str)); // expected-warning{{leak}} 1593 } 1594 1595 void passConstPtr(const char * ptr); 1596 1597 void testPassConstPointer(void) { 1598 char * string = malloc(sizeof(char)*10); 1599 passConstPtr(string); 1600 return; // expected-warning {{leak}} 1601 } 1602 1603 void testPassConstPointerIndirectly(void) { 1604 char *p = malloc(1); 1605 p++; 1606 memcmp(p, p, sizeof(&p)); 1607 return; // expected-warning {{leak}} 1608 } 1609 1610 void testPassConstPointerIndirectlyStruct(void) { 1611 struct HasPtr hp; 1612 hp.p = malloc(10); 1613 memcmp(&hp, &hp, sizeof(hp)); 1614 return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}} 1615 } 1616 1617 void testPassToSystemHeaderFunctionIndirectlyStruct(void) { 1618 SomeStruct ss; 1619 ss.p = malloc(1); 1620 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1621 // Technically a false negative here -- we know the system function won't free 1622 // ss.p, but nothing else will either! 1623 } // no-warning 1624 1625 void testPassToSystemHeaderFunctionIndirectlyStructFree(void) { 1626 SomeStruct ss; 1627 ss.p = malloc(1); 1628 fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable 1629 free(ss.p); 1630 } // no-warning 1631 1632 void testPassToSystemHeaderFunctionIndirectlyArray(void) { 1633 int *p[1]; 1634 p[0] = malloc(sizeof(int)); 1635 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1636 // Technically a false negative here -- we know the system function won't free 1637 // p[0], but nothing else will either! 1638 } // no-warning 1639 1640 void testPassToSystemHeaderFunctionIndirectlyArrayFree(void) { 1641 int *p[1]; 1642 p[0] = malloc(sizeof(int)); 1643 fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable 1644 free(p[0]); 1645 } // no-warning 1646 1647 int *testOffsetAllocate(size_t size) { 1648 int *memoryBlock = (int *)malloc(size + sizeof(int)); 1649 return &memoryBlock[1]; // no-warning 1650 } 1651 1652 void testOffsetDeallocate(int *memoryBlock) { 1653 free(&memoryBlock[-1]); // no-warning 1654 } 1655 1656 void testOffsetOfRegionFreed(void) { 1657 __int64_t * array = malloc(sizeof(__int64_t)*2); 1658 array += 1; 1659 free(&array[0]); // expected-warning{{Argument to 'free()' is offset by 8 bytes from the start of memory allocated by 'malloc()'}} 1660 } 1661 1662 void testOffsetOfRegionFreed2(void) { 1663 __int64_t *p = malloc(sizeof(__int64_t)*2); 1664 p += 1; 1665 free(p); // expected-warning{{Argument to 'free()' is offset by 8 bytes from the start of memory allocated by 'malloc()'}} 1666 } 1667 1668 void testOffsetOfRegionFreed3(void) { 1669 char *r = malloc(sizeof(char)); 1670 r = r - 10; 1671 free(r); // expected-warning {{Argument to 'free()' is offset by -10 bytes from the start of memory allocated by 'malloc()'}} 1672 } 1673 1674 void testOffsetOfRegionFreedAfterFunctionCall(void) { 1675 int *p = malloc(sizeof(int)*2); 1676 p += 1; 1677 myfoo(p); 1678 free(p); // expected-warning{{Argument to 'free()' is offset by 4 bytes from the start of memory allocated by 'malloc()'}} 1679 } 1680 1681 void testFixManipulatedPointerBeforeFree(void) { 1682 int * array = malloc(sizeof(int)*2); 1683 array += 1; 1684 free(&array[-1]); // no-warning 1685 } 1686 1687 void testFixManipulatedPointerBeforeFree2(void) { 1688 char *r = malloc(sizeof(char)); 1689 r = r + 10; 1690 free(r-10); // no-warning 1691 } 1692 1693 void freeOffsetPointerPassedToFunction(void) { 1694 __int64_t *p = malloc(sizeof(__int64_t)*2); 1695 p[1] = 0; 1696 p += 1; 1697 myfooint(*p); // not passing the pointer, only a value pointed by pointer 1698 free(p); // expected-warning {{Argument to 'free()' is offset by 8 bytes from the start of memory allocated by 'malloc()'}} 1699 } 1700 1701 int arbitraryInt(void); 1702 void freeUnknownOffsetPointer(void) { 1703 char *r = malloc(sizeof(char)); 1704 r = r + arbitraryInt(); // unable to reason about what the offset might be 1705 free(r); // no-warning 1706 } 1707 1708 void testFreeNonMallocPointerWithNoOffset(void) { 1709 char c; 1710 char *r = &c; 1711 r = r + 10; 1712 free(r-10); // expected-warning {{Argument to 'free()' is the address of the local variable 'c', which is not memory allocated by 'malloc()'}} 1713 } 1714 1715 void testFreeNonMallocPointerWithOffset(void) { 1716 char c; 1717 char *r = &c; 1718 free(r+1); // expected-warning {{Argument to 'free()' is the address of the local variable 'c', which is not memory allocated by 'malloc()'}} 1719 } 1720 1721 void testOffsetZeroDoubleFree(void) { 1722 int *array = malloc(sizeof(int)*2); 1723 int *p = &array[0]; 1724 free(p); 1725 free(&array[0]); // expected-warning{{Attempt to free released memory}} 1726 } 1727 1728 void testOffsetPassedToStrlen(void) { 1729 char * string = malloc(sizeof(char)*10); 1730 string += 1; 1731 int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}} 1732 } 1733 1734 void testOffsetPassedToStrlenThenFree(void) { 1735 char * string = malloc(sizeof(char)*10); 1736 string += 1; 1737 int length = strlen(string); 1738 free(string); // expected-warning {{Argument to 'free()' is offset by 1 byte from the start of memory allocated by 'malloc()'}} 1739 } 1740 1741 void testOffsetPassedAsConst(void) { 1742 char * string = malloc(sizeof(char)*10); 1743 string += 1; 1744 passConstPtr(string); 1745 free(string); // expected-warning {{Argument to 'free()' is offset by 1 byte from the start of memory allocated by 'malloc()'}} 1746 } 1747 1748 char **_vectorSegments; 1749 int _nVectorSegments; 1750 1751 void poolFreeC(void* s) { 1752 free(s); // no-warning 1753 } 1754 void freeMemory(void) { 1755 while (_nVectorSegments) { 1756 poolFreeC(_vectorSegments[_nVectorSegments++]); 1757 } 1758 } 1759 1760 // PR16730 1761 void testReallocEscaped(void **memory) { 1762 *memory = malloc(47); 1763 char *new_memory = realloc(*memory, 47); 1764 if (new_memory != 0) { 1765 *memory = new_memory; 1766 } 1767 } 1768 1769 // PR16558 1770 void *smallocNoWarn(size_t size) { 1771 if (size == 0) { 1772 return malloc(1); // this branch is never called 1773 } 1774 else { 1775 return malloc(size); 1776 } 1777 } 1778 1779 char *dupstrNoWarn(const char *s) { 1780 const int len = strlen(s); 1781 char *p = (char*) smallocNoWarn(len + 1); 1782 strcpy(p, s); // no-warning 1783 return p; 1784 } 1785 1786 void *smallocWarn(size_t size) { 1787 if (size == 2) { 1788 return malloc(1); 1789 } 1790 else { 1791 return malloc(size); 1792 } 1793 } 1794 1795 int *radar15580979(void) { 1796 int *data = (int *)malloc(32); 1797 int *p = data ?: (int*)malloc(32); // no warning 1798 return p; 1799 } 1800 1801 // Some data structures may hold onto the pointer and free it later. 1802 void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) { 1803 int *data = (int *)malloc(32); 1804 fake_insque(queue, data); // no warning 1805 } 1806 1807 void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) { 1808 int *data = (int *)malloc(32); 1809 fake_rb_tree_init(rbt, data); 1810 } //expected-warning{{Potential leak}} 1811 1812 void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) { 1813 int *data = (int *)malloc(32); 1814 fake_rb_tree_init(rbt, data); 1815 fake_rb_tree_insert_node(rbt, data); // no warning 1816 } 1817 1818 struct IntAndPtr { 1819 int x; 1820 int *p; 1821 }; 1822 1823 void constEscape(const void *ptr); 1824 1825 void testConstEscapeThroughAnotherField(void) { 1826 struct IntAndPtr s; 1827 s.p = malloc(sizeof(int)); 1828 constEscape(&(s.x)); // could free s->p! 1829 } // no-warning 1830 1831 // PR15623 1832 int testNoCheckerDataPropagationFromLogicalOpOperandToOpResult(void) { 1833 char *param = malloc(10); 1834 char *value = malloc(10); 1835 int ok = (param && value); 1836 free(param); 1837 free(value); 1838 // Previously we ended up with 'Use of memory after it is freed' on return. 1839 return ok; // no warning 1840 } 1841 1842 void (*fnptr)(int); 1843 void freeIndirectFunctionPtr(void) { 1844 void *p = (void *)fnptr; 1845 free(p); // expected-warning {{Argument to 'free()' is a function pointer}} 1846 } 1847 1848 void freeFunctionPtr(void) { 1849 free((void *)fnptr); 1850 // expected-warning@-1{{Argument to 'free()' is a function pointer}} 1851 // expected-warning@-2{{attempt to call free on non-heap object '(void *)fnptr'}} 1852 } 1853 1854 void allocateSomeMemory(void *offendingParameter, void **ptr) { 1855 *ptr = malloc(1); 1856 } 1857 1858 void testNoCrashOnOffendingParameter(void) { 1859 // "extern" is necessary to avoid unrelated warnings 1860 // on passing uninitialized value. 1861 extern void *offendingParameter; 1862 void* ptr; 1863 allocateSomeMemory(offendingParameter, &ptr); 1864 } // expected-warning {{Potential leak of memory pointed to by 'ptr'}} 1865 1866 1867 // Test a false positive caused by a bug in liveness analysis. 1868 struct A { 1869 int *buf; 1870 }; 1871 struct B { 1872 struct A *a; 1873 }; 1874 void livenessBugRealloc(struct A *a) { 1875 a->buf = realloc(a->buf, sizeof(int)); // no-warning 1876 } 1877 void testLivenessBug(struct B *in_b) { 1878 struct B *b = in_b; 1879 livenessBugRealloc(b->a); 1880 ((void) 0); // An attempt to trick liveness analysis. 1881 livenessBugRealloc(b->a); 1882 } 1883 1884 struct ListInfo { 1885 struct ListInfo *next; 1886 }; 1887 1888 struct ConcreteListItem { 1889 struct ListInfo li; 1890 int i; 1891 }; 1892 1893 void list_add(struct ListInfo *list, struct ListInfo *item); 1894 1895 void testCStyleListItems(struct ListInfo *list) { 1896 struct ConcreteListItem *x = malloc(sizeof(struct ConcreteListItem)); 1897 list_add(list, &x->li); // will free 'x'. 1898 } 1899 1900 // MEM34-C. Only free memory allocated dynamically 1901 // Second non-compliant example. 1902 // https://wiki.sei.cmu.edu/confluence/display/c/MEM34-C.+Only+free+memory+allocated+dynamically 1903 enum { BUFSIZE = 256 }; 1904 1905 void MEM34_C(void) { 1906 char buf[BUFSIZE]; 1907 char *p = (char *)realloc(buf, 2 * BUFSIZE); 1908 // expected-warning@-1{{Argument to 'realloc()' is the address of the local \ 1909 variable 'buf', which is not memory allocated by 'malloc()' [unix.Malloc]}} 1910 if (p == NULL) { 1911 /* Handle error */ 1912 } 1913 } 1914 1915 (*crash_a)(); // expected-warning{{type specifier missing}} 1916 // A CallEvent without a corresponding FunctionDecl. 1917 crash_b() { crash_a(); return 0; } // no-crash 1918 // expected-warning@-1{{type specifier missing}} 1919 1920 long *global_a; 1921 void realloc_crash(void) { 1922 long *c = global_a; 1923 c--; 1924 realloc(c, 8); // no-crash 1925 } // expected-warning{{Potential memory leak [unix.Malloc]}} 1926 1927 // ---------------------------------------------------------------------------- 1928 // False negatives. 1929 1930 void testMallocWithParam(int **p) { 1931 *p = (int*) malloc(sizeof(int)); 1932 *p = 0; // FIXME: should warn here 1933 } 1934 1935 void testMallocWithParam_2(int **p) { 1936 *p = (int*) malloc(sizeof(int)); // no-warning 1937 } 1938 1939 void testPassToSystemHeaderFunctionIndirectly(void) { 1940 int *p = malloc(4); 1941 p++; 1942 fakeSystemHeaderCallInt(p); 1943 // FIXME: This is a leak: if we think a system function won't free p, it 1944 // won't free (p-1) either. 1945 } 1946 1947 void testMallocIntoMalloc(void) { 1948 StructWithPtr *s = malloc(sizeof(StructWithPtr)); 1949 s->memP = malloc(sizeof(int)); 1950 free(s); 1951 } // FIXME: should warn here 1952 1953 int conjure(void); 1954 void testExtent(void) { 1955 int x = conjure(); 1956 clang_analyzer_dump(x); 1957 // expected-warning-re@-1 {{{{^conj_\$[[:digit:]]+{int, LC1, S[[:digit:]]+, #1}}}}}} 1958 int *p = (int *)malloc(x); 1959 clang_analyzer_dumpExtent(p); 1960 // expected-warning-re@-1 {{{{^conj_\$[[:digit:]]+{int, LC1, S[[:digit:]]+, #1}}}}}} 1961 free(p); 1962 } 1963