1 // RUN: %clang_analyze_cc1 -verify \ 2 // RUN: -analyzer-checker=core \ 3 // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \ 4 // RUN: -analyzer-checker=alpha.core.CastSize \ 5 // RUN: -analyzer-checker=unix.Malloc \ 6 // RUN: -analyzer-checker=debug.ExprInspection \ 7 // RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s 8 9 typedef __typeof(sizeof(int)) size_t; 10 void *malloc(size_t); 11 void free(void *); 12 void *realloc(void *ptr, size_t size); 13 void *calloc(size_t nmemb, size_t size); 14 void __attribute((ownership_returns(malloc))) *my_malloc(size_t); 15 void __attribute((ownership_takes(malloc, 1))) my_free(void *); 16 void my_freeBoth(void *, void *) 17 __attribute((ownership_holds(malloc, 1, 2))); 18 void __attribute((ownership_returns(malloc, 1))) *my_malloc2(size_t); 19 void __attribute((ownership_holds(malloc, 1))) my_hold(void *); 20 21 // Duplicate attributes are silly, but not an error. 22 // Duplicate attribute has no extra effect. 23 // If two are of different kinds, that is an error and reported as such. 24 void __attribute((ownership_holds(malloc, 1))) 25 __attribute((ownership_holds(malloc, 1))) 26 __attribute((ownership_holds(malloc, 3))) my_hold2(void *, void *, void *); 27 28 __attribute((ownership_returns(user_malloc, 1))) void *user_malloc(size_t); 29 __attribute((ownership_takes(user_malloc, 1))) void user_free(void *); 30 31 void clang_analyzer_dump(int); 32 33 void *my_malloc3(size_t); 34 void *myglobalpointer; 35 struct stuff { 36 void *somefield; 37 }; 38 struct stuff myglobalstuff; 39 40 void f1(void) { 41 int *p = malloc(12); 42 return; // expected-warning{{Potential leak of memory pointed to by}} 43 } 44 45 void f2(void) { 46 int *p = malloc(12); 47 free(p); 48 free(p); // expected-warning{{Attempt to free released memory}} 49 } 50 51 void f2_realloc_0(void) { 52 int *p = malloc(12); 53 realloc(p,0); 54 realloc(p,0); // expected-warning{{Attempt to free released memory}} 55 } 56 57 void f2_realloc_1(void) { 58 int *p = malloc(12); 59 int *q = realloc(p,0); // no-warning 60 } 61 62 // ownership attributes tests 63 void naf1(void) { 64 int *p = my_malloc3(12); 65 return; // no-warning 66 } 67 68 void n2af1(void) { 69 int *p = my_malloc2(12); 70 return; // expected-warning{{Potential leak of memory pointed to by}} 71 } 72 73 void af1(void) { 74 int *p = my_malloc(12); 75 return; // expected-warning{{Potential leak of memory pointed to by}} 76 } 77 78 void af1_b(void) { 79 int *p = my_malloc(12); 80 } // expected-warning{{Potential leak of memory pointed to by}} 81 82 void af1_c(void) { 83 myglobalpointer = my_malloc(12); // no-warning 84 } 85 86 void af1_d(void) { 87 struct stuff mystuff; 88 mystuff.somefield = my_malloc(12); 89 } // expected-warning{{Potential leak of memory pointed to by}} 90 91 // Test that we can pass out allocated memory via pointer-to-pointer. 92 void af1_e(void **pp) { 93 *pp = my_malloc(42); // no-warning 94 } 95 96 void af1_f(struct stuff *somestuff) { 97 somestuff->somefield = my_malloc(12); // no-warning 98 } 99 100 // Allocating memory for a field via multiple indirections to our arguments is OK. 101 void af1_g(struct stuff **pps) { 102 *pps = my_malloc(sizeof(struct stuff)); // no-warning 103 (*pps)->somefield = my_malloc(42); // no-warning 104 } 105 106 void af2(void) { 107 int *p = my_malloc(12); 108 my_free(p); 109 free(p); // expected-warning{{Attempt to free released memory}} 110 } 111 112 void af2b(void) { 113 int *p = my_malloc(12); 114 free(p); 115 my_free(p); // expected-warning{{Attempt to free released memory}} 116 } 117 118 void af2c(void) { 119 int *p = my_malloc(12); 120 free(p); 121 my_hold(p); // expected-warning{{Attempt to free released memory}} 122 } 123 124 void af2d(void) { 125 int *p = my_malloc(12); 126 free(p); 127 my_hold2(0, 0, p); // expected-warning{{Attempt to free released memory}} 128 } 129 130 // No leak if malloc returns null. 131 void af2e(void) { 132 int *p = my_malloc(12); 133 if (!p) 134 return; // no-warning 135 free(p); // no-warning 136 } 137 138 // This case inflicts a possible double-free. 139 void af3(void) { 140 int *p = my_malloc(12); 141 my_hold(p); 142 free(p); // expected-warning{{Attempt to free non-owned memory}} 143 } 144 145 int * af4(void) { 146 int *p = my_malloc(12); 147 my_free(p); 148 return p; // expected-warning{{Use of memory after it is freed}} 149 } 150 151 // This case is (possibly) ok, be conservative 152 int * af5(void) { 153 int *p = my_malloc(12); 154 my_hold(p); 155 return p; // no-warning 156 } 157 158 159 160 // This case tests that storing malloc'ed memory to a static variable which is 161 // then returned is not leaked. In the absence of known contracts for functions 162 // or inter-procedural analysis, this is a conservative answer. 163 int *f3(void) { 164 static int *p = 0; 165 p = malloc(12); 166 return p; // no-warning 167 } 168 169 // This case tests that storing malloc'ed memory to a static global variable 170 // which is then returned is not leaked. In the absence of known contracts for 171 // functions or inter-procedural analysis, this is a conservative answer. 172 static int *p_f4 = 0; 173 int *f4(void) { 174 p_f4 = malloc(12); 175 return p_f4; // no-warning 176 } 177 178 int *f5(void) { 179 int *q = malloc(12); 180 q = realloc(q, 20); 181 return q; // no-warning 182 } 183 184 void f6(void) { 185 int *p = malloc(12); 186 if (!p) 187 return; // no-warning 188 else 189 free(p); 190 } 191 192 void f6_realloc(void) { 193 int *p = malloc(12); 194 if (!p) 195 return; // no-warning 196 else 197 realloc(p,0); 198 } 199 200 201 char *doit2(void); 202 void pr6069(void) { 203 char *buf = doit2(); 204 free(buf); 205 } 206 207 void pr6293(void) { 208 free(0); 209 } 210 211 void f7(void) { 212 char *x = (char*) malloc(4); 213 free(x); 214 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 215 } 216 217 void f7_realloc(void) { 218 char *x = (char*) malloc(4); 219 realloc(x,0); 220 x[0] = 'a'; // expected-warning{{Use of memory after it is freed}} 221 } 222 223 void PR6123(void) { 224 int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 225 } 226 227 void PR7217(void) { 228 int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}} 229 buf[1] = 'c'; // not crash 230 } 231 232 void mallocCastToVoid(void) { 233 void *p = malloc(2); 234 const void *cp = p; // not crash 235 free(p); 236 } 237 238 void mallocCastToFP(void) { 239 void *p = malloc(2); 240 void (*fp)(void) = p; // not crash 241 free(p); 242 } 243 244 // This tests that malloc() buffers are undefined by default 245 char mallocGarbage (void) { 246 char *buf = malloc(2); 247 char result = buf[1]; // expected-warning{{undefined}} 248 free(buf); 249 return result; 250 } 251 252 // This tests that calloc() buffers need to be freed 253 void callocNoFree (void) { 254 char *buf = calloc(2,2); 255 return; // expected-warning{{Potential leak of memory pointed to by}} 256 } 257 258 // These test that calloc() buffers are zeroed by default 259 char callocZeroesGood (void) { 260 char *buf = calloc(2,2); 261 char result = buf[3]; // no-warning 262 if (buf[1] == 0) { 263 free(buf); 264 } 265 return result; // no-warning 266 } 267 268 char callocZeroesBad (void) { 269 char *buf = calloc(2,2); 270 char result = buf[3]; // no-warning 271 if (buf[1] != 0) { 272 free(buf); // expected-warning{{never executed}} 273 } 274 return result; // expected-warning{{Potential leak of memory pointed to by}} 275 } 276 277 void testMultipleFreeAnnotations(void) { 278 int *p = malloc(12); 279 int *q = malloc(12); 280 my_freeBoth(p, q); 281 } 282 283 void testNoUninitAttr(void) { 284 int *p = user_malloc(sizeof(int)); 285 int read = p[0]; // no-warning 286 clang_analyzer_dump(p[0]); // expected-warning{{Unknown}} 287 user_free(p); 288 } 289 290