clang  16.0.0git
MallocChecker.cpp
Go to the documentation of this file.
1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines a variety of memory management related checkers, such as
10 // leak, double free, and use-after-free.
11 //
12 // The following checkers are defined here:
13 //
14 // * MallocChecker
15 // Despite its name, it models all sorts of memory allocations and
16 // de- or reallocation, including but not limited to malloc, free,
17 // relloc, new, delete. It also reports on a variety of memory misuse
18 // errors.
19 // Many other checkers interact very closely with this checker, in fact,
20 // most are merely options to this one. Other checkers may register
21 // MallocChecker, but do not enable MallocChecker's reports (more details
22 // to follow around its field, ChecksEnabled).
23 // It also has a boolean "Optimistic" checker option, which if set to true
24 // will cause the checker to model user defined memory management related
25 // functions annotated via the attribute ownership_takes, ownership_holds
26 // and ownership_returns.
27 //
28 // * NewDeleteChecker
29 // Enables the modeling of new, new[], delete, delete[] in MallocChecker,
30 // and checks for related double-free and use-after-free errors.
31 //
32 // * NewDeleteLeaksChecker
33 // Checks for leaks related to new, new[], delete, delete[].
34 // Depends on NewDeleteChecker.
35 //
36 // * MismatchedDeallocatorChecker
37 // Enables checking whether memory is deallocated with the correspending
38 // allocation function in MallocChecker, such as malloc() allocated
39 // regions are only freed by free(), new by delete, new[] by delete[].
40 //
41 // InnerPointerChecker interacts very closely with MallocChecker, but unlike
42 // the above checkers, it has it's own file, hence the many InnerPointerChecker
43 // related headers and non-static functions.
44 //
45 //===----------------------------------------------------------------------===//
46 
47 #include "AllocationState.h"
48 #include "InterCheckerAPI.h"
49 #include "clang/AST/Attr.h"
50 #include "clang/AST/DeclCXX.h"
51 #include "clang/AST/DeclTemplate.h"
52 #include "clang/AST/Expr.h"
53 #include "clang/AST/ExprCXX.h"
54 #include "clang/AST/ParentMap.h"
58 #include "clang/Basic/LLVM.h"
60 #include "clang/Basic/TargetInfo.h"
61 #include "clang/Lex/Lexer.h"
79 #include "llvm/ADT/STLExtras.h"
80 #include "llvm/ADT/SetOperations.h"
81 #include "llvm/ADT/SmallString.h"
82 #include "llvm/ADT/StringExtras.h"
83 #include "llvm/Support/Casting.h"
84 #include "llvm/Support/Compiler.h"
85 #include "llvm/Support/ErrorHandling.h"
86 #include "llvm/Support/raw_ostream.h"
87 #include <climits>
88 #include <functional>
89 #include <utility>
90 
91 using namespace clang;
92 using namespace ento;
93 using namespace std::placeholders;
94 
95 //===----------------------------------------------------------------------===//
96 // The types of allocation we're modeling. This is used to check whether a
97 // dynamically allocated object is deallocated with the correct function, like
98 // not using operator delete on an object created by malloc(), or alloca regions
99 // aren't ever deallocated manually.
100 //===----------------------------------------------------------------------===//
101 
102 namespace {
103 
104 // Used to check correspondence between allocators and deallocators.
105 enum AllocationFamily {
106  AF_None,
107  AF_Malloc,
108  AF_CXXNew,
109  AF_CXXNewArray,
110  AF_IfNameIndex,
111  AF_Alloca,
112  AF_InnerBuffer
113 };
114 
115 } // end of anonymous namespace
116 
117 /// Print names of allocators and deallocators.
118 ///
119 /// \returns true on success.
120 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E);
121 
122 /// Print expected name of an allocator based on the deallocator's family
123 /// derived from the DeallocExpr.
124 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family);
125 
126 /// Print expected name of a deallocator based on the allocator's
127 /// family.
128 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family);
129 
130 //===----------------------------------------------------------------------===//
131 // The state of a symbol, in terms of memory management.
132 //===----------------------------------------------------------------------===//
133 
134 namespace {
135 
136 class RefState {
137  enum Kind {
138  // Reference to allocated memory.
139  Allocated,
140  // Reference to zero-allocated memory.
141  AllocatedOfSizeZero,
142  // Reference to released/freed memory.
143  Released,
144  // The responsibility for freeing resources has transferred from
145  // this reference. A relinquished symbol should not be freed.
146  Relinquished,
147  // We are no longer guaranteed to have observed all manipulations
148  // of this pointer/memory. For example, it could have been
149  // passed as a parameter to an opaque function.
150  Escaped
151  };
152 
153  const Stmt *S;
154 
155  Kind K;
156  AllocationFamily Family;
157 
158  RefState(Kind k, const Stmt *s, AllocationFamily family)
159  : S(s), K(k), Family(family) {
160  assert(family != AF_None);
161  }
162 
163 public:
164  bool isAllocated() const { return K == Allocated; }
165  bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
166  bool isReleased() const { return K == Released; }
167  bool isRelinquished() const { return K == Relinquished; }
168  bool isEscaped() const { return K == Escaped; }
169  AllocationFamily getAllocationFamily() const { return Family; }
170  const Stmt *getStmt() const { return S; }
171 
172  bool operator==(const RefState &X) const {
173  return K == X.K && S == X.S && Family == X.Family;
174  }
175 
176  static RefState getAllocated(AllocationFamily family, const Stmt *s) {
177  return RefState(Allocated, s, family);
178  }
179  static RefState getAllocatedOfSizeZero(const RefState *RS) {
180  return RefState(AllocatedOfSizeZero, RS->getStmt(),
181  RS->getAllocationFamily());
182  }
183  static RefState getReleased(AllocationFamily family, const Stmt *s) {
184  return RefState(Released, s, family);
185  }
186  static RefState getRelinquished(AllocationFamily family, const Stmt *s) {
187  return RefState(Relinquished, s, family);
188  }
189  static RefState getEscaped(const RefState *RS) {
190  return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
191  }
192 
193  void Profile(llvm::FoldingSetNodeID &ID) const {
194  ID.AddInteger(K);
195  ID.AddPointer(S);
196  ID.AddInteger(Family);
197  }
198 
199  LLVM_DUMP_METHOD void dump(raw_ostream &OS) const {
200  switch (K) {
201 #define CASE(ID) case ID: OS << #ID; break;
202  CASE(Allocated)
203  CASE(AllocatedOfSizeZero)
204  CASE(Released)
205  CASE(Relinquished)
206  CASE(Escaped)
207  }
208  }
209 
210  LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
211 };
212 
213 } // end of anonymous namespace
214 
215 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
216 
217 /// Check if the memory associated with this symbol was released.
218 static bool isReleased(SymbolRef Sym, CheckerContext &C);
219 
220 /// Update the RefState to reflect the new memory allocation.
221 /// The optional \p RetVal parameter specifies the newly allocated pointer
222 /// value; if unspecified, the value of expression \p E is used.
223 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
225  AllocationFamily Family,
226  Optional<SVal> RetVal = None);
227 
228 //===----------------------------------------------------------------------===//
229 // The modeling of memory reallocation.
230 //
231 // The terminology 'toPtr' and 'fromPtr' will be used:
232 // toPtr = realloc(fromPtr, 20);
233 //===----------------------------------------------------------------------===//
234 
235 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
236 
237 namespace {
238 
239 /// The state of 'fromPtr' after reallocation is known to have failed.
240 enum OwnershipAfterReallocKind {
241  // The symbol needs to be freed (e.g.: realloc)
242  OAR_ToBeFreedAfterFailure,
243  // The symbol has been freed (e.g.: reallocf)
244  OAR_FreeOnFailure,
245  // The symbol doesn't have to freed (e.g.: we aren't sure if, how and where
246  // 'fromPtr' was allocated:
247  // void Haha(int *ptr) {
248  // ptr = realloc(ptr, 67);
249  // // ...
250  // }
251  // ).
252  OAR_DoNotTrackAfterFailure
253 };
254 
255 /// Stores information about the 'fromPtr' symbol after reallocation.
256 ///
257 /// This is important because realloc may fail, and that needs special modeling.
258 /// Whether reallocation failed or not will not be known until later, so we'll
259 /// store whether upon failure 'fromPtr' will be freed, or needs to be freed
260 /// later, etc.
261 struct ReallocPair {
262 
263  // The 'fromPtr'.
264  SymbolRef ReallocatedSym;
265  OwnershipAfterReallocKind Kind;
266 
267  ReallocPair(SymbolRef S, OwnershipAfterReallocKind K)
268  : ReallocatedSym(S), Kind(K) {}
269  void Profile(llvm::FoldingSetNodeID &ID) const {
270  ID.AddInteger(Kind);
271  ID.AddPointer(ReallocatedSym);
272  }
273  bool operator==(const ReallocPair &X) const {
274  return ReallocatedSym == X.ReallocatedSym &&
275  Kind == X.Kind;
276  }
277 };
278 
279 } // end of anonymous namespace
280 
281 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
282 
283 /// Tells if the callee is one of the builtin new/delete operators, including
284 /// placement operators and other standard overloads.
285 static bool isStandardNewDelete(const FunctionDecl *FD);
286 static bool isStandardNewDelete(const CallEvent &Call) {
287  if (!Call.getDecl() || !isa<FunctionDecl>(Call.getDecl()))
288  return false;
289  return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl()));
290 }
291 
292 //===----------------------------------------------------------------------===//
293 // Definition of the MallocChecker class.
294 //===----------------------------------------------------------------------===//
295 
296 namespace {
297 
298 class MallocChecker
299  : public Checker<check::DeadSymbols, check::PointerEscape,
300  check::ConstPointerEscape, check::PreStmt<ReturnStmt>,
301  check::EndFunction, check::PreCall, check::PostCall,
302  check::NewAllocator, check::PostStmt<BlockExpr>,
303  check::PostObjCMessage, check::Location, eval::Assume> {
304 public:
305  /// In pessimistic mode, the checker assumes that it does not know which
306  /// functions might free the memory.
307  /// In optimistic mode, the checker assumes that all user-defined functions
308  /// which might free a pointer are annotated.
309  bool ShouldIncludeOwnershipAnnotatedFunctions = false;
310 
311  bool ShouldRegisterNoOwnershipChangeVisitor = false;
312 
313  /// Many checkers are essentially built into this one, so enabling them will
314  /// make MallocChecker perform additional modeling and reporting.
315  enum CheckKind {
316  /// When a subchecker is enabled but MallocChecker isn't, model memory
317  /// management but do not emit warnings emitted with MallocChecker only
318  /// enabled.
319  CK_MallocChecker,
320  CK_NewDeleteChecker,
321  CK_NewDeleteLeaksChecker,
322  CK_MismatchedDeallocatorChecker,
323  CK_InnerPointerChecker,
324  CK_NumCheckKinds
325  };
326 
327  using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>;
328 
329  bool ChecksEnabled[CK_NumCheckKinds] = {false};
330  CheckerNameRef CheckNames[CK_NumCheckKinds];
331 
332  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
333  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
334  void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const;
335  void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
336  void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
337  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
338  void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
339  void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
340  ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
341  bool Assumption) const;
342  void checkLocation(SVal l, bool isLoad, const Stmt *S,
343  CheckerContext &C) const;
344 
345  ProgramStateRef checkPointerEscape(ProgramStateRef State,
346  const InvalidatedSymbols &Escaped,
347  const CallEvent *Call,
348  PointerEscapeKind Kind) const;
349  ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
350  const InvalidatedSymbols &Escaped,
351  const CallEvent *Call,
352  PointerEscapeKind Kind) const;
353 
354  void printState(raw_ostream &Out, ProgramStateRef State,
355  const char *NL, const char *Sep) const override;
356 
357 private:
358  mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
359  mutable std::unique_ptr<BugType> BT_DoubleDelete;
360  mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
361  mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
362  mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
363  mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
364  mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
365  mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
366  mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
367 
368 #define CHECK_FN(NAME) \
369  void NAME(const CallEvent &Call, CheckerContext &C) const;
370 
371  CHECK_FN(checkFree)
372  CHECK_FN(checkIfNameIndex)
373  CHECK_FN(checkBasicAlloc)
374  CHECK_FN(checkKernelMalloc)
375  CHECK_FN(checkCalloc)
376  CHECK_FN(checkAlloca)
377  CHECK_FN(checkStrdup)
378  CHECK_FN(checkIfFreeNameIndex)
379  CHECK_FN(checkCXXNewOrCXXDelete)
380  CHECK_FN(checkGMalloc0)
381  CHECK_FN(checkGMemdup)
382  CHECK_FN(checkGMallocN)
383  CHECK_FN(checkGMallocN0)
384  CHECK_FN(checkReallocN)
385  CHECK_FN(checkOwnershipAttr)
386 
387  void checkRealloc(const CallEvent &Call, CheckerContext &C,
388  bool ShouldFreeOnFail) const;
389 
390  using CheckFn = std::function<void(const MallocChecker *,
391  const CallEvent &Call, CheckerContext &C)>;
392 
393  const CallDescriptionMap<CheckFn> FreeingMemFnMap{
394  {{"free", 1}, &MallocChecker::checkFree},
395  {{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex},
396  {{"kfree", 1}, &MallocChecker::checkFree},
397  {{"g_free", 1}, &MallocChecker::checkFree},
398  };
399 
400  bool isFreeingCall(const CallEvent &Call) const;
401  static bool isFreeingOwnershipAttrCall(const FunctionDecl *Func);
402 
403  friend class NoOwnershipChangeVisitor;
404 
405  CallDescriptionMap<CheckFn> AllocatingMemFnMap{
406  {{"alloca", 1}, &MallocChecker::checkAlloca},
407  {{"_alloca", 1}, &MallocChecker::checkAlloca},
408  {{"malloc", 1}, &MallocChecker::checkBasicAlloc},
409  {{"malloc", 3}, &MallocChecker::checkKernelMalloc},
410  {{"calloc", 2}, &MallocChecker::checkCalloc},
411  {{"valloc", 1}, &MallocChecker::checkBasicAlloc},
412  {{CDF_MaybeBuiltin, "strndup", 2}, &MallocChecker::checkStrdup},
413  {{CDF_MaybeBuiltin, "strdup", 1}, &MallocChecker::checkStrdup},
414  {{"_strdup", 1}, &MallocChecker::checkStrdup},
415  {{"kmalloc", 2}, &MallocChecker::checkKernelMalloc},
416  {{"if_nameindex", 1}, &MallocChecker::checkIfNameIndex},
417  {{CDF_MaybeBuiltin, "wcsdup", 1}, &MallocChecker::checkStrdup},
418  {{CDF_MaybeBuiltin, "_wcsdup", 1}, &MallocChecker::checkStrdup},
419  {{"g_malloc", 1}, &MallocChecker::checkBasicAlloc},
420  {{"g_malloc0", 1}, &MallocChecker::checkGMalloc0},
421  {{"g_try_malloc", 1}, &MallocChecker::checkBasicAlloc},
422  {{"g_try_malloc0", 1}, &MallocChecker::checkGMalloc0},
423  {{"g_memdup", 2}, &MallocChecker::checkGMemdup},
424  {{"g_malloc_n", 2}, &MallocChecker::checkGMallocN},
425  {{"g_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
426  {{"g_try_malloc_n", 2}, &MallocChecker::checkGMallocN},
427  {{"g_try_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
428  };
429 
430  CallDescriptionMap<CheckFn> ReallocatingMemFnMap{
431  {{"realloc", 2},
432  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
433  {{"reallocf", 2},
434  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, true)},
435  {{"g_realloc", 2},
436  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
437  {{"g_try_realloc", 2},
438  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
439  {{"g_realloc_n", 3}, &MallocChecker::checkReallocN},
440  {{"g_try_realloc_n", 3}, &MallocChecker::checkReallocN},
441  };
442 
443  bool isMemCall(const CallEvent &Call) const;
444 
445  // TODO: Remove mutable by moving the initializtaion to the registry function.
446  mutable Optional<uint64_t> KernelZeroFlagVal;
447 
448  using KernelZeroSizePtrValueTy = Optional<int>;
449  /// Store the value of macro called `ZERO_SIZE_PTR`.
450  /// The value is initialized at first use, before first use the outer
451  /// Optional is empty, afterwards it contains another Optional that indicates
452  /// if the macro value could be determined, and if yes the value itself.
453  mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue;
454 
455  /// Process C++ operator new()'s allocation, which is the part of C++
456  /// new-expression that goes before the constructor.
457  [[nodiscard]] ProgramStateRef
458  processNewAllocation(const CXXAllocatorCall &Call, CheckerContext &C,
459  AllocationFamily Family) const;
460 
461  /// Perform a zero-allocation check.
462  ///
463  /// \param [in] Call The expression that allocates memory.
464  /// \param [in] IndexOfSizeArg Index of the argument that specifies the size
465  /// of the memory that needs to be allocated. E.g. for malloc, this would be
466  /// 0.
467  /// \param [in] RetVal Specifies the newly allocated pointer value;
468  /// if unspecified, the value of expression \p E is used.
469  [[nodiscard]] static ProgramStateRef
470  ProcessZeroAllocCheck(const CallEvent &Call, const unsigned IndexOfSizeArg,
472 
473  /// Model functions with the ownership_returns attribute.
474  ///
475  /// User-defined function may have the ownership_returns attribute, which
476  /// annotates that the function returns with an object that was allocated on
477  /// the heap, and passes the ownertship to the callee.
478  ///
479  /// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t);
480  ///
481  /// It has two parameters:
482  /// - first: name of the resource (e.g. 'malloc')
483  /// - (OPTIONAL) second: size of the allocated region
484  ///
485  /// \param [in] Call The expression that allocates memory.
486  /// \param [in] Att The ownership_returns attribute.
487  /// \param [in] State The \c ProgramState right before allocation.
488  /// \returns The ProgramState right after allocation.
489  [[nodiscard]] ProgramStateRef
490  MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
491  const OwnershipAttr *Att, ProgramStateRef State) const;
492 
493  /// Models memory allocation.
494  ///
495  /// \param [in] Call The expression that allocates memory.
496  /// \param [in] SizeEx Size of the memory that needs to be allocated.
497  /// \param [in] Init The value the allocated memory needs to be initialized.
498  /// with. For example, \c calloc initializes the allocated memory to 0,
499  /// malloc leaves it undefined.
500  /// \param [in] State The \c ProgramState right before allocation.
501  /// \returns The ProgramState right after allocation.
502  [[nodiscard]] static ProgramStateRef
503  MallocMemAux(CheckerContext &C, const CallEvent &Call, const Expr *SizeEx,
504  SVal Init, ProgramStateRef State, AllocationFamily Family);
505 
506  /// Models memory allocation.
507  ///
508  /// \param [in] Call The expression that allocates memory.
509  /// \param [in] Size Size of the memory that needs to be allocated.
510  /// \param [in] Init The value the allocated memory needs to be initialized.
511  /// with. For example, \c calloc initializes the allocated memory to 0,
512  /// malloc leaves it undefined.
513  /// \param [in] State The \c ProgramState right before allocation.
514  /// \returns The ProgramState right after allocation.
515  [[nodiscard]] static ProgramStateRef
516  MallocMemAux(CheckerContext &C, const CallEvent &Call, SVal Size, SVal Init,
517  ProgramStateRef State, AllocationFamily Family);
518 
519  // Check if this malloc() for special flags. At present that means M_ZERO or
520  // __GFP_ZERO (in which case, treat it like calloc).
521  [[nodiscard]] llvm::Optional<ProgramStateRef>
522  performKernelMalloc(const CallEvent &Call, CheckerContext &C,
523  const ProgramStateRef &State) const;
524 
525  /// Model functions with the ownership_takes and ownership_holds attributes.
526  ///
527  /// User-defined function may have the ownership_takes and/or ownership_holds
528  /// attributes, which annotates that the function frees the memory passed as a
529  /// parameter.
530  ///
531  /// void __attribute((ownership_takes(malloc, 1))) my_free(void *);
532  /// void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
533  ///
534  /// They have two parameters:
535  /// - first: name of the resource (e.g. 'malloc')
536  /// - second: index of the parameter the attribute applies to
537  ///
538  /// \param [in] Call The expression that frees memory.
539  /// \param [in] Att The ownership_takes or ownership_holds attribute.
540  /// \param [in] State The \c ProgramState right before allocation.
541  /// \returns The ProgramState right after deallocation.
542  [[nodiscard]] ProgramStateRef FreeMemAttr(CheckerContext &C,
543  const CallEvent &Call,
544  const OwnershipAttr *Att,
545  ProgramStateRef State) const;
546 
547  /// Models memory deallocation.
548  ///
549  /// \param [in] Call The expression that frees memory.
550  /// \param [in] State The \c ProgramState right before allocation.
551  /// \param [in] Num Index of the argument that needs to be freed. This is
552  /// normally 0, but for custom free functions it may be different.
553  /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
554  /// attribute.
555  /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
556  /// to have been allocated, or in other words, the symbol to be freed was
557  /// registered as allocated by this checker. In the following case, \c ptr
558  /// isn't known to be allocated.
559  /// void Haha(int *ptr) {
560  /// ptr = realloc(ptr, 67);
561  /// // ...
562  /// }
563  /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
564  /// we're modeling returns with Null on failure.
565  /// \returns The ProgramState right after deallocation.
566  [[nodiscard]] ProgramStateRef
567  FreeMemAux(CheckerContext &C, const CallEvent &Call, ProgramStateRef State,
568  unsigned Num, bool Hold, bool &IsKnownToBeAllocated,
569  AllocationFamily Family, bool ReturnsNullOnFailure = false) const;
570 
571  /// Models memory deallocation.
572  ///
573  /// \param [in] ArgExpr The variable who's pointee needs to be freed.
574  /// \param [in] Call The expression that frees the memory.
575  /// \param [in] State The \c ProgramState right before allocation.
576  /// normally 0, but for custom free functions it may be different.
577  /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
578  /// attribute.
579  /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
580  /// to have been allocated, or in other words, the symbol to be freed was
581  /// registered as allocated by this checker. In the following case, \c ptr
582  /// isn't known to be allocated.
583  /// void Haha(int *ptr) {
584  /// ptr = realloc(ptr, 67);
585  /// // ...
586  /// }
587  /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
588  /// we're modeling returns with Null on failure.
589  /// \returns The ProgramState right after deallocation.
590  [[nodiscard]] ProgramStateRef
591  FreeMemAux(CheckerContext &C, const Expr *ArgExpr, const CallEvent &Call,
592  ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated,
593  AllocationFamily Family, bool ReturnsNullOnFailure = false) const;
594 
595  // TODO: Needs some refactoring, as all other deallocation modeling
596  // functions are suffering from out parameters and messy code due to how
597  // realloc is handled.
598  //
599  /// Models memory reallocation.
600  ///
601  /// \param [in] Call The expression that reallocated memory
602  /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied
603  /// memory should be freed.
604  /// \param [in] State The \c ProgramState right before reallocation.
605  /// \param [in] SuffixWithN Whether the reallocation function we're modeling
606  /// has an '_n' suffix, such as g_realloc_n.
607  /// \returns The ProgramState right after reallocation.
608  [[nodiscard]] ProgramStateRef
609  ReallocMemAux(CheckerContext &C, const CallEvent &Call, bool ShouldFreeOnFail,
610  ProgramStateRef State, AllocationFamily Family,
611  bool SuffixWithN = false) const;
612 
613  /// Evaluates the buffer size that needs to be allocated.
614  ///
615  /// \param [in] Blocks The amount of blocks that needs to be allocated.
616  /// \param [in] BlockBytes The size of a block.
617  /// \returns The symbolic value of \p Blocks * \p BlockBytes.
618  [[nodiscard]] static SVal evalMulForBufferSize(CheckerContext &C,
619  const Expr *Blocks,
620  const Expr *BlockBytes);
621 
622  /// Models zero initialized array allocation.
623  ///
624  /// \param [in] Call The expression that reallocated memory
625  /// \param [in] State The \c ProgramState right before reallocation.
626  /// \returns The ProgramState right after allocation.
627  [[nodiscard]] static ProgramStateRef
628  CallocMem(CheckerContext &C, const CallEvent &Call, ProgramStateRef State);
629 
630  /// See if deallocation happens in a suspicious context. If so, escape the
631  /// pointers that otherwise would have been deallocated and return true.
632  bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call,
633  CheckerContext &C) const;
634 
635  /// If in \p S \p Sym is used, check whether \p Sym was already freed.
636  bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
637 
638  /// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero
639  /// sized memory region.
640  void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
641  const Stmt *S) const;
642 
643  /// If in \p S \p Sym is being freed, check whether \p Sym was already freed.
644  bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
645 
646  /// Check if the function is known to free memory, or if it is
647  /// "interesting" and should be modeled explicitly.
648  ///
649  /// \param [out] EscapingSymbol A function might not free memory in general,
650  /// but could be known to free a particular symbol. In this case, false is
651  /// returned and the single escaping symbol is returned through the out
652  /// parameter.
653  ///
654  /// We assume that pointers do not escape through calls to system functions
655  /// not handled by this checker.
656  bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
658  SymbolRef &EscapingSymbol) const;
659 
660  /// Implementation of the checkPointerEscape callbacks.
661  [[nodiscard]] ProgramStateRef
662  checkPointerEscapeAux(ProgramStateRef State,
663  const InvalidatedSymbols &Escaped,
664  const CallEvent *Call, PointerEscapeKind Kind,
665  bool IsConstPointerEscape) const;
666 
667  // Implementation of the checkPreStmt and checkEndFunction callbacks.
668  void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
669 
670  ///@{
671  /// Tells if a given family/call/symbol is tracked by the current checker.
672  /// Sets CheckKind to the kind of the checker responsible for this
673  /// family/call/symbol.
674  Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
675  bool IsALeakCheck = false) const;
676 
677  Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
678  bool IsALeakCheck = false) const;
679  ///@}
680  static bool SummarizeValue(raw_ostream &os, SVal V);
681  static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
682 
683  void HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, SourceRange Range,
684  const Expr *DeallocExpr,
685  AllocationFamily Family) const;
686 
687  void HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
688  SourceRange Range) const;
689 
690  void HandleMismatchedDealloc(CheckerContext &C, SourceRange Range,
691  const Expr *DeallocExpr, const RefState *RS,
692  SymbolRef Sym, bool OwnershipTransferred) const;
693 
694  void HandleOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
695  const Expr *DeallocExpr, AllocationFamily Family,
696  const Expr *AllocExpr = nullptr) const;
697 
698  void HandleUseAfterFree(CheckerContext &C, SourceRange Range,
699  SymbolRef Sym) const;
700 
701  void HandleDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
702  SymbolRef Sym, SymbolRef PrevSym) const;
703 
704  void HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
705 
706  void HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
707  SymbolRef Sym) const;
708 
709  void HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
710  const Expr *FreeExpr,
711  AllocationFamily Family) const;
712 
713  /// Find the location of the allocation for Sym on the path leading to the
714  /// exploded node N.
715  static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
716  CheckerContext &C);
717 
718  void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
719 
720  /// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`.
721  bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
722  SVal ArgVal) const;
723 };
724 } // end anonymous namespace
725 
726 //===----------------------------------------------------------------------===//
727 // Definition of NoOwnershipChangeVisitor.
728 //===----------------------------------------------------------------------===//
729 
730 namespace {
731 class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor {
732  // The symbol whose (lack of) ownership change we are interested in.
733  SymbolRef Sym;
734  const MallocChecker &Checker;
736 
737  // Collect which entities point to the allocated memory, and could be
738  // responsible for deallocating it.
739  class OwnershipBindingsHandler : public StoreManager::BindingsHandler {
740  SymbolRef Sym;
741  OwnerSet &Owners;
742 
743  public:
744  OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners)
745  : Sym(Sym), Owners(Owners) {}
746 
747  bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region,
748  SVal Val) override {
749  if (Val.getAsSymbol() == Sym)
750  Owners.insert(Region);
751  return true;
752  }
753 
754  LLVM_DUMP_METHOD void dump() const { dumpToStream(llvm::errs()); }
755  LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &out) const {
756  out << "Owners: {\n";
757  for (const MemRegion *Owner : Owners) {
758  out << " ";
759  Owner->dumpToStream(out);
760  out << ",\n";
761  }
762  out << "}\n";
763  }
764  };
765 
766 protected:
767  OwnerSet getOwnersAtNode(const ExplodedNode *N) {
768  OwnerSet Ret;
769 
770  ProgramStateRef State = N->getState();
771  OwnershipBindingsHandler Handler{Sym, Ret};
772  State->getStateManager().getStoreManager().iterBindings(State->getStore(),
773  Handler);
774  return Ret;
775  }
776 
777  LLVM_DUMP_METHOD static std::string
778  getFunctionName(const ExplodedNode *CallEnterN) {
779  if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(
780  CallEnterN->getLocationAs<CallEnter>()->getCallExpr()))
781  if (const FunctionDecl *FD = CE->getDirectCallee())
782  return FD->getQualifiedNameAsString();
783  return "";
784  }
785 
786  /// Syntactically checks whether the callee is a deallocating function. Since
787  /// we have no path-sensitive information on this call (we would need a
788  /// CallEvent instead of a CallExpr for that), its possible that a
789  /// deallocation function was called indirectly through a function pointer,
790  /// but we are not able to tell, so this is a best effort analysis.
791  /// See namespace `memory_passed_to_fn_call_free_through_fn_ptr` in
792  /// clang/test/Analysis/NewDeleteLeaks.cpp.
793  bool isFreeingCallAsWritten(const CallExpr &Call) const {
794  if (Checker.FreeingMemFnMap.lookupAsWritten(Call) ||
795  Checker.ReallocatingMemFnMap.lookupAsWritten(Call))
796  return true;
797 
798  if (const auto *Func =
799  llvm::dyn_cast_or_null<FunctionDecl>(Call.getCalleeDecl()))
800  return MallocChecker::isFreeingOwnershipAttrCall(Func);
801 
802  return false;
803  }
804 
805  /// Heuristically guess whether the callee intended to free memory. This is
806  /// done syntactically, because we are trying to argue about alternative
807  /// paths of execution, and as a consequence we don't have path-sensitive
808  /// information.
809  bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) {
810  using namespace clang::ast_matchers;
811  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);
812 
813  // Given that the stack frame was entered, the body should always be
814  // theoretically obtainable. In case of body farms, the synthesized body
815  // is not attached to declaration, thus triggering the '!FD->hasBody()'
816  // branch. That said, would a synthesized body ever intend to handle
817  // ownership? As of today they don't. And if they did, how would we
818  // put notes inside it, given that it doesn't match any source locations?
819  if (!FD || !FD->hasBody())
820  return false;
821 
822  auto Matches = match(findAll(stmt(anyOf(cxxDeleteExpr().bind("delete"),
823  callExpr().bind("call")))),
824  *FD->getBody(), ACtx);
825  for (BoundNodes Match : Matches) {
826  if (Match.getNodeAs<CXXDeleteExpr>("delete"))
827  return true;
828 
829  if (const auto *Call = Match.getNodeAs<CallExpr>("call"))
830  if (isFreeingCallAsWritten(*Call))
831  return true;
832  }
833  // TODO: Ownership might change with an attempt to store the allocated
834  // memory, not only through deallocation. Check for attempted stores as
835  // well.
836  return false;
837  }
838 
839  bool wasModifiedInFunction(const ExplodedNode *CallEnterN,
840  const ExplodedNode *CallExitEndN) override {
841  if (!doesFnIntendToHandleOwnership(
842  CallExitEndN->getFirstPred()->getLocationContext()->getDecl(),
843  CallExitEndN->getState()->getAnalysisManager().getASTContext()))
844  return true;
845 
846  if (CallEnterN->getState()->get<RegionState>(Sym) !=
847  CallExitEndN->getState()->get<RegionState>(Sym))
848  return true;
849 
850  OwnerSet CurrOwners = getOwnersAtNode(CallEnterN);
851  OwnerSet ExitOwners = getOwnersAtNode(CallExitEndN);
852 
853  // Owners in the current set may be purged from the analyzer later on.
854  // If a variable is dead (is not referenced directly or indirectly after
855  // some point), it will be removed from the Store before the end of its
856  // actual lifetime.
857  // This means that if the ownership status didn't change, CurrOwners
858  // must be a superset of, but not necessarily equal to ExitOwners.
859  return !llvm::set_is_subset(ExitOwners, CurrOwners);
860  }
861 
862  static PathDiagnosticPieceRef emitNote(const ExplodedNode *N) {
863  PathDiagnosticLocation L = PathDiagnosticLocation::create(
864  N->getLocation(),
865  N->getState()->getStateManager().getContext().getSourceManager());
866  return std::make_shared<PathDiagnosticEventPiece>(
867  L, "Returning without deallocating memory or storing the pointer for "
868  "later deallocation");
869  }
870 
872  maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
873  const ObjCMethodCall &Call,
874  const ExplodedNode *N) override {
875  // TODO: Implement.
876  return nullptr;
877  }
878 
880  maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
881  const CXXConstructorCall &Call,
882  const ExplodedNode *N) override {
883  // TODO: Implement.
884  return nullptr;
885  }
886 
888  maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
889  const ExplodedNode *N) override {
890  // TODO: Factor the logic of "what constitutes as an entity being passed
891  // into a function call" out by reusing the code in
892  // NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating
893  // the printing technology in UninitializedObject's FieldChainInfo.
894  ArrayRef<ParmVarDecl *> Parameters = Call.parameters();
895  for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
896  SVal V = Call.getArgSVal(I);
897  if (V.getAsSymbol() == Sym)
898  return emitNote(N);
899  }
900  return nullptr;
901  }
902 
903 public:
904  NoOwnershipChangeVisitor(SymbolRef Sym, const MallocChecker *Checker)
905  : NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough), Sym(Sym),
906  Checker(*Checker) {}
907 
908  void Profile(llvm::FoldingSetNodeID &ID) const override {
909  static int Tag = 0;
910  ID.AddPointer(&Tag);
911  ID.AddPointer(Sym);
912  }
913 };
914 
915 } // end anonymous namespace
916 
917 //===----------------------------------------------------------------------===//
918 // Definition of MallocBugVisitor.
919 //===----------------------------------------------------------------------===//
920 
921 namespace {
922 /// The bug visitor which allows us to print extra diagnostics along the
923 /// BugReport path. For example, showing the allocation site of the leaked
924 /// region.
925 class MallocBugVisitor final : public BugReporterVisitor {
926 protected:
927  enum NotificationMode { Normal, ReallocationFailed };
928 
929  // The allocated region symbol tracked by the main analysis.
930  SymbolRef Sym;
931 
932  // The mode we are in, i.e. what kind of diagnostics will be emitted.
933  NotificationMode Mode;
934 
935  // A symbol from when the primary region should have been reallocated.
936  SymbolRef FailedReallocSymbol;
937 
938  // A C++ destructor stack frame in which memory was released. Used for
939  // miscellaneous false positive suppression.
940  const StackFrameContext *ReleaseDestructorLC;
941 
942  bool IsLeak;
943 
944 public:
945  MallocBugVisitor(SymbolRef S, bool isLeak = false)
946  : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
947  ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
948 
949  static void *getTag() {
950  static int Tag = 0;
951  return &Tag;
952  }
953 
954  void Profile(llvm::FoldingSetNodeID &ID) const override {
955  ID.AddPointer(getTag());
956  ID.AddPointer(Sym);
957  }
958 
959  /// Did not track -> allocated. Other state (released) -> allocated.
960  static inline bool isAllocated(const RefState *RSCurr, const RefState *RSPrev,
961  const Stmt *Stmt) {
962  return (isa_and_nonnull<CallExpr, CXXNewExpr>(Stmt) &&
963  (RSCurr &&
964  (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
965  (!RSPrev ||
966  !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
967  }
968 
969  /// Did not track -> released. Other state (allocated) -> released.
970  /// The statement associated with the release might be missing.
971  static inline bool isReleased(const RefState *RSCurr, const RefState *RSPrev,
972  const Stmt *Stmt) {
973  bool IsReleased =
974  (RSCurr && RSCurr->isReleased()) && (!RSPrev || !RSPrev->isReleased());
975  assert(!IsReleased || (isa_and_nonnull<CallExpr, CXXDeleteExpr>(Stmt)) ||
976  (!Stmt && RSCurr->getAllocationFamily() == AF_InnerBuffer));
977  return IsReleased;
978  }
979 
980  /// Did not track -> relinquished. Other state (allocated) -> relinquished.
981  static inline bool isRelinquished(const RefState *RSCurr,
982  const RefState *RSPrev, const Stmt *Stmt) {
983  return (
984  isa_and_nonnull<CallExpr, ObjCMessageExpr, ObjCPropertyRefExpr>(Stmt) &&
985  (RSCurr && RSCurr->isRelinquished()) &&
986  (!RSPrev || !RSPrev->isRelinquished()));
987  }
988 
989  /// If the expression is not a call, and the state change is
990  /// released -> allocated, it must be the realloc return value
991  /// check. If we have to handle more cases here, it might be cleaner just
992  /// to track this extra bit in the state itself.
993  static inline bool hasReallocFailed(const RefState *RSCurr,
994  const RefState *RSPrev,
995  const Stmt *Stmt) {
996  return ((!isa_and_nonnull<CallExpr>(Stmt)) &&
997  (RSCurr &&
998  (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
999  (RSPrev &&
1000  !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
1001  }
1002 
1003  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
1004  BugReporterContext &BRC,
1005  PathSensitiveBugReport &BR) override;
1006 
1007  PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
1008  const ExplodedNode *EndPathNode,
1009  PathSensitiveBugReport &BR) override {
1010  if (!IsLeak)
1011  return nullptr;
1012 
1013  PathDiagnosticLocation L = BR.getLocation();
1014  // Do not add the statement itself as a range in case of leak.
1015  return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(),
1016  false);
1017  }
1018 
1019 private:
1020  class StackHintGeneratorForReallocationFailed
1021  : public StackHintGeneratorForSymbol {
1022  public:
1023  StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
1024  : StackHintGeneratorForSymbol(S, M) {}
1025 
1026  std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) override {
1027  // Printed parameters start at 1, not 0.
1028  ++ArgIndex;
1029 
1030  SmallString<200> buf;
1031  llvm::raw_svector_ostream os(buf);
1032 
1033  os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
1034  << " parameter failed";
1035 
1036  return std::string(os.str());
1037  }
1038 
1039  std::string getMessageForReturn(const CallExpr *CallExpr) override {
1040  return "Reallocation of returned value failed";
1041  }
1042  };
1043 };
1044 } // end anonymous namespace
1045 
1046 // A map from the freed symbol to the symbol representing the return value of
1047 // the free function.
1049 
1050 namespace {
1051 class StopTrackingCallback final : public SymbolVisitor {
1053 
1054 public:
1055  StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
1056  ProgramStateRef getState() const { return state; }
1057 
1058  bool VisitSymbol(SymbolRef sym) override {
1059  state = state->remove<RegionState>(sym);
1060  return true;
1061  }
1062 };
1063 } // end anonymous namespace
1064 
1065 static bool isStandardNewDelete(const FunctionDecl *FD) {
1066  if (!FD)
1067  return false;
1068 
1070  if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete &&
1071  Kind != OO_Array_Delete)
1072  return false;
1073 
1074  // This is standard if and only if it's not defined in a user file.
1075  SourceLocation L = FD->getLocation();
1076  // If the header for operator delete is not included, it's still defined
1077  // in an invalid source location. Check to make sure we don't crash.
1078  return !L.isValid() ||
1080 }
1081 
1082 //===----------------------------------------------------------------------===//
1083 // Methods of MallocChecker and MallocBugVisitor.
1084 //===----------------------------------------------------------------------===//
1085 
1086 bool MallocChecker::isFreeingOwnershipAttrCall(const FunctionDecl *Func) {
1087  if (Func->hasAttrs()) {
1088  for (const auto *I : Func->specific_attrs<OwnershipAttr>()) {
1089  OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
1090  if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds)
1091  return true;
1092  }
1093  }
1094  return false;
1095 }
1096 
1097 bool MallocChecker::isFreeingCall(const CallEvent &Call) const {
1098  if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call))
1099  return true;
1100 
1101  if (const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl()))
1102  return isFreeingOwnershipAttrCall(Func);
1103 
1104  return false;
1105 }
1106 
1107 bool MallocChecker::isMemCall(const CallEvent &Call) const {
1108  if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) ||
1109  ReallocatingMemFnMap.lookup(Call))
1110  return true;
1111 
1112  if (!ShouldIncludeOwnershipAnnotatedFunctions)
1113  return false;
1114 
1115  const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());
1116  return Func && Func->hasAttr<OwnershipAttr>();
1117 }
1118 
1120 MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
1121  const ProgramStateRef &State) const {
1122  // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
1123  //
1124  // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
1125  //
1126  // One of the possible flags is M_ZERO, which means 'give me back an
1127  // allocation which is already zeroed', like calloc.
1128 
1129  // 2-argument kmalloc(), as used in the Linux kernel:
1130  //
1131  // void *kmalloc(size_t size, gfp_t flags);
1132  //
1133  // Has the similar flag value __GFP_ZERO.
1134 
1135  // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
1136  // code could be shared.
1137 
1138  ASTContext &Ctx = C.getASTContext();
1139  llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
1140 
1141  if (!KernelZeroFlagVal) {
1142  if (OS == llvm::Triple::FreeBSD)
1143  KernelZeroFlagVal = 0x0100;
1144  else if (OS == llvm::Triple::NetBSD)
1145  KernelZeroFlagVal = 0x0002;
1146  else if (OS == llvm::Triple::OpenBSD)
1147  KernelZeroFlagVal = 0x0008;
1148  else if (OS == llvm::Triple::Linux)
1149  // __GFP_ZERO
1150  KernelZeroFlagVal = 0x8000;
1151  else
1152  // FIXME: We need a more general way of getting the M_ZERO value.
1153  // See also: O_CREAT in UnixAPIChecker.cpp.
1154 
1155  // Fall back to normal malloc behavior on platforms where we don't
1156  // know M_ZERO.
1157  return None;
1158  }
1159 
1160  // We treat the last argument as the flags argument, and callers fall-back to
1161  // normal malloc on a None return. This works for the FreeBSD kernel malloc
1162  // as well as Linux kmalloc.
1163  if (Call.getNumArgs() < 2)
1164  return None;
1165 
1166  const Expr *FlagsEx = Call.getArgExpr(Call.getNumArgs() - 1);
1167  const SVal V = C.getSVal(FlagsEx);
1168  if (!isa<NonLoc>(V)) {
1169  // The case where 'V' can be a location can only be due to a bad header,
1170  // so in this case bail out.
1171  return None;
1172  }
1173 
1174  NonLoc Flags = V.castAs<NonLoc>();
1175  NonLoc ZeroFlag =
1176  C.getSValBuilder()
1177  .makeIntVal(KernelZeroFlagVal.value(), FlagsEx->getType())
1178  .castAs<NonLoc>();
1179  SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And,
1180  Flags, ZeroFlag,
1181  FlagsEx->getType());
1182  if (MaskedFlagsUC.isUnknownOrUndef())
1183  return None;
1184  DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
1185 
1186  // Check if maskedFlags is non-zero.
1187  ProgramStateRef TrueState, FalseState;
1188  std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
1189 
1190  // If M_ZERO is set, treat this like calloc (initialized).
1191  if (TrueState && !FalseState) {
1192  SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
1193  return MallocMemAux(C, Call, Call.getArgExpr(0), ZeroVal, TrueState,
1194  AF_Malloc);
1195  }
1196 
1197  return None;
1198 }
1199 
1200 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
1201  const Expr *BlockBytes) {
1202  SValBuilder &SB = C.getSValBuilder();
1203  SVal BlocksVal = C.getSVal(Blocks);
1204  SVal BlockBytesVal = C.getSVal(BlockBytes);
1205  ProgramStateRef State = C.getState();
1206  SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
1207  SB.getContext().getSizeType());
1208  return TotalSize;
1209 }
1210 
1211 void MallocChecker::checkBasicAlloc(const CallEvent &Call,
1212  CheckerContext &C) const {
1213  ProgramStateRef State = C.getState();
1214  State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
1215  AF_Malloc);
1216  State = ProcessZeroAllocCheck(Call, 0, State);
1217  C.addTransition(State);
1218 }
1219 
1220 void MallocChecker::checkKernelMalloc(const CallEvent &Call,
1221  CheckerContext &C) const {
1222  ProgramStateRef State = C.getState();
1223  llvm::Optional<ProgramStateRef> MaybeState =
1224  performKernelMalloc(Call, C, State);
1225  if (MaybeState)
1226  State = MaybeState.value();
1227  else
1228  State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
1229  AF_Malloc);
1230  C.addTransition(State);
1231 }
1232 
1233 static bool isStandardRealloc(const CallEvent &Call) {
1234  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
1235  assert(FD);
1236  ASTContext &AC = FD->getASTContext();
1237 
1238  if (isa<CXXMethodDecl>(FD))
1239  return false;
1240 
1241  return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
1242  FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1243  FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
1244  AC.getSizeType();
1245 }
1246 
1247 static bool isGRealloc(const CallEvent &Call) {
1248  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
1249  assert(FD);
1250  ASTContext &AC = FD->getASTContext();
1251 
1252  if (isa<CXXMethodDecl>(FD))
1253  return false;
1254 
1255  return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
1256  FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1257  FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
1258  AC.UnsignedLongTy;
1259 }
1260 
1261 void MallocChecker::checkRealloc(const CallEvent &Call, CheckerContext &C,
1262  bool ShouldFreeOnFail) const {
1263  // HACK: CallDescription currently recognizes non-standard realloc functions
1264  // as standard because it doesn't check the type, or wether its a non-method
1265  // function. This should be solved by making CallDescription smarter.
1266  // Mind that this came from a bug report, and all other functions suffer from
1267  // this.
1268  // https://bugs.llvm.org/show_bug.cgi?id=46253
1269  if (!isStandardRealloc(Call) && !isGRealloc(Call))
1270  return;
1271  ProgramStateRef State = C.getState();
1272  State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, AF_Malloc);
1273  State = ProcessZeroAllocCheck(Call, 1, State);
1274  C.addTransition(State);
1275 }
1276 
1277 void MallocChecker::checkCalloc(const CallEvent &Call,
1278  CheckerContext &C) const {
1279  ProgramStateRef State = C.getState();
1280  State = CallocMem(C, Call, State);
1281  State = ProcessZeroAllocCheck(Call, 0, State);
1282  State = ProcessZeroAllocCheck(Call, 1, State);
1283  C.addTransition(State);
1284 }
1285 
1286 void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const {
1287  ProgramStateRef State = C.getState();
1288  bool IsKnownToBeAllocatedMemory = false;
1289  if (suppressDeallocationsInSuspiciousContexts(Call, C))
1290  return;
1291  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1292  AF_Malloc);
1293  C.addTransition(State);
1294 }
1295 
1296 void MallocChecker::checkAlloca(const CallEvent &Call,
1297  CheckerContext &C) const {
1298  ProgramStateRef State = C.getState();
1299  State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
1300  AF_Alloca);
1301  State = ProcessZeroAllocCheck(Call, 0, State);
1302  C.addTransition(State);
1303 }
1304 
1305 void MallocChecker::checkStrdup(const CallEvent &Call,
1306  CheckerContext &C) const {
1307  ProgramStateRef State = C.getState();
1308  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1309  if (!CE)
1310  return;
1311  State = MallocUpdateRefState(C, CE, State, AF_Malloc);
1312 
1313  C.addTransition(State);
1314 }
1315 
1316 void MallocChecker::checkIfNameIndex(const CallEvent &Call,
1317  CheckerContext &C) const {
1318  ProgramStateRef State = C.getState();
1319  // Should we model this differently? We can allocate a fixed number of
1320  // elements with zeros in the last one.
1321  State =
1322  MallocMemAux(C, Call, UnknownVal(), UnknownVal(), State, AF_IfNameIndex);
1323 
1324  C.addTransition(State);
1325 }
1326 
1327 void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call,
1328  CheckerContext &C) const {
1329  ProgramStateRef State = C.getState();
1330  bool IsKnownToBeAllocatedMemory = false;
1331  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1332  AF_IfNameIndex);
1333  C.addTransition(State);
1334 }
1335 
1336 void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call,
1337  CheckerContext &C) const {
1338  ProgramStateRef State = C.getState();
1339  bool IsKnownToBeAllocatedMemory = false;
1340  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1341  if (!CE)
1342  return;
1343 
1344  assert(isStandardNewDelete(Call));
1345 
1346  // Process direct calls to operator new/new[]/delete/delete[] functions
1347  // as distinct from new/new[]/delete/delete[] expressions that are
1348  // processed by the checkPostStmt callbacks for CXXNewExpr and
1349  // CXXDeleteExpr.
1350  const FunctionDecl *FD = C.getCalleeDecl(CE);
1351  switch (FD->getOverloadedOperator()) {
1352  case OO_New:
1353  State =
1354  MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, AF_CXXNew);
1355  State = ProcessZeroAllocCheck(Call, 0, State);
1356  break;
1357  case OO_Array_New:
1358  State = MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State,
1359  AF_CXXNewArray);
1360  State = ProcessZeroAllocCheck(Call, 0, State);
1361  break;
1362  case OO_Delete:
1363  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1364  AF_CXXNew);
1365  break;
1366  case OO_Array_Delete:
1367  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1368  AF_CXXNewArray);
1369  break;
1370  default:
1371  llvm_unreachable("not a new/delete operator");
1372  }
1373 
1374  C.addTransition(State);
1375 }
1376 
1377 void MallocChecker::checkGMalloc0(const CallEvent &Call,
1378  CheckerContext &C) const {
1379  ProgramStateRef State = C.getState();
1380  SValBuilder &svalBuilder = C.getSValBuilder();
1381  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
1382  State = MallocMemAux(C, Call, Call.getArgExpr(0), zeroVal, State, AF_Malloc);
1383  State = ProcessZeroAllocCheck(Call, 0, State);
1384  C.addTransition(State);
1385 }
1386 
1387 void MallocChecker::checkGMemdup(const CallEvent &Call,
1388  CheckerContext &C) const {
1389  ProgramStateRef State = C.getState();
1390  State =
1391  MallocMemAux(C, Call, Call.getArgExpr(1), UnknownVal(), State, AF_Malloc);
1392  State = ProcessZeroAllocCheck(Call, 1, State);
1393  C.addTransition(State);
1394 }
1395 
1396 void MallocChecker::checkGMallocN(const CallEvent &Call,
1397  CheckerContext &C) const {
1398  ProgramStateRef State = C.getState();
1399  SVal Init = UndefinedVal();
1400  SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
1401  State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc);
1402  State = ProcessZeroAllocCheck(Call, 0, State);
1403  State = ProcessZeroAllocCheck(Call, 1, State);
1404  C.addTransition(State);
1405 }
1406 
1407 void MallocChecker::checkGMallocN0(const CallEvent &Call,
1408  CheckerContext &C) const {
1409  ProgramStateRef State = C.getState();
1410  SValBuilder &SB = C.getSValBuilder();
1411  SVal Init = SB.makeZeroVal(SB.getContext().CharTy);
1412  SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
1413  State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc);
1414  State = ProcessZeroAllocCheck(Call, 0, State);
1415  State = ProcessZeroAllocCheck(Call, 1, State);
1416  C.addTransition(State);
1417 }
1418 
1419 void MallocChecker::checkReallocN(const CallEvent &Call,
1420  CheckerContext &C) const {
1421  ProgramStateRef State = C.getState();
1422  State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, AF_Malloc,
1423  /*SuffixWithN=*/true);
1424  State = ProcessZeroAllocCheck(Call, 1, State);
1425  State = ProcessZeroAllocCheck(Call, 2, State);
1426  C.addTransition(State);
1427 }
1428 
1429 void MallocChecker::checkOwnershipAttr(const CallEvent &Call,
1430  CheckerContext &C) const {
1431  ProgramStateRef State = C.getState();
1432  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1433  if (!CE)
1434  return;
1435  const FunctionDecl *FD = C.getCalleeDecl(CE);
1436  if (!FD)
1437  return;
1438  if (ShouldIncludeOwnershipAnnotatedFunctions ||
1439  ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
1440  // Check all the attributes, if there are any.
1441  // There can be multiple of these attributes.
1442  if (FD->hasAttrs())
1443  for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
1444  switch (I->getOwnKind()) {
1445  case OwnershipAttr::Returns:
1446  State = MallocMemReturnsAttr(C, Call, I, State);
1447  break;
1448  case OwnershipAttr::Takes:
1449  case OwnershipAttr::Holds:
1450  State = FreeMemAttr(C, Call, I, State);
1451  break;
1452  }
1453  }
1454  }
1455  C.addTransition(State);
1456 }
1457 
1458 void MallocChecker::checkPostCall(const CallEvent &Call,
1459  CheckerContext &C) const {
1460  if (C.wasInlined)
1461  return;
1462  if (!Call.getOriginExpr())
1463  return;
1464 
1465  ProgramStateRef State = C.getState();
1466 
1467  if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) {
1468  (*Callback)(this, Call, C);
1469  return;
1470  }
1471 
1472  if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) {
1473  (*Callback)(this, Call, C);
1474  return;
1475  }
1476 
1477  if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) {
1478  (*Callback)(this, Call, C);
1479  return;
1480  }
1481 
1482  if (isStandardNewDelete(Call)) {
1483  checkCXXNewOrCXXDelete(Call, C);
1484  return;
1485  }
1486 
1487  checkOwnershipAttr(Call, C);
1488 }
1489 
1490 // Performs a 0-sized allocations check.
1491 ProgramStateRef MallocChecker::ProcessZeroAllocCheck(
1492  const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State,
1493  Optional<SVal> RetVal) {
1494  if (!State)
1495  return nullptr;
1496 
1497  if (!RetVal)
1498  RetVal = Call.getReturnValue();
1499 
1500  const Expr *Arg = nullptr;
1501 
1502  if (const CallExpr *CE = dyn_cast<CallExpr>(Call.getOriginExpr())) {
1503  Arg = CE->getArg(IndexOfSizeArg);
1504  } else if (const CXXNewExpr *NE =
1505  dyn_cast<CXXNewExpr>(Call.getOriginExpr())) {
1506  if (NE->isArray()) {
1507  Arg = *NE->getArraySize();
1508  } else {
1509  return State;
1510  }
1511  } else
1512  llvm_unreachable("not a CallExpr or CXXNewExpr");
1513 
1514  assert(Arg);
1515 
1516  auto DefArgVal =
1517  State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>();
1518 
1519  if (!DefArgVal)
1520  return State;
1521 
1522  // Check if the allocation size is 0.
1523  ProgramStateRef TrueState, FalseState;
1524  SValBuilder &SvalBuilder = State->getStateManager().getSValBuilder();
1525  DefinedSVal Zero =
1526  SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
1527 
1528  std::tie(TrueState, FalseState) =
1529  State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1530 
1531  if (TrueState && !FalseState) {
1532  SymbolRef Sym = RetVal->getAsLocSymbol();
1533  if (!Sym)
1534  return State;
1535 
1536  const RefState *RS = State->get<RegionState>(Sym);
1537  if (RS) {
1538  if (RS->isAllocated())
1539  return TrueState->set<RegionState>(Sym,
1540  RefState::getAllocatedOfSizeZero(RS));
1541  else
1542  return State;
1543  } else {
1544  // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1545  // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1546  // tracked. Add zero-reallocated Sym to the state to catch references
1547  // to zero-allocated memory.
1548  return TrueState->add<ReallocSizeZeroSymbols>(Sym);
1549  }
1550  }
1551 
1552  // Assume the value is non-zero going forward.
1553  assert(FalseState);
1554  return FalseState;
1555 }
1556 
1558  QualType Result = T, PointeeType = T->getPointeeType();
1559  while (!PointeeType.isNull()) {
1560  Result = PointeeType;
1561  PointeeType = PointeeType->getPointeeType();
1562  }
1563  return Result;
1564 }
1565 
1566 /// \returns true if the constructor invoked by \p NE has an argument of a
1567 /// pointer/reference to a record type.
1569 
1570  const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1571  if (!ConstructE)
1572  return false;
1573 
1574  if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1575  return false;
1576 
1577  const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1578 
1579  // Iterate over the constructor parameters.
1580  for (const auto *CtorParam : CtorD->parameters()) {
1581 
1582  QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1583  if (CtorParamPointeeT.isNull())
1584  continue;
1585 
1586  CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1587 
1588  if (CtorParamPointeeT->getAsCXXRecordDecl())
1589  return true;
1590  }
1591 
1592  return false;
1593 }
1594 
1596 MallocChecker::processNewAllocation(const CXXAllocatorCall &Call,
1597  CheckerContext &C,
1598  AllocationFamily Family) const {
1599  if (!isStandardNewDelete(Call))
1600  return nullptr;
1601 
1602  const CXXNewExpr *NE = Call.getOriginExpr();
1603  const ParentMap &PM = C.getLocationContext()->getParentMap();
1604  ProgramStateRef State = C.getState();
1605 
1606  // Non-trivial constructors have a chance to escape 'this', but marking all
1607  // invocations of trivial constructors as escaped would cause too great of
1608  // reduction of true positives, so let's just do that for constructors that
1609  // have an argument of a pointer-to-record type.
1611  return State;
1612 
1613  // The return value from operator new is bound to a specified initialization
1614  // value (if any) and we don't want to loose this value. So we call
1615  // MallocUpdateRefState() instead of MallocMemAux() which breaks the
1616  // existing binding.
1617  SVal Target = Call.getObjectUnderConstruction();
1618  State = MallocUpdateRefState(C, NE, State, Family, Target);
1619  State = ProcessZeroAllocCheck(Call, 0, State, Target);
1620  return State;
1621 }
1622 
1623 void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call,
1624  CheckerContext &C) const {
1625  if (!C.wasInlined) {
1626  ProgramStateRef State = processNewAllocation(
1627  Call, C,
1628  (Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew));
1629  C.addTransition(State);
1630  }
1631 }
1632 
1633 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
1634  // If the first selector piece is one of the names below, assume that the
1635  // object takes ownership of the memory, promising to eventually deallocate it
1636  // with free().
1637  // Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1638  // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1639  StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
1640  return FirstSlot == "dataWithBytesNoCopy" ||
1641  FirstSlot == "initWithBytesNoCopy" ||
1642  FirstSlot == "initWithCharactersNoCopy";
1643 }
1644 
1645 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) {
1646  Selector S = Call.getSelector();
1647 
1648  // FIXME: We should not rely on fully-constrained symbols being folded.
1649  for (unsigned i = 1; i < S.getNumArgs(); ++i)
1650  if (S.getNameForSlot(i).equals("freeWhenDone"))
1651  return !Call.getArgSVal(i).isZeroConstant();
1652 
1653  return None;
1654 }
1655 
1656 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1657  CheckerContext &C) const {
1658  if (C.wasInlined)
1659  return;
1660 
1661  if (!isKnownDeallocObjCMethodName(Call))
1662  return;
1663 
1664  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1665  if (!*FreeWhenDone)
1666  return;
1667 
1668  if (Call.hasNonZeroCallbackArg())
1669  return;
1670 
1671  bool IsKnownToBeAllocatedMemory;
1673  FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(),
1674  /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc,
1675  /*ReturnsNullOnFailure=*/true);
1676 
1677  C.addTransition(State);
1678 }
1679 
1681 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
1682  const OwnershipAttr *Att,
1683  ProgramStateRef State) const {
1684  if (!State)
1685  return nullptr;
1686 
1687  if (Att->getModule()->getName() != "malloc")
1688  return nullptr;
1689 
1690  OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
1691  if (I != E) {
1692  return MallocMemAux(C, Call, Call.getArgExpr(I->getASTIndex()),
1693  UndefinedVal(), State, AF_Malloc);
1694  }
1695  return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, AF_Malloc);
1696 }
1697 
1698 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1699  const CallEvent &Call,
1700  const Expr *SizeEx, SVal Init,
1702  AllocationFamily Family) {
1703  if (!State)
1704  return nullptr;
1705 
1706  assert(SizeEx);
1707  return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family);
1708 }
1709 
1710 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1711  const CallEvent &Call, SVal Size,
1712  SVal Init, ProgramStateRef State,
1713  AllocationFamily Family) {
1714  if (!State)
1715  return nullptr;
1716 
1717  const Expr *CE = Call.getOriginExpr();
1718 
1719  // We expect the malloc functions to return a pointer.
1720  if (!Loc::isLocType(CE->getType()))
1721  return nullptr;
1722 
1723  // Bind the return value to the symbolic value from the heap region.
1724  // TODO: We could rewrite post visit to eval call; 'malloc' does not have
1725  // side effects other than what we model here.
1726  unsigned Count = C.blockCount();
1727  SValBuilder &svalBuilder = C.getSValBuilder();
1728  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1729  DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
1730  .castAs<DefinedSVal>();
1731  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1732 
1733  // Fill the region with the initialization value.
1734  State = State->bindDefaultInitial(RetVal, Init, LCtx);
1735 
1736  // If Size is somehow undefined at this point, this line prevents a crash.
1737  if (Size.isUndef())
1738  Size = UnknownVal();
1739 
1740  // Set the region's extent.
1741  State = setDynamicExtent(State, RetVal.getAsRegion(),
1742  Size.castAs<DefinedOrUnknownSVal>(), svalBuilder);
1743 
1744  return MallocUpdateRefState(C, CE, State, Family);
1745 }
1746 
1747 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
1749  AllocationFamily Family,
1750  Optional<SVal> RetVal) {
1751  if (!State)
1752  return nullptr;
1753 
1754  // Get the return value.
1755  if (!RetVal)
1756  RetVal = C.getSVal(E);
1757 
1758  // We expect the malloc functions to return a pointer.
1759  if (!RetVal->getAs<Loc>())
1760  return nullptr;
1761 
1762  SymbolRef Sym = RetVal->getAsLocSymbol();
1763  // This is a return value of a function that was not inlined, such as malloc()
1764  // or new(). We've checked that in the caller. Therefore, it must be a symbol.
1765  assert(Sym);
1766 
1767  // Set the symbol's state to Allocated.
1768  return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1769 }
1770 
1771 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1772  const CallEvent &Call,
1773  const OwnershipAttr *Att,
1774  ProgramStateRef State) const {
1775  if (!State)
1776  return nullptr;
1777 
1778  if (Att->getModule()->getName() != "malloc")
1779  return nullptr;
1780 
1781  bool IsKnownToBeAllocated = false;
1782 
1783  for (const auto &Arg : Att->args()) {
1784  ProgramStateRef StateI =
1785  FreeMemAux(C, Call, State, Arg.getASTIndex(),
1786  Att->getOwnKind() == OwnershipAttr::Holds,
1787  IsKnownToBeAllocated, AF_Malloc);
1788  if (StateI)
1789  State = StateI;
1790  }
1791  return State;
1792 }
1793 
1794 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1795  const CallEvent &Call,
1796  ProgramStateRef State, unsigned Num,
1797  bool Hold, bool &IsKnownToBeAllocated,
1798  AllocationFamily Family,
1799  bool ReturnsNullOnFailure) const {
1800  if (!State)
1801  return nullptr;
1802 
1803  if (Call.getNumArgs() < (Num + 1))
1804  return nullptr;
1805 
1806  return FreeMemAux(C, Call.getArgExpr(Num), Call, State, Hold,
1807  IsKnownToBeAllocated, Family, ReturnsNullOnFailure);
1808 }
1809 
1810 /// Checks if the previous call to free on the given symbol failed - if free
1811 /// failed, returns true. Also, returns the corresponding return value symbol.
1813  SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1814  const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
1815  if (Ret) {
1816  assert(*Ret && "We should not store the null return symbol");
1817  ConstraintManager &CMgr = State->getConstraintManager();
1818  ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
1819  RetStatusSymbol = *Ret;
1820  return FreeFailed.isConstrainedTrue();
1821  }
1822  return false;
1823 }
1824 
1825 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E) {
1826  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
1827  // FIXME: This doesn't handle indirect calls.
1828  const FunctionDecl *FD = CE->getDirectCallee();
1829  if (!FD)
1830  return false;
1831 
1832  os << *FD;
1833  if (!FD->isOverloadedOperator())
1834  os << "()";
1835  return true;
1836  }
1837 
1838  if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) {
1839  if (Msg->isInstanceMessage())
1840  os << "-";
1841  else
1842  os << "+";
1843  Msg->getSelector().print(os);
1844  return true;
1845  }
1846 
1847  if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
1848  os << "'"
1849  << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator())
1850  << "'";
1851  return true;
1852  }
1853 
1854  if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) {
1855  os << "'"
1856  << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator())
1857  << "'";
1858  return true;
1859  }
1860 
1861  return false;
1862 }
1863 
1864 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family) {
1865 
1866  switch(Family) {
1867  case AF_Malloc: os << "malloc()"; return;
1868  case AF_CXXNew: os << "'new'"; return;
1869  case AF_CXXNewArray: os << "'new[]'"; return;
1870  case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1871  case AF_InnerBuffer: os << "container-specific allocator"; return;
1872  case AF_Alloca:
1873  case AF_None: llvm_unreachable("not a deallocation expression");
1874  }
1875 }
1876 
1877 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) {
1878  switch(Family) {
1879  case AF_Malloc: os << "free()"; return;
1880  case AF_CXXNew: os << "'delete'"; return;
1881  case AF_CXXNewArray: os << "'delete[]'"; return;
1882  case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1883  case AF_InnerBuffer: os << "container-specific deallocator"; return;
1884  case AF_Alloca:
1885  case AF_None: llvm_unreachable("suspicious argument");
1886  }
1887 }
1888 
1889 ProgramStateRef MallocChecker::FreeMemAux(
1890  CheckerContext &C, const Expr *ArgExpr, const CallEvent &Call,
1891  ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated,
1892  AllocationFamily Family, bool ReturnsNullOnFailure) const {
1893 
1894  if (!State)
1895  return nullptr;
1896 
1897  SVal ArgVal = C.getSVal(ArgExpr);
1898  if (!isa<DefinedOrUnknownSVal>(ArgVal))
1899  return nullptr;
1900  DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1901 
1902  // Check for null dereferences.
1903  if (!isa<Loc>(location))
1904  return nullptr;
1905 
1906  // The explicit NULL case, no operation is performed.
1907  ProgramStateRef notNullState, nullState;
1908  std::tie(notNullState, nullState) = State->assume(location);
1909  if (nullState && !notNullState)
1910  return nullptr;
1911 
1912  // Unknown values could easily be okay
1913  // Undefined values are handled elsewhere
1914  if (ArgVal.isUnknownOrUndef())
1915  return nullptr;
1916 
1917  const MemRegion *R = ArgVal.getAsRegion();
1918  const Expr *ParentExpr = Call.getOriginExpr();
1919 
1920  // NOTE: We detected a bug, but the checker under whose name we would emit the
1921  // error could be disabled. Generally speaking, the MallocChecker family is an
1922  // integral part of the Static Analyzer, and disabling any part of it should
1923  // only be done under exceptional circumstances, such as frequent false
1924  // positives. If this is the case, we can reasonably believe that there are
1925  // serious faults in our understanding of the source code, and even if we
1926  // don't emit an warning, we should terminate further analysis with a sink
1927  // node.
1928 
1929  // Nonlocs can't be freed, of course.
1930  // Non-region locations (labels and fixed addresses) also shouldn't be freed.
1931  if (!R) {
1932  // Exception:
1933  // If the macro ZERO_SIZE_PTR is defined, this could be a kernel source
1934  // code. In that case, the ZERO_SIZE_PTR defines a special value used for a
1935  // zero-sized memory block which is allowed to be freed, despite not being a
1936  // null pointer.
1937  if (Family != AF_Malloc || !isArgZERO_SIZE_PTR(State, C, ArgVal))
1938  HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1939  Family);
1940  return nullptr;
1941  }
1942 
1943  R = R->StripCasts();
1944 
1945  // Blocks might show up as heap data, but should not be free()d
1946  if (isa<BlockDataRegion>(R)) {
1947  HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1948  Family);
1949  return nullptr;
1950  }
1951 
1952  const MemSpaceRegion *MS = R->getMemorySpace();
1953 
1954  // Parameters, locals, statics, globals, and memory returned by
1955  // __builtin_alloca() shouldn't be freed.
1956  if (!isa<UnknownSpaceRegion, HeapSpaceRegion>(MS)) {
1957  // FIXME: at the time this code was written, malloc() regions were
1958  // represented by conjured symbols, which are all in UnknownSpaceRegion.
1959  // This means that there isn't actually anything from HeapSpaceRegion
1960  // that should be freed, even though we allow it here.
1961  // Of course, free() can work on memory allocated outside the current
1962  // function, so UnknownSpaceRegion is always a possibility.
1963  // False negatives are better than false positives.
1964 
1965  if (isa<AllocaRegion>(R))
1966  HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1967  else
1968  HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1969  Family);
1970 
1971  return nullptr;
1972  }
1973 
1974  const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
1975  // Various cases could lead to non-symbol values here.
1976  // For now, ignore them.
1977  if (!SrBase)
1978  return nullptr;
1979 
1980  SymbolRef SymBase = SrBase->getSymbol();
1981  const RefState *RsBase = State->get<RegionState>(SymBase);
1982  SymbolRef PreviousRetStatusSymbol = nullptr;
1983 
1984  IsKnownToBeAllocated =
1985  RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero());
1986 
1987  if (RsBase) {
1988 
1989  // Memory returned by alloca() shouldn't be freed.
1990  if (RsBase->getAllocationFamily() == AF_Alloca) {
1991  HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1992  return nullptr;
1993  }
1994 
1995  // Check for double free first.
1996  if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
1997  !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
1998  HandleDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
1999  SymBase, PreviousRetStatusSymbol);
2000  return nullptr;
2001 
2002  // If the pointer is allocated or escaped, but we are now trying to free it,
2003  // check that the call to free is proper.
2004  } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
2005  RsBase->isEscaped()) {
2006 
2007  // Check if an expected deallocation function matches the real one.
2008  bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family;
2009  if (!DeallocMatchesAlloc) {
2010  HandleMismatchedDealloc(C, ArgExpr->getSourceRange(), ParentExpr,
2011  RsBase, SymBase, Hold);
2012  return nullptr;
2013  }
2014 
2015  // Check if the memory location being freed is the actual location
2016  // allocated, or an offset.
2017  RegionOffset Offset = R->getAsOffset();
2018  if (Offset.isValid() &&
2019  !Offset.hasSymbolicOffset() &&
2020  Offset.getOffset() != 0) {
2021  const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
2022  HandleOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
2023  Family, AllocExpr);
2024  return nullptr;
2025  }
2026  }
2027  }
2028 
2029  if (SymBase->getType()->isFunctionPointerType()) {
2030  HandleFunctionPtrFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
2031  Family);
2032  return nullptr;
2033  }
2034 
2035  // Clean out the info on previous call to free return info.
2036  State = State->remove<FreeReturnValue>(SymBase);
2037 
2038  // Keep track of the return value. If it is NULL, we will know that free
2039  // failed.
2040  if (ReturnsNullOnFailure) {
2041  SVal RetVal = C.getSVal(ParentExpr);
2042  SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
2043  if (RetStatusSymbol) {
2044  C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
2045  State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
2046  }
2047  }
2048 
2049  // If we don't know anything about this symbol, a free on it may be totally
2050  // valid. If this is the case, lets assume that the allocation family of the
2051  // freeing function is the same as the symbols allocation family, and go with
2052  // that.
2053  assert(!RsBase || (RsBase && RsBase->getAllocationFamily() == Family));
2054 
2055  // Normal free.
2056  if (Hold)
2057  return State->set<RegionState>(SymBase,
2058  RefState::getRelinquished(Family,
2059  ParentExpr));
2060 
2061  return State->set<RegionState>(SymBase,
2062  RefState::getReleased(Family, ParentExpr));
2063 }
2064 
2066 MallocChecker::getCheckIfTracked(AllocationFamily Family,
2067  bool IsALeakCheck) const {
2068  switch (Family) {
2069  case AF_Malloc:
2070  case AF_Alloca:
2071  case AF_IfNameIndex: {
2072  if (ChecksEnabled[CK_MallocChecker])
2073  return CK_MallocChecker;
2074  return None;
2075  }
2076  case AF_CXXNew:
2077  case AF_CXXNewArray: {
2078  if (IsALeakCheck) {
2079  if (ChecksEnabled[CK_NewDeleteLeaksChecker])
2080  return CK_NewDeleteLeaksChecker;
2081  }
2082  else {
2083  if (ChecksEnabled[CK_NewDeleteChecker])
2084  return CK_NewDeleteChecker;
2085  }
2086  return None;
2087  }
2088  case AF_InnerBuffer: {
2089  if (ChecksEnabled[CK_InnerPointerChecker])
2090  return CK_InnerPointerChecker;
2091  return None;
2092  }
2093  case AF_None: {
2094  llvm_unreachable("no family");
2095  }
2096  }
2097  llvm_unreachable("unhandled family");
2098 }
2099 
2101 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
2102  bool IsALeakCheck) const {
2103  if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
2104  return CK_MallocChecker;
2105 
2106  const RefState *RS = C.getState()->get<RegionState>(Sym);
2107  assert(RS);
2108  return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
2109 }
2110 
2111 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
2112  if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
2113  os << "an integer (" << IntVal->getValue() << ")";
2114  else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
2115  os << "a constant address (" << ConstAddr->getValue() << ")";
2116  else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
2117  os << "the address of the label '" << Label->getLabel()->getName() << "'";
2118  else
2119  return false;
2120 
2121  return true;
2122 }
2123 
2124 bool MallocChecker::SummarizeRegion(raw_ostream &os,
2125  const MemRegion *MR) {
2126  switch (MR->getKind()) {
2127  case MemRegion::FunctionCodeRegionKind: {
2128  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
2129  if (FD)
2130  os << "the address of the function '" << *FD << '\'';
2131  else
2132  os << "the address of a function";
2133  return true;
2134  }
2135  case MemRegion::BlockCodeRegionKind:
2136  os << "block text";
2137  return true;
2138  case MemRegion::BlockDataRegionKind:
2139  // FIXME: where the block came from?
2140  os << "a block";
2141  return true;
2142  default: {
2143  const MemSpaceRegion *MS = MR->getMemorySpace();
2144 
2145  if (isa<StackLocalsSpaceRegion>(MS)) {
2146  const VarRegion *VR = dyn_cast<VarRegion>(MR);
2147  const VarDecl *VD;
2148  if (VR)
2149  VD = VR->getDecl();
2150  else
2151  VD = nullptr;
2152 
2153  if (VD)
2154  os << "the address of the local variable '" << VD->getName() << "'";
2155  else
2156  os << "the address of a local stack variable";
2157  return true;
2158  }
2159 
2160  if (isa<StackArgumentsSpaceRegion>(MS)) {
2161  const VarRegion *VR = dyn_cast<VarRegion>(MR);
2162  const VarDecl *VD;
2163  if (VR)
2164  VD = VR->getDecl();
2165  else
2166  VD = nullptr;
2167 
2168  if (VD)
2169  os << "the address of the parameter '" << VD->getName() << "'";
2170  else
2171  os << "the address of a parameter";
2172  return true;
2173  }
2174 
2175  if (isa<GlobalsSpaceRegion>(MS)) {
2176  const VarRegion *VR = dyn_cast<VarRegion>(MR);
2177  const VarDecl *VD;
2178  if (VR)
2179  VD = VR->getDecl();
2180  else
2181  VD = nullptr;
2182 
2183  if (VD) {
2184  if (VD->isStaticLocal())
2185  os << "the address of the static variable '" << VD->getName() << "'";
2186  else
2187  os << "the address of the global variable '" << VD->getName() << "'";
2188  } else
2189  os << "the address of a global variable";
2190  return true;
2191  }
2192 
2193  return false;
2194  }
2195  }
2196 }
2197 
2198 void MallocChecker::HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal,
2199  SourceRange Range,
2200  const Expr *DeallocExpr,
2201  AllocationFamily Family) const {
2202 
2203  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2204  C.addSink();
2205  return;
2206  }
2207 
2208  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2209  if (!CheckKind)
2210  return;
2211 
2212  if (ExplodedNode *N = C.generateErrorNode()) {
2213  if (!BT_BadFree[*CheckKind])
2214  BT_BadFree[*CheckKind].reset(new BugType(
2215  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2216 
2217  SmallString<100> buf;
2218  llvm::raw_svector_ostream os(buf);
2219 
2220  const MemRegion *MR = ArgVal.getAsRegion();
2221  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2222  MR = ER->getSuperRegion();
2223 
2224  os << "Argument to ";
2225  if (!printMemFnName(os, C, DeallocExpr))
2226  os << "deallocator";
2227 
2228  os << " is ";
2229  bool Summarized = MR ? SummarizeRegion(os, MR)
2230  : SummarizeValue(os, ArgVal);
2231  if (Summarized)
2232  os << ", which is not memory allocated by ";
2233  else
2234  os << "not memory allocated by ";
2235 
2236  printExpectedAllocName(os, Family);
2237 
2238  auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
2239  os.str(), N);
2240  R->markInteresting(MR);
2241  R->addRange(Range);
2242  C.emitReport(std::move(R));
2243  }
2244 }
2245 
2246 void MallocChecker::HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
2247  SourceRange Range) const {
2248 
2250 
2251  if (ChecksEnabled[CK_MallocChecker])
2252  CheckKind = CK_MallocChecker;
2253  else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
2254  CheckKind = CK_MismatchedDeallocatorChecker;
2255  else {
2256  C.addSink();
2257  return;
2258  }
2259 
2260  if (ExplodedNode *N = C.generateErrorNode()) {
2261  if (!BT_FreeAlloca[*CheckKind])
2262  BT_FreeAlloca[*CheckKind].reset(new BugType(
2263  CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
2264 
2265  auto R = std::make_unique<PathSensitiveBugReport>(
2266  *BT_FreeAlloca[*CheckKind],
2267  "Memory allocated by alloca() should not be deallocated", N);
2268  R->markInteresting(ArgVal.getAsRegion());
2269  R->addRange(Range);
2270  C.emitReport(std::move(R));
2271  }
2272 }
2273 
2274 void MallocChecker::HandleMismatchedDealloc(CheckerContext &C,
2275  SourceRange Range,
2276  const Expr *DeallocExpr,
2277  const RefState *RS, SymbolRef Sym,
2278  bool OwnershipTransferred) const {
2279 
2280  if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
2281  C.addSink();
2282  return;
2283  }
2284 
2285  if (ExplodedNode *N = C.generateErrorNode()) {
2286  if (!BT_MismatchedDealloc)
2287  BT_MismatchedDealloc.reset(
2288  new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
2289  "Bad deallocator", categories::MemoryError));
2290 
2291  SmallString<100> buf;
2292  llvm::raw_svector_ostream os(buf);
2293 
2294  const Expr *AllocExpr = cast<Expr>(RS->getStmt());
2295  SmallString<20> AllocBuf;
2296  llvm::raw_svector_ostream AllocOs(AllocBuf);
2297  SmallString<20> DeallocBuf;
2298  llvm::raw_svector_ostream DeallocOs(DeallocBuf);
2299 
2300  if (OwnershipTransferred) {
2301  if (printMemFnName(DeallocOs, C, DeallocExpr))
2302  os << DeallocOs.str() << " cannot";
2303  else
2304  os << "Cannot";
2305 
2306  os << " take ownership of memory";
2307 
2308  if (printMemFnName(AllocOs, C, AllocExpr))
2309  os << " allocated by " << AllocOs.str();
2310  } else {
2311  os << "Memory";
2312  if (printMemFnName(AllocOs, C, AllocExpr))
2313  os << " allocated by " << AllocOs.str();
2314 
2315  os << " should be deallocated by ";
2316  printExpectedDeallocName(os, RS->getAllocationFamily());
2317 
2318  if (printMemFnName(DeallocOs, C, DeallocExpr))
2319  os << ", not " << DeallocOs.str();
2320  }
2321 
2322  auto R = std::make_unique<PathSensitiveBugReport>(*BT_MismatchedDealloc,
2323  os.str(), N);
2324  R->markInteresting(Sym);
2325  R->addRange(Range);
2326  R->addVisitor<MallocBugVisitor>(Sym);
2327  C.emitReport(std::move(R));
2328  }
2329 }
2330 
2331 void MallocChecker::HandleOffsetFree(CheckerContext &C, SVal ArgVal,
2332  SourceRange Range, const Expr *DeallocExpr,
2333  AllocationFamily Family,
2334  const Expr *AllocExpr) const {
2335 
2336  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2337  C.addSink();
2338  return;
2339  }
2340 
2341  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2342  if (!CheckKind)
2343  return;
2344 
2345  ExplodedNode *N = C.generateErrorNode();
2346  if (!N)
2347  return;
2348 
2349  if (!BT_OffsetFree[*CheckKind])
2350  BT_OffsetFree[*CheckKind].reset(new BugType(
2351  CheckNames[*CheckKind], "Offset free", categories::MemoryError));
2352 
2353  SmallString<100> buf;
2354  llvm::raw_svector_ostream os(buf);
2355  SmallString<20> AllocNameBuf;
2356  llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
2357 
2358  const MemRegion *MR = ArgVal.getAsRegion();
2359  assert(MR && "Only MemRegion based symbols can have offset free errors");
2360 
2361  RegionOffset Offset = MR->getAsOffset();
2362  assert((Offset.isValid() &&
2363  !Offset.hasSymbolicOffset() &&
2364  Offset.getOffset() != 0) &&
2365  "Only symbols with a valid offset can have offset free errors");
2366 
2367  int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
2368 
2369  os << "Argument to ";
2370  if (!printMemFnName(os, C, DeallocExpr))
2371  os << "deallocator";
2372  os << " is offset by "
2373  << offsetBytes
2374  << " "
2375  << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
2376  << " from the start of ";
2377  if (AllocExpr && printMemFnName(AllocNameOs, C, AllocExpr))
2378  os << "memory allocated by " << AllocNameOs.str();
2379  else
2380  os << "allocated memory";
2381 
2382  auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind],
2383  os.str(), N);
2384  R->markInteresting(MR->getBaseRegion());
2385  R->addRange(Range);
2386  C.emitReport(std::move(R));
2387 }
2388 
2389 void MallocChecker::HandleUseAfterFree(CheckerContext &C, SourceRange Range,
2390  SymbolRef Sym) const {
2391 
2392  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker] &&
2393  !ChecksEnabled[CK_InnerPointerChecker]) {
2394  C.addSink();
2395  return;
2396  }
2397 
2398  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2399  if (!CheckKind)
2400  return;
2401 
2402  if (ExplodedNode *N = C.generateErrorNode()) {
2403  if (!BT_UseFree[*CheckKind])
2404  BT_UseFree[*CheckKind].reset(new BugType(
2405  CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
2406 
2407  AllocationFamily AF =
2408  C.getState()->get<RegionState>(Sym)->getAllocationFamily();
2409 
2410  auto R = std::make_unique<PathSensitiveBugReport>(
2411  *BT_UseFree[*CheckKind],
2412  AF == AF_InnerBuffer
2413  ? "Inner pointer of container used after re/deallocation"
2414  : "Use of memory after it is freed",
2415  N);
2416 
2417  R->markInteresting(Sym);
2418  R->addRange(Range);
2419  R->addVisitor<MallocBugVisitor>(Sym);
2420 
2421  if (AF == AF_InnerBuffer)
2422  R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym));
2423 
2424  C.emitReport(std::move(R));
2425  }
2426 }
2427 
2428 void MallocChecker::HandleDoubleFree(CheckerContext &C, SourceRange Range,
2429  bool Released, SymbolRef Sym,
2430  SymbolRef PrevSym) const {
2431 
2432  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2433  C.addSink();
2434  return;
2435  }
2436 
2437  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2438  if (!CheckKind)
2439  return;
2440 
2441  if (ExplodedNode *N = C.generateErrorNode()) {
2442  if (!BT_DoubleFree[*CheckKind])
2443  BT_DoubleFree[*CheckKind].reset(new BugType(
2444  CheckNames[*CheckKind], "Double free", categories::MemoryError));
2445 
2446  auto R = std::make_unique<PathSensitiveBugReport>(
2447  *BT_DoubleFree[*CheckKind],
2448  (Released ? "Attempt to free released memory"
2449  : "Attempt to free non-owned memory"),
2450  N);
2451  R->addRange(Range);
2452  R->markInteresting(Sym);
2453  if (PrevSym)
2454  R->markInteresting(PrevSym);
2455  R->addVisitor<MallocBugVisitor>(Sym);
2456  C.emitReport(std::move(R));
2457  }
2458 }
2459 
2460 void MallocChecker::HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2461 
2462  if (!ChecksEnabled[CK_NewDeleteChecker]) {
2463  C.addSink();
2464  return;
2465  }
2466 
2467  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2468  if (!CheckKind)
2469  return;
2470 
2471  if (ExplodedNode *N = C.generateErrorNode()) {
2472  if (!BT_DoubleDelete)
2473  BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
2474  "Double delete",
2476 
2477  auto R = std::make_unique<PathSensitiveBugReport>(
2478  *BT_DoubleDelete, "Attempt to delete released memory", N);
2479 
2480  R->markInteresting(Sym);
2481  R->addVisitor<MallocBugVisitor>(Sym);
2482  C.emitReport(std::move(R));
2483  }
2484 }
2485 
2486 void MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
2487  SymbolRef Sym) const {
2488 
2489  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2490  C.addSink();
2491  return;
2492  }
2493 
2494  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2495 
2496  if (!CheckKind)
2497  return;
2498 
2499  if (ExplodedNode *N = C.generateErrorNode()) {
2500  if (!BT_UseZerroAllocated[*CheckKind])
2501  BT_UseZerroAllocated[*CheckKind].reset(
2502  new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2504 
2505  auto R = std::make_unique<PathSensitiveBugReport>(
2506  *BT_UseZerroAllocated[*CheckKind],
2507  "Use of memory allocated with size zero", N);
2508 
2509  R->addRange(Range);
2510  if (Sym) {
2511  R->markInteresting(Sym);
2512  R->addVisitor<MallocBugVisitor>(Sym);
2513  }
2514  C.emitReport(std::move(R));
2515  }
2516 }
2517 
2518 void MallocChecker::HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal,
2519  SourceRange Range,
2520  const Expr *FreeExpr,
2521  AllocationFamily Family) const {
2522  if (!ChecksEnabled[CK_MallocChecker]) {
2523  C.addSink();
2524  return;
2525  }
2526 
2527  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2528  if (!CheckKind)
2529  return;
2530 
2531  if (ExplodedNode *N = C.generateErrorNode()) {
2532  if (!BT_BadFree[*CheckKind])
2533  BT_BadFree[*CheckKind].reset(new BugType(
2534  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2535 
2536  SmallString<100> Buf;
2537  llvm::raw_svector_ostream Os(Buf);
2538 
2539  const MemRegion *MR = ArgVal.getAsRegion();
2540  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2541  MR = ER->getSuperRegion();
2542 
2543  Os << "Argument to ";
2544  if (!printMemFnName(Os, C, FreeExpr))
2545  Os << "deallocator";
2546 
2547  Os << " is a function pointer";
2548 
2549  auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
2550  Os.str(), N);
2551  R->markInteresting(MR);
2552  R->addRange(Range);
2553  C.emitReport(std::move(R));
2554  }
2555 }
2556 
2558 MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
2559  bool ShouldFreeOnFail, ProgramStateRef State,
2560  AllocationFamily Family, bool SuffixWithN) const {
2561  if (!State)
2562  return nullptr;
2563 
2564  const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
2565 
2566  if (SuffixWithN && CE->getNumArgs() < 3)
2567  return nullptr;
2568  else if (CE->getNumArgs() < 2)
2569  return nullptr;
2570 
2571  const Expr *arg0Expr = CE->getArg(0);
2572  SVal Arg0Val = C.getSVal(arg0Expr);
2573  if (!isa<DefinedOrUnknownSVal>(Arg0Val))
2574  return nullptr;
2575  DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2576 
2577  SValBuilder &svalBuilder = C.getSValBuilder();
2578 
2579  DefinedOrUnknownSVal PtrEQ = svalBuilder.evalEQ(
2580  State, arg0Val, svalBuilder.makeNullWithType(arg0Expr->getType()));
2581 
2582  // Get the size argument.
2583  const Expr *Arg1 = CE->getArg(1);
2584 
2585  // Get the value of the size argument.
2586  SVal TotalSize = C.getSVal(Arg1);
2587  if (SuffixWithN)
2588  TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
2589  if (!isa<DefinedOrUnknownSVal>(TotalSize))
2590  return nullptr;
2591 
2592  // Compare the size argument to 0.
2593  DefinedOrUnknownSVal SizeZero =
2594  svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
2595  svalBuilder.makeIntValWithWidth(
2596  svalBuilder.getContext().getSizeType(), 0));
2597 
2598  ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2599  std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
2600  ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2601  std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
2602  // We only assume exceptional states if they are definitely true; if the
2603  // state is under-constrained, assume regular realloc behavior.
2604  bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2605  bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2606 
2607  // If the ptr is NULL and the size is not 0, the call is equivalent to
2608  // malloc(size).
2609  if (PrtIsNull && !SizeIsZero) {
2610  ProgramStateRef stateMalloc = MallocMemAux(
2611  C, Call, TotalSize, UndefinedVal(), StatePtrIsNull, Family);
2612  return stateMalloc;
2613  }
2614 
2615  if (PrtIsNull && SizeIsZero)
2616  return State;
2617 
2618  assert(!PrtIsNull);
2619 
2620  bool IsKnownToBeAllocated = false;
2621 
2622  // If the size is 0, free the memory.
2623  if (SizeIsZero)
2624  // The semantics of the return value are:
2625  // If size was equal to 0, either NULL or a pointer suitable to be passed
2626  // to free() is returned. We just free the input pointer and do not add
2627  // any constrains on the output pointer.
2628  if (ProgramStateRef stateFree = FreeMemAux(
2629  C, Call, StateSizeIsZero, 0, false, IsKnownToBeAllocated, Family))
2630  return stateFree;
2631 
2632  // Default behavior.
2633  if (ProgramStateRef stateFree =
2634  FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocated, Family)) {
2635 
2636  ProgramStateRef stateRealloc =
2637  MallocMemAux(C, Call, TotalSize, UnknownVal(), stateFree, Family);
2638  if (!stateRealloc)
2639  return nullptr;
2640 
2641  OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;
2642  if (ShouldFreeOnFail)
2643  Kind = OAR_FreeOnFailure;
2644  else if (!IsKnownToBeAllocated)
2645  Kind = OAR_DoNotTrackAfterFailure;
2646 
2647  // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2648  SymbolRef FromPtr = arg0Val.getLocSymbolInBase();
2649  SVal RetVal = C.getSVal(CE);
2650  SymbolRef ToPtr = RetVal.getAsSymbol();
2651  assert(FromPtr && ToPtr &&
2652  "By this point, FreeMemAux and MallocMemAux should have checked "
2653  "whether the argument or the return value is symbolic!");
2654 
2655  // Record the info about the reallocated symbol so that we could properly
2656  // process failed reallocation.
2657  stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
2658  ReallocPair(FromPtr, Kind));
2659  // The reallocated symbol should stay alive for as long as the new symbol.
2660  C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
2661  return stateRealloc;
2662  }
2663  return nullptr;
2664 }
2665 
2666 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C,
2667  const CallEvent &Call,
2669  if (!State)
2670  return nullptr;
2671 
2672  if (Call.getNumArgs() < 2)
2673  return nullptr;
2674 
2675  SValBuilder &svalBuilder = C.getSValBuilder();
2676  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
2677  SVal TotalSize =
2678  evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
2679 
2680  return MallocMemAux(C, Call, TotalSize, zeroVal, State, AF_Malloc);
2681 }
2682 
2683 MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N,
2684  SymbolRef Sym,
2685  CheckerContext &C) {
2686  const LocationContext *LeakContext = N->getLocationContext();
2687  // Walk the ExplodedGraph backwards and find the first node that referred to
2688  // the tracked symbol.
2689  const ExplodedNode *AllocNode = N;
2690  const MemRegion *ReferenceRegion = nullptr;
2691 
2692  while (N) {
2693  ProgramStateRef State = N->getState();
2694  if (!State->get<RegionState>(Sym))
2695  break;
2696 
2697  // Find the most recent expression bound to the symbol in the current
2698  // context.
2699  if (!ReferenceRegion) {
2700  if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2701  SVal Val = State->getSVal(MR);
2702  if (Val.getAsLocSymbol() == Sym) {
2703  const VarRegion *VR = MR->getBaseRegion()->getAs<VarRegion>();
2704  // Do not show local variables belonging to a function other than
2705  // where the error is reported.
2706  if (!VR || (VR->getStackFrame() == LeakContext->getStackFrame()))
2707  ReferenceRegion = MR;
2708  }
2709  }
2710  }
2711 
2712  // Allocation node, is the last node in the current or parent context in
2713  // which the symbol was tracked.
2714  const LocationContext *NContext = N->getLocationContext();
2715  if (NContext == LeakContext ||
2716  NContext->isParentOf(LeakContext))
2717  AllocNode = N;
2718  N = N->pred_empty() ? nullptr : *(N->pred_begin());
2719  }
2720 
2721  return LeakInfo(AllocNode, ReferenceRegion);
2722 }
2723 
2724 void MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N,
2725  CheckerContext &C) const {
2726 
2727  if (!ChecksEnabled[CK_MallocChecker] &&
2728  !ChecksEnabled[CK_NewDeleteLeaksChecker])
2729  return;
2730 
2731  const RefState *RS = C.getState()->get<RegionState>(Sym);
2732  assert(RS && "cannot leak an untracked symbol");
2733  AllocationFamily Family = RS->getAllocationFamily();
2734 
2735  if (Family == AF_Alloca)
2736  return;
2737 
2739  CheckKind = getCheckIfTracked(Family, true);
2740 
2741  if (!CheckKind)
2742  return;
2743 
2744  assert(N);
2745  if (!BT_Leak[*CheckKind]) {
2746  // Leaks should not be reported if they are post-dominated by a sink:
2747  // (1) Sinks are higher importance bugs.
2748  // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2749  // with __noreturn functions such as assert() or exit(). We choose not
2750  // to report leaks on such paths.
2751  BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak",
2753  /*SuppressOnSink=*/true));
2754  }
2755 
2756  // Most bug reports are cached at the location where they occurred.
2757  // With leaks, we want to unique them by the location where they were
2758  // allocated, and only report a single path.
2759  PathDiagnosticLocation LocUsedForUniqueing;
2760  const ExplodedNode *AllocNode = nullptr;
2761  const MemRegion *Region = nullptr;
2762  std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
2763 
2764  const Stmt *AllocationStmt = AllocNode->getStmtForDiagnostics();
2765  if (AllocationStmt)
2766  LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
2767  C.getSourceManager(),
2768  AllocNode->getLocationContext());
2769 
2770  SmallString<200> buf;
2771  llvm::raw_svector_ostream os(buf);
2772  if (Region && Region->canPrintPretty()) {
2773  os << "Potential leak of memory pointed to by ";
2774  Region->printPretty(os);
2775  } else {
2776  os << "Potential memory leak";
2777  }
2778 
2779  auto R = std::make_unique<PathSensitiveBugReport>(
2780  *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
2781  AllocNode->getLocationContext()->getDecl());
2782  R->markInteresting(Sym);
2783  R->addVisitor<MallocBugVisitor>(Sym, true);
2784  if (ShouldRegisterNoOwnershipChangeVisitor)
2785  R->addVisitor<NoOwnershipChangeVisitor>(Sym, this);
2786  C.emitReport(std::move(R));
2787 }
2788 
2789 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2790  CheckerContext &C) const
2791 {
2792  ProgramStateRef state = C.getState();
2793  RegionStateTy OldRS = state->get<RegionState>();
2794  RegionStateTy::Factory &F = state->get_context<RegionState>();
2795 
2796  RegionStateTy RS = OldRS;
2798  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2799  if (SymReaper.isDead(I->first)) {
2800  if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero())
2801  Errors.push_back(I->first);
2802  // Remove the dead symbol from the map.
2803  RS = F.remove(RS, I->first);
2804  }
2805  }
2806 
2807  if (RS == OldRS) {
2808  // We shouldn't have touched other maps yet.
2809  assert(state->get<ReallocPairs>() ==
2810  C.getState()->get<ReallocPairs>());
2811  assert(state->get<FreeReturnValue>() ==
2812  C.getState()->get<FreeReturnValue>());
2813  return;
2814  }
2815 
2816  // Cleanup the Realloc Pairs Map.
2817  ReallocPairsTy RP = state->get<ReallocPairs>();
2818  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2819  if (SymReaper.isDead(I->first) ||
2820  SymReaper.isDead(I->second.ReallocatedSym)) {
2821  state = state->remove<ReallocPairs>(I->first);
2822  }
2823  }
2824 
2825  // Cleanup the FreeReturnValue Map.
2826  FreeReturnValueTy FR = state->get<FreeReturnValue>();
2827  for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
2828  if (SymReaper.isDead(I->first) ||
2829  SymReaper.isDead(I->second)) {
2830  state = state->remove<FreeReturnValue>(I->first);
2831  }
2832  }
2833 
2834  // Generate leak node.
2835  ExplodedNode *N = C.getPredecessor();
2836  if (!Errors.empty()) {
2837  static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2838  N = C.generateNonFatalErrorNode(C.getState(), &Tag);
2839  if (N) {
2841  I = Errors.begin(), E = Errors.end(); I != E; ++I) {
2842  HandleLeak(*I, N, C);
2843  }
2844  }
2845  }
2846 
2847  C.addTransition(state->set<RegionState>(RS), N);
2848 }
2849 
2850 void MallocChecker::checkPreCall(const CallEvent &Call,
2851  CheckerContext &C) const {
2852 
2853  if (const auto *DC = dyn_cast<CXXDeallocatorCall>(&Call)) {
2854  const CXXDeleteExpr *DE = DC->getOriginExpr();
2855 
2856  if (!ChecksEnabled[CK_NewDeleteChecker])
2857  if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
2858  checkUseAfterFree(Sym, C, DE->getArgument());
2859 
2860  if (!isStandardNewDelete(DC->getDecl()))
2861  return;
2862 
2863  ProgramStateRef State = C.getState();
2864  bool IsKnownToBeAllocated;
2865  State = FreeMemAux(C, DE->getArgument(), Call, State,
2866  /*Hold*/ false, IsKnownToBeAllocated,
2867  (DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew));
2868 
2869  C.addTransition(State);
2870  return;
2871  }
2872 
2873  if (const auto *DC = dyn_cast<CXXDestructorCall>(&Call)) {
2874  SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2875  if (!Sym || checkDoubleDelete(Sym, C))
2876  return;
2877  }
2878 
2879  // We will check for double free in the post visit.
2880  if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
2881  const FunctionDecl *FD = FC->getDecl();
2882  if (!FD)
2883  return;
2884 
2885  if (ChecksEnabled[CK_MallocChecker] && isFreeingCall(Call))
2886  return;
2887  }
2888 
2889  // Check if the callee of a method is deleted.
2890  if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
2891  SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2892  if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2893  return;
2894  }
2895 
2896  // Check arguments for being used after free.
2897  for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2898  SVal ArgSVal = Call.getArgSVal(I);
2899  if (isa<Loc>(ArgSVal)) {
2900  SymbolRef Sym = ArgSVal.getAsSymbol();
2901  if (!Sym)
2902  continue;
2903  if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
2904  return;
2905  }
2906  }
2907 }
2908 
2909 void MallocChecker::checkPreStmt(const ReturnStmt *S,
2910  CheckerContext &C) const {
2911  checkEscapeOnReturn(S, C);
2912 }
2913 
2914 // In the CFG, automatic destructors come after the return statement.
2915 // This callback checks for returning memory that is freed by automatic
2916 // destructors, as those cannot be reached in checkPreStmt().
2917 void MallocChecker::checkEndFunction(const ReturnStmt *S,
2918  CheckerContext &C) const {
2919  checkEscapeOnReturn(S, C);
2920 }
2921 
2922 void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
2923  CheckerContext &C) const {
2924  if (!S)
2925  return;
2926 
2927  const Expr *E = S->getRetValue();
2928  if (!E)
2929  return;
2930 
2931  // Check if we are returning a symbol.
2932  ProgramStateRef State = C.getState();
2933  SVal RetVal = C.getSVal(E);
2934  SymbolRef Sym = RetVal.getAsSymbol();
2935  if (!Sym)
2936  // If we are returning a field of the allocated struct or an array element,
2937  // the callee could still free the memory.
2938  // TODO: This logic should be a part of generic symbol escape callback.
2939  if (const MemRegion *MR = RetVal.getAsRegion())
2940  if (isa<FieldRegion, ElementRegion>(MR))
2941  if (const SymbolicRegion *BMR =
2942  dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
2943  Sym = BMR->getSymbol();
2944 
2945  // Check if we are returning freed memory.
2946  if (Sym)
2947  checkUseAfterFree(Sym, C, E);
2948 }
2949 
2950 // TODO: Blocks should be either inlined or should call invalidate regions
2951 // upon invocation. After that's in place, special casing here will not be
2952 // needed.
2953 void MallocChecker::checkPostStmt(const BlockExpr *BE,
2954  CheckerContext &C) const {
2955 
2956  // Scan the BlockDecRefExprs for any object the retain count checker
2957  // may be tracking.
2958  if (!BE->getBlockDecl()->hasCaptures())
2959  return;
2960 
2961  ProgramStateRef state = C.getState();
2962  const BlockDataRegion *R =
2963  cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());
2964 
2965  BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
2966  E = R->referenced_vars_end();
2967 
2968  if (I == E)
2969  return;
2970 
2972  const LocationContext *LC = C.getLocationContext();
2973  MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
2974 
2975  for ( ; I != E; ++I) {
2976  const VarRegion *VR = I.getCapturedRegion();
2977  if (VR->getSuperRegion() == R) {
2978  VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2979  }
2980  Regions.push_back(VR);
2981  }
2982 
2983  state =
2984  state->scanReachableSymbols<StopTrackingCallback>(Regions).getState();
2985  C.addTransition(state);
2986 }
2987 
2988 static bool isReleased(SymbolRef Sym, CheckerContext &C) {
2989  assert(Sym);
2990  const RefState *RS = C.getState()->get<RegionState>(Sym);
2991  return (RS && RS->isReleased());
2992 }
2993 
2994 bool MallocChecker::suppressDeallocationsInSuspiciousContexts(
2995  const CallEvent &Call, CheckerContext &C) const {
2996  if (Call.getNumArgs() == 0)
2997  return false;
2998 
2999  StringRef FunctionStr = "";
3000  if (const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
3001  if (const Stmt *Body = FD->getBody())
3002  if (Body->getBeginLoc().isValid())
3003  FunctionStr =
3005  {FD->getBeginLoc(), Body->getBeginLoc()}),
3006  C.getSourceManager(), C.getLangOpts());
3007 
3008  // We do not model the Integer Set Library's retain-count based allocation.
3009  if (!FunctionStr.contains("__isl_"))
3010  return false;
3011 
3012  ProgramStateRef State = C.getState();
3013 
3014  for (const Expr *Arg : cast<CallExpr>(Call.getOriginExpr())->arguments())
3015  if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol())
3016  if (const RefState *RS = State->get<RegionState>(Sym))
3017  State = State->set<RegionState>(Sym, RefState::getEscaped(RS));
3018 
3019  C.addTransition(State);
3020  return true;
3021 }
3022 
3023 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
3024  const Stmt *S) const {
3025 
3026  if (isReleased(Sym, C)) {
3027  HandleUseAfterFree(C, S->getSourceRange(), Sym);
3028  return true;
3029  }
3030 
3031  return false;
3032 }
3033 
3034 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
3035  const Stmt *S) const {
3036  assert(Sym);
3037 
3038  if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
3039  if (RS->isAllocatedOfSizeZero())
3040  HandleUseZeroAlloc(C, RS->getStmt()->getSourceRange(), Sym);
3041  }
3042  else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
3043  HandleUseZeroAlloc(C, S->getSourceRange(), Sym);
3044  }
3045 }
3046 
3047 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
3048 
3049  if (isReleased(Sym, C)) {
3050  HandleDoubleDelete(C, Sym);
3051  return true;
3052  }
3053  return false;
3054 }
3055 
3056 // Check if the location is a freed symbolic region.
3057 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
3058  CheckerContext &C) const {
3059  SymbolRef Sym = l.getLocSymbolInBase();
3060  if (Sym) {
3061  checkUseAfterFree(Sym, C, S);
3062  checkUseZeroAllocated(Sym, C, S);
3063  }
3064 }
3065 
3066 // If a symbolic region is assumed to NULL (or another constant), stop tracking
3067 // it - assuming that allocation failed on this path.
3068 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
3069  SVal Cond,
3070  bool Assumption) const {
3071  RegionStateTy RS = state->get<RegionState>();
3072  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3073  // If the symbol is assumed to be NULL, remove it from consideration.
3074  ConstraintManager &CMgr = state->getConstraintManager();
3075  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
3076  if (AllocFailed.isConstrainedTrue())
3077  state = state->remove<RegionState>(I.getKey());
3078  }
3079 
3080  // Realloc returns 0 when reallocation fails, which means that we should
3081  // restore the state of the pointer being reallocated.
3082  ReallocPairsTy RP = state->get<ReallocPairs>();
3083  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
3084  // If the symbol is assumed to be NULL, remove it from consideration.
3085  ConstraintManager &CMgr = state->getConstraintManager();
3086  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
3087  if (!AllocFailed.isConstrainedTrue())
3088  continue;
3089 
3090  SymbolRef ReallocSym = I.getData().ReallocatedSym;
3091  if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
3092  if (RS->isReleased()) {
3093  switch (I.getData().Kind) {
3094  case OAR_ToBeFreedAfterFailure:
3095  state = state->set<RegionState>(ReallocSym,
3096  RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt()));
3097  break;
3098  case OAR_DoNotTrackAfterFailure:
3099  state = state->remove<RegionState>(ReallocSym);
3100  break;
3101  default:
3102  assert(I.getData().Kind == OAR_FreeOnFailure);
3103  }
3104  }
3105  }
3106  state = state->remove<ReallocPairs>(I.getKey());
3107  }
3108 
3109  return state;
3110 }
3111 
3112 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
3113  const CallEvent *Call,
3115  SymbolRef &EscapingSymbol) const {
3116  assert(Call);
3117  EscapingSymbol = nullptr;
3118 
3119  // For now, assume that any C++ or block call can free memory.
3120  // TODO: If we want to be more optimistic here, we'll need to make sure that
3121  // regions escape to C++ containers. They seem to do that even now, but for
3122  // mysterious reasons.
3123  if (!isa<SimpleFunctionCall, ObjCMethodCall>(Call))
3124  return true;
3125 
3126  // Check Objective-C messages by selector name.
3127  if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
3128  // If it's not a framework call, or if it takes a callback, assume it
3129  // can free memory.
3130  if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
3131  return true;
3132 
3133  // If it's a method we know about, handle it explicitly post-call.
3134  // This should happen before the "freeWhenDone" check below.
3135  if (isKnownDeallocObjCMethodName(*Msg))
3136  return false;
3137 
3138  // If there's a "freeWhenDone" parameter, but the method isn't one we know
3139  // about, we can't be sure that the object will use free() to deallocate the
3140  // memory, so we can't model it explicitly. The best we can do is use it to
3141  // decide whether the pointer escapes.
3142  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
3143  return *FreeWhenDone;
3144 
3145  // If the first selector piece ends with "NoCopy", and there is no
3146  // "freeWhenDone" parameter set to zero, we know ownership is being
3147  // transferred. Again, though, we can't be sure that the object will use
3148  // free() to deallocate the memory, so we can't model it explicitly.
3149  StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
3150  if (FirstSlot.endswith("NoCopy"))
3151  return true;
3152 
3153  // If the first selector starts with addPointer, insertPointer,
3154  // or replacePointer, assume we are dealing with NSPointerArray or similar.
3155  // This is similar to C++ containers (vector); we still might want to check
3156  // that the pointers get freed by following the container itself.
3157  if (FirstSlot.startswith("addPointer") ||
3158  FirstSlot.startswith("insertPointer") ||
3159  FirstSlot.startswith("replacePointer") ||
3160  FirstSlot.equals("valueWithPointer")) {
3161  return true;
3162  }
3163 
3164  // We should escape receiver on call to 'init'. This is especially relevant
3165  // to the receiver, as the corresponding symbol is usually not referenced
3166  // after the call.
3167  if (Msg->getMethodFamily() == OMF_init) {
3168  EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
3169  return true;
3170  }
3171 
3172  // Otherwise, assume that the method does not free memory.
3173  // Most framework methods do not free memory.
3174  return false;
3175  }
3176 
3177  // At this point the only thing left to handle is straight function calls.
3178  const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
3179  if (!FD)
3180  return true;
3181 
3182  // If it's one of the allocation functions we can reason about, we model
3183  // its behavior explicitly.
3184  if (isMemCall(*Call))
3185  return false;
3186 
3187  // If it's not a system call, assume it frees memory.
3188  if (!Call->isInSystemHeader())
3189  return true;
3190 
3191  // White list the system functions whose arguments escape.
3192  const IdentifierInfo *II = FD->getIdentifier();
3193  if (!II)
3194  return true;
3195  StringRef FName = II->getName();
3196 
3197  // White list the 'XXXNoCopy' CoreFoundation functions.
3198  // We specifically check these before
3199  if (FName.endswith("NoCopy")) {
3200  // Look for the deallocator argument. We know that the memory ownership
3201  // is not transferred only if the deallocator argument is
3202  // 'kCFAllocatorNull'.
3203  for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
3204  const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
3205  if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
3206  StringRef DeallocatorName = DE->getFoundDecl()->getName();
3207  if (DeallocatorName == "kCFAllocatorNull")
3208  return false;
3209  }
3210  }
3211  return true;
3212  }
3213 
3214  // Associating streams with malloced buffers. The pointer can escape if
3215  // 'closefn' is specified (and if that function does free memory),
3216  // but it will not if closefn is not specified.
3217  // Currently, we do not inspect the 'closefn' function (PR12101).
3218  if (FName == "funopen")
3219  if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
3220  return false;
3221 
3222  // Do not warn on pointers passed to 'setbuf' when used with std streams,
3223  // these leaks might be intentional when setting the buffer for stdio.
3224  // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
3225  if (FName == "setbuf" || FName =="setbuffer" ||
3226  FName == "setlinebuf" || FName == "setvbuf") {
3227  if (Call->getNumArgs() >= 1) {
3228  const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
3229  if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
3230  if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
3231  if (D->getCanonicalDecl()->getName().contains("std"))
3232  return true;
3233  }
3234  }
3235 
3236  // A bunch of other functions which either take ownership of a pointer or
3237  // wrap the result up in a struct or object, meaning it can be freed later.
3238  // (See RetainCountChecker.) Not all the parameters here are invalidated,
3239  // but the Malloc checker cannot differentiate between them. The right way
3240  // of doing this would be to implement a pointer escapes callback.
3241  if (FName == "CGBitmapContextCreate" ||
3242  FName == "CGBitmapContextCreateWithData" ||
3243  FName == "CVPixelBufferCreateWithBytes" ||
3244  FName == "CVPixelBufferCreateWithPlanarBytes" ||
3245  FName == "OSAtomicEnqueue") {
3246  return true;
3247  }
3248 
3249  if (FName == "postEvent" &&
3250  FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
3251  return true;
3252  }
3253 
3254  if (FName == "connectImpl" &&
3255  FD->getQualifiedNameAsString() == "QObject::connectImpl") {
3256  return true;
3257  }
3258 
3259  // Handle cases where we know a buffer's /address/ can escape.
3260  // Note that the above checks handle some special cases where we know that
3261  // even though the address escapes, it's still our responsibility to free the
3262  // buffer.
3263  if (Call->argumentsMayEscape())
3264  return true;
3265 
3266  // Otherwise, assume that the function does not free memory.
3267  // Most system calls do not free the memory.
3268  return false;
3269 }
3270 
3271 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
3272  const InvalidatedSymbols &Escaped,
3273  const CallEvent *Call,
3274  PointerEscapeKind Kind) const {
3275  return checkPointerEscapeAux(State, Escaped, Call, Kind,
3276  /*IsConstPointerEscape*/ false);
3277 }
3278 
3279 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
3280  const InvalidatedSymbols &Escaped,
3281  const CallEvent *Call,
3282  PointerEscapeKind Kind) const {
3283  // If a const pointer escapes, it may not be freed(), but it could be deleted.
3284  return checkPointerEscapeAux(State, Escaped, Call, Kind,
3285  /*IsConstPointerEscape*/ true);
3286 }
3287 
3288 static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
3289  return (RS->getAllocationFamily() == AF_CXXNewArray ||
3290  RS->getAllocationFamily() == AF_CXXNew);
3291 }
3292 
3293 ProgramStateRef MallocChecker::checkPointerEscapeAux(
3294  ProgramStateRef State, const InvalidatedSymbols &Escaped,
3295  const CallEvent *Call, PointerEscapeKind Kind,
3296  bool IsConstPointerEscape) const {
3297  // If we know that the call does not free memory, or we want to process the
3298  // call later, keep tracking the top level arguments.
3299  SymbolRef EscapingSymbol = nullptr;
3300  if (Kind == PSK_DirectEscapeOnCall &&
3301  !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
3302  EscapingSymbol) &&
3303  !EscapingSymbol) {
3304  return State;
3305  }
3306 
3307  for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
3308  E = Escaped.end();
3309  I != E; ++I) {
3310  SymbolRef sym = *I;
3311 
3312  if (EscapingSymbol && EscapingSymbol != sym)
3313  continue;
3314 
3315  if (const RefState *RS = State->get<RegionState>(sym))
3316  if (RS->isAllocated() || RS->isAllocatedOfSizeZero())
3317  if (!IsConstPointerEscape || checkIfNewOrNewArrayFamily(RS))
3318  State = State->set<RegionState>(sym, RefState::getEscaped(RS));
3319  }
3320  return State;
3321 }
3322 
3323 bool MallocChecker::isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
3324  SVal ArgVal) const {
3325  if (!KernelZeroSizePtrValue)
3326  KernelZeroSizePtrValue =
3327  tryExpandAsInteger("ZERO_SIZE_PTR", C.getPreprocessor());
3328 
3329  const llvm::APSInt *ArgValKnown =
3330  C.getSValBuilder().getKnownValue(State, ArgVal);
3331  return ArgValKnown && *KernelZeroSizePtrValue &&
3332  ArgValKnown->getSExtValue() == **KernelZeroSizePtrValue;
3333 }
3334 
3336  ProgramStateRef prevState) {
3337  ReallocPairsTy currMap = currState->get<ReallocPairs>();
3338  ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
3339 
3340  for (const ReallocPairsTy::value_type &Pair : prevMap) {
3341  SymbolRef sym = Pair.first;
3342  if (!currMap.lookup(sym))
3343  return sym;
3344  }
3345 
3346  return nullptr;
3347 }
3348 
3350  if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
3351  StringRef N = II->getName();
3352  if (N.contains_insensitive("ptr") || N.contains_insensitive("pointer")) {
3353  if (N.contains_insensitive("ref") || N.contains_insensitive("cnt") ||
3354  N.contains_insensitive("intrusive") ||
3355  N.contains_insensitive("shared")) {
3356  return true;
3357  }
3358  }
3359  }
3360  return false;
3361 }
3362 
3363 PathDiagnosticPieceRef MallocBugVisitor::VisitNode(const ExplodedNode *N,
3364  BugReporterContext &BRC,
3365  PathSensitiveBugReport &BR) {
3366  ProgramStateRef state = N->getState();
3367  ProgramStateRef statePrev = N->getFirstPred()->getState();
3368 
3369  const RefState *RSCurr = state->get<RegionState>(Sym);
3370  const RefState *RSPrev = statePrev->get<RegionState>(Sym);
3371 
3372  const Stmt *S = N->getStmtForDiagnostics();
3373  // When dealing with containers, we sometimes want to give a note
3374  // even if the statement is missing.
3375  if (!S && (!RSCurr || RSCurr->getAllocationFamily() != AF_InnerBuffer))
3376  return nullptr;
3377 
3378  const LocationContext *CurrentLC = N->getLocationContext();
3379 
3380  // If we find an atomic fetch_add or fetch_sub within the destructor in which
3381  // the pointer was released (before the release), this is likely a destructor
3382  // of a shared pointer.
3383  // Because we don't model atomics, and also because we don't know that the
3384  // original reference count is positive, we should not report use-after-frees
3385  // on objects deleted in such destructors. This can probably be improved
3386  // through better shared pointer modeling.
3387  if (ReleaseDestructorLC) {
3388  if (const auto *AE = dyn_cast<AtomicExpr>(S)) {
3389  AtomicExpr::AtomicOp Op = AE->getOp();
3390  if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
3391  Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
3392  if (ReleaseDestructorLC == CurrentLC ||
3393  ReleaseDestructorLC->isParentOf(CurrentLC)) {
3394  BR.markInvalid(getTag(), S);
3395  }
3396  }
3397  }
3398  }
3399 
3400  // FIXME: We will eventually need to handle non-statement-based events
3401  // (__attribute__((cleanup))).
3402 
3403  // Find out if this is an interesting point and what is the kind.
3404  StringRef Msg;
3405  std::unique_ptr<StackHintGeneratorForSymbol> StackHint = nullptr;
3406  SmallString<256> Buf;
3407  llvm::raw_svector_ostream OS(Buf);
3408 
3409  if (Mode == Normal) {
3410  if (isAllocated(RSCurr, RSPrev, S)) {
3411  Msg = "Memory is allocated";
3412  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3413  Sym, "Returned allocated memory");
3414  } else if (isReleased(RSCurr, RSPrev, S)) {
3415  const auto Family = RSCurr->getAllocationFamily();
3416  switch (Family) {
3417  case AF_Alloca:
3418  case AF_Malloc:
3419  case AF_CXXNew:
3420  case AF_CXXNewArray:
3421  case AF_IfNameIndex:
3422  Msg = "Memory is released";
3423  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3424  Sym, "Returning; memory was released");
3425  break;
3426  case AF_InnerBuffer: {
3427  const MemRegion *ObjRegion =
3429  const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
3430  QualType ObjTy = TypedRegion->getValueType();
3431  OS << "Inner buffer of '" << ObjTy << "' ";
3432 
3433  if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
3434  OS << "deallocated by call to destructor";
3435  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3436  Sym, "Returning; inner buffer was deallocated");
3437  } else {
3438  OS << "reallocated by call to '";
3439  const Stmt *S = RSCurr->getStmt();
3440  if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) {
3441  OS << MemCallE->getMethodDecl()->getDeclName();
3442  } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) {
3443  OS << OpCallE->getDirectCallee()->getDeclName();
3444  } else if (const auto *CallE = dyn_cast<CallExpr>(S)) {
3445  auto &CEMgr = BRC.getStateManager().getCallEventManager();
3446  CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC);
3447  if (const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl()))
3448  OS << D->getDeclName();
3449  else
3450  OS << "unknown";
3451  }
3452  OS << "'";
3453  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3454  Sym, "Returning; inner buffer was reallocated");
3455  }
3456  Msg = OS.str();
3457  break;
3458  }
3459  case AF_None:
3460  llvm_unreachable("Unhandled allocation family!");
3461  }
3462 
3463  // See if we're releasing memory while inlining a destructor
3464  // (or one of its callees). This turns on various common
3465  // false positive suppressions.
3466  bool FoundAnyDestructor = false;
3467  for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
3468  if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
3470  // This immediately looks like a reference-counting destructor.
3471  // We're bad at guessing the original reference count of the object,
3472  // so suppress the report for now.
3473  BR.markInvalid(getTag(), DD);
3474  } else if (!FoundAnyDestructor) {
3475  assert(!ReleaseDestructorLC &&
3476  "There can be only one release point!");
3477  // Suspect that it's a reference counting pointer destructor.
3478  // On one of the next nodes might find out that it has atomic
3479  // reference counting operations within it (see the code above),
3480  // and if so, we'd conclude that it likely is a reference counting
3481  // pointer destructor.
3482  ReleaseDestructorLC = LC->getStackFrame();
3483  // It is unlikely that releasing memory is delegated to a destructor
3484  // inside a destructor of a shared pointer, because it's fairly hard
3485  // to pass the information that the pointer indeed needs to be
3486  // released into it. So we're only interested in the innermost
3487  // destructor.
3488  FoundAnyDestructor = true;
3489  }
3490  }
3491  }
3492  } else if (isRelinquished(RSCurr, RSPrev, S)) {
3493  Msg = "Memory ownership is transferred";
3494  StackHint = std::make_unique<StackHintGeneratorForSymbol>(Sym, "");
3495  } else if (hasReallocFailed(RSCurr, RSPrev, S)) {
3496  Mode = ReallocationFailed;
3497  Msg = "Reallocation failed";
3498  StackHint = std::make_unique<StackHintGeneratorForReallocationFailed>(
3499  Sym, "Reallocation failed");
3500 
3501  if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
3502  // Is it possible to fail two reallocs WITHOUT testing in between?
3503  assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
3504  "We only support one failed realloc at a time.");
3505  BR.markInteresting(sym);
3506  FailedReallocSymbol = sym;
3507  }
3508  }
3509 
3510  // We are in a special mode if a reallocation failed later in the path.
3511  } else if (Mode == ReallocationFailed) {
3512  assert(FailedReallocSymbol && "No symbol to look for.");
3513 
3514  // Is this is the first appearance of the reallocated symbol?
3515  if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
3516  // We're at the reallocation point.
3517  Msg = "Attempt to reallocate memory";
3518  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3519  Sym, "Returned reallocated memory");
3520  FailedReallocSymbol = nullptr;
3521  Mode = Normal;
3522  }
3523  }
3524 
3525  if (Msg.empty()) {
3526  assert(!StackHint);
3527  return nullptr;
3528  }
3529 
3530  assert(StackHint);
3531 
3532  // Generate the extra diagnostic.
3533  PathDiagnosticLocation Pos;
3534  if (!S) {
3535  assert(RSCurr->getAllocationFamily() == AF_InnerBuffer);
3536  auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
3537  if (!PostImplCall)
3538  return nullptr;
3539  Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
3540  BRC.getSourceManager());
3541  } else {
3542  Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
3543  N->getLocationContext());
3544  }
3545 
3546  auto P = std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true);
3547  BR.addCallStackHint(P, std::move(StackHint));
3548  return P;
3549 }
3550 
3551 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
3552  const char *NL, const char *Sep) const {
3553 
3554  RegionStateTy RS = State->get<RegionState>();
3555 
3556  if (!RS.isEmpty()) {
3557  Out << Sep << "MallocChecker :" << NL;
3558  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3559  const RefState *RefS = State->get<RegionState>(I.getKey());
3560  AllocationFamily Family = RefS->getAllocationFamily();
3561  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
3562  if (!CheckKind)
3563  CheckKind = getCheckIfTracked(Family, true);
3564 
3565  I.getKey()->dumpToStream(Out);
3566  Out << " : ";
3567  I.getData().dump(Out);
3568  if (CheckKind)
3569  Out << " (" << CheckNames[*CheckKind].getName() << ")";
3570  Out << NL;
3571  }
3572  }
3573 }
3574 
3575 namespace clang {
3576 namespace ento {
3577 namespace allocation_state {
3578 
3581  AllocationFamily Family = AF_InnerBuffer;
3582  return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3583 }
3584 
3585 } // end namespace allocation_state
3586 } // end namespace ento
3587 } // end namespace clang
3588 
3589 // Intended to be used in InnerPointerChecker to register the part of
3590 // MallocChecker connected to it.
3592  MallocChecker *checker = mgr.getChecker<MallocChecker>();
3593  checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
3594  checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
3595  mgr.getCurrentCheckerName();
3596 }
3597 
3598 void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
3599  auto *checker = mgr.registerChecker<MallocChecker>();
3600  checker->ShouldIncludeOwnershipAnnotatedFunctions =
3601  mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic");
3602  checker->ShouldRegisterNoOwnershipChangeVisitor =
3603  mgr.getAnalyzerOptions().getCheckerBooleanOption(
3604  checker, "AddNoOwnershipChangeNotes");
3605 }
3606 
3607 bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {
3608  return true;
3609 }
3610 
3611 #define REGISTER_CHECKER(name) \
3612  void ento::register##name(CheckerManager &mgr) { \
3613  MallocChecker *checker = mgr.getChecker<MallocChecker>(); \
3614  checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3615  checker->CheckNames[MallocChecker::CK_##name] = \
3616  mgr.getCurrentCheckerName(); \
3617  } \
3618  \
3619  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
3620 
3621 REGISTER_CHECKER(MallocChecker)
3622 REGISTER_CHECKER(NewDeleteChecker)
3623 REGISTER_CHECKER(NewDeleteLeaksChecker)
3624 REGISTER_CHECKER(MismatchedDeallocatorChecker)
findFailedReallocSymbol
static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, ProgramStateRef prevState)
Definition: MallocChecker.cpp:3335
clang::ento::Loc::isLocType
static bool isLocType(QualType T)
Definition: SVals.h:290
clang::ento::PSK_DirectEscapeOnCall
@ PSK_DirectEscapeOnCall
The pointer has been passed to a function call directly.
Definition: CheckerManager.h:84
clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:428
clang::CXXConstructorDecl
Represents a C++ constructor within a class.
Definition: DeclCXX.h:2436
DynamicExtent.h
getDeepPointeeType
static QualType getDeepPointeeType(QualType T)
Definition: MallocChecker.cpp:1557
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
CallDescription.h
clang::LocationContext::getStackFrame
const StackFrameContext * getStackFrame() const
Definition: AnalysisDeclContext.cpp:463
clang::DeclaratorDecl::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: Decl.h:810
SVals.h
clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:210
string
string(SUBSTRING ${CMAKE_CURRENT_BINARY_DIR} 0 ${PATH_LIB_START} PATH_HEAD) string(SUBSTRING $
Definition: CMakeLists.txt:22
Ret
static bool Ret(InterpState &S, CodePtr &PC, APValue &Result)
Definition: Interp.cpp:34
clang::ast_matchers::stmt
const internal::VariadicAllOfMatcher< Stmt > stmt
Matches statements.
Definition: ASTMatchersInternal.cpp:810
clang::Decl::hasAttr
bool hasAttr() const
Definition: DeclBase.h:560
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:492
clang::ento::CheckerManager::getCurrentCheckerName
CheckerNameRef getCurrentCheckerName() const
Definition: CheckerManager.h:163
clang::ast_matchers::anyOf
const internal::VariadicOperatorMatcherFunc< 2, std::numeric_limits< unsigned >::max()> anyOf
Matches if any of the given matchers matches.
Definition: ASTMatchersInternal.cpp:990
llvm::SmallVector
Definition: LLVM.h:38
clang::SourceLocation
Encodes a location in the source.
Definition: SourceLocation.h:86
clang::ast_matchers::findAll
internal::Matcher< T > findAll(const internal::Matcher< T > &Matcher)
Matches if the node or any descendant matches.
Definition: ASTMatchers.h:3489
clang::NamedDecl
This represents a decl that may have a name.
Definition: Decl.h:247
clang::ento::registerInnerPointerCheckerAux
void registerInnerPointerCheckerAux(CheckerManager &Mgr)
Register the part of MallocChecker connected to InnerPointerChecker.
Definition: MallocChecker.cpp:3591
TargetInfo.h
clang::MultiVersionKind::Target
@ Target
clang::CXXDeleteExpr::isArrayForm
bool isArrayForm() const
Definition: ExprCXX.h:2448
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:737
Attr.h
CHECK_FN
#define CHECK_FN(NAME)
Definition: MallocChecker.cpp:368
clang::FunctionDecl::getParamDecl
const ParmVarDecl * getParamDecl(unsigned i) const
Definition: Decl.h:2594
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:56
clang::OMF_init
@ OMF_init
Definition: IdentifierTable.h:707
DeclCXX.h
ProgramState_Fwd.h
SymbolManager.h
clang::CXXNewExpr
Represents a new-expression for memory allocation and constructor calls, e.g: "new CXXNewExpr(foo)".
Definition: ExprCXX.h:2146
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: SymExpr.h:111
clang::FunctionDecl::getDeclaredReturnType
QualType getDeclaredReturnType() const
Get the declared return type, which may differ from the actual return type if the return type is dedu...
Definition: Decl.h:2642
llvm::Optional
Definition: LLVM.h:40
clang::ento::bugreporter::TrackingKind
TrackingKind
Specifies the type of tracking for an expression.
Definition: BugReporterVisitors.h:95
llvm::SmallPtrSet
Definition: ASTContext.h:82
clang::Lexer::getSourceText
static StringRef getSourceText(CharSourceRange Range, const SourceManager &SM, const LangOptions &LangOpts, bool *Invalid=nullptr)
Returns a string for the source that the range encompasses.
Definition: Lexer.cpp:961
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:299
SourceManager.h
clang::tooling::X
static ToolExecutorPluginRegistry::Add< AllTUsToolExecutorPlugin > X("all-TUs", "Runs FrontendActions on all TUs in the compilation database. " "Tool results are stored in memory.")
ASTMatchFinder.h
CommonBugCategories.h
clang::ento::Store
const void * Store
Store - This opaque type encapsulates an immutable mapping from locations to values.
Definition: StoreRef.h:27
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition: ASTContext.h:721
clang::ento::tryExpandAsInteger
llvm::Optional< int > tryExpandAsInteger(StringRef Macro, const Preprocessor &PP)
Try to parse the value of a defined preprocessor macro.
Definition: CheckerHelpers.cpp:113
printExpectedAllocName
static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family)
Print expected name of an allocator based on the deallocator's family derived from the DeallocExpr.
Definition: MallocChecker.cpp:1864
clang::PostImplicitCall
Represents a program point just after an implicit call event.
Definition: ProgramPoint.h:599
InterCheckerAPI.h
CallEvent.h
clang::ast_matchers::cxxDeleteExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CXXDeleteExpr > cxxDeleteExpr
Matches delete expressions.
Definition: ASTMatchersInternal.cpp:879
Offset
unsigned Offset
Definition: Format.cpp:2717
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87
APSInt
llvm::APSInt APSInt
Definition: ByteCodeEmitter.cpp:19
AllocationState.h
clang::syntax::NodeRole::Parameters
@ Parameters
V
#define V(N, I)
Definition: ASTContext.h:3235
ProgramPoint.h
clang::ast_matchers
Definition: ASTMatchers.h:98
BuiltinCheckerRegistration.h
DeclTemplate.h
CASE
#define CASE(ID)
clang::Decl::specific_attrs
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
Definition: DeclBase.h:542
clang::VarDecl::isStaticLocal
bool isStaticLocal() const
Returns true if a variable with function scope is a static local variable.
Definition: Decl.h:1155
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition: PathDiagnostic.h:248
clang::XRayInstrKind::None
constexpr XRayInstrMask None
Definition: XRayInstr.h:38
CheckerManager.h
clang::BlockExpr::getBlockDecl
const BlockDecl * getBlockDecl() const
Definition: Expr.h:5987
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:209
ASTMatchers.h
clang::ASTContext::getSizeType
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Definition: ASTContext.cpp:5933
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:29
clang::FunctionDecl::getBody
Stmt * getBody(const FunctionDecl *&Definition) const
Retrieve the body (definition) of the function.
Definition: Decl.cpp:3116
clang::LocationContext::isParentOf
bool isParentOf(const LocationContext *LC) const
Definition: AnalysisDeclContext.cpp:477
clang::CallExpr::getArg
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:3001
clang::CXXDestructorDecl
Represents a C++ destructor within a class.
Definition: DeclCXX.h:2703
didPreviousFreeFail
static bool didPreviousFreeFail(ProgramStateRef State, SymbolRef Sym, SymbolRef &RetStatusSymbol)
Checks if the previous call to free on the given symbol failed - if free failed, returns true.
Definition: MallocChecker.cpp:1812
Expr.h
llvm::SmallString
Definition: LLVM.h:37
clang::interp::Zero
bool Zero(InterpState &S, CodePtr OpPC)
Definition: Interp.h:1122
REGISTER_SET_WITH_PROGRAMSTATE
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:112
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:906
clang::CallEnter::getCallExpr
const Stmt * getCallExpr() const
Definition: ProgramPoint.h:635
clang::Type::getPointeeType
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition: Type.cpp:625
clang::ento::bugreporter::TrackingKind::Thorough
@ Thorough
Default tracking kind – specifies that as much information should be gathered about the tracked expre...
clang::CXXConstructExpr::getConstructor
CXXConstructorDecl * getConstructor() const
Get the constructor that this expression will (ultimately) call.
Definition: ExprCXX.h:1539
clang::Type::getAsCXXRecordDecl
CXXRecordDecl * getAsCXXRecordDecl() const
Retrieves the CXXRecordDecl that this type refers to, either because the type is a RecordType or beca...
Definition: Type.cpp:1760
clang::getOperatorSpelling
const char * getOperatorSpelling(OverloadedOperatorKind Operator)
Retrieve the spelling of the given overloaded operator, without the preceding "operator" keyword.
Definition: IdentifierTable.cpp:818
ExprCXX.h
Label
std::string Label
Definition: UsingDeclarationsSorter.cpp:69
clang::FunctionDecl::getOverloadedOperator
OverloadedOperatorKind getOverloadedOperator() const
getOverloadedOperator - Which C++ overloaded operator this function represents, if any.
Definition: Decl.cpp:3739
clang::AtomicExpr::AtomicOp
AtomicOp
Definition: Expr.h:6241
clang::ObjCMessageExpr
An expression that sends a message to the given Objective-C object or class.
Definition: ExprObjC.h:940
ExplodedGraph.h
clang::OverloadedOperatorKind
OverloadedOperatorKind
Enumeration specifying the different kinds of C++ overloaded operators.
Definition: OperatorKinds.h:21
state
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
Definition: README.txt:30
clang::FunctionDecl::hasBody
bool hasBody(const FunctionDecl *&Definition) const
Returns true if the function has a body.
Definition: Decl.cpp:3036
clang::BlockDecl::hasCaptures
bool hasCaptures() const
True if this block (or its nested blocks) captures anything of local storage from its enclosing scope...
Definition: Decl.h:4402
clang::LocationContext::getParent
const LocationContext * getParent() const
It might return null.
Definition: AnalysisDeclContext.h:247
clang::QualType::getDesugaredType
QualType getDesugaredType(const ASTContext &Context) const
Return the specified type with any "sugar" removed from the type.
Definition: Type.h:1052
clang::ento::CheckerManager::getChecker
CHECKER * getChecker()
Definition: CheckerManager.h:218
clang::TargetInfo::getTriple
const llvm::Triple & getTriple() const
Returns the target triple of the primary target.
Definition: TargetInfo.h:1197
clang::ASTContext::UnsignedLongTy
CanQualType UnsignedLongTy
Definition: ASTContext.h:1117
clang::ento::categories::MemoryError
const char *const MemoryError
Definition: CommonBugCategories.cpp:20
clang::ParentMap
Definition: ParentMap.h:20
checkIfNewOrNewArrayFamily
static bool checkIfNewOrNewArrayFamily(const RefState *RS)
Definition: MallocChecker.cpp:3288
P
StringRef P
Definition: ASTMatchersInternal.cpp:563
printExpectedDeallocName
static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family)
Print expected name of a deallocator based on the allocator's family.
Definition: MallocChecker.cpp:1877
isReferenceCountingPointerDestructor
static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD)
Definition: MallocChecker.cpp:3349
clang::ASTContext::VoidPtrTy
CanQualType VoidPtrTy
Definition: ASTContext.h:1134
clang::Decl::hasAttrs
bool hasAttrs() const
Definition: DeclBase.h:502
clang::syntax::NodeRole::Size
@ Size
BugType.h
clang::NamedDecl::getIdentifier
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:268
clang::ento::allocation_state::getInnerPointerBRVisitor
std::unique_ptr< BugReporterVisitor > getInnerPointerBRVisitor(SymbolRef Sym)
This function provides an additional visitor that augments the bug report with information relevant t...
Definition: InnerPointerChecker.cpp:288
clang::ProgramPoint::PostImplicitCallKind
@ PostImplicitCallKind
Definition: ProgramPoint.h:82
dump
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
Definition: CoverageMappingGen.cpp:1539
clang::CharSourceRange::getTokenRange
static CharSourceRange getTokenRange(SourceRange R)
Definition: SourceLocation.h:261
clang::CallExpr::getNumArgs
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2988
clang::CXXDeleteExpr
Represents a delete expression for memory deallocation and destructor calls, e.g.
Definition: ExprCXX.h:2422
hasNonTrivialConstructorCall
static bool hasNonTrivialConstructorCall(const CXXNewExpr *NE)
Definition: MallocChecker.cpp:1568
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:802
clang::BlockExpr
BlockExpr - Adaptor class for mixing a BlockDecl with expressions.
Definition: Expr.h:5975
llvm::ArrayRef
Definition: LLVM.h:34
printMemFnName
static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E)
Print names of allocators and deallocators.
Definition: MallocChecker.cpp:1825
Lexer.h
clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:83
clang::ento::CDF_MaybeBuiltin
@ CDF_MaybeBuiltin
Describes a C standard function that is sometimes implemented as a macro that expands to a compiler b...
Definition: CallDescription.h:38
LLVM.h
clang::ASTContext::CharTy
CanQualType CharTy
Definition: ASTContext.h:1109
State
LineState State
Definition: UnwrappedLineFormatter.cpp:1147
clang::NamedDecl::getQualifiedNameAsString
std::string getQualifiedNameAsString() const
Definition: Decl.cpp:1626
clang::ast_matchers::callExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CallExpr > callExpr
Matches call expressions.
Definition: ASTMatchersInternal.cpp:817
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:85
clang::ASTContext::getTargetInfo
const TargetInfo & getTargetInfo() const
Definition: ASTContext.h:773
isStandardNewDelete
static bool isStandardNewDelete(const FunctionDecl *FD)
Tells if the callee is one of the builtin new/delete operators, including placement operators and oth...
Definition: MallocChecker.cpp:1065
CheckerContext.h
clang::ento::allocation_state::getContainerObjRegion
const MemRegion * getContainerObjRegion(ProgramStateRef State, SymbolRef Sym)
'Sym' represents a pointer to the inner buffer of a container object.
Definition: InnerPointerChecker.cpp:292
clang::ObjCPropertyAttribute::Kind
Kind
Definition: DeclObjCCommon.h:22
ProgramState.h
Checker.h
MallocUpdateRefState
static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, AllocationFamily Family, Optional< SVal > RetVal=None)
Update the RefState to reflect the new memory allocation.
Definition: MallocChecker.cpp:1747
std
Definition: Format.h:4477
clang::interp::NE
bool NE(InterpState &S, CodePtr OpPC)
Definition: Interp.h:490
ParentMap.h
clang::ento::CheckerManager
Definition: CheckerManager.h:126
clang::IdentifierInfo::getName
StringRef getName() const
Return the actual identifier string.
Definition: IdentifierTable.h:196
clang::Builtin::ID
ID
Definition: Builtins.h:52
clang
Definition: CalledOnceCheck.h:17
clang::Selector
Smart pointer class that efficiently represents Objective-C method names.
Definition: IdentifierTable.h:759
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:71
clang::Decl::print
void print(raw_ostream &Out, unsigned Indentation=0, bool PrintInstantiation=false) const
Definition: DeclPrinter.cpp:125
clang::SourceManager::isInSystemHeader
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
Definition: SourceManager.h:1504
clang::ast_matchers::match
SmallVector< BoundNodes, 1 > match(MatcherT Matcher, const NodeT &Node, ASTContext &Context)
Returns the results of matching Matcher on Node.
Definition: ASTMatchFinder.h:312
isStandardRealloc
static bool isStandardRealloc(const CallEvent &Call)
Definition: MallocChecker.cpp:1233
CheckerHelpers.h
clang::Expr::getType
QualType getType() const
Definition: Expr.h:141
clang::SourceLocation::isValid
bool isValid() const
Return true if this is a valid SourceLocation object.
Definition: SourceLocation.h:110
clang::ento::PathDiagnosticLocation::createBegin
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Definition: PathDiagnostic.cpp:580
clang::OverloadCandidateParamOrder::Normal
@ Normal
s
__device__ __2f16 float bool s
Definition: __clang_hip_libdevice_declares.h:320
clang::CXXDeleteExpr::getArgument
Expr * getArgument()
Definition: ExprCXX.h:2463
isGRealloc
static bool isGRealloc(const CallEvent &Call)
Definition: MallocChecker.cpp:1247
clang::ento::PointerEscapeKind
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Definition: CheckerManager.h:78
isReleased
static bool isReleased(SymbolRef Sym, CheckerContext &C)
Check if the memory associated with this symbol was released.
Definition: MallocChecker.cpp:2988
clang::CallEnter
Represents a point when we begin processing an inlined call.
Definition: ProgramPoint.h:629
clang::ast_matchers::BoundNodes
Maps string IDs to AST nodes matched by parts of a matcher.
Definition: ASTMatchers.h:107
clang::ento::setDynamicExtent
ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal Extent, SValBuilder &SVB)
Set the dynamic extent Extent of the region MR.
clang::ento::allocation_state::markReleased
ProgramStateRef markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin)
Definition: MallocChecker.cpp:3580
isKnownDeallocObjCMethodName
static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call)
Definition: MallocChecker.cpp:1633
llvm::SmallVectorImpl
Definition: Randstruct.h:18
clang::interp::Call
bool Call(InterpState &S, CodePtr &PC, const Function *Func)
Definition: Interp.h:1246
clang::ParentMap::isConsumedExpr
bool isConsumedExpr(Expr *E) const
Definition: ParentMap.cpp:170
clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:712
ProgramStateTrait.h
clang::Expr
This represents one expression.
Definition: Expr.h:109
clang::ento::InvalidatedSymbols
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
clang::FunctionDecl::parameters
ArrayRef< ParmVarDecl * > parameters() const
Definition: Decl.h:2571
clang::Decl::getLocation
SourceLocation getLocation() const
Definition: DeclBase.h:432
clang::DeclRefExpr
A reference to a declared variable, function, enum, etc.
Definition: Expr.h:1232
GCCTypeClass::None
@ None
clang::LocationContext::getDecl
const Decl * getDecl() const
Definition: AnalysisDeclContext.h:251
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1904
StoreRef.h
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2810
REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition: MallocChecker.cpp:3611
clang::CXXConstructExpr
Represents a call to a C++ constructor.
Definition: ExprCXX.h:1467
getFreeWhenDoneArg
static Optional< bool > getFreeWhenDoneArg(const ObjCMethodCall &Call)
Definition: MallocChecker.cpp:1645
clang::operator==
bool operator==(const CallGraphNode::CallRecord &LHS, const CallGraphNode::CallRecord &RHS)
Definition: CallGraph.h:207
llvm::IntrusiveRefCntPtr< const ProgramState >
abs
__DEVICE__ long long abs(long long __n)
Definition: __clang_cuda_cmath.h:41
clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:2796
clang::CXXMethodDecl::getParent
const CXXRecordDecl * getParent() const
Return the parent of this method declaration, which is the class in which this method is defined.
Definition: DeclCXX.h:2098
clang::NamedDecl::getName
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:274