malloc.mm
12.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
// RUN: %clang_analyze_cc1 -std=c++14 \
// RUN: -analyzer-checker=core,unix.Malloc,cplusplus.NewDelete \
// RUN: -analyzer-checker=unix.MismatchedDeallocator \
// RUN: -verify -fblocks %s
#import "Inputs/system-header-simulator-objc.h"
#import "Inputs/system-header-simulator-for-malloc.h"
// Done with headers. Start testing.
void testNSDatafFreeWhenDoneNoError(NSUInteger dataLength) {
unsigned char *data = (unsigned char *)malloc(42);
NSData *nsdata = [NSData dataWithBytesNoCopy:data length:dataLength];
}
void testNSDataFreeWhenDoneYES(NSUInteger dataLength) {
unsigned char *data = (unsigned char *)malloc(42);
NSData *nsdata = [NSData dataWithBytesNoCopy:data length:dataLength freeWhenDone:1]; // no-warning
}
void testNSDataFreeWhenDoneYES2(NSUInteger dataLength) {
unsigned char *data = (unsigned char *)malloc(42);
NSData *nsdata = [[NSData alloc] initWithBytesNoCopy:data length:dataLength freeWhenDone:1]; // no-warning
}
void testNSDataFreeWhenDoneYES2_with_wrapper(NSUInteger dataLength) {
unsigned char *data = (unsigned char *)malloc(42);
Wrapper *nsdata = [[Wrapper alloc] initWithBytesNoCopy:data length:dataLength]; // no-warning
}
void testNSStringFreeWhenDoneYES3(NSUInteger dataLength) {
unsigned char *data = (unsigned char *)malloc(42);
NSString *nsstr = [[NSString alloc] initWithBytesNoCopy:data length:dataLength encoding:NSUTF8StringEncoding freeWhenDone:1];
}
void testNSStringFreeWhenDoneYES4(NSUInteger dataLength) {
unichar *data = (unichar*)malloc(42);
NSString *nsstr = [[NSString alloc] initWithCharactersNoCopy:data length:dataLength freeWhenDone:1];
free(data); //expected-warning {{Attempt to free non-owned memory}}
}
void testNSStringFreeWhenDoneYES(NSUInteger dataLength) {
unsigned char *data = (unsigned char *)malloc(42);
NSString *nsstr = [[NSString alloc] initWithBytesNoCopy:data length:dataLength encoding:NSUTF8StringEncoding freeWhenDone:1]; // no-warning
}
void testNSStringFreeWhenDoneYES2(NSUInteger dataLength) {
unichar *data = (unichar*)malloc(42);
NSString *nsstr = [[NSString alloc] initWithCharactersNoCopy:data length:dataLength freeWhenDone:1]; // no-warning
}
void testNSDataFreeWhenDoneNO(NSUInteger dataLength) {
unsigned char *data = (unsigned char *)malloc(42);
NSData *nsdata = [NSData dataWithBytesNoCopy:data length:dataLength freeWhenDone:0]; // expected-warning{{leak}}
}
void testNSDataFreeWhenDoneNO2(NSUInteger dataLength) {
unsigned char *data = (unsigned char *)malloc(42);
NSData *nsdata = [[NSData alloc] initWithBytesNoCopy:data length:dataLength freeWhenDone:0]; // expected-warning{{leak}}
}
void testNSStringFreeWhenDoneNO(NSUInteger dataLength) {
unsigned char *data = (unsigned char *)malloc(42);
NSString *nsstr = [[NSString alloc] initWithBytesNoCopy:data length:dataLength encoding:NSUTF8StringEncoding freeWhenDone:0]; // expected-warning{{leak}}
}
void testNSStringFreeWhenDoneNewDelete(NSUInteger dataLength) {
unsigned char *data = new unsigned char(42);
NSData *nsdata = [[NSData alloc] initWithBytesNoCopy:data
length:dataLength freeWhenDone:1];
// expected-warning@-2{{-initWithBytesNoCopy:length:freeWhenDone: cannot take ownership of memory allocated by 'new'}}
}
void testNSStringFreeWhenDoneNewDelete2(NSUInteger dataLength) {
unsigned char *data = new unsigned char(42);
NSData *nsdata = [[NSData alloc] initWithBytesNoCopy:data
length:dataLength
deallocator:^(void *bytes,
NSUInteger length) {
delete (unsigned char *)bytes;
}]; // no-warning
}
void testNSStringFreeWhenDoneNO2(NSUInteger dataLength) {
unichar *data = (unichar*)malloc(42);
NSString *nsstr = [[NSString alloc] initWithCharactersNoCopy:data length:dataLength freeWhenDone:0]; // expected-warning{{leak}}
}
void testOffsetFree() {
int *p = (int *)malloc(sizeof(int));
NSData *nsdata = [NSData dataWithBytesNoCopy:++p length:sizeof(int) freeWhenDone:1]; // expected-warning{{Argument to +dataWithBytesNoCopy:length:freeWhenDone: is offset by 4 bytes from the start of memory allocated by malloc()}}
}
void testRelinquished1() {
void *data = malloc(42);
NSData *nsdata = [NSData dataWithBytesNoCopy:data length:42 freeWhenDone:1];
free(data); // expected-warning {{Attempt to free non-owned memory}}
}
void testRelinquished2() {
void *data = malloc(42);
NSData *nsdata;
free(data);
[NSData dataWithBytesNoCopy:data length:42]; // expected-warning {{Use of memory after it is freed}}
}
@interface My
+ (void)param:(void *)p;
@end
void testUseAfterFree() {
int *p = (int *)malloc(sizeof(int));
free(p);
[My param:p]; // expected-warning{{Use of memory after it is freed}}
}
void testNoCopy() {
char *p = (char *)calloc(sizeof(int), 1);
CustomData *w = [CustomData somethingNoCopy:p]; // no-warning
}
void testFreeWhenDone() {
char *p = (char *)calloc(sizeof(int), 1);
CustomData *w = [CustomData something:p freeWhenDone:1]; // no-warning
}
void testFreeWhenDonePositive() {
char *p = (char *)calloc(sizeof(int), 1);
CustomData *w = [CustomData something:p freeWhenDone:0]; // expected-warning{{leak}}
}
void testFreeWhenDoneNoCopy() {
int *p = (int *)malloc(sizeof(int));
CustomData *w = [CustomData somethingNoCopy:p length:sizeof(int) freeWhenDone:1]; // no-warning
}
void testFreeWhenDoneNoCopyPositive() {
int *p = (int *)malloc(sizeof(int));
CustomData *w = [CustomData somethingNoCopy:p length:sizeof(int) freeWhenDone:0]; // expected-warning{{leak}}
}
// Test CF/NS...NoCopy. PR12100: Pointers can escape when custom deallocators are provided.
void testNSDatafFreeWhenDone(NSUInteger dataLength) {
CFStringRef str;
char *bytes = (char*)malloc(12);
str = CFStringCreateWithCStringNoCopy(0, bytes, NSNEXTSTEPStringEncoding, 0); // no warning
CFRelease(str); // default allocator also frees bytes
}
void stringWithExternalContentsExample(void) {
#define BufferSize 1000
CFMutableStringRef mutStr;
UniChar *myBuffer;
myBuffer = (UniChar *)malloc(BufferSize * sizeof(UniChar));
mutStr = CFStringCreateMutableWithExternalCharactersNoCopy(0, myBuffer, 0, BufferSize, kCFAllocatorNull); // expected-warning{{leak}}
CFRelease(mutStr);
//free(myBuffer);
}
// PR12101 : pointers can escape through custom deallocators set on creation of a container.
void TestCallbackReleasesMemory(CFDictionaryKeyCallBacks keyCallbacks) {
void *key = malloc(12);
void *val = malloc(12);
CFMutableDictionaryRef x = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &keyCallbacks, &kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(x, key, val);
return;// no-warning
}
NSData *radar10976702() {
void *bytes = malloc(10);
return [NSData dataWithBytesNoCopy:bytes length:10]; // no-warning
}
void testBlocks() {
int *x= (int*)malloc(sizeof(int));
int (^myBlock)(int) = ^(int num) {
free(x);
return num;
};
myBlock(3);
}
// Test NSMapInsert.
@interface NSMapTable : NSObject <NSCopying, NSCoding, NSFastEnumeration>
@end
extern void *NSMapGet(NSMapTable *table, const void *key);
extern void NSMapInsert(NSMapTable *table, const void *key, const void *value);
extern void NSMapInsertKnownAbsent(NSMapTable *table, const void *key, const void *value);
char *strdup(const char *s);
NSString * radar11152419(NSString *string1, NSMapTable *map) {
const char *strkey = "key";
NSString *string = ( NSString *)NSMapGet(map, strkey);
if (!string) {
string = [string1 copy];
NSMapInsert(map, strdup(strkey), (void*)string); // no warning
NSMapInsertKnownAbsent(map, strdup(strkey), (void*)string); // no warning
}
return string;
}
// Test that we handle pointer escaping through OSAtomicEnqueue.
typedef volatile struct {
void *opaque1;
long opaque2;
} OSQueueHead;
extern "C" void OSAtomicEnqueue( OSQueueHead *__list, void *__new, size_t __offset) __attribute__((weak_import));
static inline void radar11111210(OSQueueHead *pool) {
void *newItem = malloc(4);
OSAtomicEnqueue(pool, newItem, 4);
}
// Pointer might escape through CGDataProviderCreateWithData (radar://11187558).
typedef struct CGDataProvider *CGDataProviderRef;
typedef void (*CGDataProviderReleaseDataCallback)(void *info, const void *data,
size_t size);
extern CGDataProviderRef CGDataProviderCreateWithData(void *info,
const void *data, size_t size,
CGDataProviderReleaseDataCallback releaseData)
__attribute__((visibility("default")));
void *calloc(size_t, size_t);
static void releaseDataCallback (void *info, const void *data, size_t size) {
#pragma unused (info, size)
free((void*)data);
}
void testCGDataProviderCreateWithData() {
void* b = calloc(8, 8);
CGDataProviderRef p = CGDataProviderCreateWithData(0, b, 8*8, releaseDataCallback);
}
// Assume that functions which take a function pointer can free memory even if
// they are defined in system headers and take the const pointer to the
// allocated memory. (radar://11160612)
extern CGDataProviderRef UnknownFunWithCallback(void *info,
const void *data, size_t size,
CGDataProviderReleaseDataCallback releaseData)
__attribute__((visibility("default")));
void testUnknownFunWithCallBack() {
void* b = calloc(8, 8);
CGDataProviderRef p = UnknownFunWithCallback(0, b, 8*8, releaseDataCallback);
}
// Test blocks.
void acceptBlockParam(void *, void (^block)(void *), unsigned);
void testCallWithBlockCallback() {
void *l = malloc(12);
acceptBlockParam(l, ^(void *i) { free(i); }, sizeof(char *));
}
// Test blocks in system headers.
void testCallWithBlockCallbackInSystem() {
void *l = malloc(12);
SystemHeaderFunctionWithBlockParam(l, ^(void *i) { free(i); }, sizeof(char *));
}
// Test escape into NSPointerArray. radar://11691035, PR13140
void foo(NSPointerArray* pointerArray) {
void* p1 = malloc (1024);
if (p1) {
[pointerArray addPointer:p1];
}
void* p2 = malloc (1024);
if (p2) {
[pointerArray insertPointer:p2 atIndex:1];
}
void* p3 = malloc (1024);
if (p3) {
[pointerArray replacePointerAtIndex:1 withPointer:p3];
}
// Freeing the buffer is allowed.
void* buffer = [pointerArray pointerAtIndex:0];
free(buffer);
}
void noCrashOnVariableArgumentSelector() {
NSMutableString *myString = [NSMutableString stringWithString:@"some text"];
[myString appendFormat:@"some text = %d", 3];
}
void test12365078_check() {
unichar *characters = (unichar*)malloc(12);
NSString *string = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
if (!string) free(characters); // no-warning
}
void test12365078_nocheck() {
unichar *characters = (unichar*)malloc(12);
NSString *string = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
}
void test12365078_false_negative() {
unichar *characters = (unichar*)malloc(12);
NSString *string = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
if (!string) {;}
}
void test12365078_no_malloc(unichar *characters) {
NSString *string = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
if (!string) {free(characters);}
}
NSString *test12365078_no_malloc_returnValue(unichar *characters) {
NSString *string = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
if (!string) {
return 0; // no-warning
}
return string;
}
void test12365078_nocheck_nomalloc(unichar *characters) {
NSString *string = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
free(characters); // expected-warning {{Attempt to free non-owned memory}}
}
void test12365078_nested(unichar *characters) {
NSString *string = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
if (!string) {
NSString *string2 = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
if (!string2) {
NSString *string3 = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
if (!string3) {
NSString *string4 = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
if (!string4)
free(characters);
}
}
}
}
void test12365078_check_positive() {
unichar *characters = (unichar*)malloc(12);
NSString *string = [[NSString alloc] initWithCharactersNoCopy:characters length:12 freeWhenDone:1];
if (string) free(characters); // expected-warning{{Attempt to free non-owned memory}}
}
void *test_reinterpret_cast_to_block() {
// Used to leak because the pointer was disappearing
// during the reinterpret_cast.
using BlockPtrTy = void (^)();
struct Block {};
Block* block = static_cast<Block*>(malloc(sizeof(Block)));
BlockPtrTy blockPtr = reinterpret_cast<BlockPtrTy>(block); // no-warning
return blockPtr;
}