1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/Basic/SourceManager.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20 #include "clang/StaticAnalyzer/Core/Checker.h" 21 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 27 #include "llvm/ADT/ImmutableMap.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include "llvm/ADT/SmallString.h" 30 #include "llvm/ADT/StringExtras.h" 31 #include <climits> 32 33 using namespace clang; 34 using namespace ento; 35 36 namespace { 37 38 // Used to check correspondence between allocators and deallocators. 39 enum AllocationFamily { 40 AF_None, 41 AF_Malloc, 42 AF_CXXNew, 43 AF_CXXNewArray 44 }; 45 46 class RefState { 47 enum Kind { // Reference to allocated memory. 48 Allocated, 49 // Reference to released/freed memory. 50 Released, 51 // The responsibility for freeing resources has transfered from 52 // this reference. A relinquished symbol should not be freed. 53 Relinquished }; 54 55 const Stmt *S; 56 unsigned K : 2; // Kind enum, but stored as a bitfield. 57 unsigned Family : 30; // Rest of 32-bit word, currently just an allocation 58 // family. 59 60 RefState(Kind k, const Stmt *s, unsigned family) 61 : S(s), K(k), Family(family) {} 62 public: 63 bool isAllocated() const { return K == Allocated; } 64 bool isReleased() const { return K == Released; } 65 bool isRelinquished() const { return K == Relinquished; } 66 AllocationFamily getAllocationFamily() const { 67 return (AllocationFamily)Family; 68 } 69 const Stmt *getStmt() const { return S; } 70 71 bool operator==(const RefState &X) const { 72 return K == X.K && S == X.S && Family == X.Family; 73 } 74 75 static RefState getAllocated(unsigned family, const Stmt *s) { 76 return RefState(Allocated, s, family); 77 } 78 static RefState getReleased(unsigned family, const Stmt *s) { 79 return RefState(Released, s, family); 80 } 81 static RefState getRelinquished(unsigned family, const Stmt *s) { 82 return RefState(Relinquished, s, family); 83 } 84 85 void Profile(llvm::FoldingSetNodeID &ID) const { 86 ID.AddInteger(K); 87 ID.AddPointer(S); 88 ID.AddInteger(Family); 89 } 90 91 void dump(raw_ostream &OS) const { 92 static const char *Table[] = { 93 "Allocated", 94 "Released", 95 "Relinquished" 96 }; 97 OS << Table[(unsigned) K]; 98 } 99 100 LLVM_ATTRIBUTE_USED void dump() const { 101 dump(llvm::errs()); 102 } 103 }; 104 105 enum ReallocPairKind { 106 RPToBeFreedAfterFailure, 107 // The symbol has been freed when reallocation failed. 108 RPIsFreeOnFailure, 109 // The symbol does not need to be freed after reallocation fails. 110 RPDoNotTrackAfterFailure 111 }; 112 113 /// \class ReallocPair 114 /// \brief Stores information about the symbol being reallocated by a call to 115 /// 'realloc' to allow modeling failed reallocation later in the path. 116 struct ReallocPair { 117 // \brief The symbol which realloc reallocated. 118 SymbolRef ReallocatedSym; 119 ReallocPairKind Kind; 120 121 ReallocPair(SymbolRef S, ReallocPairKind K) : 122 ReallocatedSym(S), Kind(K) {} 123 void Profile(llvm::FoldingSetNodeID &ID) const { 124 ID.AddInteger(Kind); 125 ID.AddPointer(ReallocatedSym); 126 } 127 bool operator==(const ReallocPair &X) const { 128 return ReallocatedSym == X.ReallocatedSym && 129 Kind == X.Kind; 130 } 131 }; 132 133 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 134 135 class MallocChecker : public Checker<check::DeadSymbols, 136 check::PointerEscape, 137 check::ConstPointerEscape, 138 check::PreStmt<ReturnStmt>, 139 check::PreStmt<CallExpr>, 140 check::PostStmt<CallExpr>, 141 check::PostStmt<CXXNewExpr>, 142 check::PreStmt<CXXDeleteExpr>, 143 check::PostStmt<BlockExpr>, 144 check::PostObjCMessage, 145 check::Location, 146 eval::Assume> 147 { 148 mutable OwningPtr<BugType> BT_DoubleFree; 149 mutable OwningPtr<BugType> BT_Leak; 150 mutable OwningPtr<BugType> BT_UseFree; 151 mutable OwningPtr<BugType> BT_BadFree; 152 mutable OwningPtr<BugType> BT_MismatchedDealloc; 153 mutable OwningPtr<BugType> BT_OffsetFree; 154 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 155 *II_valloc, *II_reallocf, *II_strndup, *II_strdup; 156 157 public: 158 MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), 159 II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} 160 161 /// In pessimistic mode, the checker assumes that it does not know which 162 /// functions might free the memory. 163 struct ChecksFilter { 164 DefaultBool CMallocPessimistic; 165 DefaultBool CMallocOptimistic; 166 DefaultBool CNewDeleteChecker; 167 DefaultBool CNewDeleteLeaksChecker; 168 DefaultBool CMismatchedDeallocatorChecker; 169 }; 170 171 ChecksFilter Filter; 172 173 void checkPreStmt(const CallExpr *S, CheckerContext &C) const; 174 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 175 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 176 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 177 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 178 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 179 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 180 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 181 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 182 bool Assumption) const; 183 void checkLocation(SVal l, bool isLoad, const Stmt *S, 184 CheckerContext &C) const; 185 186 ProgramStateRef checkPointerEscape(ProgramStateRef State, 187 const InvalidatedSymbols &Escaped, 188 const CallEvent *Call, 189 PointerEscapeKind Kind) const; 190 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 191 const InvalidatedSymbols &Escaped, 192 const CallEvent *Call, 193 PointerEscapeKind Kind) const; 194 195 void printState(raw_ostream &Out, ProgramStateRef State, 196 const char *NL, const char *Sep) const; 197 198 private: 199 void initIdentifierInfo(ASTContext &C) const; 200 201 /// \brief Determine family of a deallocation expression. 202 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 203 204 /// \brief Print names of allocators and deallocators. 205 /// 206 /// \returns true on success. 207 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 208 const Expr *E) const; 209 210 /// \brief Print expected name of an allocator based on the deallocator's 211 /// family derived from the DeallocExpr. 212 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 213 const Expr *DeallocExpr) const; 214 /// \brief Print expected name of a deallocator based on the allocator's 215 /// family. 216 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 217 218 ///@{ 219 /// Check if this is one of the functions which can allocate/reallocate memory 220 /// pointed to by one of its arguments. 221 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 222 bool isFreeFunction(const FunctionDecl *FD, ASTContext &C) const; 223 bool isAllocationFunction(const FunctionDecl *FD, ASTContext &C) const; 224 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 225 ///@} 226 static ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 227 const CallExpr *CE, 228 const OwnershipAttr* Att); 229 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 230 const Expr *SizeEx, SVal Init, 231 ProgramStateRef State, 232 AllocationFamily Family = AF_Malloc) { 233 return MallocMemAux(C, CE, 234 State->getSVal(SizeEx, C.getLocationContext()), 235 Init, State, Family); 236 } 237 238 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 239 SVal SizeEx, SVal Init, 240 ProgramStateRef State, 241 AllocationFamily Family = AF_Malloc); 242 243 /// Update the RefState to reflect the new memory allocation. 244 static ProgramStateRef 245 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 246 AllocationFamily Family = AF_Malloc); 247 248 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 249 const OwnershipAttr* Att) const; 250 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 251 ProgramStateRef state, unsigned Num, 252 bool Hold, 253 bool &ReleasedAllocated, 254 bool ReturnsNullOnFailure = false) const; 255 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 256 const Expr *ParentExpr, 257 ProgramStateRef State, 258 bool Hold, 259 bool &ReleasedAllocated, 260 bool ReturnsNullOnFailure = false) const; 261 262 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 263 bool FreesMemOnFailure) const; 264 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 265 266 ///\brief Check if the memory associated with this symbol was released. 267 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 268 269 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 270 271 /// Check if the function is known not to free memory, or if it is 272 /// "interesting" and should be modeled explicitly. 273 /// 274 /// We assume that pointers do not escape through calls to system functions 275 /// not handled by this checker. 276 bool doesNotFreeMemOrInteresting(const CallEvent *Call, 277 ProgramStateRef State) const; 278 279 // Implementation of the checkPointerEscape callabcks. 280 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 281 const InvalidatedSymbols &Escaped, 282 const CallEvent *Call, 283 PointerEscapeKind Kind, 284 bool(*CheckRefState)(const RefState*)) const; 285 286 // Used to suppress warnings if they are not related to the tracked family 287 // (derived from AllocDeallocStmt). 288 bool isTrackedFamily(AllocationFamily Family) const; 289 bool isTrackedFamily(CheckerContext &C, const Stmt *AllocDeallocStmt) const; 290 bool isTrackedFamily(CheckerContext &C, SymbolRef Sym) const; 291 292 static bool SummarizeValue(raw_ostream &os, SVal V); 293 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 294 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 295 const Expr *DeallocExpr) const; 296 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 297 const Expr *DeallocExpr, const RefState *RS, 298 SymbolRef Sym) const; 299 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 300 const Expr *DeallocExpr, 301 const Expr *AllocExpr = 0) const; 302 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 303 SymbolRef Sym) const; 304 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 305 SymbolRef Sym, SymbolRef PrevSym) const; 306 307 /// Find the location of the allocation for Sym on the path leading to the 308 /// exploded node N. 309 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 310 CheckerContext &C) const; 311 312 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 313 314 /// The bug visitor which allows us to print extra diagnostics along the 315 /// BugReport path. For example, showing the allocation site of the leaked 316 /// region. 317 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 318 protected: 319 enum NotificationMode { 320 Normal, 321 ReallocationFailed 322 }; 323 324 // The allocated region symbol tracked by the main analysis. 325 SymbolRef Sym; 326 327 // The mode we are in, i.e. what kind of diagnostics will be emitted. 328 NotificationMode Mode; 329 330 // A symbol from when the primary region should have been reallocated. 331 SymbolRef FailedReallocSymbol; 332 333 bool IsLeak; 334 335 public: 336 MallocBugVisitor(SymbolRef S, bool isLeak = false) 337 : Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {} 338 339 virtual ~MallocBugVisitor() {} 340 341 void Profile(llvm::FoldingSetNodeID &ID) const { 342 static int X = 0; 343 ID.AddPointer(&X); 344 ID.AddPointer(Sym); 345 } 346 347 inline bool isAllocated(const RefState *S, const RefState *SPrev, 348 const Stmt *Stmt) { 349 // Did not track -> allocated. Other state (released) -> allocated. 350 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 351 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 352 } 353 354 inline bool isReleased(const RefState *S, const RefState *SPrev, 355 const Stmt *Stmt) { 356 // Did not track -> released. Other state (allocated) -> released. 357 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 358 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 359 } 360 361 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 362 const Stmt *Stmt) { 363 // Did not track -> relinquished. Other state (allocated) -> relinquished. 364 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 365 isa<ObjCPropertyRefExpr>(Stmt)) && 366 (S && S->isRelinquished()) && 367 (!SPrev || !SPrev->isRelinquished())); 368 } 369 370 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 371 const Stmt *Stmt) { 372 // If the expression is not a call, and the state change is 373 // released -> allocated, it must be the realloc return value 374 // check. If we have to handle more cases here, it might be cleaner just 375 // to track this extra bit in the state itself. 376 return ((!Stmt || !isa<CallExpr>(Stmt)) && 377 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 378 } 379 380 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 381 const ExplodedNode *PrevN, 382 BugReporterContext &BRC, 383 BugReport &BR); 384 385 PathDiagnosticPiece* getEndPath(BugReporterContext &BRC, 386 const ExplodedNode *EndPathNode, 387 BugReport &BR) { 388 if (!IsLeak) 389 return 0; 390 391 PathDiagnosticLocation L = 392 PathDiagnosticLocation::createEndOfPath(EndPathNode, 393 BRC.getSourceManager()); 394 // Do not add the statement itself as a range in case of leak. 395 return new PathDiagnosticEventPiece(L, BR.getDescription(), false); 396 } 397 398 private: 399 class StackHintGeneratorForReallocationFailed 400 : public StackHintGeneratorForSymbol { 401 public: 402 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 403 : StackHintGeneratorForSymbol(S, M) {} 404 405 virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) { 406 // Printed parameters start at 1, not 0. 407 ++ArgIndex; 408 409 SmallString<200> buf; 410 llvm::raw_svector_ostream os(buf); 411 412 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 413 << " parameter failed"; 414 415 return os.str(); 416 } 417 418 virtual std::string getMessageForReturn(const CallExpr *CallExpr) { 419 return "Reallocation of returned value failed"; 420 } 421 }; 422 }; 423 }; 424 } // end anonymous namespace 425 426 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 427 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 428 429 // A map from the freed symbol to the symbol representing the return value of 430 // the free function. 431 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 432 433 namespace { 434 class StopTrackingCallback : public SymbolVisitor { 435 ProgramStateRef state; 436 public: 437 StopTrackingCallback(ProgramStateRef st) : state(st) {} 438 ProgramStateRef getState() const { return state; } 439 440 bool VisitSymbol(SymbolRef sym) { 441 state = state->remove<RegionState>(sym); 442 return true; 443 } 444 }; 445 } // end anonymous namespace 446 447 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 448 if (II_malloc) 449 return; 450 II_malloc = &Ctx.Idents.get("malloc"); 451 II_free = &Ctx.Idents.get("free"); 452 II_realloc = &Ctx.Idents.get("realloc"); 453 II_reallocf = &Ctx.Idents.get("reallocf"); 454 II_calloc = &Ctx.Idents.get("calloc"); 455 II_valloc = &Ctx.Idents.get("valloc"); 456 II_strdup = &Ctx.Idents.get("strdup"); 457 II_strndup = &Ctx.Idents.get("strndup"); 458 } 459 460 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 461 if (isFreeFunction(FD, C)) 462 return true; 463 464 if (isAllocationFunction(FD, C)) 465 return true; 466 467 if (isStandardNewDelete(FD, C)) 468 return true; 469 470 return false; 471 } 472 473 bool MallocChecker::isAllocationFunction(const FunctionDecl *FD, 474 ASTContext &C) const { 475 if (!FD) 476 return false; 477 478 if (FD->getKind() == Decl::Function) { 479 IdentifierInfo *FunI = FD->getIdentifier(); 480 initIdentifierInfo(C); 481 482 if (FunI == II_malloc || FunI == II_realloc || 483 FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || 484 FunI == II_strdup || FunI == II_strndup) 485 return true; 486 } 487 488 if (Filter.CMallocOptimistic && FD->hasAttrs()) 489 for (specific_attr_iterator<OwnershipAttr> 490 i = FD->specific_attr_begin<OwnershipAttr>(), 491 e = FD->specific_attr_end<OwnershipAttr>(); 492 i != e; ++i) 493 if ((*i)->getOwnKind() == OwnershipAttr::Returns) 494 return true; 495 return false; 496 } 497 498 bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const { 499 if (!FD) 500 return false; 501 502 if (FD->getKind() == Decl::Function) { 503 IdentifierInfo *FunI = FD->getIdentifier(); 504 initIdentifierInfo(C); 505 506 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 507 return true; 508 } 509 510 if (Filter.CMallocOptimistic && FD->hasAttrs()) 511 for (specific_attr_iterator<OwnershipAttr> 512 i = FD->specific_attr_begin<OwnershipAttr>(), 513 e = FD->specific_attr_end<OwnershipAttr>(); 514 i != e; ++i) 515 if ((*i)->getOwnKind() == OwnershipAttr::Takes || 516 (*i)->getOwnKind() == OwnershipAttr::Holds) 517 return true; 518 return false; 519 } 520 521 // Tells if the callee is one of the following: 522 // 1) A global non-placement new/delete operator function. 523 // 2) A global placement operator function with the single placement argument 524 // of type std::nothrow_t. 525 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 526 ASTContext &C) const { 527 if (!FD) 528 return false; 529 530 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 531 if (Kind != OO_New && Kind != OO_Array_New && 532 Kind != OO_Delete && Kind != OO_Array_Delete) 533 return false; 534 535 // Skip all operator new/delete methods. 536 if (isa<CXXMethodDecl>(FD)) 537 return false; 538 539 // Return true if tested operator is a standard placement nothrow operator. 540 if (FD->getNumParams() == 2) { 541 QualType T = FD->getParamDecl(1)->getType(); 542 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 543 return II->getName().equals("nothrow_t"); 544 } 545 546 // Skip placement operators. 547 if (FD->getNumParams() != 1 || FD->isVariadic()) 548 return false; 549 550 // One of the standard new/new[]/delete/delete[] non-placement operators. 551 return true; 552 } 553 554 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 555 if (C.wasInlined) 556 return; 557 558 const FunctionDecl *FD = C.getCalleeDecl(CE); 559 if (!FD) 560 return; 561 562 ProgramStateRef State = C.getState(); 563 bool ReleasedAllocatedMemory = false; 564 565 if (FD->getKind() == Decl::Function) { 566 initIdentifierInfo(C.getASTContext()); 567 IdentifierInfo *FunI = FD->getIdentifier(); 568 569 if (FunI == II_malloc || FunI == II_valloc) { 570 if (CE->getNumArgs() < 1) 571 return; 572 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 573 } else if (FunI == II_realloc) { 574 State = ReallocMem(C, CE, false); 575 } else if (FunI == II_reallocf) { 576 State = ReallocMem(C, CE, true); 577 } else if (FunI == II_calloc) { 578 State = CallocMem(C, CE); 579 } else if (FunI == II_free) { 580 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 581 } else if (FunI == II_strdup) { 582 State = MallocUpdateRefState(C, CE, State); 583 } else if (FunI == II_strndup) { 584 State = MallocUpdateRefState(C, CE, State); 585 } 586 else if (isStandardNewDelete(FD, C.getASTContext())) { 587 // Process direct calls to operator new/new[]/delete/delete[] functions 588 // as distinct from new/new[]/delete/delete[] expressions that are 589 // processed by the checkPostStmt callbacks for CXXNewExpr and 590 // CXXDeleteExpr. 591 OverloadedOperatorKind K = FD->getOverloadedOperator(); 592 if (K == OO_New) 593 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 594 AF_CXXNew); 595 else if (K == OO_Array_New) 596 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 597 AF_CXXNewArray); 598 else if (K == OO_Delete || K == OO_Array_Delete) 599 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 600 else 601 llvm_unreachable("not a new/delete operator"); 602 } 603 } 604 605 if (Filter.CMallocOptimistic || Filter.CMismatchedDeallocatorChecker) { 606 // Check all the attributes, if there are any. 607 // There can be multiple of these attributes. 608 if (FD->hasAttrs()) 609 for (specific_attr_iterator<OwnershipAttr> 610 i = FD->specific_attr_begin<OwnershipAttr>(), 611 e = FD->specific_attr_end<OwnershipAttr>(); 612 i != e; ++i) { 613 switch ((*i)->getOwnKind()) { 614 case OwnershipAttr::Returns: 615 State = MallocMemReturnsAttr(C, CE, *i); 616 break; 617 case OwnershipAttr::Takes: 618 case OwnershipAttr::Holds: 619 State = FreeMemAttr(C, CE, *i); 620 break; 621 } 622 } 623 } 624 C.addTransition(State); 625 } 626 627 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 628 CheckerContext &C) const { 629 630 if (NE->getNumPlacementArgs()) 631 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 632 E = NE->placement_arg_end(); I != E; ++I) 633 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 634 checkUseAfterFree(Sym, C, *I); 635 636 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 637 return; 638 639 ProgramStateRef State = C.getState(); 640 // The return value from operator new is bound to a specified initialization 641 // value (if any) and we don't want to loose this value. So we call 642 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 643 // existing binding. 644 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 645 : AF_CXXNew); 646 C.addTransition(State); 647 } 648 649 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 650 CheckerContext &C) const { 651 652 if (!Filter.CNewDeleteChecker) 653 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 654 checkUseAfterFree(Sym, C, DE->getArgument()); 655 656 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 657 return; 658 659 ProgramStateRef State = C.getState(); 660 bool ReleasedAllocated; 661 State = FreeMemAux(C, DE->getArgument(), DE, State, 662 /*Hold*/false, ReleasedAllocated); 663 664 C.addTransition(State); 665 } 666 667 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 668 // If the first selector piece is one of the names below, assume that the 669 // object takes ownership of the memory, promising to eventually deallocate it 670 // with free(). 671 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 672 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 673 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 674 if (FirstSlot == "dataWithBytesNoCopy" || 675 FirstSlot == "initWithBytesNoCopy" || 676 FirstSlot == "initWithCharactersNoCopy") 677 return true; 678 679 return false; 680 } 681 682 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 683 Selector S = Call.getSelector(); 684 685 // FIXME: We should not rely on fully-constrained symbols being folded. 686 for (unsigned i = 1; i < S.getNumArgs(); ++i) 687 if (S.getNameForSlot(i).equals("freeWhenDone")) 688 return !Call.getArgSVal(i).isZeroConstant(); 689 690 return None; 691 } 692 693 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 694 CheckerContext &C) const { 695 if (C.wasInlined) 696 return; 697 698 if (!isKnownDeallocObjCMethodName(Call)) 699 return; 700 701 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 702 if (!*FreeWhenDone) 703 return; 704 705 bool ReleasedAllocatedMemory; 706 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 707 Call.getOriginExpr(), C.getState(), 708 /*Hold=*/true, ReleasedAllocatedMemory, 709 /*RetNullOnFailure=*/true); 710 711 C.addTransition(State); 712 } 713 714 ProgramStateRef MallocChecker::MallocMemReturnsAttr(CheckerContext &C, 715 const CallExpr *CE, 716 const OwnershipAttr* Att) { 717 if (Att->getModule() != "malloc") 718 return 0; 719 720 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 721 if (I != E) { 722 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 723 } 724 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 725 } 726 727 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 728 const CallExpr *CE, 729 SVal Size, SVal Init, 730 ProgramStateRef State, 731 AllocationFamily Family) { 732 733 // Bind the return value to the symbolic value from the heap region. 734 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 735 // side effects other than what we model here. 736 unsigned Count = C.blockCount(); 737 SValBuilder &svalBuilder = C.getSValBuilder(); 738 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 739 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 740 .castAs<DefinedSVal>(); 741 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 742 743 // We expect the malloc functions to return a pointer. 744 if (!RetVal.getAs<Loc>()) 745 return 0; 746 747 // Fill the region with the initialization value. 748 State = State->bindDefault(RetVal, Init); 749 750 // Set the region's extent equal to the Size parameter. 751 const SymbolicRegion *R = 752 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 753 if (!R) 754 return 0; 755 if (Optional<DefinedOrUnknownSVal> DefinedSize = 756 Size.getAs<DefinedOrUnknownSVal>()) { 757 SValBuilder &svalBuilder = C.getSValBuilder(); 758 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 759 DefinedOrUnknownSVal extentMatchesSize = 760 svalBuilder.evalEQ(State, Extent, *DefinedSize); 761 762 State = State->assume(extentMatchesSize, true); 763 assert(State); 764 } 765 766 return MallocUpdateRefState(C, CE, State, Family); 767 } 768 769 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 770 const Expr *E, 771 ProgramStateRef State, 772 AllocationFamily Family) { 773 // Get the return value. 774 SVal retVal = State->getSVal(E, C.getLocationContext()); 775 776 // We expect the malloc functions to return a pointer. 777 if (!retVal.getAs<Loc>()) 778 return 0; 779 780 SymbolRef Sym = retVal.getAsLocSymbol(); 781 assert(Sym); 782 783 // Set the symbol's state to Allocated. 784 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 785 } 786 787 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 788 const CallExpr *CE, 789 const OwnershipAttr* Att) const { 790 if (Att->getModule() != "malloc") 791 return 0; 792 793 ProgramStateRef State = C.getState(); 794 bool ReleasedAllocated = false; 795 796 for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 797 I != E; ++I) { 798 ProgramStateRef StateI = FreeMemAux(C, CE, State, *I, 799 Att->getOwnKind() == OwnershipAttr::Holds, 800 ReleasedAllocated); 801 if (StateI) 802 State = StateI; 803 } 804 return State; 805 } 806 807 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 808 const CallExpr *CE, 809 ProgramStateRef state, 810 unsigned Num, 811 bool Hold, 812 bool &ReleasedAllocated, 813 bool ReturnsNullOnFailure) const { 814 if (CE->getNumArgs() < (Num + 1)) 815 return 0; 816 817 return FreeMemAux(C, CE->getArg(Num), CE, state, Hold, 818 ReleasedAllocated, ReturnsNullOnFailure); 819 } 820 821 /// Checks if the previous call to free on the given symbol failed - if free 822 /// failed, returns true. Also, returns the corresponding return value symbol. 823 static bool didPreviousFreeFail(ProgramStateRef State, 824 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 825 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 826 if (Ret) { 827 assert(*Ret && "We should not store the null return symbol"); 828 ConstraintManager &CMgr = State->getConstraintManager(); 829 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 830 RetStatusSymbol = *Ret; 831 return FreeFailed.isConstrainedTrue(); 832 } 833 return false; 834 } 835 836 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 837 const Stmt *S) const { 838 if (!S) 839 return AF_None; 840 841 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 842 const FunctionDecl *FD = C.getCalleeDecl(CE); 843 844 if (!FD) 845 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 846 847 ASTContext &Ctx = C.getASTContext(); 848 849 if (isAllocationFunction(FD, Ctx) || isFreeFunction(FD, Ctx)) 850 return AF_Malloc; 851 852 if (isStandardNewDelete(FD, Ctx)) { 853 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 854 if (Kind == OO_New || Kind == OO_Delete) 855 return AF_CXXNew; 856 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 857 return AF_CXXNewArray; 858 } 859 860 return AF_None; 861 } 862 863 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 864 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 865 866 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 867 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 868 869 if (isa<ObjCMessageExpr>(S)) 870 return AF_Malloc; 871 872 return AF_None; 873 } 874 875 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 876 const Expr *E) const { 877 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 878 // FIXME: This doesn't handle indirect calls. 879 const FunctionDecl *FD = CE->getDirectCallee(); 880 if (!FD) 881 return false; 882 883 os << *FD; 884 if (!FD->isOverloadedOperator()) 885 os << "()"; 886 return true; 887 } 888 889 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 890 if (Msg->isInstanceMessage()) 891 os << "-"; 892 else 893 os << "+"; 894 os << Msg->getSelector().getAsString(); 895 return true; 896 } 897 898 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 899 os << "'" 900 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 901 << "'"; 902 return true; 903 } 904 905 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 906 os << "'" 907 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 908 << "'"; 909 return true; 910 } 911 912 return false; 913 } 914 915 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 916 const Expr *E) const { 917 AllocationFamily Family = getAllocationFamily(C, E); 918 919 switch(Family) { 920 case AF_Malloc: os << "malloc()"; return; 921 case AF_CXXNew: os << "'new'"; return; 922 case AF_CXXNewArray: os << "'new[]'"; return; 923 case AF_None: llvm_unreachable("not a deallocation expression"); 924 } 925 } 926 927 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 928 AllocationFamily Family) const { 929 switch(Family) { 930 case AF_Malloc: os << "free()"; return; 931 case AF_CXXNew: os << "'delete'"; return; 932 case AF_CXXNewArray: os << "'delete[]'"; return; 933 case AF_None: llvm_unreachable("suspicious AF_None argument"); 934 } 935 } 936 937 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 938 const Expr *ArgExpr, 939 const Expr *ParentExpr, 940 ProgramStateRef State, 941 bool Hold, 942 bool &ReleasedAllocated, 943 bool ReturnsNullOnFailure) const { 944 945 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 946 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 947 return 0; 948 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 949 950 // Check for null dereferences. 951 if (!location.getAs<Loc>()) 952 return 0; 953 954 // The explicit NULL case, no operation is performed. 955 ProgramStateRef notNullState, nullState; 956 llvm::tie(notNullState, nullState) = State->assume(location); 957 if (nullState && !notNullState) 958 return 0; 959 960 // Unknown values could easily be okay 961 // Undefined values are handled elsewhere 962 if (ArgVal.isUnknownOrUndef()) 963 return 0; 964 965 const MemRegion *R = ArgVal.getAsRegion(); 966 967 // Nonlocs can't be freed, of course. 968 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 969 if (!R) { 970 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 971 return 0; 972 } 973 974 R = R->StripCasts(); 975 976 // Blocks might show up as heap data, but should not be free()d 977 if (isa<BlockDataRegion>(R)) { 978 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 979 return 0; 980 } 981 982 const MemSpaceRegion *MS = R->getMemorySpace(); 983 984 // Parameters, locals, statics, globals, and memory returned by alloca() 985 // shouldn't be freed. 986 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 987 // FIXME: at the time this code was written, malloc() regions were 988 // represented by conjured symbols, which are all in UnknownSpaceRegion. 989 // This means that there isn't actually anything from HeapSpaceRegion 990 // that should be freed, even though we allow it here. 991 // Of course, free() can work on memory allocated outside the current 992 // function, so UnknownSpaceRegion is always a possibility. 993 // False negatives are better than false positives. 994 995 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 996 return 0; 997 } 998 999 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1000 // Various cases could lead to non-symbol values here. 1001 // For now, ignore them. 1002 if (!SrBase) 1003 return 0; 1004 1005 SymbolRef SymBase = SrBase->getSymbol(); 1006 const RefState *RsBase = State->get<RegionState>(SymBase); 1007 SymbolRef PreviousRetStatusSymbol = 0; 1008 1009 if (RsBase) { 1010 1011 bool DeallocMatchesAlloc = 1012 RsBase->getAllocationFamily() == AF_None || 1013 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1014 1015 // Check if an expected deallocation function matches the real one. 1016 if (!DeallocMatchesAlloc && RsBase->isAllocated()) { 1017 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), ParentExpr, RsBase, 1018 SymBase); 1019 return 0; 1020 } 1021 1022 // Check double free. 1023 if (DeallocMatchesAlloc && 1024 (RsBase->isReleased() || RsBase->isRelinquished()) && 1025 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1026 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1027 SymBase, PreviousRetStatusSymbol); 1028 return 0; 1029 } 1030 1031 // Check if the memory location being freed is the actual location 1032 // allocated, or an offset. 1033 RegionOffset Offset = R->getAsOffset(); 1034 if (RsBase->isAllocated() && 1035 Offset.isValid() && 1036 !Offset.hasSymbolicOffset() && 1037 Offset.getOffset() != 0) { 1038 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1039 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1040 AllocExpr); 1041 return 0; 1042 } 1043 } 1044 1045 ReleasedAllocated = (RsBase != 0); 1046 1047 // Clean out the info on previous call to free return info. 1048 State = State->remove<FreeReturnValue>(SymBase); 1049 1050 // Keep track of the return value. If it is NULL, we will know that free 1051 // failed. 1052 if (ReturnsNullOnFailure) { 1053 SVal RetVal = C.getSVal(ParentExpr); 1054 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1055 if (RetStatusSymbol) { 1056 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1057 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1058 } 1059 } 1060 1061 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() : AF_None; 1062 // Normal free. 1063 if (Hold) 1064 return State->set<RegionState>(SymBase, 1065 RefState::getRelinquished(Family, 1066 ParentExpr)); 1067 1068 return State->set<RegionState>(SymBase, 1069 RefState::getReleased(Family, ParentExpr)); 1070 } 1071 1072 bool MallocChecker::isTrackedFamily(AllocationFamily Family) const { 1073 switch (Family) { 1074 case AF_Malloc: { 1075 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic) 1076 return false; 1077 return true; 1078 } 1079 case AF_CXXNew: 1080 case AF_CXXNewArray: { 1081 if (!Filter.CNewDeleteChecker) 1082 return false; 1083 return true; 1084 } 1085 case AF_None: { 1086 return true; 1087 } 1088 } 1089 llvm_unreachable("unhandled family"); 1090 } 1091 1092 bool MallocChecker::isTrackedFamily(CheckerContext &C, 1093 const Stmt *AllocDeallocStmt) const { 1094 return isTrackedFamily(getAllocationFamily(C, AllocDeallocStmt)); 1095 } 1096 1097 bool MallocChecker::isTrackedFamily(CheckerContext &C, SymbolRef Sym) const { 1098 const RefState *RS = C.getState()->get<RegionState>(Sym); 1099 1100 return RS ? isTrackedFamily(RS->getAllocationFamily()) 1101 : isTrackedFamily(AF_None); 1102 } 1103 1104 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1105 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1106 os << "an integer (" << IntVal->getValue() << ")"; 1107 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1108 os << "a constant address (" << ConstAddr->getValue() << ")"; 1109 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1110 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1111 else 1112 return false; 1113 1114 return true; 1115 } 1116 1117 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1118 const MemRegion *MR) { 1119 switch (MR->getKind()) { 1120 case MemRegion::FunctionTextRegionKind: { 1121 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 1122 if (FD) 1123 os << "the address of the function '" << *FD << '\''; 1124 else 1125 os << "the address of a function"; 1126 return true; 1127 } 1128 case MemRegion::BlockTextRegionKind: 1129 os << "block text"; 1130 return true; 1131 case MemRegion::BlockDataRegionKind: 1132 // FIXME: where the block came from? 1133 os << "a block"; 1134 return true; 1135 default: { 1136 const MemSpaceRegion *MS = MR->getMemorySpace(); 1137 1138 if (isa<StackLocalsSpaceRegion>(MS)) { 1139 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1140 const VarDecl *VD; 1141 if (VR) 1142 VD = VR->getDecl(); 1143 else 1144 VD = NULL; 1145 1146 if (VD) 1147 os << "the address of the local variable '" << VD->getName() << "'"; 1148 else 1149 os << "the address of a local stack variable"; 1150 return true; 1151 } 1152 1153 if (isa<StackArgumentsSpaceRegion>(MS)) { 1154 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1155 const VarDecl *VD; 1156 if (VR) 1157 VD = VR->getDecl(); 1158 else 1159 VD = NULL; 1160 1161 if (VD) 1162 os << "the address of the parameter '" << VD->getName() << "'"; 1163 else 1164 os << "the address of a parameter"; 1165 return true; 1166 } 1167 1168 if (isa<GlobalsSpaceRegion>(MS)) { 1169 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1170 const VarDecl *VD; 1171 if (VR) 1172 VD = VR->getDecl(); 1173 else 1174 VD = NULL; 1175 1176 if (VD) { 1177 if (VD->isStaticLocal()) 1178 os << "the address of the static variable '" << VD->getName() << "'"; 1179 else 1180 os << "the address of the global variable '" << VD->getName() << "'"; 1181 } else 1182 os << "the address of a global variable"; 1183 return true; 1184 } 1185 1186 return false; 1187 } 1188 } 1189 } 1190 1191 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1192 SourceRange Range, 1193 const Expr *DeallocExpr) const { 1194 1195 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1196 !Filter.CNewDeleteChecker) 1197 return; 1198 1199 if (!isTrackedFamily(C, DeallocExpr)) 1200 return; 1201 1202 if (ExplodedNode *N = C.generateSink()) { 1203 if (!BT_BadFree) 1204 BT_BadFree.reset(new BugType("Bad free", "Memory Error")); 1205 1206 SmallString<100> buf; 1207 llvm::raw_svector_ostream os(buf); 1208 1209 const MemRegion *MR = ArgVal.getAsRegion(); 1210 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1211 MR = ER->getSuperRegion(); 1212 1213 if (MR && isa<AllocaRegion>(MR)) 1214 os << "Memory allocated by alloca() should not be deallocated"; 1215 else { 1216 os << "Argument to "; 1217 if (!printAllocDeallocName(os, C, DeallocExpr)) 1218 os << "deallocator"; 1219 1220 os << " is "; 1221 bool Summarized = MR ? SummarizeRegion(os, MR) 1222 : SummarizeValue(os, ArgVal); 1223 if (Summarized) 1224 os << ", which is not memory allocated by "; 1225 else 1226 os << "not memory allocated by "; 1227 1228 printExpectedAllocName(os, C, DeallocExpr); 1229 } 1230 1231 BugReport *R = new BugReport(*BT_BadFree, os.str(), N); 1232 R->markInteresting(MR); 1233 R->addRange(Range); 1234 C.emitReport(R); 1235 } 1236 } 1237 1238 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1239 SourceRange Range, 1240 const Expr *DeallocExpr, 1241 const RefState *RS, 1242 SymbolRef Sym) const { 1243 1244 if (!Filter.CMismatchedDeallocatorChecker) 1245 return; 1246 1247 if (ExplodedNode *N = C.generateSink()) { 1248 if (!BT_MismatchedDealloc) 1249 BT_MismatchedDealloc.reset(new BugType("Bad deallocator", 1250 "Memory Error")); 1251 1252 SmallString<100> buf; 1253 llvm::raw_svector_ostream os(buf); 1254 1255 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1256 SmallString<20> AllocBuf; 1257 llvm::raw_svector_ostream AllocOs(AllocBuf); 1258 SmallString<20> DeallocBuf; 1259 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1260 1261 os << "Memory"; 1262 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1263 os << " allocated by " << AllocOs.str(); 1264 1265 os << " should be deallocated by "; 1266 printExpectedDeallocName(os, RS->getAllocationFamily()); 1267 1268 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1269 os << ", not " << DeallocOs.str(); 1270 1271 BugReport *R = new BugReport(*BT_MismatchedDealloc, os.str(), N); 1272 R->markInteresting(Sym); 1273 R->addRange(Range); 1274 R->addVisitor(new MallocBugVisitor(Sym)); 1275 C.emitReport(R); 1276 } 1277 } 1278 1279 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1280 SourceRange Range, const Expr *DeallocExpr, 1281 const Expr *AllocExpr) const { 1282 1283 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1284 !Filter.CNewDeleteChecker) 1285 return; 1286 1287 if (!isTrackedFamily(C, AllocExpr)) 1288 return; 1289 1290 ExplodedNode *N = C.generateSink(); 1291 if (N == NULL) 1292 return; 1293 1294 if (!BT_OffsetFree) 1295 BT_OffsetFree.reset(new BugType("Offset free", "Memory Error")); 1296 1297 SmallString<100> buf; 1298 llvm::raw_svector_ostream os(buf); 1299 SmallString<20> AllocNameBuf; 1300 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1301 1302 const MemRegion *MR = ArgVal.getAsRegion(); 1303 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1304 1305 RegionOffset Offset = MR->getAsOffset(); 1306 assert((Offset.isValid() && 1307 !Offset.hasSymbolicOffset() && 1308 Offset.getOffset() != 0) && 1309 "Only symbols with a valid offset can have offset free errors"); 1310 1311 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1312 1313 os << "Argument to "; 1314 if (!printAllocDeallocName(os, C, DeallocExpr)) 1315 os << "deallocator"; 1316 os << " is offset by " 1317 << offsetBytes 1318 << " " 1319 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1320 << " from the start of "; 1321 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1322 os << "memory allocated by " << AllocNameOs.str(); 1323 else 1324 os << "allocated memory"; 1325 1326 BugReport *R = new BugReport(*BT_OffsetFree, os.str(), N); 1327 R->markInteresting(MR->getBaseRegion()); 1328 R->addRange(Range); 1329 C.emitReport(R); 1330 } 1331 1332 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1333 SymbolRef Sym) const { 1334 1335 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1336 !Filter.CNewDeleteChecker) 1337 return; 1338 1339 if (!isTrackedFamily(C, Sym)) 1340 return; 1341 1342 if (ExplodedNode *N = C.generateSink()) { 1343 if (!BT_UseFree) 1344 BT_UseFree.reset(new BugType("Use-after-free", "Memory Error")); 1345 1346 BugReport *R = new BugReport(*BT_UseFree, 1347 "Use of memory after it is freed", N); 1348 1349 R->markInteresting(Sym); 1350 R->addRange(Range); 1351 R->addVisitor(new MallocBugVisitor(Sym)); 1352 C.emitReport(R); 1353 } 1354 } 1355 1356 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1357 bool Released, SymbolRef Sym, 1358 SymbolRef PrevSym) const { 1359 1360 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1361 !Filter.CNewDeleteChecker) 1362 return; 1363 1364 if (!isTrackedFamily(C, Sym)) 1365 return; 1366 1367 if (ExplodedNode *N = C.generateSink()) { 1368 if (!BT_DoubleFree) 1369 BT_DoubleFree.reset(new BugType("Double free", "Memory Error")); 1370 1371 BugReport *R = new BugReport(*BT_DoubleFree, 1372 (Released ? "Attempt to free released memory" 1373 : "Attempt to free non-owned memory"), 1374 N); 1375 R->addRange(Range); 1376 R->markInteresting(Sym); 1377 if (PrevSym) 1378 R->markInteresting(PrevSym); 1379 R->addVisitor(new MallocBugVisitor(Sym)); 1380 C.emitReport(R); 1381 } 1382 } 1383 1384 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 1385 const CallExpr *CE, 1386 bool FreesOnFail) const { 1387 if (CE->getNumArgs() < 2) 1388 return 0; 1389 1390 ProgramStateRef state = C.getState(); 1391 const Expr *arg0Expr = CE->getArg(0); 1392 const LocationContext *LCtx = C.getLocationContext(); 1393 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 1394 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 1395 return 0; 1396 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 1397 1398 SValBuilder &svalBuilder = C.getSValBuilder(); 1399 1400 DefinedOrUnknownSVal PtrEQ = 1401 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 1402 1403 // Get the size argument. If there is no size arg then give up. 1404 const Expr *Arg1 = CE->getArg(1); 1405 if (!Arg1) 1406 return 0; 1407 1408 // Get the value of the size argument. 1409 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 1410 if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) 1411 return 0; 1412 DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); 1413 1414 // Compare the size argument to 0. 1415 DefinedOrUnknownSVal SizeZero = 1416 svalBuilder.evalEQ(state, Arg1Val, 1417 svalBuilder.makeIntValWithPtrWidth(0, false)); 1418 1419 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 1420 llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 1421 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 1422 llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 1423 // We only assume exceptional states if they are definitely true; if the 1424 // state is under-constrained, assume regular realloc behavior. 1425 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 1426 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 1427 1428 // If the ptr is NULL and the size is not 0, the call is equivalent to 1429 // malloc(size). 1430 if ( PrtIsNull && !SizeIsZero) { 1431 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 1432 UndefinedVal(), StatePtrIsNull); 1433 return stateMalloc; 1434 } 1435 1436 if (PrtIsNull && SizeIsZero) 1437 return 0; 1438 1439 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 1440 assert(!PrtIsNull); 1441 SymbolRef FromPtr = arg0Val.getAsSymbol(); 1442 SVal RetVal = state->getSVal(CE, LCtx); 1443 SymbolRef ToPtr = RetVal.getAsSymbol(); 1444 if (!FromPtr || !ToPtr) 1445 return 0; 1446 1447 bool ReleasedAllocated = false; 1448 1449 // If the size is 0, free the memory. 1450 if (SizeIsZero) 1451 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 1452 false, ReleasedAllocated)){ 1453 // The semantics of the return value are: 1454 // If size was equal to 0, either NULL or a pointer suitable to be passed 1455 // to free() is returned. We just free the input pointer and do not add 1456 // any constrains on the output pointer. 1457 return stateFree; 1458 } 1459 1460 // Default behavior. 1461 if (ProgramStateRef stateFree = 1462 FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) { 1463 1464 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 1465 UnknownVal(), stateFree); 1466 if (!stateRealloc) 1467 return 0; 1468 1469 ReallocPairKind Kind = RPToBeFreedAfterFailure; 1470 if (FreesOnFail) 1471 Kind = RPIsFreeOnFailure; 1472 else if (!ReleasedAllocated) 1473 Kind = RPDoNotTrackAfterFailure; 1474 1475 // Record the info about the reallocated symbol so that we could properly 1476 // process failed reallocation. 1477 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 1478 ReallocPair(FromPtr, Kind)); 1479 // The reallocated symbol should stay alive for as long as the new symbol. 1480 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 1481 return stateRealloc; 1482 } 1483 return 0; 1484 } 1485 1486 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 1487 if (CE->getNumArgs() < 2) 1488 return 0; 1489 1490 ProgramStateRef state = C.getState(); 1491 SValBuilder &svalBuilder = C.getSValBuilder(); 1492 const LocationContext *LCtx = C.getLocationContext(); 1493 SVal count = state->getSVal(CE->getArg(0), LCtx); 1494 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 1495 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 1496 svalBuilder.getContext().getSizeType()); 1497 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1498 1499 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 1500 } 1501 1502 LeakInfo 1503 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 1504 CheckerContext &C) const { 1505 const LocationContext *LeakContext = N->getLocationContext(); 1506 // Walk the ExplodedGraph backwards and find the first node that referred to 1507 // the tracked symbol. 1508 const ExplodedNode *AllocNode = N; 1509 const MemRegion *ReferenceRegion = 0; 1510 1511 while (N) { 1512 ProgramStateRef State = N->getState(); 1513 if (!State->get<RegionState>(Sym)) 1514 break; 1515 1516 // Find the most recent expression bound to the symbol in the current 1517 // context. 1518 if (!ReferenceRegion) { 1519 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 1520 SVal Val = State->getSVal(MR); 1521 if (Val.getAsLocSymbol() == Sym) 1522 ReferenceRegion = MR; 1523 } 1524 } 1525 1526 // Allocation node, is the last node in the current context in which the 1527 // symbol was tracked. 1528 if (N->getLocationContext() == LeakContext) 1529 AllocNode = N; 1530 N = N->pred_empty() ? NULL : *(N->pred_begin()); 1531 } 1532 1533 return LeakInfo(AllocNode, ReferenceRegion); 1534 } 1535 1536 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1537 CheckerContext &C) const { 1538 1539 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1540 !Filter.CNewDeleteLeaksChecker) 1541 return; 1542 1543 const RefState *RS = C.getState()->get<RegionState>(Sym); 1544 assert(RS && "cannot leak an untracked symbol"); 1545 AllocationFamily Family = RS->getAllocationFamily(); 1546 if (!isTrackedFamily(Family)) 1547 return; 1548 1549 // Special case for new and new[]; these are controlled by a separate checker 1550 // flag so that they can be selectively disabled. 1551 if (Family == AF_CXXNew || Family == AF_CXXNewArray) 1552 if (!Filter.CNewDeleteLeaksChecker) 1553 return; 1554 1555 assert(N); 1556 if (!BT_Leak) { 1557 BT_Leak.reset(new BugType("Memory leak", "Memory Error")); 1558 // Leaks should not be reported if they are post-dominated by a sink: 1559 // (1) Sinks are higher importance bugs. 1560 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1561 // with __noreturn functions such as assert() or exit(). We choose not 1562 // to report leaks on such paths. 1563 BT_Leak->setSuppressOnSink(true); 1564 } 1565 1566 // Most bug reports are cached at the location where they occurred. 1567 // With leaks, we want to unique them by the location where they were 1568 // allocated, and only report a single path. 1569 PathDiagnosticLocation LocUsedForUniqueing; 1570 const ExplodedNode *AllocNode = 0; 1571 const MemRegion *Region = 0; 1572 llvm::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 1573 1574 ProgramPoint P = AllocNode->getLocation(); 1575 const Stmt *AllocationStmt = 0; 1576 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 1577 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1578 else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) 1579 AllocationStmt = SP->getStmt(); 1580 if (AllocationStmt) 1581 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 1582 C.getSourceManager(), 1583 AllocNode->getLocationContext()); 1584 1585 SmallString<200> buf; 1586 llvm::raw_svector_ostream os(buf); 1587 os << "Memory is never released; potential leak"; 1588 if (Region && Region->canPrintPretty()) { 1589 os << " of memory pointed to by '"; 1590 Region->printPretty(os); 1591 os << '\''; 1592 } 1593 1594 BugReport *R = new BugReport(*BT_Leak, os.str(), N, 1595 LocUsedForUniqueing, 1596 AllocNode->getLocationContext()->getDecl()); 1597 R->markInteresting(Sym); 1598 R->addVisitor(new MallocBugVisitor(Sym, true)); 1599 C.emitReport(R); 1600 } 1601 1602 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1603 CheckerContext &C) const 1604 { 1605 if (!SymReaper.hasDeadSymbols()) 1606 return; 1607 1608 ProgramStateRef state = C.getState(); 1609 RegionStateTy RS = state->get<RegionState>(); 1610 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1611 1612 SmallVector<SymbolRef, 2> Errors; 1613 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1614 if (SymReaper.isDead(I->first)) { 1615 if (I->second.isAllocated()) 1616 Errors.push_back(I->first); 1617 // Remove the dead symbol from the map. 1618 RS = F.remove(RS, I->first); 1619 1620 } 1621 } 1622 1623 // Cleanup the Realloc Pairs Map. 1624 ReallocPairsTy RP = state->get<ReallocPairs>(); 1625 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1626 if (SymReaper.isDead(I->first) || 1627 SymReaper.isDead(I->second.ReallocatedSym)) { 1628 state = state->remove<ReallocPairs>(I->first); 1629 } 1630 } 1631 1632 // Cleanup the FreeReturnValue Map. 1633 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 1634 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 1635 if (SymReaper.isDead(I->first) || 1636 SymReaper.isDead(I->second)) { 1637 state = state->remove<FreeReturnValue>(I->first); 1638 } 1639 } 1640 1641 // Generate leak node. 1642 ExplodedNode *N = C.getPredecessor(); 1643 if (!Errors.empty()) { 1644 static SimpleProgramPointTag Tag("MallocChecker : DeadSymbolsLeak"); 1645 N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 1646 for (SmallVector<SymbolRef, 2>::iterator 1647 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 1648 reportLeak(*I, N, C); 1649 } 1650 } 1651 1652 C.addTransition(state->set<RegionState>(RS), N); 1653 } 1654 1655 void MallocChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { 1656 // We will check for double free in the post visit. 1657 if ((Filter.CMallocOptimistic || Filter.CMallocPessimistic) && 1658 isFreeFunction(C.getCalleeDecl(CE), C.getASTContext())) 1659 return; 1660 1661 if (Filter.CNewDeleteChecker && 1662 isStandardNewDelete(C.getCalleeDecl(CE), C.getASTContext())) 1663 return; 1664 1665 // Check use after free, when a freed pointer is passed to a call. 1666 ProgramStateRef State = C.getState(); 1667 for (CallExpr::const_arg_iterator I = CE->arg_begin(), 1668 E = CE->arg_end(); I != E; ++I) { 1669 const Expr *A = *I; 1670 if (A->getType().getTypePtr()->isAnyPointerType()) { 1671 SymbolRef Sym = C.getSVal(A).getAsSymbol(); 1672 if (!Sym) 1673 continue; 1674 if (checkUseAfterFree(Sym, C, A)) 1675 return; 1676 } 1677 } 1678 } 1679 1680 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 1681 const Expr *E = S->getRetValue(); 1682 if (!E) 1683 return; 1684 1685 // Check if we are returning a symbol. 1686 ProgramStateRef State = C.getState(); 1687 SVal RetVal = State->getSVal(E, C.getLocationContext()); 1688 SymbolRef Sym = RetVal.getAsSymbol(); 1689 if (!Sym) 1690 // If we are returning a field of the allocated struct or an array element, 1691 // the callee could still free the memory. 1692 // TODO: This logic should be a part of generic symbol escape callback. 1693 if (const MemRegion *MR = RetVal.getAsRegion()) 1694 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 1695 if (const SymbolicRegion *BMR = 1696 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 1697 Sym = BMR->getSymbol(); 1698 1699 // Check if we are returning freed memory. 1700 if (Sym) 1701 checkUseAfterFree(Sym, C, E); 1702 } 1703 1704 // TODO: Blocks should be either inlined or should call invalidate regions 1705 // upon invocation. After that's in place, special casing here will not be 1706 // needed. 1707 void MallocChecker::checkPostStmt(const BlockExpr *BE, 1708 CheckerContext &C) const { 1709 1710 // Scan the BlockDecRefExprs for any object the retain count checker 1711 // may be tracking. 1712 if (!BE->getBlockDecl()->hasCaptures()) 1713 return; 1714 1715 ProgramStateRef state = C.getState(); 1716 const BlockDataRegion *R = 1717 cast<BlockDataRegion>(state->getSVal(BE, 1718 C.getLocationContext()).getAsRegion()); 1719 1720 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 1721 E = R->referenced_vars_end(); 1722 1723 if (I == E) 1724 return; 1725 1726 SmallVector<const MemRegion*, 10> Regions; 1727 const LocationContext *LC = C.getLocationContext(); 1728 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 1729 1730 for ( ; I != E; ++I) { 1731 const VarRegion *VR = I.getCapturedRegion(); 1732 if (VR->getSuperRegion() == R) { 1733 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 1734 } 1735 Regions.push_back(VR); 1736 } 1737 1738 state = 1739 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 1740 Regions.data() + Regions.size()).getState(); 1741 C.addTransition(state); 1742 } 1743 1744 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 1745 assert(Sym); 1746 const RefState *RS = C.getState()->get<RegionState>(Sym); 1747 return (RS && RS->isReleased()); 1748 } 1749 1750 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 1751 const Stmt *S) const { 1752 1753 if (isReleased(Sym, C)) { 1754 ReportUseAfterFree(C, S->getSourceRange(), Sym); 1755 return true; 1756 } 1757 1758 return false; 1759 } 1760 1761 // Check if the location is a freed symbolic region. 1762 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 1763 CheckerContext &C) const { 1764 SymbolRef Sym = l.getLocSymbolInBase(); 1765 if (Sym) 1766 checkUseAfterFree(Sym, C, S); 1767 } 1768 1769 // If a symbolic region is assumed to NULL (or another constant), stop tracking 1770 // it - assuming that allocation failed on this path. 1771 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 1772 SVal Cond, 1773 bool Assumption) const { 1774 RegionStateTy RS = state->get<RegionState>(); 1775 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1776 // If the symbol is assumed to be NULL, remove it from consideration. 1777 ConstraintManager &CMgr = state->getConstraintManager(); 1778 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1779 if (AllocFailed.isConstrainedTrue()) 1780 state = state->remove<RegionState>(I.getKey()); 1781 } 1782 1783 // Realloc returns 0 when reallocation fails, which means that we should 1784 // restore the state of the pointer being reallocated. 1785 ReallocPairsTy RP = state->get<ReallocPairs>(); 1786 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1787 // If the symbol is assumed to be NULL, remove it from consideration. 1788 ConstraintManager &CMgr = state->getConstraintManager(); 1789 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1790 if (!AllocFailed.isConstrainedTrue()) 1791 continue; 1792 1793 SymbolRef ReallocSym = I.getData().ReallocatedSym; 1794 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 1795 if (RS->isReleased()) { 1796 if (I.getData().Kind == RPToBeFreedAfterFailure) 1797 state = state->set<RegionState>(ReallocSym, 1798 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 1799 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 1800 state = state->remove<RegionState>(ReallocSym); 1801 else 1802 assert(I.getData().Kind == RPIsFreeOnFailure); 1803 } 1804 } 1805 state = state->remove<ReallocPairs>(I.getKey()); 1806 } 1807 1808 return state; 1809 } 1810 1811 bool MallocChecker::doesNotFreeMemOrInteresting(const CallEvent *Call, 1812 ProgramStateRef State) const { 1813 assert(Call); 1814 1815 // For now, assume that any C++ call can free memory. 1816 // TODO: If we want to be more optimistic here, we'll need to make sure that 1817 // regions escape to C++ containers. They seem to do that even now, but for 1818 // mysterious reasons. 1819 if (!(isa<FunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 1820 return false; 1821 1822 // Check Objective-C messages by selector name. 1823 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 1824 // If it's not a framework call, or if it takes a callback, assume it 1825 // can free memory. 1826 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 1827 return false; 1828 1829 // If it's a method we know about, handle it explicitly post-call. 1830 // This should happen before the "freeWhenDone" check below. 1831 if (isKnownDeallocObjCMethodName(*Msg)) 1832 return true; 1833 1834 // If there's a "freeWhenDone" parameter, but the method isn't one we know 1835 // about, we can't be sure that the object will use free() to deallocate the 1836 // memory, so we can't model it explicitly. The best we can do is use it to 1837 // decide whether the pointer escapes. 1838 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 1839 return !*FreeWhenDone; 1840 1841 // If the first selector piece ends with "NoCopy", and there is no 1842 // "freeWhenDone" parameter set to zero, we know ownership is being 1843 // transferred. Again, though, we can't be sure that the object will use 1844 // free() to deallocate the memory, so we can't model it explicitly. 1845 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 1846 if (FirstSlot.endswith("NoCopy")) 1847 return false; 1848 1849 // If the first selector starts with addPointer, insertPointer, 1850 // or replacePointer, assume we are dealing with NSPointerArray or similar. 1851 // This is similar to C++ containers (vector); we still might want to check 1852 // that the pointers get freed by following the container itself. 1853 if (FirstSlot.startswith("addPointer") || 1854 FirstSlot.startswith("insertPointer") || 1855 FirstSlot.startswith("replacePointer")) { 1856 return false; 1857 } 1858 1859 // Otherwise, assume that the method does not free memory. 1860 // Most framework methods do not free memory. 1861 return true; 1862 } 1863 1864 // At this point the only thing left to handle is straight function calls. 1865 const FunctionDecl *FD = cast<FunctionCall>(Call)->getDecl(); 1866 if (!FD) 1867 return false; 1868 1869 ASTContext &ASTC = State->getStateManager().getContext(); 1870 1871 // If it's one of the allocation functions we can reason about, we model 1872 // its behavior explicitly. 1873 if (isMemFunction(FD, ASTC)) 1874 return true; 1875 1876 // If it's not a system call, assume it frees memory. 1877 if (!Call->isInSystemHeader()) 1878 return false; 1879 1880 // White list the system functions whose arguments escape. 1881 const IdentifierInfo *II = FD->getIdentifier(); 1882 if (!II) 1883 return false; 1884 StringRef FName = II->getName(); 1885 1886 // White list the 'XXXNoCopy' CoreFoundation functions. 1887 // We specifically check these before 1888 if (FName.endswith("NoCopy")) { 1889 // Look for the deallocator argument. We know that the memory ownership 1890 // is not transferred only if the deallocator argument is 1891 // 'kCFAllocatorNull'. 1892 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 1893 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 1894 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 1895 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 1896 if (DeallocatorName == "kCFAllocatorNull") 1897 return true; 1898 } 1899 } 1900 return false; 1901 } 1902 1903 // Associating streams with malloced buffers. The pointer can escape if 1904 // 'closefn' is specified (and if that function does free memory), 1905 // but it will not if closefn is not specified. 1906 // Currently, we do not inspect the 'closefn' function (PR12101). 1907 if (FName == "funopen") 1908 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 1909 return true; 1910 1911 // Do not warn on pointers passed to 'setbuf' when used with std streams, 1912 // these leaks might be intentional when setting the buffer for stdio. 1913 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 1914 if (FName == "setbuf" || FName =="setbuffer" || 1915 FName == "setlinebuf" || FName == "setvbuf") { 1916 if (Call->getNumArgs() >= 1) { 1917 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 1918 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 1919 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 1920 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 1921 return false; 1922 } 1923 } 1924 1925 // A bunch of other functions which either take ownership of a pointer or 1926 // wrap the result up in a struct or object, meaning it can be freed later. 1927 // (See RetainCountChecker.) Not all the parameters here are invalidated, 1928 // but the Malloc checker cannot differentiate between them. The right way 1929 // of doing this would be to implement a pointer escapes callback. 1930 if (FName == "CGBitmapContextCreate" || 1931 FName == "CGBitmapContextCreateWithData" || 1932 FName == "CVPixelBufferCreateWithBytes" || 1933 FName == "CVPixelBufferCreateWithPlanarBytes" || 1934 FName == "OSAtomicEnqueue") { 1935 return false; 1936 } 1937 1938 // Handle cases where we know a buffer's /address/ can escape. 1939 // Note that the above checks handle some special cases where we know that 1940 // even though the address escapes, it's still our responsibility to free the 1941 // buffer. 1942 if (Call->argumentsMayEscape()) 1943 return false; 1944 1945 // Otherwise, assume that the function does not free memory. 1946 // Most system calls do not free the memory. 1947 return true; 1948 } 1949 1950 static bool retTrue(const RefState *RS) { 1951 return true; 1952 } 1953 1954 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 1955 return (RS->getAllocationFamily() == AF_CXXNewArray || 1956 RS->getAllocationFamily() == AF_CXXNew); 1957 } 1958 1959 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 1960 const InvalidatedSymbols &Escaped, 1961 const CallEvent *Call, 1962 PointerEscapeKind Kind) const { 1963 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 1964 } 1965 1966 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 1967 const InvalidatedSymbols &Escaped, 1968 const CallEvent *Call, 1969 PointerEscapeKind Kind) const { 1970 return checkPointerEscapeAux(State, Escaped, Call, Kind, 1971 &checkIfNewOrNewArrayFamily); 1972 } 1973 1974 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 1975 const InvalidatedSymbols &Escaped, 1976 const CallEvent *Call, 1977 PointerEscapeKind Kind, 1978 bool(*CheckRefState)(const RefState*)) const { 1979 // If we know that the call does not free memory, or we want to process the 1980 // call later, keep tracking the top level arguments. 1981 if ((Kind == PSK_DirectEscapeOnCall || 1982 Kind == PSK_IndirectEscapeOnCall) && 1983 doesNotFreeMemOrInteresting(Call, State)) { 1984 return State; 1985 } 1986 1987 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 1988 E = Escaped.end(); 1989 I != E; ++I) { 1990 SymbolRef sym = *I; 1991 1992 if (const RefState *RS = State->get<RegionState>(sym)) { 1993 if (RS->isAllocated() && CheckRefState(RS)) 1994 State = State->remove<RegionState>(sym); 1995 } 1996 } 1997 return State; 1998 } 1999 2000 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2001 ProgramStateRef prevState) { 2002 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2003 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2004 2005 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2006 I != E; ++I) { 2007 SymbolRef sym = I.getKey(); 2008 if (!currMap.lookup(sym)) 2009 return sym; 2010 } 2011 2012 return NULL; 2013 } 2014 2015 PathDiagnosticPiece * 2016 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 2017 const ExplodedNode *PrevN, 2018 BugReporterContext &BRC, 2019 BugReport &BR) { 2020 ProgramStateRef state = N->getState(); 2021 ProgramStateRef statePrev = PrevN->getState(); 2022 2023 const RefState *RS = state->get<RegionState>(Sym); 2024 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2025 if (!RS) 2026 return 0; 2027 2028 const Stmt *S = 0; 2029 const char *Msg = 0; 2030 StackHintGeneratorForSymbol *StackHint = 0; 2031 2032 // Retrieve the associated statement. 2033 ProgramPoint ProgLoc = N->getLocation(); 2034 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) { 2035 S = SP->getStmt(); 2036 } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) { 2037 S = Exit->getCalleeContext()->getCallSite(); 2038 } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) { 2039 // If an assumption was made on a branch, it should be caught 2040 // here by looking at the state transition. 2041 S = Edge->getSrc()->getTerminator(); 2042 } 2043 2044 if (!S) 2045 return 0; 2046 2047 // FIXME: We will eventually need to handle non-statement-based events 2048 // (__attribute__((cleanup))). 2049 2050 // Find out if this is an interesting point and what is the kind. 2051 if (Mode == Normal) { 2052 if (isAllocated(RS, RSPrev, S)) { 2053 Msg = "Memory is allocated"; 2054 StackHint = new StackHintGeneratorForSymbol(Sym, 2055 "Returned allocated memory"); 2056 } else if (isReleased(RS, RSPrev, S)) { 2057 Msg = "Memory is released"; 2058 StackHint = new StackHintGeneratorForSymbol(Sym, 2059 "Returned released memory"); 2060 } else if (isRelinquished(RS, RSPrev, S)) { 2061 Msg = "Memory ownership is transfered"; 2062 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 2063 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 2064 Mode = ReallocationFailed; 2065 Msg = "Reallocation failed"; 2066 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 2067 "Reallocation failed"); 2068 2069 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2070 // Is it possible to fail two reallocs WITHOUT testing in between? 2071 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2072 "We only support one failed realloc at a time."); 2073 BR.markInteresting(sym); 2074 FailedReallocSymbol = sym; 2075 } 2076 } 2077 2078 // We are in a special mode if a reallocation failed later in the path. 2079 } else if (Mode == ReallocationFailed) { 2080 assert(FailedReallocSymbol && "No symbol to look for."); 2081 2082 // Is this is the first appearance of the reallocated symbol? 2083 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2084 // We're at the reallocation point. 2085 Msg = "Attempt to reallocate memory"; 2086 StackHint = new StackHintGeneratorForSymbol(Sym, 2087 "Returned reallocated memory"); 2088 FailedReallocSymbol = NULL; 2089 Mode = Normal; 2090 } 2091 } 2092 2093 if (!Msg) 2094 return 0; 2095 assert(StackHint); 2096 2097 // Generate the extra diagnostic. 2098 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2099 N->getLocationContext()); 2100 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 2101 } 2102 2103 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2104 const char *NL, const char *Sep) const { 2105 2106 RegionStateTy RS = State->get<RegionState>(); 2107 2108 if (!RS.isEmpty()) { 2109 Out << Sep << "MallocChecker:" << NL; 2110 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2111 I.getKey()->dumpToStream(Out); 2112 Out << " : "; 2113 I.getData().dump(Out); 2114 Out << NL; 2115 } 2116 } 2117 } 2118 2119 #define REGISTER_CHECKER(name) \ 2120 void ento::register##name(CheckerManager &mgr) {\ 2121 registerCStringCheckerBasic(mgr); \ 2122 mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\ 2123 } 2124 2125 REGISTER_CHECKER(MallocPessimistic) 2126 REGISTER_CHECKER(MallocOptimistic) 2127 REGISTER_CHECKER(NewDeleteChecker) 2128 REGISTER_CHECKER(NewDeleteLeaksChecker) 2129 REGISTER_CHECKER(MismatchedDeallocatorChecker) 2130