1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/Basic/SourceManager.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20 #include "clang/StaticAnalyzer/Core/Checker.h" 21 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 27 #include "llvm/ADT/ImmutableMap.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include "llvm/ADT/SmallString.h" 30 #include "llvm/ADT/StringExtras.h" 31 #include <climits> 32 33 using namespace clang; 34 using namespace ento; 35 36 namespace { 37 38 // Used to check correspondence between allocators and deallocators. 39 enum AllocationFamily { 40 AF_None, 41 AF_Malloc, 42 AF_CXXNew, 43 AF_CXXNewArray 44 }; 45 46 class RefState { 47 enum Kind { // Reference to allocated memory. 48 Allocated, 49 // Reference to released/freed memory. 50 Released, 51 // The responsibility for freeing resources has transfered from 52 // this reference. A relinquished symbol should not be freed. 53 Relinquished }; 54 55 const Stmt *S; 56 unsigned K : 2; // Kind enum, but stored as a bitfield. 57 unsigned Family : 30; // Rest of 32-bit word, currently just an allocation 58 // family. 59 60 RefState(Kind k, const Stmt *s, unsigned family) 61 : S(s), K(k), Family(family) {} 62 public: 63 bool isAllocated() const { return K == Allocated; } 64 bool isReleased() const { return K == Released; } 65 bool isRelinquished() const { return K == Relinquished; } 66 AllocationFamily getAllocationFamily() const { 67 return (AllocationFamily)Family; 68 } 69 const Stmt *getStmt() const { return S; } 70 71 bool operator==(const RefState &X) const { 72 return K == X.K && S == X.S && Family == X.Family; 73 } 74 75 static RefState getAllocated(unsigned family, const Stmt *s) { 76 return RefState(Allocated, s, family); 77 } 78 static RefState getReleased(unsigned family, const Stmt *s) { 79 return RefState(Released, s, family); 80 } 81 static RefState getRelinquished(unsigned family, const Stmt *s) { 82 return RefState(Relinquished, s, family); 83 } 84 85 void Profile(llvm::FoldingSetNodeID &ID) const { 86 ID.AddInteger(K); 87 ID.AddPointer(S); 88 ID.AddInteger(Family); 89 } 90 91 void dump(raw_ostream &OS) const { 92 static const char *Table[] = { 93 "Allocated", 94 "Released", 95 "Relinquished" 96 }; 97 OS << Table[(unsigned) K]; 98 } 99 100 LLVM_ATTRIBUTE_USED void dump() const { 101 dump(llvm::errs()); 102 } 103 }; 104 105 enum ReallocPairKind { 106 RPToBeFreedAfterFailure, 107 // The symbol has been freed when reallocation failed. 108 RPIsFreeOnFailure, 109 // The symbol does not need to be freed after reallocation fails. 110 RPDoNotTrackAfterFailure 111 }; 112 113 /// \class ReallocPair 114 /// \brief Stores information about the symbol being reallocated by a call to 115 /// 'realloc' to allow modeling failed reallocation later in the path. 116 struct ReallocPair { 117 // \brief The symbol which realloc reallocated. 118 SymbolRef ReallocatedSym; 119 ReallocPairKind Kind; 120 121 ReallocPair(SymbolRef S, ReallocPairKind K) : 122 ReallocatedSym(S), Kind(K) {} 123 void Profile(llvm::FoldingSetNodeID &ID) const { 124 ID.AddInteger(Kind); 125 ID.AddPointer(ReallocatedSym); 126 } 127 bool operator==(const ReallocPair &X) const { 128 return ReallocatedSym == X.ReallocatedSym && 129 Kind == X.Kind; 130 } 131 }; 132 133 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 134 135 class MallocChecker : public Checker<check::DeadSymbols, 136 check::PointerEscape, 137 check::ConstPointerEscape, 138 check::PreStmt<ReturnStmt>, 139 check::PreStmt<CallExpr>, 140 check::PostStmt<CallExpr>, 141 check::PostStmt<CXXNewExpr>, 142 check::PreStmt<CXXDeleteExpr>, 143 check::PostStmt<BlockExpr>, 144 check::PostObjCMessage, 145 check::Location, 146 eval::Assume> 147 { 148 mutable OwningPtr<BugType> BT_DoubleFree; 149 mutable OwningPtr<BugType> BT_Leak; 150 mutable OwningPtr<BugType> BT_UseFree; 151 mutable OwningPtr<BugType> BT_BadFree; 152 mutable OwningPtr<BugType> BT_BadDealloc; 153 mutable OwningPtr<BugType> BT_OffsetFree; 154 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 155 *II_valloc, *II_reallocf, *II_strndup, *II_strdup; 156 157 public: 158 MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), 159 II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} 160 161 /// In pessimistic mode, the checker assumes that it does not know which 162 /// functions might free the memory. 163 struct ChecksFilter { 164 DefaultBool CMallocPessimistic; 165 DefaultBool CMallocOptimistic; 166 DefaultBool CNewDeleteChecker; 167 DefaultBool CMismatchedDeallocatorChecker; 168 }; 169 170 ChecksFilter Filter; 171 172 void checkPreStmt(const CallExpr *S, CheckerContext &C) const; 173 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 174 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 175 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 176 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 177 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 178 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 179 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 180 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 181 bool Assumption) const; 182 void checkLocation(SVal l, bool isLoad, const Stmt *S, 183 CheckerContext &C) const; 184 185 ProgramStateRef checkPointerEscape(ProgramStateRef State, 186 const InvalidatedSymbols &Escaped, 187 const CallEvent *Call, 188 PointerEscapeKind Kind) const; 189 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 190 const InvalidatedSymbols &Escaped, 191 const CallEvent *Call, 192 PointerEscapeKind Kind) const; 193 194 void printState(raw_ostream &Out, ProgramStateRef State, 195 const char *NL, const char *Sep) const; 196 197 private: 198 void initIdentifierInfo(ASTContext &C) const; 199 200 /// \brief Determine family of a deallocation expression. 201 AllocationFamily getAllocationFamily(CheckerContext &C, const Expr *E) const; 202 203 /// \brief Print names of allocators and deallocators. 204 /// 205 /// \returns true on success. 206 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 207 const Expr *E) const; 208 209 /// \brief Print expected name of an allocator based on the deallocator's 210 /// family derived from the DeallocExpr. 211 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 212 const Expr *DeallocExpr) const; 213 /// \brief Print expected name of a deallocator based on the allocator's 214 /// family. 215 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 216 217 ///@{ 218 /// Check if this is one of the functions which can allocate/reallocate memory 219 /// pointed to by one of its arguments. 220 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 221 bool isFreeFunction(const FunctionDecl *FD, ASTContext &C) const; 222 bool isAllocationFunction(const FunctionDecl *FD, ASTContext &C) const; 223 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 224 ///@} 225 static ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 226 const CallExpr *CE, 227 const OwnershipAttr* Att); 228 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 229 const Expr *SizeEx, SVal Init, 230 ProgramStateRef State, 231 AllocationFamily Family = AF_Malloc) { 232 return MallocMemAux(C, CE, 233 State->getSVal(SizeEx, C.getLocationContext()), 234 Init, State, Family); 235 } 236 237 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 238 SVal SizeEx, SVal Init, 239 ProgramStateRef State, 240 AllocationFamily Family = AF_Malloc); 241 242 /// Update the RefState to reflect the new memory allocation. 243 static ProgramStateRef 244 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 245 AllocationFamily Family = AF_Malloc); 246 247 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 248 const OwnershipAttr* Att) const; 249 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 250 ProgramStateRef state, unsigned Num, 251 bool Hold, 252 bool &ReleasedAllocated, 253 bool ReturnsNullOnFailure = false) const; 254 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 255 const Expr *ParentExpr, 256 ProgramStateRef State, 257 bool Hold, 258 bool &ReleasedAllocated, 259 bool ReturnsNullOnFailure = false) const; 260 261 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 262 bool FreesMemOnFailure) const; 263 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 264 265 ///\brief Check if the memory associated with this symbol was released. 266 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 267 268 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 269 270 /// Check if the function is known not to free memory, or if it is 271 /// "interesting" and should be modeled explicitly. 272 /// 273 /// We assume that pointers do not escape through calls to system functions 274 /// not handled by this checker. 275 bool doesNotFreeMemOrInteresting(const CallEvent *Call, 276 ProgramStateRef State) const; 277 278 // Implementation of the checkPointerEscape callabcks. 279 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 280 const InvalidatedSymbols &Escaped, 281 const CallEvent *Call, 282 PointerEscapeKind Kind, 283 bool(*CheckRefState)(const RefState*)) const; 284 285 static bool SummarizeValue(raw_ostream &os, SVal V); 286 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 287 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 288 const Expr *DeallocExpr) const; 289 void ReportBadDealloc(CheckerContext &C, SourceRange Range, 290 const Expr *DeallocExpr, const RefState *RS) const; 291 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 292 const Expr *DeallocExpr, 293 const Expr *AllocExpr = 0) const; 294 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 295 SymbolRef Sym) const; 296 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 297 SymbolRef Sym, SymbolRef PrevSym) const; 298 299 /// Find the location of the allocation for Sym on the path leading to the 300 /// exploded node N. 301 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 302 CheckerContext &C) const; 303 304 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 305 306 /// The bug visitor which allows us to print extra diagnostics along the 307 /// BugReport path. For example, showing the allocation site of the leaked 308 /// region. 309 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 310 protected: 311 enum NotificationMode { 312 Normal, 313 ReallocationFailed 314 }; 315 316 // The allocated region symbol tracked by the main analysis. 317 SymbolRef Sym; 318 319 // The mode we are in, i.e. what kind of diagnostics will be emitted. 320 NotificationMode Mode; 321 322 // A symbol from when the primary region should have been reallocated. 323 SymbolRef FailedReallocSymbol; 324 325 bool IsLeak; 326 327 public: 328 MallocBugVisitor(SymbolRef S, bool isLeak = false) 329 : Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {} 330 331 virtual ~MallocBugVisitor() {} 332 333 void Profile(llvm::FoldingSetNodeID &ID) const { 334 static int X = 0; 335 ID.AddPointer(&X); 336 ID.AddPointer(Sym); 337 } 338 339 inline bool isAllocated(const RefState *S, const RefState *SPrev, 340 const Stmt *Stmt) { 341 // Did not track -> allocated. Other state (released) -> allocated. 342 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 343 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 344 } 345 346 inline bool isReleased(const RefState *S, const RefState *SPrev, 347 const Stmt *Stmt) { 348 // Did not track -> released. Other state (allocated) -> released. 349 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 350 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 351 } 352 353 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 354 const Stmt *Stmt) { 355 // Did not track -> relinquished. Other state (allocated) -> relinquished. 356 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 357 isa<ObjCPropertyRefExpr>(Stmt)) && 358 (S && S->isRelinquished()) && 359 (!SPrev || !SPrev->isRelinquished())); 360 } 361 362 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 363 const Stmt *Stmt) { 364 // If the expression is not a call, and the state change is 365 // released -> allocated, it must be the realloc return value 366 // check. If we have to handle more cases here, it might be cleaner just 367 // to track this extra bit in the state itself. 368 return ((!Stmt || !isa<CallExpr>(Stmt)) && 369 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 370 } 371 372 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 373 const ExplodedNode *PrevN, 374 BugReporterContext &BRC, 375 BugReport &BR); 376 377 PathDiagnosticPiece* getEndPath(BugReporterContext &BRC, 378 const ExplodedNode *EndPathNode, 379 BugReport &BR) { 380 if (!IsLeak) 381 return 0; 382 383 PathDiagnosticLocation L = 384 PathDiagnosticLocation::createEndOfPath(EndPathNode, 385 BRC.getSourceManager()); 386 // Do not add the statement itself as a range in case of leak. 387 return new PathDiagnosticEventPiece(L, BR.getDescription(), false); 388 } 389 390 private: 391 class StackHintGeneratorForReallocationFailed 392 : public StackHintGeneratorForSymbol { 393 public: 394 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 395 : StackHintGeneratorForSymbol(S, M) {} 396 397 virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) { 398 // Printed parameters start at 1, not 0. 399 ++ArgIndex; 400 401 SmallString<200> buf; 402 llvm::raw_svector_ostream os(buf); 403 404 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 405 << " parameter failed"; 406 407 return os.str(); 408 } 409 410 virtual std::string getMessageForReturn(const CallExpr *CallExpr) { 411 return "Reallocation of returned value failed"; 412 } 413 }; 414 }; 415 }; 416 } // end anonymous namespace 417 418 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 419 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 420 421 // A map from the freed symbol to the symbol representing the return value of 422 // the free function. 423 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 424 425 namespace { 426 class StopTrackingCallback : public SymbolVisitor { 427 ProgramStateRef state; 428 public: 429 StopTrackingCallback(ProgramStateRef st) : state(st) {} 430 ProgramStateRef getState() const { return state; } 431 432 bool VisitSymbol(SymbolRef sym) { 433 state = state->remove<RegionState>(sym); 434 return true; 435 } 436 }; 437 } // end anonymous namespace 438 439 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 440 if (II_malloc) 441 return; 442 II_malloc = &Ctx.Idents.get("malloc"); 443 II_free = &Ctx.Idents.get("free"); 444 II_realloc = &Ctx.Idents.get("realloc"); 445 II_reallocf = &Ctx.Idents.get("reallocf"); 446 II_calloc = &Ctx.Idents.get("calloc"); 447 II_valloc = &Ctx.Idents.get("valloc"); 448 II_strdup = &Ctx.Idents.get("strdup"); 449 II_strndup = &Ctx.Idents.get("strndup"); 450 } 451 452 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 453 if (isFreeFunction(FD, C)) 454 return true; 455 456 if (isAllocationFunction(FD, C)) 457 return true; 458 459 if (isStandardNewDelete(FD, C)) 460 return true; 461 462 return false; 463 } 464 465 bool MallocChecker::isAllocationFunction(const FunctionDecl *FD, 466 ASTContext &C) const { 467 if (!FD) 468 return false; 469 470 if (FD->getKind() == Decl::Function) { 471 IdentifierInfo *FunI = FD->getIdentifier(); 472 initIdentifierInfo(C); 473 474 if (FunI == II_malloc || FunI == II_realloc || 475 FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || 476 FunI == II_strdup || FunI == II_strndup) 477 return true; 478 } 479 480 if (Filter.CMallocOptimistic && FD->hasAttrs()) 481 for (specific_attr_iterator<OwnershipAttr> 482 i = FD->specific_attr_begin<OwnershipAttr>(), 483 e = FD->specific_attr_end<OwnershipAttr>(); 484 i != e; ++i) 485 if ((*i)->getOwnKind() == OwnershipAttr::Returns) 486 return true; 487 return false; 488 } 489 490 bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const { 491 if (!FD) 492 return false; 493 494 if (FD->getKind() == Decl::Function) { 495 IdentifierInfo *FunI = FD->getIdentifier(); 496 initIdentifierInfo(C); 497 498 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 499 return true; 500 } 501 502 if (Filter.CMallocOptimistic && FD->hasAttrs()) 503 for (specific_attr_iterator<OwnershipAttr> 504 i = FD->specific_attr_begin<OwnershipAttr>(), 505 e = FD->specific_attr_end<OwnershipAttr>(); 506 i != e; ++i) 507 if ((*i)->getOwnKind() == OwnershipAttr::Takes || 508 (*i)->getOwnKind() == OwnershipAttr::Holds) 509 return true; 510 return false; 511 } 512 513 // Tells if the callee is one of the following: 514 // 1) A global non-placement new/delete operator function. 515 // 2) A global placement operator function with the single placement argument 516 // of type std::nothrow_t. 517 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 518 ASTContext &C) const { 519 if (!FD) 520 return false; 521 522 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 523 if (Kind != OO_New && Kind != OO_Array_New && 524 Kind != OO_Delete && Kind != OO_Array_Delete) 525 return false; 526 527 // Skip all operator new/delete methods. 528 if (isa<CXXMethodDecl>(FD)) 529 return false; 530 531 // Return true if tested operator is a standard placement nothrow operator. 532 if (FD->getNumParams() == 2) { 533 QualType T = FD->getParamDecl(1)->getType(); 534 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 535 return II->getName().equals("nothrow_t"); 536 } 537 538 // Skip placement operators. 539 if (FD->getNumParams() != 1 || FD->isVariadic()) 540 return false; 541 542 // One of the standard new/new[]/delete/delete[] non-placement operators. 543 return true; 544 } 545 546 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 547 if (C.wasInlined) 548 return; 549 550 const FunctionDecl *FD = C.getCalleeDecl(CE); 551 if (!FD) 552 return; 553 554 ProgramStateRef State = C.getState(); 555 bool ReleasedAllocatedMemory = false; 556 557 if (FD->getKind() == Decl::Function) { 558 initIdentifierInfo(C.getASTContext()); 559 IdentifierInfo *FunI = FD->getIdentifier(); 560 561 if (Filter.CMallocOptimistic || Filter.CMallocPessimistic || 562 Filter.CMismatchedDeallocatorChecker) { 563 if (FunI == II_malloc || FunI == II_valloc) { 564 if (CE->getNumArgs() < 1) 565 return; 566 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 567 } else if (FunI == II_realloc) { 568 State = ReallocMem(C, CE, false); 569 } else if (FunI == II_reallocf) { 570 State = ReallocMem(C, CE, true); 571 } else if (FunI == II_calloc) { 572 State = CallocMem(C, CE); 573 } else if (FunI == II_free) { 574 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 575 } else if (FunI == II_strdup) { 576 State = MallocUpdateRefState(C, CE, State); 577 } else if (FunI == II_strndup) { 578 State = MallocUpdateRefState(C, CE, State); 579 } 580 } 581 582 if (Filter.CNewDeleteChecker || Filter.CMismatchedDeallocatorChecker) { 583 if (isStandardNewDelete(FD, C.getASTContext())) { 584 // Process direct calls to operator new/new[]/delete/delete[] functions 585 // as distinct from new/new[]/delete/delete[] expressions that are 586 // processed by the checkPostStmt callbacks for CXXNewExpr and 587 // CXXDeleteExpr. 588 OverloadedOperatorKind K = FD->getOverloadedOperator(); 589 if (K == OO_New) 590 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 591 AF_CXXNew); 592 else if (K == OO_Array_New) 593 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 594 AF_CXXNewArray); 595 else if (K == OO_Delete || K == OO_Array_Delete) 596 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 597 else 598 llvm_unreachable("not a new/delete operator"); 599 } 600 } 601 } 602 603 if (Filter.CMallocOptimistic || Filter.CMismatchedDeallocatorChecker) { 604 // Check all the attributes, if there are any. 605 // There can be multiple of these attributes. 606 if (FD->hasAttrs()) 607 for (specific_attr_iterator<OwnershipAttr> 608 i = FD->specific_attr_begin<OwnershipAttr>(), 609 e = FD->specific_attr_end<OwnershipAttr>(); 610 i != e; ++i) { 611 switch ((*i)->getOwnKind()) { 612 case OwnershipAttr::Returns: 613 State = MallocMemReturnsAttr(C, CE, *i); 614 break; 615 case OwnershipAttr::Takes: 616 case OwnershipAttr::Holds: 617 State = FreeMemAttr(C, CE, *i); 618 break; 619 } 620 } 621 } 622 C.addTransition(State); 623 } 624 625 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 626 CheckerContext &C) const { 627 628 if (NE->getNumPlacementArgs()) 629 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 630 E = NE->placement_arg_end(); I != E; ++I) 631 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 632 checkUseAfterFree(Sym, C, *I); 633 634 if (!Filter.CNewDeleteChecker && !Filter.CMismatchedDeallocatorChecker) 635 return; 636 637 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 638 return; 639 640 ProgramStateRef State = C.getState(); 641 // The return value from operator new is bound to a specified initialization 642 // value (if any) and we don't want to loose this value. So we call 643 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 644 // existing binding. 645 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 646 : AF_CXXNew); 647 C.addTransition(State); 648 } 649 650 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 651 CheckerContext &C) const { 652 653 if (!Filter.CNewDeleteChecker) 654 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 655 checkUseAfterFree(Sym, C, DE->getArgument()); 656 657 if (!Filter.CNewDeleteChecker && !Filter.CMismatchedDeallocatorChecker) 658 return; 659 660 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 661 return; 662 663 ProgramStateRef State = C.getState(); 664 bool ReleasedAllocated; 665 State = FreeMemAux(C, DE->getArgument(), DE, State, 666 /*Hold*/false, ReleasedAllocated); 667 668 C.addTransition(State); 669 } 670 671 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 672 // If the first selector piece is one of the names below, assume that the 673 // object takes ownership of the memory, promising to eventually deallocate it 674 // with free(). 675 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 676 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 677 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 678 if (FirstSlot == "dataWithBytesNoCopy" || 679 FirstSlot == "initWithBytesNoCopy" || 680 FirstSlot == "initWithCharactersNoCopy") 681 return true; 682 683 return false; 684 } 685 686 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 687 Selector S = Call.getSelector(); 688 689 // FIXME: We should not rely on fully-constrained symbols being folded. 690 for (unsigned i = 1; i < S.getNumArgs(); ++i) 691 if (S.getNameForSlot(i).equals("freeWhenDone")) 692 return !Call.getArgSVal(i).isZeroConstant(); 693 694 return None; 695 } 696 697 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 698 CheckerContext &C) const { 699 if (C.wasInlined) 700 return; 701 702 if (!isKnownDeallocObjCMethodName(Call)) 703 return; 704 705 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 706 if (!*FreeWhenDone) 707 return; 708 709 bool ReleasedAllocatedMemory; 710 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 711 Call.getOriginExpr(), C.getState(), 712 /*Hold=*/true, ReleasedAllocatedMemory, 713 /*RetNullOnFailure=*/true); 714 715 C.addTransition(State); 716 } 717 718 ProgramStateRef MallocChecker::MallocMemReturnsAttr(CheckerContext &C, 719 const CallExpr *CE, 720 const OwnershipAttr* Att) { 721 if (Att->getModule() != "malloc") 722 return 0; 723 724 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 725 if (I != E) { 726 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 727 } 728 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 729 } 730 731 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 732 const CallExpr *CE, 733 SVal Size, SVal Init, 734 ProgramStateRef State, 735 AllocationFamily Family) { 736 737 // Bind the return value to the symbolic value from the heap region. 738 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 739 // side effects other than what we model here. 740 unsigned Count = C.blockCount(); 741 SValBuilder &svalBuilder = C.getSValBuilder(); 742 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 743 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 744 .castAs<DefinedSVal>(); 745 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 746 747 // We expect the malloc functions to return a pointer. 748 if (!RetVal.getAs<Loc>()) 749 return 0; 750 751 // Fill the region with the initialization value. 752 State = State->bindDefault(RetVal, Init); 753 754 // Set the region's extent equal to the Size parameter. 755 const SymbolicRegion *R = 756 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 757 if (!R) 758 return 0; 759 if (Optional<DefinedOrUnknownSVal> DefinedSize = 760 Size.getAs<DefinedOrUnknownSVal>()) { 761 SValBuilder &svalBuilder = C.getSValBuilder(); 762 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 763 DefinedOrUnknownSVal extentMatchesSize = 764 svalBuilder.evalEQ(State, Extent, *DefinedSize); 765 766 State = State->assume(extentMatchesSize, true); 767 assert(State); 768 } 769 770 return MallocUpdateRefState(C, CE, State, Family); 771 } 772 773 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 774 const Expr *E, 775 ProgramStateRef State, 776 AllocationFamily Family) { 777 // Get the return value. 778 SVal retVal = State->getSVal(E, C.getLocationContext()); 779 780 // We expect the malloc functions to return a pointer. 781 if (!retVal.getAs<Loc>()) 782 return 0; 783 784 SymbolRef Sym = retVal.getAsLocSymbol(); 785 assert(Sym); 786 787 // Set the symbol's state to Allocated. 788 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 789 } 790 791 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 792 const CallExpr *CE, 793 const OwnershipAttr* Att) const { 794 if (Att->getModule() != "malloc") 795 return 0; 796 797 ProgramStateRef State = C.getState(); 798 bool ReleasedAllocated = false; 799 800 for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 801 I != E; ++I) { 802 ProgramStateRef StateI = FreeMemAux(C, CE, State, *I, 803 Att->getOwnKind() == OwnershipAttr::Holds, 804 ReleasedAllocated); 805 if (StateI) 806 State = StateI; 807 } 808 return State; 809 } 810 811 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 812 const CallExpr *CE, 813 ProgramStateRef state, 814 unsigned Num, 815 bool Hold, 816 bool &ReleasedAllocated, 817 bool ReturnsNullOnFailure) const { 818 if (CE->getNumArgs() < (Num + 1)) 819 return 0; 820 821 return FreeMemAux(C, CE->getArg(Num), CE, state, Hold, 822 ReleasedAllocated, ReturnsNullOnFailure); 823 } 824 825 /// Checks if the previous call to free on the given symbol failed - if free 826 /// failed, returns true. Also, returns the corresponding return value symbol. 827 static bool didPreviousFreeFail(ProgramStateRef State, 828 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 829 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 830 if (Ret) { 831 assert(*Ret && "We should not store the null return symbol"); 832 ConstraintManager &CMgr = State->getConstraintManager(); 833 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 834 RetStatusSymbol = *Ret; 835 return FreeFailed.isConstrainedTrue(); 836 } 837 return false; 838 } 839 840 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 841 const Expr *E) const { 842 if (!E) 843 return AF_None; 844 845 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 846 const FunctionDecl *FD = C.getCalleeDecl(CE); 847 ASTContext &Ctx = C.getASTContext(); 848 849 if (isFreeFunction(FD, Ctx)) 850 return AF_Malloc; 851 852 if (isStandardNewDelete(FD, Ctx)) { 853 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 854 if (Kind == OO_Delete) 855 return AF_CXXNew; 856 else if (Kind == OO_Array_Delete) 857 return AF_CXXNewArray; 858 } 859 860 return AF_None; 861 } 862 863 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) 864 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 865 866 if (isa<ObjCMessageExpr>(E)) 867 return AF_Malloc; 868 869 return AF_None; 870 } 871 872 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 873 const Expr *E) const { 874 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 875 // FIXME: This doesn't handle indirect calls. 876 const FunctionDecl *FD = CE->getDirectCallee(); 877 if (!FD) 878 return false; 879 880 os << *FD; 881 if (!FD->isOverloadedOperator()) 882 os << "()"; 883 return true; 884 } 885 886 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 887 if (Msg->isInstanceMessage()) 888 os << "-"; 889 else 890 os << "+"; 891 os << Msg->getSelector().getAsString(); 892 return true; 893 } 894 895 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 896 os << "'" 897 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 898 << "'"; 899 return true; 900 } 901 902 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 903 os << "'" 904 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 905 << "'"; 906 return true; 907 } 908 909 return false; 910 } 911 912 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 913 const Expr *E) const { 914 AllocationFamily Family = getAllocationFamily(C, E); 915 916 switch(Family) { 917 case AF_Malloc: os << "malloc()"; return; 918 case AF_CXXNew: os << "'new'"; return; 919 case AF_CXXNewArray: os << "'new[]'"; return; 920 case AF_None: llvm_unreachable("not a deallocation expression"); 921 } 922 } 923 924 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 925 AllocationFamily Family) const { 926 switch(Family) { 927 case AF_Malloc: os << "free()"; return; 928 case AF_CXXNew: os << "'delete'"; return; 929 case AF_CXXNewArray: os << "'delete[]'"; return; 930 case AF_None: llvm_unreachable("suspicious AF_None argument"); 931 } 932 } 933 934 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 935 const Expr *ArgExpr, 936 const Expr *ParentExpr, 937 ProgramStateRef State, 938 bool Hold, 939 bool &ReleasedAllocated, 940 bool ReturnsNullOnFailure) const { 941 942 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 943 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 944 return 0; 945 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 946 947 // Check for null dereferences. 948 if (!location.getAs<Loc>()) 949 return 0; 950 951 // The explicit NULL case, no operation is performed. 952 ProgramStateRef notNullState, nullState; 953 llvm::tie(notNullState, nullState) = State->assume(location); 954 if (nullState && !notNullState) 955 return 0; 956 957 // Unknown values could easily be okay 958 // Undefined values are handled elsewhere 959 if (ArgVal.isUnknownOrUndef()) 960 return 0; 961 962 const MemRegion *R = ArgVal.getAsRegion(); 963 964 // Nonlocs can't be freed, of course. 965 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 966 if (!R) { 967 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 968 return 0; 969 } 970 971 R = R->StripCasts(); 972 973 // Blocks might show up as heap data, but should not be free()d 974 if (isa<BlockDataRegion>(R)) { 975 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 976 return 0; 977 } 978 979 const MemSpaceRegion *MS = R->getMemorySpace(); 980 981 // Parameters, locals, statics, globals, and memory returned by alloca() 982 // shouldn't be freed. 983 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 984 // FIXME: at the time this code was written, malloc() regions were 985 // represented by conjured symbols, which are all in UnknownSpaceRegion. 986 // This means that there isn't actually anything from HeapSpaceRegion 987 // that should be freed, even though we allow it here. 988 // Of course, free() can work on memory allocated outside the current 989 // function, so UnknownSpaceRegion is always a possibility. 990 // False negatives are better than false positives. 991 992 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 993 return 0; 994 } 995 996 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 997 // Various cases could lead to non-symbol values here. 998 // For now, ignore them. 999 if (!SrBase) 1000 return 0; 1001 1002 SymbolRef SymBase = SrBase->getSymbol(); 1003 const RefState *RsBase = State->get<RegionState>(SymBase); 1004 SymbolRef PreviousRetStatusSymbol = 0; 1005 1006 // Check double free. 1007 if (RsBase && 1008 (RsBase->isReleased() || RsBase->isRelinquished()) && 1009 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1010 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1011 SymBase, PreviousRetStatusSymbol); 1012 return 0; 1013 } 1014 1015 // Check if an expected deallocation function matches the real one. 1016 if (RsBase && 1017 RsBase->getAllocationFamily() != AF_None && 1018 RsBase->getAllocationFamily() != getAllocationFamily(C, ParentExpr) ) { 1019 ReportBadDealloc(C, ArgExpr->getSourceRange(), ParentExpr, RsBase); 1020 return 0; 1021 } 1022 1023 // Check if the memory location being freed is the actual location 1024 // allocated, or an offset. 1025 RegionOffset Offset = R->getAsOffset(); 1026 if (RsBase && RsBase->isAllocated() && 1027 Offset.isValid() && 1028 !Offset.hasSymbolicOffset() && 1029 Offset.getOffset() != 0) { 1030 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1031 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1032 AllocExpr); 1033 return 0; 1034 } 1035 1036 ReleasedAllocated = (RsBase != 0); 1037 1038 // Clean out the info on previous call to free return info. 1039 State = State->remove<FreeReturnValue>(SymBase); 1040 1041 // Keep track of the return value. If it is NULL, we will know that free 1042 // failed. 1043 if (ReturnsNullOnFailure) { 1044 SVal RetVal = C.getSVal(ParentExpr); 1045 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1046 if (RetStatusSymbol) { 1047 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1048 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1049 } 1050 } 1051 1052 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() : AF_None; 1053 // Normal free. 1054 if (Hold) 1055 return State->set<RegionState>(SymBase, 1056 RefState::getRelinquished(Family, 1057 ParentExpr)); 1058 1059 return State->set<RegionState>(SymBase, 1060 RefState::getReleased(Family, ParentExpr)); 1061 } 1062 1063 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1064 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1065 os << "an integer (" << IntVal->getValue() << ")"; 1066 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1067 os << "a constant address (" << ConstAddr->getValue() << ")"; 1068 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1069 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1070 else 1071 return false; 1072 1073 return true; 1074 } 1075 1076 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1077 const MemRegion *MR) { 1078 switch (MR->getKind()) { 1079 case MemRegion::FunctionTextRegionKind: { 1080 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 1081 if (FD) 1082 os << "the address of the function '" << *FD << '\''; 1083 else 1084 os << "the address of a function"; 1085 return true; 1086 } 1087 case MemRegion::BlockTextRegionKind: 1088 os << "block text"; 1089 return true; 1090 case MemRegion::BlockDataRegionKind: 1091 // FIXME: where the block came from? 1092 os << "a block"; 1093 return true; 1094 default: { 1095 const MemSpaceRegion *MS = MR->getMemorySpace(); 1096 1097 if (isa<StackLocalsSpaceRegion>(MS)) { 1098 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1099 const VarDecl *VD; 1100 if (VR) 1101 VD = VR->getDecl(); 1102 else 1103 VD = NULL; 1104 1105 if (VD) 1106 os << "the address of the local variable '" << VD->getName() << "'"; 1107 else 1108 os << "the address of a local stack variable"; 1109 return true; 1110 } 1111 1112 if (isa<StackArgumentsSpaceRegion>(MS)) { 1113 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1114 const VarDecl *VD; 1115 if (VR) 1116 VD = VR->getDecl(); 1117 else 1118 VD = NULL; 1119 1120 if (VD) 1121 os << "the address of the parameter '" << VD->getName() << "'"; 1122 else 1123 os << "the address of a parameter"; 1124 return true; 1125 } 1126 1127 if (isa<GlobalsSpaceRegion>(MS)) { 1128 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1129 const VarDecl *VD; 1130 if (VR) 1131 VD = VR->getDecl(); 1132 else 1133 VD = NULL; 1134 1135 if (VD) { 1136 if (VD->isStaticLocal()) 1137 os << "the address of the static variable '" << VD->getName() << "'"; 1138 else 1139 os << "the address of the global variable '" << VD->getName() << "'"; 1140 } else 1141 os << "the address of a global variable"; 1142 return true; 1143 } 1144 1145 return false; 1146 } 1147 } 1148 } 1149 1150 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1151 SourceRange Range, 1152 const Expr *DeallocExpr) const { 1153 1154 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1155 !Filter.CNewDeleteChecker) 1156 return; 1157 1158 if (ExplodedNode *N = C.generateSink()) { 1159 if (!BT_BadFree) 1160 BT_BadFree.reset(new BugType("Bad free", "Memory Error")); 1161 1162 SmallString<100> buf; 1163 llvm::raw_svector_ostream os(buf); 1164 1165 const MemRegion *MR = ArgVal.getAsRegion(); 1166 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1167 MR = ER->getSuperRegion(); 1168 1169 if (MR && isa<AllocaRegion>(MR)) 1170 os << "Memory allocated by alloca() should not be deallocated"; 1171 else { 1172 os << "Argument to "; 1173 if (!printAllocDeallocName(os, C, DeallocExpr)) 1174 os << "deallocator"; 1175 1176 os << " is "; 1177 bool Summarized = MR ? SummarizeRegion(os, MR) 1178 : SummarizeValue(os, ArgVal); 1179 if (Summarized) 1180 os << ", which is not memory allocated by "; 1181 else 1182 os << "not memory allocated by "; 1183 1184 printExpectedAllocName(os, C, DeallocExpr); 1185 } 1186 1187 BugReport *R = new BugReport(*BT_BadFree, os.str(), N); 1188 R->markInteresting(MR); 1189 R->addRange(Range); 1190 C.emitReport(R); 1191 } 1192 } 1193 1194 void MallocChecker::ReportBadDealloc(CheckerContext &C, SourceRange Range, 1195 const Expr *DeallocExpr, 1196 const RefState *RS) const { 1197 1198 if (!Filter.CMismatchedDeallocatorChecker) 1199 return; 1200 1201 if (ExplodedNode *N = C.generateSink()) { 1202 if (!BT_BadDealloc) 1203 BT_BadDealloc.reset(new BugType("Bad deallocator", "Memory Error")); 1204 1205 SmallString<100> buf; 1206 llvm::raw_svector_ostream os(buf); 1207 1208 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1209 SmallString<20> AllocBuf; 1210 llvm::raw_svector_ostream AllocOs(AllocBuf); 1211 SmallString<20> DeallocBuf; 1212 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1213 1214 os << "Memory"; 1215 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1216 os << " allocated by " << AllocOs.str(); 1217 1218 os << " should be deallocated by "; 1219 printExpectedDeallocName(os, RS->getAllocationFamily()); 1220 1221 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1222 os << ", not " << DeallocOs.str(); 1223 1224 BugReport *R = new BugReport(*BT_BadDealloc, os.str(), N); 1225 R->addRange(Range); 1226 C.emitReport(R); 1227 } 1228 } 1229 1230 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1231 SourceRange Range, const Expr *DeallocExpr, 1232 const Expr *AllocExpr) const { 1233 1234 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1235 !Filter.CNewDeleteChecker) 1236 return; 1237 1238 ExplodedNode *N = C.generateSink(); 1239 if (N == NULL) 1240 return; 1241 1242 if (!BT_OffsetFree) 1243 BT_OffsetFree.reset(new BugType("Offset free", "Memory Error")); 1244 1245 SmallString<100> buf; 1246 llvm::raw_svector_ostream os(buf); 1247 SmallString<20> AllocNameBuf; 1248 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1249 1250 const MemRegion *MR = ArgVal.getAsRegion(); 1251 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1252 1253 RegionOffset Offset = MR->getAsOffset(); 1254 assert((Offset.isValid() && 1255 !Offset.hasSymbolicOffset() && 1256 Offset.getOffset() != 0) && 1257 "Only symbols with a valid offset can have offset free errors"); 1258 1259 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1260 1261 os << "Argument to "; 1262 if (!printAllocDeallocName(os, C, DeallocExpr)) 1263 os << "deallocator"; 1264 os << " is offset by " 1265 << offsetBytes 1266 << " " 1267 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1268 << " from the start of "; 1269 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1270 os << "memory allocated by " << AllocNameOs.str(); 1271 else 1272 os << "allocated memory"; 1273 1274 BugReport *R = new BugReport(*BT_OffsetFree, os.str(), N); 1275 R->markInteresting(MR->getBaseRegion()); 1276 R->addRange(Range); 1277 C.emitReport(R); 1278 } 1279 1280 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1281 SymbolRef Sym) const { 1282 1283 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1284 !Filter.CNewDeleteChecker) 1285 return; 1286 1287 if (ExplodedNode *N = C.generateSink()) { 1288 if (!BT_UseFree) 1289 BT_UseFree.reset(new BugType("Use-after-free", "Memory Error")); 1290 1291 BugReport *R = new BugReport(*BT_UseFree, 1292 "Use of memory after it is freed", N); 1293 1294 R->markInteresting(Sym); 1295 R->addRange(Range); 1296 R->addVisitor(new MallocBugVisitor(Sym)); 1297 C.emitReport(R); 1298 } 1299 } 1300 1301 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1302 bool Released, SymbolRef Sym, 1303 SymbolRef PrevSym) const { 1304 1305 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1306 !Filter.CNewDeleteChecker) 1307 return; 1308 1309 if (ExplodedNode *N = C.generateSink()) { 1310 if (!BT_DoubleFree) 1311 BT_DoubleFree.reset(new BugType("Double free", "Memory Error")); 1312 1313 BugReport *R = new BugReport(*BT_DoubleFree, 1314 (Released ? "Attempt to free released memory" 1315 : "Attempt to free non-owned memory"), 1316 N); 1317 R->addRange(Range); 1318 R->markInteresting(Sym); 1319 if (PrevSym) 1320 R->markInteresting(PrevSym); 1321 R->addVisitor(new MallocBugVisitor(Sym)); 1322 C.emitReport(R); 1323 } 1324 } 1325 1326 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 1327 const CallExpr *CE, 1328 bool FreesOnFail) const { 1329 if (CE->getNumArgs() < 2) 1330 return 0; 1331 1332 ProgramStateRef state = C.getState(); 1333 const Expr *arg0Expr = CE->getArg(0); 1334 const LocationContext *LCtx = C.getLocationContext(); 1335 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 1336 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 1337 return 0; 1338 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 1339 1340 SValBuilder &svalBuilder = C.getSValBuilder(); 1341 1342 DefinedOrUnknownSVal PtrEQ = 1343 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 1344 1345 // Get the size argument. If there is no size arg then give up. 1346 const Expr *Arg1 = CE->getArg(1); 1347 if (!Arg1) 1348 return 0; 1349 1350 // Get the value of the size argument. 1351 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 1352 if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) 1353 return 0; 1354 DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); 1355 1356 // Compare the size argument to 0. 1357 DefinedOrUnknownSVal SizeZero = 1358 svalBuilder.evalEQ(state, Arg1Val, 1359 svalBuilder.makeIntValWithPtrWidth(0, false)); 1360 1361 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 1362 llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 1363 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 1364 llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 1365 // We only assume exceptional states if they are definitely true; if the 1366 // state is under-constrained, assume regular realloc behavior. 1367 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 1368 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 1369 1370 // If the ptr is NULL and the size is not 0, the call is equivalent to 1371 // malloc(size). 1372 if ( PrtIsNull && !SizeIsZero) { 1373 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 1374 UndefinedVal(), StatePtrIsNull); 1375 return stateMalloc; 1376 } 1377 1378 if (PrtIsNull && SizeIsZero) 1379 return 0; 1380 1381 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 1382 assert(!PrtIsNull); 1383 SymbolRef FromPtr = arg0Val.getAsSymbol(); 1384 SVal RetVal = state->getSVal(CE, LCtx); 1385 SymbolRef ToPtr = RetVal.getAsSymbol(); 1386 if (!FromPtr || !ToPtr) 1387 return 0; 1388 1389 bool ReleasedAllocated = false; 1390 1391 // If the size is 0, free the memory. 1392 if (SizeIsZero) 1393 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 1394 false, ReleasedAllocated)){ 1395 // The semantics of the return value are: 1396 // If size was equal to 0, either NULL or a pointer suitable to be passed 1397 // to free() is returned. We just free the input pointer and do not add 1398 // any constrains on the output pointer. 1399 return stateFree; 1400 } 1401 1402 // Default behavior. 1403 if (ProgramStateRef stateFree = 1404 FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) { 1405 1406 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 1407 UnknownVal(), stateFree); 1408 if (!stateRealloc) 1409 return 0; 1410 1411 ReallocPairKind Kind = RPToBeFreedAfterFailure; 1412 if (FreesOnFail) 1413 Kind = RPIsFreeOnFailure; 1414 else if (!ReleasedAllocated) 1415 Kind = RPDoNotTrackAfterFailure; 1416 1417 // Record the info about the reallocated symbol so that we could properly 1418 // process failed reallocation. 1419 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 1420 ReallocPair(FromPtr, Kind)); 1421 // The reallocated symbol should stay alive for as long as the new symbol. 1422 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 1423 return stateRealloc; 1424 } 1425 return 0; 1426 } 1427 1428 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 1429 if (CE->getNumArgs() < 2) 1430 return 0; 1431 1432 ProgramStateRef state = C.getState(); 1433 SValBuilder &svalBuilder = C.getSValBuilder(); 1434 const LocationContext *LCtx = C.getLocationContext(); 1435 SVal count = state->getSVal(CE->getArg(0), LCtx); 1436 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 1437 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 1438 svalBuilder.getContext().getSizeType()); 1439 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1440 1441 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 1442 } 1443 1444 LeakInfo 1445 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 1446 CheckerContext &C) const { 1447 const LocationContext *LeakContext = N->getLocationContext(); 1448 // Walk the ExplodedGraph backwards and find the first node that referred to 1449 // the tracked symbol. 1450 const ExplodedNode *AllocNode = N; 1451 const MemRegion *ReferenceRegion = 0; 1452 1453 while (N) { 1454 ProgramStateRef State = N->getState(); 1455 if (!State->get<RegionState>(Sym)) 1456 break; 1457 1458 // Find the most recent expression bound to the symbol in the current 1459 // context. 1460 if (!ReferenceRegion) { 1461 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 1462 SVal Val = State->getSVal(MR); 1463 if (Val.getAsLocSymbol() == Sym) 1464 ReferenceRegion = MR; 1465 } 1466 } 1467 1468 // Allocation node, is the last node in the current context in which the 1469 // symbol was tracked. 1470 if (N->getLocationContext() == LeakContext) 1471 AllocNode = N; 1472 N = N->pred_empty() ? NULL : *(N->pred_begin()); 1473 } 1474 1475 return LeakInfo(AllocNode, ReferenceRegion); 1476 } 1477 1478 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1479 CheckerContext &C) const { 1480 1481 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1482 !Filter.CNewDeleteChecker) 1483 return; 1484 1485 assert(N); 1486 if (!BT_Leak) { 1487 BT_Leak.reset(new BugType("Memory leak", "Memory Error")); 1488 // Leaks should not be reported if they are post-dominated by a sink: 1489 // (1) Sinks are higher importance bugs. 1490 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1491 // with __noreturn functions such as assert() or exit(). We choose not 1492 // to report leaks on such paths. 1493 BT_Leak->setSuppressOnSink(true); 1494 } 1495 1496 // Most bug reports are cached at the location where they occurred. 1497 // With leaks, we want to unique them by the location where they were 1498 // allocated, and only report a single path. 1499 PathDiagnosticLocation LocUsedForUniqueing; 1500 const ExplodedNode *AllocNode = 0; 1501 const MemRegion *Region = 0; 1502 llvm::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 1503 1504 ProgramPoint P = AllocNode->getLocation(); 1505 const Stmt *AllocationStmt = 0; 1506 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 1507 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1508 else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) 1509 AllocationStmt = SP->getStmt(); 1510 if (AllocationStmt) 1511 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 1512 C.getSourceManager(), 1513 AllocNode->getLocationContext()); 1514 1515 SmallString<200> buf; 1516 llvm::raw_svector_ostream os(buf); 1517 os << "Memory is never released; potential leak"; 1518 if (Region && Region->canPrintPretty()) { 1519 os << " of memory pointed to by '"; 1520 Region->printPretty(os); 1521 os << '\''; 1522 } 1523 1524 BugReport *R = new BugReport(*BT_Leak, os.str(), N, 1525 LocUsedForUniqueing, 1526 AllocNode->getLocationContext()->getDecl()); 1527 R->markInteresting(Sym); 1528 R->addVisitor(new MallocBugVisitor(Sym, true)); 1529 C.emitReport(R); 1530 } 1531 1532 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1533 CheckerContext &C) const 1534 { 1535 if (!SymReaper.hasDeadSymbols()) 1536 return; 1537 1538 ProgramStateRef state = C.getState(); 1539 RegionStateTy RS = state->get<RegionState>(); 1540 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1541 1542 SmallVector<SymbolRef, 2> Errors; 1543 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1544 if (SymReaper.isDead(I->first)) { 1545 if (I->second.isAllocated()) 1546 Errors.push_back(I->first); 1547 // Remove the dead symbol from the map. 1548 RS = F.remove(RS, I->first); 1549 1550 } 1551 } 1552 1553 // Cleanup the Realloc Pairs Map. 1554 ReallocPairsTy RP = state->get<ReallocPairs>(); 1555 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1556 if (SymReaper.isDead(I->first) || 1557 SymReaper.isDead(I->second.ReallocatedSym)) { 1558 state = state->remove<ReallocPairs>(I->first); 1559 } 1560 } 1561 1562 // Cleanup the FreeReturnValue Map. 1563 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 1564 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 1565 if (SymReaper.isDead(I->first) || 1566 SymReaper.isDead(I->second)) { 1567 state = state->remove<FreeReturnValue>(I->first); 1568 } 1569 } 1570 1571 // Generate leak node. 1572 ExplodedNode *N = C.getPredecessor(); 1573 if (!Errors.empty()) { 1574 static SimpleProgramPointTag Tag("MallocChecker : DeadSymbolsLeak"); 1575 N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 1576 for (SmallVector<SymbolRef, 2>::iterator 1577 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 1578 reportLeak(*I, N, C); 1579 } 1580 } 1581 1582 C.addTransition(state->set<RegionState>(RS), N); 1583 } 1584 1585 void MallocChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { 1586 // We will check for double free in the post visit. 1587 if ((Filter.CMallocOptimistic || Filter.CMallocPessimistic) && 1588 isFreeFunction(C.getCalleeDecl(CE), C.getASTContext())) 1589 return; 1590 1591 if (Filter.CNewDeleteChecker && 1592 isStandardNewDelete(C.getCalleeDecl(CE), C.getASTContext())) 1593 return; 1594 1595 // Check use after free, when a freed pointer is passed to a call. 1596 ProgramStateRef State = C.getState(); 1597 for (CallExpr::const_arg_iterator I = CE->arg_begin(), 1598 E = CE->arg_end(); I != E; ++I) { 1599 const Expr *A = *I; 1600 if (A->getType().getTypePtr()->isAnyPointerType()) { 1601 SymbolRef Sym = C.getSVal(A).getAsSymbol(); 1602 if (!Sym) 1603 continue; 1604 if (checkUseAfterFree(Sym, C, A)) 1605 return; 1606 } 1607 } 1608 } 1609 1610 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 1611 const Expr *E = S->getRetValue(); 1612 if (!E) 1613 return; 1614 1615 // Check if we are returning a symbol. 1616 ProgramStateRef State = C.getState(); 1617 SVal RetVal = State->getSVal(E, C.getLocationContext()); 1618 SymbolRef Sym = RetVal.getAsSymbol(); 1619 if (!Sym) 1620 // If we are returning a field of the allocated struct or an array element, 1621 // the callee could still free the memory. 1622 // TODO: This logic should be a part of generic symbol escape callback. 1623 if (const MemRegion *MR = RetVal.getAsRegion()) 1624 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 1625 if (const SymbolicRegion *BMR = 1626 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 1627 Sym = BMR->getSymbol(); 1628 1629 // Check if we are returning freed memory. 1630 if (Sym) 1631 checkUseAfterFree(Sym, C, E); 1632 } 1633 1634 // TODO: Blocks should be either inlined or should call invalidate regions 1635 // upon invocation. After that's in place, special casing here will not be 1636 // needed. 1637 void MallocChecker::checkPostStmt(const BlockExpr *BE, 1638 CheckerContext &C) const { 1639 1640 // Scan the BlockDecRefExprs for any object the retain count checker 1641 // may be tracking. 1642 if (!BE->getBlockDecl()->hasCaptures()) 1643 return; 1644 1645 ProgramStateRef state = C.getState(); 1646 const BlockDataRegion *R = 1647 cast<BlockDataRegion>(state->getSVal(BE, 1648 C.getLocationContext()).getAsRegion()); 1649 1650 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 1651 E = R->referenced_vars_end(); 1652 1653 if (I == E) 1654 return; 1655 1656 SmallVector<const MemRegion*, 10> Regions; 1657 const LocationContext *LC = C.getLocationContext(); 1658 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 1659 1660 for ( ; I != E; ++I) { 1661 const VarRegion *VR = I.getCapturedRegion(); 1662 if (VR->getSuperRegion() == R) { 1663 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 1664 } 1665 Regions.push_back(VR); 1666 } 1667 1668 state = 1669 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 1670 Regions.data() + Regions.size()).getState(); 1671 C.addTransition(state); 1672 } 1673 1674 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 1675 assert(Sym); 1676 const RefState *RS = C.getState()->get<RegionState>(Sym); 1677 return (RS && RS->isReleased()); 1678 } 1679 1680 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 1681 const Stmt *S) const { 1682 1683 if (isReleased(Sym, C)) { 1684 ReportUseAfterFree(C, S->getSourceRange(), Sym); 1685 return true; 1686 } 1687 1688 return false; 1689 } 1690 1691 // Check if the location is a freed symbolic region. 1692 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 1693 CheckerContext &C) const { 1694 SymbolRef Sym = l.getLocSymbolInBase(); 1695 if (Sym) 1696 checkUseAfterFree(Sym, C, S); 1697 } 1698 1699 // If a symbolic region is assumed to NULL (or another constant), stop tracking 1700 // it - assuming that allocation failed on this path. 1701 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 1702 SVal Cond, 1703 bool Assumption) const { 1704 RegionStateTy RS = state->get<RegionState>(); 1705 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1706 // If the symbol is assumed to be NULL, remove it from consideration. 1707 ConstraintManager &CMgr = state->getConstraintManager(); 1708 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1709 if (AllocFailed.isConstrainedTrue()) 1710 state = state->remove<RegionState>(I.getKey()); 1711 } 1712 1713 // Realloc returns 0 when reallocation fails, which means that we should 1714 // restore the state of the pointer being reallocated. 1715 ReallocPairsTy RP = state->get<ReallocPairs>(); 1716 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1717 // If the symbol is assumed to be NULL, remove it from consideration. 1718 ConstraintManager &CMgr = state->getConstraintManager(); 1719 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1720 if (!AllocFailed.isConstrainedTrue()) 1721 continue; 1722 1723 SymbolRef ReallocSym = I.getData().ReallocatedSym; 1724 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 1725 if (RS->isReleased()) { 1726 if (I.getData().Kind == RPToBeFreedAfterFailure) 1727 state = state->set<RegionState>(ReallocSym, 1728 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 1729 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 1730 state = state->remove<RegionState>(ReallocSym); 1731 else 1732 assert(I.getData().Kind == RPIsFreeOnFailure); 1733 } 1734 } 1735 state = state->remove<ReallocPairs>(I.getKey()); 1736 } 1737 1738 return state; 1739 } 1740 1741 bool MallocChecker::doesNotFreeMemOrInteresting(const CallEvent *Call, 1742 ProgramStateRef State) const { 1743 assert(Call); 1744 1745 // For now, assume that any C++ call can free memory. 1746 // TODO: If we want to be more optimistic here, we'll need to make sure that 1747 // regions escape to C++ containers. They seem to do that even now, but for 1748 // mysterious reasons. 1749 if (!(isa<FunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 1750 return false; 1751 1752 // Check Objective-C messages by selector name. 1753 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 1754 // If it's not a framework call, or if it takes a callback, assume it 1755 // can free memory. 1756 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 1757 return false; 1758 1759 // If it's a method we know about, handle it explicitly post-call. 1760 // This should happen before the "freeWhenDone" check below. 1761 if (isKnownDeallocObjCMethodName(*Msg)) 1762 return true; 1763 1764 // If there's a "freeWhenDone" parameter, but the method isn't one we know 1765 // about, we can't be sure that the object will use free() to deallocate the 1766 // memory, so we can't model it explicitly. The best we can do is use it to 1767 // decide whether the pointer escapes. 1768 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 1769 return !*FreeWhenDone; 1770 1771 // If the first selector piece ends with "NoCopy", and there is no 1772 // "freeWhenDone" parameter set to zero, we know ownership is being 1773 // transferred. Again, though, we can't be sure that the object will use 1774 // free() to deallocate the memory, so we can't model it explicitly. 1775 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 1776 if (FirstSlot.endswith("NoCopy")) 1777 return false; 1778 1779 // If the first selector starts with addPointer, insertPointer, 1780 // or replacePointer, assume we are dealing with NSPointerArray or similar. 1781 // This is similar to C++ containers (vector); we still might want to check 1782 // that the pointers get freed by following the container itself. 1783 if (FirstSlot.startswith("addPointer") || 1784 FirstSlot.startswith("insertPointer") || 1785 FirstSlot.startswith("replacePointer")) { 1786 return false; 1787 } 1788 1789 // Otherwise, assume that the method does not free memory. 1790 // Most framework methods do not free memory. 1791 return true; 1792 } 1793 1794 // At this point the only thing left to handle is straight function calls. 1795 const FunctionDecl *FD = cast<FunctionCall>(Call)->getDecl(); 1796 if (!FD) 1797 return false; 1798 1799 ASTContext &ASTC = State->getStateManager().getContext(); 1800 1801 // If it's one of the allocation functions we can reason about, we model 1802 // its behavior explicitly. 1803 if (isMemFunction(FD, ASTC)) 1804 return true; 1805 1806 // If it's not a system call, assume it frees memory. 1807 if (!Call->isInSystemHeader()) 1808 return false; 1809 1810 // White list the system functions whose arguments escape. 1811 const IdentifierInfo *II = FD->getIdentifier(); 1812 if (!II) 1813 return false; 1814 StringRef FName = II->getName(); 1815 1816 // White list the 'XXXNoCopy' CoreFoundation functions. 1817 // We specifically check these before 1818 if (FName.endswith("NoCopy")) { 1819 // Look for the deallocator argument. We know that the memory ownership 1820 // is not transferred only if the deallocator argument is 1821 // 'kCFAllocatorNull'. 1822 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 1823 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 1824 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 1825 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 1826 if (DeallocatorName == "kCFAllocatorNull") 1827 return true; 1828 } 1829 } 1830 return false; 1831 } 1832 1833 // Associating streams with malloced buffers. The pointer can escape if 1834 // 'closefn' is specified (and if that function does free memory), 1835 // but it will not if closefn is not specified. 1836 // Currently, we do not inspect the 'closefn' function (PR12101). 1837 if (FName == "funopen") 1838 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 1839 return true; 1840 1841 // Do not warn on pointers passed to 'setbuf' when used with std streams, 1842 // these leaks might be intentional when setting the buffer for stdio. 1843 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 1844 if (FName == "setbuf" || FName =="setbuffer" || 1845 FName == "setlinebuf" || FName == "setvbuf") { 1846 if (Call->getNumArgs() >= 1) { 1847 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 1848 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 1849 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 1850 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 1851 return false; 1852 } 1853 } 1854 1855 // A bunch of other functions which either take ownership of a pointer or 1856 // wrap the result up in a struct or object, meaning it can be freed later. 1857 // (See RetainCountChecker.) Not all the parameters here are invalidated, 1858 // but the Malloc checker cannot differentiate between them. The right way 1859 // of doing this would be to implement a pointer escapes callback. 1860 if (FName == "CGBitmapContextCreate" || 1861 FName == "CGBitmapContextCreateWithData" || 1862 FName == "CVPixelBufferCreateWithBytes" || 1863 FName == "CVPixelBufferCreateWithPlanarBytes" || 1864 FName == "OSAtomicEnqueue") { 1865 return false; 1866 } 1867 1868 // Handle cases where we know a buffer's /address/ can escape. 1869 // Note that the above checks handle some special cases where we know that 1870 // even though the address escapes, it's still our responsibility to free the 1871 // buffer. 1872 if (Call->argumentsMayEscape()) 1873 return false; 1874 1875 // Otherwise, assume that the function does not free memory. 1876 // Most system calls do not free the memory. 1877 return true; 1878 } 1879 1880 static bool retTrue(const RefState *RS) { 1881 return true; 1882 } 1883 1884 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 1885 return (RS->getAllocationFamily() == AF_CXXNewArray || 1886 RS->getAllocationFamily() == AF_CXXNew); 1887 } 1888 1889 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 1890 const InvalidatedSymbols &Escaped, 1891 const CallEvent *Call, 1892 PointerEscapeKind Kind) const { 1893 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 1894 } 1895 1896 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 1897 const InvalidatedSymbols &Escaped, 1898 const CallEvent *Call, 1899 PointerEscapeKind Kind) const { 1900 return checkPointerEscapeAux(State, Escaped, Call, Kind, 1901 &checkIfNewOrNewArrayFamily); 1902 } 1903 1904 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 1905 const InvalidatedSymbols &Escaped, 1906 const CallEvent *Call, 1907 PointerEscapeKind Kind, 1908 bool(*CheckRefState)(const RefState*)) const { 1909 // If we know that the call does not free memory, or we want to process the 1910 // call later, keep tracking the top level arguments. 1911 if ((Kind == PSK_DirectEscapeOnCall || 1912 Kind == PSK_IndirectEscapeOnCall) && 1913 doesNotFreeMemOrInteresting(Call, State)) { 1914 return State; 1915 } 1916 1917 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 1918 E = Escaped.end(); 1919 I != E; ++I) { 1920 SymbolRef sym = *I; 1921 1922 if (const RefState *RS = State->get<RegionState>(sym)) { 1923 if (RS->isAllocated() && CheckRefState(RS)) 1924 State = State->remove<RegionState>(sym); 1925 } 1926 } 1927 return State; 1928 } 1929 1930 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 1931 ProgramStateRef prevState) { 1932 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 1933 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 1934 1935 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 1936 I != E; ++I) { 1937 SymbolRef sym = I.getKey(); 1938 if (!currMap.lookup(sym)) 1939 return sym; 1940 } 1941 1942 return NULL; 1943 } 1944 1945 PathDiagnosticPiece * 1946 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 1947 const ExplodedNode *PrevN, 1948 BugReporterContext &BRC, 1949 BugReport &BR) { 1950 ProgramStateRef state = N->getState(); 1951 ProgramStateRef statePrev = PrevN->getState(); 1952 1953 const RefState *RS = state->get<RegionState>(Sym); 1954 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 1955 if (!RS) 1956 return 0; 1957 1958 const Stmt *S = 0; 1959 const char *Msg = 0; 1960 StackHintGeneratorForSymbol *StackHint = 0; 1961 1962 // Retrieve the associated statement. 1963 ProgramPoint ProgLoc = N->getLocation(); 1964 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) { 1965 S = SP->getStmt(); 1966 } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) { 1967 S = Exit->getCalleeContext()->getCallSite(); 1968 } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) { 1969 // If an assumption was made on a branch, it should be caught 1970 // here by looking at the state transition. 1971 S = Edge->getSrc()->getTerminator(); 1972 } 1973 1974 if (!S) 1975 return 0; 1976 1977 // FIXME: We will eventually need to handle non-statement-based events 1978 // (__attribute__((cleanup))). 1979 1980 // Find out if this is an interesting point and what is the kind. 1981 if (Mode == Normal) { 1982 if (isAllocated(RS, RSPrev, S)) { 1983 Msg = "Memory is allocated"; 1984 StackHint = new StackHintGeneratorForSymbol(Sym, 1985 "Returned allocated memory"); 1986 } else if (isReleased(RS, RSPrev, S)) { 1987 Msg = "Memory is released"; 1988 StackHint = new StackHintGeneratorForSymbol(Sym, 1989 "Returned released memory"); 1990 } else if (isRelinquished(RS, RSPrev, S)) { 1991 Msg = "Memory ownership is transfered"; 1992 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 1993 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 1994 Mode = ReallocationFailed; 1995 Msg = "Reallocation failed"; 1996 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 1997 "Reallocation failed"); 1998 1999 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2000 // Is it possible to fail two reallocs WITHOUT testing in between? 2001 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2002 "We only support one failed realloc at a time."); 2003 BR.markInteresting(sym); 2004 FailedReallocSymbol = sym; 2005 } 2006 } 2007 2008 // We are in a special mode if a reallocation failed later in the path. 2009 } else if (Mode == ReallocationFailed) { 2010 assert(FailedReallocSymbol && "No symbol to look for."); 2011 2012 // Is this is the first appearance of the reallocated symbol? 2013 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2014 // We're at the reallocation point. 2015 Msg = "Attempt to reallocate memory"; 2016 StackHint = new StackHintGeneratorForSymbol(Sym, 2017 "Returned reallocated memory"); 2018 FailedReallocSymbol = NULL; 2019 Mode = Normal; 2020 } 2021 } 2022 2023 if (!Msg) 2024 return 0; 2025 assert(StackHint); 2026 2027 // Generate the extra diagnostic. 2028 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2029 N->getLocationContext()); 2030 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 2031 } 2032 2033 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2034 const char *NL, const char *Sep) const { 2035 2036 RegionStateTy RS = State->get<RegionState>(); 2037 2038 if (!RS.isEmpty()) { 2039 Out << Sep << "MallocChecker:" << NL; 2040 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2041 I.getKey()->dumpToStream(Out); 2042 Out << " : "; 2043 I.getData().dump(Out); 2044 Out << NL; 2045 } 2046 } 2047 } 2048 2049 #define REGISTER_CHECKER(name) \ 2050 void ento::register##name(CheckerManager &mgr) {\ 2051 registerCStringCheckerBasic(mgr); \ 2052 mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\ 2053 } 2054 2055 REGISTER_CHECKER(MallocPessimistic) 2056 REGISTER_CHECKER(MallocOptimistic) 2057 REGISTER_CHECKER(NewDeleteChecker) 2058 REGISTER_CHECKER(MismatchedDeallocatorChecker) 2059