1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines a variety of memory management related checkers, such as 10 // leak, double free, and use-after-free. 11 // 12 // The following checkers are defined here: 13 // 14 // * MallocChecker 15 // Despite its name, it models all sorts of memory allocations and 16 // de- or reallocation, including but not limited to malloc, free, 17 // relloc, new, delete. It also reports on a variety of memory misuse 18 // errors. 19 // Many other checkers interact very closely with this checker, in fact, 20 // most are merely options to this one. Other checkers may register 21 // MallocChecker, but do not enable MallocChecker's reports (more details 22 // to follow around its field, ChecksEnabled). 23 // It also has a boolean "Optimistic" checker option, which if set to true 24 // will cause the checker to model user defined memory management related 25 // functions annotated via the attribute ownership_takes, ownership_holds 26 // and ownership_returns. 27 // 28 // * NewDeleteChecker 29 // Enables the modeling of new, new[], delete, delete[] in MallocChecker, 30 // and checks for related double-free and use-after-free errors. 31 // 32 // * NewDeleteLeaksChecker 33 // Checks for leaks related to new, new[], delete, delete[]. 34 // Depends on NewDeleteChecker. 35 // 36 // * MismatchedDeallocatorChecker 37 // Enables checking whether memory is deallocated with the correspending 38 // allocation function in MallocChecker, such as malloc() allocated 39 // regions are only freed by free(), new by delete, new[] by delete[]. 40 // 41 // InnerPointerChecker interacts very closely with MallocChecker, but unlike 42 // the above checkers, it has it's own file, hence the many InnerPointerChecker 43 // related headers and non-static functions. 44 // 45 //===----------------------------------------------------------------------===// 46 47 #include "AllocationState.h" 48 #include "InterCheckerAPI.h" 49 #include "clang/AST/Attr.h" 50 #include "clang/AST/ParentMap.h" 51 #include "clang/Basic/SourceManager.h" 52 #include "clang/Basic/TargetInfo.h" 53 #include "clang/Lex/Lexer.h" 54 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 55 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 56 #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" 57 #include "clang/StaticAnalyzer/Core/Checker.h" 58 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 59 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 60 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 61 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" 62 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 63 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 64 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 65 #include "llvm/ADT/STLExtras.h" 66 #include "llvm/ADT/SmallString.h" 67 #include "llvm/ADT/StringExtras.h" 68 #include "llvm/Support/ErrorHandling.h" 69 #include <climits> 70 #include <utility> 71 72 using namespace clang; 73 using namespace ento; 74 75 //===----------------------------------------------------------------------===// 76 // The types of allocation we're modeling. This is used to check whether a 77 // dynamically allocated object is deallocated with the correct function, like 78 // not using operator delete on an object created by malloc(), or alloca regions 79 // aren't ever deallocated manually. 80 //===----------------------------------------------------------------------===// 81 82 namespace { 83 84 // Used to check correspondence between allocators and deallocators. 85 enum AllocationFamily { 86 AF_None, 87 AF_Malloc, 88 AF_CXXNew, 89 AF_CXXNewArray, 90 AF_IfNameIndex, 91 AF_Alloca, 92 AF_InnerBuffer 93 }; 94 95 struct MemFunctionInfoTy; 96 97 } // end of anonymous namespace 98 99 /// Print names of allocators and deallocators. 100 /// 101 /// \returns true on success. 102 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E); 103 104 /// Print expected name of an allocator based on the deallocator's family 105 /// derived from the DeallocExpr. 106 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family); 107 108 /// Print expected name of a deallocator based on the allocator's 109 /// family. 110 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family); 111 112 //===----------------------------------------------------------------------===// 113 // The state of a symbol, in terms of memory management. 114 //===----------------------------------------------------------------------===// 115 116 namespace { 117 118 class RefState { 119 enum Kind { 120 // Reference to allocated memory. 121 Allocated, 122 // Reference to zero-allocated memory. 123 AllocatedOfSizeZero, 124 // Reference to released/freed memory. 125 Released, 126 // The responsibility for freeing resources has transferred from 127 // this reference. A relinquished symbol should not be freed. 128 Relinquished, 129 // We are no longer guaranteed to have observed all manipulations 130 // of this pointer/memory. For example, it could have been 131 // passed as a parameter to an opaque function. 132 Escaped 133 }; 134 135 const Stmt *S; 136 137 Kind K; 138 AllocationFamily Family; 139 140 RefState(Kind k, const Stmt *s, AllocationFamily family) 141 : S(s), K(k), Family(family) { 142 assert(family != AF_None); 143 } 144 145 public: 146 bool isAllocated() const { return K == Allocated; } 147 bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; } 148 bool isReleased() const { return K == Released; } 149 bool isRelinquished() const { return K == Relinquished; } 150 bool isEscaped() const { return K == Escaped; } 151 AllocationFamily getAllocationFamily() const { return Family; } 152 const Stmt *getStmt() const { return S; } 153 154 bool operator==(const RefState &X) const { 155 return K == X.K && S == X.S && Family == X.Family; 156 } 157 158 static RefState getAllocated(AllocationFamily family, const Stmt *s) { 159 return RefState(Allocated, s, family); 160 } 161 static RefState getAllocatedOfSizeZero(const RefState *RS) { 162 return RefState(AllocatedOfSizeZero, RS->getStmt(), 163 RS->getAllocationFamily()); 164 } 165 static RefState getReleased(AllocationFamily family, const Stmt *s) { 166 return RefState(Released, s, family); 167 } 168 static RefState getRelinquished(AllocationFamily family, const Stmt *s) { 169 return RefState(Relinquished, s, family); 170 } 171 static RefState getEscaped(const RefState *RS) { 172 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 173 } 174 175 void Profile(llvm::FoldingSetNodeID &ID) const { 176 ID.AddInteger(K); 177 ID.AddPointer(S); 178 ID.AddInteger(Family); 179 } 180 181 LLVM_DUMP_METHOD void dump(raw_ostream &OS) const { 182 switch (K) { 183 #define CASE(ID) case ID: OS << #ID; break; 184 CASE(Allocated) 185 CASE(AllocatedOfSizeZero) 186 CASE(Released) 187 CASE(Relinquished) 188 CASE(Escaped) 189 } 190 } 191 192 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 193 }; 194 195 } // end of anonymous namespace 196 197 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 198 199 /// Check if the memory associated with this symbol was released. 200 static bool isReleased(SymbolRef Sym, CheckerContext &C); 201 202 /// Update the RefState to reflect the new memory allocation. 203 /// The optional \p RetVal parameter specifies the newly allocated pointer 204 /// value; if unspecified, the value of expression \p E is used. 205 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, 206 ProgramStateRef State, 207 AllocationFamily Family, 208 Optional<SVal> RetVal = None); 209 210 //===----------------------------------------------------------------------===// 211 // The modeling of memory reallocation. 212 // 213 // The terminology 'toPtr' and 'fromPtr' will be used: 214 // toPtr = realloc(fromPtr, 20); 215 //===----------------------------------------------------------------------===// 216 217 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef) 218 219 namespace { 220 221 /// The state of 'fromPtr' after reallocation is known to have failed. 222 enum OwnershipAfterReallocKind { 223 // The symbol needs to be freed (e.g.: realloc) 224 OAR_ToBeFreedAfterFailure, 225 // The symbol has been freed (e.g.: reallocf) 226 OAR_FreeOnFailure, 227 // The symbol doesn't have to freed (e.g.: we aren't sure if, how and where 228 // 'fromPtr' was allocated: 229 // void Haha(int *ptr) { 230 // ptr = realloc(ptr, 67); 231 // // ... 232 // } 233 // ). 234 OAR_DoNotTrackAfterFailure 235 }; 236 237 /// Stores information about the 'fromPtr' symbol after reallocation. 238 /// 239 /// This is important because realloc may fail, and that needs special modeling. 240 /// Whether reallocation failed or not will not be known until later, so we'll 241 /// store whether upon failure 'fromPtr' will be freed, or needs to be freed 242 /// later, etc. 243 struct ReallocPair { 244 245 // The 'fromPtr'. 246 SymbolRef ReallocatedSym; 247 OwnershipAfterReallocKind Kind; 248 249 ReallocPair(SymbolRef S, OwnershipAfterReallocKind K) 250 : ReallocatedSym(S), Kind(K) {} 251 void Profile(llvm::FoldingSetNodeID &ID) const { 252 ID.AddInteger(Kind); 253 ID.AddPointer(ReallocatedSym); 254 } 255 bool operator==(const ReallocPair &X) const { 256 return ReallocatedSym == X.ReallocatedSym && 257 Kind == X.Kind; 258 } 259 }; 260 261 } // end of anonymous namespace 262 263 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 264 265 //===----------------------------------------------------------------------===// 266 // Kinds of memory operations, information about resource managing functions. 267 //===----------------------------------------------------------------------===// 268 269 namespace { 270 271 struct MemFunctionInfoTy { 272 /// The value of the MallocChecker:Optimistic is stored in this variable. 273 /// 274 /// In pessimistic mode, the checker assumes that it does not know which 275 /// functions might free the memory. 276 /// In optimistic mode, the checker assumes that all user-defined functions 277 /// which might free a pointer are annotated. 278 DefaultBool ShouldIncludeOwnershipAnnotatedFunctions; 279 280 CallDescription CD_alloca{{"alloca"}, 1}, CD_win_alloca{{"_alloca"}, 1}, 281 CD_malloc{{"malloc"}, 1}, CD_BSD_malloc{{"malloc"}, 3}, 282 CD_free{{"free"}, 1}, CD_realloc{{"realloc"}, 2}, 283 CD_calloc{{"calloc"}, 2}, CD_valloc{{"valloc"}, 1}, 284 CD_reallocf{{"reallocf"}, 2}, CD_strndup{{"strndup"}, 2}, 285 CD_strdup{{"strdup"}, 1}, CD_win_strdup{{"_strdup"}, 1}, 286 CD_kmalloc{{"kmalloc"}, 2}, CD_if_nameindex{{"if_nameindex"}, 1}, 287 CD_if_freenameindex{{"if_freenameindex"}, 1}, CD_wcsdup{{"wcsdup"}, 1}, 288 CD_win_wcsdup{{"_wcsdup"}, 1}, CD_kfree{{"kfree"}, 1}, 289 CD_g_malloc{{"g_malloc"}, 1}, CD_g_malloc0{{"g_malloc0"}, 1}, 290 CD_g_realloc{{"g_realloc"}, 2}, CD_g_try_malloc{{"g_try_malloc"}, 1}, 291 CD_g_try_malloc0{{"g_try_malloc0"}, 1}, 292 CD_g_try_realloc{{"g_try_realloc"}, 2}, CD_g_free{{"g_free"}, 1}, 293 CD_g_memdup{{"g_memdup"}, 2}, CD_g_malloc_n{{"g_malloc_n"}, 2}, 294 CD_g_malloc0_n{{"g_malloc0_n"}, 2}, CD_g_realloc_n{{"g_realloc_n"}, 3}, 295 CD_g_try_malloc_n{{"g_try_malloc_n"}, 2}, 296 CD_g_try_malloc0_n{{"g_try_malloc0_n"}, 2}, 297 CD_g_try_realloc_n{{"g_try_realloc_n"}, 3}; 298 299 bool isMemFunction(const CallEvent &Call) const; 300 bool isCMemFunction(const CallEvent &Call) const; 301 bool isCMemFreeFunction(const CallEvent &Call) const; 302 bool isCMemAllocFunction(const CallEvent &Call) const; 303 }; 304 } // end of anonymous namespace 305 306 /// Tells if the callee is one of the builtin new/delete operators, including 307 /// placement operators and other standard overloads. 308 static bool isStandardNewDelete(const FunctionDecl *FD); 309 static bool isStandardNewDelete(const CallEvent &Call) { 310 if (!Call.getDecl()) 311 return false; 312 return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl())); 313 } 314 315 //===----------------------------------------------------------------------===// 316 // Definition of the MallocChecker class. 317 //===----------------------------------------------------------------------===// 318 319 namespace { 320 321 class MallocChecker 322 : public Checker<check::DeadSymbols, check::PointerEscape, 323 check::ConstPointerEscape, check::PreStmt<ReturnStmt>, 324 check::EndFunction, check::PreCall, check::PostCall, 325 check::PostStmt<CXXNewExpr>, check::NewAllocator, 326 check::PreStmt<CXXDeleteExpr>, check::PostStmt<BlockExpr>, 327 check::PostObjCMessage, check::Location, eval::Assume> { 328 public: 329 MemFunctionInfoTy MemFunctionInfo; 330 331 /// Many checkers are essentially built into this one, so enabling them will 332 /// make MallocChecker perform additional modeling and reporting. 333 enum CheckKind { 334 /// When a subchecker is enabled but MallocChecker isn't, model memory 335 /// management but do not emit warnings emitted with MallocChecker only 336 /// enabled. 337 CK_MallocChecker, 338 CK_NewDeleteChecker, 339 CK_NewDeleteLeaksChecker, 340 CK_MismatchedDeallocatorChecker, 341 CK_InnerPointerChecker, 342 CK_NumCheckKinds 343 }; 344 345 using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>; 346 347 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 348 CheckerNameRef CheckNames[CK_NumCheckKinds]; 349 350 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 351 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 352 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 353 void checkNewAllocator(const CXXNewExpr *NE, SVal Target, 354 CheckerContext &C) const; 355 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 356 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 357 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 358 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 359 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 360 void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const; 361 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 362 bool Assumption) const; 363 void checkLocation(SVal l, bool isLoad, const Stmt *S, 364 CheckerContext &C) const; 365 366 ProgramStateRef checkPointerEscape(ProgramStateRef State, 367 const InvalidatedSymbols &Escaped, 368 const CallEvent *Call, 369 PointerEscapeKind Kind) const; 370 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 371 const InvalidatedSymbols &Escaped, 372 const CallEvent *Call, 373 PointerEscapeKind Kind) const; 374 375 void printState(raw_ostream &Out, ProgramStateRef State, 376 const char *NL, const char *Sep) const override; 377 378 private: 379 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 380 mutable std::unique_ptr<BugType> BT_DoubleDelete; 381 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; 382 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; 383 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; 384 mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds]; 385 mutable std::unique_ptr<BugType> BT_MismatchedDealloc; 386 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 387 mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds]; 388 389 // TODO: Remove mutable by moving the initializtaion to the registry function. 390 mutable Optional<uint64_t> KernelZeroFlagVal; 391 392 /// Process C++ operator new()'s allocation, which is the part of C++ 393 /// new-expression that goes before the constructor. 394 void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C, 395 SVal Target, AllocationFamily Family) const; 396 397 /// Perform a zero-allocation check. 398 /// 399 /// \param [in] E The expression that allocates memory. 400 /// \param [in] IndexOfSizeArg Index of the argument that specifies the size 401 /// of the memory that needs to be allocated. E.g. for malloc, this would be 402 /// 0. 403 /// \param [in] RetVal Specifies the newly allocated pointer value; 404 /// if unspecified, the value of expression \p E is used. 405 static ProgramStateRef ProcessZeroAllocCheck(CheckerContext &C, const Expr *E, 406 const unsigned IndexOfSizeArg, 407 ProgramStateRef State, 408 Optional<SVal> RetVal = None); 409 410 /// Model functions with the ownership_returns attribute. 411 /// 412 /// User-defined function may have the ownership_returns attribute, which 413 /// annotates that the function returns with an object that was allocated on 414 /// the heap, and passes the ownertship to the callee. 415 /// 416 /// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t); 417 /// 418 /// It has two parameters: 419 /// - first: name of the resource (e.g. 'malloc') 420 /// - (OPTIONAL) second: size of the allocated region 421 /// 422 /// \param [in] CE The expression that allocates memory. 423 /// \param [in] Att The ownership_returns attribute. 424 /// \param [in] State The \c ProgramState right before allocation. 425 /// \returns The ProgramState right after allocation. 426 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 427 const CallExpr *CE, 428 const OwnershipAttr* Att, 429 ProgramStateRef State) const; 430 431 /// Models memory allocation. 432 /// 433 /// \param [in] CE The expression that allocates memory. 434 /// \param [in] SizeEx Size of the memory that needs to be allocated. 435 /// \param [in] Init The value the allocated memory needs to be initialized. 436 /// with. For example, \c calloc initializes the allocated memory to 0, 437 /// malloc leaves it undefined. 438 /// \param [in] State The \c ProgramState right before allocation. 439 /// \returns The ProgramState right after allocation. 440 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 441 const Expr *SizeEx, SVal Init, 442 ProgramStateRef State, 443 AllocationFamily Family); 444 445 /// Models memory allocation. 446 /// 447 /// \param [in] CE The expression that allocates memory. 448 /// \param [in] Size Size of the memory that needs to be allocated. 449 /// \param [in] Init The value the allocated memory needs to be initialized. 450 /// with. For example, \c calloc initializes the allocated memory to 0, 451 /// malloc leaves it undefined. 452 /// \param [in] State The \c ProgramState right before allocation. 453 /// \returns The ProgramState right after allocation. 454 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 455 SVal Size, SVal Init, 456 ProgramStateRef State, 457 AllocationFamily Family); 458 459 static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE, 460 ProgramStateRef State, SVal Target); 461 462 // Check if this malloc() for special flags. At present that means M_ZERO or 463 // __GFP_ZERO (in which case, treat it like calloc). 464 llvm::Optional<ProgramStateRef> 465 performKernelMalloc(const CallExpr *CE, CheckerContext &C, 466 const ProgramStateRef &State) const; 467 468 /// Model functions with the ownership_takes and ownership_holds attributes. 469 /// 470 /// User-defined function may have the ownership_takes and/or ownership_holds 471 /// attributes, which annotates that the function frees the memory passed as a 472 /// parameter. 473 /// 474 /// void __attribute((ownership_takes(malloc, 1))) my_free(void *); 475 /// void __attribute((ownership_holds(malloc, 1))) my_hold(void *); 476 /// 477 /// They have two parameters: 478 /// - first: name of the resource (e.g. 'malloc') 479 /// - second: index of the parameter the attribute applies to 480 /// 481 /// \param [in] CE The expression that frees memory. 482 /// \param [in] Att The ownership_takes or ownership_holds attribute. 483 /// \param [in] State The \c ProgramState right before allocation. 484 /// \returns The ProgramState right after deallocation. 485 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 486 const OwnershipAttr* Att, 487 ProgramStateRef State) const; 488 489 /// Models memory deallocation. 490 /// 491 /// \param [in] CE The expression that frees memory. 492 /// \param [in] State The \c ProgramState right before allocation. 493 /// \param [in] Num Index of the argument that needs to be freed. This is 494 /// normally 0, but for custom free functions it may be different. 495 /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds 496 /// attribute. 497 /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known 498 /// to have been allocated, or in other words, the symbol to be freed was 499 /// registered as allocated by this checker. In the following case, \c ptr 500 /// isn't known to be allocated. 501 /// void Haha(int *ptr) { 502 /// ptr = realloc(ptr, 67); 503 /// // ... 504 /// } 505 /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function 506 /// we're modeling returns with Null on failure. 507 /// \returns The ProgramState right after deallocation. 508 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 509 ProgramStateRef State, unsigned Num, bool Hold, 510 bool &IsKnownToBeAllocated, 511 AllocationFamily Family, 512 bool ReturnsNullOnFailure = false) const; 513 514 /// Models memory deallocation. 515 /// 516 /// \param [in] ArgExpr The variable who's pointee needs to be freed. 517 /// \param [in] ParentExpr The expression that frees the memory. 518 /// \param [in] State The \c ProgramState right before allocation. 519 /// normally 0, but for custom free functions it may be different. 520 /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds 521 /// attribute. 522 /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known 523 /// to have been allocated, or in other words, the symbol to be freed was 524 /// registered as allocated by this checker. In the following case, \c ptr 525 /// isn't known to be allocated. 526 /// void Haha(int *ptr) { 527 /// ptr = realloc(ptr, 67); 528 /// // ... 529 /// } 530 /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function 531 /// we're modeling returns with Null on failure. 532 /// \returns The ProgramState right after deallocation. 533 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *ArgExpr, 534 const Expr *ParentExpr, ProgramStateRef State, 535 bool Hold, bool &IsKnownToBeAllocated, 536 AllocationFamily Family, 537 bool ReturnsNullOnFailure = false) const; 538 539 // TODO: Needs some refactoring, as all other deallocation modeling 540 // functions are suffering from out parameters and messy code due to how 541 // realloc is handled. 542 // 543 /// Models memory reallocation. 544 /// 545 /// \param [in] CE The expression that reallocated memory 546 /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied 547 /// memory should be freed. 548 /// \param [in] State The \c ProgramState right before reallocation. 549 /// \param [in] SuffixWithN Whether the reallocation function we're modeling 550 /// has an '_n' suffix, such as g_realloc_n. 551 /// \returns The ProgramState right after reallocation. 552 ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE, 553 bool ShouldFreeOnFail, ProgramStateRef State, 554 AllocationFamily Family, 555 bool SuffixWithN = false) const; 556 557 /// Evaluates the buffer size that needs to be allocated. 558 /// 559 /// \param [in] Blocks The amount of blocks that needs to be allocated. 560 /// \param [in] BlockBytes The size of a block. 561 /// \returns The symbolic value of \p Blocks * \p BlockBytes. 562 static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 563 const Expr *BlockBytes); 564 565 /// Models zero initialized array allocation. 566 /// 567 /// \param [in] CE The expression that reallocated memory 568 /// \param [in] State The \c ProgramState right before reallocation. 569 /// \returns The ProgramState right after allocation. 570 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE, 571 ProgramStateRef State); 572 573 /// See if deallocation happens in a suspicious context. If so, escape the 574 /// pointers that otherwise would have been deallocated and return true. 575 bool suppressDeallocationsInSuspiciousContexts(const CallExpr *CE, 576 CheckerContext &C) const; 577 578 /// If in \p S \p Sym is used, check whether \p Sym was already freed. 579 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 580 581 /// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero 582 /// sized memory region. 583 void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 584 const Stmt *S) const; 585 586 /// If in \p S \p Sym is being freed, check whether \p Sym was already freed. 587 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 588 589 /// Check if the function is known to free memory, or if it is 590 /// "interesting" and should be modeled explicitly. 591 /// 592 /// \param [out] EscapingSymbol A function might not free memory in general, 593 /// but could be known to free a particular symbol. In this case, false is 594 /// returned and the single escaping symbol is returned through the out 595 /// parameter. 596 /// 597 /// We assume that pointers do not escape through calls to system functions 598 /// not handled by this checker. 599 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 600 ProgramStateRef State, 601 SymbolRef &EscapingSymbol) const; 602 603 /// Implementation of the checkPointerEscape callbacks. 604 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 605 const InvalidatedSymbols &Escaped, 606 const CallEvent *Call, 607 PointerEscapeKind Kind, 608 bool IsConstPointerEscape) const; 609 610 // Implementation of the checkPreStmt and checkEndFunction callbacks. 611 void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const; 612 613 ///@{ 614 /// Tells if a given family/call/symbol is tracked by the current checker. 615 /// Sets CheckKind to the kind of the checker responsible for this 616 /// family/call/symbol. 617 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family, 618 bool IsALeakCheck = false) const; 619 620 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 621 bool IsALeakCheck = false) const; 622 ///@} 623 static bool SummarizeValue(raw_ostream &os, SVal V); 624 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 625 626 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 627 const Expr *DeallocExpr, AllocationFamily Family) const; 628 629 void ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 630 SourceRange Range) const; 631 632 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 633 const Expr *DeallocExpr, const RefState *RS, 634 SymbolRef Sym, bool OwnershipTransferred) const; 635 636 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 637 const Expr *DeallocExpr, AllocationFamily Family, 638 const Expr *AllocExpr = nullptr) const; 639 640 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 641 SymbolRef Sym) const; 642 643 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 644 SymbolRef Sym, SymbolRef PrevSym) const; 645 646 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 647 648 void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range, 649 SymbolRef Sym) const; 650 651 void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, 652 SourceRange Range, const Expr *FreeExpr, 653 AllocationFamily Family) const; 654 655 /// Find the location of the allocation for Sym on the path leading to the 656 /// exploded node N. 657 static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 658 CheckerContext &C); 659 660 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 661 }; 662 663 //===----------------------------------------------------------------------===// 664 // Definition of MallocBugVisitor. 665 //===----------------------------------------------------------------------===// 666 667 /// The bug visitor which allows us to print extra diagnostics along the 668 /// BugReport path. For example, showing the allocation site of the leaked 669 /// region. 670 class MallocBugVisitor final : public BugReporterVisitor { 671 protected: 672 enum NotificationMode { Normal, ReallocationFailed }; 673 674 // The allocated region symbol tracked by the main analysis. 675 SymbolRef Sym; 676 677 // The mode we are in, i.e. what kind of diagnostics will be emitted. 678 NotificationMode Mode; 679 680 // A symbol from when the primary region should have been reallocated. 681 SymbolRef FailedReallocSymbol; 682 683 // A C++ destructor stack frame in which memory was released. Used for 684 // miscellaneous false positive suppression. 685 const StackFrameContext *ReleaseDestructorLC; 686 687 bool IsLeak; 688 689 public: 690 MallocBugVisitor(SymbolRef S, bool isLeak = false) 691 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), 692 ReleaseDestructorLC(nullptr), IsLeak(isLeak) {} 693 694 static void *getTag() { 695 static int Tag = 0; 696 return &Tag; 697 } 698 699 void Profile(llvm::FoldingSetNodeID &ID) const override { 700 ID.AddPointer(getTag()); 701 ID.AddPointer(Sym); 702 } 703 704 /// Did not track -> allocated. Other state (released) -> allocated. 705 static inline bool isAllocated(const RefState *RSCurr, const RefState *RSPrev, 706 const Stmt *Stmt) { 707 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 708 (RSCurr && 709 (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) && 710 (!RSPrev || 711 !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero()))); 712 } 713 714 /// Did not track -> released. Other state (allocated) -> released. 715 /// The statement associated with the release might be missing. 716 static inline bool isReleased(const RefState *RSCurr, const RefState *RSPrev, 717 const Stmt *Stmt) { 718 bool IsReleased = 719 (RSCurr && RSCurr->isReleased()) && (!RSPrev || !RSPrev->isReleased()); 720 assert(!IsReleased || 721 (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || 722 (!Stmt && RSCurr->getAllocationFamily() == AF_InnerBuffer)); 723 return IsReleased; 724 } 725 726 /// Did not track -> relinquished. Other state (allocated) -> relinquished. 727 static inline bool isRelinquished(const RefState *RSCurr, 728 const RefState *RSPrev, const Stmt *Stmt) { 729 return (Stmt && 730 (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 731 isa<ObjCPropertyRefExpr>(Stmt)) && 732 (RSCurr && RSCurr->isRelinquished()) && 733 (!RSPrev || !RSPrev->isRelinquished())); 734 } 735 736 /// If the expression is not a call, and the state change is 737 /// released -> allocated, it must be the realloc return value 738 /// check. If we have to handle more cases here, it might be cleaner just 739 /// to track this extra bit in the state itself. 740 static inline bool hasReallocFailed(const RefState *RSCurr, 741 const RefState *RSPrev, 742 const Stmt *Stmt) { 743 return ((!Stmt || !isa<CallExpr>(Stmt)) && 744 (RSCurr && 745 (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) && 746 (RSPrev && 747 !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero()))); 748 } 749 750 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 751 BugReporterContext &BRC, 752 PathSensitiveBugReport &BR) override; 753 754 PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC, 755 const ExplodedNode *EndPathNode, 756 PathSensitiveBugReport &BR) override { 757 if (!IsLeak) 758 return nullptr; 759 760 PathDiagnosticLocation L = BR.getLocation(); 761 // Do not add the statement itself as a range in case of leak. 762 return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(), 763 false); 764 } 765 766 private: 767 class StackHintGeneratorForReallocationFailed 768 : public StackHintGeneratorForSymbol { 769 public: 770 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 771 : StackHintGeneratorForSymbol(S, M) {} 772 773 std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) override { 774 // Printed parameters start at 1, not 0. 775 ++ArgIndex; 776 777 SmallString<200> buf; 778 llvm::raw_svector_ostream os(buf); 779 780 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 781 << " parameter failed"; 782 783 return std::string(os.str()); 784 } 785 786 std::string getMessageForReturn(const CallExpr *CallExpr) override { 787 return "Reallocation of returned value failed"; 788 } 789 }; 790 }; 791 792 } // end anonymous namespace 793 794 // A map from the freed symbol to the symbol representing the return value of 795 // the free function. 796 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 797 798 namespace { 799 class StopTrackingCallback final : public SymbolVisitor { 800 ProgramStateRef state; 801 802 public: 803 StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {} 804 ProgramStateRef getState() const { return state; } 805 806 bool VisitSymbol(SymbolRef sym) override { 807 state = state->remove<RegionState>(sym); 808 return true; 809 } 810 }; 811 } // end anonymous namespace 812 813 //===----------------------------------------------------------------------===// 814 // Methods of MemFunctionInfoTy. 815 //===----------------------------------------------------------------------===// 816 817 bool MemFunctionInfoTy::isMemFunction(const CallEvent &Call) const { 818 return isCMemFunction(Call) || isStandardNewDelete(Call); 819 } 820 821 bool MemFunctionInfoTy::isCMemFunction(const CallEvent &Call) const { 822 return isCMemFreeFunction(Call) || isCMemAllocFunction(Call); 823 } 824 825 bool MemFunctionInfoTy::isCMemFreeFunction(const CallEvent &Call) const { 826 if (Call.isCalled(CD_free, CD_realloc, CD_reallocf, CD_g_free, CD_kfree)) 827 return true; 828 829 if (Call.isCalled(CD_if_freenameindex)) 830 return true; 831 832 if (!ShouldIncludeOwnershipAnnotatedFunctions) 833 return false; 834 835 const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); 836 if (Func && Func->hasAttrs()) { 837 for (const auto *I : Func->specific_attrs<OwnershipAttr>()) { 838 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 839 if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) 840 return true; 841 } 842 } 843 return false; 844 } 845 846 bool MemFunctionInfoTy::isCMemAllocFunction(const CallEvent &Call) const { 847 if (Call.isCalled(CD_malloc, CD_realloc, CD_reallocf, CD_calloc, CD_valloc, 848 CD_strdup, CD_win_strdup, CD_strndup, CD_wcsdup, 849 CD_win_wcsdup, CD_kmalloc, CD_g_malloc, CD_g_malloc0, 850 CD_g_realloc, CD_g_try_malloc, CD_g_try_malloc0, 851 CD_g_try_realloc, CD_g_memdup, CD_g_malloc_n, 852 CD_g_malloc0_n, CD_g_realloc_n, CD_g_try_malloc_n, 853 CD_g_try_malloc0_n, CD_g_try_realloc_n)) 854 return true; 855 856 if (Call.isCalled(CD_if_nameindex)) 857 return true; 858 859 if (Call.isCalled(CD_alloca, CD_win_alloca)) 860 return true; 861 862 if (!ShouldIncludeOwnershipAnnotatedFunctions) 863 return false; 864 865 const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); 866 if (Func && Func->hasAttrs()) { 867 for (const auto *I : Func->specific_attrs<OwnershipAttr>()) { 868 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 869 if (OwnKind == OwnershipAttr::Returns) 870 return true; 871 } 872 } 873 874 return false; 875 } 876 877 static bool isStandardNewDelete(const FunctionDecl *FD) { 878 if (!FD) 879 return false; 880 881 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 882 if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete && 883 Kind != OO_Array_Delete) 884 return false; 885 886 // This is standard if and only if it's not defined in a user file. 887 SourceLocation L = FD->getLocation(); 888 // If the header for operator delete is not included, it's still defined 889 // in an invalid source location. Check to make sure we don't crash. 890 return !L.isValid() || 891 FD->getASTContext().getSourceManager().isInSystemHeader(L); 892 } 893 894 //===----------------------------------------------------------------------===// 895 // Methods of MallocChecker and MallocBugVisitor. 896 //===----------------------------------------------------------------------===// 897 898 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc( 899 const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const { 900 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: 901 // 902 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); 903 // 904 // One of the possible flags is M_ZERO, which means 'give me back an 905 // allocation which is already zeroed', like calloc. 906 907 // 2-argument kmalloc(), as used in the Linux kernel: 908 // 909 // void *kmalloc(size_t size, gfp_t flags); 910 // 911 // Has the similar flag value __GFP_ZERO. 912 913 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some 914 // code could be shared. 915 916 ASTContext &Ctx = C.getASTContext(); 917 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); 918 919 if (!KernelZeroFlagVal.hasValue()) { 920 if (OS == llvm::Triple::FreeBSD) 921 KernelZeroFlagVal = 0x0100; 922 else if (OS == llvm::Triple::NetBSD) 923 KernelZeroFlagVal = 0x0002; 924 else if (OS == llvm::Triple::OpenBSD) 925 KernelZeroFlagVal = 0x0008; 926 else if (OS == llvm::Triple::Linux) 927 // __GFP_ZERO 928 KernelZeroFlagVal = 0x8000; 929 else 930 // FIXME: We need a more general way of getting the M_ZERO value. 931 // See also: O_CREAT in UnixAPIChecker.cpp. 932 933 // Fall back to normal malloc behavior on platforms where we don't 934 // know M_ZERO. 935 return None; 936 } 937 938 // We treat the last argument as the flags argument, and callers fall-back to 939 // normal malloc on a None return. This works for the FreeBSD kernel malloc 940 // as well as Linux kmalloc. 941 if (CE->getNumArgs() < 2) 942 return None; 943 944 const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1); 945 const SVal V = C.getSVal(FlagsEx); 946 if (!V.getAs<NonLoc>()) { 947 // The case where 'V' can be a location can only be due to a bad header, 948 // so in this case bail out. 949 return None; 950 } 951 952 NonLoc Flags = V.castAs<NonLoc>(); 953 NonLoc ZeroFlag = C.getSValBuilder() 954 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) 955 .castAs<NonLoc>(); 956 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, 957 Flags, ZeroFlag, 958 FlagsEx->getType()); 959 if (MaskedFlagsUC.isUnknownOrUndef()) 960 return None; 961 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); 962 963 // Check if maskedFlags is non-zero. 964 ProgramStateRef TrueState, FalseState; 965 std::tie(TrueState, FalseState) = State->assume(MaskedFlags); 966 967 // If M_ZERO is set, treat this like calloc (initialized). 968 if (TrueState && !FalseState) { 969 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); 970 return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState, AF_Malloc); 971 } 972 973 return None; 974 } 975 976 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 977 const Expr *BlockBytes) { 978 SValBuilder &SB = C.getSValBuilder(); 979 SVal BlocksVal = C.getSVal(Blocks); 980 SVal BlockBytesVal = C.getSVal(BlockBytes); 981 ProgramStateRef State = C.getState(); 982 SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal, 983 SB.getContext().getSizeType()); 984 return TotalSize; 985 } 986 987 void MallocChecker::checkPostCall(const CallEvent &Call, 988 CheckerContext &C) const { 989 if (C.wasInlined) 990 return; 991 992 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); 993 if (!CE) 994 return; 995 996 const FunctionDecl *FD = C.getCalleeDecl(CE); 997 if (!FD) 998 return; 999 1000 ProgramStateRef State = C.getState(); 1001 bool IsKnownToBeAllocatedMemory = false; 1002 1003 if (FD->getKind() == Decl::Function) { 1004 if (Call.isCalled(MemFunctionInfo.CD_malloc, MemFunctionInfo.CD_BSD_malloc, 1005 MemFunctionInfo.CD_g_malloc, 1006 MemFunctionInfo.CD_g_try_malloc)) { 1007 switch (CE->getNumArgs()) { 1008 default: 1009 return; 1010 case 1: 1011 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 1012 AF_Malloc); 1013 State = ProcessZeroAllocCheck(C, CE, 0, State); 1014 break; 1015 case 2: 1016 llvm_unreachable("There shouldn't be a 2-argument malloc!"); 1017 break; 1018 case 3: 1019 llvm::Optional<ProgramStateRef> MaybeState = 1020 performKernelMalloc(CE, C, State); 1021 if (MaybeState.hasValue()) 1022 State = MaybeState.getValue(); 1023 else 1024 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 1025 AF_Malloc); 1026 break; 1027 } 1028 } else if (Call.isCalled(MemFunctionInfo.CD_kmalloc)) { 1029 if (CE->getNumArgs() < 1) 1030 return; 1031 llvm::Optional<ProgramStateRef> MaybeState = 1032 performKernelMalloc(CE, C, State); 1033 if (MaybeState.hasValue()) 1034 State = MaybeState.getValue(); 1035 else 1036 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 1037 AF_Malloc); 1038 } else if (Call.isCalled(MemFunctionInfo.CD_valloc)) { 1039 if (CE->getNumArgs() < 1) 1040 return; 1041 State = 1042 MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Malloc); 1043 State = ProcessZeroAllocCheck(C, CE, 0, State); 1044 } else if (Call.isCalled(MemFunctionInfo.CD_realloc, 1045 MemFunctionInfo.CD_g_realloc, 1046 MemFunctionInfo.CD_g_try_realloc)) { 1047 State = 1048 ReallocMemAux(C, CE, /*ShouldFreeOnFail*/ false, State, AF_Malloc); 1049 State = ProcessZeroAllocCheck(C, CE, 1, State); 1050 } else if (Call.isCalled(MemFunctionInfo.CD_reallocf)) { 1051 State = ReallocMemAux(C, CE, /*ShouldFreeOnFail*/ true, State, AF_Malloc); 1052 State = ProcessZeroAllocCheck(C, CE, 1, State); 1053 } else if (Call.isCalled(MemFunctionInfo.CD_calloc)) { 1054 State = CallocMem(C, CE, State); 1055 State = ProcessZeroAllocCheck(C, CE, 0, State); 1056 State = ProcessZeroAllocCheck(C, CE, 1, State); 1057 } else if (Call.isCalled(MemFunctionInfo.CD_free, MemFunctionInfo.CD_g_free, 1058 MemFunctionInfo.CD_kfree)) { 1059 if (suppressDeallocationsInSuspiciousContexts(CE, C)) 1060 return; 1061 1062 State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory, 1063 AF_Malloc); 1064 } else if (Call.isCalled( 1065 MemFunctionInfo.CD_strdup, MemFunctionInfo.CD_win_strdup, 1066 MemFunctionInfo.CD_wcsdup, MemFunctionInfo.CD_win_wcsdup)) { 1067 State = MallocUpdateRefState(C, CE, State, AF_Malloc); 1068 } else if (Call.isCalled(MemFunctionInfo.CD_strndup)) { 1069 State = MallocUpdateRefState(C, CE, State, AF_Malloc); 1070 } else if (Call.isCalled(MemFunctionInfo.CD_alloca, 1071 MemFunctionInfo.CD_win_alloca)) { 1072 if (CE->getNumArgs() < 1) 1073 return; 1074 State = 1075 MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Alloca); 1076 State = ProcessZeroAllocCheck(C, CE, 0, State); 1077 } else if (isStandardNewDelete(FD)) { 1078 // Process direct calls to operator new/new[]/delete/delete[] functions 1079 // as distinct from new/new[]/delete/delete[] expressions that are 1080 // processed by the checkPostStmt callbacks for CXXNewExpr and 1081 // CXXDeleteExpr. 1082 switch (FD->getOverloadedOperator()) { 1083 case OO_New: 1084 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 1085 AF_CXXNew); 1086 State = ProcessZeroAllocCheck(C, CE, 0, State); 1087 break; 1088 case OO_Array_New: 1089 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 1090 AF_CXXNewArray); 1091 State = ProcessZeroAllocCheck(C, CE, 0, State); 1092 break; 1093 case OO_Delete: 1094 State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory, 1095 AF_CXXNew); 1096 break; 1097 case OO_Array_Delete: 1098 State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory, 1099 AF_CXXNewArray); 1100 break; 1101 default: 1102 llvm_unreachable("not a new/delete operator"); 1103 } 1104 } else if (Call.isCalled(MemFunctionInfo.CD_if_nameindex)) { 1105 // Should we model this differently? We can allocate a fixed number of 1106 // elements with zeros in the last one. 1107 State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, 1108 AF_IfNameIndex); 1109 } else if (Call.isCalled(MemFunctionInfo.CD_if_freenameindex)) { 1110 State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory, 1111 AF_IfNameIndex); 1112 } else if (Call.isCalled(MemFunctionInfo.CD_g_malloc0, 1113 MemFunctionInfo.CD_g_try_malloc0)) { 1114 if (CE->getNumArgs() < 1) 1115 return; 1116 SValBuilder &svalBuilder = C.getSValBuilder(); 1117 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1118 State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State, AF_Malloc); 1119 State = ProcessZeroAllocCheck(C, CE, 0, State); 1120 } else if (Call.isCalled(MemFunctionInfo.CD_g_memdup)) { 1121 if (CE->getNumArgs() < 2) 1122 return; 1123 State = 1124 MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State, AF_Malloc); 1125 State = ProcessZeroAllocCheck(C, CE, 1, State); 1126 } else if (Call.isCalled(MemFunctionInfo.CD_g_malloc_n, 1127 MemFunctionInfo.CD_g_try_malloc_n, 1128 MemFunctionInfo.CD_g_malloc0_n, 1129 MemFunctionInfo.CD_g_try_malloc0_n)) { 1130 if (CE->getNumArgs() < 2) 1131 return; 1132 SVal Init = UndefinedVal(); 1133 if (Call.isCalled(MemFunctionInfo.CD_g_malloc0_n, 1134 MemFunctionInfo.CD_g_try_malloc0_n)) { 1135 SValBuilder &SB = C.getSValBuilder(); 1136 Init = SB.makeZeroVal(SB.getContext().CharTy); 1137 } 1138 SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); 1139 State = MallocMemAux(C, CE, TotalSize, Init, State, AF_Malloc); 1140 State = ProcessZeroAllocCheck(C, CE, 0, State); 1141 State = ProcessZeroAllocCheck(C, CE, 1, State); 1142 } else if (Call.isCalled(MemFunctionInfo.CD_g_realloc_n, 1143 MemFunctionInfo.CD_g_try_realloc_n)) { 1144 if (CE->getNumArgs() < 3) 1145 return; 1146 State = ReallocMemAux(C, CE, /*ShouldFreeOnFail*/ false, State, AF_Malloc, 1147 /*SuffixWithN*/ true); 1148 State = ProcessZeroAllocCheck(C, CE, 1, State); 1149 State = ProcessZeroAllocCheck(C, CE, 2, State); 1150 } 1151 } 1152 1153 if (MemFunctionInfo.ShouldIncludeOwnershipAnnotatedFunctions || 1154 ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 1155 // Check all the attributes, if there are any. 1156 // There can be multiple of these attributes. 1157 if (FD->hasAttrs()) 1158 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 1159 switch (I->getOwnKind()) { 1160 case OwnershipAttr::Returns: 1161 State = MallocMemReturnsAttr(C, CE, I, State); 1162 break; 1163 case OwnershipAttr::Takes: 1164 case OwnershipAttr::Holds: 1165 State = FreeMemAttr(C, CE, I, State); 1166 break; 1167 } 1168 } 1169 } 1170 C.addTransition(State); 1171 } 1172 1173 // Performs a 0-sized allocations check. 1174 ProgramStateRef MallocChecker::ProcessZeroAllocCheck( 1175 CheckerContext &C, const Expr *E, const unsigned IndexOfSizeArg, 1176 ProgramStateRef State, Optional<SVal> RetVal) { 1177 if (!State) 1178 return nullptr; 1179 1180 if (!RetVal) 1181 RetVal = C.getSVal(E); 1182 1183 const Expr *Arg = nullptr; 1184 1185 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1186 Arg = CE->getArg(IndexOfSizeArg); 1187 } 1188 else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1189 if (NE->isArray()) 1190 Arg = *NE->getArraySize(); 1191 else 1192 return State; 1193 } 1194 else 1195 llvm_unreachable("not a CallExpr or CXXNewExpr"); 1196 1197 assert(Arg); 1198 1199 Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>(); 1200 1201 if (!DefArgVal) 1202 return State; 1203 1204 // Check if the allocation size is 0. 1205 ProgramStateRef TrueState, FalseState; 1206 SValBuilder &SvalBuilder = C.getSValBuilder(); 1207 DefinedSVal Zero = 1208 SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>(); 1209 1210 std::tie(TrueState, FalseState) = 1211 State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero)); 1212 1213 if (TrueState && !FalseState) { 1214 SymbolRef Sym = RetVal->getAsLocSymbol(); 1215 if (!Sym) 1216 return State; 1217 1218 const RefState *RS = State->get<RegionState>(Sym); 1219 if (RS) { 1220 if (RS->isAllocated()) 1221 return TrueState->set<RegionState>(Sym, 1222 RefState::getAllocatedOfSizeZero(RS)); 1223 else 1224 return State; 1225 } else { 1226 // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as 1227 // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not 1228 // tracked. Add zero-reallocated Sym to the state to catch references 1229 // to zero-allocated memory. 1230 return TrueState->add<ReallocSizeZeroSymbols>(Sym); 1231 } 1232 } 1233 1234 // Assume the value is non-zero going forward. 1235 assert(FalseState); 1236 return FalseState; 1237 } 1238 1239 static QualType getDeepPointeeType(QualType T) { 1240 QualType Result = T, PointeeType = T->getPointeeType(); 1241 while (!PointeeType.isNull()) { 1242 Result = PointeeType; 1243 PointeeType = PointeeType->getPointeeType(); 1244 } 1245 return Result; 1246 } 1247 1248 /// \returns true if the constructor invoked by \p NE has an argument of a 1249 /// pointer/reference to a record type. 1250 static bool hasNonTrivialConstructorCall(const CXXNewExpr *NE) { 1251 1252 const CXXConstructExpr *ConstructE = NE->getConstructExpr(); 1253 if (!ConstructE) 1254 return false; 1255 1256 if (!NE->getAllocatedType()->getAsCXXRecordDecl()) 1257 return false; 1258 1259 const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); 1260 1261 // Iterate over the constructor parameters. 1262 for (const auto *CtorParam : CtorD->parameters()) { 1263 1264 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); 1265 if (CtorParamPointeeT.isNull()) 1266 continue; 1267 1268 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); 1269 1270 if (CtorParamPointeeT->getAsCXXRecordDecl()) 1271 return true; 1272 } 1273 1274 return false; 1275 } 1276 1277 void MallocChecker::processNewAllocation(const CXXNewExpr *NE, 1278 CheckerContext &C, SVal Target, 1279 AllocationFamily Family) const { 1280 if (!isStandardNewDelete(NE->getOperatorNew())) 1281 return; 1282 1283 const ParentMap &PM = C.getLocationContext()->getParentMap(); 1284 1285 // Non-trivial constructors have a chance to escape 'this', but marking all 1286 // invocations of trivial constructors as escaped would cause too great of 1287 // reduction of true positives, so let's just do that for constructors that 1288 // have an argument of a pointer-to-record type. 1289 if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE)) 1290 return; 1291 1292 ProgramStateRef State = C.getState(); 1293 // The return value from operator new is bound to a specified initialization 1294 // value (if any) and we don't want to loose this value. So we call 1295 // MallocUpdateRefState() instead of MallocMemAux() which breaks the 1296 // existing binding. 1297 State = MallocUpdateRefState(C, NE, State, Family, Target); 1298 State = addExtentSize(C, NE, State, Target); 1299 State = ProcessZeroAllocCheck(C, NE, 0, State, Target); 1300 C.addTransition(State); 1301 } 1302 1303 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 1304 CheckerContext &C) const { 1305 if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator) { 1306 if (NE->isArray()) 1307 processNewAllocation(NE, C, C.getSVal(NE), 1308 (NE->isArray() ? AF_CXXNewArray : AF_CXXNew)); 1309 } 1310 } 1311 1312 void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target, 1313 CheckerContext &C) const { 1314 if (!C.wasInlined) { 1315 processNewAllocation(NE, C, Target, 1316 (NE->isArray() ? AF_CXXNewArray : AF_CXXNew)); 1317 } 1318 } 1319 1320 // Sets the extent value of the MemRegion allocated by 1321 // new expression NE to its size in Bytes. 1322 // 1323 ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C, 1324 const CXXNewExpr *NE, 1325 ProgramStateRef State, 1326 SVal Target) { 1327 if (!State) 1328 return nullptr; 1329 SValBuilder &svalBuilder = C.getSValBuilder(); 1330 SVal ElementCount; 1331 const SubRegion *Region; 1332 if (NE->isArray()) { 1333 const Expr *SizeExpr = *NE->getArraySize(); 1334 ElementCount = C.getSVal(SizeExpr); 1335 // Store the extent size for the (symbolic)region 1336 // containing the elements. 1337 Region = Target.getAsRegion() 1338 ->castAs<SubRegion>() 1339 ->StripCasts() 1340 ->castAs<SubRegion>(); 1341 } else { 1342 ElementCount = svalBuilder.makeIntVal(1, true); 1343 Region = Target.getAsRegion()->castAs<SubRegion>(); 1344 } 1345 1346 // Set the region's extent equal to the Size in Bytes. 1347 QualType ElementType = NE->getAllocatedType(); 1348 ASTContext &AstContext = C.getASTContext(); 1349 CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType); 1350 1351 if (ElementCount.getAs<NonLoc>()) { 1352 DefinedOrUnknownSVal DynSize = getDynamicSize(State, Region, svalBuilder); 1353 1354 // size in Bytes = ElementCount*TypeSize 1355 SVal SizeInBytes = svalBuilder.evalBinOpNN( 1356 State, BO_Mul, ElementCount.castAs<NonLoc>(), 1357 svalBuilder.makeArrayIndex(TypeSize.getQuantity()), 1358 svalBuilder.getArrayIndexType()); 1359 DefinedOrUnknownSVal DynSizeMatchesSize = svalBuilder.evalEQ( 1360 State, DynSize, SizeInBytes.castAs<DefinedOrUnknownSVal>()); 1361 State = State->assume(DynSizeMatchesSize, true); 1362 } 1363 return State; 1364 } 1365 1366 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 1367 CheckerContext &C) const { 1368 1369 if (!ChecksEnabled[CK_NewDeleteChecker]) 1370 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 1371 checkUseAfterFree(Sym, C, DE->getArgument()); 1372 1373 if (!isStandardNewDelete(DE->getOperatorDelete())) 1374 return; 1375 1376 ProgramStateRef State = C.getState(); 1377 bool IsKnownToBeAllocated; 1378 State = FreeMemAux(C, DE->getArgument(), DE, State, 1379 /*Hold*/ false, IsKnownToBeAllocated, 1380 (DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew)); 1381 1382 C.addTransition(State); 1383 } 1384 1385 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 1386 // If the first selector piece is one of the names below, assume that the 1387 // object takes ownership of the memory, promising to eventually deallocate it 1388 // with free(). 1389 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1390 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 1391 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 1392 return FirstSlot == "dataWithBytesNoCopy" || 1393 FirstSlot == "initWithBytesNoCopy" || 1394 FirstSlot == "initWithCharactersNoCopy"; 1395 } 1396 1397 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 1398 Selector S = Call.getSelector(); 1399 1400 // FIXME: We should not rely on fully-constrained symbols being folded. 1401 for (unsigned i = 1; i < S.getNumArgs(); ++i) 1402 if (S.getNameForSlot(i).equals("freeWhenDone")) 1403 return !Call.getArgSVal(i).isZeroConstant(); 1404 1405 return None; 1406 } 1407 1408 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 1409 CheckerContext &C) const { 1410 if (C.wasInlined) 1411 return; 1412 1413 if (!isKnownDeallocObjCMethodName(Call)) 1414 return; 1415 1416 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 1417 if (!*FreeWhenDone) 1418 return; 1419 1420 if (Call.hasNonZeroCallbackArg()) 1421 return; 1422 1423 bool IsKnownToBeAllocatedMemory; 1424 ProgramStateRef State = 1425 FreeMemAux(C, Call.getArgExpr(0), Call.getOriginExpr(), C.getState(), 1426 /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc, 1427 /*RetNullOnFailure=*/true); 1428 1429 C.addTransition(State); 1430 } 1431 1432 ProgramStateRef 1433 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, 1434 const OwnershipAttr *Att, 1435 ProgramStateRef State) const { 1436 if (!State) 1437 return nullptr; 1438 1439 if (Att->getModule()->getName() != 1440 MemFunctionInfo.CD_malloc.getFunctionName()) 1441 return nullptr; 1442 1443 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 1444 if (I != E) { 1445 return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(), 1446 State, AF_Malloc); 1447 } 1448 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State, AF_Malloc); 1449 } 1450 1451 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1452 const CallExpr *CE, 1453 const Expr *SizeEx, SVal Init, 1454 ProgramStateRef State, 1455 AllocationFamily Family) { 1456 if (!State) 1457 return nullptr; 1458 1459 return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family); 1460 } 1461 1462 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1463 const CallExpr *CE, SVal Size, 1464 SVal Init, ProgramStateRef State, 1465 AllocationFamily Family) { 1466 if (!State) 1467 return nullptr; 1468 1469 // We expect the malloc functions to return a pointer. 1470 if (!Loc::isLocType(CE->getType())) 1471 return nullptr; 1472 1473 // Bind the return value to the symbolic value from the heap region. 1474 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 1475 // side effects other than what we model here. 1476 unsigned Count = C.blockCount(); 1477 SValBuilder &svalBuilder = C.getSValBuilder(); 1478 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 1479 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 1480 .castAs<DefinedSVal>(); 1481 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 1482 1483 // Fill the region with the initialization value. 1484 State = State->bindDefaultInitial(RetVal, Init, LCtx); 1485 1486 // Set the region's extent equal to the Size parameter. 1487 const SymbolicRegion *R = 1488 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 1489 if (!R) 1490 return nullptr; 1491 if (Optional<DefinedOrUnknownSVal> DefinedSize = 1492 Size.getAs<DefinedOrUnknownSVal>()) { 1493 DefinedOrUnknownSVal DynSize = getDynamicSize(State, R, svalBuilder); 1494 1495 DefinedOrUnknownSVal DynSizeMatchesSize = 1496 svalBuilder.evalEQ(State, DynSize, *DefinedSize); 1497 1498 State = State->assume(DynSizeMatchesSize, true); 1499 assert(State); 1500 } 1501 1502 return MallocUpdateRefState(C, CE, State, Family); 1503 } 1504 1505 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, 1506 ProgramStateRef State, 1507 AllocationFamily Family, 1508 Optional<SVal> RetVal) { 1509 if (!State) 1510 return nullptr; 1511 1512 // Get the return value. 1513 if (!RetVal) 1514 RetVal = C.getSVal(E); 1515 1516 // We expect the malloc functions to return a pointer. 1517 if (!RetVal->getAs<Loc>()) 1518 return nullptr; 1519 1520 SymbolRef Sym = RetVal->getAsLocSymbol(); 1521 // This is a return value of a function that was not inlined, such as malloc() 1522 // or new(). We've checked that in the caller. Therefore, it must be a symbol. 1523 assert(Sym); 1524 1525 // Set the symbol's state to Allocated. 1526 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 1527 } 1528 1529 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 1530 const CallExpr *CE, 1531 const OwnershipAttr *Att, 1532 ProgramStateRef State) const { 1533 if (!State) 1534 return nullptr; 1535 1536 if (Att->getModule()->getName() != 1537 MemFunctionInfo.CD_malloc.getFunctionName()) 1538 return nullptr; 1539 1540 bool IsKnownToBeAllocated = false; 1541 1542 for (const auto &Arg : Att->args()) { 1543 ProgramStateRef StateI = 1544 FreeMemAux(C, CE, State, Arg.getASTIndex(), 1545 Att->getOwnKind() == OwnershipAttr::Holds, 1546 IsKnownToBeAllocated, AF_Malloc); 1547 if (StateI) 1548 State = StateI; 1549 } 1550 return State; 1551 } 1552 1553 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, const CallExpr *CE, 1554 ProgramStateRef State, unsigned Num, 1555 bool Hold, bool &IsKnownToBeAllocated, 1556 AllocationFamily Family, 1557 bool ReturnsNullOnFailure) const { 1558 if (!State) 1559 return nullptr; 1560 1561 if (CE->getNumArgs() < (Num + 1)) 1562 return nullptr; 1563 1564 return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, IsKnownToBeAllocated, 1565 Family, ReturnsNullOnFailure); 1566 } 1567 1568 /// Checks if the previous call to free on the given symbol failed - if free 1569 /// failed, returns true. Also, returns the corresponding return value symbol. 1570 static bool didPreviousFreeFail(ProgramStateRef State, 1571 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 1572 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 1573 if (Ret) { 1574 assert(*Ret && "We should not store the null return symbol"); 1575 ConstraintManager &CMgr = State->getConstraintManager(); 1576 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 1577 RetStatusSymbol = *Ret; 1578 return FreeFailed.isConstrainedTrue(); 1579 } 1580 return false; 1581 } 1582 1583 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E) { 1584 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1585 // FIXME: This doesn't handle indirect calls. 1586 const FunctionDecl *FD = CE->getDirectCallee(); 1587 if (!FD) 1588 return false; 1589 1590 os << *FD; 1591 if (!FD->isOverloadedOperator()) 1592 os << "()"; 1593 return true; 1594 } 1595 1596 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 1597 if (Msg->isInstanceMessage()) 1598 os << "-"; 1599 else 1600 os << "+"; 1601 Msg->getSelector().print(os); 1602 return true; 1603 } 1604 1605 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1606 os << "'" 1607 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 1608 << "'"; 1609 return true; 1610 } 1611 1612 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 1613 os << "'" 1614 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 1615 << "'"; 1616 return true; 1617 } 1618 1619 return false; 1620 } 1621 1622 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family) { 1623 1624 switch(Family) { 1625 case AF_Malloc: os << "malloc()"; return; 1626 case AF_CXXNew: os << "'new'"; return; 1627 case AF_CXXNewArray: os << "'new[]'"; return; 1628 case AF_IfNameIndex: os << "'if_nameindex()'"; return; 1629 case AF_InnerBuffer: os << "container-specific allocator"; return; 1630 case AF_Alloca: 1631 case AF_None: llvm_unreachable("not a deallocation expression"); 1632 } 1633 } 1634 1635 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) { 1636 switch(Family) { 1637 case AF_Malloc: os << "free()"; return; 1638 case AF_CXXNew: os << "'delete'"; return; 1639 case AF_CXXNewArray: os << "'delete[]'"; return; 1640 case AF_IfNameIndex: os << "'if_freenameindex()'"; return; 1641 case AF_InnerBuffer: os << "container-specific deallocator"; return; 1642 case AF_Alloca: 1643 case AF_None: llvm_unreachable("suspicious argument"); 1644 } 1645 } 1646 1647 ProgramStateRef MallocChecker::FreeMemAux( 1648 CheckerContext &C, const Expr *ArgExpr, const Expr *ParentExpr, 1649 ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated, 1650 AllocationFamily Family, bool ReturnsNullOnFailure) const { 1651 1652 if (!State) 1653 return nullptr; 1654 1655 SVal ArgVal = C.getSVal(ArgExpr); 1656 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 1657 return nullptr; 1658 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 1659 1660 // Check for null dereferences. 1661 if (!location.getAs<Loc>()) 1662 return nullptr; 1663 1664 // The explicit NULL case, no operation is performed. 1665 ProgramStateRef notNullState, nullState; 1666 std::tie(notNullState, nullState) = State->assume(location); 1667 if (nullState && !notNullState) 1668 return nullptr; 1669 1670 // Unknown values could easily be okay 1671 // Undefined values are handled elsewhere 1672 if (ArgVal.isUnknownOrUndef()) 1673 return nullptr; 1674 1675 const MemRegion *R = ArgVal.getAsRegion(); 1676 1677 // Nonlocs can't be freed, of course. 1678 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 1679 if (!R) { 1680 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family); 1681 return nullptr; 1682 } 1683 1684 R = R->StripCasts(); 1685 1686 // Blocks might show up as heap data, but should not be free()d 1687 if (isa<BlockDataRegion>(R)) { 1688 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family); 1689 return nullptr; 1690 } 1691 1692 const MemSpaceRegion *MS = R->getMemorySpace(); 1693 1694 // Parameters, locals, statics, globals, and memory returned by 1695 // __builtin_alloca() shouldn't be freed. 1696 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1697 // FIXME: at the time this code was written, malloc() regions were 1698 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1699 // This means that there isn't actually anything from HeapSpaceRegion 1700 // that should be freed, even though we allow it here. 1701 // Of course, free() can work on memory allocated outside the current 1702 // function, so UnknownSpaceRegion is always a possibility. 1703 // False negatives are better than false positives. 1704 1705 if (isa<AllocaRegion>(R)) 1706 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1707 else 1708 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family); 1709 1710 return nullptr; 1711 } 1712 1713 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1714 // Various cases could lead to non-symbol values here. 1715 // For now, ignore them. 1716 if (!SrBase) 1717 return nullptr; 1718 1719 SymbolRef SymBase = SrBase->getSymbol(); 1720 const RefState *RsBase = State->get<RegionState>(SymBase); 1721 SymbolRef PreviousRetStatusSymbol = nullptr; 1722 1723 IsKnownToBeAllocated = 1724 RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero()); 1725 1726 if (RsBase) { 1727 1728 // Memory returned by alloca() shouldn't be freed. 1729 if (RsBase->getAllocationFamily() == AF_Alloca) { 1730 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1731 return nullptr; 1732 } 1733 1734 // Check for double free first. 1735 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1736 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1737 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1738 SymBase, PreviousRetStatusSymbol); 1739 return nullptr; 1740 1741 // If the pointer is allocated or escaped, but we are now trying to free it, 1742 // check that the call to free is proper. 1743 } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() || 1744 RsBase->isEscaped()) { 1745 1746 // Check if an expected deallocation function matches the real one. 1747 bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family; 1748 if (!DeallocMatchesAlloc) { 1749 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1750 ParentExpr, RsBase, SymBase, Hold); 1751 return nullptr; 1752 } 1753 1754 // Check if the memory location being freed is the actual location 1755 // allocated, or an offset. 1756 RegionOffset Offset = R->getAsOffset(); 1757 if (Offset.isValid() && 1758 !Offset.hasSymbolicOffset() && 1759 Offset.getOffset() != 0) { 1760 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1761 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1762 Family, AllocExpr); 1763 return nullptr; 1764 } 1765 } 1766 } 1767 1768 if (SymBase->getType()->isFunctionPointerType()) { 1769 ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1770 Family); 1771 return nullptr; 1772 } 1773 1774 // Clean out the info on previous call to free return info. 1775 State = State->remove<FreeReturnValue>(SymBase); 1776 1777 // Keep track of the return value. If it is NULL, we will know that free 1778 // failed. 1779 if (ReturnsNullOnFailure) { 1780 SVal RetVal = C.getSVal(ParentExpr); 1781 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1782 if (RetStatusSymbol) { 1783 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1784 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1785 } 1786 } 1787 1788 // If we don't know anything about this symbol, a free on it may be totally 1789 // valid. If this is the case, lets assume that the allocation family of the 1790 // freeing function is the same as the symbols allocation family, and go with 1791 // that. 1792 assert(!RsBase || (RsBase && RsBase->getAllocationFamily() == Family)); 1793 1794 // Normal free. 1795 if (Hold) 1796 return State->set<RegionState>(SymBase, 1797 RefState::getRelinquished(Family, 1798 ParentExpr)); 1799 1800 return State->set<RegionState>(SymBase, 1801 RefState::getReleased(Family, ParentExpr)); 1802 } 1803 1804 Optional<MallocChecker::CheckKind> 1805 MallocChecker::getCheckIfTracked(AllocationFamily Family, 1806 bool IsALeakCheck) const { 1807 switch (Family) { 1808 case AF_Malloc: 1809 case AF_Alloca: 1810 case AF_IfNameIndex: { 1811 if (ChecksEnabled[CK_MallocChecker]) 1812 return CK_MallocChecker; 1813 return None; 1814 } 1815 case AF_CXXNew: 1816 case AF_CXXNewArray: { 1817 if (IsALeakCheck) { 1818 if (ChecksEnabled[CK_NewDeleteLeaksChecker]) 1819 return CK_NewDeleteLeaksChecker; 1820 } 1821 else { 1822 if (ChecksEnabled[CK_NewDeleteChecker]) 1823 return CK_NewDeleteChecker; 1824 } 1825 return None; 1826 } 1827 case AF_InnerBuffer: { 1828 if (ChecksEnabled[CK_InnerPointerChecker]) 1829 return CK_InnerPointerChecker; 1830 return None; 1831 } 1832 case AF_None: { 1833 llvm_unreachable("no family"); 1834 } 1835 } 1836 llvm_unreachable("unhandled family"); 1837 } 1838 1839 Optional<MallocChecker::CheckKind> 1840 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 1841 bool IsALeakCheck) const { 1842 if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) 1843 return CK_MallocChecker; 1844 1845 const RefState *RS = C.getState()->get<RegionState>(Sym); 1846 assert(RS); 1847 return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck); 1848 } 1849 1850 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1851 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1852 os << "an integer (" << IntVal->getValue() << ")"; 1853 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1854 os << "a constant address (" << ConstAddr->getValue() << ")"; 1855 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1856 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1857 else 1858 return false; 1859 1860 return true; 1861 } 1862 1863 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1864 const MemRegion *MR) { 1865 switch (MR->getKind()) { 1866 case MemRegion::FunctionCodeRegionKind: { 1867 const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl(); 1868 if (FD) 1869 os << "the address of the function '" << *FD << '\''; 1870 else 1871 os << "the address of a function"; 1872 return true; 1873 } 1874 case MemRegion::BlockCodeRegionKind: 1875 os << "block text"; 1876 return true; 1877 case MemRegion::BlockDataRegionKind: 1878 // FIXME: where the block came from? 1879 os << "a block"; 1880 return true; 1881 default: { 1882 const MemSpaceRegion *MS = MR->getMemorySpace(); 1883 1884 if (isa<StackLocalsSpaceRegion>(MS)) { 1885 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1886 const VarDecl *VD; 1887 if (VR) 1888 VD = VR->getDecl(); 1889 else 1890 VD = nullptr; 1891 1892 if (VD) 1893 os << "the address of the local variable '" << VD->getName() << "'"; 1894 else 1895 os << "the address of a local stack variable"; 1896 return true; 1897 } 1898 1899 if (isa<StackArgumentsSpaceRegion>(MS)) { 1900 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1901 const VarDecl *VD; 1902 if (VR) 1903 VD = VR->getDecl(); 1904 else 1905 VD = nullptr; 1906 1907 if (VD) 1908 os << "the address of the parameter '" << VD->getName() << "'"; 1909 else 1910 os << "the address of a parameter"; 1911 return true; 1912 } 1913 1914 if (isa<GlobalsSpaceRegion>(MS)) { 1915 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1916 const VarDecl *VD; 1917 if (VR) 1918 VD = VR->getDecl(); 1919 else 1920 VD = nullptr; 1921 1922 if (VD) { 1923 if (VD->isStaticLocal()) 1924 os << "the address of the static variable '" << VD->getName() << "'"; 1925 else 1926 os << "the address of the global variable '" << VD->getName() << "'"; 1927 } else 1928 os << "the address of a global variable"; 1929 return true; 1930 } 1931 1932 return false; 1933 } 1934 } 1935 } 1936 1937 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1938 SourceRange Range, const Expr *DeallocExpr, 1939 AllocationFamily Family) const { 1940 1941 if (!ChecksEnabled[CK_MallocChecker] && 1942 !ChecksEnabled[CK_NewDeleteChecker]) 1943 return; 1944 1945 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 1946 if (!CheckKind.hasValue()) 1947 return; 1948 1949 if (ExplodedNode *N = C.generateErrorNode()) { 1950 if (!BT_BadFree[*CheckKind]) 1951 BT_BadFree[*CheckKind].reset(new BugType( 1952 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 1953 1954 SmallString<100> buf; 1955 llvm::raw_svector_ostream os(buf); 1956 1957 const MemRegion *MR = ArgVal.getAsRegion(); 1958 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1959 MR = ER->getSuperRegion(); 1960 1961 os << "Argument to "; 1962 if (!printMemFnName(os, C, DeallocExpr)) 1963 os << "deallocator"; 1964 1965 os << " is "; 1966 bool Summarized = MR ? SummarizeRegion(os, MR) 1967 : SummarizeValue(os, ArgVal); 1968 if (Summarized) 1969 os << ", which is not memory allocated by "; 1970 else 1971 os << "not memory allocated by "; 1972 1973 printExpectedAllocName(os, Family); 1974 1975 auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], 1976 os.str(), N); 1977 R->markInteresting(MR); 1978 R->addRange(Range); 1979 C.emitReport(std::move(R)); 1980 } 1981 } 1982 1983 void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 1984 SourceRange Range) const { 1985 1986 Optional<MallocChecker::CheckKind> CheckKind; 1987 1988 if (ChecksEnabled[CK_MallocChecker]) 1989 CheckKind = CK_MallocChecker; 1990 else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1991 CheckKind = CK_MismatchedDeallocatorChecker; 1992 else 1993 return; 1994 1995 if (ExplodedNode *N = C.generateErrorNode()) { 1996 if (!BT_FreeAlloca[*CheckKind]) 1997 BT_FreeAlloca[*CheckKind].reset(new BugType( 1998 CheckNames[*CheckKind], "Free alloca()", categories::MemoryError)); 1999 2000 auto R = std::make_unique<PathSensitiveBugReport>( 2001 *BT_FreeAlloca[*CheckKind], 2002 "Memory allocated by alloca() should not be deallocated", N); 2003 R->markInteresting(ArgVal.getAsRegion()); 2004 R->addRange(Range); 2005 C.emitReport(std::move(R)); 2006 } 2007 } 2008 2009 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 2010 SourceRange Range, 2011 const Expr *DeallocExpr, 2012 const RefState *RS, 2013 SymbolRef Sym, 2014 bool OwnershipTransferred) const { 2015 2016 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) 2017 return; 2018 2019 if (ExplodedNode *N = C.generateErrorNode()) { 2020 if (!BT_MismatchedDealloc) 2021 BT_MismatchedDealloc.reset( 2022 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 2023 "Bad deallocator", categories::MemoryError)); 2024 2025 SmallString<100> buf; 2026 llvm::raw_svector_ostream os(buf); 2027 2028 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 2029 SmallString<20> AllocBuf; 2030 llvm::raw_svector_ostream AllocOs(AllocBuf); 2031 SmallString<20> DeallocBuf; 2032 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 2033 2034 if (OwnershipTransferred) { 2035 if (printMemFnName(DeallocOs, C, DeallocExpr)) 2036 os << DeallocOs.str() << " cannot"; 2037 else 2038 os << "Cannot"; 2039 2040 os << " take ownership of memory"; 2041 2042 if (printMemFnName(AllocOs, C, AllocExpr)) 2043 os << " allocated by " << AllocOs.str(); 2044 } else { 2045 os << "Memory"; 2046 if (printMemFnName(AllocOs, C, AllocExpr)) 2047 os << " allocated by " << AllocOs.str(); 2048 2049 os << " should be deallocated by "; 2050 printExpectedDeallocName(os, RS->getAllocationFamily()); 2051 2052 if (printMemFnName(DeallocOs, C, DeallocExpr)) 2053 os << ", not " << DeallocOs.str(); 2054 } 2055 2056 auto R = std::make_unique<PathSensitiveBugReport>(*BT_MismatchedDealloc, 2057 os.str(), N); 2058 R->markInteresting(Sym); 2059 R->addRange(Range); 2060 R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); 2061 C.emitReport(std::move(R)); 2062 } 2063 } 2064 2065 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 2066 SourceRange Range, const Expr *DeallocExpr, 2067 AllocationFamily Family, 2068 const Expr *AllocExpr) const { 2069 2070 if (!ChecksEnabled[CK_MallocChecker] && 2071 !ChecksEnabled[CK_NewDeleteChecker]) 2072 return; 2073 2074 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2075 if (!CheckKind.hasValue()) 2076 return; 2077 2078 ExplodedNode *N = C.generateErrorNode(); 2079 if (!N) 2080 return; 2081 2082 if (!BT_OffsetFree[*CheckKind]) 2083 BT_OffsetFree[*CheckKind].reset(new BugType( 2084 CheckNames[*CheckKind], "Offset free", categories::MemoryError)); 2085 2086 SmallString<100> buf; 2087 llvm::raw_svector_ostream os(buf); 2088 SmallString<20> AllocNameBuf; 2089 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 2090 2091 const MemRegion *MR = ArgVal.getAsRegion(); 2092 assert(MR && "Only MemRegion based symbols can have offset free errors"); 2093 2094 RegionOffset Offset = MR->getAsOffset(); 2095 assert((Offset.isValid() && 2096 !Offset.hasSymbolicOffset() && 2097 Offset.getOffset() != 0) && 2098 "Only symbols with a valid offset can have offset free errors"); 2099 2100 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 2101 2102 os << "Argument to "; 2103 if (!printMemFnName(os, C, DeallocExpr)) 2104 os << "deallocator"; 2105 os << " is offset by " 2106 << offsetBytes 2107 << " " 2108 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 2109 << " from the start of "; 2110 if (AllocExpr && printMemFnName(AllocNameOs, C, AllocExpr)) 2111 os << "memory allocated by " << AllocNameOs.str(); 2112 else 2113 os << "allocated memory"; 2114 2115 auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind], 2116 os.str(), N); 2117 R->markInteresting(MR->getBaseRegion()); 2118 R->addRange(Range); 2119 C.emitReport(std::move(R)); 2120 } 2121 2122 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 2123 SymbolRef Sym) const { 2124 2125 if (!ChecksEnabled[CK_MallocChecker] && 2126 !ChecksEnabled[CK_NewDeleteChecker] && 2127 !ChecksEnabled[CK_InnerPointerChecker]) 2128 return; 2129 2130 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2131 if (!CheckKind.hasValue()) 2132 return; 2133 2134 if (ExplodedNode *N = C.generateErrorNode()) { 2135 if (!BT_UseFree[*CheckKind]) 2136 BT_UseFree[*CheckKind].reset(new BugType( 2137 CheckNames[*CheckKind], "Use-after-free", categories::MemoryError)); 2138 2139 AllocationFamily AF = 2140 C.getState()->get<RegionState>(Sym)->getAllocationFamily(); 2141 2142 auto R = std::make_unique<PathSensitiveBugReport>( 2143 *BT_UseFree[*CheckKind], 2144 AF == AF_InnerBuffer 2145 ? "Inner pointer of container used after re/deallocation" 2146 : "Use of memory after it is freed", 2147 N); 2148 2149 R->markInteresting(Sym); 2150 R->addRange(Range); 2151 R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); 2152 2153 if (AF == AF_InnerBuffer) 2154 R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym)); 2155 2156 C.emitReport(std::move(R)); 2157 } 2158 } 2159 2160 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 2161 bool Released, SymbolRef Sym, 2162 SymbolRef PrevSym) const { 2163 2164 if (!ChecksEnabled[CK_MallocChecker] && 2165 !ChecksEnabled[CK_NewDeleteChecker]) 2166 return; 2167 2168 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2169 if (!CheckKind.hasValue()) 2170 return; 2171 2172 if (ExplodedNode *N = C.generateErrorNode()) { 2173 if (!BT_DoubleFree[*CheckKind]) 2174 BT_DoubleFree[*CheckKind].reset(new BugType( 2175 CheckNames[*CheckKind], "Double free", categories::MemoryError)); 2176 2177 auto R = std::make_unique<PathSensitiveBugReport>( 2178 *BT_DoubleFree[*CheckKind], 2179 (Released ? "Attempt to free released memory" 2180 : "Attempt to free non-owned memory"), 2181 N); 2182 R->addRange(Range); 2183 R->markInteresting(Sym); 2184 if (PrevSym) 2185 R->markInteresting(PrevSym); 2186 R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); 2187 C.emitReport(std::move(R)); 2188 } 2189 } 2190 2191 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 2192 2193 if (!ChecksEnabled[CK_NewDeleteChecker]) 2194 return; 2195 2196 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2197 if (!CheckKind.hasValue()) 2198 return; 2199 2200 if (ExplodedNode *N = C.generateErrorNode()) { 2201 if (!BT_DoubleDelete) 2202 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 2203 "Double delete", 2204 categories::MemoryError)); 2205 2206 auto R = std::make_unique<PathSensitiveBugReport>( 2207 *BT_DoubleDelete, "Attempt to delete released memory", N); 2208 2209 R->markInteresting(Sym); 2210 R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); 2211 C.emitReport(std::move(R)); 2212 } 2213 } 2214 2215 void MallocChecker::ReportUseZeroAllocated(CheckerContext &C, 2216 SourceRange Range, 2217 SymbolRef Sym) const { 2218 2219 if (!ChecksEnabled[CK_MallocChecker] && 2220 !ChecksEnabled[CK_NewDeleteChecker]) 2221 return; 2222 2223 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2224 2225 if (!CheckKind.hasValue()) 2226 return; 2227 2228 if (ExplodedNode *N = C.generateErrorNode()) { 2229 if (!BT_UseZerroAllocated[*CheckKind]) 2230 BT_UseZerroAllocated[*CheckKind].reset( 2231 new BugType(CheckNames[*CheckKind], "Use of zero allocated", 2232 categories::MemoryError)); 2233 2234 auto R = std::make_unique<PathSensitiveBugReport>( 2235 *BT_UseZerroAllocated[*CheckKind], "Use of zero-allocated memory", N); 2236 2237 R->addRange(Range); 2238 if (Sym) { 2239 R->markInteresting(Sym); 2240 R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); 2241 } 2242 C.emitReport(std::move(R)); 2243 } 2244 } 2245 2246 void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, 2247 SourceRange Range, 2248 const Expr *FreeExpr, 2249 AllocationFamily Family) const { 2250 if (!ChecksEnabled[CK_MallocChecker]) 2251 return; 2252 2253 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2254 if (!CheckKind.hasValue()) 2255 return; 2256 2257 if (ExplodedNode *N = C.generateErrorNode()) { 2258 if (!BT_BadFree[*CheckKind]) 2259 BT_BadFree[*CheckKind].reset(new BugType( 2260 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 2261 2262 SmallString<100> Buf; 2263 llvm::raw_svector_ostream Os(Buf); 2264 2265 const MemRegion *MR = ArgVal.getAsRegion(); 2266 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 2267 MR = ER->getSuperRegion(); 2268 2269 Os << "Argument to "; 2270 if (!printMemFnName(Os, C, FreeExpr)) 2271 Os << "deallocator"; 2272 2273 Os << " is a function pointer"; 2274 2275 auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], 2276 Os.str(), N); 2277 R->markInteresting(MR); 2278 R->addRange(Range); 2279 C.emitReport(std::move(R)); 2280 } 2281 } 2282 2283 ProgramStateRef 2284 MallocChecker::ReallocMemAux(CheckerContext &C, const CallExpr *CE, 2285 bool ShouldFreeOnFail, ProgramStateRef State, 2286 AllocationFamily Family, bool SuffixWithN) const { 2287 if (!State) 2288 return nullptr; 2289 2290 if (SuffixWithN && CE->getNumArgs() < 3) 2291 return nullptr; 2292 else if (CE->getNumArgs() < 2) 2293 return nullptr; 2294 2295 const Expr *arg0Expr = CE->getArg(0); 2296 SVal Arg0Val = C.getSVal(arg0Expr); 2297 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 2298 return nullptr; 2299 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 2300 2301 SValBuilder &svalBuilder = C.getSValBuilder(); 2302 2303 DefinedOrUnknownSVal PtrEQ = 2304 svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull()); 2305 2306 // Get the size argument. 2307 const Expr *Arg1 = CE->getArg(1); 2308 2309 // Get the value of the size argument. 2310 SVal TotalSize = C.getSVal(Arg1); 2311 if (SuffixWithN) 2312 TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2)); 2313 if (!TotalSize.getAs<DefinedOrUnknownSVal>()) 2314 return nullptr; 2315 2316 // Compare the size argument to 0. 2317 DefinedOrUnknownSVal SizeZero = 2318 svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(), 2319 svalBuilder.makeIntValWithPtrWidth(0, false)); 2320 2321 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 2322 std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); 2323 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 2324 std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); 2325 // We only assume exceptional states if they are definitely true; if the 2326 // state is under-constrained, assume regular realloc behavior. 2327 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 2328 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 2329 2330 // If the ptr is NULL and the size is not 0, the call is equivalent to 2331 // malloc(size). 2332 if (PrtIsNull && !SizeIsZero) { 2333 ProgramStateRef stateMalloc = 2334 MallocMemAux(C, CE, TotalSize, UndefinedVal(), StatePtrIsNull, Family); 2335 return stateMalloc; 2336 } 2337 2338 if (PrtIsNull && SizeIsZero) 2339 return State; 2340 2341 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 2342 assert(!PrtIsNull); 2343 SymbolRef FromPtr = arg0Val.getAsSymbol(); 2344 SVal RetVal = C.getSVal(CE); 2345 SymbolRef ToPtr = RetVal.getAsSymbol(); 2346 if (!FromPtr || !ToPtr) 2347 return nullptr; 2348 2349 bool IsKnownToBeAllocated = false; 2350 2351 // If the size is 0, free the memory. 2352 if (SizeIsZero) 2353 // The semantics of the return value are: 2354 // If size was equal to 0, either NULL or a pointer suitable to be passed 2355 // to free() is returned. We just free the input pointer and do not add 2356 // any constrains on the output pointer. 2357 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, false, 2358 IsKnownToBeAllocated, Family)) 2359 return stateFree; 2360 2361 // Default behavior. 2362 if (ProgramStateRef stateFree = 2363 FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocated, Family)) { 2364 2365 ProgramStateRef stateRealloc = 2366 MallocMemAux(C, CE, TotalSize, UnknownVal(), stateFree, Family); 2367 if (!stateRealloc) 2368 return nullptr; 2369 2370 OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure; 2371 if (ShouldFreeOnFail) 2372 Kind = OAR_FreeOnFailure; 2373 else if (!IsKnownToBeAllocated) 2374 Kind = OAR_DoNotTrackAfterFailure; 2375 2376 // Record the info about the reallocated symbol so that we could properly 2377 // process failed reallocation. 2378 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 2379 ReallocPair(FromPtr, Kind)); 2380 // The reallocated symbol should stay alive for as long as the new symbol. 2381 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 2382 return stateRealloc; 2383 } 2384 return nullptr; 2385 } 2386 2387 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE, 2388 ProgramStateRef State) { 2389 if (!State) 2390 return nullptr; 2391 2392 if (CE->getNumArgs() < 2) 2393 return nullptr; 2394 2395 SValBuilder &svalBuilder = C.getSValBuilder(); 2396 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 2397 SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); 2398 2399 return MallocMemAux(C, CE, TotalSize, zeroVal, State, AF_Malloc); 2400 } 2401 2402 MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N, 2403 SymbolRef Sym, 2404 CheckerContext &C) { 2405 const LocationContext *LeakContext = N->getLocationContext(); 2406 // Walk the ExplodedGraph backwards and find the first node that referred to 2407 // the tracked symbol. 2408 const ExplodedNode *AllocNode = N; 2409 const MemRegion *ReferenceRegion = nullptr; 2410 2411 while (N) { 2412 ProgramStateRef State = N->getState(); 2413 if (!State->get<RegionState>(Sym)) 2414 break; 2415 2416 // Find the most recent expression bound to the symbol in the current 2417 // context. 2418 if (!ReferenceRegion) { 2419 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 2420 SVal Val = State->getSVal(MR); 2421 if (Val.getAsLocSymbol() == Sym) { 2422 const VarRegion *VR = MR->getBaseRegion()->getAs<VarRegion>(); 2423 // Do not show local variables belonging to a function other than 2424 // where the error is reported. 2425 if (!VR || (VR->getStackFrame() == LeakContext->getStackFrame())) 2426 ReferenceRegion = MR; 2427 } 2428 } 2429 } 2430 2431 // Allocation node, is the last node in the current or parent context in 2432 // which the symbol was tracked. 2433 const LocationContext *NContext = N->getLocationContext(); 2434 if (NContext == LeakContext || 2435 NContext->isParentOf(LeakContext)) 2436 AllocNode = N; 2437 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 2438 } 2439 2440 return LeakInfo(AllocNode, ReferenceRegion); 2441 } 2442 2443 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 2444 CheckerContext &C) const { 2445 2446 if (!ChecksEnabled[CK_MallocChecker] && 2447 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 2448 return; 2449 2450 const RefState *RS = C.getState()->get<RegionState>(Sym); 2451 assert(RS && "cannot leak an untracked symbol"); 2452 AllocationFamily Family = RS->getAllocationFamily(); 2453 2454 if (Family == AF_Alloca) 2455 return; 2456 2457 Optional<MallocChecker::CheckKind> 2458 CheckKind = getCheckIfTracked(Family, true); 2459 2460 if (!CheckKind.hasValue()) 2461 return; 2462 2463 assert(N); 2464 if (!BT_Leak[*CheckKind]) { 2465 // Leaks should not be reported if they are post-dominated by a sink: 2466 // (1) Sinks are higher importance bugs. 2467 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 2468 // with __noreturn functions such as assert() or exit(). We choose not 2469 // to report leaks on such paths. 2470 BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak", 2471 categories::MemoryError, 2472 /*SuppressOnSink=*/true)); 2473 } 2474 2475 // Most bug reports are cached at the location where they occurred. 2476 // With leaks, we want to unique them by the location where they were 2477 // allocated, and only report a single path. 2478 PathDiagnosticLocation LocUsedForUniqueing; 2479 const ExplodedNode *AllocNode = nullptr; 2480 const MemRegion *Region = nullptr; 2481 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 2482 2483 const Stmt *AllocationStmt = AllocNode->getStmtForDiagnostics(); 2484 if (AllocationStmt) 2485 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 2486 C.getSourceManager(), 2487 AllocNode->getLocationContext()); 2488 2489 SmallString<200> buf; 2490 llvm::raw_svector_ostream os(buf); 2491 if (Region && Region->canPrintPretty()) { 2492 os << "Potential leak of memory pointed to by "; 2493 Region->printPretty(os); 2494 } else { 2495 os << "Potential memory leak"; 2496 } 2497 2498 auto R = std::make_unique<PathSensitiveBugReport>( 2499 *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 2500 AllocNode->getLocationContext()->getDecl()); 2501 R->markInteresting(Sym); 2502 R->addVisitor(std::make_unique<MallocBugVisitor>(Sym, true)); 2503 C.emitReport(std::move(R)); 2504 } 2505 2506 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 2507 CheckerContext &C) const 2508 { 2509 ProgramStateRef state = C.getState(); 2510 RegionStateTy OldRS = state->get<RegionState>(); 2511 RegionStateTy::Factory &F = state->get_context<RegionState>(); 2512 2513 RegionStateTy RS = OldRS; 2514 SmallVector<SymbolRef, 2> Errors; 2515 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2516 if (SymReaper.isDead(I->first)) { 2517 if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero()) 2518 Errors.push_back(I->first); 2519 // Remove the dead symbol from the map. 2520 RS = F.remove(RS, I->first); 2521 } 2522 } 2523 2524 if (RS == OldRS) { 2525 // We shouldn't have touched other maps yet. 2526 assert(state->get<ReallocPairs>() == 2527 C.getState()->get<ReallocPairs>()); 2528 assert(state->get<FreeReturnValue>() == 2529 C.getState()->get<FreeReturnValue>()); 2530 return; 2531 } 2532 2533 // Cleanup the Realloc Pairs Map. 2534 ReallocPairsTy RP = state->get<ReallocPairs>(); 2535 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2536 if (SymReaper.isDead(I->first) || 2537 SymReaper.isDead(I->second.ReallocatedSym)) { 2538 state = state->remove<ReallocPairs>(I->first); 2539 } 2540 } 2541 2542 // Cleanup the FreeReturnValue Map. 2543 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 2544 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 2545 if (SymReaper.isDead(I->first) || 2546 SymReaper.isDead(I->second)) { 2547 state = state->remove<FreeReturnValue>(I->first); 2548 } 2549 } 2550 2551 // Generate leak node. 2552 ExplodedNode *N = C.getPredecessor(); 2553 if (!Errors.empty()) { 2554 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 2555 N = C.generateNonFatalErrorNode(C.getState(), &Tag); 2556 if (N) { 2557 for (SmallVectorImpl<SymbolRef>::iterator 2558 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 2559 reportLeak(*I, N, C); 2560 } 2561 } 2562 } 2563 2564 C.addTransition(state->set<RegionState>(RS), N); 2565 } 2566 2567 void MallocChecker::checkPreCall(const CallEvent &Call, 2568 CheckerContext &C) const { 2569 2570 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { 2571 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 2572 if (!Sym || checkDoubleDelete(Sym, C)) 2573 return; 2574 } 2575 2576 // We will check for double free in the post visit. 2577 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 2578 const FunctionDecl *FD = FC->getDecl(); 2579 if (!FD) 2580 return; 2581 2582 if (ChecksEnabled[CK_MallocChecker] && 2583 (MemFunctionInfo.isCMemFreeFunction(Call))) 2584 return; 2585 } 2586 2587 // Check if the callee of a method is deleted. 2588 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 2589 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 2590 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 2591 return; 2592 } 2593 2594 // Check arguments for being used after free. 2595 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 2596 SVal ArgSVal = Call.getArgSVal(I); 2597 if (ArgSVal.getAs<Loc>()) { 2598 SymbolRef Sym = ArgSVal.getAsSymbol(); 2599 if (!Sym) 2600 continue; 2601 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 2602 return; 2603 } 2604 } 2605 } 2606 2607 void MallocChecker::checkPreStmt(const ReturnStmt *S, 2608 CheckerContext &C) const { 2609 checkEscapeOnReturn(S, C); 2610 } 2611 2612 // In the CFG, automatic destructors come after the return statement. 2613 // This callback checks for returning memory that is freed by automatic 2614 // destructors, as those cannot be reached in checkPreStmt(). 2615 void MallocChecker::checkEndFunction(const ReturnStmt *S, 2616 CheckerContext &C) const { 2617 checkEscapeOnReturn(S, C); 2618 } 2619 2620 void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S, 2621 CheckerContext &C) const { 2622 if (!S) 2623 return; 2624 2625 const Expr *E = S->getRetValue(); 2626 if (!E) 2627 return; 2628 2629 // Check if we are returning a symbol. 2630 ProgramStateRef State = C.getState(); 2631 SVal RetVal = C.getSVal(E); 2632 SymbolRef Sym = RetVal.getAsSymbol(); 2633 if (!Sym) 2634 // If we are returning a field of the allocated struct or an array element, 2635 // the callee could still free the memory. 2636 // TODO: This logic should be a part of generic symbol escape callback. 2637 if (const MemRegion *MR = RetVal.getAsRegion()) 2638 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 2639 if (const SymbolicRegion *BMR = 2640 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 2641 Sym = BMR->getSymbol(); 2642 2643 // Check if we are returning freed memory. 2644 if (Sym) 2645 checkUseAfterFree(Sym, C, E); 2646 } 2647 2648 // TODO: Blocks should be either inlined or should call invalidate regions 2649 // upon invocation. After that's in place, special casing here will not be 2650 // needed. 2651 void MallocChecker::checkPostStmt(const BlockExpr *BE, 2652 CheckerContext &C) const { 2653 2654 // Scan the BlockDecRefExprs for any object the retain count checker 2655 // may be tracking. 2656 if (!BE->getBlockDecl()->hasCaptures()) 2657 return; 2658 2659 ProgramStateRef state = C.getState(); 2660 const BlockDataRegion *R = 2661 cast<BlockDataRegion>(C.getSVal(BE).getAsRegion()); 2662 2663 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2664 E = R->referenced_vars_end(); 2665 2666 if (I == E) 2667 return; 2668 2669 SmallVector<const MemRegion*, 10> Regions; 2670 const LocationContext *LC = C.getLocationContext(); 2671 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2672 2673 for ( ; I != E; ++I) { 2674 const VarRegion *VR = I.getCapturedRegion(); 2675 if (VR->getSuperRegion() == R) { 2676 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2677 } 2678 Regions.push_back(VR); 2679 } 2680 2681 state = 2682 state->scanReachableSymbols<StopTrackingCallback>(Regions).getState(); 2683 C.addTransition(state); 2684 } 2685 2686 static bool isReleased(SymbolRef Sym, CheckerContext &C) { 2687 assert(Sym); 2688 const RefState *RS = C.getState()->get<RegionState>(Sym); 2689 return (RS && RS->isReleased()); 2690 } 2691 2692 bool MallocChecker::suppressDeallocationsInSuspiciousContexts( 2693 const CallExpr *CE, CheckerContext &C) const { 2694 if (CE->getNumArgs() == 0) 2695 return false; 2696 2697 StringRef FunctionStr = ""; 2698 if (const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl())) 2699 if (const Stmt *Body = FD->getBody()) 2700 if (Body->getBeginLoc().isValid()) 2701 FunctionStr = 2702 Lexer::getSourceText(CharSourceRange::getTokenRange( 2703 {FD->getBeginLoc(), Body->getBeginLoc()}), 2704 C.getSourceManager(), C.getLangOpts()); 2705 2706 // We do not model the Integer Set Library's retain-count based allocation. 2707 if (!FunctionStr.contains("__isl_")) 2708 return false; 2709 2710 ProgramStateRef State = C.getState(); 2711 2712 for (const Expr *Arg : CE->arguments()) 2713 if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol()) 2714 if (const RefState *RS = State->get<RegionState>(Sym)) 2715 State = State->set<RegionState>(Sym, RefState::getEscaped(RS)); 2716 2717 C.addTransition(State); 2718 return true; 2719 } 2720 2721 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 2722 const Stmt *S) const { 2723 2724 if (isReleased(Sym, C)) { 2725 ReportUseAfterFree(C, S->getSourceRange(), Sym); 2726 return true; 2727 } 2728 2729 return false; 2730 } 2731 2732 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 2733 const Stmt *S) const { 2734 assert(Sym); 2735 2736 if (const RefState *RS = C.getState()->get<RegionState>(Sym)) { 2737 if (RS->isAllocatedOfSizeZero()) 2738 ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym); 2739 } 2740 else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) { 2741 ReportUseZeroAllocated(C, S->getSourceRange(), Sym); 2742 } 2743 } 2744 2745 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 2746 2747 if (isReleased(Sym, C)) { 2748 ReportDoubleDelete(C, Sym); 2749 return true; 2750 } 2751 return false; 2752 } 2753 2754 // Check if the location is a freed symbolic region. 2755 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 2756 CheckerContext &C) const { 2757 SymbolRef Sym = l.getLocSymbolInBase(); 2758 if (Sym) { 2759 checkUseAfterFree(Sym, C, S); 2760 checkUseZeroAllocated(Sym, C, S); 2761 } 2762 } 2763 2764 // If a symbolic region is assumed to NULL (or another constant), stop tracking 2765 // it - assuming that allocation failed on this path. 2766 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 2767 SVal Cond, 2768 bool Assumption) const { 2769 RegionStateTy RS = state->get<RegionState>(); 2770 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2771 // If the symbol is assumed to be NULL, remove it from consideration. 2772 ConstraintManager &CMgr = state->getConstraintManager(); 2773 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2774 if (AllocFailed.isConstrainedTrue()) 2775 state = state->remove<RegionState>(I.getKey()); 2776 } 2777 2778 // Realloc returns 0 when reallocation fails, which means that we should 2779 // restore the state of the pointer being reallocated. 2780 ReallocPairsTy RP = state->get<ReallocPairs>(); 2781 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2782 // If the symbol is assumed to be NULL, remove it from consideration. 2783 ConstraintManager &CMgr = state->getConstraintManager(); 2784 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2785 if (!AllocFailed.isConstrainedTrue()) 2786 continue; 2787 2788 SymbolRef ReallocSym = I.getData().ReallocatedSym; 2789 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 2790 if (RS->isReleased()) { 2791 switch (I.getData().Kind) { 2792 case OAR_ToBeFreedAfterFailure: 2793 state = state->set<RegionState>(ReallocSym, 2794 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 2795 break; 2796 case OAR_DoNotTrackAfterFailure: 2797 state = state->remove<RegionState>(ReallocSym); 2798 break; 2799 default: 2800 assert(I.getData().Kind == OAR_FreeOnFailure); 2801 } 2802 } 2803 } 2804 state = state->remove<ReallocPairs>(I.getKey()); 2805 } 2806 2807 return state; 2808 } 2809 2810 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 2811 const CallEvent *Call, 2812 ProgramStateRef State, 2813 SymbolRef &EscapingSymbol) const { 2814 assert(Call); 2815 EscapingSymbol = nullptr; 2816 2817 // For now, assume that any C++ or block call can free memory. 2818 // TODO: If we want to be more optimistic here, we'll need to make sure that 2819 // regions escape to C++ containers. They seem to do that even now, but for 2820 // mysterious reasons. 2821 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 2822 return true; 2823 2824 // Check Objective-C messages by selector name. 2825 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 2826 // If it's not a framework call, or if it takes a callback, assume it 2827 // can free memory. 2828 if (!Call->isInSystemHeader() || Call->argumentsMayEscape()) 2829 return true; 2830 2831 // If it's a method we know about, handle it explicitly post-call. 2832 // This should happen before the "freeWhenDone" check below. 2833 if (isKnownDeallocObjCMethodName(*Msg)) 2834 return false; 2835 2836 // If there's a "freeWhenDone" parameter, but the method isn't one we know 2837 // about, we can't be sure that the object will use free() to deallocate the 2838 // memory, so we can't model it explicitly. The best we can do is use it to 2839 // decide whether the pointer escapes. 2840 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 2841 return *FreeWhenDone; 2842 2843 // If the first selector piece ends with "NoCopy", and there is no 2844 // "freeWhenDone" parameter set to zero, we know ownership is being 2845 // transferred. Again, though, we can't be sure that the object will use 2846 // free() to deallocate the memory, so we can't model it explicitly. 2847 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 2848 if (FirstSlot.endswith("NoCopy")) 2849 return true; 2850 2851 // If the first selector starts with addPointer, insertPointer, 2852 // or replacePointer, assume we are dealing with NSPointerArray or similar. 2853 // This is similar to C++ containers (vector); we still might want to check 2854 // that the pointers get freed by following the container itself. 2855 if (FirstSlot.startswith("addPointer") || 2856 FirstSlot.startswith("insertPointer") || 2857 FirstSlot.startswith("replacePointer") || 2858 FirstSlot.equals("valueWithPointer")) { 2859 return true; 2860 } 2861 2862 // We should escape receiver on call to 'init'. This is especially relevant 2863 // to the receiver, as the corresponding symbol is usually not referenced 2864 // after the call. 2865 if (Msg->getMethodFamily() == OMF_init) { 2866 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 2867 return true; 2868 } 2869 2870 // Otherwise, assume that the method does not free memory. 2871 // Most framework methods do not free memory. 2872 return false; 2873 } 2874 2875 // At this point the only thing left to handle is straight function calls. 2876 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 2877 if (!FD) 2878 return true; 2879 2880 // If it's one of the allocation functions we can reason about, we model 2881 // its behavior explicitly. 2882 if (MemFunctionInfo.isMemFunction(*Call)) 2883 return false; 2884 2885 // If it's not a system call, assume it frees memory. 2886 if (!Call->isInSystemHeader()) 2887 return true; 2888 2889 // White list the system functions whose arguments escape. 2890 const IdentifierInfo *II = FD->getIdentifier(); 2891 if (!II) 2892 return true; 2893 StringRef FName = II->getName(); 2894 2895 // White list the 'XXXNoCopy' CoreFoundation functions. 2896 // We specifically check these before 2897 if (FName.endswith("NoCopy")) { 2898 // Look for the deallocator argument. We know that the memory ownership 2899 // is not transferred only if the deallocator argument is 2900 // 'kCFAllocatorNull'. 2901 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 2902 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 2903 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 2904 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 2905 if (DeallocatorName == "kCFAllocatorNull") 2906 return false; 2907 } 2908 } 2909 return true; 2910 } 2911 2912 // Associating streams with malloced buffers. The pointer can escape if 2913 // 'closefn' is specified (and if that function does free memory), 2914 // but it will not if closefn is not specified. 2915 // Currently, we do not inspect the 'closefn' function (PR12101). 2916 if (FName == "funopen") 2917 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 2918 return false; 2919 2920 // Do not warn on pointers passed to 'setbuf' when used with std streams, 2921 // these leaks might be intentional when setting the buffer for stdio. 2922 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 2923 if (FName == "setbuf" || FName =="setbuffer" || 2924 FName == "setlinebuf" || FName == "setvbuf") { 2925 if (Call->getNumArgs() >= 1) { 2926 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 2927 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 2928 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 2929 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 2930 return true; 2931 } 2932 } 2933 2934 // A bunch of other functions which either take ownership of a pointer or 2935 // wrap the result up in a struct or object, meaning it can be freed later. 2936 // (See RetainCountChecker.) Not all the parameters here are invalidated, 2937 // but the Malloc checker cannot differentiate between them. The right way 2938 // of doing this would be to implement a pointer escapes callback. 2939 if (FName == "CGBitmapContextCreate" || 2940 FName == "CGBitmapContextCreateWithData" || 2941 FName == "CVPixelBufferCreateWithBytes" || 2942 FName == "CVPixelBufferCreateWithPlanarBytes" || 2943 FName == "OSAtomicEnqueue") { 2944 return true; 2945 } 2946 2947 if (FName == "postEvent" && 2948 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 2949 return true; 2950 } 2951 2952 if (FName == "postEvent" && 2953 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 2954 return true; 2955 } 2956 2957 if (FName == "connectImpl" && 2958 FD->getQualifiedNameAsString() == "QObject::connectImpl") { 2959 return true; 2960 } 2961 2962 // Handle cases where we know a buffer's /address/ can escape. 2963 // Note that the above checks handle some special cases where we know that 2964 // even though the address escapes, it's still our responsibility to free the 2965 // buffer. 2966 if (Call->argumentsMayEscape()) 2967 return true; 2968 2969 // Otherwise, assume that the function does not free memory. 2970 // Most system calls do not free the memory. 2971 return false; 2972 } 2973 2974 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2975 const InvalidatedSymbols &Escaped, 2976 const CallEvent *Call, 2977 PointerEscapeKind Kind) const { 2978 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2979 /*IsConstPointerEscape*/ false); 2980 } 2981 2982 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2983 const InvalidatedSymbols &Escaped, 2984 const CallEvent *Call, 2985 PointerEscapeKind Kind) const { 2986 // If a const pointer escapes, it may not be freed(), but it could be deleted. 2987 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2988 /*IsConstPointerEscape*/ true); 2989 } 2990 2991 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2992 return (RS->getAllocationFamily() == AF_CXXNewArray || 2993 RS->getAllocationFamily() == AF_CXXNew); 2994 } 2995 2996 ProgramStateRef MallocChecker::checkPointerEscapeAux( 2997 ProgramStateRef State, const InvalidatedSymbols &Escaped, 2998 const CallEvent *Call, PointerEscapeKind Kind, 2999 bool IsConstPointerEscape) const { 3000 // If we know that the call does not free memory, or we want to process the 3001 // call later, keep tracking the top level arguments. 3002 SymbolRef EscapingSymbol = nullptr; 3003 if (Kind == PSK_DirectEscapeOnCall && 3004 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 3005 EscapingSymbol) && 3006 !EscapingSymbol) { 3007 return State; 3008 } 3009 3010 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 3011 E = Escaped.end(); 3012 I != E; ++I) { 3013 SymbolRef sym = *I; 3014 3015 if (EscapingSymbol && EscapingSymbol != sym) 3016 continue; 3017 3018 if (const RefState *RS = State->get<RegionState>(sym)) 3019 if (RS->isAllocated() || RS->isAllocatedOfSizeZero()) 3020 if (!IsConstPointerEscape || checkIfNewOrNewArrayFamily(RS)) 3021 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 3022 } 3023 return State; 3024 } 3025 3026 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 3027 ProgramStateRef prevState) { 3028 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 3029 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 3030 3031 for (const ReallocPairsTy::value_type &Pair : prevMap) { 3032 SymbolRef sym = Pair.first; 3033 if (!currMap.lookup(sym)) 3034 return sym; 3035 } 3036 3037 return nullptr; 3038 } 3039 3040 static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) { 3041 if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) { 3042 StringRef N = II->getName(); 3043 if (N.contains_lower("ptr") || N.contains_lower("pointer")) { 3044 if (N.contains_lower("ref") || N.contains_lower("cnt") || 3045 N.contains_lower("intrusive") || N.contains_lower("shared")) { 3046 return true; 3047 } 3048 } 3049 } 3050 return false; 3051 } 3052 3053 PathDiagnosticPieceRef MallocBugVisitor::VisitNode(const ExplodedNode *N, 3054 BugReporterContext &BRC, 3055 PathSensitiveBugReport &BR) { 3056 ProgramStateRef state = N->getState(); 3057 ProgramStateRef statePrev = N->getFirstPred()->getState(); 3058 3059 const RefState *RSCurr = state->get<RegionState>(Sym); 3060 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 3061 3062 const Stmt *S = N->getStmtForDiagnostics(); 3063 // When dealing with containers, we sometimes want to give a note 3064 // even if the statement is missing. 3065 if (!S && (!RSCurr || RSCurr->getAllocationFamily() != AF_InnerBuffer)) 3066 return nullptr; 3067 3068 const LocationContext *CurrentLC = N->getLocationContext(); 3069 3070 // If we find an atomic fetch_add or fetch_sub within the destructor in which 3071 // the pointer was released (before the release), this is likely a destructor 3072 // of a shared pointer. 3073 // Because we don't model atomics, and also because we don't know that the 3074 // original reference count is positive, we should not report use-after-frees 3075 // on objects deleted in such destructors. This can probably be improved 3076 // through better shared pointer modeling. 3077 if (ReleaseDestructorLC) { 3078 if (const auto *AE = dyn_cast<AtomicExpr>(S)) { 3079 AtomicExpr::AtomicOp Op = AE->getOp(); 3080 if (Op == AtomicExpr::AO__c11_atomic_fetch_add || 3081 Op == AtomicExpr::AO__c11_atomic_fetch_sub) { 3082 if (ReleaseDestructorLC == CurrentLC || 3083 ReleaseDestructorLC->isParentOf(CurrentLC)) { 3084 BR.markInvalid(getTag(), S); 3085 } 3086 } 3087 } 3088 } 3089 3090 // FIXME: We will eventually need to handle non-statement-based events 3091 // (__attribute__((cleanup))). 3092 3093 // Find out if this is an interesting point and what is the kind. 3094 StringRef Msg; 3095 std::unique_ptr<StackHintGeneratorForSymbol> StackHint = nullptr; 3096 SmallString<256> Buf; 3097 llvm::raw_svector_ostream OS(Buf); 3098 3099 if (Mode == Normal) { 3100 if (isAllocated(RSCurr, RSPrev, S)) { 3101 Msg = "Memory is allocated"; 3102 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3103 Sym, "Returned allocated memory"); 3104 } else if (isReleased(RSCurr, RSPrev, S)) { 3105 const auto Family = RSCurr->getAllocationFamily(); 3106 switch (Family) { 3107 case AF_Alloca: 3108 case AF_Malloc: 3109 case AF_CXXNew: 3110 case AF_CXXNewArray: 3111 case AF_IfNameIndex: 3112 Msg = "Memory is released"; 3113 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3114 Sym, "Returning; memory was released"); 3115 break; 3116 case AF_InnerBuffer: { 3117 const MemRegion *ObjRegion = 3118 allocation_state::getContainerObjRegion(statePrev, Sym); 3119 const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion); 3120 QualType ObjTy = TypedRegion->getValueType(); 3121 OS << "Inner buffer of '" << ObjTy.getAsString() << "' "; 3122 3123 if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) { 3124 OS << "deallocated by call to destructor"; 3125 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3126 Sym, "Returning; inner buffer was deallocated"); 3127 } else { 3128 OS << "reallocated by call to '"; 3129 const Stmt *S = RSCurr->getStmt(); 3130 if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) { 3131 OS << MemCallE->getMethodDecl()->getNameAsString(); 3132 } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) { 3133 OS << OpCallE->getDirectCallee()->getNameAsString(); 3134 } else if (const auto *CallE = dyn_cast<CallExpr>(S)) { 3135 auto &CEMgr = BRC.getStateManager().getCallEventManager(); 3136 CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC); 3137 const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl()); 3138 OS << (D ? D->getNameAsString() : "unknown"); 3139 } 3140 OS << "'"; 3141 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3142 Sym, "Returning; inner buffer was reallocated"); 3143 } 3144 Msg = OS.str(); 3145 break; 3146 } 3147 case AF_None: 3148 llvm_unreachable("Unhandled allocation family!"); 3149 } 3150 3151 // See if we're releasing memory while inlining a destructor 3152 // (or one of its callees). This turns on various common 3153 // false positive suppressions. 3154 bool FoundAnyDestructor = false; 3155 for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) { 3156 if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) { 3157 if (isReferenceCountingPointerDestructor(DD)) { 3158 // This immediately looks like a reference-counting destructor. 3159 // We're bad at guessing the original reference count of the object, 3160 // so suppress the report for now. 3161 BR.markInvalid(getTag(), DD); 3162 } else if (!FoundAnyDestructor) { 3163 assert(!ReleaseDestructorLC && 3164 "There can be only one release point!"); 3165 // Suspect that it's a reference counting pointer destructor. 3166 // On one of the next nodes might find out that it has atomic 3167 // reference counting operations within it (see the code above), 3168 // and if so, we'd conclude that it likely is a reference counting 3169 // pointer destructor. 3170 ReleaseDestructorLC = LC->getStackFrame(); 3171 // It is unlikely that releasing memory is delegated to a destructor 3172 // inside a destructor of a shared pointer, because it's fairly hard 3173 // to pass the information that the pointer indeed needs to be 3174 // released into it. So we're only interested in the innermost 3175 // destructor. 3176 FoundAnyDestructor = true; 3177 } 3178 } 3179 } 3180 } else if (isRelinquished(RSCurr, RSPrev, S)) { 3181 Msg = "Memory ownership is transferred"; 3182 StackHint = std::make_unique<StackHintGeneratorForSymbol>(Sym, ""); 3183 } else if (hasReallocFailed(RSCurr, RSPrev, S)) { 3184 Mode = ReallocationFailed; 3185 Msg = "Reallocation failed"; 3186 StackHint = std::make_unique<StackHintGeneratorForReallocationFailed>( 3187 Sym, "Reallocation failed"); 3188 3189 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 3190 // Is it possible to fail two reallocs WITHOUT testing in between? 3191 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 3192 "We only support one failed realloc at a time."); 3193 BR.markInteresting(sym); 3194 FailedReallocSymbol = sym; 3195 } 3196 } 3197 3198 // We are in a special mode if a reallocation failed later in the path. 3199 } else if (Mode == ReallocationFailed) { 3200 assert(FailedReallocSymbol && "No symbol to look for."); 3201 3202 // Is this is the first appearance of the reallocated symbol? 3203 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 3204 // We're at the reallocation point. 3205 Msg = "Attempt to reallocate memory"; 3206 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3207 Sym, "Returned reallocated memory"); 3208 FailedReallocSymbol = nullptr; 3209 Mode = Normal; 3210 } 3211 } 3212 3213 if (Msg.empty()) { 3214 assert(!StackHint); 3215 return nullptr; 3216 } 3217 3218 assert(StackHint); 3219 3220 // Generate the extra diagnostic. 3221 PathDiagnosticLocation Pos; 3222 if (!S) { 3223 assert(RSCurr->getAllocationFamily() == AF_InnerBuffer); 3224 auto PostImplCall = N->getLocation().getAs<PostImplicitCall>(); 3225 if (!PostImplCall) 3226 return nullptr; 3227 Pos = PathDiagnosticLocation(PostImplCall->getLocation(), 3228 BRC.getSourceManager()); 3229 } else { 3230 Pos = PathDiagnosticLocation(S, BRC.getSourceManager(), 3231 N->getLocationContext()); 3232 } 3233 3234 auto P = std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true); 3235 BR.addCallStackHint(P, std::move(StackHint)); 3236 return P; 3237 } 3238 3239 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 3240 const char *NL, const char *Sep) const { 3241 3242 RegionStateTy RS = State->get<RegionState>(); 3243 3244 if (!RS.isEmpty()) { 3245 Out << Sep << "MallocChecker :" << NL; 3246 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 3247 const RefState *RefS = State->get<RegionState>(I.getKey()); 3248 AllocationFamily Family = RefS->getAllocationFamily(); 3249 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 3250 if (!CheckKind.hasValue()) 3251 CheckKind = getCheckIfTracked(Family, true); 3252 3253 I.getKey()->dumpToStream(Out); 3254 Out << " : "; 3255 I.getData().dump(Out); 3256 if (CheckKind.hasValue()) 3257 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 3258 Out << NL; 3259 } 3260 } 3261 } 3262 3263 namespace clang { 3264 namespace ento { 3265 namespace allocation_state { 3266 3267 ProgramStateRef 3268 markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) { 3269 AllocationFamily Family = AF_InnerBuffer; 3270 return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin)); 3271 } 3272 3273 } // end namespace allocation_state 3274 } // end namespace ento 3275 } // end namespace clang 3276 3277 // Intended to be used in InnerPointerChecker to register the part of 3278 // MallocChecker connected to it. 3279 void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) { 3280 MallocChecker *checker = mgr.getChecker<MallocChecker>(); 3281 checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true; 3282 checker->CheckNames[MallocChecker::CK_InnerPointerChecker] = 3283 mgr.getCurrentCheckerName(); 3284 } 3285 3286 void ento::registerDynamicMemoryModeling(CheckerManager &mgr) { 3287 auto *checker = mgr.registerChecker<MallocChecker>(); 3288 checker->MemFunctionInfo.ShouldIncludeOwnershipAnnotatedFunctions = 3289 mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic"); 3290 } 3291 3292 bool ento::shouldRegisterDynamicMemoryModeling(const LangOptions &LO) { 3293 return true; 3294 } 3295 3296 #define REGISTER_CHECKER(name) \ 3297 void ento::register##name(CheckerManager &mgr) { \ 3298 MallocChecker *checker = mgr.getChecker<MallocChecker>(); \ 3299 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 3300 checker->CheckNames[MallocChecker::CK_##name] = \ 3301 mgr.getCurrentCheckerName(); \ 3302 } \ 3303 \ 3304 bool ento::shouldRegister##name(const LangOptions &LO) { return true; } 3305 3306 REGISTER_CHECKER(MallocChecker) 3307 REGISTER_CHECKER(NewDeleteChecker) 3308 REGISTER_CHECKER(NewDeleteLeaksChecker) 3309 REGISTER_CHECKER(MismatchedDeallocatorChecker) 3310