[analyzer] Malloc Checker: Report a leak when we are returning freed

memory.
(As per one test case, the existing checker thought that this could
cause a lot of false positives - not sure if that's valid, to be
verified.)

llvm-svn: 150313

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

@@ -760,10 +760,16 @@ void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const {
   const Expr *E = S->getRetValue();
   if (!E)
     return;
+
+  // Check if we are returning a symbol.
   SymbolRef Sym = C.getState()->getSVal(E, C.getLocationContext()).getAsSymbol();
   if (!Sym)
     return;
 
+  // Check if we are returning freed memory.
+  checkUseAfterFree(Sym, C, S);
+
+  // Check if the symbol is escaping.
   checkEscape(Sym, S, C);
 }
 

clang/test/Analysis/malloc-annotations.c

@@ -128,12 +128,10 @@ void af3() {
   free(p); // no-warning
 }
 
-// This case would inflict a double-free elsewhere.
-// However, this case is considered an analyzer bug since it causes false-positives.
 int * af4() {
   int *p = my_malloc(12);
   my_free(p);
-  return p; // no-warning
+  return p; // expected-warning{{Use of dynamically allocated}}
 }
 
 // This case is (possibly) ok, be conservative

clang/test/Analysis/malloc.c

@@ -251,6 +251,20 @@ void mallocFailedOrNot() {
 struct StructWithInt {
   int g;
 };
+
+int *mallocReturnFreed() {
+  int *p = malloc(12);
+  free(p);
+  return p; // expected-warning {{Use of dynamically allocated}}
+}
+
+int useAfterFreeStruct() {
+  struct StructWithInt *px= malloc(sizeof(struct StructWithInt));
+  px->g = 5;
+  free(px);
+  return px->g; // expected-warning {{Use of dynamically allocated}}
+}
+
 void nonSymbolAsFirstArg(int *pp, struct StructWithInt *p);
 
 void mallocEscapeFooNonSymbolArg() {