clang  10.0.0svn
MallocChecker.cpp
Go to the documentation of this file.
1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines malloc/free checker, which checks for potential memory
10 // leaks, double free, and use-after-free problems.
11 //
12 //===----------------------------------------------------------------------===//
13 
15 #include "InterCheckerAPI.h"
16 #include "clang/AST/Attr.h"
17 #include "clang/AST/ParentMap.h"
19 #include "clang/Basic/TargetInfo.h"
20 #include "clang/Lex/Lexer.h"
30 #include "llvm/ADT/STLExtras.h"
31 #include "llvm/ADT/SmallString.h"
32 #include "llvm/ADT/StringExtras.h"
33 #include "AllocationState.h"
34 #include <climits>
35 #include <utility>
36 
37 using namespace clang;
38 using namespace ento;
39 
40 namespace {
41 
42 // Used to check correspondence between allocators and deallocators.
44  AF_None,
45  AF_Malloc,
46  AF_CXXNew,
47  AF_CXXNewArray,
48  AF_IfNameIndex,
49  AF_Alloca,
50  AF_InnerBuffer
51 };
52 
53 class RefState {
54  enum Kind { // Reference to allocated memory.
55  Allocated,
56  // Reference to zero-allocated memory.
57  AllocatedOfSizeZero,
58  // Reference to released/freed memory.
59  Released,
60  // The responsibility for freeing resources has transferred from
61  // this reference. A relinquished symbol should not be freed.
62  Relinquished,
63  // We are no longer guaranteed to have observed all manipulations
64  // of this pointer/memory. For example, it could have been
65  // passed as a parameter to an opaque function.
66  Escaped
67  };
68 
69  const Stmt *S;
70  unsigned K : 3; // Kind enum, but stored as a bitfield.
71  unsigned Family : 29; // Rest of 32-bit word, currently just an allocation
72  // family.
73 
74  RefState(Kind k, const Stmt *s, unsigned family)
75  : S(s), K(k), Family(family) {
76  assert(family != AF_None);
77  }
78 public:
79  bool isAllocated() const { return K == Allocated; }
80  bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
81  bool isReleased() const { return K == Released; }
82  bool isRelinquished() const { return K == Relinquished; }
83  bool isEscaped() const { return K == Escaped; }
84  AllocationFamily getAllocationFamily() const {
85  return (AllocationFamily)Family;
86  }
87  const Stmt *getStmt() const { return S; }
88 
89  bool operator==(const RefState &X) const {
90  return K == X.K && S == X.S && Family == X.Family;
91  }
92 
93  static RefState getAllocated(unsigned family, const Stmt *s) {
94  return RefState(Allocated, s, family);
95  }
96  static RefState getAllocatedOfSizeZero(const RefState *RS) {
97  return RefState(AllocatedOfSizeZero, RS->getStmt(),
98  RS->getAllocationFamily());
99  }
100  static RefState getReleased(unsigned family, const Stmt *s) {
101  return RefState(Released, s, family);
102  }
103  static RefState getRelinquished(unsigned family, const Stmt *s) {
104  return RefState(Relinquished, s, family);
105  }
106  static RefState getEscaped(const RefState *RS) {
107  return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
108  }
109 
110  void Profile(llvm::FoldingSetNodeID &ID) const {
111  ID.AddInteger(K);
112  ID.AddPointer(S);
113  ID.AddInteger(Family);
114  }
115 
116  void dump(raw_ostream &OS) const {
117  switch (static_cast<Kind>(K)) {
118 #define CASE(ID) case ID: OS << #ID; break;
119  CASE(Allocated)
120  CASE(AllocatedOfSizeZero)
121  CASE(Released)
122  CASE(Relinquished)
123  CASE(Escaped)
124  }
125  }
126 
127  LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
128 };
129 
131  RPToBeFreedAfterFailure,
132  // The symbol has been freed when reallocation failed.
133  RPIsFreeOnFailure,
134  // The symbol does not need to be freed after reallocation fails.
135  RPDoNotTrackAfterFailure
136 };
137 
138 /// \class ReallocPair
139 /// Stores information about the symbol being reallocated by a call to
140 /// 'realloc' to allow modeling failed reallocation later in the path.
141 struct ReallocPair {
142  // The symbol which realloc reallocated.
143  SymbolRef ReallocatedSym;
145 
146  ReallocPair(SymbolRef S, ReallocPairKind K) :
147  ReallocatedSym(S), Kind(K) {}
148  void Profile(llvm::FoldingSetNodeID &ID) const {
149  ID.AddInteger(Kind);
150  ID.AddPointer(ReallocatedSym);
151  }
152  bool operator==(const ReallocPair &X) const {
153  return ReallocatedSym == X.ReallocatedSym &&
154  Kind == X.Kind;
155  }
156 };
157 
158 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo;
159 
160 class MallocChecker : public Checker<check::DeadSymbols,
161  check::PointerEscape,
162  check::ConstPointerEscape,
163  check::PreStmt<ReturnStmt>,
164  check::EndFunction,
165  check::PreCall,
166  check::PostStmt<CallExpr>,
167  check::PostStmt<CXXNewExpr>,
168  check::NewAllocator,
169  check::PreStmt<CXXDeleteExpr>,
170  check::PostStmt<BlockExpr>,
171  check::PostObjCMessage,
172  check::Location,
173  eval::Assume>
174 {
175 public:
176  MallocChecker()
177  : II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr),
178  II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),
179  II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),
180  II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr),
181  II_kfree(nullptr), II_if_nameindex(nullptr),
182  II_if_freenameindex(nullptr), II_wcsdup(nullptr),
183  II_win_wcsdup(nullptr), II_g_malloc(nullptr), II_g_malloc0(nullptr),
184  II_g_realloc(nullptr), II_g_try_malloc(nullptr),
185  II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr),
186  II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr),
187  II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr),
188  II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr),
189  II_g_try_realloc_n(nullptr) {}
190 
191  /// In pessimistic mode, the checker assumes that it does not know which
192  /// functions might free the memory.
193  enum CheckKind {
194  CK_MallocChecker,
195  CK_NewDeleteChecker,
196  CK_NewDeleteLeaksChecker,
197  CK_MismatchedDeallocatorChecker,
198  CK_InnerPointerChecker,
199  CK_NumCheckKinds
200  };
201 
202  enum class MemoryOperationKind {
203  MOK_Allocate,
204  MOK_Free,
205  MOK_Any
206  };
207 
208  DefaultBool IsOptimistic;
209 
210  DefaultBool ChecksEnabled[CK_NumCheckKinds];
211  CheckName CheckNames[CK_NumCheckKinds];
212 
213  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
214  void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
215  void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
216  void checkNewAllocator(const CXXNewExpr *NE, SVal Target,
217  CheckerContext &C) const;
218  void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
219  void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
220  void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
221  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
222  void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
223  void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
224  ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
225  bool Assumption) const;
226  void checkLocation(SVal l, bool isLoad, const Stmt *S,
227  CheckerContext &C) const;
228 
229  ProgramStateRef checkPointerEscape(ProgramStateRef State,
230  const InvalidatedSymbols &Escaped,
231  const CallEvent *Call,
232  PointerEscapeKind Kind) const;
233  ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
234  const InvalidatedSymbols &Escaped,
235  const CallEvent *Call,
236  PointerEscapeKind Kind) const;
237 
238  void printState(raw_ostream &Out, ProgramStateRef State,
239  const char *NL, const char *Sep) const override;
240 
241 private:
242  mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
243  mutable std::unique_ptr<BugType> BT_DoubleDelete;
244  mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
245  mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
246  mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
247  mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
248  mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
249  mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
250  mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
251  mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free,
252  *II_realloc, *II_calloc, *II_valloc, *II_reallocf,
253  *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc,
254  *II_kfree, *II_if_nameindex, *II_if_freenameindex,
255  *II_wcsdup, *II_win_wcsdup, *II_g_malloc,
256  *II_g_malloc0, *II_g_realloc, *II_g_try_malloc,
257  *II_g_try_malloc0, *II_g_try_realloc, *II_g_free,
258  *II_g_memdup, *II_g_malloc_n, *II_g_malloc0_n,
259  *II_g_realloc_n, *II_g_try_malloc_n,
260  *II_g_try_malloc0_n, *II_g_try_realloc_n;
261  mutable Optional<uint64_t> KernelZeroFlagVal;
262 
263  void initIdentifierInfo(ASTContext &C) const;
264 
265  /// Determine family of a deallocation expression.
266  AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const;
267 
268  /// Print names of allocators and deallocators.
269  ///
270  /// \returns true on success.
271  bool printAllocDeallocName(raw_ostream &os, CheckerContext &C,
272  const Expr *E) const;
273 
274  /// Print expected name of an allocator based on the deallocator's
275  /// family derived from the DeallocExpr.
276  void printExpectedAllocName(raw_ostream &os, CheckerContext &C,
277  const Expr *DeallocExpr) const;
278  /// Print expected name of a deallocator based on the allocator's
279  /// family.
280  void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const;
281 
282  ///@{
283  /// Check if this is one of the functions which can allocate/reallocate memory
284  /// pointed to by one of its arguments.
285  bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
286  bool isCMemFunction(const FunctionDecl *FD,
287  ASTContext &C,
288  AllocationFamily Family,
289  MemoryOperationKind MemKind) const;
290  bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;
291  ///@}
292 
293  /// Process C++ operator new()'s allocation, which is the part of C++
294  /// new-expression that goes before the constructor.
295  void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C,
296  SVal Target) const;
297 
298  /// Perform a zero-allocation check.
299  /// The optional \p RetVal parameter specifies the newly allocated pointer
300  /// value; if unspecified, the value of expression \p E is used.
301  ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E,
302  const unsigned AllocationSizeArg,
303  ProgramStateRef State,
304  Optional<SVal> RetVal = None) const;
305 
306  ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
307  const CallExpr *CE,
308  const OwnershipAttr* Att,
309  ProgramStateRef State) const;
310  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
311  const Expr *SizeEx, SVal Init,
312  ProgramStateRef State,
313  AllocationFamily Family = AF_Malloc);
314  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
315  SVal SizeEx, SVal Init,
316  ProgramStateRef State,
317  AllocationFamily Family = AF_Malloc);
318 
319  static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE,
320  ProgramStateRef State, SVal Target);
321 
322  // Check if this malloc() for special flags. At present that means M_ZERO or
323  // __GFP_ZERO (in which case, treat it like calloc).
325  performKernelMalloc(const CallExpr *CE, CheckerContext &C,
326  const ProgramStateRef &State) const;
327 
328  /// Update the RefState to reflect the new memory allocation.
329  /// The optional \p RetVal parameter specifies the newly allocated pointer
330  /// value; if unspecified, the value of expression \p E is used.
331  static ProgramStateRef
332  MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
333  AllocationFamily Family = AF_Malloc,
334  Optional<SVal> RetVal = None);
335 
336  ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE,
337  const OwnershipAttr* Att,
338  ProgramStateRef State) const;
339  ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
340  ProgramStateRef state, unsigned Num,
341  bool Hold,
342  bool &ReleasedAllocated,
343  bool ReturnsNullOnFailure = false) const;
344  ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg,
345  const Expr *ParentExpr,
346  ProgramStateRef State,
347  bool Hold,
348  bool &ReleasedAllocated,
349  bool ReturnsNullOnFailure = false) const;
350 
351  ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE,
352  bool FreesMemOnFailure,
353  ProgramStateRef State,
354  bool SuffixWithN = false) const;
355  static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
356  const Expr *BlockBytes);
357  static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,
358  ProgramStateRef State);
359 
360  /// Check if the memory associated with this symbol was released.
361  bool isReleased(SymbolRef Sym, CheckerContext &C) const;
362 
363  /// See if deallocation happens in a suspicious context. If so, escape the
364  /// pointers that otherwise would have been deallocated and return true.
365  bool suppressDeallocationsInSuspiciousContexts(const CallExpr *CE,
366  CheckerContext &C) const;
367 
368  bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
369 
370  void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
371  const Stmt *S) const;
372 
373  bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
374 
375  /// Check if the function is known free memory, or if it is
376  /// "interesting" and should be modeled explicitly.
377  ///
378  /// \param [out] EscapingSymbol A function might not free memory in general,
379  /// but could be known to free a particular symbol. In this case, false is
380  /// returned and the single escaping symbol is returned through the out
381  /// parameter.
382  ///
383  /// We assume that pointers do not escape through calls to system functions
384  /// not handled by this checker.
385  bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
386  ProgramStateRef State,
387  SymbolRef &EscapingSymbol) const;
388 
389  // Implementation of the checkPointerEscape callbacks.
390  ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
391  const InvalidatedSymbols &Escaped,
392  const CallEvent *Call,
393  PointerEscapeKind Kind,
394  bool(*CheckRefState)(const RefState*)) const;
395 
396  // Implementation of the checkPreStmt and checkEndFunction callbacks.
397  void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
398 
399  ///@{
400  /// Tells if a given family/call/symbol is tracked by the current checker.
401  /// Sets CheckKind to the kind of the checker responsible for this
402  /// family/call/symbol.
403  Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
404  bool IsALeakCheck = false) const;
405  Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
406  const Stmt *AllocDeallocStmt,
407  bool IsALeakCheck = false) const;
408  Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
409  bool IsALeakCheck = false) const;
410  ///@}
411  static bool SummarizeValue(raw_ostream &os, SVal V);
412  static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
413  void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
414  const Expr *DeallocExpr) const;
415  void ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
416  SourceRange Range) const;
417  void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
418  const Expr *DeallocExpr, const RefState *RS,
419  SymbolRef Sym, bool OwnershipTransferred) const;
420  void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
421  const Expr *DeallocExpr,
422  const Expr *AllocExpr = nullptr) const;
423  void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
424  SymbolRef Sym) const;
425  void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
426  SymbolRef Sym, SymbolRef PrevSym) const;
427 
428  void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
429 
430  void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range,
431  SymbolRef Sym) const;
432 
433  void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
434  SourceRange Range, const Expr *FreeExpr) const;
435 
436  /// Find the location of the allocation for Sym on the path leading to the
437  /// exploded node N.
438  LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
439  CheckerContext &C) const;
440 
441  void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
442 
443  /// The bug visitor which allows us to print extra diagnostics along the
444  /// BugReport path. For example, showing the allocation site of the leaked
445  /// region.
446  class MallocBugVisitor final : public BugReporterVisitor {
447  protected:
448  enum NotificationMode {
449  Normal,
450  ReallocationFailed
451  };
452 
453  // The allocated region symbol tracked by the main analysis.
454  SymbolRef Sym;
455 
456  // The mode we are in, i.e. what kind of diagnostics will be emitted.
457  NotificationMode Mode;
458 
459  // A symbol from when the primary region should have been reallocated.
460  SymbolRef FailedReallocSymbol;
461 
462  // A C++ destructor stack frame in which memory was released. Used for
463  // miscellaneous false positive suppression.
464  const StackFrameContext *ReleaseDestructorLC;
465 
466  bool IsLeak;
467 
468  public:
469  MallocBugVisitor(SymbolRef S, bool isLeak = false)
470  : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
471  ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
472 
473  static void *getTag() {
474  static int Tag = 0;
475  return &Tag;
476  }
477 
478  void Profile(llvm::FoldingSetNodeID &ID) const override {
479  ID.AddPointer(getTag());
480  ID.AddPointer(Sym);
481  }
482 
483  inline bool isAllocated(const RefState *S, const RefState *SPrev,
484  const Stmt *Stmt) {
485  // Did not track -> allocated. Other state (released) -> allocated.
486  return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) &&
487  (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
488  (!SPrev || !(SPrev->isAllocated() ||
489  SPrev->isAllocatedOfSizeZero())));
490  }
491 
492  inline bool isReleased(const RefState *S, const RefState *SPrev,
493  const Stmt *Stmt) {
494  // Did not track -> released. Other state (allocated) -> released.
495  // The statement associated with the release might be missing.
496  bool IsReleased = (S && S->isReleased()) &&
497  (!SPrev || !SPrev->isReleased());
498  assert(!IsReleased ||
499  (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) ||
500  (!Stmt && S->getAllocationFamily() == AF_InnerBuffer));
501  return IsReleased;
502  }
503 
504  inline bool isRelinquished(const RefState *S, const RefState *SPrev,
505  const Stmt *Stmt) {
506  // Did not track -> relinquished. Other state (allocated) -> relinquished.
507  return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) ||
508  isa<ObjCPropertyRefExpr>(Stmt)) &&
509  (S && S->isRelinquished()) &&
510  (!SPrev || !SPrev->isRelinquished()));
511  }
512 
513  inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev,
514  const Stmt *Stmt) {
515  // If the expression is not a call, and the state change is
516  // released -> allocated, it must be the realloc return value
517  // check. If we have to handle more cases here, it might be cleaner just
518  // to track this extra bit in the state itself.
519  return ((!Stmt || !isa<CallExpr>(Stmt)) &&
520  (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
521  (SPrev && !(SPrev->isAllocated() ||
522  SPrev->isAllocatedOfSizeZero())));
523  }
524 
525  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
526  BugReporterContext &BRC,
527  BugReport &BR) override;
528 
529  std::shared_ptr<PathDiagnosticPiece>
530  getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode,
531  BugReport &BR) override {
532  if (!IsLeak)
533  return nullptr;
534 
535  PathDiagnosticLocation L =
537  BRC.getSourceManager());
538  // Do not add the statement itself as a range in case of leak.
539  return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(),
540  false);
541  }
542 
543  private:
544  class StackHintGeneratorForReallocationFailed
545  : public StackHintGeneratorForSymbol {
546  public:
547  StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
548  : StackHintGeneratorForSymbol(S, M) {}
549 
550  std::string getMessageForArg(const Expr *ArgE,
551  unsigned ArgIndex) override {
552  // Printed parameters start at 1, not 0.
553  ++ArgIndex;
554 
555  SmallString<200> buf;
556  llvm::raw_svector_ostream os(buf);
557 
558  os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
559  << " parameter failed";
560 
561  return os.str();
562  }
563 
564  std::string getMessageForReturn(const CallExpr *CallExpr) override {
565  return "Reallocation of returned value failed";
566  }
567  };
568  };
569 };
570 } // end anonymous namespace
571 
572 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
573 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
574 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
575 
576 // A map from the freed symbol to the symbol representing the return value of
577 // the free function.
579 
580 namespace {
581 class StopTrackingCallback final : public SymbolVisitor {
583 public:
584  StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
585  ProgramStateRef getState() const { return state; }
586 
587  bool VisitSymbol(SymbolRef sym) override {
588  state = state->remove<RegionState>(sym);
589  return true;
590  }
591 };
592 } // end anonymous namespace
593 
594 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
595  if (II_malloc)
596  return;
597  II_alloca = &Ctx.Idents.get("alloca");
598  II_malloc = &Ctx.Idents.get("malloc");
599  II_free = &Ctx.Idents.get("free");
600  II_realloc = &Ctx.Idents.get("realloc");
601  II_reallocf = &Ctx.Idents.get("reallocf");
602  II_calloc = &Ctx.Idents.get("calloc");
603  II_valloc = &Ctx.Idents.get("valloc");
604  II_strdup = &Ctx.Idents.get("strdup");
605  II_strndup = &Ctx.Idents.get("strndup");
606  II_wcsdup = &Ctx.Idents.get("wcsdup");
607  II_kmalloc = &Ctx.Idents.get("kmalloc");
608  II_kfree = &Ctx.Idents.get("kfree");
609  II_if_nameindex = &Ctx.Idents.get("if_nameindex");
610  II_if_freenameindex = &Ctx.Idents.get("if_freenameindex");
611 
612  //MSVC uses `_`-prefixed instead, so we check for them too.
613  II_win_strdup = &Ctx.Idents.get("_strdup");
614  II_win_wcsdup = &Ctx.Idents.get("_wcsdup");
615  II_win_alloca = &Ctx.Idents.get("_alloca");
616 
617  // Glib
618  II_g_malloc = &Ctx.Idents.get("g_malloc");
619  II_g_malloc0 = &Ctx.Idents.get("g_malloc0");
620  II_g_realloc = &Ctx.Idents.get("g_realloc");
621  II_g_try_malloc = &Ctx.Idents.get("g_try_malloc");
622  II_g_try_malloc0 = &Ctx.Idents.get("g_try_malloc0");
623  II_g_try_realloc = &Ctx.Idents.get("g_try_realloc");
624  II_g_free = &Ctx.Idents.get("g_free");
625  II_g_memdup = &Ctx.Idents.get("g_memdup");
626  II_g_malloc_n = &Ctx.Idents.get("g_malloc_n");
627  II_g_malloc0_n = &Ctx.Idents.get("g_malloc0_n");
628  II_g_realloc_n = &Ctx.Idents.get("g_realloc_n");
629  II_g_try_malloc_n = &Ctx.Idents.get("g_try_malloc_n");
630  II_g_try_malloc0_n = &Ctx.Idents.get("g_try_malloc0_n");
631  II_g_try_realloc_n = &Ctx.Idents.get("g_try_realloc_n");
632 }
633 
634 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const {
635  if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any))
636  return true;
637 
638  if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
639  return true;
640 
641  if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any))
642  return true;
643 
644  if (isStandardNewDelete(FD, C))
645  return true;
646 
647  return false;
648 }
649 
650 bool MallocChecker::isCMemFunction(const FunctionDecl *FD,
651  ASTContext &C,
652  AllocationFamily Family,
653  MemoryOperationKind MemKind) const {
654  if (!FD)
655  return false;
656 
657  bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any ||
658  MemKind == MemoryOperationKind::MOK_Free);
659  bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any ||
660  MemKind == MemoryOperationKind::MOK_Allocate);
661 
662  if (FD->getKind() == Decl::Function) {
663  const IdentifierInfo *FunI = FD->getIdentifier();
664  initIdentifierInfo(C);
665 
666  if (Family == AF_Malloc && CheckFree) {
667  if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf ||
668  FunI == II_g_free || FunI == II_kfree)
669  return true;
670  }
671 
672  if (Family == AF_Malloc && CheckAlloc) {
673  if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf ||
674  FunI == II_calloc || FunI == II_valloc || FunI == II_strdup ||
675  FunI == II_win_strdup || FunI == II_strndup || FunI == II_wcsdup ||
676  FunI == II_win_wcsdup || FunI == II_kmalloc ||
677  FunI == II_g_malloc || FunI == II_g_malloc0 ||
678  FunI == II_g_realloc || FunI == II_g_try_malloc ||
679  FunI == II_g_try_malloc0 || FunI == II_g_try_realloc ||
680  FunI == II_g_memdup || FunI == II_g_malloc_n ||
681  FunI == II_g_malloc0_n || FunI == II_g_realloc_n ||
682  FunI == II_g_try_malloc_n || FunI == II_g_try_malloc0_n ||
683  FunI == II_g_try_realloc_n)
684  return true;
685  }
686 
687  if (Family == AF_IfNameIndex && CheckFree) {
688  if (FunI == II_if_freenameindex)
689  return true;
690  }
691 
692  if (Family == AF_IfNameIndex && CheckAlloc) {
693  if (FunI == II_if_nameindex)
694  return true;
695  }
696 
697  if (Family == AF_Alloca && CheckAlloc) {
698  if (FunI == II_alloca || FunI == II_win_alloca)
699  return true;
700  }
701  }
702 
703  if (Family != AF_Malloc)
704  return false;
705 
706  if (IsOptimistic && FD->hasAttrs()) {
707  for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
708  OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
709  if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) {
710  if (CheckFree)
711  return true;
712  } else if (OwnKind == OwnershipAttr::Returns) {
713  if (CheckAlloc)
714  return true;
715  }
716  }
717  }
718 
719  return false;
720 }
721 
722 // Tells if the callee is one of the builtin new/delete operators, including
723 // placement operators and other standard overloads.
724 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD,
725  ASTContext &C) const {
726  if (!FD)
727  return false;
728 
730  if (Kind != OO_New && Kind != OO_Array_New &&
731  Kind != OO_Delete && Kind != OO_Array_Delete)
732  return false;
733 
734  // This is standard if and only if it's not defined in a user file.
735  SourceLocation L = FD->getLocation();
736  // If the header for operator delete is not included, it's still defined
737  // in an invalid source location. Check to make sure we don't crash.
738  return !L.isValid() || C.getSourceManager().isInSystemHeader(L);
739 }
740 
741 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc(
742  const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const {
743  // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
744  //
745  // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
746  //
747  // One of the possible flags is M_ZERO, which means 'give me back an
748  // allocation which is already zeroed', like calloc.
749 
750  // 2-argument kmalloc(), as used in the Linux kernel:
751  //
752  // void *kmalloc(size_t size, gfp_t flags);
753  //
754  // Has the similar flag value __GFP_ZERO.
755 
756  // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
757  // code could be shared.
758 
759  ASTContext &Ctx = C.getASTContext();
760  llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
761 
762  if (!KernelZeroFlagVal.hasValue()) {
763  if (OS == llvm::Triple::FreeBSD)
764  KernelZeroFlagVal = 0x0100;
765  else if (OS == llvm::Triple::NetBSD)
766  KernelZeroFlagVal = 0x0002;
767  else if (OS == llvm::Triple::OpenBSD)
768  KernelZeroFlagVal = 0x0008;
769  else if (OS == llvm::Triple::Linux)
770  // __GFP_ZERO
771  KernelZeroFlagVal = 0x8000;
772  else
773  // FIXME: We need a more general way of getting the M_ZERO value.
774  // See also: O_CREAT in UnixAPIChecker.cpp.
775 
776  // Fall back to normal malloc behavior on platforms where we don't
777  // know M_ZERO.
778  return None;
779  }
780 
781  // We treat the last argument as the flags argument, and callers fall-back to
782  // normal malloc on a None return. This works for the FreeBSD kernel malloc
783  // as well as Linux kmalloc.
784  if (CE->getNumArgs() < 2)
785  return None;
786 
787  const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1);
788  const SVal V = C.getSVal(FlagsEx);
789  if (!V.getAs<NonLoc>()) {
790  // The case where 'V' can be a location can only be due to a bad header,
791  // so in this case bail out.
792  return None;
793  }
794 
795  NonLoc Flags = V.castAs<NonLoc>();
796  NonLoc ZeroFlag = C.getSValBuilder()
797  .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType())
798  .castAs<NonLoc>();
799  SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And,
800  Flags, ZeroFlag,
801  FlagsEx->getType());
802  if (MaskedFlagsUC.isUnknownOrUndef())
803  return None;
804  DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
805 
806  // Check if maskedFlags is non-zero.
807  ProgramStateRef TrueState, FalseState;
808  std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
809 
810  // If M_ZERO is set, treat this like calloc (initialized).
811  if (TrueState && !FalseState) {
812  SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
813  return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState);
814  }
815 
816  return None;
817 }
818 
819 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
820  const Expr *BlockBytes) {
821  SValBuilder &SB = C.getSValBuilder();
822  SVal BlocksVal = C.getSVal(Blocks);
823  SVal BlockBytesVal = C.getSVal(BlockBytes);
824  ProgramStateRef State = C.getState();
825  SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
826  SB.getContext().getSizeType());
827  return TotalSize;
828 }
829 
830 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
831  if (C.wasInlined)
832  return;
833 
834  const FunctionDecl *FD = C.getCalleeDecl(CE);
835  if (!FD)
836  return;
837 
838  ProgramStateRef State = C.getState();
839  bool ReleasedAllocatedMemory = false;
840 
841  if (FD->getKind() == Decl::Function) {
842  initIdentifierInfo(C.getASTContext());
843  IdentifierInfo *FunI = FD->getIdentifier();
844 
845  if (FunI == II_malloc || FunI == II_g_malloc || FunI == II_g_try_malloc) {
846  if (CE->getNumArgs() < 1)
847  return;
848  if (CE->getNumArgs() < 3) {
849  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
850  if (CE->getNumArgs() == 1)
851  State = ProcessZeroAllocation(C, CE, 0, State);
852  } else if (CE->getNumArgs() == 3) {
854  performKernelMalloc(CE, C, State);
855  if (MaybeState.hasValue())
856  State = MaybeState.getValue();
857  else
858  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
859  }
860  } else if (FunI == II_kmalloc) {
861  if (CE->getNumArgs() < 1)
862  return;
864  performKernelMalloc(CE, C, State);
865  if (MaybeState.hasValue())
866  State = MaybeState.getValue();
867  else
868  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
869  } else if (FunI == II_valloc) {
870  if (CE->getNumArgs() < 1)
871  return;
872  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
873  State = ProcessZeroAllocation(C, CE, 0, State);
874  } else if (FunI == II_realloc || FunI == II_g_realloc ||
875  FunI == II_g_try_realloc) {
876  State = ReallocMemAux(C, CE, false, State);
877  State = ProcessZeroAllocation(C, CE, 1, State);
878  } else if (FunI == II_reallocf) {
879  State = ReallocMemAux(C, CE, true, State);
880  State = ProcessZeroAllocation(C, CE, 1, State);
881  } else if (FunI == II_calloc) {
882  State = CallocMem(C, CE, State);
883  State = ProcessZeroAllocation(C, CE, 0, State);
884  State = ProcessZeroAllocation(C, CE, 1, State);
885  } else if (FunI == II_free || FunI == II_g_free || FunI == II_kfree) {
886  if (suppressDeallocationsInSuspiciousContexts(CE, C))
887  return;
888 
889  State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
890  } else if (FunI == II_strdup || FunI == II_win_strdup ||
891  FunI == II_wcsdup || FunI == II_win_wcsdup) {
892  State = MallocUpdateRefState(C, CE, State);
893  } else if (FunI == II_strndup) {
894  State = MallocUpdateRefState(C, CE, State);
895  } else if (FunI == II_alloca || FunI == II_win_alloca) {
896  if (CE->getNumArgs() < 1)
897  return;
898  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
899  AF_Alloca);
900  State = ProcessZeroAllocation(C, CE, 0, State);
901  } else if (isStandardNewDelete(FD, C.getASTContext())) {
902  // Process direct calls to operator new/new[]/delete/delete[] functions
903  // as distinct from new/new[]/delete/delete[] expressions that are
904  // processed by the checkPostStmt callbacks for CXXNewExpr and
905  // CXXDeleteExpr.
907  if (K == OO_New) {
908  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
909  AF_CXXNew);
910  State = ProcessZeroAllocation(C, CE, 0, State);
911  }
912  else if (K == OO_Array_New) {
913  State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
914  AF_CXXNewArray);
915  State = ProcessZeroAllocation(C, CE, 0, State);
916  }
917  else if (K == OO_Delete || K == OO_Array_Delete)
918  State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
919  else
920  llvm_unreachable("not a new/delete operator");
921  } else if (FunI == II_if_nameindex) {
922  // Should we model this differently? We can allocate a fixed number of
923  // elements with zeros in the last one.
924  State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
925  AF_IfNameIndex);
926  } else if (FunI == II_if_freenameindex) {
927  State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
928  } else if (FunI == II_g_malloc0 || FunI == II_g_try_malloc0) {
929  if (CE->getNumArgs() < 1)
930  return;
931  SValBuilder &svalBuilder = C.getSValBuilder();
932  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
933  State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State);
934  State = ProcessZeroAllocation(C, CE, 0, State);
935  } else if (FunI == II_g_memdup) {
936  if (CE->getNumArgs() < 2)
937  return;
938  State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State);
939  State = ProcessZeroAllocation(C, CE, 1, State);
940  } else if (FunI == II_g_malloc_n || FunI == II_g_try_malloc_n ||
941  FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
942  if (CE->getNumArgs() < 2)
943  return;
944  SVal Init = UndefinedVal();
945  if (FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
946  SValBuilder &SB = C.getSValBuilder();
947  Init = SB.makeZeroVal(SB.getContext().CharTy);
948  }
949  SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
950  State = MallocMemAux(C, CE, TotalSize, Init, State);
951  State = ProcessZeroAllocation(C, CE, 0, State);
952  State = ProcessZeroAllocation(C, CE, 1, State);
953  } else if (FunI == II_g_realloc_n || FunI == II_g_try_realloc_n) {
954  if (CE->getNumArgs() < 3)
955  return;
956  State = ReallocMemAux(C, CE, false, State, true);
957  State = ProcessZeroAllocation(C, CE, 1, State);
958  State = ProcessZeroAllocation(C, CE, 2, State);
959  }
960  }
961 
962  if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
963  // Check all the attributes, if there are any.
964  // There can be multiple of these attributes.
965  if (FD->hasAttrs())
966  for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
967  switch (I->getOwnKind()) {
968  case OwnershipAttr::Returns:
969  State = MallocMemReturnsAttr(C, CE, I, State);
970  break;
971  case OwnershipAttr::Takes:
972  case OwnershipAttr::Holds:
973  State = FreeMemAttr(C, CE, I, State);
974  break;
975  }
976  }
977  }
978  C.addTransition(State);
979 }
980 
981 // Performs a 0-sized allocations check.
982 ProgramStateRef MallocChecker::ProcessZeroAllocation(
983  CheckerContext &C, const Expr *E, const unsigned AllocationSizeArg,
984  ProgramStateRef State, Optional<SVal> RetVal) const {
985  if (!State)
986  return nullptr;
987 
988  if (!RetVal)
989  RetVal = C.getSVal(E);
990 
991  const Expr *Arg = nullptr;
992 
993  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
994  Arg = CE->getArg(AllocationSizeArg);
995  }
996  else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
997  if (NE->isArray())
998  Arg = *NE->getArraySize();
999  else
1000  return State;
1001  }
1002  else
1003  llvm_unreachable("not a CallExpr or CXXNewExpr");
1004 
1005  assert(Arg);
1006 
1007  Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>();
1008 
1009  if (!DefArgVal)
1010  return State;
1011 
1012  // Check if the allocation size is 0.
1013  ProgramStateRef TrueState, FalseState;
1014  SValBuilder &SvalBuilder = C.getSValBuilder();
1015  DefinedSVal Zero =
1016  SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
1017 
1018  std::tie(TrueState, FalseState) =
1019  State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1020 
1021  if (TrueState && !FalseState) {
1022  SymbolRef Sym = RetVal->getAsLocSymbol();
1023  if (!Sym)
1024  return State;
1025 
1026  const RefState *RS = State->get<RegionState>(Sym);
1027  if (RS) {
1028  if (RS->isAllocated())
1029  return TrueState->set<RegionState>(Sym,
1030  RefState::getAllocatedOfSizeZero(RS));
1031  else
1032  return State;
1033  } else {
1034  // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1035  // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1036  // tracked. Add zero-reallocated Sym to the state to catch references
1037  // to zero-allocated memory.
1038  return TrueState->add<ReallocSizeZeroSymbols>(Sym);
1039  }
1040  }
1041 
1042  // Assume the value is non-zero going forward.
1043  assert(FalseState);
1044  return FalseState;
1045 }
1046 
1048  QualType Result = T, PointeeType = T->getPointeeType();
1049  while (!PointeeType.isNull()) {
1050  Result = PointeeType;
1051  PointeeType = PointeeType->getPointeeType();
1052  }
1053  return Result;
1054 }
1055 
1056 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) {
1057 
1058  const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1059  if (!ConstructE)
1060  return false;
1061 
1062  if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1063  return false;
1064 
1065  const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1066 
1067  // Iterate over the constructor parameters.
1068  for (const auto *CtorParam : CtorD->parameters()) {
1069 
1070  QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1071  if (CtorParamPointeeT.isNull())
1072  continue;
1073 
1074  CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1075 
1076  if (CtorParamPointeeT->getAsCXXRecordDecl())
1077  return true;
1078  }
1079 
1080  return false;
1081 }
1082 
1083 void MallocChecker::processNewAllocation(const CXXNewExpr *NE,
1084  CheckerContext &C,
1085  SVal Target) const {
1086  if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext()))
1087  return;
1088 
1089  ParentMap &PM = C.getLocationContext()->getParentMap();
1090  if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE))
1091  return;
1092 
1093  ProgramStateRef State = C.getState();
1094  // The return value from operator new is bound to a specified initialization
1095  // value (if any) and we don't want to loose this value. So we call
1096  // MallocUpdateRefState() instead of MallocMemAux() which breaks the
1097  // existing binding.
1098  State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray
1099  : AF_CXXNew, Target);
1100  State = addExtentSize(C, NE, State, Target);
1101  State = ProcessZeroAllocation(C, NE, 0, State, Target);
1102  C.addTransition(State);
1103 }
1104 
1105 void MallocChecker::checkPostStmt(const CXXNewExpr *NE,
1106  CheckerContext &C) const {
1107  if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator)
1108  processNewAllocation(NE, C, C.getSVal(NE));
1109 }
1110 
1111 void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target,
1112  CheckerContext &C) const {
1113  if (!C.wasInlined)
1114  processNewAllocation(NE, C, Target);
1115 }
1116 
1117 // Sets the extent value of the MemRegion allocated by
1118 // new expression NE to its size in Bytes.
1119 //
1120 ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
1121  const CXXNewExpr *NE,
1123  SVal Target) {
1124  if (!State)
1125  return nullptr;
1126  SValBuilder &svalBuilder = C.getSValBuilder();
1127  SVal ElementCount;
1128  const SubRegion *Region;
1129  if (NE->isArray()) {
1130  const Expr *SizeExpr = *NE->getArraySize();
1131  ElementCount = C.getSVal(SizeExpr);
1132  // Store the extent size for the (symbolic)region
1133  // containing the elements.
1134  Region = Target.getAsRegion()
1135  ->getAs<SubRegion>()
1136  ->StripCasts()
1137  ->getAs<SubRegion>();
1138  } else {
1139  ElementCount = svalBuilder.makeIntVal(1, true);
1140  Region = Target.getAsRegion()->getAs<SubRegion>();
1141  }
1142  assert(Region);
1143 
1144  // Set the region's extent equal to the Size in Bytes.
1145  QualType ElementType = NE->getAllocatedType();
1146  ASTContext &AstContext = C.getASTContext();
1147  CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType);
1148 
1149  if (ElementCount.getAs<NonLoc>()) {
1150  DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder);
1151  // size in Bytes = ElementCount*TypeSize
1152  SVal SizeInBytes = svalBuilder.evalBinOpNN(
1153  State, BO_Mul, ElementCount.castAs<NonLoc>(),
1154  svalBuilder.makeArrayIndex(TypeSize.getQuantity()),
1155  svalBuilder.getArrayIndexType());
1156  DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ(
1157  State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>());
1158  State = State->assume(extentMatchesSize, true);
1159  }
1160  return State;
1161 }
1162 
1163 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
1164  CheckerContext &C) const {
1165 
1166  if (!ChecksEnabled[CK_NewDeleteChecker])
1167  if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
1168  checkUseAfterFree(Sym, C, DE->getArgument());
1169 
1170  if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext()))
1171  return;
1172 
1173  ProgramStateRef State = C.getState();
1174  bool ReleasedAllocated;
1175  State = FreeMemAux(C, DE->getArgument(), DE, State,
1176  /*Hold*/false, ReleasedAllocated);
1177 
1178  C.addTransition(State);
1179 }
1180 
1182  // If the first selector piece is one of the names below, assume that the
1183  // object takes ownership of the memory, promising to eventually deallocate it
1184  // with free().
1185  // Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1186  // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1187  StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
1188  return FirstSlot == "dataWithBytesNoCopy" ||
1189  FirstSlot == "initWithBytesNoCopy" ||
1190  FirstSlot == "initWithCharactersNoCopy";
1191 }
1192 
1194  Selector S = Call.getSelector();
1195 
1196  // FIXME: We should not rely on fully-constrained symbols being folded.
1197  for (unsigned i = 1; i < S.getNumArgs(); ++i)
1198  if (S.getNameForSlot(i).equals("freeWhenDone"))
1199  return !Call.getArgSVal(i).isZeroConstant();
1200 
1201  return None;
1202 }
1203 
1204 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1205  CheckerContext &C) const {
1206  if (C.wasInlined)
1207  return;
1208 
1209  if (!isKnownDeallocObjCMethodName(Call))
1210  return;
1211 
1212  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1213  if (!*FreeWhenDone)
1214  return;
1215 
1216  bool ReleasedAllocatedMemory;
1217  ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0),
1218  Call.getOriginExpr(), C.getState(),
1219  /*Hold=*/true, ReleasedAllocatedMemory,
1220  /*ReturnsNullOnFailure=*/true);
1221 
1222  C.addTransition(State);
1223 }
1224 
1226 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
1227  const OwnershipAttr *Att,
1228  ProgramStateRef State) const {
1229  if (!State)
1230  return nullptr;
1231 
1232  if (Att->getModule() != II_malloc)
1233  return nullptr;
1234 
1235  OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
1236  if (I != E) {
1237  return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(),
1238  State);
1239  }
1240  return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State);
1241 }
1242 
1243 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1244  const CallExpr *CE,
1245  const Expr *SizeEx, SVal Init,
1247  AllocationFamily Family) {
1248  if (!State)
1249  return nullptr;
1250 
1251  return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family);
1252 }
1253 
1254 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1255  const CallExpr *CE,
1256  SVal Size, SVal Init,
1258  AllocationFamily Family) {
1259  if (!State)
1260  return nullptr;
1261 
1262  // We expect the malloc functions to return a pointer.
1263  if (!Loc::isLocType(CE->getType()))
1264  return nullptr;
1265 
1266  // Bind the return value to the symbolic value from the heap region.
1267  // TODO: We could rewrite post visit to eval call; 'malloc' does not have
1268  // side effects other than what we model here.
1269  unsigned Count = C.blockCount();
1270  SValBuilder &svalBuilder = C.getSValBuilder();
1271  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1272  DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
1273  .castAs<DefinedSVal>();
1274  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1275 
1276  // Fill the region with the initialization value.
1277  State = State->bindDefaultInitial(RetVal, Init, LCtx);
1278 
1279  // Set the region's extent equal to the Size parameter.
1280  const SymbolicRegion *R =
1281  dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
1282  if (!R)
1283  return nullptr;
1284  if (Optional<DefinedOrUnknownSVal> DefinedSize =
1285  Size.getAs<DefinedOrUnknownSVal>()) {
1286  SValBuilder &svalBuilder = C.getSValBuilder();
1287  DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
1288  DefinedOrUnknownSVal extentMatchesSize =
1289  svalBuilder.evalEQ(State, Extent, *DefinedSize);
1290 
1291  State = State->assume(extentMatchesSize, true);
1292  assert(State);
1293  }
1294 
1295  return MallocUpdateRefState(C, CE, State, Family);
1296 }
1297 
1298 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
1299  const Expr *E,
1301  AllocationFamily Family,
1302  Optional<SVal> RetVal) {
1303  if (!State)
1304  return nullptr;
1305 
1306  // Get the return value.
1307  if (!RetVal)
1308  RetVal = C.getSVal(E);
1309 
1310  // We expect the malloc functions to return a pointer.
1311  if (!RetVal->getAs<Loc>())
1312  return nullptr;
1313 
1314  SymbolRef Sym = RetVal->getAsLocSymbol();
1315  // This is a return value of a function that was not inlined, such as malloc()
1316  // or new(). We've checked that in the caller. Therefore, it must be a symbol.
1317  assert(Sym);
1318 
1319  // Set the symbol's state to Allocated.
1320  return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1321 }
1322 
1323 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1324  const CallExpr *CE,
1325  const OwnershipAttr *Att,
1326  ProgramStateRef State) const {
1327  if (!State)
1328  return nullptr;
1329 
1330  if (Att->getModule() != II_malloc)
1331  return nullptr;
1332 
1333  bool ReleasedAllocated = false;
1334 
1335  for (const auto &Arg : Att->args()) {
1336  ProgramStateRef StateI = FreeMemAux(
1337  C, CE, State, Arg.getASTIndex(),
1338  Att->getOwnKind() == OwnershipAttr::Holds, ReleasedAllocated);
1339  if (StateI)
1340  State = StateI;
1341  }
1342  return State;
1343 }
1344 
1345 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1346  const CallExpr *CE,
1348  unsigned Num,
1349  bool Hold,
1350  bool &ReleasedAllocated,
1351  bool ReturnsNullOnFailure) const {
1352  if (!State)
1353  return nullptr;
1354 
1355  if (CE->getNumArgs() < (Num + 1))
1356  return nullptr;
1357 
1358  return FreeMemAux(C, CE->getArg(Num), CE, State, Hold,
1359  ReleasedAllocated, ReturnsNullOnFailure);
1360 }
1361 
1362 /// Checks if the previous call to free on the given symbol failed - if free
1363 /// failed, returns true. Also, returns the corresponding return value symbol.
1365  SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1366  const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
1367  if (Ret) {
1368  assert(*Ret && "We should not store the null return symbol");
1369  ConstraintManager &CMgr = State->getConstraintManager();
1370  ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
1371  RetStatusSymbol = *Ret;
1372  return FreeFailed.isConstrainedTrue();
1373  }
1374  return false;
1375 }
1376 
1377 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C,
1378  const Stmt *S) const {
1379  if (!S)
1380  return AF_None;
1381 
1382  if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
1383  const FunctionDecl *FD = C.getCalleeDecl(CE);
1384 
1385  if (!FD)
1386  FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl());
1387 
1388  ASTContext &Ctx = C.getASTContext();
1389 
1390  if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any))
1391  return AF_Malloc;
1392 
1393  if (isStandardNewDelete(FD, Ctx)) {
1395  if (Kind == OO_New || Kind == OO_Delete)
1396  return AF_CXXNew;
1397  else if (Kind == OO_Array_New || Kind == OO_Array_Delete)
1398  return AF_CXXNewArray;
1399  }
1400 
1401  if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
1402  return AF_IfNameIndex;
1403 
1404  if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any))
1405  return AF_Alloca;
1406 
1407  return AF_None;
1408  }
1409 
1410  if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S))
1411  return NE->isArray() ? AF_CXXNewArray : AF_CXXNew;
1412 
1413  if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S))
1414  return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew;
1415 
1416  if (isa<ObjCMessageExpr>(S))
1417  return AF_Malloc;
1418 
1419  return AF_None;
1420 }
1421 
1422 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C,
1423  const Expr *E) const {
1424  if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
1425  // FIXME: This doesn't handle indirect calls.
1426  const FunctionDecl *FD = CE->getDirectCallee();
1427  if (!FD)
1428  return false;
1429 
1430  os << *FD;
1431  if (!FD->isOverloadedOperator())
1432  os << "()";
1433  return true;
1434  }
1435 
1436  if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) {
1437  if (Msg->isInstanceMessage())
1438  os << "-";
1439  else
1440  os << "+";
1441  Msg->getSelector().print(os);
1442  return true;
1443  }
1444 
1445  if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
1446  os << "'"
1448  << "'";
1449  return true;
1450  }
1451 
1452  if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) {
1453  os << "'"
1455  << "'";
1456  return true;
1457  }
1458 
1459  return false;
1460 }
1461 
1462 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C,
1463  const Expr *E) const {
1464  AllocationFamily Family = getAllocationFamily(C, E);
1465 
1466  switch(Family) {
1467  case AF_Malloc: os << "malloc()"; return;
1468  case AF_CXXNew: os << "'new'"; return;
1469  case AF_CXXNewArray: os << "'new[]'"; return;
1470  case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1471  case AF_InnerBuffer: os << "container-specific allocator"; return;
1472  case AF_Alloca:
1473  case AF_None: llvm_unreachable("not a deallocation expression");
1474  }
1475 }
1476 
1477 void MallocChecker::printExpectedDeallocName(raw_ostream &os,
1478  AllocationFamily Family) const {
1479  switch(Family) {
1480  case AF_Malloc: os << "free()"; return;
1481  case AF_CXXNew: os << "'delete'"; return;
1482  case AF_CXXNewArray: os << "'delete[]'"; return;
1483  case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1484  case AF_InnerBuffer: os << "container-specific deallocator"; return;
1485  case AF_Alloca:
1486  case AF_None: llvm_unreachable("suspicious argument");
1487  }
1488 }
1489 
1490 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1491  const Expr *ArgExpr,
1492  const Expr *ParentExpr,
1494  bool Hold,
1495  bool &ReleasedAllocated,
1496  bool ReturnsNullOnFailure) const {
1497 
1498  if (!State)
1499  return nullptr;
1500 
1501  SVal ArgVal = C.getSVal(ArgExpr);
1502  if (!ArgVal.getAs<DefinedOrUnknownSVal>())
1503  return nullptr;
1504  DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1505 
1506  // Check for null dereferences.
1507  if (!location.getAs<Loc>())
1508  return nullptr;
1509 
1510  // The explicit NULL case, no operation is performed.
1511  ProgramStateRef notNullState, nullState;
1512  std::tie(notNullState, nullState) = State->assume(location);
1513  if (nullState && !notNullState)
1514  return nullptr;
1515 
1516  // Unknown values could easily be okay
1517  // Undefined values are handled elsewhere
1518  if (ArgVal.isUnknownOrUndef())
1519  return nullptr;
1520 
1521  const MemRegion *R = ArgVal.getAsRegion();
1522 
1523  // Nonlocs can't be freed, of course.
1524  // Non-region locations (labels and fixed addresses) also shouldn't be freed.
1525  if (!R) {
1526  ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1527  return nullptr;
1528  }
1529 
1530  R = R->StripCasts();
1531 
1532  // Blocks might show up as heap data, but should not be free()d
1533  if (isa<BlockDataRegion>(R)) {
1534  ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1535  return nullptr;
1536  }
1537 
1538  const MemSpaceRegion *MS = R->getMemorySpace();
1539 
1540  // Parameters, locals, statics, globals, and memory returned by
1541  // __builtin_alloca() shouldn't be freed.
1542  if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {
1543  // FIXME: at the time this code was written, malloc() regions were
1544  // represented by conjured symbols, which are all in UnknownSpaceRegion.
1545  // This means that there isn't actually anything from HeapSpaceRegion
1546  // that should be freed, even though we allow it here.
1547  // Of course, free() can work on memory allocated outside the current
1548  // function, so UnknownSpaceRegion is always a possibility.
1549  // False negatives are better than false positives.
1550 
1551  if (isa<AllocaRegion>(R))
1552  ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1553  else
1554  ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1555 
1556  return nullptr;
1557  }
1558 
1559  const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
1560  // Various cases could lead to non-symbol values here.
1561  // For now, ignore them.
1562  if (!SrBase)
1563  return nullptr;
1564 
1565  SymbolRef SymBase = SrBase->getSymbol();
1566  const RefState *RsBase = State->get<RegionState>(SymBase);
1567  SymbolRef PreviousRetStatusSymbol = nullptr;
1568 
1569  if (RsBase) {
1570 
1571  // Memory returned by alloca() shouldn't be freed.
1572  if (RsBase->getAllocationFamily() == AF_Alloca) {
1573  ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1574  return nullptr;
1575  }
1576 
1577  // Check for double free first.
1578  if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
1579  !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
1580  ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
1581  SymBase, PreviousRetStatusSymbol);
1582  return nullptr;
1583 
1584  // If the pointer is allocated or escaped, but we are now trying to free it,
1585  // check that the call to free is proper.
1586  } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
1587  RsBase->isEscaped()) {
1588 
1589  // Check if an expected deallocation function matches the real one.
1590  bool DeallocMatchesAlloc =
1591  RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr);
1592  if (!DeallocMatchesAlloc) {
1593  ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
1594  ParentExpr, RsBase, SymBase, Hold);
1595  return nullptr;
1596  }
1597 
1598  // Check if the memory location being freed is the actual location
1599  // allocated, or an offset.
1600  RegionOffset Offset = R->getAsOffset();
1601  if (Offset.isValid() &&
1602  !Offset.hasSymbolicOffset() &&
1603  Offset.getOffset() != 0) {
1604  const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
1605  ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1606  AllocExpr);
1607  return nullptr;
1608  }
1609  }
1610  }
1611 
1612  if (SymBase->getType()->isFunctionPointerType()) {
1613  ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1614  return nullptr;
1615  }
1616 
1617  ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() ||
1618  RsBase->isAllocatedOfSizeZero());
1619 
1620  // Clean out the info on previous call to free return info.
1621  State = State->remove<FreeReturnValue>(SymBase);
1622 
1623  // Keep track of the return value. If it is NULL, we will know that free
1624  // failed.
1625  if (ReturnsNullOnFailure) {
1626  SVal RetVal = C.getSVal(ParentExpr);
1627  SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
1628  if (RetStatusSymbol) {
1629  C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
1630  State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
1631  }
1632  }
1633 
1634  AllocationFamily Family = RsBase ? RsBase->getAllocationFamily()
1635  : getAllocationFamily(C, ParentExpr);
1636  // Normal free.
1637  if (Hold)
1638  return State->set<RegionState>(SymBase,
1639  RefState::getRelinquished(Family,
1640  ParentExpr));
1641 
1642  return State->set<RegionState>(SymBase,
1643  RefState::getReleased(Family, ParentExpr));
1644 }
1645 
1647 MallocChecker::getCheckIfTracked(AllocationFamily Family,
1648  bool IsALeakCheck) const {
1649  switch (Family) {
1650  case AF_Malloc:
1651  case AF_Alloca:
1652  case AF_IfNameIndex: {
1653  if (ChecksEnabled[CK_MallocChecker])
1654  return CK_MallocChecker;
1655  return None;
1656  }
1657  case AF_CXXNew:
1658  case AF_CXXNewArray: {
1659  if (IsALeakCheck) {
1660  if (ChecksEnabled[CK_NewDeleteLeaksChecker])
1661  return CK_NewDeleteLeaksChecker;
1662  }
1663  else {
1664  if (ChecksEnabled[CK_NewDeleteChecker])
1665  return CK_NewDeleteChecker;
1666  }
1667  return None;
1668  }
1669  case AF_InnerBuffer: {
1670  if (ChecksEnabled[CK_InnerPointerChecker])
1671  return CK_InnerPointerChecker;
1672  return None;
1673  }
1674  case AF_None: {
1675  llvm_unreachable("no family");
1676  }
1677  }
1678  llvm_unreachable("unhandled family");
1679 }
1680 
1682 MallocChecker::getCheckIfTracked(CheckerContext &C,
1683  const Stmt *AllocDeallocStmt,
1684  bool IsALeakCheck) const {
1685  return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt),
1686  IsALeakCheck);
1687 }
1688 
1690 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
1691  bool IsALeakCheck) const {
1692  if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
1693  return CK_MallocChecker;
1694 
1695  const RefState *RS = C.getState()->get<RegionState>(Sym);
1696  assert(RS);
1697  return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
1698 }
1699 
1700 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
1701  if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
1702  os << "an integer (" << IntVal->getValue() << ")";
1703  else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
1704  os << "a constant address (" << ConstAddr->getValue() << ")";
1705  else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
1706  os << "the address of the label '" << Label->getLabel()->getName() << "'";
1707  else
1708  return false;
1709 
1710  return true;
1711 }
1712 
1713 bool MallocChecker::SummarizeRegion(raw_ostream &os,
1714  const MemRegion *MR) {
1715  switch (MR->getKind()) {
1716  case MemRegion::FunctionCodeRegionKind: {
1717  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
1718  if (FD)
1719  os << "the address of the function '" << *FD << '\'';
1720  else
1721  os << "the address of a function";
1722  return true;
1723  }
1724  case MemRegion::BlockCodeRegionKind:
1725  os << "block text";
1726  return true;
1727  case MemRegion::BlockDataRegionKind:
1728  // FIXME: where the block came from?
1729  os << "a block";
1730  return true;
1731  default: {
1732  const MemSpaceRegion *MS = MR->getMemorySpace();
1733 
1734  if (isa<StackLocalsSpaceRegion>(MS)) {
1735  const VarRegion *VR = dyn_cast<VarRegion>(MR);
1736  const VarDecl *VD;
1737  if (VR)
1738  VD = VR->getDecl();
1739  else
1740  VD = nullptr;
1741 
1742  if (VD)
1743  os << "the address of the local variable '" << VD->getName() << "'";
1744  else
1745  os << "the address of a local stack variable";
1746  return true;
1747  }
1748 
1749  if (isa<StackArgumentsSpaceRegion>(MS)) {
1750  const VarRegion *VR = dyn_cast<VarRegion>(MR);
1751  const VarDecl *VD;
1752  if (VR)
1753  VD = VR->getDecl();
1754  else
1755  VD = nullptr;
1756 
1757  if (VD)
1758  os << "the address of the parameter '" << VD->getName() << "'";
1759  else
1760  os << "the address of a parameter";
1761  return true;
1762  }
1763 
1764  if (isa<GlobalsSpaceRegion>(MS)) {
1765  const VarRegion *VR = dyn_cast<VarRegion>(MR);
1766  const VarDecl *VD;
1767  if (VR)
1768  VD = VR->getDecl();
1769  else
1770  VD = nullptr;
1771 
1772  if (VD) {
1773  if (VD->isStaticLocal())
1774  os << "the address of the static variable '" << VD->getName() << "'";
1775  else
1776  os << "the address of the global variable '" << VD->getName() << "'";
1777  } else
1778  os << "the address of a global variable";
1779  return true;
1780  }
1781 
1782  return false;
1783  }
1784  }
1785 }
1786 
1787 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
1788  SourceRange Range,
1789  const Expr *DeallocExpr) const {
1790 
1791  if (!ChecksEnabled[CK_MallocChecker] &&
1792  !ChecksEnabled[CK_NewDeleteChecker])
1793  return;
1794 
1796  getCheckIfTracked(C, DeallocExpr);
1797  if (!CheckKind.hasValue())
1798  return;
1799 
1800  if (ExplodedNode *N = C.generateErrorNode()) {
1801  if (!BT_BadFree[*CheckKind])
1802  BT_BadFree[*CheckKind].reset(new BugType(
1803  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
1804 
1805  SmallString<100> buf;
1806  llvm::raw_svector_ostream os(buf);
1807 
1808  const MemRegion *MR = ArgVal.getAsRegion();
1809  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
1810  MR = ER->getSuperRegion();
1811 
1812  os << "Argument to ";
1813  if (!printAllocDeallocName(os, C, DeallocExpr))
1814  os << "deallocator";
1815 
1816  os << " is ";
1817  bool Summarized = MR ? SummarizeRegion(os, MR)
1818  : SummarizeValue(os, ArgVal);
1819  if (Summarized)
1820  os << ", which is not memory allocated by ";
1821  else
1822  os << "not memory allocated by ";
1823 
1824  printExpectedAllocName(os, C, DeallocExpr);
1825 
1826  auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], os.str(), N);
1827  R->markInteresting(MR);
1828  R->addRange(Range);
1829  C.emitReport(std::move(R));
1830  }
1831 }
1832 
1833 void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
1834  SourceRange Range) const {
1835 
1837 
1838  if (ChecksEnabled[CK_MallocChecker])
1839  CheckKind = CK_MallocChecker;
1840  else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
1841  CheckKind = CK_MismatchedDeallocatorChecker;
1842  else
1843  return;
1844 
1845  if (ExplodedNode *N = C.generateErrorNode()) {
1846  if (!BT_FreeAlloca[*CheckKind])
1847  BT_FreeAlloca[*CheckKind].reset(new BugType(
1848  CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
1849 
1850  auto R = llvm::make_unique<BugReport>(
1851  *BT_FreeAlloca[*CheckKind],
1852  "Memory allocated by alloca() should not be deallocated", N);
1853  R->markInteresting(ArgVal.getAsRegion());
1854  R->addRange(Range);
1855  C.emitReport(std::move(R));
1856  }
1857 }
1858 
1859 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C,
1860  SourceRange Range,
1861  const Expr *DeallocExpr,
1862  const RefState *RS,
1863  SymbolRef Sym,
1864  bool OwnershipTransferred) const {
1865 
1866  if (!ChecksEnabled[CK_MismatchedDeallocatorChecker])
1867  return;
1868 
1869  if (ExplodedNode *N = C.generateErrorNode()) {
1870  if (!BT_MismatchedDealloc)
1871  BT_MismatchedDealloc.reset(
1872  new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
1873  "Bad deallocator", categories::MemoryError));
1874 
1875  SmallString<100> buf;
1876  llvm::raw_svector_ostream os(buf);
1877 
1878  const Expr *AllocExpr = cast<Expr>(RS->getStmt());
1879  SmallString<20> AllocBuf;
1880  llvm::raw_svector_ostream AllocOs(AllocBuf);
1881  SmallString<20> DeallocBuf;
1882  llvm::raw_svector_ostream DeallocOs(DeallocBuf);
1883 
1884  if (OwnershipTransferred) {
1885  if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1886  os << DeallocOs.str() << " cannot";
1887  else
1888  os << "Cannot";
1889 
1890  os << " take ownership of memory";
1891 
1892  if (printAllocDeallocName(AllocOs, C, AllocExpr))
1893  os << " allocated by " << AllocOs.str();
1894  } else {
1895  os << "Memory";
1896  if (printAllocDeallocName(AllocOs, C, AllocExpr))
1897  os << " allocated by " << AllocOs.str();
1898 
1899  os << " should be deallocated by ";
1900  printExpectedDeallocName(os, RS->getAllocationFamily());
1901 
1902  if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1903  os << ", not " << DeallocOs.str();
1904  }
1905 
1906  auto R = llvm::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N);
1907  R->markInteresting(Sym);
1908  R->addRange(Range);
1909  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1910  C.emitReport(std::move(R));
1911  }
1912 }
1913 
1914 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
1915  SourceRange Range, const Expr *DeallocExpr,
1916  const Expr *AllocExpr) const {
1917 
1918 
1919  if (!ChecksEnabled[CK_MallocChecker] &&
1920  !ChecksEnabled[CK_NewDeleteChecker])
1921  return;
1922 
1924  getCheckIfTracked(C, AllocExpr);
1925  if (!CheckKind.hasValue())
1926  return;
1927 
1928  ExplodedNode *N = C.generateErrorNode();
1929  if (!N)
1930  return;
1931 
1932  if (!BT_OffsetFree[*CheckKind])
1933  BT_OffsetFree[*CheckKind].reset(new BugType(
1934  CheckNames[*CheckKind], "Offset free", categories::MemoryError));
1935 
1936  SmallString<100> buf;
1937  llvm::raw_svector_ostream os(buf);
1938  SmallString<20> AllocNameBuf;
1939  llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
1940 
1941  const MemRegion *MR = ArgVal.getAsRegion();
1942  assert(MR && "Only MemRegion based symbols can have offset free errors");
1943 
1944  RegionOffset Offset = MR->getAsOffset();
1945  assert((Offset.isValid() &&
1946  !Offset.hasSymbolicOffset() &&
1947  Offset.getOffset() != 0) &&
1948  "Only symbols with a valid offset can have offset free errors");
1949 
1950  int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
1951 
1952  os << "Argument to ";
1953  if (!printAllocDeallocName(os, C, DeallocExpr))
1954  os << "deallocator";
1955  os << " is offset by "
1956  << offsetBytes
1957  << " "
1958  << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
1959  << " from the start of ";
1960  if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr))
1961  os << "memory allocated by " << AllocNameOs.str();
1962  else
1963  os << "allocated memory";
1964 
1965  auto R = llvm::make_unique<BugReport>(*BT_OffsetFree[*CheckKind], os.str(), N);
1966  R->markInteresting(MR->getBaseRegion());
1967  R->addRange(Range);
1968  C.emitReport(std::move(R));
1969 }
1970 
1971 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range,
1972  SymbolRef Sym) const {
1973 
1974  if (!ChecksEnabled[CK_MallocChecker] &&
1975  !ChecksEnabled[CK_NewDeleteChecker] &&
1976  !ChecksEnabled[CK_InnerPointerChecker])
1977  return;
1978 
1979  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
1980  if (!CheckKind.hasValue())
1981  return;
1982 
1983  if (ExplodedNode *N = C.generateErrorNode()) {
1984  if (!BT_UseFree[*CheckKind])
1985  BT_UseFree[*CheckKind].reset(new BugType(
1986  CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
1987 
1988  AllocationFamily AF =
1989  C.getState()->get<RegionState>(Sym)->getAllocationFamily();
1990 
1991  auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind],
1992  AF == AF_InnerBuffer
1993  ? "Inner pointer of container used after re/deallocation"
1994  : "Use of memory after it is freed",
1995  N);
1996 
1997  R->markInteresting(Sym);
1998  R->addRange(Range);
1999  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2000 
2001  if (AF == AF_InnerBuffer)
2002  R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym));
2003 
2004  C.emitReport(std::move(R));
2005  }
2006 }
2007 
2008 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range,
2009  bool Released, SymbolRef Sym,
2010  SymbolRef PrevSym) const {
2011 
2012  if (!ChecksEnabled[CK_MallocChecker] &&
2013  !ChecksEnabled[CK_NewDeleteChecker])
2014  return;
2015 
2016  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2017  if (!CheckKind.hasValue())
2018  return;
2019 
2020  if (ExplodedNode *N = C.generateErrorNode()) {
2021  if (!BT_DoubleFree[*CheckKind])
2022  BT_DoubleFree[*CheckKind].reset(new BugType(
2023  CheckNames[*CheckKind], "Double free", categories::MemoryError));
2024 
2025  auto R = llvm::make_unique<BugReport>(
2026  *BT_DoubleFree[*CheckKind],
2027  (Released ? "Attempt to free released memory"
2028  : "Attempt to free non-owned memory"),
2029  N);
2030  R->addRange(Range);
2031  R->markInteresting(Sym);
2032  if (PrevSym)
2033  R->markInteresting(PrevSym);
2034  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2035  C.emitReport(std::move(R));
2036  }
2037 }
2038 
2039 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2040 
2041  if (!ChecksEnabled[CK_NewDeleteChecker])
2042  return;
2043 
2044  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2045  if (!CheckKind.hasValue())
2046  return;
2047 
2048  if (ExplodedNode *N = C.generateErrorNode()) {
2049  if (!BT_DoubleDelete)
2050  BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
2051  "Double delete",
2053 
2054  auto R = llvm::make_unique<BugReport>(
2055  *BT_DoubleDelete, "Attempt to delete released memory", N);
2056 
2057  R->markInteresting(Sym);
2058  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2059  C.emitReport(std::move(R));
2060  }
2061 }
2062 
2063 void MallocChecker::ReportUseZeroAllocated(CheckerContext &C,
2064  SourceRange Range,
2065  SymbolRef Sym) const {
2066 
2067  if (!ChecksEnabled[CK_MallocChecker] &&
2068  !ChecksEnabled[CK_NewDeleteChecker])
2069  return;
2070 
2071  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2072 
2073  if (!CheckKind.hasValue())
2074  return;
2075 
2076  if (ExplodedNode *N = C.generateErrorNode()) {
2077  if (!BT_UseZerroAllocated[*CheckKind])
2078  BT_UseZerroAllocated[*CheckKind].reset(
2079  new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2081 
2082  auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind],
2083  "Use of zero-allocated memory", N);
2084 
2085  R->addRange(Range);
2086  if (Sym) {
2087  R->markInteresting(Sym);
2088  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2089  }
2090  C.emitReport(std::move(R));
2091  }
2092 }
2093 
2094 void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
2095  SourceRange Range,
2096  const Expr *FreeExpr) const {
2097  if (!ChecksEnabled[CK_MallocChecker])
2098  return;
2099 
2100  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr);
2101  if (!CheckKind.hasValue())
2102  return;
2103 
2104  if (ExplodedNode *N = C.generateErrorNode()) {
2105  if (!BT_BadFree[*CheckKind])
2106  BT_BadFree[*CheckKind].reset(new BugType(
2107  CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2108 
2109  SmallString<100> Buf;
2110  llvm::raw_svector_ostream Os(Buf);
2111 
2112  const MemRegion *MR = ArgVal.getAsRegion();
2113  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2114  MR = ER->getSuperRegion();
2115 
2116  Os << "Argument to ";
2117  if (!printAllocDeallocName(Os, C, FreeExpr))
2118  Os << "deallocator";
2119 
2120  Os << " is a function pointer";
2121 
2122  auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], Os.str(), N);
2123  R->markInteresting(MR);
2124  R->addRange(Range);
2125  C.emitReport(std::move(R));
2126  }
2127 }
2128 
2129 ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C,
2130  const CallExpr *CE,
2131  bool FreesOnFail,
2133  bool SuffixWithN) const {
2134  if (!State)
2135  return nullptr;
2136 
2137  if (SuffixWithN && CE->getNumArgs() < 3)
2138  return nullptr;
2139  else if (CE->getNumArgs() < 2)
2140  return nullptr;
2141 
2142  const Expr *arg0Expr = CE->getArg(0);
2143  SVal Arg0Val = C.getSVal(arg0Expr);
2144  if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
2145  return nullptr;
2146  DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2147 
2148  SValBuilder &svalBuilder = C.getSValBuilder();
2149 
2150  DefinedOrUnknownSVal PtrEQ =
2151  svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());
2152 
2153  // Get the size argument.
2154  const Expr *Arg1 = CE->getArg(1);
2155 
2156  // Get the value of the size argument.
2157  SVal TotalSize = C.getSVal(Arg1);
2158  if (SuffixWithN)
2159  TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
2160  if (!TotalSize.getAs<DefinedOrUnknownSVal>())
2161  return nullptr;
2162 
2163  // Compare the size argument to 0.
2164  DefinedOrUnknownSVal SizeZero =
2165  svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
2166  svalBuilder.makeIntValWithPtrWidth(0, false));
2167 
2168  ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2169  std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
2170  ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2171  std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
2172  // We only assume exceptional states if they are definitely true; if the
2173  // state is under-constrained, assume regular realloc behavior.
2174  bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2175  bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2176 
2177  // If the ptr is NULL and the size is not 0, the call is equivalent to
2178  // malloc(size).
2179  if (PrtIsNull && !SizeIsZero) {
2180  ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize,
2181  UndefinedVal(), StatePtrIsNull);
2182  return stateMalloc;
2183  }
2184 
2185  if (PrtIsNull && SizeIsZero)
2186  return State;
2187 
2188  // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2189  assert(!PrtIsNull);
2190  SymbolRef FromPtr = arg0Val.getAsSymbol();
2191  SVal RetVal = C.getSVal(CE);
2192  SymbolRef ToPtr = RetVal.getAsSymbol();
2193  if (!FromPtr || !ToPtr)
2194  return nullptr;
2195 
2196  bool ReleasedAllocated = false;
2197 
2198  // If the size is 0, free the memory.
2199  if (SizeIsZero)
2200  if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0,
2201  false, ReleasedAllocated)){
2202  // The semantics of the return value are:
2203  // If size was equal to 0, either NULL or a pointer suitable to be passed
2204  // to free() is returned. We just free the input pointer and do not add
2205  // any constrains on the output pointer.
2206  return stateFree;
2207  }
2208 
2209  // Default behavior.
2210  if (ProgramStateRef stateFree =
2211  FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) {
2212 
2213  ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize,
2214  UnknownVal(), stateFree);
2215  if (!stateRealloc)
2216  return nullptr;
2217 
2218  ReallocPairKind Kind = RPToBeFreedAfterFailure;
2219  if (FreesOnFail)
2220  Kind = RPIsFreeOnFailure;
2221  else if (!ReleasedAllocated)
2222  Kind = RPDoNotTrackAfterFailure;
2223 
2224  // Record the info about the reallocated symbol so that we could properly
2225  // process failed reallocation.
2226  stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
2227  ReallocPair(FromPtr, Kind));
2228  // The reallocated symbol should stay alive for as long as the new symbol.
2229  C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
2230  return stateRealloc;
2231  }
2232  return nullptr;
2233 }
2234 
2235 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE,
2237  if (!State)
2238  return nullptr;
2239 
2240  if (CE->getNumArgs() < 2)
2241  return nullptr;
2242 
2243  SValBuilder &svalBuilder = C.getSValBuilder();
2244  SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
2245  SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
2246 
2247  return MallocMemAux(C, CE, TotalSize, zeroVal, State);
2248 }
2249 
2250 LeakInfo
2251 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
2252  CheckerContext &C) const {
2253  const LocationContext *LeakContext = N->getLocationContext();
2254  // Walk the ExplodedGraph backwards and find the first node that referred to
2255  // the tracked symbol.
2256  const ExplodedNode *AllocNode = N;
2257  const MemRegion *ReferenceRegion = nullptr;
2258 
2259  while (N) {
2260  ProgramStateRef State = N->getState();
2261  if (!State->get<RegionState>(Sym))
2262  break;
2263 
2264  // Find the most recent expression bound to the symbol in the current
2265  // context.
2266  if (!ReferenceRegion) {
2267  if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2268  SVal Val = State->getSVal(MR);
2269  if (Val.getAsLocSymbol() == Sym) {
2270  const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>();
2271  // Do not show local variables belonging to a function other than
2272  // where the error is reported.
2273  if (!VR ||
2274  (VR->getStackFrame() == LeakContext->getStackFrame()))
2275  ReferenceRegion = MR;
2276  }
2277  }
2278  }
2279 
2280  // Allocation node, is the last node in the current or parent context in
2281  // which the symbol was tracked.
2282  const LocationContext *NContext = N->getLocationContext();
2283  if (NContext == LeakContext ||
2284  NContext->isParentOf(LeakContext))
2285  AllocNode = N;
2286  N = N->pred_empty() ? nullptr : *(N->pred_begin());
2287  }
2288 
2289  return LeakInfo(AllocNode, ReferenceRegion);
2290 }
2291 
2292 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
2293  CheckerContext &C) const {
2294 
2295  if (!ChecksEnabled[CK_MallocChecker] &&
2296  !ChecksEnabled[CK_NewDeleteLeaksChecker])
2297  return;
2298 
2299  const RefState *RS = C.getState()->get<RegionState>(Sym);
2300  assert(RS && "cannot leak an untracked symbol");
2301  AllocationFamily Family = RS->getAllocationFamily();
2302 
2303  if (Family == AF_Alloca)
2304  return;
2305 
2307  CheckKind = getCheckIfTracked(Family, true);
2308 
2309  if (!CheckKind.hasValue())
2310  return;
2311 
2312  assert(N);
2313  if (!BT_Leak[*CheckKind]) {
2314  // Leaks should not be reported if they are post-dominated by a sink:
2315  // (1) Sinks are higher importance bugs.
2316  // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2317  // with __noreturn functions such as assert() or exit(). We choose not
2318  // to report leaks on such paths.
2319  BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak",
2321  /*SuppressOnSink=*/true));
2322  }
2323 
2324  // Most bug reports are cached at the location where they occurred.
2325  // With leaks, we want to unique them by the location where they were
2326  // allocated, and only report a single path.
2327  PathDiagnosticLocation LocUsedForUniqueing;
2328  const ExplodedNode *AllocNode = nullptr;
2329  const MemRegion *Region = nullptr;
2330  std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
2331 
2332  const Stmt *AllocationStmt = PathDiagnosticLocation::getStmt(AllocNode);
2333  if (AllocationStmt)
2334  LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
2335  C.getSourceManager(),
2336  AllocNode->getLocationContext());
2337 
2338  SmallString<200> buf;
2339  llvm::raw_svector_ostream os(buf);
2340  if (Region && Region->canPrintPretty()) {
2341  os << "Potential leak of memory pointed to by ";
2342  Region->printPretty(os);
2343  } else {
2344  os << "Potential memory leak";
2345  }
2346 
2347  auto R = llvm::make_unique<BugReport>(
2348  *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
2349  AllocNode->getLocationContext()->getDecl());
2350  R->markInteresting(Sym);
2351  R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true));
2352  C.emitReport(std::move(R));
2353 }
2354 
2355 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2356  CheckerContext &C) const
2357 {
2358  ProgramStateRef state = C.getState();
2359  RegionStateTy OldRS = state->get<RegionState>();
2360  RegionStateTy::Factory &F = state->get_context<RegionState>();
2361 
2362  RegionStateTy RS = OldRS;
2364  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2365  if (SymReaper.isDead(I->first)) {
2366  if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero())
2367  Errors.push_back(I->first);
2368  // Remove the dead symbol from the map.
2369  RS = F.remove(RS, I->first);
2370  }
2371  }
2372 
2373  if (RS == OldRS) {
2374  // We shouldn't have touched other maps yet.
2375  assert(state->get<ReallocPairs>() ==
2376  C.getState()->get<ReallocPairs>());
2377  assert(state->get<FreeReturnValue>() ==
2378  C.getState()->get<FreeReturnValue>());
2379  return;
2380  }
2381 
2382  // Cleanup the Realloc Pairs Map.
2383  ReallocPairsTy RP = state->get<ReallocPairs>();
2384  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2385  if (SymReaper.isDead(I->first) ||
2386  SymReaper.isDead(I->second.ReallocatedSym)) {
2387  state = state->remove<ReallocPairs>(I->first);
2388  }
2389  }
2390 
2391  // Cleanup the FreeReturnValue Map.
2392  FreeReturnValueTy FR = state->get<FreeReturnValue>();
2393  for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
2394  if (SymReaper.isDead(I->first) ||
2395  SymReaper.isDead(I->second)) {
2396  state = state->remove<FreeReturnValue>(I->first);
2397  }
2398  }
2399 
2400  // Generate leak node.
2401  ExplodedNode *N = C.getPredecessor();
2402  if (!Errors.empty()) {
2403  static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2404  N = C.generateNonFatalErrorNode(C.getState(), &Tag);
2405  if (N) {
2407  I = Errors.begin(), E = Errors.end(); I != E; ++I) {
2408  reportLeak(*I, N, C);
2409  }
2410  }
2411  }
2412 
2413  C.addTransition(state->set<RegionState>(RS), N);
2414 }
2415 
2416 void MallocChecker::checkPreCall(const CallEvent &Call,
2417  CheckerContext &C) const {
2418 
2419  if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) {
2420  SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2421  if (!Sym || checkDoubleDelete(Sym, C))
2422  return;
2423  }
2424 
2425  // We will check for double free in the post visit.
2426  if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
2427  const FunctionDecl *FD = FC->getDecl();
2428  if (!FD)
2429  return;
2430 
2431  ASTContext &Ctx = C.getASTContext();
2432  if (ChecksEnabled[CK_MallocChecker] &&
2433  (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) ||
2434  isCMemFunction(FD, Ctx, AF_IfNameIndex,
2435  MemoryOperationKind::MOK_Free)))
2436  return;
2437  }
2438 
2439  // Check if the callee of a method is deleted.
2440  if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
2441  SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2442  if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2443  return;
2444  }
2445 
2446  // Check arguments for being used after free.
2447  for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2448  SVal ArgSVal = Call.getArgSVal(I);
2449  if (ArgSVal.getAs<Loc>()) {
2450  SymbolRef Sym = ArgSVal.getAsSymbol();
2451  if (!Sym)
2452  continue;
2453  if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
2454  return;
2455  }
2456  }
2457 }
2458 
2459 void MallocChecker::checkPreStmt(const ReturnStmt *S,
2460  CheckerContext &C) const {
2461  checkEscapeOnReturn(S, C);
2462 }
2463 
2464 // In the CFG, automatic destructors come after the return statement.
2465 // This callback checks for returning memory that is freed by automatic
2466 // destructors, as those cannot be reached in checkPreStmt().
2467 void MallocChecker::checkEndFunction(const ReturnStmt *S,
2468  CheckerContext &C) const {
2469  checkEscapeOnReturn(S, C);
2470 }
2471 
2472 void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
2473  CheckerContext &C) const {
2474  if (!S)
2475  return;
2476 
2477  const Expr *E = S->getRetValue();
2478  if (!E)
2479  return;
2480 
2481  // Check if we are returning a symbol.
2482  ProgramStateRef State = C.getState();
2483  SVal RetVal = C.getSVal(E);
2484  SymbolRef Sym = RetVal.getAsSymbol();
2485  if (!Sym)
2486  // If we are returning a field of the allocated struct or an array element,
2487  // the callee could still free the memory.
2488  // TODO: This logic should be a part of generic symbol escape callback.
2489  if (const MemRegion *MR = RetVal.getAsRegion())
2490  if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR))
2491  if (const SymbolicRegion *BMR =
2492  dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
2493  Sym = BMR->getSymbol();
2494 
2495  // Check if we are returning freed memory.
2496  if (Sym)
2497  checkUseAfterFree(Sym, C, E);
2498 }
2499 
2500 // TODO: Blocks should be either inlined or should call invalidate regions
2501 // upon invocation. After that's in place, special casing here will not be
2502 // needed.
2503 void MallocChecker::checkPostStmt(const BlockExpr *BE,
2504  CheckerContext &C) const {
2505 
2506  // Scan the BlockDecRefExprs for any object the retain count checker
2507  // may be tracking.
2508  if (!BE->getBlockDecl()->hasCaptures())
2509  return;
2510 
2511  ProgramStateRef state = C.getState();
2512  const BlockDataRegion *R =
2513  cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());
2514 
2515  BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
2516  E = R->referenced_vars_end();
2517 
2518  if (I == E)
2519  return;
2520 
2522  const LocationContext *LC = C.getLocationContext();
2523  MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
2524 
2525  for ( ; I != E; ++I) {
2526  const VarRegion *VR = I.getCapturedRegion();
2527  if (VR->getSuperRegion() == R) {
2528  VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2529  }
2530  Regions.push_back(VR);
2531  }
2532 
2533  state =
2534  state->scanReachableSymbols<StopTrackingCallback>(Regions).getState();
2535  C.addTransition(state);
2536 }
2537 
2538 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const {
2539  assert(Sym);
2540  const RefState *RS = C.getState()->get<RegionState>(Sym);
2541  return (RS && RS->isReleased());
2542 }
2543 
2544 bool MallocChecker::suppressDeallocationsInSuspiciousContexts(
2545  const CallExpr *CE, CheckerContext &C) const {
2546  if (CE->getNumArgs() == 0)
2547  return false;
2548 
2549  StringRef FunctionStr = "";
2550  if (const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
2551  if (const Stmt *Body = FD->getBody())
2552  if (Body->getBeginLoc().isValid())
2553  FunctionStr =
2555  {FD->getBeginLoc(), Body->getBeginLoc()}),
2556  C.getSourceManager(), C.getLangOpts());
2557 
2558  // We do not model the Integer Set Library's retain-count based allocation.
2559  if (!FunctionStr.contains("__isl_"))
2560  return false;
2561 
2562  ProgramStateRef State = C.getState();
2563 
2564  for (const Expr *Arg : CE->arguments())
2565  if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol())
2566  if (const RefState *RS = State->get<RegionState>(Sym))
2567  State = State->set<RegionState>(Sym, RefState::getEscaped(RS));
2568 
2569  C.addTransition(State);
2570  return true;
2571 }
2572 
2573 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
2574  const Stmt *S) const {
2575 
2576  if (isReleased(Sym, C)) {
2577  ReportUseAfterFree(C, S->getSourceRange(), Sym);
2578  return true;
2579  }
2580 
2581  return false;
2582 }
2583 
2584 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
2585  const Stmt *S) const {
2586  assert(Sym);
2587 
2588  if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
2589  if (RS->isAllocatedOfSizeZero())
2590  ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym);
2591  }
2592  else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
2593  ReportUseZeroAllocated(C, S->getSourceRange(), Sym);
2594  }
2595 }
2596 
2597 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
2598 
2599  if (isReleased(Sym, C)) {
2600  ReportDoubleDelete(C, Sym);
2601  return true;
2602  }
2603  return false;
2604 }
2605 
2606 // Check if the location is a freed symbolic region.
2607 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
2608  CheckerContext &C) const {
2609  SymbolRef Sym = l.getLocSymbolInBase();
2610  if (Sym) {
2611  checkUseAfterFree(Sym, C, S);
2612  checkUseZeroAllocated(Sym, C, S);
2613  }
2614 }
2615 
2616 // If a symbolic region is assumed to NULL (or another constant), stop tracking
2617 // it - assuming that allocation failed on this path.
2618 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
2619  SVal Cond,
2620  bool Assumption) const {
2621  RegionStateTy RS = state->get<RegionState>();
2622  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2623  // If the symbol is assumed to be NULL, remove it from consideration.
2624  ConstraintManager &CMgr = state->getConstraintManager();
2625  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2626  if (AllocFailed.isConstrainedTrue())
2627  state = state->remove<RegionState>(I.getKey());
2628  }
2629 
2630  // Realloc returns 0 when reallocation fails, which means that we should
2631  // restore the state of the pointer being reallocated.
2632  ReallocPairsTy RP = state->get<ReallocPairs>();
2633  for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2634  // If the symbol is assumed to be NULL, remove it from consideration.
2635  ConstraintManager &CMgr = state->getConstraintManager();
2636  ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2637  if (!AllocFailed.isConstrainedTrue())
2638  continue;
2639 
2640  SymbolRef ReallocSym = I.getData().ReallocatedSym;
2641  if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
2642  if (RS->isReleased()) {
2643  if (I.getData().Kind == RPToBeFreedAfterFailure)
2644  state = state->set<RegionState>(ReallocSym,
2645  RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt()));
2646  else if (I.getData().Kind == RPDoNotTrackAfterFailure)
2647  state = state->remove<RegionState>(ReallocSym);
2648  else
2649  assert(I.getData().Kind == RPIsFreeOnFailure);
2650  }
2651  }
2652  state = state->remove<ReallocPairs>(I.getKey());
2653  }
2654 
2655  return state;
2656 }
2657 
2658 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
2659  const CallEvent *Call,
2661  SymbolRef &EscapingSymbol) const {
2662  assert(Call);
2663  EscapingSymbol = nullptr;
2664 
2665  // For now, assume that any C++ or block call can free memory.
2666  // TODO: If we want to be more optimistic here, we'll need to make sure that
2667  // regions escape to C++ containers. They seem to do that even now, but for
2668  // mysterious reasons.
2669  if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call)))
2670  return true;
2671 
2672  // Check Objective-C messages by selector name.
2673  if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
2674  // If it's not a framework call, or if it takes a callback, assume it
2675  // can free memory.
2676  if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
2677  return true;
2678 
2679  // If it's a method we know about, handle it explicitly post-call.
2680  // This should happen before the "freeWhenDone" check below.
2681  if (isKnownDeallocObjCMethodName(*Msg))
2682  return false;
2683 
2684  // If there's a "freeWhenDone" parameter, but the method isn't one we know
2685  // about, we can't be sure that the object will use free() to deallocate the
2686  // memory, so we can't model it explicitly. The best we can do is use it to
2687  // decide whether the pointer escapes.
2688  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
2689  return *FreeWhenDone;
2690 
2691  // If the first selector piece ends with "NoCopy", and there is no
2692  // "freeWhenDone" parameter set to zero, we know ownership is being
2693  // transferred. Again, though, we can't be sure that the object will use
2694  // free() to deallocate the memory, so we can't model it explicitly.
2695  StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
2696  if (FirstSlot.endswith("NoCopy"))
2697  return true;
2698 
2699  // If the first selector starts with addPointer, insertPointer,
2700  // or replacePointer, assume we are dealing with NSPointerArray or similar.
2701  // This is similar to C++ containers (vector); we still might want to check
2702  // that the pointers get freed by following the container itself.
2703  if (FirstSlot.startswith("addPointer") ||
2704  FirstSlot.startswith("insertPointer") ||
2705  FirstSlot.startswith("replacePointer") ||
2706  FirstSlot.equals("valueWithPointer")) {
2707  return true;
2708  }
2709 
2710  // We should escape receiver on call to 'init'. This is especially relevant
2711  // to the receiver, as the corresponding symbol is usually not referenced
2712  // after the call.
2713  if (Msg->getMethodFamily() == OMF_init) {
2714  EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
2715  return true;
2716  }
2717 
2718  // Otherwise, assume that the method does not free memory.
2719  // Most framework methods do not free memory.
2720  return false;
2721  }
2722 
2723  // At this point the only thing left to handle is straight function calls.
2724  const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
2725  if (!FD)
2726  return true;
2727 
2728  ASTContext &ASTC = State->getStateManager().getContext();
2729 
2730  // If it's one of the allocation functions we can reason about, we model
2731  // its behavior explicitly.
2732  if (isMemFunction(FD, ASTC))
2733  return false;
2734 
2735  // If it's not a system call, assume it frees memory.
2736  if (!Call->isInSystemHeader())
2737  return true;
2738 
2739  // White list the system functions whose arguments escape.
2740  const IdentifierInfo *II = FD->getIdentifier();
2741  if (!II)
2742  return true;
2743  StringRef FName = II->getName();
2744 
2745  // White list the 'XXXNoCopy' CoreFoundation functions.
2746  // We specifically check these before
2747  if (FName.endswith("NoCopy")) {
2748  // Look for the deallocator argument. We know that the memory ownership
2749  // is not transferred only if the deallocator argument is
2750  // 'kCFAllocatorNull'.
2751  for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
2752  const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
2753  if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
2754  StringRef DeallocatorName = DE->getFoundDecl()->getName();
2755  if (DeallocatorName == "kCFAllocatorNull")
2756  return false;
2757  }
2758  }
2759  return true;
2760  }
2761 
2762  // Associating streams with malloced buffers. The pointer can escape if
2763  // 'closefn' is specified (and if that function does free memory),
2764  // but it will not if closefn is not specified.
2765  // Currently, we do not inspect the 'closefn' function (PR12101).
2766  if (FName == "funopen")
2767  if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
2768  return false;
2769 
2770  // Do not warn on pointers passed to 'setbuf' when used with std streams,
2771  // these leaks might be intentional when setting the buffer for stdio.
2772  // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
2773  if (FName == "setbuf" || FName =="setbuffer" ||
2774  FName == "setlinebuf" || FName == "setvbuf") {
2775  if (Call->getNumArgs() >= 1) {
2776  const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
2777  if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
2778  if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
2779  if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos)
2780  return true;
2781  }
2782  }
2783 
2784  // A bunch of other functions which either take ownership of a pointer or
2785  // wrap the result up in a struct or object, meaning it can be freed later.
2786  // (See RetainCountChecker.) Not all the parameters here are invalidated,
2787  // but the Malloc checker cannot differentiate between them. The right way
2788  // of doing this would be to implement a pointer escapes callback.
2789  if (FName == "CGBitmapContextCreate" ||
2790  FName == "CGBitmapContextCreateWithData" ||
2791  FName == "CVPixelBufferCreateWithBytes" ||
2792  FName == "CVPixelBufferCreateWithPlanarBytes" ||
2793  FName == "OSAtomicEnqueue") {
2794  return true;
2795  }
2796 
2797  if (FName == "postEvent" &&
2798  FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2799  return true;
2800  }
2801 
2802  if (FName == "postEvent" &&
2803  FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2804  return true;
2805  }
2806 
2807  if (FName == "connectImpl" &&
2808  FD->getQualifiedNameAsString() == "QObject::connectImpl") {
2809  return true;
2810  }
2811 
2812  // Handle cases where we know a buffer's /address/ can escape.
2813  // Note that the above checks handle some special cases where we know that
2814  // even though the address escapes, it's still our responsibility to free the
2815  // buffer.
2816  if (Call->argumentsMayEscape())
2817  return true;
2818 
2819  // Otherwise, assume that the function does not free memory.
2820  // Most system calls do not free the memory.
2821  return false;
2822 }
2823 
2824 static bool retTrue(const RefState *RS) {
2825  return true;
2826 }
2827 
2828 static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
2829  return (RS->getAllocationFamily() == AF_CXXNewArray ||
2830  RS->getAllocationFamily() == AF_CXXNew);
2831 }
2832 
2833 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
2834  const InvalidatedSymbols &Escaped,
2835  const CallEvent *Call,
2836  PointerEscapeKind Kind) const {
2837  return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue);
2838 }
2839 
2840 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
2841  const InvalidatedSymbols &Escaped,
2842  const CallEvent *Call,
2843  PointerEscapeKind Kind) const {
2844  return checkPointerEscapeAux(State, Escaped, Call, Kind,
2846 }
2847 
2848 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State,
2849  const InvalidatedSymbols &Escaped,
2850  const CallEvent *Call,
2852  bool(*CheckRefState)(const RefState*)) const {
2853  // If we know that the call does not free memory, or we want to process the
2854  // call later, keep tracking the top level arguments.
2855  SymbolRef EscapingSymbol = nullptr;
2856  if (Kind == PSK_DirectEscapeOnCall &&
2857  !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
2858  EscapingSymbol) &&
2859  !EscapingSymbol) {
2860  return State;
2861  }
2862 
2863  for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
2864  E = Escaped.end();
2865  I != E; ++I) {
2866  SymbolRef sym = *I;
2867 
2868  if (EscapingSymbol && EscapingSymbol != sym)
2869  continue;
2870 
2871  if (const RefState *RS = State->get<RegionState>(sym)) {
2872  if ((RS->isAllocated() || RS->isAllocatedOfSizeZero()) &&
2873  CheckRefState(RS)) {
2874  State = State->set<RegionState>(sym, RefState::getEscaped(RS));
2875  }
2876  }
2877  }
2878  return State;
2879 }
2880 
2882  ProgramStateRef prevState) {
2883  ReallocPairsTy currMap = currState->get<ReallocPairs>();
2884  ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
2885 
2886  for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end();
2887  I != E; ++I) {
2888  SymbolRef sym = I.getKey();
2889  if (!currMap.lookup(sym))
2890  return sym;
2891  }
2892 
2893  return nullptr;
2894 }
2895 
2897  if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
2898  StringRef N = II->getName();
2899  if (N.contains_lower("ptr") || N.contains_lower("pointer")) {
2900  if (N.contains_lower("ref") || N.contains_lower("cnt") ||
2901  N.contains_lower("intrusive") || N.contains_lower("shared")) {
2902  return true;
2903  }
2904  }
2905  }
2906  return false;
2907 }
2908 
2909 std::shared_ptr<PathDiagnosticPiece> MallocChecker::MallocBugVisitor::VisitNode(
2910  const ExplodedNode *N, BugReporterContext &BRC, BugReport &BR) {
2911 
2912  ProgramStateRef state = N->getState();
2913  ProgramStateRef statePrev = N->getFirstPred()->getState();
2914 
2915  const RefState *RS = state->get<RegionState>(Sym);
2916  const RefState *RSPrev = statePrev->get<RegionState>(Sym);
2917 
2918  const Stmt *S = PathDiagnosticLocation::getStmt(N);
2919  // When dealing with containers, we sometimes want to give a note
2920  // even if the statement is missing.
2921  if (!S && (!RS || RS->getAllocationFamily() != AF_InnerBuffer))
2922  return nullptr;
2923 
2924  const LocationContext *CurrentLC = N->getLocationContext();
2925 
2926  // If we find an atomic fetch_add or fetch_sub within the destructor in which
2927  // the pointer was released (before the release), this is likely a destructor
2928  // of a shared pointer.
2929  // Because we don't model atomics, and also because we don't know that the
2930  // original reference count is positive, we should not report use-after-frees
2931  // on objects deleted in such destructors. This can probably be improved
2932  // through better shared pointer modeling.
2933  if (ReleaseDestructorLC) {
2934  if (const auto *AE = dyn_cast<AtomicExpr>(S)) {
2935  AtomicExpr::AtomicOp Op = AE->getOp();
2936  if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
2937  Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
2938  if (ReleaseDestructorLC == CurrentLC ||
2939  ReleaseDestructorLC->isParentOf(CurrentLC)) {
2940  BR.markInvalid(getTag(), S);
2941  }
2942  }
2943  }
2944  }
2945 
2946  // FIXME: We will eventually need to handle non-statement-based events
2947  // (__attribute__((cleanup))).
2948 
2949  // Find out if this is an interesting point and what is the kind.
2950  StringRef Msg;
2951  StackHintGeneratorForSymbol *StackHint = nullptr;
2952  SmallString<256> Buf;
2953  llvm::raw_svector_ostream OS(Buf);
2954 
2955  if (Mode == Normal) {
2956  if (isAllocated(RS, RSPrev, S)) {
2957  Msg = "Memory is allocated";
2958  StackHint = new StackHintGeneratorForSymbol(Sym,
2959  "Returned allocated memory");
2960  } else if (isReleased(RS, RSPrev, S)) {
2961  const auto Family = RS->getAllocationFamily();
2962  switch (Family) {
2963  case AF_Alloca:
2964  case AF_Malloc:
2965  case AF_CXXNew:
2966  case AF_CXXNewArray:
2967  case AF_IfNameIndex:
2968  Msg = "Memory is released";
2969  StackHint = new StackHintGeneratorForSymbol(Sym,
2970  "Returning; memory was released");
2971  break;
2972  case AF_InnerBuffer: {
2973  const MemRegion *ObjRegion =
2975  const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
2976  QualType ObjTy = TypedRegion->getValueType();
2977  OS << "Inner buffer of '" << ObjTy.getAsString() << "' ";
2978 
2979  if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
2980  OS << "deallocated by call to destructor";
2981  StackHint = new StackHintGeneratorForSymbol(Sym,
2982  "Returning; inner buffer was deallocated");
2983  } else {
2984  OS << "reallocated by call to '";
2985  const Stmt *S = RS->getStmt();
2986  if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) {
2987  OS << MemCallE->getMethodDecl()->getNameAsString();
2988  } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) {
2989  OS << OpCallE->getDirectCallee()->getNameAsString();
2990  } else if (const auto *CallE = dyn_cast<CallExpr>(S)) {
2991  auto &CEMgr = BRC.getStateManager().getCallEventManager();
2992  CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC);
2993  const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl());
2994  OS << (D ? D->getNameAsString() : "unknown");
2995  }
2996  OS << "'";
2997  StackHint = new StackHintGeneratorForSymbol(Sym,
2998  "Returning; inner buffer was reallocated");
2999  }
3000  Msg = OS.str();
3001  break;
3002  }
3003  case AF_None:
3004  llvm_unreachable("Unhandled allocation family!");
3005  }
3006 
3007  // See if we're releasing memory while inlining a destructor
3008  // (or one of its callees). This turns on various common
3009  // false positive suppressions.
3010  bool FoundAnyDestructor = false;
3011  for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
3012  if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
3014  // This immediately looks like a reference-counting destructor.
3015  // We're bad at guessing the original reference count of the object,
3016  // so suppress the report for now.
3017  BR.markInvalid(getTag(), DD);
3018  } else if (!FoundAnyDestructor) {
3019  assert(!ReleaseDestructorLC &&
3020  "There can be only one release point!");
3021  // Suspect that it's a reference counting pointer destructor.
3022  // On one of the next nodes might find out that it has atomic
3023  // reference counting operations within it (see the code above),
3024  // and if so, we'd conclude that it likely is a reference counting
3025  // pointer destructor.
3026  ReleaseDestructorLC = LC->getStackFrame();
3027  // It is unlikely that releasing memory is delegated to a destructor
3028  // inside a destructor of a shared pointer, because it's fairly hard
3029  // to pass the information that the pointer indeed needs to be
3030  // released into it. So we're only interested in the innermost
3031  // destructor.
3032  FoundAnyDestructor = true;
3033  }
3034  }
3035  }
3036  } else if (isRelinquished(RS, RSPrev, S)) {
3037  Msg = "Memory ownership is transferred";
3038  StackHint = new StackHintGeneratorForSymbol(Sym, "");
3039  } else if (isReallocFailedCheck(RS, RSPrev, S)) {
3040  Mode = ReallocationFailed;
3041  Msg = "Reallocation failed";
3042  StackHint = new StackHintGeneratorForReallocationFailed(Sym,
3043  "Reallocation failed");
3044 
3045  if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
3046  // Is it possible to fail two reallocs WITHOUT testing in between?
3047  assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
3048  "We only support one failed realloc at a time.");
3049  BR.markInteresting(sym);
3050  FailedReallocSymbol = sym;
3051  }
3052  }
3053 
3054  // We are in a special mode if a reallocation failed later in the path.
3055  } else if (Mode == ReallocationFailed) {
3056  assert(FailedReallocSymbol && "No symbol to look for.");
3057 
3058  // Is this is the first appearance of the reallocated symbol?
3059  if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
3060  // We're at the reallocation point.
3061  Msg = "Attempt to reallocate memory";
3062  StackHint = new StackHintGeneratorForSymbol(Sym,
3063  "Returned reallocated memory");
3064  FailedReallocSymbol = nullptr;
3065  Mode = Normal;
3066  }
3067  }
3068 
3069  if (Msg.empty())
3070  return nullptr;
3071  assert(StackHint);
3072 
3073  // Generate the extra diagnostic.
3074  PathDiagnosticLocation Pos;
3075  if (!S) {
3076  assert(RS->getAllocationFamily() == AF_InnerBuffer);
3077  auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
3078  if (!PostImplCall)
3079  return nullptr;
3080  Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
3081  BRC.getSourceManager());
3082  } else {
3083  Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
3084  N->getLocationContext());
3085  }
3086 
3087  return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true, StackHint);
3088 }
3089 
3090 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
3091  const char *NL, const char *Sep) const {
3092 
3093  RegionStateTy RS = State->get<RegionState>();
3094 
3095  if (!RS.isEmpty()) {
3096  Out << Sep << "MallocChecker :" << NL;
3097  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3098  const RefState *RefS = State->get<RegionState>(I.getKey());
3099  AllocationFamily Family = RefS->getAllocationFamily();
3100  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
3101  if (!CheckKind.hasValue())
3102  CheckKind = getCheckIfTracked(Family, true);
3103 
3104  I.getKey()->dumpToStream(Out);
3105  Out << " : ";
3106  I.getData().dump(Out);
3107  if (CheckKind.hasValue())
3108  Out << " (" << CheckNames[*CheckKind].getName() << ")";
3109  Out << NL;
3110  }
3111  }
3112 }
3113 
3114 namespace clang {
3115 namespace ento {
3116 namespace allocation_state {
3117 
3120  AllocationFamily Family = AF_InnerBuffer;
3121  return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3122 }
3123 
3124 } // end namespace allocation_state
3125 } // end namespace ento
3126 } // end namespace clang
3127 
3128 // Intended to be used in InnerPointerChecker to register the part of
3129 // MallocChecker connected to it.
3131  MallocChecker *checker = mgr.getChecker<MallocChecker>();
3132  checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
3133  checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
3134  mgr.getCurrentCheckName();
3135 }
3136 
3137 void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
3138  auto *checker = mgr.registerChecker<MallocChecker>();
3139  checker->IsOptimistic = mgr.getAnalyzerOptions().getCheckerBooleanOption(
3140  checker, "Optimistic");
3141 }
3142 
3143 bool ento::shouldRegisterDynamicMemoryModeling(const LangOptions &LO) {
3144  return true;
3145 }
3146 
3147 #define REGISTER_CHECKER(name) \
3148  void ento::register##name(CheckerManager &mgr) { \
3149  MallocChecker *checker = mgr.getChecker<MallocChecker>(); \
3150  checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3151  checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \
3152  } \
3153  \
3154  bool ento::shouldRegister##name(const LangOptions &LO) { \
3155  return true; \
3156  }
3157 
3158 REGISTER_CHECKER(MallocChecker)
3159 REGISTER_CHECKER(NewDeleteChecker)
3160 REGISTER_CHECKER(NewDeleteLeaksChecker)
3161 REGISTER_CHECKER(MismatchedDeallocatorChecker)
const BlockDecl * getBlockDecl() const
Definition: Expr.h:5555
Represents a function declaration or definition.
Definition: Decl.h:1748
Smart pointer class that efficiently represents Objective-C method names.
A (possibly-)qualified type.
Definition: Type.h:643
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2673
bool hasCaptures() const
True if this block (or its nested blocks) captures anything of local storage from its enclosing scope...
Definition: Decl.h:4034
bool operator==(CanQual< T > x, CanQual< U > y)
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
const SymExpr * SymbolRef
Stmt - This represents one statement.
Definition: Stmt.h:66
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2660
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:505
const llvm::Triple & getTriple() const
Returns the target triple of the primary target.
Definition: TargetInfo.h:985
Defines the SourceManager interface.
static CharSourceRange getTokenRange(SourceRange R)
void registerInnerPointerCheckerAux(CheckerManager &Mgr)
Register the part of MallocChecker connected to InnerPointerChecker.
__DEVICE__ long long abs(long long __n)
FunctionDecl * getOperatorNew() const
Definition: ExprCXX.h:2119
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
const MemRegion * getContainerObjRegion(ProgramStateRef State, SymbolRef Sym)
&#39;Sym&#39; represents a pointer to the inner buffer of a container object.
Represents a call to a C++ constructor.
Definition: ExprCXX.h:1326
const TargetInfo & getTargetInfo() const
Definition: ASTContext.h:693
constexpr XRayInstrMask Function
Definition: XRayInstr.h:38
Represents a C++ constructor within a class.
Definition: DeclCXX.h:2566
bool isConsumedExpr(Expr *E) const
Definition: ParentMap.cpp:171
Represents a variable declaration or definition.
Definition: Decl.h:812
long i
Definition: xmmintrin.h:1456
Symbolic value.
Definition: SymExpr.h:29
bool isParentOf(const LocationContext *LC) const
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call)
One of these records is kept for each identifier that is lexed.
void print(raw_ostream &Out, unsigned Indentation=0, bool PrintInstantiation=false) const
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:154
LineState State
const CXXConstructExpr * getConstructExpr() const
Returns the CXXConstructExpr from this new-expression, or null.
Definition: ExprCXX.h:2188
std::unique_ptr< BugReporterVisitor > getInnerPointerBRVisitor(SymbolRef Sym)
This function provides an additional visitor that augments the bug report with information relevant t...
SourceLocation getBeginLoc() const LLVM_READONLY
Definition: Decl.h:738
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:49
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
IdentifierTable & Idents
Definition: ASTContext.h:569
ArrayRef< ParmVarDecl * > parameters() const
Definition: Decl.h:2289
static bool isLocType(QualType T)
Definition: SVals.h:329
Represents any expression that calls an Objective-C method.
Definition: CallEvent.h:937
Optional< Expr * > getArraySize()
Definition: ExprCXX.h:2126
Stmt * getBody(const FunctionDecl *&Definition) const
Retrieve the body (definition) of the function.
Definition: Decl.cpp:2808
FunctionDecl * getOperatorDelete() const
Definition: ExprCXX.h:2300
CharUnits - This is an opaque type for sizes expressed in character units.
Definition: CharUnits.h:37
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
const LocationContext * getParent() const
static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD)
static bool didPreviousFreeFail(ProgramStateRef State, SymbolRef Sym, SymbolRef &RetStatusSymbol)
Checks if the previous call to free on the given symbol failed - if free failed, returns true...
CheckName getCurrentCheckName() const
bool isArrayForm() const
Definition: ExprCXX.h:2287
CXXRecordDecl * getAsCXXRecordDecl() const
Retrieves the CXXRecordDecl that this type refers to, either because the type is a RecordType or beca...
Definition: Type.cpp:1636
OverloadedOperatorKind getOverloadedOperator() const
getOverloadedOperator - Which C++ overloaded operator this function represents, if any...
Definition: Decl.cpp:3383
CXXConstructorDecl * getConstructor() const
Get the constructor that this expression will (ultimately) call.
Definition: ExprCXX.h:1398
Represents a non-static C++ member function call, no matter how it is written.
Definition: CallEvent.h:637
QuantityType getQuantity() const
getQuantity - Get the raw integer representation of this quantity.
Definition: CharUnits.h:178
unsigned Offset
Definition: Format.cpp:1713
static StringRef getSourceText(CharSourceRange Range, const SourceManager &SM, const LangOptions &LangOpts, bool *Invalid=nullptr)
Returns a string for the source that the range encompasses.
Definition: Lexer.cpp:930
This represents one expression.
Definition: Expr.h:108
std::string Label
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
Represents an implicit call to a C++ destructor.
Definition: CallEvent.h:767
#define V(N, I)
Definition: ASTContext.h:2907
static bool retTrue(const RefState *RS)
BlockExpr - Adaptor class for mixing a BlockDecl with expressions.
Definition: Expr.h:5541
Represents a C++ destructor within a class.
Definition: DeclCXX.h:2830
The pointer has been passed to a function call directly.
StringRef getNameForSlot(unsigned argIndex) const
Retrieve the name at a given position in the selector.
FunctionDecl * getDirectCallee()
If the callee is a FunctionDecl, return it. Otherwise return null.
Definition: Expr.h:2652
QualType getType() const
Definition: Expr.h:137
ReturnStmt - This represents a return, optionally of an expression: return; return 4;...
Definition: Stmt.h:2610
An expression that sends a message to the given Objective-C object or class.
Definition: ExprObjC.h:950
unsigned getNumArgs() const
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:708
bool hasAttrs() const
Definition: DeclBase.h:484
static const Stmt * getStmt(const ExplodedNode *N)
Given an exploded node, retrieve the statement that should be used for the diagnostic location...
Expr * getArgument()
Definition: ExprCXX.h:2302
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Kind
AllocationFamily
Encodes a location in the source.
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Expr * getRetValue()
Definition: Stmt.h:2643
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
ReallocPairKind
Represents a new-expression for memory allocation and constructor calls, e.g: "new CXXNewExpr(foo)"...
Definition: ExprCXX.h:2000
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:376
static bool checkIfNewOrNewArrayFamily(const RefState *RS)
QualType getAllocatedType() const
Definition: ExprCXX.h:2093
bool isArray() const
Definition: ExprCXX.h:2124
arg_range arguments()
Definition: Expr.h:2710
static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, ProgramStateRef prevState)
static bool treatUnusedNewEscaped(const CXXNewExpr *NE)
StringRef getName() const
Return the actual identifier string.
virtual const ObjCMessageExpr * getOriginExpr() const
Definition: CallEvent.h:961
CanQualType CharTy
Definition: ASTContext.h:1016
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Selector getSelector() const
Definition: CallEvent.h:985
bool getCheckerBooleanOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option&#39;s string value as a boolean.
Dataflow Directional Tag Classes.
bool isValid() const
Return true if this is a valid SourceLocation object.
Represents a delete expression for memory deallocation and destructor calls, e.g. ...
Definition: ExprCXX.h:2260
Represents a program point just after an implicit call event.
Definition: ProgramPoint.h:600
static std::string getName(const CallEvent &Call)
OverloadedOperatorKind
Enumeration specifying the different kinds of C++ overloaded operators.
Definition: OperatorKinds.h:21
static QualType getDeepPointeeType(QualType T)
const CXXRecordDecl * getParent() const
Returns the parent of this method declaration, which is the class in which this method is defined...
Definition: DeclCXX.h:2237
Kind getKind() const
Definition: DeclBase.h:432
AnalyzerOptions & getAnalyzerOptions()
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Indicates that the tracking object is a descendant of a referenced-counted OSObject, used in the Darwin kernel.
#define REGISTER_CHECKER(name)
const char * getOperatorSpelling(OverloadedOperatorKind Operator)
Retrieve the spelling of the given overloaded operator, without the preceding "operator" keyword...
uint64_t getCharWidth() const
Return the size of the character type, in bits.
Definition: ASTContext.h:2083
static Optional< bool > getFreeWhenDoneArg(const ObjCMethodCall &Call)
const StackFrameContext * getStackFrame() const
ProgramStateRef markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin)
SourceManager & getSourceManager()
Definition: ASTContext.h:665
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
Definition: DeclBase.h:524
X
Add a minimal nested name specifier fixit hint to allow lookup of a tag name from an outer enclosing ...
Definition: SemaDecl.cpp:14425
const Expr * getArgExpr(unsigned Index) const override
Definition: CallEvent.h:973
#define CASE(ID)
static PathDiagnosticLocation createEndOfPath(const ExplodedNode *N, const SourceManager &SM)
Create a location corresponding to the next valid ExplodedNode as end of path location.
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:251
Defines the clang::TargetInfo interface.
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2516
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:275
std::string getQualifiedNameAsString() const
Definition: Decl.cpp:1548
A reference to a declared variable, function, enum, etc.
Definition: Expr.h:1141
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
A trivial tuple used to represent a source range.
This represents a decl that may have a name.
Definition: Decl.h:248
Decl * getCalleeDecl()
Definition: Expr.h:2646
SourceLocation getLocation() const
Definition: DeclBase.h:429