1*67e74705SXin Li // RUN: %clang_cc1 -analyze -analyzer-checker=unix.Malloc -analyzer-inline-max-stack-depth=5 -verify %s
2*67e74705SXin Li
3*67e74705SXin Li #include "Inputs/system-header-simulator.h"
4*67e74705SXin Li
5*67e74705SXin Li void *malloc(size_t);
6*67e74705SXin Li void *valloc(size_t);
7*67e74705SXin Li void free(void *);
8*67e74705SXin Li void *realloc(void *ptr, size_t size);
9*67e74705SXin Li void *reallocf(void *ptr, size_t size);
10*67e74705SXin Li void *calloc(size_t nmemb, size_t size);
11*67e74705SXin Li
12*67e74705SXin Li void exit(int) __attribute__ ((__noreturn__));
13*67e74705SXin Li void *memcpy(void * restrict s1, const void * restrict s2, size_t n);
14*67e74705SXin Li size_t strlen(const char *);
15*67e74705SXin Li
my_malloc1(void ** d,size_t size)16*67e74705SXin Li static void my_malloc1(void **d, size_t size) {
17*67e74705SXin Li *d = malloc(size);
18*67e74705SXin Li }
19*67e74705SXin Li
my_malloc2(int elevel,size_t size)20*67e74705SXin Li static void *my_malloc2(int elevel, size_t size) {
21*67e74705SXin Li void *data;
22*67e74705SXin Li data = malloc(size);
23*67e74705SXin Li if (data == 0)
24*67e74705SXin Li exit(0);
25*67e74705SXin Li return data;
26*67e74705SXin Li }
27*67e74705SXin Li
my_free1(void * p)28*67e74705SXin Li static void my_free1(void *p) {
29*67e74705SXin Li free(p);
30*67e74705SXin Li }
31*67e74705SXin Li
test1()32*67e74705SXin Li static void test1() {
33*67e74705SXin Li void *data = 0;
34*67e74705SXin Li my_malloc1(&data, 4);
35*67e74705SXin Li } // expected-warning {{Potential leak of memory pointed to by 'data'}}
36*67e74705SXin Li
test11()37*67e74705SXin Li static void test11() {
38*67e74705SXin Li void *data = 0;
39*67e74705SXin Li my_malloc1(&data, 4);
40*67e74705SXin Li my_free1(data);
41*67e74705SXin Li }
42*67e74705SXin Li
testUniqueingByallocationSiteInTopLevelFunction()43*67e74705SXin Li static void testUniqueingByallocationSiteInTopLevelFunction() {
44*67e74705SXin Li void *data = my_malloc2(1, 4);
45*67e74705SXin Li data = 0;
46*67e74705SXin Li int x = 5;// expected-warning {{Potential leak of memory pointed to by 'data'}}
47*67e74705SXin Li data = my_malloc2(1, 4);
48*67e74705SXin Li } // expected-warning {{Potential leak of memory pointed to by 'data'}}
49*67e74705SXin Li
test3()50*67e74705SXin Li static void test3() {
51*67e74705SXin Li void *data = my_malloc2(1, 4);
52*67e74705SXin Li free(data);
53*67e74705SXin Li data = my_malloc2(1, 4);
54*67e74705SXin Li free(data);
55*67e74705SXin Li }
56*67e74705SXin Li
test4()57*67e74705SXin Li int test4() {
58*67e74705SXin Li int *data = (int*)my_malloc2(1, 4);
59*67e74705SXin Li my_free1(data);
60*67e74705SXin Li data = (int *)my_malloc2(1, 4);
61*67e74705SXin Li my_free1(data);
62*67e74705SXin Li return *data; // expected-warning {{Use of memory after it is freed}}
63*67e74705SXin Li }
64*67e74705SXin Li
test6()65*67e74705SXin Li void test6() {
66*67e74705SXin Li int *data = (int *)my_malloc2(1, 4);
67*67e74705SXin Li my_free1((int*)data);
68*67e74705SXin Li my_free1((int*)data); // expected-warning{{Use of memory after it is freed}}
69*67e74705SXin Li }
70*67e74705SXin Li
71*67e74705SXin Li // TODO: We should warn here.
test5()72*67e74705SXin Li void test5() {
73*67e74705SXin Li int *data;
74*67e74705SXin Li my_free1((int*)data);
75*67e74705SXin Li }
76*67e74705SXin Li
reshape(char * in)77*67e74705SXin Li static char *reshape(char *in) {
78*67e74705SXin Li return 0;
79*67e74705SXin Li }
80*67e74705SXin Li
testThatRemoveDeadBindingsRunBeforeEachCall()81*67e74705SXin Li void testThatRemoveDeadBindingsRunBeforeEachCall() {
82*67e74705SXin Li char *v = malloc(12);
83*67e74705SXin Li v = reshape(v);
84*67e74705SXin Li v = reshape(v);// expected-warning {{Potential leak of memory pointed to by 'v'}}
85*67e74705SXin Li }
86*67e74705SXin Li
87*67e74705SXin Li // Test that we keep processing after 'return;'
fooWithEmptyReturn(int x)88*67e74705SXin Li void fooWithEmptyReturn(int x) {
89*67e74705SXin Li if (x)
90*67e74705SXin Li return;
91*67e74705SXin Li x++;
92*67e74705SXin Li return;
93*67e74705SXin Li }
94*67e74705SXin Li
uafAndCallsFooWithEmptyReturn()95*67e74705SXin Li int uafAndCallsFooWithEmptyReturn() {
96*67e74705SXin Li int *x = (int*)malloc(12);
97*67e74705SXin Li free(x);
98*67e74705SXin Li fooWithEmptyReturn(12);
99*67e74705SXin Li return *x; // expected-warning {{Use of memory after it is freed}}
100*67e74705SXin Li }
101*67e74705SXin Li
102*67e74705SXin Li
103*67e74705SXin Li // If we inline any of the malloc-family functions, the checker shouldn't also
104*67e74705SXin Li // try to do additional modeling. <rdar://problem/12317671>
strndup(const char * str,size_t n)105*67e74705SXin Li char *strndup(const char *str, size_t n) {
106*67e74705SXin Li if (!str)
107*67e74705SXin Li return 0;
108*67e74705SXin Li
109*67e74705SXin Li // DO NOT FIX. This is to test that we are actually using the inlined
110*67e74705SXin Li // behavior!
111*67e74705SXin Li if (n < 5)
112*67e74705SXin Li return 0;
113*67e74705SXin Li
114*67e74705SXin Li size_t length = strlen(str);
115*67e74705SXin Li if (length < n)
116*67e74705SXin Li n = length;
117*67e74705SXin Li
118*67e74705SXin Li char *result = malloc(n + 1);
119*67e74705SXin Li memcpy(result, str, n);
120*67e74705SXin Li result[n] = '\0';
121*67e74705SXin Li return result;
122*67e74705SXin Li }
123*67e74705SXin Li
useStrndup(size_t n)124*67e74705SXin Li void useStrndup(size_t n) {
125*67e74705SXin Li if (n == 0) {
126*67e74705SXin Li (void)strndup(0, 20); // no-warning
127*67e74705SXin Li return;
128*67e74705SXin Li } else if (n < 5) {
129*67e74705SXin Li (void)strndup("hi there", n); // no-warning
130*67e74705SXin Li return;
131*67e74705SXin Li } else {
132*67e74705SXin Li (void)strndup("hi there", n);
133*67e74705SXin Li return; // expected-warning{{leak}}
134*67e74705SXin Li }
135*67e74705SXin Li }
136