clang  7.0.0svn
MallocChecker.cpp
Go to the documentation of this file.
1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file defines malloc/free checker, which checks for potential memory
11 // leaks, double free, and use-after-free problems.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/AST/Attr.h"
18 #include "clang/AST/ParentMap.h"
20 #include "clang/Basic/TargetInfo.h"
30 #include "llvm/ADT/STLExtras.h"
31 #include "llvm/ADT/SmallString.h"
32 #include "llvm/ADT/StringExtras.h"
33 #include "AllocationState.h"
34 #include <climits>
35 #include <utility>
36 
37 using namespace clang;
38 using namespace ento;
39 
40 namespace {
41 
42 // Used to check correspondence between allocators and deallocators.
44  AF_None,
45  AF_Malloc,
46  AF_CXXNew,
47  AF_CXXNewArray,
48  AF_IfNameIndex,
49  AF_Alloca,
50  AF_InternalBuffer
51 };
52 
53 class RefState {
54  enum Kind { // Reference to allocated memory.
55  Allocated,
56  // Reference to zero-allocated memory.
57  AllocatedOfSizeZero,
58  // Reference to released/freed memory.
59  Released,
60  // The responsibility for freeing resources has transferred from
61  // this reference. A relinquished symbol should not be freed.
62  Relinquished,
63  // We are no longer guaranteed to have observed all manipulations
64  // of this pointer/memory. For example, it could have been
65  // passed as a parameter to an opaque function.
66  Escaped
67  };
68 
69  const Stmt *S;
70  unsigned K : 3; // Kind enum, but stored as a bitfield.
71  unsigned Family : 29; // Rest of 32-bit word, currently just an allocation
72  // family.
73 
74  RefState(Kind k, const Stmt *s, unsigned family)
75  : S(s), K(k), Family(family) {
76  assert(family != AF_None);
77  }
78 public:
79  bool isAllocated() const { return K == Allocated; }
80  bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
81  bool isReleased() const { return K == Released; }
82  bool isRelinquished() const { return K == Relinquished; }
83  bool isEscaped() const { return K == Escaped; }
84  AllocationFamily getAllocationFamily() const {
85  return (AllocationFamily)Family;
86  }
87  const Stmt *getStmt() const { return S; }
88 
89  bool operator==(const RefState &X) const {
90  return K == X.K && S == X.S && Family == X.Family;
91  }
92 
93  static RefState getAllocated(unsigned family, const Stmt *s) {
94  return RefState(Allocated, s, family);
95  }
96  static RefState getAllocatedOfSizeZero(const RefState *RS) {
97  return RefState(AllocatedOfSizeZero, RS->getStmt(),
98  RS->getAllocationFamily());
99  }
100  static RefState getReleased(unsigned family, const Stmt *s) {
101  return RefState(Released, s, family);
102  }
103  static RefState getRelinquished(unsigned family, const Stmt *s) {
104  return RefState(Relinquished, s, family);
105  }
106  static RefState getEscaped(const RefState *RS) {
107  return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
108  }
109 
110  void Profile(llvm::FoldingSetNodeID &ID) const {
111  ID.AddInteger(K);
112  ID.AddPointer(S);
113  ID.AddInteger(Family);
114  }
115 
116  void dump(raw_ostream &OS) const {
117  switch (static_cast<Kind>(K)) {
118 #define CASE(ID) case ID: OS << #ID; break;
119  CASE(Allocated)
120  CASE(AllocatedOfSizeZero)
121  CASE(Released)
122  CASE(Relinquished)
123  CASE(Escaped)
124  }
125  }
126 
127  LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
128 };
129 
131  RPToBeFreedAfterFailure,
132  // The symbol has been freed when reallocation failed.
133  RPIsFreeOnFailure,
134  // The symbol does not need to be freed after reallocation fails.
135  RPDoNotTrackAfterFailure
136 };
137 
138 /// \class ReallocPair
139 /// Stores information about the symbol being reallocated by a call to
140 /// 'realloc' to allow modeling failed reallocation later in the path.
141 struct ReallocPair {
142  // The symbol which realloc reallocated.
143  SymbolRef ReallocatedSym;
145 
146  ReallocPair(SymbolRef S, ReallocPairKind K) :
147  ReallocatedSym(S), Kind(K) {}
148  void Profile(llvm::FoldingSetNodeID &ID) const {
149  ID.AddInteger(Kind);
150  ID.AddPointer(ReallocatedSym);
151  }
152  bool operator==(const ReallocPair &X) const {
153  return ReallocatedSym == X.ReallocatedSym &&
154  Kind == X.Kind;
155  }
156 };
157 
158 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo;
159 
160 class MallocChecker : public Checker<check::DeadSymbols,
161  check::PointerEscape,
162  check::ConstPointerEscape,
163  check::PreStmt<ReturnStmt>,
164  check::PreCall,
165  check::PostStmt<CallExpr>,
166  check::PostStmt<CXXNewExpr>,
167  check::NewAllocator,
168  check::PreStmt<CXXDeleteExpr>,
169  check::PostStmt<BlockExpr>,
170  check::PostObjCMessage,
171  check::Location,
172  eval::Assume>
173 {
174 public:
175  MallocChecker()
176  : II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr),
177  II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),
178  II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),
179  II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr),
180  II_if_nameindex(nullptr), II_if_freenameindex(nullptr),
181  II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr),
182  II_g_malloc0(nullptr), II_g_realloc(nullptr), II_g_try_malloc(nullptr),
183  II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr),
184  II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr),
185  II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr),
186  II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr),
187  II_g_try_realloc_n(nullptr) {}
188 
189  /// In pessimistic mode, the checker assumes that it does not know which
190  /// functions might free the memory.
191  enum CheckKind {
192  CK_MallocChecker,
193  CK_NewDeleteChecker,
194  CK_NewDeleteLeaksChecker,
195  CK_MismatchedDeallocatorChecker,
196  CK_NumCheckKinds
197  };
198 
199  enum class MemoryOperationKind {
200  MOK_Allocate,
201  MOK_Free,
202  MOK_Any
203  };
204 
205  DefaultBool IsOptimistic;
206 
207  DefaultBool ChecksEnabled[CK_NumCheckKinds];
208  CheckName CheckNames[CK_NumCheckKinds];
209 
210  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
211  void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
212  void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
213  void checkNewAllocator(const CXXNewExpr *NE, SVal Target,
214  CheckerContext &C) const;
215  void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
216  void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
217  void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
218  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
219  void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
220  ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
221  bool Assumption) const;
222  void checkLocation(SVal l, bool isLoad, const Stmt *S,
223  CheckerContext &C) const;
224 
225  ProgramStateRef checkPointerEscape(ProgramStateRef State,
226  const InvalidatedSymbols &Escaped,
227  const CallEvent *Call,
228  PointerEscapeKind Kind) const;
229  ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
230  const InvalidatedSymbols &Escaped,
231  const CallEvent *Call,
232  PointerEscapeKind Kind) const;
233 
234  void printState(raw_ostream &Out, ProgramStateRef State,
235  const char *NL, const char *Sep) const override;
236 
237 private:
238  mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
239  mutable std::unique_ptr<BugType> BT_DoubleDelete;
240  mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
241  mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
242  mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
243  mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
244  mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
245  mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
246  mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
247  mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free,
248  *II_realloc, *II_calloc, *II_valloc, *II_reallocf,
249  *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc,
250  *II_if_nameindex, *II_if_freenameindex, *II_wcsdup,
251  *II_win_wcsdup, *II_g_malloc, *II_g_malloc0,
252  *II_g_realloc, *II_g_try_malloc, *II_g_try_malloc0,
253  *II_g_try_realloc, *II_g_free, *II_g_memdup,
254  *II_g_malloc_n, *II_g_malloc0_n, *II_g_realloc_n,
255  *II_g_try_malloc_n, *II_g_try_malloc0_n,
256  *II_g_try_realloc_n;
257  mutable Optional<uint64_t> KernelZeroFlagVal;
258 
259  void initIdentifierInfo(ASTContext &C) const;
260 
261  /// Determine family of a deallocation expression.
262  AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const;
263 
264  /// Print names of allocators and deallocators.
265  ///
266  /// \returns true on success.
267  bool printAllocDeallocName(raw_ostream &os, CheckerContext &C,
268  const Expr *E) const;
269 
270  /// Print expected name of an allocator based on the deallocator's
271  /// family derived from the DeallocExpr.
272  void printExpectedAllocName(raw_ostream &os, CheckerContext &C,
273  const Expr *DeallocExpr) const;
274  /// Print expected name of a deallocator based on the allocator's
275  /// family.
276  void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const;
277 
278  ///@{
279  /// Check if this is one of the functions which can allocate/reallocate memory
280  /// pointed to by one of its arguments.
281  bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
282  bool isCMemFunction(const FunctionDecl *FD,
283  ASTContext &C,
284  AllocationFamily Family,
285  MemoryOperationKind MemKind) const;
286  bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;
287  ///@}
288 
289  /// Process C++ operator new()'s allocation, which is the part of C++
290  /// new-expression that goes before the constructor.
291  void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C,
292  SVal Target) const;
293 
294  /// Perform a zero-allocation check.
295  /// The optional \p RetVal parameter specifies the newly allocated pointer
296  /// value; if unspecified, the value of expression \p E is used.
297  ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E,
298  const unsigned AllocationSizeArg,
299  ProgramStateRef State,
300  Optional<SVal> RetVal = None) const;
301 
302  ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
303  const CallExpr *CE,
304  const OwnershipAttr* Att,
305  ProgramStateRef State) const;
306  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
307  const Expr *SizeEx, SVal Init,
308  ProgramStateRef State,
309  AllocationFamily Family = AF_Malloc);
310  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
311  SVal SizeEx, SVal Init,
312  ProgramStateRef State,
313  AllocationFamily Family = AF_Malloc);
314 
315  static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE,
316  ProgramStateRef State, SVal Target);
317 
318  // Check if this malloc() for special flags. At present that means M_ZERO or
319  // __GFP_ZERO (in which case, treat it like calloc).
321  performKernelMalloc(const CallExpr *CE, CheckerContext &C,
322  const ProgramStateRef &State) const;
323 
324  /// Update the RefState to reflect the new memory allocation.
325  /// The optional \p RetVal parameter specifies the newly allocated pointer
326  /// value; if unspecified, the value of expression \p E is used.
327  static ProgramStateRef
328  MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
329  AllocationFamily Family = AF_Malloc,
330  Optional<SVal> RetVal = None);
331 
332  ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE,
333  const OwnershipAttr* Att,
334  ProgramStateRef State) const;
335  ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
336  ProgramStateRef state, unsigned Num,
337  bool Hold,
338  bool &ReleasedAllocated,
339  bool ReturnsNullOnFailure = false) const;
340  ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg,
341  const Expr *ParentExpr,
342  ProgramStateRef State,
343  bool Hold,
344  bool &ReleasedAllocated,
345  bool ReturnsNullOnFailure = false) const;
346 
347  ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE,
348  bool FreesMemOnFailure,
349  ProgramStateRef State,
350  bool SuffixWithN = false) const;
351  static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
352  const Expr *BlockBytes);
353  static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,
354  ProgramStateRef State);
355 
356  ///Check if the memory associated with this symbol was released.
357  bool isReleased(SymbolRef Sym, CheckerContext &C) const;
358 
359  bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
360 
361  void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
362  const Stmt *S) const;
363 
364  bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
365 
366  /// Check if the function is known free memory, or if it is
367  /// "interesting" and should be modeled explicitly.
368  ///
369  /// \param [out] EscapingSymbol A function might not free memory in general,
370  /// but could be known to free a particular symbol. In this case, false is
371  /// returned and the single escaping symbol is returned through the out
372  /// parameter.
373  ///
374  /// We assume that pointers do not escape through calls to system functions
375  /// not handled by this checker.
376  bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
377  ProgramStateRef State,
378  SymbolRef &EscapingSymbol) const;
379 
380  // Implementation of the checkPointerEscape callabcks.
381  ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
382  const InvalidatedSymbols &Escaped,
383  const CallEvent *Call,
384  PointerEscapeKind Kind,
385  bool(*CheckRefState)(const RefState*)) const;
386 
387  ///@{
388  /// Tells if a given family/call/symbol is tracked by the current checker.
389  /// Sets CheckKind to the kind of the checker responsible for this
390  /// family/call/symbol.
391  Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
392  bool IsALeakCheck = false) const;
393  Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
394  const Stmt *AllocDeallocStmt,
395  bool IsALeakCheck = false) const;
396  Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
397  bool IsALeakCheck = false) const;
398  ///@}
399  static bool SummarizeValue(raw_ostream &os, SVal V);
400  static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
401  void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
402  const Expr *DeallocExpr) const;
403  void ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
404  SourceRange Range) const;
405  void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
406  const Expr *DeallocExpr, const RefState *RS,
407  SymbolRef Sym, bool OwnershipTransferred) const;
408  void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
409  const Expr *DeallocExpr,
410  const Expr *AllocExpr = nullptr) const;
411  void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
412  SymbolRef Sym) const;
413  void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
414  SymbolRef Sym, SymbolRef PrevSym) const;
415 
416  void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
417 
418  void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range,
419  SymbolRef Sym) const;
420 
421  void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
422  SourceRange Range, const Expr *FreeExpr) const;
423 
424  /// Find the location of the allocation for Sym on the path leading to the
425  /// exploded node N.
426  LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
427  CheckerContext &C) const;
428 
429  void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
430 
431  /// The bug visitor which allows us to print extra diagnostics along the
432  /// BugReport path. For example, showing the allocation site of the leaked
433  /// region.
434  class MallocBugVisitor final
435  : public BugReporterVisitorImpl<MallocBugVisitor> {
436  protected:
437  enum NotificationMode {
438  Normal,
439  ReallocationFailed
440  };
441 
442  // The allocated region symbol tracked by the main analysis.
443  SymbolRef Sym;
444 
445  // The mode we are in, i.e. what kind of diagnostics will be emitted.
446  NotificationMode Mode;
447 
448  // A symbol from when the primary region should have been reallocated.
449  SymbolRef FailedReallocSymbol;
450 
451  // A C++ destructor stack frame in which memory was released. Used for
452  // miscellaneous false positive suppression.
453  const StackFrameContext *ReleaseDestructorLC;
454 
455  bool IsLeak;
456 
457  public:
458  MallocBugVisitor(SymbolRef S, bool isLeak = false)
459  : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
460  ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
461 
462  static void *getTag() {
463  static int Tag = 0;
464  return &Tag;
465  }
466 
467  void Profile(llvm::FoldingSetNodeID &ID) const override {
468  ID.AddPointer(getTag());
469  ID.AddPointer(Sym);
470  }
471 
472  inline bool isAllocated(const RefState *S, const RefState *SPrev,
473  const Stmt *Stmt) {
474  // Did not track -> allocated. Other state (released) -> allocated.
475  return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) &&
476  (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
477  (!SPrev || !(SPrev->isAllocated() ||
478  SPrev->isAllocatedOfSizeZero())));
479  }
480 
481  inline bool isReleased(const RefState *S, const RefState *SPrev,
482  const Stmt *Stmt) {
483  // Did not track -> released. Other state (allocated) -> released.
484  return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) &&
485  (S && S->isReleased()) && (!SPrev || !SPrev->isReleased()));
486  }
487 
488  inline bool isRelinquished(const RefState *S, const RefState *SPrev,
489  const Stmt *Stmt) {
490  // Did not track -> relinquished. Other state (allocated) -> relinquished.
491  return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) ||
492  isa<ObjCPropertyRefExpr>(Stmt)) &&
493  (S && S->isRelinquished()) &&
494  (!SPrev || !SPrev->isRelinquished()));
495  }
496 
497  inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev,
498  const Stmt *Stmt) {
499  // If the expression is not a call, and the state change is
500  // released -> allocated, it must be the realloc return value
501  // check. If we have to handle more cases here, it might be cleaner just
502  // to track this extra bit in the state itself.
503  return ((!Stmt || !isa<CallExpr>(Stmt)) &&
504  (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
505  (SPrev && !(SPrev->isAllocated() ||
506  SPrev->isAllocatedOfSizeZero())));
507  }
508 
509  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
510  const ExplodedNode *PrevN,
511  BugReporterContext &BRC,
512  BugReport &BR) override;
513 
514  std::unique_ptr<PathDiagnosticPiece>
515  getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode,
516  BugReport &BR) override {
517  if (!IsLeak)
518  return nullptr;
519 
522  BRC.getSourceManager());
523  // Do not add the statement itself as a range in case of leak.
524  return llvm::make_unique<PathDiagnosticEventPiece>(L, BR.getDescription(),
525  false);
526  }
527 
528  private:
529  class StackHintGeneratorForReallocationFailed
530  : public StackHintGeneratorForSymbol {
531  public:
532  StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
533  : StackHintGeneratorForSymbol(S, M) {}
534 
535  std::string getMessageForArg(const Expr *ArgE,
536  unsigned ArgIndex) override {
537  // Printed parameters start at 1, not 0.
538  ++ArgIndex;
539 
540  SmallString<200> buf;
541  llvm::raw_svector_ostream os(buf);
542 
543  os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
544  << " parameter failed";
545 
546  return os.str();
547  }
548 
549  std::string getMessageForReturn(const CallExpr *CallExpr) override {
550  return "Reallocation of returned value failed";
551  }
552  };
553  };
554 };
555 } // end anonymous namespace
556 
557 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
558 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
559 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
560 
561 // A map from the freed symbol to the symbol representing the return value of
562 // the free function.
564 
565 namespace {
566 class StopTrackingCallback final : public SymbolVisitor {
568 public:
569  StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
570  ProgramStateRef getState() const { return state; }
571 
572  bool VisitSymbol(SymbolRef sym) override {
573  state = state->remove<RegionState>(sym);
574  return true;
575  }
576 };
577 } // end anonymous namespace
578 
579 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
580  if (II_malloc)
581  return;
582  II_alloca = &Ctx.Idents.get("alloca");
583  II_malloc = &Ctx.Idents.get("malloc");
584  II_free = &Ctx.Idents.get("free");
585  II_realloc = &Ctx.Idents.get("realloc");
586  II_reallocf = &Ctx.Idents.get("reallocf");
587  II_calloc = &Ctx.Idents.get("calloc");
588  II_valloc = &Ctx.Idents.get("valloc");
589  II_strdup = &Ctx.Idents.get("strdup");
590  II_strndup = &Ctx.Idents.get("strndup");
591  II_wcsdup = &Ctx.Idents.get("wcsdup");
592  II_kmalloc = &Ctx.Idents.get("kmalloc");
593  II_if_nameindex = &Ctx.Idents.get("if_nameindex");
594  II_if_freenameindex = &Ctx.Idents.get("if_freenameindex");
595 
596  //MSVC uses `_`-prefixed instead, so we check for them too.
597  II_win_strdup = &Ctx.Idents.get("_strdup");
598  II_win_wcsdup = &Ctx.Idents.get("_wcsdup");
599  II_win_alloca = &Ctx.Idents.get("_alloca");
600 
601  // Glib
602  II_g_malloc = &Ctx.Idents.get("g_malloc");
603  II_g_malloc0 = &Ctx.Idents.get("g_malloc0");
604  II_g_realloc = &Ctx.Idents.get("g_realloc");
605  II_g_try_malloc = &Ctx.Idents.get("g_try_malloc");
606  II_g_try_malloc0 = &Ctx.Idents.get("g_try_malloc0");
607  II_g_try_realloc = &Ctx.Idents.get("g_try_realloc");
608  II_g_free = &Ctx.Idents.get("g_free");
609  II_g_memdup = &Ctx.Idents.get("g_memdup");
610  II_g_malloc_n = &Ctx.Idents.get("g_malloc_n");
611  II_g_malloc0_n = &Ctx.Idents.get("g_malloc0_n");
612  II_g_realloc_n = &Ctx.Idents.get("g_realloc_n");
613  II_g_try_malloc_n = &Ctx.Idents.get("g_try_malloc_n");
614  II_g_try_malloc0_n = &Ctx.Idents.get("g_try_malloc0_n");
615  II_g_try_realloc_n = &Ctx.Idents.get("g_try_realloc_n");
616 }
617 
618 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const {
619  if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any))
620  return true;
621 
622  if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
623  return true;
624 
625  if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any))
626  return true;
627 
628  if (isStandardNewDelete(FD, C))
629  return true;
630 
631  return false;
632 }
633 
634 bool MallocChecker::isCMemFunction(const FunctionDecl *FD,
635  ASTContext &C,
636  AllocationFamily Family,
637  MemoryOperationKind MemKind) const {
638  if (!FD)
639  return false;
640 
641  bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any ||
642  MemKind == MemoryOperationKind::MOK_Free);
643  bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any ||
644  MemKind == MemoryOperationKind::MOK_Allocate);
645 
646  if (FD->getKind() == Decl::Function) {
647  const IdentifierInfo *FunI = FD->getIdentifier();
648  initIdentifierInfo(C);
649 
650  if (Family == AF_Malloc && CheckFree) {
651  if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf ||
652  FunI == II_g_free)
653  return true;
654  }
655 
656  if (Family == AF_Malloc && CheckAlloc) {
657  if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf ||
658  FunI == II_calloc || FunI == II_valloc || FunI == II_strdup ||
659  FunI == II_win_strdup || FunI == II_strndup || FunI == II_wcsdup ||
660  FunI == II_win_wcsdup || FunI == II_kmalloc ||
661  FunI == II_g_malloc || FunI == II_g_malloc0 ||
662  FunI == II_g_realloc || FunI == II_g_try_malloc ||
663  FunI == II_g_try_malloc0 || FunI == II_g_try_realloc ||
664  FunI == II_g_memdup || FunI == II_g_malloc_n ||
665  FunI == II_g_malloc0_n || FunI == II_g_realloc_n ||
666  FunI == II_g_try_malloc_n || FunI == II_g_try_malloc0_n ||
667  FunI == II_g_try_realloc_n)
668  return true;
669  }
670 
671  if (Family == AF_IfNameIndex && CheckFree) {
672  if (FunI == II_if_freenameindex)
673  return true;
674  }
675 
676  if (Family == AF_IfNameIndex && CheckAlloc) {
677  if (FunI == II_if_nameindex)
678  return true;
679  }
680 
681  if (Family == AF_Alloca && CheckAlloc) {
682  if (FunI == II_alloca || FunI == II_win_alloca)
683  return true;
684  }
685  }
686 
687  if (Family != AF_Malloc)
688  return false;
689 
690  if (IsOptimistic && FD->hasAttrs()) {
691  for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
692  OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
693  if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) {
694  if (CheckFree)
695  return true;
696  } else if (OwnKind == OwnershipAttr::Returns) {
697  if (CheckAlloc)
698  return true;
699  }
700  }
701  }
702 
703  return false;
704 }
705 
706 // Tells if the callee is one of the following:
707 // 1) A global non-placement new/delete operator function.
708 // 2) A global placement operator function with the single placement argument
709 // of type std::nothrow_t.
710 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD,
711  ASTContext &C) const {
712  if (!FD)
713  return false;
714 
716  if (Kind != OO_New && Kind != OO_Array_New &&
717  Kind != OO_Delete && Kind != OO_Array_Delete)
718  return false;
719 
720  // Skip all operator new/delete methods.
721  if (isa<CXXMethodDecl>(FD))
722  return false;
723 
724  // Return true if tested operator is a standard placement nothrow operator.
725  if (FD->getNumParams() == 2) {
726  QualType T = FD->getParamDecl(1)->getType();
727  if (const IdentifierInfo *II = T.getBaseTypeIdentifier())
728  return II->getName().equals("nothrow_t");
729  }
730 
731  // Skip placement operators.
732  if (FD->getNumParams() != 1 || FD->isVariadic())
733  return false;
734 
735  // One of the standard new/new[]/delete/delete[] non-placement operators.
736  return true;
737 }
738 
739 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc(
740  const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const {
741  // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
742  //
743  // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
744  //
745  // One of the possible flags is M_ZERO, which means 'give me back an
746  // allocation which is already zeroed', like calloc.
747 
748  // 2-argument kmalloc(), as used in the Linux kernel:
749  //
750  // void *kmalloc(size_t size, gfp_t flags);
751  //
752  // Has the similar flag value __GFP_ZERO.
753 
754  // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
755  // code could be shared.
756 
757  ASTContext &Ctx = C.getASTContext();
758  llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
759 
760  if (!KernelZeroFlagVal.hasValue()) {
761  if (OS == llvm::Triple::FreeBSD)
762  KernelZeroFlagVal = 0x0100;
763  else if (OS == llvm::Triple::NetBSD)
764  KernelZeroFlagVal = 0x0002;
765  else if (OS == llvm::Triple::OpenBSD)
766  KernelZeroFlagVal = 0x0008;
767  else if (OS == llvm::Triple::Linux)
768  // __GFP_ZERO
769  KernelZeroFlagVal = 0x8000;
770  else
771  // FIXME: We need a more general way of getting the M_ZERO value.
772  // See also: O_CREAT in UnixAPIChecker.cpp.
773 
774  // Fall back to normal malloc behavior on platforms where we don't
775  // know M_ZERO.
776  return None;
777  }
778 
779  // We treat the last argument as the flags argument, and callers fall-back to
780  // normal malloc on a None return. This works for the FreeBSD kernel malloc
781  // as well as Linux kmalloc.
782  if (CE->getNumArgs() < 2)
783  return None;
784 
785  const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1);
786  const SVal V = C.getSVal(FlagsEx);
787  if (!V.getAs<NonLoc>()) {
788  // The case where 'V' can be a location can only be due to a bad header,
789  // so in this case bail out.
790  return None;
791  }
792 
793  NonLoc Flags = V.castAs<NonLoc>();
794  NonLoc ZeroFlag = C.getSValBuilder()
795  .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType())
796  .castAs<NonLoc>();
797  SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And,
798  Flags, ZeroFlag,
799  FlagsEx->getType());
800  if (MaskedFlagsUC.isUnknownOrUndef())
801  return None;
802  DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
803 
804  // Check if maskedFlags is non-zero.
805  ProgramStateRef TrueState, FalseState;
806  std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
807 
808  // If M_ZERO is set, treat this like calloc (initialized).
809  if (TrueState && !FalseState) {
810  SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
811  return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState);
812  }
813 
814  return None;
815 }
816 
817 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
818  const Expr *BlockBytes) {
819  SValBuilder &SB = C.getSValBuilder();
820  SVal BlocksVal = C.getSVal(Blocks);
821  SVal BlockBytesVal = C.getSVal(BlockBytes);
822  ProgramStateRef State = C.getState();
823  SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
824  SB.getContext().getSizeType());
825  return TotalSize;
826 }
827 
828 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
829  if (C.wasInlined)
830  return;
831 
832  const FunctionDecl *FD = C.getCalleeDecl(CE);
833  if (!FD)
834  return;
835 
836  ProgramStateRef State = C.getState();
837  bool ReleasedAllocatedMemory = false;
838 
839  if (FD->getKind() == Decl::Function) {
840  initIdentifierInfo(C.getASTContext());
841  IdentifierInfo *FunI = FD->getIdentifier();
842 
843  if (FunI == II_malloc || FunI == II_g_malloc || FunI == II_g_try_malloc) {
844  if (CE->getNumArgs() < 1)
845  return;
846  if (CE->getNumArgs() < 3) {
847  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
848  if (CE->getNumArgs() == 1)
849  State = ProcessZeroAllocation(C, CE, 0, State);
850  } else if (CE->getNumArgs() == 3) {
852  performKernelMalloc(CE, C, State);
853  if (MaybeState.hasValue())
854  State = MaybeState.getValue();
855  else
856  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
857  }
858  } else if (FunI == II_kmalloc) {
859  if (CE->getNumArgs() < 1)
860  return;
862  performKernelMalloc(CE, C, State);
863  if (MaybeState.hasValue())
864  State = MaybeState.getValue();
865  else
866  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
867  } else if (FunI == II_valloc) {
868  if (CE->getNumArgs() < 1)
869  return;
870  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
871  State = ProcessZeroAllocation(C, CE, 0, State);
872  } else if (FunI == II_realloc || FunI == II_g_realloc ||
873  FunI == II_g_try_realloc) {
874  State = ReallocMemAux(C, CE, false, State);
875  State = ProcessZeroAllocation(C, CE, 1, State);
876  } else if (FunI == II_reallocf) {
877  State = ReallocMemAux(C, CE, true, State);
878  State = ProcessZeroAllocation(C, CE, 1, State);
879  } else if (FunI == II_calloc) {
880  State = CallocMem(C, CE, State);
881  State = ProcessZeroAllocation(C, CE, 0, State);
882  State = ProcessZeroAllocation(C, CE, 1, State);
883  } else if (FunI == II_free || FunI == II_g_free) {
884  State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
885  } else if (FunI == II_strdup || FunI == II_win_strdup ||
886  FunI == II_wcsdup || FunI == II_win_wcsdup) {
887  State = MallocUpdateRefState(C, CE, State);
888  } else if (FunI == II_strndup) {
889  State = MallocUpdateRefState(C, CE, State);
890  } else if (FunI == II_alloca || FunI == II_win_alloca) {
891  if (CE->getNumArgs() < 1)
892  return;
893  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
894  AF_Alloca);
895  State = ProcessZeroAllocation(C, CE, 0, State);
896  } else if (isStandardNewDelete(FD, C.getASTContext())) {
897  // Process direct calls to operator new/new[]/delete/delete[] functions
898  // as distinct from new/new[]/delete/delete[] expressions that are
899  // processed by the checkPostStmt callbacks for CXXNewExpr and
900  // CXXDeleteExpr.
902  if (K == OO_New) {
903  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
904  AF_CXXNew);
905  State = ProcessZeroAllocation(C, CE, 0, State);
906  }
907  else if (K == OO_Array_New) {
908  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
909  AF_CXXNewArray);
910  State = ProcessZeroAllocation(C, CE, 0, State);
911  }
912  else if (K == OO_Delete || K == OO_Array_Delete)
913  State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
914  else
915  llvm_unreachable("not a new/delete operator");
916  } else if (FunI == II_if_nameindex) {
917  // Should we model this differently? We can allocate a fixed number of
918  // elements with zeros in the last one.
919  State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
920  AF_IfNameIndex);
921  } else if (FunI == II_if_freenameindex) {
922  State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
923  } else if (FunI == II_g_malloc0 || FunI == II_g_try_malloc0) {
924  if (CE->getNumArgs() < 1)
925  return;
926  SValBuilder &svalBuilder = C.getSValBuilder();
927  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
928  State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State);
929  State = ProcessZeroAllocation(C, CE, 0, State);
930  } else if (FunI == II_g_memdup) {
931  if (CE->getNumArgs() < 2)
932  return;
933  State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State);
934  State = ProcessZeroAllocation(C, CE, 1, State);
935  } else if (FunI == II_g_malloc_n || FunI == II_g_try_malloc_n ||
936  FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
937  if (CE->getNumArgs() < 2)
938  return;
939  SVal Init = UndefinedVal();
940  if (FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
941  SValBuilder &SB = C.getSValBuilder();
942  Init = SB.makeZeroVal(SB.getContext().CharTy);
943  }
944  SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
945  State = MallocMemAux(C, CE, TotalSize, Init, State);
946  State = ProcessZeroAllocation(C, CE, 0, State);
947  State = ProcessZeroAllocation(C, CE, 1, State);
948  } else if (FunI == II_g_realloc_n || FunI == II_g_try_realloc_n) {
949  if (CE->getNumArgs() < 3)
950  return;
951  State = ReallocMemAux(C, CE, false, State, true);
952  State = ProcessZeroAllocation(C, CE, 1, State);
953  State = ProcessZeroAllocation(C, CE, 2, State);
954  }
955  }
956 
957  if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
958  // Check all the attributes, if there are any.
959  // There can be multiple of these attributes.
960  if (FD->hasAttrs())
961  for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
962  switch (I->getOwnKind()) {
963  case OwnershipAttr::Returns:
964  State = MallocMemReturnsAttr(C, CE, I, State);
965  break;
966  case OwnershipAttr::Takes:
967  case OwnershipAttr::Holds:
968  State = FreeMemAttr(C, CE, I, State);
969  break;
970  }
971  }
972  }
973  C.addTransition(State);
974 }
975 
976 // Performs a 0-sized allocations check.
977 ProgramStateRef MallocChecker::ProcessZeroAllocation(
978  CheckerContext &C, const Expr *E, const unsigned AllocationSizeArg,
979  ProgramStateRef State, Optional<SVal> RetVal) const {
980  if (!State)
981  return nullptr;
982 
983  if (!RetVal)
984  RetVal = C.getSVal(E);
985 
986  const Expr *Arg = nullptr;
987 
988  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
989  Arg = CE->getArg(AllocationSizeArg);
990  }
991  else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
992  if (NE->isArray())
993  Arg = NE->getArraySize();
994  else
995  return State;
996  }
997  else
998  llvm_unreachable("not a CallExpr or CXXNewExpr");
999 
1000  assert(Arg);
1001 
1002  Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>();
1003 
1004  if (!DefArgVal)
1005  return State;
1006 
1007  // Check if the allocation size is 0.
1008  ProgramStateRef TrueState, FalseState;
1009  SValBuilder &SvalBuilder = C.getSValBuilder();
1010  DefinedSVal Zero =
1011  SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
1012 
1013  std::tie(TrueState, FalseState) =
1014  State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1015 
1016  if (TrueState && !FalseState) {
1017  SymbolRef Sym = RetVal->getAsLocSymbol();
1018  if (!Sym)
1019  return State;
1020 
1021  const RefState *RS = State->get<RegionState>(Sym);
1022  if (RS) {
1023  if (RS->isAllocated())
1024  return TrueState->set<RegionState>(Sym,
1025  RefState::getAllocatedOfSizeZero(RS));
1026  else
1027  return State;
1028  } else {
1029  // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1030  // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1031  // tracked. Add zero-reallocated Sym to the state to catch references
1032  // to zero-allocated memory.
1033  return TrueState->add<ReallocSizeZeroSymbols>(Sym);
1034  }
1035  }
1036 
1037  // Assume the value is non-zero going forward.
1038  assert(FalseState);
1039  return FalseState;
1040 }
1041 
1043  QualType Result = T, PointeeType = T->getPointeeType();
1044  while (!PointeeType.isNull()) {
1045  Result = PointeeType;
1046  PointeeType = PointeeType->getPointeeType();
1047  }
1048  return Result;
1049 }
1050 
1051 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) {
1052 
1053  const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1054  if (!ConstructE)
1055  return false;
1056 
1057  if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1058  return false;
1059 
1060  const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1061 
1062  // Iterate over the constructor parameters.
1063  for (const auto *CtorParam : CtorD->parameters()) {
1064 
1065  QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1066  if (CtorParamPointeeT.isNull())
1067  continue;
1068 
1069  CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1070 
1071  if (CtorParamPointeeT->getAsCXXRecordDecl())
1072  return true;
1073  }
1074 
1075  return false;
1076 }
1077 
1078 void MallocChecker::processNewAllocation(const CXXNewExpr *NE,
1079  CheckerContext &C,
1080  SVal Target) const {
1081  if (NE->getNumPlacementArgs())
1083  E = NE->placement_arg_end(); I != E; ++I)
1084  if (SymbolRef Sym = C.getSVal(*I).getAsSymbol())
1085  checkUseAfterFree(Sym, C, *I);
1086 
1087  if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext()))
1088  return;
1089 
1091  if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE))
1092  return;
1093 
1094  ProgramStateRef State = C.getState();
1095  // The return value from operator new is bound to a specified initialization
1096  // value (if any) and we don't want to loose this value. So we call
1097  // MallocUpdateRefState() instead of MallocMemAux() which breakes the
1098  // existing binding.
1099  State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray
1100  : AF_CXXNew, Target);
1101  State = addExtentSize(C, NE, State, Target);
1102  State = ProcessZeroAllocation(C, NE, 0, State, Target);
1103  C.addTransition(State);
1104 }
1105 
1106 void MallocChecker::checkPostStmt(const CXXNewExpr *NE,
1107  CheckerContext &C) const {
1109  processNewAllocation(NE, C, C.getSVal(NE));
1110 }
1111 
1112 void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target,
1113  CheckerContext &C) const {
1114  if (!C.wasInlined)
1115  processNewAllocation(NE, C, Target);
1116 }
1117 
1118 // Sets the extent value of the MemRegion allocated by
1119 // new expression NE to its size in Bytes.
1120 //
1121 ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
1122  const CXXNewExpr *NE,
1123  ProgramStateRef State,
1124  SVal Target) {
1125  if (!State)
1126  return nullptr;
1127  SValBuilder &svalBuilder = C.getSValBuilder();
1128  SVal ElementCount;
1129  const SubRegion *Region;
1130  if (NE->isArray()) {
1131  const Expr *SizeExpr = NE->getArraySize();
1132  ElementCount = C.getSVal(SizeExpr);
1133  // Store the extent size for the (symbolic)region
1134  // containing the elements.
1135  Region = Target.getAsRegion()
1136  ->getAs<SubRegion>()
1137  ->StripCasts()
1138  ->getAs<SubRegion>();
1139  } else {
1140  ElementCount = svalBuilder.makeIntVal(1, true);
1141  Region = Target.getAsRegion()->getAs<SubRegion>();
1142  }
1143  assert(Region);
1144 
1145  // Set the region's extent equal to the Size in Bytes.
1146  QualType ElementType = NE->getAllocatedType();
1147  ASTContext &AstContext = C.getASTContext();
1148  CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType);
1149 
1150  if (ElementCount.getAs<NonLoc>()) {
1151  DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder);
1152  // size in Bytes = ElementCount*TypeSize
1153  SVal SizeInBytes = svalBuilder.evalBinOpNN(
1154  State, BO_Mul, ElementCount.castAs<NonLoc>(),
1155  svalBuilder.makeArrayIndex(TypeSize.getQuantity()),
1156  svalBuilder.getArrayIndexType());
1157  DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ(
1158  State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>());
1159  State = State->assume(extentMatchesSize, true);
1160  }
1161  return State;
1162 }
1163 
1164 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
1165  CheckerContext &C) const {
1166 
1167  if (!ChecksEnabled[CK_NewDeleteChecker])
1168  if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
1169  checkUseAfterFree(Sym, C, DE->getArgument());
1170 
1171  if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext()))
1172  return;
1173 
1174  ProgramStateRef State = C.getState();
1175  bool ReleasedAllocated;
1176  State = FreeMemAux(C, DE->getArgument(), DE, State,
1177  /*Hold*/false, ReleasedAllocated);
1178 
1179  C.addTransition(State);
1180 }
1181 
1183  // If the first selector piece is one of the names below, assume that the
1184  // object takes ownership of the memory, promising to eventually deallocate it
1185  // with free().
1186  // Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1187  // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1188  StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
1189  return FirstSlot == "dataWithBytesNoCopy" ||
1190  FirstSlot == "initWithBytesNoCopy" ||
1191  FirstSlot == "initWithCharactersNoCopy";
1192 }
1193 
1195  Selector S = Call.getSelector();
1196 
1197  // FIXME: We should not rely on fully-constrained symbols being folded.
1198  for (unsigned i = 1; i < S.getNumArgs(); ++i)
1199  if (S.getNameForSlot(i).equals("freeWhenDone"))
1200  return !Call.getArgSVal(i).isZeroConstant();
1201 
1202  return None;
1203 }
1204 
1205 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1206  CheckerContext &C) const {
1207  if (C.wasInlined)
1208  return;
1209 
1210  if (!isKnownDeallocObjCMethodName(Call))
1211  return;
1212 
1213  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1214  if (!*FreeWhenDone)
1215  return;
1216 
1217  bool ReleasedAllocatedMemory;
1218  ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0),
1219  Call.getOriginExpr(), C.getState(),
1220  /*Hold=*/true, ReleasedAllocatedMemory,
1221  /*RetNullOnFailure=*/true);
1222 
1223  C.addTransition(State);
1224 }
1225 
1227 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
1228  const OwnershipAttr *Att,
1229  ProgramStateRef State) const {
1230  if (!State)
1231  return nullptr;
1232 
1233  if (Att->getModule() != II_malloc)
1234  return nullptr;
1235 
1236  OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
1237  if (I != E) {
1238  return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(),
1239  State);
1240  }
1241  return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State);
1242 }
1243 
1244 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1245  const CallExpr *CE,
1246  const Expr *SizeEx, SVal Init,
1247  ProgramStateRef State,
1248  AllocationFamily Family) {
1249  if (!State)
1250  return nullptr;
1251 
1252  return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family);
1253 }
1254 
1255 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1256  const CallExpr *CE,
1257  SVal Size, SVal Init,
1258  ProgramStateRef State,
1259  AllocationFamily Family) {
1260  if (!State)
1261  return nullptr;
1262 
1263  // We expect the malloc functions to return a pointer.
1264  if (!Loc::isLocType(CE->getType()))
1265  return nullptr;
1266 
1267  // Bind the return value to the symbolic value from the heap region.
1268  // TODO: We could rewrite post visit to eval call; 'malloc' does not have
1269  // side effects other than what we model here.
1270  unsigned Count = C.blockCount();
1271  SValBuilder &svalBuilder = C.getSValBuilder();
1272  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1273  DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
1274  .castAs<DefinedSVal>();
1275  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1276 
1277  // Fill the region with the initialization value.
1278  State = State->bindDefaultInitial(RetVal, Init, LCtx);
1279 
1280  // Set the region's extent equal to the Size parameter.
1281  const SymbolicRegion *R =
1282  dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
1283  if (!R)
1284  return nullptr;
1285  if (Optional<DefinedOrUnknownSVal> DefinedSize =
1286  Size.getAs<DefinedOrUnknownSVal>()) {
1287  SValBuilder &svalBuilder = C.getSValBuilder();
1288  DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
1289  DefinedOrUnknownSVal extentMatchesSize =
1290  svalBuilder.evalEQ(State, Extent, *DefinedSize);
1291 
1292  State = State->assume(extentMatchesSize, true);
1293  assert(State);
1294  }
1295 
1296  return MallocUpdateRefState(C, CE, State, Family);
1297 }
1298 
1299 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
1300  const Expr *E,
1301  ProgramStateRef State,
1302  AllocationFamily Family,
1303  Optional<SVal> RetVal) {
1304  if (!State)
1305  return nullptr;
1306 
1307  // Get the return value.
1308  if (!RetVal)
1309  RetVal = C.getSVal(E);
1310 
1311  // We expect the malloc functions to return a pointer.
1312  if (!RetVal->getAs<Loc>())
1313  return nullptr;
1314 
1315  SymbolRef Sym = RetVal->getAsLocSymbol();
1316  // This is a return value of a function that was not inlined, such as malloc()
1317  // or new(). We've checked that in the caller. Therefore, it must be a symbol.
1318  assert(Sym);
1319 
1320  // Set the symbol's state to Allocated.
1321  return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1322 }
1323 
1324 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1325  const CallExpr *CE,
1326  const OwnershipAttr *Att,
1327  ProgramStateRef State) const {
1328  if (!State)
1329  return nullptr;
1330 
1331  if (Att->getModule() != II_malloc)
1332  return nullptr;
1333 
1334  bool ReleasedAllocated = false;
1335 
1336  for (const auto &Arg : Att->args()) {
1337  ProgramStateRef StateI = FreeMemAux(
1338  C, CE, State, Arg.getASTIndex(),
1339  Att->getOwnKind() == OwnershipAttr::Holds, ReleasedAllocated);
1340  if (StateI)
1341  State = StateI;
1342  }
1343  return State;
1344 }
1345 
1346 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1347  const CallExpr *CE,
1348  ProgramStateRef State,
1349  unsigned Num,
1350  bool Hold,
1351  bool &ReleasedAllocated,
1352  bool ReturnsNullOnFailure) const {
1353  if (!State)
1354  return nullptr;
1355 
1356  if (CE->getNumArgs() < (Num + 1))
1357  return nullptr;
1358 
1359  return FreeMemAux(C, CE->getArg(Num), CE, State, Hold,
1360  ReleasedAllocated, ReturnsNullOnFailure);
1361 }
1362 
1363 /// Checks if the previous call to free on the given symbol failed - if free
1364 /// failed, returns true. Also, returns the corresponding return value symbol.
1366  SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1367  const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
1368  if (Ret) {
1369  assert(*Ret && "We should not store the null return symbol");
1370  ConstraintManager &CMgr = State->getConstraintManager();
1371  ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
1372  RetStatusSymbol = *Ret;
1373  return FreeFailed.isConstrainedTrue();
1374  }
1375  return false;
1376 }
1377 
1378 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C,
1379  const Stmt *S) const {
1380  if (!S)
1381  return AF_None;
1382 
1383  if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
1384  const FunctionDecl *FD = C.getCalleeDecl(CE);
1385 
1386  if (!FD)
1387  FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl());
1388 
1389  ASTContext &Ctx = C.getASTContext();
1390 
1391  if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any))
1392  return AF_Malloc;
1393 
1394  if (isStandardNewDelete(FD, Ctx)) {
1396  if (Kind == OO_New || Kind == OO_Delete)
1397  return AF_CXXNew;
1398  else if (Kind == OO_Array_New || Kind == OO_Array_Delete)
1399  return AF_CXXNewArray;
1400  }
1401 
1402  if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
1403  return AF_IfNameIndex;
1404 
1405  if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any))
1406  return AF_Alloca;
1407 
1408  return AF_None;
1409  }
1410 
1411  if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S))
1412  return NE->isArray() ? AF_CXXNewArray : AF_CXXNew;
1413 
1414  if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S))
1415  return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew;
1416 
1417  if (isa<ObjCMessageExpr>(S))
1418  return AF_Malloc;
1419 
1420  return AF_None;
1421 }
1422 
1423 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C,
1424  const Expr *E) const {
1425  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
1426  // FIXME: This doesn't handle indirect calls.
1427  const FunctionDecl *FD = CE->getDirectCallee();
1428  if (!FD)
1429  return false;
1430 
1431  os << *FD;
1432  if (!FD->isOverloadedOperator())
1433  os << "()";
1434  return true;
1435  }
1436 
1437  if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) {
1438  if (Msg->isInstanceMessage())
1439  os << "-";
1440  else
1441  os << "+";
1442  Msg->getSelector().print(os);
1443  return true;
1444  }
1445 
1446  if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
1447  os << "'"
1449  << "'";
1450  return true;
1451  }
1452 
1453  if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) {
1454  os << "'"
1456  << "'";
1457  return true;
1458  }
1459 
1460  return false;
1461 }
1462 
1463 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C,
1464  const Expr *E) const {
1465  AllocationFamily Family = getAllocationFamily(C, E);
1466 
1467  switch(Family) {
1468  case AF_Malloc: os << "malloc()"; return;
1469  case AF_CXXNew: os << "'new'"; return;
1470  case AF_CXXNewArray: os << "'new[]'"; return;
1471  case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1472  case AF_InternalBuffer: os << "container-specific allocator"; return;
1473  case AF_Alloca:
1474  case AF_None: llvm_unreachable("not a deallocation expression");
1475  }
1476 }
1477 
1478 void MallocChecker::printExpectedDeallocName(raw_ostream &os,
1479  AllocationFamily Family) const {
1480  switch(Family) {
1481  case AF_Malloc: os << "free()"; return;
1482  case AF_CXXNew: os << "'delete'"; return;
1483  case AF_CXXNewArray: os << "'delete[]'"; return;
1484  case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1485  case AF_InternalBuffer: os << "container-specific deallocator"; return;
1486  case AF_Alloca:
1487  case AF_None: llvm_unreachable("suspicious argument");
1488  }
1489 }
1490 
1491 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1492  const Expr *ArgExpr,
1493  const Expr *ParentExpr,
1494  ProgramStateRef State,
1495  bool Hold,
1496  bool &ReleasedAllocated,
1497  bool ReturnsNullOnFailure) const {
1498 
1499  if (!State)
1500  return nullptr;
1501 
1502  SVal ArgVal = C.getSVal(ArgExpr);
1503  if (!ArgVal.getAs<DefinedOrUnknownSVal>())
1504  return nullptr;
1505  DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1506 
1507  // Check for null dereferences.
1508  if (!location.getAs<Loc>())
1509  return nullptr;
1510 
1511  // The explicit NULL case, no operation is performed.
1512  ProgramStateRef notNullState, nullState;
1513  std::tie(notNullState, nullState) = State->assume(location);
1514  if (nullState && !notNullState)
1515  return nullptr;
1516 
1517  // Unknown values could easily be okay
1518  // Undefined values are handled elsewhere
1519  if (ArgVal.isUnknownOrUndef())
1520  return nullptr;
1521 
1522  const MemRegion *R = ArgVal.getAsRegion();
1523 
1524  // Nonlocs can't be freed, of course.
1525  // Non-region locations (labels and fixed addresses) also shouldn't be freed.
1526  if (!R) {
1527  ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1528  return nullptr;
1529  }
1530 
1531  R = R->StripCasts();
1532 
1533  // Blocks might show up as heap data, but should not be free()d
1534  if (isa<BlockDataRegion>(R)) {
1535  ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1536  return nullptr;
1537  }
1538 
1539  const MemSpaceRegion *MS = R->getMemorySpace();
1540 
1541  // Parameters, locals, statics, globals, and memory returned by
1542  // __builtin_alloca() shouldn't be freed.
1543  if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {
1544  // FIXME: at the time this code was written, malloc() regions were
1545  // represented by conjured symbols, which are all in UnknownSpaceRegion.
1546  // This means that there isn't actually anything from HeapSpaceRegion
1547  // that should be freed, even though we allow it here.
1548  // Of course, free() can work on memory allocated outside the current
1549  // function, so UnknownSpaceRegion is always a possibility.
1550  // False negatives are better than false positives.
1551 
1552  if (isa<AllocaRegion>(R))
1553  ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1554  else
1555  ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1556 
1557  return nullptr;
1558  }
1559 
1560  const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
1561  // Various cases could lead to non-symbol values here.
1562  // For now, ignore them.
1563  if (!SrBase)
1564  return nullptr;
1565 
1566  SymbolRef SymBase = SrBase->getSymbol();
1567  const RefState *RsBase = State->get<RegionState>(SymBase);
1568  SymbolRef PreviousRetStatusSymbol = nullptr;
1569 
1570  if (RsBase) {
1571 
1572  // Memory returned by alloca() shouldn't be freed.
1573  if (RsBase->getAllocationFamily() == AF_Alloca) {
1574  ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1575  return nullptr;
1576  }
1577 
1578  // Check for double free first.
1579  if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
1580  !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
1581  ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
1582  SymBase, PreviousRetStatusSymbol);
1583  return nullptr;
1584 
1585  // If the pointer is allocated or escaped, but we are now trying to free it,
1586  // check that the call to free is proper.
1587  } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
1588  RsBase->isEscaped()) {
1589 
1590  // Check if an expected deallocation function matches the real one.
1591  bool DeallocMatchesAlloc =
1592  RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr);
1593  if (!DeallocMatchesAlloc) {
1594  ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
1595  ParentExpr, RsBase, SymBase, Hold);
1596  return nullptr;
1597  }
1598 
1599  // Check if the memory location being freed is the actual location
1600  // allocated, or an offset.
1602  if (Offset.isValid() &&
1603  !Offset.hasSymbolicOffset() &&
1604  Offset.getOffset() != 0) {
1605  const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
1606  ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1607  AllocExpr);
1608  return nullptr;
1609  }
1610  }
1611  }
1612 
1613  if (SymBase->getType()->isFunctionPointerType()) {
1614  ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1615  return nullptr;
1616  }
1617 
1618  ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() ||
1619  RsBase->isAllocatedOfSizeZero());
1620 
1621  // Clean out the info on previous call to free return info.
1622  State = State->remove<FreeReturnValue>(SymBase);
1623 
1624  // Keep track of the return value. If it is NULL, we will know that free
1625  // failed.
1626  if (ReturnsNullOnFailure) {
1627  SVal RetVal = C.getSVal(ParentExpr);
1628  SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
1629  if (RetStatusSymbol) {
1630  C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
1631  State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
1632  }
1633  }
1634 
1635  AllocationFamily Family = RsBase ? RsBase->getAllocationFamily()
1636  : getAllocationFamily(C, ParentExpr);
1637  // Normal free.
1638  if (Hold)
1639  return State->set<RegionState>(SymBase,
1640  RefState::getRelinquished(Family,
1641  ParentExpr));
1642 
1643  return State->set<RegionState>(SymBase,
1644  RefState::getReleased(Family, ParentExpr));
1645 }
1646 
1648 MallocChecker::getCheckIfTracked(AllocationFamily Family,
1649  bool IsALeakCheck) const {
1650  switch (Family) {
1651  case AF_Malloc:
1652  case AF_Alloca:
1653  case AF_IfNameIndex: {
1654  if (ChecksEnabled[CK_MallocChecker])
1655  return CK_MallocChecker;
1656 
1658  }
1659  case AF_CXXNew:
1660  case AF_CXXNewArray:
1661  // FIXME: Add new CheckKind for AF_InternalBuffer.
1662  case AF_InternalBuffer: {
1663  if (IsALeakCheck) {
1664  if (ChecksEnabled[CK_NewDeleteLeaksChecker])
1665  return CK_NewDeleteLeaksChecker;
1666  }
1667  else {
1668  if (ChecksEnabled[CK_NewDeleteChecker])
1669  return CK_NewDeleteChecker;
1670  }
1672  }
1673  case AF_None: {
1674  llvm_unreachable("no family");
1675  }
1676  }
1677  llvm_unreachable("unhandled family");
1678 }
1679 
1681 MallocChecker::getCheckIfTracked(CheckerContext &C,
1682  const Stmt *AllocDeallocStmt,
1683  bool IsALeakCheck) const {
1684  return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt),
1685  IsALeakCheck);
1686 }
1687 
1689 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
1690  bool IsALeakCheck) const {
1691  if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
1692  return CK_MallocChecker;
1693 
1694  const RefState *RS = C.getState()->get<RegionState>(Sym);
1695  assert(RS);
1696  return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
1697 }
1698 
1699 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
1701  os << "an integer (" << IntVal->getValue() << ")";
1702  else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
1703  os << "a constant address (" << ConstAddr->getValue() << ")";
1705  os << "the address of the label '" << Label->getLabel()->getName() << "'";
1706  else
1707  return false;
1708 
1709  return true;
1710 }
1711 
1712 bool MallocChecker::SummarizeRegion(raw_ostream &os,
1713  const MemRegion *MR) {
1714  switch (MR->getKind()) {
1715  case MemRegion::FunctionCodeRegionKind: {
1716  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
1717  if (FD)
1718  os << "the address of the function '" << *FD << '\'';
1719  else
1720  os << "the address of a function";
1721  return true;
1722  }
1723  case MemRegion::BlockCodeRegionKind:
1724  os << "block text";
1725  return true;
1726  case MemRegion::BlockDataRegionKind:
1727  // FIXME: where the block came from?
1728  os << "a block";
1729  return true;
1730  default: {
1731  const MemSpaceRegion *MS = MR->getMemorySpace();
1732 
1733  if (isa<StackLocalsSpaceRegion>(MS)) {
1734  const VarRegion *VR = dyn_cast<VarRegion>(MR);
1735  const VarDecl *VD;
1736  if (VR)
1737  VD = VR->getDecl();
1738  else
1739  VD = nullptr;
1740 
1741  if (VD)
1742  os << "the address of the local variable '" << VD->getName() << "'";
1743  else
1744  os << "the address of a local stack variable";
1745  return true;
1746  }
1747 
1748  if (isa<StackArgumentsSpaceRegion>(MS)) {
1749  const VarRegion *VR = dyn_cast<VarRegion>(MR);
1750  const VarDecl *VD;
1751  if (VR)
1752  VD = VR->getDecl();
1753  else
1754  VD = nullptr;
1755 
1756  if (VD)
1757  os << "the address of the parameter '" << VD->getName() << "'";
1758  else
1759  os << "the address of a parameter";
1760  return true;
1761  }
1762 
1763  if (isa<GlobalsSpaceRegion>(MS)) {
1764  const VarRegion *VR = dyn_cast<VarRegion>(MR);
1765  const VarDecl *VD;
1766  if (VR)
1767  VD = VR->getDecl();
1768  else
1769  VD = nullptr;
1770 
1771  if (VD) {
1772  if (VD->isStaticLocal())
1773  os << "the address of the static variable '" << VD->getName() << "'";
1774  else
1775  os << "the address of the global variable '" << VD->getName() << "'";
1776  } else
1777  os << "the address of a global variable";
1778  return true;
1779  }
1780 
1781  return false;
1782  }
1783  }
1784 }
1785 
1786 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
1788  const Expr *DeallocExpr) const {
1789 
1790  if (!ChecksEnabled[CK_MallocChecker] &&
1791  !ChecksEnabled[CK_NewDeleteChecker])
1792  return;
1793 
1795  getCheckIfTracked(C, DeallocExpr);
1796  if (!CheckKind.hasValue())
1797  return;
1798 
1799  if (ExplodedNode *N = C.generateErrorNode()) {
1800  if (!BT_BadFree[*CheckKind])
1801  BT_BadFree[*CheckKind].reset(new BugType(
1802  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
1803 
1804  SmallString<100> buf;
1805  llvm::raw_svector_ostream os(buf);
1806 
1807  const MemRegion *MR = ArgVal.getAsRegion();
1808  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
1809  MR = ER->getSuperRegion();
1810 
1811  os << "Argument to ";
1812  if (!printAllocDeallocName(os, C, DeallocExpr))
1813  os << "deallocator";
1814 
1815  os << " is ";
1816  bool Summarized = MR ? SummarizeRegion(os, MR)
1817  : SummarizeValue(os, ArgVal);
1818  if (Summarized)
1819  os << ", which is not memory allocated by ";
1820  else
1821  os << "not memory allocated by ";
1822 
1823  printExpectedAllocName(os, C, DeallocExpr);
1824 
1825  auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], os.str(), N);
1826  R->markInteresting(MR);
1827  R->addRange(Range);
1828  C.emitReport(std::move(R));
1829  }
1830 }
1831 
1832 void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
1833  SourceRange Range) const {
1834 
1836 
1837  if (ChecksEnabled[CK_MallocChecker])
1838  CheckKind = CK_MallocChecker;
1839  else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
1840  CheckKind = CK_MismatchedDeallocatorChecker;
1841  else
1842  return;
1843 
1844  if (ExplodedNode *N = C.generateErrorNode()) {
1845  if (!BT_FreeAlloca[*CheckKind])
1846  BT_FreeAlloca[*CheckKind].reset(new BugType(
1847  CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
1848 
1849  auto R = llvm::make_unique<BugReport>(
1850  *BT_FreeAlloca[*CheckKind],
1851  "Memory allocated by alloca() should not be deallocated", N);
1852  R->markInteresting(ArgVal.getAsRegion());
1853  R->addRange(Range);
1854  C.emitReport(std::move(R));
1855  }
1856 }
1857 
1858 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C,
1859  SourceRange Range,
1860  const Expr *DeallocExpr,
1861  const RefState *RS,
1862  SymbolRef Sym,
1863  bool OwnershipTransferred) const {
1864 
1865  if (!ChecksEnabled[CK_MismatchedDeallocatorChecker])
1866  return;
1867 
1868  if (ExplodedNode *N = C.generateErrorNode()) {
1869  if (!BT_MismatchedDealloc)
1870  BT_MismatchedDealloc.reset(
1871  new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
1872  "Bad deallocator", categories::MemoryError));
1873 
1874  SmallString<100> buf;
1875  llvm::raw_svector_ostream os(buf);
1876 
1877  const Expr *AllocExpr = cast<Expr>(RS->getStmt());
1878  SmallString<20> AllocBuf;
1879  llvm::raw_svector_ostream AllocOs(AllocBuf);
1880  SmallString<20> DeallocBuf;
1881  llvm::raw_svector_ostream DeallocOs(DeallocBuf);
1882 
1883  if (OwnershipTransferred) {
1884  if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1885  os << DeallocOs.str() << " cannot";
1886  else
1887  os << "Cannot";
1888 
1889  os << " take ownership of memory";
1890 
1891  if (printAllocDeallocName(AllocOs, C, AllocExpr))
1892  os << " allocated by " << AllocOs.str();
1893  } else {
1894  os << "Memory";
1895  if (printAllocDeallocName(AllocOs, C, AllocExpr))
1896  os << " allocated by " << AllocOs.str();
1897 
1898  os << " should be deallocated by ";
1899  printExpectedDeallocName(os, RS->getAllocationFamily());
1900 
1901  if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1902  os << ", not " << DeallocOs.str();
1903  }
1904 
1905  auto R = llvm::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N);
1906  R->markInteresting(Sym);
1907  R->addRange(Range);
1908  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1909  C.emitReport(std::move(R));
1910  }
1911 }
1912 
1913 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
1914  SourceRange Range, const Expr *DeallocExpr,
1915  const Expr *AllocExpr) const {
1916 
1917 
1918  if (!ChecksEnabled[CK_MallocChecker] &&
1919  !ChecksEnabled[CK_NewDeleteChecker])
1920  return;
1921 
1923  getCheckIfTracked(C, AllocExpr);
1924  if (!CheckKind.hasValue())
1925  return;
1926 
1928  if (!N)
1929  return;
1930 
1931  if (!BT_OffsetFree[*CheckKind])
1932  BT_OffsetFree[*CheckKind].reset(new BugType(
1933  CheckNames[*CheckKind], "Offset free", categories::MemoryError));
1934 
1935  SmallString<100> buf;
1936  llvm::raw_svector_ostream os(buf);
1937  SmallString<20> AllocNameBuf;
1938  llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
1939 
1940  const MemRegion *MR = ArgVal.getAsRegion();
1941  assert(MR && "Only MemRegion based symbols can have offset free errors");
1942 
1944  assert((Offset.isValid() &&
1945  !Offset.hasSymbolicOffset() &&
1946  Offset.getOffset() != 0) &&
1947  "Only symbols with a valid offset can have offset free errors");
1948 
1949  int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
1950 
1951  os << "Argument to ";
1952  if (!printAllocDeallocName(os, C, DeallocExpr))
1953  os << "deallocator";
1954  os << " is offset by "
1955  << offsetBytes
1956  << " "
1957  << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
1958  << " from the start of ";
1959  if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr))
1960  os << "memory allocated by " << AllocNameOs.str();
1961  else
1962  os << "allocated memory";
1963 
1964  auto R = llvm::make_unique<BugReport>(*BT_OffsetFree[*CheckKind], os.str(), N);
1965  R->markInteresting(MR->getBaseRegion());
1966  R->addRange(Range);
1967  C.emitReport(std::move(R));
1968 }
1969 
1970 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range,
1971  SymbolRef Sym) const {
1972 
1973  if (!ChecksEnabled[CK_MallocChecker] &&
1974  !ChecksEnabled[CK_NewDeleteChecker])
1975  return;
1976 
1977  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
1978  if (!CheckKind.hasValue())
1979  return;
1980 
1981  if (ExplodedNode *N = C.generateErrorNode()) {
1982  if (!BT_UseFree[*CheckKind])
1983  BT_UseFree[*CheckKind].reset(new BugType(
1984  CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
1985 
1986  auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind],
1987  "Use of memory after it is freed", N);
1988 
1989  R->markInteresting(Sym);
1990  R->addRange(Range);
1991  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1992  C.emitReport(std::move(R));
1993  }
1994 }
1995 
1996 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range,
1997  bool Released, SymbolRef Sym,
1998  SymbolRef PrevSym) const {
1999 
2000  if (!ChecksEnabled[CK_MallocChecker] &&
2001  !ChecksEnabled[CK_NewDeleteChecker])
2002  return;
2003 
2004  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2005  if (!CheckKind.hasValue())
2006  return;
2007 
2008  if (ExplodedNode *N = C.generateErrorNode()) {
2009  if (!BT_DoubleFree[*CheckKind])
2010  BT_DoubleFree[*CheckKind].reset(new BugType(
2011  CheckNames[*CheckKind], "Double free", categories::MemoryError));
2012 
2013  auto R = llvm::make_unique<BugReport>(
2014  *BT_DoubleFree[*CheckKind],
2015  (Released ? "Attempt to free released memory"
2016  : "Attempt to free non-owned memory"),
2017  N);
2018  R->addRange(Range);
2019  R->markInteresting(Sym);
2020  if (PrevSym)
2021  R->markInteresting(PrevSym);
2022  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2023  C.emitReport(std::move(R));
2024  }
2025 }
2026 
2027 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2028 
2029  if (!ChecksEnabled[CK_NewDeleteChecker])
2030  return;
2031 
2032  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2033  if (!CheckKind.hasValue())
2034  return;
2035 
2036  if (ExplodedNode *N = C.generateErrorNode()) {
2037  if (!BT_DoubleDelete)
2038  BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
2039  "Double delete",
2041 
2042  auto R = llvm::make_unique<BugReport>(
2043  *BT_DoubleDelete, "Attempt to delete released memory", N);
2044 
2045  R->markInteresting(Sym);
2046  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2047  C.emitReport(std::move(R));
2048  }
2049 }
2050 
2051 void MallocChecker::ReportUseZeroAllocated(CheckerContext &C,
2052  SourceRange Range,
2053  SymbolRef Sym) const {
2054 
2055  if (!ChecksEnabled[CK_MallocChecker] &&
2056  !ChecksEnabled[CK_NewDeleteChecker])
2057  return;
2058 
2059  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2060 
2061  if (!CheckKind.hasValue())
2062  return;
2063 
2064  if (ExplodedNode *N = C.generateErrorNode()) {
2065  if (!BT_UseZerroAllocated[*CheckKind])
2066  BT_UseZerroAllocated[*CheckKind].reset(
2067  new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2069 
2070  auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind],
2071  "Use of zero-allocated memory", N);
2072 
2073  R->addRange(Range);
2074  if (Sym) {
2075  R->markInteresting(Sym);
2076  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2077  }
2078  C.emitReport(std::move(R));
2079  }
2080 }
2081 
2082 void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
2083  SourceRange Range,
2084  const Expr *FreeExpr) const {
2085  if (!ChecksEnabled[CK_MallocChecker])
2086  return;
2087 
2088  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr);
2089  if (!CheckKind.hasValue())
2090  return;
2091 
2092  if (ExplodedNode *N = C.generateErrorNode()) {
2093  if (!BT_BadFree[*CheckKind])
2094  BT_BadFree[*CheckKind].reset(new BugType(
2095  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2096 
2097  SmallString<100> Buf;
2098  llvm::raw_svector_ostream Os(Buf);
2099 
2100  const MemRegion *MR = ArgVal.getAsRegion();
2101  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2102  MR = ER->getSuperRegion();
2103 
2104  Os << "Argument to ";
2105  if (!printAllocDeallocName(Os, C, FreeExpr))
2106  Os << "deallocator";
2107 
2108  Os << " is a function pointer";
2109 
2110  auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], Os.str(), N);
2111  R->markInteresting(MR);
2112  R->addRange(Range);
2113  C.emitReport(std::move(R));
2114  }
2115 }
2116 
2117 ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C,
2118  const CallExpr *CE,
2119  bool FreesOnFail,
2120  ProgramStateRef State,
2121  bool SuffixWithN) const {
2122  if (!State)
2123  return nullptr;
2124 
2125  if (SuffixWithN && CE->getNumArgs() < 3)
2126  return nullptr;
2127  else if (CE->getNumArgs() < 2)
2128  return nullptr;
2129 
2130  const Expr *arg0Expr = CE->getArg(0);
2131  SVal Arg0Val = C.getSVal(arg0Expr);
2132  if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
2133  return nullptr;
2134  DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2135 
2136  SValBuilder &svalBuilder = C.getSValBuilder();
2137 
2138  DefinedOrUnknownSVal PtrEQ =
2139  svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());
2140 
2141  // Get the size argument.
2142  const Expr *Arg1 = CE->getArg(1);
2143 
2144  // Get the value of the size argument.
2145  SVal TotalSize = C.getSVal(Arg1);
2146  if (SuffixWithN)
2147  TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
2148  if (!TotalSize.getAs<DefinedOrUnknownSVal>())
2149  return nullptr;
2150 
2151  // Compare the size argument to 0.
2152  DefinedOrUnknownSVal SizeZero =
2153  svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
2154  svalBuilder.makeIntValWithPtrWidth(0, false));
2155 
2156  ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2157  std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
2158  ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2159  std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
2160  // We only assume exceptional states if they are definitely true; if the
2161  // state is under-constrained, assume regular realloc behavior.
2162  bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2163  bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2164 
2165  // If the ptr is NULL and the size is not 0, the call is equivalent to
2166  // malloc(size).
2167  if (PrtIsNull && !SizeIsZero) {
2168  ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize,
2169  UndefinedVal(), StatePtrIsNull);
2170  return stateMalloc;
2171  }
2172 
2173  if (PrtIsNull && SizeIsZero)
2174  return State;
2175 
2176  // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2177  assert(!PrtIsNull);
2178  SymbolRef FromPtr = arg0Val.getAsSymbol();
2179  SVal RetVal = C.getSVal(CE);
2180  SymbolRef ToPtr = RetVal.getAsSymbol();
2181  if (!FromPtr || !ToPtr)
2182  return nullptr;
2183 
2184  bool ReleasedAllocated = false;
2185 
2186  // If the size is 0, free the memory.
2187  if (SizeIsZero)
2188  if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0,
2189  false, ReleasedAllocated)){
2190  // The semantics of the return value are:
2191  // If size was equal to 0, either NULL or a pointer suitable to be passed
2192  // to free() is returned. We just free the input pointer and do not add
2193  // any constrains on the output pointer.
2194  return stateFree;
2195  }
2196 
2197  // Default behavior.
2198  if (ProgramStateRef stateFree =
2199  FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) {
2200 
2201  ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize,
2202  UnknownVal(), stateFree);
2203  if (!stateRealloc)
2204  return nullptr;
2205 
2206  ReallocPairKind Kind = RPToBeFreedAfterFailure;
2207  if (FreesOnFail)
2208  Kind = RPIsFreeOnFailure;
2209  else if (!ReleasedAllocated)
2210  Kind = RPDoNotTrackAfterFailure;
2211 
2212  // Record the info about the reallocated symbol so that we could properly
2213  // process failed reallocation.
2214  stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
2215  ReallocPair(FromPtr, Kind));
2216  // The reallocated symbol should stay alive for as long as the new symbol.
2217  C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
2218  return stateRealloc;
2219  }
2220  return nullptr;
2221 }
2222 
2223 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE,
2224  ProgramStateRef State) {
2225  if (!State)
2226  return nullptr;
2227 
2228  if (CE->getNumArgs() < 2)
2229  return nullptr;
2230 
2231  SValBuilder &svalBuilder = C.getSValBuilder();
2232  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
2233  SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
2234 
2235  return MallocMemAux(C, CE, TotalSize, zeroVal, State);
2236 }
2237 
2238 LeakInfo
2239 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
2240  CheckerContext &C) const {
2241  const LocationContext *LeakContext = N->getLocationContext();
2242  // Walk the ExplodedGraph backwards and find the first node that referred to
2243  // the tracked symbol.
2244  const ExplodedNode *AllocNode = N;
2245  const MemRegion *ReferenceRegion = nullptr;
2246 
2247  while (N) {
2248  ProgramStateRef State = N->getState();
2249  if (!State->get<RegionState>(Sym))
2250  break;
2251 
2252  // Find the most recent expression bound to the symbol in the current
2253  // context.
2254  if (!ReferenceRegion) {
2255  if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2256  SVal Val = State->getSVal(MR);
2257  if (Val.getAsLocSymbol() == Sym) {
2258  const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>();
2259  // Do not show local variables belonging to a function other than
2260  // where the error is reported.
2261  if (!VR ||
2262  (VR->getStackFrame() == LeakContext->getCurrentStackFrame()))
2263  ReferenceRegion = MR;
2264  }
2265  }
2266  }
2267 
2268  // Allocation node, is the last node in the current or parent context in
2269  // which the symbol was tracked.
2270  const LocationContext *NContext = N->getLocationContext();
2271  if (NContext == LeakContext ||
2272  NContext->isParentOf(LeakContext))
2273  AllocNode = N;
2274  N = N->pred_empty() ? nullptr : *(N->pred_begin());
2275  }
2276 
2277  return LeakInfo(AllocNode, ReferenceRegion);
2278 }
2279 
2280 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
2281  CheckerContext &C) const {
2282 
2283  if (!ChecksEnabled[CK_MallocChecker] &&
2284  !ChecksEnabled[CK_NewDeleteLeaksChecker])
2285  return;
2286 
2287  const RefState *RS = C.getState()->get<RegionState>(Sym);
2288  assert(RS && "cannot leak an untracked symbol");
2289  AllocationFamily Family = RS->getAllocationFamily();
2290 
2291  if (Family == AF_Alloca)
2292  return;
2293 
2295  CheckKind = getCheckIfTracked(Family, true);
2296 
2297  if (!CheckKind.hasValue())
2298  return;
2299 
2300  assert(N);
2301  if (!BT_Leak[*CheckKind]) {
2302  BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak",
2304  // Leaks should not be reported if they are post-dominated by a sink:
2305  // (1) Sinks are higher importance bugs.
2306  // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2307  // with __noreturn functions such as assert() or exit(). We choose not
2308  // to report leaks on such paths.
2309  BT_Leak[*CheckKind]->setSuppressOnSink(true);
2310  }
2311 
2312  // Most bug reports are cached at the location where they occurred.
2313  // With leaks, we want to unique them by the location where they were
2314  // allocated, and only report a single path.
2315  PathDiagnosticLocation LocUsedForUniqueing;
2316  const ExplodedNode *AllocNode = nullptr;
2317  const MemRegion *Region = nullptr;
2318  std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
2319 
2320  const Stmt *AllocationStmt = PathDiagnosticLocation::getStmt(AllocNode);
2321  if (AllocationStmt)
2322  LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
2323  C.getSourceManager(),
2324  AllocNode->getLocationContext());
2325 
2326  SmallString<200> buf;
2327  llvm::raw_svector_ostream os(buf);
2328  if (Region && Region->canPrintPretty()) {
2329  os << "Potential leak of memory pointed to by ";
2330  Region->printPretty(os);
2331  } else {
2332  os << "Potential memory leak";
2333  }
2334 
2335  auto R = llvm::make_unique<BugReport>(
2336  *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
2337  AllocNode->getLocationContext()->getDecl());
2338  R->markInteresting(Sym);
2339  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true));
2340  C.emitReport(std::move(R));
2341 }
2342 
2343 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2344  CheckerContext &C) const
2345 {
2346  if (!SymReaper.hasDeadSymbols())
2347  return;
2348 
2350  RegionStateTy RS = state->get<RegionState>();
2351  RegionStateTy::Factory &F = state->get_context<RegionState>();
2352 
2354  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2355  if (SymReaper.isDead(I->first)) {
2356  if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero())
2357  Errors.push_back(I->first);
2358  // Remove the dead symbol from the map.
2359  RS = F.remove(RS, I->first);
2360 
2361  }
2362  }
2363 
2364  // Cleanup the Realloc Pairs Map.
2365  ReallocPairsTy RP = state->get<ReallocPairs>();
2366  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2367  if (SymReaper.isDead(I->first) ||
2368  SymReaper.isDead(I->second.ReallocatedSym)) {
2369  state = state->remove<ReallocPairs>(I->first);
2370  }
2371  }
2372 
2373  // Cleanup the FreeReturnValue Map.
2374  FreeReturnValueTy FR = state->get<FreeReturnValue>();
2375  for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
2376  if (SymReaper.isDead(I->first) ||
2377  SymReaper.isDead(I->second)) {
2378  state = state->remove<FreeReturnValue>(I->first);
2379  }
2380  }
2381 
2382  // Generate leak node.
2383  ExplodedNode *N = C.getPredecessor();
2384  if (!Errors.empty()) {
2385  static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2386  N = C.generateNonFatalErrorNode(C.getState(), &Tag);
2387  if (N) {
2389  I = Errors.begin(), E = Errors.end(); I != E; ++I) {
2390  reportLeak(*I, N, C);
2391  }
2392  }
2393  }
2394 
2395  C.addTransition(state->set<RegionState>(RS), N);
2396 }
2397 
2398 void MallocChecker::checkPreCall(const CallEvent &Call,
2399  CheckerContext &C) const {
2400 
2401  if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) {
2402  SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2403  if (!Sym || checkDoubleDelete(Sym, C))
2404  return;
2405  }
2406 
2407  // We will check for double free in the post visit.
2408  if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
2409  const FunctionDecl *FD = FC->getDecl();
2410  if (!FD)
2411  return;
2412 
2413  ASTContext &Ctx = C.getASTContext();
2414  if (ChecksEnabled[CK_MallocChecker] &&
2415  (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) ||
2416  isCMemFunction(FD, Ctx, AF_IfNameIndex,
2417  MemoryOperationKind::MOK_Free)))
2418  return;
2419 
2420  if (ChecksEnabled[CK_NewDeleteChecker] &&
2421  isStandardNewDelete(FD, Ctx))
2422  return;
2423  }
2424 
2425  // Check if the callee of a method is deleted.
2426  if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
2427  SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2428  if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2429  return;
2430  }
2431 
2432  // Check arguments for being used after free.
2433  for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2434  SVal ArgSVal = Call.getArgSVal(I);
2435  if (ArgSVal.getAs<Loc>()) {
2436  SymbolRef Sym = ArgSVal.getAsSymbol();
2437  if (!Sym)
2438  continue;
2439  if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
2440  return;
2441  }
2442  }
2443 }
2444 
2445 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const {
2446  const Expr *E = S->getRetValue();
2447  if (!E)
2448  return;
2449 
2450  // Check if we are returning a symbol.
2451  ProgramStateRef State = C.getState();
2452  SVal RetVal = C.getSVal(E);
2453  SymbolRef Sym = RetVal.getAsSymbol();
2454  if (!Sym)
2455  // If we are returning a field of the allocated struct or an array element,
2456  // the callee could still free the memory.
2457  // TODO: This logic should be a part of generic symbol escape callback.
2458  if (const MemRegion *MR = RetVal.getAsRegion())
2459  if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR))
2460  if (const SymbolicRegion *BMR =
2461  dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
2462  Sym = BMR->getSymbol();
2463 
2464  // Check if we are returning freed memory.
2465  if (Sym)
2466  checkUseAfterFree(Sym, C, E);
2467 }
2468 
2469 // TODO: Blocks should be either inlined or should call invalidate regions
2470 // upon invocation. After that's in place, special casing here will not be
2471 // needed.
2472 void MallocChecker::checkPostStmt(const BlockExpr *BE,
2473  CheckerContext &C) const {
2474 
2475  // Scan the BlockDecRefExprs for any object the retain count checker
2476  // may be tracking.
2477  if (!BE->getBlockDecl()->hasCaptures())
2478  return;
2479 
2481  const BlockDataRegion *R =
2482  cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());
2483 
2485  E = R->referenced_vars_end();
2486 
2487  if (I == E)
2488  return;
2489 
2491  const LocationContext *LC = C.getLocationContext();
2493 
2494  for ( ; I != E; ++I) {
2495  const VarRegion *VR = I.getCapturedRegion();
2496  if (VR->getSuperRegion() == R) {
2497  VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2498  }
2499  Regions.push_back(VR);
2500  }
2501 
2502  state =
2503  state->scanReachableSymbols<StopTrackingCallback>(Regions.data(),
2504  Regions.data() + Regions.size()).getState();
2505  C.addTransition(state);
2506 }
2507 
2508 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const {
2509  assert(Sym);
2510  const RefState *RS = C.getState()->get<RegionState>(Sym);
2511  return (RS && RS->isReleased());
2512 }
2513 
2514 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
2515  const Stmt *S) const {
2516 
2517  if (isReleased(Sym, C)) {
2518  ReportUseAfterFree(C, S->getSourceRange(), Sym);
2519  return true;
2520  }
2521 
2522  return false;
2523 }
2524 
2525 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
2526  const Stmt *S) const {
2527  assert(Sym);
2528 
2529  if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
2530  if (RS->isAllocatedOfSizeZero())
2531  ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym);
2532  }
2533  else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
2534  ReportUseZeroAllocated(C, S->getSourceRange(), Sym);
2535  }
2536 }
2537 
2538 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
2539 
2540  if (isReleased(Sym, C)) {
2541  ReportDoubleDelete(C, Sym);
2542  return true;
2543  }
2544  return false;
2545 }
2546 
2547 // Check if the location is a freed symbolic region.
2548 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
2549  CheckerContext &C) const {
2550  SymbolRef Sym = l.getLocSymbolInBase();
2551  if (Sym) {
2552  checkUseAfterFree(Sym, C, S);
2553  checkUseZeroAllocated(Sym, C, S);
2554  }
2555 }
2556 
2557 // If a symbolic region is assumed to NULL (or another constant), stop tracking
2558 // it - assuming that allocation failed on this path.
2559 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
2560  SVal Cond,
2561  bool Assumption) const {
2562  RegionStateTy RS = state->get<RegionState>();
2563  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2564  // If the symbol is assumed to be NULL, remove it from consideration.
2565  ConstraintManager &CMgr = state->getConstraintManager();
2566  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2567  if (AllocFailed.isConstrainedTrue())
2568  state = state->remove<RegionState>(I.getKey());
2569  }
2570 
2571  // Realloc returns 0 when reallocation fails, which means that we should
2572  // restore the state of the pointer being reallocated.
2573  ReallocPairsTy RP = state->get<ReallocPairs>();
2574  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2575  // If the symbol is assumed to be NULL, remove it from consideration.
2576  ConstraintManager &CMgr = state->getConstraintManager();
2577  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2578  if (!AllocFailed.isConstrainedTrue())
2579  continue;
2580 
2581  SymbolRef ReallocSym = I.getData().ReallocatedSym;
2582  if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
2583  if (RS->isReleased()) {
2584  if (I.getData().Kind == RPToBeFreedAfterFailure)
2585  state = state->set<RegionState>(ReallocSym,
2586  RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt()));
2587  else if (I.getData().Kind == RPDoNotTrackAfterFailure)
2588  state = state->remove<RegionState>(ReallocSym);
2589  else
2590  assert(I.getData().Kind == RPIsFreeOnFailure);
2591  }
2592  }
2593  state = state->remove<ReallocPairs>(I.getKey());
2594  }
2595 
2596  return state;
2597 }
2598 
2599 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
2600  const CallEvent *Call,
2601  ProgramStateRef State,
2602  SymbolRef &EscapingSymbol) const {
2603  assert(Call);
2604  EscapingSymbol = nullptr;
2605 
2606  // For now, assume that any C++ or block call can free memory.
2607  // TODO: If we want to be more optimistic here, we'll need to make sure that
2608  // regions escape to C++ containers. They seem to do that even now, but for
2609  // mysterious reasons.
2610  if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call)))
2611  return true;
2612 
2613  // Check Objective-C messages by selector name.
2614  if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
2615  // If it's not a framework call, or if it takes a callback, assume it
2616  // can free memory.
2617  if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
2618  return true;
2619 
2620  // If it's a method we know about, handle it explicitly post-call.
2621  // This should happen before the "freeWhenDone" check below.
2622  if (isKnownDeallocObjCMethodName(*Msg))
2623  return false;
2624 
2625  // If there's a "freeWhenDone" parameter, but the method isn't one we know
2626  // about, we can't be sure that the object will use free() to deallocate the
2627  // memory, so we can't model it explicitly. The best we can do is use it to
2628  // decide whether the pointer escapes.
2629  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
2630  return *FreeWhenDone;
2631 
2632  // If the first selector piece ends with "NoCopy", and there is no
2633  // "freeWhenDone" parameter set to zero, we know ownership is being
2634  // transferred. Again, though, we can't be sure that the object will use
2635  // free() to deallocate the memory, so we can't model it explicitly.
2636  StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
2637  if (FirstSlot.endswith("NoCopy"))
2638  return true;
2639 
2640  // If the first selector starts with addPointer, insertPointer,
2641  // or replacePointer, assume we are dealing with NSPointerArray or similar.
2642  // This is similar to C++ containers (vector); we still might want to check
2643  // that the pointers get freed by following the container itself.
2644  if (FirstSlot.startswith("addPointer") ||
2645  FirstSlot.startswith("insertPointer") ||
2646  FirstSlot.startswith("replacePointer") ||
2647  FirstSlot.equals("valueWithPointer")) {
2648  return true;
2649  }
2650 
2651  // We should escape receiver on call to 'init'. This is especially relevant
2652  // to the receiver, as the corresponding symbol is usually not referenced
2653  // after the call.
2654  if (Msg->getMethodFamily() == OMF_init) {
2655  EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
2656  return true;
2657  }
2658 
2659  // Otherwise, assume that the method does not free memory.
2660  // Most framework methods do not free memory.
2661  return false;
2662  }
2663 
2664  // At this point the only thing left to handle is straight function calls.
2665  const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
2666  if (!FD)
2667  return true;
2668 
2669  ASTContext &ASTC = State->getStateManager().getContext();
2670 
2671  // If it's one of the allocation functions we can reason about, we model
2672  // its behavior explicitly.
2673  if (isMemFunction(FD, ASTC))
2674  return false;
2675 
2676  // If it's not a system call, assume it frees memory.
2677  if (!Call->isInSystemHeader())
2678  return true;
2679 
2680  // White list the system functions whose arguments escape.
2681  const IdentifierInfo *II = FD->getIdentifier();
2682  if (!II)
2683  return true;
2684  StringRef FName = II->getName();
2685 
2686  // White list the 'XXXNoCopy' CoreFoundation functions.
2687  // We specifically check these before
2688  if (FName.endswith("NoCopy")) {
2689  // Look for the deallocator argument. We know that the memory ownership
2690  // is not transferred only if the deallocator argument is
2691  // 'kCFAllocatorNull'.
2692  for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
2693  const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
2694  if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
2695  StringRef DeallocatorName = DE->getFoundDecl()->getName();
2696  if (DeallocatorName == "kCFAllocatorNull")
2697  return false;
2698  }
2699  }
2700  return true;
2701  }
2702 
2703  // Associating streams with malloced buffers. The pointer can escape if
2704  // 'closefn' is specified (and if that function does free memory),
2705  // but it will not if closefn is not specified.
2706  // Currently, we do not inspect the 'closefn' function (PR12101).
2707  if (FName == "funopen")
2708  if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
2709  return false;
2710 
2711  // Do not warn on pointers passed to 'setbuf' when used with std streams,
2712  // these leaks might be intentional when setting the buffer for stdio.
2713  // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
2714  if (FName == "setbuf" || FName =="setbuffer" ||
2715  FName == "setlinebuf" || FName == "setvbuf") {
2716  if (Call->getNumArgs() >= 1) {
2717  const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
2718  if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
2719  if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
2720  if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos)
2721  return true;
2722  }
2723  }
2724 
2725  // A bunch of other functions which either take ownership of a pointer or
2726  // wrap the result up in a struct or object, meaning it can be freed later.
2727  // (See RetainCountChecker.) Not all the parameters here are invalidated,
2728  // but the Malloc checker cannot differentiate between them. The right way
2729  // of doing this would be to implement a pointer escapes callback.
2730  if (FName == "CGBitmapContextCreate" ||
2731  FName == "CGBitmapContextCreateWithData" ||
2732  FName == "CVPixelBufferCreateWithBytes" ||
2733  FName == "CVPixelBufferCreateWithPlanarBytes" ||
2734  FName == "OSAtomicEnqueue") {
2735  return true;
2736  }
2737 
2738  if (FName == "postEvent" &&
2739  FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2740  return true;
2741  }
2742 
2743  if (FName == "postEvent" &&
2744  FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2745  return true;
2746  }
2747 
2748  if (FName == "connectImpl" &&
2749  FD->getQualifiedNameAsString() == "QObject::connectImpl") {
2750  return true;
2751  }
2752 
2753  // Handle cases where we know a buffer's /address/ can escape.
2754  // Note that the above checks handle some special cases where we know that
2755  // even though the address escapes, it's still our responsibility to free the
2756  // buffer.
2757  if (Call->argumentsMayEscape())
2758  return true;
2759 
2760  // Otherwise, assume that the function does not free memory.
2761  // Most system calls do not free the memory.
2762  return false;
2763 }
2764 
2765 static bool retTrue(const RefState *RS) {
2766  return true;
2767 }
2768 
2769 static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
2770  return (RS->getAllocationFamily() == AF_CXXNewArray ||
2771  RS->getAllocationFamily() == AF_CXXNew);
2772 }
2773 
2774 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
2775  const InvalidatedSymbols &Escaped,
2776  const CallEvent *Call,
2777  PointerEscapeKind Kind) const {
2778  return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue);
2779 }
2780 
2781 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
2782  const InvalidatedSymbols &Escaped,
2783  const CallEvent *Call,
2784  PointerEscapeKind Kind) const {
2785  return checkPointerEscapeAux(State, Escaped, Call, Kind,
2787 }
2788 
2789 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State,
2790  const InvalidatedSymbols &Escaped,
2791  const CallEvent *Call,
2793  bool(*CheckRefState)(const RefState*)) const {
2794  // If we know that the call does not free memory, or we want to process the
2795  // call later, keep tracking the top level arguments.
2796  SymbolRef EscapingSymbol = nullptr;
2797  if (Kind == PSK_DirectEscapeOnCall &&
2798  !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
2799  EscapingSymbol) &&
2800  !EscapingSymbol) {
2801  return State;
2802  }
2803 
2804  for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
2805  E = Escaped.end();
2806  I != E; ++I) {
2807  SymbolRef sym = *I;
2808 
2809  if (EscapingSymbol && EscapingSymbol != sym)
2810  continue;
2811 
2812  if (const RefState *RS = State->get<RegionState>(sym)) {
2813  if ((RS->isAllocated() || RS->isAllocatedOfSizeZero()) &&
2814  CheckRefState(RS)) {
2815  State = State->remove<RegionState>(sym);
2816  State = State->set<RegionState>(sym, RefState::getEscaped(RS));
2817  }
2818  }
2819  }
2820  return State;
2821 }
2822 
2824  ProgramStateRef prevState) {
2825  ReallocPairsTy currMap = currState->get<ReallocPairs>();
2826  ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
2827 
2828  for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end();
2829  I != E; ++I) {
2830  SymbolRef sym = I.getKey();
2831  if (!currMap.lookup(sym))
2832  return sym;
2833  }
2834 
2835  return nullptr;
2836 }
2837 
2839  if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
2840  StringRef N = II->getName();
2841  if (N.contains_lower("ptr") || N.contains_lower("pointer")) {
2842  if (N.contains_lower("ref") || N.contains_lower("cnt") ||
2843  N.contains_lower("intrusive") || N.contains_lower("shared")) {
2844  return true;
2845  }
2846  }
2847  }
2848  return false;
2849 }
2850 
2851 std::shared_ptr<PathDiagnosticPiece> MallocChecker::MallocBugVisitor::VisitNode(
2852  const ExplodedNode *N, const ExplodedNode *PrevN, BugReporterContext &BRC,
2853  BugReport &BR) {
2854  const Stmt *S = PathDiagnosticLocation::getStmt(N);
2855  if (!S)
2856  return nullptr;
2857 
2858  const LocationContext *CurrentLC = N->getLocationContext();
2859 
2860  // If we find an atomic fetch_add or fetch_sub within the destructor in which
2861  // the pointer was released (before the release), this is likely a destructor
2862  // of a shared pointer.
2863  // Because we don't model atomics, and also because we don't know that the
2864  // original reference count is positive, we should not report use-after-frees
2865  // on objects deleted in such destructors. This can probably be improved
2866  // through better shared pointer modeling.
2867  if (ReleaseDestructorLC) {
2868  if (const auto *AE = dyn_cast<AtomicExpr>(S)) {
2869  AtomicExpr::AtomicOp Op = AE->getOp();
2870  if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
2871  Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
2872  if (ReleaseDestructorLC == CurrentLC ||
2873  ReleaseDestructorLC->isParentOf(CurrentLC)) {
2874  BR.markInvalid(getTag(), S);
2875  }
2876  }
2877  }
2878  }
2879 
2880  ProgramStateRef state = N->getState();
2881  ProgramStateRef statePrev = PrevN->getState();
2882 
2883  const RefState *RS = state->get<RegionState>(Sym);
2884  const RefState *RSPrev = statePrev->get<RegionState>(Sym);
2885  if (!RS)
2886  return nullptr;
2887 
2888  // FIXME: We will eventually need to handle non-statement-based events
2889  // (__attribute__((cleanup))).
2890 
2891  // Find out if this is an interesting point and what is the kind.
2892  const char *Msg = nullptr;
2893  StackHintGeneratorForSymbol *StackHint = nullptr;
2894  if (Mode == Normal) {
2895  if (isAllocated(RS, RSPrev, S)) {
2896  Msg = "Memory is allocated";
2897  StackHint = new StackHintGeneratorForSymbol(Sym,
2898  "Returned allocated memory");
2899  } else if (isReleased(RS, RSPrev, S)) {
2900  Msg = "Memory is released";
2901  StackHint = new StackHintGeneratorForSymbol(Sym,
2902  "Returning; memory was released");
2903 
2904  // See if we're releasing memory while inlining a destructor
2905  // (or one of its callees). This turns on various common
2906  // false positive suppressions.
2907  bool FoundAnyDestructor = false;
2908  for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
2909  if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
2911  // This immediately looks like a reference-counting destructor.
2912  // We're bad at guessing the original reference count of the object,
2913  // so suppress the report for now.
2914  BR.markInvalid(getTag(), DD);
2915  } else if (!FoundAnyDestructor) {
2916  assert(!ReleaseDestructorLC &&
2917  "There can be only one release point!");
2918  // Suspect that it's a reference counting pointer destructor.
2919  // On one of the next nodes might find out that it has atomic
2920  // reference counting operations within it (see the code above),
2921  // and if so, we'd conclude that it likely is a reference counting
2922  // pointer destructor.
2923  ReleaseDestructorLC = LC->getCurrentStackFrame();
2924  // It is unlikely that releasing memory is delegated to a destructor
2925  // inside a destructor of a shared pointer, because it's fairly hard
2926  // to pass the information that the pointer indeed needs to be
2927  // released into it. So we're only interested in the innermost
2928  // destructor.
2929  FoundAnyDestructor = true;
2930  }
2931  }
2932  }
2933  } else if (isRelinquished(RS, RSPrev, S)) {
2934  Msg = "Memory ownership is transferred";
2935  StackHint = new StackHintGeneratorForSymbol(Sym, "");
2936  } else if (isReallocFailedCheck(RS, RSPrev, S)) {
2937  Mode = ReallocationFailed;
2938  Msg = "Reallocation failed";
2939  StackHint = new StackHintGeneratorForReallocationFailed(Sym,
2940  "Reallocation failed");
2941 
2942  if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
2943  // Is it possible to fail two reallocs WITHOUT testing in between?
2944  assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
2945  "We only support one failed realloc at a time.");
2946  BR.markInteresting(sym);
2947  FailedReallocSymbol = sym;
2948  }
2949  }
2950 
2951  // We are in a special mode if a reallocation failed later in the path.
2952  } else if (Mode == ReallocationFailed) {
2953  assert(FailedReallocSymbol && "No symbol to look for.");
2954 
2955  // Is this is the first appearance of the reallocated symbol?
2956  if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
2957  // We're at the reallocation point.
2958  Msg = "Attempt to reallocate memory";
2959  StackHint = new StackHintGeneratorForSymbol(Sym,
2960  "Returned reallocated memory");
2961  FailedReallocSymbol = nullptr;
2962  Mode = Normal;
2963  }
2964  }
2965 
2966  if (!Msg)
2967  return nullptr;
2968  assert(StackHint);
2969 
2970  // Generate the extra diagnostic.
2972  N->getLocationContext());
2973  return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true, StackHint);
2974 }
2975 
2976 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
2977  const char *NL, const char *Sep) const {
2978 
2979  RegionStateTy RS = State->get<RegionState>();
2980 
2981  if (!RS.isEmpty()) {
2982  Out << Sep << "MallocChecker :" << NL;
2983  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2984  const RefState *RefS = State->get<RegionState>(I.getKey());
2985  AllocationFamily Family = RefS->getAllocationFamily();
2986  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2987  if (!CheckKind.hasValue())
2988  CheckKind = getCheckIfTracked(Family, true);
2989 
2990  I.getKey()->dumpToStream(Out);
2991  Out << " : ";
2992  I.getData().dump(Out);
2993  if (CheckKind.hasValue())
2994  Out << " (" << CheckNames[*CheckKind].getName() << ")";
2995  Out << NL;
2996  }
2997  }
2998 }
2999 
3000 namespace clang {
3001 namespace ento {
3002 namespace allocation_state {
3003 
3005 markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) {
3006  AllocationFamily Family = AF_InternalBuffer;
3007  return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3008 }
3009 
3010 } // end namespace allocation_state
3011 } // end namespace ento
3012 } // end namespace clang
3013 
3014 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) {
3016  MallocChecker *checker = mgr.registerChecker<MallocChecker>();
3017  checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption(
3018  "Optimistic", false, checker);
3019  checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true;
3020  checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] =
3021  mgr.getCurrentCheckName();
3022  // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete
3023  // checker.
3024  if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker]) {
3025  checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true;
3026  // FIXME: This does not set the correct name, but without this workaround
3027  // no name will be set at all.
3028  checker->CheckNames[MallocChecker::CK_NewDeleteChecker] =
3029  mgr.getCurrentCheckName();
3030  }
3031 }
3032 
3033 #define REGISTER_CHECKER(name) \
3034  void ento::register##name(CheckerManager &mgr) { \
3035  registerCStringCheckerBasic(mgr); \
3036  MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \
3037  checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption( \
3038  "Optimistic", false, checker); \
3039  checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3040  checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \
3041  }
3042 
3043 REGISTER_CHECKER(MallocChecker)
3044 REGISTER_CHECKER(NewDeleteChecker)
3045 REGISTER_CHECKER(MismatchedDeallocatorChecker)
const BlockDecl * getBlockDecl() const
Definition: Expr.h:4945
Represents a function declaration or definition.
Definition: Decl.h:1714
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:279
Smart pointer class that efficiently represents Objective-C method names.
QualType getArrayIndexType() const
Definition: SValBuilder.h:165
A (possibly-)qualified type.
Definition: Type.h:655
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:94
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2352
bool hasCaptures() const
True if this block (or its nested blocks) captures anything of local storage from its enclosing scope...
Definition: Decl.h:3960
SymbolRef getLocSymbolInBase() const
Get the symbol in the SVal or its base region.
Definition: SVals.cpp:101
bool operator==(CanQual< T > x, CanQual< U > y)
Stmt - This represents one statement.
Definition: Stmt.h:66
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2340
A helper class which wraps a boolean value set to false by default.
Definition: Checker.h:567
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:460
const llvm::Triple & getTriple() const
Returns the target triple of the primary target.
Definition: TargetInfo.h:935
Defines the SourceManager interface.
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
__DEVICE__ long long abs(long long __n)
StringRef getDescription() const
Definition: BugReporter.h:207
FunctionDecl * getOperatorNew() const
Definition: ExprCXX.h:1945
Constructs a Stack hint for the given symbol.
A Range represents the closed range [from, to].
Represents a call to a C++ constructor.
Definition: ExprCXX.h:1239
const TargetInfo & getTargetInfo() const
Definition: ASTContext.h:672
MemSpaceRegion - A memory region that represents a "memory space"; for example, the set of global var...
Definition: MemRegion.h:194
constexpr XRayInstrMask Function
Definition: XRayInstr.h:39
AnalysisManager & getAnalysisManager()
const ProgramStateRef & getState() const
Represents a C++ constructor within a class.
Definition: DeclCXX.h:2463
Value representing integer constant.
Definition: SVals.h:374
bool isConsumedExpr(Expr *E) const
Definition: ParentMap.cpp:160
Represents a variable declaration or definition.
Definition: Decl.h:812
SymbolRef getAsLocSymbol(bool IncludeBaseRegions=false) const
If this SVal is a location and wraps a symbol, return that SymbolRef.
Definition: SVals.cpp:85
const FunctionDecl * getCalleeDecl(const CallExpr *CE) const
Get the declaration of the called function (path-sensitive).
NonLoc makeArrayIndex(uint64_t idx)
Definition: SValBuilder.h:273
bool isDead(SymbolRef sym) const
Returns whether or not a symbol has been confirmed dead.
ExplodedNode * getPredecessor()
Returns the previous node in the exploded graph, which includes the state of the program before the c...
unsigned getNumPlacementArgs() const
Definition: ExprCXX.h:1959
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
const bool wasInlined
If we are post visiting a call, this flag will be set if the call was inlined.
std::string getName(ArrayRef< StringRef > Parts) const
Get the platform-specific name separator.
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Symbolic value.
Definition: SymExpr.h:30
bool isParentOf(const LocationContext *LC) const
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
const MemRegion * getSuperRegion() const
Definition: MemRegion.h:443
ConditionTruthVal isNull(ProgramStateRef State, SymbolRef Sym)
Convenience method to query the state to see if a symbol is null or not null, or if neither assumptio...
static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call)
One of these records is kept for each identifier that is lexed.
MemRegionManager & getRegionManager()
Definition: SValBuilder.h:175
void print(raw_ostream &Out, unsigned Indentation=0, bool PrintInstantiation=false) const
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:150
LineState State
bool isValid() const
Definition: MemRegion.h:86
This class provides a convenience implementation for clone() using the Curiously-Recurring Template P...
const Expr * getRetValue() const
Definition: Stmt.cpp:928
const CXXConstructExpr * getConstructExpr() const
Returns the CXXConstructExpr from this new-expression, or null.
Definition: ExprCXX.h:1998
void addSymbolDependency(const SymbolRef Primary, const SymbolRef Dependent)
Add artificial symbol dependency.
virtual const Expr * getArgExpr(unsigned Index) const
Returns the expression associated with a given argument.
Definition: CallEvent.h:298
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
virtual DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const
getExtent - Returns the size of the region in bytes.
Definition: MemRegion.h:448
IdentifierTable & Idents
Definition: ASTContext.h:538
ArrayRef< ParmVarDecl * > parameters() const
Definition: Decl.h:2222
static bool isLocType(QualType T)
Definition: SVals.h:327
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
Expr * getArraySize()
Definition: ExprCXX.h:1952
BlockDataRegion - A region that represents a block instance.
Definition: MemRegion.h:668
Represents any expression that calls an Objective-C method.
Definition: CallEvent.h:892
FunctionDecl * getOperatorDelete() const
Definition: ExprCXX.h:2126
CharUnits - This is an opaque type for sizes expressed in character units.
Definition: CharUnits.h:38
uint32_t Offset
Definition: CacheTokens.cpp:43
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
const StackFrameContext * getCurrentStackFrame() const
const LocationContext * getLocationContext() const
const LocationContext * getParent() const
Expr * IgnoreParenCasts() LLVM_READONLY
IgnoreParenCasts - Ignore parentheses and casts.
Definition: Expr.cpp:2500
static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD)
referenced_vars_iterator referenced_vars_end() const
Definition: MemRegion.cpp:1504
Represent a region&#39;s offset within the top level base region.
Definition: MemRegion.h:62
bool isConstant() const
Definition: SVals.cpp:218
const MemSpaceRegion * getMemorySpace() const
Definition: MemRegion.cpp:1094
static bool didPreviousFreeFail(ProgramStateRef State, SymbolRef Sym, SymbolRef &RetStatusSymbol)
Checks if the previous call to free on the given symbol failed - if free failed, returns true...
arg_iterator placement_arg_end()
Definition: ExprCXX.h:2029
virtual QualType getType() const =0
CheckName getCurrentCheckName() const
bool isArrayForm() const
Definition: ExprCXX.h:2115
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:127
bool isConstrainedTrue() const
Return true if the constraint is perfectly constrained to &#39;true&#39;.
Const iterator for iterating over Stmt * arrays that contain only Expr *.
Definition: Stmt.h:357
CXXRecordDecl * getAsCXXRecordDecl() const
Retrieves the CXXRecordDecl that this type refers to, either because the type is a RecordType or beca...
Definition: Type.cpp:1590
OverloadedOperatorKind getOverloadedOperator() const
getOverloadedOperator - Which C++ overloaded operator this function represents, if any...
Definition: Decl.cpp:3225
CXXConstructorDecl * getConstructor() const
Get the constructor that this expression will (ultimately) call.
Definition: ExprCXX.h:1302
Represents a non-static C++ member function call, no matter how it is written.
Definition: CallEvent.h:621
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
QuantityType getQuantity() const
getQuantity - Get the raw integer representation of this quantity.
Definition: CharUnits.h:179
const RegionTy * getAs() const
Definition: MemRegion.h:1180
SymbolicRegion - A special, "non-concrete" region.
Definition: MemRegion.h:759
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing &#39;0&#39; for the specified type.
Definition: SValBuilder.cpp:51
Expr - This represents one expression.
Definition: Expr.h:106
bool isVariadic() const
Whether this function is variadic.
Definition: Decl.cpp:2620
std::string Label
const FunctionProtoType * T
const IdentifierInfo * getBaseTypeIdentifier() const
Retrieves a pointer to the name of the base type.
Definition: Type.cpp:71
Represents an implicit call to a C++ destructor.
Definition: CallEvent.h:737
DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const override
getExtent - Returns the size of the region in bytes.
Definition: MemRegion.cpp:204
static bool retTrue(const RefState *RS)
BlockExpr - Adaptor class for mixing a BlockDecl with expressions.
Definition: Expr.h:4931
Represents a C++ destructor within a class.
Definition: DeclCXX.h:2686
AnalyzerOptions & getAnalyzerOptions() override
The pointer has been passed to a function call directly.
Represents a call to any sort of function that might have a FunctionDecl.
Definition: CallEvent.h:444
bool isInSystemHeader() const
Returns true if the callee is known to be from a system header.
Definition: CallEvent.h:260
StringRef getNameForSlot(unsigned argIndex) const
Retrieve the name at a given position in the selector.
SymbolManager & getSymbolManager()
QualType getType() const
Definition: Expr.h:128
ReturnStmt - This represents a return, optionally of an expression: return; return 4;...
Definition: Stmt.h:1433
An expression that sends a message to the given Objective-C object or class.
Definition: ExprObjC.h:903
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
unsigned getNumArgs() const
void markInteresting(SymbolRef sym)
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:720
bool getBooleanOption(StringRef Name, bool DefaultVal, const ento::CheckerBase *C=nullptr, bool SearchInParents=false)
Interprets an option&#39;s string value as a boolean.
ParentMap & getParentMap() const
const VarDecl * getDecl() const
Definition: MemRegion.h:943
Optional< T > getAs() const
Convert to the specified SVal type, returning None if this SVal is not of the desired type...
Definition: SVals.h:112
virtual bool argumentsMayEscape() const
Returns true if any of the arguments are known to escape to long- term storage, even if this method w...
Definition: CallEvent.h:329
bool hasAttrs() const
Definition: DeclBase.h:472
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
static const Stmt * getStmt(const ExplodedNode *N)
Given an exploded node, retrieve the statement that should be used for the diagnostic location...
Expr * getArgument()
Definition: ExprCXX.h:2128
const MemRegion * StripCasts(bool StripBaseCasts=true) const
Definition: MemRegion.cpp:1152
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Kind getKind() const
Definition: MemRegion.h:165
Kind
CHECKER * registerChecker()
Used to register checkers.
AllocationFamily
SymbolRef getSymbol() const
Definition: MemRegion.h:774
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
virtual bool canPrintPretty() const
Returns true if this region can be printed in a user-friendly way.
Definition: MemRegion.cpp:566
ReallocPairKind
const MemRegion * getAsRegion() const
Definition: SVals.cpp:151
Represents a new-expression for memory allocation and constructor calls, e.g: "new CXXNewExpr(foo)"...
Definition: ExprCXX.h:1845
ASTContext & getContext()
Definition: SValBuilder.h:156
static bool checkIfNewOrNewArrayFamily(const RefState *RS)
QualType getAllocatedType() const
Definition: ExprCXX.h:1919
const ParmVarDecl * getParamDecl(unsigned i) const
Definition: Decl.h:2245
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:76
const StackFrameContext * getStackFrame() const
Definition: MemRegion.cpp:158
bool isArray() const
Definition: ExprCXX.h:1950
A class responsible for cleaning up unused symbols.
static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, ProgramStateRef prevState)
referenced_vars_iterator referenced_vars_begin() const
Definition: MemRegion.cpp:1488
DefinedOrUnknownSVal getConjuredHeapSymbolVal(const Expr *E, const LocationContext *LCtx, unsigned Count)
Conjure a symbol representing heap allocated memory region.
virtual void printPretty(raw_ostream &os) const
Print the region for use in diagnostics.
Definition: MemRegion.cpp:574
static bool treatUnusedNewEscaped(const CXXNewExpr *NE)
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
unsigned blockCount() const
Returns the number of times the current block has been visited along the analyzed path...
StringRef getName() const
Return the actual identifier string.
virtual const ObjCMessageExpr * getOriginExpr() const
Definition: CallEvent.h:916
CanQualType CharTy
Definition: ASTContext.h:999
Selector getSelector() const
Definition: CallEvent.h:940
Dataflow Directional Tag Classes.
Represents a delete expression for memory deallocation and destructor calls, e.g. ...
Definition: ExprCXX.h:2074
OverloadedOperatorKind
Enumeration specifying the different kinds of C++ overloaded operators.
Definition: OperatorKinds.h:22
FunctionDecl * getDirectCallee()
If the callee is a FunctionDecl, return it. Otherwise return 0.
Definition: Expr.cpp:1247
static QualType getDeepPointeeType(QualType T)
const VarRegion * getVarRegion(const VarDecl *D, const LocationContext *LC)
getVarRegion - Retrieve or create the memory region associated with a specified VarDecl and LocationC...
Definition: MemRegion.cpp:819
const CXXRecordDecl * getParent() const
Returns the parent of this method declaration, which is the class in which this method is defined...
Definition: DeclCXX.h:2151
Kind getKind() const
Definition: DeclBase.h:420
SVal evalEQ(ProgramStateRef state, SVal lhs, SVal rhs)
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:164
AnalyzerOptions & getAnalyzerOptions()
const Decl * getDecl() const
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Decl * getCalleeDecl()
Definition: Expr.cpp:1251
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:104
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:431
#define REGISTER_CHECKER(name)
const ProgramStateRef & getState() const
const char * getOperatorSpelling(OverloadedOperatorKind Operator)
Retrieve the spelling of the given overloaded operator, without the preceding "operator" keyword...
uint64_t getCharWidth() const
Return the size of the character type, in bits.
Definition: ASTContext.h:2044
static Optional< bool > getFreeWhenDoneArg(const ObjCMethodCall &Call)
RegionOffset getAsOffset() const
Compute the offset within the top level memory object.
Definition: MemRegion.cpp:1415
ProgramStateRef markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin)
int64_t getOffset() const
Definition: MemRegion.h:81
arg_iterator placement_arg_begin()
Definition: ExprCXX.h:2026
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
Definition: DeclBase.h:518
X
Add a minimal nested name specifier fixit hint to allow lookup of a tag name from an outer enclosing ...
Definition: SemaDecl.cpp:13462
const Expr * getArgExpr(unsigned Index) const override
Definition: CallEvent.h:928
#define CASE(ID)
pred_iterator pred_begin()
SourceManager & getSourceManager()
virtual unsigned getNumArgs() const =0
Returns the number of arguments (explicit and implicit).
static PathDiagnosticLocation createEndOfPath(const ExplodedNode *N, const SourceManager &SM)
Create a location corresponding to the next valid ExplodedNode as end of path location.
void markInvalid(const void *Tag, const void *Data)
Marks the current report as invalid, meaning that it is probably a false positive and should not be r...
Definition: BugReporter.h:253
const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1126
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:266
SValBuilder & getSValBuilder()
Defines the clang::TargetInfo interface.
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2283
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:275
ElementRegin is used to represent both array elements and casts.
Definition: MemRegion.h:1076
std::string getQualifiedNameAsString() const
Definition: Decl.cpp:1500
A reference to a declared variable, function, enum, etc.
Definition: Expr.h:972
static const MemRegion * getLocationRegionIfPostStore(const ExplodedNode *N)
If the given node corresponds to a PostStore program point, retrieve the location region as it was ut...
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
bool mayInlineCXXAllocator()
Returns whether or not allocator call may be considered for inlining.
virtual SVal getArgSVal(unsigned Index) const
Returns the value of a given argument at the time of the call.
Definition: CallEvent.cpp:268
QualType getType() const
Definition: Decl.h:647
A trivial tuple used to represent a source range.
This represents a decl that may have a name.
Definition: Decl.h:248
Tag that can use a checker name as a message provider (see SimpleProgramPointTag).
Definition: Checker.h:509
This class provides an interface through which checkers can create individual bug reports...
Definition: BugReporter.h:70
bool isFunctionPointerType() const
Definition: Type.h:6073
const LocationContext * getLocationContext() const
unsigned getNumParams() const
Return the number of parameters this function must have based on its FunctionType.
Definition: Decl.cpp:2963
SourceManager & getSourceManager()
Definition: BugReporter.h:574
bool hasSymbolicOffset() const
Definition: MemRegion.h:79
bool isUnknownOrUndef() const
Definition: SVals.h:145
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.