clang 22.0.0git
Classes | Namespaces | Macros | Functions
MallocChecker.cpp File Reference
#include "AllocationState.h"
#include "InterCheckerAPI.h"
#include "NoOwnershipChangeVisitor.h"
#include "clang/AST/Attr.h"
#include "clang/AST/DeclCXX.h"
#include "clang/AST/DeclTemplate.h"
#include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h"
#include "clang/AST/ParentMap.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/Analysis/ProgramPoint.h"
#include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceManager.h"
#include "clang/Basic/TargetInfo.h"
#include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/Taint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/Support/Casting.h"
#include "llvm/Support/Compiler.h"
#include "llvm/Support/ErrorHandling.h"
#include "llvm/Support/raw_ostream.h"
#include <functional>
#include <optional>
#include <utility>

Go to the source code of this file.

Classes

struct  FieldConsumer
 Helper struct for collecting smart owning pointer field regions. More...

Namespaces

namespace  clang
 The JSON file list parser is used to communicate input to InstallAPI.
namespace  clang::ento
namespace  clang::ento::allocation_state

Macros

#define CASE(ID)
#define BUGTYPE_PROVIDER(NAME, DEF)
#define CHECK_FN(NAME)
#define REGISTER_CHECKER(NAME)

Functions

static bool printMemFnName (raw_ostream &os, CheckerContext &C, const Expr *E)
 Print names of allocators and deallocators.
static void printExpectedAllocName (raw_ostream &os, AllocationFamily Family)
 Print expected name of an allocator based on the deallocator's family derived from the DeallocExpr.
static void printExpectedDeallocName (raw_ostream &os, AllocationFamily Family)
 Print expected name of a deallocator based on the allocator's family.
static bool isReleased (SymbolRef Sym, CheckerContext &C)
 Check if the memory associated with this symbol was released.
static ProgramStateRef MallocUpdateRefState (CheckerContext &C, const Expr *E, ProgramStateRef State, AllocationFamily Family, std::optional< SVal > RetVal=std::nullopt)
 Update the RefState to reflect the new memory allocation.
static bool isStandardNew (const FunctionDecl *FD)
static bool isStandardNew (const CallEvent &Call)
static bool isStandardDelete (const FunctionDecl *FD)
static bool isStandardDelete (const CallEvent &Call)
template<typename T>
static bool isStandardNewDelete (const T &FD)
 Tells if the callee is one of the builtin new/delete operators, including placement operators and other standard overloads.
static bool isStandardRealloc (const CallEvent &Call)
static bool isGRealloc (const CallEvent &Call)
static const ExprgetPlacementNewBufferArg (const CallExpr *CE, const FunctionDecl *FD)
static bool isFromStdNamespace (const CallEvent &Call)
static QualType getDeepPointeeType (QualType T)
static bool hasNonTrivialConstructorCall (const CXXNewExpr *NE)
static bool isKnownDeallocObjCMethodName (const ObjCMethodCall &Call)
static std::optional< boolgetFreeWhenDoneArg (const ObjCMethodCall &Call)
static bool didPreviousFreeFail (ProgramStateRef State, SymbolRef Sym, SymbolRef &RetStatusSymbol)
 Checks if the previous call to free on the given symbol failed - if free failed, returns true.
static void printOwnershipTakesList (raw_ostream &os, CheckerContext &C, const Expr *E)
static bool isSmartPtrName (StringRef Name)
static bool isSmartPtrType (QualType QT)
static bool hasSmartPtrField (const CXXRecordDecl *CRD, std::optional< FieldConsumer > FC=std::nullopt)
 Check if a record type has smart owning pointer fields (directly or in base classes).
static bool isRvalueByValueRecord (const Expr *AE)
 Check if an expression is an rvalue record type passed by value.
static bool isRvalueByValueRecordWithSmartPtr (const Expr *AE)
 Check if an expression is an rvalue record with smart owning pointer fields passed by value.
static bool isSmartPtrRecord (const CXXRecordDecl *RD)
 Check if a CXXRecordDecl has a name matching recognized smart pointer names.
static bool isSmartPtrCall (const CallEvent &Call)
 Check if a call is a constructor of a smart owning pointer class that accepts pointer parameters.
static void collectSmartPtrFieldRegions (const MemRegion *Reg, QualType RecQT, CheckerContext &C, llvm::SmallPtrSetImpl< const MemRegion * > &Out)
 Collect memory regions of smart owning pointer fields from a record type (including fields from base classes).
static bool checkIfNewOrNewArrayFamily (const RefState *RS)
static SymbolRef findFailedReallocSymbol (ProgramStateRef currState, ProgramStateRef prevState)
static bool isReferenceCountingPointerDestructor (const CXXDestructorDecl *DD)
ProgramStateRef clang::ento::allocation_state::markReleased (ProgramStateRef State, SymbolRef Sym, const Expr *Origin)

Macro Definition Documentation

◆ BUGTYPE_PROVIDER

#define BUGTYPE_PROVIDER ( NAME,
DEF )
Value:
struct NAME : virtual public CheckerFrontend { \
BugType NAME##Bug{this, DEF, categories::MemoryError}; \
};
clang::ento::CheckerFrontend
A CheckerFrontend instance is what the user recognizes as "one checker": it has a public canonical na...
Definition Checker.h:514

Definition at line 344 of file MallocChecker.cpp.

◆ CASE

#define CASE ( ID)
Value:
case ID: OS << #ID; break;
clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...
Definition RetainSummaryManager.h:51

◆ CHECK_FN

#define CHECK_FN ( NAME)
Value:
void NAME(ProgramStateRef State, const CallEvent &Call, CheckerContext &C) \
const;
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition CallEvent.h:153
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition ProgramState_Fwd.h:37

Definition at line 458 of file MallocChecker.cpp.

◆ REGISTER_CHECKER

#define REGISTER_CHECKER ( NAME)
Value:
void ento::register##NAME(CheckerManager &Mgr) { \
Mgr.getChecker<MallocChecker>()->NAME.enable(Mgr); \
} \
\
bool ento::shouldRegister##NAME(const CheckerManager &) { return true; }
clang::ento::CheckerManager::getChecker
CHECKER * getChecker(AT &&...Args)
If the the singleton instance of a checker class is not yet constructed, then construct it (with the ...
Definition CheckerManager.h:199

Definition at line 4205 of file MallocChecker.cpp.

Function Documentation

◆ checkIfNewOrNewArrayFamily()

bool checkIfNewOrNewArrayFamily ( const RefState * RS)
static

Definition at line 3844 of file MallocChecker.cpp.

◆ collectSmartPtrFieldRegions()

void collectSmartPtrFieldRegions ( const MemRegion * Reg,
QualType RecQT,
CheckerContext & C,
llvm::SmallPtrSetImpl< const MemRegion * > & Out )
static

Collect memory regions of smart owning pointer fields from a record type (including fields from base classes).

Definition at line 3288 of file MallocChecker.cpp.

References clang::C, clang::Type::getAsCXXRecordDecl(), and hasSmartPtrField().

◆ didPreviousFreeFail()

bool didPreviousFreeFail ( ProgramStateRef State,
SymbolRef Sym,
SymbolRef & RetStatusSymbol )
static

Checks if the previous call to free on the given symbol failed - if free failed, returns true.

Also, returns the corresponding return value symbol.

Definition at line 2120 of file MallocChecker.cpp.

References clang::ento::ConditionTruthVal::isConstrainedTrue(), and clang::ento::ConstraintManager::isNull().

◆ findFailedReallocSymbol()

SymbolRef findFailedReallocSymbol ( ProgramStateRef currState,
ProgramStateRef prevState )
static

Definition at line 3887 of file MallocChecker.cpp.

◆ getDeepPointeeType()

QualType getDeepPointeeType ( QualType T)
static

Definition at line 1785 of file MallocChecker.cpp.

References clang::T.

Referenced by hasNonTrivialConstructorCall().

◆ getFreeWhenDoneArg()

std::optional< bool > getFreeWhenDoneArg ( const ObjCMethodCall & Call)
static

Definition at line 1880 of file MallocChecker.cpp.

References clang::Call, clang::Selector::getNameForSlot(), and clang::Selector::getNumArgs().

◆ getPlacementNewBufferArg()

const Expr * getPlacementNewBufferArg ( const CallExpr * CE,
const FunctionDecl * FD )
static

Definition at line 1459 of file MallocChecker.cpp.

References clang::CallExpr::getArg(), clang::CallExpr::getNumArgs(), clang::FunctionDecl::getOverloadedOperator(), clang::FunctionDecl::getParamDecl(), and clang::ValueDecl::getType().

◆ hasNonTrivialConstructorCall()

bool hasNonTrivialConstructorCall ( const CXXNewExpr * NE)
static
Returns
true if the constructor invoked by NE has an argument of a pointer/reference to a record type.

Definition at line 1796 of file MallocChecker.cpp.

References clang::Type::getAsCXXRecordDecl(), clang::CXXConstructExpr::getConstructor(), getDeepPointeeType(), clang::Type::getPointeeType(), clang::QualType::isNull(), and clang::FunctionDecl::parameters().

◆ hasSmartPtrField()

bool hasSmartPtrField ( const CXXRecordDecl * CRD,
std::optional< FieldConsumer > FC = std::nullopt )
static

Check if a record type has smart owning pointer fields (directly or in base classes).

When FC is provided, also collect the field regions.

This function has dual behavior:

  • When FC is nullopt: Returns true if smart pointer fields are found
  • When FC is provided: Always returns false, but collects field regions as a side effect through the FieldConsumer

Note: When FC is provided, the return value should be ignored since the function performs full traversal for collection and always returns false to avoid early termination.

Definition at line 3198 of file MallocChecker.cpp.

References clang::CXXRecordDecl::bases(), clang::RecordDecl::fields(), clang::Found, hasSmartPtrField(), and isSmartPtrType().

Referenced by collectSmartPtrFieldRegions(), hasSmartPtrField(), and isRvalueByValueRecordWithSmartPtr().

◆ isFromStdNamespace()

bool isFromStdNamespace ( const CallEvent & Call)
static

Definition at line 1564 of file MallocChecker.cpp.

References clang::Call, and clang::Decl::isInStdNamespace().

◆ isGRealloc()

bool isGRealloc ( const CallEvent & Call)
static

Definition at line 1375 of file MallocChecker.cpp.

References clang::Call, clang::Decl::getASTContext(), clang::FunctionDecl::getDeclaredReturnType(), clang::FunctionDecl::getParamDecl(), clang::ValueDecl::getType(), clang::ASTContext::hasSameType(), clang::ASTContext::UnsignedLongTy, and clang::ASTContext::VoidPtrTy.

◆ isKnownDeallocObjCMethodName()

bool isKnownDeallocObjCMethodName ( const ObjCMethodCall & Call)
static

Definition at line 1868 of file MallocChecker.cpp.

References clang::Call.

◆ isReferenceCountingPointerDestructor()

bool isReferenceCountingPointerDestructor ( const CXXDestructorDecl * DD)
static

Definition at line 3901 of file MallocChecker.cpp.

References clang::NamedDecl::getIdentifier(), clang::IdentifierInfo::getName(), and clang::CXXMethodDecl::getParent().

◆ isReleased()

bool isReleased ( SymbolRef Sym,
CheckerContext & C )
static

Check if the memory associated with this symbol was released.

Definition at line 3548 of file MallocChecker.cpp.

References clang::C.

◆ isRvalueByValueRecord()

bool isRvalueByValueRecord ( const Expr * AE)
static

Check if an expression is an rvalue record type passed by value.

Definition at line 3228 of file MallocChecker.cpp.

References clang::Expr::getType(), clang::isa(), clang::Expr::isGLValue(), and clang::T.

Referenced by isRvalueByValueRecordWithSmartPtr().

◆ isRvalueByValueRecordWithSmartPtr()

bool isRvalueByValueRecordWithSmartPtr ( const Expr * AE)
static

Check if an expression is an rvalue record with smart owning pointer fields passed by value.

Definition at line 3243 of file MallocChecker.cpp.

References clang::Type::getAsCXXRecordDecl(), clang::Expr::getType(), hasSmartPtrField(), and isRvalueByValueRecord().

◆ isSmartPtrCall()

bool isSmartPtrCall ( const CallEvent & Call)
static

Check if a call is a constructor of a smart owning pointer class that accepts pointer parameters.

Definition at line 3263 of file MallocChecker.cpp.

References clang::Call, clang::Type::isFunctionPointerType(), clang::Type::isPointerType(), isSmartPtrRecord(), and clang::Type::isVoidPointerType().

◆ isSmartPtrName()

bool isSmartPtrName ( StringRef Name)
static

Definition at line 3130 of file MallocChecker.cpp.

Referenced by isSmartPtrRecord(), and isSmartPtrType().

◆ isSmartPtrRecord()

bool isSmartPtrRecord ( const CXXRecordDecl * RD)
static

Check if a CXXRecordDecl has a name matching recognized smart pointer names.

Definition at line 3252 of file MallocChecker.cpp.

References clang::NamedDecl::getName(), and isSmartPtrName().

Referenced by isSmartPtrCall().

◆ isSmartPtrType()

bool isSmartPtrType ( QualType QT)
static

Definition at line 3135 of file MallocChecker.cpp.

References clang::Type::getAs(), clang::Type::getCanonicalTypeUnqualified(), clang::TemplateDecl::getTemplatedDecl(), and isSmartPtrName().

Referenced by hasSmartPtrField().

◆ isStandardDelete() [1/2]

bool isStandardDelete ( const CallEvent & Call)
static

Definition at line 325 of file MallocChecker.cpp.

References clang::Call, clang::cast(), clang::isa(), and isStandardDelete().

◆ isStandardDelete() [2/2]

bool isStandardDelete ( const FunctionDecl * FD)
static

Definition at line 1173 of file MallocChecker.cpp.

References clang::Decl::getASTContext(), clang::Decl::getLocation(), clang::FunctionDecl::getOverloadedOperator(), clang::ASTContext::getSourceManager(), clang::FunctionDecl::hasBody(), clang::SourceLocation::isInvalid(), and SM.

Referenced by isStandardDelete(), and isStandardNewDelete().

◆ isStandardNew() [1/2]

bool isStandardNew ( const CallEvent & Call)
static

Definition at line 318 of file MallocChecker.cpp.

References clang::Call, clang::cast(), clang::isa(), and isStandardNew().

◆ isStandardNew() [2/2]

bool isStandardNew ( const FunctionDecl * FD)
static

Definition at line 1157 of file MallocChecker.cpp.

References clang::Decl::getASTContext(), clang::Decl::getLocation(), clang::FunctionDecl::getOverloadedOperator(), clang::ASTContext::getSourceManager(), clang::SourceManager::isInSystemHeader(), and clang::SourceLocation::isValid().

Referenced by isStandardNew(), and isStandardNewDelete().

◆ isStandardNewDelete()

template<typename T>
bool isStandardNewDelete ( const T & FD)
static

Tells if the callee is one of the builtin new/delete operators, including placement operators and other standard overloads.

Definition at line 333 of file MallocChecker.cpp.

References isStandardDelete(), isStandardNew(), and clang::T.

◆ isStandardRealloc()

bool isStandardRealloc ( const CallEvent & Call)
static

Definition at line 1366 of file MallocChecker.cpp.

References clang::Call, clang::Decl::getASTContext(), clang::FunctionDecl::getDeclaredReturnType(), clang::FunctionDecl::getParamDecl(), clang::ASTContext::getSizeType(), clang::ValueDecl::getType(), clang::ASTContext::hasSameType(), and clang::ASTContext::VoidPtrTy.

◆ MallocUpdateRefState()

ProgramStateRef MallocUpdateRefState ( CheckerContext & C,
const Expr * E,
ProgramStateRef State,
AllocationFamily Family,
std::optional< SVal > RetVal = std::nullopt )
static

Update the RefState to reflect the new memory allocation.

The optional RetVal parameter specifies the newly allocated pointer value; if unspecified, the value of expression E is used.

Definition at line 2051 of file MallocChecker.cpp.

References clang::C.

◆ printExpectedAllocName()

void printExpectedAllocName ( raw_ostream & os,
AllocationFamily Family )
static

Print expected name of an allocator based on the deallocator's family derived from the DeallocExpr.

Definition at line 2196 of file MallocChecker.cpp.

◆ printExpectedDeallocName()

void printExpectedDeallocName ( raw_ostream & os,
AllocationFamily Family )
static

Print expected name of a deallocator based on the allocator's family.

Definition at line 2223 of file MallocChecker.cpp.

◆ printMemFnName()

bool printMemFnName ( raw_ostream & os,
CheckerContext & C,
const Expr * E )
static

Print names of allocators and deallocators.

Returns
true on success.

Definition at line 2154 of file MallocChecker.cpp.

References clang::C, clang::getOperatorSpelling(), and clang::FunctionDecl::isOverloadedOperator().

◆ printOwnershipTakesList()

void printOwnershipTakesList ( raw_ostream & os,
CheckerContext & C,
const Expr * E )
static

Definition at line 2133 of file MallocChecker.cpp.

References clang::C, clang::CallExpr::getDirectCallee(), and clang::Decl::specific_attrs().

Generated on for clang by doxygen 1.14.0