1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/StaticAnalyzer/Core/Checker.h" 18 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 20 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 21 #include "clang/StaticAnalyzer/Core/PathSensitive/ObjCMessage.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 25 #include "clang/Basic/SourceManager.h" 26 #include "llvm/ADT/ImmutableMap.h" 27 #include "llvm/ADT/SmallString.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include <climits> 30 31 using namespace clang; 32 using namespace ento; 33 34 namespace { 35 36 class RefState { 37 enum Kind { AllocateUnchecked, AllocateFailed, Released, Escaped, 38 Relinquished } K; 39 const Stmt *S; 40 41 public: 42 RefState(Kind k, const Stmt *s) : K(k), S(s) {} 43 44 bool isAllocated() const { return K == AllocateUnchecked; } 45 bool isReleased() const { return K == Released; } 46 47 const Stmt *getStmt() const { return S; } 48 49 bool operator==(const RefState &X) const { 50 return K == X.K && S == X.S; 51 } 52 53 static RefState getAllocateUnchecked(const Stmt *s) { 54 return RefState(AllocateUnchecked, s); 55 } 56 static RefState getAllocateFailed() { 57 return RefState(AllocateFailed, 0); 58 } 59 static RefState getReleased(const Stmt *s) { return RefState(Released, s); } 60 static RefState getEscaped(const Stmt *s) { return RefState(Escaped, s); } 61 static RefState getRelinquished(const Stmt *s) { 62 return RefState(Relinquished, s); 63 } 64 65 void Profile(llvm::FoldingSetNodeID &ID) const { 66 ID.AddInteger(K); 67 ID.AddPointer(S); 68 } 69 }; 70 71 struct ReallocPair { 72 SymbolRef ReallocatedSym; 73 bool IsFreeOnFailure; 74 ReallocPair(SymbolRef S, bool F) : ReallocatedSym(S), IsFreeOnFailure(F) {} 75 void Profile(llvm::FoldingSetNodeID &ID) const { 76 ID.AddInteger(IsFreeOnFailure); 77 ID.AddPointer(ReallocatedSym); 78 } 79 bool operator==(const ReallocPair &X) const { 80 return ReallocatedSym == X.ReallocatedSym && 81 IsFreeOnFailure == X.IsFreeOnFailure; 82 } 83 }; 84 85 typedef std::pair<const Stmt*, const MemRegion*> LeakInfo; 86 87 class MallocChecker : public Checker<check::DeadSymbols, 88 check::EndPath, 89 check::PreStmt<ReturnStmt>, 90 check::PreStmt<CallExpr>, 91 check::PostStmt<CallExpr>, 92 check::PostStmt<BlockExpr>, 93 check::Location, 94 check::Bind, 95 eval::Assume, 96 check::RegionChanges> 97 { 98 mutable OwningPtr<BugType> BT_DoubleFree; 99 mutable OwningPtr<BugType> BT_Leak; 100 mutable OwningPtr<BugType> BT_UseFree; 101 mutable OwningPtr<BugType> BT_BadFree; 102 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 103 *II_valloc, *II_reallocf, *II_strndup, *II_strdup; 104 105 public: 106 MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), 107 II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} 108 109 /// In pessimistic mode, the checker assumes that it does not know which 110 /// functions might free the memory. 111 struct ChecksFilter { 112 DefaultBool CMallocPessimistic; 113 DefaultBool CMallocOptimistic; 114 }; 115 116 ChecksFilter Filter; 117 118 void checkPreStmt(const CallExpr *S, CheckerContext &C) const; 119 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 120 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 121 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 122 void checkEndPath(CheckerContext &C) const; 123 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 124 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 125 bool Assumption) const; 126 void checkLocation(SVal l, bool isLoad, const Stmt *S, 127 CheckerContext &C) const; 128 void checkBind(SVal location, SVal val, const Stmt*S, 129 CheckerContext &C) const; 130 ProgramStateRef 131 checkRegionChanges(ProgramStateRef state, 132 const StoreManager::InvalidatedSymbols *invalidated, 133 ArrayRef<const MemRegion *> ExplicitRegions, 134 ArrayRef<const MemRegion *> Regions, 135 const CallOrObjCMessage *Call) const; 136 bool wantsRegionChangeUpdate(ProgramStateRef state) const { 137 return true; 138 } 139 140 void printState(raw_ostream &Out, ProgramStateRef State, 141 const char *NL, const char *Sep) const; 142 143 private: 144 void initIdentifierInfo(ASTContext &C) const; 145 146 /// Check if this is one of the functions which can allocate/reallocate memory 147 /// pointed to by one of its arguments. 148 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 149 150 static ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 151 const CallExpr *CE, 152 const OwnershipAttr* Att); 153 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 154 const Expr *SizeEx, SVal Init, 155 ProgramStateRef state) { 156 return MallocMemAux(C, CE, 157 state->getSVal(SizeEx, C.getLocationContext()), 158 Init, state); 159 } 160 161 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 162 SVal SizeEx, SVal Init, 163 ProgramStateRef state); 164 165 /// Update the RefState to reflect the new memory allocation. 166 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, 167 const CallExpr *CE, 168 ProgramStateRef state); 169 170 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 171 const OwnershipAttr* Att) const; 172 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 173 ProgramStateRef state, unsigned Num, 174 bool Hold) const; 175 176 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 177 bool FreesMemOnFailure) const; 178 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 179 180 bool checkEscape(SymbolRef Sym, const Stmt *S, CheckerContext &C) const; 181 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 182 const Stmt *S = 0) const; 183 184 /// Check if the function is not known to us. So, for example, we could 185 /// conservatively assume it can free/reallocate it's pointer arguments. 186 bool doesNotFreeMemory(const CallOrObjCMessage *Call, 187 ProgramStateRef State) const; 188 189 static bool SummarizeValue(raw_ostream &os, SVal V); 190 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 191 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange range) const; 192 193 /// Find the location of the allocation for Sym on the path leading to the 194 /// exploded node N. 195 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 196 CheckerContext &C) const; 197 198 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 199 200 /// The bug visitor which allows us to print extra diagnostics along the 201 /// BugReport path. For example, showing the allocation site of the leaked 202 /// region. 203 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 204 protected: 205 enum NotificationMode { 206 Normal, 207 ReallocationFailed 208 }; 209 210 // The allocated region symbol tracked by the main analysis. 211 SymbolRef Sym; 212 213 // The mode we are in, i.e. what kind of diagnostics will be emitted. 214 NotificationMode Mode; 215 216 // A symbol from when the primary region should have been reallocated. 217 SymbolRef FailedReallocSymbol; 218 219 bool IsLeak; 220 221 public: 222 MallocBugVisitor(SymbolRef S, bool isLeak = false) 223 : Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {} 224 225 virtual ~MallocBugVisitor() {} 226 227 void Profile(llvm::FoldingSetNodeID &ID) const { 228 static int X = 0; 229 ID.AddPointer(&X); 230 ID.AddPointer(Sym); 231 } 232 233 inline bool isAllocated(const RefState *S, const RefState *SPrev, 234 const Stmt *Stmt) { 235 // Did not track -> allocated. Other state (released) -> allocated. 236 return (Stmt && isa<CallExpr>(Stmt) && 237 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 238 } 239 240 inline bool isReleased(const RefState *S, const RefState *SPrev, 241 const Stmt *Stmt) { 242 // Did not track -> released. Other state (allocated) -> released. 243 return (Stmt && isa<CallExpr>(Stmt) && 244 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 245 } 246 247 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 248 const Stmt *Stmt) { 249 // If the expression is not a call, and the state change is 250 // released -> allocated, it must be the realloc return value 251 // check. If we have to handle more cases here, it might be cleaner just 252 // to track this extra bit in the state itself. 253 return ((!Stmt || !isa<CallExpr>(Stmt)) && 254 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 255 } 256 257 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 258 const ExplodedNode *PrevN, 259 BugReporterContext &BRC, 260 BugReport &BR); 261 262 PathDiagnosticPiece* getEndPath(BugReporterContext &BRC, 263 const ExplodedNode *EndPathNode, 264 BugReport &BR) { 265 if (!IsLeak) 266 return 0; 267 268 PathDiagnosticLocation L = 269 PathDiagnosticLocation::createEndOfPath(EndPathNode, 270 BRC.getSourceManager()); 271 // Do not add the statement itself as a range in case of leak. 272 return new PathDiagnosticEventPiece(L, BR.getDescription(), false); 273 } 274 275 private: 276 class StackHintGeneratorForReallocationFailed 277 : public StackHintGeneratorForSymbol { 278 public: 279 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 280 : StackHintGeneratorForSymbol(S, M) {} 281 282 virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) { 283 SmallString<200> buf; 284 llvm::raw_svector_ostream os(buf); 285 286 os << "Reallocation of "; 287 // Printed parameters start at 1, not 0. 288 printOrdinal(++ArgIndex, os); 289 os << " parameter failed"; 290 291 return os.str(); 292 } 293 294 virtual std::string getMessageForReturn(const CallExpr *CallExpr) { 295 return "Reallocation of returned value failed"; 296 } 297 }; 298 }; 299 }; 300 } // end anonymous namespace 301 302 typedef llvm::ImmutableMap<SymbolRef, RefState> RegionStateTy; 303 typedef llvm::ImmutableMap<SymbolRef, ReallocPair > ReallocMap; 304 class RegionState {}; 305 class ReallocPairs {}; 306 namespace clang { 307 namespace ento { 308 template <> 309 struct ProgramStateTrait<RegionState> 310 : public ProgramStatePartialTrait<RegionStateTy> { 311 static void *GDMIndex() { static int x; return &x; } 312 }; 313 314 template <> 315 struct ProgramStateTrait<ReallocPairs> 316 : public ProgramStatePartialTrait<ReallocMap> { 317 static void *GDMIndex() { static int x; return &x; } 318 }; 319 } 320 } 321 322 namespace { 323 class StopTrackingCallback : public SymbolVisitor { 324 ProgramStateRef state; 325 public: 326 StopTrackingCallback(ProgramStateRef st) : state(st) {} 327 ProgramStateRef getState() const { return state; } 328 329 bool VisitSymbol(SymbolRef sym) { 330 state = state->remove<RegionState>(sym); 331 return true; 332 } 333 }; 334 } // end anonymous namespace 335 336 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 337 if (!II_malloc) 338 II_malloc = &Ctx.Idents.get("malloc"); 339 if (!II_free) 340 II_free = &Ctx.Idents.get("free"); 341 if (!II_realloc) 342 II_realloc = &Ctx.Idents.get("realloc"); 343 if (!II_reallocf) 344 II_reallocf = &Ctx.Idents.get("reallocf"); 345 if (!II_calloc) 346 II_calloc = &Ctx.Idents.get("calloc"); 347 if (!II_valloc) 348 II_valloc = &Ctx.Idents.get("valloc"); 349 if (!II_strdup) 350 II_strdup = &Ctx.Idents.get("strdup"); 351 if (!II_strndup) 352 II_strndup = &Ctx.Idents.get("strndup"); 353 } 354 355 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 356 if (!FD) 357 return false; 358 IdentifierInfo *FunI = FD->getIdentifier(); 359 if (!FunI) 360 return false; 361 362 initIdentifierInfo(C); 363 364 if (FunI == II_malloc || FunI == II_free || FunI == II_realloc || 365 FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || 366 FunI == II_strdup || FunI == II_strndup) 367 return true; 368 369 if (Filter.CMallocOptimistic && FD->hasAttrs() && 370 FD->specific_attr_begin<OwnershipAttr>() != 371 FD->specific_attr_end<OwnershipAttr>()) 372 return true; 373 374 375 return false; 376 } 377 378 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 379 const FunctionDecl *FD = C.getCalleeDecl(CE); 380 if (!FD) 381 return; 382 383 initIdentifierInfo(C.getASTContext()); 384 IdentifierInfo *FunI = FD->getIdentifier(); 385 if (!FunI) 386 return; 387 388 ProgramStateRef State = C.getState(); 389 if (FunI == II_malloc || FunI == II_valloc) { 390 if (CE->getNumArgs() < 1) 391 return; 392 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 393 } else if (FunI == II_realloc) { 394 State = ReallocMem(C, CE, false); 395 } else if (FunI == II_reallocf) { 396 State = ReallocMem(C, CE, true); 397 } else if (FunI == II_calloc) { 398 State = CallocMem(C, CE); 399 } else if (FunI == II_free) { 400 State = FreeMemAux(C, CE, C.getState(), 0, false); 401 } else if (FunI == II_strdup) { 402 State = MallocUpdateRefState(C, CE, State); 403 } else if (FunI == II_strndup) { 404 State = MallocUpdateRefState(C, CE, State); 405 } else if (Filter.CMallocOptimistic) { 406 // Check all the attributes, if there are any. 407 // There can be multiple of these attributes. 408 if (FD->hasAttrs()) 409 for (specific_attr_iterator<OwnershipAttr> 410 i = FD->specific_attr_begin<OwnershipAttr>(), 411 e = FD->specific_attr_end<OwnershipAttr>(); 412 i != e; ++i) { 413 switch ((*i)->getOwnKind()) { 414 case OwnershipAttr::Returns: 415 State = MallocMemReturnsAttr(C, CE, *i); 416 break; 417 case OwnershipAttr::Takes: 418 case OwnershipAttr::Holds: 419 State = FreeMemAttr(C, CE, *i); 420 break; 421 } 422 } 423 } 424 C.addTransition(State); 425 } 426 427 ProgramStateRef MallocChecker::MallocMemReturnsAttr(CheckerContext &C, 428 const CallExpr *CE, 429 const OwnershipAttr* Att) { 430 if (Att->getModule() != "malloc") 431 return 0; 432 433 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 434 if (I != E) { 435 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 436 } 437 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 438 } 439 440 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 441 const CallExpr *CE, 442 SVal Size, SVal Init, 443 ProgramStateRef state) { 444 // Get the return value. 445 SVal retVal = state->getSVal(CE, C.getLocationContext()); 446 447 // We expect the malloc functions to return a pointer. 448 if (!isa<Loc>(retVal)) 449 return 0; 450 451 // Fill the region with the initialization value. 452 state = state->bindDefault(retVal, Init); 453 454 // Set the region's extent equal to the Size parameter. 455 const SymbolicRegion *R = 456 dyn_cast_or_null<SymbolicRegion>(retVal.getAsRegion()); 457 if (!R) 458 return 0; 459 if (isa<DefinedOrUnknownSVal>(Size)) { 460 SValBuilder &svalBuilder = C.getSValBuilder(); 461 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 462 DefinedOrUnknownSVal DefinedSize = cast<DefinedOrUnknownSVal>(Size); 463 DefinedOrUnknownSVal extentMatchesSize = 464 svalBuilder.evalEQ(state, Extent, DefinedSize); 465 466 state = state->assume(extentMatchesSize, true); 467 assert(state); 468 } 469 470 return MallocUpdateRefState(C, CE, state); 471 } 472 473 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 474 const CallExpr *CE, 475 ProgramStateRef state) { 476 // Get the return value. 477 SVal retVal = state->getSVal(CE, C.getLocationContext()); 478 479 // We expect the malloc functions to return a pointer. 480 if (!isa<Loc>(retVal)) 481 return 0; 482 483 SymbolRef Sym = retVal.getAsLocSymbol(); 484 assert(Sym); 485 486 // Set the symbol's state to Allocated. 487 return state->set<RegionState>(Sym, RefState::getAllocateUnchecked(CE)); 488 489 } 490 491 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 492 const CallExpr *CE, 493 const OwnershipAttr* Att) const { 494 if (Att->getModule() != "malloc") 495 return 0; 496 497 ProgramStateRef State = C.getState(); 498 499 for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 500 I != E; ++I) { 501 ProgramStateRef StateI = FreeMemAux(C, CE, State, *I, 502 Att->getOwnKind() == OwnershipAttr::Holds); 503 if (StateI) 504 State = StateI; 505 } 506 return State; 507 } 508 509 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 510 const CallExpr *CE, 511 ProgramStateRef state, 512 unsigned Num, 513 bool Hold) const { 514 if (CE->getNumArgs() < (Num + 1)) 515 return 0; 516 517 const Expr *ArgExpr = CE->getArg(Num); 518 SVal ArgVal = state->getSVal(ArgExpr, C.getLocationContext()); 519 if (!isa<DefinedOrUnknownSVal>(ArgVal)) 520 return 0; 521 DefinedOrUnknownSVal location = cast<DefinedOrUnknownSVal>(ArgVal); 522 523 // Check for null dereferences. 524 if (!isa<Loc>(location)) 525 return 0; 526 527 // The explicit NULL case, no operation is performed. 528 ProgramStateRef notNullState, nullState; 529 llvm::tie(notNullState, nullState) = state->assume(location); 530 if (nullState && !notNullState) 531 return 0; 532 533 // Unknown values could easily be okay 534 // Undefined values are handled elsewhere 535 if (ArgVal.isUnknownOrUndef()) 536 return 0; 537 538 const MemRegion *R = ArgVal.getAsRegion(); 539 540 // Nonlocs can't be freed, of course. 541 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 542 if (!R) { 543 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 544 return 0; 545 } 546 547 R = R->StripCasts(); 548 549 // Blocks might show up as heap data, but should not be free()d 550 if (isa<BlockDataRegion>(R)) { 551 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 552 return 0; 553 } 554 555 const MemSpaceRegion *MS = R->getMemorySpace(); 556 557 // Parameters, locals, statics, and globals shouldn't be freed. 558 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 559 // FIXME: at the time this code was written, malloc() regions were 560 // represented by conjured symbols, which are all in UnknownSpaceRegion. 561 // This means that there isn't actually anything from HeapSpaceRegion 562 // that should be freed, even though we allow it here. 563 // Of course, free() can work on memory allocated outside the current 564 // function, so UnknownSpaceRegion is always a possibility. 565 // False negatives are better than false positives. 566 567 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 568 return 0; 569 } 570 571 const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R); 572 // Various cases could lead to non-symbol values here. 573 // For now, ignore them. 574 if (!SR) 575 return 0; 576 577 SymbolRef Sym = SR->getSymbol(); 578 const RefState *RS = state->get<RegionState>(Sym); 579 580 // If the symbol has not been tracked, return. This is possible when free() is 581 // called on a pointer that does not get its pointee directly from malloc(). 582 // Full support of this requires inter-procedural analysis. 583 if (!RS) 584 return 0; 585 586 // Check double free. 587 if (RS->isReleased()) { 588 if (ExplodedNode *N = C.generateSink()) { 589 if (!BT_DoubleFree) 590 BT_DoubleFree.reset( 591 new BugType("Double free", "Memory Error")); 592 BugReport *R = new BugReport(*BT_DoubleFree, 593 "Attempt to free released memory", N); 594 R->addRange(ArgExpr->getSourceRange()); 595 R->markInteresting(Sym); 596 R->addVisitor(new MallocBugVisitor(Sym)); 597 C.EmitReport(R); 598 } 599 return 0; 600 } 601 602 // Normal free. 603 if (Hold) 604 return state->set<RegionState>(Sym, RefState::getRelinquished(CE)); 605 return state->set<RegionState>(Sym, RefState::getReleased(CE)); 606 } 607 608 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 609 if (nonloc::ConcreteInt *IntVal = dyn_cast<nonloc::ConcreteInt>(&V)) 610 os << "an integer (" << IntVal->getValue() << ")"; 611 else if (loc::ConcreteInt *ConstAddr = dyn_cast<loc::ConcreteInt>(&V)) 612 os << "a constant address (" << ConstAddr->getValue() << ")"; 613 else if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&V)) 614 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 615 else 616 return false; 617 618 return true; 619 } 620 621 bool MallocChecker::SummarizeRegion(raw_ostream &os, 622 const MemRegion *MR) { 623 switch (MR->getKind()) { 624 case MemRegion::FunctionTextRegionKind: { 625 const FunctionDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 626 if (FD) 627 os << "the address of the function '" << *FD << '\''; 628 else 629 os << "the address of a function"; 630 return true; 631 } 632 case MemRegion::BlockTextRegionKind: 633 os << "block text"; 634 return true; 635 case MemRegion::BlockDataRegionKind: 636 // FIXME: where the block came from? 637 os << "a block"; 638 return true; 639 default: { 640 const MemSpaceRegion *MS = MR->getMemorySpace(); 641 642 if (isa<StackLocalsSpaceRegion>(MS)) { 643 const VarRegion *VR = dyn_cast<VarRegion>(MR); 644 const VarDecl *VD; 645 if (VR) 646 VD = VR->getDecl(); 647 else 648 VD = NULL; 649 650 if (VD) 651 os << "the address of the local variable '" << VD->getName() << "'"; 652 else 653 os << "the address of a local stack variable"; 654 return true; 655 } 656 657 if (isa<StackArgumentsSpaceRegion>(MS)) { 658 const VarRegion *VR = dyn_cast<VarRegion>(MR); 659 const VarDecl *VD; 660 if (VR) 661 VD = VR->getDecl(); 662 else 663 VD = NULL; 664 665 if (VD) 666 os << "the address of the parameter '" << VD->getName() << "'"; 667 else 668 os << "the address of a parameter"; 669 return true; 670 } 671 672 if (isa<GlobalsSpaceRegion>(MS)) { 673 const VarRegion *VR = dyn_cast<VarRegion>(MR); 674 const VarDecl *VD; 675 if (VR) 676 VD = VR->getDecl(); 677 else 678 VD = NULL; 679 680 if (VD) { 681 if (VD->isStaticLocal()) 682 os << "the address of the static variable '" << VD->getName() << "'"; 683 else 684 os << "the address of the global variable '" << VD->getName() << "'"; 685 } else 686 os << "the address of a global variable"; 687 return true; 688 } 689 690 return false; 691 } 692 } 693 } 694 695 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 696 SourceRange range) const { 697 if (ExplodedNode *N = C.generateSink()) { 698 if (!BT_BadFree) 699 BT_BadFree.reset(new BugType("Bad free", "Memory Error")); 700 701 SmallString<100> buf; 702 llvm::raw_svector_ostream os(buf); 703 704 const MemRegion *MR = ArgVal.getAsRegion(); 705 if (MR) { 706 while (const ElementRegion *ER = dyn_cast<ElementRegion>(MR)) 707 MR = ER->getSuperRegion(); 708 709 // Special case for alloca() 710 if (isa<AllocaRegion>(MR)) 711 os << "Argument to free() was allocated by alloca(), not malloc()"; 712 else { 713 os << "Argument to free() is "; 714 if (SummarizeRegion(os, MR)) 715 os << ", which is not memory allocated by malloc()"; 716 else 717 os << "not memory allocated by malloc()"; 718 } 719 } else { 720 os << "Argument to free() is "; 721 if (SummarizeValue(os, ArgVal)) 722 os << ", which is not memory allocated by malloc()"; 723 else 724 os << "not memory allocated by malloc()"; 725 } 726 727 BugReport *R = new BugReport(*BT_BadFree, os.str(), N); 728 R->markInteresting(MR); 729 R->addRange(range); 730 C.EmitReport(R); 731 } 732 } 733 734 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 735 const CallExpr *CE, 736 bool FreesOnFail) const { 737 if (CE->getNumArgs() < 2) 738 return 0; 739 740 ProgramStateRef state = C.getState(); 741 const Expr *arg0Expr = CE->getArg(0); 742 const LocationContext *LCtx = C.getLocationContext(); 743 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 744 if (!isa<DefinedOrUnknownSVal>(Arg0Val)) 745 return 0; 746 DefinedOrUnknownSVal arg0Val = cast<DefinedOrUnknownSVal>(Arg0Val); 747 748 SValBuilder &svalBuilder = C.getSValBuilder(); 749 750 DefinedOrUnknownSVal PtrEQ = 751 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 752 753 // Get the size argument. If there is no size arg then give up. 754 const Expr *Arg1 = CE->getArg(1); 755 if (!Arg1) 756 return 0; 757 758 // Get the value of the size argument. 759 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 760 if (!isa<DefinedOrUnknownSVal>(Arg1ValG)) 761 return 0; 762 DefinedOrUnknownSVal Arg1Val = cast<DefinedOrUnknownSVal>(Arg1ValG); 763 764 // Compare the size argument to 0. 765 DefinedOrUnknownSVal SizeZero = 766 svalBuilder.evalEQ(state, Arg1Val, 767 svalBuilder.makeIntValWithPtrWidth(0, false)); 768 769 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 770 llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 771 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 772 llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 773 // We only assume exceptional states if they are definitely true; if the 774 // state is under-constrained, assume regular realloc behavior. 775 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 776 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 777 778 // If the ptr is NULL and the size is not 0, the call is equivalent to 779 // malloc(size). 780 if ( PrtIsNull && !SizeIsZero) { 781 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 782 UndefinedVal(), StatePtrIsNull); 783 return stateMalloc; 784 } 785 786 if (PrtIsNull && SizeIsZero) 787 return 0; 788 789 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 790 assert(!PrtIsNull); 791 SymbolRef FromPtr = arg0Val.getAsSymbol(); 792 SVal RetVal = state->getSVal(CE, LCtx); 793 SymbolRef ToPtr = RetVal.getAsSymbol(); 794 if (!FromPtr || !ToPtr) 795 return 0; 796 797 // If the size is 0, free the memory. 798 if (SizeIsZero) 799 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero,0,false)){ 800 // The semantics of the return value are: 801 // If size was equal to 0, either NULL or a pointer suitable to be passed 802 // to free() is returned. 803 stateFree = stateFree->set<ReallocPairs>(ToPtr, 804 ReallocPair(FromPtr, FreesOnFail)); 805 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 806 return stateFree; 807 } 808 809 // Default behavior. 810 if (ProgramStateRef stateFree = FreeMemAux(C, CE, state, 0, false)) { 811 // FIXME: We should copy the content of the original buffer. 812 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 813 UnknownVal(), stateFree); 814 if (!stateRealloc) 815 return 0; 816 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 817 ReallocPair(FromPtr, FreesOnFail)); 818 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 819 return stateRealloc; 820 } 821 return 0; 822 } 823 824 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 825 if (CE->getNumArgs() < 2) 826 return 0; 827 828 ProgramStateRef state = C.getState(); 829 SValBuilder &svalBuilder = C.getSValBuilder(); 830 const LocationContext *LCtx = C.getLocationContext(); 831 SVal count = state->getSVal(CE->getArg(0), LCtx); 832 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 833 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 834 svalBuilder.getContext().getSizeType()); 835 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 836 837 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 838 } 839 840 LeakInfo 841 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 842 CheckerContext &C) const { 843 const LocationContext *LeakContext = N->getLocationContext(); 844 // Walk the ExplodedGraph backwards and find the first node that referred to 845 // the tracked symbol. 846 const ExplodedNode *AllocNode = N; 847 const MemRegion *ReferenceRegion = 0; 848 849 while (N) { 850 ProgramStateRef State = N->getState(); 851 if (!State->get<RegionState>(Sym)) 852 break; 853 854 // Find the most recent expression bound to the symbol in the current 855 // context. 856 if (!ReferenceRegion) { 857 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 858 SVal Val = State->getSVal(MR); 859 if (Val.getAsLocSymbol() == Sym) 860 ReferenceRegion = MR; 861 } 862 } 863 864 // Allocation node, is the last node in the current context in which the 865 // symbol was tracked. 866 if (N->getLocationContext() == LeakContext) 867 AllocNode = N; 868 N = N->pred_empty() ? NULL : *(N->pred_begin()); 869 } 870 871 ProgramPoint P = AllocNode->getLocation(); 872 const Stmt *AllocationStmt = 0; 873 if (isa<StmtPoint>(P)) 874 AllocationStmt = cast<StmtPoint>(P).getStmt(); 875 876 return LeakInfo(AllocationStmt, ReferenceRegion); 877 } 878 879 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 880 CheckerContext &C) const { 881 assert(N); 882 if (!BT_Leak) { 883 BT_Leak.reset(new BugType("Memory leak", "Memory Error")); 884 // Leaks should not be reported if they are post-dominated by a sink: 885 // (1) Sinks are higher importance bugs. 886 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 887 // with __noreturn functions such as assert() or exit(). We choose not 888 // to report leaks on such paths. 889 BT_Leak->setSuppressOnSink(true); 890 } 891 892 // Most bug reports are cached at the location where they occurred. 893 // With leaks, we want to unique them by the location where they were 894 // allocated, and only report a single path. 895 PathDiagnosticLocation LocUsedForUniqueing; 896 const Stmt *AllocStmt = 0; 897 const MemRegion *Region = 0; 898 llvm::tie(AllocStmt, Region) = getAllocationSite(N, Sym, C); 899 if (AllocStmt) 900 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocStmt, 901 C.getSourceManager(), N->getLocationContext()); 902 903 SmallString<200> buf; 904 llvm::raw_svector_ostream os(buf); 905 os << "Memory is never released; potential leak"; 906 if (Region) { 907 os << " of memory pointed to by '"; 908 Region->dumpPretty(os); 909 os <<'\''; 910 } 911 912 BugReport *R = new BugReport(*BT_Leak, os.str(), N, LocUsedForUniqueing); 913 R->markInteresting(Sym); 914 R->addVisitor(new MallocBugVisitor(Sym, true)); 915 C.EmitReport(R); 916 } 917 918 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 919 CheckerContext &C) const 920 { 921 if (!SymReaper.hasDeadSymbols()) 922 return; 923 924 ProgramStateRef state = C.getState(); 925 RegionStateTy RS = state->get<RegionState>(); 926 RegionStateTy::Factory &F = state->get_context<RegionState>(); 927 928 bool generateReport = false; 929 llvm::SmallVector<SymbolRef, 2> Errors; 930 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 931 if (SymReaper.isDead(I->first)) { 932 if (I->second.isAllocated()) { 933 generateReport = true; 934 Errors.push_back(I->first); 935 } 936 // Remove the dead symbol from the map. 937 RS = F.remove(RS, I->first); 938 939 } 940 } 941 942 // Cleanup the Realloc Pairs Map. 943 ReallocMap RP = state->get<ReallocPairs>(); 944 for (ReallocMap::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 945 if (SymReaper.isDead(I->first) || 946 SymReaper.isDead(I->second.ReallocatedSym)) { 947 state = state->remove<ReallocPairs>(I->first); 948 } 949 } 950 951 // Generate leak node. 952 static SimpleProgramPointTag Tag("MallocChecker : DeadSymbolsLeak"); 953 ExplodedNode *N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 954 955 if (generateReport) { 956 for (llvm::SmallVector<SymbolRef, 2>::iterator 957 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 958 reportLeak(*I, N, C); 959 } 960 } 961 C.addTransition(state->set<RegionState>(RS), N); 962 } 963 964 void MallocChecker::checkEndPath(CheckerContext &C) const { 965 ProgramStateRef state = C.getState(); 966 RegionStateTy M = state->get<RegionState>(); 967 968 // If inside inlined call, skip it. 969 if (C.getLocationContext()->getParent() != 0) 970 return; 971 972 for (RegionStateTy::iterator I = M.begin(), E = M.end(); I != E; ++I) { 973 RefState RS = I->second; 974 if (RS.isAllocated()) { 975 ExplodedNode *N = C.addTransition(state); 976 if (N) 977 reportLeak(I->first, N, C); 978 } 979 } 980 } 981 982 bool MallocChecker::checkEscape(SymbolRef Sym, const Stmt *S, 983 CheckerContext &C) const { 984 ProgramStateRef state = C.getState(); 985 const RefState *RS = state->get<RegionState>(Sym); 986 if (!RS) 987 return false; 988 989 if (RS->isAllocated()) { 990 state = state->set<RegionState>(Sym, RefState::getEscaped(S)); 991 C.addTransition(state); 992 return true; 993 } 994 return false; 995 } 996 997 void MallocChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { 998 if (isMemFunction(C.getCalleeDecl(CE), C.getASTContext())) 999 return; 1000 1001 // Check use after free, when a freed pointer is passed to a call. 1002 ProgramStateRef State = C.getState(); 1003 for (CallExpr::const_arg_iterator I = CE->arg_begin(), 1004 E = CE->arg_end(); I != E; ++I) { 1005 const Expr *A = *I; 1006 if (A->getType().getTypePtr()->isAnyPointerType()) { 1007 SymbolRef Sym = State->getSVal(A, C.getLocationContext()).getAsSymbol(); 1008 if (!Sym) 1009 continue; 1010 if (checkUseAfterFree(Sym, C, A)) 1011 return; 1012 } 1013 } 1014 } 1015 1016 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 1017 const Expr *E = S->getRetValue(); 1018 if (!E) 1019 return; 1020 1021 // Check if we are returning a symbol. 1022 SVal RetVal = C.getState()->getSVal(E, C.getLocationContext()); 1023 SymbolRef Sym = RetVal.getAsSymbol(); 1024 if (!Sym) 1025 // If we are returning a field of the allocated struct or an array element, 1026 // the callee could still free the memory. 1027 // TODO: This logic should be a part of generic symbol escape callback. 1028 if (const MemRegion *MR = RetVal.getAsRegion()) 1029 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 1030 if (const SymbolicRegion *BMR = 1031 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 1032 Sym = BMR->getSymbol(); 1033 if (!Sym) 1034 return; 1035 1036 // Check if we are returning freed memory. 1037 if (checkUseAfterFree(Sym, C, E)) 1038 return; 1039 1040 // If this function body is not inlined, check if the symbol is escaping. 1041 if (C.getLocationContext()->getParent() == 0) 1042 checkEscape(Sym, E, C); 1043 } 1044 1045 // TODO: Blocks should be either inlined or should call invalidate regions 1046 // upon invocation. After that's in place, special casing here will not be 1047 // needed. 1048 void MallocChecker::checkPostStmt(const BlockExpr *BE, 1049 CheckerContext &C) const { 1050 1051 // Scan the BlockDecRefExprs for any object the retain count checker 1052 // may be tracking. 1053 if (!BE->getBlockDecl()->hasCaptures()) 1054 return; 1055 1056 ProgramStateRef state = C.getState(); 1057 const BlockDataRegion *R = 1058 cast<BlockDataRegion>(state->getSVal(BE, 1059 C.getLocationContext()).getAsRegion()); 1060 1061 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 1062 E = R->referenced_vars_end(); 1063 1064 if (I == E) 1065 return; 1066 1067 SmallVector<const MemRegion*, 10> Regions; 1068 const LocationContext *LC = C.getLocationContext(); 1069 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 1070 1071 for ( ; I != E; ++I) { 1072 const VarRegion *VR = *I; 1073 if (VR->getSuperRegion() == R) { 1074 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 1075 } 1076 Regions.push_back(VR); 1077 } 1078 1079 state = 1080 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 1081 Regions.data() + Regions.size()).getState(); 1082 C.addTransition(state); 1083 } 1084 1085 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 1086 const Stmt *S) const { 1087 assert(Sym); 1088 const RefState *RS = C.getState()->get<RegionState>(Sym); 1089 if (RS && RS->isReleased()) { 1090 if (ExplodedNode *N = C.generateSink()) { 1091 if (!BT_UseFree) 1092 BT_UseFree.reset(new BugType("Use-after-free", "Memory Error")); 1093 1094 BugReport *R = new BugReport(*BT_UseFree, 1095 "Use of memory after it is freed",N); 1096 if (S) 1097 R->addRange(S->getSourceRange()); 1098 R->markInteresting(Sym); 1099 R->addVisitor(new MallocBugVisitor(Sym)); 1100 C.EmitReport(R); 1101 return true; 1102 } 1103 } 1104 return false; 1105 } 1106 1107 // Check if the location is a freed symbolic region. 1108 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 1109 CheckerContext &C) const { 1110 SymbolRef Sym = l.getLocSymbolInBase(); 1111 if (Sym) 1112 checkUseAfterFree(Sym, C); 1113 } 1114 1115 //===----------------------------------------------------------------------===// 1116 // Check various ways a symbol can be invalidated. 1117 // TODO: This logic (the next 3 functions) is copied/similar to the 1118 // RetainRelease checker. We might want to factor this out. 1119 //===----------------------------------------------------------------------===// 1120 1121 // Stop tracking symbols when a value escapes as a result of checkBind. 1122 // A value escapes in three possible cases: 1123 // (1) we are binding to something that is not a memory region. 1124 // (2) we are binding to a memregion that does not have stack storage 1125 // (3) we are binding to a memregion with stack storage that the store 1126 // does not understand. 1127 void MallocChecker::checkBind(SVal loc, SVal val, const Stmt *S, 1128 CheckerContext &C) const { 1129 // Are we storing to something that causes the value to "escape"? 1130 bool escapes = true; 1131 ProgramStateRef state = C.getState(); 1132 1133 if (loc::MemRegionVal *regionLoc = dyn_cast<loc::MemRegionVal>(&loc)) { 1134 escapes = !regionLoc->getRegion()->hasStackStorage(); 1135 1136 if (!escapes) { 1137 // To test (3), generate a new state with the binding added. If it is 1138 // the same state, then it escapes (since the store cannot represent 1139 // the binding). 1140 // Do this only if we know that the store is not supposed to generate the 1141 // same state. 1142 SVal StoredVal = state->getSVal(regionLoc->getRegion()); 1143 if (StoredVal != val) 1144 escapes = (state == (state->bindLoc(*regionLoc, val))); 1145 } 1146 if (!escapes) { 1147 // Case 4: We do not currently model what happens when a symbol is 1148 // assigned to a struct field, so be conservative here and let the symbol 1149 // go. TODO: This could definitely be improved upon. 1150 escapes = !isa<VarRegion>(regionLoc->getRegion()); 1151 } 1152 } 1153 1154 // If our store can represent the binding and we aren't storing to something 1155 // that doesn't have local storage then just return and have the simulation 1156 // state continue as is. 1157 if (!escapes) 1158 return; 1159 1160 // Otherwise, find all symbols referenced by 'val' that we are tracking 1161 // and stop tracking them. 1162 state = state->scanReachableSymbols<StopTrackingCallback>(val).getState(); 1163 C.addTransition(state); 1164 } 1165 1166 // If a symbolic region is assumed to NULL (or another constant), stop tracking 1167 // it - assuming that allocation failed on this path. 1168 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 1169 SVal Cond, 1170 bool Assumption) const { 1171 RegionStateTy RS = state->get<RegionState>(); 1172 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1173 // If the symbol is assumed to NULL or another constant, this will 1174 // return an APSInt*. 1175 if (state->getSymVal(I.getKey())) 1176 state = state->remove<RegionState>(I.getKey()); 1177 } 1178 1179 // Realloc returns 0 when reallocation fails, which means that we should 1180 // restore the state of the pointer being reallocated. 1181 ReallocMap RP = state->get<ReallocPairs>(); 1182 for (ReallocMap::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1183 // If the symbol is assumed to NULL or another constant, this will 1184 // return an APSInt*. 1185 if (state->getSymVal(I.getKey())) { 1186 SymbolRef ReallocSym = I.getData().ReallocatedSym; 1187 const RefState *RS = state->get<RegionState>(ReallocSym); 1188 if (RS) { 1189 if (RS->isReleased() && ! I.getData().IsFreeOnFailure) 1190 state = state->set<RegionState>(ReallocSym, 1191 RefState::getAllocateUnchecked(RS->getStmt())); 1192 } 1193 state = state->remove<ReallocPairs>(I.getKey()); 1194 } 1195 } 1196 1197 return state; 1198 } 1199 1200 // Check if the function is known to us. So, for example, we could 1201 // conservatively assume it can free/reallocate it's pointer arguments. 1202 // (We assume that the pointers cannot escape through calls to system 1203 // functions not handled by this checker.) 1204 bool MallocChecker::doesNotFreeMemory(const CallOrObjCMessage *Call, 1205 ProgramStateRef State) const { 1206 if (!Call) 1207 return false; 1208 1209 // For now, assume that any C++ call can free memory. 1210 // TODO: If we want to be more optimistic here, we'll need to make sure that 1211 // regions escape to C++ containers. They seem to do that even now, but for 1212 // mysterious reasons. 1213 if (Call->isCXXCall()) 1214 return false; 1215 1216 const Decl *D = Call->getDecl(); 1217 if (!D) 1218 return false; 1219 1220 ASTContext &ASTC = State->getStateManager().getContext(); 1221 1222 // If it's one of the allocation functions we can reason about, we model 1223 // its behavior explicitly. 1224 if (isa<FunctionDecl>(D) && isMemFunction(cast<FunctionDecl>(D), ASTC)) { 1225 return true; 1226 } 1227 1228 // If it's not a system call, assume it frees memory. 1229 SourceManager &SM = ASTC.getSourceManager(); 1230 if (!SM.isInSystemHeader(D->getLocation())) 1231 return false; 1232 1233 // Process C/ObjC functions. 1234 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) { 1235 // White list the system functions whose arguments escape. 1236 const IdentifierInfo *II = FD->getIdentifier(); 1237 if (!II) 1238 return true; 1239 StringRef FName = II->getName(); 1240 1241 // White list thread local storage. 1242 if (FName.equals("pthread_setspecific")) 1243 return false; 1244 1245 // White list the 'XXXNoCopy' ObjC functions. 1246 if (FName.endswith("NoCopy")) { 1247 // Look for the deallocator argument. We know that the memory ownership 1248 // is not transfered only if the deallocator argument is 1249 // 'kCFAllocatorNull'. 1250 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 1251 const Expr *ArgE = Call->getArg(i)->IgnoreParenCasts(); 1252 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 1253 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 1254 if (DeallocatorName == "kCFAllocatorNull") 1255 return true; 1256 } 1257 } 1258 return false; 1259 } 1260 1261 // PR12101 1262 // Many CoreFoundation and CoreGraphics might allow a tracked object 1263 // to escape. 1264 if (Call->isCFCGAllowingEscape(FName)) 1265 return false; 1266 1267 // Associating streams with malloced buffers. The pointer can escape if 1268 // 'closefn' is specified (and if that function does free memory). 1269 // Currently, we do not inspect the 'closefn' function (PR12101). 1270 if (FName == "funopen") 1271 if (Call->getNumArgs() >= 4 && !Call->getArgSVal(4).isConstant(0)) 1272 return false; 1273 1274 // Do not warn on pointers passed to 'setbuf' when used with std streams, 1275 // these leaks might be intentional when setting the buffer for stdio. 1276 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 1277 if (FName == "setbuf" || FName =="setbuffer" || 1278 FName == "setlinebuf" || FName == "setvbuf") { 1279 if (Call->getNumArgs() >= 1) 1280 if (const DeclRefExpr *Arg = 1281 dyn_cast<DeclRefExpr>(Call->getArg(0)->IgnoreParenCasts())) 1282 if (const VarDecl *D = dyn_cast<VarDecl>(Arg->getDecl())) 1283 if (D->getCanonicalDecl()->getName().find("std") 1284 != StringRef::npos) 1285 return false; 1286 } 1287 1288 // A bunch of other functions, which take ownership of a pointer (See retain 1289 // release checker). Not all the parameters here are invalidated, but the 1290 // Malloc checker cannot differentiate between them. The right way of doing 1291 // this would be to implement a pointer escapes callback. 1292 if (FName == "CVPixelBufferCreateWithBytes" || 1293 FName == "CGBitmapContextCreateWithData" || 1294 FName == "CVPixelBufferCreateWithPlanarBytes" || 1295 FName == "OSAtomicEnqueue") { 1296 return false; 1297 } 1298 1299 // Whitelist NSXXInsertXX, for example NSMapInsertIfAbsent, since they can 1300 // be deallocated by NSMapRemove. 1301 if (FName.startswith("NS") && (FName.find("Insert") != StringRef::npos)) 1302 return false; 1303 1304 // If the call has a callback as an argument, assume the memory 1305 // can be freed. 1306 if (Call->hasNonZeroCallbackArg()) 1307 return false; 1308 1309 // Otherwise, assume that the function does not free memory. 1310 // Most system calls, do not free the memory. 1311 return true; 1312 1313 // Process ObjC functions. 1314 } else if (const ObjCMethodDecl * ObjCD = dyn_cast<ObjCMethodDecl>(D)) { 1315 Selector S = ObjCD->getSelector(); 1316 1317 // White list the ObjC functions which do free memory. 1318 // - Anything containing 'freeWhenDone' param set to 1. 1319 // Ex: dataWithBytesNoCopy:length:freeWhenDone. 1320 for (unsigned i = 1; i < S.getNumArgs(); ++i) { 1321 if (S.getNameForSlot(i).equals("freeWhenDone")) { 1322 if (Call->getArgSVal(i).isConstant(1)) 1323 return false; 1324 else 1325 return true; 1326 } 1327 } 1328 1329 // If the first selector ends with NoCopy, assume that the ownership is 1330 // transfered as well. 1331 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1332 if (S.getNameForSlot(0).endswith("NoCopy")) { 1333 return false; 1334 } 1335 1336 // If the call has a callback as an argument, assume the memory 1337 // can be freed. 1338 if (Call->hasNonZeroCallbackArg()) 1339 return false; 1340 1341 // Otherwise, assume that the function does not free memory. 1342 // Most system calls, do not free the memory. 1343 return true; 1344 } 1345 1346 // Otherwise, assume that the function can free memory. 1347 return false; 1348 1349 } 1350 1351 // If the symbol we are tracking is invalidated, but not explicitly (ex: the &p 1352 // escapes, when we are tracking p), do not track the symbol as we cannot reason 1353 // about it anymore. 1354 ProgramStateRef 1355 MallocChecker::checkRegionChanges(ProgramStateRef State, 1356 const StoreManager::InvalidatedSymbols *invalidated, 1357 ArrayRef<const MemRegion *> ExplicitRegions, 1358 ArrayRef<const MemRegion *> Regions, 1359 const CallOrObjCMessage *Call) const { 1360 if (!invalidated || invalidated->empty()) 1361 return State; 1362 llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols; 1363 1364 // If it's a call which might free or reallocate memory, we assume that all 1365 // regions (explicit and implicit) escaped. 1366 1367 // Otherwise, whitelist explicit pointers; we still can track them. 1368 if (!Call || doesNotFreeMemory(Call, State)) { 1369 for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(), 1370 E = ExplicitRegions.end(); I != E; ++I) { 1371 if (const SymbolicRegion *R = (*I)->StripCasts()->getAs<SymbolicRegion>()) 1372 WhitelistedSymbols.insert(R->getSymbol()); 1373 } 1374 } 1375 1376 for (StoreManager::InvalidatedSymbols::const_iterator I=invalidated->begin(), 1377 E = invalidated->end(); I!=E; ++I) { 1378 SymbolRef sym = *I; 1379 if (WhitelistedSymbols.count(sym)) 1380 continue; 1381 // The symbol escaped. 1382 if (const RefState *RS = State->get<RegionState>(sym)) 1383 State = State->set<RegionState>(sym, RefState::getEscaped(RS->getStmt())); 1384 } 1385 return State; 1386 } 1387 1388 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 1389 ProgramStateRef prevState) { 1390 ReallocMap currMap = currState->get<ReallocPairs>(); 1391 ReallocMap prevMap = prevState->get<ReallocPairs>(); 1392 1393 for (ReallocMap::iterator I = prevMap.begin(), E = prevMap.end(); 1394 I != E; ++I) { 1395 SymbolRef sym = I.getKey(); 1396 if (!currMap.lookup(sym)) 1397 return sym; 1398 } 1399 1400 return NULL; 1401 } 1402 1403 PathDiagnosticPiece * 1404 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 1405 const ExplodedNode *PrevN, 1406 BugReporterContext &BRC, 1407 BugReport &BR) { 1408 ProgramStateRef state = N->getState(); 1409 ProgramStateRef statePrev = PrevN->getState(); 1410 1411 const RefState *RS = state->get<RegionState>(Sym); 1412 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 1413 if (!RS && !RSPrev) 1414 return 0; 1415 1416 const Stmt *S = 0; 1417 const char *Msg = 0; 1418 StackHintGeneratorForSymbol *StackHint = 0; 1419 1420 // Retrieve the associated statement. 1421 ProgramPoint ProgLoc = N->getLocation(); 1422 if (isa<StmtPoint>(ProgLoc)) 1423 S = cast<StmtPoint>(ProgLoc).getStmt(); 1424 // If an assumption was made on a branch, it should be caught 1425 // here by looking at the state transition. 1426 if (isa<BlockEdge>(ProgLoc)) { 1427 const CFGBlock *srcBlk = cast<BlockEdge>(ProgLoc).getSrc(); 1428 S = srcBlk->getTerminator(); 1429 } 1430 if (!S) 1431 return 0; 1432 1433 // Find out if this is an interesting point and what is the kind. 1434 if (Mode == Normal) { 1435 if (isAllocated(RS, RSPrev, S)) { 1436 Msg = "Memory is allocated"; 1437 StackHint = new StackHintGeneratorForSymbol(Sym, 1438 "Returned allocated memory"); 1439 } else if (isReleased(RS, RSPrev, S)) { 1440 Msg = "Memory is released"; 1441 StackHint = new StackHintGeneratorForSymbol(Sym, 1442 "Returned released memory"); 1443 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 1444 Mode = ReallocationFailed; 1445 Msg = "Reallocation failed"; 1446 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 1447 "Reallocation failed"); 1448 1449 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 1450 // Is it possible to fail two reallocs WITHOUT testing in between? 1451 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 1452 "We only support one failed realloc at a time."); 1453 BR.markInteresting(sym); 1454 FailedReallocSymbol = sym; 1455 } 1456 } 1457 1458 // We are in a special mode if a reallocation failed later in the path. 1459 } else if (Mode == ReallocationFailed) { 1460 assert(FailedReallocSymbol && "No symbol to look for."); 1461 1462 // Is this is the first appearance of the reallocated symbol? 1463 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 1464 // If we ever hit this assert, that means BugReporter has decided to skip 1465 // node pairs or visit them out of order. 1466 assert(state->get<RegionState>(FailedReallocSymbol) && 1467 "Missed the reallocation point"); 1468 1469 // We're at the reallocation point. 1470 Msg = "Attempt to reallocate memory"; 1471 StackHint = new StackHintGeneratorForSymbol(Sym, 1472 "Returned reallocated memory"); 1473 FailedReallocSymbol = NULL; 1474 Mode = Normal; 1475 } 1476 } 1477 1478 if (!Msg) 1479 return 0; 1480 assert(StackHint); 1481 1482 // Generate the extra diagnostic. 1483 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 1484 N->getLocationContext()); 1485 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 1486 } 1487 1488 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 1489 const char *NL, const char *Sep) const { 1490 1491 RegionStateTy RS = State->get<RegionState>(); 1492 1493 if (!RS.isEmpty()) 1494 Out << "Has Malloc data" << NL; 1495 } 1496 1497 #define REGISTER_CHECKER(name) \ 1498 void ento::register##name(CheckerManager &mgr) {\ 1499 registerCStringCheckerBasic(mgr); \ 1500 mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\ 1501 } 1502 1503 REGISTER_CHECKER(MallocPessimistic) 1504 REGISTER_CHECKER(MallocOptimistic) 1505