[analyzer][MallocChecker][NFC] Document and reorganize some functions
This patch merely reorganizes some things, and features no functional change.
In detail:
* Provided documentation, or moved existing documentation in more obvious
places.
* Added dividers. (the //===----------===// thing).
* Moved getAllocationFamily, printAllocDeallocName, printExpectedAllocName and
printExpectedDeallocName in the global namespace on top of the file where
AllocationFamily is declared, as they are very strongly related.
* Moved isReleased and MallocUpdateRefState near RefState's definition for the
same reason.
* Realloc modeling was very poor in terms of variable and structure naming, as
well as documentation, so I renamed some of them and added much needed docs.
* Moved function IdentifierInfos to a separate struct, and moved isMemFunction,
isCMemFunction adn isStandardNewDelete inside it. This makes the patch affect
quite a lot of lines, should I extract it to a separate one?
* Moved MallocBugVisitor out of MallocChecker.
* Preferred switches to long else-if branches in some places.
* Neatly organized some RUN: lines.
Differential Revision: https://reviews.llvm.org/D54823
llvm-svn: 349281
2018-12-16 02:34:00 +08:00
/ / RUN : % clang_analyze_cc1 - analyzer - store = region - verify % s \
/ / RUN : - analyzer - checker = core \
/ / RUN : - analyzer - checker = alpha . deadcode . UnreachableCode \
/ / RUN : - analyzer - checker = alpha . core . CastSize \
2020-05-21 07:03:31 +08:00
/ / RUN : - analyzer - checker = unix \
[analyzer][MallocChecker][NFC] Document and reorganize some functions
This patch merely reorganizes some things, and features no functional change.
In detail:
* Provided documentation, or moved existing documentation in more obvious
places.
* Added dividers. (the //===----------===// thing).
* Moved getAllocationFamily, printAllocDeallocName, printExpectedAllocName and
printExpectedDeallocName in the global namespace on top of the file where
AllocationFamily is declared, as they are very strongly related.
* Moved isReleased and MallocUpdateRefState near RefState's definition for the
same reason.
* Realloc modeling was very poor in terms of variable and structure naming, as
well as documentation, so I renamed some of them and added much needed docs.
* Moved function IdentifierInfos to a separate struct, and moved isMemFunction,
isCMemFunction adn isStandardNewDelete inside it. This makes the patch affect
quite a lot of lines, should I extract it to a separate one?
* Moved MallocBugVisitor out of MallocChecker.
* Preferred switches to long else-if branches in some places.
* Neatly organized some RUN: lines.
Differential Revision: https://reviews.llvm.org/D54823
llvm-svn: 349281
2018-12-16 02:34:00 +08:00
// RUN: -analyzer-checker=debug.ExprInspection
2012-11-19 18:00:59 +08:00
2012-09-12 09:11:10 +08:00
# include "Inputs/system-header-simulator.h"
2012-02-12 07:46:36 +08:00
2012-06-08 08:04:40 +08:00
void clang_analyzer_eval ( int ) ;
2016-03-08 09:21:51 +08:00
// Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code".
//
// See the docs for more:
// https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
# if !defined(_WCHAR_T_DEFINED)
// "Microsoft implements wchar_t as a two-byte unsigned value"
typedef unsigned short wchar_t ;
# define _WCHAR_T_DEFINED
# endif // !defined(_WCHAR_T_DEFINED)
2009-11-14 12:23:25 +08:00
typedef __typeof ( sizeof ( int ) ) size_t ;
2009-11-14 04:03:22 +08:00
void * malloc ( size_t ) ;
2015-03-05 07:18:21 +08:00
void * alloca ( size_t ) ;
2012-02-15 08:11:22 +08:00
void * valloc ( size_t ) ;
2009-11-14 04:03:22 +08:00
void free ( void * ) ;
2009-12-12 20:29:38 +08:00
void * realloc ( void * ptr , size_t size ) ;
2012-02-15 08:11:25 +08:00
void * reallocf ( void * ptr , size_t size ) ;
2009-12-12 20:29:38 +08:00
void * calloc ( size_t nmemb , size_t size ) ;
2012-05-18 09:16:10 +08:00
char * strdup ( const char * s ) ;
2016-03-08 09:21:51 +08:00
wchar_t * wcsdup ( const wchar_t * s ) ;
2012-05-18 09:16:10 +08:00
char * strndup ( const char * s , size_t n ) ;
2013-02-08 07:05:43 +08:00
int memcmp ( const void * s1 , const void * s2 , size_t n ) ;
2012-02-09 07:16:56 +08:00
2016-03-08 09:21:51 +08:00
// Windows variants
char * _strdup ( const char * strSource ) ;
wchar_t * _wcsdup ( const wchar_t * strSource ) ;
void * _alloca ( size_t size ) ;
2012-02-09 07:16:56 +08:00
void myfoo ( int * p ) ;
void myfooint ( int p ) ;
2012-02-15 08:11:28 +08:00
char * fooRetPtr ( ) ;
2009-11-13 15:48:11 +08:00
void f1 ( ) {
2010-05-25 12:59:19 +08:00
int * p = malloc ( 12 ) ;
2013-04-06 08:41:36 +08:00
return ; // expected-warning{{Potential leak of memory pointed to by 'p'}}
2009-11-13 15:48:11 +08:00
}
void f2 ( ) {
2010-05-25 12:59:19 +08:00
int * p = malloc ( 12 ) ;
2009-11-13 15:48:11 +08:00
free ( p ) ;
2012-02-17 06:26:12 +08:00
free ( p ) ; // expected-warning{{Attempt to free released memory}}
2009-11-13 15:48:11 +08:00
}
2009-11-14 04:00:28 +08:00
2011-04-27 22:49:29 +08:00
void f2_realloc_0 ( ) {
int * p = malloc ( 12 ) ;
realloc ( p , 0 ) ;
2012-02-17 06:26:12 +08:00
realloc ( p , 0 ) ; // expected-warning{{Attempt to free released memory}}
2011-04-27 22:49:29 +08:00
}
void f2_realloc_1 ( ) {
int * p = malloc ( 12 ) ;
2011-09-01 12:53:59 +08:00
int * q = realloc ( p , 0 ) ; // no-warning
2011-04-27 22:49:29 +08:00
}
2012-02-14 02:05:39 +08:00
void reallocNotNullPtr ( unsigned sizeIn ) {
unsigned size = 12 ;
char * p = ( char * ) malloc ( size ) ;
if ( p ) {
char * q = ( char * ) realloc ( p , sizeIn ) ;
2013-04-06 08:41:36 +08:00
char x = * q ; // expected-warning {{Potential leak of memory pointed to by 'q'}}
2012-02-14 02:05:39 +08:00
}
}
2015-03-05 07:18:21 +08:00
void allocaTest ( ) {
int * p = alloca ( sizeof ( int ) ) ;
} // no warn
2016-03-08 09:21:51 +08:00
void winAllocaTest ( ) {
int * p = _alloca ( sizeof ( int ) ) ;
} // no warn
2015-03-05 07:18:21 +08:00
void allocaBuiltinTest ( ) {
int * p = __builtin_alloca ( sizeof ( int ) ) ;
} // no warn
2012-02-14 02:05:39 +08:00
int * realloctest1 ( ) {
int * q = malloc ( 12 ) ;
q = realloc ( q , 20 ) ;
return q ; // no warning - returning the allocated value
}
// p should be freed if realloc fails.
void reallocFails ( ) {
char * p = malloc ( 12 ) ;
char * r = realloc ( p , 12 + 1 ) ;
if ( ! r ) {
free ( p ) ;
} else {
free ( r ) ;
}
}
2012-02-14 04:57:07 +08:00
void reallocSizeZero1 ( ) {
char * p = malloc ( 12 ) ;
char * r = realloc ( p , 0 ) ;
if ( ! r ) {
2012-08-04 02:30:18 +08:00
free ( p ) ; // expected-warning {{Attempt to free released memory}}
2012-02-14 04:57:07 +08:00
} else {
free ( r ) ;
}
}
void reallocSizeZero2 ( ) {
char * p = malloc ( 12 ) ;
char * r = realloc ( p , 0 ) ;
if ( ! r ) {
2012-08-04 02:30:18 +08:00
free ( p ) ; // expected-warning {{Attempt to free released memory}}
2012-02-14 04:57:07 +08:00
} else {
free ( r ) ;
}
2012-02-17 06:26:12 +08:00
free ( p ) ; // expected-warning {{Attempt to free released memory}}
2012-02-14 04:57:07 +08:00
}
void reallocSizeZero3 ( ) {
char * p = malloc ( 12 ) ;
char * r = realloc ( p , 0 ) ;
free ( r ) ;
}
void reallocSizeZero4 ( ) {
char * r = realloc ( 0 , 0 ) ;
free ( r ) ;
}
void reallocSizeZero5 ( ) {
char * r = realloc ( 0 , 0 ) ;
}
void reallocPtrZero1 ( ) {
2012-11-16 03:11:43 +08:00
char * r = realloc ( 0 , 12 ) ;
2013-04-06 08:41:36 +08:00
} // expected-warning {{Potential leak of memory pointed to by 'r'}}
2012-02-14 04:57:07 +08:00
void reallocPtrZero2 ( ) {
char * r = realloc ( 0 , 12 ) ;
if ( r )
free ( r ) ;
}
void reallocPtrZero3 ( ) {
char * r = realloc ( 0 , 12 ) ;
free ( r ) ;
}
2012-02-14 08:26:13 +08:00
void reallocRadar6337483_1 ( ) {
char * buf = malloc ( 100 ) ;
buf = ( char * ) realloc ( buf , 0x1000000 ) ;
if ( ! buf ) {
2013-04-06 08:41:36 +08:00
return ; // expected-warning {{Potential leak of memory pointed to by}}
2012-02-14 08:26:13 +08:00
}
free ( buf ) ;
}
void reallocRadar6337483_2 ( ) {
char * buf = malloc ( 100 ) ;
char * buf2 = ( char * ) realloc ( buf , 0x1000000 ) ;
2012-11-16 03:11:43 +08:00
if ( ! buf2 ) {
2012-02-14 08:26:13 +08:00
;
} else {
free ( buf2 ) ;
}
2013-04-06 08:41:36 +08:00
} // expected-warning {{Potential leak of memory pointed to by}}
2012-02-14 08:26:13 +08:00
void reallocRadar6337483_3 ( ) {
char * buf = malloc ( 100 ) ;
char * tmp ;
tmp = ( char * ) realloc ( buf , 0x1000000 ) ;
if ( ! tmp ) {
free ( buf ) ;
return ;
}
buf = tmp ;
free ( buf ) ;
}
void reallocRadar6337483_4 ( ) {
char * buf = malloc ( 100 ) ;
char * buf2 = ( char * ) realloc ( buf , 0x1000000 ) ;
if ( ! buf2 ) {
2013-04-06 08:41:36 +08:00
return ; // expected-warning {{Potential leak of memory pointed to by}}
2012-02-14 08:26:13 +08:00
} else {
free ( buf2 ) ;
}
}
2012-02-15 08:11:25 +08:00
int * reallocfTest1 ( ) {
int * q = malloc ( 12 ) ;
q = reallocf ( q , 20 ) ;
return q ; // no warning - returning the allocated value
}
void reallocfRadar6337483_4 ( ) {
char * buf = malloc ( 100 ) ;
char * buf2 = ( char * ) reallocf ( buf , 0x1000000 ) ;
if ( ! buf2 ) {
return ; // no warning - reallocf frees even on failure
} else {
free ( buf2 ) ;
}
}
void reallocfRadar6337483_3 ( ) {
char * buf = malloc ( 100 ) ;
char * tmp ;
tmp = ( char * ) reallocf ( buf , 0x1000000 ) ;
if ( ! tmp ) {
2012-02-17 06:26:12 +08:00
free ( buf ) ; // expected-warning {{Attempt to free released memory}}
2012-02-15 08:11:25 +08:00
return ;
}
buf = tmp ;
free ( buf ) ;
}
void reallocfPtrZero1 ( ) {
2012-11-16 03:11:43 +08:00
char * r = reallocf ( 0 , 12 ) ;
2013-04-06 08:41:36 +08:00
} // expected-warning {{Potential leak of memory pointed to by}}
2012-02-15 08:11:25 +08:00
2015-04-14 22:18:04 +08:00
//------------------- Check usage of zero-allocated memory ---------------------
void CheckUseZeroAllocatedNoWarn1 ( ) {
int * p = malloc ( 0 ) ;
free ( p ) ; // no warning
}
void CheckUseZeroAllocatedNoWarn2 ( ) {
int * p = alloca ( 0 ) ; // no warning
}
2016-03-08 09:21:51 +08:00
void CheckUseZeroWinAllocatedNoWarn2 ( ) {
int * p = _alloca ( 0 ) ; // no warning
}
2015-04-14 22:18:04 +08:00
void CheckUseZeroAllocatedNoWarn3 ( ) {
int * p = malloc ( 0 ) ;
int * q = realloc ( p , 8 ) ; // no warning
free ( q ) ;
}
void CheckUseZeroAllocatedNoWarn4 ( ) {
int * p = realloc ( 0 , 8 ) ;
* p = 1 ; // no warning
free ( p ) ;
}
void CheckUseZeroAllocated1 ( ) {
int * p = malloc ( 0 ) ;
* p = 1 ; // expected-warning {{Use of zero-allocated memory}}
free ( p ) ;
}
char CheckUseZeroAllocated2 ( ) {
char * p = alloca ( 0 ) ;
return * p ; // expected-warning {{Use of zero-allocated memory}}
}
2016-03-08 09:21:51 +08:00
char CheckUseZeroWinAllocated2 ( ) {
char * p = _alloca ( 0 ) ;
return * p ; // expected-warning {{Use of zero-allocated memory}}
}
2015-04-14 22:18:04 +08:00
void UseZeroAllocated ( int * p ) {
if ( p )
* p = 7 ; // expected-warning {{Use of zero-allocated memory}}
}
void CheckUseZeroAllocated3 ( ) {
int * p = malloc ( 0 ) ;
UseZeroAllocated ( p ) ;
}
void f ( char ) ;
void CheckUseZeroAllocated4 ( ) {
char * p = valloc ( 0 ) ;
f ( * p ) ; // expected-warning {{Use of zero-allocated memory}}
free ( p ) ;
}
void CheckUseZeroAllocated5 ( ) {
int * p = calloc ( 0 , 2 ) ;
* p = 1 ; // expected-warning {{Use of zero-allocated memory}}
free ( p ) ;
}
void CheckUseZeroAllocated6 ( ) {
int * p = calloc ( 2 , 0 ) ;
* p = 1 ; // expected-warning {{Use of zero-allocated memory}}
free ( p ) ;
}
void CheckUseZeroAllocated7 ( ) {
int * p = realloc ( 0 , 0 ) ;
[analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).
Currently realloc(ptr, 0) is treated as free() which seems to be not correct. C
standard (N1570) establishes equivalent behavior for malloc(0) and realloc(ptr,
0): "7.22.3 Memory management functions calloc, malloc, realloc: If the size of
the space requested is zero, the behavior is implementation-defined: either a
null pointer is returned, or the behavior is as if the size were some nonzero
value, except that the returned pointer shall not be used to access an object."
The patch equalizes the processing of malloc(0) and realloc(ptr,0). The patch
also enables unix.Malloc checker to detect references to zero-allocated memory
returned by realloc(ptr,0) ("Use of zero-allocated memory" warning).
A patch by Антон Ярцев!
Differential Revision: http://reviews.llvm.org/D9040
llvm-svn: 248336
2015-09-23 06:47:14 +08:00
* p = 1 ; // expected-warning {{Use of zero-allocated memory}}
2015-04-14 22:18:04 +08:00
free ( p ) ;
}
void CheckUseZeroAllocated8 ( ) {
int * p = malloc ( 8 ) ;
int * q = realloc ( p , 0 ) ;
[analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).
Currently realloc(ptr, 0) is treated as free() which seems to be not correct. C
standard (N1570) establishes equivalent behavior for malloc(0) and realloc(ptr,
0): "7.22.3 Memory management functions calloc, malloc, realloc: If the size of
the space requested is zero, the behavior is implementation-defined: either a
null pointer is returned, or the behavior is as if the size were some nonzero
value, except that the returned pointer shall not be used to access an object."
The patch equalizes the processing of malloc(0) and realloc(ptr,0). The patch
also enables unix.Malloc checker to detect references to zero-allocated memory
returned by realloc(ptr,0) ("Use of zero-allocated memory" warning).
A patch by Антон Ярцев!
Differential Revision: http://reviews.llvm.org/D9040
llvm-svn: 248336
2015-09-23 06:47:14 +08:00
* q = 1 ; // expected-warning {{Use of zero-allocated memory}}
2015-04-14 22:18:04 +08:00
free ( q ) ;
}
void CheckUseZeroAllocated9 ( ) {
int * p = realloc ( 0 , 0 ) ;
int * q = realloc ( p , 0 ) ;
[analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).
Currently realloc(ptr, 0) is treated as free() which seems to be not correct. C
standard (N1570) establishes equivalent behavior for malloc(0) and realloc(ptr,
0): "7.22.3 Memory management functions calloc, malloc, realloc: If the size of
the space requested is zero, the behavior is implementation-defined: either a
null pointer is returned, or the behavior is as if the size were some nonzero
value, except that the returned pointer shall not be used to access an object."
The patch equalizes the processing of malloc(0) and realloc(ptr,0). The patch
also enables unix.Malloc checker to detect references to zero-allocated memory
returned by realloc(ptr,0) ("Use of zero-allocated memory" warning).
A patch by Антон Ярцев!
Differential Revision: http://reviews.llvm.org/D9040
llvm-svn: 248336
2015-09-23 06:47:14 +08:00
* q = 1 ; // expected-warning {{Use of zero-allocated memory}}
2015-04-14 22:18:04 +08:00
free ( q ) ;
}
void CheckUseZeroAllocatedPathNoWarn ( _Bool b ) {
int s = 0 ;
if ( b )
s = 10 ;
char * p = malloc ( s ) ;
if ( b )
* p = 1 ; // no warning
free ( p ) ;
}
void CheckUseZeroAllocatedPathWarn ( _Bool b ) {
int s = 10 ;
if ( b )
s = 0 ;
char * p = malloc ( s ) ;
if ( b )
* p = 1 ; // expected-warning {{Use of zero-allocated memory}}
free ( p ) ;
}
2012-02-15 08:11:25 +08:00
[analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).
Currently realloc(ptr, 0) is treated as free() which seems to be not correct. C
standard (N1570) establishes equivalent behavior for malloc(0) and realloc(ptr,
0): "7.22.3 Memory management functions calloc, malloc, realloc: If the size of
the space requested is zero, the behavior is implementation-defined: either a
null pointer is returned, or the behavior is as if the size were some nonzero
value, except that the returned pointer shall not be used to access an object."
The patch equalizes the processing of malloc(0) and realloc(ptr,0). The patch
also enables unix.Malloc checker to detect references to zero-allocated memory
returned by realloc(ptr,0) ("Use of zero-allocated memory" warning).
A patch by Антон Ярцев!
Differential Revision: http://reviews.llvm.org/D9040
llvm-svn: 248336
2015-09-23 06:47:14 +08:00
void CheckUseZeroReallocatedPathNoWarn ( _Bool b ) {
int s = 0 ;
if ( b )
s = 10 ;
char * p = malloc ( 8 ) ;
char * q = realloc ( p , s ) ;
if ( b )
* q = 1 ; // no warning
free ( q ) ;
}
void CheckUseZeroReallocatedPathWarn ( _Bool b ) {
int s = 10 ;
if ( b )
s = 0 ;
char * p = malloc ( 8 ) ;
char * q = realloc ( p , s ) ;
if ( b )
* q = 1 ; // expected-warning {{Use of zero-allocated memory}}
free ( q ) ;
}
2009-11-17 15:54:15 +08:00
// This case tests that storing malloc'ed memory to a static variable which is
// then returned is not leaked. In the absence of known contracts for functions
// or inter-procedural analysis, this is a conservative answer.
2009-11-14 04:00:28 +08:00
int * f3 ( ) {
static int * p = 0 ;
2018-07-13 21:44:44 +08:00
p = malloc ( 12 ) ;
2009-11-17 16:58:18 +08:00
return p ; // no-warning
2009-11-14 04:00:28 +08:00
}
2009-11-17 15:54:15 +08:00
// This case tests that storing malloc'ed memory to a static global variable
// which is then returned is not leaked. In the absence of known contracts for
// functions or inter-procedural analysis, this is a conservative answer.
2009-11-14 04:00:28 +08:00
static int * p_f4 = 0 ;
int * f4 ( ) {
2018-07-13 21:44:44 +08:00
p_f4 = malloc ( 12 ) ;
2009-11-17 16:58:18 +08:00
return p_f4 ; // no-warning
2009-11-14 04:00:28 +08:00
}
2009-12-12 20:29:38 +08:00
int * f5 ( ) {
2010-05-25 12:59:19 +08:00
int * q = malloc ( 12 ) ;
2009-12-12 20:29:38 +08:00
q = realloc ( q , 20 ) ;
return q ; // no-warning
}
2009-12-31 14:13:07 +08:00
void f6 ( ) {
2010-05-25 12:59:19 +08:00
int * p = malloc ( 12 ) ;
2009-12-31 14:13:07 +08:00
if ( ! p )
return ; // no-warning
else
free ( p ) ;
}
2010-01-18 12:01:40 +08:00
2011-04-27 22:49:29 +08:00
void f6_realloc ( ) {
int * p = malloc ( 12 ) ;
if ( ! p )
return ; // no-warning
else
realloc ( p , 0 ) ;
}
2010-01-18 12:01:40 +08:00
char * doit2 ( ) ;
void pr6069 ( ) {
char * buf = doit2 ( ) ;
free ( buf ) ;
}
2010-02-14 14:49:48 +08:00
void pr6293 ( ) {
free ( 0 ) ;
}
2010-03-10 12:58:55 +08:00
void f7 ( ) {
char * x = ( char * ) malloc ( 4 ) ;
free ( x ) ;
2012-02-17 06:26:12 +08:00
x [ 0 ] = ' a ' ; // expected-warning{{Use of memory after it is freed}}
2010-03-10 12:58:55 +08:00
}
2010-05-25 12:59:19 +08:00
2012-05-18 09:16:10 +08:00
void f8 ( ) {
char * x = ( char * ) malloc ( 4 ) ;
free ( x ) ;
char * y = strndup ( x , 4 ) ; // expected-warning{{Use of memory after it is freed}}
}
2011-04-27 22:49:29 +08:00
void f7_realloc ( ) {
char * x = ( char * ) malloc ( 4 ) ;
realloc ( x , 0 ) ;
2012-02-17 06:26:12 +08:00
x [ 0 ] = ' a ' ; // expected-warning{{Use of memory after it is freed}}
2011-04-27 22:49:29 +08:00
}
2010-05-25 12:59:19 +08:00
void PR6123 ( ) {
Allow multiple PathDiagnosticConsumers to be used with a BugReporter at the same time.
This fixes several issues:
- removes egregious hack where PlistDiagnosticConsumer would forward to HTMLDiagnosticConsumer,
but diagnostics wouldn't be generated consistently in the same way if PlistDiagnosticConsumer
was used by itself.
- emitting diagnostics to the terminal (using clang's diagnostic machinery) is no longer a special
case, just another PathDiagnosticConsumer. This also magically resolved some duplicate warnings,
as we now use PathDiagnosticConsumer's diagnostic pruning, which has scope for the entire translation
unit, not just the scope of a BugReporter (which is limited to a particular ExprEngine).
As an interesting side-effect, diagnostics emitted to the terminal also have their trailing "." stripped,
just like with diagnostics emitted to plists and HTML. This required some tests to be updated, but now
the tests have higher fidelity with what users will see.
There are some inefficiencies in this patch. We currently generate the report graph (from the ExplodedGraph)
once per PathDiagnosticConsumer, which is a bit wasteful, but that could be pulled up higher in the
logic stack. There is some intended duplication, however, as we now generate different PathDiagnostics (for the same issue)
for different PathDiagnosticConsumers. This is necessary to produce the diagnostics that a particular
consumer expects.
llvm-svn: 162028
2012-08-17 01:45:23 +08:00
int * x = malloc ( 11 ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
2010-05-25 12:59:19 +08:00
}
void PR7217 ( ) {
Allow multiple PathDiagnosticConsumers to be used with a BugReporter at the same time.
This fixes several issues:
- removes egregious hack where PlistDiagnosticConsumer would forward to HTMLDiagnosticConsumer,
but diagnostics wouldn't be generated consistently in the same way if PlistDiagnosticConsumer
was used by itself.
- emitting diagnostics to the terminal (using clang's diagnostic machinery) is no longer a special
case, just another PathDiagnosticConsumer. This also magically resolved some duplicate warnings,
as we now use PathDiagnosticConsumer's diagnostic pruning, which has scope for the entire translation
unit, not just the scope of a BugReporter (which is limited to a particular ExprEngine).
As an interesting side-effect, diagnostics emitted to the terminal also have their trailing "." stripped,
just like with diagnostics emitted to plists and HTML. This required some tests to be updated, but now
the tests have higher fidelity with what users will see.
There are some inefficiencies in this patch. We currently generate the report graph (from the ExplodedGraph)
once per PathDiagnosticConsumer, which is a bit wasteful, but that could be pulled up higher in the
logic stack. There is some intended duplication, however, as we now generate different PathDiagnostics (for the same issue)
for different PathDiagnosticConsumers. This is necessary to produce the diagnostics that a particular
consumer expects.
llvm-svn: 162028
2012-08-17 01:45:23 +08:00
int * buf = malloc ( 2 ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
2010-05-25 12:59:19 +08:00
buf [ 1 ] = ' c ' ; // not crash
2010-06-20 12:30:57 +08:00
}
2014-02-19 01:06:30 +08:00
void cast_emtpy_struct ( ) {
struct st {
} ;
struct st * s = malloc ( sizeof ( struct st ) ) ; // no-warning
free ( s ) ;
}
void cast_struct_1 ( ) {
struct st {
int i [ 100 ] ;
char j [ ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) ) ; // no-warning
free ( s ) ;
}
void cast_struct_2 ( ) {
struct st {
int i [ 100 ] ;
char j [ 0 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) ) ; // no-warning
free ( s ) ;
}
void cast_struct_3 ( ) {
struct st {
int i [ 100 ] ;
char j [ 1 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) ) ; // no-warning
free ( s ) ;
}
void cast_struct_4 ( ) {
struct st {
int i [ 100 ] ;
char j [ 2 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) ) ; // no-warning
free ( s ) ;
}
void cast_struct_5 ( ) {
struct st {
char i [ 200 ] ;
char j [ 1 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) - sizeof ( char ) ) ; // no-warning
free ( s ) ;
}
void cast_struct_warn_1 ( ) {
struct st {
int i [ 100 ] ;
char j [ 2 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 2 ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free ( s ) ;
}
void cast_struct_warn_2 ( ) {
struct st {
int i [ 100 ] ;
char j [ 2 ] ;
} ;
struct st * s = malloc ( 2 ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free ( s ) ;
}
void cast_struct_flex_array_1 ( ) {
struct st {
int i [ 100 ] ;
char j [ ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 3 ) ; // no-warning
free ( s ) ;
}
void cast_struct_flex_array_2 ( ) {
struct st {
int i [ 100 ] ;
char j [ 0 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 3 ) ; // no-warning
free ( s ) ;
}
void cast_struct_flex_array_3 ( ) {
struct st {
int i [ 100 ] ;
char j [ 1 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 3 ) ; // no-warning
free ( s ) ;
}
void cast_struct_flex_array_4 ( ) {
struct foo {
char f [ 32 ] ;
} ;
struct st {
char i [ 100 ] ;
struct foo data [ ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 3 * sizeof ( struct foo ) ) ; // no-warning
free ( s ) ;
}
void cast_struct_flex_array_5 ( ) {
struct foo {
char f [ 32 ] ;
} ;
struct st {
char i [ 100 ] ;
struct foo data [ 0 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 3 * sizeof ( struct foo ) ) ; // no-warning
free ( s ) ;
}
void cast_struct_flex_array_6 ( ) {
struct foo {
char f [ 32 ] ;
} ;
struct st {
char i [ 100 ] ;
struct foo data [ 1 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 3 * sizeof ( struct foo ) ) ; // no-warning
free ( s ) ;
}
void cast_struct_flex_array_warn_1 ( ) {
struct foo {
char f [ 32 ] ;
} ;
struct st {
char i [ 100 ] ;
struct foo data [ ] ;
} ;
struct st * s = malloc ( 3 * sizeof ( struct st ) + 3 * sizeof ( struct foo ) ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free ( s ) ;
}
void cast_struct_flex_array_warn_2 ( ) {
struct foo {
char f [ 32 ] ;
} ;
struct st {
char i [ 100 ] ;
struct foo data [ 0 ] ;
} ;
struct st * s = malloc ( 3 * sizeof ( struct st ) + 3 * sizeof ( struct foo ) ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free ( s ) ;
}
void cast_struct_flex_array_warn_3 ( ) {
struct foo {
char f [ 32 ] ;
} ;
struct st {
char i [ 100 ] ;
struct foo data [ 1 ] ;
} ;
struct st * s = malloc ( 3 * sizeof ( struct st ) + 3 * sizeof ( struct foo ) ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free ( s ) ;
}
void cast_struct_flex_array_warn_4 ( ) {
struct st {
int i [ 100 ] ;
int j [ ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 3 ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free ( s ) ;
}
void cast_struct_flex_array_warn_5 ( ) {
struct st {
int i [ 100 ] ;
int j [ 0 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 3 ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free ( s ) ;
}
void cast_struct_flex_array_warn_6 ( ) {
struct st {
int i [ 100 ] ;
int j [ 1 ] ;
} ;
struct st * s = malloc ( sizeof ( struct st ) + 3 ) ; // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
free ( s ) ;
}
2010-06-20 12:30:57 +08:00
void mallocCastToVoid ( ) {
void * p = malloc ( 2 ) ;
const void * cp = p ; // not crash
free ( p ) ;
}
2010-05-25 12:59:19 +08:00
2010-06-20 12:30:57 +08:00
void mallocCastToFP ( ) {
void * p = malloc ( 2 ) ;
void ( * fp ) ( ) = p ; // not crash
free ( p ) ;
2010-05-25 12:59:19 +08:00
}
2010-06-20 12:30:57 +08:00
2010-06-01 11:01:33 +08:00
// This tests that malloc() buffers are undefined by default
char mallocGarbage ( ) {
char * buf = malloc ( 2 ) ;
char result = buf [ 1 ] ; // expected-warning{{undefined}}
free ( buf ) ;
return result ;
}
// This tests that calloc() buffers need to be freed
void callocNoFree ( ) {
char * buf = calloc ( 2 , 2 ) ;
2013-04-06 08:41:36 +08:00
return ; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
2010-06-01 11:01:33 +08:00
}
// These test that calloc() buffers are zeroed by default
char callocZeroesGood ( ) {
char * buf = calloc ( 2 , 2 ) ;
char result = buf [ 3 ] ; // no-warning
if ( buf [ 1 ] = = 0 ) {
free ( buf ) ;
}
return result ; // no-warning
}
char callocZeroesBad ( ) {
char * buf = calloc ( 2 , 2 ) ;
char result = buf [ 3 ] ; // no-warning
if ( buf [ 1 ] ! = 0 ) {
2010-07-24 07:04:53 +08:00
free ( buf ) ; // expected-warning{{never executed}}
2010-06-01 11:01:33 +08:00
}
2013-04-06 08:41:36 +08:00
return result ; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
2010-06-01 11:01:33 +08:00
}
2012-02-09 07:16:56 +08:00
void nullFree ( ) {
int * p = 0 ;
free ( p ) ; // no warning - a nop
}
void paramFree ( int * p ) {
myfoo ( p ) ;
free ( p ) ; // no warning
2012-08-04 02:30:18 +08:00
myfoo ( p ) ; // expected-warning {{Use of memory after it is freed}}
2012-02-09 07:16:56 +08:00
}
int * mallocEscapeRet ( ) {
int * p = malloc ( 12 ) ;
return p ; // no warning
}
void mallocEscapeFoo ( ) {
int * p = malloc ( 12 ) ;
myfoo ( p ) ;
return ; // no warning
}
void mallocEscapeFree ( ) {
int * p = malloc ( 12 ) ;
myfoo ( p ) ;
free ( p ) ;
}
void mallocEscapeFreeFree ( ) {
int * p = malloc ( 12 ) ;
myfoo ( p ) ;
free ( p ) ;
2012-02-17 06:26:12 +08:00
free ( p ) ; // expected-warning{{Attempt to free released memory}}
2012-02-09 07:16:56 +08:00
}
void mallocEscapeFreeUse ( ) {
int * p = malloc ( 12 ) ;
myfoo ( p ) ;
free ( p ) ;
2012-02-17 06:26:12 +08:00
myfoo ( p ) ; // expected-warning{{Use of memory after it is freed}}
2012-02-09 07:16:56 +08:00
}
int * myalloc ( ) ;
void myalloc2 ( int * * p ) ;
void mallocEscapeFreeCustomAlloc ( ) {
int * p = malloc ( 12 ) ;
myfoo ( p ) ;
free ( p ) ;
p = myalloc ( ) ;
free ( p ) ; // no warning
}
void mallocEscapeFreeCustomAlloc2 ( ) {
int * p = malloc ( 12 ) ;
myfoo ( p ) ;
free ( p ) ;
myalloc2 ( & p ) ;
free ( p ) ; // no warning
}
void mallocBindFreeUse ( ) {
int * x = malloc ( 12 ) ;
int * y = x ;
free ( y ) ;
2012-02-17 06:26:12 +08:00
myfoo ( x ) ; // expected-warning{{Use of memory after it is freed}}
2012-02-09 07:16:56 +08:00
}
void mallocEscapeMalloc ( ) {
int * p = malloc ( 12 ) ;
myfoo ( p ) ;
2012-11-16 03:11:43 +08:00
p = malloc ( 12 ) ;
2013-04-06 08:41:36 +08:00
} // expected-warning{{Potential leak of memory pointed to by}}
2012-02-09 07:16:56 +08:00
void mallocMalloc ( ) {
int * p = malloc ( 12 ) ;
2012-11-16 03:11:43 +08:00
p = malloc ( 12 ) ;
[Analyzer] Report every bug if only uniqueing location differs.
Summary:
Two CSA bug reports where only the uniqueing location is different
should be treated as different problems. The role of uniqueing location
is to differentiate bug reports.
Reviewers: Szelethus, baloghadamsoftware, NoQ, vsavchenko, xazax.hun, martong
Reviewed By: NoQ
Subscribers: NoQ, rnkovacs, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, gamesh411, Charusso, martong, ASDenysPetrov, cfe-commits
Tags: #clang
Differential Revision: https://reviews.llvm.org/D83115
2020-07-15 17:05:22 +08:00
} / / expected - warning { { Potential leak of memory pointed to by } } \
// expected-warning {{Potential leak of memory pointed to by}}
2012-02-09 07:16:56 +08:00
void mallocFreeMalloc ( ) {
int * p = malloc ( 12 ) ;
free ( p ) ;
p = malloc ( 12 ) ;
free ( p ) ;
}
2012-02-09 14:25:47 +08:00
void mallocFreeUse_params ( ) {
2012-02-09 07:16:56 +08:00
int * p = malloc ( 12 ) ;
free ( p ) ;
2012-02-17 06:26:12 +08:00
myfoo ( p ) ; //expected-warning{{Use of memory after it is freed}}
2012-02-12 07:46:36 +08:00
}
void mallocFreeUse_params2 ( ) {
int * p = malloc ( 12 ) ;
free ( p ) ;
2012-02-17 06:26:12 +08:00
myfooint ( * p ) ; //expected-warning{{Use of memory after it is freed}}
2012-02-09 07:16:56 +08:00
}
2012-02-09 14:25:51 +08:00
void mallocFailedOrNot ( ) {
int * p = malloc ( 12 ) ;
if ( ! p )
free ( p ) ;
else
free ( p ) ;
}
2012-02-10 09:11:00 +08:00
struct StructWithInt {
int g ;
} ;
2012-02-12 05:44:39 +08:00
int * mallocReturnFreed ( ) {
int * p = malloc ( 12 ) ;
free ( p ) ;
2012-02-17 06:26:12 +08:00
return p ; // expected-warning {{Use of memory after it is freed}}
2012-02-12 05:44:39 +08:00
}
int useAfterFreeStruct ( ) {
struct StructWithInt * px = malloc ( sizeof ( struct StructWithInt ) ) ;
px - > g = 5 ;
free ( px ) ;
2012-02-17 06:26:12 +08:00
return px - > g ; // expected-warning {{Use of memory after it is freed}}
2012-02-12 05:44:39 +08:00
}
2012-02-10 09:11:00 +08:00
void nonSymbolAsFirstArg ( int * pp , struct StructWithInt * p ) ;
void mallocEscapeFooNonSymbolArg ( ) {
struct StructWithInt * p = malloc ( sizeof ( struct StructWithInt ) ) ;
nonSymbolAsFirstArg ( & p - > g , p ) ;
return ; // no warning
}
2012-02-12 05:02:35 +08:00
void mallocFailedOrNotLeak ( ) {
int * p = malloc ( 12 ) ;
if ( p = = 0 )
return ; // no warning
else
2013-04-06 08:41:36 +08:00
return ; // expected-warning {{Potential leak of memory pointed to by}}
2012-02-12 05:02:35 +08:00
}
2012-02-10 09:11:00 +08:00
2012-02-15 08:11:28 +08:00
void mallocAssignment ( ) {
char * p = malloc ( 12 ) ;
2012-11-16 03:11:43 +08:00
p = fooRetPtr ( ) ;
} // expected-warning {{leak}}
2012-02-15 08:11:28 +08:00
2012-02-15 08:11:22 +08:00
int vallocTest ( ) {
char * mem = valloc ( 12 ) ;
2013-04-06 08:41:36 +08:00
return 0 ; // expected-warning {{Potential leak of memory pointed to by}}
2012-02-15 08:11:22 +08:00
}
void vallocEscapeFreeUse ( ) {
int * p = valloc ( 12 ) ;
myfoo ( p ) ;
free ( p ) ;
2012-02-17 06:26:12 +08:00
myfoo ( p ) ; // expected-warning{{Use of memory after it is freed}}
2012-02-15 08:11:22 +08:00
}
2012-02-09 14:25:47 +08:00
int * Gl ;
struct GlStTy {
int * x ;
} ;
struct GlStTy GlS = { 0 } ;
void GlobalFree ( ) {
free ( Gl ) ;
}
void GlobalMalloc ( ) {
Gl = malloc ( 12 ) ;
}
void GlobalStructMalloc ( ) {
int * a = malloc ( 12 ) ;
GlS . x = a ;
}
void GlobalStructMallocFree ( ) {
int * a = malloc ( 12 ) ;
GlS . x = a ;
free ( GlS . x ) ;
}
2012-02-10 09:11:03 +08:00
2012-02-17 06:26:15 +08:00
char * ArrayG [ 12 ] ;
void globalArrayTest ( ) {
char * p = ( char * ) malloc ( 12 ) ;
ArrayG [ 0 ] = p ;
}
2012-02-16 11:40:57 +08:00
// Make sure that we properly handle a pointer stored into a local struct/array.
typedef struct _StructWithPtr {
int * memP ;
} StructWithPtr ;
static StructWithPtr arrOfStructs [ 10 ] ;
void testMalloc ( ) {
int * x = malloc ( 12 ) ;
StructWithPtr St ;
St . memP = x ;
2012-08-09 02:23:31 +08:00
arrOfStructs [ 0 ] = St ; // no-warning
2012-02-16 11:40:57 +08:00
}
StructWithPtr testMalloc2 ( ) {
int * x = malloc ( 12 ) ;
StructWithPtr St ;
St . memP = x ;
2012-08-09 02:23:31 +08:00
return St ; // no-warning
2012-02-16 11:40:57 +08:00
}
int * testMalloc3 ( ) {
int * x = malloc ( 12 ) ;
int * y = x ;
2012-08-09 02:23:31 +08:00
return y ; // no-warning
2012-02-16 11:40:57 +08:00
}
2013-03-21 04:35:57 +08:00
void testStructLeak ( ) {
StructWithPtr St ;
St . memP = malloc ( 12 ) ;
2013-04-06 08:41:36 +08:00
return ; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
2013-03-21 04:35:57 +08:00
}
2012-02-18 06:35:34 +08:00
void testElemRegion1 ( ) {
char * x = ( void * ) malloc ( 2 ) ;
int * ix = ( int * ) x ;
free ( & ( x [ 0 ] ) ) ;
}
void testElemRegion2 ( int * * pp ) {
int * p = malloc ( 12 ) ;
* pp = p ;
free ( pp [ 0 ] ) ;
}
void testElemRegion3 ( int * * pp ) {
int * p = malloc ( 12 ) ;
* pp = p ;
free ( * pp ) ;
}
2012-02-12 05:02:35 +08:00
// Region escape testing.
unsigned takePtrToPtr ( int * * p ) ;
void PassTheAddrOfAllocatedData ( int f ) {
int * p = malloc ( 12 ) ;
// We don't know what happens after the call. Should stop tracking here.
if ( takePtrToPtr ( & p ) )
f + + ;
free ( p ) ; // no warning
}
struct X {
int * p ;
} ;
unsigned takePtrToStruct ( struct X * s ) ;
int * * foo2 ( int * g , int f ) {
int * p = malloc ( 12 ) ;
struct X * px = malloc ( sizeof ( struct X ) ) ;
px - > p = p ;
// We don't know what happens after this call. Should not track px nor p.
if ( takePtrToStruct ( px ) )
f + + ;
free ( p ) ;
return 0 ;
}
struct X * RegInvalidationDetect1 ( struct X * s2 ) {
struct X * px = malloc ( sizeof ( struct X ) ) ;
px - > p = 0 ;
px = s2 ;
2013-04-06 08:41:36 +08:00
return px ; // expected-warning {{Potential leak of memory pointed to by}}
2012-02-12 05:02:35 +08:00
}
struct X * RegInvalidationGiveUp1 ( ) {
int * p = malloc ( 12 ) ;
struct X * px = malloc ( sizeof ( struct X ) ) ;
px - > p = p ;
return px ;
}
int * * RegInvalidationDetect2 ( int * * pp ) {
int * p = malloc ( 12 ) ;
pp = & p ;
pp + + ;
2013-04-06 08:41:36 +08:00
return 0 ; // expected-warning {{Potential leak of memory pointed to by}}
2012-02-12 05:02:35 +08:00
}
2012-02-10 09:11:03 +08:00
extern void exit ( int ) __attribute__ ( ( __noreturn__ ) ) ;
void mallocExit ( int * g ) {
struct xx * p = malloc ( 12 ) ;
2012-02-12 05:02:40 +08:00
if ( g ! = 0 )
exit ( 1 ) ;
2012-02-10 09:11:03 +08:00
free ( p ) ;
return ;
}
extern void __assert_fail ( __const char * __assertion , __const char * __file ,
unsigned int __line , __const char * __function )
__attribute__ ( ( __noreturn__ ) ) ;
# define assert(expr) \
( ( expr ) ? ( void ) ( 0 ) : __assert_fail ( # expr , __FILE__ , __LINE__ , __func__ ) )
void mallocAssert ( int * g ) {
struct xx * p = malloc ( 12 ) ;
2012-02-12 05:02:40 +08:00
assert ( g ! = 0 ) ;
2012-02-10 09:11:03 +08:00
free ( p ) ;
return ;
}
2012-02-12 07:46:36 +08:00
void doNotInvalidateWhenPassedToSystemCalls ( char * s ) {
char * p = malloc ( 12 ) ;
strlen ( p ) ;
2012-11-16 03:11:43 +08:00
strcpy ( p , s ) ;
2013-11-17 17:18:48 +08:00
strcpy ( s , p ) ;
strcpy ( p , p ) ;
memcpy ( p , s , 1 ) ;
memcpy ( s , p , 1 ) ;
memcpy ( p , p , 1 ) ;
2012-11-16 03:11:43 +08:00
} // expected-warning {{leak}}
2012-02-12 07:46:36 +08:00
2013-11-17 17:18:48 +08:00
// Treat source buffer contents as escaped.
void escapeSourceContents ( char * s ) {
char * p = malloc ( 12 ) ;
memcpy ( s , & p , 12 ) ; // no warning
void * p1 = malloc ( 7 ) ;
char * a ;
memcpy ( & a , & p1 , sizeof a ) ;
// FIXME: No warning due to limitations imposed by current modelling of
// 'memcpy' (regions metadata is not copied).
int * ptrs [ 2 ] ;
int * allocated = ( int * ) malloc ( 4 ) ;
memcpy ( & ptrs [ 0 ] , & allocated , sizeof ( int * ) ) ;
// FIXME: No warning due to limitations imposed by current modelling of
// 'memcpy' (regions metadata is not copied).
}
void invalidateDestinationContents ( ) {
int * null = 0 ;
int * p = ( int * ) malloc ( 4 ) ;
memcpy ( & p , & null , sizeof ( int * ) ) ;
int * ptrs1 [ 2 ] ; // expected-warning {{Potential leak of memory pointed to by}}
ptrs1 [ 0 ] = ( int * ) malloc ( 4 ) ;
memcpy ( ptrs1 , & null , sizeof ( int * ) ) ;
int * ptrs2 [ 2 ] ; // expected-warning {{Potential memory leak}}
ptrs2 [ 0 ] = ( int * ) malloc ( 4 ) ;
memcpy ( & ptrs2 [ 1 ] , & null , sizeof ( int * ) ) ;
int * ptrs3 [ 2 ] ; // expected-warning {{Potential memory leak}}
ptrs3 [ 0 ] = ( int * ) malloc ( 4 ) ;
memcpy ( & ptrs3 [ 0 ] , & null , sizeof ( int * ) ) ;
} // expected-warning {{Potential memory leak}}
2012-02-18 06:35:31 +08:00
// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
void symbolLostWithStrcpy ( char * s ) {
char * p = malloc ( 12 ) ;
p = strcpy ( p , s ) ;
free ( p ) ;
}
// The same test as the one above, but with what is actually generated on a mac.
static __inline char *
__inline_strcpy_chk ( char * restrict __dest , const char * restrict __src )
{
return __builtin___strcpy_chk ( __dest , __src , __builtin_object_size ( __dest , 2 > 1 ) ) ;
}
void symbolLostWithStrcpy_InlineStrcpyVersion ( char * s ) {
char * p = malloc ( 12 ) ;
p = ( ( __builtin_object_size ( p , 0 ) ! = ( size_t ) - 1 ) ? __builtin___strcpy_chk ( p , s , __builtin_object_size ( p , 2 > 1 ) ) : __inline_strcpy_chk ( p , s ) ) ;
free ( p ) ;
}
2012-02-22 10:36:01 +08:00
// Here we are returning a pointer one past the allocated value. An idiom which
// can be used for implementing special malloc. The correct uses of this might
// be rare enough so that we could keep this as a warning.
static void * specialMalloc ( int n ) {
int * p ;
p = malloc ( n + 8 ) ;
if ( p ) {
p [ 0 ] = n ;
p + + ;
}
return p ;
}
// Potentially, the user could free the struct by performing pointer arithmetic on the return value.
// This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
int * specialMallocWithStruct ( ) {
struct StructWithInt * px = malloc ( sizeof ( struct StructWithInt ) ) ;
return & ( px - > g ) ;
}
2012-02-22 11:14:20 +08:00
// Test various allocation/deallocation functions.
void testStrdup ( const char * s , unsigned validIndex ) {
char * s2 = strdup ( s ) ;
2012-11-16 03:11:43 +08:00
s2 [ validIndex + 1 ] = ' b ' ;
2013-04-06 08:41:36 +08:00
} // expected-warning {{Potential leak of memory pointed to by}}
2012-02-22 11:14:20 +08:00
2016-03-08 09:21:51 +08:00
void testWinStrdup ( const char * s , unsigned validIndex ) {
char * s2 = _strdup ( s ) ;
s2 [ validIndex + 1 ] = ' b ' ;
} // expected-warning {{Potential leak of memory pointed to by}}
void testWcsdup ( const wchar_t * s , unsigned validIndex ) {
wchar_t * s2 = wcsdup ( s ) ;
s2 [ validIndex + 1 ] = ' b ' ;
} // expected-warning {{Potential leak of memory pointed to by}}
void testWinWcsdup ( const wchar_t * s , unsigned validIndex ) {
wchar_t * s2 = _wcsdup ( s ) ;
s2 [ validIndex + 1 ] = ' b ' ;
} // expected-warning {{Potential leak of memory pointed to by}}
2012-02-22 11:14:20 +08:00
int testStrndup ( const char * s , unsigned validIndex , unsigned size ) {
char * s2 = strndup ( s , size ) ;
s2 [ validIndex + 1 ] = ' b ' ;
if ( s2 [ validIndex ] ! = ' a ' )
2012-02-24 05:38:21 +08:00
return 0 ;
2012-02-22 11:14:20 +08:00
else
2013-04-06 08:41:36 +08:00
return 1 ; // expected-warning {{Potential leak of memory pointed to by}}
2012-02-22 11:14:20 +08:00
}
2012-02-23 03:24:52 +08:00
void testStrdupContentIsDefined ( const char * s , unsigned validIndex ) {
char * s2 = strdup ( s ) ;
char result = s2 [ 1 ] ; // no warning
free ( s2 ) ;
}
2016-03-08 09:21:51 +08:00
void testWinStrdupContentIsDefined ( const char * s , unsigned validIndex ) {
char * s2 = _strdup ( s ) ;
char result = s2 [ 1 ] ; // no warning
free ( s2 ) ;
}
void testWcsdupContentIsDefined ( const wchar_t * s , unsigned validIndex ) {
wchar_t * s2 = wcsdup ( s ) ;
wchar_t result = s2 [ 1 ] ; // no warning
free ( s2 ) ;
}
void testWinWcsdupContentIsDefined ( const wchar_t * s , unsigned validIndex ) {
wchar_t * s2 = _wcsdup ( s ) ;
wchar_t result = s2 [ 1 ] ; // no warning
free ( s2 ) ;
}
2012-03-01 02:42:47 +08:00
// ----------------------------------------------------------------------------
2012-02-23 09:05:27 +08:00
// Test the system library functions to which the pointer can escape.
2012-03-01 02:42:47 +08:00
// This tests false positive suppression.
2012-02-23 09:05:27 +08:00
// For now, we assume memory passed to pthread_specific escapes.
// TODO: We could check that if a new pthread binding is set, the existing
// binding must be freed; otherwise, a memory leak can occur.
void testPthereadSpecificEscape ( pthread_key_t key ) {
void * buf = malloc ( 12 ) ;
pthread_setspecific ( key , buf ) ; // no warning
}
2012-03-01 02:42:47 +08:00
// PR12101: Test funopen().
static int releasePtr ( void * _ctx ) {
free ( _ctx ) ;
return 0 ;
}
FILE * useFunOpen ( ) {
void * ctx = malloc ( sizeof ( int ) ) ;
FILE * f = funopen ( ctx , 0 , 0 , 0 , releasePtr ) ; // no warning
if ( f = = 0 ) {
free ( ctx ) ;
}
return f ;
}
FILE * useFunOpenNoReleaseFunction ( ) {
void * ctx = malloc ( sizeof ( int ) ) ;
FILE * f = funopen ( ctx , 0 , 0 , 0 , 0 ) ;
if ( f = = 0 ) {
free ( ctx ) ;
}
return f ; // expected-warning{{leak}}
}
2012-07-03 03:27:51 +08:00
static int readNothing ( void * _ctx , char * buf , int size ) {
return 0 ;
}
FILE * useFunOpenReadNoRelease ( ) {
void * ctx = malloc ( sizeof ( int ) ) ;
FILE * f = funopen ( ctx , readNothing , 0 , 0 , 0 ) ;
if ( f = = 0 ) {
free ( ctx ) ;
}
return f ; // expected-warning{{leak}}
}
2012-03-01 02:42:47 +08:00
// Test setbuf, setvbuf.
int my_main_no_warning ( ) {
char * p = malloc ( 100 ) ;
setvbuf ( stdout , p , 0 , 100 ) ;
return 0 ;
}
int my_main_no_warning2 ( ) {
char * p = malloc ( 100 ) ;
setbuf ( __stdoutp , p ) ;
return 0 ;
}
int my_main_warn ( FILE * f ) {
char * p = malloc ( 100 ) ;
setvbuf ( f , p , 0 , 100 ) ;
return 0 ; // expected-warning {{leak}}
}
2012-03-06 07:06:19 +08:00
// <rdar://problem/10978247>.
// some people use stack allocated memory as an optimization to avoid
// a heap allocation for small work sizes. This tests the analyzer's
// understanding that the malloc'ed memory is not the same as stackBuffer.
void radar10978247 ( int myValueSize ) {
char stackBuffer [ 128 ] ;
char * buffer ;
if ( myValueSize < = sizeof ( stackBuffer ) )
buffer = stackBuffer ;
2018-07-13 21:44:44 +08:00
else
2012-03-06 07:06:19 +08:00
buffer = malloc ( myValueSize ) ;
// do stuff with the buffer
if ( buffer ! = stackBuffer )
free ( buffer ) ;
}
void radar10978247_positive ( int myValueSize ) {
char stackBuffer [ 128 ] ;
char * buffer ;
if ( myValueSize < = sizeof ( stackBuffer ) )
buffer = stackBuffer ;
2018-07-13 21:44:44 +08:00
else
2012-03-06 07:06:19 +08:00
buffer = malloc ( myValueSize ) ;
// do stuff with the buffer
2012-11-16 03:11:43 +08:00
if ( buffer = = stackBuffer )
2012-03-06 07:06:19 +08:00
return ;
2012-11-16 03:11:43 +08:00
else
return ; // expected-warning {{leak}}
2018-07-13 21:44:44 +08:00
}
2012-04-26 13:08:26 +08:00
// <rdar://problem/11269741> Previously this triggered a false positive
// because malloc() is known to return uninitialized memory and the binding
// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
struct rdar11269741_a_t {
struct rdar11269741_b_t {
int m ;
} n ;
} ;
int rdar11269741 ( struct rdar11269741_b_t o )
{
struct rdar11269741_a_t * p = ( struct rdar11269741_a_t * ) malloc ( sizeof ( * p ) ) ;
p - > n = o ;
return p - > n . m ; // expected-warning {{leak}}
}
2012-05-03 10:13:56 +08:00
// Pointer arithmetic, returning an ElementRegion.
void * radar11329382 ( unsigned bl ) {
void * ptr = malloc ( 16 ) ;
ptr = ptr + ( 2 - bl ) ;
return ptr ; // no warning
}
2012-05-02 05:10:29 +08:00
void __assert_rtn ( const char * , const char * , int , const char * ) __attribute__ ( ( __noreturn__ ) ) ;
int strcmp ( const char * , const char * ) ;
char * a ( void ) ;
void radar11270219 ( void ) {
char * x = a ( ) , * y = a ( ) ;
( __builtin_expect ( ! ( x & & y ) , 0 ) ? __assert_rtn ( __func__ , " /Users/zaks/tmp/ex.c " , 24 , " x && y " ) : ( void ) 0 ) ;
strcmp ( x , y ) ; // no warning
}
2012-05-02 08:05:20 +08:00
void radar_11358224_test_double_assign_ints_positive_2 ( )
{
void * ptr = malloc ( 16 ) ;
2012-11-16 03:11:43 +08:00
ptr = ptr ;
} // expected-warning {{leak}}
2012-05-02 08:05:20 +08:00
2012-05-04 07:50:28 +08:00
// Assume that functions which take a function pointer can free memory even if
// they are defined in system headers and take the const pointer to the
// allocated memory. (radar://11160612)
int const_ptr_and_callback ( int , const char * , int n , void ( * ) ( void * ) ) ;
void r11160612_1 ( ) {
char * x = malloc ( 12 ) ;
const_ptr_and_callback ( 0 , x , 12 , free ) ; // no - warning
}
// Null is passed as callback.
void r11160612_2 ( ) {
char * x = malloc ( 12 ) ;
2012-11-16 03:11:43 +08:00
const_ptr_and_callback ( 0 , x , 12 , 0 ) ;
} // expected-warning {{leak}}
2012-05-04 07:50:28 +08:00
// Callback is passed to a function defined in a system header.
void r11160612_4 ( ) {
char * x = malloc ( 12 ) ;
sqlite3_bind_text_my ( 0 , x , 12 , free ) ; // no - warning
}
2012-05-04 07:50:33 +08:00
// Passing callbacks in a struct.
void r11160612_5 ( StWithCallback St ) {
void * x = malloc ( 12 ) ;
dealocateMemWhenDoneByVal ( x , St ) ;
}
void r11160612_6 ( StWithCallback St ) {
void * x = malloc ( 12 ) ;
dealocateMemWhenDoneByRef ( & St , x ) ;
}
2012-05-05 01:37:16 +08:00
int mySub ( int , int ) ;
int myAdd ( int , int ) ;
int fPtr ( unsigned cond , int x ) {
return ( cond ? mySub : myAdd ) ( x , x ) ;
}
2012-06-07 11:57:32 +08:00
// Test anti-aliasing.
2012-02-12 05:02:40 +08:00
2012-02-10 09:11:03 +08:00
void dependsOnValueOfPtr ( int * g , unsigned f ) {
int * p ;
if ( f ) {
p = g ;
} else {
p = malloc ( 12 ) ;
}
if ( p ! = g )
free ( p ) ;
else
2012-06-07 11:57:32 +08:00
return ; // no warning
2012-02-10 09:11:03 +08:00
return ;
}
2012-06-07 11:57:32 +08:00
int CMPRegionHeapToStack ( ) {
int x = 0 ;
int * x1 = malloc ( 8 ) ;
int * x2 = & x ;
2012-06-08 08:04:40 +08:00
clang_analyzer_eval ( x1 = = x2 ) ; // expected-warning{{FALSE}}
2012-06-07 11:57:32 +08:00
free ( x1 ) ;
return x ;
}
int CMPRegionHeapToHeap2 ( ) {
int x = 0 ;
int * x1 = malloc ( 8 ) ;
int * x2 = malloc ( 8 ) ;
int * x4 = x1 ;
int * x5 = x2 ;
2012-06-08 08:04:40 +08:00
clang_analyzer_eval ( x4 = = x5 ) ; // expected-warning{{FALSE}}
2012-06-07 11:57:32 +08:00
free ( x1 ) ;
free ( x2 ) ;
return x ;
}
int CMPRegionHeapToHeap ( ) {
int x = 0 ;
int * x1 = malloc ( 8 ) ;
int * x4 = x1 ;
if ( x1 = = x4 ) {
free ( x1 ) ;
return 5 / x ; // expected-warning{{Division by zero}}
}
return x ; // expected-warning{{This statement is never executed}}
}
int HeapAssignment ( ) {
int m = 0 ;
int * x = malloc ( 4 ) ;
int * y = x ;
* x = 5 ;
2012-06-08 08:04:40 +08:00
clang_analyzer_eval ( * x ! = * y ) ; // expected-warning{{FALSE}}
2012-06-07 11:57:32 +08:00
free ( x ) ;
return 0 ;
}
2012-06-08 04:18:08 +08:00
int * retPtr ( ) ;
int * retPtrMightAlias ( int * x ) ;
int cmpHeapAllocationToUnknown ( ) {
int zero = 0 ;
int * yBefore = retPtr ( ) ;
int * m = malloc ( 8 ) ;
int * yAfter = retPtrMightAlias ( m ) ;
2012-06-08 08:04:40 +08:00
clang_analyzer_eval ( yBefore = = m ) ; // expected-warning{{FALSE}}
clang_analyzer_eval ( yAfter = = m ) ; // expected-warning{{FALSE}}
2012-06-08 04:18:08 +08:00
free ( m ) ;
return 0 ;
}
2013-03-21 04:35:57 +08:00
void localArrayTest ( ) {
char * p = ( char * ) malloc ( 12 ) ;
char * ArrayL [ 12 ] ;
ArrayL [ 0 ] = p ;
} // expected-warning {{leak}}
void localStructTest ( ) {
StructWithPtr St ;
StructWithPtr * pSt = & St ;
pSt - > memP = malloc ( 12 ) ;
2013-04-06 08:41:36 +08:00
} // expected-warning{{Potential leak of memory pointed to by}}
2013-03-21 04:35:57 +08:00
2012-11-27 10:37:49 +08:00
# ifdef __INTPTR_TYPE__
2012-05-02 05:58:29 +08:00
// Test double assignment through integers.
2012-11-27 10:37:49 +08:00
typedef __INTPTR_TYPE__ intptr_t ;
typedef unsigned __INTPTR_TYPE__ uintptr_t ;
static intptr_t glob ;
2012-05-02 05:58:29 +08:00
void test_double_assign_ints ( )
{
void * ptr = malloc ( 16 ) ; // no-warning
2012-11-27 10:37:49 +08:00
glob = ( intptr_t ) ( uintptr_t ) ptr ;
2012-05-02 05:58:29 +08:00
}
void test_double_assign_ints_positive ( )
{
void * ptr = malloc ( 16 ) ;
2012-11-27 10:37:49 +08:00
( void * ) ( intptr_t ) ( uintptr_t ) ptr ; // expected-warning {{unused}}
2012-11-16 03:11:43 +08:00
} // expected-warning {{leak}}
2012-11-27 10:37:49 +08:00
# endif
2012-06-16 08:09:20 +08:00
void testCGContextNoLeak ( )
{
void * ptr = malloc ( 16 ) ;
CGContextRef context = CGBitmapContextCreate ( ptr ) ;
// Because you can get the data back out like this, even much later,
// CGBitmapContextCreate is one of our "stop-tracking" exceptions.
free ( CGBitmapContextGetData ( context ) ) ;
}
void testCGContextLeak ( )
{
void * ptr = malloc ( 16 ) ;
CGContextRef context = CGBitmapContextCreate ( ptr ) ;
// However, this time we're just leaking the data, because the context
// object doesn't escape and it hasn't been freed in this function.
}
2012-06-21 07:35:57 +08:00
// Allow xpc context to escape. radar://11635258
// TODO: Would be great if we checked that the finalize_connection_context actually releases it.
static void finalize_connection_context ( void * ctx ) {
int * context = ctx ;
free ( context ) ;
}
void foo ( xpc_connection_t peer ) {
int * ctx = calloc ( 1 , sizeof ( int ) ) ;
xpc_connection_set_context ( peer , ctx ) ;
xpc_connection_set_finalizer_f ( peer , finalize_connection_context ) ;
xpc_connection_resume ( peer ) ;
}
2012-08-04 02:30:18 +08:00
// Make sure we catch errors when we free in a function which does not allocate memory.
void freeButNoMalloc ( int * p , int x ) {
if ( x ) {
free ( p ) ;
//user forgot a return here.
}
free ( p ) ; // expected-warning {{Attempt to free released memory}}
}
2012-08-04 10:04:27 +08:00
struct HasPtr {
2012-08-24 10:28:20 +08:00
char * p ;
2012-08-04 10:04:27 +08:00
} ;
2012-08-24 10:28:20 +08:00
char * reallocButNoMalloc ( struct HasPtr * a , int c , int size ) {
2012-08-04 10:04:27 +08:00
int * s ;
2012-08-24 10:28:20 +08:00
char * b = realloc ( a - > p , size ) ;
char * m = realloc ( a - > p , size ) ; // expected-warning {{Attempt to free released memory}}
2015-09-17 06:03:05 +08:00
// We don't expect a use-after-free for a->P here because the warning above
// is a sink.
return a - > p ; // no-warning
2012-08-04 10:04:27 +08:00
}
2012-08-09 02:23:31 +08:00
2012-08-24 10:28:20 +08:00
// We should not warn in this case since the caller will presumably free a->p in all cases.
int reallocButNoMallocPR13674 ( struct HasPtr * a , int c , int size ) {
int * s ;
char * b = realloc ( a - > p , size ) ;
if ( b = = 0 )
return - 1 ;
a - > p = b ;
return 0 ;
}
2012-09-13 06:57:34 +08:00
// Test realloc with no visible malloc.
void * test ( void * ptr ) {
void * newPtr = realloc ( ptr , 4 ) ;
if ( newPtr = = 0 ) {
if ( ptr )
free ( ptr ) ; // no-warning
}
return newPtr ;
}
2012-11-16 03:11:27 +08:00
char * testLeakWithinReturn ( char * str ) {
return strdup ( strdup ( str ) ) ; // expected-warning{{leak}}
}
2016-03-08 09:21:51 +08:00
char * testWinLeakWithinReturn ( char * str ) {
return _strdup ( _strdup ( str ) ) ; // expected-warning{{leak}}
}
wchar_t * testWinWideLeakWithinReturn ( wchar_t * str ) {
return _wcsdup ( _wcsdup ( str ) ) ; // expected-warning{{leak}}
}
2013-02-08 07:05:43 +08:00
void passConstPtr ( const char * ptr ) ;
void testPassConstPointer ( ) {
char * string = malloc ( sizeof ( char ) * 10 ) ;
passConstPtr ( string ) ;
return ; // expected-warning {{leak}}
}
void testPassConstPointerIndirectly ( ) {
char * p = malloc ( 1 ) ;
p + + ;
memcmp ( p , p , sizeof ( & p ) ) ;
return ; // expected-warning {{leak}}
}
void testPassConstPointerIndirectlyStruct ( ) {
struct HasPtr hp ;
hp . p = malloc ( 10 ) ;
memcmp ( & hp , & hp , sizeof ( hp ) ) ;
2013-04-06 08:41:36 +08:00
return ; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
2013-02-08 07:05:43 +08:00
}
void testPassToSystemHeaderFunctionIndirectlyStruct ( ) {
SomeStruct ss ;
ss . p = malloc ( 1 ) ;
[analyzer] Indirect invalidation counts as an escape for leak checkers.
Consider this example:
char *p = malloc(sizeof(char));
systemFunction(&p);
free(p);
In this case, when we call systemFunction, we know (because it's a system
function) that it won't free 'p'. However, we /don't/ know whether or not
it will /change/ 'p', so the analyzer is forced to invalidate 'p', wiping
out any bindings it contains. But now the malloc'd region looks like a
leak, since there are no more bindings pointing to it, and we'll get a
spurious leak warning.
The fix for this is to notice when something is becoming inaccessible due
to invalidation (i.e. an imperfect model, as opposed to being explicitly
overwritten) and stop tracking it at that point. Currently, the best way
to determine this for a call is the "indirect escape" pointer-escape kind.
In practice, all the patch does is take the "system functions don't free
memory" special case and limit it to direct parameters, i.e. just the
arguments to a call and not other regions accessible to them. This is a
conservative change that should only cause us to escape regions more
eagerly, which means fewer leak warnings.
This isn't perfect for several reasons, the main one being that this
example is treated the same as the one above:
char **p = malloc(sizeof(char *));
systemFunction(p + 1);
// leak
Currently, "addresses accessible by offsets of the starting region" and
"addresses accessible through bindings of the starting region" are both
considered "indirect" regions, hence this uniform treatment.
Another issue is our longstanding problem of not distinguishing const and
non-const bindings; if in the first example systemFunction's parameter were
a char * const *, we should know that the function will not overwrite 'p',
and thus we can safely report the leak.
<rdar://problem/13758386>
llvm-svn: 181607
2013-05-11 01:07:16 +08:00
fakeSystemHeaderCall ( & ss ) ; // invalidates ss, making ss.p unreachable
// Technically a false negative here -- we know the system function won't free
// ss.p, but nothing else will either!
} // no-warning
void testPassToSystemHeaderFunctionIndirectlyStructFree ( ) {
SomeStruct ss ;
ss . p = malloc ( 1 ) ;
fakeSystemHeaderCall ( & ss ) ; // invalidates ss, making ss.p unreachable
free ( ss . p ) ;
} // no-warning
void testPassToSystemHeaderFunctionIndirectlyArray ( ) {
int * p [ 1 ] ;
p [ 0 ] = malloc ( sizeof ( int ) ) ;
fakeSystemHeaderCallIntPtr ( p ) ; // invalidates p, making p[0] unreachable
// Technically a false negative here -- we know the system function won't free
// p[0], but nothing else will either!
} // no-warning
void testPassToSystemHeaderFunctionIndirectlyArrayFree ( ) {
int * p [ 1 ] ;
p [ 0 ] = malloc ( sizeof ( int ) ) ;
fakeSystemHeaderCallIntPtr ( p ) ; // invalidates p, making p[0] unreachable
free ( p [ 0 ] ) ;
} // no-warning
2013-02-06 08:01:14 +08:00
2013-02-08 07:05:47 +08:00
int * testOffsetAllocate ( size_t size ) {
int * memoryBlock = ( int * ) malloc ( size + sizeof ( int ) ) ;
return & memoryBlock [ 1 ] ; // no-warning
}
void testOffsetDeallocate ( int * memoryBlock ) {
free ( & memoryBlock [ - 1 ] ) ; // no-warning
}
void testOffsetOfRegionFreed ( ) {
__int64_t * array = malloc ( sizeof ( __int64_t ) * 2 ) ;
array + = 1 ;
free ( & array [ 0 ] ) ; // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
}
void testOffsetOfRegionFreed2 ( ) {
__int64_t * p = malloc ( sizeof ( __int64_t ) * 2 ) ;
p + = 1 ;
free ( p ) ; // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
}
void testOffsetOfRegionFreed3 ( ) {
char * r = malloc ( sizeof ( char ) ) ;
r = r - 10 ;
free ( r ) ; // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
}
void testOffsetOfRegionFreedAfterFunctionCall ( ) {
int * p = malloc ( sizeof ( int ) * 2 ) ;
p + = 1 ;
myfoo ( p ) ;
2013-04-09 08:30:28 +08:00
free ( p ) ; // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
2013-02-08 07:05:47 +08:00
}
void testFixManipulatedPointerBeforeFree ( ) {
int * array = malloc ( sizeof ( int ) * 2 ) ;
array + = 1 ;
free ( & array [ - 1 ] ) ; // no-warning
}
void testFixManipulatedPointerBeforeFree2 ( ) {
char * r = malloc ( sizeof ( char ) ) ;
r = r + 10 ;
free ( r - 10 ) ; // no-warning
}
void freeOffsetPointerPassedToFunction ( ) {
__int64_t * p = malloc ( sizeof ( __int64_t ) * 2 ) ;
p [ 1 ] = 0 ;
p + = 1 ;
myfooint ( * p ) ; // not passing the pointer, only a value pointed by pointer
free ( p ) ; // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
}
int arbitraryInt ( ) ;
void freeUnknownOffsetPointer ( ) {
char * r = malloc ( sizeof ( char ) ) ;
r = r + arbitraryInt ( ) ; // unable to reason about what the offset might be
free ( r ) ; // no-warning
}
void testFreeNonMallocPointerWithNoOffset ( ) {
char c ;
char * r = & c ;
r = r + 10 ;
free ( r - 10 ) ; // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
}
void testFreeNonMallocPointerWithOffset ( ) {
char c ;
char * r = & c ;
free ( r + 1 ) ; // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
}
void testOffsetZeroDoubleFree ( ) {
int * array = malloc ( sizeof ( int ) * 2 ) ;
int * p = & array [ 0 ] ;
free ( p ) ;
free ( & array [ 0 ] ) ; // expected-warning{{Attempt to free released memory}}
}
void testOffsetPassedToStrlen ( ) {
char * string = malloc ( sizeof ( char ) * 10 ) ;
string + = 1 ;
2013-04-06 08:41:36 +08:00
int length = strlen ( string ) ; // expected-warning {{Potential leak of memory pointed to by 'string'}}
2013-02-08 07:05:47 +08:00
}
void testOffsetPassedToStrlenThenFree ( ) {
char * string = malloc ( sizeof ( char ) * 10 ) ;
string + = 1 ;
int length = strlen ( string ) ;
free ( string ) ; // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
}
void testOffsetPassedAsConst ( ) {
char * string = malloc ( sizeof ( char ) * 10 ) ;
string + = 1 ;
passConstPtr ( string ) ;
free ( string ) ; // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
}
2013-02-06 08:01:14 +08:00
2013-03-16 07:34:29 +08:00
char * * _vectorSegments ;
int _nVectorSegments ;
void poolFreeC ( void * s ) {
free ( s ) ; // no-warning
}
void freeMemory ( ) {
while ( _nVectorSegments ) {
poolFreeC ( _vectorSegments [ _nVectorSegments + + ] ) ;
}
}
2013-03-21 04:35:57 +08:00
[analyzer] If realloc fails on an escaped region, that region doesn't leak.
When a region is realloc()ed, MallocChecker records whether it was known
to be allocated or not. If it is, and the reallocation fails, the original
region has to be freed. Previously, when an allocated region escaped,
MallocChecker completely stopped tracking it, so a failed reallocation
still (correctly) wouldn't require freeing the original region. Recently,
however, MallocChecker started tracking escaped symbols, so that if it were
freed we could check that the deallocator matched the allocator. This
broke the reallocation model for whether or not a symbol was allocated.
Now, MallocChecker will actually check if a symbol is owned, and only
require freeing after a failed reallocation if it was owned before.
PR16730
llvm-svn: 188468
2013-08-16 01:22:06 +08:00
// PR16730
void testReallocEscaped ( void * * memory ) {
* memory = malloc ( 47 ) ;
char * new_memory = realloc ( * memory , 47 ) ;
if ( new_memory ! = 0 ) {
* memory = new_memory ;
}
}
2013-08-20 00:27:34 +08:00
// PR16558
void * smallocNoWarn ( size_t size ) {
if ( size = = 0 ) {
return malloc ( 1 ) ; // this branch is never called
2018-07-13 21:44:44 +08:00
}
2013-08-20 00:27:34 +08:00
else {
return malloc ( size ) ;
}
}
char * dupstrNoWarn ( const char * s ) {
const int len = strlen ( s ) ;
char * p = ( char * ) smallocNoWarn ( len + 1 ) ;
strcpy ( p , s ) ; // no-warning
return p ;
}
void * smallocWarn ( size_t size ) {
if ( size = = 2 ) {
return malloc ( 1 ) ;
}
else {
return malloc ( size ) ;
}
}
2013-12-07 03:28:16 +08:00
int * radar15580979 ( ) {
int * data = ( int * ) malloc ( 32 ) ;
int * p = data ? : ( int * ) malloc ( 32 ) ; // no warning
return p ;
}
2015-10-28 04:19:45 +08:00
// Some data structures may hold onto the pointer and free it later.
void testEscapeThroughSystemCallTakingVoidPointer1 ( void * queue ) {
int * data = ( int * ) malloc ( 32 ) ;
fake_insque ( queue , data ) ; // no warning
}
void testEscapeThroughSystemCallTakingVoidPointer2 ( fake_rb_tree_t * rbt ) {
int * data = ( int * ) malloc ( 32 ) ;
fake_rb_tree_init ( rbt , data ) ;
} //expected-warning{{Potential leak}}
void testEscapeThroughSystemCallTakingVoidPointer3 ( fake_rb_tree_t * rbt ) {
int * data = ( int * ) malloc ( 32 ) ;
fake_rb_tree_init ( rbt , data ) ;
fake_rb_tree_insert_node ( rbt , data ) ; // no warning
}
2016-04-25 22:44:25 +08:00
struct IntAndPtr {
int x ;
int * p ;
} ;
void constEscape ( const void * ptr ) ;
void testConstEscapeThroughAnotherField ( ) {
struct IntAndPtr s ;
s . p = malloc ( sizeof ( int ) ) ;
2019-04-04 02:21:16 +08:00
constEscape ( & ( s . x ) ) ; // could free s->p!
} // no-warning
2016-04-25 22:44:25 +08:00
2016-12-25 08:57:51 +08:00
// PR15623
int testNoCheckerDataPropogationFromLogicalOpOperandToOpResult ( void ) {
char * param = malloc ( 10 ) ;
char * value = malloc ( 10 ) ;
int ok = ( param & & value ) ;
free ( param ) ;
free ( value ) ;
// Previously we ended up with 'Use of memory after it is freed' on return.
return ok ; // no warning
}
2017-05-02 19:46:12 +08:00
void ( * fnptr ) ( int ) ;
void freeIndirectFunctionPtr ( ) {
void * p = ( void * ) fnptr ;
free ( p ) ; // expected-warning {{Argument to free() is a function pointer}}
}
void freeFunctionPtr ( ) {
free ( ( void * ) fnptr ) ; // expected-warning {{Argument to free() is a function pointer}}
}
2018-01-25 06:17:30 +08:00
void allocateSomeMemory ( void * offendingParameter , void * * ptr ) {
* ptr = malloc ( 1 ) ;
}
void testNoCrashOnOffendingParameter ( ) {
2018-07-13 21:44:44 +08:00
// "extern" is necessary to avoid unrelated warnings
2018-01-25 06:17:30 +08:00
// on passing uninitialized value.
extern void * offendingParameter ;
void * ptr ;
allocateSomeMemory ( offendingParameter , & ptr ) ;
} // expected-warning {{Potential leak of memory pointed to by 'ptr'}}
2019-02-07 07:56:43 +08:00
// Test a false positive caused by a bug in liveness analysis.
struct A {
int * buf ;
} ;
struct B {
struct A * a ;
} ;
void livenessBugRealloc ( struct A * a ) {
a - > buf = realloc ( a - > buf , sizeof ( int ) ) ; // no-warning
}
void testLivenessBug ( struct B * in_b ) {
struct B * b = in_b ;
livenessBugRealloc ( b - > a ) ;
( ( void ) 0 ) ; // An attempt to trick liveness analysis.
livenessBugRealloc ( b - > a ) ;
}
2019-04-04 02:21:16 +08:00
struct ListInfo {
struct ListInfo * next ;
} ;
struct ConcreteListItem {
struct ListInfo li ;
int i ;
} ;
void list_add ( struct ListInfo * list , struct ListInfo * item ) ;
void testCStyleListItems ( struct ListInfo * list ) {
struct ConcreteListItem * x = malloc ( sizeof ( struct ConcreteListItem ) ) ;
list_add ( list , & x - > li ) ; // will free 'x'.
}
[analyzer][MallocChecker] When modeling realloc-like functions, don't early return if the argument is symbolic
The very essence of MallocChecker lies in 2 overload sets: the FreeMemAux
functions and the MallocMemAux functions. The former houses most of the error
checking as well (aside from leaks), such as incorrect deallocation. There, we
check whether the argument's MemSpaceRegion is the heap or unknown, and if it
isn't, we know we encountered a bug (aside from a corner case patched by
@balazske in D76830), as specified by MEM34-C.
In ReallocMemAux, which really is the combination of FreeMemAux and
MallocMemAux, we incorrectly early returned if the memory argument of realloc is
non-symbolic. The problem is, one of the cases where this happens when we know
precisely what the region is, like an array, as demonstrated in the test file.
So, lets get rid of this false negative :^)
Side note, I dislike the warning message and the associated checker name, but
I'll address it in a later patch.
Differential Revision: https://reviews.llvm.org/D79415
2020-05-05 20:55:37 +08:00
// MEM34-C. Only free memory allocated dynamically
// Second non-compliant example.
// https://wiki.sei.cmu.edu/confluence/display/c/MEM34-C.+Only+free+memory+allocated+dynamically
enum { BUFSIZE = 256 } ;
void MEM34_C ( void ) {
char buf [ BUFSIZE ] ;
char * p = ( char * ) realloc ( buf , 2 * BUFSIZE ) ;
/ / expected - warning @ - 1 { { Argument to realloc ( ) is the address of the local \
variable ' buf ' , which is not memory allocated by malloc ( ) [ unix . Malloc ] } }
if ( p = = NULL ) {
/* Handle error */
}
}
2020-05-21 07:54:11 +08:00
( * crash_a ) ( ) ; // expected-warning{{type specifier missing}}
2020-05-21 07:03:31 +08:00
// A CallEvent without a corresponding FunctionDecl.
crash_b ( ) { crash_a ( ) ; } // no-crash
2020-05-21 07:54:11 +08:00
// expected-warning@-1{{type specifier missing}} expected-warning@-1{{non-void}}
2020-05-21 07:03:31 +08:00
2020-06-02 04:03:05 +08:00
long * global_a ;
void realloc_crash ( ) {
long * c = global_a ;
c - - ;
realloc ( c , 8 ) ; // no-crash
} // expected-warning{{Potential memory leak [unix.Malloc]}}
2013-03-21 04:35:57 +08:00
// ----------------------------------------------------------------------------
// False negatives.
void testMallocWithParam ( int * * p ) {
* p = ( int * ) malloc ( sizeof ( int ) ) ;
* p = 0 ; // FIXME: should warn here
}
void testMallocWithParam_2 ( int * * p ) {
* p = ( int * ) malloc ( sizeof ( int ) ) ; // no-warning
}
[analyzer] Indirect invalidation counts as an escape for leak checkers.
Consider this example:
char *p = malloc(sizeof(char));
systemFunction(&p);
free(p);
In this case, when we call systemFunction, we know (because it's a system
function) that it won't free 'p'. However, we /don't/ know whether or not
it will /change/ 'p', so the analyzer is forced to invalidate 'p', wiping
out any bindings it contains. But now the malloc'd region looks like a
leak, since there are no more bindings pointing to it, and we'll get a
spurious leak warning.
The fix for this is to notice when something is becoming inaccessible due
to invalidation (i.e. an imperfect model, as opposed to being explicitly
overwritten) and stop tracking it at that point. Currently, the best way
to determine this for a call is the "indirect escape" pointer-escape kind.
In practice, all the patch does is take the "system functions don't free
memory" special case and limit it to direct parameters, i.e. just the
arguments to a call and not other regions accessible to them. This is a
conservative change that should only cause us to escape regions more
eagerly, which means fewer leak warnings.
This isn't perfect for several reasons, the main one being that this
example is treated the same as the one above:
char **p = malloc(sizeof(char *));
systemFunction(p + 1);
// leak
Currently, "addresses accessible by offsets of the starting region" and
"addresses accessible through bindings of the starting region" are both
considered "indirect" regions, hence this uniform treatment.
Another issue is our longstanding problem of not distinguishing const and
non-const bindings; if in the first example systemFunction's parameter were
a char * const *, we should know that the function will not overwrite 'p',
and thus we can safely report the leak.
<rdar://problem/13758386>
llvm-svn: 181607
2013-05-11 01:07:16 +08:00
void testPassToSystemHeaderFunctionIndirectly ( ) {
int * p = malloc ( 4 ) ;
p + + ;
fakeSystemHeaderCallInt ( p ) ;
// FIXME: This is a leak: if we think a system function won't free p, it
// won't free (p-1) either.
}
2016-04-25 22:44:25 +08:00
void testMallocIntoMalloc ( ) {
StructWithPtr * s = malloc ( sizeof ( StructWithPtr ) ) ;
s - > memP = malloc ( sizeof ( int ) ) ;
free ( s ) ;
} // FIXME: should warn here