1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines malloc/free checker, which checks for potential memory 10 // leaks, double free, and use-after-free problems. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 15 #include "InterCheckerAPI.h" 16 #include "clang/AST/Attr.h" 17 #include "clang/AST/ParentMap.h" 18 #include "clang/Basic/SourceManager.h" 19 #include "clang/Basic/TargetInfo.h" 20 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 21 #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" 22 #include "clang/StaticAnalyzer/Core/Checker.h" 23 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 27 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 28 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 29 #include "llvm/ADT/STLExtras.h" 30 #include "llvm/ADT/SmallString.h" 31 #include "llvm/ADT/StringExtras.h" 32 #include "AllocationState.h" 33 #include <climits> 34 #include <utility> 35 36 using namespace clang; 37 using namespace ento; 38 39 namespace { 40 41 // Used to check correspondence between allocators and deallocators. 42 enum AllocationFamily { 43 AF_None, 44 AF_Malloc, 45 AF_CXXNew, 46 AF_CXXNewArray, 47 AF_IfNameIndex, 48 AF_Alloca, 49 AF_InnerBuffer 50 }; 51 52 class RefState { 53 enum Kind { // Reference to allocated memory. 54 Allocated, 55 // Reference to zero-allocated memory. 56 AllocatedOfSizeZero, 57 // Reference to released/freed memory. 58 Released, 59 // The responsibility for freeing resources has transferred from 60 // this reference. A relinquished symbol should not be freed. 61 Relinquished, 62 // We are no longer guaranteed to have observed all manipulations 63 // of this pointer/memory. For example, it could have been 64 // passed as a parameter to an opaque function. 65 Escaped 66 }; 67 68 const Stmt *S; 69 unsigned K : 3; // Kind enum, but stored as a bitfield. 70 unsigned Family : 29; // Rest of 32-bit word, currently just an allocation 71 // family. 72 73 RefState(Kind k, const Stmt *s, unsigned family) 74 : S(s), K(k), Family(family) { 75 assert(family != AF_None); 76 } 77 public: 78 bool isAllocated() const { return K == Allocated; } 79 bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; } 80 bool isReleased() const { return K == Released; } 81 bool isRelinquished() const { return K == Relinquished; } 82 bool isEscaped() const { return K == Escaped; } 83 AllocationFamily getAllocationFamily() const { 84 return (AllocationFamily)Family; 85 } 86 const Stmt *getStmt() const { return S; } 87 88 bool operator==(const RefState &X) const { 89 return K == X.K && S == X.S && Family == X.Family; 90 } 91 92 static RefState getAllocated(unsigned family, const Stmt *s) { 93 return RefState(Allocated, s, family); 94 } 95 static RefState getAllocatedOfSizeZero(const RefState *RS) { 96 return RefState(AllocatedOfSizeZero, RS->getStmt(), 97 RS->getAllocationFamily()); 98 } 99 static RefState getReleased(unsigned family, const Stmt *s) { 100 return RefState(Released, s, family); 101 } 102 static RefState getRelinquished(unsigned family, const Stmt *s) { 103 return RefState(Relinquished, s, family); 104 } 105 static RefState getEscaped(const RefState *RS) { 106 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 107 } 108 109 void Profile(llvm::FoldingSetNodeID &ID) const { 110 ID.AddInteger(K); 111 ID.AddPointer(S); 112 ID.AddInteger(Family); 113 } 114 115 void dump(raw_ostream &OS) const { 116 switch (static_cast<Kind>(K)) { 117 #define CASE(ID) case ID: OS << #ID; break; 118 CASE(Allocated) 119 CASE(AllocatedOfSizeZero) 120 CASE(Released) 121 CASE(Relinquished) 122 CASE(Escaped) 123 } 124 } 125 126 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 127 }; 128 129 enum ReallocPairKind { 130 RPToBeFreedAfterFailure, 131 // The symbol has been freed when reallocation failed. 132 RPIsFreeOnFailure, 133 // The symbol does not need to be freed after reallocation fails. 134 RPDoNotTrackAfterFailure 135 }; 136 137 /// \class ReallocPair 138 /// Stores information about the symbol being reallocated by a call to 139 /// 'realloc' to allow modeling failed reallocation later in the path. 140 struct ReallocPair { 141 // The symbol which realloc reallocated. 142 SymbolRef ReallocatedSym; 143 ReallocPairKind Kind; 144 145 ReallocPair(SymbolRef S, ReallocPairKind K) : 146 ReallocatedSym(S), Kind(K) {} 147 void Profile(llvm::FoldingSetNodeID &ID) const { 148 ID.AddInteger(Kind); 149 ID.AddPointer(ReallocatedSym); 150 } 151 bool operator==(const ReallocPair &X) const { 152 return ReallocatedSym == X.ReallocatedSym && 153 Kind == X.Kind; 154 } 155 }; 156 157 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 158 159 class MallocChecker : public Checker<check::DeadSymbols, 160 check::PointerEscape, 161 check::ConstPointerEscape, 162 check::PreStmt<ReturnStmt>, 163 check::EndFunction, 164 check::PreCall, 165 check::PostStmt<CallExpr>, 166 check::PostStmt<CXXNewExpr>, 167 check::NewAllocator, 168 check::PreStmt<CXXDeleteExpr>, 169 check::PostStmt<BlockExpr>, 170 check::PostObjCMessage, 171 check::Location, 172 eval::Assume> 173 { 174 public: 175 MallocChecker() 176 : II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr), 177 II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr), 178 II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr), 179 II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr), 180 II_kfree(nullptr), II_if_nameindex(nullptr), 181 II_if_freenameindex(nullptr), II_wcsdup(nullptr), 182 II_win_wcsdup(nullptr), II_g_malloc(nullptr), II_g_malloc0(nullptr), 183 II_g_realloc(nullptr), II_g_try_malloc(nullptr), 184 II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr), 185 II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr), 186 II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr), 187 II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr), 188 II_g_try_realloc_n(nullptr) {} 189 190 /// In pessimistic mode, the checker assumes that it does not know which 191 /// functions might free the memory. 192 enum CheckKind { 193 CK_MallocChecker, 194 CK_NewDeleteChecker, 195 CK_NewDeleteLeaksChecker, 196 CK_MismatchedDeallocatorChecker, 197 CK_InnerPointerChecker, 198 CK_NumCheckKinds 199 }; 200 201 enum class MemoryOperationKind { 202 MOK_Allocate, 203 MOK_Free, 204 MOK_Any 205 }; 206 207 DefaultBool IsOptimistic; 208 209 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 210 CheckName CheckNames[CK_NumCheckKinds]; 211 212 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 213 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 214 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 215 void checkNewAllocator(const CXXNewExpr *NE, SVal Target, 216 CheckerContext &C) const; 217 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 218 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 219 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 220 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 221 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 222 void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const; 223 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 224 bool Assumption) const; 225 void checkLocation(SVal l, bool isLoad, const Stmt *S, 226 CheckerContext &C) const; 227 228 ProgramStateRef checkPointerEscape(ProgramStateRef State, 229 const InvalidatedSymbols &Escaped, 230 const CallEvent *Call, 231 PointerEscapeKind Kind) const; 232 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 233 const InvalidatedSymbols &Escaped, 234 const CallEvent *Call, 235 PointerEscapeKind Kind) const; 236 237 void printState(raw_ostream &Out, ProgramStateRef State, 238 const char *NL, const char *Sep) const override; 239 240 private: 241 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 242 mutable std::unique_ptr<BugType> BT_DoubleDelete; 243 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; 244 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; 245 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; 246 mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds]; 247 mutable std::unique_ptr<BugType> BT_MismatchedDealloc; 248 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 249 mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds]; 250 mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free, 251 *II_realloc, *II_calloc, *II_valloc, *II_reallocf, 252 *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc, 253 *II_kfree, *II_if_nameindex, *II_if_freenameindex, 254 *II_wcsdup, *II_win_wcsdup, *II_g_malloc, 255 *II_g_malloc0, *II_g_realloc, *II_g_try_malloc, 256 *II_g_try_malloc0, *II_g_try_realloc, *II_g_free, 257 *II_g_memdup, *II_g_malloc_n, *II_g_malloc0_n, 258 *II_g_realloc_n, *II_g_try_malloc_n, 259 *II_g_try_malloc0_n, *II_g_try_realloc_n; 260 mutable Optional<uint64_t> KernelZeroFlagVal; 261 262 void initIdentifierInfo(ASTContext &C) const; 263 264 /// Determine family of a deallocation expression. 265 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 266 267 /// Print names of allocators and deallocators. 268 /// 269 /// \returns true on success. 270 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 271 const Expr *E) const; 272 273 /// Print expected name of an allocator based on the deallocator's 274 /// family derived from the DeallocExpr. 275 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 276 const Expr *DeallocExpr) const; 277 /// Print expected name of a deallocator based on the allocator's 278 /// family. 279 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 280 281 ///@{ 282 /// Check if this is one of the functions which can allocate/reallocate memory 283 /// pointed to by one of its arguments. 284 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 285 bool isCMemFunction(const FunctionDecl *FD, 286 ASTContext &C, 287 AllocationFamily Family, 288 MemoryOperationKind MemKind) const; 289 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 290 ///@} 291 292 /// Process C++ operator new()'s allocation, which is the part of C++ 293 /// new-expression that goes before the constructor. 294 void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C, 295 SVal Target) const; 296 297 /// Perform a zero-allocation check. 298 /// The optional \p RetVal parameter specifies the newly allocated pointer 299 /// value; if unspecified, the value of expression \p E is used. 300 ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E, 301 const unsigned AllocationSizeArg, 302 ProgramStateRef State, 303 Optional<SVal> RetVal = None) const; 304 305 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 306 const CallExpr *CE, 307 const OwnershipAttr* Att, 308 ProgramStateRef State) const; 309 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 310 const Expr *SizeEx, SVal Init, 311 ProgramStateRef State, 312 AllocationFamily Family = AF_Malloc); 313 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 314 SVal SizeEx, SVal Init, 315 ProgramStateRef State, 316 AllocationFamily Family = AF_Malloc); 317 318 static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE, 319 ProgramStateRef State, SVal Target); 320 321 // Check if this malloc() for special flags. At present that means M_ZERO or 322 // __GFP_ZERO (in which case, treat it like calloc). 323 llvm::Optional<ProgramStateRef> 324 performKernelMalloc(const CallExpr *CE, CheckerContext &C, 325 const ProgramStateRef &State) const; 326 327 /// Update the RefState to reflect the new memory allocation. 328 /// The optional \p RetVal parameter specifies the newly allocated pointer 329 /// value; if unspecified, the value of expression \p E is used. 330 static ProgramStateRef 331 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 332 AllocationFamily Family = AF_Malloc, 333 Optional<SVal> RetVal = None); 334 335 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 336 const OwnershipAttr* Att, 337 ProgramStateRef State) const; 338 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 339 ProgramStateRef state, unsigned Num, 340 bool Hold, 341 bool &ReleasedAllocated, 342 bool ReturnsNullOnFailure = false) const; 343 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 344 const Expr *ParentExpr, 345 ProgramStateRef State, 346 bool Hold, 347 bool &ReleasedAllocated, 348 bool ReturnsNullOnFailure = false) const; 349 350 ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE, 351 bool FreesMemOnFailure, 352 ProgramStateRef State, 353 bool SuffixWithN = false) const; 354 static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 355 const Expr *BlockBytes); 356 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE, 357 ProgramStateRef State); 358 359 /// Check if the memory associated with this symbol was released. 360 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 361 362 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 363 364 void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 365 const Stmt *S) const; 366 367 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 368 369 /// Check if the function is known free memory, or if it is 370 /// "interesting" and should be modeled explicitly. 371 /// 372 /// \param [out] EscapingSymbol A function might not free memory in general, 373 /// but could be known to free a particular symbol. In this case, false is 374 /// returned and the single escaping symbol is returned through the out 375 /// parameter. 376 /// 377 /// We assume that pointers do not escape through calls to system functions 378 /// not handled by this checker. 379 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 380 ProgramStateRef State, 381 SymbolRef &EscapingSymbol) const; 382 383 // Implementation of the checkPointerEscape callbacks. 384 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 385 const InvalidatedSymbols &Escaped, 386 const CallEvent *Call, 387 PointerEscapeKind Kind, 388 bool(*CheckRefState)(const RefState*)) const; 389 390 // Implementation of the checkPreStmt and checkEndFunction callbacks. 391 void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const; 392 393 ///@{ 394 /// Tells if a given family/call/symbol is tracked by the current checker. 395 /// Sets CheckKind to the kind of the checker responsible for this 396 /// family/call/symbol. 397 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family, 398 bool IsALeakCheck = false) const; 399 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, 400 const Stmt *AllocDeallocStmt, 401 bool IsALeakCheck = false) const; 402 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 403 bool IsALeakCheck = false) const; 404 ///@} 405 static bool SummarizeValue(raw_ostream &os, SVal V); 406 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 407 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 408 const Expr *DeallocExpr) const; 409 void ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 410 SourceRange Range) const; 411 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 412 const Expr *DeallocExpr, const RefState *RS, 413 SymbolRef Sym, bool OwnershipTransferred) const; 414 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 415 const Expr *DeallocExpr, 416 const Expr *AllocExpr = nullptr) const; 417 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 418 SymbolRef Sym) const; 419 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 420 SymbolRef Sym, SymbolRef PrevSym) const; 421 422 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 423 424 void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range, 425 SymbolRef Sym) const; 426 427 void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, 428 SourceRange Range, const Expr *FreeExpr) const; 429 430 /// Find the location of the allocation for Sym on the path leading to the 431 /// exploded node N. 432 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 433 CheckerContext &C) const; 434 435 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 436 437 /// The bug visitor which allows us to print extra diagnostics along the 438 /// BugReport path. For example, showing the allocation site of the leaked 439 /// region. 440 class MallocBugVisitor final : public BugReporterVisitor { 441 protected: 442 enum NotificationMode { 443 Normal, 444 ReallocationFailed 445 }; 446 447 // The allocated region symbol tracked by the main analysis. 448 SymbolRef Sym; 449 450 // The mode we are in, i.e. what kind of diagnostics will be emitted. 451 NotificationMode Mode; 452 453 // A symbol from when the primary region should have been reallocated. 454 SymbolRef FailedReallocSymbol; 455 456 // A C++ destructor stack frame in which memory was released. Used for 457 // miscellaneous false positive suppression. 458 const StackFrameContext *ReleaseDestructorLC; 459 460 bool IsLeak; 461 462 public: 463 MallocBugVisitor(SymbolRef S, bool isLeak = false) 464 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), 465 ReleaseDestructorLC(nullptr), IsLeak(isLeak) {} 466 467 static void *getTag() { 468 static int Tag = 0; 469 return &Tag; 470 } 471 472 void Profile(llvm::FoldingSetNodeID &ID) const override { 473 ID.AddPointer(getTag()); 474 ID.AddPointer(Sym); 475 } 476 477 inline bool isAllocated(const RefState *S, const RefState *SPrev, 478 const Stmt *Stmt) { 479 // Did not track -> allocated. Other state (released) -> allocated. 480 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 481 (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) && 482 (!SPrev || !(SPrev->isAllocated() || 483 SPrev->isAllocatedOfSizeZero()))); 484 } 485 486 inline bool isReleased(const RefState *S, const RefState *SPrev, 487 const Stmt *Stmt) { 488 // Did not track -> released. Other state (allocated) -> released. 489 // The statement associated with the release might be missing. 490 bool IsReleased = (S && S->isReleased()) && 491 (!SPrev || !SPrev->isReleased()); 492 assert(!IsReleased || 493 (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || 494 (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)); 495 return IsReleased; 496 } 497 498 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 499 const Stmt *Stmt) { 500 // Did not track -> relinquished. Other state (allocated) -> relinquished. 501 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 502 isa<ObjCPropertyRefExpr>(Stmt)) && 503 (S && S->isRelinquished()) && 504 (!SPrev || !SPrev->isRelinquished())); 505 } 506 507 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 508 const Stmt *Stmt) { 509 // If the expression is not a call, and the state change is 510 // released -> allocated, it must be the realloc return value 511 // check. If we have to handle more cases here, it might be cleaner just 512 // to track this extra bit in the state itself. 513 return ((!Stmt || !isa<CallExpr>(Stmt)) && 514 (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) && 515 (SPrev && !(SPrev->isAllocated() || 516 SPrev->isAllocatedOfSizeZero()))); 517 } 518 519 std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N, 520 BugReporterContext &BRC, 521 BugReport &BR) override; 522 523 std::shared_ptr<PathDiagnosticPiece> 524 getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode, 525 BugReport &BR) override { 526 if (!IsLeak) 527 return nullptr; 528 529 PathDiagnosticLocation L = 530 PathDiagnosticLocation::createEndOfPath(EndPathNode, 531 BRC.getSourceManager()); 532 // Do not add the statement itself as a range in case of leak. 533 return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(), 534 false); 535 } 536 537 private: 538 class StackHintGeneratorForReallocationFailed 539 : public StackHintGeneratorForSymbol { 540 public: 541 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 542 : StackHintGeneratorForSymbol(S, M) {} 543 544 std::string getMessageForArg(const Expr *ArgE, 545 unsigned ArgIndex) override { 546 // Printed parameters start at 1, not 0. 547 ++ArgIndex; 548 549 SmallString<200> buf; 550 llvm::raw_svector_ostream os(buf); 551 552 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 553 << " parameter failed"; 554 555 return os.str(); 556 } 557 558 std::string getMessageForReturn(const CallExpr *CallExpr) override { 559 return "Reallocation of returned value failed"; 560 } 561 }; 562 }; 563 }; 564 } // end anonymous namespace 565 566 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 567 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 568 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef) 569 570 // A map from the freed symbol to the symbol representing the return value of 571 // the free function. 572 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 573 574 namespace { 575 class StopTrackingCallback final : public SymbolVisitor { 576 ProgramStateRef state; 577 public: 578 StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {} 579 ProgramStateRef getState() const { return state; } 580 581 bool VisitSymbol(SymbolRef sym) override { 582 state = state->remove<RegionState>(sym); 583 return true; 584 } 585 }; 586 } // end anonymous namespace 587 588 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 589 if (II_malloc) 590 return; 591 II_alloca = &Ctx.Idents.get("alloca"); 592 II_malloc = &Ctx.Idents.get("malloc"); 593 II_free = &Ctx.Idents.get("free"); 594 II_realloc = &Ctx.Idents.get("realloc"); 595 II_reallocf = &Ctx.Idents.get("reallocf"); 596 II_calloc = &Ctx.Idents.get("calloc"); 597 II_valloc = &Ctx.Idents.get("valloc"); 598 II_strdup = &Ctx.Idents.get("strdup"); 599 II_strndup = &Ctx.Idents.get("strndup"); 600 II_wcsdup = &Ctx.Idents.get("wcsdup"); 601 II_kmalloc = &Ctx.Idents.get("kmalloc"); 602 II_kfree = &Ctx.Idents.get("kfree"); 603 II_if_nameindex = &Ctx.Idents.get("if_nameindex"); 604 II_if_freenameindex = &Ctx.Idents.get("if_freenameindex"); 605 606 //MSVC uses `_`-prefixed instead, so we check for them too. 607 II_win_strdup = &Ctx.Idents.get("_strdup"); 608 II_win_wcsdup = &Ctx.Idents.get("_wcsdup"); 609 II_win_alloca = &Ctx.Idents.get("_alloca"); 610 611 // Glib 612 II_g_malloc = &Ctx.Idents.get("g_malloc"); 613 II_g_malloc0 = &Ctx.Idents.get("g_malloc0"); 614 II_g_realloc = &Ctx.Idents.get("g_realloc"); 615 II_g_try_malloc = &Ctx.Idents.get("g_try_malloc"); 616 II_g_try_malloc0 = &Ctx.Idents.get("g_try_malloc0"); 617 II_g_try_realloc = &Ctx.Idents.get("g_try_realloc"); 618 II_g_free = &Ctx.Idents.get("g_free"); 619 II_g_memdup = &Ctx.Idents.get("g_memdup"); 620 II_g_malloc_n = &Ctx.Idents.get("g_malloc_n"); 621 II_g_malloc0_n = &Ctx.Idents.get("g_malloc0_n"); 622 II_g_realloc_n = &Ctx.Idents.get("g_realloc_n"); 623 II_g_try_malloc_n = &Ctx.Idents.get("g_try_malloc_n"); 624 II_g_try_malloc0_n = &Ctx.Idents.get("g_try_malloc0_n"); 625 II_g_try_realloc_n = &Ctx.Idents.get("g_try_realloc_n"); 626 } 627 628 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 629 if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any)) 630 return true; 631 632 if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 633 return true; 634 635 if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any)) 636 return true; 637 638 if (isStandardNewDelete(FD, C)) 639 return true; 640 641 return false; 642 } 643 644 bool MallocChecker::isCMemFunction(const FunctionDecl *FD, 645 ASTContext &C, 646 AllocationFamily Family, 647 MemoryOperationKind MemKind) const { 648 if (!FD) 649 return false; 650 651 bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any || 652 MemKind == MemoryOperationKind::MOK_Free); 653 bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any || 654 MemKind == MemoryOperationKind::MOK_Allocate); 655 656 if (FD->getKind() == Decl::Function) { 657 const IdentifierInfo *FunI = FD->getIdentifier(); 658 initIdentifierInfo(C); 659 660 if (Family == AF_Malloc && CheckFree) { 661 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf || 662 FunI == II_g_free || FunI == II_kfree) 663 return true; 664 } 665 666 if (Family == AF_Malloc && CheckAlloc) { 667 if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf || 668 FunI == II_calloc || FunI == II_valloc || FunI == II_strdup || 669 FunI == II_win_strdup || FunI == II_strndup || FunI == II_wcsdup || 670 FunI == II_win_wcsdup || FunI == II_kmalloc || 671 FunI == II_g_malloc || FunI == II_g_malloc0 || 672 FunI == II_g_realloc || FunI == II_g_try_malloc || 673 FunI == II_g_try_malloc0 || FunI == II_g_try_realloc || 674 FunI == II_g_memdup || FunI == II_g_malloc_n || 675 FunI == II_g_malloc0_n || FunI == II_g_realloc_n || 676 FunI == II_g_try_malloc_n || FunI == II_g_try_malloc0_n || 677 FunI == II_g_try_realloc_n) 678 return true; 679 } 680 681 if (Family == AF_IfNameIndex && CheckFree) { 682 if (FunI == II_if_freenameindex) 683 return true; 684 } 685 686 if (Family == AF_IfNameIndex && CheckAlloc) { 687 if (FunI == II_if_nameindex) 688 return true; 689 } 690 691 if (Family == AF_Alloca && CheckAlloc) { 692 if (FunI == II_alloca || FunI == II_win_alloca) 693 return true; 694 } 695 } 696 697 if (Family != AF_Malloc) 698 return false; 699 700 if (IsOptimistic && FD->hasAttrs()) { 701 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 702 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 703 if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) { 704 if (CheckFree) 705 return true; 706 } else if (OwnKind == OwnershipAttr::Returns) { 707 if (CheckAlloc) 708 return true; 709 } 710 } 711 } 712 713 return false; 714 } 715 716 // Tells if the callee is one of the builtin new/delete operators, including 717 // placement operators and other standard overloads. 718 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 719 ASTContext &C) const { 720 if (!FD) 721 return false; 722 723 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 724 if (Kind != OO_New && Kind != OO_Array_New && 725 Kind != OO_Delete && Kind != OO_Array_Delete) 726 return false; 727 728 // This is standard if and only if it's not defined in a user file. 729 SourceLocation L = FD->getLocation(); 730 // If the header for operator delete is not included, it's still defined 731 // in an invalid source location. Check to make sure we don't crash. 732 return !L.isValid() || C.getSourceManager().isInSystemHeader(L); 733 } 734 735 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc( 736 const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const { 737 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: 738 // 739 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); 740 // 741 // One of the possible flags is M_ZERO, which means 'give me back an 742 // allocation which is already zeroed', like calloc. 743 744 // 2-argument kmalloc(), as used in the Linux kernel: 745 // 746 // void *kmalloc(size_t size, gfp_t flags); 747 // 748 // Has the similar flag value __GFP_ZERO. 749 750 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some 751 // code could be shared. 752 753 ASTContext &Ctx = C.getASTContext(); 754 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); 755 756 if (!KernelZeroFlagVal.hasValue()) { 757 if (OS == llvm::Triple::FreeBSD) 758 KernelZeroFlagVal = 0x0100; 759 else if (OS == llvm::Triple::NetBSD) 760 KernelZeroFlagVal = 0x0002; 761 else if (OS == llvm::Triple::OpenBSD) 762 KernelZeroFlagVal = 0x0008; 763 else if (OS == llvm::Triple::Linux) 764 // __GFP_ZERO 765 KernelZeroFlagVal = 0x8000; 766 else 767 // FIXME: We need a more general way of getting the M_ZERO value. 768 // See also: O_CREAT in UnixAPIChecker.cpp. 769 770 // Fall back to normal malloc behavior on platforms where we don't 771 // know M_ZERO. 772 return None; 773 } 774 775 // We treat the last argument as the flags argument, and callers fall-back to 776 // normal malloc on a None return. This works for the FreeBSD kernel malloc 777 // as well as Linux kmalloc. 778 if (CE->getNumArgs() < 2) 779 return None; 780 781 const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1); 782 const SVal V = C.getSVal(FlagsEx); 783 if (!V.getAs<NonLoc>()) { 784 // The case where 'V' can be a location can only be due to a bad header, 785 // so in this case bail out. 786 return None; 787 } 788 789 NonLoc Flags = V.castAs<NonLoc>(); 790 NonLoc ZeroFlag = C.getSValBuilder() 791 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) 792 .castAs<NonLoc>(); 793 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, 794 Flags, ZeroFlag, 795 FlagsEx->getType()); 796 if (MaskedFlagsUC.isUnknownOrUndef()) 797 return None; 798 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); 799 800 // Check if maskedFlags is non-zero. 801 ProgramStateRef TrueState, FalseState; 802 std::tie(TrueState, FalseState) = State->assume(MaskedFlags); 803 804 // If M_ZERO is set, treat this like calloc (initialized). 805 if (TrueState && !FalseState) { 806 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); 807 return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState); 808 } 809 810 return None; 811 } 812 813 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 814 const Expr *BlockBytes) { 815 SValBuilder &SB = C.getSValBuilder(); 816 SVal BlocksVal = C.getSVal(Blocks); 817 SVal BlockBytesVal = C.getSVal(BlockBytes); 818 ProgramStateRef State = C.getState(); 819 SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal, 820 SB.getContext().getSizeType()); 821 return TotalSize; 822 } 823 824 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 825 if (C.wasInlined) 826 return; 827 828 const FunctionDecl *FD = C.getCalleeDecl(CE); 829 if (!FD) 830 return; 831 832 ProgramStateRef State = C.getState(); 833 bool ReleasedAllocatedMemory = false; 834 835 if (FD->getKind() == Decl::Function) { 836 initIdentifierInfo(C.getASTContext()); 837 IdentifierInfo *FunI = FD->getIdentifier(); 838 839 if (FunI == II_malloc || FunI == II_g_malloc || FunI == II_g_try_malloc) { 840 if (CE->getNumArgs() < 1) 841 return; 842 if (CE->getNumArgs() < 3) { 843 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 844 if (CE->getNumArgs() == 1) 845 State = ProcessZeroAllocation(C, CE, 0, State); 846 } else if (CE->getNumArgs() == 3) { 847 llvm::Optional<ProgramStateRef> MaybeState = 848 performKernelMalloc(CE, C, State); 849 if (MaybeState.hasValue()) 850 State = MaybeState.getValue(); 851 else 852 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 853 } 854 } else if (FunI == II_kmalloc) { 855 if (CE->getNumArgs() < 1) 856 return; 857 llvm::Optional<ProgramStateRef> MaybeState = 858 performKernelMalloc(CE, C, State); 859 if (MaybeState.hasValue()) 860 State = MaybeState.getValue(); 861 else 862 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 863 } else if (FunI == II_valloc) { 864 if (CE->getNumArgs() < 1) 865 return; 866 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 867 State = ProcessZeroAllocation(C, CE, 0, State); 868 } else if (FunI == II_realloc || FunI == II_g_realloc || 869 FunI == II_g_try_realloc) { 870 State = ReallocMemAux(C, CE, false, State); 871 State = ProcessZeroAllocation(C, CE, 1, State); 872 } else if (FunI == II_reallocf) { 873 State = ReallocMemAux(C, CE, true, State); 874 State = ProcessZeroAllocation(C, CE, 1, State); 875 } else if (FunI == II_calloc) { 876 State = CallocMem(C, CE, State); 877 State = ProcessZeroAllocation(C, CE, 0, State); 878 State = ProcessZeroAllocation(C, CE, 1, State); 879 } else if (FunI == II_free || FunI == II_g_free || FunI == II_kfree) { 880 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 881 } else if (FunI == II_strdup || FunI == II_win_strdup || 882 FunI == II_wcsdup || FunI == II_win_wcsdup) { 883 State = MallocUpdateRefState(C, CE, State); 884 } else if (FunI == II_strndup) { 885 State = MallocUpdateRefState(C, CE, State); 886 } else if (FunI == II_alloca || FunI == II_win_alloca) { 887 if (CE->getNumArgs() < 1) 888 return; 889 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 890 AF_Alloca); 891 State = ProcessZeroAllocation(C, CE, 0, State); 892 } else if (isStandardNewDelete(FD, C.getASTContext())) { 893 // Process direct calls to operator new/new[]/delete/delete[] functions 894 // as distinct from new/new[]/delete/delete[] expressions that are 895 // processed by the checkPostStmt callbacks for CXXNewExpr and 896 // CXXDeleteExpr. 897 OverloadedOperatorKind K = FD->getOverloadedOperator(); 898 if (K == OO_New) { 899 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 900 AF_CXXNew); 901 State = ProcessZeroAllocation(C, CE, 0, State); 902 } 903 else if (K == OO_Array_New) { 904 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 905 AF_CXXNewArray); 906 State = ProcessZeroAllocation(C, CE, 0, State); 907 } 908 else if (K == OO_Delete || K == OO_Array_Delete) 909 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 910 else 911 llvm_unreachable("not a new/delete operator"); 912 } else if (FunI == II_if_nameindex) { 913 // Should we model this differently? We can allocate a fixed number of 914 // elements with zeros in the last one. 915 State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, 916 AF_IfNameIndex); 917 } else if (FunI == II_if_freenameindex) { 918 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 919 } else if (FunI == II_g_malloc0 || FunI == II_g_try_malloc0) { 920 if (CE->getNumArgs() < 1) 921 return; 922 SValBuilder &svalBuilder = C.getSValBuilder(); 923 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 924 State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State); 925 State = ProcessZeroAllocation(C, CE, 0, State); 926 } else if (FunI == II_g_memdup) { 927 if (CE->getNumArgs() < 2) 928 return; 929 State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State); 930 State = ProcessZeroAllocation(C, CE, 1, State); 931 } else if (FunI == II_g_malloc_n || FunI == II_g_try_malloc_n || 932 FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) { 933 if (CE->getNumArgs() < 2) 934 return; 935 SVal Init = UndefinedVal(); 936 if (FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) { 937 SValBuilder &SB = C.getSValBuilder(); 938 Init = SB.makeZeroVal(SB.getContext().CharTy); 939 } 940 SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); 941 State = MallocMemAux(C, CE, TotalSize, Init, State); 942 State = ProcessZeroAllocation(C, CE, 0, State); 943 State = ProcessZeroAllocation(C, CE, 1, State); 944 } else if (FunI == II_g_realloc_n || FunI == II_g_try_realloc_n) { 945 if (CE->getNumArgs() < 3) 946 return; 947 State = ReallocMemAux(C, CE, false, State, true); 948 State = ProcessZeroAllocation(C, CE, 1, State); 949 State = ProcessZeroAllocation(C, CE, 2, State); 950 } 951 } 952 953 if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 954 // Check all the attributes, if there are any. 955 // There can be multiple of these attributes. 956 if (FD->hasAttrs()) 957 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 958 switch (I->getOwnKind()) { 959 case OwnershipAttr::Returns: 960 State = MallocMemReturnsAttr(C, CE, I, State); 961 break; 962 case OwnershipAttr::Takes: 963 case OwnershipAttr::Holds: 964 State = FreeMemAttr(C, CE, I, State); 965 break; 966 } 967 } 968 } 969 C.addTransition(State); 970 } 971 972 // Performs a 0-sized allocations check. 973 ProgramStateRef MallocChecker::ProcessZeroAllocation( 974 CheckerContext &C, const Expr *E, const unsigned AllocationSizeArg, 975 ProgramStateRef State, Optional<SVal> RetVal) const { 976 if (!State) 977 return nullptr; 978 979 if (!RetVal) 980 RetVal = C.getSVal(E); 981 982 const Expr *Arg = nullptr; 983 984 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 985 Arg = CE->getArg(AllocationSizeArg); 986 } 987 else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 988 if (NE->isArray()) 989 Arg = *NE->getArraySize(); 990 else 991 return State; 992 } 993 else 994 llvm_unreachable("not a CallExpr or CXXNewExpr"); 995 996 assert(Arg); 997 998 Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>(); 999 1000 if (!DefArgVal) 1001 return State; 1002 1003 // Check if the allocation size is 0. 1004 ProgramStateRef TrueState, FalseState; 1005 SValBuilder &SvalBuilder = C.getSValBuilder(); 1006 DefinedSVal Zero = 1007 SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>(); 1008 1009 std::tie(TrueState, FalseState) = 1010 State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero)); 1011 1012 if (TrueState && !FalseState) { 1013 SymbolRef Sym = RetVal->getAsLocSymbol(); 1014 if (!Sym) 1015 return State; 1016 1017 const RefState *RS = State->get<RegionState>(Sym); 1018 if (RS) { 1019 if (RS->isAllocated()) 1020 return TrueState->set<RegionState>(Sym, 1021 RefState::getAllocatedOfSizeZero(RS)); 1022 else 1023 return State; 1024 } else { 1025 // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as 1026 // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not 1027 // tracked. Add zero-reallocated Sym to the state to catch references 1028 // to zero-allocated memory. 1029 return TrueState->add<ReallocSizeZeroSymbols>(Sym); 1030 } 1031 } 1032 1033 // Assume the value is non-zero going forward. 1034 assert(FalseState); 1035 return FalseState; 1036 } 1037 1038 static QualType getDeepPointeeType(QualType T) { 1039 QualType Result = T, PointeeType = T->getPointeeType(); 1040 while (!PointeeType.isNull()) { 1041 Result = PointeeType; 1042 PointeeType = PointeeType->getPointeeType(); 1043 } 1044 return Result; 1045 } 1046 1047 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) { 1048 1049 const CXXConstructExpr *ConstructE = NE->getConstructExpr(); 1050 if (!ConstructE) 1051 return false; 1052 1053 if (!NE->getAllocatedType()->getAsCXXRecordDecl()) 1054 return false; 1055 1056 const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); 1057 1058 // Iterate over the constructor parameters. 1059 for (const auto *CtorParam : CtorD->parameters()) { 1060 1061 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); 1062 if (CtorParamPointeeT.isNull()) 1063 continue; 1064 1065 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); 1066 1067 if (CtorParamPointeeT->getAsCXXRecordDecl()) 1068 return true; 1069 } 1070 1071 return false; 1072 } 1073 1074 void MallocChecker::processNewAllocation(const CXXNewExpr *NE, 1075 CheckerContext &C, 1076 SVal Target) const { 1077 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 1078 return; 1079 1080 ParentMap &PM = C.getLocationContext()->getParentMap(); 1081 if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE)) 1082 return; 1083 1084 ProgramStateRef State = C.getState(); 1085 // The return value from operator new is bound to a specified initialization 1086 // value (if any) and we don't want to loose this value. So we call 1087 // MallocUpdateRefState() instead of MallocMemAux() which breaks the 1088 // existing binding. 1089 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 1090 : AF_CXXNew, Target); 1091 State = addExtentSize(C, NE, State, Target); 1092 State = ProcessZeroAllocation(C, NE, 0, State, Target); 1093 C.addTransition(State); 1094 } 1095 1096 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 1097 CheckerContext &C) const { 1098 if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator) 1099 processNewAllocation(NE, C, C.getSVal(NE)); 1100 } 1101 1102 void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target, 1103 CheckerContext &C) const { 1104 if (!C.wasInlined) 1105 processNewAllocation(NE, C, Target); 1106 } 1107 1108 // Sets the extent value of the MemRegion allocated by 1109 // new expression NE to its size in Bytes. 1110 // 1111 ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C, 1112 const CXXNewExpr *NE, 1113 ProgramStateRef State, 1114 SVal Target) { 1115 if (!State) 1116 return nullptr; 1117 SValBuilder &svalBuilder = C.getSValBuilder(); 1118 SVal ElementCount; 1119 const SubRegion *Region; 1120 if (NE->isArray()) { 1121 const Expr *SizeExpr = *NE->getArraySize(); 1122 ElementCount = C.getSVal(SizeExpr); 1123 // Store the extent size for the (symbolic)region 1124 // containing the elements. 1125 Region = Target.getAsRegion() 1126 ->getAs<SubRegion>() 1127 ->StripCasts() 1128 ->getAs<SubRegion>(); 1129 } else { 1130 ElementCount = svalBuilder.makeIntVal(1, true); 1131 Region = Target.getAsRegion()->getAs<SubRegion>(); 1132 } 1133 assert(Region); 1134 1135 // Set the region's extent equal to the Size in Bytes. 1136 QualType ElementType = NE->getAllocatedType(); 1137 ASTContext &AstContext = C.getASTContext(); 1138 CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType); 1139 1140 if (ElementCount.getAs<NonLoc>()) { 1141 DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder); 1142 // size in Bytes = ElementCount*TypeSize 1143 SVal SizeInBytes = svalBuilder.evalBinOpNN( 1144 State, BO_Mul, ElementCount.castAs<NonLoc>(), 1145 svalBuilder.makeArrayIndex(TypeSize.getQuantity()), 1146 svalBuilder.getArrayIndexType()); 1147 DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ( 1148 State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>()); 1149 State = State->assume(extentMatchesSize, true); 1150 } 1151 return State; 1152 } 1153 1154 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 1155 CheckerContext &C) const { 1156 1157 if (!ChecksEnabled[CK_NewDeleteChecker]) 1158 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 1159 checkUseAfterFree(Sym, C, DE->getArgument()); 1160 1161 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 1162 return; 1163 1164 ProgramStateRef State = C.getState(); 1165 bool ReleasedAllocated; 1166 State = FreeMemAux(C, DE->getArgument(), DE, State, 1167 /*Hold*/false, ReleasedAllocated); 1168 1169 C.addTransition(State); 1170 } 1171 1172 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 1173 // If the first selector piece is one of the names below, assume that the 1174 // object takes ownership of the memory, promising to eventually deallocate it 1175 // with free(). 1176 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1177 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 1178 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 1179 return FirstSlot == "dataWithBytesNoCopy" || 1180 FirstSlot == "initWithBytesNoCopy" || 1181 FirstSlot == "initWithCharactersNoCopy"; 1182 } 1183 1184 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 1185 Selector S = Call.getSelector(); 1186 1187 // FIXME: We should not rely on fully-constrained symbols being folded. 1188 for (unsigned i = 1; i < S.getNumArgs(); ++i) 1189 if (S.getNameForSlot(i).equals("freeWhenDone")) 1190 return !Call.getArgSVal(i).isZeroConstant(); 1191 1192 return None; 1193 } 1194 1195 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 1196 CheckerContext &C) const { 1197 if (C.wasInlined) 1198 return; 1199 1200 if (!isKnownDeallocObjCMethodName(Call)) 1201 return; 1202 1203 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 1204 if (!*FreeWhenDone) 1205 return; 1206 1207 bool ReleasedAllocatedMemory; 1208 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 1209 Call.getOriginExpr(), C.getState(), 1210 /*Hold=*/true, ReleasedAllocatedMemory, 1211 /*ReturnsNullOnFailure=*/true); 1212 1213 C.addTransition(State); 1214 } 1215 1216 ProgramStateRef 1217 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, 1218 const OwnershipAttr *Att, 1219 ProgramStateRef State) const { 1220 if (!State) 1221 return nullptr; 1222 1223 if (Att->getModule() != II_malloc) 1224 return nullptr; 1225 1226 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 1227 if (I != E) { 1228 return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(), 1229 State); 1230 } 1231 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State); 1232 } 1233 1234 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1235 const CallExpr *CE, 1236 const Expr *SizeEx, SVal Init, 1237 ProgramStateRef State, 1238 AllocationFamily Family) { 1239 if (!State) 1240 return nullptr; 1241 1242 return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family); 1243 } 1244 1245 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1246 const CallExpr *CE, 1247 SVal Size, SVal Init, 1248 ProgramStateRef State, 1249 AllocationFamily Family) { 1250 if (!State) 1251 return nullptr; 1252 1253 // We expect the malloc functions to return a pointer. 1254 if (!Loc::isLocType(CE->getType())) 1255 return nullptr; 1256 1257 // Bind the return value to the symbolic value from the heap region. 1258 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 1259 // side effects other than what we model here. 1260 unsigned Count = C.blockCount(); 1261 SValBuilder &svalBuilder = C.getSValBuilder(); 1262 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 1263 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 1264 .castAs<DefinedSVal>(); 1265 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 1266 1267 // Fill the region with the initialization value. 1268 State = State->bindDefaultInitial(RetVal, Init, LCtx); 1269 1270 // Set the region's extent equal to the Size parameter. 1271 const SymbolicRegion *R = 1272 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 1273 if (!R) 1274 return nullptr; 1275 if (Optional<DefinedOrUnknownSVal> DefinedSize = 1276 Size.getAs<DefinedOrUnknownSVal>()) { 1277 SValBuilder &svalBuilder = C.getSValBuilder(); 1278 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 1279 DefinedOrUnknownSVal extentMatchesSize = 1280 svalBuilder.evalEQ(State, Extent, *DefinedSize); 1281 1282 State = State->assume(extentMatchesSize, true); 1283 assert(State); 1284 } 1285 1286 return MallocUpdateRefState(C, CE, State, Family); 1287 } 1288 1289 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 1290 const Expr *E, 1291 ProgramStateRef State, 1292 AllocationFamily Family, 1293 Optional<SVal> RetVal) { 1294 if (!State) 1295 return nullptr; 1296 1297 // Get the return value. 1298 if (!RetVal) 1299 RetVal = C.getSVal(E); 1300 1301 // We expect the malloc functions to return a pointer. 1302 if (!RetVal->getAs<Loc>()) 1303 return nullptr; 1304 1305 SymbolRef Sym = RetVal->getAsLocSymbol(); 1306 // This is a return value of a function that was not inlined, such as malloc() 1307 // or new(). We've checked that in the caller. Therefore, it must be a symbol. 1308 assert(Sym); 1309 1310 // Set the symbol's state to Allocated. 1311 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 1312 } 1313 1314 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 1315 const CallExpr *CE, 1316 const OwnershipAttr *Att, 1317 ProgramStateRef State) const { 1318 if (!State) 1319 return nullptr; 1320 1321 if (Att->getModule() != II_malloc) 1322 return nullptr; 1323 1324 bool ReleasedAllocated = false; 1325 1326 for (const auto &Arg : Att->args()) { 1327 ProgramStateRef StateI = FreeMemAux( 1328 C, CE, State, Arg.getASTIndex(), 1329 Att->getOwnKind() == OwnershipAttr::Holds, ReleasedAllocated); 1330 if (StateI) 1331 State = StateI; 1332 } 1333 return State; 1334 } 1335 1336 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1337 const CallExpr *CE, 1338 ProgramStateRef State, 1339 unsigned Num, 1340 bool Hold, 1341 bool &ReleasedAllocated, 1342 bool ReturnsNullOnFailure) const { 1343 if (!State) 1344 return nullptr; 1345 1346 if (CE->getNumArgs() < (Num + 1)) 1347 return nullptr; 1348 1349 return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, 1350 ReleasedAllocated, ReturnsNullOnFailure); 1351 } 1352 1353 /// Checks if the previous call to free on the given symbol failed - if free 1354 /// failed, returns true. Also, returns the corresponding return value symbol. 1355 static bool didPreviousFreeFail(ProgramStateRef State, 1356 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 1357 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 1358 if (Ret) { 1359 assert(*Ret && "We should not store the null return symbol"); 1360 ConstraintManager &CMgr = State->getConstraintManager(); 1361 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 1362 RetStatusSymbol = *Ret; 1363 return FreeFailed.isConstrainedTrue(); 1364 } 1365 return false; 1366 } 1367 1368 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 1369 const Stmt *S) const { 1370 if (!S) 1371 return AF_None; 1372 1373 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1374 const FunctionDecl *FD = C.getCalleeDecl(CE); 1375 1376 if (!FD) 1377 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 1378 1379 ASTContext &Ctx = C.getASTContext(); 1380 1381 if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any)) 1382 return AF_Malloc; 1383 1384 if (isStandardNewDelete(FD, Ctx)) { 1385 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 1386 if (Kind == OO_New || Kind == OO_Delete) 1387 return AF_CXXNew; 1388 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 1389 return AF_CXXNewArray; 1390 } 1391 1392 if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 1393 return AF_IfNameIndex; 1394 1395 if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any)) 1396 return AF_Alloca; 1397 1398 return AF_None; 1399 } 1400 1401 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 1402 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 1403 1404 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 1405 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 1406 1407 if (isa<ObjCMessageExpr>(S)) 1408 return AF_Malloc; 1409 1410 return AF_None; 1411 } 1412 1413 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 1414 const Expr *E) const { 1415 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1416 // FIXME: This doesn't handle indirect calls. 1417 const FunctionDecl *FD = CE->getDirectCallee(); 1418 if (!FD) 1419 return false; 1420 1421 os << *FD; 1422 if (!FD->isOverloadedOperator()) 1423 os << "()"; 1424 return true; 1425 } 1426 1427 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 1428 if (Msg->isInstanceMessage()) 1429 os << "-"; 1430 else 1431 os << "+"; 1432 Msg->getSelector().print(os); 1433 return true; 1434 } 1435 1436 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1437 os << "'" 1438 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 1439 << "'"; 1440 return true; 1441 } 1442 1443 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 1444 os << "'" 1445 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 1446 << "'"; 1447 return true; 1448 } 1449 1450 return false; 1451 } 1452 1453 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 1454 const Expr *E) const { 1455 AllocationFamily Family = getAllocationFamily(C, E); 1456 1457 switch(Family) { 1458 case AF_Malloc: os << "malloc()"; return; 1459 case AF_CXXNew: os << "'new'"; return; 1460 case AF_CXXNewArray: os << "'new[]'"; return; 1461 case AF_IfNameIndex: os << "'if_nameindex()'"; return; 1462 case AF_InnerBuffer: os << "container-specific allocator"; return; 1463 case AF_Alloca: 1464 case AF_None: llvm_unreachable("not a deallocation expression"); 1465 } 1466 } 1467 1468 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 1469 AllocationFamily Family) const { 1470 switch(Family) { 1471 case AF_Malloc: os << "free()"; return; 1472 case AF_CXXNew: os << "'delete'"; return; 1473 case AF_CXXNewArray: os << "'delete[]'"; return; 1474 case AF_IfNameIndex: os << "'if_freenameindex()'"; return; 1475 case AF_InnerBuffer: os << "container-specific deallocator"; return; 1476 case AF_Alloca: 1477 case AF_None: llvm_unreachable("suspicious argument"); 1478 } 1479 } 1480 1481 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1482 const Expr *ArgExpr, 1483 const Expr *ParentExpr, 1484 ProgramStateRef State, 1485 bool Hold, 1486 bool &ReleasedAllocated, 1487 bool ReturnsNullOnFailure) const { 1488 1489 if (!State) 1490 return nullptr; 1491 1492 SVal ArgVal = C.getSVal(ArgExpr); 1493 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 1494 return nullptr; 1495 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 1496 1497 // Check for null dereferences. 1498 if (!location.getAs<Loc>()) 1499 return nullptr; 1500 1501 // The explicit NULL case, no operation is performed. 1502 ProgramStateRef notNullState, nullState; 1503 std::tie(notNullState, nullState) = State->assume(location); 1504 if (nullState && !notNullState) 1505 return nullptr; 1506 1507 // Unknown values could easily be okay 1508 // Undefined values are handled elsewhere 1509 if (ArgVal.isUnknownOrUndef()) 1510 return nullptr; 1511 1512 const MemRegion *R = ArgVal.getAsRegion(); 1513 1514 // Nonlocs can't be freed, of course. 1515 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 1516 if (!R) { 1517 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1518 return nullptr; 1519 } 1520 1521 R = R->StripCasts(); 1522 1523 // Blocks might show up as heap data, but should not be free()d 1524 if (isa<BlockDataRegion>(R)) { 1525 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1526 return nullptr; 1527 } 1528 1529 const MemSpaceRegion *MS = R->getMemorySpace(); 1530 1531 // Parameters, locals, statics, globals, and memory returned by 1532 // __builtin_alloca() shouldn't be freed. 1533 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1534 // FIXME: at the time this code was written, malloc() regions were 1535 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1536 // This means that there isn't actually anything from HeapSpaceRegion 1537 // that should be freed, even though we allow it here. 1538 // Of course, free() can work on memory allocated outside the current 1539 // function, so UnknownSpaceRegion is always a possibility. 1540 // False negatives are better than false positives. 1541 1542 if (isa<AllocaRegion>(R)) 1543 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1544 else 1545 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1546 1547 return nullptr; 1548 } 1549 1550 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1551 // Various cases could lead to non-symbol values here. 1552 // For now, ignore them. 1553 if (!SrBase) 1554 return nullptr; 1555 1556 SymbolRef SymBase = SrBase->getSymbol(); 1557 const RefState *RsBase = State->get<RegionState>(SymBase); 1558 SymbolRef PreviousRetStatusSymbol = nullptr; 1559 1560 if (RsBase) { 1561 1562 // Memory returned by alloca() shouldn't be freed. 1563 if (RsBase->getAllocationFamily() == AF_Alloca) { 1564 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1565 return nullptr; 1566 } 1567 1568 // Check for double free first. 1569 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1570 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1571 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1572 SymBase, PreviousRetStatusSymbol); 1573 return nullptr; 1574 1575 // If the pointer is allocated or escaped, but we are now trying to free it, 1576 // check that the call to free is proper. 1577 } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() || 1578 RsBase->isEscaped()) { 1579 1580 // Check if an expected deallocation function matches the real one. 1581 bool DeallocMatchesAlloc = 1582 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1583 if (!DeallocMatchesAlloc) { 1584 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1585 ParentExpr, RsBase, SymBase, Hold); 1586 return nullptr; 1587 } 1588 1589 // Check if the memory location being freed is the actual location 1590 // allocated, or an offset. 1591 RegionOffset Offset = R->getAsOffset(); 1592 if (Offset.isValid() && 1593 !Offset.hasSymbolicOffset() && 1594 Offset.getOffset() != 0) { 1595 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1596 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1597 AllocExpr); 1598 return nullptr; 1599 } 1600 } 1601 } 1602 1603 if (SymBase->getType()->isFunctionPointerType()) { 1604 ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1605 return nullptr; 1606 } 1607 1608 ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() || 1609 RsBase->isAllocatedOfSizeZero()); 1610 1611 // Clean out the info on previous call to free return info. 1612 State = State->remove<FreeReturnValue>(SymBase); 1613 1614 // Keep track of the return value. If it is NULL, we will know that free 1615 // failed. 1616 if (ReturnsNullOnFailure) { 1617 SVal RetVal = C.getSVal(ParentExpr); 1618 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1619 if (RetStatusSymbol) { 1620 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1621 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1622 } 1623 } 1624 1625 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() 1626 : getAllocationFamily(C, ParentExpr); 1627 // Normal free. 1628 if (Hold) 1629 return State->set<RegionState>(SymBase, 1630 RefState::getRelinquished(Family, 1631 ParentExpr)); 1632 1633 return State->set<RegionState>(SymBase, 1634 RefState::getReleased(Family, ParentExpr)); 1635 } 1636 1637 Optional<MallocChecker::CheckKind> 1638 MallocChecker::getCheckIfTracked(AllocationFamily Family, 1639 bool IsALeakCheck) const { 1640 switch (Family) { 1641 case AF_Malloc: 1642 case AF_Alloca: 1643 case AF_IfNameIndex: { 1644 if (ChecksEnabled[CK_MallocChecker]) 1645 return CK_MallocChecker; 1646 return None; 1647 } 1648 case AF_CXXNew: 1649 case AF_CXXNewArray: { 1650 if (IsALeakCheck) { 1651 if (ChecksEnabled[CK_NewDeleteLeaksChecker]) 1652 return CK_NewDeleteLeaksChecker; 1653 } 1654 else { 1655 if (ChecksEnabled[CK_NewDeleteChecker]) 1656 return CK_NewDeleteChecker; 1657 } 1658 return None; 1659 } 1660 case AF_InnerBuffer: { 1661 if (ChecksEnabled[CK_InnerPointerChecker]) 1662 return CK_InnerPointerChecker; 1663 return None; 1664 } 1665 case AF_None: { 1666 llvm_unreachable("no family"); 1667 } 1668 } 1669 llvm_unreachable("unhandled family"); 1670 } 1671 1672 Optional<MallocChecker::CheckKind> 1673 MallocChecker::getCheckIfTracked(CheckerContext &C, 1674 const Stmt *AllocDeallocStmt, 1675 bool IsALeakCheck) const { 1676 return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt), 1677 IsALeakCheck); 1678 } 1679 1680 Optional<MallocChecker::CheckKind> 1681 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 1682 bool IsALeakCheck) const { 1683 if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) 1684 return CK_MallocChecker; 1685 1686 const RefState *RS = C.getState()->get<RegionState>(Sym); 1687 assert(RS); 1688 return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck); 1689 } 1690 1691 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1692 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1693 os << "an integer (" << IntVal->getValue() << ")"; 1694 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1695 os << "a constant address (" << ConstAddr->getValue() << ")"; 1696 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1697 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1698 else 1699 return false; 1700 1701 return true; 1702 } 1703 1704 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1705 const MemRegion *MR) { 1706 switch (MR->getKind()) { 1707 case MemRegion::FunctionCodeRegionKind: { 1708 const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl(); 1709 if (FD) 1710 os << "the address of the function '" << *FD << '\''; 1711 else 1712 os << "the address of a function"; 1713 return true; 1714 } 1715 case MemRegion::BlockCodeRegionKind: 1716 os << "block text"; 1717 return true; 1718 case MemRegion::BlockDataRegionKind: 1719 // FIXME: where the block came from? 1720 os << "a block"; 1721 return true; 1722 default: { 1723 const MemSpaceRegion *MS = MR->getMemorySpace(); 1724 1725 if (isa<StackLocalsSpaceRegion>(MS)) { 1726 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1727 const VarDecl *VD; 1728 if (VR) 1729 VD = VR->getDecl(); 1730 else 1731 VD = nullptr; 1732 1733 if (VD) 1734 os << "the address of the local variable '" << VD->getName() << "'"; 1735 else 1736 os << "the address of a local stack variable"; 1737 return true; 1738 } 1739 1740 if (isa<StackArgumentsSpaceRegion>(MS)) { 1741 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1742 const VarDecl *VD; 1743 if (VR) 1744 VD = VR->getDecl(); 1745 else 1746 VD = nullptr; 1747 1748 if (VD) 1749 os << "the address of the parameter '" << VD->getName() << "'"; 1750 else 1751 os << "the address of a parameter"; 1752 return true; 1753 } 1754 1755 if (isa<GlobalsSpaceRegion>(MS)) { 1756 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1757 const VarDecl *VD; 1758 if (VR) 1759 VD = VR->getDecl(); 1760 else 1761 VD = nullptr; 1762 1763 if (VD) { 1764 if (VD->isStaticLocal()) 1765 os << "the address of the static variable '" << VD->getName() << "'"; 1766 else 1767 os << "the address of the global variable '" << VD->getName() << "'"; 1768 } else 1769 os << "the address of a global variable"; 1770 return true; 1771 } 1772 1773 return false; 1774 } 1775 } 1776 } 1777 1778 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1779 SourceRange Range, 1780 const Expr *DeallocExpr) const { 1781 1782 if (!ChecksEnabled[CK_MallocChecker] && 1783 !ChecksEnabled[CK_NewDeleteChecker]) 1784 return; 1785 1786 Optional<MallocChecker::CheckKind> CheckKind = 1787 getCheckIfTracked(C, DeallocExpr); 1788 if (!CheckKind.hasValue()) 1789 return; 1790 1791 if (ExplodedNode *N = C.generateErrorNode()) { 1792 if (!BT_BadFree[*CheckKind]) 1793 BT_BadFree[*CheckKind].reset(new BugType( 1794 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 1795 1796 SmallString<100> buf; 1797 llvm::raw_svector_ostream os(buf); 1798 1799 const MemRegion *MR = ArgVal.getAsRegion(); 1800 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1801 MR = ER->getSuperRegion(); 1802 1803 os << "Argument to "; 1804 if (!printAllocDeallocName(os, C, DeallocExpr)) 1805 os << "deallocator"; 1806 1807 os << " is "; 1808 bool Summarized = MR ? SummarizeRegion(os, MR) 1809 : SummarizeValue(os, ArgVal); 1810 if (Summarized) 1811 os << ", which is not memory allocated by "; 1812 else 1813 os << "not memory allocated by "; 1814 1815 printExpectedAllocName(os, C, DeallocExpr); 1816 1817 auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], os.str(), N); 1818 R->markInteresting(MR); 1819 R->addRange(Range); 1820 C.emitReport(std::move(R)); 1821 } 1822 } 1823 1824 void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 1825 SourceRange Range) const { 1826 1827 Optional<MallocChecker::CheckKind> CheckKind; 1828 1829 if (ChecksEnabled[CK_MallocChecker]) 1830 CheckKind = CK_MallocChecker; 1831 else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1832 CheckKind = CK_MismatchedDeallocatorChecker; 1833 else 1834 return; 1835 1836 if (ExplodedNode *N = C.generateErrorNode()) { 1837 if (!BT_FreeAlloca[*CheckKind]) 1838 BT_FreeAlloca[*CheckKind].reset(new BugType( 1839 CheckNames[*CheckKind], "Free alloca()", categories::MemoryError)); 1840 1841 auto R = llvm::make_unique<BugReport>( 1842 *BT_FreeAlloca[*CheckKind], 1843 "Memory allocated by alloca() should not be deallocated", N); 1844 R->markInteresting(ArgVal.getAsRegion()); 1845 R->addRange(Range); 1846 C.emitReport(std::move(R)); 1847 } 1848 } 1849 1850 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1851 SourceRange Range, 1852 const Expr *DeallocExpr, 1853 const RefState *RS, 1854 SymbolRef Sym, 1855 bool OwnershipTransferred) const { 1856 1857 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1858 return; 1859 1860 if (ExplodedNode *N = C.generateErrorNode()) { 1861 if (!BT_MismatchedDealloc) 1862 BT_MismatchedDealloc.reset( 1863 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 1864 "Bad deallocator", categories::MemoryError)); 1865 1866 SmallString<100> buf; 1867 llvm::raw_svector_ostream os(buf); 1868 1869 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1870 SmallString<20> AllocBuf; 1871 llvm::raw_svector_ostream AllocOs(AllocBuf); 1872 SmallString<20> DeallocBuf; 1873 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1874 1875 if (OwnershipTransferred) { 1876 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1877 os << DeallocOs.str() << " cannot"; 1878 else 1879 os << "Cannot"; 1880 1881 os << " take ownership of memory"; 1882 1883 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1884 os << " allocated by " << AllocOs.str(); 1885 } else { 1886 os << "Memory"; 1887 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1888 os << " allocated by " << AllocOs.str(); 1889 1890 os << " should be deallocated by "; 1891 printExpectedDeallocName(os, RS->getAllocationFamily()); 1892 1893 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1894 os << ", not " << DeallocOs.str(); 1895 } 1896 1897 auto R = llvm::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N); 1898 R->markInteresting(Sym); 1899 R->addRange(Range); 1900 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1901 C.emitReport(std::move(R)); 1902 } 1903 } 1904 1905 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1906 SourceRange Range, const Expr *DeallocExpr, 1907 const Expr *AllocExpr) const { 1908 1909 1910 if (!ChecksEnabled[CK_MallocChecker] && 1911 !ChecksEnabled[CK_NewDeleteChecker]) 1912 return; 1913 1914 Optional<MallocChecker::CheckKind> CheckKind = 1915 getCheckIfTracked(C, AllocExpr); 1916 if (!CheckKind.hasValue()) 1917 return; 1918 1919 ExplodedNode *N = C.generateErrorNode(); 1920 if (!N) 1921 return; 1922 1923 if (!BT_OffsetFree[*CheckKind]) 1924 BT_OffsetFree[*CheckKind].reset(new BugType( 1925 CheckNames[*CheckKind], "Offset free", categories::MemoryError)); 1926 1927 SmallString<100> buf; 1928 llvm::raw_svector_ostream os(buf); 1929 SmallString<20> AllocNameBuf; 1930 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1931 1932 const MemRegion *MR = ArgVal.getAsRegion(); 1933 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1934 1935 RegionOffset Offset = MR->getAsOffset(); 1936 assert((Offset.isValid() && 1937 !Offset.hasSymbolicOffset() && 1938 Offset.getOffset() != 0) && 1939 "Only symbols with a valid offset can have offset free errors"); 1940 1941 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1942 1943 os << "Argument to "; 1944 if (!printAllocDeallocName(os, C, DeallocExpr)) 1945 os << "deallocator"; 1946 os << " is offset by " 1947 << offsetBytes 1948 << " " 1949 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1950 << " from the start of "; 1951 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1952 os << "memory allocated by " << AllocNameOs.str(); 1953 else 1954 os << "allocated memory"; 1955 1956 auto R = llvm::make_unique<BugReport>(*BT_OffsetFree[*CheckKind], os.str(), N); 1957 R->markInteresting(MR->getBaseRegion()); 1958 R->addRange(Range); 1959 C.emitReport(std::move(R)); 1960 } 1961 1962 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1963 SymbolRef Sym) const { 1964 1965 if (!ChecksEnabled[CK_MallocChecker] && 1966 !ChecksEnabled[CK_NewDeleteChecker] && 1967 !ChecksEnabled[CK_InnerPointerChecker]) 1968 return; 1969 1970 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1971 if (!CheckKind.hasValue()) 1972 return; 1973 1974 if (ExplodedNode *N = C.generateErrorNode()) { 1975 if (!BT_UseFree[*CheckKind]) 1976 BT_UseFree[*CheckKind].reset(new BugType( 1977 CheckNames[*CheckKind], "Use-after-free", categories::MemoryError)); 1978 1979 AllocationFamily AF = 1980 C.getState()->get<RegionState>(Sym)->getAllocationFamily(); 1981 1982 auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind], 1983 AF == AF_InnerBuffer 1984 ? "Inner pointer of container used after re/deallocation" 1985 : "Use of memory after it is freed", 1986 N); 1987 1988 R->markInteresting(Sym); 1989 R->addRange(Range); 1990 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1991 1992 if (AF == AF_InnerBuffer) 1993 R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym)); 1994 1995 C.emitReport(std::move(R)); 1996 } 1997 } 1998 1999 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 2000 bool Released, SymbolRef Sym, 2001 SymbolRef PrevSym) const { 2002 2003 if (!ChecksEnabled[CK_MallocChecker] && 2004 !ChecksEnabled[CK_NewDeleteChecker]) 2005 return; 2006 2007 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2008 if (!CheckKind.hasValue()) 2009 return; 2010 2011 if (ExplodedNode *N = C.generateErrorNode()) { 2012 if (!BT_DoubleFree[*CheckKind]) 2013 BT_DoubleFree[*CheckKind].reset(new BugType( 2014 CheckNames[*CheckKind], "Double free", categories::MemoryError)); 2015 2016 auto R = llvm::make_unique<BugReport>( 2017 *BT_DoubleFree[*CheckKind], 2018 (Released ? "Attempt to free released memory" 2019 : "Attempt to free non-owned memory"), 2020 N); 2021 R->addRange(Range); 2022 R->markInteresting(Sym); 2023 if (PrevSym) 2024 R->markInteresting(PrevSym); 2025 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 2026 C.emitReport(std::move(R)); 2027 } 2028 } 2029 2030 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 2031 2032 if (!ChecksEnabled[CK_NewDeleteChecker]) 2033 return; 2034 2035 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2036 if (!CheckKind.hasValue()) 2037 return; 2038 2039 if (ExplodedNode *N = C.generateErrorNode()) { 2040 if (!BT_DoubleDelete) 2041 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 2042 "Double delete", 2043 categories::MemoryError)); 2044 2045 auto R = llvm::make_unique<BugReport>( 2046 *BT_DoubleDelete, "Attempt to delete released memory", N); 2047 2048 R->markInteresting(Sym); 2049 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 2050 C.emitReport(std::move(R)); 2051 } 2052 } 2053 2054 void MallocChecker::ReportUseZeroAllocated(CheckerContext &C, 2055 SourceRange Range, 2056 SymbolRef Sym) const { 2057 2058 if (!ChecksEnabled[CK_MallocChecker] && 2059 !ChecksEnabled[CK_NewDeleteChecker]) 2060 return; 2061 2062 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2063 2064 if (!CheckKind.hasValue()) 2065 return; 2066 2067 if (ExplodedNode *N = C.generateErrorNode()) { 2068 if (!BT_UseZerroAllocated[*CheckKind]) 2069 BT_UseZerroAllocated[*CheckKind].reset( 2070 new BugType(CheckNames[*CheckKind], "Use of zero allocated", 2071 categories::MemoryError)); 2072 2073 auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind], 2074 "Use of zero-allocated memory", N); 2075 2076 R->addRange(Range); 2077 if (Sym) { 2078 R->markInteresting(Sym); 2079 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 2080 } 2081 C.emitReport(std::move(R)); 2082 } 2083 } 2084 2085 void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, 2086 SourceRange Range, 2087 const Expr *FreeExpr) const { 2088 if (!ChecksEnabled[CK_MallocChecker]) 2089 return; 2090 2091 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr); 2092 if (!CheckKind.hasValue()) 2093 return; 2094 2095 if (ExplodedNode *N = C.generateErrorNode()) { 2096 if (!BT_BadFree[*CheckKind]) 2097 BT_BadFree[*CheckKind].reset(new BugType( 2098 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 2099 2100 SmallString<100> Buf; 2101 llvm::raw_svector_ostream Os(Buf); 2102 2103 const MemRegion *MR = ArgVal.getAsRegion(); 2104 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 2105 MR = ER->getSuperRegion(); 2106 2107 Os << "Argument to "; 2108 if (!printAllocDeallocName(Os, C, FreeExpr)) 2109 Os << "deallocator"; 2110 2111 Os << " is a function pointer"; 2112 2113 auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], Os.str(), N); 2114 R->markInteresting(MR); 2115 R->addRange(Range); 2116 C.emitReport(std::move(R)); 2117 } 2118 } 2119 2120 ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C, 2121 const CallExpr *CE, 2122 bool FreesOnFail, 2123 ProgramStateRef State, 2124 bool SuffixWithN) const { 2125 if (!State) 2126 return nullptr; 2127 2128 if (SuffixWithN && CE->getNumArgs() < 3) 2129 return nullptr; 2130 else if (CE->getNumArgs() < 2) 2131 return nullptr; 2132 2133 const Expr *arg0Expr = CE->getArg(0); 2134 SVal Arg0Val = C.getSVal(arg0Expr); 2135 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 2136 return nullptr; 2137 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 2138 2139 SValBuilder &svalBuilder = C.getSValBuilder(); 2140 2141 DefinedOrUnknownSVal PtrEQ = 2142 svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull()); 2143 2144 // Get the size argument. 2145 const Expr *Arg1 = CE->getArg(1); 2146 2147 // Get the value of the size argument. 2148 SVal TotalSize = C.getSVal(Arg1); 2149 if (SuffixWithN) 2150 TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2)); 2151 if (!TotalSize.getAs<DefinedOrUnknownSVal>()) 2152 return nullptr; 2153 2154 // Compare the size argument to 0. 2155 DefinedOrUnknownSVal SizeZero = 2156 svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(), 2157 svalBuilder.makeIntValWithPtrWidth(0, false)); 2158 2159 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 2160 std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); 2161 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 2162 std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); 2163 // We only assume exceptional states if they are definitely true; if the 2164 // state is under-constrained, assume regular realloc behavior. 2165 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 2166 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 2167 2168 // If the ptr is NULL and the size is not 0, the call is equivalent to 2169 // malloc(size). 2170 if (PrtIsNull && !SizeIsZero) { 2171 ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize, 2172 UndefinedVal(), StatePtrIsNull); 2173 return stateMalloc; 2174 } 2175 2176 if (PrtIsNull && SizeIsZero) 2177 return State; 2178 2179 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 2180 assert(!PrtIsNull); 2181 SymbolRef FromPtr = arg0Val.getAsSymbol(); 2182 SVal RetVal = C.getSVal(CE); 2183 SymbolRef ToPtr = RetVal.getAsSymbol(); 2184 if (!FromPtr || !ToPtr) 2185 return nullptr; 2186 2187 bool ReleasedAllocated = false; 2188 2189 // If the size is 0, free the memory. 2190 if (SizeIsZero) 2191 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 2192 false, ReleasedAllocated)){ 2193 // The semantics of the return value are: 2194 // If size was equal to 0, either NULL or a pointer suitable to be passed 2195 // to free() is returned. We just free the input pointer and do not add 2196 // any constrains on the output pointer. 2197 return stateFree; 2198 } 2199 2200 // Default behavior. 2201 if (ProgramStateRef stateFree = 2202 FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) { 2203 2204 ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize, 2205 UnknownVal(), stateFree); 2206 if (!stateRealloc) 2207 return nullptr; 2208 2209 ReallocPairKind Kind = RPToBeFreedAfterFailure; 2210 if (FreesOnFail) 2211 Kind = RPIsFreeOnFailure; 2212 else if (!ReleasedAllocated) 2213 Kind = RPDoNotTrackAfterFailure; 2214 2215 // Record the info about the reallocated symbol so that we could properly 2216 // process failed reallocation. 2217 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 2218 ReallocPair(FromPtr, Kind)); 2219 // The reallocated symbol should stay alive for as long as the new symbol. 2220 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 2221 return stateRealloc; 2222 } 2223 return nullptr; 2224 } 2225 2226 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE, 2227 ProgramStateRef State) { 2228 if (!State) 2229 return nullptr; 2230 2231 if (CE->getNumArgs() < 2) 2232 return nullptr; 2233 2234 SValBuilder &svalBuilder = C.getSValBuilder(); 2235 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 2236 SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); 2237 2238 return MallocMemAux(C, CE, TotalSize, zeroVal, State); 2239 } 2240 2241 LeakInfo 2242 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 2243 CheckerContext &C) const { 2244 const LocationContext *LeakContext = N->getLocationContext(); 2245 // Walk the ExplodedGraph backwards and find the first node that referred to 2246 // the tracked symbol. 2247 const ExplodedNode *AllocNode = N; 2248 const MemRegion *ReferenceRegion = nullptr; 2249 2250 while (N) { 2251 ProgramStateRef State = N->getState(); 2252 if (!State->get<RegionState>(Sym)) 2253 break; 2254 2255 // Find the most recent expression bound to the symbol in the current 2256 // context. 2257 if (!ReferenceRegion) { 2258 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 2259 SVal Val = State->getSVal(MR); 2260 if (Val.getAsLocSymbol() == Sym) { 2261 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); 2262 // Do not show local variables belonging to a function other than 2263 // where the error is reported. 2264 if (!VR || 2265 (VR->getStackFrame() == LeakContext->getStackFrame())) 2266 ReferenceRegion = MR; 2267 } 2268 } 2269 } 2270 2271 // Allocation node, is the last node in the current or parent context in 2272 // which the symbol was tracked. 2273 const LocationContext *NContext = N->getLocationContext(); 2274 if (NContext == LeakContext || 2275 NContext->isParentOf(LeakContext)) 2276 AllocNode = N; 2277 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 2278 } 2279 2280 return LeakInfo(AllocNode, ReferenceRegion); 2281 } 2282 2283 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 2284 CheckerContext &C) const { 2285 2286 if (!ChecksEnabled[CK_MallocChecker] && 2287 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 2288 return; 2289 2290 const RefState *RS = C.getState()->get<RegionState>(Sym); 2291 assert(RS && "cannot leak an untracked symbol"); 2292 AllocationFamily Family = RS->getAllocationFamily(); 2293 2294 if (Family == AF_Alloca) 2295 return; 2296 2297 Optional<MallocChecker::CheckKind> 2298 CheckKind = getCheckIfTracked(Family, true); 2299 2300 if (!CheckKind.hasValue()) 2301 return; 2302 2303 assert(N); 2304 if (!BT_Leak[*CheckKind]) { 2305 // Leaks should not be reported if they are post-dominated by a sink: 2306 // (1) Sinks are higher importance bugs. 2307 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 2308 // with __noreturn functions such as assert() or exit(). We choose not 2309 // to report leaks on such paths. 2310 BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak", 2311 categories::MemoryError, 2312 /*SuppressOnSink=*/true)); 2313 } 2314 2315 // Most bug reports are cached at the location where they occurred. 2316 // With leaks, we want to unique them by the location where they were 2317 // allocated, and only report a single path. 2318 PathDiagnosticLocation LocUsedForUniqueing; 2319 const ExplodedNode *AllocNode = nullptr; 2320 const MemRegion *Region = nullptr; 2321 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 2322 2323 const Stmt *AllocationStmt = PathDiagnosticLocation::getStmt(AllocNode); 2324 if (AllocationStmt) 2325 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 2326 C.getSourceManager(), 2327 AllocNode->getLocationContext()); 2328 2329 SmallString<200> buf; 2330 llvm::raw_svector_ostream os(buf); 2331 if (Region && Region->canPrintPretty()) { 2332 os << "Potential leak of memory pointed to by "; 2333 Region->printPretty(os); 2334 } else { 2335 os << "Potential memory leak"; 2336 } 2337 2338 auto R = llvm::make_unique<BugReport>( 2339 *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 2340 AllocNode->getLocationContext()->getDecl()); 2341 R->markInteresting(Sym); 2342 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true)); 2343 C.emitReport(std::move(R)); 2344 } 2345 2346 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 2347 CheckerContext &C) const 2348 { 2349 ProgramStateRef state = C.getState(); 2350 RegionStateTy OldRS = state->get<RegionState>(); 2351 RegionStateTy::Factory &F = state->get_context<RegionState>(); 2352 2353 RegionStateTy RS = OldRS; 2354 SmallVector<SymbolRef, 2> Errors; 2355 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2356 if (SymReaper.isDead(I->first)) { 2357 if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero()) 2358 Errors.push_back(I->first); 2359 // Remove the dead symbol from the map. 2360 RS = F.remove(RS, I->first); 2361 } 2362 } 2363 2364 if (RS == OldRS) { 2365 // We shouldn't have touched other maps yet. 2366 assert(state->get<ReallocPairs>() == 2367 C.getState()->get<ReallocPairs>()); 2368 assert(state->get<FreeReturnValue>() == 2369 C.getState()->get<FreeReturnValue>()); 2370 return; 2371 } 2372 2373 // Cleanup the Realloc Pairs Map. 2374 ReallocPairsTy RP = state->get<ReallocPairs>(); 2375 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2376 if (SymReaper.isDead(I->first) || 2377 SymReaper.isDead(I->second.ReallocatedSym)) { 2378 state = state->remove<ReallocPairs>(I->first); 2379 } 2380 } 2381 2382 // Cleanup the FreeReturnValue Map. 2383 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 2384 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 2385 if (SymReaper.isDead(I->first) || 2386 SymReaper.isDead(I->second)) { 2387 state = state->remove<FreeReturnValue>(I->first); 2388 } 2389 } 2390 2391 // Generate leak node. 2392 ExplodedNode *N = C.getPredecessor(); 2393 if (!Errors.empty()) { 2394 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 2395 N = C.generateNonFatalErrorNode(C.getState(), &Tag); 2396 if (N) { 2397 for (SmallVectorImpl<SymbolRef>::iterator 2398 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 2399 reportLeak(*I, N, C); 2400 } 2401 } 2402 } 2403 2404 C.addTransition(state->set<RegionState>(RS), N); 2405 } 2406 2407 void MallocChecker::checkPreCall(const CallEvent &Call, 2408 CheckerContext &C) const { 2409 2410 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { 2411 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 2412 if (!Sym || checkDoubleDelete(Sym, C)) 2413 return; 2414 } 2415 2416 // We will check for double free in the post visit. 2417 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 2418 const FunctionDecl *FD = FC->getDecl(); 2419 if (!FD) 2420 return; 2421 2422 ASTContext &Ctx = C.getASTContext(); 2423 if (ChecksEnabled[CK_MallocChecker] && 2424 (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) || 2425 isCMemFunction(FD, Ctx, AF_IfNameIndex, 2426 MemoryOperationKind::MOK_Free))) 2427 return; 2428 } 2429 2430 // Check if the callee of a method is deleted. 2431 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 2432 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 2433 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 2434 return; 2435 } 2436 2437 // Check arguments for being used after free. 2438 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 2439 SVal ArgSVal = Call.getArgSVal(I); 2440 if (ArgSVal.getAs<Loc>()) { 2441 SymbolRef Sym = ArgSVal.getAsSymbol(); 2442 if (!Sym) 2443 continue; 2444 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 2445 return; 2446 } 2447 } 2448 } 2449 2450 void MallocChecker::checkPreStmt(const ReturnStmt *S, 2451 CheckerContext &C) const { 2452 checkEscapeOnReturn(S, C); 2453 } 2454 2455 // In the CFG, automatic destructors come after the return statement. 2456 // This callback checks for returning memory that is freed by automatic 2457 // destructors, as those cannot be reached in checkPreStmt(). 2458 void MallocChecker::checkEndFunction(const ReturnStmt *S, 2459 CheckerContext &C) const { 2460 checkEscapeOnReturn(S, C); 2461 } 2462 2463 void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S, 2464 CheckerContext &C) const { 2465 if (!S) 2466 return; 2467 2468 const Expr *E = S->getRetValue(); 2469 if (!E) 2470 return; 2471 2472 // Check if we are returning a symbol. 2473 ProgramStateRef State = C.getState(); 2474 SVal RetVal = C.getSVal(E); 2475 SymbolRef Sym = RetVal.getAsSymbol(); 2476 if (!Sym) 2477 // If we are returning a field of the allocated struct or an array element, 2478 // the callee could still free the memory. 2479 // TODO: This logic should be a part of generic symbol escape callback. 2480 if (const MemRegion *MR = RetVal.getAsRegion()) 2481 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 2482 if (const SymbolicRegion *BMR = 2483 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 2484 Sym = BMR->getSymbol(); 2485 2486 // Check if we are returning freed memory. 2487 if (Sym) 2488 checkUseAfterFree(Sym, C, E); 2489 } 2490 2491 // TODO: Blocks should be either inlined or should call invalidate regions 2492 // upon invocation. After that's in place, special casing here will not be 2493 // needed. 2494 void MallocChecker::checkPostStmt(const BlockExpr *BE, 2495 CheckerContext &C) const { 2496 2497 // Scan the BlockDecRefExprs for any object the retain count checker 2498 // may be tracking. 2499 if (!BE->getBlockDecl()->hasCaptures()) 2500 return; 2501 2502 ProgramStateRef state = C.getState(); 2503 const BlockDataRegion *R = 2504 cast<BlockDataRegion>(C.getSVal(BE).getAsRegion()); 2505 2506 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2507 E = R->referenced_vars_end(); 2508 2509 if (I == E) 2510 return; 2511 2512 SmallVector<const MemRegion*, 10> Regions; 2513 const LocationContext *LC = C.getLocationContext(); 2514 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2515 2516 for ( ; I != E; ++I) { 2517 const VarRegion *VR = I.getCapturedRegion(); 2518 if (VR->getSuperRegion() == R) { 2519 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2520 } 2521 Regions.push_back(VR); 2522 } 2523 2524 state = 2525 state->scanReachableSymbols<StopTrackingCallback>(Regions).getState(); 2526 C.addTransition(state); 2527 } 2528 2529 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 2530 assert(Sym); 2531 const RefState *RS = C.getState()->get<RegionState>(Sym); 2532 return (RS && RS->isReleased()); 2533 } 2534 2535 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 2536 const Stmt *S) const { 2537 2538 if (isReleased(Sym, C)) { 2539 ReportUseAfterFree(C, S->getSourceRange(), Sym); 2540 return true; 2541 } 2542 2543 return false; 2544 } 2545 2546 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 2547 const Stmt *S) const { 2548 assert(Sym); 2549 2550 if (const RefState *RS = C.getState()->get<RegionState>(Sym)) { 2551 if (RS->isAllocatedOfSizeZero()) 2552 ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym); 2553 } 2554 else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) { 2555 ReportUseZeroAllocated(C, S->getSourceRange(), Sym); 2556 } 2557 } 2558 2559 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 2560 2561 if (isReleased(Sym, C)) { 2562 ReportDoubleDelete(C, Sym); 2563 return true; 2564 } 2565 return false; 2566 } 2567 2568 // Check if the location is a freed symbolic region. 2569 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 2570 CheckerContext &C) const { 2571 SymbolRef Sym = l.getLocSymbolInBase(); 2572 if (Sym) { 2573 checkUseAfterFree(Sym, C, S); 2574 checkUseZeroAllocated(Sym, C, S); 2575 } 2576 } 2577 2578 // If a symbolic region is assumed to NULL (or another constant), stop tracking 2579 // it - assuming that allocation failed on this path. 2580 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 2581 SVal Cond, 2582 bool Assumption) const { 2583 RegionStateTy RS = state->get<RegionState>(); 2584 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2585 // If the symbol is assumed to be NULL, remove it from consideration. 2586 ConstraintManager &CMgr = state->getConstraintManager(); 2587 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2588 if (AllocFailed.isConstrainedTrue()) 2589 state = state->remove<RegionState>(I.getKey()); 2590 } 2591 2592 // Realloc returns 0 when reallocation fails, which means that we should 2593 // restore the state of the pointer being reallocated. 2594 ReallocPairsTy RP = state->get<ReallocPairs>(); 2595 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2596 // If the symbol is assumed to be NULL, remove it from consideration. 2597 ConstraintManager &CMgr = state->getConstraintManager(); 2598 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2599 if (!AllocFailed.isConstrainedTrue()) 2600 continue; 2601 2602 SymbolRef ReallocSym = I.getData().ReallocatedSym; 2603 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 2604 if (RS->isReleased()) { 2605 if (I.getData().Kind == RPToBeFreedAfterFailure) 2606 state = state->set<RegionState>(ReallocSym, 2607 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 2608 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 2609 state = state->remove<RegionState>(ReallocSym); 2610 else 2611 assert(I.getData().Kind == RPIsFreeOnFailure); 2612 } 2613 } 2614 state = state->remove<ReallocPairs>(I.getKey()); 2615 } 2616 2617 return state; 2618 } 2619 2620 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 2621 const CallEvent *Call, 2622 ProgramStateRef State, 2623 SymbolRef &EscapingSymbol) const { 2624 assert(Call); 2625 EscapingSymbol = nullptr; 2626 2627 // For now, assume that any C++ or block call can free memory. 2628 // TODO: If we want to be more optimistic here, we'll need to make sure that 2629 // regions escape to C++ containers. They seem to do that even now, but for 2630 // mysterious reasons. 2631 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 2632 return true; 2633 2634 // Check Objective-C messages by selector name. 2635 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 2636 // If it's not a framework call, or if it takes a callback, assume it 2637 // can free memory. 2638 if (!Call->isInSystemHeader() || Call->argumentsMayEscape()) 2639 return true; 2640 2641 // If it's a method we know about, handle it explicitly post-call. 2642 // This should happen before the "freeWhenDone" check below. 2643 if (isKnownDeallocObjCMethodName(*Msg)) 2644 return false; 2645 2646 // If there's a "freeWhenDone" parameter, but the method isn't one we know 2647 // about, we can't be sure that the object will use free() to deallocate the 2648 // memory, so we can't model it explicitly. The best we can do is use it to 2649 // decide whether the pointer escapes. 2650 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 2651 return *FreeWhenDone; 2652 2653 // If the first selector piece ends with "NoCopy", and there is no 2654 // "freeWhenDone" parameter set to zero, we know ownership is being 2655 // transferred. Again, though, we can't be sure that the object will use 2656 // free() to deallocate the memory, so we can't model it explicitly. 2657 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 2658 if (FirstSlot.endswith("NoCopy")) 2659 return true; 2660 2661 // If the first selector starts with addPointer, insertPointer, 2662 // or replacePointer, assume we are dealing with NSPointerArray or similar. 2663 // This is similar to C++ containers (vector); we still might want to check 2664 // that the pointers get freed by following the container itself. 2665 if (FirstSlot.startswith("addPointer") || 2666 FirstSlot.startswith("insertPointer") || 2667 FirstSlot.startswith("replacePointer") || 2668 FirstSlot.equals("valueWithPointer")) { 2669 return true; 2670 } 2671 2672 // We should escape receiver on call to 'init'. This is especially relevant 2673 // to the receiver, as the corresponding symbol is usually not referenced 2674 // after the call. 2675 if (Msg->getMethodFamily() == OMF_init) { 2676 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 2677 return true; 2678 } 2679 2680 // Otherwise, assume that the method does not free memory. 2681 // Most framework methods do not free memory. 2682 return false; 2683 } 2684 2685 // At this point the only thing left to handle is straight function calls. 2686 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 2687 if (!FD) 2688 return true; 2689 2690 ASTContext &ASTC = State->getStateManager().getContext(); 2691 2692 // If it's one of the allocation functions we can reason about, we model 2693 // its behavior explicitly. 2694 if (isMemFunction(FD, ASTC)) 2695 return false; 2696 2697 // If it's not a system call, assume it frees memory. 2698 if (!Call->isInSystemHeader()) 2699 return true; 2700 2701 // White list the system functions whose arguments escape. 2702 const IdentifierInfo *II = FD->getIdentifier(); 2703 if (!II) 2704 return true; 2705 StringRef FName = II->getName(); 2706 2707 // White list the 'XXXNoCopy' CoreFoundation functions. 2708 // We specifically check these before 2709 if (FName.endswith("NoCopy")) { 2710 // Look for the deallocator argument. We know that the memory ownership 2711 // is not transferred only if the deallocator argument is 2712 // 'kCFAllocatorNull'. 2713 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 2714 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 2715 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 2716 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 2717 if (DeallocatorName == "kCFAllocatorNull") 2718 return false; 2719 } 2720 } 2721 return true; 2722 } 2723 2724 // Associating streams with malloced buffers. The pointer can escape if 2725 // 'closefn' is specified (and if that function does free memory), 2726 // but it will not if closefn is not specified. 2727 // Currently, we do not inspect the 'closefn' function (PR12101). 2728 if (FName == "funopen") 2729 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 2730 return false; 2731 2732 // Do not warn on pointers passed to 'setbuf' when used with std streams, 2733 // these leaks might be intentional when setting the buffer for stdio. 2734 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 2735 if (FName == "setbuf" || FName =="setbuffer" || 2736 FName == "setlinebuf" || FName == "setvbuf") { 2737 if (Call->getNumArgs() >= 1) { 2738 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 2739 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 2740 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 2741 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 2742 return true; 2743 } 2744 } 2745 2746 // A bunch of other functions which either take ownership of a pointer or 2747 // wrap the result up in a struct or object, meaning it can be freed later. 2748 // (See RetainCountChecker.) Not all the parameters here are invalidated, 2749 // but the Malloc checker cannot differentiate between them. The right way 2750 // of doing this would be to implement a pointer escapes callback. 2751 if (FName == "CGBitmapContextCreate" || 2752 FName == "CGBitmapContextCreateWithData" || 2753 FName == "CVPixelBufferCreateWithBytes" || 2754 FName == "CVPixelBufferCreateWithPlanarBytes" || 2755 FName == "OSAtomicEnqueue") { 2756 return true; 2757 } 2758 2759 if (FName == "postEvent" && 2760 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 2761 return true; 2762 } 2763 2764 if (FName == "postEvent" && 2765 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 2766 return true; 2767 } 2768 2769 if (FName == "connectImpl" && 2770 FD->getQualifiedNameAsString() == "QObject::connectImpl") { 2771 return true; 2772 } 2773 2774 // Handle cases where we know a buffer's /address/ can escape. 2775 // Note that the above checks handle some special cases where we know that 2776 // even though the address escapes, it's still our responsibility to free the 2777 // buffer. 2778 if (Call->argumentsMayEscape()) 2779 return true; 2780 2781 // Otherwise, assume that the function does not free memory. 2782 // Most system calls do not free the memory. 2783 return false; 2784 } 2785 2786 static bool retTrue(const RefState *RS) { 2787 return true; 2788 } 2789 2790 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2791 return (RS->getAllocationFamily() == AF_CXXNewArray || 2792 RS->getAllocationFamily() == AF_CXXNew); 2793 } 2794 2795 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2796 const InvalidatedSymbols &Escaped, 2797 const CallEvent *Call, 2798 PointerEscapeKind Kind) const { 2799 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 2800 } 2801 2802 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2803 const InvalidatedSymbols &Escaped, 2804 const CallEvent *Call, 2805 PointerEscapeKind Kind) const { 2806 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2807 &checkIfNewOrNewArrayFamily); 2808 } 2809 2810 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 2811 const InvalidatedSymbols &Escaped, 2812 const CallEvent *Call, 2813 PointerEscapeKind Kind, 2814 bool(*CheckRefState)(const RefState*)) const { 2815 // If we know that the call does not free memory, or we want to process the 2816 // call later, keep tracking the top level arguments. 2817 SymbolRef EscapingSymbol = nullptr; 2818 if (Kind == PSK_DirectEscapeOnCall && 2819 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 2820 EscapingSymbol) && 2821 !EscapingSymbol) { 2822 return State; 2823 } 2824 2825 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 2826 E = Escaped.end(); 2827 I != E; ++I) { 2828 SymbolRef sym = *I; 2829 2830 if (EscapingSymbol && EscapingSymbol != sym) 2831 continue; 2832 2833 if (const RefState *RS = State->get<RegionState>(sym)) { 2834 if ((RS->isAllocated() || RS->isAllocatedOfSizeZero()) && 2835 CheckRefState(RS)) { 2836 State = State->remove<RegionState>(sym); 2837 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 2838 } 2839 } 2840 } 2841 return State; 2842 } 2843 2844 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2845 ProgramStateRef prevState) { 2846 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2847 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2848 2849 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2850 I != E; ++I) { 2851 SymbolRef sym = I.getKey(); 2852 if (!currMap.lookup(sym)) 2853 return sym; 2854 } 2855 2856 return nullptr; 2857 } 2858 2859 static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) { 2860 if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) { 2861 StringRef N = II->getName(); 2862 if (N.contains_lower("ptr") || N.contains_lower("pointer")) { 2863 if (N.contains_lower("ref") || N.contains_lower("cnt") || 2864 N.contains_lower("intrusive") || N.contains_lower("shared")) { 2865 return true; 2866 } 2867 } 2868 } 2869 return false; 2870 } 2871 2872 std::shared_ptr<PathDiagnosticPiece> MallocChecker::MallocBugVisitor::VisitNode( 2873 const ExplodedNode *N, BugReporterContext &BRC, BugReport &BR) { 2874 2875 ProgramStateRef state = N->getState(); 2876 ProgramStateRef statePrev = N->getFirstPred()->getState(); 2877 2878 const RefState *RS = state->get<RegionState>(Sym); 2879 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2880 2881 const Stmt *S = PathDiagnosticLocation::getStmt(N); 2882 // When dealing with containers, we sometimes want to give a note 2883 // even if the statement is missing. 2884 if (!S && (!RS || RS->getAllocationFamily() != AF_InnerBuffer)) 2885 return nullptr; 2886 2887 const LocationContext *CurrentLC = N->getLocationContext(); 2888 2889 // If we find an atomic fetch_add or fetch_sub within the destructor in which 2890 // the pointer was released (before the release), this is likely a destructor 2891 // of a shared pointer. 2892 // Because we don't model atomics, and also because we don't know that the 2893 // original reference count is positive, we should not report use-after-frees 2894 // on objects deleted in such destructors. This can probably be improved 2895 // through better shared pointer modeling. 2896 if (ReleaseDestructorLC) { 2897 if (const auto *AE = dyn_cast<AtomicExpr>(S)) { 2898 AtomicExpr::AtomicOp Op = AE->getOp(); 2899 if (Op == AtomicExpr::AO__c11_atomic_fetch_add || 2900 Op == AtomicExpr::AO__c11_atomic_fetch_sub) { 2901 if (ReleaseDestructorLC == CurrentLC || 2902 ReleaseDestructorLC->isParentOf(CurrentLC)) { 2903 BR.markInvalid(getTag(), S); 2904 } 2905 } 2906 } 2907 } 2908 2909 // FIXME: We will eventually need to handle non-statement-based events 2910 // (__attribute__((cleanup))). 2911 2912 // Find out if this is an interesting point and what is the kind. 2913 StringRef Msg; 2914 StackHintGeneratorForSymbol *StackHint = nullptr; 2915 SmallString<256> Buf; 2916 llvm::raw_svector_ostream OS(Buf); 2917 2918 if (Mode == Normal) { 2919 if (isAllocated(RS, RSPrev, S)) { 2920 Msg = "Memory is allocated"; 2921 StackHint = new StackHintGeneratorForSymbol(Sym, 2922 "Returned allocated memory"); 2923 } else if (isReleased(RS, RSPrev, S)) { 2924 const auto Family = RS->getAllocationFamily(); 2925 switch (Family) { 2926 case AF_Alloca: 2927 case AF_Malloc: 2928 case AF_CXXNew: 2929 case AF_CXXNewArray: 2930 case AF_IfNameIndex: 2931 Msg = "Memory is released"; 2932 StackHint = new StackHintGeneratorForSymbol(Sym, 2933 "Returning; memory was released"); 2934 break; 2935 case AF_InnerBuffer: { 2936 const MemRegion *ObjRegion = 2937 allocation_state::getContainerObjRegion(statePrev, Sym); 2938 const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion); 2939 QualType ObjTy = TypedRegion->getValueType(); 2940 OS << "Inner buffer of '" << ObjTy.getAsString() << "' "; 2941 2942 if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) { 2943 OS << "deallocated by call to destructor"; 2944 StackHint = new StackHintGeneratorForSymbol(Sym, 2945 "Returning; inner buffer was deallocated"); 2946 } else { 2947 OS << "reallocated by call to '"; 2948 const Stmt *S = RS->getStmt(); 2949 if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) { 2950 OS << MemCallE->getMethodDecl()->getNameAsString(); 2951 } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) { 2952 OS << OpCallE->getDirectCallee()->getNameAsString(); 2953 } else if (const auto *CallE = dyn_cast<CallExpr>(S)) { 2954 auto &CEMgr = BRC.getStateManager().getCallEventManager(); 2955 CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC); 2956 const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl()); 2957 OS << (D ? D->getNameAsString() : "unknown"); 2958 } 2959 OS << "'"; 2960 StackHint = new StackHintGeneratorForSymbol(Sym, 2961 "Returning; inner buffer was reallocated"); 2962 } 2963 Msg = OS.str(); 2964 break; 2965 } 2966 case AF_None: 2967 llvm_unreachable("Unhandled allocation family!"); 2968 } 2969 2970 // See if we're releasing memory while inlining a destructor 2971 // (or one of its callees). This turns on various common 2972 // false positive suppressions. 2973 bool FoundAnyDestructor = false; 2974 for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) { 2975 if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) { 2976 if (isReferenceCountingPointerDestructor(DD)) { 2977 // This immediately looks like a reference-counting destructor. 2978 // We're bad at guessing the original reference count of the object, 2979 // so suppress the report for now. 2980 BR.markInvalid(getTag(), DD); 2981 } else if (!FoundAnyDestructor) { 2982 assert(!ReleaseDestructorLC && 2983 "There can be only one release point!"); 2984 // Suspect that it's a reference counting pointer destructor. 2985 // On one of the next nodes might find out that it has atomic 2986 // reference counting operations within it (see the code above), 2987 // and if so, we'd conclude that it likely is a reference counting 2988 // pointer destructor. 2989 ReleaseDestructorLC = LC->getStackFrame(); 2990 // It is unlikely that releasing memory is delegated to a destructor 2991 // inside a destructor of a shared pointer, because it's fairly hard 2992 // to pass the information that the pointer indeed needs to be 2993 // released into it. So we're only interested in the innermost 2994 // destructor. 2995 FoundAnyDestructor = true; 2996 } 2997 } 2998 } 2999 } else if (isRelinquished(RS, RSPrev, S)) { 3000 Msg = "Memory ownership is transferred"; 3001 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 3002 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 3003 Mode = ReallocationFailed; 3004 Msg = "Reallocation failed"; 3005 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 3006 "Reallocation failed"); 3007 3008 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 3009 // Is it possible to fail two reallocs WITHOUT testing in between? 3010 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 3011 "We only support one failed realloc at a time."); 3012 BR.markInteresting(sym); 3013 FailedReallocSymbol = sym; 3014 } 3015 } 3016 3017 // We are in a special mode if a reallocation failed later in the path. 3018 } else if (Mode == ReallocationFailed) { 3019 assert(FailedReallocSymbol && "No symbol to look for."); 3020 3021 // Is this is the first appearance of the reallocated symbol? 3022 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 3023 // We're at the reallocation point. 3024 Msg = "Attempt to reallocate memory"; 3025 StackHint = new StackHintGeneratorForSymbol(Sym, 3026 "Returned reallocated memory"); 3027 FailedReallocSymbol = nullptr; 3028 Mode = Normal; 3029 } 3030 } 3031 3032 if (Msg.empty()) 3033 return nullptr; 3034 assert(StackHint); 3035 3036 // Generate the extra diagnostic. 3037 PathDiagnosticLocation Pos; 3038 if (!S) { 3039 assert(RS->getAllocationFamily() == AF_InnerBuffer); 3040 auto PostImplCall = N->getLocation().getAs<PostImplicitCall>(); 3041 if (!PostImplCall) 3042 return nullptr; 3043 Pos = PathDiagnosticLocation(PostImplCall->getLocation(), 3044 BRC.getSourceManager()); 3045 } else { 3046 Pos = PathDiagnosticLocation(S, BRC.getSourceManager(), 3047 N->getLocationContext()); 3048 } 3049 3050 return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true, StackHint); 3051 } 3052 3053 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 3054 const char *NL, const char *Sep) const { 3055 3056 RegionStateTy RS = State->get<RegionState>(); 3057 3058 if (!RS.isEmpty()) { 3059 Out << Sep << "MallocChecker :" << NL; 3060 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 3061 const RefState *RefS = State->get<RegionState>(I.getKey()); 3062 AllocationFamily Family = RefS->getAllocationFamily(); 3063 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 3064 if (!CheckKind.hasValue()) 3065 CheckKind = getCheckIfTracked(Family, true); 3066 3067 I.getKey()->dumpToStream(Out); 3068 Out << " : "; 3069 I.getData().dump(Out); 3070 if (CheckKind.hasValue()) 3071 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 3072 Out << NL; 3073 } 3074 } 3075 } 3076 3077 namespace clang { 3078 namespace ento { 3079 namespace allocation_state { 3080 3081 ProgramStateRef 3082 markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) { 3083 AllocationFamily Family = AF_InnerBuffer; 3084 return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin)); 3085 } 3086 3087 } // end namespace allocation_state 3088 } // end namespace ento 3089 } // end namespace clang 3090 3091 // Intended to be used in InnerPointerChecker to register the part of 3092 // MallocChecker connected to it. 3093 void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) { 3094 MallocChecker *checker = mgr.getChecker<MallocChecker>(); 3095 checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true; 3096 checker->CheckNames[MallocChecker::CK_InnerPointerChecker] = 3097 mgr.getCurrentCheckName(); 3098 } 3099 3100 void ento::registerDynamicMemoryModeling(CheckerManager &mgr) { 3101 auto *checker = mgr.registerChecker<MallocChecker>(); 3102 checker->IsOptimistic = mgr.getAnalyzerOptions().getCheckerBooleanOption( 3103 checker, "Optimistic"); 3104 } 3105 3106 bool ento::shouldRegisterDynamicMemoryModeling(const LangOptions &LO) { 3107 return true; 3108 } 3109 3110 #define REGISTER_CHECKER(name) \ 3111 void ento::register##name(CheckerManager &mgr) { \ 3112 MallocChecker *checker = mgr.getChecker<MallocChecker>(); \ 3113 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 3114 checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \ 3115 } \ 3116 \ 3117 bool ento::shouldRegister##name(const LangOptions &LO) { \ 3118 return true; \ 3119 } 3120 3121 REGISTER_CHECKER(MallocChecker) 3122 REGISTER_CHECKER(NewDeleteChecker) 3123 REGISTER_CHECKER(NewDeleteLeaksChecker) 3124 REGISTER_CHECKER(MismatchedDeallocatorChecker) 3125