gcc/testsuite/gcc.dg/analyzer/unknown-fns.c - gcc - Git at Google

 /* Verify that the analyzer correctly purges state when it sees a call to
    an unknown function.  */

 #include <stdlib.h>

 /* Verify fix for false-positive when checking for CVE-2005-1689.  */

 typedef struct _krb5_data {
   char *data;
 } krb5_data;

 extern void krb5_read_message(krb5_data *buf);

 void
 test_1 (krb5_data inbuf)
 {
   free(inbuf.data);
   krb5_read_message(&inbuf);
   free(inbuf.data); /* { dg-bogus "double-'free'" } */
 }

 /* Verify that __pure__ functions are treated as not having side-effects.  */

 extern int called_by_test_1a (void *)
   __attribute__ ((__pure__));
 void test_1a (krb5_data inbuf)
 {
   free (inbuf.data);
   called_by_test_1a (&inbuf);
   free (inbuf.data); /* { dg-warning "double-'free'" } */
 }

 /* Verify that global pointers can be affected by an unknown function.  */

 void *global_ptr;
 extern void unknown_side_effects (void);

 void test_2 (void)
 {
   free (global_ptr);
   unknown_side_effects ();
   free (global_ptr);
 }

 extern void called_by_test_3 (void *);

 void test_3a (void)
 {
   void *ptr = malloc (1024);
   called_by_test_3 (ptr);
 }  /* { dg-bogus "leak" } */

 void test_3b (void)
 {
   krb5_data k;
   k.data = malloc (1024);
   called_by_test_3 (&k);
 } /* { dg-bogus "leak" } */

 /* Verify that we traverse the graph of regions that are reachable from
    the call.  */

 struct foo
 {
   struct foo *next;
   int *ptr;
 };

 /* First, without a call to an unknown function.  */

 void test_4a (void)
 {
   struct foo node_a;
   struct foo node_b;
   node_a.next = &node_b;
   node_b.ptr = malloc (sizeof (int));
   global_ptr = &node_a;
   *node_b.ptr = 42; /* { dg-warning "possibly-NULL" "possibly-NULL" } */
   /* Although there's a chain of pointers to the allocation, pointed to
      by global_ptr, the chain goes through the stack frame and thus
      there's a leak when it is popped.  */
 } /* { dg-warning "leak of 'node_b.ptr'" } */

 /* With a call to an unknown function.  */

 void test_4b (void)
 {
   struct foo node_a;
   struct foo node_b;
   node_a.next = &node_b;
   node_b.ptr = malloc (sizeof (int));
   global_ptr = &node_a;
   unknown_side_effects (); /* everything potentially visible through global_ptr.  */
   *node_b.ptr = 42; /* { dg-bogus "possibly-NULL" } */
 } /* { dg-bogus "leak" } */

 extern void called_by_test_5 (const char *);
 void test_5 (void)
 {
   called_by_test_5 ("???");
 }

 extern void called_by_test_6 (const struct foo *);
 void test_6 (void)
 {
   struct foo node;
   node.next = NULL;
   node.ptr = malloc (sizeof (int));

   /* This is a const ptr, but struct foo's ptr is non-const,
      so we ought to assume it could be written to.  */
   called_by_test_6 (&node);
 } /* { dg-bogus "leak" } */

 /* TODO: things reachable from "outside" i.e. by params to caller to entrypoint.  */
	/* Verify that the analyzer correctly purges state when it sees a call to
	an unknown function. */

	#include <stdlib.h>

	/* Verify fix for false-positive when checking for CVE-2005-1689. */

	typedef struct _krb5_data {
	char *data;
	} krb5_data;

	extern void krb5_read_message(krb5_data *buf);

	void
	test_1 (krb5_data inbuf)
	{
	free(inbuf.data);
	krb5_read_message(&inbuf);
	free(inbuf.data); /* { dg-bogus "double-'free'" } */
	}

	/* Verify that __pure__ functions are treated as not having side-effects. */

	extern int called_by_test_1a (void *)
	__attribute__ ((__pure__));
	void test_1a (krb5_data inbuf)
	{
	free (inbuf.data);
	called_by_test_1a (&inbuf);
	free (inbuf.data); /* { dg-warning "double-'free'" } */
	}

	/* Verify that global pointers can be affected by an unknown function. */

	void *global_ptr;
	extern void unknown_side_effects (void);

	void test_2 (void)
	{
	free (global_ptr);
	unknown_side_effects ();
	free (global_ptr);
	}

	extern void called_by_test_3 (void *);

	void test_3a (void)
	{
	void *ptr = malloc (1024);
	called_by_test_3 (ptr);
	} /* { dg-bogus "leak" } */

	void test_3b (void)
	{
	krb5_data k;
	k.data = malloc (1024);
	called_by_test_3 (&k);
	} /* { dg-bogus "leak" } */

	/* Verify that we traverse the graph of regions that are reachable from
	the call. */

	struct foo
	{
	struct foo *next;
	int *ptr;
	};

	/* First, without a call to an unknown function. */

	void test_4a (void)
	{
	struct foo node_a;
	struct foo node_b;
	node_a.next = &node_b;
	node_b.ptr = malloc (sizeof (int));
	global_ptr = &node_a;
	node_b.ptr = 42; / { dg-warning "possibly-NULL" "possibly-NULL" } */
	/* Although there's a chain of pointers to the allocation, pointed to
	by global_ptr, the chain goes through the stack frame and thus
	there's a leak when it is popped. */
	} /* { dg-warning "leak of 'node_b.ptr'" } */

	/* With a call to an unknown function. */

	void test_4b (void)
	{
	struct foo node_a;
	struct foo node_b;
	node_a.next = &node_b;
	node_b.ptr = malloc (sizeof (int));
	global_ptr = &node_a;
	unknown_side_effects (); /* everything potentially visible through global_ptr. */
	node_b.ptr = 42; / { dg-bogus "possibly-NULL" } */
	} /* { dg-bogus "leak" } */

	extern void called_by_test_5 (const char *);
	void test_5 (void)
	{
	called_by_test_5 ("???");
	}

	extern void called_by_test_6 (const struct foo *);
	void test_6 (void)
	{
	struct foo node;
	node.next = NULL;
	node.ptr = malloc (sizeof (int));

	/* This is a const ptr, but struct foo's ptr is non-const,
	so we ought to assume it could be written to. */
	called_by_test_6 (&node);
	} /* { dg-bogus "leak" } */

	/* TODO: things reachable from "outside" i.e. by params to caller to entrypoint. */