1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
// RUN: %clang_cc1 -analyze -analyzer-checker=unix.Malloc -analyzer-ipa=inlining -analyzer-inline-max-stack-depth=5 -analyzer-inline-max-function-size=6 -analyzer-store=region -verify %s
#include "system-header-simulator.h"
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void *valloc(size_t);
void free(void *);
void *realloc(void *ptr, size_t size);
void *reallocf(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size);
extern void exit(int) __attribute__ ((__noreturn__));
static void my_malloc1(void **d, size_t size) {
*d = malloc(size);
}
static void *my_malloc2(int elevel, size_t size) {
void *data;
data = malloc(size);
if (data == 0)
exit(0);
return data;
}
static void my_free1(void *p) {
free(p);
}
static void test1() {
void *data = 0;
my_malloc1(&data, 4); // expected-warning {{Memory is never released; potential leak of memory pointed to by 'data'}}
}
static void test11() {
void *data = 0;
my_malloc1(&data, 4);
my_free1(data);
}
static void testUniqueingByallocationSiteInTopLevelFunction() {
void *data = my_malloc2(1, 4);
data = 0;
int x = 5;// expected-warning {{Memory is never released; potential leak of memory pointed to by 'data'}}
data = my_malloc2(1, 4);// expected-warning {{Memory is never released; potential leak of memory pointed to by 'data'}}
}
static void test3() {
void *data = my_malloc2(1, 4);
free(data);
data = my_malloc2(1, 4);
free(data);
}
int test4() {
int *data = (int*)my_malloc2(1, 4);
my_free1(data);
data = (int *)my_malloc2(1, 4);
my_free1(data);
return *data; // expected-warning {{Use of memory after it is freed}}
}
void test6() {
int *data = (int *)my_malloc2(1, 4);
my_free1((int*)data);
my_free1((int*)data); // expected-warning{{Use of memory after it is freed}}
}
// TODO: We should warn here.
void test5() {
int *data;
my_free1((int*)data);
}
static char *reshape(char *in) {
return 0;
}
void testThatRemoveDeadBindingsRunBeforeEachCall() {
char *v = malloc(12);
v = reshape(v);
v = reshape(v);// expected-warning {{Memory is never released; potential leak of memory pointed to by 'v'}}
}
// Test that we keep processing after 'return;'
void fooWithEmptyReturn(int x) {
if (x)
return;
x++;
return;
}
int uafAndCallsFooWithEmptyReturn() {
int *x = (int*)malloc(12);
free(x);
fooWithEmptyReturn(12);
return *x; // expected-warning {{Use of memory after it is freed}}
}
|