clang  9.0.0svn
MallocChecker.cpp
Go to the documentation of this file.
1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines malloc/free checker, which checks for potential memory
10 // leaks, double free, and use-after-free problems.
11 //
12 //===----------------------------------------------------------------------===//
13 
15 #include "InterCheckerAPI.h"
16 #include "clang/AST/Attr.h"
17 #include "clang/AST/ParentMap.h"
19 #include "clang/Basic/TargetInfo.h"
29 #include "llvm/ADT/STLExtras.h"
30 #include "llvm/ADT/SmallString.h"
31 #include "llvm/ADT/StringExtras.h"
32 #include "AllocationState.h"
33 #include <climits>
34 #include <utility>
35 
36 using namespace clang;
37 using namespace ento;
38 
39 namespace {
40 
41 // Used to check correspondence between allocators and deallocators.
43  AF_None,
44  AF_Malloc,
45  AF_CXXNew,
46  AF_CXXNewArray,
47  AF_IfNameIndex,
48  AF_Alloca,
49  AF_InnerBuffer
50 };
51 
52 class RefState {
53  enum Kind { // Reference to allocated memory.
54  Allocated,
55  // Reference to zero-allocated memory.
56  AllocatedOfSizeZero,
57  // Reference to released/freed memory.
58  Released,
59  // The responsibility for freeing resources has transferred from
60  // this reference. A relinquished symbol should not be freed.
61  Relinquished,
62  // We are no longer guaranteed to have observed all manipulations
63  // of this pointer/memory. For example, it could have been
64  // passed as a parameter to an opaque function.
65  Escaped
66  };
67 
68  const Stmt *S;
69  unsigned K : 3; // Kind enum, but stored as a bitfield.
70  unsigned Family : 29; // Rest of 32-bit word, currently just an allocation
71  // family.
72 
73  RefState(Kind k, const Stmt *s, unsigned family)
74  : S(s), K(k), Family(family) {
75  assert(family != AF_None);
76  }
77 public:
78  bool isAllocated() const { return K == Allocated; }
79  bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
80  bool isReleased() const { return K == Released; }
81  bool isRelinquished() const { return K == Relinquished; }
82  bool isEscaped() const { return K == Escaped; }
83  AllocationFamily getAllocationFamily() const {
84  return (AllocationFamily)Family;
85  }
86  const Stmt *getStmt() const { return S; }
87 
88  bool operator==(const RefState &X) const {
89  return K == X.K && S == X.S && Family == X.Family;
90  }
91 
92  static RefState getAllocated(unsigned family, const Stmt *s) {
93  return RefState(Allocated, s, family);
94  }
95  static RefState getAllocatedOfSizeZero(const RefState *RS) {
96  return RefState(AllocatedOfSizeZero, RS->getStmt(),
97  RS->getAllocationFamily());
98  }
99  static RefState getReleased(unsigned family, const Stmt *s) {
100  return RefState(Released, s, family);
101  }
102  static RefState getRelinquished(unsigned family, const Stmt *s) {
103  return RefState(Relinquished, s, family);
104  }
105  static RefState getEscaped(const RefState *RS) {
106  return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
107  }
108 
109  void Profile(llvm::FoldingSetNodeID &ID) const {
110  ID.AddInteger(K);
111  ID.AddPointer(S);
112  ID.AddInteger(Family);
113  }
114 
115  void dump(raw_ostream &OS) const {
116  switch (static_cast<Kind>(K)) {
117 #define CASE(ID) case ID: OS << #ID; break;
118  CASE(Allocated)
119  CASE(AllocatedOfSizeZero)
120  CASE(Released)
121  CASE(Relinquished)
122  CASE(Escaped)
123  }
124  }
125 
126  LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
127 };
128 
130  RPToBeFreedAfterFailure,
131  // The symbol has been freed when reallocation failed.
132  RPIsFreeOnFailure,
133  // The symbol does not need to be freed after reallocation fails.
134  RPDoNotTrackAfterFailure
135 };
136 
137 /// \class ReallocPair
138 /// Stores information about the symbol being reallocated by a call to
139 /// 'realloc' to allow modeling failed reallocation later in the path.
140 struct ReallocPair {
141  // The symbol which realloc reallocated.
142  SymbolRef ReallocatedSym;
144 
145  ReallocPair(SymbolRef S, ReallocPairKind K) :
146  ReallocatedSym(S), Kind(K) {}
147  void Profile(llvm::FoldingSetNodeID &ID) const {
148  ID.AddInteger(Kind);
149  ID.AddPointer(ReallocatedSym);
150  }
151  bool operator==(const ReallocPair &X) const {
152  return ReallocatedSym == X.ReallocatedSym &&
153  Kind == X.Kind;
154  }
155 };
156 
157 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo;
158 
159 class MallocChecker : public Checker<check::DeadSymbols,
160  check::PointerEscape,
161  check::ConstPointerEscape,
162  check::PreStmt<ReturnStmt>,
163  check::EndFunction,
164  check::PreCall,
165  check::PostStmt<CallExpr>,
166  check::PostStmt<CXXNewExpr>,
167  check::NewAllocator,
168  check::PreStmt<CXXDeleteExpr>,
169  check::PostStmt<BlockExpr>,
170  check::PostObjCMessage,
171  check::Location,
172  eval::Assume>
173 {
174 public:
175  MallocChecker()
176  : II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr),
177  II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),
178  II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),
179  II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr),
180  II_if_nameindex(nullptr), II_if_freenameindex(nullptr),
181  II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr),
182  II_g_malloc0(nullptr), II_g_realloc(nullptr), II_g_try_malloc(nullptr),
183  II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr),
184  II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr),
185  II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr),
186  II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr),
187  II_g_try_realloc_n(nullptr) {}
188 
189  /// In pessimistic mode, the checker assumes that it does not know which
190  /// functions might free the memory.
191  enum CheckKind {
192  CK_MallocChecker,
193  CK_NewDeleteChecker,
194  CK_NewDeleteLeaksChecker,
195  CK_MismatchedDeallocatorChecker,
196  CK_InnerPointerChecker,
197  CK_NumCheckKinds
198  };
199 
200  enum class MemoryOperationKind {
201  MOK_Allocate,
202  MOK_Free,
203  MOK_Any
204  };
205 
206  DefaultBool IsOptimistic;
207 
208  DefaultBool ChecksEnabled[CK_NumCheckKinds];
209  CheckName CheckNames[CK_NumCheckKinds];
210 
211  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
212  void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
213  void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
214  void checkNewAllocator(const CXXNewExpr *NE, SVal Target,
215  CheckerContext &C) const;
216  void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
217  void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
218  void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
219  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
220  void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
221  void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
222  ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
223  bool Assumption) const;
224  void checkLocation(SVal l, bool isLoad, const Stmt *S,
225  CheckerContext &C) const;
226 
227  ProgramStateRef checkPointerEscape(ProgramStateRef State,
228  const InvalidatedSymbols &Escaped,
229  const CallEvent *Call,
230  PointerEscapeKind Kind) const;
231  ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
232  const InvalidatedSymbols &Escaped,
233  const CallEvent *Call,
234  PointerEscapeKind Kind) const;
235 
236  void printState(raw_ostream &Out, ProgramStateRef State,
237  const char *NL, const char *Sep) const override;
238 
239 private:
240  mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
241  mutable std::unique_ptr<BugType> BT_DoubleDelete;
242  mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
243  mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
244  mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
245  mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
246  mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
247  mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
248  mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
249  mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free,
250  *II_realloc, *II_calloc, *II_valloc, *II_reallocf,
251  *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc,
252  *II_if_nameindex, *II_if_freenameindex, *II_wcsdup,
253  *II_win_wcsdup, *II_g_malloc, *II_g_malloc0,
254  *II_g_realloc, *II_g_try_malloc, *II_g_try_malloc0,
255  *II_g_try_realloc, *II_g_free, *II_g_memdup,
256  *II_g_malloc_n, *II_g_malloc0_n, *II_g_realloc_n,
257  *II_g_try_malloc_n, *II_g_try_malloc0_n,
258  *II_g_try_realloc_n;
259  mutable Optional<uint64_t> KernelZeroFlagVal;
260 
261  void initIdentifierInfo(ASTContext &C) const;
262 
263  /// Determine family of a deallocation expression.
264  AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const;
265 
266  /// Print names of allocators and deallocators.
267  ///
268  /// \returns true on success.
269  bool printAllocDeallocName(raw_ostream &os, CheckerContext &C,
270  const Expr *E) const;
271 
272  /// Print expected name of an allocator based on the deallocator's
273  /// family derived from the DeallocExpr.
274  void printExpectedAllocName(raw_ostream &os, CheckerContext &C,
275  const Expr *DeallocExpr) const;
276  /// Print expected name of a deallocator based on the allocator's
277  /// family.
278  void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const;
279 
280  ///@{
281  /// Check if this is one of the functions which can allocate/reallocate memory
282  /// pointed to by one of its arguments.
283  bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
284  bool isCMemFunction(const FunctionDecl *FD,
285  ASTContext &C,
286  AllocationFamily Family,
287  MemoryOperationKind MemKind) const;
288  bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;
289  ///@}
290 
291  /// Process C++ operator new()'s allocation, which is the part of C++
292  /// new-expression that goes before the constructor.
293  void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C,
294  SVal Target) const;
295 
296  /// Perform a zero-allocation check.
297  /// The optional \p RetVal parameter specifies the newly allocated pointer
298  /// value; if unspecified, the value of expression \p E is used.
299  ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E,
300  const unsigned AllocationSizeArg,
301  ProgramStateRef State,
302  Optional<SVal> RetVal = None) const;
303 
304  ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
305  const CallExpr *CE,
306  const OwnershipAttr* Att,
307  ProgramStateRef State) const;
308  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
309  const Expr *SizeEx, SVal Init,
310  ProgramStateRef State,
311  AllocationFamily Family = AF_Malloc);
312  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
313  SVal SizeEx, SVal Init,
314  ProgramStateRef State,
315  AllocationFamily Family = AF_Malloc);
316 
317  static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE,
318  ProgramStateRef State, SVal Target);
319 
320  // Check if this malloc() for special flags. At present that means M_ZERO or
321  // __GFP_ZERO (in which case, treat it like calloc).
323  performKernelMalloc(const CallExpr *CE, CheckerContext &C,
324  const ProgramStateRef &State) const;
325 
326  /// Update the RefState to reflect the new memory allocation.
327  /// The optional \p RetVal parameter specifies the newly allocated pointer
328  /// value; if unspecified, the value of expression \p E is used.
329  static ProgramStateRef
330  MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
331  AllocationFamily Family = AF_Malloc,
332  Optional<SVal> RetVal = None);
333 
334  ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE,
335  const OwnershipAttr* Att,
336  ProgramStateRef State) const;
337  ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
338  ProgramStateRef state, unsigned Num,
339  bool Hold,
340  bool &ReleasedAllocated,
341  bool ReturnsNullOnFailure = false) const;
342  ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg,
343  const Expr *ParentExpr,
344  ProgramStateRef State,
345  bool Hold,
346  bool &ReleasedAllocated,
347  bool ReturnsNullOnFailure = false) const;
348 
349  ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE,
350  bool FreesMemOnFailure,
351  ProgramStateRef State,
352  bool SuffixWithN = false) const;
353  static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
354  const Expr *BlockBytes);
355  static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,
356  ProgramStateRef State);
357 
358  /// Check if the memory associated with this symbol was released.
359  bool isReleased(SymbolRef Sym, CheckerContext &C) const;
360 
361  bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
362 
363  void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
364  const Stmt *S) const;
365 
366  bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
367 
368  /// Check if the function is known free memory, or if it is
369  /// "interesting" and should be modeled explicitly.
370  ///
371  /// \param [out] EscapingSymbol A function might not free memory in general,
372  /// but could be known to free a particular symbol. In this case, false is
373  /// returned and the single escaping symbol is returned through the out
374  /// parameter.
375  ///
376  /// We assume that pointers do not escape through calls to system functions
377  /// not handled by this checker.
378  bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
379  ProgramStateRef State,
380  SymbolRef &EscapingSymbol) const;
381 
382  // Implementation of the checkPointerEscape callbacks.
383  ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
384  const InvalidatedSymbols &Escaped,
385  const CallEvent *Call,
386  PointerEscapeKind Kind,
387  bool(*CheckRefState)(const RefState*)) const;
388 
389  // Implementation of the checkPreStmt and checkEndFunction callbacks.
390  void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
391 
392  ///@{
393  /// Tells if a given family/call/symbol is tracked by the current checker.
394  /// Sets CheckKind to the kind of the checker responsible for this
395  /// family/call/symbol.
396  Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
397  bool IsALeakCheck = false) const;
398  Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
399  const Stmt *AllocDeallocStmt,
400  bool IsALeakCheck = false) const;
401  Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
402  bool IsALeakCheck = false) const;
403  ///@}
404  static bool SummarizeValue(raw_ostream &os, SVal V);
405  static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
406  void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
407  const Expr *DeallocExpr) const;
408  void ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
409  SourceRange Range) const;
410  void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
411  const Expr *DeallocExpr, const RefState *RS,
412  SymbolRef Sym, bool OwnershipTransferred) const;
413  void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
414  const Expr *DeallocExpr,
415  const Expr *AllocExpr = nullptr) const;
416  void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
417  SymbolRef Sym) const;
418  void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
419  SymbolRef Sym, SymbolRef PrevSym) const;
420 
421  void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
422 
423  void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range,
424  SymbolRef Sym) const;
425 
426  void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
427  SourceRange Range, const Expr *FreeExpr) const;
428 
429  /// Find the location of the allocation for Sym on the path leading to the
430  /// exploded node N.
431  LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
432  CheckerContext &C) const;
433 
434  void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
435 
436  /// The bug visitor which allows us to print extra diagnostics along the
437  /// BugReport path. For example, showing the allocation site of the leaked
438  /// region.
439  class MallocBugVisitor final : public BugReporterVisitor {
440  protected:
441  enum NotificationMode {
442  Normal,
443  ReallocationFailed
444  };
445 
446  // The allocated region symbol tracked by the main analysis.
447  SymbolRef Sym;
448 
449  // The mode we are in, i.e. what kind of diagnostics will be emitted.
450  NotificationMode Mode;
451 
452  // A symbol from when the primary region should have been reallocated.
453  SymbolRef FailedReallocSymbol;
454 
455  // A C++ destructor stack frame in which memory was released. Used for
456  // miscellaneous false positive suppression.
457  const StackFrameContext *ReleaseDestructorLC;
458 
459  bool IsLeak;
460 
461  public:
462  MallocBugVisitor(SymbolRef S, bool isLeak = false)
463  : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
464  ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
465 
466  static void *getTag() {
467  static int Tag = 0;
468  return &Tag;
469  }
470 
471  void Profile(llvm::FoldingSetNodeID &ID) const override {
472  ID.AddPointer(getTag());
473  ID.AddPointer(Sym);
474  }
475 
476  inline bool isAllocated(const RefState *S, const RefState *SPrev,
477  const Stmt *Stmt) {
478  // Did not track -> allocated. Other state (released) -> allocated.
479  return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) &&
480  (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
481  (!SPrev || !(SPrev->isAllocated() ||
482  SPrev->isAllocatedOfSizeZero())));
483  }
484 
485  inline bool isReleased(const RefState *S, const RefState *SPrev,
486  const Stmt *Stmt) {
487  // Did not track -> released. Other state (allocated) -> released.
488  // The statement associated with the release might be missing.
489  bool IsReleased = (S && S->isReleased()) &&
490  (!SPrev || !SPrev->isReleased());
491  assert(!IsReleased ||
492  (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) ||
493  (!Stmt && S->getAllocationFamily() == AF_InnerBuffer));
494  return IsReleased;
495  }
496 
497  inline bool isRelinquished(const RefState *S, const RefState *SPrev,
498  const Stmt *Stmt) {
499  // Did not track -> relinquished. Other state (allocated) -> relinquished.
500  return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) ||
501  isa<ObjCPropertyRefExpr>(Stmt)) &&
502  (S && S->isRelinquished()) &&
503  (!SPrev || !SPrev->isRelinquished()));
504  }
505 
506  inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev,
507  const Stmt *Stmt) {
508  // If the expression is not a call, and the state change is
509  // released -> allocated, it must be the realloc return value
510  // check. If we have to handle more cases here, it might be cleaner just
511  // to track this extra bit in the state itself.
512  return ((!Stmt || !isa<CallExpr>(Stmt)) &&
513  (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
514  (SPrev && !(SPrev->isAllocated() ||
515  SPrev->isAllocatedOfSizeZero())));
516  }
517 
518  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
519  BugReporterContext &BRC,
520  BugReport &BR) override;
521 
522  std::shared_ptr<PathDiagnosticPiece>
523  getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode,
524  BugReport &BR) override {
525  if (!IsLeak)
526  return nullptr;
527 
528  PathDiagnosticLocation L =
530  BRC.getSourceManager());
531  // Do not add the statement itself as a range in case of leak.
532  return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(),
533  false);
534  }
535 
536  private:
537  class StackHintGeneratorForReallocationFailed
538  : public StackHintGeneratorForSymbol {
539  public:
540  StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
541  : StackHintGeneratorForSymbol(S, M) {}
542 
543  std::string getMessageForArg(const Expr *ArgE,
544  unsigned ArgIndex) override {
545  // Printed parameters start at 1, not 0.
546  ++ArgIndex;
547 
548  SmallString<200> buf;
549  llvm::raw_svector_ostream os(buf);
550 
551  os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
552  << " parameter failed";
553 
554  return os.str();
555  }
556 
557  std::string getMessageForReturn(const CallExpr *CallExpr) override {
558  return "Reallocation of returned value failed";
559  }
560  };
561  };
562 };
563 } // end anonymous namespace
564 
565 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
566 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
567 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
568 
569 // A map from the freed symbol to the symbol representing the return value of
570 // the free function.
572 
573 namespace {
574 class StopTrackingCallback final : public SymbolVisitor {
576 public:
577  StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
578  ProgramStateRef getState() const { return state; }
579 
580  bool VisitSymbol(SymbolRef sym) override {
581  state = state->remove<RegionState>(sym);
582  return true;
583  }
584 };
585 } // end anonymous namespace
586 
587 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
588  if (II_malloc)
589  return;
590  II_alloca = &Ctx.Idents.get("alloca");
591  II_malloc = &Ctx.Idents.get("malloc");
592  II_free = &Ctx.Idents.get("free");
593  II_realloc = &Ctx.Idents.get("realloc");
594  II_reallocf = &Ctx.Idents.get("reallocf");
595  II_calloc = &Ctx.Idents.get("calloc");
596  II_valloc = &Ctx.Idents.get("valloc");
597  II_strdup = &Ctx.Idents.get("strdup");
598  II_strndup = &Ctx.Idents.get("strndup");
599  II_wcsdup = &Ctx.Idents.get("wcsdup");
600  II_kmalloc = &Ctx.Idents.get("kmalloc");
601  II_if_nameindex = &Ctx.Idents.get("if_nameindex");
602  II_if_freenameindex = &Ctx.Idents.get("if_freenameindex");
603 
604  //MSVC uses `_`-prefixed instead, so we check for them too.
605  II_win_strdup = &Ctx.Idents.get("_strdup");
606  II_win_wcsdup = &Ctx.Idents.get("_wcsdup");
607  II_win_alloca = &Ctx.Idents.get("_alloca");
608 
609  // Glib
610  II_g_malloc = &Ctx.Idents.get("g_malloc");
611  II_g_malloc0 = &Ctx.Idents.get("g_malloc0");
612  II_g_realloc = &Ctx.Idents.get("g_realloc");
613  II_g_try_malloc = &Ctx.Idents.get("g_try_malloc");
614  II_g_try_malloc0 = &Ctx.Idents.get("g_try_malloc0");
615  II_g_try_realloc = &Ctx.Idents.get("g_try_realloc");
616  II_g_free = &Ctx.Idents.get("g_free");
617  II_g_memdup = &Ctx.Idents.get("g_memdup");
618  II_g_malloc_n = &Ctx.Idents.get("g_malloc_n");
619  II_g_malloc0_n = &Ctx.Idents.get("g_malloc0_n");
620  II_g_realloc_n = &Ctx.Idents.get("g_realloc_n");
621  II_g_try_malloc_n = &Ctx.Idents.get("g_try_malloc_n");
622  II_g_try_malloc0_n = &Ctx.Idents.get("g_try_malloc0_n");
623  II_g_try_realloc_n = &Ctx.Idents.get("g_try_realloc_n");
624 }
625 
626 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const {
627  if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any))
628  return true;
629 
630  if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
631  return true;
632 
633  if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any))
634  return true;
635 
636  if (isStandardNewDelete(FD, C))
637  return true;
638 
639  return false;
640 }
641 
642 bool MallocChecker::isCMemFunction(const FunctionDecl *FD,
643  ASTContext &C,
644  AllocationFamily Family,
645  MemoryOperationKind MemKind) const {
646  if (!FD)
647  return false;
648 
649  bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any ||
650  MemKind == MemoryOperationKind::MOK_Free);
651  bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any ||
652  MemKind == MemoryOperationKind::MOK_Allocate);
653 
654  if (FD->getKind() == Decl::Function) {
655  const IdentifierInfo *FunI = FD->getIdentifier();
656  initIdentifierInfo(C);
657 
658  if (Family == AF_Malloc && CheckFree) {
659  if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf ||
660  FunI == II_g_free)
661  return true;
662  }
663 
664  if (Family == AF_Malloc && CheckAlloc) {
665  if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf ||
666  FunI == II_calloc || FunI == II_valloc || FunI == II_strdup ||
667  FunI == II_win_strdup || FunI == II_strndup || FunI == II_wcsdup ||
668  FunI == II_win_wcsdup || FunI == II_kmalloc ||
669  FunI == II_g_malloc || FunI == II_g_malloc0 ||
670  FunI == II_g_realloc || FunI == II_g_try_malloc ||
671  FunI == II_g_try_malloc0 || FunI == II_g_try_realloc ||
672  FunI == II_g_memdup || FunI == II_g_malloc_n ||
673  FunI == II_g_malloc0_n || FunI == II_g_realloc_n ||
674  FunI == II_g_try_malloc_n || FunI == II_g_try_malloc0_n ||
675  FunI == II_g_try_realloc_n)
676  return true;
677  }
678 
679  if (Family == AF_IfNameIndex && CheckFree) {
680  if (FunI == II_if_freenameindex)
681  return true;
682  }
683 
684  if (Family == AF_IfNameIndex && CheckAlloc) {
685  if (FunI == II_if_nameindex)
686  return true;
687  }
688 
689  if (Family == AF_Alloca && CheckAlloc) {
690  if (FunI == II_alloca || FunI == II_win_alloca)
691  return true;
692  }
693  }
694 
695  if (Family != AF_Malloc)
696  return false;
697 
698  if (IsOptimistic && FD->hasAttrs()) {
699  for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
700  OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
701  if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) {
702  if (CheckFree)
703  return true;
704  } else if (OwnKind == OwnershipAttr::Returns) {
705  if (CheckAlloc)
706  return true;
707  }
708  }
709  }
710 
711  return false;
712 }
713 
714 // Tells if the callee is one of the builtin new/delete operators, including
715 // placement operators and other standard overloads.
716 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD,
717  ASTContext &C) const {
718  if (!FD)
719  return false;
720 
722  if (Kind != OO_New && Kind != OO_Array_New &&
723  Kind != OO_Delete && Kind != OO_Array_Delete)
724  return false;
725 
726  // This is standard if and only if it's not defined in a user file.
727  SourceLocation L = FD->getLocation();
728  // If the header for operator delete is not included, it's still defined
729  // in an invalid source location. Check to make sure we don't crash.
730  return !L.isValid() || C.getSourceManager().isInSystemHeader(L);
731 }
732 
733 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc(
734  const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const {
735  // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
736  //
737  // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
738  //
739  // One of the possible flags is M_ZERO, which means 'give me back an
740  // allocation which is already zeroed', like calloc.
741 
742  // 2-argument kmalloc(), as used in the Linux kernel:
743  //
744  // void *kmalloc(size_t size, gfp_t flags);
745  //
746  // Has the similar flag value __GFP_ZERO.
747 
748  // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
749  // code could be shared.
750 
751  ASTContext &Ctx = C.getASTContext();
752  llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
753 
754  if (!KernelZeroFlagVal.hasValue()) {
755  if (OS == llvm::Triple::FreeBSD)
756  KernelZeroFlagVal = 0x0100;
757  else if (OS == llvm::Triple::NetBSD)
758  KernelZeroFlagVal = 0x0002;
759  else if (OS == llvm::Triple::OpenBSD)
760  KernelZeroFlagVal = 0x0008;
761  else if (OS == llvm::Triple::Linux)
762  // __GFP_ZERO
763  KernelZeroFlagVal = 0x8000;
764  else
765  // FIXME: We need a more general way of getting the M_ZERO value.
766  // See also: O_CREAT in UnixAPIChecker.cpp.
767 
768  // Fall back to normal malloc behavior on platforms where we don't
769  // know M_ZERO.
770  return None;
771  }
772 
773  // We treat the last argument as the flags argument, and callers fall-back to
774  // normal malloc on a None return. This works for the FreeBSD kernel malloc
775  // as well as Linux kmalloc.
776  if (CE->getNumArgs() < 2)
777  return None;
778 
779  const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1);
780  const SVal V = C.getSVal(FlagsEx);
781  if (!V.getAs<NonLoc>()) {
782  // The case where 'V' can be a location can only be due to a bad header,
783  // so in this case bail out.
784  return None;
785  }
786 
787  NonLoc Flags = V.castAs<NonLoc>();
788  NonLoc ZeroFlag = C.getSValBuilder()
789  .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType())
790  .castAs<NonLoc>();
791  SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And,
792  Flags, ZeroFlag,
793  FlagsEx->getType());
794  if (MaskedFlagsUC.isUnknownOrUndef())
795  return None;
796  DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
797 
798  // Check if maskedFlags is non-zero.
799  ProgramStateRef TrueState, FalseState;
800  std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
801 
802  // If M_ZERO is set, treat this like calloc (initialized).
803  if (TrueState && !FalseState) {
804  SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
805  return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState);
806  }
807 
808  return None;
809 }
810 
811 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
812  const Expr *BlockBytes) {
813  SValBuilder &SB = C.getSValBuilder();
814  SVal BlocksVal = C.getSVal(Blocks);
815  SVal BlockBytesVal = C.getSVal(BlockBytes);
816  ProgramStateRef State = C.getState();
817  SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
818  SB.getContext().getSizeType());
819  return TotalSize;
820 }
821 
822 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
823  if (C.wasInlined)
824  return;
825 
826  const FunctionDecl *FD = C.getCalleeDecl(CE);
827  if (!FD)
828  return;
829 
830  ProgramStateRef State = C.getState();
831  bool ReleasedAllocatedMemory = false;
832 
833  if (FD->getKind() == Decl::Function) {
834  initIdentifierInfo(C.getASTContext());
835  IdentifierInfo *FunI = FD->getIdentifier();
836 
837  if (FunI == II_malloc || FunI == II_g_malloc || FunI == II_g_try_malloc) {
838  if (CE->getNumArgs() < 1)
839  return;
840  if (CE->getNumArgs() < 3) {
841  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
842  if (CE->getNumArgs() == 1)
843  State = ProcessZeroAllocation(C, CE, 0, State);
844  } else if (CE->getNumArgs() == 3) {
846  performKernelMalloc(CE, C, State);
847  if (MaybeState.hasValue())
848  State = MaybeState.getValue();
849  else
850  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
851  }
852  } else if (FunI == II_kmalloc) {
853  if (CE->getNumArgs() < 1)
854  return;
856  performKernelMalloc(CE, C, State);
857  if (MaybeState.hasValue())
858  State = MaybeState.getValue();
859  else
860  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
861  } else if (FunI == II_valloc) {
862  if (CE->getNumArgs() < 1)
863  return;
864  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
865  State = ProcessZeroAllocation(C, CE, 0, State);
866  } else if (FunI == II_realloc || FunI == II_g_realloc ||
867  FunI == II_g_try_realloc) {
868  State = ReallocMemAux(C, CE, false, State);
869  State = ProcessZeroAllocation(C, CE, 1, State);
870  } else if (FunI == II_reallocf) {
871  State = ReallocMemAux(C, CE, true, State);
872  State = ProcessZeroAllocation(C, CE, 1, State);
873  } else if (FunI == II_calloc) {
874  State = CallocMem(C, CE, State);
875  State = ProcessZeroAllocation(C, CE, 0, State);
876  State = ProcessZeroAllocation(C, CE, 1, State);
877  } else if (FunI == II_free || FunI == II_g_free) {
878  State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
879  } else if (FunI == II_strdup || FunI == II_win_strdup ||
880  FunI == II_wcsdup || FunI == II_win_wcsdup) {
881  State = MallocUpdateRefState(C, CE, State);
882  } else if (FunI == II_strndup) {
883  State = MallocUpdateRefState(C, CE, State);
884  } else if (FunI == II_alloca || FunI == II_win_alloca) {
885  if (CE->getNumArgs() < 1)
886  return;
887  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
888  AF_Alloca);
889  State = ProcessZeroAllocation(C, CE, 0, State);
890  } else if (isStandardNewDelete(FD, C.getASTContext())) {
891  // Process direct calls to operator new/new[]/delete/delete[] functions
892  // as distinct from new/new[]/delete/delete[] expressions that are
893  // processed by the checkPostStmt callbacks for CXXNewExpr and
894  // CXXDeleteExpr.
896  if (K == OO_New) {
897  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
898  AF_CXXNew);
899  State = ProcessZeroAllocation(C, CE, 0, State);
900  }
901  else if (K == OO_Array_New) {
902  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
903  AF_CXXNewArray);
904  State = ProcessZeroAllocation(C, CE, 0, State);
905  }
906  else if (K == OO_Delete || K == OO_Array_Delete)
907  State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
908  else
909  llvm_unreachable("not a new/delete operator");
910  } else if (FunI == II_if_nameindex) {
911  // Should we model this differently? We can allocate a fixed number of
912  // elements with zeros in the last one.
913  State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
914  AF_IfNameIndex);
915  } else if (FunI == II_if_freenameindex) {
916  State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
917  } else if (FunI == II_g_malloc0 || FunI == II_g_try_malloc0) {
918  if (CE->getNumArgs() < 1)
919  return;
920  SValBuilder &svalBuilder = C.getSValBuilder();
921  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
922  State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State);
923  State = ProcessZeroAllocation(C, CE, 0, State);
924  } else if (FunI == II_g_memdup) {
925  if (CE->getNumArgs() < 2)
926  return;
927  State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State);
928  State = ProcessZeroAllocation(C, CE, 1, State);
929  } else if (FunI == II_g_malloc_n || FunI == II_g_try_malloc_n ||
930  FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
931  if (CE->getNumArgs() < 2)
932  return;
933  SVal Init = UndefinedVal();
934  if (FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
935  SValBuilder &SB = C.getSValBuilder();
936  Init = SB.makeZeroVal(SB.getContext().CharTy);
937  }
938  SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
939  State = MallocMemAux(C, CE, TotalSize, Init, State);
940  State = ProcessZeroAllocation(C, CE, 0, State);
941  State = ProcessZeroAllocation(C, CE, 1, State);
942  } else if (FunI == II_g_realloc_n || FunI == II_g_try_realloc_n) {
943  if (CE->getNumArgs() < 3)
944  return;
945  State = ReallocMemAux(C, CE, false, State, true);
946  State = ProcessZeroAllocation(C, CE, 1, State);
947  State = ProcessZeroAllocation(C, CE, 2, State);
948  }
949  }
950 
951  if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
952  // Check all the attributes, if there are any.
953  // There can be multiple of these attributes.
954  if (FD->hasAttrs())
955  for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
956  switch (I->getOwnKind()) {
957  case OwnershipAttr::Returns:
958  State = MallocMemReturnsAttr(C, CE, I, State);
959  break;
960  case OwnershipAttr::Takes:
961  case OwnershipAttr::Holds:
962  State = FreeMemAttr(C, CE, I, State);
963  break;
964  }
965  }
966  }
967  C.addTransition(State);
968 }
969 
970 // Performs a 0-sized allocations check.
971 ProgramStateRef MallocChecker::ProcessZeroAllocation(
972  CheckerContext &C, const Expr *E, const unsigned AllocationSizeArg,
973  ProgramStateRef State, Optional<SVal> RetVal) const {
974  if (!State)
975  return nullptr;
976 
977  if (!RetVal)
978  RetVal = C.getSVal(E);
979 
980  const Expr *Arg = nullptr;
981 
982  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
983  Arg = CE->getArg(AllocationSizeArg);
984  }
985  else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
986  if (NE->isArray())
987  Arg = NE->getArraySize();
988  else
989  return State;
990  }
991  else
992  llvm_unreachable("not a CallExpr or CXXNewExpr");
993 
994  assert(Arg);
995 
996  Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>();
997 
998  if (!DefArgVal)
999  return State;
1000 
1001  // Check if the allocation size is 0.
1002  ProgramStateRef TrueState, FalseState;
1003  SValBuilder &SvalBuilder = C.getSValBuilder();
1004  DefinedSVal Zero =
1005  SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
1006 
1007  std::tie(TrueState, FalseState) =
1008  State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1009 
1010  if (TrueState && !FalseState) {
1011  SymbolRef Sym = RetVal->getAsLocSymbol();
1012  if (!Sym)
1013  return State;
1014 
1015  const RefState *RS = State->get<RegionState>(Sym);
1016  if (RS) {
1017  if (RS->isAllocated())
1018  return TrueState->set<RegionState>(Sym,
1019  RefState::getAllocatedOfSizeZero(RS));
1020  else
1021  return State;
1022  } else {
1023  // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1024  // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1025  // tracked. Add zero-reallocated Sym to the state to catch references
1026  // to zero-allocated memory.
1027  return TrueState->add<ReallocSizeZeroSymbols>(Sym);
1028  }
1029  }
1030 
1031  // Assume the value is non-zero going forward.
1032  assert(FalseState);
1033  return FalseState;
1034 }
1035 
1037  QualType Result = T, PointeeType = T->getPointeeType();
1038  while (!PointeeType.isNull()) {
1039  Result = PointeeType;
1040  PointeeType = PointeeType->getPointeeType();
1041  }
1042  return Result;
1043 }
1044 
1045 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) {
1046 
1047  const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1048  if (!ConstructE)
1049  return false;
1050 
1051  if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1052  return false;
1053 
1054  const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1055 
1056  // Iterate over the constructor parameters.
1057  for (const auto *CtorParam : CtorD->parameters()) {
1058 
1059  QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1060  if (CtorParamPointeeT.isNull())
1061  continue;
1062 
1063  CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1064 
1065  if (CtorParamPointeeT->getAsCXXRecordDecl())
1066  return true;
1067  }
1068 
1069  return false;
1070 }
1071 
1072 void MallocChecker::processNewAllocation(const CXXNewExpr *NE,
1073  CheckerContext &C,
1074  SVal Target) const {
1075  if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext()))
1076  return;
1077 
1078  ParentMap &PM = C.getLocationContext()->getParentMap();
1079  if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE))
1080  return;
1081 
1082  ProgramStateRef State = C.getState();
1083  // The return value from operator new is bound to a specified initialization
1084  // value (if any) and we don't want to loose this value. So we call
1085  // MallocUpdateRefState() instead of MallocMemAux() which breaks the
1086  // existing binding.
1087  State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray
1088  : AF_CXXNew, Target);
1089  State = addExtentSize(C, NE, State, Target);
1090  State = ProcessZeroAllocation(C, NE, 0, State, Target);
1091  C.addTransition(State);
1092 }
1093 
1094 void MallocChecker::checkPostStmt(const CXXNewExpr *NE,
1095  CheckerContext &C) const {
1096  if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator)
1097  processNewAllocation(NE, C, C.getSVal(NE));
1098 }
1099 
1100 void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target,
1101  CheckerContext &C) const {
1102  if (!C.wasInlined)
1103  processNewAllocation(NE, C, Target);
1104 }
1105 
1106 // Sets the extent value of the MemRegion allocated by
1107 // new expression NE to its size in Bytes.
1108 //
1109 ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
1110  const CXXNewExpr *NE,
1112  SVal Target) {
1113  if (!State)
1114  return nullptr;
1115  SValBuilder &svalBuilder = C.getSValBuilder();
1116  SVal ElementCount;
1117  const SubRegion *Region;
1118  if (NE->isArray()) {
1119  const Expr *SizeExpr = NE->getArraySize();
1120  ElementCount = C.getSVal(SizeExpr);
1121  // Store the extent size for the (symbolic)region
1122  // containing the elements.
1123  Region = Target.getAsRegion()
1124  ->getAs<SubRegion>()
1125  ->StripCasts()
1126  ->getAs<SubRegion>();
1127  } else {
1128  ElementCount = svalBuilder.makeIntVal(1, true);
1129  Region = Target.getAsRegion()->getAs<SubRegion>();
1130  }
1131  assert(Region);
1132 
1133  // Set the region's extent equal to the Size in Bytes.
1134  QualType ElementType = NE->getAllocatedType();
1135  ASTContext &AstContext = C.getASTContext();
1136  CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType);
1137 
1138  if (ElementCount.getAs<NonLoc>()) {
1139  DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder);
1140  // size in Bytes = ElementCount*TypeSize
1141  SVal SizeInBytes = svalBuilder.evalBinOpNN(
1142  State, BO_Mul, ElementCount.castAs<NonLoc>(),
1143  svalBuilder.makeArrayIndex(TypeSize.getQuantity()),
1144  svalBuilder.getArrayIndexType());
1145  DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ(
1146  State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>());
1147  State = State->assume(extentMatchesSize, true);
1148  }
1149  return State;
1150 }
1151 
1152 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
1153  CheckerContext &C) const {
1154 
1155  if (!ChecksEnabled[CK_NewDeleteChecker])
1156  if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
1157  checkUseAfterFree(Sym, C, DE->getArgument());
1158 
1159  if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext()))
1160  return;
1161 
1162  ProgramStateRef State = C.getState();
1163  bool ReleasedAllocated;
1164  State = FreeMemAux(C, DE->getArgument(), DE, State,
1165  /*Hold*/false, ReleasedAllocated);
1166 
1167  C.addTransition(State);
1168 }
1169 
1171  // If the first selector piece is one of the names below, assume that the
1172  // object takes ownership of the memory, promising to eventually deallocate it
1173  // with free().
1174  // Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1175  // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1176  StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
1177  return FirstSlot == "dataWithBytesNoCopy" ||
1178  FirstSlot == "initWithBytesNoCopy" ||
1179  FirstSlot == "initWithCharactersNoCopy";
1180 }
1181 
1183  Selector S = Call.getSelector();
1184 
1185  // FIXME: We should not rely on fully-constrained symbols being folded.
1186  for (unsigned i = 1; i < S.getNumArgs(); ++i)
1187  if (S.getNameForSlot(i).equals("freeWhenDone"))
1188  return !Call.getArgSVal(i).isZeroConstant();
1189 
1190  return None;
1191 }
1192 
1193 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1194  CheckerContext &C) const {
1195  if (C.wasInlined)
1196  return;
1197 
1198  if (!isKnownDeallocObjCMethodName(Call))
1199  return;
1200 
1201  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1202  if (!*FreeWhenDone)
1203  return;
1204 
1205  bool ReleasedAllocatedMemory;
1206  ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0),
1207  Call.getOriginExpr(), C.getState(),
1208  /*Hold=*/true, ReleasedAllocatedMemory,
1209  /*RetNullOnFailure=*/true);
1210 
1211  C.addTransition(State);
1212 }
1213 
1215 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
1216  const OwnershipAttr *Att,
1217  ProgramStateRef State) const {
1218  if (!State)
1219  return nullptr;
1220 
1221  if (Att->getModule() != II_malloc)
1222  return nullptr;
1223 
1224  OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
1225  if (I != E) {
1226  return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(),
1227  State);
1228  }
1229  return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State);
1230 }
1231 
1232 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1233  const CallExpr *CE,
1234  const Expr *SizeEx, SVal Init,
1236  AllocationFamily Family) {
1237  if (!State)
1238  return nullptr;
1239 
1240  return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family);
1241 }
1242 
1243 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1244  const CallExpr *CE,
1245  SVal Size, SVal Init,
1247  AllocationFamily Family) {
1248  if (!State)
1249  return nullptr;
1250 
1251  // We expect the malloc functions to return a pointer.
1252  if (!Loc::isLocType(CE->getType()))
1253  return nullptr;
1254 
1255  // Bind the return value to the symbolic value from the heap region.
1256  // TODO: We could rewrite post visit to eval call; 'malloc' does not have
1257  // side effects other than what we model here.
1258  unsigned Count = C.blockCount();
1259  SValBuilder &svalBuilder = C.getSValBuilder();
1260  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1261  DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
1262  .castAs<DefinedSVal>();
1263  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1264 
1265  // Fill the region with the initialization value.
1266  State = State->bindDefaultInitial(RetVal, Init, LCtx);
1267 
1268  // Set the region's extent equal to the Size parameter.
1269  const SymbolicRegion *R =
1270  dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
1271  if (!R)
1272  return nullptr;
1273  if (Optional<DefinedOrUnknownSVal> DefinedSize =
1274  Size.getAs<DefinedOrUnknownSVal>()) {
1275  SValBuilder &svalBuilder = C.getSValBuilder();
1276  DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
1277  DefinedOrUnknownSVal extentMatchesSize =
1278  svalBuilder.evalEQ(State, Extent, *DefinedSize);
1279 
1280  State = State->assume(extentMatchesSize, true);
1281  assert(State);
1282  }
1283 
1284  return MallocUpdateRefState(C, CE, State, Family);
1285 }
1286 
1287 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
1288  const Expr *E,
1290  AllocationFamily Family,
1291  Optional<SVal> RetVal) {
1292  if (!State)
1293  return nullptr;
1294 
1295  // Get the return value.
1296  if (!RetVal)
1297  RetVal = C.getSVal(E);
1298 
1299  // We expect the malloc functions to return a pointer.
1300  if (!RetVal->getAs<Loc>())
1301  return nullptr;
1302 
1303  SymbolRef Sym = RetVal->getAsLocSymbol();
1304  // This is a return value of a function that was not inlined, such as malloc()
1305  // or new(). We've checked that in the caller. Therefore, it must be a symbol.
1306  assert(Sym);
1307 
1308  // Set the symbol's state to Allocated.
1309  return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1310 }
1311 
1312 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1313  const CallExpr *CE,
1314  const OwnershipAttr *Att,
1315  ProgramStateRef State) const {
1316  if (!State)
1317  return nullptr;
1318 
1319  if (Att->getModule() != II_malloc)
1320  return nullptr;
1321 
1322  bool ReleasedAllocated = false;
1323 
1324  for (const auto &Arg : Att->args()) {
1325  ProgramStateRef StateI = FreeMemAux(
1326  C, CE, State, Arg.getASTIndex(),
1327  Att->getOwnKind() == OwnershipAttr::Holds, ReleasedAllocated);
1328  if (StateI)
1329  State = StateI;
1330  }
1331  return State;
1332 }
1333 
1334 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1335  const CallExpr *CE,
1337  unsigned Num,
1338  bool Hold,
1339  bool &ReleasedAllocated,
1340  bool ReturnsNullOnFailure) const {
1341  if (!State)
1342  return nullptr;
1343 
1344  if (CE->getNumArgs() < (Num + 1))
1345  return nullptr;
1346 
1347  return FreeMemAux(C, CE->getArg(Num), CE, State, Hold,
1348  ReleasedAllocated, ReturnsNullOnFailure);
1349 }
1350 
1351 /// Checks if the previous call to free on the given symbol failed - if free
1352 /// failed, returns true. Also, returns the corresponding return value symbol.
1354  SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1355  const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
1356  if (Ret) {
1357  assert(*Ret && "We should not store the null return symbol");
1358  ConstraintManager &CMgr = State->getConstraintManager();
1359  ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
1360  RetStatusSymbol = *Ret;
1361  return FreeFailed.isConstrainedTrue();
1362  }
1363  return false;
1364 }
1365 
1366 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C,
1367  const Stmt *S) const {
1368  if (!S)
1369  return AF_None;
1370 
1371  if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
1372  const FunctionDecl *FD = C.getCalleeDecl(CE);
1373 
1374  if (!FD)
1375  FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl());
1376 
1377  ASTContext &Ctx = C.getASTContext();
1378 
1379  if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any))
1380  return AF_Malloc;
1381 
1382  if (isStandardNewDelete(FD, Ctx)) {
1384  if (Kind == OO_New || Kind == OO_Delete)
1385  return AF_CXXNew;
1386  else if (Kind == OO_Array_New || Kind == OO_Array_Delete)
1387  return AF_CXXNewArray;
1388  }
1389 
1390  if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
1391  return AF_IfNameIndex;
1392 
1393  if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any))
1394  return AF_Alloca;
1395 
1396  return AF_None;
1397  }
1398 
1399  if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S))
1400  return NE->isArray() ? AF_CXXNewArray : AF_CXXNew;
1401 
1402  if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S))
1403  return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew;
1404 
1405  if (isa<ObjCMessageExpr>(S))
1406  return AF_Malloc;
1407 
1408  return AF_None;
1409 }
1410 
1411 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C,
1412  const Expr *E) const {
1413  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
1414  // FIXME: This doesn't handle indirect calls.
1415  const FunctionDecl *FD = CE->getDirectCallee();
1416  if (!FD)
1417  return false;
1418 
1419  os << *FD;
1420  if (!FD->isOverloadedOperator())
1421  os << "()";
1422  return true;
1423  }
1424 
1425  if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) {
1426  if (Msg->isInstanceMessage())
1427  os << "-";
1428  else
1429  os << "+";
1430  Msg->getSelector().print(os);
1431  return true;
1432  }
1433 
1434  if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
1435  os << "'"
1437  << "'";
1438  return true;
1439  }
1440 
1441  if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) {
1442  os << "'"
1444  << "'";
1445  return true;
1446  }
1447 
1448  return false;
1449 }
1450 
1451 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C,
1452  const Expr *E) const {
1453  AllocationFamily Family = getAllocationFamily(C, E);
1454 
1455  switch(Family) {
1456  case AF_Malloc: os << "malloc()"; return;
1457  case AF_CXXNew: os << "'new'"; return;
1458  case AF_CXXNewArray: os << "'new[]'"; return;
1459  case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1460  case AF_InnerBuffer: os << "container-specific allocator"; return;
1461  case AF_Alloca:
1462  case AF_None: llvm_unreachable("not a deallocation expression");
1463  }
1464 }
1465 
1466 void MallocChecker::printExpectedDeallocName(raw_ostream &os,
1467  AllocationFamily Family) const {
1468  switch(Family) {
1469  case AF_Malloc: os << "free()"; return;
1470  case AF_CXXNew: os << "'delete'"; return;
1471  case AF_CXXNewArray: os << "'delete[]'"; return;
1472  case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1473  case AF_InnerBuffer: os << "container-specific deallocator"; return;
1474  case AF_Alloca:
1475  case AF_None: llvm_unreachable("suspicious argument");
1476  }
1477 }
1478 
1479 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1480  const Expr *ArgExpr,
1481  const Expr *ParentExpr,
1483  bool Hold,
1484  bool &ReleasedAllocated,
1485  bool ReturnsNullOnFailure) const {
1486 
1487  if (!State)
1488  return nullptr;
1489 
1490  SVal ArgVal = C.getSVal(ArgExpr);
1491  if (!ArgVal.getAs<DefinedOrUnknownSVal>())
1492  return nullptr;
1493  DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1494 
1495  // Check for null dereferences.
1496  if (!location.getAs<Loc>())
1497  return nullptr;
1498 
1499  // The explicit NULL case, no operation is performed.
1500  ProgramStateRef notNullState, nullState;
1501  std::tie(notNullState, nullState) = State->assume(location);
1502  if (nullState && !notNullState)
1503  return nullptr;
1504 
1505  // Unknown values could easily be okay
1506  // Undefined values are handled elsewhere
1507  if (ArgVal.isUnknownOrUndef())
1508  return nullptr;
1509 
1510  const MemRegion *R = ArgVal.getAsRegion();
1511 
1512  // Nonlocs can't be freed, of course.
1513  // Non-region locations (labels and fixed addresses) also shouldn't be freed.
1514  if (!R) {
1515  ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1516  return nullptr;
1517  }
1518 
1519  R = R->StripCasts();
1520 
1521  // Blocks might show up as heap data, but should not be free()d
1522  if (isa<BlockDataRegion>(R)) {
1523  ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1524  return nullptr;
1525  }
1526 
1527  const MemSpaceRegion *MS = R->getMemorySpace();
1528 
1529  // Parameters, locals, statics, globals, and memory returned by
1530  // __builtin_alloca() shouldn't be freed.
1531  if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {
1532  // FIXME: at the time this code was written, malloc() regions were
1533  // represented by conjured symbols, which are all in UnknownSpaceRegion.
1534  // This means that there isn't actually anything from HeapSpaceRegion
1535  // that should be freed, even though we allow it here.
1536  // Of course, free() can work on memory allocated outside the current
1537  // function, so UnknownSpaceRegion is always a possibility.
1538  // False negatives are better than false positives.
1539 
1540  if (isa<AllocaRegion>(R))
1541  ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1542  else
1543  ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1544 
1545  return nullptr;
1546  }
1547 
1548  const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
1549  // Various cases could lead to non-symbol values here.
1550  // For now, ignore them.
1551  if (!SrBase)
1552  return nullptr;
1553 
1554  SymbolRef SymBase = SrBase->getSymbol();
1555  const RefState *RsBase = State->get<RegionState>(SymBase);
1556  SymbolRef PreviousRetStatusSymbol = nullptr;
1557 
1558  if (RsBase) {
1559 
1560  // Memory returned by alloca() shouldn't be freed.
1561  if (RsBase->getAllocationFamily() == AF_Alloca) {
1562  ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1563  return nullptr;
1564  }
1565 
1566  // Check for double free first.
1567  if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
1568  !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
1569  ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
1570  SymBase, PreviousRetStatusSymbol);
1571  return nullptr;
1572 
1573  // If the pointer is allocated or escaped, but we are now trying to free it,
1574  // check that the call to free is proper.
1575  } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
1576  RsBase->isEscaped()) {
1577 
1578  // Check if an expected deallocation function matches the real one.
1579  bool DeallocMatchesAlloc =
1580  RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr);
1581  if (!DeallocMatchesAlloc) {
1582  ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
1583  ParentExpr, RsBase, SymBase, Hold);
1584  return nullptr;
1585  }
1586 
1587  // Check if the memory location being freed is the actual location
1588  // allocated, or an offset.
1589  RegionOffset Offset = R->getAsOffset();
1590  if (Offset.isValid() &&
1591  !Offset.hasSymbolicOffset() &&
1592  Offset.getOffset() != 0) {
1593  const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
1594  ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1595  AllocExpr);
1596  return nullptr;
1597  }
1598  }
1599  }
1600 
1601  if (SymBase->getType()->isFunctionPointerType()) {
1602  ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1603  return nullptr;
1604  }
1605 
1606  ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() ||
1607  RsBase->isAllocatedOfSizeZero());
1608 
1609  // Clean out the info on previous call to free return info.
1610  State = State->remove<FreeReturnValue>(SymBase);
1611 
1612  // Keep track of the return value. If it is NULL, we will know that free
1613  // failed.
1614  if (ReturnsNullOnFailure) {
1615  SVal RetVal = C.getSVal(ParentExpr);
1616  SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
1617  if (RetStatusSymbol) {
1618  C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
1619  State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
1620  }
1621  }
1622 
1623  AllocationFamily Family = RsBase ? RsBase->getAllocationFamily()
1624  : getAllocationFamily(C, ParentExpr);
1625  // Normal free.
1626  if (Hold)
1627  return State->set<RegionState>(SymBase,
1628  RefState::getRelinquished(Family,
1629  ParentExpr));
1630 
1631  return State->set<RegionState>(SymBase,
1632  RefState::getReleased(Family, ParentExpr));
1633 }
1634 
1636 MallocChecker::getCheckIfTracked(AllocationFamily Family,
1637  bool IsALeakCheck) const {
1638  switch (Family) {
1639  case AF_Malloc:
1640  case AF_Alloca:
1641  case AF_IfNameIndex: {
1642  if (ChecksEnabled[CK_MallocChecker])
1643  return CK_MallocChecker;
1644  return None;
1645  }
1646  case AF_CXXNew:
1647  case AF_CXXNewArray: {
1648  if (IsALeakCheck) {
1649  if (ChecksEnabled[CK_NewDeleteLeaksChecker])
1650  return CK_NewDeleteLeaksChecker;
1651  }
1652  else {
1653  if (ChecksEnabled[CK_NewDeleteChecker])
1654  return CK_NewDeleteChecker;
1655  }
1656  return None;
1657  }
1658  case AF_InnerBuffer: {
1659  if (ChecksEnabled[CK_InnerPointerChecker])
1660  return CK_InnerPointerChecker;
1661  return None;
1662  }
1663  case AF_None: {
1664  llvm_unreachable("no family");
1665  }
1666  }
1667  llvm_unreachable("unhandled family");
1668 }
1669 
1671 MallocChecker::getCheckIfTracked(CheckerContext &C,
1672  const Stmt *AllocDeallocStmt,
1673  bool IsALeakCheck) const {
1674  return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt),
1675  IsALeakCheck);
1676 }
1677 
1679 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
1680  bool IsALeakCheck) const {
1681  if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
1682  return CK_MallocChecker;
1683 
1684  const RefState *RS = C.getState()->get<RegionState>(Sym);
1685  assert(RS);
1686  return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
1687 }
1688 
1689 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
1690  if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
1691  os << "an integer (" << IntVal->getValue() << ")";
1692  else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
1693  os << "a constant address (" << ConstAddr->getValue() << ")";
1694  else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
1695  os << "the address of the label '" << Label->getLabel()->getName() << "'";
1696  else
1697  return false;
1698 
1699  return true;
1700 }
1701 
1702 bool MallocChecker::SummarizeRegion(raw_ostream &os,
1703  const MemRegion *MR) {
1704  switch (MR->getKind()) {
1705  case MemRegion::FunctionCodeRegionKind: {
1706  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
1707  if (FD)
1708  os << "the address of the function '" << *FD << '\'';
1709  else
1710  os << "the address of a function";
1711  return true;
1712  }
1713  case MemRegion::BlockCodeRegionKind:
1714  os << "block text";
1715  return true;
1716  case MemRegion::BlockDataRegionKind:
1717  // FIXME: where the block came from?
1718  os << "a block";
1719  return true;
1720  default: {
1721  const MemSpaceRegion *MS = MR->getMemorySpace();
1722 
1723  if (isa<StackLocalsSpaceRegion>(MS)) {
1724  const VarRegion *VR = dyn_cast<VarRegion>(MR);
1725  const VarDecl *VD;
1726  if (VR)
1727  VD = VR->getDecl();
1728  else
1729  VD = nullptr;
1730 
1731  if (VD)
1732  os << "the address of the local variable '" << VD->getName() << "'";
1733  else
1734  os << "the address of a local stack variable";
1735  return true;
1736  }
1737 
1738  if (isa<StackArgumentsSpaceRegion>(MS)) {
1739  const VarRegion *VR = dyn_cast<VarRegion>(MR);
1740  const VarDecl *VD;
1741  if (VR)
1742  VD = VR->getDecl();
1743  else
1744  VD = nullptr;
1745 
1746  if (VD)
1747  os << "the address of the parameter '" << VD->getName() << "'";
1748  else
1749  os << "the address of a parameter";
1750  return true;
1751  }
1752 
1753  if (isa<GlobalsSpaceRegion>(MS)) {
1754  const VarRegion *VR = dyn_cast<VarRegion>(MR);
1755  const VarDecl *VD;
1756  if (VR)
1757  VD = VR->getDecl();
1758  else
1759  VD = nullptr;
1760 
1761  if (VD) {
1762  if (VD->isStaticLocal())
1763  os << "the address of the static variable '" << VD->getName() << "'";
1764  else
1765  os << "the address of the global variable '" << VD->getName() << "'";
1766  } else
1767  os << "the address of a global variable";
1768  return true;
1769  }
1770 
1771  return false;
1772  }
1773  }
1774 }
1775 
1776 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
1777  SourceRange Range,
1778  const Expr *DeallocExpr) const {
1779 
1780  if (!ChecksEnabled[CK_MallocChecker] &&
1781  !ChecksEnabled[CK_NewDeleteChecker])
1782  return;
1783 
1785  getCheckIfTracked(C, DeallocExpr);
1786  if (!CheckKind.hasValue())
1787  return;
1788 
1789  if (ExplodedNode *N = C.generateErrorNode()) {
1790  if (!BT_BadFree[*CheckKind])
1791  BT_BadFree[*CheckKind].reset(new BugType(
1792  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
1793 
1794  SmallString<100> buf;
1795  llvm::raw_svector_ostream os(buf);
1796 
1797  const MemRegion *MR = ArgVal.getAsRegion();
1798  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
1799  MR = ER->getSuperRegion();
1800 
1801  os << "Argument to ";
1802  if (!printAllocDeallocName(os, C, DeallocExpr))
1803  os << "deallocator";
1804 
1805  os << " is ";
1806  bool Summarized = MR ? SummarizeRegion(os, MR)
1807  : SummarizeValue(os, ArgVal);
1808  if (Summarized)
1809  os << ", which is not memory allocated by ";
1810  else
1811  os << "not memory allocated by ";
1812 
1813  printExpectedAllocName(os, C, DeallocExpr);
1814 
1815  auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], os.str(), N);
1816  R->markInteresting(MR);
1817  R->addRange(Range);
1818  C.emitReport(std::move(R));
1819  }
1820 }
1821 
1822 void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
1823  SourceRange Range) const {
1824 
1826 
1827  if (ChecksEnabled[CK_MallocChecker])
1828  CheckKind = CK_MallocChecker;
1829  else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
1830  CheckKind = CK_MismatchedDeallocatorChecker;
1831  else
1832  return;
1833 
1834  if (ExplodedNode *N = C.generateErrorNode()) {
1835  if (!BT_FreeAlloca[*CheckKind])
1836  BT_FreeAlloca[*CheckKind].reset(new BugType(
1837  CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
1838 
1839  auto R = llvm::make_unique<BugReport>(
1840  *BT_FreeAlloca[*CheckKind],
1841  "Memory allocated by alloca() should not be deallocated", N);
1842  R->markInteresting(ArgVal.getAsRegion());
1843  R->addRange(Range);
1844  C.emitReport(std::move(R));
1845  }
1846 }
1847 
1848 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C,
1849  SourceRange Range,
1850  const Expr *DeallocExpr,
1851  const RefState *RS,
1852  SymbolRef Sym,
1853  bool OwnershipTransferred) const {
1854 
1855  if (!ChecksEnabled[CK_MismatchedDeallocatorChecker])
1856  return;
1857 
1858  if (ExplodedNode *N = C.generateErrorNode()) {
1859  if (!BT_MismatchedDealloc)
1860  BT_MismatchedDealloc.reset(
1861  new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
1862  "Bad deallocator", categories::MemoryError));
1863 
1864  SmallString<100> buf;
1865  llvm::raw_svector_ostream os(buf);
1866 
1867  const Expr *AllocExpr = cast<Expr>(RS->getStmt());
1868  SmallString<20> AllocBuf;
1869  llvm::raw_svector_ostream AllocOs(AllocBuf);
1870  SmallString<20> DeallocBuf;
1871  llvm::raw_svector_ostream DeallocOs(DeallocBuf);
1872 
1873  if (OwnershipTransferred) {
1874  if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1875  os << DeallocOs.str() << " cannot";
1876  else
1877  os << "Cannot";
1878 
1879  os << " take ownership of memory";
1880 
1881  if (printAllocDeallocName(AllocOs, C, AllocExpr))
1882  os << " allocated by " << AllocOs.str();
1883  } else {
1884  os << "Memory";
1885  if (printAllocDeallocName(AllocOs, C, AllocExpr))
1886  os << " allocated by " << AllocOs.str();
1887 
1888  os << " should be deallocated by ";
1889  printExpectedDeallocName(os, RS->getAllocationFamily());
1890 
1891  if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1892  os << ", not " << DeallocOs.str();
1893  }
1894 
1895  auto R = llvm::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N);
1896  R->markInteresting(Sym);
1897  R->addRange(Range);
1898  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1899  C.emitReport(std::move(R));
1900  }
1901 }
1902 
1903 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
1904  SourceRange Range, const Expr *DeallocExpr,
1905  const Expr *AllocExpr) const {
1906 
1907 
1908  if (!ChecksEnabled[CK_MallocChecker] &&
1909  !ChecksEnabled[CK_NewDeleteChecker])
1910  return;
1911 
1913  getCheckIfTracked(C, AllocExpr);
1914  if (!CheckKind.hasValue())
1915  return;
1916 
1917  ExplodedNode *N = C.generateErrorNode();
1918  if (!N)
1919  return;
1920 
1921  if (!BT_OffsetFree[*CheckKind])
1922  BT_OffsetFree[*CheckKind].reset(new BugType(
1923  CheckNames[*CheckKind], "Offset free", categories::MemoryError));
1924 
1925  SmallString<100> buf;
1926  llvm::raw_svector_ostream os(buf);
1927  SmallString<20> AllocNameBuf;
1928  llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
1929 
1930  const MemRegion *MR = ArgVal.getAsRegion();
1931  assert(MR && "Only MemRegion based symbols can have offset free errors");
1932 
1933  RegionOffset Offset = MR->getAsOffset();
1934  assert((Offset.isValid() &&
1935  !Offset.hasSymbolicOffset() &&
1936  Offset.getOffset() != 0) &&
1937  "Only symbols with a valid offset can have offset free errors");
1938 
1939  int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
1940 
1941  os << "Argument to ";
1942  if (!printAllocDeallocName(os, C, DeallocExpr))
1943  os << "deallocator";
1944  os << " is offset by "
1945  << offsetBytes
1946  << " "
1947  << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
1948  << " from the start of ";
1949  if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr))
1950  os << "memory allocated by " << AllocNameOs.str();
1951  else
1952  os << "allocated memory";
1953 
1954  auto R = llvm::make_unique<BugReport>(*BT_OffsetFree[*CheckKind], os.str(), N);
1955  R->markInteresting(MR->getBaseRegion());
1956  R->addRange(Range);
1957  C.emitReport(std::move(R));
1958 }
1959 
1960 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range,
1961  SymbolRef Sym) const {
1962 
1963  if (!ChecksEnabled[CK_MallocChecker] &&
1964  !ChecksEnabled[CK_NewDeleteChecker] &&
1965  !ChecksEnabled[CK_InnerPointerChecker])
1966  return;
1967 
1968  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
1969  if (!CheckKind.hasValue())
1970  return;
1971 
1972  if (ExplodedNode *N = C.generateErrorNode()) {
1973  if (!BT_UseFree[*CheckKind])
1974  BT_UseFree[*CheckKind].reset(new BugType(
1975  CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
1976 
1977  AllocationFamily AF =
1978  C.getState()->get<RegionState>(Sym)->getAllocationFamily();
1979 
1980  auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind],
1981  AF == AF_InnerBuffer
1982  ? "Inner pointer of container used after re/deallocation"
1983  : "Use of memory after it is freed",
1984  N);
1985 
1986  R->markInteresting(Sym);
1987  R->addRange(Range);
1988  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1989 
1990  if (AF == AF_InnerBuffer)
1991  R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym));
1992 
1993  C.emitReport(std::move(R));
1994  }
1995 }
1996 
1997 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range,
1998  bool Released, SymbolRef Sym,
1999  SymbolRef PrevSym) const {
2000 
2001  if (!ChecksEnabled[CK_MallocChecker] &&
2002  !ChecksEnabled[CK_NewDeleteChecker])
2003  return;
2004 
2005  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2006  if (!CheckKind.hasValue())
2007  return;
2008 
2009  if (ExplodedNode *N = C.generateErrorNode()) {
2010  if (!BT_DoubleFree[*CheckKind])
2011  BT_DoubleFree[*CheckKind].reset(new BugType(
2012  CheckNames[*CheckKind], "Double free", categories::MemoryError));
2013 
2014  auto R = llvm::make_unique<BugReport>(
2015  *BT_DoubleFree[*CheckKind],
2016  (Released ? "Attempt to free released memory"
2017  : "Attempt to free non-owned memory"),
2018  N);
2019  R->addRange(Range);
2020  R->markInteresting(Sym);
2021  if (PrevSym)
2022  R->markInteresting(PrevSym);
2023  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2024  C.emitReport(std::move(R));
2025  }
2026 }
2027 
2028 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2029 
2030  if (!ChecksEnabled[CK_NewDeleteChecker])
2031  return;
2032 
2033  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2034  if (!CheckKind.hasValue())
2035  return;
2036 
2037  if (ExplodedNode *N = C.generateErrorNode()) {
2038  if (!BT_DoubleDelete)
2039  BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
2040  "Double delete",
2042 
2043  auto R = llvm::make_unique<BugReport>(
2044  *BT_DoubleDelete, "Attempt to delete released memory", N);
2045 
2046  R->markInteresting(Sym);
2047  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2048  C.emitReport(std::move(R));
2049  }
2050 }
2051 
2052 void MallocChecker::ReportUseZeroAllocated(CheckerContext &C,
2053  SourceRange Range,
2054  SymbolRef Sym) const {
2055 
2056  if (!ChecksEnabled[CK_MallocChecker] &&
2057  !ChecksEnabled[CK_NewDeleteChecker])
2058  return;
2059 
2060  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2061 
2062  if (!CheckKind.hasValue())
2063  return;
2064 
2065  if (ExplodedNode *N = C.generateErrorNode()) {
2066  if (!BT_UseZerroAllocated[*CheckKind])
2067  BT_UseZerroAllocated[*CheckKind].reset(
2068  new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2070 
2071  auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind],
2072  "Use of zero-allocated memory", N);
2073 
2074  R->addRange(Range);
2075  if (Sym) {
2076  R->markInteresting(Sym);
2077  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2078  }
2079  C.emitReport(std::move(R));
2080  }
2081 }
2082 
2083 void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
2084  SourceRange Range,
2085  const Expr *FreeExpr) const {
2086  if (!ChecksEnabled[CK_MallocChecker])
2087  return;
2088 
2089  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr);
2090  if (!CheckKind.hasValue())
2091  return;
2092 
2093  if (ExplodedNode *N = C.generateErrorNode()) {
2094  if (!BT_BadFree[*CheckKind])
2095  BT_BadFree[*CheckKind].reset(new BugType(
2096  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2097 
2098  SmallString<100> Buf;
2099  llvm::raw_svector_ostream Os(Buf);
2100 
2101  const MemRegion *MR = ArgVal.getAsRegion();
2102  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2103  MR = ER->getSuperRegion();
2104 
2105  Os << "Argument to ";
2106  if (!printAllocDeallocName(Os, C, FreeExpr))
2107  Os << "deallocator";
2108 
2109  Os << " is a function pointer";
2110 
2111  auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], Os.str(), N);
2112  R->markInteresting(MR);
2113  R->addRange(Range);
2114  C.emitReport(std::move(R));
2115  }
2116 }
2117 
2118 ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C,
2119  const CallExpr *CE,
2120  bool FreesOnFail,
2122  bool SuffixWithN) const {
2123  if (!State)
2124  return nullptr;
2125 
2126  if (SuffixWithN && CE->getNumArgs() < 3)
2127  return nullptr;
2128  else if (CE->getNumArgs() < 2)
2129  return nullptr;
2130 
2131  const Expr *arg0Expr = CE->getArg(0);
2132  SVal Arg0Val = C.getSVal(arg0Expr);
2133  if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
2134  return nullptr;
2135  DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2136 
2137  SValBuilder &svalBuilder = C.getSValBuilder();
2138 
2139  DefinedOrUnknownSVal PtrEQ =
2140  svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());
2141 
2142  // Get the size argument.
2143  const Expr *Arg1 = CE->getArg(1);
2144 
2145  // Get the value of the size argument.
2146  SVal TotalSize = C.getSVal(Arg1);
2147  if (SuffixWithN)
2148  TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
2149  if (!TotalSize.getAs<DefinedOrUnknownSVal>())
2150  return nullptr;
2151 
2152  // Compare the size argument to 0.
2153  DefinedOrUnknownSVal SizeZero =
2154  svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
2155  svalBuilder.makeIntValWithPtrWidth(0, false));
2156 
2157  ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2158  std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
2159  ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2160  std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
2161  // We only assume exceptional states if they are definitely true; if the
2162  // state is under-constrained, assume regular realloc behavior.
2163  bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2164  bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2165 
2166  // If the ptr is NULL and the size is not 0, the call is equivalent to
2167  // malloc(size).
2168  if (PrtIsNull && !SizeIsZero) {
2169  ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize,
2170  UndefinedVal(), StatePtrIsNull);
2171  return stateMalloc;
2172  }
2173 
2174  if (PrtIsNull && SizeIsZero)
2175  return State;
2176 
2177  // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2178  assert(!PrtIsNull);
2179  SymbolRef FromPtr = arg0Val.getAsSymbol();
2180  SVal RetVal = C.getSVal(CE);
2181  SymbolRef ToPtr = RetVal.getAsSymbol();
2182  if (!FromPtr || !ToPtr)
2183  return nullptr;
2184 
2185  bool ReleasedAllocated = false;
2186 
2187  // If the size is 0, free the memory.
2188  if (SizeIsZero)
2189  if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0,
2190  false, ReleasedAllocated)){
2191  // The semantics of the return value are:
2192  // If size was equal to 0, either NULL or a pointer suitable to be passed
2193  // to free() is returned. We just free the input pointer and do not add
2194  // any constrains on the output pointer.
2195  return stateFree;
2196  }
2197 
2198  // Default behavior.
2199  if (ProgramStateRef stateFree =
2200  FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) {
2201 
2202  ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize,
2203  UnknownVal(), stateFree);
2204  if (!stateRealloc)
2205  return nullptr;
2206 
2207  ReallocPairKind Kind = RPToBeFreedAfterFailure;
2208  if (FreesOnFail)
2209  Kind = RPIsFreeOnFailure;
2210  else if (!ReleasedAllocated)
2211  Kind = RPDoNotTrackAfterFailure;
2212 
2213  // Record the info about the reallocated symbol so that we could properly
2214  // process failed reallocation.
2215  stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
2216  ReallocPair(FromPtr, Kind));
2217  // The reallocated symbol should stay alive for as long as the new symbol.
2218  C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
2219  return stateRealloc;
2220  }
2221  return nullptr;
2222 }
2223 
2224 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE,
2226  if (!State)
2227  return nullptr;
2228 
2229  if (CE->getNumArgs() < 2)
2230  return nullptr;
2231 
2232  SValBuilder &svalBuilder = C.getSValBuilder();
2233  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
2234  SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
2235 
2236  return MallocMemAux(C, CE, TotalSize, zeroVal, State);
2237 }
2238 
2239 LeakInfo
2240 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
2241  CheckerContext &C) const {
2242  const LocationContext *LeakContext = N->getLocationContext();
2243  // Walk the ExplodedGraph backwards and find the first node that referred to
2244  // the tracked symbol.
2245  const ExplodedNode *AllocNode = N;
2246  const MemRegion *ReferenceRegion = nullptr;
2247 
2248  while (N) {
2249  ProgramStateRef State = N->getState();
2250  if (!State->get<RegionState>(Sym))
2251  break;
2252 
2253  // Find the most recent expression bound to the symbol in the current
2254  // context.
2255  if (!ReferenceRegion) {
2256  if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2257  SVal Val = State->getSVal(MR);
2258  if (Val.getAsLocSymbol() == Sym) {
2259  const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>();
2260  // Do not show local variables belonging to a function other than
2261  // where the error is reported.
2262  if (!VR ||
2263  (VR->getStackFrame() == LeakContext->getStackFrame()))
2264  ReferenceRegion = MR;
2265  }
2266  }
2267  }
2268 
2269  // Allocation node, is the last node in the current or parent context in
2270  // which the symbol was tracked.
2271  const LocationContext *NContext = N->getLocationContext();
2272  if (NContext == LeakContext ||
2273  NContext->isParentOf(LeakContext))
2274  AllocNode = N;
2275  N = N->pred_empty() ? nullptr : *(N->pred_begin());
2276  }
2277 
2278  return LeakInfo(AllocNode, ReferenceRegion);
2279 }
2280 
2281 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
2282  CheckerContext &C) const {
2283 
2284  if (!ChecksEnabled[CK_MallocChecker] &&
2285  !ChecksEnabled[CK_NewDeleteLeaksChecker])
2286  return;
2287 
2288  const RefState *RS = C.getState()->get<RegionState>(Sym);
2289  assert(RS && "cannot leak an untracked symbol");
2290  AllocationFamily Family = RS->getAllocationFamily();
2291 
2292  if (Family == AF_Alloca)
2293  return;
2294 
2296  CheckKind = getCheckIfTracked(Family, true);
2297 
2298  if (!CheckKind.hasValue())
2299  return;
2300 
2301  assert(N);
2302  if (!BT_Leak[*CheckKind]) {
2303  // Leaks should not be reported if they are post-dominated by a sink:
2304  // (1) Sinks are higher importance bugs.
2305  // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2306  // with __noreturn functions such as assert() or exit(). We choose not
2307  // to report leaks on such paths.
2308  BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak",
2310  /*SuppressOnSink=*/true));
2311  }
2312 
2313  // Most bug reports are cached at the location where they occurred.
2314  // With leaks, we want to unique them by the location where they were
2315  // allocated, and only report a single path.
2316  PathDiagnosticLocation LocUsedForUniqueing;
2317  const ExplodedNode *AllocNode = nullptr;
2318  const MemRegion *Region = nullptr;
2319  std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
2320 
2321  const Stmt *AllocationStmt = PathDiagnosticLocation::getStmt(AllocNode);
2322  if (AllocationStmt)
2323  LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
2324  C.getSourceManager(),
2325  AllocNode->getLocationContext());
2326 
2327  SmallString<200> buf;
2328  llvm::raw_svector_ostream os(buf);
2329  if (Region && Region->canPrintPretty()) {
2330  os << "Potential leak of memory pointed to by ";
2331  Region->printPretty(os);
2332  } else {
2333  os << "Potential memory leak";
2334  }
2335 
2336  auto R = llvm::make_unique<BugReport>(
2337  *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
2338  AllocNode->getLocationContext()->getDecl());
2339  R->markInteresting(Sym);
2340  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true));
2341  C.emitReport(std::move(R));
2342 }
2343 
2344 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2345  CheckerContext &C) const
2346 {
2347  ProgramStateRef state = C.getState();
2348  RegionStateTy OldRS = state->get<RegionState>();
2349  RegionStateTy::Factory &F = state->get_context<RegionState>();
2350 
2351  RegionStateTy RS = OldRS;
2353  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2354  if (SymReaper.isDead(I->first)) {
2355  if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero())
2356  Errors.push_back(I->first);
2357  // Remove the dead symbol from the map.
2358  RS = F.remove(RS, I->first);
2359  }
2360  }
2361 
2362  if (RS == OldRS) {
2363  // We shouldn't have touched other maps yet.
2364  assert(state->get<ReallocPairs>() ==
2365  C.getState()->get<ReallocPairs>());
2366  assert(state->get<FreeReturnValue>() ==
2367  C.getState()->get<FreeReturnValue>());
2368  return;
2369  }
2370 
2371  // Cleanup the Realloc Pairs Map.
2372  ReallocPairsTy RP = state->get<ReallocPairs>();
2373  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2374  if (SymReaper.isDead(I->first) ||
2375  SymReaper.isDead(I->second.ReallocatedSym)) {
2376  state = state->remove<ReallocPairs>(I->first);
2377  }
2378  }
2379 
2380  // Cleanup the FreeReturnValue Map.
2381  FreeReturnValueTy FR = state->get<FreeReturnValue>();
2382  for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
2383  if (SymReaper.isDead(I->first) ||
2384  SymReaper.isDead(I->second)) {
2385  state = state->remove<FreeReturnValue>(I->first);
2386  }
2387  }
2388 
2389  // Generate leak node.
2390  ExplodedNode *N = C.getPredecessor();
2391  if (!Errors.empty()) {
2392  static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2393  N = C.generateNonFatalErrorNode(C.getState(), &Tag);
2394  if (N) {
2396  I = Errors.begin(), E = Errors.end(); I != E; ++I) {
2397  reportLeak(*I, N, C);
2398  }
2399  }
2400  }
2401 
2402  C.addTransition(state->set<RegionState>(RS), N);
2403 }
2404 
2405 void MallocChecker::checkPreCall(const CallEvent &Call,
2406  CheckerContext &C) const {
2407 
2408  if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) {
2409  SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2410  if (!Sym || checkDoubleDelete(Sym, C))
2411  return;
2412  }
2413 
2414  // We will check for double free in the post visit.
2415  if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
2416  const FunctionDecl *FD = FC->getDecl();
2417  if (!FD)
2418  return;
2419 
2420  ASTContext &Ctx = C.getASTContext();
2421  if (ChecksEnabled[CK_MallocChecker] &&
2422  (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) ||
2423  isCMemFunction(FD, Ctx, AF_IfNameIndex,
2424  MemoryOperationKind::MOK_Free)))
2425  return;
2426  }
2427 
2428  // Check if the callee of a method is deleted.
2429  if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
2430  SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2431  if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2432  return;
2433  }
2434 
2435  // Check arguments for being used after free.
2436  for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2437  SVal ArgSVal = Call.getArgSVal(I);
2438  if (ArgSVal.getAs<Loc>()) {
2439  SymbolRef Sym = ArgSVal.getAsSymbol();
2440  if (!Sym)
2441  continue;
2442  if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
2443  return;
2444  }
2445  }
2446 }
2447 
2448 void MallocChecker::checkPreStmt(const ReturnStmt *S,
2449  CheckerContext &C) const {
2450  checkEscapeOnReturn(S, C);
2451 }
2452 
2453 // In the CFG, automatic destructors come after the return statement.
2454 // This callback checks for returning memory that is freed by automatic
2455 // destructors, as those cannot be reached in checkPreStmt().
2456 void MallocChecker::checkEndFunction(const ReturnStmt *S,
2457  CheckerContext &C) const {
2458  checkEscapeOnReturn(S, C);
2459 }
2460 
2461 void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
2462  CheckerContext &C) const {
2463  if (!S)
2464  return;
2465 
2466  const Expr *E = S->getRetValue();
2467  if (!E)
2468  return;
2469 
2470  // Check if we are returning a symbol.
2471  ProgramStateRef State = C.getState();
2472  SVal RetVal = C.getSVal(E);
2473  SymbolRef Sym = RetVal.getAsSymbol();
2474  if (!Sym)
2475  // If we are returning a field of the allocated struct or an array element,
2476  // the callee could still free the memory.
2477  // TODO: This logic should be a part of generic symbol escape callback.
2478  if (const MemRegion *MR = RetVal.getAsRegion())
2479  if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR))
2480  if (const SymbolicRegion *BMR =
2481  dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
2482  Sym = BMR->getSymbol();
2483 
2484  // Check if we are returning freed memory.
2485  if (Sym)
2486  checkUseAfterFree(Sym, C, E);
2487 }
2488 
2489 // TODO: Blocks should be either inlined or should call invalidate regions
2490 // upon invocation. After that's in place, special casing here will not be
2491 // needed.
2492 void MallocChecker::checkPostStmt(const BlockExpr *BE,
2493  CheckerContext &C) const {
2494 
2495  // Scan the BlockDecRefExprs for any object the retain count checker
2496  // may be tracking.
2497  if (!BE->getBlockDecl()->hasCaptures())
2498  return;
2499 
2500  ProgramStateRef state = C.getState();
2501  const BlockDataRegion *R =
2502  cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());
2503 
2504  BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
2505  E = R->referenced_vars_end();
2506 
2507  if (I == E)
2508  return;
2509 
2511  const LocationContext *LC = C.getLocationContext();
2512  MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
2513 
2514  for ( ; I != E; ++I) {
2515  const VarRegion *VR = I.getCapturedRegion();
2516  if (VR->getSuperRegion() == R) {
2517  VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2518  }
2519  Regions.push_back(VR);
2520  }
2521 
2522  state =
2523  state->scanReachableSymbols<StopTrackingCallback>(Regions).getState();
2524  C.addTransition(state);
2525 }
2526 
2527 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const {
2528  assert(Sym);
2529  const RefState *RS = C.getState()->get<RegionState>(Sym);
2530  return (RS && RS->isReleased());
2531 }
2532 
2533 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
2534  const Stmt *S) const {
2535 
2536  if (isReleased(Sym, C)) {
2537  ReportUseAfterFree(C, S->getSourceRange(), Sym);
2538  return true;
2539  }
2540 
2541  return false;
2542 }
2543 
2544 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
2545  const Stmt *S) const {
2546  assert(Sym);
2547 
2548  if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
2549  if (RS->isAllocatedOfSizeZero())
2550  ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym);
2551  }
2552  else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
2553  ReportUseZeroAllocated(C, S->getSourceRange(), Sym);
2554  }
2555 }
2556 
2557 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
2558 
2559  if (isReleased(Sym, C)) {
2560  ReportDoubleDelete(C, Sym);
2561  return true;
2562  }
2563  return false;
2564 }
2565 
2566 // Check if the location is a freed symbolic region.
2567 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
2568  CheckerContext &C) const {
2569  SymbolRef Sym = l.getLocSymbolInBase();
2570  if (Sym) {
2571  checkUseAfterFree(Sym, C, S);
2572  checkUseZeroAllocated(Sym, C, S);
2573  }
2574 }
2575 
2576 // If a symbolic region is assumed to NULL (or another constant), stop tracking
2577 // it - assuming that allocation failed on this path.
2578 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
2579  SVal Cond,
2580  bool Assumption) const {
2581  RegionStateTy RS = state->get<RegionState>();
2582  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2583  // If the symbol is assumed to be NULL, remove it from consideration.
2584  ConstraintManager &CMgr = state->getConstraintManager();
2585  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2586  if (AllocFailed.isConstrainedTrue())
2587  state = state->remove<RegionState>(I.getKey());
2588  }
2589 
2590  // Realloc returns 0 when reallocation fails, which means that we should
2591  // restore the state of the pointer being reallocated.
2592  ReallocPairsTy RP = state->get<ReallocPairs>();
2593  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2594  // If the symbol is assumed to be NULL, remove it from consideration.
2595  ConstraintManager &CMgr = state->getConstraintManager();
2596  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2597  if (!AllocFailed.isConstrainedTrue())
2598  continue;
2599 
2600  SymbolRef ReallocSym = I.getData().ReallocatedSym;
2601  if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
2602  if (RS->isReleased()) {
2603  if (I.getData().Kind == RPToBeFreedAfterFailure)
2604  state = state->set<RegionState>(ReallocSym,
2605  RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt()));
2606  else if (I.getData().Kind == RPDoNotTrackAfterFailure)
2607  state = state->remove<RegionState>(ReallocSym);
2608  else
2609  assert(I.getData().Kind == RPIsFreeOnFailure);
2610  }
2611  }
2612  state = state->remove<ReallocPairs>(I.getKey());
2613  }
2614 
2615  return state;
2616 }
2617 
2618 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
2619  const CallEvent *Call,
2621  SymbolRef &EscapingSymbol) const {
2622  assert(Call);
2623  EscapingSymbol = nullptr;
2624 
2625  // For now, assume that any C++ or block call can free memory.
2626  // TODO: If we want to be more optimistic here, we'll need to make sure that
2627  // regions escape to C++ containers. They seem to do that even now, but for
2628  // mysterious reasons.
2629  if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call)))
2630  return true;
2631 
2632  // Check Objective-C messages by selector name.
2633  if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
2634  // If it's not a framework call, or if it takes a callback, assume it
2635  // can free memory.
2636  if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
2637  return true;
2638 
2639  // If it's a method we know about, handle it explicitly post-call.
2640  // This should happen before the "freeWhenDone" check below.
2641  if (isKnownDeallocObjCMethodName(*Msg))
2642  return false;
2643 
2644  // If there's a "freeWhenDone" parameter, but the method isn't one we know
2645  // about, we can't be sure that the object will use free() to deallocate the
2646  // memory, so we can't model it explicitly. The best we can do is use it to
2647  // decide whether the pointer escapes.
2648  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
2649  return *FreeWhenDone;
2650 
2651  // If the first selector piece ends with "NoCopy", and there is no
2652  // "freeWhenDone" parameter set to zero, we know ownership is being
2653  // transferred. Again, though, we can't be sure that the object will use
2654  // free() to deallocate the memory, so we can't model it explicitly.
2655  StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
2656  if (FirstSlot.endswith("NoCopy"))
2657  return true;
2658 
2659  // If the first selector starts with addPointer, insertPointer,
2660  // or replacePointer, assume we are dealing with NSPointerArray or similar.
2661  // This is similar to C++ containers (vector); we still might want to check
2662  // that the pointers get freed by following the container itself.
2663  if (FirstSlot.startswith("addPointer") ||
2664  FirstSlot.startswith("insertPointer") ||
2665  FirstSlot.startswith("replacePointer") ||
2666  FirstSlot.equals("valueWithPointer")) {
2667  return true;
2668  }
2669 
2670  // We should escape receiver on call to 'init'. This is especially relevant
2671  // to the receiver, as the corresponding symbol is usually not referenced
2672  // after the call.
2673  if (Msg->getMethodFamily() == OMF_init) {
2674  EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
2675  return true;
2676  }
2677 
2678  // Otherwise, assume that the method does not free memory.
2679  // Most framework methods do not free memory.
2680  return false;
2681  }
2682 
2683  // At this point the only thing left to handle is straight function calls.
2684  const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
2685  if (!FD)
2686  return true;
2687 
2688  ASTContext &ASTC = State->getStateManager().getContext();
2689 
2690  // If it's one of the allocation functions we can reason about, we model
2691  // its behavior explicitly.
2692  if (isMemFunction(FD, ASTC))
2693  return false;
2694 
2695  // If it's not a system call, assume it frees memory.
2696  if (!Call->isInSystemHeader())
2697  return true;
2698 
2699  // White list the system functions whose arguments escape.
2700  const IdentifierInfo *II = FD->getIdentifier();
2701  if (!II)
2702  return true;
2703  StringRef FName = II->getName();
2704 
2705  // White list the 'XXXNoCopy' CoreFoundation functions.
2706  // We specifically check these before
2707  if (FName.endswith("NoCopy")) {
2708  // Look for the deallocator argument. We know that the memory ownership
2709  // is not transferred only if the deallocator argument is
2710  // 'kCFAllocatorNull'.
2711  for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
2712  const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
2713  if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
2714  StringRef DeallocatorName = DE->getFoundDecl()->getName();
2715  if (DeallocatorName == "kCFAllocatorNull")
2716  return false;
2717  }
2718  }
2719  return true;
2720  }
2721 
2722  // Associating streams with malloced buffers. The pointer can escape if
2723  // 'closefn' is specified (and if that function does free memory),
2724  // but it will not if closefn is not specified.
2725  // Currently, we do not inspect the 'closefn' function (PR12101).
2726  if (FName == "funopen")
2727  if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
2728  return false;
2729 
2730  // Do not warn on pointers passed to 'setbuf' when used with std streams,
2731  // these leaks might be intentional when setting the buffer for stdio.
2732  // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
2733  if (FName == "setbuf" || FName =="setbuffer" ||
2734  FName == "setlinebuf" || FName == "setvbuf") {
2735  if (Call->getNumArgs() >= 1) {
2736  const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
2737  if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
2738  if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
2739  if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos)
2740  return true;
2741  }
2742  }
2743 
2744  // A bunch of other functions which either take ownership of a pointer or
2745  // wrap the result up in a struct or object, meaning it can be freed later.
2746  // (See RetainCountChecker.) Not all the parameters here are invalidated,
2747  // but the Malloc checker cannot differentiate between them. The right way
2748  // of doing this would be to implement a pointer escapes callback.
2749  if (FName == "CGBitmapContextCreate" ||
2750  FName == "CGBitmapContextCreateWithData" ||
2751  FName == "CVPixelBufferCreateWithBytes" ||
2752  FName == "CVPixelBufferCreateWithPlanarBytes" ||
2753  FName == "OSAtomicEnqueue") {
2754  return true;
2755  }
2756 
2757  if (FName == "postEvent" &&
2758  FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2759  return true;
2760  }
2761 
2762  if (FName == "postEvent" &&
2763  FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2764  return true;
2765  }
2766 
2767  if (FName == "connectImpl" &&
2768  FD->getQualifiedNameAsString() == "QObject::connectImpl") {
2769  return true;
2770  }
2771 
2772  // Handle cases where we know a buffer's /address/ can escape.
2773  // Note that the above checks handle some special cases where we know that
2774  // even though the address escapes, it's still our responsibility to free the
2775  // buffer.
2776  if (Call->argumentsMayEscape())
2777  return true;
2778 
2779  // Otherwise, assume that the function does not free memory.
2780  // Most system calls do not free the memory.
2781  return false;
2782 }
2783 
2784 static bool retTrue(const RefState *RS) {
2785  return true;
2786 }
2787 
2788 static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
2789  return (RS->getAllocationFamily() == AF_CXXNewArray ||
2790  RS->getAllocationFamily() == AF_CXXNew);
2791 }
2792 
2793 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
2794  const InvalidatedSymbols &Escaped,
2795  const CallEvent *Call,
2796  PointerEscapeKind Kind) const {
2797  return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue);
2798 }
2799 
2800 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
2801  const InvalidatedSymbols &Escaped,
2802  const CallEvent *Call,
2803  PointerEscapeKind Kind) const {
2804  return checkPointerEscapeAux(State, Escaped, Call, Kind,
2806 }
2807 
2808 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State,
2809  const InvalidatedSymbols &Escaped,
2810  const CallEvent *Call,
2812  bool(*CheckRefState)(const RefState*)) const {
2813  // If we know that the call does not free memory, or we want to process the
2814  // call later, keep tracking the top level arguments.
2815  SymbolRef EscapingSymbol = nullptr;
2816  if (Kind == PSK_DirectEscapeOnCall &&
2817  !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
2818  EscapingSymbol) &&
2819  !EscapingSymbol) {
2820  return State;
2821  }
2822 
2823  for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
2824  E = Escaped.end();
2825  I != E; ++I) {
2826  SymbolRef sym = *I;
2827 
2828  if (EscapingSymbol && EscapingSymbol != sym)
2829  continue;
2830 
2831  if (const RefState *RS = State->get<RegionState>(sym)) {
2832  if ((RS->isAllocated() || RS->isAllocatedOfSizeZero()) &&
2833  CheckRefState(RS)) {
2834  State = State->remove<RegionState>(sym);
2835  State = State->set<RegionState>(sym, RefState::getEscaped(RS));
2836  }
2837  }
2838  }
2839  return State;
2840 }
2841 
2843  ProgramStateRef prevState) {
2844  ReallocPairsTy currMap = currState->get<ReallocPairs>();
2845  ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
2846 
2847  for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end();
2848  I != E; ++I) {
2849  SymbolRef sym = I.getKey();
2850  if (!currMap.lookup(sym))
2851  return sym;
2852  }
2853 
2854  return nullptr;
2855 }
2856 
2858  if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
2859  StringRef N = II->getName();
2860  if (N.contains_lower("ptr") || N.contains_lower("pointer")) {
2861  if (N.contains_lower("ref") || N.contains_lower("cnt") ||
2862  N.contains_lower("intrusive") || N.contains_lower("shared")) {
2863  return true;
2864  }
2865  }
2866  }
2867  return false;
2868 }
2869 
2870 std::shared_ptr<PathDiagnosticPiece> MallocChecker::MallocBugVisitor::VisitNode(
2871  const ExplodedNode *N, BugReporterContext &BRC, BugReport &BR) {
2872 
2873  ProgramStateRef state = N->getState();
2874  ProgramStateRef statePrev = N->getFirstPred()->getState();
2875 
2876  const RefState *RS = state->get<RegionState>(Sym);
2877  const RefState *RSPrev = statePrev->get<RegionState>(Sym);
2878 
2879  const Stmt *S = PathDiagnosticLocation::getStmt(N);
2880  // When dealing with containers, we sometimes want to give a note
2881  // even if the statement is missing.
2882  if (!S && (!RS || RS->getAllocationFamily() != AF_InnerBuffer))
2883  return nullptr;
2884 
2885  const LocationContext *CurrentLC = N->getLocationContext();
2886 
2887  // If we find an atomic fetch_add or fetch_sub within the destructor in which
2888  // the pointer was released (before the release), this is likely a destructor
2889  // of a shared pointer.
2890  // Because we don't model atomics, and also because we don't know that the
2891  // original reference count is positive, we should not report use-after-frees
2892  // on objects deleted in such destructors. This can probably be improved
2893  // through better shared pointer modeling.
2894  if (ReleaseDestructorLC) {
2895  if (const auto *AE = dyn_cast<AtomicExpr>(S)) {
2896  AtomicExpr::AtomicOp Op = AE->getOp();
2897  if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
2898  Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
2899  if (ReleaseDestructorLC == CurrentLC ||
2900  ReleaseDestructorLC->isParentOf(CurrentLC)) {
2901  BR.markInvalid(getTag(), S);
2902  }
2903  }
2904  }
2905  }
2906 
2907  // FIXME: We will eventually need to handle non-statement-based events
2908  // (__attribute__((cleanup))).
2909 
2910  // Find out if this is an interesting point and what is the kind.
2911  StringRef Msg;
2912  StackHintGeneratorForSymbol *StackHint = nullptr;
2913  SmallString<256> Buf;
2914  llvm::raw_svector_ostream OS(Buf);
2915 
2916  if (Mode == Normal) {
2917  if (isAllocated(RS, RSPrev, S)) {
2918  Msg = "Memory is allocated";
2919  StackHint = new StackHintGeneratorForSymbol(Sym,
2920  "Returned allocated memory");
2921  } else if (isReleased(RS, RSPrev, S)) {
2922  const auto Family = RS->getAllocationFamily();
2923  switch (Family) {
2924  case AF_Alloca:
2925  case AF_Malloc:
2926  case AF_CXXNew:
2927  case AF_CXXNewArray:
2928  case AF_IfNameIndex:
2929  Msg = "Memory is released";
2930  StackHint = new StackHintGeneratorForSymbol(Sym,
2931  "Returning; memory was released");
2932  break;
2933  case AF_InnerBuffer: {
2934  const MemRegion *ObjRegion =
2936  const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
2937  QualType ObjTy = TypedRegion->getValueType();
2938  OS << "Inner buffer of '" << ObjTy.getAsString() << "' ";
2939 
2940  if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
2941  OS << "deallocated by call to destructor";
2942  StackHint = new StackHintGeneratorForSymbol(Sym,
2943  "Returning; inner buffer was deallocated");
2944  } else {
2945  OS << "reallocated by call to '";
2946  const Stmt *S = RS->getStmt();
2947  if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) {
2948  OS << MemCallE->getMethodDecl()->getNameAsString();
2949  } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) {
2950  OS << OpCallE->getDirectCallee()->getNameAsString();
2951  } else if (const auto *CallE = dyn_cast<CallExpr>(S)) {
2952  auto &CEMgr = BRC.getStateManager().getCallEventManager();
2953  CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC);
2954  const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl());
2955  OS << (D ? D->getNameAsString() : "unknown");
2956  }
2957  OS << "'";
2958  StackHint = new StackHintGeneratorForSymbol(Sym,
2959  "Returning; inner buffer was reallocated");
2960  }
2961  Msg = OS.str();
2962  break;
2963  }
2964  case AF_None:
2965  llvm_unreachable("Unhandled allocation family!");
2966  }
2967 
2968  // See if we're releasing memory while inlining a destructor
2969  // (or one of its callees). This turns on various common
2970  // false positive suppressions.
2971  bool FoundAnyDestructor = false;
2972  for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
2973  if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
2975  // This immediately looks like a reference-counting destructor.
2976  // We're bad at guessing the original reference count of the object,
2977  // so suppress the report for now.
2978  BR.markInvalid(getTag(), DD);
2979  } else if (!FoundAnyDestructor) {
2980  assert(!ReleaseDestructorLC &&
2981  "There can be only one release point!");
2982  // Suspect that it's a reference counting pointer destructor.
2983  // On one of the next nodes might find out that it has atomic
2984  // reference counting operations within it (see the code above),
2985  // and if so, we'd conclude that it likely is a reference counting
2986  // pointer destructor.
2987  ReleaseDestructorLC = LC->getStackFrame();
2988  // It is unlikely that releasing memory is delegated to a destructor
2989  // inside a destructor of a shared pointer, because it's fairly hard
2990  // to pass the information that the pointer indeed needs to be
2991  // released into it. So we're only interested in the innermost
2992  // destructor.
2993  FoundAnyDestructor = true;
2994  }
2995  }
2996  }
2997  } else if (isRelinquished(RS, RSPrev, S)) {
2998  Msg = "Memory ownership is transferred";
2999  StackHint = new StackHintGeneratorForSymbol(Sym, "");
3000  } else if (isReallocFailedCheck(RS, RSPrev, S)) {
3001  Mode = ReallocationFailed;
3002  Msg = "Reallocation failed";
3003  StackHint = new StackHintGeneratorForReallocationFailed(Sym,
3004  "Reallocation failed");
3005 
3006  if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
3007  // Is it possible to fail two reallocs WITHOUT testing in between?
3008  assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
3009  "We only support one failed realloc at a time.");
3010  BR.markInteresting(sym);
3011  FailedReallocSymbol = sym;
3012  }
3013  }
3014 
3015  // We are in a special mode if a reallocation failed later in the path.
3016  } else if (Mode == ReallocationFailed) {
3017  assert(FailedReallocSymbol && "No symbol to look for.");
3018 
3019  // Is this is the first appearance of the reallocated symbol?
3020  if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
3021  // We're at the reallocation point.
3022  Msg = "Attempt to reallocate memory";
3023  StackHint = new StackHintGeneratorForSymbol(Sym,
3024  "Returned reallocated memory");
3025  FailedReallocSymbol = nullptr;
3026  Mode = Normal;
3027  }
3028  }
3029 
3030  if (Msg.empty())
3031  return nullptr;
3032  assert(StackHint);
3033 
3034  // Generate the extra diagnostic.
3035  PathDiagnosticLocation Pos;
3036  if (!S) {
3037  assert(RS->getAllocationFamily() == AF_InnerBuffer);
3038  auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
3039  if (!PostImplCall)
3040  return nullptr;
3041  Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
3042  BRC.getSourceManager());
3043  } else {
3044  Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
3045  N->getLocationContext());
3046  }
3047 
3048  return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true, StackHint);
3049 }
3050 
3051 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
3052  const char *NL, const char *Sep) const {
3053 
3054  RegionStateTy RS = State->get<RegionState>();
3055 
3056  if (!RS.isEmpty()) {
3057  Out << Sep << "MallocChecker :" << NL;
3058  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3059  const RefState *RefS = State->get<RegionState>(I.getKey());
3060  AllocationFamily Family = RefS->getAllocationFamily();
3061  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
3062  if (!CheckKind.hasValue())
3063  CheckKind = getCheckIfTracked(Family, true);
3064 
3065  I.getKey()->dumpToStream(Out);
3066  Out << " : ";
3067  I.getData().dump(Out);
3068  if (CheckKind.hasValue())
3069  Out << " (" << CheckNames[*CheckKind].getName() << ")";
3070  Out << NL;
3071  }
3072  }
3073 }
3074 
3075 namespace clang {
3076 namespace ento {
3077 namespace allocation_state {
3078 
3081  AllocationFamily Family = AF_InnerBuffer;
3082  return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3083 }
3084 
3085 } // end namespace allocation_state
3086 } // end namespace ento
3087 } // end namespace clang
3088 
3089 // Intended to be used in InnerPointerChecker to register the part of
3090 // MallocChecker connected to it.
3092  MallocChecker *checker = mgr.getChecker<MallocChecker>();
3093  checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
3094  checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
3095  mgr.getCurrentCheckName();
3096 }
3097 
3098 void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
3099  auto *checker = mgr.registerChecker<MallocChecker>();
3100  checker->IsOptimistic = mgr.getAnalyzerOptions().getCheckerBooleanOption(
3101  checker, "Optimistic", false);
3102 }
3103 
3104 bool ento::shouldRegisterDynamicMemoryModeling(const LangOptions &LO) {
3105  return true;
3106 }
3107 
3108 #define REGISTER_CHECKER(name) \
3109  void ento::register##name(CheckerManager &mgr) { \
3110  MallocChecker *checker = mgr.getChecker<MallocChecker>(); \
3111  checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3112  checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \
3113  } \
3114  \
3115  bool ento::shouldRegister##name(const LangOptions &LO) { \
3116  return true; \
3117  }
3118 
3119 REGISTER_CHECKER(MallocChecker)
3120 REGISTER_CHECKER(NewDeleteChecker)
3121 REGISTER_CHECKER(NewDeleteLeaksChecker)
3122 REGISTER_CHECKER(MismatchedDeallocatorChecker)
const BlockDecl * getBlockDecl() const
Definition: Expr.h:5398
Represents a function declaration or definition.
Definition: Decl.h:1737
Smart pointer class that efficiently represents Objective-C method names.
A (possibly-)qualified type.
Definition: Type.h:639
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2586
bool hasCaptures() const
True if this block (or its nested blocks) captures anything of local storage from its enclosing scope...
Definition: Decl.h:3976
bool operator==(CanQual< T > x, CanQual< U > y)
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
const SymExpr * SymbolRef
Stmt - This represents one statement.
Definition: Stmt.h:65
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2573
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:505
const llvm::Triple & getTriple() const
Returns the target triple of the primary target.
Definition: TargetInfo.h:966
Defines the SourceManager interface.
void registerInnerPointerCheckerAux(CheckerManager &Mgr)
Register the part of MallocChecker connected to InnerPointerChecker.
__DEVICE__ long long abs(long long __n)
FunctionDecl * getOperatorNew() const
Definition: ExprCXX.h:2032
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
const MemRegion * getContainerObjRegion(ProgramStateRef State, SymbolRef Sym)
&#39;Sym&#39; represents a pointer to the inner buffer of a container object.
Represents a call to a C++ constructor.
Definition: ExprCXX.h:1261
const TargetInfo & getTargetInfo() const
Definition: ASTContext.h:689
constexpr XRayInstrMask Function
Definition: XRayInstr.h:38
Represents a C++ constructor within a class.
Definition: DeclCXX.h:2491
bool isConsumedExpr(Expr *E) const
Definition: ParentMap.cpp:159
Represents a variable declaration or definition.
Definition: Decl.h:812
std::string getName(ArrayRef< StringRef > Parts) const
Get the platform-specific name separator.
Symbolic value.
Definition: SymExpr.h:29
bool isParentOf(const LocationContext *LC) const
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call)
One of these records is kept for each identifier that is lexed.
void print(raw_ostream &Out, unsigned Indentation=0, bool PrintInstantiation=false) const
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:154
LineState State
const CXXConstructExpr * getConstructExpr() const
Returns the CXXConstructExpr from this new-expression, or null.
Definition: ExprCXX.h:2101
std::unique_ptr< BugReporterVisitor > getInnerPointerBRVisitor(SymbolRef Sym)
This function provides an additional visitor that augments the bug report with information relevant t...
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:49
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
IdentifierTable & Idents
Definition: ASTContext.h:565
ArrayRef< ParmVarDecl * > parameters() const
Definition: Decl.h:2261
static bool isLocType(QualType T)
Definition: SVals.h:326
Expr * getArraySize()
Definition: ExprCXX.h:2039
Represents any expression that calls an Objective-C method.
Definition: CallEvent.h:969
FunctionDecl * getOperatorDelete() const
Definition: ExprCXX.h:2209
CharUnits - This is an opaque type for sizes expressed in character units.
Definition: CharUnits.h:37
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
const LocationContext * getParent() const
static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD)
static bool didPreviousFreeFail(ProgramStateRef State, SymbolRef Sym, SymbolRef &RetStatusSymbol)
Checks if the previous call to free on the given symbol failed - if free failed, returns true...
CheckName getCurrentCheckName() const
bool isArrayForm() const
Definition: ExprCXX.h:2196
CXXRecordDecl * getAsCXXRecordDecl() const
Retrieves the CXXRecordDecl that this type refers to, either because the type is a RecordType or beca...
Definition: Type.cpp:1635
OverloadedOperatorKind getOverloadedOperator() const
getOverloadedOperator - Which C++ overloaded operator this function represents, if any...
Definition: Decl.cpp:3303
CXXConstructorDecl * getConstructor() const
Get the constructor that this expression will (ultimately) call.
Definition: ExprCXX.h:1333
Represents a non-static C++ member function call, no matter how it is written.
Definition: CallEvent.h:669
QuantityType getQuantity() const
getQuantity - Get the raw integer representation of this quantity.
Definition: CharUnits.h:178
unsigned Offset
Definition: Format.cpp:1669
This represents one expression.
Definition: Expr.h:108
std::string Label
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
Represents an implicit call to a C++ destructor.
Definition: CallEvent.h:799
static bool retTrue(const RefState *RS)
BlockExpr - Adaptor class for mixing a BlockDecl with expressions.
Definition: Expr.h:5384
Represents a C++ destructor within a class.
Definition: DeclCXX.h:2713
The pointer has been passed to a function call directly.
StringRef getNameForSlot(unsigned argIndex) const
Retrieve the name at a given position in the selector.
FunctionDecl * getDirectCallee()
If the callee is a FunctionDecl, return it. Otherwise return null.
Definition: Expr.h:2565
QualType getType() const
Definition: Expr.h:130
ReturnStmt - This represents a return, optionally of an expression: return; return 4;...
Definition: Stmt.h:2476
An expression that sends a message to the given Objective-C object or class.
Definition: ExprObjC.h:903
unsigned getNumArgs() const
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:704
bool hasAttrs() const
Definition: DeclBase.h:475
static const Stmt * getStmt(const ExplodedNode *N)
Given an exploded node, retrieve the statement that should be used for the diagnostic location...
Expr * getArgument()
Definition: ExprCXX.h:2211
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Kind
AllocationFamily
Encodes a location in the source.
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Expr * getRetValue()
Definition: Stmt.h:2509
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
ReallocPairKind
Represents a new-expression for memory allocation and constructor calls, e.g: "new CXXNewExpr(foo)"...
Definition: ExprCXX.h:1913
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:375
bool getCheckerBooleanOption(StringRef CheckerName, StringRef OptionName, bool DefaultVal, bool SearchInParents=false) const
Interprets an option&#39;s string value as a boolean.
static bool checkIfNewOrNewArrayFamily(const RefState *RS)
QualType getAllocatedType() const
Definition: ExprCXX.h:2006
bool isArray() const
Definition: ExprCXX.h:2037
static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, ProgramStateRef prevState)
static bool treatUnusedNewEscaped(const CXXNewExpr *NE)
StringRef getName() const
Return the actual identifier string.
virtual const ObjCMessageExpr * getOriginExpr() const
Definition: CallEvent.h:993
CanQualType CharTy
Definition: ASTContext.h:1017
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Selector getSelector() const
Definition: CallEvent.h:1017
Dataflow Directional Tag Classes.
bool isValid() const
Return true if this is a valid SourceLocation object.
Represents a delete expression for memory deallocation and destructor calls, e.g. ...
Definition: ExprCXX.h:2169
Represents a program point just after an implicit call event.
Definition: ProgramPoint.h:601
OverloadedOperatorKind
Enumeration specifying the different kinds of C++ overloaded operators.
Definition: OperatorKinds.h:21
static QualType getDeepPointeeType(QualType T)
const CXXRecordDecl * getParent() const
Returns the parent of this method declaration, which is the class in which this method is defined...
Definition: DeclCXX.h:2173
Kind getKind() const
Definition: DeclBase.h:423
AnalyzerOptions & getAnalyzerOptions()
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Indicates that the tracking object is a descendant of a referenced-counted OSObject, used in the Darwin kernel.
#define REGISTER_CHECKER(name)
const char * getOperatorSpelling(OverloadedOperatorKind Operator)
Retrieve the spelling of the given overloaded operator, without the preceding "operator" keyword...
uint64_t getCharWidth() const
Return the size of the character type, in bits.
Definition: ASTContext.h:2076
static Optional< bool > getFreeWhenDoneArg(const ObjCMethodCall &Call)
const StackFrameContext * getStackFrame() const
ProgramStateRef markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin)
SourceManager & getSourceManager()
Definition: ASTContext.h:661
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
Definition: DeclBase.h:515
X
Add a minimal nested name specifier fixit hint to allow lookup of a tag name from an outer enclosing ...
Definition: SemaDecl.cpp:14015
const Expr * getArgExpr(unsigned Index) const override
Definition: CallEvent.h:1005
#define CASE(ID)
static PathDiagnosticLocation createEndOfPath(const ExplodedNode *N, const SourceManager &SM)
Create a location corresponding to the next valid ExplodedNode as end of path location.
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:251
Defines the clang::TargetInfo interface.
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2429
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:275
std::string getQualifiedNameAsString() const
Definition: Decl.cpp:1519
A reference to a declared variable, function, enum, etc.
Definition: Expr.h:1074
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
A trivial tuple used to represent a source range.
This represents a decl that may have a name.
Definition: Decl.h:248
Decl * getCalleeDecl()
Definition: Expr.h:2559
SourceLocation getLocation() const
Definition: DeclBase.h:420