From fe94b66af7350c057e077edff14b39837169d4f6 Mon Sep 17 00:00:00 2001
From: David Malcolm
Date: Thu, 14 Mar 2019 19:53:30 -0400
Subject: [PATCH 117/169] FIXME: add malloc-ipa-11.c
---
gcc/testsuite/gcc.dg/analyzer/malloc-ipa-11.c | 37 +++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 gcc/testsuite/gcc.dg/analyzer/malloc-ipa-11.c
diff --git a/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-11.c b/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-11.c
new file mode 100644
index 0000000..0de42a5
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/malloc-ipa-11.c
@@ -0,0 +1,37 @@
+#include
+
+extern int some_condition ();
+extern void do_stuff (int);
+
+void
+may_call_free (void *victim)
+{
+ if (some_condition ())
+ return;
+
+ free (victim); /* { dg-warning "double-free of 'victim'" "" { xfail *-*-* } } */
+ /* TODO(xfail): when expanding the call summary for the first call to
+ may_call_free it's picking the early-return path, and not purging
+ locals from the path state. Hence it gets a contradiction with
+ "_1 is true"
+ and
+ "_1 is false"
+ and decides the path is impossible.
+
+ TODO: purge the locals when returning from a function.
+ TODO: better expansion of call summary, to reflect the target state we're
+ interested in. */
+}
+
+void test (void *ptr)
+{
+ do_stuff (1);
+
+ may_call_free (ptr);
+
+ do_stuff (2);
+
+ may_call_free (ptr);
+
+ do_stuff (3);
+}
--
1.8.5.3
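Review bot: The test never states which path through `test` is expected to produce the double free; the TODO block inside `may_call_free` describes the analyzer's call-summary problem but not the scenario under test. A comment above the second `may_call_free (ptr);` such as `/* If some_condition () returned zero in both calls, ptr is freed twice here.  */` would let a reader check the expected diagnostic against the code. Because the `dg-warning` is marked `xfail *-*-*`, this file currently records a missed double-free rather than a detected one, so it should not be counted as coverage for that check until the xfail is removed. As a smaller style point, `extern int some_condition ();` is not a prototype in C11 and could be written `extern int some_condition (void);`.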