1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/AST/ParentMap.h" 19 #include "clang/Basic/SourceManager.h" 20 #include "clang/Basic/TargetInfo.h" 21 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 22 #include "clang/StaticAnalyzer/Core/Checker.h" 23 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 27 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 28 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 29 #include "llvm/ADT/ImmutableMap.h" 30 #include "llvm/ADT/STLExtras.h" 31 #include "llvm/ADT/SmallString.h" 32 #include "llvm/ADT/StringExtras.h" 33 #include <climits> 34 35 using namespace clang; 36 using namespace ento; 37 38 namespace { 39 40 // Used to check correspondence between allocators and deallocators. 41 enum AllocationFamily { 42 AF_None, 43 AF_Malloc, 44 AF_CXXNew, 45 AF_CXXNewArray, 46 AF_IfNameIndex 47 }; 48 49 class RefState { 50 enum Kind { // Reference to allocated memory. 51 Allocated, 52 // Reference to released/freed memory. 53 Released, 54 // The responsibility for freeing resources has transferred from 55 // this reference. A relinquished symbol should not be freed. 56 Relinquished, 57 // We are no longer guaranteed to have observed all manipulations 58 // of this pointer/memory. For example, it could have been 59 // passed as a parameter to an opaque function. 60 Escaped 61 }; 62 63 const Stmt *S; 64 unsigned K : 2; // Kind enum, but stored as a bitfield. 65 unsigned Family : 30; // Rest of 32-bit word, currently just an allocation 66 // family. 67 68 RefState(Kind k, const Stmt *s, unsigned family) 69 : S(s), K(k), Family(family) { 70 assert(family != AF_None); 71 } 72 public: 73 bool isAllocated() const { return K == Allocated; } 74 bool isReleased() const { return K == Released; } 75 bool isRelinquished() const { return K == Relinquished; } 76 bool isEscaped() const { return K == Escaped; } 77 AllocationFamily getAllocationFamily() const { 78 return (AllocationFamily)Family; 79 } 80 const Stmt *getStmt() const { return S; } 81 82 bool operator==(const RefState &X) const { 83 return K == X.K && S == X.S && Family == X.Family; 84 } 85 86 static RefState getAllocated(unsigned family, const Stmt *s) { 87 return RefState(Allocated, s, family); 88 } 89 static RefState getReleased(unsigned family, const Stmt *s) { 90 return RefState(Released, s, family); 91 } 92 static RefState getRelinquished(unsigned family, const Stmt *s) { 93 return RefState(Relinquished, s, family); 94 } 95 static RefState getEscaped(const RefState *RS) { 96 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 97 } 98 99 void Profile(llvm::FoldingSetNodeID &ID) const { 100 ID.AddInteger(K); 101 ID.AddPointer(S); 102 ID.AddInteger(Family); 103 } 104 105 void dump(raw_ostream &OS) const { 106 switch (static_cast<Kind>(K)) { 107 #define CASE(ID) case ID: OS << #ID; break; 108 CASE(Allocated) 109 CASE(Released) 110 CASE(Relinquished) 111 CASE(Escaped) 112 } 113 } 114 115 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 116 }; 117 118 enum ReallocPairKind { 119 RPToBeFreedAfterFailure, 120 // The symbol has been freed when reallocation failed. 121 RPIsFreeOnFailure, 122 // The symbol does not need to be freed after reallocation fails. 123 RPDoNotTrackAfterFailure 124 }; 125 126 /// \class ReallocPair 127 /// \brief Stores information about the symbol being reallocated by a call to 128 /// 'realloc' to allow modeling failed reallocation later in the path. 129 struct ReallocPair { 130 // \brief The symbol which realloc reallocated. 131 SymbolRef ReallocatedSym; 132 ReallocPairKind Kind; 133 134 ReallocPair(SymbolRef S, ReallocPairKind K) : 135 ReallocatedSym(S), Kind(K) {} 136 void Profile(llvm::FoldingSetNodeID &ID) const { 137 ID.AddInteger(Kind); 138 ID.AddPointer(ReallocatedSym); 139 } 140 bool operator==(const ReallocPair &X) const { 141 return ReallocatedSym == X.ReallocatedSym && 142 Kind == X.Kind; 143 } 144 }; 145 146 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 147 148 class MallocChecker : public Checker<check::DeadSymbols, 149 check::PointerEscape, 150 check::ConstPointerEscape, 151 check::PreStmt<ReturnStmt>, 152 check::PreCall, 153 check::PostStmt<CallExpr>, 154 check::PostStmt<CXXNewExpr>, 155 check::PreStmt<CXXDeleteExpr>, 156 check::PostStmt<BlockExpr>, 157 check::PostObjCMessage, 158 check::Location, 159 eval::Assume> 160 { 161 public: 162 MallocChecker() 163 : II_malloc(nullptr), II_free(nullptr), II_realloc(nullptr), 164 II_calloc(nullptr), II_valloc(nullptr), II_reallocf(nullptr), 165 II_strndup(nullptr), II_strdup(nullptr), II_kmalloc(nullptr), 166 II_if_nameindex(nullptr), II_if_freenameindex(nullptr) {} 167 168 /// In pessimistic mode, the checker assumes that it does not know which 169 /// functions might free the memory. 170 enum CheckKind { 171 CK_MallocPessimistic, 172 CK_MallocOptimistic, 173 CK_NewDeleteChecker, 174 CK_NewDeleteLeaksChecker, 175 CK_MismatchedDeallocatorChecker, 176 CK_NumCheckKinds 177 }; 178 179 enum class MemoryOperationKind { 180 MOK_Allocate, 181 MOK_Free, 182 MOK_Any 183 }; 184 185 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 186 CheckName CheckNames[CK_NumCheckKinds]; 187 188 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 189 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 190 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 191 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 192 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 193 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 194 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 195 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 196 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 197 bool Assumption) const; 198 void checkLocation(SVal l, bool isLoad, const Stmt *S, 199 CheckerContext &C) const; 200 201 ProgramStateRef checkPointerEscape(ProgramStateRef State, 202 const InvalidatedSymbols &Escaped, 203 const CallEvent *Call, 204 PointerEscapeKind Kind) const; 205 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 206 const InvalidatedSymbols &Escaped, 207 const CallEvent *Call, 208 PointerEscapeKind Kind) const; 209 210 void printState(raw_ostream &Out, ProgramStateRef State, 211 const char *NL, const char *Sep) const override; 212 213 private: 214 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 215 mutable std::unique_ptr<BugType> BT_DoubleDelete; 216 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; 217 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; 218 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; 219 mutable std::unique_ptr<BugType> BT_MismatchedDealloc; 220 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 221 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 222 *II_valloc, *II_reallocf, *II_strndup, *II_strdup, 223 *II_kmalloc, *II_if_nameindex, *II_if_freenameindex; 224 mutable Optional<uint64_t> KernelZeroFlagVal; 225 226 void initIdentifierInfo(ASTContext &C) const; 227 228 /// \brief Determine family of a deallocation expression. 229 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 230 231 /// \brief Print names of allocators and deallocators. 232 /// 233 /// \returns true on success. 234 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 235 const Expr *E) const; 236 237 /// \brief Print expected name of an allocator based on the deallocator's 238 /// family derived from the DeallocExpr. 239 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 240 const Expr *DeallocExpr) const; 241 /// \brief Print expected name of a deallocator based on the allocator's 242 /// family. 243 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 244 245 ///@{ 246 /// Check if this is one of the functions which can allocate/reallocate memory 247 /// pointed to by one of its arguments. 248 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 249 bool isCMemFunction(const FunctionDecl *FD, 250 ASTContext &C, 251 AllocationFamily Family, 252 MemoryOperationKind MemKind) const; 253 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 254 ///@} 255 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 256 const CallExpr *CE, 257 const OwnershipAttr* Att) const; 258 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 259 const Expr *SizeEx, SVal Init, 260 ProgramStateRef State, 261 AllocationFamily Family = AF_Malloc) { 262 return MallocMemAux(C, CE, 263 State->getSVal(SizeEx, C.getLocationContext()), 264 Init, State, Family); 265 } 266 267 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 268 SVal SizeEx, SVal Init, 269 ProgramStateRef State, 270 AllocationFamily Family = AF_Malloc); 271 272 // Check if this malloc() for special flags. At present that means M_ZERO or 273 // __GFP_ZERO (in which case, treat it like calloc). 274 llvm::Optional<ProgramStateRef> 275 performKernelMalloc(const CallExpr *CE, CheckerContext &C, 276 const ProgramStateRef &State) const; 277 278 /// Update the RefState to reflect the new memory allocation. 279 static ProgramStateRef 280 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 281 AllocationFamily Family = AF_Malloc); 282 283 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 284 const OwnershipAttr* Att) const; 285 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 286 ProgramStateRef state, unsigned Num, 287 bool Hold, 288 bool &ReleasedAllocated, 289 bool ReturnsNullOnFailure = false) const; 290 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 291 const Expr *ParentExpr, 292 ProgramStateRef State, 293 bool Hold, 294 bool &ReleasedAllocated, 295 bool ReturnsNullOnFailure = false) const; 296 297 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 298 bool FreesMemOnFailure) const; 299 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 300 301 ///\brief Check if the memory associated with this symbol was released. 302 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 303 304 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 305 306 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 307 308 /// Check if the function is known free memory, or if it is 309 /// "interesting" and should be modeled explicitly. 310 /// 311 /// \param [out] EscapingSymbol A function might not free memory in general, 312 /// but could be known to free a particular symbol. In this case, false is 313 /// returned and the single escaping symbol is returned through the out 314 /// parameter. 315 /// 316 /// We assume that pointers do not escape through calls to system functions 317 /// not handled by this checker. 318 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 319 ProgramStateRef State, 320 SymbolRef &EscapingSymbol) const; 321 322 // Implementation of the checkPointerEscape callabcks. 323 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 324 const InvalidatedSymbols &Escaped, 325 const CallEvent *Call, 326 PointerEscapeKind Kind, 327 bool(*CheckRefState)(const RefState*)) const; 328 329 ///@{ 330 /// Tells if a given family/call/symbol is tracked by the current checker. 331 /// Sets CheckKind to the kind of the checker responsible for this 332 /// family/call/symbol. 333 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family) const; 334 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, 335 const Stmt *AllocDeallocStmt) const; 336 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const; 337 ///@} 338 static bool SummarizeValue(raw_ostream &os, SVal V); 339 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 340 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 341 const Expr *DeallocExpr) const; 342 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 343 const Expr *DeallocExpr, const RefState *RS, 344 SymbolRef Sym, bool OwnershipTransferred) const; 345 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 346 const Expr *DeallocExpr, 347 const Expr *AllocExpr = nullptr) const; 348 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 349 SymbolRef Sym) const; 350 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 351 SymbolRef Sym, SymbolRef PrevSym) const; 352 353 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 354 355 /// Find the location of the allocation for Sym on the path leading to the 356 /// exploded node N. 357 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 358 CheckerContext &C) const; 359 360 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 361 362 /// The bug visitor which allows us to print extra diagnostics along the 363 /// BugReport path. For example, showing the allocation site of the leaked 364 /// region. 365 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 366 protected: 367 enum NotificationMode { 368 Normal, 369 ReallocationFailed 370 }; 371 372 // The allocated region symbol tracked by the main analysis. 373 SymbolRef Sym; 374 375 // The mode we are in, i.e. what kind of diagnostics will be emitted. 376 NotificationMode Mode; 377 378 // A symbol from when the primary region should have been reallocated. 379 SymbolRef FailedReallocSymbol; 380 381 bool IsLeak; 382 383 public: 384 MallocBugVisitor(SymbolRef S, bool isLeak = false) 385 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), IsLeak(isLeak) {} 386 387 virtual ~MallocBugVisitor() {} 388 389 void Profile(llvm::FoldingSetNodeID &ID) const override { 390 static int X = 0; 391 ID.AddPointer(&X); 392 ID.AddPointer(Sym); 393 } 394 395 inline bool isAllocated(const RefState *S, const RefState *SPrev, 396 const Stmt *Stmt) { 397 // Did not track -> allocated. Other state (released) -> allocated. 398 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 399 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 400 } 401 402 inline bool isReleased(const RefState *S, const RefState *SPrev, 403 const Stmt *Stmt) { 404 // Did not track -> released. Other state (allocated) -> released. 405 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 406 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 407 } 408 409 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 410 const Stmt *Stmt) { 411 // Did not track -> relinquished. Other state (allocated) -> relinquished. 412 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 413 isa<ObjCPropertyRefExpr>(Stmt)) && 414 (S && S->isRelinquished()) && 415 (!SPrev || !SPrev->isRelinquished())); 416 } 417 418 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 419 const Stmt *Stmt) { 420 // If the expression is not a call, and the state change is 421 // released -> allocated, it must be the realloc return value 422 // check. If we have to handle more cases here, it might be cleaner just 423 // to track this extra bit in the state itself. 424 return ((!Stmt || !isa<CallExpr>(Stmt)) && 425 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 426 } 427 428 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 429 const ExplodedNode *PrevN, 430 BugReporterContext &BRC, 431 BugReport &BR) override; 432 433 std::unique_ptr<PathDiagnosticPiece> 434 getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode, 435 BugReport &BR) override { 436 if (!IsLeak) 437 return nullptr; 438 439 PathDiagnosticLocation L = 440 PathDiagnosticLocation::createEndOfPath(EndPathNode, 441 BRC.getSourceManager()); 442 // Do not add the statement itself as a range in case of leak. 443 return llvm::make_unique<PathDiagnosticEventPiece>(L, BR.getDescription(), 444 false); 445 } 446 447 private: 448 class StackHintGeneratorForReallocationFailed 449 : public StackHintGeneratorForSymbol { 450 public: 451 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 452 : StackHintGeneratorForSymbol(S, M) {} 453 454 std::string getMessageForArg(const Expr *ArgE, 455 unsigned ArgIndex) override { 456 // Printed parameters start at 1, not 0. 457 ++ArgIndex; 458 459 SmallString<200> buf; 460 llvm::raw_svector_ostream os(buf); 461 462 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 463 << " parameter failed"; 464 465 return os.str(); 466 } 467 468 std::string getMessageForReturn(const CallExpr *CallExpr) override { 469 return "Reallocation of returned value failed"; 470 } 471 }; 472 }; 473 }; 474 } // end anonymous namespace 475 476 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 477 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 478 479 // A map from the freed symbol to the symbol representing the return value of 480 // the free function. 481 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 482 483 namespace { 484 class StopTrackingCallback : public SymbolVisitor { 485 ProgramStateRef state; 486 public: 487 StopTrackingCallback(ProgramStateRef st) : state(st) {} 488 ProgramStateRef getState() const { return state; } 489 490 bool VisitSymbol(SymbolRef sym) override { 491 state = state->remove<RegionState>(sym); 492 return true; 493 } 494 }; 495 } // end anonymous namespace 496 497 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 498 if (II_malloc) 499 return; 500 II_malloc = &Ctx.Idents.get("malloc"); 501 II_free = &Ctx.Idents.get("free"); 502 II_realloc = &Ctx.Idents.get("realloc"); 503 II_reallocf = &Ctx.Idents.get("reallocf"); 504 II_calloc = &Ctx.Idents.get("calloc"); 505 II_valloc = &Ctx.Idents.get("valloc"); 506 II_strdup = &Ctx.Idents.get("strdup"); 507 II_strndup = &Ctx.Idents.get("strndup"); 508 II_kmalloc = &Ctx.Idents.get("kmalloc"); 509 II_if_nameindex = &Ctx.Idents.get("if_nameindex"); 510 II_if_freenameindex = &Ctx.Idents.get("if_freenameindex"); 511 } 512 513 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 514 if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any)) 515 return true; 516 517 if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 518 return true; 519 520 if (isStandardNewDelete(FD, C)) 521 return true; 522 523 return false; 524 } 525 526 bool MallocChecker::isCMemFunction(const FunctionDecl *FD, 527 ASTContext &C, 528 AllocationFamily Family, 529 MemoryOperationKind MemKind) const { 530 if (!FD) 531 return false; 532 533 bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any || 534 MemKind == MemoryOperationKind::MOK_Free); 535 bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any || 536 MemKind == MemoryOperationKind::MOK_Allocate); 537 538 if (FD->getKind() == Decl::Function) { 539 const IdentifierInfo *FunI = FD->getIdentifier(); 540 initIdentifierInfo(C); 541 542 if (Family == AF_Malloc && CheckFree) { 543 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 544 return true; 545 } 546 547 if (Family == AF_Malloc && CheckAlloc) { 548 if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf || 549 FunI == II_calloc || FunI == II_valloc || FunI == II_strdup || 550 FunI == II_strndup || FunI == II_kmalloc) 551 return true; 552 } 553 554 if (Family == AF_IfNameIndex && CheckFree) { 555 if (FunI == II_if_freenameindex) 556 return true; 557 } 558 559 if (Family == AF_IfNameIndex && CheckAlloc) { 560 if (FunI == II_if_nameindex) 561 return true; 562 } 563 } 564 565 if (Family != AF_Malloc) 566 return false; 567 568 if (ChecksEnabled[CK_MallocOptimistic] && FD->hasAttrs()) { 569 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 570 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 571 if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) { 572 if (CheckFree) 573 return true; 574 } else if (OwnKind == OwnershipAttr::Returns) { 575 if (CheckAlloc) 576 return true; 577 } 578 } 579 } 580 581 return false; 582 } 583 584 // Tells if the callee is one of the following: 585 // 1) A global non-placement new/delete operator function. 586 // 2) A global placement operator function with the single placement argument 587 // of type std::nothrow_t. 588 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 589 ASTContext &C) const { 590 if (!FD) 591 return false; 592 593 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 594 if (Kind != OO_New && Kind != OO_Array_New && 595 Kind != OO_Delete && Kind != OO_Array_Delete) 596 return false; 597 598 // Skip all operator new/delete methods. 599 if (isa<CXXMethodDecl>(FD)) 600 return false; 601 602 // Return true if tested operator is a standard placement nothrow operator. 603 if (FD->getNumParams() == 2) { 604 QualType T = FD->getParamDecl(1)->getType(); 605 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 606 return II->getName().equals("nothrow_t"); 607 } 608 609 // Skip placement operators. 610 if (FD->getNumParams() != 1 || FD->isVariadic()) 611 return false; 612 613 // One of the standard new/new[]/delete/delete[] non-placement operators. 614 return true; 615 } 616 617 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc( 618 const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const { 619 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: 620 // 621 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); 622 // 623 // One of the possible flags is M_ZERO, which means 'give me back an 624 // allocation which is already zeroed', like calloc. 625 626 // 2-argument kmalloc(), as used in the Linux kernel: 627 // 628 // void *kmalloc(size_t size, gfp_t flags); 629 // 630 // Has the similar flag value __GFP_ZERO. 631 632 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some 633 // code could be shared. 634 635 ASTContext &Ctx = C.getASTContext(); 636 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); 637 638 if (!KernelZeroFlagVal.hasValue()) { 639 if (OS == llvm::Triple::FreeBSD) 640 KernelZeroFlagVal = 0x0100; 641 else if (OS == llvm::Triple::NetBSD) 642 KernelZeroFlagVal = 0x0002; 643 else if (OS == llvm::Triple::OpenBSD) 644 KernelZeroFlagVal = 0x0008; 645 else if (OS == llvm::Triple::Linux) 646 // __GFP_ZERO 647 KernelZeroFlagVal = 0x8000; 648 else 649 // FIXME: We need a more general way of getting the M_ZERO value. 650 // See also: O_CREAT in UnixAPIChecker.cpp. 651 652 // Fall back to normal malloc behavior on platforms where we don't 653 // know M_ZERO. 654 return None; 655 } 656 657 // We treat the last argument as the flags argument, and callers fall-back to 658 // normal malloc on a None return. This works for the FreeBSD kernel malloc 659 // as well as Linux kmalloc. 660 if (CE->getNumArgs() < 2) 661 return None; 662 663 const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1); 664 const SVal V = State->getSVal(FlagsEx, C.getLocationContext()); 665 if (!V.getAs<NonLoc>()) { 666 // The case where 'V' can be a location can only be due to a bad header, 667 // so in this case bail out. 668 return None; 669 } 670 671 NonLoc Flags = V.castAs<NonLoc>(); 672 NonLoc ZeroFlag = C.getSValBuilder() 673 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) 674 .castAs<NonLoc>(); 675 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, 676 Flags, ZeroFlag, 677 FlagsEx->getType()); 678 if (MaskedFlagsUC.isUnknownOrUndef()) 679 return None; 680 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); 681 682 // Check if maskedFlags is non-zero. 683 ProgramStateRef TrueState, FalseState; 684 std::tie(TrueState, FalseState) = State->assume(MaskedFlags); 685 686 // If M_ZERO is set, treat this like calloc (initialized). 687 if (TrueState && !FalseState) { 688 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); 689 return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState); 690 } 691 692 return None; 693 } 694 695 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 696 if (C.wasInlined) 697 return; 698 699 const FunctionDecl *FD = C.getCalleeDecl(CE); 700 if (!FD) 701 return; 702 703 ProgramStateRef State = C.getState(); 704 bool ReleasedAllocatedMemory = false; 705 706 if (FD->getKind() == Decl::Function) { 707 initIdentifierInfo(C.getASTContext()); 708 IdentifierInfo *FunI = FD->getIdentifier(); 709 710 if (FunI == II_malloc) { 711 if (CE->getNumArgs() < 1) 712 return; 713 if (CE->getNumArgs() < 3) { 714 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 715 } else if (CE->getNumArgs() == 3) { 716 llvm::Optional<ProgramStateRef> MaybeState = 717 performKernelMalloc(CE, C, State); 718 if (MaybeState.hasValue()) 719 State = MaybeState.getValue(); 720 else 721 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 722 } 723 } else if (FunI == II_kmalloc) { 724 llvm::Optional<ProgramStateRef> MaybeState = 725 performKernelMalloc(CE, C, State); 726 if (MaybeState.hasValue()) 727 State = MaybeState.getValue(); 728 else 729 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 730 } else if (FunI == II_valloc) { 731 if (CE->getNumArgs() < 1) 732 return; 733 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 734 } else if (FunI == II_realloc) { 735 State = ReallocMem(C, CE, false); 736 } else if (FunI == II_reallocf) { 737 State = ReallocMem(C, CE, true); 738 } else if (FunI == II_calloc) { 739 State = CallocMem(C, CE); 740 } else if (FunI == II_free) { 741 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 742 } else if (FunI == II_strdup) { 743 State = MallocUpdateRefState(C, CE, State); 744 } else if (FunI == II_strndup) { 745 State = MallocUpdateRefState(C, CE, State); 746 } 747 else if (isStandardNewDelete(FD, C.getASTContext())) { 748 // Process direct calls to operator new/new[]/delete/delete[] functions 749 // as distinct from new/new[]/delete/delete[] expressions that are 750 // processed by the checkPostStmt callbacks for CXXNewExpr and 751 // CXXDeleteExpr. 752 OverloadedOperatorKind K = FD->getOverloadedOperator(); 753 if (K == OO_New) 754 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 755 AF_CXXNew); 756 else if (K == OO_Array_New) 757 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 758 AF_CXXNewArray); 759 else if (K == OO_Delete || K == OO_Array_Delete) 760 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 761 else 762 llvm_unreachable("not a new/delete operator"); 763 } else if (FunI == II_if_nameindex) { 764 // Should we model this differently? We can allocate a fixed number of 765 // elements with zeros in the last one. 766 State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, 767 AF_IfNameIndex); 768 } else if (FunI == II_if_freenameindex) { 769 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 770 } 771 } 772 773 if (ChecksEnabled[CK_MallocOptimistic] || 774 ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 775 // Check all the attributes, if there are any. 776 // There can be multiple of these attributes. 777 if (FD->hasAttrs()) 778 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 779 switch (I->getOwnKind()) { 780 case OwnershipAttr::Returns: 781 State = MallocMemReturnsAttr(C, CE, I); 782 break; 783 case OwnershipAttr::Takes: 784 case OwnershipAttr::Holds: 785 State = FreeMemAttr(C, CE, I); 786 break; 787 } 788 } 789 } 790 C.addTransition(State); 791 } 792 793 static QualType getDeepPointeeType(QualType T) { 794 QualType Result = T, PointeeType = T->getPointeeType(); 795 while (!PointeeType.isNull()) { 796 Result = PointeeType; 797 PointeeType = PointeeType->getPointeeType(); 798 } 799 return Result; 800 } 801 802 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) { 803 804 const CXXConstructExpr *ConstructE = NE->getConstructExpr(); 805 if (!ConstructE) 806 return false; 807 808 if (!NE->getAllocatedType()->getAsCXXRecordDecl()) 809 return false; 810 811 const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); 812 813 // Iterate over the constructor parameters. 814 for (const auto *CtorParam : CtorD->params()) { 815 816 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); 817 if (CtorParamPointeeT.isNull()) 818 continue; 819 820 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); 821 822 if (CtorParamPointeeT->getAsCXXRecordDecl()) 823 return true; 824 } 825 826 return false; 827 } 828 829 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 830 CheckerContext &C) const { 831 832 if (NE->getNumPlacementArgs()) 833 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 834 E = NE->placement_arg_end(); I != E; ++I) 835 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 836 checkUseAfterFree(Sym, C, *I); 837 838 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 839 return; 840 841 ParentMap &PM = C.getLocationContext()->getParentMap(); 842 if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE)) 843 return; 844 845 ProgramStateRef State = C.getState(); 846 // The return value from operator new is bound to a specified initialization 847 // value (if any) and we don't want to loose this value. So we call 848 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 849 // existing binding. 850 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 851 : AF_CXXNew); 852 C.addTransition(State); 853 } 854 855 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 856 CheckerContext &C) const { 857 858 if (!ChecksEnabled[CK_NewDeleteChecker]) 859 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 860 checkUseAfterFree(Sym, C, DE->getArgument()); 861 862 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 863 return; 864 865 ProgramStateRef State = C.getState(); 866 bool ReleasedAllocated; 867 State = FreeMemAux(C, DE->getArgument(), DE, State, 868 /*Hold*/false, ReleasedAllocated); 869 870 C.addTransition(State); 871 } 872 873 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 874 // If the first selector piece is one of the names below, assume that the 875 // object takes ownership of the memory, promising to eventually deallocate it 876 // with free(). 877 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 878 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 879 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 880 if (FirstSlot == "dataWithBytesNoCopy" || 881 FirstSlot == "initWithBytesNoCopy" || 882 FirstSlot == "initWithCharactersNoCopy") 883 return true; 884 885 return false; 886 } 887 888 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 889 Selector S = Call.getSelector(); 890 891 // FIXME: We should not rely on fully-constrained symbols being folded. 892 for (unsigned i = 1; i < S.getNumArgs(); ++i) 893 if (S.getNameForSlot(i).equals("freeWhenDone")) 894 return !Call.getArgSVal(i).isZeroConstant(); 895 896 return None; 897 } 898 899 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 900 CheckerContext &C) const { 901 if (C.wasInlined) 902 return; 903 904 if (!isKnownDeallocObjCMethodName(Call)) 905 return; 906 907 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 908 if (!*FreeWhenDone) 909 return; 910 911 bool ReleasedAllocatedMemory; 912 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 913 Call.getOriginExpr(), C.getState(), 914 /*Hold=*/true, ReleasedAllocatedMemory, 915 /*RetNullOnFailure=*/true); 916 917 C.addTransition(State); 918 } 919 920 ProgramStateRef 921 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, 922 const OwnershipAttr *Att) const { 923 if (Att->getModule() != II_malloc) 924 return nullptr; 925 926 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 927 if (I != E) { 928 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 929 } 930 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 931 } 932 933 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 934 const CallExpr *CE, 935 SVal Size, SVal Init, 936 ProgramStateRef State, 937 AllocationFamily Family) { 938 939 // We expect the malloc functions to return a pointer. 940 if (!Loc::isLocType(CE->getType())) 941 return nullptr; 942 943 // Bind the return value to the symbolic value from the heap region. 944 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 945 // side effects other than what we model here. 946 unsigned Count = C.blockCount(); 947 SValBuilder &svalBuilder = C.getSValBuilder(); 948 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 949 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 950 .castAs<DefinedSVal>(); 951 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 952 953 // Fill the region with the initialization value. 954 State = State->bindDefault(RetVal, Init); 955 956 // Set the region's extent equal to the Size parameter. 957 const SymbolicRegion *R = 958 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 959 if (!R) 960 return nullptr; 961 if (Optional<DefinedOrUnknownSVal> DefinedSize = 962 Size.getAs<DefinedOrUnknownSVal>()) { 963 SValBuilder &svalBuilder = C.getSValBuilder(); 964 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 965 DefinedOrUnknownSVal extentMatchesSize = 966 svalBuilder.evalEQ(State, Extent, *DefinedSize); 967 968 State = State->assume(extentMatchesSize, true); 969 assert(State); 970 } 971 972 return MallocUpdateRefState(C, CE, State, Family); 973 } 974 975 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 976 const Expr *E, 977 ProgramStateRef State, 978 AllocationFamily Family) { 979 // Get the return value. 980 SVal retVal = State->getSVal(E, C.getLocationContext()); 981 982 // We expect the malloc functions to return a pointer. 983 if (!retVal.getAs<Loc>()) 984 return nullptr; 985 986 SymbolRef Sym = retVal.getAsLocSymbol(); 987 assert(Sym); 988 989 // Set the symbol's state to Allocated. 990 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 991 } 992 993 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 994 const CallExpr *CE, 995 const OwnershipAttr *Att) const { 996 if (Att->getModule() != II_malloc) 997 return nullptr; 998 999 ProgramStateRef State = C.getState(); 1000 bool ReleasedAllocated = false; 1001 1002 for (const auto &Arg : Att->args()) { 1003 ProgramStateRef StateI = FreeMemAux(C, CE, State, Arg, 1004 Att->getOwnKind() == OwnershipAttr::Holds, 1005 ReleasedAllocated); 1006 if (StateI) 1007 State = StateI; 1008 } 1009 return State; 1010 } 1011 1012 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1013 const CallExpr *CE, 1014 ProgramStateRef state, 1015 unsigned Num, 1016 bool Hold, 1017 bool &ReleasedAllocated, 1018 bool ReturnsNullOnFailure) const { 1019 if (CE->getNumArgs() < (Num + 1)) 1020 return nullptr; 1021 1022 return FreeMemAux(C, CE->getArg(Num), CE, state, Hold, 1023 ReleasedAllocated, ReturnsNullOnFailure); 1024 } 1025 1026 /// Checks if the previous call to free on the given symbol failed - if free 1027 /// failed, returns true. Also, returns the corresponding return value symbol. 1028 static bool didPreviousFreeFail(ProgramStateRef State, 1029 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 1030 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 1031 if (Ret) { 1032 assert(*Ret && "We should not store the null return symbol"); 1033 ConstraintManager &CMgr = State->getConstraintManager(); 1034 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 1035 RetStatusSymbol = *Ret; 1036 return FreeFailed.isConstrainedTrue(); 1037 } 1038 return false; 1039 } 1040 1041 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 1042 const Stmt *S) const { 1043 if (!S) 1044 return AF_None; 1045 1046 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1047 const FunctionDecl *FD = C.getCalleeDecl(CE); 1048 1049 if (!FD) 1050 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 1051 1052 ASTContext &Ctx = C.getASTContext(); 1053 1054 if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any)) 1055 return AF_Malloc; 1056 1057 if (isStandardNewDelete(FD, Ctx)) { 1058 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 1059 if (Kind == OO_New || Kind == OO_Delete) 1060 return AF_CXXNew; 1061 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 1062 return AF_CXXNewArray; 1063 } 1064 1065 if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 1066 return AF_IfNameIndex; 1067 1068 return AF_None; 1069 } 1070 1071 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 1072 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 1073 1074 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 1075 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 1076 1077 if (isa<ObjCMessageExpr>(S)) 1078 return AF_Malloc; 1079 1080 return AF_None; 1081 } 1082 1083 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 1084 const Expr *E) const { 1085 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1086 // FIXME: This doesn't handle indirect calls. 1087 const FunctionDecl *FD = CE->getDirectCallee(); 1088 if (!FD) 1089 return false; 1090 1091 os << *FD; 1092 if (!FD->isOverloadedOperator()) 1093 os << "()"; 1094 return true; 1095 } 1096 1097 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 1098 if (Msg->isInstanceMessage()) 1099 os << "-"; 1100 else 1101 os << "+"; 1102 Msg->getSelector().print(os); 1103 return true; 1104 } 1105 1106 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1107 os << "'" 1108 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 1109 << "'"; 1110 return true; 1111 } 1112 1113 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 1114 os << "'" 1115 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 1116 << "'"; 1117 return true; 1118 } 1119 1120 return false; 1121 } 1122 1123 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 1124 const Expr *E) const { 1125 AllocationFamily Family = getAllocationFamily(C, E); 1126 1127 switch(Family) { 1128 case AF_Malloc: os << "malloc()"; return; 1129 case AF_CXXNew: os << "'new'"; return; 1130 case AF_CXXNewArray: os << "'new[]'"; return; 1131 case AF_IfNameIndex: os << "'if_nameindex()'"; return; 1132 case AF_None: llvm_unreachable("not a deallocation expression"); 1133 } 1134 } 1135 1136 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 1137 AllocationFamily Family) const { 1138 switch(Family) { 1139 case AF_Malloc: os << "free()"; return; 1140 case AF_CXXNew: os << "'delete'"; return; 1141 case AF_CXXNewArray: os << "'delete[]'"; return; 1142 case AF_IfNameIndex: os << "'if_freenameindex()'"; return; 1143 case AF_None: llvm_unreachable("suspicious AF_None argument"); 1144 } 1145 } 1146 1147 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1148 const Expr *ArgExpr, 1149 const Expr *ParentExpr, 1150 ProgramStateRef State, 1151 bool Hold, 1152 bool &ReleasedAllocated, 1153 bool ReturnsNullOnFailure) const { 1154 1155 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 1156 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 1157 return nullptr; 1158 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 1159 1160 // Check for null dereferences. 1161 if (!location.getAs<Loc>()) 1162 return nullptr; 1163 1164 // The explicit NULL case, no operation is performed. 1165 ProgramStateRef notNullState, nullState; 1166 std::tie(notNullState, nullState) = State->assume(location); 1167 if (nullState && !notNullState) 1168 return nullptr; 1169 1170 // Unknown values could easily be okay 1171 // Undefined values are handled elsewhere 1172 if (ArgVal.isUnknownOrUndef()) 1173 return nullptr; 1174 1175 const MemRegion *R = ArgVal.getAsRegion(); 1176 1177 // Nonlocs can't be freed, of course. 1178 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 1179 if (!R) { 1180 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1181 return nullptr; 1182 } 1183 1184 R = R->StripCasts(); 1185 1186 // Blocks might show up as heap data, but should not be free()d 1187 if (isa<BlockDataRegion>(R)) { 1188 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1189 return nullptr; 1190 } 1191 1192 const MemSpaceRegion *MS = R->getMemorySpace(); 1193 1194 // Parameters, locals, statics, globals, and memory returned by alloca() 1195 // shouldn't be freed. 1196 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1197 // FIXME: at the time this code was written, malloc() regions were 1198 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1199 // This means that there isn't actually anything from HeapSpaceRegion 1200 // that should be freed, even though we allow it here. 1201 // Of course, free() can work on memory allocated outside the current 1202 // function, so UnknownSpaceRegion is always a possibility. 1203 // False negatives are better than false positives. 1204 1205 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1206 return nullptr; 1207 } 1208 1209 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1210 // Various cases could lead to non-symbol values here. 1211 // For now, ignore them. 1212 if (!SrBase) 1213 return nullptr; 1214 1215 SymbolRef SymBase = SrBase->getSymbol(); 1216 const RefState *RsBase = State->get<RegionState>(SymBase); 1217 SymbolRef PreviousRetStatusSymbol = nullptr; 1218 1219 if (RsBase) { 1220 1221 // Check for double free first. 1222 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1223 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1224 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1225 SymBase, PreviousRetStatusSymbol); 1226 return nullptr; 1227 1228 // If the pointer is allocated or escaped, but we are now trying to free it, 1229 // check that the call to free is proper. 1230 } else if (RsBase->isAllocated() || RsBase->isEscaped()) { 1231 1232 // Check if an expected deallocation function matches the real one. 1233 bool DeallocMatchesAlloc = 1234 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1235 if (!DeallocMatchesAlloc) { 1236 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1237 ParentExpr, RsBase, SymBase, Hold); 1238 return nullptr; 1239 } 1240 1241 // Check if the memory location being freed is the actual location 1242 // allocated, or an offset. 1243 RegionOffset Offset = R->getAsOffset(); 1244 if (Offset.isValid() && 1245 !Offset.hasSymbolicOffset() && 1246 Offset.getOffset() != 0) { 1247 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1248 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1249 AllocExpr); 1250 return nullptr; 1251 } 1252 } 1253 } 1254 1255 ReleasedAllocated = (RsBase != nullptr) && RsBase->isAllocated(); 1256 1257 // Clean out the info on previous call to free return info. 1258 State = State->remove<FreeReturnValue>(SymBase); 1259 1260 // Keep track of the return value. If it is NULL, we will know that free 1261 // failed. 1262 if (ReturnsNullOnFailure) { 1263 SVal RetVal = C.getSVal(ParentExpr); 1264 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1265 if (RetStatusSymbol) { 1266 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1267 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1268 } 1269 } 1270 1271 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() 1272 : getAllocationFamily(C, ParentExpr); 1273 // Normal free. 1274 if (Hold) 1275 return State->set<RegionState>(SymBase, 1276 RefState::getRelinquished(Family, 1277 ParentExpr)); 1278 1279 return State->set<RegionState>(SymBase, 1280 RefState::getReleased(Family, ParentExpr)); 1281 } 1282 1283 Optional<MallocChecker::CheckKind> 1284 MallocChecker::getCheckIfTracked(AllocationFamily Family) const { 1285 switch (Family) { 1286 case AF_Malloc: 1287 case AF_IfNameIndex: { 1288 if (ChecksEnabled[CK_MallocOptimistic]) { 1289 return CK_MallocOptimistic; 1290 } else if (ChecksEnabled[CK_MallocPessimistic]) { 1291 return CK_MallocPessimistic; 1292 } 1293 return Optional<MallocChecker::CheckKind>(); 1294 } 1295 case AF_CXXNew: 1296 case AF_CXXNewArray: { 1297 if (ChecksEnabled[CK_NewDeleteChecker]) { 1298 return CK_NewDeleteChecker; 1299 } 1300 return Optional<MallocChecker::CheckKind>(); 1301 } 1302 case AF_None: { 1303 llvm_unreachable("no family"); 1304 } 1305 } 1306 llvm_unreachable("unhandled family"); 1307 } 1308 1309 Optional<MallocChecker::CheckKind> 1310 MallocChecker::getCheckIfTracked(CheckerContext &C, 1311 const Stmt *AllocDeallocStmt) const { 1312 return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt)); 1313 } 1314 1315 Optional<MallocChecker::CheckKind> 1316 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const { 1317 1318 const RefState *RS = C.getState()->get<RegionState>(Sym); 1319 assert(RS); 1320 return getCheckIfTracked(RS->getAllocationFamily()); 1321 } 1322 1323 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1324 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1325 os << "an integer (" << IntVal->getValue() << ")"; 1326 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1327 os << "a constant address (" << ConstAddr->getValue() << ")"; 1328 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1329 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1330 else 1331 return false; 1332 1333 return true; 1334 } 1335 1336 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1337 const MemRegion *MR) { 1338 switch (MR->getKind()) { 1339 case MemRegion::FunctionTextRegionKind: { 1340 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 1341 if (FD) 1342 os << "the address of the function '" << *FD << '\''; 1343 else 1344 os << "the address of a function"; 1345 return true; 1346 } 1347 case MemRegion::BlockTextRegionKind: 1348 os << "block text"; 1349 return true; 1350 case MemRegion::BlockDataRegionKind: 1351 // FIXME: where the block came from? 1352 os << "a block"; 1353 return true; 1354 default: { 1355 const MemSpaceRegion *MS = MR->getMemorySpace(); 1356 1357 if (isa<StackLocalsSpaceRegion>(MS)) { 1358 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1359 const VarDecl *VD; 1360 if (VR) 1361 VD = VR->getDecl(); 1362 else 1363 VD = nullptr; 1364 1365 if (VD) 1366 os << "the address of the local variable '" << VD->getName() << "'"; 1367 else 1368 os << "the address of a local stack variable"; 1369 return true; 1370 } 1371 1372 if (isa<StackArgumentsSpaceRegion>(MS)) { 1373 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1374 const VarDecl *VD; 1375 if (VR) 1376 VD = VR->getDecl(); 1377 else 1378 VD = nullptr; 1379 1380 if (VD) 1381 os << "the address of the parameter '" << VD->getName() << "'"; 1382 else 1383 os << "the address of a parameter"; 1384 return true; 1385 } 1386 1387 if (isa<GlobalsSpaceRegion>(MS)) { 1388 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1389 const VarDecl *VD; 1390 if (VR) 1391 VD = VR->getDecl(); 1392 else 1393 VD = nullptr; 1394 1395 if (VD) { 1396 if (VD->isStaticLocal()) 1397 os << "the address of the static variable '" << VD->getName() << "'"; 1398 else 1399 os << "the address of the global variable '" << VD->getName() << "'"; 1400 } else 1401 os << "the address of a global variable"; 1402 return true; 1403 } 1404 1405 return false; 1406 } 1407 } 1408 } 1409 1410 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1411 SourceRange Range, 1412 const Expr *DeallocExpr) const { 1413 1414 if (!ChecksEnabled[CK_MallocOptimistic] && 1415 !ChecksEnabled[CK_MallocPessimistic] && 1416 !ChecksEnabled[CK_NewDeleteChecker]) 1417 return; 1418 1419 Optional<MallocChecker::CheckKind> CheckKind = 1420 getCheckIfTracked(C, DeallocExpr); 1421 if (!CheckKind.hasValue()) 1422 return; 1423 1424 if (ExplodedNode *N = C.generateSink()) { 1425 if (!BT_BadFree[*CheckKind]) 1426 BT_BadFree[*CheckKind].reset( 1427 new BugType(CheckNames[*CheckKind], "Bad free", "Memory Error")); 1428 1429 SmallString<100> buf; 1430 llvm::raw_svector_ostream os(buf); 1431 1432 const MemRegion *MR = ArgVal.getAsRegion(); 1433 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1434 MR = ER->getSuperRegion(); 1435 1436 if (MR && isa<AllocaRegion>(MR)) 1437 os << "Memory allocated by alloca() should not be deallocated"; 1438 else { 1439 os << "Argument to "; 1440 if (!printAllocDeallocName(os, C, DeallocExpr)) 1441 os << "deallocator"; 1442 1443 os << " is "; 1444 bool Summarized = MR ? SummarizeRegion(os, MR) 1445 : SummarizeValue(os, ArgVal); 1446 if (Summarized) 1447 os << ", which is not memory allocated by "; 1448 else 1449 os << "not memory allocated by "; 1450 1451 printExpectedAllocName(os, C, DeallocExpr); 1452 } 1453 1454 BugReport *R = new BugReport(*BT_BadFree[*CheckKind], os.str(), N); 1455 R->markInteresting(MR); 1456 R->addRange(Range); 1457 C.emitReport(R); 1458 } 1459 } 1460 1461 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1462 SourceRange Range, 1463 const Expr *DeallocExpr, 1464 const RefState *RS, 1465 SymbolRef Sym, 1466 bool OwnershipTransferred) const { 1467 1468 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1469 return; 1470 1471 if (ExplodedNode *N = C.generateSink()) { 1472 if (!BT_MismatchedDealloc) 1473 BT_MismatchedDealloc.reset( 1474 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 1475 "Bad deallocator", "Memory Error")); 1476 1477 SmallString<100> buf; 1478 llvm::raw_svector_ostream os(buf); 1479 1480 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1481 SmallString<20> AllocBuf; 1482 llvm::raw_svector_ostream AllocOs(AllocBuf); 1483 SmallString<20> DeallocBuf; 1484 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1485 1486 if (OwnershipTransferred) { 1487 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1488 os << DeallocOs.str() << " cannot"; 1489 else 1490 os << "Cannot"; 1491 1492 os << " take ownership of memory"; 1493 1494 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1495 os << " allocated by " << AllocOs.str(); 1496 } else { 1497 os << "Memory"; 1498 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1499 os << " allocated by " << AllocOs.str(); 1500 1501 os << " should be deallocated by "; 1502 printExpectedDeallocName(os, RS->getAllocationFamily()); 1503 1504 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1505 os << ", not " << DeallocOs.str(); 1506 } 1507 1508 BugReport *R = new BugReport(*BT_MismatchedDealloc, os.str(), N); 1509 R->markInteresting(Sym); 1510 R->addRange(Range); 1511 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1512 C.emitReport(R); 1513 } 1514 } 1515 1516 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1517 SourceRange Range, const Expr *DeallocExpr, 1518 const Expr *AllocExpr) const { 1519 1520 if (!ChecksEnabled[CK_MallocOptimistic] && 1521 !ChecksEnabled[CK_MallocPessimistic] && 1522 !ChecksEnabled[CK_NewDeleteChecker]) 1523 return; 1524 1525 Optional<MallocChecker::CheckKind> CheckKind = 1526 getCheckIfTracked(C, AllocExpr); 1527 if (!CheckKind.hasValue()) 1528 return; 1529 1530 ExplodedNode *N = C.generateSink(); 1531 if (!N) 1532 return; 1533 1534 if (!BT_OffsetFree[*CheckKind]) 1535 BT_OffsetFree[*CheckKind].reset( 1536 new BugType(CheckNames[*CheckKind], "Offset free", "Memory Error")); 1537 1538 SmallString<100> buf; 1539 llvm::raw_svector_ostream os(buf); 1540 SmallString<20> AllocNameBuf; 1541 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1542 1543 const MemRegion *MR = ArgVal.getAsRegion(); 1544 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1545 1546 RegionOffset Offset = MR->getAsOffset(); 1547 assert((Offset.isValid() && 1548 !Offset.hasSymbolicOffset() && 1549 Offset.getOffset() != 0) && 1550 "Only symbols with a valid offset can have offset free errors"); 1551 1552 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1553 1554 os << "Argument to "; 1555 if (!printAllocDeallocName(os, C, DeallocExpr)) 1556 os << "deallocator"; 1557 os << " is offset by " 1558 << offsetBytes 1559 << " " 1560 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1561 << " from the start of "; 1562 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1563 os << "memory allocated by " << AllocNameOs.str(); 1564 else 1565 os << "allocated memory"; 1566 1567 BugReport *R = new BugReport(*BT_OffsetFree[*CheckKind], os.str(), N); 1568 R->markInteresting(MR->getBaseRegion()); 1569 R->addRange(Range); 1570 C.emitReport(R); 1571 } 1572 1573 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1574 SymbolRef Sym) const { 1575 1576 if (!ChecksEnabled[CK_MallocOptimistic] && 1577 !ChecksEnabled[CK_MallocPessimistic] && 1578 !ChecksEnabled[CK_NewDeleteChecker]) 1579 return; 1580 1581 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1582 if (!CheckKind.hasValue()) 1583 return; 1584 1585 if (ExplodedNode *N = C.generateSink()) { 1586 if (!BT_UseFree[*CheckKind]) 1587 BT_UseFree[*CheckKind].reset(new BugType( 1588 CheckNames[*CheckKind], "Use-after-free", "Memory Error")); 1589 1590 BugReport *R = new BugReport(*BT_UseFree[*CheckKind], 1591 "Use of memory after it is freed", N); 1592 1593 R->markInteresting(Sym); 1594 R->addRange(Range); 1595 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1596 C.emitReport(R); 1597 } 1598 } 1599 1600 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1601 bool Released, SymbolRef Sym, 1602 SymbolRef PrevSym) const { 1603 1604 if (!ChecksEnabled[CK_MallocOptimistic] && 1605 !ChecksEnabled[CK_MallocPessimistic] && 1606 !ChecksEnabled[CK_NewDeleteChecker]) 1607 return; 1608 1609 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1610 if (!CheckKind.hasValue()) 1611 return; 1612 1613 if (ExplodedNode *N = C.generateSink()) { 1614 if (!BT_DoubleFree[*CheckKind]) 1615 BT_DoubleFree[*CheckKind].reset( 1616 new BugType(CheckNames[*CheckKind], "Double free", "Memory Error")); 1617 1618 BugReport *R = 1619 new BugReport(*BT_DoubleFree[*CheckKind], 1620 (Released ? "Attempt to free released memory" 1621 : "Attempt to free non-owned memory"), 1622 N); 1623 R->addRange(Range); 1624 R->markInteresting(Sym); 1625 if (PrevSym) 1626 R->markInteresting(PrevSym); 1627 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1628 C.emitReport(R); 1629 } 1630 } 1631 1632 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 1633 1634 if (!ChecksEnabled[CK_NewDeleteChecker]) 1635 return; 1636 1637 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1638 if (!CheckKind.hasValue()) 1639 return; 1640 assert(*CheckKind == CK_NewDeleteChecker && "invalid check kind"); 1641 1642 if (ExplodedNode *N = C.generateSink()) { 1643 if (!BT_DoubleDelete) 1644 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 1645 "Double delete", "Memory Error")); 1646 1647 BugReport *R = new BugReport(*BT_DoubleDelete, 1648 "Attempt to delete released memory", N); 1649 1650 R->markInteresting(Sym); 1651 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1652 C.emitReport(R); 1653 } 1654 } 1655 1656 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 1657 const CallExpr *CE, 1658 bool FreesOnFail) const { 1659 if (CE->getNumArgs() < 2) 1660 return nullptr; 1661 1662 ProgramStateRef state = C.getState(); 1663 const Expr *arg0Expr = CE->getArg(0); 1664 const LocationContext *LCtx = C.getLocationContext(); 1665 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 1666 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 1667 return nullptr; 1668 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 1669 1670 SValBuilder &svalBuilder = C.getSValBuilder(); 1671 1672 DefinedOrUnknownSVal PtrEQ = 1673 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 1674 1675 // Get the size argument. If there is no size arg then give up. 1676 const Expr *Arg1 = CE->getArg(1); 1677 if (!Arg1) 1678 return nullptr; 1679 1680 // Get the value of the size argument. 1681 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 1682 if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) 1683 return nullptr; 1684 DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); 1685 1686 // Compare the size argument to 0. 1687 DefinedOrUnknownSVal SizeZero = 1688 svalBuilder.evalEQ(state, Arg1Val, 1689 svalBuilder.makeIntValWithPtrWidth(0, false)); 1690 1691 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 1692 std::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 1693 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 1694 std::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 1695 // We only assume exceptional states if they are definitely true; if the 1696 // state is under-constrained, assume regular realloc behavior. 1697 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 1698 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 1699 1700 // If the ptr is NULL and the size is not 0, the call is equivalent to 1701 // malloc(size). 1702 if ( PrtIsNull && !SizeIsZero) { 1703 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 1704 UndefinedVal(), StatePtrIsNull); 1705 return stateMalloc; 1706 } 1707 1708 if (PrtIsNull && SizeIsZero) 1709 return nullptr; 1710 1711 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 1712 assert(!PrtIsNull); 1713 SymbolRef FromPtr = arg0Val.getAsSymbol(); 1714 SVal RetVal = state->getSVal(CE, LCtx); 1715 SymbolRef ToPtr = RetVal.getAsSymbol(); 1716 if (!FromPtr || !ToPtr) 1717 return nullptr; 1718 1719 bool ReleasedAllocated = false; 1720 1721 // If the size is 0, free the memory. 1722 if (SizeIsZero) 1723 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 1724 false, ReleasedAllocated)){ 1725 // The semantics of the return value are: 1726 // If size was equal to 0, either NULL or a pointer suitable to be passed 1727 // to free() is returned. We just free the input pointer and do not add 1728 // any constrains on the output pointer. 1729 return stateFree; 1730 } 1731 1732 // Default behavior. 1733 if (ProgramStateRef stateFree = 1734 FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) { 1735 1736 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 1737 UnknownVal(), stateFree); 1738 if (!stateRealloc) 1739 return nullptr; 1740 1741 ReallocPairKind Kind = RPToBeFreedAfterFailure; 1742 if (FreesOnFail) 1743 Kind = RPIsFreeOnFailure; 1744 else if (!ReleasedAllocated) 1745 Kind = RPDoNotTrackAfterFailure; 1746 1747 // Record the info about the reallocated symbol so that we could properly 1748 // process failed reallocation. 1749 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 1750 ReallocPair(FromPtr, Kind)); 1751 // The reallocated symbol should stay alive for as long as the new symbol. 1752 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 1753 return stateRealloc; 1754 } 1755 return nullptr; 1756 } 1757 1758 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 1759 if (CE->getNumArgs() < 2) 1760 return nullptr; 1761 1762 ProgramStateRef state = C.getState(); 1763 SValBuilder &svalBuilder = C.getSValBuilder(); 1764 const LocationContext *LCtx = C.getLocationContext(); 1765 SVal count = state->getSVal(CE->getArg(0), LCtx); 1766 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 1767 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 1768 svalBuilder.getContext().getSizeType()); 1769 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1770 1771 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 1772 } 1773 1774 LeakInfo 1775 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 1776 CheckerContext &C) const { 1777 const LocationContext *LeakContext = N->getLocationContext(); 1778 // Walk the ExplodedGraph backwards and find the first node that referred to 1779 // the tracked symbol. 1780 const ExplodedNode *AllocNode = N; 1781 const MemRegion *ReferenceRegion = nullptr; 1782 1783 while (N) { 1784 ProgramStateRef State = N->getState(); 1785 if (!State->get<RegionState>(Sym)) 1786 break; 1787 1788 // Find the most recent expression bound to the symbol in the current 1789 // context. 1790 if (!ReferenceRegion) { 1791 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 1792 SVal Val = State->getSVal(MR); 1793 if (Val.getAsLocSymbol() == Sym) { 1794 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); 1795 // Do not show local variables belonging to a function other than 1796 // where the error is reported. 1797 if (!VR || 1798 (VR->getStackFrame() == LeakContext->getCurrentStackFrame())) 1799 ReferenceRegion = MR; 1800 } 1801 } 1802 } 1803 1804 // Allocation node, is the last node in the current or parent context in 1805 // which the symbol was tracked. 1806 const LocationContext *NContext = N->getLocationContext(); 1807 if (NContext == LeakContext || 1808 NContext->isParentOf(LeakContext)) 1809 AllocNode = N; 1810 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 1811 } 1812 1813 return LeakInfo(AllocNode, ReferenceRegion); 1814 } 1815 1816 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1817 CheckerContext &C) const { 1818 1819 if (!ChecksEnabled[CK_MallocOptimistic] && 1820 !ChecksEnabled[CK_MallocPessimistic] && 1821 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 1822 return; 1823 1824 const RefState *RS = C.getState()->get<RegionState>(Sym); 1825 assert(RS && "cannot leak an untracked symbol"); 1826 AllocationFamily Family = RS->getAllocationFamily(); 1827 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 1828 if (!CheckKind.hasValue()) 1829 return; 1830 1831 // Special case for new and new[]; these are controlled by a separate checker 1832 // flag so that they can be selectively disabled. 1833 if (Family == AF_CXXNew || Family == AF_CXXNewArray) 1834 if (!ChecksEnabled[CK_NewDeleteLeaksChecker]) 1835 return; 1836 1837 assert(N); 1838 if (!BT_Leak[*CheckKind]) { 1839 BT_Leak[*CheckKind].reset( 1840 new BugType(CheckNames[*CheckKind], "Memory leak", "Memory Error")); 1841 // Leaks should not be reported if they are post-dominated by a sink: 1842 // (1) Sinks are higher importance bugs. 1843 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1844 // with __noreturn functions such as assert() or exit(). We choose not 1845 // to report leaks on such paths. 1846 BT_Leak[*CheckKind]->setSuppressOnSink(true); 1847 } 1848 1849 // Most bug reports are cached at the location where they occurred. 1850 // With leaks, we want to unique them by the location where they were 1851 // allocated, and only report a single path. 1852 PathDiagnosticLocation LocUsedForUniqueing; 1853 const ExplodedNode *AllocNode = nullptr; 1854 const MemRegion *Region = nullptr; 1855 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 1856 1857 ProgramPoint P = AllocNode->getLocation(); 1858 const Stmt *AllocationStmt = nullptr; 1859 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 1860 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1861 else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) 1862 AllocationStmt = SP->getStmt(); 1863 if (AllocationStmt) 1864 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 1865 C.getSourceManager(), 1866 AllocNode->getLocationContext()); 1867 1868 SmallString<200> buf; 1869 llvm::raw_svector_ostream os(buf); 1870 if (Region && Region->canPrintPretty()) { 1871 os << "Potential leak of memory pointed to by "; 1872 Region->printPretty(os); 1873 } else { 1874 os << "Potential memory leak"; 1875 } 1876 1877 BugReport *R = 1878 new BugReport(*BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 1879 AllocNode->getLocationContext()->getDecl()); 1880 R->markInteresting(Sym); 1881 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true)); 1882 C.emitReport(R); 1883 } 1884 1885 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1886 CheckerContext &C) const 1887 { 1888 if (!SymReaper.hasDeadSymbols()) 1889 return; 1890 1891 ProgramStateRef state = C.getState(); 1892 RegionStateTy RS = state->get<RegionState>(); 1893 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1894 1895 SmallVector<SymbolRef, 2> Errors; 1896 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1897 if (SymReaper.isDead(I->first)) { 1898 if (I->second.isAllocated()) 1899 Errors.push_back(I->first); 1900 // Remove the dead symbol from the map. 1901 RS = F.remove(RS, I->first); 1902 1903 } 1904 } 1905 1906 // Cleanup the Realloc Pairs Map. 1907 ReallocPairsTy RP = state->get<ReallocPairs>(); 1908 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1909 if (SymReaper.isDead(I->first) || 1910 SymReaper.isDead(I->second.ReallocatedSym)) { 1911 state = state->remove<ReallocPairs>(I->first); 1912 } 1913 } 1914 1915 // Cleanup the FreeReturnValue Map. 1916 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 1917 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 1918 if (SymReaper.isDead(I->first) || 1919 SymReaper.isDead(I->second)) { 1920 state = state->remove<FreeReturnValue>(I->first); 1921 } 1922 } 1923 1924 // Generate leak node. 1925 ExplodedNode *N = C.getPredecessor(); 1926 if (!Errors.empty()) { 1927 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 1928 N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 1929 for (SmallVectorImpl<SymbolRef>::iterator 1930 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 1931 reportLeak(*I, N, C); 1932 } 1933 } 1934 1935 C.addTransition(state->set<RegionState>(RS), N); 1936 } 1937 1938 void MallocChecker::checkPreCall(const CallEvent &Call, 1939 CheckerContext &C) const { 1940 1941 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { 1942 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 1943 if (!Sym || checkDoubleDelete(Sym, C)) 1944 return; 1945 } 1946 1947 // We will check for double free in the post visit. 1948 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 1949 const FunctionDecl *FD = FC->getDecl(); 1950 if (!FD) 1951 return; 1952 1953 ASTContext &Ctx = C.getASTContext(); 1954 if ((ChecksEnabled[CK_MallocOptimistic] || 1955 ChecksEnabled[CK_MallocPessimistic]) && 1956 (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) || 1957 isCMemFunction(FD, Ctx, AF_IfNameIndex, 1958 MemoryOperationKind::MOK_Free))) 1959 return; 1960 1961 if (ChecksEnabled[CK_NewDeleteChecker] && 1962 isStandardNewDelete(FD, Ctx)) 1963 return; 1964 } 1965 1966 // Check if the callee of a method is deleted. 1967 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 1968 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 1969 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 1970 return; 1971 } 1972 1973 // Check arguments for being used after free. 1974 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 1975 SVal ArgSVal = Call.getArgSVal(I); 1976 if (ArgSVal.getAs<Loc>()) { 1977 SymbolRef Sym = ArgSVal.getAsSymbol(); 1978 if (!Sym) 1979 continue; 1980 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 1981 return; 1982 } 1983 } 1984 } 1985 1986 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 1987 const Expr *E = S->getRetValue(); 1988 if (!E) 1989 return; 1990 1991 // Check if we are returning a symbol. 1992 ProgramStateRef State = C.getState(); 1993 SVal RetVal = State->getSVal(E, C.getLocationContext()); 1994 SymbolRef Sym = RetVal.getAsSymbol(); 1995 if (!Sym) 1996 // If we are returning a field of the allocated struct or an array element, 1997 // the callee could still free the memory. 1998 // TODO: This logic should be a part of generic symbol escape callback. 1999 if (const MemRegion *MR = RetVal.getAsRegion()) 2000 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 2001 if (const SymbolicRegion *BMR = 2002 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 2003 Sym = BMR->getSymbol(); 2004 2005 // Check if we are returning freed memory. 2006 if (Sym) 2007 checkUseAfterFree(Sym, C, E); 2008 } 2009 2010 // TODO: Blocks should be either inlined or should call invalidate regions 2011 // upon invocation. After that's in place, special casing here will not be 2012 // needed. 2013 void MallocChecker::checkPostStmt(const BlockExpr *BE, 2014 CheckerContext &C) const { 2015 2016 // Scan the BlockDecRefExprs for any object the retain count checker 2017 // may be tracking. 2018 if (!BE->getBlockDecl()->hasCaptures()) 2019 return; 2020 2021 ProgramStateRef state = C.getState(); 2022 const BlockDataRegion *R = 2023 cast<BlockDataRegion>(state->getSVal(BE, 2024 C.getLocationContext()).getAsRegion()); 2025 2026 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2027 E = R->referenced_vars_end(); 2028 2029 if (I == E) 2030 return; 2031 2032 SmallVector<const MemRegion*, 10> Regions; 2033 const LocationContext *LC = C.getLocationContext(); 2034 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2035 2036 for ( ; I != E; ++I) { 2037 const VarRegion *VR = I.getCapturedRegion(); 2038 if (VR->getSuperRegion() == R) { 2039 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2040 } 2041 Regions.push_back(VR); 2042 } 2043 2044 state = 2045 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 2046 Regions.data() + Regions.size()).getState(); 2047 C.addTransition(state); 2048 } 2049 2050 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 2051 assert(Sym); 2052 const RefState *RS = C.getState()->get<RegionState>(Sym); 2053 return (RS && RS->isReleased()); 2054 } 2055 2056 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 2057 const Stmt *S) const { 2058 2059 if (isReleased(Sym, C)) { 2060 ReportUseAfterFree(C, S->getSourceRange(), Sym); 2061 return true; 2062 } 2063 2064 return false; 2065 } 2066 2067 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 2068 2069 if (isReleased(Sym, C)) { 2070 ReportDoubleDelete(C, Sym); 2071 return true; 2072 } 2073 return false; 2074 } 2075 2076 // Check if the location is a freed symbolic region. 2077 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 2078 CheckerContext &C) const { 2079 SymbolRef Sym = l.getLocSymbolInBase(); 2080 if (Sym) 2081 checkUseAfterFree(Sym, C, S); 2082 } 2083 2084 // If a symbolic region is assumed to NULL (or another constant), stop tracking 2085 // it - assuming that allocation failed on this path. 2086 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 2087 SVal Cond, 2088 bool Assumption) const { 2089 RegionStateTy RS = state->get<RegionState>(); 2090 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2091 // If the symbol is assumed to be NULL, remove it from consideration. 2092 ConstraintManager &CMgr = state->getConstraintManager(); 2093 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2094 if (AllocFailed.isConstrainedTrue()) 2095 state = state->remove<RegionState>(I.getKey()); 2096 } 2097 2098 // Realloc returns 0 when reallocation fails, which means that we should 2099 // restore the state of the pointer being reallocated. 2100 ReallocPairsTy RP = state->get<ReallocPairs>(); 2101 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2102 // If the symbol is assumed to be NULL, remove it from consideration. 2103 ConstraintManager &CMgr = state->getConstraintManager(); 2104 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2105 if (!AllocFailed.isConstrainedTrue()) 2106 continue; 2107 2108 SymbolRef ReallocSym = I.getData().ReallocatedSym; 2109 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 2110 if (RS->isReleased()) { 2111 if (I.getData().Kind == RPToBeFreedAfterFailure) 2112 state = state->set<RegionState>(ReallocSym, 2113 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 2114 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 2115 state = state->remove<RegionState>(ReallocSym); 2116 else 2117 assert(I.getData().Kind == RPIsFreeOnFailure); 2118 } 2119 } 2120 state = state->remove<ReallocPairs>(I.getKey()); 2121 } 2122 2123 return state; 2124 } 2125 2126 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 2127 const CallEvent *Call, 2128 ProgramStateRef State, 2129 SymbolRef &EscapingSymbol) const { 2130 assert(Call); 2131 EscapingSymbol = nullptr; 2132 2133 // For now, assume that any C++ or block call can free memory. 2134 // TODO: If we want to be more optimistic here, we'll need to make sure that 2135 // regions escape to C++ containers. They seem to do that even now, but for 2136 // mysterious reasons. 2137 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 2138 return true; 2139 2140 // Check Objective-C messages by selector name. 2141 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 2142 // If it's not a framework call, or if it takes a callback, assume it 2143 // can free memory. 2144 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 2145 return true; 2146 2147 // If it's a method we know about, handle it explicitly post-call. 2148 // This should happen before the "freeWhenDone" check below. 2149 if (isKnownDeallocObjCMethodName(*Msg)) 2150 return false; 2151 2152 // If there's a "freeWhenDone" parameter, but the method isn't one we know 2153 // about, we can't be sure that the object will use free() to deallocate the 2154 // memory, so we can't model it explicitly. The best we can do is use it to 2155 // decide whether the pointer escapes. 2156 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 2157 return *FreeWhenDone; 2158 2159 // If the first selector piece ends with "NoCopy", and there is no 2160 // "freeWhenDone" parameter set to zero, we know ownership is being 2161 // transferred. Again, though, we can't be sure that the object will use 2162 // free() to deallocate the memory, so we can't model it explicitly. 2163 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 2164 if (FirstSlot.endswith("NoCopy")) 2165 return true; 2166 2167 // If the first selector starts with addPointer, insertPointer, 2168 // or replacePointer, assume we are dealing with NSPointerArray or similar. 2169 // This is similar to C++ containers (vector); we still might want to check 2170 // that the pointers get freed by following the container itself. 2171 if (FirstSlot.startswith("addPointer") || 2172 FirstSlot.startswith("insertPointer") || 2173 FirstSlot.startswith("replacePointer") || 2174 FirstSlot.equals("valueWithPointer")) { 2175 return true; 2176 } 2177 2178 // We should escape receiver on call to 'init'. This is especially relevant 2179 // to the receiver, as the corresponding symbol is usually not referenced 2180 // after the call. 2181 if (Msg->getMethodFamily() == OMF_init) { 2182 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 2183 return true; 2184 } 2185 2186 // Otherwise, assume that the method does not free memory. 2187 // Most framework methods do not free memory. 2188 return false; 2189 } 2190 2191 // At this point the only thing left to handle is straight function calls. 2192 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 2193 if (!FD) 2194 return true; 2195 2196 ASTContext &ASTC = State->getStateManager().getContext(); 2197 2198 // If it's one of the allocation functions we can reason about, we model 2199 // its behavior explicitly. 2200 if (isMemFunction(FD, ASTC)) 2201 return false; 2202 2203 // If it's not a system call, assume it frees memory. 2204 if (!Call->isInSystemHeader()) 2205 return true; 2206 2207 // White list the system functions whose arguments escape. 2208 const IdentifierInfo *II = FD->getIdentifier(); 2209 if (!II) 2210 return true; 2211 StringRef FName = II->getName(); 2212 2213 // White list the 'XXXNoCopy' CoreFoundation functions. 2214 // We specifically check these before 2215 if (FName.endswith("NoCopy")) { 2216 // Look for the deallocator argument. We know that the memory ownership 2217 // is not transferred only if the deallocator argument is 2218 // 'kCFAllocatorNull'. 2219 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 2220 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 2221 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 2222 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 2223 if (DeallocatorName == "kCFAllocatorNull") 2224 return false; 2225 } 2226 } 2227 return true; 2228 } 2229 2230 // Associating streams with malloced buffers. The pointer can escape if 2231 // 'closefn' is specified (and if that function does free memory), 2232 // but it will not if closefn is not specified. 2233 // Currently, we do not inspect the 'closefn' function (PR12101). 2234 if (FName == "funopen") 2235 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 2236 return false; 2237 2238 // Do not warn on pointers passed to 'setbuf' when used with std streams, 2239 // these leaks might be intentional when setting the buffer for stdio. 2240 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 2241 if (FName == "setbuf" || FName =="setbuffer" || 2242 FName == "setlinebuf" || FName == "setvbuf") { 2243 if (Call->getNumArgs() >= 1) { 2244 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 2245 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 2246 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 2247 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 2248 return true; 2249 } 2250 } 2251 2252 // A bunch of other functions which either take ownership of a pointer or 2253 // wrap the result up in a struct or object, meaning it can be freed later. 2254 // (See RetainCountChecker.) Not all the parameters here are invalidated, 2255 // but the Malloc checker cannot differentiate between them. The right way 2256 // of doing this would be to implement a pointer escapes callback. 2257 if (FName == "CGBitmapContextCreate" || 2258 FName == "CGBitmapContextCreateWithData" || 2259 FName == "CVPixelBufferCreateWithBytes" || 2260 FName == "CVPixelBufferCreateWithPlanarBytes" || 2261 FName == "OSAtomicEnqueue") { 2262 return true; 2263 } 2264 2265 // Handle cases where we know a buffer's /address/ can escape. 2266 // Note that the above checks handle some special cases where we know that 2267 // even though the address escapes, it's still our responsibility to free the 2268 // buffer. 2269 if (Call->argumentsMayEscape()) 2270 return true; 2271 2272 // Otherwise, assume that the function does not free memory. 2273 // Most system calls do not free the memory. 2274 return false; 2275 } 2276 2277 static bool retTrue(const RefState *RS) { 2278 return true; 2279 } 2280 2281 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2282 return (RS->getAllocationFamily() == AF_CXXNewArray || 2283 RS->getAllocationFamily() == AF_CXXNew); 2284 } 2285 2286 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2287 const InvalidatedSymbols &Escaped, 2288 const CallEvent *Call, 2289 PointerEscapeKind Kind) const { 2290 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 2291 } 2292 2293 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2294 const InvalidatedSymbols &Escaped, 2295 const CallEvent *Call, 2296 PointerEscapeKind Kind) const { 2297 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2298 &checkIfNewOrNewArrayFamily); 2299 } 2300 2301 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 2302 const InvalidatedSymbols &Escaped, 2303 const CallEvent *Call, 2304 PointerEscapeKind Kind, 2305 bool(*CheckRefState)(const RefState*)) const { 2306 // If we know that the call does not free memory, or we want to process the 2307 // call later, keep tracking the top level arguments. 2308 SymbolRef EscapingSymbol = nullptr; 2309 if (Kind == PSK_DirectEscapeOnCall && 2310 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 2311 EscapingSymbol) && 2312 !EscapingSymbol) { 2313 return State; 2314 } 2315 2316 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 2317 E = Escaped.end(); 2318 I != E; ++I) { 2319 SymbolRef sym = *I; 2320 2321 if (EscapingSymbol && EscapingSymbol != sym) 2322 continue; 2323 2324 if (const RefState *RS = State->get<RegionState>(sym)) { 2325 if (RS->isAllocated() && CheckRefState(RS)) { 2326 State = State->remove<RegionState>(sym); 2327 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 2328 } 2329 } 2330 } 2331 return State; 2332 } 2333 2334 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2335 ProgramStateRef prevState) { 2336 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2337 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2338 2339 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2340 I != E; ++I) { 2341 SymbolRef sym = I.getKey(); 2342 if (!currMap.lookup(sym)) 2343 return sym; 2344 } 2345 2346 return nullptr; 2347 } 2348 2349 PathDiagnosticPiece * 2350 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 2351 const ExplodedNode *PrevN, 2352 BugReporterContext &BRC, 2353 BugReport &BR) { 2354 ProgramStateRef state = N->getState(); 2355 ProgramStateRef statePrev = PrevN->getState(); 2356 2357 const RefState *RS = state->get<RegionState>(Sym); 2358 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2359 if (!RS) 2360 return nullptr; 2361 2362 const Stmt *S = nullptr; 2363 const char *Msg = nullptr; 2364 StackHintGeneratorForSymbol *StackHint = nullptr; 2365 2366 // Retrieve the associated statement. 2367 ProgramPoint ProgLoc = N->getLocation(); 2368 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) { 2369 S = SP->getStmt(); 2370 } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) { 2371 S = Exit->getCalleeContext()->getCallSite(); 2372 } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) { 2373 // If an assumption was made on a branch, it should be caught 2374 // here by looking at the state transition. 2375 S = Edge->getSrc()->getTerminator(); 2376 } 2377 2378 if (!S) 2379 return nullptr; 2380 2381 // FIXME: We will eventually need to handle non-statement-based events 2382 // (__attribute__((cleanup))). 2383 2384 // Find out if this is an interesting point and what is the kind. 2385 if (Mode == Normal) { 2386 if (isAllocated(RS, RSPrev, S)) { 2387 Msg = "Memory is allocated"; 2388 StackHint = new StackHintGeneratorForSymbol(Sym, 2389 "Returned allocated memory"); 2390 } else if (isReleased(RS, RSPrev, S)) { 2391 Msg = "Memory is released"; 2392 StackHint = new StackHintGeneratorForSymbol(Sym, 2393 "Returning; memory was released"); 2394 } else if (isRelinquished(RS, RSPrev, S)) { 2395 Msg = "Memory ownership is transferred"; 2396 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 2397 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 2398 Mode = ReallocationFailed; 2399 Msg = "Reallocation failed"; 2400 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 2401 "Reallocation failed"); 2402 2403 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2404 // Is it possible to fail two reallocs WITHOUT testing in between? 2405 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2406 "We only support one failed realloc at a time."); 2407 BR.markInteresting(sym); 2408 FailedReallocSymbol = sym; 2409 } 2410 } 2411 2412 // We are in a special mode if a reallocation failed later in the path. 2413 } else if (Mode == ReallocationFailed) { 2414 assert(FailedReallocSymbol && "No symbol to look for."); 2415 2416 // Is this is the first appearance of the reallocated symbol? 2417 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2418 // We're at the reallocation point. 2419 Msg = "Attempt to reallocate memory"; 2420 StackHint = new StackHintGeneratorForSymbol(Sym, 2421 "Returned reallocated memory"); 2422 FailedReallocSymbol = nullptr; 2423 Mode = Normal; 2424 } 2425 } 2426 2427 if (!Msg) 2428 return nullptr; 2429 assert(StackHint); 2430 2431 // Generate the extra diagnostic. 2432 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2433 N->getLocationContext()); 2434 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 2435 } 2436 2437 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2438 const char *NL, const char *Sep) const { 2439 2440 RegionStateTy RS = State->get<RegionState>(); 2441 2442 if (!RS.isEmpty()) { 2443 Out << Sep << "MallocChecker :" << NL; 2444 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2445 const RefState *RefS = State->get<RegionState>(I.getKey()); 2446 AllocationFamily Family = RefS->getAllocationFamily(); 2447 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2448 2449 I.getKey()->dumpToStream(Out); 2450 Out << " : "; 2451 I.getData().dump(Out); 2452 if (CheckKind.hasValue()) 2453 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 2454 Out << NL; 2455 } 2456 } 2457 } 2458 2459 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) { 2460 registerCStringCheckerBasic(mgr); 2461 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); 2462 checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true; 2463 checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] = 2464 mgr.getCurrentCheckName(); 2465 // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete 2466 // checker. 2467 if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker]) 2468 checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true; 2469 } 2470 2471 #define REGISTER_CHECKER(name) \ 2472 void ento::register##name(CheckerManager &mgr) { \ 2473 registerCStringCheckerBasic(mgr); \ 2474 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \ 2475 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 2476 checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \ 2477 } 2478 2479 REGISTER_CHECKER(MallocPessimistic) 2480 REGISTER_CHECKER(MallocOptimistic) 2481 REGISTER_CHECKER(NewDeleteChecker) 2482 REGISTER_CHECKER(MismatchedDeallocatorChecker) 2483