1 // RUN: %clang_analyze_cc1 -fblocks -verify %s \ 2 // RUN: -analyzer-checker=core \ 3 // RUN: -analyzer-checker=unix.Malloc 4 // 5 // RUN: %clang_analyze_cc1 -fblocks -verify %s \ 6 // RUN: -analyzer-checker=core \ 7 // RUN: -analyzer-checker=unix.Malloc \ 8 // RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true 9 namespace std { 10 using size_t = decltype(sizeof(int)); 11 void free(void *); 12 } 13 14 extern "C" void free(void *); 15 extern "C" void *alloca(std::size_t); 16 17 void t1a () { 18 int a[] = { 1 }; 19 free(a); 20 // expected-warning@-1{{Argument to 'free()' is the address of the local variable 'a', which is not memory allocated by 'malloc()'}} 21 // expected-warning@-2{{attempt to call free on non-heap object 'a'}} 22 } 23 24 void t1b () { 25 int a[] = { 1 }; 26 std::free(a); 27 // expected-warning@-1{{Argument to 'free()' is the address of the local variable 'a', which is not memory allocated by 'malloc()'}} 28 // expected-warning@-2{{attempt to call std::free on non-heap object 'a'}} 29 } 30 31 void t2a () { 32 int a = 1; 33 free(&a); 34 // expected-warning@-1{{Argument to 'free()' is the address of the local variable 'a', which is not memory allocated by 'malloc()'}} 35 // expected-warning@-2{{attempt to call free on non-heap object 'a'}} 36 } 37 38 void t2b () { 39 int a = 1; 40 std::free(&a); 41 // expected-warning@-1{{Argument to 'free()' is the address of the local variable 'a', which is not memory allocated by 'malloc()'}} 42 // expected-warning@-2{{attempt to call std::free on non-heap object 'a'}} 43 } 44 45 void t3a () { 46 static int a[] = { 1 }; 47 free(a); 48 // expected-warning@-1{{Argument to 'free()' is the address of the static variable 'a', which is not memory allocated by 'malloc()'}} 49 // expected-warning@-2{{attempt to call free on non-heap object 'a'}} 50 } 51 52 void t3b () { 53 static int a[] = { 1 }; 54 std::free(a); 55 // expected-warning@-1{{Argument to 'free()' is the address of the static variable 'a', which is not memory allocated by 'malloc()'}} 56 // expected-warning@-2{{attempt to call std::free on non-heap object 'a'}} 57 } 58 59 void t4a (char *x) { 60 free(x); // no-warning 61 } 62 63 void t4b (char *x) { 64 std::free(x); // no-warning 65 } 66 67 void t5a () { 68 extern char *ptr(); 69 free(ptr()); // no-warning 70 } 71 72 void t5b () { 73 extern char *ptr(); 74 std::free(ptr()); // no-warning 75 } 76 77 void t6a () { 78 free((void*)1000); 79 // expected-warning@-1{{Argument to 'free()' is a constant address (1000), which is not memory allocated by 'malloc()'}} 80 // expected-warning@-2{{attempt to call free on non-heap object '(void *)1000'}} 81 } 82 83 void t6b () { 84 std::free((void*)1000); 85 // expected-warning@-1{{Argument to 'free()' is a constant address (1000), which is not memory allocated by 'malloc()'}} 86 // expected-warning@-2{{attempt to call std::free on non-heap object '(void *)1000'}} 87 } 88 89 void t7a (char **x) { 90 free(*x); // no-warning 91 } 92 93 void t7b (char **x) { 94 std::free(*x); // no-warning 95 } 96 97 void t8a (char **x) { 98 // ugh 99 free((*x)+8); // no-warning 100 } 101 102 void t8b (char **x) { 103 // ugh 104 std::free((*x)+8); // no-warning 105 } 106 107 void t9a () { 108 label: 109 free(&&label); 110 // expected-warning@-1{{Argument to 'free()' is the address of the label 'label', which is not memory allocated by 'malloc()'}} 111 // expected-warning@-2{{attempt to call free on non-heap object 'label'}} 112 } 113 114 void t9b () { 115 label: 116 std::free(&&label); 117 // expected-warning@-1{{Argument to 'free()' is the address of the label 'label', which is not memory allocated by 'malloc()'}} 118 // expected-warning@-2{{attempt to call std::free on non-heap object 'label'}} 119 } 120 121 void t10a () { 122 free((void*)&t10a); 123 // expected-warning@-1{{Argument to 'free()' is the address of the function 't10a', which is not memory allocated by 'malloc()'}} 124 // expected-warning@-2{{attempt to call free on non-heap object 't10a'}} 125 } 126 127 void t10b () { 128 std::free((void*)&t10b); 129 // expected-warning@-1{{Argument to 'free()' is the address of the function 't10b', which is not memory allocated by 'malloc()'}} 130 // expected-warning@-2{{attempt to call std::free on non-heap object 't10b'}} 131 } 132 133 void t11a () { 134 char *p = (char*)alloca(2); 135 free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}} 136 } 137 138 void t11b () { 139 char *p = (char*)alloca(2); 140 std::free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}} 141 } 142 143 void t12a () { 144 char *p = (char*)__builtin_alloca(2); 145 free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}} 146 } 147 148 void t12b () { 149 char *p = (char*)__builtin_alloca(2); 150 std::free(p); // expected-warning {{Memory allocated by 'alloca()' should not be deallocated}} 151 } 152 153 void t13a () { 154 free(^{return;}); 155 // expected-warning@-1{{Argument to 'free()' is a block, which is not memory allocated by 'malloc()'}} 156 // expected-warning@-2{{attempt to call free on non-heap object: block expression}} 157 } 158 159 void t13b () { 160 std::free(^{return;}); 161 // expected-warning@-1{{Argument to 'free()' is a block, which is not memory allocated by 'malloc()'}} 162 // expected-warning@-2{{attempt to call std::free on non-heap object: block expression}} 163 } 164 165 void t14a () { 166 free((void *)+[]{ return; }); 167 // expected-warning@-1{{Argument to 'free()' is the address of the function '__invoke', which is not memory allocated by 'malloc()'}} 168 // expected-warning@-2{{attempt to call free on non-heap object: lambda-to-function-pointer conversion}} 169 } 170 171 void t14b () { 172 std::free((void *)+[]{ return; }); 173 // expected-warning@-1{{Argument to 'free()' is the address of the function '__invoke', which is not memory allocated by 'malloc()'}} 174 // expected-warning@-2{{attempt to call std::free on non-heap object: lambda-to-function-pointer conversion}} 175 } 176 177 void t15a (char a) { 178 free(&a); 179 // expected-warning@-1{{Argument to 'free()' is the address of the parameter 'a', which is not memory allocated by 'malloc()'}} 180 // expected-warning@-2{{attempt to call free on non-heap object 'a'}} 181 } 182 183 void t15b (char a) { 184 std::free(&a); 185 // expected-warning@-1{{Argument to 'free()' is the address of the parameter 'a', which is not memory allocated by 'malloc()'}} 186 // expected-warning@-2{{attempt to call std::free on non-heap object 'a'}} 187 } 188 189 static int someGlobal[2]; 190 void t16a () { 191 free(someGlobal); 192 // expected-warning@-1{{Argument to 'free()' is the address of the global variable 'someGlobal', which is not memory allocated by 'malloc()'}} 193 // expected-warning@-2{{attempt to call free on non-heap object 'someGlobal'}} 194 } 195 196 void t16b () { 197 std::free(someGlobal); 198 // expected-warning@-1{{Argument to 'free()' is the address of the global variable 'someGlobal', which is not memory allocated by 'malloc()'}} 199 // expected-warning@-2{{attempt to call std::free on non-heap object 'someGlobal'}} 200 } 201 202 void t17a (char **x, int offset) { 203 // Unknown value 204 free(x[offset]); // no-warning 205 } 206 207 void t17b (char **x, int offset) { 208 // Unknown value 209 std::free(x[offset]); // no-warning 210 } 211 212 struct S { 213 const char* p; 214 }; 215 216 void t18_C_style_C_style_free (S s) { 217 free((void*)(unsigned long long)s.p); // no warning 218 } 219 220 void t18_C_style_C_style_std_free (S s) { 221 std::free((void*)(unsigned long long)s.p); // no warning 222 } 223 224 void t18_C_style_reinterpret_free (S s) { 225 free((void*)reinterpret_cast<unsigned long long>(s.p)); // no warning 226 } 227 228 void t18_C_style_reinterpret_std_free (S s) { 229 std::free((void*)reinterpret_cast<unsigned long long>(s.p)); // no warning 230 } 231 232 void t18_reinterpret_C_style_free (S s) { 233 free(reinterpret_cast<void*>((unsigned long long)(s.p))); // no warning 234 } 235 236 void t18_reinterpret_C_style_std_free (S s) { 237 std::free(reinterpret_cast<void*>((unsigned long long)(s.p))); // no warning 238 } 239 240 void t18_reinterpret_reinterpret_free (S s) { 241 free(reinterpret_cast<void*>(reinterpret_cast<unsigned long long>(s.p))); // no warning 242 } 243 244 void t18_reinterpret_reinterpret_std_free (S s) { 245 std::free(reinterpret_cast<void*>(reinterpret_cast<unsigned long long>(s.p))); // no warning 246 } 247