1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
| // RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,unix.MismatchedDeallocator,cplusplus.NewDelete -std=c++11 -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,unix.MismatchedDeallocator,cplusplus.NewDelete,cplusplus.NewDeleteLeaks -DLEAKS -std=c++11 -verify %s
#include "Inputs/system-header-simulator-for-malloc.h"
//--------------------------------------------------
// Check that unix.Malloc catches all types of bugs.
//--------------------------------------------------
void testMallocDoubleFree() {
int *p = (int *)malloc(sizeof(int));
free(p);
free(p); // expected-warning{{Attempt to free released memory}}
}
void testMallocLeak() {
int *p = (int *)malloc(sizeof(int));
} // expected-warning{{Potential leak of memory pointed to by 'p'}}
void testMallocUseAfterFree() {
int *p = (int *)malloc(sizeof(int));
free(p);
int j = *p; // expected-warning{{Use of memory after it is freed}}
}
void testMallocBadFree() {
int i;
free(&i); // expected-warning{{Argument to free() is the address of the local variable 'i', which is not memory allocated by malloc()}}
}
void testMallocOffsetFree() {
int *p = (int *)malloc(sizeof(int));
free(++p); // expected-warning{{Argument to free() is offset by 4 bytes from the start of memory allocated by malloc()}}
}
//-----------------------------------------------------------------
// Check that unix.MismatchedDeallocator catches all types of bugs.
//-----------------------------------------------------------------
void testMismatchedDeallocator() {
int *x = (int *)malloc(sizeof(int));
delete x; // expected-warning{{Memory allocated by malloc() should be deallocated by free(), not 'delete'}}
}
//----------------------------------------------------------------
// Check that alpha.cplusplus.NewDelete catches all types of bugs.
//----------------------------------------------------------------
void testNewDoubleFree() {
int *p = new int;
delete p;
delete p; // expected-warning{{Attempt to free released memory}}
}
void testNewLeak() {
int *p = new int;
}
#ifdef LEAKS
// expected-warning@-2 {{Potential leak of memory pointed to by 'p'}}
#endif
void testNewUseAfterFree() {
int *p = (int *)operator new(0);
delete p;
int j = *p; // expected-warning{{Use of memory after it is freed}}
}
void testNewBadFree() {
int i;
delete &i; // expected-warning{{Argument to 'delete' is the address of the local variable 'i', which is not memory allocated by 'new'}}
}
void testNewOffsetFree() {
int *p = new int;
operator delete(++p); // expected-warning{{Argument to operator delete is offset by 4 bytes from the start of memory allocated by 'new'}}
}
//----------------------------------------------------------------
// Test that we check for free errors on escaped pointers.
//----------------------------------------------------------------
void changePtr(int **p);
static int *globalPtr;
void changePointee(int *p);
void testMismatchedChangePtrThroughCall() {
int *p = (int*)malloc(sizeof(int)*4);
changePtr(&p);
delete p; // no-warning the value of the pointer might have changed
}
void testMismatchedChangePointeeThroughCall() {
int *p = (int*)malloc(sizeof(int)*4);
changePointee(p);
delete p; // expected-warning{{Memory allocated by malloc() should be deallocated by free(), not 'delete'}}
}
void testShouldReportDoubleFreeNotMismatched() {
int *p = (int*)malloc(sizeof(int)*4);
globalPtr = p;
free(p);
delete globalPtr; // expected-warning {{Attempt to free released memory}}
}
int *allocIntArray(unsigned c) {
return new int[c];
}
void testMismatchedChangePointeeThroughAssignment() {
int *arr = allocIntArray(4);
globalPtr = arr;
delete arr; // expected-warning{{Memory allocated by 'new[]' should be deallocated by 'delete[]', not 'delete'}}
}
|