malloc.c source code [clang_source_code/test/Analysis/malloc.c]

1	// RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \
2	// RUN: -analyzer-checker=core \
3	// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
4	// RUN: -analyzer-checker=alpha.core.CastSize \
5	// RUN: -analyzer-checker=unix.Malloc \
6	// RUN: -analyzer-checker=debug.ExprInspection
7
8	#include "Inputs/system-header-simulator.h"
9
10	void clang_analyzer_eval(int);
11
12	// Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
13	// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
14	// the builtin type: "Using the typedef version can cause portability
15	// problems", but we're ok here because we're not actually running anything.
16	// Also of note is this cryptic warning: "The wchar_t type is not supported
17	// when you compile C code".
18	//
19	// See the docs for more:
20	// https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
21	#if !defined(_WCHAR_T_DEFINED)
22	// "Microsoft implements wchar_t as a two-byte unsigned value"
23	typedef unsigned short wchar_t;
24	#define _WCHAR_T_DEFINED
25	#endif // !defined(_WCHAR_T_DEFINED)
26
27	typedef __typeof(sizeof(int)) size_t;
28	void *malloc(size_t);
29	void *alloca(size_t);
30	void *valloc(size_t);
31	void free(void *);
32	void realloc(void ptr, size_t size);
33	void reallocf(void ptr, size_t size);
34	void *calloc(size_t nmemb, size_t size);
35	char strdup(const char s);
36	wchar_t wcsdup(const wchar_t s);
37	char strndup(const char s, size_t n);
38	int memcmp(const void s1, const void s2, size_t n);
39
40	// Windows variants
41	char _strdup(const char strSource);
42	wchar_t _wcsdup(const wchar_t strSource);
43	void *_alloca(size_t size);
44
45	void myfoo(int *p);
46	void myfooint(int p);
47	char *fooRetPtr();
48
49	void f1() {
50	int *p = malloc(12);
51	return; // expected-warning{{Potential leak of memory pointed to by 'p'}}
52	}
53
54	void f2() {
55	int *p = malloc(12);
56	free(p);
57	free(p); // expected-warning{{Attempt to free released memory}}
58	}
59
60	void f2_realloc_0() {
61	int *p = malloc(12);
62	realloc(p,0);
63	realloc(p,0); // expected-warning{{Attempt to free released memory}}
64	}
65
66	void f2_realloc_1() {
67	int *p = malloc(12);
68	int *q = realloc(p,0); // no-warning
69	}
70
71	void reallocNotNullPtr(unsigned sizeIn) {
72	unsigned size = 12;
73	char p = (char)malloc(size);
74	if (p) {
75	char q = (char)realloc(p, sizeIn);
76	char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
77	}
78	}
79
80	void allocaTest() {
81	int *p = alloca(sizeof(int));
82	} // no warn
83
84	void winAllocaTest() {
85	int *p = _alloca(sizeof(int));
86	} // no warn
87
88	void allocaBuiltinTest() {
89	int *p = __builtin_alloca(sizeof(int));
90	} // no warn
91
92	int *realloctest1() {
93	int *q = malloc(12);
94	q = realloc(q, 20);
95	return q; // no warning - returning the allocated value
96	}
97
98	// p should be freed if realloc fails.
99	void reallocFails() {
100	char *p = malloc(12);
101	char *r = realloc(p, 12+1);
102	if (!r) {
103	free(p);
104	} else {
105	free(r);
106	}
107	}
108
109	void reallocSizeZero1() {
110	char *p = malloc(12);
111	char *r = realloc(p, 0);
112	if (!r) {
113	free(p); // expected-warning {{Attempt to free released memory}}
114	} else {
115	free(r);
116	}
117	}
118
119	void reallocSizeZero2() {
120	char *p = malloc(12);
121	char *r = realloc(p, 0);
122	if (!r) {
123	free(p); // expected-warning {{Attempt to free released memory}}
124	} else {
125	free(r);
126	}
127	free(p); // expected-warning {{Attempt to free released memory}}
128	}
129
130	void reallocSizeZero3() {
131	char *p = malloc(12);
132	char *r = realloc(p, 0);
133	free(r);
134	}
135
136	void reallocSizeZero4() {
137	char *r = realloc(0, 0);
138	free(r);
139	}
140
141	void reallocSizeZero5() {
142	char *r = realloc(0, 0);
143	}
144
145	void reallocPtrZero1() {
146	char *r = realloc(0, 12);
147	} // expected-warning {{Potential leak of memory pointed to by 'r'}}
148
149	void reallocPtrZero2() {
150	char *r = realloc(0, 12);
151	if (r)
152	free(r);
153	}
154
155	void reallocPtrZero3() {
156	char *r = realloc(0, 12);
157	free(r);
158	}
159
160	void reallocRadar6337483_1() {
161	char *buf = malloc(100);
162	buf = (char*)realloc(buf, 0x1000000);
163	if (!buf) {
164	return;// expected-warning {{Potential leak of memory pointed to by}}
165	}
166	free(buf);
167	}
168
169	void reallocRadar6337483_2() {
170	char *buf = malloc(100);
171	char buf2 = (char)realloc(buf, 0x1000000);
172	if (!buf2) {
173	;
174	} else {
175	free(buf2);
176	}
177	} // expected-warning {{Potential leak of memory pointed to by}}
178
179	void reallocRadar6337483_3() {
180	char * buf = malloc(100);
181	char * tmp;
182	tmp = (char*)realloc(buf, 0x1000000);
183	if (!tmp) {
184	free(buf);
185	return;
186	}
187	buf = tmp;
188	free(buf);
189	}
190
191	void reallocRadar6337483_4() {
192	char *buf = malloc(100);
193	char buf2 = (char)realloc(buf, 0x1000000);
194	if (!buf2) {
195	return; // expected-warning {{Potential leak of memory pointed to by}}
196	} else {
197	free(buf2);
198	}
199	}
200
201	int *reallocfTest1() {
202	int *q = malloc(12);
203	q = reallocf(q, 20);
204	return q; // no warning - returning the allocated value
205	}
206
207	void reallocfRadar6337483_4() {
208	char *buf = malloc(100);
209	char buf2 = (char)reallocf(buf, 0x1000000);
210	if (!buf2) {
211	return; // no warning - reallocf frees even on failure
212	} else {
213	free(buf2);
214	}
215	}
216
217	void reallocfRadar6337483_3() {
218	char * buf = malloc(100);
219	char * tmp;
220	tmp = (char*)reallocf(buf, 0x1000000);
221	if (!tmp) {
222	free(buf); // expected-warning {{Attempt to free released memory}}
223	return;
224	}
225	buf = tmp;
226	free(buf);
227	}
228
229	void reallocfPtrZero1() {
230	char *r = reallocf(0, 12);
231	} // expected-warning {{Potential leak of memory pointed to by}}
232
233	//------------------- Check usage of zero-allocated memory ---------------------
234	void CheckUseZeroAllocatedNoWarn1() {
235	int *p = malloc(0);
236	free(p); // no warning
237	}
238
239	void CheckUseZeroAllocatedNoWarn2() {
240	int *p = alloca(0); // no warning
241	}
242
243	void CheckUseZeroWinAllocatedNoWarn2() {
244	int *p = _alloca(0); // no warning
245	}
246
247
248	void CheckUseZeroAllocatedNoWarn3() {
249	int *p = malloc(0);
250	int *q = realloc(p, 8); // no warning
251	free(q);
252	}
253
254	void CheckUseZeroAllocatedNoWarn4() {
255	int *p = realloc(0, 8);
256	*p = 1; // no warning
257	free(p);
258	}
259
260	void CheckUseZeroAllocated1() {
261	int *p = malloc(0);
262	*p = 1; // expected-warning {{Use of zero-allocated memory}}
263	free(p);
264	}
265
266	char CheckUseZeroAllocated2() {
267	char *p = alloca(0);
268	return *p; // expected-warning {{Use of zero-allocated memory}}
269	}
270
271	char CheckUseZeroWinAllocated2() {
272	char *p = _alloca(0);
273	return *p; // expected-warning {{Use of zero-allocated memory}}
274	}
275
276	void UseZeroAllocated(int *p) {
277	if (p)
278	*p = 7; // expected-warning {{Use of zero-allocated memory}}
279	}
280	void CheckUseZeroAllocated3() {
281	int *p = malloc(0);
282	UseZeroAllocated(p);
283	}
284
285	void f(char);
286	void CheckUseZeroAllocated4() {
287	char *p = valloc(0);
288	f(*p); // expected-warning {{Use of zero-allocated memory}}
289	free(p);
290	}
291
292	void CheckUseZeroAllocated5() {
293	int *p = calloc(0, 2);
294	*p = 1; // expected-warning {{Use of zero-allocated memory}}
295	free(p);
296	}
297
298	void CheckUseZeroAllocated6() {
299	int *p = calloc(2, 0);
300	*p = 1; // expected-warning {{Use of zero-allocated memory}}
301	free(p);
302	}
303
304	void CheckUseZeroAllocated7() {
305	int *p = realloc(0, 0);
306	*p = 1; // expected-warning {{Use of zero-allocated memory}}
307	free(p);
308	}
309
310	void CheckUseZeroAllocated8() {
311	int *p = malloc(8);
312	int *q = realloc(p, 0);
313	*q = 1; // expected-warning {{Use of zero-allocated memory}}
314	free(q);
315	}
316
317	void CheckUseZeroAllocated9() {
318	int *p = realloc(0, 0);
319	int *q = realloc(p, 0);
320	*q = 1; // expected-warning {{Use of zero-allocated memory}}
321	free(q);
322	}
323
324	void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
325	int s = 0;
326	if (b)
327	s= 10;
328
329	char *p = malloc(s);
330
331	if (b)
332	*p = 1; // no warning
333
334	free(p);
335	}
336
337	void CheckUseZeroAllocatedPathWarn(_Bool b) {
338	int s = 10;
339	if (b)
340	s= 0;
341
342	char *p = malloc(s);
343
344	if (b)
345	*p = 1; // expected-warning {{Use of zero-allocated memory}}
346
347	free(p);
348	}
349
350	void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
351	int s = 0;
352	if (b)
353	s= 10;
354
355	char *p = malloc(8);
356	char *q = realloc(p, s);
357
358	if (b)
359	*q = 1; // no warning
360
361	free(q);
362	}
363
364	void CheckUseZeroReallocatedPathWarn(_Bool b) {
365	int s = 10;
366	if (b)
367	s= 0;
368
369	char *p = malloc(8);
370	char *q = realloc(p, s);
371
372	if (b)
373	*q = 1; // expected-warning {{Use of zero-allocated memory}}
374
375	free(q);
376	}
377
378	// This case tests that storing malloc'ed memory to a static variable which is
379	// then returned is not leaked. In the absence of known contracts for functions
380	// or inter-procedural analysis, this is a conservative answer.
381	int *f3() {
382	static int *p = 0;
383	p = malloc(12);
384	return p; // no-warning
385	}
386
387	// This case tests that storing malloc'ed memory to a static global variable
388	// which is then returned is not leaked. In the absence of known contracts for
389	// functions or inter-procedural analysis, this is a conservative answer.
390	static int *p_f4 = 0;
391	int *f4() {
392	p_f4 = malloc(12);
393	return p_f4; // no-warning
394	}
395
396	int *f5() {
397	int *q = malloc(12);
398	q = realloc(q, 20);
399	return q; // no-warning
400	}
401
402	void f6() {
403	int *p = malloc(12);
404	if (!p)
405	return; // no-warning
406	else
407	free(p);
408	}
409
410	void f6_realloc() {
411	int *p = malloc(12);
412	if (!p)
413	return; // no-warning
414	else
415	realloc(p,0);
416	}
417
418
419	char *doit2();
420	void pr6069() {
421	char *buf = doit2();
422	free(buf);
423	}
424
425	void pr6293() {
426	free(0);
427	}
428
429	void f7() {
430	char x = (char) malloc(4);
431	free(x);
432	x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
433	}
434
435	void f8() {
436	char x = (char) malloc(4);
437	free(x);
438	char *y = strndup(x, 4); // expected-warning{{Use of memory after it is freed}}
439	}
440
441	void f7_realloc() {
442	char x = (char) malloc(4);
443	realloc(x,0);
444	x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
445	}
446
447	void PR6123() {
448	int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
449	}
450
451	void PR7217() {
452	int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
453	buf[1] = 'c'; // not crash
454	}
455
456	void cast_emtpy_struct() {
457	struct st {
458	};
459
460	struct st *s = malloc(sizeof(struct st)); // no-warning
461	free(s);
462	}
463
464	void cast_struct_1() {
465	struct st {
466	int i[100];
467	char j[];
468	};
469
470	struct st *s = malloc(sizeof(struct st)); // no-warning
471	free(s);
472	}
473
474	void cast_struct_2() {
475	struct st {
476	int i[100];
477	char j[0];
478	};
479
480	struct st *s = malloc(sizeof(struct st)); // no-warning
481	free(s);
482	}
483
484	void cast_struct_3() {
485	struct st {
486	int i[100];
487	char j[1];
488	};
489
490	struct st *s = malloc(sizeof(struct st)); // no-warning
491	free(s);
492	}
493
494	void cast_struct_4() {
495	struct st {
496	int i[100];
497	char j[2];
498	};
499
500	struct st *s = malloc(sizeof(struct st)); // no-warning
501	free(s);
502	}
503
504	void cast_struct_5() {
505	struct st {
506	char i[200];
507	char j[1];
508	};
509
510	struct st *s = malloc(sizeof(struct st) - sizeof(char)); // no-warning
511	free(s);
512	}
513
514	void cast_struct_warn_1() {
515	struct st {
516	int i[100];
517	char j[2];
518	};
519
520	struct st *s = malloc(sizeof(struct st) + 2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
521	free(s);
522	}
523
524	void cast_struct_warn_2() {
525	struct st {
526	int i[100];
527	char j[2];
528	};
529
530	struct st *s = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
531	free(s);
532	}
533
534	void cast_struct_flex_array_1() {
535	struct st {
536	int i[100];
537	char j[];
538	};
539
540	struct st *s = malloc(sizeof(struct st) + 3); // no-warning
541	free(s);
542	}
543
544	void cast_struct_flex_array_2() {
545	struct st {
546	int i[100];
547	char j[0];
548	};
549
550	struct st *s = malloc(sizeof(struct st) + 3); // no-warning
551	free(s);
552	}
553
554	void cast_struct_flex_array_3() {
555	struct st {
556	int i[100];
557	char j[1];
558	};
559
560	struct st *s = malloc(sizeof(struct st) + 3); // no-warning
561	free(s);
562	}
563
564	void cast_struct_flex_array_4() {
565	struct foo {
566	char f[32];
567	};
568	struct st {
569	char i[100];
570	struct foo data[];
571	};
572
573	struct st s = malloc(sizeof(struct st) + 3 sizeof(struct foo)); // no-warning
574	free(s);
575	}
576
577	void cast_struct_flex_array_5() {
578	struct foo {
579	char f[32];
580	};
581	struct st {
582	char i[100];
583	struct foo data[0];
584	};
585
586	struct st s = malloc(sizeof(struct st) + 3 sizeof(struct foo)); // no-warning
587	free(s);
588	}
589
590	void cast_struct_flex_array_6() {
591	struct foo {
592	char f[32];
593	};
594	struct st {
595	char i[100];
596	struct foo data[1];
597	};
598
599	struct st s = malloc(sizeof(struct st) + 3 sizeof(struct foo)); // no-warning
600	free(s);
601	}
602
603	void cast_struct_flex_array_warn_1() {
604	struct foo {
605	char f[32];
606	};
607	struct st {
608	char i[100];
609	struct foo data[];
610	};
611
612	struct st s = malloc(3 sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
613	free(s);
614	}
615
616	void cast_struct_flex_array_warn_2() {
617	struct foo {
618	char f[32];
619	};
620	struct st {
621	char i[100];
622	struct foo data[0];
623	};
624
625	struct st s = malloc(3 sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
626	free(s);
627	}
628
629	void cast_struct_flex_array_warn_3() {
630	struct foo {
631	char f[32];
632	};
633	struct st {
634	char i[100];
635	struct foo data[1];
636	};
637
638	struct st s = malloc(3 sizeof(struct st) + 3 * sizeof(struct foo)); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
639	free(s);
640	}
641
642	void cast_struct_flex_array_warn_4() {
643	struct st {
644	int i[100];
645	int j[];
646	};
647
648	struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
649	free(s);
650	}
651
652	void cast_struct_flex_array_warn_5() {
653	struct st {
654	int i[100];
655	int j[0];
656	};
657
658	struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
659	free(s);
660	}
661
662	void cast_struct_flex_array_warn_6() {
663	struct st {
664	int i[100];
665	int j[1];
666	};
667
668	struct st *s = malloc(sizeof(struct st) + 3); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
669	free(s);
670	}
671
672	void mallocCastToVoid() {
673	void *p = malloc(2);
674	const void *cp = p; // not crash
675	free(p);
676	}
677
678	void mallocCastToFP() {
679	void *p = malloc(2);
680	void (*fp)() = p; // not crash
681	free(p);
682	}
683
684	// This tests that malloc() buffers are undefined by default
685	char mallocGarbage () {
686	char *buf = malloc(2);
687	char result = buf[1]; // expected-warning{{undefined}}
688	free(buf);
689	return result;
690	}
691
692	// This tests that calloc() buffers need to be freed
693	void callocNoFree () {
694	char *buf = calloc(2,2);
695	return; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
696	}
697
698	// These test that calloc() buffers are zeroed by default
699	char callocZeroesGood () {
700	char *buf = calloc(2,2);
701	char result = buf[3]; // no-warning
702	if (buf[1] == 0) {
703	free(buf);
704	}
705	return result; // no-warning
706	}
707
708	char callocZeroesBad () {
709	char *buf = calloc(2,2);
710	char result = buf[3]; // no-warning
711	if (buf[1] != 0) {
712	free(buf); // expected-warning{{never executed}}
713	}
714	return result; // expected-warning{{Potential leak of memory pointed to by 'buf'}}
715	}
716
717	void nullFree() {
718	int *p = 0;
719	free(p); // no warning - a nop
720	}
721
722	void paramFree(int *p) {
723	myfoo(p);
724	free(p); // no warning
725	myfoo(p); // expected-warning {{Use of memory after it is freed}}
726	}
727
728	int* mallocEscapeRet() {
729	int *p = malloc(12);
730	return p; // no warning
731	}
732
733	void mallocEscapeFoo() {
734	int *p = malloc(12);
735	myfoo(p);
736	return; // no warning
737	}
738
739	void mallocEscapeFree() {
740	int *p = malloc(12);
741	myfoo(p);
742	free(p);
743	}
744
745	void mallocEscapeFreeFree() {
746	int *p = malloc(12);
747	myfoo(p);
748	free(p);
749	free(p); // expected-warning{{Attempt to free released memory}}
750	}
751
752	void mallocEscapeFreeUse() {
753	int *p = malloc(12);
754	myfoo(p);
755	free(p);
756	myfoo(p); // expected-warning{{Use of memory after it is freed}}
757	}
758
759	int *myalloc();
760	void myalloc2(int **p);
761
762	void mallocEscapeFreeCustomAlloc() {
763	int *p = malloc(12);
764	myfoo(p);
765	free(p);
766	p = myalloc();
767	free(p); // no warning
768	}
769
770	void mallocEscapeFreeCustomAlloc2() {
771	int *p = malloc(12);
772	myfoo(p);
773	free(p);
774	myalloc2(&p);
775	free(p); // no warning
776	}
777
778	void mallocBindFreeUse() {
779	int *x = malloc(12);
780	int *y = x;
781	free(y);
782	myfoo(x); // expected-warning{{Use of memory after it is freed}}
783	}
784
785	void mallocEscapeMalloc() {
786	int *p = malloc(12);
787	myfoo(p);
788	p = malloc(12);
789	} // expected-warning{{Potential leak of memory pointed to by}}
790
791	void mallocMalloc() {
792	int *p = malloc(12);
793	p = malloc(12);
794	} // expected-warning {{Potential leak of memory pointed to by}}
795
796	void mallocFreeMalloc() {
797	int *p = malloc(12);
798	free(p);
799	p = malloc(12);
800	free(p);
801	}
802
803	void mallocFreeUse_params() {
804	int *p = malloc(12);
805	free(p);
806	myfoo(p); //expected-warning{{Use of memory after it is freed}}
807	}
808
809	void mallocFreeUse_params2() {
810	int *p = malloc(12);
811	free(p);
812	myfooint(*p); //expected-warning{{Use of memory after it is freed}}
813	}
814
815	void mallocFailedOrNot() {
816	int *p = malloc(12);
817	if (!p)
818	free(p);
819	else
820	free(p);
821	}
822
823	struct StructWithInt {
824	int g;
825	};
826
827	int *mallocReturnFreed() {
828	int *p = malloc(12);
829	free(p);
830	return p; // expected-warning {{Use of memory after it is freed}}
831	}
832
833	int useAfterFreeStruct() {
834	struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
835	px->g = 5;
836	free(px);
837	return px->g; // expected-warning {{Use of memory after it is freed}}
838	}
839
840	void nonSymbolAsFirstArg(int pp, struct StructWithInt p);
841
842	void mallocEscapeFooNonSymbolArg() {
843	struct StructWithInt *p = malloc(sizeof(struct StructWithInt));
844	nonSymbolAsFirstArg(&p->g, p);
845	return; // no warning
846	}
847
848	void mallocFailedOrNotLeak() {
849	int *p = malloc(12);
850	if (p == 0)
851	return; // no warning
852	else
853	return; // expected-warning {{Potential leak of memory pointed to by}}
854	}
855
856	void mallocAssignment() {
857	char *p = malloc(12);
858	p = fooRetPtr();
859	} // expected-warning {{leak}}
860
861	int vallocTest() {
862	char *mem = valloc(12);
863	return 0; // expected-warning {{Potential leak of memory pointed to by}}
864	}
865
866	void vallocEscapeFreeUse() {
867	int *p = valloc(12);
868	myfoo(p);
869	free(p);
870	myfoo(p); // expected-warning{{Use of memory after it is freed}}
871	}
872
873	int *Gl;
874	struct GlStTy {
875	int *x;
876	};
877
878	struct GlStTy GlS = {0};
879
880	void GlobalFree() {
881	free(Gl);
882	}
883
884	void GlobalMalloc() {
885	Gl = malloc(12);
886	}
887
888	void GlobalStructMalloc() {
889	int *a = malloc(12);
890	GlS.x = a;
891	}
892
893	void GlobalStructMallocFree() {
894	int *a = malloc(12);
895	GlS.x = a;
896	free(GlS.x);
897	}
898
899	char *ArrayG[12];
900
901	void globalArrayTest() {
902	char p = (char)malloc(12);
903	ArrayG[0] = p;
904	}
905
906	// Make sure that we properly handle a pointer stored into a local struct/array.
907	typedef struct _StructWithPtr {
908	int *memP;
909	} StructWithPtr;
910
911	static StructWithPtr arrOfStructs[10];
912
913	void testMalloc() {
914	int *x = malloc(12);
915	StructWithPtr St;
916	St.memP = x;
917	arrOfStructs[0] = St; // no-warning
918	}
919
920	StructWithPtr testMalloc2() {
921	int *x = malloc(12);
922	StructWithPtr St;
923	St.memP = x;
924	return St; // no-warning
925	}
926
927	int *testMalloc3() {
928	int *x = malloc(12);
929	int *y = x;
930	return y; // no-warning
931	}
932
933	void testStructLeak() {
934	StructWithPtr St;
935	St.memP = malloc(12);
936	return; // expected-warning {{Potential leak of memory pointed to by 'St.memP'}}
937	}
938
939	void testElemRegion1() {
940	char x = (void)malloc(2);
941	int ix = (int)x;
942	free(&(x[0]));
943	}
944
945	void testElemRegion2(int **pp) {
946	int *p = malloc(12);
947	*pp = p;
948	free(pp[0]);
949	}
950
951	void testElemRegion3(int **pp) {
952	int *p = malloc(12);
953	*pp = p;
954	free(*pp);
955	}
956	// Region escape testing.
957
958	unsigned takePtrToPtr(int **p);
959	void PassTheAddrOfAllocatedData(int f) {
960	int *p = malloc(12);
961	// We don't know what happens after the call. Should stop tracking here.
962	if (takePtrToPtr(&p))
963	f++;
964	free(p); // no warning
965	}
966
967	struct X {
968	int *p;
969	};
970	unsigned takePtrToStruct(struct X *s);
971	int ** foo2(int *g, int f) {
972	int *p = malloc(12);
973	struct X *px= malloc(sizeof(struct X));
974	px->p = p;
975	// We don't know what happens after this call. Should not track px nor p.
976	if (takePtrToStruct(px))
977	f++;
978	free(p);
979	return 0;
980	}
981
982	struct X* RegInvalidationDetect1(struct X *s2) {
983	struct X *px= malloc(sizeof(struct X));
984	px->p = 0;
985	px = s2;
986	return px; // expected-warning {{Potential leak of memory pointed to by}}
987	}
988
989	struct X* RegInvalidationGiveUp1() {
990	int *p = malloc(12);
991	struct X *px= malloc(sizeof(struct X));
992	px->p = p;
993	return px;
994	}
995
996	int RegInvalidationDetect2(int pp) {
997	int *p = malloc(12);
998	pp = &p;
999	pp++;
1000	return 0;// expected-warning {{Potential leak of memory pointed to by}}
1001	}
1002
1003	extern void exit(int) __attribute__ ((__noreturn__));
1004	void mallocExit(int *g) {
1005	struct xx *p = malloc(12);
1006	if (g != 0)
1007	exit(1);
1008	free(p);
1009	return;
1010	}
1011
1012	extern void __assert_fail (__const char __assertion, __const char __file,
1013	unsigned int __line, __const char *__function)
1014	__attribute__ ((__noreturn__));
1015	#define assert(expr) \
1016	((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))
1017	void mallocAssert(int *g) {
1018	struct xx *p = malloc(12);
1019
1020	assert(g != 0);
1021	free(p);
1022	return;
1023	}
1024
1025	void doNotInvalidateWhenPassedToSystemCalls(char *s) {
1026	char *p = malloc(12);
1027	strlen(p);
1028	strcpy(p, s);
1029	strcpy(s, p);
1030	strcpy(p, p);
1031	memcpy(p, s, 1);
1032	memcpy(s, p, 1);
1033	memcpy(p, p, 1);
1034	} // expected-warning {{leak}}
1035
1036	// Treat source buffer contents as escaped.
1037	void escapeSourceContents(char *s) {
1038	char *p = malloc(12);
1039	memcpy(s, &p, 12); // no warning
1040
1041	void *p1 = malloc(7);
1042	char *a;
1043	memcpy(&a, &p1, sizeof a);
1044	// FIXME: No warning due to limitations imposed by current modelling of
1045	// 'memcpy' (regions metadata is not copied).
1046
1047	int *ptrs[2];
1048	int allocated = (int )malloc(4);
1049	memcpy(&ptrs[0], &allocated, sizeof(int *));
1050	// FIXME: No warning due to limitations imposed by current modelling of
1051	// 'memcpy' (regions metadata is not copied).
1052	}
1053
1054	void invalidateDestinationContents() {
1055	int *null = 0;
1056	int p = (int )malloc(4);
1057	memcpy(&p, &null, sizeof(int *));
1058
1059	int *ptrs1[2]; // expected-warning {{Potential leak of memory pointed to by}}
1060	ptrs1[0] = (int *)malloc(4);
1061	memcpy(ptrs1, &null, sizeof(int *));
1062
1063	int *ptrs2[2]; // expected-warning {{Potential memory leak}}
1064	ptrs2[0] = (int *)malloc(4);
1065	memcpy(&ptrs2[1], &null, sizeof(int *));
1066
1067	int *ptrs3[2]; // expected-warning {{Potential memory leak}}
1068	ptrs3[0] = (int *)malloc(4);
1069	memcpy(&ptrs3[0], &null, sizeof(int *));
1070	} // expected-warning {{Potential memory leak}}
1071
1072	// Rely on the CString checker evaluation of the strcpy API to convey that the result of strcpy is equal to p.
1073	void symbolLostWithStrcpy(char *s) {
1074	char *p = malloc(12);
1075	p = strcpy(p, s);
1076	free(p);
1077	}
1078
1079
1080	// The same test as the one above, but with what is actually generated on a mac.
1081	static __inline char *
1082	__inline_strcpy_chk (char restrict __dest, const char restrict __src)
1083	{
1084	return __builtin___strcpy_chk (__dest, __src, __builtin_object_size (__dest, 2 > 1));
1085	}
1086
1087	void symbolLostWithStrcpy_InlineStrcpyVersion(char *s) {
1088	char *p = malloc(12);
1089	p = ((__builtin_object_size (p, 0) != (size_t) -1) ? __builtin___strcpy_chk (p, s, __builtin_object_size (p, 2 > 1)) : __inline_strcpy_chk (p, s));
1090	free(p);
1091	}
1092
1093	// Here we are returning a pointer one past the allocated value. An idiom which
1094	// can be used for implementing special malloc. The correct uses of this might
1095	// be rare enough so that we could keep this as a warning.
1096	static void *specialMalloc(int n){
1097	int *p;
1098	p = malloc( n+8 );
1099	if( p ){
1100	p[0] = n;
1101	p++;
1102	}
1103	return p;
1104	}
1105
1106	// Potentially, the user could free the struct by performing pointer arithmetic on the return value.
1107	// This is a variation of the specialMalloc issue, though probably would be more rare in correct code.
1108	int *specialMallocWithStruct() {
1109	struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
1110	return &(px->g);
1111	}
1112
1113	// Test various allocation/deallocation functions.
1114	void testStrdup(const char *s, unsigned validIndex) {
1115	char *s2 = strdup(s);
1116	s2[validIndex + 1] = 'b';
1117	} // expected-warning {{Potential leak of memory pointed to by}}
1118
1119	void testWinStrdup(const char *s, unsigned validIndex) {
1120	char *s2 = _strdup(s);
1121	s2[validIndex + 1] = 'b';
1122	} // expected-warning {{Potential leak of memory pointed to by}}
1123
1124	void testWcsdup(const wchar_t *s, unsigned validIndex) {
1125	wchar_t *s2 = wcsdup(s);
1126	s2[validIndex + 1] = 'b';
1127	} // expected-warning {{Potential leak of memory pointed to by}}
1128
1129	void testWinWcsdup(const wchar_t *s, unsigned validIndex) {
1130	wchar_t *s2 = _wcsdup(s);
1131	s2[validIndex + 1] = 'b';
1132	} // expected-warning {{Potential leak of memory pointed to by}}
1133
1134	int testStrndup(const char *s, unsigned validIndex, unsigned size) {
1135	char *s2 = strndup(s, size);
1136	s2 [validIndex + 1] = 'b';
1137	if (s2[validIndex] != 'a')
1138	return 0;
1139	else
1140	return 1;// expected-warning {{Potential leak of memory pointed to by}}
1141	}
1142
1143	void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
1144	char *s2 = strdup(s);
1145	char result = s2[1];// no warning
1146	free(s2);
1147	}
1148
1149	void testWinStrdupContentIsDefined(const char *s, unsigned validIndex) {
1150	char *s2 = _strdup(s);
1151	char result = s2[1];// no warning
1152	free(s2);
1153	}
1154
1155	void testWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1156	wchar_t *s2 = wcsdup(s);
1157	wchar_t result = s2[1];// no warning
1158	free(s2);
1159	}
1160
1161	void testWinWcsdupContentIsDefined(const wchar_t *s, unsigned validIndex) {
1162	wchar_t *s2 = _wcsdup(s);
1163	wchar_t result = s2[1];// no warning
1164	free(s2);
1165	}
1166
1167	// ----------------------------------------------------------------------------
1168	// Test the system library functions to which the pointer can escape.
1169	// This tests false positive suppression.
1170
1171	// For now, we assume memory passed to pthread_specific escapes.
1172	// TODO: We could check that if a new pthread binding is set, the existing
1173	// binding must be freed; otherwise, a memory leak can occur.
1174	void testPthereadSpecificEscape(pthread_key_t key) {
1175	void *buf = malloc(12);
1176	pthread_setspecific(key, buf); // no warning
1177	}
1178
1179	// PR12101: Test funopen().
1180	static int releasePtr(void *_ctx) {
1181	free(_ctx);
1182	return 0;
1183	}
1184	FILE *useFunOpen() {
1185	void *ctx = malloc(sizeof(int));
1186	FILE *f = funopen(ctx, 0, 0, 0, releasePtr); // no warning
1187	if (f == 0) {
1188	free(ctx);
1189	}
1190	return f;
1191	}
1192	FILE *useFunOpenNoReleaseFunction() {
1193	void *ctx = malloc(sizeof(int));
1194	FILE *f = funopen(ctx, 0, 0, 0, 0);
1195	if (f == 0) {
1196	free(ctx);
1197	}
1198	return f; // expected-warning{{leak}}
1199	}
1200
1201	static int readNothing(void _ctx, char buf, int size) {
1202	return 0;
1203	}
1204	FILE *useFunOpenReadNoRelease() {
1205	void *ctx = malloc(sizeof(int));
1206	FILE *f = funopen(ctx, readNothing, 0, 0, 0);
1207	if (f == 0) {
1208	free(ctx);
1209	}
1210	return f; // expected-warning{{leak}}
1211	}
1212
1213	// Test setbuf, setvbuf.
1214	int my_main_no_warning() {
1215	char *p = malloc(100);
1216	setvbuf(stdout, p, 0, 100);
1217	return 0;
1218	}
1219	int my_main_no_warning2() {
1220	char *p = malloc(100);
1221	setbuf(__stdoutp, p);
1222	return 0;
1223	}
1224	int my_main_warn(FILE *f) {
1225	char *p = malloc(100);
1226	setvbuf(f, p, 0, 100);
1227	return 0;// expected-warning {{leak}}
1228	}
1229
1230	// <rdar://problem/10978247>.
1231	// some people use stack allocated memory as an optimization to avoid
1232	// a heap allocation for small work sizes. This tests the analyzer's
1233	// understanding that the malloc'ed memory is not the same as stackBuffer.
1234	void radar10978247(int myValueSize) {
1235	char stackBuffer[128];
1236	char *buffer;
1237
1238	if (myValueSize <= sizeof(stackBuffer))
1239	buffer = stackBuffer;
1240	else
1241	buffer = malloc(myValueSize);
1242
1243	// do stuff with the buffer
1244	if (buffer != stackBuffer)
1245	free(buffer);
1246	}
1247
1248	void radar10978247_positive(int myValueSize) {
1249	char stackBuffer[128];
1250	char *buffer;
1251
1252	if (myValueSize <= sizeof(stackBuffer))
1253	buffer = stackBuffer;
1254	else
1255	buffer = malloc(myValueSize);
1256
1257	// do stuff with the buffer
1258	if (buffer == stackBuffer)
1259	return;
1260	else
1261	return; // expected-warning {{leak}}
1262	}
1263	// <rdar://problem/11269741> Previously this triggered a false positive
1264	// because malloc() is known to return uninitialized memory and the binding
1265	// of 'o' to 'p->n' was not getting propertly handled. Now we report a leak.
1266	struct rdar11269741_a_t {
1267	struct rdar11269741_b_t {
1268	int m;
1269	} n;
1270	};
1271
1272	int rdar11269741(struct rdar11269741_b_t o)
1273	{
1274	struct rdar11269741_a_t p = (struct rdar11269741_a_t ) malloc(sizeof(*p));
1275	p->n = o;
1276	return p->n.m; // expected-warning {{leak}}
1277	}
1278
1279	// Pointer arithmetic, returning an ElementRegion.
1280	void *radar11329382(unsigned bl) {
1281	void *ptr = malloc (16);
1282	ptr = ptr + (2 - bl);
1283	return ptr; // no warning
1284	}
1285
1286	void __assert_rtn(const char , const char , int, const char *) __attribute__((__noreturn__));
1287	int strcmp(const char , const char );
1288	char *a (void);
1289	void radar11270219(void) {
1290	char x = a(), y = a();
1291	(__builtin_expect(!(x && y), 0) ? __assert_rtn(__func__, "/Users/zaks/tmp/ex.c", 24, "x && y") : (void)0);
1292	strcmp(x, y); // no warning
1293	}
1294
1295	void radar_11358224_test_double_assign_ints_positive_2()
1296	{
1297	void *ptr = malloc(16);
1298	ptr = ptr;
1299	} // expected-warning {{leak}}
1300
1301	// Assume that functions which take a function pointer can free memory even if
1302	// they are defined in system headers and take the const pointer to the
1303	// allocated memory. (radar://11160612)
1304	int const_ptr_and_callback(int, const char, int n, void()(void*));
1305	void r11160612_1() {
1306	char *x = malloc(12);
1307	const_ptr_and_callback(0, x, 12, free); // no - warning
1308	}
1309
1310	// Null is passed as callback.
1311	void r11160612_2() {
1312	char *x = malloc(12);
1313	const_ptr_and_callback(0, x, 12, 0);
1314	} // expected-warning {{leak}}
1315
1316	// Callback is passed to a function defined in a system header.
1317	void r11160612_4() {
1318	char *x = malloc(12);
1319	sqlite3_bind_text_my(0, x, 12, free); // no - warning
1320	}
1321
1322	// Passing callbacks in a struct.
1323	void r11160612_5(StWithCallback St) {
1324	void *x = malloc(12);
1325	dealocateMemWhenDoneByVal(x, St);
1326	}
1327	void r11160612_6(StWithCallback St) {
1328	void *x = malloc(12);
1329	dealocateMemWhenDoneByRef(&St, x);
1330	}
1331
1332	int mySub(int, int);
1333	int myAdd(int, int);
1334	int fPtr(unsigned cond, int x) {
1335	return (cond ? mySub : myAdd)(x, x);
1336	}
1337
1338	// Test anti-aliasing.
1339
1340	void dependsOnValueOfPtr(int *g, unsigned f) {
1341	int *p;
1342
1343	if (f) {
1344	p = g;
1345	} else {
1346	p = malloc(12);
1347	}
1348
1349	if (p != g)
1350	free(p);
1351	else
1352	return; // no warning
1353	return;
1354	}
1355
1356	int CMPRegionHeapToStack() {
1357	int x = 0;
1358	int *x1 = malloc(8);
1359	int *x2 = &x;
1360	clang_analyzer_eval(x1 == x2); // expected-warning{{FALSE}}
1361	free(x1);
1362	return x;
1363	}
1364
1365	int CMPRegionHeapToHeap2() {
1366	int x = 0;
1367	int *x1 = malloc(8);
1368	int *x2 = malloc(8);
1369	int *x4 = x1;
1370	int *x5 = x2;
1371	clang_analyzer_eval(x4 == x5); // expected-warning{{FALSE}}
1372	free(x1);
1373	free(x2);
1374	return x;
1375	}
1376
1377	int CMPRegionHeapToHeap() {
1378	int x = 0;
1379	int *x1 = malloc(8);
1380	int *x4 = x1;
1381	if (x1 == x4) {
1382	free(x1);
1383	return 5/x; // expected-warning{{Division by zero}}
1384	}
1385	return x;// expected-warning{{This statement is never executed}}
1386	}
1387
1388	int HeapAssignment() {
1389	int m = 0;
1390	int *x = malloc(4);
1391	int *y = x;
1392	*x = 5;
1393	clang_analyzer_eval(x != y); // expected-warning{{FALSE}}
1394	free(x);
1395	return 0;
1396	}
1397
1398	int *retPtr();
1399	int retPtrMightAlias(int x);
1400	int cmpHeapAllocationToUnknown() {
1401	int zero = 0;
1402	int *yBefore = retPtr();
1403	int *m = malloc(8);
1404	int *yAfter = retPtrMightAlias(m);
1405	clang_analyzer_eval(yBefore == m); // expected-warning{{FALSE}}
1406	clang_analyzer_eval(yAfter == m); // expected-warning{{FALSE}}
1407	free(m);
1408	return 0;
1409	}
1410
1411	void localArrayTest() {
1412	char p = (char)malloc(12);
1413	char *ArrayL[12];
1414	ArrayL[0] = p;
1415	} // expected-warning {{leak}}
1416
1417	void localStructTest() {
1418	StructWithPtr St;
1419	StructWithPtr *pSt = &St;
1420	pSt->memP = malloc(12);
1421	} // expected-warning{{Potential leak of memory pointed to by}}
1422
1423	#ifdef __INTPTR_TYPE__
1424	// Test double assignment through integers.
1425	typedef __INTPTR_TYPE__ intptr_t;
1426	typedef unsigned __INTPTR_TYPE__ uintptr_t;
1427
1428	static intptr_t glob;
1429	void test_double_assign_ints()
1430	{
1431	void *ptr = malloc (16); // no-warning
1432	glob = (intptr_t)(uintptr_t)ptr;
1433	}
1434
1435	void test_double_assign_ints_positive()
1436	{
1437	void *ptr = malloc(16);
1438	(void*)(intptr_t)(uintptr_t)ptr; // expected-warning {{unused}}
1439	} // expected-warning {{leak}}
1440	#endif
1441
1442	void testCGContextNoLeak()
1443	{
1444	void *ptr = malloc(16);
1445	CGContextRef context = CGBitmapContextCreate(ptr);
1446
1447	// Because you can get the data back out like this, even much later,
1448	// CGBitmapContextCreate is one of our "stop-tracking" exceptions.
1449	free(CGBitmapContextGetData(context));
1450	}
1451
1452	void testCGContextLeak()
1453	{
1454	void *ptr = malloc(16);
1455	CGContextRef context = CGBitmapContextCreate(ptr);
1456	// However, this time we're just leaking the data, because the context
1457	// object doesn't escape and it hasn't been freed in this function.
1458	}
1459
1460	// Allow xpc context to escape. radar://11635258
1461	// TODO: Would be great if we checked that the finalize_connection_context actually releases it.
1462	static void finalize_connection_context(void *ctx) {
1463	int *context = ctx;
1464	free(context);
1465	}
1466	void foo (xpc_connection_t peer) {
1467	int *ctx = calloc(1, sizeof(int));
1468	xpc_connection_set_context(peer, ctx);
1469	xpc_connection_set_finalizer_f(peer, finalize_connection_context);
1470	xpc_connection_resume(peer);
1471	}
1472
1473	// Make sure we catch errors when we free in a function which does not allocate memory.
1474	void freeButNoMalloc(int *p, int x){
1475	if (x) {
1476	free(p);
1477	//user forgot a return here.
1478	}
1479	free(p); // expected-warning {{Attempt to free released memory}}
1480	}
1481
1482	struct HasPtr {
1483	char *p;
1484	};
1485
1486	char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
1487	int *s;
1488	char *b = realloc(a->p, size);
1489	char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
1490	// We don't expect a use-after-free for a->P here because the warning above
1491	// is a sink.
1492	return a->p; // no-warning
1493	}
1494
1495	// We should not warn in this case since the caller will presumably free a->p in all cases.
1496	int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
1497	int *s;
1498	char *b = realloc(a->p, size);
1499	if (b == 0)
1500	return -1;
1501	a->p = b;
1502	return 0;
1503	}
1504
1505	// Test realloc with no visible malloc.
1506	void test(void ptr) {
1507	void *newPtr = realloc(ptr, 4);
1508	if (newPtr == 0) {
1509	if (ptr)
1510	free(ptr); // no-warning
1511	}
1512	return newPtr;
1513	}
1514
1515
1516	char testLeakWithinReturn(char str) {
1517	return strdup(strdup(str)); // expected-warning{{leak}}
1518	}
1519
1520	char testWinLeakWithinReturn(char str) {
1521	return _strdup(_strdup(str)); // expected-warning{{leak}}
1522	}
1523
1524	wchar_t testWinWideLeakWithinReturn(wchar_t str) {
1525	return _wcsdup(_wcsdup(str)); // expected-warning{{leak}}
1526	}
1527
1528	void passConstPtr(const char * ptr);
1529
1530	void testPassConstPointer() {
1531	char * string = malloc(sizeof(char)*10);
1532	passConstPtr(string);
1533	return; // expected-warning {{leak}}
1534	}
1535
1536	void testPassConstPointerIndirectly() {
1537	char *p = malloc(1);
1538	p++;
1539	memcmp(p, p, sizeof(&p));
1540	return; // expected-warning {{leak}}
1541	}
1542
1543	void testPassConstPointerIndirectlyStruct() {
1544	struct HasPtr hp;
1545	hp.p = malloc(10);
1546	memcmp(&hp, &hp, sizeof(hp));
1547	return; // expected-warning {{Potential leak of memory pointed to by 'hp.p'}}
1548	}
1549
1550	void testPassToSystemHeaderFunctionIndirectlyStruct() {
1551	SomeStruct ss;
1552	ss.p = malloc(1);
1553	fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1554	// Technically a false negative here -- we know the system function won't free
1555	// ss.p, but nothing else will either!
1556	} // no-warning
1557
1558	void testPassToSystemHeaderFunctionIndirectlyStructFree() {
1559	SomeStruct ss;
1560	ss.p = malloc(1);
1561	fakeSystemHeaderCall(&ss); // invalidates ss, making ss.p unreachable
1562	free(ss.p);
1563	} // no-warning
1564
1565	void testPassToSystemHeaderFunctionIndirectlyArray() {
1566	int *p[1];
1567	p[0] = malloc(sizeof(int));
1568	fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1569	// Technically a false negative here -- we know the system function won't free
1570	// p[0], but nothing else will either!
1571	} // no-warning
1572
1573	void testPassToSystemHeaderFunctionIndirectlyArrayFree() {
1574	int *p[1];
1575	p[0] = malloc(sizeof(int));
1576	fakeSystemHeaderCallIntPtr(p); // invalidates p, making p[0] unreachable
1577	free(p[0]);
1578	} // no-warning
1579
1580	int *testOffsetAllocate(size_t size) {
1581	int memoryBlock = (int )malloc(size + sizeof(int));
1582	return &memoryBlock[1]; // no-warning
1583	}
1584
1585	void testOffsetDeallocate(int *memoryBlock) {
1586	free(&memoryBlock[-1]); // no-warning
1587	}
1588
1589	void testOffsetOfRegionFreed() {
1590	__int64_t * array = malloc(sizeof(__int64_t)*2);
1591	array += 1;
1592	free(&array[0]); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1593	}
1594
1595	void testOffsetOfRegionFreed2() {
1596	__int64_t p = malloc(sizeof(__int64_t)2);
1597	p += 1;
1598	free(p); // expected-warning{{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1599	}
1600
1601	void testOffsetOfRegionFreed3() {
1602	char *r = malloc(sizeof(char));
1603	r = r - 10;
1604	free(r); // expected-warning {{Argument to free() is offset by -10 bytes from the start of memory allocated by malloc()}}
1605	}
1606
1607	void testOffsetOfRegionFreedAfterFunctionCall() {
1608	int p = malloc(sizeof(int)2);
1609	p += 1;
1610	myfoo(p);
1611	free(p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
1612	}
1613
1614	void testFixManipulatedPointerBeforeFree() {
1615	int * array = malloc(sizeof(int)*2);
1616	array += 1;
1617	free(&array[-1]); // no-warning
1618	}
1619
1620	void testFixManipulatedPointerBeforeFree2() {
1621	char *r = malloc(sizeof(char));
1622	r = r + 10;
1623	free(r-10); // no-warning
1624	}
1625
1626	void freeOffsetPointerPassedToFunction() {
1627	__int64_t p = malloc(sizeof(__int64_t)2);
1628	p[1] = 0;
1629	p += 1;
1630	myfooint(*p); // not passing the pointer, only a value pointed by pointer
1631	free(p); // expected-warning {{Argument to free() is offset by 8 bytes from the start of memory allocated by malloc()}}
1632	}
1633
1634	int arbitraryInt();
1635	void freeUnknownOffsetPointer() {
1636	char *r = malloc(sizeof(char));
1637	r = r + arbitraryInt(); // unable to reason about what the offset might be
1638	free(r); // no-warning
1639	}
1640
1641	void testFreeNonMallocPointerWithNoOffset() {
1642	char c;
1643	char *r = &c;
1644	r = r + 10;
1645	free(r-10); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1646	}
1647
1648	void testFreeNonMallocPointerWithOffset() {
1649	char c;
1650	char *r = &c;
1651	free(r+1); // expected-warning {{Argument to free() is the address of the local variable 'c', which is not memory allocated by malloc()}}
1652	}
1653
1654	void testOffsetZeroDoubleFree() {
1655	int array = malloc(sizeof(int)2);
1656	int *p = &array[0];
1657	free(p);
1658	free(&array[0]); // expected-warning{{Attempt to free released memory}}
1659	}
1660
1661	void testOffsetPassedToStrlen() {
1662	char * string = malloc(sizeof(char)*10);
1663	string += 1;
1664	int length = strlen(string); // expected-warning {{Potential leak of memory pointed to by 'string'}}
1665	}
1666
1667	void testOffsetPassedToStrlenThenFree() {
1668	char * string = malloc(sizeof(char)*10);
1669	string += 1;
1670	int length = strlen(string);
1671	free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1672	}
1673
1674	void testOffsetPassedAsConst() {
1675	char * string = malloc(sizeof(char)*10);
1676	string += 1;
1677	passConstPtr(string);
1678	free(string); // expected-warning {{Argument to free() is offset by 1 byte from the start of memory allocated by malloc()}}
1679	}
1680
1681	char **_vectorSegments;
1682	int _nVectorSegments;
1683
1684	void poolFreeC(void* s) {
1685	free(s); // no-warning
1686	}
1687	void freeMemory() {
1688	while (_nVectorSegments) {
1689	poolFreeC(_vectorSegments[_nVectorSegments++]);
1690	}
1691	}
1692
1693	// PR16730
1694	void testReallocEscaped(void **memory) {
1695	*memory = malloc(47);
1696	char new_memory = realloc(memory, 47);
1697	if (new_memory != 0) {
1698	*memory = new_memory;
1699	}
1700	}
1701
1702	// PR16558
1703	void *smallocNoWarn(size_t size) {
1704	if (size == 0) {
1705	return malloc(1); // this branch is never called
1706	}
1707	else {
1708	return malloc(size);
1709	}
1710	}
1711
1712	char dupstrNoWarn(const char s) {
1713	const int len = strlen(s);
1714	char p = (char) smallocNoWarn(len + 1);
1715	strcpy(p, s); // no-warning
1716	return p;
1717	}
1718
1719	void *smallocWarn(size_t size) {
1720	if (size == 2) {
1721	return malloc(1);
1722	}
1723	else {
1724	return malloc(size);
1725	}
1726	}
1727
1728	int *radar15580979() {
1729	int data = (int )malloc(32);
1730	int p = data ?: (int)malloc(32); // no warning
1731	return p;
1732	}
1733
1734	// Some data structures may hold onto the pointer and free it later.
1735	void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
1736	int data = (int )malloc(32);
1737	fake_insque(queue, data); // no warning
1738	}
1739
1740	void testEscapeThroughSystemCallTakingVoidPointer2(fake_rb_tree_t *rbt) {
1741	int data = (int )malloc(32);
1742	fake_rb_tree_init(rbt, data);
1743	} //expected-warning{{Potential leak}}
1744
1745	void testEscapeThroughSystemCallTakingVoidPointer3(fake_rb_tree_t *rbt) {
1746	int data = (int )malloc(32);
1747	fake_rb_tree_init(rbt, data);
1748	fake_rb_tree_insert_node(rbt, data); // no warning
1749	}
1750
1751	struct IntAndPtr {
1752	int x;
1753	int *p;
1754	};
1755
1756	void constEscape(const void *ptr);
1757
1758	void testConstEscapeThroughAnotherField() {
1759	struct IntAndPtr s;
1760	s.p = malloc(sizeof(int));
1761	constEscape(&(s.x));
1762	} // expected-warning {{Potential leak of memory pointed to by 's.p'}}
1763
1764	// PR15623
1765	int testNoCheckerDataPropogationFromLogicalOpOperandToOpResult(void) {
1766	char *param = malloc(10);
1767	char *value = malloc(10);
1768	int ok = (param && value);
1769	free(param);
1770	free(value);
1771	// Previously we ended up with 'Use of memory after it is freed' on return.
1772	return ok; // no warning
1773	}
1774
1775	void (*fnptr)(int);
1776	void freeIndirectFunctionPtr() {
1777	void p = (void )fnptr;
1778	free(p); // expected-warning {{Argument to free() is a function pointer}}
1779	}
1780
1781	void freeFunctionPtr() {
1782	free((void *)fnptr); // expected-warning {{Argument to free() is a function pointer}}
1783	}
1784
1785	void allocateSomeMemory(void offendingParameter, void *ptr) {
1786	*ptr = malloc(1);
1787	}
1788
1789	void testNoCrashOnOffendingParameter() {
1790	// "extern" is necessary to avoid unrelated warnings
1791	// on passing uninitialized value.
1792	extern void *offendingParameter;
1793	void* ptr;
1794	allocateSomeMemory(offendingParameter, &ptr);
1795	} // expected-warning {{Potential leak of memory pointed to by 'ptr'}}
1796
1797
1798	// Test a false positive caused by a bug in liveness analysis.
1799	struct A {
1800	int *buf;
1801	};
1802	struct B {
1803	struct A *a;
1804	};
1805	void livenessBugRealloc(struct A *a) {
1806	a->buf = realloc(a->buf, sizeof(int)); // no-warning
1807	}
1808	void testLivenessBug(struct B *in_b) {
1809	struct B *b = in_b;
1810	livenessBugRealloc(b->a);
1811	((void) 0); // An attempt to trick liveness analysis.
1812	livenessBugRealloc(b->a);
1813	}
1814
1815	// ----------------------------------------------------------------------------
1816	// False negatives.
1817
1818	void testMallocWithParam(int **p) {
1819	p = (int) malloc(sizeof(int));
1820	*p = 0; // FIXME: should warn here
1821	}
1822
1823	void testMallocWithParam_2(int **p) {
1824	p = (int) malloc(sizeof(int)); // no-warning
1825	}
1826
1827	void testPassToSystemHeaderFunctionIndirectly() {
1828	int *p = malloc(4);
1829	p++;
1830	fakeSystemHeaderCallInt(p);
1831	// FIXME: This is a leak: if we think a system function won't free p, it
1832	// won't free (p-1) either.
1833	}
1834
1835	void testMallocIntoMalloc() {
1836	StructWithPtr *s = malloc(sizeof(StructWithPtr));
1837	s->memP = malloc(sizeof(int));
1838	free(s);
1839	} // FIXME: should warn here
1840

Clang Project