From f02fe3d2dd7f406b4201c8f177f94be02b7cc11b Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Mon, 24 Jun 2019 16:02:22 -0400 Subject: [PATCH 41/85] FIXME: expand malloc-paths-9.c --- gcc/testsuite/gcc.dg/analyzer/malloc-paths-9.c | 218 ++++++++++++++++++++++++- 1 file changed, 216 insertions(+), 2 deletions(-) diff --git a/gcc/testsuite/gcc.dg/analyzer/malloc-paths-9.c b/gcc/testsuite/gcc.dg/analyzer/malloc-paths-9.c index febce92..a6e09e6 100644 --- a/gcc/testsuite/gcc.dg/analyzer/malloc-paths-9.c +++ b/gcc/testsuite/gcc.dg/analyzer/malloc-paths-9.c @@ -1,3 +1,5 @@ +/* { dg-additional-options "-fdiagnostics-show-line-numbers -fdiagnostics-nn-line-numbers -fdiagnostics-path-format=inline-events" } */ + #include void test_1 (void) @@ -6,6 +8,23 @@ void test_1 (void) free (ptr); free (ptr); /* { dg-warning "double-free of 'ptr'" } */ } +/* { dg-begin-multiline-output "" } + 'test_1': events 1-3 + | + | NN | void *ptr = malloc (1024); + | | ^~~~~~~~~~~~~ + | | | + | | (1) allocated here + | NN | free (ptr); + | | ~~~~~~~~~~ + | | | + | | (2) first 'free' here + | NN | free (ptr); + | | ~~~~~~~~~~ + | | | + | | (3) second 'free' here; first 'free' was at (2) + | + { dg-end-multiline-output "" } */ void test_2 (int x, int y) { 
@@ -16,6 +35,58 @@ void test_2 (int x, int y) free (ptr); /* { dg-warning "double-free of 'ptr'" } */ } /* { dg-warning "leak of 'ptr'" } */ +/* "double-free of 'ptr'". */ +/* { dg-begin-multiline-output "" } + 'test_2': events 1-5 + | + | NN | void *ptr = malloc (1024); + | | ^~~~~~~~~~~~~ + | | | + | | (1) allocated here + | NN | if (x) + | | ~ + | | | + | | (2) following 'true' branch + | NN | free (ptr); + | | ~~~~~~~~~~ + | | | + | | (3) first 'free' here + | NN | if (y) + | | ~ + | | | + | | (4) following 'true' branch + | NN | free (ptr); + | | ~~~~~~~~~~ + | | | + | | (5) second 'free' here; first 'free' was at (3) + | + { dg-end-multiline-output "" } */ + +/* "leak of 'ptr'. */ +/* { dg-begin-multiline-output "" } + 'test_2': events 1-4 + | + | NN | void *ptr = malloc (1024); + | | ^~~~~~~~~~~~~ + | | | + | | (1) allocated here + | NN | if (x) + | | ~ + | | | + | | (2) following 'false' branch + | NN | free (ptr); + | NN | if (y) + | | ~ + | | | + | | (3) following 'false' branch + | NN | free (ptr); + | NN | } + | | ~ + | | | + | | (4) 'ptr' leaks here; was allocated at (1) + | + { dg-end-multiline-output "" } */ + int test_3 (int x, int y) { int *ptr = (int *)malloc (sizeof (int)); 
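Review bot: The label comment `/* "leak of 'ptr'. */` ahead of the second expected-output block is missing its closing double quote, unlike its sibling `/* "double-free of 'ptr'". */`. It should read `/* "leak of 'ptr'". */`. These labels are the only thing tying each multiline block to one of test_2's two dg-warning directives, so they should match the warning text exactly and be searchable. test_2's body starts outside this hunk.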
@@ -36,5 +107,148 @@ int test_3 (int x, int y) /* { dg-warning "leak of 'ptr'" "" { target *-*-* } .-3 } */ } -/* TODO: enable showing the various paths, and verify them exactly; - what's going on? */ +/* "use of possibly-NULL 'ptr'". */ +/* { dg-begin-multiline-output "" } + 'test_3': events 1-2 + | + | NN | int *ptr = (int *)malloc (sizeof (int)); + | | ^~~~~~~~~~~~~~~~~~~~~ + | | | + | | (1) this call could return NULL + | NN | *ptr = 42; + | | ~~~~~~~~~ + | | | + | | (2) 'ptr' could be NULL + | + { dg-end-multiline-output "" } */ + +/* "use after free of 'ptr'". */ +/* { dg-begin-multiline-output "" } + 'test_3': events 1-5 + | + | NN | int *ptr = (int *)malloc (sizeof (int)); + | | ^~~~~~~~~~~~~~~~~~~~~ + | | | + | | (1) allocated here + | NN | *ptr = 42; + | | ~~~~~~~~~ + | | | + | | (2) assuming 'ptr' is non-NULL + | NN | if (x) + | | ~ + | | | + | | (3) following 'true' branch + | NN | free (ptr); + | | ~~~~~~~~~~ + | | | + | | (4) freed here + | NN | + | NN | *ptr = 19; + | | ~~~~~~~~~ + | | | + | | (5) here ('ptr' is in state 'free') + | + { dg-end-multiline-output "" } */ + +/* "dereference of freed pointer 'ptr'". */ +/* { dg-begin-multiline-output "" } + 'test_3': events 1-2 + | + | NN | if (x) + | | ^ + | | | + | | (1) following 'true' branch + |...... + | NN | *ptr = 19; + | | ~~~~~~~~~ + | | | + | | (2) here + | + { dg-end-multiline-output "" } */ +/* TODO: this is really a duplicate; can we either eliminate it, or + improve the path? */ + +/* "use after free of 'ptr'". */ +/* { dg-begin-multiline-output "" } + 'test_3': events 1-5 + | + | NN | int *ptr = (int *)malloc (sizeof (int)); + | | ^~~~~~~~~~~~~~~~~~~~~ + | | | + | | (1) allocated here + | NN | *ptr = 42; + | | ~~~~~~~~~ + | | | + | | (2) assuming 'ptr' is non-NULL + | NN | if (x) + | | ~ + | | | + | | (3) following 'false' branch + |...... + | NN | if (y) + | | ~ + | | | + | | (4) following 'false' branch + |...... 
+ | NN | return *ptr; + | | ~~~~ + | | | + | | (5) 'ptr' leaks here; was allocated at (1) + | + { dg-end-multiline-output "" } */ + +/* "leak of 'ptr'". */ +/* { dg-begin-multiline-output "" } + 'test_3': events 1-6 + | + | NN | int *ptr = (int *)malloc (sizeof (int)); + | | ^~~~~~~~~~~~~~~~~~~~~ + | | | + | | (1) allocated here + | NN | *ptr = 42; + | | ~~~~~~~~~ + | | | + | | (2) assuming 'ptr' is non-NULL + | NN | if (x) + | | ~ + | | | + | | (3) following 'false' branch + |...... + | NN | if (y) + | | ~ + | | | + | | (4) following 'true' branch + | NN | free (ptr); + | | ~~~~~~~~~~ + | | | + | | (5) freed here + | NN | + | NN | return *ptr; + | | ~~~~ + | | | + | | (6) here ('ptr' is in state 'free') + | + { dg-end-multiline-output "" } */ + +/* "dereference of freed pointer 'ptr'". */ +/* { dg-begin-multiline-output "" } + 'test_3': events 1-3 + | + | NN | if (x) + | | ^ + | | | + | | (1) following 'false' branch + |...... + | NN | if (y) + | | ~ + | | | + | | (2) following 'true' branch + |...... + | NN | return *ptr; + | | ~~~~ + | | | + | | (3) here + | + { dg-end-multiline-output "" } */ +/* TODO: this is really a duplicate; can we either eliminate it, or + improve the path? */ -- 1.8.5.3
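Review bot: Two label comments in the test_3 expectations appear to be swapped. The block under the second `/* "use after free of 'ptr'". */` (the 'false'/'false' path, events 1-5) ends in `(5) 'ptr' leaks here; was allocated at (1)`, while the block under `/* "leak of 'ptr'". */` (events 1-6) ends in `(6) here ('ptr' is in state 'free')`. Exchanging the two labels would make each comment name the diagnostic whose path it introduces, so a later regression in the leak or use-after-free report is traced to the right expectation. Most of test_3's body lies outside the hunk, so the pairing with its dg-warning lines is inferred from the event text alone.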