gcc-13.2.0/gcc/testsuite/gcc.dg/analyzer/CVE-2005-1689-minimal.c
       1  #include <stdlib.h>
       2  #include "analyzer-decls.h"
       3  
       /* Reduced buffer type for the tests below: only the pointer member
          that gets passed to free is kept.  The type name and the CVE id
          in the file name suggest it is modeled on the krb5_data type of
          MIT Kerberos; that original type is not shown in this file.  */
       4  typedef struct _krb5_data {
       5    char *data;
       6  } krb5_data;
       7  
       /* Baseline double free: the same pointer member is passed to free
          twice in a row.  The test directives expect a warning on the
          second call and a note pointing back at the first.

          INBUF is passed by value, so the function frees through its own
          copy of the pointer; the caller's struct still holds the same
          address after the call.  FLAG is not used here.  */
       8  void
       9  test_1 (krb5_data inbuf, int flag)
      10  {
      11    free(inbuf.data); /* { dg-message "first 'free' here" } */
      12    free(inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" } */
      13  }
      14  
      /* Path-dependent double free: the first free runs only when FLAG is
         non-zero, the second runs on every path.  The pointer is therefore
         freed twice only when FLAG != 0; the warning is expected on the
         unconditional call, with the conditional one reported as the
         first free.  */
      15  void
      16  test_2 (krb5_data inbuf, int flag)
      17  {
      18    if (flag) {
      19      free(inbuf.data); /* { dg-message "first 'free' here" } */
      20    }
      21    free(inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" } */
      22  }
      23  
      /* Same control flow as test_2, but each argument goes through a
         (char *) cast.  The member is already a char *, so the cast does
         not change the value; the expected diagnostic still names
         'inbuf.data', i.e. the cast must not hide the freed pointer from
         the check.  */
      24  void
      25  test_3 (krb5_data inbuf, int flag)
      26  {
      27    if (flag) {
      28      free((char *)inbuf.data); /* { dg-message "first 'free' here" } */
      29    }
      30    free((char *)inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" } */
      31  }
      32  
      /* Declared here but not defined in this file, so what it does with
         its argument cannot be seen from this translation unit.  The tests
         below appear to use it as a stand-in for a call into code the
         analyzer has no body for.  */
      33  extern void unknown_fn (void *);
      34  
      /* Double free after an opaque call that is given NULL.  No pointer
         into INBUF is passed to unknown_fn, and the two frees follow it
         back to back; the directives expect the double free to be
         reported as in test_1.  */
      35  void
      36  test_4 (krb5_data inbuf)
      37  {
      38    unknown_fn (NULL);
      39    free(inbuf.data); /* { dg-message "first 'free' here" } */
      40    free(inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" } */
      41  }
      42  
      /* Double free after the address of the whole struct has been handed
         to an opaque call.  There is no call between the two frees, so
         the second one still releases the pointer the first one released,
         and the warning is expected.

         The last directive in the body additionally checks the wording:
         the diagnostic must be about 'inbuf.data', not about 'inbuf'
         itself.  */
      43  void
      44  test_5 (krb5_data inbuf)
      45  {
      46    unknown_fn (&inbuf);
      47    free(inbuf.data); /* { dg-message "first 'free' here" } */
      48    free(inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" "inbuf.data" } */
      49    /* { dg-bogus "double-'free' of 'inbuf'" "inbuf" { target *-*-* } .-1 } */
      50  }
      51  
      /* Variant of krb5_data with an int member in front, so that the
         pointer is no longer the first member of the struct.  */
      52  typedef struct _padded_krb5_data {
      53    int pad;
      54    char *data;
      55  } padded_krb5_data;
      56  
      /* Double free on the padded struct after the address of the pointer
         member itself has been passed to an opaque call.  Both frees come
         after that single call, with casts as in test_3; the directives
         expect the second free to be reported against 'inbuf.data'.  */
      57  void
      58  test_6 (padded_krb5_data inbuf)
      59  {
      60    unknown_fn (&inbuf.data);
      61    free((char *)inbuf.data); /* { dg-message "first 'free' here" } */
      62    free((char *)inbuf.data); /* { dg-warning "double-'free' of 'inbuf.data'" "inbuf.data" } */
      63  }
      64  
      /* Negative case: every free is preceded by its own opaque call that
         receives the address of the pointer member.  The body carries no
         test directives, so no diagnostic is expected.  Presumably the
         analyzer assumes the callee may have stored a different pointer
         through the address it was given, so the second free is not known
         to release the same allocation as the first.

         NOTE(review): the absence of a warning here reflects what the
         analyzer can prove, not that the pattern is safe.  If the callee
         leaves the member unchanged, this is a real double free that goes
         unreported.  */
      65  void
      66  test_7 (padded_krb5_data inbuf)
      67  {
      68    unknown_fn (&inbuf.data);
      69    free((char *)inbuf.data);
      70  
      71    unknown_fn (&inbuf.data);
      72    free((char *)inbuf.data);  
      73  }
      74  
      /* Checks the analyzer's internal state count rather than a
         diagnostic about free.  The pointer is freed only when FLAG is
         non-zero, which gives two states at the first dump; after a
         further opaque call that receives the member's address, a single
         state is expected at the second dump.

         __analyzer_dump_exploded_nodes is not declared in this listing;
         presumably it comes from analyzer-decls.h.  */
      75  void
      76  test_8 (padded_krb5_data inbuf, int flag)
      77  {
      78    if (flag)
      79      {
      80        unknown_fn (&inbuf.data);
      81        free((char *)inbuf.data);
      82      }
      83    /* Should have two enodes, one for the explicit "freed" state, and one
      84       for the implicit "start" state.  */
      85    __analyzer_dump_exploded_nodes (0); /* { dg-warning "2 processed enodes" } */
      86  
      87    unknown_fn (&inbuf.data);
      88  
      89    /* Should have just one enode, for the implicit "start" state.  */
      90    __analyzer_dump_exploded_nodes (0); /* { dg-warning "1 processed enode" } */
      91  }