clang  14.0.0git
MallocChecker.cpp
Go to the documentation of this file.
1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines a variety of memory management related checkers, such as
10 // leak, double free, and use-after-free.
11 //
12 // The following checkers are defined here:
13 //
14 // * MallocChecker
15 // Despite its name, it models all sorts of memory allocations and
16 // de- or reallocation, including but not limited to malloc, free,
17 // relloc, new, delete. It also reports on a variety of memory misuse
18 // errors.
19 // Many other checkers interact very closely with this checker, in fact,
20 // most are merely options to this one. Other checkers may register
21 // MallocChecker, but do not enable MallocChecker's reports (more details
22 // to follow around its field, ChecksEnabled).
23 // It also has a boolean "Optimistic" checker option, which if set to true
24 // will cause the checker to model user defined memory management related
25 // functions annotated via the attribute ownership_takes, ownership_holds
26 // and ownership_returns.
27 //
28 // * NewDeleteChecker
29 // Enables the modeling of new, new[], delete, delete[] in MallocChecker,
30 // and checks for related double-free and use-after-free errors.
31 //
32 // * NewDeleteLeaksChecker
33 // Checks for leaks related to new, new[], delete, delete[].
34 // Depends on NewDeleteChecker.
35 //
36 // * MismatchedDeallocatorChecker
37 // Enables checking whether memory is deallocated with the correspending
38 // allocation function in MallocChecker, such as malloc() allocated
39 // regions are only freed by free(), new by delete, new[] by delete[].
40 //
41 // InnerPointerChecker interacts very closely with MallocChecker, but unlike
42 // the above checkers, it has it's own file, hence the many InnerPointerChecker
43 // related headers and non-static functions.
44 //
45 //===----------------------------------------------------------------------===//
46 
47 #include "AllocationState.h"
48 #include "InterCheckerAPI.h"
49 #include "clang/AST/Attr.h"
50 #include "clang/AST/DeclCXX.h"
51 #include "clang/AST/DeclTemplate.h"
52 #include "clang/AST/Expr.h"
53 #include "clang/AST/ExprCXX.h"
54 #include "clang/AST/ParentMap.h"
58 #include "clang/Basic/LLVM.h"
60 #include "clang/Basic/TargetInfo.h"
61 #include "clang/Lex/Lexer.h"
78 #include "llvm/ADT/STLExtras.h"
79 #include "llvm/ADT/SetOperations.h"
80 #include "llvm/ADT/SmallString.h"
81 #include "llvm/ADT/StringExtras.h"
82 #include "llvm/Support/Casting.h"
83 #include "llvm/Support/Compiler.h"
84 #include "llvm/Support/ErrorHandling.h"
85 #include "llvm/Support/raw_ostream.h"
86 #include <climits>
87 #include <functional>
88 #include <utility>
89 
90 using namespace clang;
91 using namespace ento;
92 using namespace std::placeholders;
93 
94 //===----------------------------------------------------------------------===//
95 // The types of allocation we're modeling. This is used to check whether a
96 // dynamically allocated object is deallocated with the correct function, like
97 // not using operator delete on an object created by malloc(), or alloca regions
98 // aren't ever deallocated manually.
99 //===----------------------------------------------------------------------===//
100 
101 namespace {
102 
103 // Used to check correspondence between allocators and deallocators.
104 enum AllocationFamily {
105  AF_None,
106  AF_Malloc,
107  AF_CXXNew,
108  AF_CXXNewArray,
109  AF_IfNameIndex,
110  AF_Alloca,
111  AF_InnerBuffer
112 };
113 
114 } // end of anonymous namespace
115 
116 /// Print names of allocators and deallocators.
117 ///
118 /// \returns true on success.
119 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E);
120 
121 /// Print expected name of an allocator based on the deallocator's family
122 /// derived from the DeallocExpr.
123 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family);
124 
125 /// Print expected name of a deallocator based on the allocator's
126 /// family.
127 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family);
128 
129 //===----------------------------------------------------------------------===//
130 // The state of a symbol, in terms of memory management.
131 //===----------------------------------------------------------------------===//
132 
133 namespace {
134 
135 class RefState {
136  enum Kind {
137  // Reference to allocated memory.
138  Allocated,
139  // Reference to zero-allocated memory.
140  AllocatedOfSizeZero,
141  // Reference to released/freed memory.
142  Released,
143  // The responsibility for freeing resources has transferred from
144  // this reference. A relinquished symbol should not be freed.
145  Relinquished,
146  // We are no longer guaranteed to have observed all manipulations
147  // of this pointer/memory. For example, it could have been
148  // passed as a parameter to an opaque function.
149  Escaped
150  };
151 
152  const Stmt *S;
153 
154  Kind K;
155  AllocationFamily Family;
156 
157  RefState(Kind k, const Stmt *s, AllocationFamily family)
158  : S(s), K(k), Family(family) {
159  assert(family != AF_None);
160  }
161 
162 public:
163  bool isAllocated() const { return K == Allocated; }
164  bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
165  bool isReleased() const { return K == Released; }
166  bool isRelinquished() const { return K == Relinquished; }
167  bool isEscaped() const { return K == Escaped; }
168  AllocationFamily getAllocationFamily() const { return Family; }
169  const Stmt *getStmt() const { return S; }
170 
171  bool operator==(const RefState &X) const {
172  return K == X.K && S == X.S && Family == X.Family;
173  }
174 
175  static RefState getAllocated(AllocationFamily family, const Stmt *s) {
176  return RefState(Allocated, s, family);
177  }
178  static RefState getAllocatedOfSizeZero(const RefState *RS) {
179  return RefState(AllocatedOfSizeZero, RS->getStmt(),
180  RS->getAllocationFamily());
181  }
182  static RefState getReleased(AllocationFamily family, const Stmt *s) {
183  return RefState(Released, s, family);
184  }
185  static RefState getRelinquished(AllocationFamily family, const Stmt *s) {
186  return RefState(Relinquished, s, family);
187  }
188  static RefState getEscaped(const RefState *RS) {
189  return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
190  }
191 
192  void Profile(llvm::FoldingSetNodeID &ID) const {
193  ID.AddInteger(K);
194  ID.AddPointer(S);
195  ID.AddInteger(Family);
196  }
197 
198  LLVM_DUMP_METHOD void dump(raw_ostream &OS) const {
199  switch (K) {
200 #define CASE(ID) case ID: OS << #ID; break;
201  CASE(Allocated)
202  CASE(AllocatedOfSizeZero)
203  CASE(Released)
204  CASE(Relinquished)
205  CASE(Escaped)
206  }
207  }
208 
209  LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
210 };
211 
212 } // end of anonymous namespace
213 
214 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
215 
216 /// Check if the memory associated with this symbol was released.
217 static bool isReleased(SymbolRef Sym, CheckerContext &C);
218 
219 /// Update the RefState to reflect the new memory allocation.
220 /// The optional \p RetVal parameter specifies the newly allocated pointer
221 /// value; if unspecified, the value of expression \p E is used.
222 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
224  AllocationFamily Family,
225  Optional<SVal> RetVal = None);
226 
227 //===----------------------------------------------------------------------===//
228 // The modeling of memory reallocation.
229 //
230 // The terminology 'toPtr' and 'fromPtr' will be used:
231 // toPtr = realloc(fromPtr, 20);
232 //===----------------------------------------------------------------------===//
233 
234 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
235 
236 namespace {
237 
238 /// The state of 'fromPtr' after reallocation is known to have failed.
239 enum OwnershipAfterReallocKind {
240  // The symbol needs to be freed (e.g.: realloc)
241  OAR_ToBeFreedAfterFailure,
242  // The symbol has been freed (e.g.: reallocf)
243  OAR_FreeOnFailure,
244  // The symbol doesn't have to freed (e.g.: we aren't sure if, how and where
245  // 'fromPtr' was allocated:
246  // void Haha(int *ptr) {
247  // ptr = realloc(ptr, 67);
248  // // ...
249  // }
250  // ).
251  OAR_DoNotTrackAfterFailure
252 };
253 
254 /// Stores information about the 'fromPtr' symbol after reallocation.
255 ///
256 /// This is important because realloc may fail, and that needs special modeling.
257 /// Whether reallocation failed or not will not be known until later, so we'll
258 /// store whether upon failure 'fromPtr' will be freed, or needs to be freed
259 /// later, etc.
260 struct ReallocPair {
261 
262  // The 'fromPtr'.
263  SymbolRef ReallocatedSym;
264  OwnershipAfterReallocKind Kind;
265 
266  ReallocPair(SymbolRef S, OwnershipAfterReallocKind K)
267  : ReallocatedSym(S), Kind(K) {}
268  void Profile(llvm::FoldingSetNodeID &ID) const {
269  ID.AddInteger(Kind);
270  ID.AddPointer(ReallocatedSym);
271  }
272  bool operator==(const ReallocPair &X) const {
273  return ReallocatedSym == X.ReallocatedSym &&
274  Kind == X.Kind;
275  }
276 };
277 
278 } // end of anonymous namespace
279 
280 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
281 
282 /// Tells if the callee is one of the builtin new/delete operators, including
283 /// placement operators and other standard overloads.
284 static bool isStandardNewDelete(const FunctionDecl *FD);
285 static bool isStandardNewDelete(const CallEvent &Call) {
286  if (!Call.getDecl() || !isa<FunctionDecl>(Call.getDecl()))
287  return false;
288  return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl()));
289 }
290 
291 //===----------------------------------------------------------------------===//
292 // Definition of the MallocChecker class.
293 //===----------------------------------------------------------------------===//
294 
295 namespace {
296 
297 class MallocChecker
298  : public Checker<check::DeadSymbols, check::PointerEscape,
299  check::ConstPointerEscape, check::PreStmt<ReturnStmt>,
300  check::EndFunction, check::PreCall, check::PostCall,
301  check::NewAllocator, check::PostStmt<BlockExpr>,
302  check::PostObjCMessage, check::Location, eval::Assume> {
303 public:
304  /// In pessimistic mode, the checker assumes that it does not know which
305  /// functions might free the memory.
306  /// In optimistic mode, the checker assumes that all user-defined functions
307  /// which might free a pointer are annotated.
308  DefaultBool ShouldIncludeOwnershipAnnotatedFunctions;
309 
310  DefaultBool ShouldRegisterNoOwnershipChangeVisitor;
311 
312  /// Many checkers are essentially built into this one, so enabling them will
313  /// make MallocChecker perform additional modeling and reporting.
314  enum CheckKind {
315  /// When a subchecker is enabled but MallocChecker isn't, model memory
316  /// management but do not emit warnings emitted with MallocChecker only
317  /// enabled.
318  CK_MallocChecker,
319  CK_NewDeleteChecker,
320  CK_NewDeleteLeaksChecker,
321  CK_MismatchedDeallocatorChecker,
322  CK_InnerPointerChecker,
323  CK_NumCheckKinds
324  };
325 
326  using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>;
327 
328  DefaultBool ChecksEnabled[CK_NumCheckKinds];
329  CheckerNameRef CheckNames[CK_NumCheckKinds];
330 
331  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
332  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
333  void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const;
334  void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
335  void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
336  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
337  void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
338  void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
339  ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
340  bool Assumption) const;
341  void checkLocation(SVal l, bool isLoad, const Stmt *S,
342  CheckerContext &C) const;
343 
344  ProgramStateRef checkPointerEscape(ProgramStateRef State,
345  const InvalidatedSymbols &Escaped,
346  const CallEvent *Call,
347  PointerEscapeKind Kind) const;
348  ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
349  const InvalidatedSymbols &Escaped,
350  const CallEvent *Call,
351  PointerEscapeKind Kind) const;
352 
353  void printState(raw_ostream &Out, ProgramStateRef State,
354  const char *NL, const char *Sep) const override;
355 
356 private:
357  mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
358  mutable std::unique_ptr<BugType> BT_DoubleDelete;
359  mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
360  mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
361  mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
362  mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
363  mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
364  mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
365  mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
366 
367 #define CHECK_FN(NAME) \
368  void NAME(const CallEvent &Call, CheckerContext &C) const;
369 
370  CHECK_FN(checkFree)
371  CHECK_FN(checkIfNameIndex)
372  CHECK_FN(checkBasicAlloc)
373  CHECK_FN(checkKernelMalloc)
374  CHECK_FN(checkCalloc)
375  CHECK_FN(checkAlloca)
376  CHECK_FN(checkStrdup)
377  CHECK_FN(checkIfFreeNameIndex)
378  CHECK_FN(checkCXXNewOrCXXDelete)
379  CHECK_FN(checkGMalloc0)
380  CHECK_FN(checkGMemdup)
381  CHECK_FN(checkGMallocN)
382  CHECK_FN(checkGMallocN0)
383  CHECK_FN(checkReallocN)
384  CHECK_FN(checkOwnershipAttr)
385 
386  void checkRealloc(const CallEvent &Call, CheckerContext &C,
387  bool ShouldFreeOnFail) const;
388 
389  using CheckFn = std::function<void(const MallocChecker *,
390  const CallEvent &Call, CheckerContext &C)>;
391 
392  const CallDescriptionMap<CheckFn> FreeingMemFnMap{
393  {{"free", 1}, &MallocChecker::checkFree},
394  {{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex},
395  {{"kfree", 1}, &MallocChecker::checkFree},
396  {{"g_free", 1}, &MallocChecker::checkFree},
397  };
398 
399  bool isFreeingCall(const CallEvent &Call) const;
400 
401  CallDescriptionMap<CheckFn> AllocatingMemFnMap{
402  {{"alloca", 1}, &MallocChecker::checkAlloca},
403  {{"_alloca", 1}, &MallocChecker::checkAlloca},
404  {{"malloc", 1}, &MallocChecker::checkBasicAlloc},
405  {{"malloc", 3}, &MallocChecker::checkKernelMalloc},
406  {{"calloc", 2}, &MallocChecker::checkCalloc},
407  {{"valloc", 1}, &MallocChecker::checkBasicAlloc},
408  {{CDF_MaybeBuiltin, "strndup", 2}, &MallocChecker::checkStrdup},
409  {{CDF_MaybeBuiltin, "strdup", 1}, &MallocChecker::checkStrdup},
410  {{"_strdup", 1}, &MallocChecker::checkStrdup},
411  {{"kmalloc", 2}, &MallocChecker::checkKernelMalloc},
412  {{"if_nameindex", 1}, &MallocChecker::checkIfNameIndex},
413  {{CDF_MaybeBuiltin, "wcsdup", 1}, &MallocChecker::checkStrdup},
414  {{CDF_MaybeBuiltin, "_wcsdup", 1}, &MallocChecker::checkStrdup},
415  {{"g_malloc", 1}, &MallocChecker::checkBasicAlloc},
416  {{"g_malloc0", 1}, &MallocChecker::checkGMalloc0},
417  {{"g_try_malloc", 1}, &MallocChecker::checkBasicAlloc},
418  {{"g_try_malloc0", 1}, &MallocChecker::checkGMalloc0},
419  {{"g_memdup", 2}, &MallocChecker::checkGMemdup},
420  {{"g_malloc_n", 2}, &MallocChecker::checkGMallocN},
421  {{"g_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
422  {{"g_try_malloc_n", 2}, &MallocChecker::checkGMallocN},
423  {{"g_try_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
424  };
425 
426  CallDescriptionMap<CheckFn> ReallocatingMemFnMap{
427  {{"realloc", 2},
428  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
429  {{"reallocf", 2},
430  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, true)},
431  {{"g_realloc", 2},
432  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
433  {{"g_try_realloc", 2},
434  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
435  {{"g_realloc_n", 3}, &MallocChecker::checkReallocN},
436  {{"g_try_realloc_n", 3}, &MallocChecker::checkReallocN},
437  };
438 
439  bool isMemCall(const CallEvent &Call) const;
440 
441  // TODO: Remove mutable by moving the initializtaion to the registry function.
442  mutable Optional<uint64_t> KernelZeroFlagVal;
443 
444  using KernelZeroSizePtrValueTy = Optional<int>;
445  /// Store the value of macro called `ZERO_SIZE_PTR`.
446  /// The value is initialized at first use, before first use the outer
447  /// Optional is empty, afterwards it contains another Optional that indicates
448  /// if the macro value could be determined, and if yes the value itself.
449  mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue;
450 
451  /// Process C++ operator new()'s allocation, which is the part of C++
452  /// new-expression that goes before the constructor.
453  LLVM_NODISCARD
454  ProgramStateRef processNewAllocation(const CXXAllocatorCall &Call,
455  CheckerContext &C,
456  AllocationFamily Family) const;
457 
458  /// Perform a zero-allocation check.
459  ///
460  /// \param [in] Call The expression that allocates memory.
461  /// \param [in] IndexOfSizeArg Index of the argument that specifies the size
462  /// of the memory that needs to be allocated. E.g. for malloc, this would be
463  /// 0.
464  /// \param [in] RetVal Specifies the newly allocated pointer value;
465  /// if unspecified, the value of expression \p E is used.
466  LLVM_NODISCARD
467  static ProgramStateRef ProcessZeroAllocCheck(const CallEvent &Call,
468  const unsigned IndexOfSizeArg,
470  Optional<SVal> RetVal = None);
471 
472  /// Model functions with the ownership_returns attribute.
473  ///
474  /// User-defined function may have the ownership_returns attribute, which
475  /// annotates that the function returns with an object that was allocated on
476  /// the heap, and passes the ownertship to the callee.
477  ///
478  /// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t);
479  ///
480  /// It has two parameters:
481  /// - first: name of the resource (e.g. 'malloc')
482  /// - (OPTIONAL) second: size of the allocated region
483  ///
484  /// \param [in] Call The expression that allocates memory.
485  /// \param [in] Att The ownership_returns attribute.
486  /// \param [in] State The \c ProgramState right before allocation.
487  /// \returns The ProgramState right after allocation.
488  LLVM_NODISCARD
489  ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
490  const OwnershipAttr *Att,
491  ProgramStateRef State) const;
492 
493  /// Models memory allocation.
494  ///
495  /// \param [in] Call The expression that allocates memory.
496  /// \param [in] SizeEx Size of the memory that needs to be allocated.
497  /// \param [in] Init The value the allocated memory needs to be initialized.
498  /// with. For example, \c calloc initializes the allocated memory to 0,
499  /// malloc leaves it undefined.
500  /// \param [in] State The \c ProgramState right before allocation.
501  /// \returns The ProgramState right after allocation.
502  LLVM_NODISCARD
503  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call,
504  const Expr *SizeEx, SVal Init,
506  AllocationFamily Family);
507 
508  /// Models memory allocation.
509  ///
510  /// \param [in] Call The expression that allocates memory.
511  /// \param [in] Size Size of the memory that needs to be allocated.
512  /// \param [in] Init The value the allocated memory needs to be initialized.
513  /// with. For example, \c calloc initializes the allocated memory to 0,
514  /// malloc leaves it undefined.
515  /// \param [in] State The \c ProgramState right before allocation.
516  /// \returns The ProgramState right after allocation.
517  LLVM_NODISCARD
518  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call,
519  SVal Size, SVal Init,
521  AllocationFamily Family);
522 
523  // Check if this malloc() for special flags. At present that means M_ZERO or
524  // __GFP_ZERO (in which case, treat it like calloc).
525  LLVM_NODISCARD
527  performKernelMalloc(const CallEvent &Call, CheckerContext &C,
528  const ProgramStateRef &State) const;
529 
530  /// Model functions with the ownership_takes and ownership_holds attributes.
531  ///
532  /// User-defined function may have the ownership_takes and/or ownership_holds
533  /// attributes, which annotates that the function frees the memory passed as a
534  /// parameter.
535  ///
536  /// void __attribute((ownership_takes(malloc, 1))) my_free(void *);
537  /// void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
538  ///
539  /// They have two parameters:
540  /// - first: name of the resource (e.g. 'malloc')
541  /// - second: index of the parameter the attribute applies to
542  ///
543  /// \param [in] Call The expression that frees memory.
544  /// \param [in] Att The ownership_takes or ownership_holds attribute.
545  /// \param [in] State The \c ProgramState right before allocation.
546  /// \returns The ProgramState right after deallocation.
547  LLVM_NODISCARD
548  ProgramStateRef FreeMemAttr(CheckerContext &C, const CallEvent &Call,
549  const OwnershipAttr *Att,
550  ProgramStateRef State) const;
551 
552  /// Models memory deallocation.
553  ///
554  /// \param [in] Call The expression that frees memory.
555  /// \param [in] State The \c ProgramState right before allocation.
556  /// \param [in] Num Index of the argument that needs to be freed. This is
557  /// normally 0, but for custom free functions it may be different.
558  /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
559  /// attribute.
560  /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
561  /// to have been allocated, or in other words, the symbol to be freed was
562  /// registered as allocated by this checker. In the following case, \c ptr
563  /// isn't known to be allocated.
564  /// void Haha(int *ptr) {
565  /// ptr = realloc(ptr, 67);
566  /// // ...
567  /// }
568  /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
569  /// we're modeling returns with Null on failure.
570  /// \returns The ProgramState right after deallocation.
571  LLVM_NODISCARD
572  ProgramStateRef FreeMemAux(CheckerContext &C, const CallEvent &Call,
573  ProgramStateRef State, unsigned Num, bool Hold,
574  bool &IsKnownToBeAllocated,
575  AllocationFamily Family,
576  bool ReturnsNullOnFailure = false) const;
577 
578  /// Models memory deallocation.
579  ///
580  /// \param [in] ArgExpr The variable who's pointee needs to be freed.
581  /// \param [in] Call The expression that frees the memory.
582  /// \param [in] State The \c ProgramState right before allocation.
583  /// normally 0, but for custom free functions it may be different.
584  /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
585  /// attribute.
586  /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
587  /// to have been allocated, or in other words, the symbol to be freed was
588  /// registered as allocated by this checker. In the following case, \c ptr
589  /// isn't known to be allocated.
590  /// void Haha(int *ptr) {
591  /// ptr = realloc(ptr, 67);
592  /// // ...
593  /// }
594  /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
595  /// we're modeling returns with Null on failure.
596  /// \returns The ProgramState right after deallocation.
597  LLVM_NODISCARD
598  ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *ArgExpr,
599  const CallEvent &Call, ProgramStateRef State,
600  bool Hold, bool &IsKnownToBeAllocated,
601  AllocationFamily Family,
602  bool ReturnsNullOnFailure = false) const;
603 
604  // TODO: Needs some refactoring, as all other deallocation modeling
605  // functions are suffering from out parameters and messy code due to how
606  // realloc is handled.
607  //
608  /// Models memory reallocation.
609  ///
610  /// \param [in] Call The expression that reallocated memory
611  /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied
612  /// memory should be freed.
613  /// \param [in] State The \c ProgramState right before reallocation.
614  /// \param [in] SuffixWithN Whether the reallocation function we're modeling
615  /// has an '_n' suffix, such as g_realloc_n.
616  /// \returns The ProgramState right after reallocation.
617  LLVM_NODISCARD
618  ProgramStateRef ReallocMemAux(CheckerContext &C, const CallEvent &Call,
619  bool ShouldFreeOnFail, ProgramStateRef State,
620  AllocationFamily Family,
621  bool SuffixWithN = false) const;
622 
623  /// Evaluates the buffer size that needs to be allocated.
624  ///
625  /// \param [in] Blocks The amount of blocks that needs to be allocated.
626  /// \param [in] BlockBytes The size of a block.
627  /// \returns The symbolic value of \p Blocks * \p BlockBytes.
628  LLVM_NODISCARD
629  static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
630  const Expr *BlockBytes);
631 
632  /// Models zero initialized array allocation.
633  ///
634  /// \param [in] Call The expression that reallocated memory
635  /// \param [in] State The \c ProgramState right before reallocation.
636  /// \returns The ProgramState right after allocation.
637  LLVM_NODISCARD
638  static ProgramStateRef CallocMem(CheckerContext &C, const CallEvent &Call,
640 
641  /// See if deallocation happens in a suspicious context. If so, escape the
642  /// pointers that otherwise would have been deallocated and return true.
643  bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call,
644  CheckerContext &C) const;
645 
646  /// If in \p S \p Sym is used, check whether \p Sym was already freed.
647  bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
648 
649  /// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero
650  /// sized memory region.
651  void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
652  const Stmt *S) const;
653 
654  /// If in \p S \p Sym is being freed, check whether \p Sym was already freed.
655  bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
656 
657  /// Check if the function is known to free memory, or if it is
658  /// "interesting" and should be modeled explicitly.
659  ///
660  /// \param [out] EscapingSymbol A function might not free memory in general,
661  /// but could be known to free a particular symbol. In this case, false is
662  /// returned and the single escaping symbol is returned through the out
663  /// parameter.
664  ///
665  /// We assume that pointers do not escape through calls to system functions
666  /// not handled by this checker.
667  bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
669  SymbolRef &EscapingSymbol) const;
670 
671  /// Implementation of the checkPointerEscape callbacks.
672  LLVM_NODISCARD
673  ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
674  const InvalidatedSymbols &Escaped,
675  const CallEvent *Call,
677  bool IsConstPointerEscape) const;
678 
679  // Implementation of the checkPreStmt and checkEndFunction callbacks.
680  void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
681 
682  ///@{
683  /// Tells if a given family/call/symbol is tracked by the current checker.
684  /// Sets CheckKind to the kind of the checker responsible for this
685  /// family/call/symbol.
686  Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
687  bool IsALeakCheck = false) const;
688 
689  Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
690  bool IsALeakCheck = false) const;
691  ///@}
692  static bool SummarizeValue(raw_ostream &os, SVal V);
693  static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
694 
695  void HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, SourceRange Range,
696  const Expr *DeallocExpr,
697  AllocationFamily Family) const;
698 
699  void HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
700  SourceRange Range) const;
701 
702  void HandleMismatchedDealloc(CheckerContext &C, SourceRange Range,
703  const Expr *DeallocExpr, const RefState *RS,
704  SymbolRef Sym, bool OwnershipTransferred) const;
705 
706  void HandleOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
707  const Expr *DeallocExpr, AllocationFamily Family,
708  const Expr *AllocExpr = nullptr) const;
709 
710  void HandleUseAfterFree(CheckerContext &C, SourceRange Range,
711  SymbolRef Sym) const;
712 
713  void HandleDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
714  SymbolRef Sym, SymbolRef PrevSym) const;
715 
716  void HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
717 
718  void HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
719  SymbolRef Sym) const;
720 
721  void HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
722  const Expr *FreeExpr,
723  AllocationFamily Family) const;
724 
725  /// Find the location of the allocation for Sym on the path leading to the
726  /// exploded node N.
727  static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
728  CheckerContext &C);
729 
730  void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
731 
732  /// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`.
733  bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
734  SVal ArgVal) const;
735 };
736 } // end anonymous namespace
737 
738 //===----------------------------------------------------------------------===//
739 // Definition of NoOwnershipChangeVisitor.
740 //===----------------------------------------------------------------------===//
741 
742 namespace {
743 class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor {
744  SymbolRef Sym;
746 
747  // Collect which entities point to the allocated memory, and could be
748  // responsible for deallocating it.
749  class OwnershipBindingsHandler : public StoreManager::BindingsHandler {
750  SymbolRef Sym;
751  OwnerSet &Owners;
752 
753  public:
754  OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners)
755  : Sym(Sym), Owners(Owners) {}
756 
757  bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region,
758  SVal Val) override {
759  if (Val.getAsSymbol() == Sym)
760  Owners.insert(Region);
761  return true;
762  }
763 
764  LLVM_DUMP_METHOD void dump() const { dumpToStream(llvm::errs()); }
765  LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &out) const {
766  out << "Owners: {\n";
767  for (const MemRegion *Owner : Owners) {
768  out << " ";
769  Owner->dumpToStream(out);
770  out << ",\n";
771  }
772  out << "}\n";
773  }
774  };
775 
776 protected:
777  OwnerSet getOwnersAtNode(const ExplodedNode *N) {
778  OwnerSet Ret;
779 
780  ProgramStateRef State = N->getState();
781  OwnershipBindingsHandler Handler{Sym, Ret};
782  State->getStateManager().getStoreManager().iterBindings(State->getStore(),
783  Handler);
784  return Ret;
785  }
786 
787  LLVM_DUMP_METHOD static std::string
788  getFunctionName(const ExplodedNode *CallEnterN) {
789  if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(
790  CallEnterN->getLocationAs<CallEnter>()->getCallExpr()))
791  if (const FunctionDecl *FD = CE->getDirectCallee())
792  return FD->getQualifiedNameAsString();
793  return "";
794  }
795 
796  bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) {
797  using namespace clang::ast_matchers;
798  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);
799  if (!FD)
800  return false;
801  // TODO: Operator delete is hardly the only deallocator -- Can we reuse
802  // isFreeingCall() or something thats already here?
803  auto Deallocations = match(
804  stmt(hasDescendant(cxxDeleteExpr().bind("delete"))
805  ), *FD->getBody(), ACtx);
806  // TODO: Ownership my change with an attempt to store the allocated memory.
807  return !Deallocations.empty();
808  }
809 
810  virtual bool
811  wasModifiedInFunction(const ExplodedNode *CallEnterN,
812  const ExplodedNode *CallExitEndN) override {
813  if (!doesFnIntendToHandleOwnership(
814  CallExitEndN->getFirstPred()->getLocationContext()->getDecl(),
815  CallExitEndN->getState()->getAnalysisManager().getASTContext()))
816  return true;
817 
818  if (CallEnterN->getState()->get<RegionState>(Sym) !=
819  CallExitEndN->getState()->get<RegionState>(Sym))
820  return true;
821 
822  OwnerSet CurrOwners = getOwnersAtNode(CallEnterN);
823  OwnerSet ExitOwners = getOwnersAtNode(CallExitEndN);
824 
825  // Owners in the current set may be purged from the analyzer later on.
826  // If a variable is dead (is not referenced directly or indirectly after
827  // some point), it will be removed from the Store before the end of its
828  // actual lifetime.
829  // This means that that if the ownership status didn't change, CurrOwners
830  // must be a superset of, but not necessarily equal to ExitOwners.
831  return !llvm::set_is_subset(ExitOwners, CurrOwners);
832  }
833 
834  static PathDiagnosticPieceRef emitNote(const ExplodedNode *N) {
835  PathDiagnosticLocation L = PathDiagnosticLocation::create(
836  N->getLocation(),
837  N->getState()->getStateManager().getContext().getSourceManager());
838  return std::make_shared<PathDiagnosticEventPiece>(
839  L, "Returning without deallocating memory or storing the pointer for "
840  "later deallocation");
841  }
842 
843  virtual PathDiagnosticPieceRef
844  maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
845  const ObjCMethodCall &Call,
846  const ExplodedNode *N) override {
847  // TODO: Implement.
848  return nullptr;
849  }
850 
851  virtual PathDiagnosticPieceRef
852  maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
853  const CXXConstructorCall &Call,
854  const ExplodedNode *N) override {
855  // TODO: Implement.
856  return nullptr;
857  }
858 
859  virtual PathDiagnosticPieceRef
860  maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
861  const ExplodedNode *N) override {
862  // TODO: Factor the logic of "what constitutes as an entity being passed
863  // into a function call" out by reusing the code in
864  // NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating
865  // the printing technology in UninitializedObject's FieldChainInfo.
866  ArrayRef<ParmVarDecl *> Parameters = Call.parameters();
867  for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
868  SVal V = Call.getArgSVal(I);
869  if (V.getAsSymbol() == Sym)
870  return emitNote(N);
871  }
872  return nullptr;
873  }
874 
875 public:
876  NoOwnershipChangeVisitor(SymbolRef Sym)
877  : NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough),
878  Sym(Sym) {}
879 
880  void Profile(llvm::FoldingSetNodeID &ID) const override {
881  static int Tag = 0;
882  ID.AddPointer(&Tag);
883  ID.AddPointer(Sym);
884  }
885 
886  void *getTag() const {
887  static int Tag = 0;
888  return static_cast<void *>(&Tag);
889  }
890 };
891 
892 } // end anonymous namespace
893 
894 //===----------------------------------------------------------------------===//
895 // Definition of MallocBugVisitor.
896 //===----------------------------------------------------------------------===//
897 
898 namespace {
899 /// The bug visitor which allows us to print extra diagnostics along the
900 /// BugReport path. For example, showing the allocation site of the leaked
901 /// region.
902 class MallocBugVisitor final : public BugReporterVisitor {
903 protected:
904  enum NotificationMode { Normal, ReallocationFailed };
905 
906  // The allocated region symbol tracked by the main analysis.
907  SymbolRef Sym;
908 
909  // The mode we are in, i.e. what kind of diagnostics will be emitted.
910  NotificationMode Mode;
911 
912  // A symbol from when the primary region should have been reallocated.
913  SymbolRef FailedReallocSymbol;
914 
915  // A C++ destructor stack frame in which memory was released. Used for
916  // miscellaneous false positive suppression.
917  const StackFrameContext *ReleaseDestructorLC;
918 
919  bool IsLeak;
920 
921 public:
922  MallocBugVisitor(SymbolRef S, bool isLeak = false)
923  : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
924  ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
925 
926  static void *getTag() {
927  static int Tag = 0;
928  return &Tag;
929  }
930 
931  void Profile(llvm::FoldingSetNodeID &ID) const override {
932  ID.AddPointer(getTag());
933  ID.AddPointer(Sym);
934  }
935 
936  /// Did not track -> allocated. Other state (released) -> allocated.
937  static inline bool isAllocated(const RefState *RSCurr, const RefState *RSPrev,
938  const Stmt *Stmt) {
939  return (isa_and_nonnull<CallExpr, CXXNewExpr>(Stmt) &&
940  (RSCurr &&
941  (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
942  (!RSPrev ||
943  !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
944  }
945 
946  /// Did not track -> released. Other state (allocated) -> released.
947  /// The statement associated with the release might be missing.
948  static inline bool isReleased(const RefState *RSCurr, const RefState *RSPrev,
949  const Stmt *Stmt) {
950  bool IsReleased =
951  (RSCurr && RSCurr->isReleased()) && (!RSPrev || !RSPrev->isReleased());
952  assert(!IsReleased || (isa_and_nonnull<CallExpr, CXXDeleteExpr>(Stmt)) ||
953  (!Stmt && RSCurr->getAllocationFamily() == AF_InnerBuffer));
954  return IsReleased;
955  }
956 
957  /// Did not track -> relinquished. Other state (allocated) -> relinquished.
958  static inline bool isRelinquished(const RefState *RSCurr,
959  const RefState *RSPrev, const Stmt *Stmt) {
960  return (
961  isa_and_nonnull<CallExpr, ObjCMessageExpr, ObjCPropertyRefExpr>(Stmt) &&
962  (RSCurr && RSCurr->isRelinquished()) &&
963  (!RSPrev || !RSPrev->isRelinquished()));
964  }
965 
966  /// If the expression is not a call, and the state change is
967  /// released -> allocated, it must be the realloc return value
968  /// check. If we have to handle more cases here, it might be cleaner just
969  /// to track this extra bit in the state itself.
970  static inline bool hasReallocFailed(const RefState *RSCurr,
971  const RefState *RSPrev,
972  const Stmt *Stmt) {
973  return ((!isa_and_nonnull<CallExpr>(Stmt)) &&
974  (RSCurr &&
975  (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
976  (RSPrev &&
977  !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
978  }
979 
980  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
981  BugReporterContext &BRC,
982  PathSensitiveBugReport &BR) override;
983 
984  PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
985  const ExplodedNode *EndPathNode,
986  PathSensitiveBugReport &BR) override {
987  if (!IsLeak)
988  return nullptr;
989 
990  PathDiagnosticLocation L = BR.getLocation();
991  // Do not add the statement itself as a range in case of leak.
992  return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(),
993  false);
994  }
995 
996 private:
997  class StackHintGeneratorForReallocationFailed
998  : public StackHintGeneratorForSymbol {
999  public:
1000  StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
1001  : StackHintGeneratorForSymbol(S, M) {}
1002 
1003  std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) override {
1004  // Printed parameters start at 1, not 0.
1005  ++ArgIndex;
1006 
1007  SmallString<200> buf;
1008  llvm::raw_svector_ostream os(buf);
1009 
1010  os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
1011  << " parameter failed";
1012 
1013  return std::string(os.str());
1014  }
1015 
1016  std::string getMessageForReturn(const CallExpr *CallExpr) override {
1017  return "Reallocation of returned value failed";
1018  }
1019  };
1020 };
1021 } // end anonymous namespace
1022 
1023 // A map from the freed symbol to the symbol representing the return value of
1024 // the free function.
1026 
1027 namespace {
1028 class StopTrackingCallback final : public SymbolVisitor {
1030 
1031 public:
1032  StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
1033  ProgramStateRef getState() const { return state; }
1034 
1035  bool VisitSymbol(SymbolRef sym) override {
1036  state = state->remove<RegionState>(sym);
1037  return true;
1038  }
1039 };
1040 } // end anonymous namespace
1041 
1042 static bool isStandardNewDelete(const FunctionDecl *FD) {
1043  if (!FD)
1044  return false;
1045 
1047  if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete &&
1048  Kind != OO_Array_Delete)
1049  return false;
1050 
1051  // This is standard if and only if it's not defined in a user file.
1052  SourceLocation L = FD->getLocation();
1053  // If the header for operator delete is not included, it's still defined
1054  // in an invalid source location. Check to make sure we don't crash.
1055  return !L.isValid() ||
1057 }
1058 
1059 //===----------------------------------------------------------------------===//
1060 // Methods of MallocChecker and MallocBugVisitor.
1061 //===----------------------------------------------------------------------===//
1062 
1063 bool MallocChecker::isFreeingCall(const CallEvent &Call) const {
1064  if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call))
1065  return true;
1066 
1067  const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());
1068  if (Func && Func->hasAttrs()) {
1069  for (const auto *I : Func->specific_attrs<OwnershipAttr>()) {
1070  OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
1071  if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds)
1072  return true;
1073  }
1074  }
1075  return false;
1076 }
1077 
1078 bool MallocChecker::isMemCall(const CallEvent &Call) const {
1079  if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) ||
1080  ReallocatingMemFnMap.lookup(Call))
1081  return true;
1082 
1083  if (!ShouldIncludeOwnershipAnnotatedFunctions)
1084  return false;
1085 
1086  const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());
1087  return Func && Func->hasAttr<OwnershipAttr>();
1088 }
1089 
1091 MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
1092  const ProgramStateRef &State) const {
1093  // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
1094  //
1095  // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
1096  //
1097  // One of the possible flags is M_ZERO, which means 'give me back an
1098  // allocation which is already zeroed', like calloc.
1099 
1100  // 2-argument kmalloc(), as used in the Linux kernel:
1101  //
1102  // void *kmalloc(size_t size, gfp_t flags);
1103  //
1104  // Has the similar flag value __GFP_ZERO.
1105 
1106  // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
1107  // code could be shared.
1108 
1109  ASTContext &Ctx = C.getASTContext();
1110  llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
1111 
1112  if (!KernelZeroFlagVal.hasValue()) {
1113  if (OS == llvm::Triple::FreeBSD)
1114  KernelZeroFlagVal = 0x0100;
1115  else if (OS == llvm::Triple::NetBSD)
1116  KernelZeroFlagVal = 0x0002;
1117  else if (OS == llvm::Triple::OpenBSD)
1118  KernelZeroFlagVal = 0x0008;
1119  else if (OS == llvm::Triple::Linux)
1120  // __GFP_ZERO
1121  KernelZeroFlagVal = 0x8000;
1122  else
1123  // FIXME: We need a more general way of getting the M_ZERO value.
1124  // See also: O_CREAT in UnixAPIChecker.cpp.
1125 
1126  // Fall back to normal malloc behavior on platforms where we don't
1127  // know M_ZERO.
1128  return None;
1129  }
1130 
1131  // We treat the last argument as the flags argument, and callers fall-back to
1132  // normal malloc on a None return. This works for the FreeBSD kernel malloc
1133  // as well as Linux kmalloc.
1134  if (Call.getNumArgs() < 2)
1135  return None;
1136 
1137  const Expr *FlagsEx = Call.getArgExpr(Call.getNumArgs() - 1);
1138  const SVal V = C.getSVal(FlagsEx);
1139  if (!V.getAs<NonLoc>()) {
1140  // The case where 'V' can be a location can only be due to a bad header,
1141  // so in this case bail out.
1142  return None;
1143  }
1144 
1145  NonLoc Flags = V.castAs<NonLoc>();
1146  NonLoc ZeroFlag = C.getSValBuilder()
1147  .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType())
1148  .castAs<NonLoc>();
1149  SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And,
1150  Flags, ZeroFlag,
1151  FlagsEx->getType());
1152  if (MaskedFlagsUC.isUnknownOrUndef())
1153  return None;
1154  DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
1155 
1156  // Check if maskedFlags is non-zero.
1157  ProgramStateRef TrueState, FalseState;
1158  std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
1159 
1160  // If M_ZERO is set, treat this like calloc (initialized).
1161  if (TrueState && !FalseState) {
1162  SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
1163  return MallocMemAux(C, Call, Call.getArgExpr(0), ZeroVal, TrueState,
1164  AF_Malloc);
1165  }
1166 
1167  return None;
1168 }
1169 
1170 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
1171  const Expr *BlockBytes) {
1172  SValBuilder &SB = C.getSValBuilder();
1173  SVal BlocksVal = C.getSVal(Blocks);
1174  SVal BlockBytesVal = C.getSVal(BlockBytes);
1175  ProgramStateRef State = C.getState();
1176  SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
1177  SB.getContext().getSizeType());
1178  return TotalSize;
1179 }
1180 
1181 void MallocChecker::checkBasicAlloc(const CallEvent &Call,
1182  CheckerContext &C) const {
1183  ProgramStateRef State = C.getState();
1184  State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
1185  AF_Malloc);
1186  State = ProcessZeroAllocCheck(Call, 0, State);
1187  C.addTransition(State);
1188 }
1189 
1190 void MallocChecker::checkKernelMalloc(const CallEvent &Call,
1191  CheckerContext &C) const {
1192  ProgramStateRef State = C.getState();
1193  llvm::Optional<ProgramStateRef> MaybeState =
1194  performKernelMalloc(Call, C, State);
1195  if (MaybeState.hasValue())
1196  State = MaybeState.getValue();
1197  else
1198  State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
1199  AF_Malloc);
1200  C.addTransition(State);
1201 }
1202 
1203 static bool isStandardRealloc(const CallEvent &Call) {
1204  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
1205  assert(FD);
1206  ASTContext &AC = FD->getASTContext();
1207 
1208  if (isa<CXXMethodDecl>(FD))
1209  return false;
1210 
1211  return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
1212  FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1213  FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
1214  AC.getSizeType();
1215 }
1216 
1217 static bool isGRealloc(const CallEvent &Call) {
1218  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
1219  assert(FD);
1220  ASTContext &AC = FD->getASTContext();
1221 
1222  if (isa<CXXMethodDecl>(FD))
1223  return false;
1224 
1225  return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
1226  FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1227  FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
1228  AC.UnsignedLongTy;
1229 }
1230 
1231 void MallocChecker::checkRealloc(const CallEvent &Call, CheckerContext &C,
1232  bool ShouldFreeOnFail) const {
1233  // HACK: CallDescription currently recognizes non-standard realloc functions
1234  // as standard because it doesn't check the type, or wether its a non-method
1235  // function. This should be solved by making CallDescription smarter.
1236  // Mind that this came from a bug report, and all other functions suffer from
1237  // this.
1238  // https://bugs.llvm.org/show_bug.cgi?id=46253
1239  if (!isStandardRealloc(Call) && !isGRealloc(Call))
1240  return;
1241  ProgramStateRef State = C.getState();
1242  State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, AF_Malloc);
1243  State = ProcessZeroAllocCheck(Call, 1, State);
1244  C.addTransition(State);
1245 }
1246 
1247 void MallocChecker::checkCalloc(const CallEvent &Call,
1248  CheckerContext &C) const {
1249  ProgramStateRef State = C.getState();
1250  State = CallocMem(C, Call, State);
1251  State = ProcessZeroAllocCheck(Call, 0, State);
1252  State = ProcessZeroAllocCheck(Call, 1, State);
1253  C.addTransition(State);
1254 }
1255 
1256 void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const {
1257  ProgramStateRef State = C.getState();
1258  bool IsKnownToBeAllocatedMemory = false;
1259  if (suppressDeallocationsInSuspiciousContexts(Call, C))
1260  return;
1261  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1262  AF_Malloc);
1263  C.addTransition(State);
1264 }
1265 
1266 void MallocChecker::checkAlloca(const CallEvent &Call,
1267  CheckerContext &C) const {
1268  ProgramStateRef State = C.getState();
1269  State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
1270  AF_Alloca);
1271  State = ProcessZeroAllocCheck(Call, 0, State);
1272  C.addTransition(State);
1273 }
1274 
1275 void MallocChecker::checkStrdup(const CallEvent &Call,
1276  CheckerContext &C) const {
1277  ProgramStateRef State = C.getState();
1278  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1279  if (!CE)
1280  return;
1281  State = MallocUpdateRefState(C, CE, State, AF_Malloc);
1282 
1283  C.addTransition(State);
1284 }
1285 
1286 void MallocChecker::checkIfNameIndex(const CallEvent &Call,
1287  CheckerContext &C) const {
1288  ProgramStateRef State = C.getState();
1289  // Should we model this differently? We can allocate a fixed number of
1290  // elements with zeros in the last one.
1291  State =
1292  MallocMemAux(C, Call, UnknownVal(), UnknownVal(), State, AF_IfNameIndex);
1293 
1294  C.addTransition(State);
1295 }
1296 
1297 void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call,
1298  CheckerContext &C) const {
1299  ProgramStateRef State = C.getState();
1300  bool IsKnownToBeAllocatedMemory = false;
1301  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1302  AF_IfNameIndex);
1303  C.addTransition(State);
1304 }
1305 
1306 void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call,
1307  CheckerContext &C) const {
1308  ProgramStateRef State = C.getState();
1309  bool IsKnownToBeAllocatedMemory = false;
1310  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1311  if (!CE)
1312  return;
1313 
1314  assert(isStandardNewDelete(Call));
1315 
1316  // Process direct calls to operator new/new[]/delete/delete[] functions
1317  // as distinct from new/new[]/delete/delete[] expressions that are
1318  // processed by the checkPostStmt callbacks for CXXNewExpr and
1319  // CXXDeleteExpr.
1320  const FunctionDecl *FD = C.getCalleeDecl(CE);
1321  switch (FD->getOverloadedOperator()) {
1322  case OO_New:
1323  State =
1324  MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, AF_CXXNew);
1325  State = ProcessZeroAllocCheck(Call, 0, State);
1326  break;
1327  case OO_Array_New:
1328  State = MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State,
1329  AF_CXXNewArray);
1330  State = ProcessZeroAllocCheck(Call, 0, State);
1331  break;
1332  case OO_Delete:
1333  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1334  AF_CXXNew);
1335  break;
1336  case OO_Array_Delete:
1337  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1338  AF_CXXNewArray);
1339  break;
1340  default:
1341  llvm_unreachable("not a new/delete operator");
1342  }
1343 
1344  C.addTransition(State);
1345 }
1346 
1347 void MallocChecker::checkGMalloc0(const CallEvent &Call,
1348  CheckerContext &C) const {
1349  ProgramStateRef State = C.getState();
1350  SValBuilder &svalBuilder = C.getSValBuilder();
1351  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
1352  State = MallocMemAux(C, Call, Call.getArgExpr(0), zeroVal, State, AF_Malloc);
1353  State = ProcessZeroAllocCheck(Call, 0, State);
1354  C.addTransition(State);
1355 }
1356 
1357 void MallocChecker::checkGMemdup(const CallEvent &Call,
1358  CheckerContext &C) const {
1359  ProgramStateRef State = C.getState();
1360  State = MallocMemAux(C, Call, Call.getArgExpr(1), UndefinedVal(), State,
1361  AF_Malloc);
1362  State = ProcessZeroAllocCheck(Call, 1, State);
1363  C.addTransition(State);
1364 }
1365 
1366 void MallocChecker::checkGMallocN(const CallEvent &Call,
1367  CheckerContext &C) const {
1368  ProgramStateRef State = C.getState();
1369  SVal Init = UndefinedVal();
1370  SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
1371  State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc);
1372  State = ProcessZeroAllocCheck(Call, 0, State);
1373  State = ProcessZeroAllocCheck(Call, 1, State);
1374  C.addTransition(State);
1375 }
1376 
1377 void MallocChecker::checkGMallocN0(const CallEvent &Call,
1378  CheckerContext &C) const {
1379  ProgramStateRef State = C.getState();
1380  SValBuilder &SB = C.getSValBuilder();
1381  SVal Init = SB.makeZeroVal(SB.getContext().CharTy);
1382  SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
1383  State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc);
1384  State = ProcessZeroAllocCheck(Call, 0, State);
1385  State = ProcessZeroAllocCheck(Call, 1, State);
1386  C.addTransition(State);
1387 }
1388 
1389 void MallocChecker::checkReallocN(const CallEvent &Call,
1390  CheckerContext &C) const {
1391  ProgramStateRef State = C.getState();
1392  State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, AF_Malloc,
1393  /*SuffixWithN=*/true);
1394  State = ProcessZeroAllocCheck(Call, 1, State);
1395  State = ProcessZeroAllocCheck(Call, 2, State);
1396  C.addTransition(State);
1397 }
1398 
1399 void MallocChecker::checkOwnershipAttr(const CallEvent &Call,
1400  CheckerContext &C) const {
1401  ProgramStateRef State = C.getState();
1402  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1403  if (!CE)
1404  return;
1405  const FunctionDecl *FD = C.getCalleeDecl(CE);
1406  if (!FD)
1407  return;
1408  if (ShouldIncludeOwnershipAnnotatedFunctions ||
1409  ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
1410  // Check all the attributes, if there are any.
1411  // There can be multiple of these attributes.
1412  if (FD->hasAttrs())
1413  for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
1414  switch (I->getOwnKind()) {
1415  case OwnershipAttr::Returns:
1416  State = MallocMemReturnsAttr(C, Call, I, State);
1417  break;
1418  case OwnershipAttr::Takes:
1419  case OwnershipAttr::Holds:
1420  State = FreeMemAttr(C, Call, I, State);
1421  break;
1422  }
1423  }
1424  }
1425  C.addTransition(State);
1426 }
1427 
1428 void MallocChecker::checkPostCall(const CallEvent &Call,
1429  CheckerContext &C) const {
1430  if (C.wasInlined)
1431  return;
1432  if (!Call.getOriginExpr())
1433  return;
1434 
1435  ProgramStateRef State = C.getState();
1436 
1437  if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) {
1438  (*Callback)(this, Call, C);
1439  return;
1440  }
1441 
1442  if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) {
1443  (*Callback)(this, Call, C);
1444  return;
1445  }
1446 
1447  if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) {
1448  (*Callback)(this, Call, C);
1449  return;
1450  }
1451 
1452  if (isStandardNewDelete(Call)) {
1453  checkCXXNewOrCXXDelete(Call, C);
1454  return;
1455  }
1456 
1457  checkOwnershipAttr(Call, C);
1458 }
1459 
1460 // Performs a 0-sized allocations check.
1461 ProgramStateRef MallocChecker::ProcessZeroAllocCheck(
1462  const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State,
1463  Optional<SVal> RetVal) {
1464  if (!State)
1465  return nullptr;
1466 
1467  if (!RetVal)
1468  RetVal = Call.getReturnValue();
1469 
1470  const Expr *Arg = nullptr;
1471 
1472  if (const CallExpr *CE = dyn_cast<CallExpr>(Call.getOriginExpr())) {
1473  Arg = CE->getArg(IndexOfSizeArg);
1474  } else if (const CXXNewExpr *NE =
1475  dyn_cast<CXXNewExpr>(Call.getOriginExpr())) {
1476  if (NE->isArray()) {
1477  Arg = *NE->getArraySize();
1478  } else {
1479  return State;
1480  }
1481  } else
1482  llvm_unreachable("not a CallExpr or CXXNewExpr");
1483 
1484  assert(Arg);
1485 
1486  auto DefArgVal =
1487  State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>();
1488 
1489  if (!DefArgVal)
1490  return State;
1491 
1492  // Check if the allocation size is 0.
1493  ProgramStateRef TrueState, FalseState;
1494  SValBuilder &SvalBuilder = State->getStateManager().getSValBuilder();
1495  DefinedSVal Zero =
1496  SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
1497 
1498  std::tie(TrueState, FalseState) =
1499  State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1500 
1501  if (TrueState && !FalseState) {
1502  SymbolRef Sym = RetVal->getAsLocSymbol();
1503  if (!Sym)
1504  return State;
1505 
1506  const RefState *RS = State->get<RegionState>(Sym);
1507  if (RS) {
1508  if (RS->isAllocated())
1509  return TrueState->set<RegionState>(Sym,
1510  RefState::getAllocatedOfSizeZero(RS));
1511  else
1512  return State;
1513  } else {
1514  // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1515  // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1516  // tracked. Add zero-reallocated Sym to the state to catch references
1517  // to zero-allocated memory.
1518  return TrueState->add<ReallocSizeZeroSymbols>(Sym);
1519  }
1520  }
1521 
1522  // Assume the value is non-zero going forward.
1523  assert(FalseState);
1524  return FalseState;
1525 }
1526 
1528  QualType Result = T, PointeeType = T->getPointeeType();
1529  while (!PointeeType.isNull()) {
1530  Result = PointeeType;
1531  PointeeType = PointeeType->getPointeeType();
1532  }
1533  return Result;
1534 }
1535 
1536 /// \returns true if the constructor invoked by \p NE has an argument of a
1537 /// pointer/reference to a record type.
1539 
1540  const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1541  if (!ConstructE)
1542  return false;
1543 
1544  if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1545  return false;
1546 
1547  const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1548 
1549  // Iterate over the constructor parameters.
1550  for (const auto *CtorParam : CtorD->parameters()) {
1551 
1552  QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1553  if (CtorParamPointeeT.isNull())
1554  continue;
1555 
1556  CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1557 
1558  if (CtorParamPointeeT->getAsCXXRecordDecl())
1559  return true;
1560  }
1561 
1562  return false;
1563 }
1564 
1566 MallocChecker::processNewAllocation(const CXXAllocatorCall &Call,
1567  CheckerContext &C,
1568  AllocationFamily Family) const {
1569  if (!isStandardNewDelete(Call))
1570  return nullptr;
1571 
1572  const CXXNewExpr *NE = Call.getOriginExpr();
1573  const ParentMap &PM = C.getLocationContext()->getParentMap();
1574  ProgramStateRef State = C.getState();
1575 
1576  // Non-trivial constructors have a chance to escape 'this', but marking all
1577  // invocations of trivial constructors as escaped would cause too great of
1578  // reduction of true positives, so let's just do that for constructors that
1579  // have an argument of a pointer-to-record type.
1581  return State;
1582 
1583  // The return value from operator new is bound to a specified initialization
1584  // value (if any) and we don't want to loose this value. So we call
1585  // MallocUpdateRefState() instead of MallocMemAux() which breaks the
1586  // existing binding.
1587  SVal Target = Call.getObjectUnderConstruction();
1588  State = MallocUpdateRefState(C, NE, State, Family, Target);
1589  State = ProcessZeroAllocCheck(Call, 0, State, Target);
1590  return State;
1591 }
1592 
1593 void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call,
1594  CheckerContext &C) const {
1595  if (!C.wasInlined) {
1596  ProgramStateRef State = processNewAllocation(
1597  Call, C,
1598  (Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew));
1599  C.addTransition(State);
1600  }
1601 }
1602 
1603 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
1604  // If the first selector piece is one of the names below, assume that the
1605  // object takes ownership of the memory, promising to eventually deallocate it
1606  // with free().
1607  // Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1608  // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1609  StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
1610  return FirstSlot == "dataWithBytesNoCopy" ||
1611  FirstSlot == "initWithBytesNoCopy" ||
1612  FirstSlot == "initWithCharactersNoCopy";
1613 }
1614 
1615 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) {
1616  Selector S = Call.getSelector();
1617 
1618  // FIXME: We should not rely on fully-constrained symbols being folded.
1619  for (unsigned i = 1; i < S.getNumArgs(); ++i)
1620  if (S.getNameForSlot(i).equals("freeWhenDone"))
1621  return !Call.getArgSVal(i).isZeroConstant();
1622 
1623  return None;
1624 }
1625 
1626 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1627  CheckerContext &C) const {
1628  if (C.wasInlined)
1629  return;
1630 
1631  if (!isKnownDeallocObjCMethodName(Call))
1632  return;
1633 
1634  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1635  if (!*FreeWhenDone)
1636  return;
1637 
1638  if (Call.hasNonZeroCallbackArg())
1639  return;
1640 
1641  bool IsKnownToBeAllocatedMemory;
1643  FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(),
1644  /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc,
1645  /*RetNullOnFailure=*/true);
1646 
1647  C.addTransition(State);
1648 }
1649 
1651 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
1652  const OwnershipAttr *Att,
1653  ProgramStateRef State) const {
1654  if (!State)
1655  return nullptr;
1656 
1657  if (Att->getModule()->getName() != "malloc")
1658  return nullptr;
1659 
1660  OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
1661  if (I != E) {
1662  return MallocMemAux(C, Call, Call.getArgExpr(I->getASTIndex()),
1663  UndefinedVal(), State, AF_Malloc);
1664  }
1665  return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, AF_Malloc);
1666 }
1667 
1668 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1669  const CallEvent &Call,
1670  const Expr *SizeEx, SVal Init,
1672  AllocationFamily Family) {
1673  if (!State)
1674  return nullptr;
1675 
1676  assert(SizeEx);
1677  return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family);
1678 }
1679 
1680 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1681  const CallEvent &Call, SVal Size,
1682  SVal Init, ProgramStateRef State,
1683  AllocationFamily Family) {
1684  if (!State)
1685  return nullptr;
1686 
1687  const Expr *CE = Call.getOriginExpr();
1688 
1689  // We expect the malloc functions to return a pointer.
1690  if (!Loc::isLocType(CE->getType()))
1691  return nullptr;
1692 
1693  // Bind the return value to the symbolic value from the heap region.
1694  // TODO: We could rewrite post visit to eval call; 'malloc' does not have
1695  // side effects other than what we model here.
1696  unsigned Count = C.blockCount();
1697  SValBuilder &svalBuilder = C.getSValBuilder();
1698  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1699  DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
1700  .castAs<DefinedSVal>();
1701  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1702 
1703  // Fill the region with the initialization value.
1704  State = State->bindDefaultInitial(RetVal, Init, LCtx);
1705 
1706  // Set the region's extent.
1707  State = setDynamicExtent(State, RetVal.getAsRegion(),
1708  Size.castAs<DefinedOrUnknownSVal>(), svalBuilder);
1709 
1710  return MallocUpdateRefState(C, CE, State, Family);
1711 }
1712 
1713 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
1715  AllocationFamily Family,
1716  Optional<SVal> RetVal) {
1717  if (!State)
1718  return nullptr;
1719 
1720  // Get the return value.
1721  if (!RetVal)
1722  RetVal = C.getSVal(E);
1723 
1724  // We expect the malloc functions to return a pointer.
1725  if (!RetVal->getAs<Loc>())
1726  return nullptr;
1727 
1728  SymbolRef Sym = RetVal->getAsLocSymbol();
1729  // This is a return value of a function that was not inlined, such as malloc()
1730  // or new(). We've checked that in the caller. Therefore, it must be a symbol.
1731  assert(Sym);
1732 
1733  // Set the symbol's state to Allocated.
1734  return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1735 }
1736 
1737 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1738  const CallEvent &Call,
1739  const OwnershipAttr *Att,
1740  ProgramStateRef State) const {
1741  if (!State)
1742  return nullptr;
1743 
1744  if (Att->getModule()->getName() != "malloc")
1745  return nullptr;
1746 
1747  bool IsKnownToBeAllocated = false;
1748 
1749  for (const auto &Arg : Att->args()) {
1750  ProgramStateRef StateI =
1751  FreeMemAux(C, Call, State, Arg.getASTIndex(),
1752  Att->getOwnKind() == OwnershipAttr::Holds,
1753  IsKnownToBeAllocated, AF_Malloc);
1754  if (StateI)
1755  State = StateI;
1756  }
1757  return State;
1758 }
1759 
1760 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1761  const CallEvent &Call,
1762  ProgramStateRef State, unsigned Num,
1763  bool Hold, bool &IsKnownToBeAllocated,
1764  AllocationFamily Family,
1765  bool ReturnsNullOnFailure) const {
1766  if (!State)
1767  return nullptr;
1768 
1769  if (Call.getNumArgs() < (Num + 1))
1770  return nullptr;
1771 
1772  return FreeMemAux(C, Call.getArgExpr(Num), Call, State, Hold,
1773  IsKnownToBeAllocated, Family, ReturnsNullOnFailure);
1774 }
1775 
1776 /// Checks if the previous call to free on the given symbol failed - if free
1777 /// failed, returns true. Also, returns the corresponding return value symbol.
1779  SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1780  const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
1781  if (Ret) {
1782  assert(*Ret && "We should not store the null return symbol");
1783  ConstraintManager &CMgr = State->getConstraintManager();
1784  ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
1785  RetStatusSymbol = *Ret;
1786  return FreeFailed.isConstrainedTrue();
1787  }
1788  return false;
1789 }
1790 
1791 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E) {
1792  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
1793  // FIXME: This doesn't handle indirect calls.
1794  const FunctionDecl *FD = CE->getDirectCallee();
1795  if (!FD)
1796  return false;
1797 
1798  os << *FD;
1799  if (!FD->isOverloadedOperator())
1800  os << "()";
1801  return true;
1802  }
1803 
1804  if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) {
1805  if (Msg->isInstanceMessage())
1806  os << "-";
1807  else
1808  os << "+";
1809  Msg->getSelector().print(os);
1810  return true;
1811  }
1812 
1813  if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
1814  os << "'"
1815  << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator())
1816  << "'";
1817  return true;
1818  }
1819 
1820  if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) {
1821  os << "'"
1822  << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator())
1823  << "'";
1824  return true;
1825  }
1826 
1827  return false;
1828 }
1829 
1830 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family) {
1831 
1832  switch(Family) {
1833  case AF_Malloc: os << "malloc()"; return;
1834  case AF_CXXNew: os << "'new'"; return;
1835  case AF_CXXNewArray: os << "'new[]'"; return;
1836  case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1837  case AF_InnerBuffer: os << "container-specific allocator"; return;
1838  case AF_Alloca:
1839  case AF_None: llvm_unreachable("not a deallocation expression");
1840  }
1841 }
1842 
1843 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) {
1844  switch(Family) {
1845  case AF_Malloc: os << "free()"; return;
1846  case AF_CXXNew: os << "'delete'"; return;
1847  case AF_CXXNewArray: os << "'delete[]'"; return;
1848  case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1849  case AF_InnerBuffer: os << "container-specific deallocator"; return;
1850  case AF_Alloca:
1851  case AF_None: llvm_unreachable("suspicious argument");
1852  }
1853 }
1854 
1855 ProgramStateRef MallocChecker::FreeMemAux(
1856  CheckerContext &C, const Expr *ArgExpr, const CallEvent &Call,
1857  ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated,
1858  AllocationFamily Family, bool ReturnsNullOnFailure) const {
1859 
1860  if (!State)
1861  return nullptr;
1862 
1863  SVal ArgVal = C.getSVal(ArgExpr);
1864  if (!ArgVal.getAs<DefinedOrUnknownSVal>())
1865  return nullptr;
1866  DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1867 
1868  // Check for null dereferences.
1869  if (!location.getAs<Loc>())
1870  return nullptr;
1871 
1872  // The explicit NULL case, no operation is performed.
1873  ProgramStateRef notNullState, nullState;
1874  std::tie(notNullState, nullState) = State->assume(location);
1875  if (nullState && !notNullState)
1876  return nullptr;
1877 
1878  // Unknown values could easily be okay
1879  // Undefined values are handled elsewhere
1880  if (ArgVal.isUnknownOrUndef())
1881  return nullptr;
1882 
1883  const MemRegion *R = ArgVal.getAsRegion();
1884  const Expr *ParentExpr = Call.getOriginExpr();
1885 
1886  // NOTE: We detected a bug, but the checker under whose name we would emit the
1887  // error could be disabled. Generally speaking, the MallocChecker family is an
1888  // integral part of the Static Analyzer, and disabling any part of it should
1889  // only be done under exceptional circumstances, such as frequent false
1890  // positives. If this is the case, we can reasonably believe that there are
1891  // serious faults in our understanding of the source code, and even if we
1892  // don't emit an warning, we should terminate further analysis with a sink
1893  // node.
1894 
1895  // Nonlocs can't be freed, of course.
1896  // Non-region locations (labels and fixed addresses) also shouldn't be freed.
1897  if (!R) {
1898  // Exception:
1899  // If the macro ZERO_SIZE_PTR is defined, this could be a kernel source
1900  // code. In that case, the ZERO_SIZE_PTR defines a special value used for a
1901  // zero-sized memory block which is allowed to be freed, despite not being a
1902  // null pointer.
1903  if (Family != AF_Malloc || !isArgZERO_SIZE_PTR(State, C, ArgVal))
1904  HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1905  Family);
1906  return nullptr;
1907  }
1908 
1909  R = R->StripCasts();
1910 
1911  // Blocks might show up as heap data, but should not be free()d
1912  if (isa<BlockDataRegion>(R)) {
1913  HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1914  Family);
1915  return nullptr;
1916  }
1917 
1918  const MemSpaceRegion *MS = R->getMemorySpace();
1919 
1920  // Parameters, locals, statics, globals, and memory returned by
1921  // __builtin_alloca() shouldn't be freed.
1922  if (!isa<UnknownSpaceRegion, HeapSpaceRegion>(MS)) {
1923  // FIXME: at the time this code was written, malloc() regions were
1924  // represented by conjured symbols, which are all in UnknownSpaceRegion.
1925  // This means that there isn't actually anything from HeapSpaceRegion
1926  // that should be freed, even though we allow it here.
1927  // Of course, free() can work on memory allocated outside the current
1928  // function, so UnknownSpaceRegion is always a possibility.
1929  // False negatives are better than false positives.
1930 
1931  if (isa<AllocaRegion>(R))
1932  HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1933  else
1934  HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1935  Family);
1936 
1937  return nullptr;
1938  }
1939 
1940  const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
1941  // Various cases could lead to non-symbol values here.
1942  // For now, ignore them.
1943  if (!SrBase)
1944  return nullptr;
1945 
1946  SymbolRef SymBase = SrBase->getSymbol();
1947  const RefState *RsBase = State->get<RegionState>(SymBase);
1948  SymbolRef PreviousRetStatusSymbol = nullptr;
1949 
1950  IsKnownToBeAllocated =
1951  RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero());
1952 
1953  if (RsBase) {
1954 
1955  // Memory returned by alloca() shouldn't be freed.
1956  if (RsBase->getAllocationFamily() == AF_Alloca) {
1957  HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1958  return nullptr;
1959  }
1960 
1961  // Check for double free first.
1962  if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
1963  !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
1964  HandleDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
1965  SymBase, PreviousRetStatusSymbol);
1966  return nullptr;
1967 
1968  // If the pointer is allocated or escaped, but we are now trying to free it,
1969  // check that the call to free is proper.
1970  } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
1971  RsBase->isEscaped()) {
1972 
1973  // Check if an expected deallocation function matches the real one.
1974  bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family;
1975  if (!DeallocMatchesAlloc) {
1976  HandleMismatchedDealloc(C, ArgExpr->getSourceRange(), ParentExpr,
1977  RsBase, SymBase, Hold);
1978  return nullptr;
1979  }
1980 
1981  // Check if the memory location being freed is the actual location
1982  // allocated, or an offset.
1983  RegionOffset Offset = R->getAsOffset();
1984  if (Offset.isValid() &&
1985  !Offset.hasSymbolicOffset() &&
1986  Offset.getOffset() != 0) {
1987  const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
1988  HandleOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1989  Family, AllocExpr);
1990  return nullptr;
1991  }
1992  }
1993  }
1994 
1995  if (SymBase->getType()->isFunctionPointerType()) {
1996  HandleFunctionPtrFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1997  Family);
1998  return nullptr;
1999  }
2000 
2001  // Clean out the info on previous call to free return info.
2002  State = State->remove<FreeReturnValue>(SymBase);
2003 
2004  // Keep track of the return value. If it is NULL, we will know that free
2005  // failed.
2006  if (ReturnsNullOnFailure) {
2007  SVal RetVal = C.getSVal(ParentExpr);
2008  SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
2009  if (RetStatusSymbol) {
2010  C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
2011  State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
2012  }
2013  }
2014 
2015  // If we don't know anything about this symbol, a free on it may be totally
2016  // valid. If this is the case, lets assume that the allocation family of the
2017  // freeing function is the same as the symbols allocation family, and go with
2018  // that.
2019  assert(!RsBase || (RsBase && RsBase->getAllocationFamily() == Family));
2020 
2021  // Normal free.
2022  if (Hold)
2023  return State->set<RegionState>(SymBase,
2024  RefState::getRelinquished(Family,
2025  ParentExpr));
2026 
2027  return State->set<RegionState>(SymBase,
2028  RefState::getReleased(Family, ParentExpr));
2029 }
2030 
2032 MallocChecker::getCheckIfTracked(AllocationFamily Family,
2033  bool IsALeakCheck) const {
2034  switch (Family) {
2035  case AF_Malloc:
2036  case AF_Alloca:
2037  case AF_IfNameIndex: {
2038  if (ChecksEnabled[CK_MallocChecker])
2039  return CK_MallocChecker;
2040  return None;
2041  }
2042  case AF_CXXNew:
2043  case AF_CXXNewArray: {
2044  if (IsALeakCheck) {
2045  if (ChecksEnabled[CK_NewDeleteLeaksChecker])
2046  return CK_NewDeleteLeaksChecker;
2047  }
2048  else {
2049  if (ChecksEnabled[CK_NewDeleteChecker])
2050  return CK_NewDeleteChecker;
2051  }
2052  return None;
2053  }
2054  case AF_InnerBuffer: {
2055  if (ChecksEnabled[CK_InnerPointerChecker])
2056  return CK_InnerPointerChecker;
2057  return None;
2058  }
2059  case AF_None: {
2060  llvm_unreachable("no family");
2061  }
2062  }
2063  llvm_unreachable("unhandled family");
2064 }
2065 
2067 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
2068  bool IsALeakCheck) const {
2069  if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
2070  return CK_MallocChecker;
2071 
2072  const RefState *RS = C.getState()->get<RegionState>(Sym);
2073  assert(RS);
2074  return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
2075 }
2076 
2077 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
2078  if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
2079  os << "an integer (" << IntVal->getValue() << ")";
2080  else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
2081  os << "a constant address (" << ConstAddr->getValue() << ")";
2082  else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
2083  os << "the address of the label '" << Label->getLabel()->getName() << "'";
2084  else
2085  return false;
2086 
2087  return true;
2088 }
2089 
2090 bool MallocChecker::SummarizeRegion(raw_ostream &os,
2091  const MemRegion *MR) {
2092  switch (MR->getKind()) {
2093  case MemRegion::FunctionCodeRegionKind: {
2094  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
2095  if (FD)
2096  os << "the address of the function '" << *FD << '\'';
2097  else
2098  os << "the address of a function";
2099  return true;
2100  }
2101  case MemRegion::BlockCodeRegionKind:
2102  os << "block text";
2103  return true;
2104  case MemRegion::BlockDataRegionKind:
2105  // FIXME: where the block came from?
2106  os << "a block";
2107  return true;
2108  default: {
2109  const MemSpaceRegion *MS = MR->getMemorySpace();
2110 
2111  if (isa<StackLocalsSpaceRegion>(MS)) {
2112  const VarRegion *VR = dyn_cast<VarRegion>(MR);
2113  const VarDecl *VD;
2114  if (VR)
2115  VD = VR->getDecl();
2116  else
2117  VD = nullptr;
2118 
2119  if (VD)
2120  os << "the address of the local variable '" << VD->getName() << "'";
2121  else
2122  os << "the address of a local stack variable";
2123  return true;
2124  }
2125 
2126  if (isa<StackArgumentsSpaceRegion>(MS)) {
2127  const VarRegion *VR = dyn_cast<VarRegion>(MR);
2128  const VarDecl *VD;
2129  if (VR)
2130  VD = VR->getDecl();
2131  else
2132  VD = nullptr;
2133 
2134  if (VD)
2135  os << "the address of the parameter '" << VD->getName() << "'";
2136  else
2137  os << "the address of a parameter";
2138  return true;
2139  }
2140 
2141  if (isa<GlobalsSpaceRegion>(MS)) {
2142  const VarRegion *VR = dyn_cast<VarRegion>(MR);
2143  const VarDecl *VD;
2144  if (VR)
2145  VD = VR->getDecl();
2146  else
2147  VD = nullptr;
2148 
2149  if (VD) {
2150  if (VD->isStaticLocal())
2151  os << "the address of the static variable '" << VD->getName() << "'";
2152  else
2153  os << "the address of the global variable '" << VD->getName() << "'";
2154  } else
2155  os << "the address of a global variable";
2156  return true;
2157  }
2158 
2159  return false;
2160  }
2161  }
2162 }
2163 
2164 void MallocChecker::HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal,
2165  SourceRange Range,
2166  const Expr *DeallocExpr,
2167  AllocationFamily Family) const {
2168 
2169  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2170  C.addSink();
2171  return;
2172  }
2173 
2174  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2175  if (!CheckKind.hasValue())
2176  return;
2177 
2178  if (ExplodedNode *N = C.generateErrorNode()) {
2179  if (!BT_BadFree[*CheckKind])
2180  BT_BadFree[*CheckKind].reset(new BugType(
2181  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2182 
2183  SmallString<100> buf;
2184  llvm::raw_svector_ostream os(buf);
2185 
2186  const MemRegion *MR = ArgVal.getAsRegion();
2187  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2188  MR = ER->getSuperRegion();
2189 
2190  os << "Argument to ";
2191  if (!printMemFnName(os, C, DeallocExpr))
2192  os << "deallocator";
2193 
2194  os << " is ";
2195  bool Summarized = MR ? SummarizeRegion(os, MR)
2196  : SummarizeValue(os, ArgVal);
2197  if (Summarized)
2198  os << ", which is not memory allocated by ";
2199  else
2200  os << "not memory allocated by ";
2201 
2202  printExpectedAllocName(os, Family);
2203 
2204  auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
2205  os.str(), N);
2206  R->markInteresting(MR);
2207  R->addRange(Range);
2208  C.emitReport(std::move(R));
2209  }
2210 }
2211 
2212 void MallocChecker::HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
2213  SourceRange Range) const {
2214 
2216 
2217  if (ChecksEnabled[CK_MallocChecker])
2218  CheckKind = CK_MallocChecker;
2219  else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
2220  CheckKind = CK_MismatchedDeallocatorChecker;
2221  else {
2222  C.addSink();
2223  return;
2224  }
2225 
2226  if (ExplodedNode *N = C.generateErrorNode()) {
2227  if (!BT_FreeAlloca[*CheckKind])
2228  BT_FreeAlloca[*CheckKind].reset(new BugType(
2229  CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
2230 
2231  auto R = std::make_unique<PathSensitiveBugReport>(
2232  *BT_FreeAlloca[*CheckKind],
2233  "Memory allocated by alloca() should not be deallocated", N);
2234  R->markInteresting(ArgVal.getAsRegion());
2235  R->addRange(Range);
2236  C.emitReport(std::move(R));
2237  }
2238 }
2239 
2240 void MallocChecker::HandleMismatchedDealloc(CheckerContext &C,
2241  SourceRange Range,
2242  const Expr *DeallocExpr,
2243  const RefState *RS, SymbolRef Sym,
2244  bool OwnershipTransferred) const {
2245 
2246  if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
2247  C.addSink();
2248  return;
2249  }
2250 
2251  if (ExplodedNode *N = C.generateErrorNode()) {
2252  if (!BT_MismatchedDealloc)
2253  BT_MismatchedDealloc.reset(
2254  new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
2255  "Bad deallocator", categories::MemoryError));
2256 
2257  SmallString<100> buf;
2258  llvm::raw_svector_ostream os(buf);
2259 
2260  const Expr *AllocExpr = cast<Expr>(RS->getStmt());
2261  SmallString<20> AllocBuf;
2262  llvm::raw_svector_ostream AllocOs(AllocBuf);
2263  SmallString<20> DeallocBuf;
2264  llvm::raw_svector_ostream DeallocOs(DeallocBuf);
2265 
2266  if (OwnershipTransferred) {
2267  if (printMemFnName(DeallocOs, C, DeallocExpr))
2268  os << DeallocOs.str() << " cannot";
2269  else
2270  os << "Cannot";
2271 
2272  os << " take ownership of memory";
2273 
2274  if (printMemFnName(AllocOs, C, AllocExpr))
2275  os << " allocated by " << AllocOs.str();
2276  } else {
2277  os << "Memory";
2278  if (printMemFnName(AllocOs, C, AllocExpr))
2279  os << " allocated by " << AllocOs.str();
2280 
2281  os << " should be deallocated by ";
2282  printExpectedDeallocName(os, RS->getAllocationFamily());
2283 
2284  if (printMemFnName(DeallocOs, C, DeallocExpr))
2285  os << ", not " << DeallocOs.str();
2286  }
2287 
2288  auto R = std::make_unique<PathSensitiveBugReport>(*BT_MismatchedDealloc,
2289  os.str(), N);
2290  R->markInteresting(Sym);
2291  R->addRange(Range);
2292  R->addVisitor<MallocBugVisitor>(Sym);
2293  C.emitReport(std::move(R));
2294  }
2295 }
2296 
2297 void MallocChecker::HandleOffsetFree(CheckerContext &C, SVal ArgVal,
2298  SourceRange Range, const Expr *DeallocExpr,
2299  AllocationFamily Family,
2300  const Expr *AllocExpr) const {
2301 
2302  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2303  C.addSink();
2304  return;
2305  }
2306 
2307  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2308  if (!CheckKind.hasValue())
2309  return;
2310 
2311  ExplodedNode *N = C.generateErrorNode();
2312  if (!N)
2313  return;
2314 
2315  if (!BT_OffsetFree[*CheckKind])
2316  BT_OffsetFree[*CheckKind].reset(new BugType(
2317  CheckNames[*CheckKind], "Offset free", categories::MemoryError));
2318 
2319  SmallString<100> buf;
2320  llvm::raw_svector_ostream os(buf);
2321  SmallString<20> AllocNameBuf;
2322  llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
2323 
2324  const MemRegion *MR = ArgVal.getAsRegion();
2325  assert(MR && "Only MemRegion based symbols can have offset free errors");
2326 
2327  RegionOffset Offset = MR->getAsOffset();
2328  assert((Offset.isValid() &&
2329  !Offset.hasSymbolicOffset() &&
2330  Offset.getOffset() != 0) &&
2331  "Only symbols with a valid offset can have offset free errors");
2332 
2333  int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
2334 
2335  os << "Argument to ";
2336  if (!printMemFnName(os, C, DeallocExpr))
2337  os << "deallocator";
2338  os << " is offset by "
2339  << offsetBytes
2340  << " "
2341  << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
2342  << " from the start of ";
2343  if (AllocExpr && printMemFnName(AllocNameOs, C, AllocExpr))
2344  os << "memory allocated by " << AllocNameOs.str();
2345  else
2346  os << "allocated memory";
2347 
2348  auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind],
2349  os.str(), N);
2350  R->markInteresting(MR->getBaseRegion());
2351  R->addRange(Range);
2352  C.emitReport(std::move(R));
2353 }
2354 
2355 void MallocChecker::HandleUseAfterFree(CheckerContext &C, SourceRange Range,
2356  SymbolRef Sym) const {
2357 
2358  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker] &&
2359  !ChecksEnabled[CK_InnerPointerChecker]) {
2360  C.addSink();
2361  return;
2362  }
2363 
2364  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2365  if (!CheckKind.hasValue())
2366  return;
2367 
2368  if (ExplodedNode *N = C.generateErrorNode()) {
2369  if (!BT_UseFree[*CheckKind])
2370  BT_UseFree[*CheckKind].reset(new BugType(
2371  CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
2372 
2373  AllocationFamily AF =
2374  C.getState()->get<RegionState>(Sym)->getAllocationFamily();
2375 
2376  auto R = std::make_unique<PathSensitiveBugReport>(
2377  *BT_UseFree[*CheckKind],
2378  AF == AF_InnerBuffer
2379  ? "Inner pointer of container used after re/deallocation"
2380  : "Use of memory after it is freed",
2381  N);
2382 
2383  R->markInteresting(Sym);
2384  R->addRange(Range);
2385  R->addVisitor<MallocBugVisitor>(Sym);
2386 
2387  if (AF == AF_InnerBuffer)
2388  R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym));
2389 
2390  C.emitReport(std::move(R));
2391  }
2392 }
2393 
2394 void MallocChecker::HandleDoubleFree(CheckerContext &C, SourceRange Range,
2395  bool Released, SymbolRef Sym,
2396  SymbolRef PrevSym) const {
2397 
2398  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2399  C.addSink();
2400  return;
2401  }
2402 
2403  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2404  if (!CheckKind.hasValue())
2405  return;
2406 
2407  if (ExplodedNode *N = C.generateErrorNode()) {
2408  if (!BT_DoubleFree[*CheckKind])
2409  BT_DoubleFree[*CheckKind].reset(new BugType(
2410  CheckNames[*CheckKind], "Double free", categories::MemoryError));
2411 
2412  auto R = std::make_unique<PathSensitiveBugReport>(
2413  *BT_DoubleFree[*CheckKind],
2414  (Released ? "Attempt to free released memory"
2415  : "Attempt to free non-owned memory"),
2416  N);
2417  R->addRange(Range);
2418  R->markInteresting(Sym);
2419  if (PrevSym)
2420  R->markInteresting(PrevSym);
2421  R->addVisitor<MallocBugVisitor>(Sym);
2422  C.emitReport(std::move(R));
2423  }
2424 }
2425 
2426 void MallocChecker::HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2427 
2428  if (!ChecksEnabled[CK_NewDeleteChecker]) {
2429  C.addSink();
2430  return;
2431  }
2432 
2433  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2434  if (!CheckKind.hasValue())
2435  return;
2436 
2437  if (ExplodedNode *N = C.generateErrorNode()) {
2438  if (!BT_DoubleDelete)
2439  BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
2440  "Double delete",
2442 
2443  auto R = std::make_unique<PathSensitiveBugReport>(
2444  *BT_DoubleDelete, "Attempt to delete released memory", N);
2445 
2446  R->markInteresting(Sym);
2447  R->addVisitor<MallocBugVisitor>(Sym);
2448  C.emitReport(std::move(R));
2449  }
2450 }
2451 
2452 void MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
2453  SymbolRef Sym) const {
2454 
2455  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2456  C.addSink();
2457  return;
2458  }
2459 
2460  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2461 
2462  if (!CheckKind.hasValue())
2463  return;
2464 
2465  if (ExplodedNode *N = C.generateErrorNode()) {
2466  if (!BT_UseZerroAllocated[*CheckKind])
2467  BT_UseZerroAllocated[*CheckKind].reset(
2468  new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2470 
2471  auto R = std::make_unique<PathSensitiveBugReport>(
2472  *BT_UseZerroAllocated[*CheckKind],
2473  "Use of memory allocated with size zero", N);
2474 
2475  R->addRange(Range);
2476  if (Sym) {
2477  R->markInteresting(Sym);
2478  R->addVisitor<MallocBugVisitor>(Sym);
2479  }
2480  C.emitReport(std::move(R));
2481  }
2482 }
2483 
2484 void MallocChecker::HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal,
2485  SourceRange Range,
2486  const Expr *FreeExpr,
2487  AllocationFamily Family) const {
2488  if (!ChecksEnabled[CK_MallocChecker]) {
2489  C.addSink();
2490  return;
2491  }
2492 
2493  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2494  if (!CheckKind.hasValue())
2495  return;
2496 
2497  if (ExplodedNode *N = C.generateErrorNode()) {
2498  if (!BT_BadFree[*CheckKind])
2499  BT_BadFree[*CheckKind].reset(new BugType(
2500  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2501 
2502  SmallString<100> Buf;
2503  llvm::raw_svector_ostream Os(Buf);
2504 
2505  const MemRegion *MR = ArgVal.getAsRegion();
2506  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2507  MR = ER->getSuperRegion();
2508 
2509  Os << "Argument to ";
2510  if (!printMemFnName(Os, C, FreeExpr))
2511  Os << "deallocator";
2512 
2513  Os << " is a function pointer";
2514 
2515  auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
2516  Os.str(), N);
2517  R->markInteresting(MR);
2518  R->addRange(Range);
2519  C.emitReport(std::move(R));
2520  }
2521 }
2522 
2524 MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
2525  bool ShouldFreeOnFail, ProgramStateRef State,
2526  AllocationFamily Family, bool SuffixWithN) const {
2527  if (!State)
2528  return nullptr;
2529 
2530  const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
2531 
2532  if (SuffixWithN && CE->getNumArgs() < 3)
2533  return nullptr;
2534  else if (CE->getNumArgs() < 2)
2535  return nullptr;
2536 
2537  const Expr *arg0Expr = CE->getArg(0);
2538  SVal Arg0Val = C.getSVal(arg0Expr);
2539  if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
2540  return nullptr;
2541  DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2542 
2543  SValBuilder &svalBuilder = C.getSValBuilder();
2544 
2545  DefinedOrUnknownSVal PtrEQ =
2546  svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());
2547 
2548  // Get the size argument.
2549  const Expr *Arg1 = CE->getArg(1);
2550 
2551  // Get the value of the size argument.
2552  SVal TotalSize = C.getSVal(Arg1);
2553  if (SuffixWithN)
2554  TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
2555  if (!TotalSize.getAs<DefinedOrUnknownSVal>())
2556  return nullptr;
2557 
2558  // Compare the size argument to 0.
2559  DefinedOrUnknownSVal SizeZero =
2560  svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
2561  svalBuilder.makeIntValWithPtrWidth(0, false));
2562 
2563  ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2564  std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
2565  ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2566  std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
2567  // We only assume exceptional states if they are definitely true; if the
2568  // state is under-constrained, assume regular realloc behavior.
2569  bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2570  bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2571 
2572  // If the ptr is NULL and the size is not 0, the call is equivalent to
2573  // malloc(size).
2574  if (PrtIsNull && !SizeIsZero) {
2575  ProgramStateRef stateMalloc = MallocMemAux(
2576  C, Call, TotalSize, UndefinedVal(), StatePtrIsNull, Family);
2577  return stateMalloc;
2578  }
2579 
2580  if (PrtIsNull && SizeIsZero)
2581  return State;
2582 
2583  assert(!PrtIsNull);
2584 
2585  bool IsKnownToBeAllocated = false;
2586 
2587  // If the size is 0, free the memory.
2588  if (SizeIsZero)
2589  // The semantics of the return value are:
2590  // If size was equal to 0, either NULL or a pointer suitable to be passed
2591  // to free() is returned. We just free the input pointer and do not add
2592  // any constrains on the output pointer.
2593  if (ProgramStateRef stateFree = FreeMemAux(
2594  C, Call, StateSizeIsZero, 0, false, IsKnownToBeAllocated, Family))
2595  return stateFree;
2596 
2597  // Default behavior.
2598  if (ProgramStateRef stateFree =
2599  FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocated, Family)) {
2600 
2601  ProgramStateRef stateRealloc =
2602  MallocMemAux(C, Call, TotalSize, UnknownVal(), stateFree, Family);
2603  if (!stateRealloc)
2604  return nullptr;
2605 
2606  OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;
2607  if (ShouldFreeOnFail)
2608  Kind = OAR_FreeOnFailure;
2609  else if (!IsKnownToBeAllocated)
2610  Kind = OAR_DoNotTrackAfterFailure;
2611 
2612  // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2613  SymbolRef FromPtr = arg0Val.getLocSymbolInBase();
2614  SVal RetVal = C.getSVal(CE);
2615  SymbolRef ToPtr = RetVal.getAsSymbol();
2616  assert(FromPtr && ToPtr &&
2617  "By this point, FreeMemAux and MallocMemAux should have checked "
2618  "whether the argument or the return value is symbolic!");
2619 
2620  // Record the info about the reallocated symbol so that we could properly
2621  // process failed reallocation.
2622  stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
2623  ReallocPair(FromPtr, Kind));
2624  // The reallocated symbol should stay alive for as long as the new symbol.
2625  C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
2626  return stateRealloc;
2627  }
2628  return nullptr;
2629 }
2630 
2631 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C,
2632  const CallEvent &Call,
2634  if (!State)
2635  return nullptr;
2636 
2637  if (Call.getNumArgs() < 2)
2638  return nullptr;
2639 
2640  SValBuilder &svalBuilder = C.getSValBuilder();
2641  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
2642  SVal TotalSize =
2643  evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
2644 
2645  return MallocMemAux(C, Call, TotalSize, zeroVal, State, AF_Malloc);
2646 }
2647 
2648 MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N,
2649  SymbolRef Sym,
2650  CheckerContext &C) {
2651  const LocationContext *LeakContext = N->getLocationContext();
2652  // Walk the ExplodedGraph backwards and find the first node that referred to
2653  // the tracked symbol.
2654  const ExplodedNode *AllocNode = N;
2655  const MemRegion *ReferenceRegion = nullptr;
2656 
2657  while (N) {
2658  ProgramStateRef State = N->getState();
2659  if (!State->get<RegionState>(Sym))
2660  break;
2661 
2662  // Find the most recent expression bound to the symbol in the current
2663  // context.
2664  if (!ReferenceRegion) {
2665  if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2666  SVal Val = State->getSVal(MR);
2667  if (Val.getAsLocSymbol() == Sym) {
2668  const VarRegion *VR = MR->getBaseRegion()->getAs<VarRegion>();
2669  // Do not show local variables belonging to a function other than
2670  // where the error is reported.
2671  if (!VR || (VR->getStackFrame() == LeakContext->getStackFrame()))
2672  ReferenceRegion = MR;
2673  }
2674  }
2675  }
2676 
2677  // Allocation node, is the last node in the current or parent context in
2678  // which the symbol was tracked.
2679  const LocationContext *NContext = N->getLocationContext();
2680  if (NContext == LeakContext ||
2681  NContext->isParentOf(LeakContext))
2682  AllocNode = N;
2683  N = N->pred_empty() ? nullptr : *(N->pred_begin());
2684  }
2685 
2686  return LeakInfo(AllocNode, ReferenceRegion);
2687 }
2688 
2689 void MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N,
2690  CheckerContext &C) const {
2691 
2692  if (!ChecksEnabled[CK_MallocChecker] &&
2693  !ChecksEnabled[CK_NewDeleteLeaksChecker])
2694  return;
2695 
2696  const RefState *RS = C.getState()->get<RegionState>(Sym);
2697  assert(RS && "cannot leak an untracked symbol");
2698  AllocationFamily Family = RS->getAllocationFamily();
2699 
2700  if (Family == AF_Alloca)
2701  return;
2702 
2704  CheckKind = getCheckIfTracked(Family, true);
2705 
2706  if (!CheckKind.hasValue())
2707  return;
2708 
2709  assert(N);
2710  if (!BT_Leak[*CheckKind]) {
2711  // Leaks should not be reported if they are post-dominated by a sink:
2712  // (1) Sinks are higher importance bugs.
2713  // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2714  // with __noreturn functions such as assert() or exit(). We choose not
2715  // to report leaks on such paths.
2716  BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak",
2718  /*SuppressOnSink=*/true));
2719  }
2720 
2721  // Most bug reports are cached at the location where they occurred.
2722  // With leaks, we want to unique them by the location where they were
2723  // allocated, and only report a single path.
2724  PathDiagnosticLocation LocUsedForUniqueing;
2725  const ExplodedNode *AllocNode = nullptr;
2726  const MemRegion *Region = nullptr;
2727  std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
2728 
2729  const Stmt *AllocationStmt = AllocNode->getStmtForDiagnostics();
2730  if (AllocationStmt)
2731  LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
2732  C.getSourceManager(),
2733  AllocNode->getLocationContext());
2734 
2735  SmallString<200> buf;
2736  llvm::raw_svector_ostream os(buf);
2737  if (Region && Region->canPrintPretty()) {
2738  os << "Potential leak of memory pointed to by ";
2739  Region->printPretty(os);
2740  } else {
2741  os << "Potential memory leak";
2742  }
2743 
2744  auto R = std::make_unique<PathSensitiveBugReport>(
2745  *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
2746  AllocNode->getLocationContext()->getDecl());
2747  R->markInteresting(Sym);
2748  R->addVisitor<MallocBugVisitor>(Sym, true);
2749  if (ShouldRegisterNoOwnershipChangeVisitor)
2750  R->addVisitor<NoOwnershipChangeVisitor>(Sym);
2751  C.emitReport(std::move(R));
2752 }
2753 
2754 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2755  CheckerContext &C) const
2756 {
2757  ProgramStateRef state = C.getState();
2758  RegionStateTy OldRS = state->get<RegionState>();
2759  RegionStateTy::Factory &F = state->get_context<RegionState>();
2760 
2761  RegionStateTy RS = OldRS;
2763  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2764  if (SymReaper.isDead(I->first)) {
2765  if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero())
2766  Errors.push_back(I->first);
2767  // Remove the dead symbol from the map.
2768  RS = F.remove(RS, I->first);
2769  }
2770  }
2771 
2772  if (RS == OldRS) {
2773  // We shouldn't have touched other maps yet.
2774  assert(state->get<ReallocPairs>() ==
2775  C.getState()->get<ReallocPairs>());
2776  assert(state->get<FreeReturnValue>() ==
2777  C.getState()->get<FreeReturnValue>());
2778  return;
2779  }
2780 
2781  // Cleanup the Realloc Pairs Map.
2782  ReallocPairsTy RP = state->get<ReallocPairs>();
2783  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2784  if (SymReaper.isDead(I->first) ||
2785  SymReaper.isDead(I->second.ReallocatedSym)) {
2786  state = state->remove<ReallocPairs>(I->first);
2787  }
2788  }
2789 
2790  // Cleanup the FreeReturnValue Map.
2791  FreeReturnValueTy FR = state->get<FreeReturnValue>();
2792  for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
2793  if (SymReaper.isDead(I->first) ||
2794  SymReaper.isDead(I->second)) {
2795  state = state->remove<FreeReturnValue>(I->first);
2796  }
2797  }
2798 
2799  // Generate leak node.
2800  ExplodedNode *N = C.getPredecessor();
2801  if (!Errors.empty()) {
2802  static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2803  N = C.generateNonFatalErrorNode(C.getState(), &Tag);
2804  if (N) {
2806  I = Errors.begin(), E = Errors.end(); I != E; ++I) {
2807  HandleLeak(*I, N, C);
2808  }
2809  }
2810  }
2811 
2812  C.addTransition(state->set<RegionState>(RS), N);
2813 }
2814 
2815 void MallocChecker::checkPreCall(const CallEvent &Call,
2816  CheckerContext &C) const {
2817 
2818  if (const auto *DC = dyn_cast<CXXDeallocatorCall>(&Call)) {
2819  const CXXDeleteExpr *DE = DC->getOriginExpr();
2820 
2821  if (!ChecksEnabled[CK_NewDeleteChecker])
2822  if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
2823  checkUseAfterFree(Sym, C, DE->getArgument());
2824 
2825  if (!isStandardNewDelete(DC->getDecl()))
2826  return;
2827 
2828  ProgramStateRef State = C.getState();
2829  bool IsKnownToBeAllocated;
2830  State = FreeMemAux(C, DE->getArgument(), Call, State,
2831  /*Hold*/ false, IsKnownToBeAllocated,
2832  (DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew));
2833 
2834  C.addTransition(State);
2835  return;
2836  }
2837 
2838  if (const auto *DC = dyn_cast<CXXDestructorCall>(&Call)) {
2839  SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2840  if (!Sym || checkDoubleDelete(Sym, C))
2841  return;
2842  }
2843 
2844  // We will check for double free in the post visit.
2845  if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
2846  const FunctionDecl *FD = FC->getDecl();
2847  if (!FD)
2848  return;
2849 
2850  if (ChecksEnabled[CK_MallocChecker] && isFreeingCall(Call))
2851  return;
2852  }
2853 
2854  // Check if the callee of a method is deleted.
2855  if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
2856  SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2857  if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2858  return;
2859  }
2860 
2861  // Check arguments for being used after free.
2862  for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2863  SVal ArgSVal = Call.getArgSVal(I);
2864  if (ArgSVal.getAs<Loc>()) {
2865  SymbolRef Sym = ArgSVal.getAsSymbol();
2866  if (!Sym)
2867  continue;
2868  if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
2869  return;
2870  }
2871  }
2872 }
2873 
2874 void MallocChecker::checkPreStmt(const ReturnStmt *S,
2875  CheckerContext &C) const {
2876  checkEscapeOnReturn(S, C);
2877 }
2878 
2879 // In the CFG, automatic destructors come after the return statement.
2880 // This callback checks for returning memory that is freed by automatic
2881 // destructors, as those cannot be reached in checkPreStmt().
2882 void MallocChecker::checkEndFunction(const ReturnStmt *S,
2883  CheckerContext &C) const {
2884  checkEscapeOnReturn(S, C);
2885 }
2886 
2887 void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
2888  CheckerContext &C) const {
2889  if (!S)
2890  return;
2891 
2892  const Expr *E = S->getRetValue();
2893  if (!E)
2894  return;
2895 
2896  // Check if we are returning a symbol.
2897  ProgramStateRef State = C.getState();
2898  SVal RetVal = C.getSVal(E);
2899  SymbolRef Sym = RetVal.getAsSymbol();
2900  if (!Sym)
2901  // If we are returning a field of the allocated struct or an array element,
2902  // the callee could still free the memory.
2903  // TODO: This logic should be a part of generic symbol escape callback.
2904  if (const MemRegion *MR = RetVal.getAsRegion())
2905  if (isa<FieldRegion, ElementRegion>(MR))
2906  if (const SymbolicRegion *BMR =
2907  dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
2908  Sym = BMR->getSymbol();
2909 
2910  // Check if we are returning freed memory.
2911  if (Sym)
2912  checkUseAfterFree(Sym, C, E);
2913 }
2914 
2915 // TODO: Blocks should be either inlined or should call invalidate regions
2916 // upon invocation. After that's in place, special casing here will not be
2917 // needed.
2918 void MallocChecker::checkPostStmt(const BlockExpr *BE,
2919  CheckerContext &C) const {
2920 
2921  // Scan the BlockDecRefExprs for any object the retain count checker
2922  // may be tracking.
2923  if (!BE->getBlockDecl()->hasCaptures())
2924  return;
2925 
2926  ProgramStateRef state = C.getState();
2927  const BlockDataRegion *R =
2928  cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());
2929 
2930  BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
2931  E = R->referenced_vars_end();
2932 
2933  if (I == E)
2934  return;
2935 
2937  const LocationContext *LC = C.getLocationContext();
2938  MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
2939 
2940  for ( ; I != E; ++I) {
2941  const VarRegion *VR = I.getCapturedRegion();
2942  if (VR->getSuperRegion() == R) {
2943  VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2944  }
2945  Regions.push_back(VR);
2946  }
2947 
2948  state =
2949  state->scanReachableSymbols<StopTrackingCallback>(Regions).getState();
2950  C.addTransition(state);
2951 }
2952 
2953 static bool isReleased(SymbolRef Sym, CheckerContext &C) {
2954  assert(Sym);
2955  const RefState *RS = C.getState()->get<RegionState>(Sym);
2956  return (RS && RS->isReleased());
2957 }
2958 
2959 bool MallocChecker::suppressDeallocationsInSuspiciousContexts(
2960  const CallEvent &Call, CheckerContext &C) const {
2961  if (Call.getNumArgs() == 0)
2962  return false;
2963 
2964  StringRef FunctionStr = "";
2965  if (const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
2966  if (const Stmt *Body = FD->getBody())
2967  if (Body->getBeginLoc().isValid())
2968  FunctionStr =
2970  {FD->getBeginLoc(), Body->getBeginLoc()}),
2971  C.getSourceManager(), C.getLangOpts());
2972 
2973  // We do not model the Integer Set Library's retain-count based allocation.
2974  if (!FunctionStr.contains("__isl_"))
2975  return false;
2976 
2977  ProgramStateRef State = C.getState();
2978 
2979  for (const Expr *Arg : cast<CallExpr>(Call.getOriginExpr())->arguments())
2980  if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol())
2981  if (const RefState *RS = State->get<RegionState>(Sym))
2982  State = State->set<RegionState>(Sym, RefState::getEscaped(RS));
2983 
2984  C.addTransition(State);
2985  return true;
2986 }
2987 
2988 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
2989  const Stmt *S) const {
2990 
2991  if (isReleased(Sym, C)) {
2992  HandleUseAfterFree(C, S->getSourceRange(), Sym);
2993  return true;
2994  }
2995 
2996  return false;
2997 }
2998 
2999 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
3000  const Stmt *S) const {
3001  assert(Sym);
3002 
3003  if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
3004  if (RS->isAllocatedOfSizeZero())
3005  HandleUseZeroAlloc(C, RS->getStmt()->getSourceRange(), Sym);
3006  }
3007  else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
3008  HandleUseZeroAlloc(C, S->getSourceRange(), Sym);
3009  }
3010 }
3011 
3012 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
3013 
3014  if (isReleased(Sym, C)) {
3015  HandleDoubleDelete(C, Sym);
3016  return true;
3017  }
3018  return false;
3019 }
3020 
3021 // Check if the location is a freed symbolic region.
3022 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
3023  CheckerContext &C) const {
3024  SymbolRef Sym = l.getLocSymbolInBase();
3025  if (Sym) {
3026  checkUseAfterFree(Sym, C, S);
3027  checkUseZeroAllocated(Sym, C, S);
3028  }
3029 }
3030 
3031 // If a symbolic region is assumed to NULL (or another constant), stop tracking
3032 // it - assuming that allocation failed on this path.
3033 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
3034  SVal Cond,
3035  bool Assumption) const {
3036  RegionStateTy RS = state->get<RegionState>();
3037  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3038  // If the symbol is assumed to be NULL, remove it from consideration.
3039  ConstraintManager &CMgr = state->getConstraintManager();
3040  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
3041  if (AllocFailed.isConstrainedTrue())
3042  state = state->remove<RegionState>(I.getKey());
3043  }
3044 
3045  // Realloc returns 0 when reallocation fails, which means that we should
3046  // restore the state of the pointer being reallocated.
3047  ReallocPairsTy RP = state->get<ReallocPairs>();
3048  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
3049  // If the symbol is assumed to be NULL, remove it from consideration.
3050  ConstraintManager &CMgr = state->getConstraintManager();
3051  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
3052  if (!AllocFailed.isConstrainedTrue())
3053  continue;
3054 
3055  SymbolRef ReallocSym = I.getData().ReallocatedSym;
3056  if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
3057  if (RS->isReleased()) {
3058  switch (I.getData().Kind) {
3059  case OAR_ToBeFreedAfterFailure:
3060  state = state->set<RegionState>(ReallocSym,
3061  RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt()));
3062  break;
3063  case OAR_DoNotTrackAfterFailure:
3064  state = state->remove<RegionState>(ReallocSym);
3065  break;
3066  default:
3067  assert(I.getData().Kind == OAR_FreeOnFailure);
3068  }
3069  }
3070  }
3071  state = state->remove<ReallocPairs>(I.getKey());
3072  }
3073 
3074  return state;
3075 }
3076 
3077 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
3078  const CallEvent *Call,
3080  SymbolRef &EscapingSymbol) const {
3081  assert(Call);
3082  EscapingSymbol = nullptr;
3083 
3084  // For now, assume that any C++ or block call can free memory.
3085  // TODO: If we want to be more optimistic here, we'll need to make sure that
3086  // regions escape to C++ containers. They seem to do that even now, but for
3087  // mysterious reasons.
3088  if (!isa<SimpleFunctionCall, ObjCMethodCall>(Call))
3089  return true;
3090 
3091  // Check Objective-C messages by selector name.
3092  if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
3093  // If it's not a framework call, or if it takes a callback, assume it
3094  // can free memory.
3095  if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
3096  return true;
3097 
3098  // If it's a method we know about, handle it explicitly post-call.
3099  // This should happen before the "freeWhenDone" check below.
3100  if (isKnownDeallocObjCMethodName(*Msg))
3101  return false;
3102 
3103  // If there's a "freeWhenDone" parameter, but the method isn't one we know
3104  // about, we can't be sure that the object will use free() to deallocate the
3105  // memory, so we can't model it explicitly. The best we can do is use it to
3106  // decide whether the pointer escapes.
3107  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
3108  return *FreeWhenDone;
3109 
3110  // If the first selector piece ends with "NoCopy", and there is no
3111  // "freeWhenDone" parameter set to zero, we know ownership is being
3112  // transferred. Again, though, we can't be sure that the object will use
3113  // free() to deallocate the memory, so we can't model it explicitly.
3114  StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
3115  if (FirstSlot.endswith("NoCopy"))
3116  return true;
3117 
3118  // If the first selector starts with addPointer, insertPointer,
3119  // or replacePointer, assume we are dealing with NSPointerArray or similar.
3120  // This is similar to C++ containers (vector); we still might want to check
3121  // that the pointers get freed by following the container itself.
3122  if (FirstSlot.startswith("addPointer") ||
3123  FirstSlot.startswith("insertPointer") ||
3124  FirstSlot.startswith("replacePointer") ||
3125  FirstSlot.equals("valueWithPointer")) {
3126  return true;
3127  }
3128 
3129  // We should escape receiver on call to 'init'. This is especially relevant
3130  // to the receiver, as the corresponding symbol is usually not referenced
3131  // after the call.
3132  if (Msg->getMethodFamily() == OMF_init) {
3133  EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
3134  return true;
3135  }
3136 
3137  // Otherwise, assume that the method does not free memory.
3138  // Most framework methods do not free memory.
3139  return false;
3140  }
3141 
3142  // At this point the only thing left to handle is straight function calls.
3143  const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
3144  if (!FD)
3145  return true;
3146 
3147  // If it's one of the allocation functions we can reason about, we model
3148  // its behavior explicitly.
3149  if (isMemCall(*Call))
3150  return false;
3151 
3152  // If it's not a system call, assume it frees memory.
3153  if (!Call->isInSystemHeader())
3154  return true;
3155 
3156  // White list the system functions whose arguments escape.
3157  const IdentifierInfo *II = FD->getIdentifier();
3158  if (!II)
3159  return true;
3160  StringRef FName = II->getName();
3161 
3162  // White list the 'XXXNoCopy' CoreFoundation functions.
3163  // We specifically check these before
3164  if (FName.endswith("NoCopy")) {
3165  // Look for the deallocator argument. We know that the memory ownership
3166  // is not transferred only if the deallocator argument is
3167  // 'kCFAllocatorNull'.
3168  for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
3169  const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
3170  if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
3171  StringRef DeallocatorName = DE->getFoundDecl()->getName();
3172  if (DeallocatorName == "kCFAllocatorNull")
3173  return false;
3174  }
3175  }
3176  return true;
3177  }
3178 
3179  // Associating streams with malloced buffers. The pointer can escape if
3180  // 'closefn' is specified (and if that function does free memory),
3181  // but it will not if closefn is not specified.
3182  // Currently, we do not inspect the 'closefn' function (PR12101).
3183  if (FName == "funopen")
3184  if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
3185  return false;
3186 
3187  // Do not warn on pointers passed to 'setbuf' when used with std streams,
3188  // these leaks might be intentional when setting the buffer for stdio.
3189  // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
3190  if (FName == "setbuf" || FName =="setbuffer" ||
3191  FName == "setlinebuf" || FName == "setvbuf") {
3192  if (Call->getNumArgs() >= 1) {
3193  const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
3194  if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
3195  if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
3196  if (D->getCanonicalDecl()->getName().contains("std"))
3197  return true;
3198  }
3199  }
3200 
3201  // A bunch of other functions which either take ownership of a pointer or
3202  // wrap the result up in a struct or object, meaning it can be freed later.
3203  // (See RetainCountChecker.) Not all the parameters here are invalidated,
3204  // but the Malloc checker cannot differentiate between them. The right way
3205  // of doing this would be to implement a pointer escapes callback.
3206  if (FName == "CGBitmapContextCreate" ||
3207  FName == "CGBitmapContextCreateWithData" ||
3208  FName == "CVPixelBufferCreateWithBytes" ||
3209  FName == "CVPixelBufferCreateWithPlanarBytes" ||
3210  FName == "OSAtomicEnqueue") {
3211  return true;
3212  }
3213 
3214  if (FName == "postEvent" &&
3215  FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
3216  return true;
3217  }
3218 
3219  if (FName == "connectImpl" &&
3220  FD->getQualifiedNameAsString() == "QObject::connectImpl") {
3221  return true;
3222  }
3223 
3224  // Handle cases where we know a buffer's /address/ can escape.
3225  // Note that the above checks handle some special cases where we know that
3226  // even though the address escapes, it's still our responsibility to free the
3227  // buffer.
3228  if (Call->argumentsMayEscape())
3229  return true;
3230 
3231  // Otherwise, assume that the function does not free memory.
3232  // Most system calls do not free the memory.
3233  return false;
3234 }
3235 
3236 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
3237  const InvalidatedSymbols &Escaped,
3238  const CallEvent *Call,
3239  PointerEscapeKind Kind) const {
3240  return checkPointerEscapeAux(State, Escaped, Call, Kind,
3241  /*IsConstPointerEscape*/ false);
3242 }
3243 
3244 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
3245  const InvalidatedSymbols &Escaped,
3246  const CallEvent *Call,
3247  PointerEscapeKind Kind) const {
3248  // If a const pointer escapes, it may not be freed(), but it could be deleted.
3249  return checkPointerEscapeAux(State, Escaped, Call, Kind,
3250  /*IsConstPointerEscape*/ true);
3251 }
3252 
3253 static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
3254  return (RS->getAllocationFamily() == AF_CXXNewArray ||
3255  RS->getAllocationFamily() == AF_CXXNew);
3256 }
3257 
3258 ProgramStateRef MallocChecker::checkPointerEscapeAux(
3259  ProgramStateRef State, const InvalidatedSymbols &Escaped,
3260  const CallEvent *Call, PointerEscapeKind Kind,
3261  bool IsConstPointerEscape) const {
3262  // If we know that the call does not free memory, or we want to process the
3263  // call later, keep tracking the top level arguments.
3264  SymbolRef EscapingSymbol = nullptr;
3265  if (Kind == PSK_DirectEscapeOnCall &&
3266  !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
3267  EscapingSymbol) &&
3268  !EscapingSymbol) {
3269  return State;
3270  }
3271 
3272  for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
3273  E = Escaped.end();
3274  I != E; ++I) {
3275  SymbolRef sym = *I;
3276 
3277  if (EscapingSymbol && EscapingSymbol != sym)
3278  continue;
3279 
3280  if (const RefState *RS = State->get<RegionState>(sym))
3281  if (RS->isAllocated() || RS->isAllocatedOfSizeZero())
3282  if (!IsConstPointerEscape || checkIfNewOrNewArrayFamily(RS))
3283  State = State->set<RegionState>(sym, RefState::getEscaped(RS));
3284  }
3285  return State;
3286 }
3287 
3288 bool MallocChecker::isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
3289  SVal ArgVal) const {
3290  if (!KernelZeroSizePtrValue)
3291  KernelZeroSizePtrValue =
3292  tryExpandAsInteger("ZERO_SIZE_PTR", C.getPreprocessor());
3293 
3294  const llvm::APSInt *ArgValKnown =
3295  C.getSValBuilder().getKnownValue(State, ArgVal);
3296  return ArgValKnown && *KernelZeroSizePtrValue &&
3297  ArgValKnown->getSExtValue() == **KernelZeroSizePtrValue;
3298 }
3299 
3301  ProgramStateRef prevState) {
3302  ReallocPairsTy currMap = currState->get<ReallocPairs>();
3303  ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
3304 
3305  for (const ReallocPairsTy::value_type &Pair : prevMap) {
3306  SymbolRef sym = Pair.first;
3307  if (!currMap.lookup(sym))
3308  return sym;
3309  }
3310 
3311  return nullptr;
3312 }
3313 
3315  if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
3316  StringRef N = II->getName();
3317  if (N.contains_insensitive("ptr") || N.contains_insensitive("pointer")) {
3318  if (N.contains_insensitive("ref") || N.contains_insensitive("cnt") ||
3319  N.contains_insensitive("intrusive") ||
3320  N.contains_insensitive("shared")) {
3321  return true;
3322  }
3323  }
3324  }
3325  return false;
3326 }
3327 
3328 PathDiagnosticPieceRef MallocBugVisitor::VisitNode(const ExplodedNode *N,
3329  BugReporterContext &BRC,
3330  PathSensitiveBugReport &BR) {
3331  ProgramStateRef state = N->getState();
3332  ProgramStateRef statePrev = N->getFirstPred()->getState();
3333 
3334  const RefState *RSCurr = state->get<RegionState>(Sym);
3335  const RefState *RSPrev = statePrev->get<RegionState>(Sym);
3336 
3337  const Stmt *S = N->getStmtForDiagnostics();
3338  // When dealing with containers, we sometimes want to give a note
3339  // even if the statement is missing.
3340  if (!S && (!RSCurr || RSCurr->getAllocationFamily() != AF_InnerBuffer))
3341  return nullptr;
3342 
3343  const LocationContext *CurrentLC = N->getLocationContext();
3344 
3345  // If we find an atomic fetch_add or fetch_sub within the destructor in which
3346  // the pointer was released (before the release), this is likely a destructor
3347  // of a shared pointer.
3348  // Because we don't model atomics, and also because we don't know that the
3349  // original reference count is positive, we should not report use-after-frees
3350  // on objects deleted in such destructors. This can probably be improved
3351  // through better shared pointer modeling.
3352  if (ReleaseDestructorLC) {
3353  if (const auto *AE = dyn_cast<AtomicExpr>(S)) {
3354  AtomicExpr::AtomicOp Op = AE->getOp();
3355  if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
3356  Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
3357  if (ReleaseDestructorLC == CurrentLC ||
3358  ReleaseDestructorLC->isParentOf(CurrentLC)) {
3359  BR.markInvalid(getTag(), S);
3360  }
3361  }
3362  }
3363  }
3364 
3365  // FIXME: We will eventually need to handle non-statement-based events
3366  // (__attribute__((cleanup))).
3367 
3368  // Find out if this is an interesting point and what is the kind.
3369  StringRef Msg;
3370  std::unique_ptr<StackHintGeneratorForSymbol> StackHint = nullptr;
3371  SmallString<256> Buf;
3372  llvm::raw_svector_ostream OS(Buf);
3373 
3374  if (Mode == Normal) {
3375  if (isAllocated(RSCurr, RSPrev, S)) {
3376  Msg = "Memory is allocated";
3377  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3378  Sym, "Returned allocated memory");
3379  } else if (isReleased(RSCurr, RSPrev, S)) {
3380  const auto Family = RSCurr->getAllocationFamily();
3381  switch (Family) {
3382  case AF_Alloca:
3383  case AF_Malloc:
3384  case AF_CXXNew:
3385  case AF_CXXNewArray:
3386  case AF_IfNameIndex:
3387  Msg = "Memory is released";
3388  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3389  Sym, "Returning; memory was released");
3390  break;
3391  case AF_InnerBuffer: {
3392  const MemRegion *ObjRegion =
3394  const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
3395  QualType ObjTy = TypedRegion->getValueType();
3396  OS << "Inner buffer of '" << ObjTy.getAsString() << "' ";
3397 
3398  if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
3399  OS << "deallocated by call to destructor";
3400  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3401  Sym, "Returning; inner buffer was deallocated");
3402  } else {
3403  OS << "reallocated by call to '";
3404  const Stmt *S = RSCurr->getStmt();
3405  if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) {
3406  OS << MemCallE->getMethodDecl()->getDeclName();
3407  } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) {
3408  OS << OpCallE->getDirectCallee()->getDeclName();
3409  } else if (const auto *CallE = dyn_cast<CallExpr>(S)) {
3410  auto &CEMgr = BRC.getStateManager().getCallEventManager();
3411  CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC);
3412  if (const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl()))
3413  OS << D->getDeclName();
3414  else
3415  OS << "unknown";
3416  }
3417  OS << "'";
3418  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3419  Sym, "Returning; inner buffer was reallocated");
3420  }
3421  Msg = OS.str();
3422  break;
3423  }
3424  case AF_None:
3425  llvm_unreachable("Unhandled allocation family!");
3426  }
3427 
3428  // See if we're releasing memory while inlining a destructor
3429  // (or one of its callees). This turns on various common
3430  // false positive suppressions.
3431  bool FoundAnyDestructor = false;
3432  for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
3433  if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
3435  // This immediately looks like a reference-counting destructor.
3436  // We're bad at guessing the original reference count of the object,
3437  // so suppress the report for now.
3438  BR.markInvalid(getTag(), DD);
3439  } else if (!FoundAnyDestructor) {
3440  assert(!ReleaseDestructorLC &&
3441  "There can be only one release point!");
3442  // Suspect that it's a reference counting pointer destructor.
3443  // On one of the next nodes might find out that it has atomic
3444  // reference counting operations within it (see the code above),
3445  // and if so, we'd conclude that it likely is a reference counting
3446  // pointer destructor.
3447  ReleaseDestructorLC = LC->getStackFrame();
3448  // It is unlikely that releasing memory is delegated to a destructor
3449  // inside a destructor of a shared pointer, because it's fairly hard
3450  // to pass the information that the pointer indeed needs to be
3451  // released into it. So we're only interested in the innermost
3452  // destructor.
3453  FoundAnyDestructor = true;
3454  }
3455  }
3456  }
3457  } else if (isRelinquished(RSCurr, RSPrev, S)) {
3458  Msg = "Memory ownership is transferred";
3459  StackHint = std::make_unique<StackHintGeneratorForSymbol>(Sym, "");
3460  } else if (hasReallocFailed(RSCurr, RSPrev, S)) {
3461  Mode = ReallocationFailed;
3462  Msg = "Reallocation failed";
3463  StackHint = std::make_unique<StackHintGeneratorForReallocationFailed>(
3464  Sym, "Reallocation failed");
3465 
3466  if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
3467  // Is it possible to fail two reallocs WITHOUT testing in between?
3468  assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
3469  "We only support one failed realloc at a time.");
3470  BR.markInteresting(sym);
3471  FailedReallocSymbol = sym;
3472  }
3473  }
3474 
3475  // We are in a special mode if a reallocation failed later in the path.
3476  } else if (Mode == ReallocationFailed) {
3477  assert(FailedReallocSymbol && "No symbol to look for.");
3478 
3479  // Is this is the first appearance of the reallocated symbol?
3480  if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
3481  // We're at the reallocation point.
3482  Msg = "Attempt to reallocate memory";
3483  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3484  Sym, "Returned reallocated memory");
3485  FailedReallocSymbol = nullptr;
3486  Mode = Normal;
3487  }
3488  }
3489 
3490  if (Msg.empty()) {
3491  assert(!StackHint);
3492  return nullptr;
3493  }
3494 
3495  assert(StackHint);
3496 
3497  // Generate the extra diagnostic.
3498  PathDiagnosticLocation Pos;
3499  if (!S) {
3500  assert(RSCurr->getAllocationFamily() == AF_InnerBuffer);
3501  auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
3502  if (!PostImplCall)
3503  return nullptr;
3504  Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
3505  BRC.getSourceManager());
3506  } else {
3507  Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
3508  N->getLocationContext());
3509  }
3510 
3511  auto P = std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true);
3512  BR.addCallStackHint(P, std::move(StackHint));
3513  return P;
3514 }
3515 
3516 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
3517  const char *NL, const char *Sep) const {
3518 
3519  RegionStateTy RS = State->get<RegionState>();
3520 
3521  if (!RS.isEmpty()) {
3522  Out << Sep << "MallocChecker :" << NL;
3523  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3524  const RefState *RefS = State->get<RegionState>(I.getKey());
3525  AllocationFamily Family = RefS->getAllocationFamily();
3526  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
3527  if (!CheckKind.hasValue())
3528  CheckKind = getCheckIfTracked(Family, true);
3529 
3530  I.getKey()->dumpToStream(Out);
3531  Out << " : ";
3532  I.getData().dump(Out);
3533  if (CheckKind.hasValue())
3534  Out << " (" << CheckNames[*CheckKind].getName() << ")";
3535  Out << NL;
3536  }
3537  }
3538 }
3539 
3540 namespace clang {
3541 namespace ento {
3542 namespace allocation_state {
3543 
3546  AllocationFamily Family = AF_InnerBuffer;
3547  return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3548 }
3549 
3550 } // end namespace allocation_state
3551 } // end namespace ento
3552 } // end namespace clang
3553 
3554 // Intended to be used in InnerPointerChecker to register the part of
3555 // MallocChecker connected to it.
3557  MallocChecker *checker = mgr.getChecker<MallocChecker>();
3558  checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
3559  checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
3560  mgr.getCurrentCheckerName();
3561 }
3562 
3563 void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
3564  auto *checker = mgr.registerChecker<MallocChecker>();
3565  checker->ShouldIncludeOwnershipAnnotatedFunctions =
3566  mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic");
3567  checker->ShouldRegisterNoOwnershipChangeVisitor =
3568  mgr.getAnalyzerOptions().getCheckerBooleanOption(
3569  checker, "AddNoOwnershipChangeNotes");
3570 }
3571 
3572 bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {
3573  return true;
3574 }
3575 
3576 #define REGISTER_CHECKER(name) \
3577  void ento::register##name(CheckerManager &mgr) { \
3578  MallocChecker *checker = mgr.getChecker<MallocChecker>(); \
3579  checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3580  checker->CheckNames[MallocChecker::CK_##name] = \
3581  mgr.getCurrentCheckerName(); \
3582  } \
3583  \
3584  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
3585 
3586 REGISTER_CHECKER(MallocChecker)
3587 REGISTER_CHECKER(NewDeleteChecker)
3588 REGISTER_CHECKER(NewDeleteLeaksChecker)
3589 REGISTER_CHECKER(MismatchedDeallocatorChecker)
findFailedReallocSymbol
static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, ProgramStateRef prevState)
Definition: MallocChecker.cpp:3300
clang::ento::Loc::isLocType
static bool isLocType(QualType T)
Definition: SVals.h:336
clang::ento::PSK_DirectEscapeOnCall
@ PSK_DirectEscapeOnCall
The pointer has been passed to a function call directly.
Definition: CheckerManager.h:85
clang::ento::CDF_MaybeBuiltin
@ CDF_MaybeBuiltin
Describes a C standard function that is sometimes implemented as a macro that expands to a compiler b...
Definition: CallEvent.h:1233
clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:414
clang::CXXConstructorDecl
Represents a C++ constructor within a class.
Definition: DeclCXX.h:2401
DynamicExtent.h
getDeepPointeeType
static QualType getDeepPointeeType(QualType T)
Definition: MallocChecker.cpp:1527
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::LocationContext::getStackFrame
const StackFrameContext * getStackFrame() const
Definition: AnalysisDeclContext.cpp:463
clang::DeclaratorDecl::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: Decl.h:780
SVals.h
clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:212
string
string(SUBSTRING ${CMAKE_CURRENT_BINARY_DIR} 0 ${PATH_LIB_START} PATH_HEAD) string(SUBSTRING $
Definition: CMakeLists.txt:22
Ret
static bool Ret(InterpState &S, CodePtr &PC, APValue &Result)
Definition: Interp.cpp:34
clang::ast_matchers::stmt
const internal::VariadicAllOfMatcher< Stmt > stmt
Matches statements.
Definition: ASTMatchersInternal.cpp:809
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:494
clang::ento::CheckerManager::getCurrentCheckerName
CheckerNameRef getCurrentCheckerName() const
Definition: CheckerManager.h:164
llvm::SmallVector
Definition: LLVM.h:38
clang::SourceLocation
Encodes a location in the source.
Definition: SourceLocation.h:88
clang::NamedDecl
This represents a decl that may have a name.
Definition: Decl.h:249
clang::ento::registerInnerPointerCheckerAux
void registerInnerPointerCheckerAux(CheckerManager &Mgr)
Register the part of MallocChecker connected to InnerPointerChecker.
Definition: MallocChecker.cpp:3556
TargetInfo.h
clang::MultiVersionKind::Target
@ Target
clang::CXXDeleteExpr::isArrayForm
bool isArrayForm() const
Definition: ExprCXX.h:2424
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:673
Attr.h
CHECK_FN
#define CHECK_FN(NAME)
Definition: MallocChecker.cpp:367
clang::FunctionDecl::getParamDecl
const ParmVarDecl * getParamDecl(unsigned i) const
Definition: Decl.h:2506
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:54
clang::OMF_init
@ OMF_init
Definition: IdentifierTable.h:696
DeclCXX.h
ProgramState_Fwd.h
SymbolManager.h
clang::CXXNewExpr
Represents a new-expression for memory allocation and constructor calls, e.g: "new CXXNewExpr(foo)".
Definition: ExprCXX.h:2139
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: SymExpr.h:110
clang::FunctionDecl::getDeclaredReturnType
QualType getDeclaredReturnType() const
Get the declared return type, which may differ from the actual return type if the return type is dedu...
Definition: Decl.h:2554
llvm::Optional
Definition: LLVM.h:40
clang::ento::bugreporter::TrackingKind
TrackingKind
Specifies the type of tracking for an expression.
Definition: BugReporterVisitors.h:95
llvm::SmallPtrSet
Definition: ASTContext.h:82
clang::Lexer::getSourceText
static StringRef getSourceText(CharSourceRange Range, const SourceManager &SM, const LangOptions &LangOpts, bool *Invalid=nullptr)
Returns a string for the source that the range encompasses.
Definition: Lexer.cpp:957
clang::QualType::getAsString
static std::string getAsString(SplitQualType split, const PrintingPolicy &Policy)
Definition: Type.h:1015
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:295
SourceManager.h
clang::tooling::X
static ToolExecutorPluginRegistry::Add< AllTUsToolExecutorPlugin > X("all-TUs", "Runs FrontendActions on all TUs in the compilation database. " "Tool results are stored in memory.")
ASTMatchFinder.h
clang::index::SymbolRole::Call
@ Call
CommonBugCategories.h
clang::ento::Store
const void * Store
Store - This opaque type encapsulates an immutable mapping from locations to values.
Definition: StoreRef.h:27
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition: ASTContext.h:695
clang::ento::tryExpandAsInteger
llvm::Optional< int > tryExpandAsInteger(StringRef Macro, const Preprocessor &PP)
Try to parse the value of a defined preprocessor macro.
Definition: CheckerHelpers.cpp:113
printExpectedAllocName
static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family)
Print expected name of an allocator based on the deallocator's family derived from the DeallocExpr.
Definition: MallocChecker.cpp:1830
clang::PostImplicitCall
Represents a program point just after an implicit call event.
Definition: ProgramPoint.h:600
InterCheckerAPI.h
CallEvent.h
clang::ast_matchers::cxxDeleteExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CXXDeleteExpr > cxxDeleteExpr
Matches delete expressions.
Definition: ASTMatchersInternal.cpp:878
Offset
unsigned Offset
Definition: Format.cpp:2335
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:84
APSInt
llvm::APSInt APSInt
Definition: ByteCodeEmitter.cpp:19
AllocationState.h
clang::syntax::NodeRole::Parameters
@ Parameters
V
#define V(N, I)
Definition: ASTContext.h:3121
ProgramPoint.h
clang::ast_matchers
Definition: ASTMatchers.h:98
BuiltinCheckerRegistration.h
DeclTemplate.h
CASE
#define CASE(ID)
clang::Decl::specific_attrs
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
Definition: DeclBase.h:529
clang::VarDecl::isStaticLocal
bool isStaticLocal() const
Returns true if a variable with function scope is a static local variable.
Definition: Decl.h:1125
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition: PathDiagnostic.h:250
clang::XRayInstrKind::None
constexpr XRayInstrMask None
Definition: XRayInstr.h:38
CheckerManager.h
clang::BlockExpr::getBlockDecl
const BlockDecl * getBlockDecl() const
Definition: Expr.h:5977
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:212
ASTMatchers.h
clang::ASTContext::getSizeType
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Definition: ASTContext.cpp:5709
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:29
clang::FunctionDecl::getBody
Stmt * getBody(const FunctionDecl *&Definition) const
Retrieve the body (definition) of the function.
Definition: Decl.cpp:3035
clang::LocationContext::isParentOf
bool isParentOf(const LocationContext *LC) const
Definition: AnalysisDeclContext.cpp:477
clang::CallExpr::getArg
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2986
clang::CXXDestructorDecl
Represents a C++ destructor within a class.
Definition: DeclCXX.h:2668
didPreviousFreeFail
static bool didPreviousFreeFail(ProgramStateRef State, SymbolRef Sym, SymbolRef &RetStatusSymbol)
Checks if the previous call to free on the given symbol failed - if free failed, returns true.
Definition: MallocChecker.cpp:1778
Expr.h
llvm::SmallString
Definition: LLVM.h:37
clang::interp::Zero
bool Zero(InterpState &S, CodePtr OpPC)
Definition: Interp.h:814
REGISTER_SET_WITH_PROGRAMSTATE
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:109
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:876
clang::CallEnter::getCallExpr
const Stmt * getCallExpr() const
Definition: ProgramPoint.h:636
clang::Type::getPointeeType
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition: Type.cpp:625
clang::ento::bugreporter::TrackingKind::Thorough
@ Thorough
Default tracking kind – specifies that as much information should be gathered about the tracked expre...
clang::CXXConstructExpr::getConstructor
CXXConstructorDecl * getConstructor() const
Get the constructor that this expression will (ultimately) call.
Definition: ExprCXX.h:1532
clang::Type::getAsCXXRecordDecl
CXXRecordDecl * getAsCXXRecordDecl() const
Retrieves the CXXRecordDecl that this type refers to, either because the type is a RecordType or beca...
Definition: Type.cpp:1760
clang::getOperatorSpelling
const char * getOperatorSpelling(OverloadedOperatorKind Operator)
Retrieve the spelling of the given overloaded operator, without the preceding "operator" keyword.
Definition: IdentifierTable.cpp:735
ExprCXX.h
Label
std::string Label
Definition: UsingDeclarationsSorter.cpp:69
clang::FunctionDecl::getOverloadedOperator
OverloadedOperatorKind getOverloadedOperator() const
getOverloadedOperator - Which C++ overloaded operator this function represents, if any.
Definition: Decl.cpp:3653
clang::AtomicExpr::AtomicOp
AtomicOp
Definition: Expr.h:6231
clang::ObjCMessageExpr
An expression that sends a message to the given Objective-C object or class.
Definition: ExprObjC.h:940
ExplodedGraph.h
clang::OverloadedOperatorKind
OverloadedOperatorKind
Enumeration specifying the different kinds of C++ overloaded operators.
Definition: OperatorKinds.h:21
state
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
Definition: README.txt:30
clang::BlockDecl::hasCaptures
bool hasCaptures() const
True if this block (or its nested blocks) captures anything of local storage from its enclosing scope...
Definition: Decl.h:4276
clang::LocationContext::getParent
const LocationContext * getParent() const
Definition: AnalysisDeclContext.h:243
clang::QualType::getDesugaredType
QualType getDesugaredType(const ASTContext &Context) const
Return the specified type with any "sugar" removed from the type.
Definition: Type.h:979
clang::ento::CheckerManager::getChecker
CHECKER * getChecker()
Definition: CheckerManager.h:219
clang::TargetInfo::getTriple
const llvm::Triple & getTriple() const
Returns the target triple of the primary target.
Definition: TargetInfo.h:1130
clang::ASTContext::UnsignedLongTy
CanQualType UnsignedLongTy
Definition: ASTContext.h:1085
clang::ento::categories::MemoryError
const char *const MemoryError
Definition: CommonBugCategories.cpp:20
clang::ParentMap
Definition: ParentMap.h:20
checkIfNewOrNewArrayFamily
static bool checkIfNewOrNewArrayFamily(const RefState *RS)
Definition: MallocChecker.cpp:3253
P
StringRef P
Definition: ASTMatchersInternal.cpp:563
printExpectedDeallocName
static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family)
Print expected name of a deallocator based on the allocator's family.
Definition: MallocChecker.cpp:1843
isReferenceCountingPointerDestructor
static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD)
Definition: MallocChecker.cpp:3314
clang::ASTContext::VoidPtrTy
CanQualType VoidPtrTy
Definition: ASTContext.h:1102
clang::Decl::hasAttrs
bool hasAttrs() const
Definition: DeclBase.h:489
clang::syntax::NodeRole::Size
@ Size
BugType.h
clang::NamedDecl::getIdentifier
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:270
clang::ento::allocation_state::getInnerPointerBRVisitor
std::unique_ptr< BugReporterVisitor > getInnerPointerBRVisitor(SymbolRef Sym)
This function provides an additional visitor that augments the bug report with information relevant t...
Definition: InnerPointerChecker.cpp:291
clang::ProgramPoint::PostImplicitCallKind
@ PostImplicitCallKind
Definition: ProgramPoint.h:83
dump
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
Definition: CoverageMappingGen.cpp:1519
clang::CharSourceRange::getTokenRange
static CharSourceRange getTokenRange(SourceRange R)
Definition: SourceLocation.h:263
clang::CallExpr::getNumArgs
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2973
clang::CXXDeleteExpr
Represents a delete expression for memory deallocation and destructor calls, e.g.
Definition: ExprCXX.h:2398
hasNonTrivialConstructorCall
static bool hasNonTrivialConstructorCall(const CXXNewExpr *NE)
Definition: MallocChecker.cpp:1538
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:738
clang::BlockExpr
BlockExpr - Adaptor class for mixing a BlockDecl with expressions.
Definition: Expr.h:5965
llvm::ArrayRef
Definition: LLVM.h:34
printMemFnName
static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E)
Print names of allocators and deallocators.
Definition: MallocChecker.cpp:1791
Lexer.h
clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:89
LLVM.h
clang::ASTContext::CharTy
CanQualType CharTy
Definition: ASTContext.h:1077
State
LineState State
Definition: UnwrappedLineFormatter.cpp:986
clang::ast_matchers::hasDescendant
const internal::ArgumentAdaptingMatcherFunc< internal::HasDescendantMatcher > hasDescendant
Matches AST nodes that have descendant AST nodes that match the provided matcher.
Definition: ASTMatchersInternal.cpp:1009
clang::NamedDecl::getQualifiedNameAsString
std::string getQualifiedNameAsString() const
Definition: Decl.cpp:1582
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:84
clang::ASTContext::getTargetInfo
const TargetInfo & getTargetInfo() const
Definition: ASTContext.h:747
isStandardNewDelete
static bool isStandardNewDelete(const FunctionDecl *FD)
Tells if the callee is one of the builtin new/delete operators, including placement operators and oth...
Definition: MallocChecker.cpp:1042
CheckerContext.h
clang::ento::allocation_state::getContainerObjRegion
const MemRegion * getContainerObjRegion(ProgramStateRef State, SymbolRef Sym)
'Sym' represents a pointer to the inner buffer of a container object.
Definition: InnerPointerChecker.cpp:295
clang::ObjCPropertyAttribute::Kind
Kind
Definition: DeclObjCCommon.h:22
ProgramState.h
Checker.h
MallocUpdateRefState
static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, AllocationFamily Family, Optional< SVal > RetVal=None)
Update the RefState to reflect the new memory allocation.
Definition: MallocChecker.cpp:1713
std
Definition: Format.h:4034
clang::interp::NE
bool NE(InterpState &S, CodePtr OpPC)
Definition: Interp.h:225
ParentMap.h
clang::ento::CheckerManager
Definition: CheckerManager.h:127
clang::IdentifierInfo::getName
StringRef getName() const
Return the actual identifier string.
Definition: IdentifierTable.h:195
clang::Builtin::ID
ID
Definition: Builtins.h:48
clang
Definition: CalledOnceCheck.h:17
clang::Selector
Smart pointer class that efficiently represents Objective-C method names.
Definition: IdentifierTable.h:748
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:69
clang::Decl::print
void print(raw_ostream &Out, unsigned Indentation=0, bool PrintInstantiation=false) const
Definition: DeclPrinter.cpp:126
clang::SourceManager::isInSystemHeader
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
Definition: SourceManager.h:1488
clang::ast_matchers::match
SmallVector< BoundNodes, 1 > match(MatcherT Matcher, const NodeT &Node, ASTContext &Context)
Returns the results of matching Matcher on Node.
Definition: ASTMatchFinder.h:312
isStandardRealloc
static bool isStandardRealloc(const CallEvent &Call)
Definition: MallocChecker.cpp:1203
CheckerHelpers.h
clang::Expr::getType
QualType getType() const
Definition: Expr.h:141
clang::SourceLocation::isValid
bool isValid() const
Return true if this is a valid SourceLocation object.
Definition: SourceLocation.h:112
clang::ento::PathDiagnosticLocation::createBegin
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Definition: PathDiagnostic.cpp:580
clang::OverloadCandidateParamOrder::Normal
@ Normal
s
__device__ __2f16 float bool s
Definition: __clang_hip_libdevice_declares.h:315
clang::CXXDeleteExpr::getArgument
Expr * getArgument()
Definition: ExprCXX.h:2439
isGRealloc
static bool isGRealloc(const CallEvent &Call)
Definition: MallocChecker.cpp:1217
clang::ento::PointerEscapeKind
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Definition: CheckerManager.h:79
isReleased
static bool isReleased(SymbolRef Sym, CheckerContext &C)
Check if the memory associated with this symbol was released.
Definition: MallocChecker.cpp:2953
clang::CallEnter
Represents a point when we begin processing an inlined call.
Definition: ProgramPoint.h:630
clang::ento::setDynamicExtent
ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal Extent, SValBuilder &SVB)
Set the dynamic extent Extent of the region MR.
clang::ento::allocation_state::markReleased
ProgramStateRef markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin)
Definition: MallocChecker.cpp:3545
isKnownDeallocObjCMethodName
static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call)
Definition: MallocChecker.cpp:1603
llvm::SmallVectorImpl
Definition: LLVM.h:39
clang::ParentMap::isConsumedExpr
bool isConsumedExpr(Expr *E) const
Definition: ParentMap.cpp:171
clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:687
ProgramStateTrait.h
clang::Expr
This represents one expression.
Definition: Expr.h:109
clang::ento::InvalidatedSymbols
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
clang::FunctionDecl::parameters
ArrayRef< ParmVarDecl * > parameters() const
Definition: Decl.h:2483
clang::Decl::getLocation
SourceLocation getLocation() const
Definition: DeclBase.h:430
clang::DeclRefExpr
A reference to a declared variable, function, enum, etc.
Definition: Expr.h:1217
clang::LocationContext::getDecl
const Decl * getDecl() const
Definition: AnalysisDeclContext.h:247
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1856
StoreRef.h
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2795
REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition: MallocChecker.cpp:3576
clang::CXXConstructExpr
Represents a call to a C++ constructor.
Definition: ExprCXX.h:1460
getFreeWhenDoneArg
static Optional< bool > getFreeWhenDoneArg(const ObjCMethodCall &Call)
Definition: MallocChecker.cpp:1615
clang::operator==
bool operator==(const CallGraphNode::CallRecord &LHS, const CallGraphNode::CallRecord &RHS)
Definition: CallGraph.h:207
llvm::IntrusiveRefCntPtr< const ProgramState >
abs
__DEVICE__ long long abs(long long __n)
Definition: __clang_cuda_cmath.h:41
clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:2760
clang::CXXMethodDecl::getParent
const CXXRecordDecl * getParent() const
Return the parent of this method declaration, which is the class in which this method is defined.
Definition: DeclCXX.h:2063
clang::NamedDecl::getName
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:276