clang  15.0.0git
MallocChecker.cpp
Go to the documentation of this file.
1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines a variety of memory management related checkers, such as
10 // leak, double free, and use-after-free.
11 //
12 // The following checkers are defined here:
13 //
14 // * MallocChecker
15 // Despite its name, it models all sorts of memory allocations and
16 // de- or reallocation, including but not limited to malloc, free,
17 // relloc, new, delete. It also reports on a variety of memory misuse
18 // errors.
19 // Many other checkers interact very closely with this checker, in fact,
20 // most are merely options to this one. Other checkers may register
21 // MallocChecker, but do not enable MallocChecker's reports (more details
22 // to follow around its field, ChecksEnabled).
23 // It also has a boolean "Optimistic" checker option, which if set to true
24 // will cause the checker to model user defined memory management related
25 // functions annotated via the attribute ownership_takes, ownership_holds
26 // and ownership_returns.
27 //
28 // * NewDeleteChecker
29 // Enables the modeling of new, new[], delete, delete[] in MallocChecker,
30 // and checks for related double-free and use-after-free errors.
31 //
32 // * NewDeleteLeaksChecker
33 // Checks for leaks related to new, new[], delete, delete[].
34 // Depends on NewDeleteChecker.
35 //
36 // * MismatchedDeallocatorChecker
37 // Enables checking whether memory is deallocated with the correspending
38 // allocation function in MallocChecker, such as malloc() allocated
39 // regions are only freed by free(), new by delete, new[] by delete[].
40 //
41 // InnerPointerChecker interacts very closely with MallocChecker, but unlike
42 // the above checkers, it has it's own file, hence the many InnerPointerChecker
43 // related headers and non-static functions.
44 //
45 //===----------------------------------------------------------------------===//
46 
47 #include "AllocationState.h"
48 #include "InterCheckerAPI.h"
49 #include "clang/AST/Attr.h"
50 #include "clang/AST/DeclCXX.h"
51 #include "clang/AST/DeclTemplate.h"
52 #include "clang/AST/Expr.h"
53 #include "clang/AST/ExprCXX.h"
54 #include "clang/AST/ParentMap.h"
58 #include "clang/Basic/LLVM.h"
60 #include "clang/Basic/TargetInfo.h"
61 #include "clang/Lex/Lexer.h"
79 #include "llvm/ADT/STLExtras.h"
80 #include "llvm/ADT/SetOperations.h"
81 #include "llvm/ADT/SmallString.h"
82 #include "llvm/ADT/StringExtras.h"
83 #include "llvm/Support/Casting.h"
84 #include "llvm/Support/Compiler.h"
85 #include "llvm/Support/ErrorHandling.h"
86 #include "llvm/Support/raw_ostream.h"
87 #include <climits>
88 #include <functional>
89 #include <utility>
90 
91 using namespace clang;
92 using namespace ento;
93 using namespace std::placeholders;
94 
95 //===----------------------------------------------------------------------===//
96 // The types of allocation we're modeling. This is used to check whether a
97 // dynamically allocated object is deallocated with the correct function, like
98 // not using operator delete on an object created by malloc(), or alloca regions
99 // aren't ever deallocated manually.
100 //===----------------------------------------------------------------------===//
101 
102 namespace {
103 
104 // Used to check correspondence between allocators and deallocators.
105 enum AllocationFamily {
106  AF_None,
107  AF_Malloc,
108  AF_CXXNew,
109  AF_CXXNewArray,
110  AF_IfNameIndex,
111  AF_Alloca,
112  AF_InnerBuffer
113 };
114 
115 } // end of anonymous namespace
116 
117 /// Print names of allocators and deallocators.
118 ///
119 /// \returns true on success.
120 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E);
121 
122 /// Print expected name of an allocator based on the deallocator's family
123 /// derived from the DeallocExpr.
124 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family);
125 
126 /// Print expected name of a deallocator based on the allocator's
127 /// family.
128 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family);
129 
130 //===----------------------------------------------------------------------===//
131 // The state of a symbol, in terms of memory management.
132 //===----------------------------------------------------------------------===//
133 
134 namespace {
135 
136 class RefState {
137  enum Kind {
138  // Reference to allocated memory.
139  Allocated,
140  // Reference to zero-allocated memory.
141  AllocatedOfSizeZero,
142  // Reference to released/freed memory.
143  Released,
144  // The responsibility for freeing resources has transferred from
145  // this reference. A relinquished symbol should not be freed.
146  Relinquished,
147  // We are no longer guaranteed to have observed all manipulations
148  // of this pointer/memory. For example, it could have been
149  // passed as a parameter to an opaque function.
150  Escaped
151  };
152 
153  const Stmt *S;
154 
155  Kind K;
156  AllocationFamily Family;
157 
158  RefState(Kind k, const Stmt *s, AllocationFamily family)
159  : S(s), K(k), Family(family) {
160  assert(family != AF_None);
161  }
162 
163 public:
164  bool isAllocated() const { return K == Allocated; }
165  bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
166  bool isReleased() const { return K == Released; }
167  bool isRelinquished() const { return K == Relinquished; }
168  bool isEscaped() const { return K == Escaped; }
169  AllocationFamily getAllocationFamily() const { return Family; }
170  const Stmt *getStmt() const { return S; }
171 
172  bool operator==(const RefState &X) const {
173  return K == X.K && S == X.S && Family == X.Family;
174  }
175 
176  static RefState getAllocated(AllocationFamily family, const Stmt *s) {
177  return RefState(Allocated, s, family);
178  }
179  static RefState getAllocatedOfSizeZero(const RefState *RS) {
180  return RefState(AllocatedOfSizeZero, RS->getStmt(),
181  RS->getAllocationFamily());
182  }
183  static RefState getReleased(AllocationFamily family, const Stmt *s) {
184  return RefState(Released, s, family);
185  }
186  static RefState getRelinquished(AllocationFamily family, const Stmt *s) {
187  return RefState(Relinquished, s, family);
188  }
189  static RefState getEscaped(const RefState *RS) {
190  return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
191  }
192 
193  void Profile(llvm::FoldingSetNodeID &ID) const {
194  ID.AddInteger(K);
195  ID.AddPointer(S);
196  ID.AddInteger(Family);
197  }
198 
199  LLVM_DUMP_METHOD void dump(raw_ostream &OS) const {
200  switch (K) {
201 #define CASE(ID) case ID: OS << #ID; break;
202  CASE(Allocated)
203  CASE(AllocatedOfSizeZero)
204  CASE(Released)
205  CASE(Relinquished)
206  CASE(Escaped)
207  }
208  }
209 
210  LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
211 };
212 
213 } // end of anonymous namespace
214 
215 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
216 
217 /// Check if the memory associated with this symbol was released.
218 static bool isReleased(SymbolRef Sym, CheckerContext &C);
219 
220 /// Update the RefState to reflect the new memory allocation.
221 /// The optional \p RetVal parameter specifies the newly allocated pointer
222 /// value; if unspecified, the value of expression \p E is used.
223 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
225  AllocationFamily Family,
226  Optional<SVal> RetVal = None);
227 
228 //===----------------------------------------------------------------------===//
229 // The modeling of memory reallocation.
230 //
231 // The terminology 'toPtr' and 'fromPtr' will be used:
232 // toPtr = realloc(fromPtr, 20);
233 //===----------------------------------------------------------------------===//
234 
235 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
236 
237 namespace {
238 
239 /// The state of 'fromPtr' after reallocation is known to have failed.
240 enum OwnershipAfterReallocKind {
241  // The symbol needs to be freed (e.g.: realloc)
242  OAR_ToBeFreedAfterFailure,
243  // The symbol has been freed (e.g.: reallocf)
244  OAR_FreeOnFailure,
245  // The symbol doesn't have to freed (e.g.: we aren't sure if, how and where
246  // 'fromPtr' was allocated:
247  // void Haha(int *ptr) {
248  // ptr = realloc(ptr, 67);
249  // // ...
250  // }
251  // ).
252  OAR_DoNotTrackAfterFailure
253 };
254 
255 /// Stores information about the 'fromPtr' symbol after reallocation.
256 ///
257 /// This is important because realloc may fail, and that needs special modeling.
258 /// Whether reallocation failed or not will not be known until later, so we'll
259 /// store whether upon failure 'fromPtr' will be freed, or needs to be freed
260 /// later, etc.
261 struct ReallocPair {
262 
263  // The 'fromPtr'.
264  SymbolRef ReallocatedSym;
265  OwnershipAfterReallocKind Kind;
266 
267  ReallocPair(SymbolRef S, OwnershipAfterReallocKind K)
268  : ReallocatedSym(S), Kind(K) {}
269  void Profile(llvm::FoldingSetNodeID &ID) const {
270  ID.AddInteger(Kind);
271  ID.AddPointer(ReallocatedSym);
272  }
273  bool operator==(const ReallocPair &X) const {
274  return ReallocatedSym == X.ReallocatedSym &&
275  Kind == X.Kind;
276  }
277 };
278 
279 } // end of anonymous namespace
280 
281 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
282 
283 /// Tells if the callee is one of the builtin new/delete operators, including
284 /// placement operators and other standard overloads.
285 static bool isStandardNewDelete(const FunctionDecl *FD);
286 static bool isStandardNewDelete(const CallEvent &Call) {
287  if (!Call.getDecl() || !isa<FunctionDecl>(Call.getDecl()))
288  return false;
289  return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl()));
290 }
291 
292 //===----------------------------------------------------------------------===//
293 // Definition of the MallocChecker class.
294 //===----------------------------------------------------------------------===//
295 
296 namespace {
297 
298 class MallocChecker
299  : public Checker<check::DeadSymbols, check::PointerEscape,
300  check::ConstPointerEscape, check::PreStmt<ReturnStmt>,
301  check::EndFunction, check::PreCall, check::PostCall,
302  check::NewAllocator, check::PostStmt<BlockExpr>,
303  check::PostObjCMessage, check::Location, eval::Assume> {
304 public:
305  /// In pessimistic mode, the checker assumes that it does not know which
306  /// functions might free the memory.
307  /// In optimistic mode, the checker assumes that all user-defined functions
308  /// which might free a pointer are annotated.
309  bool ShouldIncludeOwnershipAnnotatedFunctions = false;
310 
311  bool ShouldRegisterNoOwnershipChangeVisitor = false;
312 
313  /// Many checkers are essentially built into this one, so enabling them will
314  /// make MallocChecker perform additional modeling and reporting.
315  enum CheckKind {
316  /// When a subchecker is enabled but MallocChecker isn't, model memory
317  /// management but do not emit warnings emitted with MallocChecker only
318  /// enabled.
319  CK_MallocChecker,
320  CK_NewDeleteChecker,
321  CK_NewDeleteLeaksChecker,
322  CK_MismatchedDeallocatorChecker,
323  CK_InnerPointerChecker,
324  CK_NumCheckKinds
325  };
326 
327  using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>;
328 
329  bool ChecksEnabled[CK_NumCheckKinds] = {false};
330  CheckerNameRef CheckNames[CK_NumCheckKinds];
331 
332  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
333  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
334  void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const;
335  void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
336  void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
337  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
338  void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
339  void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
340  ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
341  bool Assumption) const;
342  void checkLocation(SVal l, bool isLoad, const Stmt *S,
343  CheckerContext &C) const;
344 
345  ProgramStateRef checkPointerEscape(ProgramStateRef State,
346  const InvalidatedSymbols &Escaped,
347  const CallEvent *Call,
348  PointerEscapeKind Kind) const;
349  ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
350  const InvalidatedSymbols &Escaped,
351  const CallEvent *Call,
352  PointerEscapeKind Kind) const;
353 
354  void printState(raw_ostream &Out, ProgramStateRef State,
355  const char *NL, const char *Sep) const override;
356 
357 private:
358  mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
359  mutable std::unique_ptr<BugType> BT_DoubleDelete;
360  mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
361  mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
362  mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
363  mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
364  mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
365  mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
366  mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
367 
368 #define CHECK_FN(NAME) \
369  void NAME(const CallEvent &Call, CheckerContext &C) const;
370 
371  CHECK_FN(checkFree)
372  CHECK_FN(checkIfNameIndex)
373  CHECK_FN(checkBasicAlloc)
374  CHECK_FN(checkKernelMalloc)
375  CHECK_FN(checkCalloc)
376  CHECK_FN(checkAlloca)
377  CHECK_FN(checkStrdup)
378  CHECK_FN(checkIfFreeNameIndex)
379  CHECK_FN(checkCXXNewOrCXXDelete)
380  CHECK_FN(checkGMalloc0)
381  CHECK_FN(checkGMemdup)
382  CHECK_FN(checkGMallocN)
383  CHECK_FN(checkGMallocN0)
384  CHECK_FN(checkReallocN)
385  CHECK_FN(checkOwnershipAttr)
386 
387  void checkRealloc(const CallEvent &Call, CheckerContext &C,
388  bool ShouldFreeOnFail) const;
389 
390  using CheckFn = std::function<void(const MallocChecker *,
391  const CallEvent &Call, CheckerContext &C)>;
392 
393  const CallDescriptionMap<CheckFn> FreeingMemFnMap{
394  {{"free", 1}, &MallocChecker::checkFree},
395  {{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex},
396  {{"kfree", 1}, &MallocChecker::checkFree},
397  {{"g_free", 1}, &MallocChecker::checkFree},
398  };
399 
400  bool isFreeingCall(const CallEvent &Call) const;
401  static bool isFreeingOwnershipAttrCall(const FunctionDecl *Func);
402 
403  friend class NoOwnershipChangeVisitor;
404 
405  CallDescriptionMap<CheckFn> AllocatingMemFnMap{
406  {{"alloca", 1}, &MallocChecker::checkAlloca},
407  {{"_alloca", 1}, &MallocChecker::checkAlloca},
408  {{"malloc", 1}, &MallocChecker::checkBasicAlloc},
409  {{"malloc", 3}, &MallocChecker::checkKernelMalloc},
410  {{"calloc", 2}, &MallocChecker::checkCalloc},
411  {{"valloc", 1}, &MallocChecker::checkBasicAlloc},
412  {{CDF_MaybeBuiltin, "strndup", 2}, &MallocChecker::checkStrdup},
413  {{CDF_MaybeBuiltin, "strdup", 1}, &MallocChecker::checkStrdup},
414  {{"_strdup", 1}, &MallocChecker::checkStrdup},
415  {{"kmalloc", 2}, &MallocChecker::checkKernelMalloc},
416  {{"if_nameindex", 1}, &MallocChecker::checkIfNameIndex},
417  {{CDF_MaybeBuiltin, "wcsdup", 1}, &MallocChecker::checkStrdup},
418  {{CDF_MaybeBuiltin, "_wcsdup", 1}, &MallocChecker::checkStrdup},
419  {{"g_malloc", 1}, &MallocChecker::checkBasicAlloc},
420  {{"g_malloc0", 1}, &MallocChecker::checkGMalloc0},
421  {{"g_try_malloc", 1}, &MallocChecker::checkBasicAlloc},
422  {{"g_try_malloc0", 1}, &MallocChecker::checkGMalloc0},
423  {{"g_memdup", 2}, &MallocChecker::checkGMemdup},
424  {{"g_malloc_n", 2}, &MallocChecker::checkGMallocN},
425  {{"g_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
426  {{"g_try_malloc_n", 2}, &MallocChecker::checkGMallocN},
427  {{"g_try_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
428  };
429 
430  CallDescriptionMap<CheckFn> ReallocatingMemFnMap{
431  {{"realloc", 2},
432  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
433  {{"reallocf", 2},
434  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, true)},
435  {{"g_realloc", 2},
436  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
437  {{"g_try_realloc", 2},
438  std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
439  {{"g_realloc_n", 3}, &MallocChecker::checkReallocN},
440  {{"g_try_realloc_n", 3}, &MallocChecker::checkReallocN},
441  };
442 
443  bool isMemCall(const CallEvent &Call) const;
444 
445  // TODO: Remove mutable by moving the initializtaion to the registry function.
446  mutable Optional<uint64_t> KernelZeroFlagVal;
447 
448  using KernelZeroSizePtrValueTy = Optional<int>;
449  /// Store the value of macro called `ZERO_SIZE_PTR`.
450  /// The value is initialized at first use, before first use the outer
451  /// Optional is empty, afterwards it contains another Optional that indicates
452  /// if the macro value could be determined, and if yes the value itself.
453  mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue;
454 
455  /// Process C++ operator new()'s allocation, which is the part of C++
456  /// new-expression that goes before the constructor.
457  LLVM_NODISCARD
458  ProgramStateRef processNewAllocation(const CXXAllocatorCall &Call,
459  CheckerContext &C,
460  AllocationFamily Family) const;
461 
462  /// Perform a zero-allocation check.
463  ///
464  /// \param [in] Call The expression that allocates memory.
465  /// \param [in] IndexOfSizeArg Index of the argument that specifies the size
466  /// of the memory that needs to be allocated. E.g. for malloc, this would be
467  /// 0.
468  /// \param [in] RetVal Specifies the newly allocated pointer value;
469  /// if unspecified, the value of expression \p E is used.
470  LLVM_NODISCARD
471  static ProgramStateRef ProcessZeroAllocCheck(const CallEvent &Call,
472  const unsigned IndexOfSizeArg,
474  Optional<SVal> RetVal = None);
475 
476  /// Model functions with the ownership_returns attribute.
477  ///
478  /// User-defined function may have the ownership_returns attribute, which
479  /// annotates that the function returns with an object that was allocated on
480  /// the heap, and passes the ownertship to the callee.
481  ///
482  /// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t);
483  ///
484  /// It has two parameters:
485  /// - first: name of the resource (e.g. 'malloc')
486  /// - (OPTIONAL) second: size of the allocated region
487  ///
488  /// \param [in] Call The expression that allocates memory.
489  /// \param [in] Att The ownership_returns attribute.
490  /// \param [in] State The \c ProgramState right before allocation.
491  /// \returns The ProgramState right after allocation.
492  LLVM_NODISCARD
493  ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
494  const OwnershipAttr *Att,
495  ProgramStateRef State) const;
496 
497  /// Models memory allocation.
498  ///
499  /// \param [in] Call The expression that allocates memory.
500  /// \param [in] SizeEx Size of the memory that needs to be allocated.
501  /// \param [in] Init The value the allocated memory needs to be initialized.
502  /// with. For example, \c calloc initializes the allocated memory to 0,
503  /// malloc leaves it undefined.
504  /// \param [in] State The \c ProgramState right before allocation.
505  /// \returns The ProgramState right after allocation.
506  LLVM_NODISCARD
507  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call,
508  const Expr *SizeEx, SVal Init,
510  AllocationFamily Family);
511 
512  /// Models memory allocation.
513  ///
514  /// \param [in] Call The expression that allocates memory.
515  /// \param [in] Size Size of the memory that needs to be allocated.
516  /// \param [in] Init The value the allocated memory needs to be initialized.
517  /// with. For example, \c calloc initializes the allocated memory to 0,
518  /// malloc leaves it undefined.
519  /// \param [in] State The \c ProgramState right before allocation.
520  /// \returns The ProgramState right after allocation.
521  LLVM_NODISCARD
522  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call,
523  SVal Size, SVal Init,
525  AllocationFamily Family);
526 
527  // Check if this malloc() for special flags. At present that means M_ZERO or
528  // __GFP_ZERO (in which case, treat it like calloc).
529  LLVM_NODISCARD
531  performKernelMalloc(const CallEvent &Call, CheckerContext &C,
532  const ProgramStateRef &State) const;
533 
534  /// Model functions with the ownership_takes and ownership_holds attributes.
535  ///
536  /// User-defined function may have the ownership_takes and/or ownership_holds
537  /// attributes, which annotates that the function frees the memory passed as a
538  /// parameter.
539  ///
540  /// void __attribute((ownership_takes(malloc, 1))) my_free(void *);
541  /// void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
542  ///
543  /// They have two parameters:
544  /// - first: name of the resource (e.g. 'malloc')
545  /// - second: index of the parameter the attribute applies to
546  ///
547  /// \param [in] Call The expression that frees memory.
548  /// \param [in] Att The ownership_takes or ownership_holds attribute.
549  /// \param [in] State The \c ProgramState right before allocation.
550  /// \returns The ProgramState right after deallocation.
551  LLVM_NODISCARD
552  ProgramStateRef FreeMemAttr(CheckerContext &C, const CallEvent &Call,
553  const OwnershipAttr *Att,
554  ProgramStateRef State) const;
555 
556  /// Models memory deallocation.
557  ///
558  /// \param [in] Call The expression that frees memory.
559  /// \param [in] State The \c ProgramState right before allocation.
560  /// \param [in] Num Index of the argument that needs to be freed. This is
561  /// normally 0, but for custom free functions it may be different.
562  /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
563  /// attribute.
564  /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
565  /// to have been allocated, or in other words, the symbol to be freed was
566  /// registered as allocated by this checker. In the following case, \c ptr
567  /// isn't known to be allocated.
568  /// void Haha(int *ptr) {
569  /// ptr = realloc(ptr, 67);
570  /// // ...
571  /// }
572  /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
573  /// we're modeling returns with Null on failure.
574  /// \returns The ProgramState right after deallocation.
575  LLVM_NODISCARD
576  ProgramStateRef FreeMemAux(CheckerContext &C, const CallEvent &Call,
577  ProgramStateRef State, unsigned Num, bool Hold,
578  bool &IsKnownToBeAllocated,
579  AllocationFamily Family,
580  bool ReturnsNullOnFailure = false) const;
581 
582  /// Models memory deallocation.
583  ///
584  /// \param [in] ArgExpr The variable who's pointee needs to be freed.
585  /// \param [in] Call The expression that frees the memory.
586  /// \param [in] State The \c ProgramState right before allocation.
587  /// normally 0, but for custom free functions it may be different.
588  /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
589  /// attribute.
590  /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
591  /// to have been allocated, or in other words, the symbol to be freed was
592  /// registered as allocated by this checker. In the following case, \c ptr
593  /// isn't known to be allocated.
594  /// void Haha(int *ptr) {
595  /// ptr = realloc(ptr, 67);
596  /// // ...
597  /// }
598  /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
599  /// we're modeling returns with Null on failure.
600  /// \returns The ProgramState right after deallocation.
601  LLVM_NODISCARD
602  ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *ArgExpr,
603  const CallEvent &Call, ProgramStateRef State,
604  bool Hold, bool &IsKnownToBeAllocated,
605  AllocationFamily Family,
606  bool ReturnsNullOnFailure = false) const;
607 
608  // TODO: Needs some refactoring, as all other deallocation modeling
609  // functions are suffering from out parameters and messy code due to how
610  // realloc is handled.
611  //
612  /// Models memory reallocation.
613  ///
614  /// \param [in] Call The expression that reallocated memory
615  /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied
616  /// memory should be freed.
617  /// \param [in] State The \c ProgramState right before reallocation.
618  /// \param [in] SuffixWithN Whether the reallocation function we're modeling
619  /// has an '_n' suffix, such as g_realloc_n.
620  /// \returns The ProgramState right after reallocation.
621  LLVM_NODISCARD
622  ProgramStateRef ReallocMemAux(CheckerContext &C, const CallEvent &Call,
623  bool ShouldFreeOnFail, ProgramStateRef State,
624  AllocationFamily Family,
625  bool SuffixWithN = false) const;
626 
627  /// Evaluates the buffer size that needs to be allocated.
628  ///
629  /// \param [in] Blocks The amount of blocks that needs to be allocated.
630  /// \param [in] BlockBytes The size of a block.
631  /// \returns The symbolic value of \p Blocks * \p BlockBytes.
632  LLVM_NODISCARD
633  static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
634  const Expr *BlockBytes);
635 
636  /// Models zero initialized array allocation.
637  ///
638  /// \param [in] Call The expression that reallocated memory
639  /// \param [in] State The \c ProgramState right before reallocation.
640  /// \returns The ProgramState right after allocation.
641  LLVM_NODISCARD
642  static ProgramStateRef CallocMem(CheckerContext &C, const CallEvent &Call,
644 
645  /// See if deallocation happens in a suspicious context. If so, escape the
646  /// pointers that otherwise would have been deallocated and return true.
647  bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call,
648  CheckerContext &C) const;
649 
650  /// If in \p S \p Sym is used, check whether \p Sym was already freed.
651  bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
652 
653  /// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero
654  /// sized memory region.
655  void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
656  const Stmt *S) const;
657 
658  /// If in \p S \p Sym is being freed, check whether \p Sym was already freed.
659  bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
660 
661  /// Check if the function is known to free memory, or if it is
662  /// "interesting" and should be modeled explicitly.
663  ///
664  /// \param [out] EscapingSymbol A function might not free memory in general,
665  /// but could be known to free a particular symbol. In this case, false is
666  /// returned and the single escaping symbol is returned through the out
667  /// parameter.
668  ///
669  /// We assume that pointers do not escape through calls to system functions
670  /// not handled by this checker.
671  bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
673  SymbolRef &EscapingSymbol) const;
674 
675  /// Implementation of the checkPointerEscape callbacks.
676  LLVM_NODISCARD
677  ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
678  const InvalidatedSymbols &Escaped,
679  const CallEvent *Call,
681  bool IsConstPointerEscape) const;
682 
683  // Implementation of the checkPreStmt and checkEndFunction callbacks.
684  void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
685 
686  ///@{
687  /// Tells if a given family/call/symbol is tracked by the current checker.
688  /// Sets CheckKind to the kind of the checker responsible for this
689  /// family/call/symbol.
690  Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
691  bool IsALeakCheck = false) const;
692 
693  Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
694  bool IsALeakCheck = false) const;
695  ///@}
696  static bool SummarizeValue(raw_ostream &os, SVal V);
697  static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
698 
699  void HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, SourceRange Range,
700  const Expr *DeallocExpr,
701  AllocationFamily Family) const;
702 
703  void HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
704  SourceRange Range) const;
705 
706  void HandleMismatchedDealloc(CheckerContext &C, SourceRange Range,
707  const Expr *DeallocExpr, const RefState *RS,
708  SymbolRef Sym, bool OwnershipTransferred) const;
709 
710  void HandleOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
711  const Expr *DeallocExpr, AllocationFamily Family,
712  const Expr *AllocExpr = nullptr) const;
713 
714  void HandleUseAfterFree(CheckerContext &C, SourceRange Range,
715  SymbolRef Sym) const;
716 
717  void HandleDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
718  SymbolRef Sym, SymbolRef PrevSym) const;
719 
720  void HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
721 
722  void HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
723  SymbolRef Sym) const;
724 
725  void HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
726  const Expr *FreeExpr,
727  AllocationFamily Family) const;
728 
729  /// Find the location of the allocation for Sym on the path leading to the
730  /// exploded node N.
731  static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
732  CheckerContext &C);
733 
734  void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
735 
736  /// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`.
737  bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
738  SVal ArgVal) const;
739 };
740 } // end anonymous namespace
741 
742 //===----------------------------------------------------------------------===//
743 // Definition of NoOwnershipChangeVisitor.
744 //===----------------------------------------------------------------------===//
745 
746 namespace {
747 class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor {
748  // The symbol whose (lack of) ownership change we are interested in.
749  SymbolRef Sym;
750  const MallocChecker &Checker;
752 
753  // Collect which entities point to the allocated memory, and could be
754  // responsible for deallocating it.
755  class OwnershipBindingsHandler : public StoreManager::BindingsHandler {
756  SymbolRef Sym;
757  OwnerSet &Owners;
758 
759  public:
760  OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners)
761  : Sym(Sym), Owners(Owners) {}
762 
763  bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region,
764  SVal Val) override {
765  if (Val.getAsSymbol() == Sym)
766  Owners.insert(Region);
767  return true;
768  }
769 
770  LLVM_DUMP_METHOD void dump() const { dumpToStream(llvm::errs()); }
771  LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &out) const {
772  out << "Owners: {\n";
773  for (const MemRegion *Owner : Owners) {
774  out << " ";
775  Owner->dumpToStream(out);
776  out << ",\n";
777  }
778  out << "}\n";
779  }
780  };
781 
782 protected:
783  OwnerSet getOwnersAtNode(const ExplodedNode *N) {
784  OwnerSet Ret;
785 
786  ProgramStateRef State = N->getState();
787  OwnershipBindingsHandler Handler{Sym, Ret};
788  State->getStateManager().getStoreManager().iterBindings(State->getStore(),
789  Handler);
790  return Ret;
791  }
792 
793  LLVM_DUMP_METHOD static std::string
794  getFunctionName(const ExplodedNode *CallEnterN) {
795  if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(
796  CallEnterN->getLocationAs<CallEnter>()->getCallExpr()))
797  if (const FunctionDecl *FD = CE->getDirectCallee())
798  return FD->getQualifiedNameAsString();
799  return "";
800  }
801 
802  /// Syntactically checks whether the callee is a deallocating function. Since
803  /// we have no path-sensitive information on this call (we would need a
804  /// CallEvent instead of a CallExpr for that), its possible that a
805  /// deallocation function was called indirectly through a function pointer,
806  /// but we are not able to tell, so this is a best effort analysis.
807  /// See namespace `memory_passed_to_fn_call_free_through_fn_ptr` in
808  /// clang/test/Analysis/NewDeleteLeaks.cpp.
809  bool isFreeingCallAsWritten(const CallExpr &Call) const {
810  if (Checker.FreeingMemFnMap.lookupAsWritten(Call) ||
811  Checker.ReallocatingMemFnMap.lookupAsWritten(Call))
812  return true;
813 
814  if (const auto *Func =
815  llvm::dyn_cast_or_null<FunctionDecl>(Call.getCalleeDecl()))
816  return MallocChecker::isFreeingOwnershipAttrCall(Func);
817 
818  return false;
819  }
820 
821  /// Heuristically guess whether the callee intended to free memory. This is
822  /// done syntactically, because we are trying to argue about alternative
823  /// paths of execution, and as a consequence we don't have path-sensitive
824  /// information.
825  bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) {
826  using namespace clang::ast_matchers;
827  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);
828 
829  // Given that the stack frame was entered, the body should always be
830  // theoretically obtainable. In case of body farms, the synthesized body
831  // is not attached to declaration, thus triggering the '!FD->hasBody()'
832  // branch. That said, would a synthesized body ever intend to handle
833  // ownership? As of today they don't. And if they did, how would we
834  // put notes inside it, given that it doesn't match any source locations?
835  if (!FD || !FD->hasBody())
836  return false;
837 
838  auto Matches = match(findAll(stmt(anyOf(cxxDeleteExpr().bind("delete"),
839  callExpr().bind("call")))),
840  *FD->getBody(), ACtx);
841  for (BoundNodes Match : Matches) {
842  if (Match.getNodeAs<CXXDeleteExpr>("delete"))
843  return true;
844 
845  if (const auto *Call = Match.getNodeAs<CallExpr>("call"))
846  if (isFreeingCallAsWritten(*Call))
847  return true;
848  }
849  // TODO: Ownership might change with an attempt to store the allocated
850  // memory, not only through deallocation. Check for attempted stores as
851  // well.
852  return false;
853  }
854 
855  virtual bool
856  wasModifiedInFunction(const ExplodedNode *CallEnterN,
857  const ExplodedNode *CallExitEndN) override {
858  if (!doesFnIntendToHandleOwnership(
859  CallExitEndN->getFirstPred()->getLocationContext()->getDecl(),
860  CallExitEndN->getState()->getAnalysisManager().getASTContext()))
861  return true;
862 
863  if (CallEnterN->getState()->get<RegionState>(Sym) !=
864  CallExitEndN->getState()->get<RegionState>(Sym))
865  return true;
866 
867  OwnerSet CurrOwners = getOwnersAtNode(CallEnterN);
868  OwnerSet ExitOwners = getOwnersAtNode(CallExitEndN);
869 
870  // Owners in the current set may be purged from the analyzer later on.
871  // If a variable is dead (is not referenced directly or indirectly after
872  // some point), it will be removed from the Store before the end of its
873  // actual lifetime.
874  // This means that that if the ownership status didn't change, CurrOwners
875  // must be a superset of, but not necessarily equal to ExitOwners.
876  return !llvm::set_is_subset(ExitOwners, CurrOwners);
877  }
878 
879  static PathDiagnosticPieceRef emitNote(const ExplodedNode *N) {
880  PathDiagnosticLocation L = PathDiagnosticLocation::create(
881  N->getLocation(),
882  N->getState()->getStateManager().getContext().getSourceManager());
883  return std::make_shared<PathDiagnosticEventPiece>(
884  L, "Returning without deallocating memory or storing the pointer for "
885  "later deallocation");
886  }
887 
888  virtual PathDiagnosticPieceRef
889  maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
890  const ObjCMethodCall &Call,
891  const ExplodedNode *N) override {
892  // TODO: Implement.
893  return nullptr;
894  }
895 
896  virtual PathDiagnosticPieceRef
897  maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
898  const CXXConstructorCall &Call,
899  const ExplodedNode *N) override {
900  // TODO: Implement.
901  return nullptr;
902  }
903 
904  virtual PathDiagnosticPieceRef
905  maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
906  const ExplodedNode *N) override {
907  // TODO: Factor the logic of "what constitutes as an entity being passed
908  // into a function call" out by reusing the code in
909  // NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating
910  // the printing technology in UninitializedObject's FieldChainInfo.
911  ArrayRef<ParmVarDecl *> Parameters = Call.parameters();
912  for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
913  SVal V = Call.getArgSVal(I);
914  if (V.getAsSymbol() == Sym)
915  return emitNote(N);
916  }
917  return nullptr;
918  }
919 
920 public:
921  NoOwnershipChangeVisitor(SymbolRef Sym, const MallocChecker *Checker)
922  : NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough), Sym(Sym),
923  Checker(*Checker) {}
924 
925  void Profile(llvm::FoldingSetNodeID &ID) const override {
926  static int Tag = 0;
927  ID.AddPointer(&Tag);
928  ID.AddPointer(Sym);
929  }
930 
931  void *getTag() const {
932  static int Tag = 0;
933  return static_cast<void *>(&Tag);
934  }
935 };
936 
937 } // end anonymous namespace
938 
939 //===----------------------------------------------------------------------===//
940 // Definition of MallocBugVisitor.
941 //===----------------------------------------------------------------------===//
942 
943 namespace {
944 /// The bug visitor which allows us to print extra diagnostics along the
945 /// BugReport path. For example, showing the allocation site of the leaked
946 /// region.
947 class MallocBugVisitor final : public BugReporterVisitor {
948 protected:
949  enum NotificationMode { Normal, ReallocationFailed };
950 
951  // The allocated region symbol tracked by the main analysis.
952  SymbolRef Sym;
953 
954  // The mode we are in, i.e. what kind of diagnostics will be emitted.
955  NotificationMode Mode;
956 
957  // A symbol from when the primary region should have been reallocated.
958  SymbolRef FailedReallocSymbol;
959 
960  // A C++ destructor stack frame in which memory was released. Used for
961  // miscellaneous false positive suppression.
962  const StackFrameContext *ReleaseDestructorLC;
963 
964  bool IsLeak;
965 
966 public:
967  MallocBugVisitor(SymbolRef S, bool isLeak = false)
968  : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
969  ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
970 
971  static void *getTag() {
972  static int Tag = 0;
973  return &Tag;
974  }
975 
976  void Profile(llvm::FoldingSetNodeID &ID) const override {
977  ID.AddPointer(getTag());
978  ID.AddPointer(Sym);
979  }
980 
981  /// Did not track -> allocated. Other state (released) -> allocated.
982  static inline bool isAllocated(const RefState *RSCurr, const RefState *RSPrev,
983  const Stmt *Stmt) {
984  return (isa_and_nonnull<CallExpr, CXXNewExpr>(Stmt) &&
985  (RSCurr &&
986  (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
987  (!RSPrev ||
988  !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
989  }
990 
991  /// Did not track -> released. Other state (allocated) -> released.
992  /// The statement associated with the release might be missing.
993  static inline bool isReleased(const RefState *RSCurr, const RefState *RSPrev,
994  const Stmt *Stmt) {
995  bool IsReleased =
996  (RSCurr && RSCurr->isReleased()) && (!RSPrev || !RSPrev->isReleased());
997  assert(!IsReleased || (isa_and_nonnull<CallExpr, CXXDeleteExpr>(Stmt)) ||
998  (!Stmt && RSCurr->getAllocationFamily() == AF_InnerBuffer));
999  return IsReleased;
1000  }
1001 
1002  /// Did not track -> relinquished. Other state (allocated) -> relinquished.
1003  static inline bool isRelinquished(const RefState *RSCurr,
1004  const RefState *RSPrev, const Stmt *Stmt) {
1005  return (
1006  isa_and_nonnull<CallExpr, ObjCMessageExpr, ObjCPropertyRefExpr>(Stmt) &&
1007  (RSCurr && RSCurr->isRelinquished()) &&
1008  (!RSPrev || !RSPrev->isRelinquished()));
1009  }
1010 
1011  /// If the expression is not a call, and the state change is
1012  /// released -> allocated, it must be the realloc return value
1013  /// check. If we have to handle more cases here, it might be cleaner just
1014  /// to track this extra bit in the state itself.
1015  static inline bool hasReallocFailed(const RefState *RSCurr,
1016  const RefState *RSPrev,
1017  const Stmt *Stmt) {
1018  return ((!isa_and_nonnull<CallExpr>(Stmt)) &&
1019  (RSCurr &&
1020  (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
1021  (RSPrev &&
1022  !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
1023  }
1024 
1025  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
1026  BugReporterContext &BRC,
1027  PathSensitiveBugReport &BR) override;
1028 
1029  PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
1030  const ExplodedNode *EndPathNode,
1031  PathSensitiveBugReport &BR) override {
1032  if (!IsLeak)
1033  return nullptr;
1034 
1035  PathDiagnosticLocation L = BR.getLocation();
1036  // Do not add the statement itself as a range in case of leak.
1037  return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(),
1038  false);
1039  }
1040 
1041 private:
1042  class StackHintGeneratorForReallocationFailed
1043  : public StackHintGeneratorForSymbol {
1044  public:
1045  StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
1046  : StackHintGeneratorForSymbol(S, M) {}
1047 
1048  std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) override {
1049  // Printed parameters start at 1, not 0.
1050  ++ArgIndex;
1051 
1052  SmallString<200> buf;
1053  llvm::raw_svector_ostream os(buf);
1054 
1055  os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
1056  << " parameter failed";
1057 
1058  return std::string(os.str());
1059  }
1060 
1061  std::string getMessageForReturn(const CallExpr *CallExpr) override {
1062  return "Reallocation of returned value failed";
1063  }
1064  };
1065 };
1066 } // end anonymous namespace
1067 
1068 // A map from the freed symbol to the symbol representing the return value of
1069 // the free function.
1071 
1072 namespace {
1073 class StopTrackingCallback final : public SymbolVisitor {
1075 
1076 public:
1077  StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
1078  ProgramStateRef getState() const { return state; }
1079 
1080  bool VisitSymbol(SymbolRef sym) override {
1081  state = state->remove<RegionState>(sym);
1082  return true;
1083  }
1084 };
1085 } // end anonymous namespace
1086 
1087 static bool isStandardNewDelete(const FunctionDecl *FD) {
1088  if (!FD)
1089  return false;
1090 
1092  if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete &&
1093  Kind != OO_Array_Delete)
1094  return false;
1095 
1096  // This is standard if and only if it's not defined in a user file.
1097  SourceLocation L = FD->getLocation();
1098  // If the header for operator delete is not included, it's still defined
1099  // in an invalid source location. Check to make sure we don't crash.
1100  return !L.isValid() ||
1102 }
1103 
1104 //===----------------------------------------------------------------------===//
1105 // Methods of MallocChecker and MallocBugVisitor.
1106 //===----------------------------------------------------------------------===//
1107 
1108 bool MallocChecker::isFreeingOwnershipAttrCall(const FunctionDecl *Func) {
1109  if (Func->hasAttrs()) {
1110  for (const auto *I : Func->specific_attrs<OwnershipAttr>()) {
1111  OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
1112  if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds)
1113  return true;
1114  }
1115  }
1116  return false;
1117 }
1118 
1119 bool MallocChecker::isFreeingCall(const CallEvent &Call) const {
1120  if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call))
1121  return true;
1122 
1123  if (const auto *Func = dyn_cast_or_null<FunctionDecl>(Call.getDecl()))
1124  return isFreeingOwnershipAttrCall(Func);
1125 
1126  return false;
1127 }
1128 
1129 bool MallocChecker::isMemCall(const CallEvent &Call) const {
1130  if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) ||
1131  ReallocatingMemFnMap.lookup(Call))
1132  return true;
1133 
1134  if (!ShouldIncludeOwnershipAnnotatedFunctions)
1135  return false;
1136 
1137  const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());
1138  return Func && Func->hasAttr<OwnershipAttr>();
1139 }
1140 
1142 MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
1143  const ProgramStateRef &State) const {
1144  // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
1145  //
1146  // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
1147  //
1148  // One of the possible flags is M_ZERO, which means 'give me back an
1149  // allocation which is already zeroed', like calloc.
1150 
1151  // 2-argument kmalloc(), as used in the Linux kernel:
1152  //
1153  // void *kmalloc(size_t size, gfp_t flags);
1154  //
1155  // Has the similar flag value __GFP_ZERO.
1156 
1157  // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
1158  // code could be shared.
1159 
1160  ASTContext &Ctx = C.getASTContext();
1161  llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
1162 
1163  if (!KernelZeroFlagVal.hasValue()) {
1164  if (OS == llvm::Triple::FreeBSD)
1165  KernelZeroFlagVal = 0x0100;
1166  else if (OS == llvm::Triple::NetBSD)
1167  KernelZeroFlagVal = 0x0002;
1168  else if (OS == llvm::Triple::OpenBSD)
1169  KernelZeroFlagVal = 0x0008;
1170  else if (OS == llvm::Triple::Linux)
1171  // __GFP_ZERO
1172  KernelZeroFlagVal = 0x8000;
1173  else
1174  // FIXME: We need a more general way of getting the M_ZERO value.
1175  // See also: O_CREAT in UnixAPIChecker.cpp.
1176 
1177  // Fall back to normal malloc behavior on platforms where we don't
1178  // know M_ZERO.
1179  return None;
1180  }
1181 
1182  // We treat the last argument as the flags argument, and callers fall-back to
1183  // normal malloc on a None return. This works for the FreeBSD kernel malloc
1184  // as well as Linux kmalloc.
1185  if (Call.getNumArgs() < 2)
1186  return None;
1187 
1188  const Expr *FlagsEx = Call.getArgExpr(Call.getNumArgs() - 1);
1189  const SVal V = C.getSVal(FlagsEx);
1190  if (!V.getAs<NonLoc>()) {
1191  // The case where 'V' can be a location can only be due to a bad header,
1192  // so in this case bail out.
1193  return None;
1194  }
1195 
1196  NonLoc Flags = V.castAs<NonLoc>();
1197  NonLoc ZeroFlag = C.getSValBuilder()
1198  .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType())
1199  .castAs<NonLoc>();
1200  SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And,
1201  Flags, ZeroFlag,
1202  FlagsEx->getType());
1203  if (MaskedFlagsUC.isUnknownOrUndef())
1204  return None;
1205  DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
1206 
1207  // Check if maskedFlags is non-zero.
1208  ProgramStateRef TrueState, FalseState;
1209  std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
1210 
1211  // If M_ZERO is set, treat this like calloc (initialized).
1212  if (TrueState && !FalseState) {
1213  SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
1214  return MallocMemAux(C, Call, Call.getArgExpr(0), ZeroVal, TrueState,
1215  AF_Malloc);
1216  }
1217 
1218  return None;
1219 }
1220 
1221 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
1222  const Expr *BlockBytes) {
1223  SValBuilder &SB = C.getSValBuilder();
1224  SVal BlocksVal = C.getSVal(Blocks);
1225  SVal BlockBytesVal = C.getSVal(BlockBytes);
1226  ProgramStateRef State = C.getState();
1227  SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
1228  SB.getContext().getSizeType());
1229  return TotalSize;
1230 }
1231 
1232 void MallocChecker::checkBasicAlloc(const CallEvent &Call,
1233  CheckerContext &C) const {
1234  ProgramStateRef State = C.getState();
1235  State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
1236  AF_Malloc);
1237  State = ProcessZeroAllocCheck(Call, 0, State);
1238  C.addTransition(State);
1239 }
1240 
1241 void MallocChecker::checkKernelMalloc(const CallEvent &Call,
1242  CheckerContext &C) const {
1243  ProgramStateRef State = C.getState();
1244  llvm::Optional<ProgramStateRef> MaybeState =
1245  performKernelMalloc(Call, C, State);
1246  if (MaybeState.hasValue())
1247  State = MaybeState.getValue();
1248  else
1249  State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
1250  AF_Malloc);
1251  C.addTransition(State);
1252 }
1253 
1254 static bool isStandardRealloc(const CallEvent &Call) {
1255  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
1256  assert(FD);
1257  ASTContext &AC = FD->getASTContext();
1258 
1259  if (isa<CXXMethodDecl>(FD))
1260  return false;
1261 
1262  return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
1263  FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1264  FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
1265  AC.getSizeType();
1266 }
1267 
1268 static bool isGRealloc(const CallEvent &Call) {
1269  const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
1270  assert(FD);
1271  ASTContext &AC = FD->getASTContext();
1272 
1273  if (isa<CXXMethodDecl>(FD))
1274  return false;
1275 
1276  return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
1277  FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1278  FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
1279  AC.UnsignedLongTy;
1280 }
1281 
1282 void MallocChecker::checkRealloc(const CallEvent &Call, CheckerContext &C,
1283  bool ShouldFreeOnFail) const {
1284  // HACK: CallDescription currently recognizes non-standard realloc functions
1285  // as standard because it doesn't check the type, or wether its a non-method
1286  // function. This should be solved by making CallDescription smarter.
1287  // Mind that this came from a bug report, and all other functions suffer from
1288  // this.
1289  // https://bugs.llvm.org/show_bug.cgi?id=46253
1290  if (!isStandardRealloc(Call) && !isGRealloc(Call))
1291  return;
1292  ProgramStateRef State = C.getState();
1293  State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, AF_Malloc);
1294  State = ProcessZeroAllocCheck(Call, 1, State);
1295  C.addTransition(State);
1296 }
1297 
1298 void MallocChecker::checkCalloc(const CallEvent &Call,
1299  CheckerContext &C) const {
1300  ProgramStateRef State = C.getState();
1301  State = CallocMem(C, Call, State);
1302  State = ProcessZeroAllocCheck(Call, 0, State);
1303  State = ProcessZeroAllocCheck(Call, 1, State);
1304  C.addTransition(State);
1305 }
1306 
1307 void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const {
1308  ProgramStateRef State = C.getState();
1309  bool IsKnownToBeAllocatedMemory = false;
1310  if (suppressDeallocationsInSuspiciousContexts(Call, C))
1311  return;
1312  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1313  AF_Malloc);
1314  C.addTransition(State);
1315 }
1316 
1317 void MallocChecker::checkAlloca(const CallEvent &Call,
1318  CheckerContext &C) const {
1319  ProgramStateRef State = C.getState();
1320  State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
1321  AF_Alloca);
1322  State = ProcessZeroAllocCheck(Call, 0, State);
1323  C.addTransition(State);
1324 }
1325 
1326 void MallocChecker::checkStrdup(const CallEvent &Call,
1327  CheckerContext &C) const {
1328  ProgramStateRef State = C.getState();
1329  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1330  if (!CE)
1331  return;
1332  State = MallocUpdateRefState(C, CE, State, AF_Malloc);
1333 
1334  C.addTransition(State);
1335 }
1336 
1337 void MallocChecker::checkIfNameIndex(const CallEvent &Call,
1338  CheckerContext &C) const {
1339  ProgramStateRef State = C.getState();
1340  // Should we model this differently? We can allocate a fixed number of
1341  // elements with zeros in the last one.
1342  State =
1343  MallocMemAux(C, Call, UnknownVal(), UnknownVal(), State, AF_IfNameIndex);
1344 
1345  C.addTransition(State);
1346 }
1347 
1348 void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call,
1349  CheckerContext &C) const {
1350  ProgramStateRef State = C.getState();
1351  bool IsKnownToBeAllocatedMemory = false;
1352  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1353  AF_IfNameIndex);
1354  C.addTransition(State);
1355 }
1356 
1357 void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call,
1358  CheckerContext &C) const {
1359  ProgramStateRef State = C.getState();
1360  bool IsKnownToBeAllocatedMemory = false;
1361  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1362  if (!CE)
1363  return;
1364 
1365  assert(isStandardNewDelete(Call));
1366 
1367  // Process direct calls to operator new/new[]/delete/delete[] functions
1368  // as distinct from new/new[]/delete/delete[] expressions that are
1369  // processed by the checkPostStmt callbacks for CXXNewExpr and
1370  // CXXDeleteExpr.
1371  const FunctionDecl *FD = C.getCalleeDecl(CE);
1372  switch (FD->getOverloadedOperator()) {
1373  case OO_New:
1374  State =
1375  MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, AF_CXXNew);
1376  State = ProcessZeroAllocCheck(Call, 0, State);
1377  break;
1378  case OO_Array_New:
1379  State = MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State,
1380  AF_CXXNewArray);
1381  State = ProcessZeroAllocCheck(Call, 0, State);
1382  break;
1383  case OO_Delete:
1384  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1385  AF_CXXNew);
1386  break;
1387  case OO_Array_Delete:
1388  State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
1389  AF_CXXNewArray);
1390  break;
1391  default:
1392  llvm_unreachable("not a new/delete operator");
1393  }
1394 
1395  C.addTransition(State);
1396 }
1397 
1398 void MallocChecker::checkGMalloc0(const CallEvent &Call,
1399  CheckerContext &C) const {
1400  ProgramStateRef State = C.getState();
1401  SValBuilder &svalBuilder = C.getSValBuilder();
1402  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
1403  State = MallocMemAux(C, Call, Call.getArgExpr(0), zeroVal, State, AF_Malloc);
1404  State = ProcessZeroAllocCheck(Call, 0, State);
1405  C.addTransition(State);
1406 }
1407 
1408 void MallocChecker::checkGMemdup(const CallEvent &Call,
1409  CheckerContext &C) const {
1410  ProgramStateRef State = C.getState();
1411  State =
1412  MallocMemAux(C, Call, Call.getArgExpr(1), UnknownVal(), State, AF_Malloc);
1413  State = ProcessZeroAllocCheck(Call, 1, State);
1414  C.addTransition(State);
1415 }
1416 
1417 void MallocChecker::checkGMallocN(const CallEvent &Call,
1418  CheckerContext &C) const {
1419  ProgramStateRef State = C.getState();
1420  SVal Init = UndefinedVal();
1421  SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
1422  State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc);
1423  State = ProcessZeroAllocCheck(Call, 0, State);
1424  State = ProcessZeroAllocCheck(Call, 1, State);
1425  C.addTransition(State);
1426 }
1427 
1428 void MallocChecker::checkGMallocN0(const CallEvent &Call,
1429  CheckerContext &C) const {
1430  ProgramStateRef State = C.getState();
1431  SValBuilder &SB = C.getSValBuilder();
1432  SVal Init = SB.makeZeroVal(SB.getContext().CharTy);
1433  SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
1434  State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc);
1435  State = ProcessZeroAllocCheck(Call, 0, State);
1436  State = ProcessZeroAllocCheck(Call, 1, State);
1437  C.addTransition(State);
1438 }
1439 
1440 void MallocChecker::checkReallocN(const CallEvent &Call,
1441  CheckerContext &C) const {
1442  ProgramStateRef State = C.getState();
1443  State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, AF_Malloc,
1444  /*SuffixWithN=*/true);
1445  State = ProcessZeroAllocCheck(Call, 1, State);
1446  State = ProcessZeroAllocCheck(Call, 2, State);
1447  C.addTransition(State);
1448 }
1449 
1450 void MallocChecker::checkOwnershipAttr(const CallEvent &Call,
1451  CheckerContext &C) const {
1452  ProgramStateRef State = C.getState();
1453  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1454  if (!CE)
1455  return;
1456  const FunctionDecl *FD = C.getCalleeDecl(CE);
1457  if (!FD)
1458  return;
1459  if (ShouldIncludeOwnershipAnnotatedFunctions ||
1460  ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
1461  // Check all the attributes, if there are any.
1462  // There can be multiple of these attributes.
1463  if (FD->hasAttrs())
1464  for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
1465  switch (I->getOwnKind()) {
1466  case OwnershipAttr::Returns:
1467  State = MallocMemReturnsAttr(C, Call, I, State);
1468  break;
1469  case OwnershipAttr::Takes:
1470  case OwnershipAttr::Holds:
1471  State = FreeMemAttr(C, Call, I, State);
1472  break;
1473  }
1474  }
1475  }
1476  C.addTransition(State);
1477 }
1478 
1479 void MallocChecker::checkPostCall(const CallEvent &Call,
1480  CheckerContext &C) const {
1481  if (C.wasInlined)
1482  return;
1483  if (!Call.getOriginExpr())
1484  return;
1485 
1486  ProgramStateRef State = C.getState();
1487 
1488  if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) {
1489  (*Callback)(this, Call, C);
1490  return;
1491  }
1492 
1493  if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) {
1494  (*Callback)(this, Call, C);
1495  return;
1496  }
1497 
1498  if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) {
1499  (*Callback)(this, Call, C);
1500  return;
1501  }
1502 
1503  if (isStandardNewDelete(Call)) {
1504  checkCXXNewOrCXXDelete(Call, C);
1505  return;
1506  }
1507 
1508  checkOwnershipAttr(Call, C);
1509 }
1510 
1511 // Performs a 0-sized allocations check.
1512 ProgramStateRef MallocChecker::ProcessZeroAllocCheck(
1513  const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State,
1514  Optional<SVal> RetVal) {
1515  if (!State)
1516  return nullptr;
1517 
1518  if (!RetVal)
1519  RetVal = Call.getReturnValue();
1520 
1521  const Expr *Arg = nullptr;
1522 
1523  if (const CallExpr *CE = dyn_cast<CallExpr>(Call.getOriginExpr())) {
1524  Arg = CE->getArg(IndexOfSizeArg);
1525  } else if (const CXXNewExpr *NE =
1526  dyn_cast<CXXNewExpr>(Call.getOriginExpr())) {
1527  if (NE->isArray()) {
1528  Arg = *NE->getArraySize();
1529  } else {
1530  return State;
1531  }
1532  } else
1533  llvm_unreachable("not a CallExpr or CXXNewExpr");
1534 
1535  assert(Arg);
1536 
1537  auto DefArgVal =
1538  State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>();
1539 
1540  if (!DefArgVal)
1541  return State;
1542 
1543  // Check if the allocation size is 0.
1544  ProgramStateRef TrueState, FalseState;
1545  SValBuilder &SvalBuilder = State->getStateManager().getSValBuilder();
1546  DefinedSVal Zero =
1547  SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
1548 
1549  std::tie(TrueState, FalseState) =
1550  State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1551 
1552  if (TrueState && !FalseState) {
1553  SymbolRef Sym = RetVal->getAsLocSymbol();
1554  if (!Sym)
1555  return State;
1556 
1557  const RefState *RS = State->get<RegionState>(Sym);
1558  if (RS) {
1559  if (RS->isAllocated())
1560  return TrueState->set<RegionState>(Sym,
1561  RefState::getAllocatedOfSizeZero(RS));
1562  else
1563  return State;
1564  } else {
1565  // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1566  // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1567  // tracked. Add zero-reallocated Sym to the state to catch references
1568  // to zero-allocated memory.
1569  return TrueState->add<ReallocSizeZeroSymbols>(Sym);
1570  }
1571  }
1572 
1573  // Assume the value is non-zero going forward.
1574  assert(FalseState);
1575  return FalseState;
1576 }
1577 
1579  QualType Result = T, PointeeType = T->getPointeeType();
1580  while (!PointeeType.isNull()) {
1581  Result = PointeeType;
1582  PointeeType = PointeeType->getPointeeType();
1583  }
1584  return Result;
1585 }
1586 
1587 /// \returns true if the constructor invoked by \p NE has an argument of a
1588 /// pointer/reference to a record type.
1590 
1591  const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1592  if (!ConstructE)
1593  return false;
1594 
1595  if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1596  return false;
1597 
1598  const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1599 
1600  // Iterate over the constructor parameters.
1601  for (const auto *CtorParam : CtorD->parameters()) {
1602 
1603  QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1604  if (CtorParamPointeeT.isNull())
1605  continue;
1606 
1607  CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1608 
1609  if (CtorParamPointeeT->getAsCXXRecordDecl())
1610  return true;
1611  }
1612 
1613  return false;
1614 }
1615 
1617 MallocChecker::processNewAllocation(const CXXAllocatorCall &Call,
1618  CheckerContext &C,
1619  AllocationFamily Family) const {
1620  if (!isStandardNewDelete(Call))
1621  return nullptr;
1622 
1623  const CXXNewExpr *NE = Call.getOriginExpr();
1624  const ParentMap &PM = C.getLocationContext()->getParentMap();
1625  ProgramStateRef State = C.getState();
1626 
1627  // Non-trivial constructors have a chance to escape 'this', but marking all
1628  // invocations of trivial constructors as escaped would cause too great of
1629  // reduction of true positives, so let's just do that for constructors that
1630  // have an argument of a pointer-to-record type.
1632  return State;
1633 
1634  // The return value from operator new is bound to a specified initialization
1635  // value (if any) and we don't want to loose this value. So we call
1636  // MallocUpdateRefState() instead of MallocMemAux() which breaks the
1637  // existing binding.
1638  SVal Target = Call.getObjectUnderConstruction();
1639  State = MallocUpdateRefState(C, NE, State, Family, Target);
1640  State = ProcessZeroAllocCheck(Call, 0, State, Target);
1641  return State;
1642 }
1643 
1644 void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call,
1645  CheckerContext &C) const {
1646  if (!C.wasInlined) {
1647  ProgramStateRef State = processNewAllocation(
1648  Call, C,
1649  (Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew));
1650  C.addTransition(State);
1651  }
1652 }
1653 
1654 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
1655  // If the first selector piece is one of the names below, assume that the
1656  // object takes ownership of the memory, promising to eventually deallocate it
1657  // with free().
1658  // Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1659  // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1660  StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
1661  return FirstSlot == "dataWithBytesNoCopy" ||
1662  FirstSlot == "initWithBytesNoCopy" ||
1663  FirstSlot == "initWithCharactersNoCopy";
1664 }
1665 
1666 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) {
1667  Selector S = Call.getSelector();
1668 
1669  // FIXME: We should not rely on fully-constrained symbols being folded.
1670  for (unsigned i = 1; i < S.getNumArgs(); ++i)
1671  if (S.getNameForSlot(i).equals("freeWhenDone"))
1672  return !Call.getArgSVal(i).isZeroConstant();
1673 
1674  return None;
1675 }
1676 
1677 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1678  CheckerContext &C) const {
1679  if (C.wasInlined)
1680  return;
1681 
1682  if (!isKnownDeallocObjCMethodName(Call))
1683  return;
1684 
1685  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1686  if (!*FreeWhenDone)
1687  return;
1688 
1689  if (Call.hasNonZeroCallbackArg())
1690  return;
1691 
1692  bool IsKnownToBeAllocatedMemory;
1694  FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(),
1695  /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc,
1696  /*ReturnsNullOnFailure=*/true);
1697 
1698  C.addTransition(State);
1699 }
1700 
1702 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
1703  const OwnershipAttr *Att,
1704  ProgramStateRef State) const {
1705  if (!State)
1706  return nullptr;
1707 
1708  if (Att->getModule()->getName() != "malloc")
1709  return nullptr;
1710 
1711  OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
1712  if (I != E) {
1713  return MallocMemAux(C, Call, Call.getArgExpr(I->getASTIndex()),
1714  UndefinedVal(), State, AF_Malloc);
1715  }
1716  return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, AF_Malloc);
1717 }
1718 
1719 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1720  const CallEvent &Call,
1721  const Expr *SizeEx, SVal Init,
1723  AllocationFamily Family) {
1724  if (!State)
1725  return nullptr;
1726 
1727  assert(SizeEx);
1728  return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family);
1729 }
1730 
1731 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1732  const CallEvent &Call, SVal Size,
1733  SVal Init, ProgramStateRef State,
1734  AllocationFamily Family) {
1735  if (!State)
1736  return nullptr;
1737 
1738  const Expr *CE = Call.getOriginExpr();
1739 
1740  // We expect the malloc functions to return a pointer.
1741  if (!Loc::isLocType(CE->getType()))
1742  return nullptr;
1743 
1744  // Bind the return value to the symbolic value from the heap region.
1745  // TODO: We could rewrite post visit to eval call; 'malloc' does not have
1746  // side effects other than what we model here.
1747  unsigned Count = C.blockCount();
1748  SValBuilder &svalBuilder = C.getSValBuilder();
1749  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1750  DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
1751  .castAs<DefinedSVal>();
1752  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1753 
1754  // Fill the region with the initialization value.
1755  State = State->bindDefaultInitial(RetVal, Init, LCtx);
1756 
1757  // Set the region's extent.
1758  State = setDynamicExtent(State, RetVal.getAsRegion(),
1759  Size.castAs<DefinedOrUnknownSVal>(), svalBuilder);
1760 
1761  return MallocUpdateRefState(C, CE, State, Family);
1762 }
1763 
1764 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
1766  AllocationFamily Family,
1767  Optional<SVal> RetVal) {
1768  if (!State)
1769  return nullptr;
1770 
1771  // Get the return value.
1772  if (!RetVal)
1773  RetVal = C.getSVal(E);
1774 
1775  // We expect the malloc functions to return a pointer.
1776  if (!RetVal->getAs<Loc>())
1777  return nullptr;
1778 
1779  SymbolRef Sym = RetVal->getAsLocSymbol();
1780  // This is a return value of a function that was not inlined, such as malloc()
1781  // or new(). We've checked that in the caller. Therefore, it must be a symbol.
1782  assert(Sym);
1783 
1784  // Set the symbol's state to Allocated.
1785  return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1786 }
1787 
1788 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1789  const CallEvent &Call,
1790  const OwnershipAttr *Att,
1791  ProgramStateRef State) const {
1792  if (!State)
1793  return nullptr;
1794 
1795  if (Att->getModule()->getName() != "malloc")
1796  return nullptr;
1797 
1798  bool IsKnownToBeAllocated = false;
1799 
1800  for (const auto &Arg : Att->args()) {
1801  ProgramStateRef StateI =
1802  FreeMemAux(C, Call, State, Arg.getASTIndex(),
1803  Att->getOwnKind() == OwnershipAttr::Holds,
1804  IsKnownToBeAllocated, AF_Malloc);
1805  if (StateI)
1806  State = StateI;
1807  }
1808  return State;
1809 }
1810 
1811 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1812  const CallEvent &Call,
1813  ProgramStateRef State, unsigned Num,
1814  bool Hold, bool &IsKnownToBeAllocated,
1815  AllocationFamily Family,
1816  bool ReturnsNullOnFailure) const {
1817  if (!State)
1818  return nullptr;
1819 
1820  if (Call.getNumArgs() < (Num + 1))
1821  return nullptr;
1822 
1823  return FreeMemAux(C, Call.getArgExpr(Num), Call, State, Hold,
1824  IsKnownToBeAllocated, Family, ReturnsNullOnFailure);
1825 }
1826 
1827 /// Checks if the previous call to free on the given symbol failed - if free
1828 /// failed, returns true. Also, returns the corresponding return value symbol.
1830  SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1831  const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
1832  if (Ret) {
1833  assert(*Ret && "We should not store the null return symbol");
1834  ConstraintManager &CMgr = State->getConstraintManager();
1835  ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
1836  RetStatusSymbol = *Ret;
1837  return FreeFailed.isConstrainedTrue();
1838  }
1839  return false;
1840 }
1841 
1842 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E) {
1843  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
1844  // FIXME: This doesn't handle indirect calls.
1845  const FunctionDecl *FD = CE->getDirectCallee();
1846  if (!FD)
1847  return false;
1848 
1849  os << *FD;
1850  if (!FD->isOverloadedOperator())
1851  os << "()";
1852  return true;
1853  }
1854 
1855  if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) {
1856  if (Msg->isInstanceMessage())
1857  os << "-";
1858  else
1859  os << "+";
1860  Msg->getSelector().print(os);
1861  return true;
1862  }
1863 
1864  if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
1865  os << "'"
1866  << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator())
1867  << "'";
1868  return true;
1869  }
1870 
1871  if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) {
1872  os << "'"
1873  << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator())
1874  << "'";
1875  return true;
1876  }
1877 
1878  return false;
1879 }
1880 
1881 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family) {
1882 
1883  switch(Family) {
1884  case AF_Malloc: os << "malloc()"; return;
1885  case AF_CXXNew: os << "'new'"; return;
1886  case AF_CXXNewArray: os << "'new[]'"; return;
1887  case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1888  case AF_InnerBuffer: os << "container-specific allocator"; return;
1889  case AF_Alloca:
1890  case AF_None: llvm_unreachable("not a deallocation expression");
1891  }
1892 }
1893 
1894 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) {
1895  switch(Family) {
1896  case AF_Malloc: os << "free()"; return;
1897  case AF_CXXNew: os << "'delete'"; return;
1898  case AF_CXXNewArray: os << "'delete[]'"; return;
1899  case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1900  case AF_InnerBuffer: os << "container-specific deallocator"; return;
1901  case AF_Alloca:
1902  case AF_None: llvm_unreachable("suspicious argument");
1903  }
1904 }
1905 
1906 ProgramStateRef MallocChecker::FreeMemAux(
1907  CheckerContext &C, const Expr *ArgExpr, const CallEvent &Call,
1908  ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated,
1909  AllocationFamily Family, bool ReturnsNullOnFailure) const {
1910 
1911  if (!State)
1912  return nullptr;
1913 
1914  SVal ArgVal = C.getSVal(ArgExpr);
1915  if (!ArgVal.getAs<DefinedOrUnknownSVal>())
1916  return nullptr;
1917  DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1918 
1919  // Check for null dereferences.
1920  if (!location.getAs<Loc>())
1921  return nullptr;
1922 
1923  // The explicit NULL case, no operation is performed.
1924  ProgramStateRef notNullState, nullState;
1925  std::tie(notNullState, nullState) = State->assume(location);
1926  if (nullState && !notNullState)
1927  return nullptr;
1928 
1929  // Unknown values could easily be okay
1930  // Undefined values are handled elsewhere
1931  if (ArgVal.isUnknownOrUndef())
1932  return nullptr;
1933 
1934  const MemRegion *R = ArgVal.getAsRegion();
1935  const Expr *ParentExpr = Call.getOriginExpr();
1936 
1937  // NOTE: We detected a bug, but the checker under whose name we would emit the
1938  // error could be disabled. Generally speaking, the MallocChecker family is an
1939  // integral part of the Static Analyzer, and disabling any part of it should
1940  // only be done under exceptional circumstances, such as frequent false
1941  // positives. If this is the case, we can reasonably believe that there are
1942  // serious faults in our understanding of the source code, and even if we
1943  // don't emit an warning, we should terminate further analysis with a sink
1944  // node.
1945 
1946  // Nonlocs can't be freed, of course.
1947  // Non-region locations (labels and fixed addresses) also shouldn't be freed.
1948  if (!R) {
1949  // Exception:
1950  // If the macro ZERO_SIZE_PTR is defined, this could be a kernel source
1951  // code. In that case, the ZERO_SIZE_PTR defines a special value used for a
1952  // zero-sized memory block which is allowed to be freed, despite not being a
1953  // null pointer.
1954  if (Family != AF_Malloc || !isArgZERO_SIZE_PTR(State, C, ArgVal))
1955  HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1956  Family);
1957  return nullptr;
1958  }
1959 
1960  R = R->StripCasts();
1961 
1962  // Blocks might show up as heap data, but should not be free()d
1963  if (isa<BlockDataRegion>(R)) {
1964  HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1965  Family);
1966  return nullptr;
1967  }
1968 
1969  const MemSpaceRegion *MS = R->getMemorySpace();
1970 
1971  // Parameters, locals, statics, globals, and memory returned by
1972  // __builtin_alloca() shouldn't be freed.
1973  if (!isa<UnknownSpaceRegion, HeapSpaceRegion>(MS)) {
1974  // FIXME: at the time this code was written, malloc() regions were
1975  // represented by conjured symbols, which are all in UnknownSpaceRegion.
1976  // This means that there isn't actually anything from HeapSpaceRegion
1977  // that should be freed, even though we allow it here.
1978  // Of course, free() can work on memory allocated outside the current
1979  // function, so UnknownSpaceRegion is always a possibility.
1980  // False negatives are better than false positives.
1981 
1982  if (isa<AllocaRegion>(R))
1983  HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1984  else
1985  HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1986  Family);
1987 
1988  return nullptr;
1989  }
1990 
1991  const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
1992  // Various cases could lead to non-symbol values here.
1993  // For now, ignore them.
1994  if (!SrBase)
1995  return nullptr;
1996 
1997  SymbolRef SymBase = SrBase->getSymbol();
1998  const RefState *RsBase = State->get<RegionState>(SymBase);
1999  SymbolRef PreviousRetStatusSymbol = nullptr;
2000 
2001  IsKnownToBeAllocated =
2002  RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero());
2003 
2004  if (RsBase) {
2005 
2006  // Memory returned by alloca() shouldn't be freed.
2007  if (RsBase->getAllocationFamily() == AF_Alloca) {
2008  HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
2009  return nullptr;
2010  }
2011 
2012  // Check for double free first.
2013  if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
2014  !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
2015  HandleDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
2016  SymBase, PreviousRetStatusSymbol);
2017  return nullptr;
2018 
2019  // If the pointer is allocated or escaped, but we are now trying to free it,
2020  // check that the call to free is proper.
2021  } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
2022  RsBase->isEscaped()) {
2023 
2024  // Check if an expected deallocation function matches the real one.
2025  bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family;
2026  if (!DeallocMatchesAlloc) {
2027  HandleMismatchedDealloc(C, ArgExpr->getSourceRange(), ParentExpr,
2028  RsBase, SymBase, Hold);
2029  return nullptr;
2030  }
2031 
2032  // Check if the memory location being freed is the actual location
2033  // allocated, or an offset.
2034  RegionOffset Offset = R->getAsOffset();
2035  if (Offset.isValid() &&
2036  !Offset.hasSymbolicOffset() &&
2037  Offset.getOffset() != 0) {
2038  const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
2039  HandleOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
2040  Family, AllocExpr);
2041  return nullptr;
2042  }
2043  }
2044  }
2045 
2046  if (SymBase->getType()->isFunctionPointerType()) {
2047  HandleFunctionPtrFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
2048  Family);
2049  return nullptr;
2050  }
2051 
2052  // Clean out the info on previous call to free return info.
2053  State = State->remove<FreeReturnValue>(SymBase);
2054 
2055  // Keep track of the return value. If it is NULL, we will know that free
2056  // failed.
2057  if (ReturnsNullOnFailure) {
2058  SVal RetVal = C.getSVal(ParentExpr);
2059  SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
2060  if (RetStatusSymbol) {
2061  C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
2062  State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
2063  }
2064  }
2065 
2066  // If we don't know anything about this symbol, a free on it may be totally
2067  // valid. If this is the case, lets assume that the allocation family of the
2068  // freeing function is the same as the symbols allocation family, and go with
2069  // that.
2070  assert(!RsBase || (RsBase && RsBase->getAllocationFamily() == Family));
2071 
2072  // Normal free.
2073  if (Hold)
2074  return State->set<RegionState>(SymBase,
2075  RefState::getRelinquished(Family,
2076  ParentExpr));
2077 
2078  return State->set<RegionState>(SymBase,
2079  RefState::getReleased(Family, ParentExpr));
2080 }
2081 
2083 MallocChecker::getCheckIfTracked(AllocationFamily Family,
2084  bool IsALeakCheck) const {
2085  switch (Family) {
2086  case AF_Malloc:
2087  case AF_Alloca:
2088  case AF_IfNameIndex: {
2089  if (ChecksEnabled[CK_MallocChecker])
2090  return CK_MallocChecker;
2091  return None;
2092  }
2093  case AF_CXXNew:
2094  case AF_CXXNewArray: {
2095  if (IsALeakCheck) {
2096  if (ChecksEnabled[CK_NewDeleteLeaksChecker])
2097  return CK_NewDeleteLeaksChecker;
2098  }
2099  else {
2100  if (ChecksEnabled[CK_NewDeleteChecker])
2101  return CK_NewDeleteChecker;
2102  }
2103  return None;
2104  }
2105  case AF_InnerBuffer: {
2106  if (ChecksEnabled[CK_InnerPointerChecker])
2107  return CK_InnerPointerChecker;
2108  return None;
2109  }
2110  case AF_None: {
2111  llvm_unreachable("no family");
2112  }
2113  }
2114  llvm_unreachable("unhandled family");
2115 }
2116 
2118 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
2119  bool IsALeakCheck) const {
2120  if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
2121  return CK_MallocChecker;
2122 
2123  const RefState *RS = C.getState()->get<RegionState>(Sym);
2124  assert(RS);
2125  return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
2126 }
2127 
2128 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
2129  if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
2130  os << "an integer (" << IntVal->getValue() << ")";
2131  else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
2132  os << "a constant address (" << ConstAddr->getValue() << ")";
2133  else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
2134  os << "the address of the label '" << Label->getLabel()->getName() << "'";
2135  else
2136  return false;
2137 
2138  return true;
2139 }
2140 
2141 bool MallocChecker::SummarizeRegion(raw_ostream &os,
2142  const MemRegion *MR) {
2143  switch (MR->getKind()) {
2144  case MemRegion::FunctionCodeRegionKind: {
2145  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
2146  if (FD)
2147  os << "the address of the function '" << *FD << '\'';
2148  else
2149  os << "the address of a function";
2150  return true;
2151  }
2152  case MemRegion::BlockCodeRegionKind:
2153  os << "block text";
2154  return true;
2155  case MemRegion::BlockDataRegionKind:
2156  // FIXME: where the block came from?
2157  os << "a block";
2158  return true;
2159  default: {
2160  const MemSpaceRegion *MS = MR->getMemorySpace();
2161 
2162  if (isa<StackLocalsSpaceRegion>(MS)) {
2163  const VarRegion *VR = dyn_cast<VarRegion>(MR);
2164  const VarDecl *VD;
2165  if (VR)
2166  VD = VR->getDecl();
2167  else
2168  VD = nullptr;
2169 
2170  if (VD)
2171  os << "the address of the local variable '" << VD->getName() << "'";
2172  else
2173  os << "the address of a local stack variable";
2174  return true;
2175  }
2176 
2177  if (isa<StackArgumentsSpaceRegion>(MS)) {
2178  const VarRegion *VR = dyn_cast<VarRegion>(MR);
2179  const VarDecl *VD;
2180  if (VR)
2181  VD = VR->getDecl();
2182  else
2183  VD = nullptr;
2184 
2185  if (VD)
2186  os << "the address of the parameter '" << VD->getName() << "'";
2187  else
2188  os << "the address of a parameter";
2189  return true;
2190  }
2191 
2192  if (isa<GlobalsSpaceRegion>(MS)) {
2193  const VarRegion *VR = dyn_cast<VarRegion>(MR);
2194  const VarDecl *VD;
2195  if (VR)
2196  VD = VR->getDecl();
2197  else
2198  VD = nullptr;
2199 
2200  if (VD) {
2201  if (VD->isStaticLocal())
2202  os << "the address of the static variable '" << VD->getName() << "'";
2203  else
2204  os << "the address of the global variable '" << VD->getName() << "'";
2205  } else
2206  os << "the address of a global variable";
2207  return true;
2208  }
2209 
2210  return false;
2211  }
2212  }
2213 }
2214 
2215 void MallocChecker::HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal,
2216  SourceRange Range,
2217  const Expr *DeallocExpr,
2218  AllocationFamily Family) const {
2219 
2220  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2221  C.addSink();
2222  return;
2223  }
2224 
2225  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2226  if (!CheckKind.hasValue())
2227  return;
2228 
2229  if (ExplodedNode *N = C.generateErrorNode()) {
2230  if (!BT_BadFree[*CheckKind])
2231  BT_BadFree[*CheckKind].reset(new BugType(
2232  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2233 
2234  SmallString<100> buf;
2235  llvm::raw_svector_ostream os(buf);
2236 
2237  const MemRegion *MR = ArgVal.getAsRegion();
2238  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2239  MR = ER->getSuperRegion();
2240 
2241  os << "Argument to ";
2242  if (!printMemFnName(os, C, DeallocExpr))
2243  os << "deallocator";
2244 
2245  os << " is ";
2246  bool Summarized = MR ? SummarizeRegion(os, MR)
2247  : SummarizeValue(os, ArgVal);
2248  if (Summarized)
2249  os << ", which is not memory allocated by ";
2250  else
2251  os << "not memory allocated by ";
2252 
2253  printExpectedAllocName(os, Family);
2254 
2255  auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
2256  os.str(), N);
2257  R->markInteresting(MR);
2258  R->addRange(Range);
2259  C.emitReport(std::move(R));
2260  }
2261 }
2262 
2263 void MallocChecker::HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
2264  SourceRange Range) const {
2265 
2267 
2268  if (ChecksEnabled[CK_MallocChecker])
2269  CheckKind = CK_MallocChecker;
2270  else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
2271  CheckKind = CK_MismatchedDeallocatorChecker;
2272  else {
2273  C.addSink();
2274  return;
2275  }
2276 
2277  if (ExplodedNode *N = C.generateErrorNode()) {
2278  if (!BT_FreeAlloca[*CheckKind])
2279  BT_FreeAlloca[*CheckKind].reset(new BugType(
2280  CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
2281 
2282  auto R = std::make_unique<PathSensitiveBugReport>(
2283  *BT_FreeAlloca[*CheckKind],
2284  "Memory allocated by alloca() should not be deallocated", N);
2285  R->markInteresting(ArgVal.getAsRegion());
2286  R->addRange(Range);
2287  C.emitReport(std::move(R));
2288  }
2289 }
2290 
2291 void MallocChecker::HandleMismatchedDealloc(CheckerContext &C,
2292  SourceRange Range,
2293  const Expr *DeallocExpr,
2294  const RefState *RS, SymbolRef Sym,
2295  bool OwnershipTransferred) const {
2296 
2297  if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
2298  C.addSink();
2299  return;
2300  }
2301 
2302  if (ExplodedNode *N = C.generateErrorNode()) {
2303  if (!BT_MismatchedDealloc)
2304  BT_MismatchedDealloc.reset(
2305  new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
2306  "Bad deallocator", categories::MemoryError));
2307 
2308  SmallString<100> buf;
2309  llvm::raw_svector_ostream os(buf);
2310 
2311  const Expr *AllocExpr = cast<Expr>(RS->getStmt());
2312  SmallString<20> AllocBuf;
2313  llvm::raw_svector_ostream AllocOs(AllocBuf);
2314  SmallString<20> DeallocBuf;
2315  llvm::raw_svector_ostream DeallocOs(DeallocBuf);
2316 
2317  if (OwnershipTransferred) {
2318  if (printMemFnName(DeallocOs, C, DeallocExpr))
2319  os << DeallocOs.str() << " cannot";
2320  else
2321  os << "Cannot";
2322 
2323  os << " take ownership of memory";
2324 
2325  if (printMemFnName(AllocOs, C, AllocExpr))
2326  os << " allocated by " << AllocOs.str();
2327  } else {
2328  os << "Memory";
2329  if (printMemFnName(AllocOs, C, AllocExpr))
2330  os << " allocated by " << AllocOs.str();
2331 
2332  os << " should be deallocated by ";
2333  printExpectedDeallocName(os, RS->getAllocationFamily());
2334 
2335  if (printMemFnName(DeallocOs, C, DeallocExpr))
2336  os << ", not " << DeallocOs.str();
2337  }
2338 
2339  auto R = std::make_unique<PathSensitiveBugReport>(*BT_MismatchedDealloc,
2340  os.str(), N);
2341  R->markInteresting(Sym);
2342  R->addRange(Range);
2343  R->addVisitor<MallocBugVisitor>(Sym);
2344  C.emitReport(std::move(R));
2345  }
2346 }
2347 
2348 void MallocChecker::HandleOffsetFree(CheckerContext &C, SVal ArgVal,
2349  SourceRange Range, const Expr *DeallocExpr,
2350  AllocationFamily Family,
2351  const Expr *AllocExpr) const {
2352 
2353  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2354  C.addSink();
2355  return;
2356  }
2357 
2358  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2359  if (!CheckKind.hasValue())
2360  return;
2361 
2362  ExplodedNode *N = C.generateErrorNode();
2363  if (!N)
2364  return;
2365 
2366  if (!BT_OffsetFree[*CheckKind])
2367  BT_OffsetFree[*CheckKind].reset(new BugType(
2368  CheckNames[*CheckKind], "Offset free", categories::MemoryError));
2369 
2370  SmallString<100> buf;
2371  llvm::raw_svector_ostream os(buf);
2372  SmallString<20> AllocNameBuf;
2373  llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
2374 
2375  const MemRegion *MR = ArgVal.getAsRegion();
2376  assert(MR && "Only MemRegion based symbols can have offset free errors");
2377 
2378  RegionOffset Offset = MR->getAsOffset();
2379  assert((Offset.isValid() &&
2380  !Offset.hasSymbolicOffset() &&
2381  Offset.getOffset() != 0) &&
2382  "Only symbols with a valid offset can have offset free errors");
2383 
2384  int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
2385 
2386  os << "Argument to ";
2387  if (!printMemFnName(os, C, DeallocExpr))
2388  os << "deallocator";
2389  os << " is offset by "
2390  << offsetBytes
2391  << " "
2392  << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
2393  << " from the start of ";
2394  if (AllocExpr && printMemFnName(AllocNameOs, C, AllocExpr))
2395  os << "memory allocated by " << AllocNameOs.str();
2396  else
2397  os << "allocated memory";
2398 
2399  auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind],
2400  os.str(), N);
2401  R->markInteresting(MR->getBaseRegion());
2402  R->addRange(Range);
2403  C.emitReport(std::move(R));
2404 }
2405 
2406 void MallocChecker::HandleUseAfterFree(CheckerContext &C, SourceRange Range,
2407  SymbolRef Sym) const {
2408 
2409  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker] &&
2410  !ChecksEnabled[CK_InnerPointerChecker]) {
2411  C.addSink();
2412  return;
2413  }
2414 
2415  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2416  if (!CheckKind.hasValue())
2417  return;
2418 
2419  if (ExplodedNode *N = C.generateErrorNode()) {
2420  if (!BT_UseFree[*CheckKind])
2421  BT_UseFree[*CheckKind].reset(new BugType(
2422  CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
2423 
2424  AllocationFamily AF =
2425  C.getState()->get<RegionState>(Sym)->getAllocationFamily();
2426 
2427  auto R = std::make_unique<PathSensitiveBugReport>(
2428  *BT_UseFree[*CheckKind],
2429  AF == AF_InnerBuffer
2430  ? "Inner pointer of container used after re/deallocation"
2431  : "Use of memory after it is freed",
2432  N);
2433 
2434  R->markInteresting(Sym);
2435  R->addRange(Range);
2436  R->addVisitor<MallocBugVisitor>(Sym);
2437 
2438  if (AF == AF_InnerBuffer)
2439  R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym));
2440 
2441  C.emitReport(std::move(R));
2442  }
2443 }
2444 
2445 void MallocChecker::HandleDoubleFree(CheckerContext &C, SourceRange Range,
2446  bool Released, SymbolRef Sym,
2447  SymbolRef PrevSym) const {
2448 
2449  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2450  C.addSink();
2451  return;
2452  }
2453 
2454  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2455  if (!CheckKind.hasValue())
2456  return;
2457 
2458  if (ExplodedNode *N = C.generateErrorNode()) {
2459  if (!BT_DoubleFree[*CheckKind])
2460  BT_DoubleFree[*CheckKind].reset(new BugType(
2461  CheckNames[*CheckKind], "Double free", categories::MemoryError));
2462 
2463  auto R = std::make_unique<PathSensitiveBugReport>(
2464  *BT_DoubleFree[*CheckKind],
2465  (Released ? "Attempt to free released memory"
2466  : "Attempt to free non-owned memory"),
2467  N);
2468  R->addRange(Range);
2469  R->markInteresting(Sym);
2470  if (PrevSym)
2471  R->markInteresting(PrevSym);
2472  R->addVisitor<MallocBugVisitor>(Sym);
2473  C.emitReport(std::move(R));
2474  }
2475 }
2476 
2477 void MallocChecker::HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2478 
2479  if (!ChecksEnabled[CK_NewDeleteChecker]) {
2480  C.addSink();
2481  return;
2482  }
2483 
2484  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2485  if (!CheckKind.hasValue())
2486  return;
2487 
2488  if (ExplodedNode *N = C.generateErrorNode()) {
2489  if (!BT_DoubleDelete)
2490  BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
2491  "Double delete",
2493 
2494  auto R = std::make_unique<PathSensitiveBugReport>(
2495  *BT_DoubleDelete, "Attempt to delete released memory", N);
2496 
2497  R->markInteresting(Sym);
2498  R->addVisitor<MallocBugVisitor>(Sym);
2499  C.emitReport(std::move(R));
2500  }
2501 }
2502 
2503 void MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
2504  SymbolRef Sym) const {
2505 
2506  if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2507  C.addSink();
2508  return;
2509  }
2510 
2511  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2512 
2513  if (!CheckKind.hasValue())
2514  return;
2515 
2516  if (ExplodedNode *N = C.generateErrorNode()) {
2517  if (!BT_UseZerroAllocated[*CheckKind])
2518  BT_UseZerroAllocated[*CheckKind].reset(
2519  new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2521 
2522  auto R = std::make_unique<PathSensitiveBugReport>(
2523  *BT_UseZerroAllocated[*CheckKind],
2524  "Use of memory allocated with size zero", N);
2525 
2526  R->addRange(Range);
2527  if (Sym) {
2528  R->markInteresting(Sym);
2529  R->addVisitor<MallocBugVisitor>(Sym);
2530  }
2531  C.emitReport(std::move(R));
2532  }
2533 }
2534 
2535 void MallocChecker::HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal,
2536  SourceRange Range,
2537  const Expr *FreeExpr,
2538  AllocationFamily Family) const {
2539  if (!ChecksEnabled[CK_MallocChecker]) {
2540  C.addSink();
2541  return;
2542  }
2543 
2544  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2545  if (!CheckKind.hasValue())
2546  return;
2547 
2548  if (ExplodedNode *N = C.generateErrorNode()) {
2549  if (!BT_BadFree[*CheckKind])
2550  BT_BadFree[*CheckKind].reset(new BugType(
2551  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2552 
2553  SmallString<100> Buf;
2554  llvm::raw_svector_ostream Os(Buf);
2555 
2556  const MemRegion *MR = ArgVal.getAsRegion();
2557  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2558  MR = ER->getSuperRegion();
2559 
2560  Os << "Argument to ";
2561  if (!printMemFnName(Os, C, FreeExpr))
2562  Os << "deallocator";
2563 
2564  Os << " is a function pointer";
2565 
2566  auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
2567  Os.str(), N);
2568  R->markInteresting(MR);
2569  R->addRange(Range);
2570  C.emitReport(std::move(R));
2571  }
2572 }
2573 
2575 MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
2576  bool ShouldFreeOnFail, ProgramStateRef State,
2577  AllocationFamily Family, bool SuffixWithN) const {
2578  if (!State)
2579  return nullptr;
2580 
2581  const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
2582 
2583  if (SuffixWithN && CE->getNumArgs() < 3)
2584  return nullptr;
2585  else if (CE->getNumArgs() < 2)
2586  return nullptr;
2587 
2588  const Expr *arg0Expr = CE->getArg(0);
2589  SVal Arg0Val = C.getSVal(arg0Expr);
2590  if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
2591  return nullptr;
2592  DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2593 
2594  SValBuilder &svalBuilder = C.getSValBuilder();
2595 
2596  DefinedOrUnknownSVal PtrEQ = svalBuilder.evalEQ(
2597  State, arg0Val, svalBuilder.makeNullWithType(arg0Expr->getType()));
2598 
2599  // Get the size argument.
2600  const Expr *Arg1 = CE->getArg(1);
2601 
2602  // Get the value of the size argument.
2603  SVal TotalSize = C.getSVal(Arg1);
2604  if (SuffixWithN)
2605  TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
2606  if (!TotalSize.getAs<DefinedOrUnknownSVal>())
2607  return nullptr;
2608 
2609  // Compare the size argument to 0.
2610  DefinedOrUnknownSVal SizeZero =
2611  svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
2612  svalBuilder.makeIntValWithWidth(
2613  svalBuilder.getContext().getSizeType(), 0));
2614 
2615  ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2616  std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
2617  ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2618  std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
2619  // We only assume exceptional states if they are definitely true; if the
2620  // state is under-constrained, assume regular realloc behavior.
2621  bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2622  bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2623 
2624  // If the ptr is NULL and the size is not 0, the call is equivalent to
2625  // malloc(size).
2626  if (PrtIsNull && !SizeIsZero) {
2627  ProgramStateRef stateMalloc = MallocMemAux(
2628  C, Call, TotalSize, UndefinedVal(), StatePtrIsNull, Family);
2629  return stateMalloc;
2630  }
2631 
2632  if (PrtIsNull && SizeIsZero)
2633  return State;
2634 
2635  assert(!PrtIsNull);
2636 
2637  bool IsKnownToBeAllocated = false;
2638 
2639  // If the size is 0, free the memory.
2640  if (SizeIsZero)
2641  // The semantics of the return value are:
2642  // If size was equal to 0, either NULL or a pointer suitable to be passed
2643  // to free() is returned. We just free the input pointer and do not add
2644  // any constrains on the output pointer.
2645  if (ProgramStateRef stateFree = FreeMemAux(
2646  C, Call, StateSizeIsZero, 0, false, IsKnownToBeAllocated, Family))
2647  return stateFree;
2648 
2649  // Default behavior.
2650  if (ProgramStateRef stateFree =
2651  FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocated, Family)) {
2652 
2653  ProgramStateRef stateRealloc =
2654  MallocMemAux(C, Call, TotalSize, UnknownVal(), stateFree, Family);
2655  if (!stateRealloc)
2656  return nullptr;
2657 
2658  OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;
2659  if (ShouldFreeOnFail)
2660  Kind = OAR_FreeOnFailure;
2661  else if (!IsKnownToBeAllocated)
2662  Kind = OAR_DoNotTrackAfterFailure;
2663 
2664  // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2665  SymbolRef FromPtr = arg0Val.getLocSymbolInBase();
2666  SVal RetVal = C.getSVal(CE);
2667  SymbolRef ToPtr = RetVal.getAsSymbol();
2668  assert(FromPtr && ToPtr &&
2669  "By this point, FreeMemAux and MallocMemAux should have checked "
2670  "whether the argument or the return value is symbolic!");
2671 
2672  // Record the info about the reallocated symbol so that we could properly
2673  // process failed reallocation.
2674  stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
2675  ReallocPair(FromPtr, Kind));
2676  // The reallocated symbol should stay alive for as long as the new symbol.
2677  C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
2678  return stateRealloc;
2679  }
2680  return nullptr;
2681 }
2682 
2683 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C,
2684  const CallEvent &Call,
2686  if (!State)
2687  return nullptr;
2688 
2689  if (Call.getNumArgs() < 2)
2690  return nullptr;
2691 
2692  SValBuilder &svalBuilder = C.getSValBuilder();
2693  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
2694  SVal TotalSize =
2695  evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
2696 
2697  return MallocMemAux(C, Call, TotalSize, zeroVal, State, AF_Malloc);
2698 }
2699 
2700 MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N,
2701  SymbolRef Sym,
2702  CheckerContext &C) {
2703  const LocationContext *LeakContext = N->getLocationContext();
2704  // Walk the ExplodedGraph backwards and find the first node that referred to
2705  // the tracked symbol.
2706  const ExplodedNode *AllocNode = N;
2707  const MemRegion *ReferenceRegion = nullptr;
2708 
2709  while (N) {
2710  ProgramStateRef State = N->getState();
2711  if (!State->get<RegionState>(Sym))
2712  break;
2713 
2714  // Find the most recent expression bound to the symbol in the current
2715  // context.
2716  if (!ReferenceRegion) {
2717  if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2718  SVal Val = State->getSVal(MR);
2719  if (Val.getAsLocSymbol() == Sym) {
2720  const VarRegion *VR = MR->getBaseRegion()->getAs<VarRegion>();
2721  // Do not show local variables belonging to a function other than
2722  // where the error is reported.
2723  if (!VR || (VR->getStackFrame() == LeakContext->getStackFrame()))
2724  ReferenceRegion = MR;
2725  }
2726  }
2727  }
2728 
2729  // Allocation node, is the last node in the current or parent context in
2730  // which the symbol was tracked.
2731  const LocationContext *NContext = N->getLocationContext();
2732  if (NContext == LeakContext ||
2733  NContext->isParentOf(LeakContext))
2734  AllocNode = N;
2735  N = N->pred_empty() ? nullptr : *(N->pred_begin());
2736  }
2737 
2738  return LeakInfo(AllocNode, ReferenceRegion);
2739 }
2740 
2741 void MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N,
2742  CheckerContext &C) const {
2743 
2744  if (!ChecksEnabled[CK_MallocChecker] &&
2745  !ChecksEnabled[CK_NewDeleteLeaksChecker])
2746  return;
2747 
2748  const RefState *RS = C.getState()->get<RegionState>(Sym);
2749  assert(RS && "cannot leak an untracked symbol");
2750  AllocationFamily Family = RS->getAllocationFamily();
2751 
2752  if (Family == AF_Alloca)
2753  return;
2754 
2756  CheckKind = getCheckIfTracked(Family, true);
2757 
2758  if (!CheckKind.hasValue())
2759  return;
2760 
2761  assert(N);
2762  if (!BT_Leak[*CheckKind]) {
2763  // Leaks should not be reported if they are post-dominated by a sink:
2764  // (1) Sinks are higher importance bugs.
2765  // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2766  // with __noreturn functions such as assert() or exit(). We choose not
2767  // to report leaks on such paths.
2768  BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak",
2770  /*SuppressOnSink=*/true));
2771  }
2772 
2773  // Most bug reports are cached at the location where they occurred.
2774  // With leaks, we want to unique them by the location where they were
2775  // allocated, and only report a single path.
2776  PathDiagnosticLocation LocUsedForUniqueing;
2777  const ExplodedNode *AllocNode = nullptr;
2778  const MemRegion *Region = nullptr;
2779  std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
2780 
2781  const Stmt *AllocationStmt = AllocNode->getStmtForDiagnostics();
2782  if (AllocationStmt)
2783  LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
2784  C.getSourceManager(),
2785  AllocNode->getLocationContext());
2786 
2787  SmallString<200> buf;
2788  llvm::raw_svector_ostream os(buf);
2789  if (Region && Region->canPrintPretty()) {
2790  os << "Potential leak of memory pointed to by ";
2791  Region->printPretty(os);
2792  } else {
2793  os << "Potential memory leak";
2794  }
2795 
2796  auto R = std::make_unique<PathSensitiveBugReport>(
2797  *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
2798  AllocNode->getLocationContext()->getDecl());
2799  R->markInteresting(Sym);
2800  R->addVisitor<MallocBugVisitor>(Sym, true);
2801  if (ShouldRegisterNoOwnershipChangeVisitor)
2802  R->addVisitor<NoOwnershipChangeVisitor>(Sym, this);
2803  C.emitReport(std::move(R));
2804 }
2805 
2806 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2807  CheckerContext &C) const
2808 {
2809  ProgramStateRef state = C.getState();
2810  RegionStateTy OldRS = state->get<RegionState>();
2811  RegionStateTy::Factory &F = state->get_context<RegionState>();
2812 
2813  RegionStateTy RS = OldRS;
2815  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2816  if (SymReaper.isDead(I->first)) {
2817  if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero())
2818  Errors.push_back(I->first);
2819  // Remove the dead symbol from the map.
2820  RS = F.remove(RS, I->first);
2821  }
2822  }
2823 
2824  if (RS == OldRS) {
2825  // We shouldn't have touched other maps yet.
2826  assert(state->get<ReallocPairs>() ==
2827  C.getState()->get<ReallocPairs>());
2828  assert(state->get<FreeReturnValue>() ==
2829  C.getState()->get<FreeReturnValue>());
2830  return;
2831  }
2832 
2833  // Cleanup the Realloc Pairs Map.
2834  ReallocPairsTy RP = state->get<ReallocPairs>();
2835  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2836  if (SymReaper.isDead(I->first) ||
2837  SymReaper.isDead(I->second.ReallocatedSym)) {
2838  state = state->remove<ReallocPairs>(I->first);
2839  }
2840  }
2841 
2842  // Cleanup the FreeReturnValue Map.
2843  FreeReturnValueTy FR = state->get<FreeReturnValue>();
2844  for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
2845  if (SymReaper.isDead(I->first) ||
2846  SymReaper.isDead(I->second)) {
2847  state = state->remove<FreeReturnValue>(I->first);
2848  }
2849  }
2850 
2851  // Generate leak node.
2852  ExplodedNode *N = C.getPredecessor();
2853  if (!Errors.empty()) {
2854  static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2855  N = C.generateNonFatalErrorNode(C.getState(), &Tag);
2856  if (N) {
2858  I = Errors.begin(), E = Errors.end(); I != E; ++I) {
2859  HandleLeak(*I, N, C);
2860  }
2861  }
2862  }
2863 
2864  C.addTransition(state->set<RegionState>(RS), N);
2865 }
2866 
2867 void MallocChecker::checkPreCall(const CallEvent &Call,
2868  CheckerContext &C) const {
2869 
2870  if (const auto *DC = dyn_cast<CXXDeallocatorCall>(&Call)) {
2871  const CXXDeleteExpr *DE = DC->getOriginExpr();
2872 
2873  if (!ChecksEnabled[CK_NewDeleteChecker])
2874  if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
2875  checkUseAfterFree(Sym, C, DE->getArgument());
2876 
2877  if (!isStandardNewDelete(DC->getDecl()))
2878  return;
2879 
2880  ProgramStateRef State = C.getState();
2881  bool IsKnownToBeAllocated;
2882  State = FreeMemAux(C, DE->getArgument(), Call, State,
2883  /*Hold*/ false, IsKnownToBeAllocated,
2884  (DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew));
2885 
2886  C.addTransition(State);
2887  return;
2888  }
2889 
2890  if (const auto *DC = dyn_cast<CXXDestructorCall>(&Call)) {
2891  SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2892  if (!Sym || checkDoubleDelete(Sym, C))
2893  return;
2894  }
2895 
2896  // We will check for double free in the post visit.
2897  if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
2898  const FunctionDecl *FD = FC->getDecl();
2899  if (!FD)
2900  return;
2901 
2902  if (ChecksEnabled[CK_MallocChecker] && isFreeingCall(Call))
2903  return;
2904  }
2905 
2906  // Check if the callee of a method is deleted.
2907  if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
2908  SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2909  if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2910  return;
2911  }
2912 
2913  // Check arguments for being used after free.
2914  for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2915  SVal ArgSVal = Call.getArgSVal(I);
2916  if (ArgSVal.getAs<Loc>()) {
2917  SymbolRef Sym = ArgSVal.getAsSymbol();
2918  if (!Sym)
2919  continue;
2920  if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
2921  return;
2922  }
2923  }
2924 }
2925 
2926 void MallocChecker::checkPreStmt(const ReturnStmt *S,
2927  CheckerContext &C) const {
2928  checkEscapeOnReturn(S, C);
2929 }
2930 
2931 // In the CFG, automatic destructors come after the return statement.
2932 // This callback checks for returning memory that is freed by automatic
2933 // destructors, as those cannot be reached in checkPreStmt().
2934 void MallocChecker::checkEndFunction(const ReturnStmt *S,
2935  CheckerContext &C) const {
2936  checkEscapeOnReturn(S, C);
2937 }
2938 
2939 void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
2940  CheckerContext &C) const {
2941  if (!S)
2942  return;
2943 
2944  const Expr *E = S->getRetValue();
2945  if (!E)
2946  return;
2947 
2948  // Check if we are returning a symbol.
2949  ProgramStateRef State = C.getState();
2950  SVal RetVal = C.getSVal(E);
2951  SymbolRef Sym = RetVal.getAsSymbol();
2952  if (!Sym)
2953  // If we are returning a field of the allocated struct or an array element,
2954  // the callee could still free the memory.
2955  // TODO: This logic should be a part of generic symbol escape callback.
2956  if (const MemRegion *MR = RetVal.getAsRegion())
2957  if (isa<FieldRegion, ElementRegion>(MR))
2958  if (const SymbolicRegion *BMR =
2959  dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
2960  Sym = BMR->getSymbol();
2961 
2962  // Check if we are returning freed memory.
2963  if (Sym)
2964  checkUseAfterFree(Sym, C, E);
2965 }
2966 
2967 // TODO: Blocks should be either inlined or should call invalidate regions
2968 // upon invocation. After that's in place, special casing here will not be
2969 // needed.
2970 void MallocChecker::checkPostStmt(const BlockExpr *BE,
2971  CheckerContext &C) const {
2972 
2973  // Scan the BlockDecRefExprs for any object the retain count checker
2974  // may be tracking.
2975  if (!BE->getBlockDecl()->hasCaptures())
2976  return;
2977 
2978  ProgramStateRef state = C.getState();
2979  const BlockDataRegion *R =
2980  cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());
2981 
2982  BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
2983  E = R->referenced_vars_end();
2984 
2985  if (I == E)
2986  return;
2987 
2989  const LocationContext *LC = C.getLocationContext();
2990  MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
2991 
2992  for ( ; I != E; ++I) {
2993  const VarRegion *VR = I.getCapturedRegion();
2994  if (VR->getSuperRegion() == R) {
2995  VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2996  }
2997  Regions.push_back(VR);
2998  }
2999 
3000  state =
3001  state->scanReachableSymbols<StopTrackingCallback>(Regions).getState();
3002  C.addTransition(state);
3003 }
3004 
3005 static bool isReleased(SymbolRef Sym, CheckerContext &C) {
3006  assert(Sym);
3007  const RefState *RS = C.getState()->get<RegionState>(Sym);
3008  return (RS && RS->isReleased());
3009 }
3010 
3011 bool MallocChecker::suppressDeallocationsInSuspiciousContexts(
3012  const CallEvent &Call, CheckerContext &C) const {
3013  if (Call.getNumArgs() == 0)
3014  return false;
3015 
3016  StringRef FunctionStr = "";
3017  if (const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
3018  if (const Stmt *Body = FD->getBody())
3019  if (Body->getBeginLoc().isValid())
3020  FunctionStr =
3022  {FD->getBeginLoc(), Body->getBeginLoc()}),
3023  C.getSourceManager(), C.getLangOpts());
3024 
3025  // We do not model the Integer Set Library's retain-count based allocation.
3026  if (!FunctionStr.contains("__isl_"))
3027  return false;
3028 
3029  ProgramStateRef State = C.getState();
3030 
3031  for (const Expr *Arg : cast<CallExpr>(Call.getOriginExpr())->arguments())
3032  if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol())
3033  if (const RefState *RS = State->get<RegionState>(Sym))
3034  State = State->set<RegionState>(Sym, RefState::getEscaped(RS));
3035 
3036  C.addTransition(State);
3037  return true;
3038 }
3039 
3040 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
3041  const Stmt *S) const {
3042 
3043  if (isReleased(Sym, C)) {
3044  HandleUseAfterFree(C, S->getSourceRange(), Sym);
3045  return true;
3046  }
3047 
3048  return false;
3049 }
3050 
3051 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
3052  const Stmt *S) const {
3053  assert(Sym);
3054 
3055  if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
3056  if (RS->isAllocatedOfSizeZero())
3057  HandleUseZeroAlloc(C, RS->getStmt()->getSourceRange(), Sym);
3058  }
3059  else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
3060  HandleUseZeroAlloc(C, S->getSourceRange(), Sym);
3061  }
3062 }
3063 
3064 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
3065 
3066  if (isReleased(Sym, C)) {
3067  HandleDoubleDelete(C, Sym);
3068  return true;
3069  }
3070  return false;
3071 }
3072 
3073 // Check if the location is a freed symbolic region.
3074 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
3075  CheckerContext &C) const {
3076  SymbolRef Sym = l.getLocSymbolInBase();
3077  if (Sym) {
3078  checkUseAfterFree(Sym, C, S);
3079  checkUseZeroAllocated(Sym, C, S);
3080  }
3081 }
3082 
3083 // If a symbolic region is assumed to NULL (or another constant), stop tracking
3084 // it - assuming that allocation failed on this path.
3085 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
3086  SVal Cond,
3087  bool Assumption) const {
3088  RegionStateTy RS = state->get<RegionState>();
3089  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3090  // If the symbol is assumed to be NULL, remove it from consideration.
3091  ConstraintManager &CMgr = state->getConstraintManager();
3092  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
3093  if (AllocFailed.isConstrainedTrue())
3094  state = state->remove<RegionState>(I.getKey());
3095  }
3096 
3097  // Realloc returns 0 when reallocation fails, which means that we should
3098  // restore the state of the pointer being reallocated.
3099  ReallocPairsTy RP = state->get<ReallocPairs>();
3100  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
3101  // If the symbol is assumed to be NULL, remove it from consideration.
3102  ConstraintManager &CMgr = state->getConstraintManager();
3103  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
3104  if (!AllocFailed.isConstrainedTrue())
3105  continue;
3106 
3107  SymbolRef ReallocSym = I.getData().ReallocatedSym;
3108  if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
3109  if (RS->isReleased()) {
3110  switch (I.getData().Kind) {
3111  case OAR_ToBeFreedAfterFailure:
3112  state = state->set<RegionState>(ReallocSym,
3113  RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt()));
3114  break;
3115  case OAR_DoNotTrackAfterFailure:
3116  state = state->remove<RegionState>(ReallocSym);
3117  break;
3118  default:
3119  assert(I.getData().Kind == OAR_FreeOnFailure);
3120  }
3121  }
3122  }
3123  state = state->remove<ReallocPairs>(I.getKey());
3124  }
3125 
3126  return state;
3127 }
3128 
3129 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
3130  const CallEvent *Call,
3132  SymbolRef &EscapingSymbol) const {
3133  assert(Call);
3134  EscapingSymbol = nullptr;
3135 
3136  // For now, assume that any C++ or block call can free memory.
3137  // TODO: If we want to be more optimistic here, we'll need to make sure that
3138  // regions escape to C++ containers. They seem to do that even now, but for
3139  // mysterious reasons.
3140  if (!isa<SimpleFunctionCall, ObjCMethodCall>(Call))
3141  return true;
3142 
3143  // Check Objective-C messages by selector name.
3144  if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
3145  // If it's not a framework call, or if it takes a callback, assume it
3146  // can free memory.
3147  if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
3148  return true;
3149 
3150  // If it's a method we know about, handle it explicitly post-call.
3151  // This should happen before the "freeWhenDone" check below.
3152  if (isKnownDeallocObjCMethodName(*Msg))
3153  return false;
3154 
3155  // If there's a "freeWhenDone" parameter, but the method isn't one we know
3156  // about, we can't be sure that the object will use free() to deallocate the
3157  // memory, so we can't model it explicitly. The best we can do is use it to
3158  // decide whether the pointer escapes.
3159  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
3160  return *FreeWhenDone;
3161 
3162  // If the first selector piece ends with "NoCopy", and there is no
3163  // "freeWhenDone" parameter set to zero, we know ownership is being
3164  // transferred. Again, though, we can't be sure that the object will use
3165  // free() to deallocate the memory, so we can't model it explicitly.
3166  StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
3167  if (FirstSlot.endswith("NoCopy"))
3168  return true;
3169 
3170  // If the first selector starts with addPointer, insertPointer,
3171  // or replacePointer, assume we are dealing with NSPointerArray or similar.
3172  // This is similar to C++ containers (vector); we still might want to check
3173  // that the pointers get freed by following the container itself.
3174  if (FirstSlot.startswith("addPointer") ||
3175  FirstSlot.startswith("insertPointer") ||
3176  FirstSlot.startswith("replacePointer") ||
3177  FirstSlot.equals("valueWithPointer")) {
3178  return true;
3179  }
3180 
3181  // We should escape receiver on call to 'init'. This is especially relevant
3182  // to the receiver, as the corresponding symbol is usually not referenced
3183  // after the call.
3184  if (Msg->getMethodFamily() == OMF_init) {
3185  EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
3186  return true;
3187  }
3188 
3189  // Otherwise, assume that the method does not free memory.
3190  // Most framework methods do not free memory.
3191  return false;
3192  }
3193 
3194  // At this point the only thing left to handle is straight function calls.
3195  const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
3196  if (!FD)
3197  return true;
3198 
3199  // If it's one of the allocation functions we can reason about, we model
3200  // its behavior explicitly.
3201  if (isMemCall(*Call))
3202  return false;
3203 
3204  // If it's not a system call, assume it frees memory.
3205  if (!Call->isInSystemHeader())
3206  return true;
3207 
3208  // White list the system functions whose arguments escape.
3209  const IdentifierInfo *II = FD->getIdentifier();
3210  if (!II)
3211  return true;
3212  StringRef FName = II->getName();
3213 
3214  // White list the 'XXXNoCopy' CoreFoundation functions.
3215  // We specifically check these before
3216  if (FName.endswith("NoCopy")) {
3217  // Look for the deallocator argument. We know that the memory ownership
3218  // is not transferred only if the deallocator argument is
3219  // 'kCFAllocatorNull'.
3220  for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
3221  const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
3222  if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
3223  StringRef DeallocatorName = DE->getFoundDecl()->getName();
3224  if (DeallocatorName == "kCFAllocatorNull")
3225  return false;
3226  }
3227  }
3228  return true;
3229  }
3230 
3231  // Associating streams with malloced buffers. The pointer can escape if
3232  // 'closefn' is specified (and if that function does free memory),
3233  // but it will not if closefn is not specified.
3234  // Currently, we do not inspect the 'closefn' function (PR12101).
3235  if (FName == "funopen")
3236  if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
3237  return false;
3238 
3239  // Do not warn on pointers passed to 'setbuf' when used with std streams,
3240  // these leaks might be intentional when setting the buffer for stdio.
3241  // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
3242  if (FName == "setbuf" || FName =="setbuffer" ||
3243  FName == "setlinebuf" || FName == "setvbuf") {
3244  if (Call->getNumArgs() >= 1) {
3245  const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
3246  if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
3247  if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
3248  if (D->getCanonicalDecl()->getName().contains("std"))
3249  return true;
3250  }
3251  }
3252 
3253  // A bunch of other functions which either take ownership of a pointer or
3254  // wrap the result up in a struct or object, meaning it can be freed later.
3255  // (See RetainCountChecker.) Not all the parameters here are invalidated,
3256  // but the Malloc checker cannot differentiate between them. The right way
3257  // of doing this would be to implement a pointer escapes callback.
3258  if (FName == "CGBitmapContextCreate" ||
3259  FName == "CGBitmapContextCreateWithData" ||
3260  FName == "CVPixelBufferCreateWithBytes" ||
3261  FName == "CVPixelBufferCreateWithPlanarBytes" ||
3262  FName == "OSAtomicEnqueue") {
3263  return true;
3264  }
3265 
3266  if (FName == "postEvent" &&
3267  FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
3268  return true;
3269  }
3270 
3271  if (FName == "connectImpl" &&
3272  FD->getQualifiedNameAsString() == "QObject::connectImpl") {
3273  return true;
3274  }
3275 
3276  // Handle cases where we know a buffer's /address/ can escape.
3277  // Note that the above checks handle some special cases where we know that
3278  // even though the address escapes, it's still our responsibility to free the
3279  // buffer.
3280  if (Call->argumentsMayEscape())
3281  return true;
3282 
3283  // Otherwise, assume that the function does not free memory.
3284  // Most system calls do not free the memory.
3285  return false;
3286 }
3287 
3288 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
3289  const InvalidatedSymbols &Escaped,
3290  const CallEvent *Call,
3291  PointerEscapeKind Kind) const {
3292  return checkPointerEscapeAux(State, Escaped, Call, Kind,
3293  /*IsConstPointerEscape*/ false);
3294 }
3295 
3296 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
3297  const InvalidatedSymbols &Escaped,
3298  const CallEvent *Call,
3299  PointerEscapeKind Kind) const {
3300  // If a const pointer escapes, it may not be freed(), but it could be deleted.
3301  return checkPointerEscapeAux(State, Escaped, Call, Kind,
3302  /*IsConstPointerEscape*/ true);
3303 }
3304 
3305 static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
3306  return (RS->getAllocationFamily() == AF_CXXNewArray ||
3307  RS->getAllocationFamily() == AF_CXXNew);
3308 }
3309 
3310 ProgramStateRef MallocChecker::checkPointerEscapeAux(
3311  ProgramStateRef State, const InvalidatedSymbols &Escaped,
3312  const CallEvent *Call, PointerEscapeKind Kind,
3313  bool IsConstPointerEscape) const {
3314  // If we know that the call does not free memory, or we want to process the
3315  // call later, keep tracking the top level arguments.
3316  SymbolRef EscapingSymbol = nullptr;
3317  if (Kind == PSK_DirectEscapeOnCall &&
3318  !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
3319  EscapingSymbol) &&
3320  !EscapingSymbol) {
3321  return State;
3322  }
3323 
3324  for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
3325  E = Escaped.end();
3326  I != E; ++I) {
3327  SymbolRef sym = *I;
3328 
3329  if (EscapingSymbol && EscapingSymbol != sym)
3330  continue;
3331 
3332  if (const RefState *RS = State->get<RegionState>(sym))
3333  if (RS->isAllocated() || RS->isAllocatedOfSizeZero())
3334  if (!IsConstPointerEscape || checkIfNewOrNewArrayFamily(RS))
3335  State = State->set<RegionState>(sym, RefState::getEscaped(RS));
3336  }
3337  return State;
3338 }
3339 
3340 bool MallocChecker::isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
3341  SVal ArgVal) const {
3342  if (!KernelZeroSizePtrValue)
3343  KernelZeroSizePtrValue =
3344  tryExpandAsInteger("ZERO_SIZE_PTR", C.getPreprocessor());
3345 
3346  const llvm::APSInt *ArgValKnown =
3347  C.getSValBuilder().getKnownValue(State, ArgVal);
3348  return ArgValKnown && *KernelZeroSizePtrValue &&
3349  ArgValKnown->getSExtValue() == **KernelZeroSizePtrValue;
3350 }
3351 
3353  ProgramStateRef prevState) {
3354  ReallocPairsTy currMap = currState->get<ReallocPairs>();
3355  ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
3356 
3357  for (const ReallocPairsTy::value_type &Pair : prevMap) {
3358  SymbolRef sym = Pair.first;
3359  if (!currMap.lookup(sym))
3360  return sym;
3361  }
3362 
3363  return nullptr;
3364 }
3365 
3367  if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
3368  StringRef N = II->getName();
3369  if (N.contains_insensitive("ptr") || N.contains_insensitive("pointer")) {
3370  if (N.contains_insensitive("ref") || N.contains_insensitive("cnt") ||
3371  N.contains_insensitive("intrusive") ||
3372  N.contains_insensitive("shared")) {
3373  return true;
3374  }
3375  }
3376  }
3377  return false;
3378 }
3379 
3380 PathDiagnosticPieceRef MallocBugVisitor::VisitNode(const ExplodedNode *N,
3381  BugReporterContext &BRC,
3382  PathSensitiveBugReport &BR) {
3383  ProgramStateRef state = N->getState();
3384  ProgramStateRef statePrev = N->getFirstPred()->getState();
3385 
3386  const RefState *RSCurr = state->get<RegionState>(Sym);
3387  const RefState *RSPrev = statePrev->get<RegionState>(Sym);
3388 
3389  const Stmt *S = N->getStmtForDiagnostics();
3390  // When dealing with containers, we sometimes want to give a note
3391  // even if the statement is missing.
3392  if (!S && (!RSCurr || RSCurr->getAllocationFamily() != AF_InnerBuffer))
3393  return nullptr;
3394 
3395  const LocationContext *CurrentLC = N->getLocationContext();
3396 
3397  // If we find an atomic fetch_add or fetch_sub within the destructor in which
3398  // the pointer was released (before the release), this is likely a destructor
3399  // of a shared pointer.
3400  // Because we don't model atomics, and also because we don't know that the
3401  // original reference count is positive, we should not report use-after-frees
3402  // on objects deleted in such destructors. This can probably be improved
3403  // through better shared pointer modeling.
3404  if (ReleaseDestructorLC) {
3405  if (const auto *AE = dyn_cast<AtomicExpr>(S)) {
3406  AtomicExpr::AtomicOp Op = AE->getOp();
3407  if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
3408  Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
3409  if (ReleaseDestructorLC == CurrentLC ||
3410  ReleaseDestructorLC->isParentOf(CurrentLC)) {
3411  BR.markInvalid(getTag(), S);
3412  }
3413  }
3414  }
3415  }
3416 
3417  // FIXME: We will eventually need to handle non-statement-based events
3418  // (__attribute__((cleanup))).
3419 
3420  // Find out if this is an interesting point and what is the kind.
3421  StringRef Msg;
3422  std::unique_ptr<StackHintGeneratorForSymbol> StackHint = nullptr;
3423  SmallString<256> Buf;
3424  llvm::raw_svector_ostream OS(Buf);
3425 
3426  if (Mode == Normal) {
3427  if (isAllocated(RSCurr, RSPrev, S)) {
3428  Msg = "Memory is allocated";
3429  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3430  Sym, "Returned allocated memory");
3431  } else if (isReleased(RSCurr, RSPrev, S)) {
3432  const auto Family = RSCurr->getAllocationFamily();
3433  switch (Family) {
3434  case AF_Alloca:
3435  case AF_Malloc:
3436  case AF_CXXNew:
3437  case AF_CXXNewArray:
3438  case AF_IfNameIndex:
3439  Msg = "Memory is released";
3440  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3441  Sym, "Returning; memory was released");
3442  break;
3443  case AF_InnerBuffer: {
3444  const MemRegion *ObjRegion =
3446  const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
3447  QualType ObjTy = TypedRegion->getValueType();
3448  OS << "Inner buffer of '" << ObjTy << "' ";
3449 
3450  if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
3451  OS << "deallocated by call to destructor";
3452  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3453  Sym, "Returning; inner buffer was deallocated");
3454  } else {
3455  OS << "reallocated by call to '";
3456  const Stmt *S = RSCurr->getStmt();
3457  if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) {
3458  OS << MemCallE->getMethodDecl()->getDeclName();
3459  } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) {
3460  OS << OpCallE->getDirectCallee()->getDeclName();
3461  } else if (const auto *CallE = dyn_cast<CallExpr>(S)) {
3462  auto &CEMgr = BRC.getStateManager().getCallEventManager();
3463  CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC);
3464  if (const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl()))
3465  OS << D->getDeclName();
3466  else
3467  OS << "unknown";
3468  }
3469  OS << "'";
3470  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3471  Sym, "Returning; inner buffer was reallocated");
3472  }
3473  Msg = OS.str();
3474  break;
3475  }
3476  case AF_None:
3477  llvm_unreachable("Unhandled allocation family!");
3478  }
3479 
3480  // See if we're releasing memory while inlining a destructor
3481  // (or one of its callees). This turns on various common
3482  // false positive suppressions.
3483  bool FoundAnyDestructor = false;
3484  for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
3485  if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
3487  // This immediately looks like a reference-counting destructor.
3488  // We're bad at guessing the original reference count of the object,
3489  // so suppress the report for now.
3490  BR.markInvalid(getTag(), DD);
3491  } else if (!FoundAnyDestructor) {
3492  assert(!ReleaseDestructorLC &&
3493  "There can be only one release point!");
3494  // Suspect that it's a reference counting pointer destructor.
3495  // On one of the next nodes might find out that it has atomic
3496  // reference counting operations within it (see the code above),
3497  // and if so, we'd conclude that it likely is a reference counting
3498  // pointer destructor.
3499  ReleaseDestructorLC = LC->getStackFrame();
3500  // It is unlikely that releasing memory is delegated to a destructor
3501  // inside a destructor of a shared pointer, because it's fairly hard
3502  // to pass the information that the pointer indeed needs to be
3503  // released into it. So we're only interested in the innermost
3504  // destructor.
3505  FoundAnyDestructor = true;
3506  }
3507  }
3508  }
3509  } else if (isRelinquished(RSCurr, RSPrev, S)) {
3510  Msg = "Memory ownership is transferred";
3511  StackHint = std::make_unique<StackHintGeneratorForSymbol>(Sym, "");
3512  } else if (hasReallocFailed(RSCurr, RSPrev, S)) {
3513  Mode = ReallocationFailed;
3514  Msg = "Reallocation failed";
3515  StackHint = std::make_unique<StackHintGeneratorForReallocationFailed>(
3516  Sym, "Reallocation failed");
3517 
3518  if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
3519  // Is it possible to fail two reallocs WITHOUT testing in between?
3520  assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
3521  "We only support one failed realloc at a time.");
3522  BR.markInteresting(sym);
3523  FailedReallocSymbol = sym;
3524  }
3525  }
3526 
3527  // We are in a special mode if a reallocation failed later in the path.
3528  } else if (Mode == ReallocationFailed) {
3529  assert(FailedReallocSymbol && "No symbol to look for.");
3530 
3531  // Is this is the first appearance of the reallocated symbol?
3532  if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
3533  // We're at the reallocation point.
3534  Msg = "Attempt to reallocate memory";
3535  StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3536  Sym, "Returned reallocated memory");
3537  FailedReallocSymbol = nullptr;
3538  Mode = Normal;
3539  }
3540  }
3541 
3542  if (Msg.empty()) {
3543  assert(!StackHint);
3544  return nullptr;
3545  }
3546 
3547  assert(StackHint);
3548 
3549  // Generate the extra diagnostic.
3550  PathDiagnosticLocation Pos;
3551  if (!S) {
3552  assert(RSCurr->getAllocationFamily() == AF_InnerBuffer);
3553  auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
3554  if (!PostImplCall)
3555  return nullptr;
3556  Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
3557  BRC.getSourceManager());
3558  } else {
3559  Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
3560  N->getLocationContext());
3561  }
3562 
3563  auto P = std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true);
3564  BR.addCallStackHint(P, std::move(StackHint));
3565  return P;
3566 }
3567 
3568 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
3569  const char *NL, const char *Sep) const {
3570 
3571  RegionStateTy RS = State->get<RegionState>();
3572 
3573  if (!RS.isEmpty()) {
3574  Out << Sep << "MallocChecker :" << NL;
3575  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3576  const RefState *RefS = State->get<RegionState>(I.getKey());
3577  AllocationFamily Family = RefS->getAllocationFamily();
3578  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
3579  if (!CheckKind.hasValue())
3580  CheckKind = getCheckIfTracked(Family, true);
3581 
3582  I.getKey()->dumpToStream(Out);
3583  Out << " : ";
3584  I.getData().dump(Out);
3585  if (CheckKind.hasValue())
3586  Out << " (" << CheckNames[*CheckKind].getName() << ")";
3587  Out << NL;
3588  }
3589  }
3590 }
3591 
3592 namespace clang {
3593 namespace ento {
3594 namespace allocation_state {
3595 
3598  AllocationFamily Family = AF_InnerBuffer;
3599  return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3600 }
3601 
3602 } // end namespace allocation_state
3603 } // end namespace ento
3604 } // end namespace clang
3605 
3606 // Intended to be used in InnerPointerChecker to register the part of
3607 // MallocChecker connected to it.
3609  MallocChecker *checker = mgr.getChecker<MallocChecker>();
3610  checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
3611  checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
3612  mgr.getCurrentCheckerName();
3613 }
3614 
3615 void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
3616  auto *checker = mgr.registerChecker<MallocChecker>();
3617  checker->ShouldIncludeOwnershipAnnotatedFunctions =
3618  mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic");
3619  checker->ShouldRegisterNoOwnershipChangeVisitor =
3620  mgr.getAnalyzerOptions().getCheckerBooleanOption(
3621  checker, "AddNoOwnershipChangeNotes");
3622 }
3623 
3624 bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {
3625  return true;
3626 }
3627 
3628 #define REGISTER_CHECKER(name) \
3629  void ento::register##name(CheckerManager &mgr) { \
3630  MallocChecker *checker = mgr.getChecker<MallocChecker>(); \
3631  checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3632  checker->CheckNames[MallocChecker::CK_##name] = \
3633  mgr.getCurrentCheckerName(); \
3634  } \
3635  \
3636  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
3637 
3638 REGISTER_CHECKER(MallocChecker)
3639 REGISTER_CHECKER(NewDeleteChecker)
3640 REGISTER_CHECKER(NewDeleteLeaksChecker)
3641 REGISTER_CHECKER(MismatchedDeallocatorChecker)
findFailedReallocSymbol
static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, ProgramStateRef prevState)
Definition: MallocChecker.cpp:3352
clang::ento::Loc::isLocType
static bool isLocType(QualType T)
Definition: SVals.h:335
clang::ento::PSK_DirectEscapeOnCall
@ PSK_DirectEscapeOnCall
The pointer has been passed to a function call directly.
Definition: CheckerManager.h:84
clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:414
clang::CXXConstructorDecl
Represents a C++ constructor within a class.
Definition: DeclCXX.h:2421
DynamicExtent.h
getDeepPointeeType
static QualType getDeepPointeeType(QualType T)
Definition: MallocChecker.cpp:1578
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
CallDescription.h
clang::LocationContext::getStackFrame
const StackFrameContext * getStackFrame() const
Definition: AnalysisDeclContext.cpp:463
clang::DeclaratorDecl::getBeginLoc
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: Decl.h:778
SVals.h
clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:210
string
string(SUBSTRING ${CMAKE_CURRENT_BINARY_DIR} 0 ${PATH_LIB_START} PATH_HEAD) string(SUBSTRING $
Definition: CMakeLists.txt:22
Ret
static bool Ret(InterpState &S, CodePtr &PC, APValue &Result)
Definition: Interp.cpp:34
clang::ast_matchers::stmt
const internal::VariadicAllOfMatcher< Stmt > stmt
Matches statements.
Definition: ASTMatchersInternal.cpp:810
clang::Decl::hasAttr
bool hasAttr() const
Definition: DeclBase.h:542
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:492
clang::ento::CheckerManager::getCurrentCheckerName
CheckerNameRef getCurrentCheckerName() const
Definition: CheckerManager.h:163
clang::ast_matchers::anyOf
const internal::VariadicOperatorMatcherFunc< 2, std::numeric_limits< unsigned >::max()> anyOf
Matches if any of the given matchers matches.
Definition: ASTMatchersInternal.cpp:989
llvm::SmallVector
Definition: LLVM.h:38
clang::SourceLocation
Encodes a location in the source.
Definition: SourceLocation.h:86
clang::ast_matchers::findAll
internal::Matcher< T > findAll(const internal::Matcher< T > &Matcher)
Matches if the node or any descendant matches.
Definition: ASTMatchers.h:3480
clang::NamedDecl
This represents a decl that may have a name.
Definition: Decl.h:247
clang::ento::registerInnerPointerCheckerAux
void registerInnerPointerCheckerAux(CheckerManager &Mgr)
Register the part of MallocChecker connected to InnerPointerChecker.
Definition: MallocChecker.cpp:3608
TargetInfo.h
clang::MultiVersionKind::Target
@ Target
clang::CXXDeleteExpr::isArrayForm
bool isArrayForm() const
Definition: ExprCXX.h:2441
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:675
Attr.h
CHECK_FN
#define CHECK_FN(NAME)
Definition: MallocChecker.cpp:368
clang::FunctionDecl::getParamDecl
const ParmVarDecl * getParamDecl(unsigned i) const
Definition: Decl.h:2526
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:55
clang::OMF_init
@ OMF_init
Definition: IdentifierTable.h:700
DeclCXX.h
ProgramState_Fwd.h
SymbolManager.h
clang::CXXNewExpr
Represents a new-expression for memory allocation and constructor calls, e.g: "new CXXNewExpr(foo)".
Definition: ExprCXX.h:2139
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: SymExpr.h:110
clang::FunctionDecl::getDeclaredReturnType
QualType getDeclaredReturnType() const
Get the declared return type, which may differ from the actual return type if the return type is dedu...
Definition: Decl.h:2574
llvm::Optional
Definition: LLVM.h:40
clang::ento::bugreporter::TrackingKind
TrackingKind
Specifies the type of tracking for an expression.
Definition: BugReporterVisitors.h:95
llvm::SmallPtrSet
Definition: ASTContext.h:82
clang::Lexer::getSourceText
static StringRef getSourceText(CharSourceRange Range, const SourceManager &SM, const LangOptions &LangOpts, bool *Invalid=nullptr)
Returns a string for the source that the range encompasses.
Definition: Lexer.cpp:962
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:295
SourceManager.h
clang::tooling::X
static ToolExecutorPluginRegistry::Add< AllTUsToolExecutorPlugin > X("all-TUs", "Runs FrontendActions on all TUs in the compilation database. " "Tool results are stored in memory.")
ASTMatchFinder.h
clang::index::SymbolRole::Call
@ Call
CommonBugCategories.h
clang::ento::Store
const void * Store
Store - This opaque type encapsulates an immutable mapping from locations to values.
Definition: StoreRef.h:27
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition: ASTContext.h:716
clang::ento::tryExpandAsInteger
llvm::Optional< int > tryExpandAsInteger(StringRef Macro, const Preprocessor &PP)
Try to parse the value of a defined preprocessor macro.
Definition: CheckerHelpers.cpp:113
printExpectedAllocName
static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family)
Print expected name of an allocator based on the deallocator's family derived from the DeallocExpr.
Definition: MallocChecker.cpp:1881
clang::PostImplicitCall
Represents a program point just after an implicit call event.
Definition: ProgramPoint.h:599
InterCheckerAPI.h
CallEvent.h
clang::ast_matchers::cxxDeleteExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CXXDeleteExpr > cxxDeleteExpr
Matches delete expressions.
Definition: ASTMatchersInternal.cpp:879
Offset
unsigned Offset
Definition: Format.cpp:2553
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:84
APSInt
llvm::APSInt APSInt
Definition: ByteCodeEmitter.cpp:19
AllocationState.h
clang::syntax::NodeRole::Parameters
@ Parameters
V
#define V(N, I)
Definition: ASTContext.h:3176
ProgramPoint.h
clang::ast_matchers
Definition: ASTMatchers.h:98
BuiltinCheckerRegistration.h
DeclTemplate.h
CASE
#define CASE(ID)
clang::Decl::specific_attrs
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
Definition: DeclBase.h:524
clang::VarDecl::isStaticLocal
bool isStaticLocal() const
Returns true if a variable with function scope is a static local variable.
Definition: Decl.h:1123
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition: PathDiagnostic.h:248
clang::XRayInstrKind::None
constexpr XRayInstrMask None
Definition: XRayInstr.h:38
CheckerManager.h
clang::BlockExpr::getBlockDecl
const BlockDecl * getBlockDecl() const
Definition: Expr.h:5982
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:208
ASTMatchers.h
clang::ASTContext::getSizeType
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Definition: ASTContext.cpp:5823
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:29
clang::FunctionDecl::getBody
Stmt * getBody(const FunctionDecl *&Definition) const
Retrieve the body (definition) of the function.
Definition: Decl.cpp:3092
clang::LocationContext::isParentOf
bool isParentOf(const LocationContext *LC) const
Definition: AnalysisDeclContext.cpp:477
clang::CallExpr::getArg
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2992
clang::CXXDestructorDecl
Represents a C++ destructor within a class.
Definition: DeclCXX.h:2688
didPreviousFreeFail
static bool didPreviousFreeFail(ProgramStateRef State, SymbolRef Sym, SymbolRef &RetStatusSymbol)
Checks if the previous call to free on the given symbol failed - if free failed, returns true.
Definition: MallocChecker.cpp:1829
Expr.h
llvm::SmallString
Definition: LLVM.h:37
clang::interp::Zero
bool Zero(InterpState &S, CodePtr OpPC)
Definition: Interp.h:814
REGISTER_SET_WITH_PROGRAMSTATE
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:109
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:874
clang::CallEnter::getCallExpr
const Stmt * getCallExpr() const
Definition: ProgramPoint.h:635
clang::Type::getPointeeType
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition: Type.cpp:625
clang::ento::bugreporter::TrackingKind::Thorough
@ Thorough
Default tracking kind – specifies that as much information should be gathered about the tracked expre...
clang::CXXConstructExpr::getConstructor
CXXConstructorDecl * getConstructor() const
Get the constructor that this expression will (ultimately) call.
Definition: ExprCXX.h:1532
clang::Type::getAsCXXRecordDecl
CXXRecordDecl * getAsCXXRecordDecl() const
Retrieves the CXXRecordDecl that this type refers to, either because the type is a RecordType or beca...
Definition: Type.cpp:1759
clang::getOperatorSpelling
const char * getOperatorSpelling(OverloadedOperatorKind Operator)
Retrieve the spelling of the given overloaded operator, without the preceding "operator" keyword.
Definition: IdentifierTable.cpp:747
ExprCXX.h
Label
std::string Label
Definition: UsingDeclarationsSorter.cpp:69
clang::FunctionDecl::getOverloadedOperator
OverloadedOperatorKind getOverloadedOperator() const
getOverloadedOperator - Which C++ overloaded operator this function represents, if any.
Definition: Decl.cpp:3715
clang::AtomicExpr::AtomicOp
AtomicOp
Definition: Expr.h:6236
clang::ObjCMessageExpr
An expression that sends a message to the given Objective-C object or class.
Definition: ExprObjC.h:940
ExplodedGraph.h
clang::OverloadedOperatorKind
OverloadedOperatorKind
Enumeration specifying the different kinds of C++ overloaded operators.
Definition: OperatorKinds.h:21
state
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
Definition: README.txt:30
clang::FunctionDecl::hasBody
bool hasBody(const FunctionDecl *&Definition) const
Returns true if the function has a body.
Definition: Decl.cpp:3012
clang::BlockDecl::hasCaptures
bool hasCaptures() const
True if this block (or its nested blocks) captures anything of local storage from its enclosing scope...
Definition: Decl.h:4320
clang::LocationContext::getParent
const LocationContext * getParent() const
Definition: AnalysisDeclContext.h:243
clang::QualType::getDesugaredType
QualType getDesugaredType(const ASTContext &Context) const
Return the specified type with any "sugar" removed from the type.
Definition: Type.h:987
clang::ento::CheckerManager::getChecker
CHECKER * getChecker()
Definition: CheckerManager.h:218
clang::TargetInfo::getTriple
const llvm::Triple & getTriple() const
Returns the target triple of the primary target.
Definition: TargetInfo.h:1160
clang::ASTContext::UnsignedLongTy
CanQualType UnsignedLongTy
Definition: ASTContext.h:1106
clang::ento::categories::MemoryError
const char *const MemoryError
Definition: CommonBugCategories.cpp:20
clang::ParentMap
Definition: ParentMap.h:20
checkIfNewOrNewArrayFamily
static bool checkIfNewOrNewArrayFamily(const RefState *RS)
Definition: MallocChecker.cpp:3305
P
StringRef P
Definition: ASTMatchersInternal.cpp:563
printExpectedDeallocName
static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family)
Print expected name of a deallocator based on the allocator's family.
Definition: MallocChecker.cpp:1894
isReferenceCountingPointerDestructor
static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD)
Definition: MallocChecker.cpp:3366
clang::ASTContext::VoidPtrTy
CanQualType VoidPtrTy
Definition: ASTContext.h:1123
clang::Decl::hasAttrs
bool hasAttrs() const
Definition: DeclBase.h:484
clang::syntax::NodeRole::Size
@ Size
BugType.h
clang::NamedDecl::getIdentifier
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:268
clang::ento::allocation_state::getInnerPointerBRVisitor
std::unique_ptr< BugReporterVisitor > getInnerPointerBRVisitor(SymbolRef Sym)
This function provides an additional visitor that augments the bug report with information relevant t...
Definition: InnerPointerChecker.cpp:288
clang::ProgramPoint::PostImplicitCallKind
@ PostImplicitCallKind
Definition: ProgramPoint.h:82
dump
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
Definition: CoverageMappingGen.cpp:1519
clang::CharSourceRange::getTokenRange
static CharSourceRange getTokenRange(SourceRange R)
Definition: SourceLocation.h:261
clang::CallExpr::getNumArgs
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2979
clang::CXXDeleteExpr
Represents a delete expression for memory deallocation and destructor calls, e.g.
Definition: ExprCXX.h:2415
hasNonTrivialConstructorCall
static bool hasNonTrivialConstructorCall(const CXXNewExpr *NE)
Definition: MallocChecker.cpp:1589
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:740
clang::BlockExpr
BlockExpr - Adaptor class for mixing a BlockDecl with expressions.
Definition: Expr.h:5970
llvm::ArrayRef
Definition: LLVM.h:34
printMemFnName
static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E)
Print names of allocators and deallocators.
Definition: MallocChecker.cpp:1842
Lexer.h
clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:83
clang::ento::CDF_MaybeBuiltin
@ CDF_MaybeBuiltin
Describes a C standard function that is sometimes implemented as a macro that expands to a compiler b...
Definition: CallDescription.h:38
LLVM.h
clang::ASTContext::CharTy
CanQualType CharTy
Definition: ASTContext.h:1098
State
LineState State
Definition: UnwrappedLineFormatter.cpp:1090
clang::NamedDecl::getQualifiedNameAsString
std::string getQualifiedNameAsString() const
Definition: Decl.cpp:1605
clang::ast_matchers::callExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CallExpr > callExpr
Matches call expressions.
Definition: ASTMatchersInternal.cpp:817
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:84
clang::ASTContext::getTargetInfo
const TargetInfo & getTargetInfo() const
Definition: ASTContext.h:768
isStandardNewDelete
static bool isStandardNewDelete(const FunctionDecl *FD)
Tells if the callee is one of the builtin new/delete operators, including placement operators and oth...
Definition: MallocChecker.cpp:1087
CheckerContext.h
clang::ento::allocation_state::getContainerObjRegion
const MemRegion * getContainerObjRegion(ProgramStateRef State, SymbolRef Sym)
'Sym' represents a pointer to the inner buffer of a container object.
Definition: InnerPointerChecker.cpp:292
clang::ObjCPropertyAttribute::Kind
Kind
Definition: DeclObjCCommon.h:22
ProgramState.h
Checker.h
MallocUpdateRefState
static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, AllocationFamily Family, Optional< SVal > RetVal=None)
Update the RefState to reflect the new memory allocation.
Definition: MallocChecker.cpp:1764
std
Definition: Format.h:4296
clang::interp::NE
bool NE(InterpState &S, CodePtr OpPC)
Definition: Interp.h:225
ParentMap.h
clang::ento::CheckerManager
Definition: CheckerManager.h:126
clang::IdentifierInfo::getName
StringRef getName() const
Return the actual identifier string.
Definition: IdentifierTable.h:195
clang::Builtin::ID
ID
Definition: Builtins.h:51
clang
Definition: CalledOnceCheck.h:17
clang::Selector
Smart pointer class that efficiently represents Objective-C method names.
Definition: IdentifierTable.h:752
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:69
clang::Decl::print
void print(raw_ostream &Out, unsigned Indentation=0, bool PrintInstantiation=false) const
Definition: DeclPrinter.cpp:124
clang::SourceManager::isInSystemHeader
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
Definition: SourceManager.h:1493
clang::ast_matchers::match
SmallVector< BoundNodes, 1 > match(MatcherT Matcher, const NodeT &Node, ASTContext &Context)
Returns the results of matching Matcher on Node.
Definition: ASTMatchFinder.h:312
isStandardRealloc
static bool isStandardRealloc(const CallEvent &Call)
Definition: MallocChecker.cpp:1254
CheckerHelpers.h
clang::Expr::getType
QualType getType() const
Definition: Expr.h:141
clang::SourceLocation::isValid
bool isValid() const
Return true if this is a valid SourceLocation object.
Definition: SourceLocation.h:110
clang::ento::PathDiagnosticLocation::createBegin
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Definition: PathDiagnostic.cpp:580
clang::OverloadCandidateParamOrder::Normal
@ Normal
s
__device__ __2f16 float bool s
Definition: __clang_hip_libdevice_declares.h:315
clang::CXXDeleteExpr::getArgument
Expr * getArgument()
Definition: ExprCXX.h:2456
isGRealloc
static bool isGRealloc(const CallEvent &Call)
Definition: MallocChecker.cpp:1268
clang::ento::PointerEscapeKind
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Definition: CheckerManager.h:78
isReleased
static bool isReleased(SymbolRef Sym, CheckerContext &C)
Check if the memory associated with this symbol was released.
Definition: MallocChecker.cpp:3005
clang::CallEnter
Represents a point when we begin processing an inlined call.
Definition: ProgramPoint.h:629
clang::ast_matchers::BoundNodes
Maps string IDs to AST nodes matched by parts of a matcher.
Definition: ASTMatchers.h:107
clang::ento::setDynamicExtent
ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal Extent, SValBuilder &SVB)
Set the dynamic extent Extent of the region MR.
clang::ento::allocation_state::markReleased
ProgramStateRef markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin)
Definition: MallocChecker.cpp:3597
isKnownDeallocObjCMethodName
static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call)
Definition: MallocChecker.cpp:1654
llvm::SmallVectorImpl
Definition: Randstruct.h:18
clang::ParentMap::isConsumedExpr
bool isConsumedExpr(Expr *E) const
Definition: ParentMap.cpp:170
clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:685
ProgramStateTrait.h
clang::Expr
This represents one expression.
Definition: Expr.h:109
clang::ento::InvalidatedSymbols
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
clang::FunctionDecl::parameters
ArrayRef< ParmVarDecl * > parameters() const
Definition: Decl.h:2503
clang::Decl::getLocation
SourceLocation getLocation() const
Definition: DeclBase.h:425
clang::DeclRefExpr
A reference to a declared variable, function, enum, etc.
Definition: Expr.h:1223
GCCTypeClass::None
@ None
clang::LocationContext::getDecl
const Decl * getDecl() const
Definition: AnalysisDeclContext.h:247
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1872
StoreRef.h
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2801
REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition: MallocChecker.cpp:3628
clang::CXXConstructExpr
Represents a call to a C++ constructor.
Definition: ExprCXX.h:1460
getFreeWhenDoneArg
static Optional< bool > getFreeWhenDoneArg(const ObjCMethodCall &Call)
Definition: MallocChecker.cpp:1666
clang::operator==
bool operator==(const CallGraphNode::CallRecord &LHS, const CallGraphNode::CallRecord &RHS)
Definition: CallGraph.h:207
llvm::IntrusiveRefCntPtr< const ProgramState >
abs
__DEVICE__ long long abs(long long __n)
Definition: __clang_cuda_cmath.h:41
clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:2764
clang::CXXMethodDecl::getParent
const CXXRecordDecl * getParent() const
Return the parent of this method declaration, which is the class in which this method is defined.
Definition: DeclCXX.h:2083
clang::NamedDecl::getName
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:274