From: Anna Zaks <ganna@apple.com>
Date: Sat, 11 Feb 2012 21:44:39 +0000 (+0000)
Subject: [analyzer] Malloc Checker: Report a leak when we are returning freed
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0860cd0646ed40f87085df39563f2c5f7f77750b;p=clang

[analyzer] Malloc Checker: Report a leak when we are returning freed
memory.
(As per one test case, the existing checker thought that this could
cause a lot of false positives - not sure if that's valid, to be
verified.)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@150313 91177308-0d34-0410-b5e6-96231b3b80d8
---

diff --git a/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index d858959bd5..ea4d7d29ea 100644
--- a/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -760,10 +760,16 @@ void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const {
   const Expr *E = S->getRetValue();
   if (!E)
     return;
+
+  // Check if we are returning a symbol.
   SymbolRef Sym = C.getState()->getSVal(E, C.getLocationContext()).getAsSymbol();
   if (!Sym)
     return;
 
+  // Check if we are returning freed memory.
+  checkUseAfterFree(Sym, C, S);
+
+  // Check if the symbol is escaping.
   checkEscape(Sym, S, C);
 }
 
diff --git a/test/Analysis/malloc-annotations.c b/test/Analysis/malloc-annotations.c
index 7890cfc176..98dc2e7269 100644
--- a/test/Analysis/malloc-annotations.c
+++ b/test/Analysis/malloc-annotations.c
@@ -128,12 +128,10 @@ void af3() {
   free(p); // no-warning
 }
 
-// This case would inflict a double-free elsewhere.
-// However, this case is considered an analyzer bug since it causes false-positives.
 int * af4() {
   int *p = my_malloc(12);
   my_free(p);
-  return p; // no-warning
+  return p; // expected-warning{{Use of dynamically allocated}}
 }
 
 // This case is (possibly) ok, be conservative
diff --git a/test/Analysis/malloc.c b/test/Analysis/malloc.c
index 89299e6637..b3095e0f30 100644
--- a/test/Analysis/malloc.c
+++ b/test/Analysis/malloc.c
@@ -251,6 +251,20 @@ void mallocFailedOrNot() {
 struct StructWithInt {
   int g;
 };
+
+int *mallocReturnFreed() {
+  int *p = malloc(12);
+  free(p);
+  return p; // expected-warning {{Use of dynamically allocated}}
+}
+
+int useAfterFreeStruct() {
+  struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
+  px->g = 5;
+  free(px);
+  return px->g; // expected-warning {{Use of dynamically allocated}}
+}
+
 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
 
 void mallocEscapeFooNonSymbolArg() {