1 // RUN: %clang_cc1 -analyze -analyzer-checker=unix.Malloc -analyzer-inline-max-stack-depth=5 -verify %s
2 
3 #include "Inputs/system-header-simulator.h"
4 
5 void *malloc(size_t);
6 void *valloc(size_t);
7 void free(void *);
8 void *realloc(void *ptr, size_t size);
9 void *reallocf(void *ptr, size_t size);
10 void *calloc(size_t nmemb, size_t size);
11 
12 void exit(int) __attribute__ ((__noreturn__));
13 void *memcpy(void * restrict s1, const void * restrict s2, size_t n);
14 size_t strlen(const char *);
15 
my_malloc1(void ** d,size_t size)16 static void my_malloc1(void **d, size_t size) {
17   *d = malloc(size);
18 }
19 
my_malloc2(int elevel,size_t size)20 static void *my_malloc2(int elevel, size_t size) {
21   void     *data;
22   data = malloc(size);
23   if (data == 0)
24     exit(0);
25   return data;
26 }
27 
my_free1(void * p)28 static void my_free1(void *p) {
29   free(p);
30 }
31 
test1()32 static void test1() {
33   void *data = 0;
34   my_malloc1(&data, 4);
35 } // expected-warning {{Potential leak of memory pointed to by 'data'}}
36 
test11()37 static void test11() {
38   void *data = 0;
39   my_malloc1(&data, 4);
40   my_free1(data);
41 }
42 
testUniqueingByallocationSiteInTopLevelFunction()43 static void testUniqueingByallocationSiteInTopLevelFunction() {
44   void *data = my_malloc2(1, 4);
45   data = 0;
46   int x = 5;// expected-warning {{Potential leak of memory pointed to by 'data'}}
47   data = my_malloc2(1, 4);
48 } // expected-warning {{Potential leak of memory pointed to by 'data'}}
49 
test3()50 static void test3() {
51   void *data = my_malloc2(1, 4);
52   free(data);
53   data = my_malloc2(1, 4);
54   free(data);
55 }
56 
test4()57 int test4() {
58   int *data = (int*)my_malloc2(1, 4);
59   my_free1(data);
60   data = (int *)my_malloc2(1, 4);
61   my_free1(data);
62   return *data; // expected-warning {{Use of memory after it is freed}}
63 }
64 
test6()65 void test6() {
66   int *data = (int *)my_malloc2(1, 4);
67   my_free1((int*)data);
68   my_free1((int*)data); // expected-warning{{Use of memory after it is freed}}
69 }
70 
71 // TODO: We should warn here.
test5()72 void test5() {
73   int *data;
74   my_free1((int*)data);
75 }
76 
reshape(char * in)77 static char *reshape(char *in) {
78     return 0;
79 }
80 
testThatRemoveDeadBindingsRunBeforeEachCall()81 void testThatRemoveDeadBindingsRunBeforeEachCall() {
82     char *v = malloc(12);
83     v = reshape(v);
84     v = reshape(v);// expected-warning {{Potential leak of memory pointed to by 'v'}}
85 }
86 
87 // Test that we keep processing after 'return;'
fooWithEmptyReturn(int x)88 void fooWithEmptyReturn(int x) {
89   if (x)
90     return;
91   x++;
92   return;
93 }
94 
uafAndCallsFooWithEmptyReturn()95 int uafAndCallsFooWithEmptyReturn() {
96   int *x = (int*)malloc(12);
97   free(x);
98   fooWithEmptyReturn(12);
99   return *x; // expected-warning {{Use of memory after it is freed}}
100 }
101 
102 
103 // If we inline any of the malloc-family functions, the checker shouldn't also
104 // try to do additional modeling. <rdar://problem/12317671>
strndup(const char * str,size_t n)105 char *strndup(const char *str, size_t n) {
106   if (!str)
107     return 0;
108 
109   // DO NOT FIX. This is to test that we are actually using the inlined
110   // behavior!
111   if (n < 5)
112     return 0;
113 
114   size_t length = strlen(str);
115   if (length < n)
116     n = length;
117 
118   char *result = malloc(n + 1);
119   memcpy(result, str, n);
120   result[n] = '\0';
121   return result;
122 }
123 
useStrndup(size_t n)124 void useStrndup(size_t n) {
125   if (n == 0) {
126     (void)strndup(0, 20); // no-warning
127     return;
128   } else if (n < 5) {
129     (void)strndup("hi there", n); // no-warning
130     return;
131   } else {
132     (void)strndup("hi there", n);
133     return; // expected-warning{{leak}}
134   }
135 }
136