1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/Basic/SourceManager.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20 #include "clang/StaticAnalyzer/Core/Checker.h" 21 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 27 #include "llvm/ADT/ImmutableMap.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include "llvm/ADT/SmallString.h" 30 #include "llvm/ADT/StringExtras.h" 31 #include <climits> 32 33 using namespace clang; 34 using namespace ento; 35 36 namespace { 37 38 // Used to check correspondence between allocators and deallocators. 39 enum AllocationFamily { 40 AF_None, 41 AF_Malloc, 42 AF_CXXNew, 43 AF_CXXNewArray 44 }; 45 46 class RefState { 47 enum Kind { // Reference to allocated memory. 48 Allocated, 49 // Reference to released/freed memory. 50 Released, 51 // The responsibility for freeing resources has transferred from 52 // this reference. A relinquished symbol should not be freed. 53 Relinquished, 54 // We are no longer guaranteed to have observed all manipulations 55 // of this pointer/memory. For example, it could have been 56 // passed as a parameter to an opaque function. 57 Escaped 58 }; 59 60 const Stmt *S; 61 unsigned K : 2; // Kind enum, but stored as a bitfield. 62 unsigned Family : 30; // Rest of 32-bit word, currently just an allocation 63 // family. 64 65 RefState(Kind k, const Stmt *s, unsigned family) 66 : S(s), K(k), Family(family) { 67 assert(family != AF_None); 68 } 69 public: 70 bool isAllocated() const { return K == Allocated; } 71 bool isReleased() const { return K == Released; } 72 bool isRelinquished() const { return K == Relinquished; } 73 bool isEscaped() const { return K == Escaped; } 74 AllocationFamily getAllocationFamily() const { 75 return (AllocationFamily)Family; 76 } 77 const Stmt *getStmt() const { return S; } 78 79 bool operator==(const RefState &X) const { 80 return K == X.K && S == X.S && Family == X.Family; 81 } 82 83 static RefState getAllocated(unsigned family, const Stmt *s) { 84 return RefState(Allocated, s, family); 85 } 86 static RefState getReleased(unsigned family, const Stmt *s) { 87 return RefState(Released, s, family); 88 } 89 static RefState getRelinquished(unsigned family, const Stmt *s) { 90 return RefState(Relinquished, s, family); 91 } 92 static RefState getEscaped(const RefState *RS) { 93 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 94 } 95 96 void Profile(llvm::FoldingSetNodeID &ID) const { 97 ID.AddInteger(K); 98 ID.AddPointer(S); 99 ID.AddInteger(Family); 100 } 101 102 void dump(raw_ostream &OS) const { 103 switch (static_cast<Kind>(K)) { 104 #define CASE(ID) case ID: OS << #ID; break; 105 CASE(Allocated) 106 CASE(Released) 107 CASE(Relinquished) 108 CASE(Escaped) 109 } 110 } 111 112 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 113 }; 114 115 enum ReallocPairKind { 116 RPToBeFreedAfterFailure, 117 // The symbol has been freed when reallocation failed. 118 RPIsFreeOnFailure, 119 // The symbol does not need to be freed after reallocation fails. 120 RPDoNotTrackAfterFailure 121 }; 122 123 /// \class ReallocPair 124 /// \brief Stores information about the symbol being reallocated by a call to 125 /// 'realloc' to allow modeling failed reallocation later in the path. 126 struct ReallocPair { 127 // \brief The symbol which realloc reallocated. 128 SymbolRef ReallocatedSym; 129 ReallocPairKind Kind; 130 131 ReallocPair(SymbolRef S, ReallocPairKind K) : 132 ReallocatedSym(S), Kind(K) {} 133 void Profile(llvm::FoldingSetNodeID &ID) const { 134 ID.AddInteger(Kind); 135 ID.AddPointer(ReallocatedSym); 136 } 137 bool operator==(const ReallocPair &X) const { 138 return ReallocatedSym == X.ReallocatedSym && 139 Kind == X.Kind; 140 } 141 }; 142 143 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 144 145 class MallocChecker : public Checker<check::DeadSymbols, 146 check::PointerEscape, 147 check::ConstPointerEscape, 148 check::PreStmt<ReturnStmt>, 149 check::PreCall, 150 check::PostStmt<CallExpr>, 151 check::PostStmt<CXXNewExpr>, 152 check::PreStmt<CXXDeleteExpr>, 153 check::PostStmt<BlockExpr>, 154 check::PostObjCMessage, 155 check::Location, 156 eval::Assume> 157 { 158 public: 159 MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), 160 II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} 161 162 /// In pessimistic mode, the checker assumes that it does not know which 163 /// functions might free the memory. 164 enum CheckKind { 165 CK_MallocPessimistic, 166 CK_MallocOptimistic, 167 CK_NewDeleteChecker, 168 CK_NewDeleteLeaksChecker, 169 CK_MismatchedDeallocatorChecker, 170 CK_NumCheckKinds 171 }; 172 173 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 174 CheckName CheckNames[CK_NumCheckKinds]; 175 176 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 177 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 178 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 179 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 180 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 181 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 182 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 183 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 184 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 185 bool Assumption) const; 186 void checkLocation(SVal l, bool isLoad, const Stmt *S, 187 CheckerContext &C) const; 188 189 ProgramStateRef checkPointerEscape(ProgramStateRef State, 190 const InvalidatedSymbols &Escaped, 191 const CallEvent *Call, 192 PointerEscapeKind Kind) const; 193 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 194 const InvalidatedSymbols &Escaped, 195 const CallEvent *Call, 196 PointerEscapeKind Kind) const; 197 198 void printState(raw_ostream &Out, ProgramStateRef State, 199 const char *NL, const char *Sep) const; 200 201 private: 202 mutable OwningPtr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 203 mutable OwningPtr<BugType> BT_DoubleDelete; 204 mutable OwningPtr<BugType> BT_Leak[CK_NumCheckKinds]; 205 mutable OwningPtr<BugType> BT_UseFree[CK_NumCheckKinds]; 206 mutable OwningPtr<BugType> BT_BadFree[CK_NumCheckKinds]; 207 mutable OwningPtr<BugType> BT_MismatchedDealloc; 208 mutable OwningPtr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 209 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 210 *II_valloc, *II_reallocf, *II_strndup, *II_strdup; 211 212 void initIdentifierInfo(ASTContext &C) const; 213 214 /// \brief Determine family of a deallocation expression. 215 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 216 217 /// \brief Print names of allocators and deallocators. 218 /// 219 /// \returns true on success. 220 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 221 const Expr *E) const; 222 223 /// \brief Print expected name of an allocator based on the deallocator's 224 /// family derived from the DeallocExpr. 225 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 226 const Expr *DeallocExpr) const; 227 /// \brief Print expected name of a deallocator based on the allocator's 228 /// family. 229 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 230 231 ///@{ 232 /// Check if this is one of the functions which can allocate/reallocate memory 233 /// pointed to by one of its arguments. 234 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 235 bool isFreeFunction(const FunctionDecl *FD, ASTContext &C) const; 236 bool isAllocationFunction(const FunctionDecl *FD, ASTContext &C) const; 237 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 238 ///@} 239 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 240 const CallExpr *CE, 241 const OwnershipAttr* Att) const; 242 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 243 const Expr *SizeEx, SVal Init, 244 ProgramStateRef State, 245 AllocationFamily Family = AF_Malloc) { 246 return MallocMemAux(C, CE, 247 State->getSVal(SizeEx, C.getLocationContext()), 248 Init, State, Family); 249 } 250 251 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 252 SVal SizeEx, SVal Init, 253 ProgramStateRef State, 254 AllocationFamily Family = AF_Malloc); 255 256 /// Update the RefState to reflect the new memory allocation. 257 static ProgramStateRef 258 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 259 AllocationFamily Family = AF_Malloc); 260 261 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 262 const OwnershipAttr* Att) const; 263 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 264 ProgramStateRef state, unsigned Num, 265 bool Hold, 266 bool &ReleasedAllocated, 267 bool ReturnsNullOnFailure = false) const; 268 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 269 const Expr *ParentExpr, 270 ProgramStateRef State, 271 bool Hold, 272 bool &ReleasedAllocated, 273 bool ReturnsNullOnFailure = false) const; 274 275 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 276 bool FreesMemOnFailure) const; 277 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 278 279 ///\brief Check if the memory associated with this symbol was released. 280 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 281 282 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 283 284 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 285 286 /// Check if the function is known free memory, or if it is 287 /// "interesting" and should be modeled explicitly. 288 /// 289 /// \param [out] EscapingSymbol A function might not free memory in general, 290 /// but could be known to free a particular symbol. In this case, false is 291 /// returned and the single escaping symbol is returned through the out 292 /// parameter. 293 /// 294 /// We assume that pointers do not escape through calls to system functions 295 /// not handled by this checker. 296 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 297 ProgramStateRef State, 298 SymbolRef &EscapingSymbol) const; 299 300 // Implementation of the checkPointerEscape callabcks. 301 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 302 const InvalidatedSymbols &Escaped, 303 const CallEvent *Call, 304 PointerEscapeKind Kind, 305 bool(*CheckRefState)(const RefState*)) const; 306 307 ///@{ 308 /// Tells if a given family/call/symbol is tracked by the current checker. 309 /// Sets CheckKind to the kind of the checker responsible for this 310 /// family/call/symbol. 311 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family) const; 312 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, 313 const Stmt *AllocDeallocStmt) const; 314 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const; 315 ///@} 316 static bool SummarizeValue(raw_ostream &os, SVal V); 317 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 318 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 319 const Expr *DeallocExpr) const; 320 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 321 const Expr *DeallocExpr, const RefState *RS, 322 SymbolRef Sym, bool OwnershipTransferred) const; 323 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 324 const Expr *DeallocExpr, 325 const Expr *AllocExpr = 0) const; 326 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 327 SymbolRef Sym) const; 328 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 329 SymbolRef Sym, SymbolRef PrevSym) const; 330 331 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 332 333 /// Find the location of the allocation for Sym on the path leading to the 334 /// exploded node N. 335 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 336 CheckerContext &C) const; 337 338 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 339 340 /// The bug visitor which allows us to print extra diagnostics along the 341 /// BugReport path. For example, showing the allocation site of the leaked 342 /// region. 343 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 344 protected: 345 enum NotificationMode { 346 Normal, 347 ReallocationFailed 348 }; 349 350 // The allocated region symbol tracked by the main analysis. 351 SymbolRef Sym; 352 353 // The mode we are in, i.e. what kind of diagnostics will be emitted. 354 NotificationMode Mode; 355 356 // A symbol from when the primary region should have been reallocated. 357 SymbolRef FailedReallocSymbol; 358 359 bool IsLeak; 360 361 public: 362 MallocBugVisitor(SymbolRef S, bool isLeak = false) 363 : Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {} 364 365 virtual ~MallocBugVisitor() {} 366 367 void Profile(llvm::FoldingSetNodeID &ID) const { 368 static int X = 0; 369 ID.AddPointer(&X); 370 ID.AddPointer(Sym); 371 } 372 373 inline bool isAllocated(const RefState *S, const RefState *SPrev, 374 const Stmt *Stmt) { 375 // Did not track -> allocated. Other state (released) -> allocated. 376 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 377 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 378 } 379 380 inline bool isReleased(const RefState *S, const RefState *SPrev, 381 const Stmt *Stmt) { 382 // Did not track -> released. Other state (allocated) -> released. 383 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 384 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 385 } 386 387 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 388 const Stmt *Stmt) { 389 // Did not track -> relinquished. Other state (allocated) -> relinquished. 390 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 391 isa<ObjCPropertyRefExpr>(Stmt)) && 392 (S && S->isRelinquished()) && 393 (!SPrev || !SPrev->isRelinquished())); 394 } 395 396 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 397 const Stmt *Stmt) { 398 // If the expression is not a call, and the state change is 399 // released -> allocated, it must be the realloc return value 400 // check. If we have to handle more cases here, it might be cleaner just 401 // to track this extra bit in the state itself. 402 return ((!Stmt || !isa<CallExpr>(Stmt)) && 403 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 404 } 405 406 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 407 const ExplodedNode *PrevN, 408 BugReporterContext &BRC, 409 BugReport &BR); 410 411 PathDiagnosticPiece* getEndPath(BugReporterContext &BRC, 412 const ExplodedNode *EndPathNode, 413 BugReport &BR) { 414 if (!IsLeak) 415 return 0; 416 417 PathDiagnosticLocation L = 418 PathDiagnosticLocation::createEndOfPath(EndPathNode, 419 BRC.getSourceManager()); 420 // Do not add the statement itself as a range in case of leak. 421 return new PathDiagnosticEventPiece(L, BR.getDescription(), false); 422 } 423 424 private: 425 class StackHintGeneratorForReallocationFailed 426 : public StackHintGeneratorForSymbol { 427 public: 428 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 429 : StackHintGeneratorForSymbol(S, M) {} 430 431 virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) { 432 // Printed parameters start at 1, not 0. 433 ++ArgIndex; 434 435 SmallString<200> buf; 436 llvm::raw_svector_ostream os(buf); 437 438 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 439 << " parameter failed"; 440 441 return os.str(); 442 } 443 444 virtual std::string getMessageForReturn(const CallExpr *CallExpr) { 445 return "Reallocation of returned value failed"; 446 } 447 }; 448 }; 449 }; 450 } // end anonymous namespace 451 452 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 453 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 454 455 // A map from the freed symbol to the symbol representing the return value of 456 // the free function. 457 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 458 459 namespace { 460 class StopTrackingCallback : public SymbolVisitor { 461 ProgramStateRef state; 462 public: 463 StopTrackingCallback(ProgramStateRef st) : state(st) {} 464 ProgramStateRef getState() const { return state; } 465 466 bool VisitSymbol(SymbolRef sym) { 467 state = state->remove<RegionState>(sym); 468 return true; 469 } 470 }; 471 } // end anonymous namespace 472 473 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 474 if (II_malloc) 475 return; 476 II_malloc = &Ctx.Idents.get("malloc"); 477 II_free = &Ctx.Idents.get("free"); 478 II_realloc = &Ctx.Idents.get("realloc"); 479 II_reallocf = &Ctx.Idents.get("reallocf"); 480 II_calloc = &Ctx.Idents.get("calloc"); 481 II_valloc = &Ctx.Idents.get("valloc"); 482 II_strdup = &Ctx.Idents.get("strdup"); 483 II_strndup = &Ctx.Idents.get("strndup"); 484 } 485 486 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 487 if (isFreeFunction(FD, C)) 488 return true; 489 490 if (isAllocationFunction(FD, C)) 491 return true; 492 493 if (isStandardNewDelete(FD, C)) 494 return true; 495 496 return false; 497 } 498 499 bool MallocChecker::isAllocationFunction(const FunctionDecl *FD, 500 ASTContext &C) const { 501 if (!FD) 502 return false; 503 504 if (FD->getKind() == Decl::Function) { 505 IdentifierInfo *FunI = FD->getIdentifier(); 506 initIdentifierInfo(C); 507 508 if (FunI == II_malloc || FunI == II_realloc || 509 FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || 510 FunI == II_strdup || FunI == II_strndup) 511 return true; 512 } 513 514 if (ChecksEnabled[CK_MallocOptimistic] && FD->hasAttrs()) 515 for (specific_attr_iterator<OwnershipAttr> 516 i = FD->specific_attr_begin<OwnershipAttr>(), 517 e = FD->specific_attr_end<OwnershipAttr>(); 518 i != e; ++i) 519 if ((*i)->getOwnKind() == OwnershipAttr::Returns) 520 return true; 521 return false; 522 } 523 524 bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const { 525 if (!FD) 526 return false; 527 528 if (FD->getKind() == Decl::Function) { 529 IdentifierInfo *FunI = FD->getIdentifier(); 530 initIdentifierInfo(C); 531 532 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 533 return true; 534 } 535 536 if (ChecksEnabled[CK_MallocOptimistic] && FD->hasAttrs()) 537 for (specific_attr_iterator<OwnershipAttr> 538 i = FD->specific_attr_begin<OwnershipAttr>(), 539 e = FD->specific_attr_end<OwnershipAttr>(); 540 i != e; ++i) 541 if ((*i)->getOwnKind() == OwnershipAttr::Takes || 542 (*i)->getOwnKind() == OwnershipAttr::Holds) 543 return true; 544 return false; 545 } 546 547 // Tells if the callee is one of the following: 548 // 1) A global non-placement new/delete operator function. 549 // 2) A global placement operator function with the single placement argument 550 // of type std::nothrow_t. 551 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 552 ASTContext &C) const { 553 if (!FD) 554 return false; 555 556 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 557 if (Kind != OO_New && Kind != OO_Array_New && 558 Kind != OO_Delete && Kind != OO_Array_Delete) 559 return false; 560 561 // Skip all operator new/delete methods. 562 if (isa<CXXMethodDecl>(FD)) 563 return false; 564 565 // Return true if tested operator is a standard placement nothrow operator. 566 if (FD->getNumParams() == 2) { 567 QualType T = FD->getParamDecl(1)->getType(); 568 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 569 return II->getName().equals("nothrow_t"); 570 } 571 572 // Skip placement operators. 573 if (FD->getNumParams() != 1 || FD->isVariadic()) 574 return false; 575 576 // One of the standard new/new[]/delete/delete[] non-placement operators. 577 return true; 578 } 579 580 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 581 if (C.wasInlined) 582 return; 583 584 const FunctionDecl *FD = C.getCalleeDecl(CE); 585 if (!FD) 586 return; 587 588 ProgramStateRef State = C.getState(); 589 bool ReleasedAllocatedMemory = false; 590 591 if (FD->getKind() == Decl::Function) { 592 initIdentifierInfo(C.getASTContext()); 593 IdentifierInfo *FunI = FD->getIdentifier(); 594 595 if (FunI == II_malloc || FunI == II_valloc) { 596 if (CE->getNumArgs() < 1) 597 return; 598 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 599 } else if (FunI == II_realloc) { 600 State = ReallocMem(C, CE, false); 601 } else if (FunI == II_reallocf) { 602 State = ReallocMem(C, CE, true); 603 } else if (FunI == II_calloc) { 604 State = CallocMem(C, CE); 605 } else if (FunI == II_free) { 606 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 607 } else if (FunI == II_strdup) { 608 State = MallocUpdateRefState(C, CE, State); 609 } else if (FunI == II_strndup) { 610 State = MallocUpdateRefState(C, CE, State); 611 } 612 else if (isStandardNewDelete(FD, C.getASTContext())) { 613 // Process direct calls to operator new/new[]/delete/delete[] functions 614 // as distinct from new/new[]/delete/delete[] expressions that are 615 // processed by the checkPostStmt callbacks for CXXNewExpr and 616 // CXXDeleteExpr. 617 OverloadedOperatorKind K = FD->getOverloadedOperator(); 618 if (K == OO_New) 619 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 620 AF_CXXNew); 621 else if (K == OO_Array_New) 622 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 623 AF_CXXNewArray); 624 else if (K == OO_Delete || K == OO_Array_Delete) 625 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 626 else 627 llvm_unreachable("not a new/delete operator"); 628 } 629 } 630 631 if (ChecksEnabled[CK_MallocOptimistic] || 632 ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 633 // Check all the attributes, if there are any. 634 // There can be multiple of these attributes. 635 if (FD->hasAttrs()) 636 for (specific_attr_iterator<OwnershipAttr> 637 i = FD->specific_attr_begin<OwnershipAttr>(), 638 e = FD->specific_attr_end<OwnershipAttr>(); 639 i != e; ++i) { 640 switch ((*i)->getOwnKind()) { 641 case OwnershipAttr::Returns: 642 State = MallocMemReturnsAttr(C, CE, *i); 643 break; 644 case OwnershipAttr::Takes: 645 case OwnershipAttr::Holds: 646 State = FreeMemAttr(C, CE, *i); 647 break; 648 } 649 } 650 } 651 C.addTransition(State); 652 } 653 654 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 655 CheckerContext &C) const { 656 657 if (NE->getNumPlacementArgs()) 658 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 659 E = NE->placement_arg_end(); I != E; ++I) 660 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 661 checkUseAfterFree(Sym, C, *I); 662 663 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 664 return; 665 666 ProgramStateRef State = C.getState(); 667 // The return value from operator new is bound to a specified initialization 668 // value (if any) and we don't want to loose this value. So we call 669 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 670 // existing binding. 671 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 672 : AF_CXXNew); 673 C.addTransition(State); 674 } 675 676 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 677 CheckerContext &C) const { 678 679 if (!ChecksEnabled[CK_NewDeleteChecker]) 680 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 681 checkUseAfterFree(Sym, C, DE->getArgument()); 682 683 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 684 return; 685 686 ProgramStateRef State = C.getState(); 687 bool ReleasedAllocated; 688 State = FreeMemAux(C, DE->getArgument(), DE, State, 689 /*Hold*/false, ReleasedAllocated); 690 691 C.addTransition(State); 692 } 693 694 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 695 // If the first selector piece is one of the names below, assume that the 696 // object takes ownership of the memory, promising to eventually deallocate it 697 // with free(). 698 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 699 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 700 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 701 if (FirstSlot == "dataWithBytesNoCopy" || 702 FirstSlot == "initWithBytesNoCopy" || 703 FirstSlot == "initWithCharactersNoCopy") 704 return true; 705 706 return false; 707 } 708 709 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 710 Selector S = Call.getSelector(); 711 712 // FIXME: We should not rely on fully-constrained symbols being folded. 713 for (unsigned i = 1; i < S.getNumArgs(); ++i) 714 if (S.getNameForSlot(i).equals("freeWhenDone")) 715 return !Call.getArgSVal(i).isZeroConstant(); 716 717 return None; 718 } 719 720 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 721 CheckerContext &C) const { 722 if (C.wasInlined) 723 return; 724 725 if (!isKnownDeallocObjCMethodName(Call)) 726 return; 727 728 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 729 if (!*FreeWhenDone) 730 return; 731 732 bool ReleasedAllocatedMemory; 733 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 734 Call.getOriginExpr(), C.getState(), 735 /*Hold=*/true, ReleasedAllocatedMemory, 736 /*RetNullOnFailure=*/true); 737 738 C.addTransition(State); 739 } 740 741 ProgramStateRef 742 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, 743 const OwnershipAttr *Att) const { 744 if (Att->getModule() != II_malloc) 745 return 0; 746 747 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 748 if (I != E) { 749 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 750 } 751 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 752 } 753 754 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 755 const CallExpr *CE, 756 SVal Size, SVal Init, 757 ProgramStateRef State, 758 AllocationFamily Family) { 759 760 // Bind the return value to the symbolic value from the heap region. 761 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 762 // side effects other than what we model here. 763 unsigned Count = C.blockCount(); 764 SValBuilder &svalBuilder = C.getSValBuilder(); 765 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 766 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 767 .castAs<DefinedSVal>(); 768 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 769 770 // We expect the malloc functions to return a pointer. 771 if (!RetVal.getAs<Loc>()) 772 return 0; 773 774 // Fill the region with the initialization value. 775 State = State->bindDefault(RetVal, Init); 776 777 // Set the region's extent equal to the Size parameter. 778 const SymbolicRegion *R = 779 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 780 if (!R) 781 return 0; 782 if (Optional<DefinedOrUnknownSVal> DefinedSize = 783 Size.getAs<DefinedOrUnknownSVal>()) { 784 SValBuilder &svalBuilder = C.getSValBuilder(); 785 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 786 DefinedOrUnknownSVal extentMatchesSize = 787 svalBuilder.evalEQ(State, Extent, *DefinedSize); 788 789 State = State->assume(extentMatchesSize, true); 790 assert(State); 791 } 792 793 return MallocUpdateRefState(C, CE, State, Family); 794 } 795 796 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 797 const Expr *E, 798 ProgramStateRef State, 799 AllocationFamily Family) { 800 // Get the return value. 801 SVal retVal = State->getSVal(E, C.getLocationContext()); 802 803 // We expect the malloc functions to return a pointer. 804 if (!retVal.getAs<Loc>()) 805 return 0; 806 807 SymbolRef Sym = retVal.getAsLocSymbol(); 808 assert(Sym); 809 810 // Set the symbol's state to Allocated. 811 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 812 } 813 814 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 815 const CallExpr *CE, 816 const OwnershipAttr *Att) const { 817 if (Att->getModule() != II_malloc) 818 return 0; 819 820 ProgramStateRef State = C.getState(); 821 bool ReleasedAllocated = false; 822 823 for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 824 I != E; ++I) { 825 ProgramStateRef StateI = FreeMemAux(C, CE, State, *I, 826 Att->getOwnKind() == OwnershipAttr::Holds, 827 ReleasedAllocated); 828 if (StateI) 829 State = StateI; 830 } 831 return State; 832 } 833 834 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 835 const CallExpr *CE, 836 ProgramStateRef state, 837 unsigned Num, 838 bool Hold, 839 bool &ReleasedAllocated, 840 bool ReturnsNullOnFailure) const { 841 if (CE->getNumArgs() < (Num + 1)) 842 return 0; 843 844 return FreeMemAux(C, CE->getArg(Num), CE, state, Hold, 845 ReleasedAllocated, ReturnsNullOnFailure); 846 } 847 848 /// Checks if the previous call to free on the given symbol failed - if free 849 /// failed, returns true. Also, returns the corresponding return value symbol. 850 static bool didPreviousFreeFail(ProgramStateRef State, 851 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 852 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 853 if (Ret) { 854 assert(*Ret && "We should not store the null return symbol"); 855 ConstraintManager &CMgr = State->getConstraintManager(); 856 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 857 RetStatusSymbol = *Ret; 858 return FreeFailed.isConstrainedTrue(); 859 } 860 return false; 861 } 862 863 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 864 const Stmt *S) const { 865 if (!S) 866 return AF_None; 867 868 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 869 const FunctionDecl *FD = C.getCalleeDecl(CE); 870 871 if (!FD) 872 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 873 874 ASTContext &Ctx = C.getASTContext(); 875 876 if (isAllocationFunction(FD, Ctx) || isFreeFunction(FD, Ctx)) 877 return AF_Malloc; 878 879 if (isStandardNewDelete(FD, Ctx)) { 880 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 881 if (Kind == OO_New || Kind == OO_Delete) 882 return AF_CXXNew; 883 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 884 return AF_CXXNewArray; 885 } 886 887 return AF_None; 888 } 889 890 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 891 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 892 893 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 894 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 895 896 if (isa<ObjCMessageExpr>(S)) 897 return AF_Malloc; 898 899 return AF_None; 900 } 901 902 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 903 const Expr *E) const { 904 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 905 // FIXME: This doesn't handle indirect calls. 906 const FunctionDecl *FD = CE->getDirectCallee(); 907 if (!FD) 908 return false; 909 910 os << *FD; 911 if (!FD->isOverloadedOperator()) 912 os << "()"; 913 return true; 914 } 915 916 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 917 if (Msg->isInstanceMessage()) 918 os << "-"; 919 else 920 os << "+"; 921 Msg->getSelector().print(os); 922 return true; 923 } 924 925 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 926 os << "'" 927 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 928 << "'"; 929 return true; 930 } 931 932 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 933 os << "'" 934 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 935 << "'"; 936 return true; 937 } 938 939 return false; 940 } 941 942 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 943 const Expr *E) const { 944 AllocationFamily Family = getAllocationFamily(C, E); 945 946 switch(Family) { 947 case AF_Malloc: os << "malloc()"; return; 948 case AF_CXXNew: os << "'new'"; return; 949 case AF_CXXNewArray: os << "'new[]'"; return; 950 case AF_None: llvm_unreachable("not a deallocation expression"); 951 } 952 } 953 954 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 955 AllocationFamily Family) const { 956 switch(Family) { 957 case AF_Malloc: os << "free()"; return; 958 case AF_CXXNew: os << "'delete'"; return; 959 case AF_CXXNewArray: os << "'delete[]'"; return; 960 case AF_None: llvm_unreachable("suspicious AF_None argument"); 961 } 962 } 963 964 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 965 const Expr *ArgExpr, 966 const Expr *ParentExpr, 967 ProgramStateRef State, 968 bool Hold, 969 bool &ReleasedAllocated, 970 bool ReturnsNullOnFailure) const { 971 972 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 973 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 974 return 0; 975 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 976 977 // Check for null dereferences. 978 if (!location.getAs<Loc>()) 979 return 0; 980 981 // The explicit NULL case, no operation is performed. 982 ProgramStateRef notNullState, nullState; 983 llvm::tie(notNullState, nullState) = State->assume(location); 984 if (nullState && !notNullState) 985 return 0; 986 987 // Unknown values could easily be okay 988 // Undefined values are handled elsewhere 989 if (ArgVal.isUnknownOrUndef()) 990 return 0; 991 992 const MemRegion *R = ArgVal.getAsRegion(); 993 994 // Nonlocs can't be freed, of course. 995 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 996 if (!R) { 997 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 998 return 0; 999 } 1000 1001 R = R->StripCasts(); 1002 1003 // Blocks might show up as heap data, but should not be free()d 1004 if (isa<BlockDataRegion>(R)) { 1005 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1006 return 0; 1007 } 1008 1009 const MemSpaceRegion *MS = R->getMemorySpace(); 1010 1011 // Parameters, locals, statics, globals, and memory returned by alloca() 1012 // shouldn't be freed. 1013 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1014 // FIXME: at the time this code was written, malloc() regions were 1015 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1016 // This means that there isn't actually anything from HeapSpaceRegion 1017 // that should be freed, even though we allow it here. 1018 // Of course, free() can work on memory allocated outside the current 1019 // function, so UnknownSpaceRegion is always a possibility. 1020 // False negatives are better than false positives. 1021 1022 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1023 return 0; 1024 } 1025 1026 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1027 // Various cases could lead to non-symbol values here. 1028 // For now, ignore them. 1029 if (!SrBase) 1030 return 0; 1031 1032 SymbolRef SymBase = SrBase->getSymbol(); 1033 const RefState *RsBase = State->get<RegionState>(SymBase); 1034 SymbolRef PreviousRetStatusSymbol = 0; 1035 1036 if (RsBase) { 1037 1038 // Check for double free first. 1039 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1040 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1041 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1042 SymBase, PreviousRetStatusSymbol); 1043 return 0; 1044 1045 // If the pointer is allocated or escaped, but we are now trying to free it, 1046 // check that the call to free is proper. 1047 } else if (RsBase->isAllocated() || RsBase->isEscaped()) { 1048 1049 // Check if an expected deallocation function matches the real one. 1050 bool DeallocMatchesAlloc = 1051 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1052 if (!DeallocMatchesAlloc) { 1053 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1054 ParentExpr, RsBase, SymBase, Hold); 1055 return 0; 1056 } 1057 1058 // Check if the memory location being freed is the actual location 1059 // allocated, or an offset. 1060 RegionOffset Offset = R->getAsOffset(); 1061 if (Offset.isValid() && 1062 !Offset.hasSymbolicOffset() && 1063 Offset.getOffset() != 0) { 1064 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1065 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1066 AllocExpr); 1067 return 0; 1068 } 1069 } 1070 } 1071 1072 ReleasedAllocated = (RsBase != 0) && RsBase->isAllocated(); 1073 1074 // Clean out the info on previous call to free return info. 1075 State = State->remove<FreeReturnValue>(SymBase); 1076 1077 // Keep track of the return value. If it is NULL, we will know that free 1078 // failed. 1079 if (ReturnsNullOnFailure) { 1080 SVal RetVal = C.getSVal(ParentExpr); 1081 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1082 if (RetStatusSymbol) { 1083 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1084 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1085 } 1086 } 1087 1088 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() 1089 : getAllocationFamily(C, ParentExpr); 1090 // Normal free. 1091 if (Hold) 1092 return State->set<RegionState>(SymBase, 1093 RefState::getRelinquished(Family, 1094 ParentExpr)); 1095 1096 return State->set<RegionState>(SymBase, 1097 RefState::getReleased(Family, ParentExpr)); 1098 } 1099 1100 Optional<MallocChecker::CheckKind> 1101 MallocChecker::getCheckIfTracked(AllocationFamily Family) const { 1102 switch (Family) { 1103 case AF_Malloc: { 1104 if (ChecksEnabled[CK_MallocOptimistic]) { 1105 return CK_MallocOptimistic; 1106 } else if (ChecksEnabled[CK_MallocPessimistic]) { 1107 return CK_MallocPessimistic; 1108 } 1109 return Optional<MallocChecker::CheckKind>(); 1110 } 1111 case AF_CXXNew: 1112 case AF_CXXNewArray: { 1113 if (ChecksEnabled[CK_NewDeleteChecker]) { 1114 return CK_NewDeleteChecker; 1115 } 1116 return Optional<MallocChecker::CheckKind>(); 1117 } 1118 case AF_None: { 1119 llvm_unreachable("no family"); 1120 } 1121 } 1122 llvm_unreachable("unhandled family"); 1123 } 1124 1125 Optional<MallocChecker::CheckKind> 1126 MallocChecker::getCheckIfTracked(CheckerContext &C, 1127 const Stmt *AllocDeallocStmt) const { 1128 return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt)); 1129 } 1130 1131 Optional<MallocChecker::CheckKind> 1132 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const { 1133 1134 const RefState *RS = C.getState()->get<RegionState>(Sym); 1135 assert(RS); 1136 return getCheckIfTracked(RS->getAllocationFamily()); 1137 } 1138 1139 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1140 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1141 os << "an integer (" << IntVal->getValue() << ")"; 1142 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1143 os << "a constant address (" << ConstAddr->getValue() << ")"; 1144 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1145 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1146 else 1147 return false; 1148 1149 return true; 1150 } 1151 1152 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1153 const MemRegion *MR) { 1154 switch (MR->getKind()) { 1155 case MemRegion::FunctionTextRegionKind: { 1156 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 1157 if (FD) 1158 os << "the address of the function '" << *FD << '\''; 1159 else 1160 os << "the address of a function"; 1161 return true; 1162 } 1163 case MemRegion::BlockTextRegionKind: 1164 os << "block text"; 1165 return true; 1166 case MemRegion::BlockDataRegionKind: 1167 // FIXME: where the block came from? 1168 os << "a block"; 1169 return true; 1170 default: { 1171 const MemSpaceRegion *MS = MR->getMemorySpace(); 1172 1173 if (isa<StackLocalsSpaceRegion>(MS)) { 1174 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1175 const VarDecl *VD; 1176 if (VR) 1177 VD = VR->getDecl(); 1178 else 1179 VD = NULL; 1180 1181 if (VD) 1182 os << "the address of the local variable '" << VD->getName() << "'"; 1183 else 1184 os << "the address of a local stack variable"; 1185 return true; 1186 } 1187 1188 if (isa<StackArgumentsSpaceRegion>(MS)) { 1189 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1190 const VarDecl *VD; 1191 if (VR) 1192 VD = VR->getDecl(); 1193 else 1194 VD = NULL; 1195 1196 if (VD) 1197 os << "the address of the parameter '" << VD->getName() << "'"; 1198 else 1199 os << "the address of a parameter"; 1200 return true; 1201 } 1202 1203 if (isa<GlobalsSpaceRegion>(MS)) { 1204 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1205 const VarDecl *VD; 1206 if (VR) 1207 VD = VR->getDecl(); 1208 else 1209 VD = NULL; 1210 1211 if (VD) { 1212 if (VD->isStaticLocal()) 1213 os << "the address of the static variable '" << VD->getName() << "'"; 1214 else 1215 os << "the address of the global variable '" << VD->getName() << "'"; 1216 } else 1217 os << "the address of a global variable"; 1218 return true; 1219 } 1220 1221 return false; 1222 } 1223 } 1224 } 1225 1226 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1227 SourceRange Range, 1228 const Expr *DeallocExpr) const { 1229 1230 if (!ChecksEnabled[CK_MallocOptimistic] && 1231 !ChecksEnabled[CK_MallocPessimistic] && 1232 !ChecksEnabled[CK_NewDeleteChecker]) 1233 return; 1234 1235 Optional<MallocChecker::CheckKind> CheckKind = 1236 getCheckIfTracked(C, DeallocExpr); 1237 if (!CheckKind.hasValue()) 1238 return; 1239 1240 if (ExplodedNode *N = C.generateSink()) { 1241 if (!BT_BadFree[*CheckKind]) 1242 BT_BadFree[*CheckKind].reset( 1243 new BugType(CheckNames[*CheckKind], "Bad free", "Memory Error")); 1244 1245 SmallString<100> buf; 1246 llvm::raw_svector_ostream os(buf); 1247 1248 const MemRegion *MR = ArgVal.getAsRegion(); 1249 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1250 MR = ER->getSuperRegion(); 1251 1252 if (MR && isa<AllocaRegion>(MR)) 1253 os << "Memory allocated by alloca() should not be deallocated"; 1254 else { 1255 os << "Argument to "; 1256 if (!printAllocDeallocName(os, C, DeallocExpr)) 1257 os << "deallocator"; 1258 1259 os << " is "; 1260 bool Summarized = MR ? SummarizeRegion(os, MR) 1261 : SummarizeValue(os, ArgVal); 1262 if (Summarized) 1263 os << ", which is not memory allocated by "; 1264 else 1265 os << "not memory allocated by "; 1266 1267 printExpectedAllocName(os, C, DeallocExpr); 1268 } 1269 1270 BugReport *R = new BugReport(*BT_BadFree[*CheckKind], os.str(), N); 1271 R->markInteresting(MR); 1272 R->addRange(Range); 1273 C.emitReport(R); 1274 } 1275 } 1276 1277 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1278 SourceRange Range, 1279 const Expr *DeallocExpr, 1280 const RefState *RS, 1281 SymbolRef Sym, 1282 bool OwnershipTransferred) const { 1283 1284 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1285 return; 1286 1287 if (ExplodedNode *N = C.generateSink()) { 1288 if (!BT_MismatchedDealloc) 1289 BT_MismatchedDealloc.reset( 1290 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 1291 "Bad deallocator", "Memory Error")); 1292 1293 SmallString<100> buf; 1294 llvm::raw_svector_ostream os(buf); 1295 1296 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1297 SmallString<20> AllocBuf; 1298 llvm::raw_svector_ostream AllocOs(AllocBuf); 1299 SmallString<20> DeallocBuf; 1300 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1301 1302 if (OwnershipTransferred) { 1303 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1304 os << DeallocOs.str() << " cannot"; 1305 else 1306 os << "Cannot"; 1307 1308 os << " take ownership of memory"; 1309 1310 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1311 os << " allocated by " << AllocOs.str(); 1312 } else { 1313 os << "Memory"; 1314 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1315 os << " allocated by " << AllocOs.str(); 1316 1317 os << " should be deallocated by "; 1318 printExpectedDeallocName(os, RS->getAllocationFamily()); 1319 1320 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1321 os << ", not " << DeallocOs.str(); 1322 } 1323 1324 BugReport *R = new BugReport(*BT_MismatchedDealloc, os.str(), N); 1325 R->markInteresting(Sym); 1326 R->addRange(Range); 1327 R->addVisitor(new MallocBugVisitor(Sym)); 1328 C.emitReport(R); 1329 } 1330 } 1331 1332 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1333 SourceRange Range, const Expr *DeallocExpr, 1334 const Expr *AllocExpr) const { 1335 1336 if (!ChecksEnabled[CK_MallocOptimistic] && 1337 !ChecksEnabled[CK_MallocPessimistic] && 1338 !ChecksEnabled[CK_NewDeleteChecker]) 1339 return; 1340 1341 Optional<MallocChecker::CheckKind> CheckKind = 1342 getCheckIfTracked(C, AllocExpr); 1343 if (!CheckKind.hasValue()) 1344 return; 1345 1346 ExplodedNode *N = C.generateSink(); 1347 if (N == NULL) 1348 return; 1349 1350 if (!BT_OffsetFree[*CheckKind]) 1351 BT_OffsetFree[*CheckKind].reset( 1352 new BugType(CheckNames[*CheckKind], "Offset free", "Memory Error")); 1353 1354 SmallString<100> buf; 1355 llvm::raw_svector_ostream os(buf); 1356 SmallString<20> AllocNameBuf; 1357 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1358 1359 const MemRegion *MR = ArgVal.getAsRegion(); 1360 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1361 1362 RegionOffset Offset = MR->getAsOffset(); 1363 assert((Offset.isValid() && 1364 !Offset.hasSymbolicOffset() && 1365 Offset.getOffset() != 0) && 1366 "Only symbols with a valid offset can have offset free errors"); 1367 1368 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1369 1370 os << "Argument to "; 1371 if (!printAllocDeallocName(os, C, DeallocExpr)) 1372 os << "deallocator"; 1373 os << " is offset by " 1374 << offsetBytes 1375 << " " 1376 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1377 << " from the start of "; 1378 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1379 os << "memory allocated by " << AllocNameOs.str(); 1380 else 1381 os << "allocated memory"; 1382 1383 BugReport *R = new BugReport(*BT_OffsetFree[*CheckKind], os.str(), N); 1384 R->markInteresting(MR->getBaseRegion()); 1385 R->addRange(Range); 1386 C.emitReport(R); 1387 } 1388 1389 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1390 SymbolRef Sym) const { 1391 1392 if (!ChecksEnabled[CK_MallocOptimistic] && 1393 !ChecksEnabled[CK_MallocPessimistic] && 1394 !ChecksEnabled[CK_NewDeleteChecker]) 1395 return; 1396 1397 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1398 if (!CheckKind.hasValue()) 1399 return; 1400 1401 if (ExplodedNode *N = C.generateSink()) { 1402 if (!BT_UseFree[*CheckKind]) 1403 BT_UseFree[*CheckKind].reset(new BugType( 1404 CheckNames[*CheckKind], "Use-after-free", "Memory Error")); 1405 1406 BugReport *R = new BugReport(*BT_UseFree[*CheckKind], 1407 "Use of memory after it is freed", N); 1408 1409 R->markInteresting(Sym); 1410 R->addRange(Range); 1411 R->addVisitor(new MallocBugVisitor(Sym)); 1412 C.emitReport(R); 1413 } 1414 } 1415 1416 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1417 bool Released, SymbolRef Sym, 1418 SymbolRef PrevSym) const { 1419 1420 if (!ChecksEnabled[CK_MallocOptimistic] && 1421 !ChecksEnabled[CK_MallocPessimistic] && 1422 !ChecksEnabled[CK_NewDeleteChecker]) 1423 return; 1424 1425 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1426 if (!CheckKind.hasValue()) 1427 return; 1428 1429 if (ExplodedNode *N = C.generateSink()) { 1430 if (!BT_DoubleFree[*CheckKind]) 1431 BT_DoubleFree[*CheckKind].reset( 1432 new BugType(CheckNames[*CheckKind], "Double free", "Memory Error")); 1433 1434 BugReport *R = 1435 new BugReport(*BT_DoubleFree[*CheckKind], 1436 (Released ? "Attempt to free released memory" 1437 : "Attempt to free non-owned memory"), 1438 N); 1439 R->addRange(Range); 1440 R->markInteresting(Sym); 1441 if (PrevSym) 1442 R->markInteresting(PrevSym); 1443 R->addVisitor(new MallocBugVisitor(Sym)); 1444 C.emitReport(R); 1445 } 1446 } 1447 1448 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 1449 1450 if (!ChecksEnabled[CK_NewDeleteChecker]) 1451 return; 1452 1453 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1454 if (!CheckKind.hasValue()) 1455 return; 1456 assert(*CheckKind == CK_NewDeleteChecker && "invalid check kind"); 1457 1458 if (ExplodedNode *N = C.generateSink()) { 1459 if (!BT_DoubleDelete) 1460 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 1461 "Double delete", "Memory Error")); 1462 1463 BugReport *R = new BugReport(*BT_DoubleDelete, 1464 "Attempt to delete released memory", N); 1465 1466 R->markInteresting(Sym); 1467 R->addVisitor(new MallocBugVisitor(Sym)); 1468 C.emitReport(R); 1469 } 1470 } 1471 1472 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 1473 const CallExpr *CE, 1474 bool FreesOnFail) const { 1475 if (CE->getNumArgs() < 2) 1476 return 0; 1477 1478 ProgramStateRef state = C.getState(); 1479 const Expr *arg0Expr = CE->getArg(0); 1480 const LocationContext *LCtx = C.getLocationContext(); 1481 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 1482 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 1483 return 0; 1484 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 1485 1486 SValBuilder &svalBuilder = C.getSValBuilder(); 1487 1488 DefinedOrUnknownSVal PtrEQ = 1489 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 1490 1491 // Get the size argument. If there is no size arg then give up. 1492 const Expr *Arg1 = CE->getArg(1); 1493 if (!Arg1) 1494 return 0; 1495 1496 // Get the value of the size argument. 1497 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 1498 if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) 1499 return 0; 1500 DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); 1501 1502 // Compare the size argument to 0. 1503 DefinedOrUnknownSVal SizeZero = 1504 svalBuilder.evalEQ(state, Arg1Val, 1505 svalBuilder.makeIntValWithPtrWidth(0, false)); 1506 1507 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 1508 llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 1509 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 1510 llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 1511 // We only assume exceptional states if they are definitely true; if the 1512 // state is under-constrained, assume regular realloc behavior. 1513 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 1514 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 1515 1516 // If the ptr is NULL and the size is not 0, the call is equivalent to 1517 // malloc(size). 1518 if ( PrtIsNull && !SizeIsZero) { 1519 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 1520 UndefinedVal(), StatePtrIsNull); 1521 return stateMalloc; 1522 } 1523 1524 if (PrtIsNull && SizeIsZero) 1525 return 0; 1526 1527 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 1528 assert(!PrtIsNull); 1529 SymbolRef FromPtr = arg0Val.getAsSymbol(); 1530 SVal RetVal = state->getSVal(CE, LCtx); 1531 SymbolRef ToPtr = RetVal.getAsSymbol(); 1532 if (!FromPtr || !ToPtr) 1533 return 0; 1534 1535 bool ReleasedAllocated = false; 1536 1537 // If the size is 0, free the memory. 1538 if (SizeIsZero) 1539 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 1540 false, ReleasedAllocated)){ 1541 // The semantics of the return value are: 1542 // If size was equal to 0, either NULL or a pointer suitable to be passed 1543 // to free() is returned. We just free the input pointer and do not add 1544 // any constrains on the output pointer. 1545 return stateFree; 1546 } 1547 1548 // Default behavior. 1549 if (ProgramStateRef stateFree = 1550 FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) { 1551 1552 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 1553 UnknownVal(), stateFree); 1554 if (!stateRealloc) 1555 return 0; 1556 1557 ReallocPairKind Kind = RPToBeFreedAfterFailure; 1558 if (FreesOnFail) 1559 Kind = RPIsFreeOnFailure; 1560 else if (!ReleasedAllocated) 1561 Kind = RPDoNotTrackAfterFailure; 1562 1563 // Record the info about the reallocated symbol so that we could properly 1564 // process failed reallocation. 1565 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 1566 ReallocPair(FromPtr, Kind)); 1567 // The reallocated symbol should stay alive for as long as the new symbol. 1568 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 1569 return stateRealloc; 1570 } 1571 return 0; 1572 } 1573 1574 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 1575 if (CE->getNumArgs() < 2) 1576 return 0; 1577 1578 ProgramStateRef state = C.getState(); 1579 SValBuilder &svalBuilder = C.getSValBuilder(); 1580 const LocationContext *LCtx = C.getLocationContext(); 1581 SVal count = state->getSVal(CE->getArg(0), LCtx); 1582 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 1583 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 1584 svalBuilder.getContext().getSizeType()); 1585 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1586 1587 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 1588 } 1589 1590 LeakInfo 1591 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 1592 CheckerContext &C) const { 1593 const LocationContext *LeakContext = N->getLocationContext(); 1594 // Walk the ExplodedGraph backwards and find the first node that referred to 1595 // the tracked symbol. 1596 const ExplodedNode *AllocNode = N; 1597 const MemRegion *ReferenceRegion = 0; 1598 1599 while (N) { 1600 ProgramStateRef State = N->getState(); 1601 if (!State->get<RegionState>(Sym)) 1602 break; 1603 1604 // Find the most recent expression bound to the symbol in the current 1605 // context. 1606 if (!ReferenceRegion) { 1607 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 1608 SVal Val = State->getSVal(MR); 1609 if (Val.getAsLocSymbol() == Sym) { 1610 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); 1611 // Do not show local variables belonging to a function other than 1612 // where the error is reported. 1613 if (!VR || 1614 (VR->getStackFrame() == LeakContext->getCurrentStackFrame())) 1615 ReferenceRegion = MR; 1616 } 1617 } 1618 } 1619 1620 // Allocation node, is the last node in the current context in which the 1621 // symbol was tracked. 1622 if (N->getLocationContext() == LeakContext) 1623 AllocNode = N; 1624 N = N->pred_empty() ? NULL : *(N->pred_begin()); 1625 } 1626 1627 return LeakInfo(AllocNode, ReferenceRegion); 1628 } 1629 1630 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1631 CheckerContext &C) const { 1632 1633 if (!ChecksEnabled[CK_MallocOptimistic] && 1634 !ChecksEnabled[CK_MallocPessimistic] && 1635 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 1636 return; 1637 1638 const RefState *RS = C.getState()->get<RegionState>(Sym); 1639 assert(RS && "cannot leak an untracked symbol"); 1640 AllocationFamily Family = RS->getAllocationFamily(); 1641 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 1642 if (!CheckKind.hasValue()) 1643 return; 1644 1645 // Special case for new and new[]; these are controlled by a separate checker 1646 // flag so that they can be selectively disabled. 1647 if (Family == AF_CXXNew || Family == AF_CXXNewArray) 1648 if (!ChecksEnabled[CK_NewDeleteLeaksChecker]) 1649 return; 1650 1651 assert(N); 1652 if (!BT_Leak[*CheckKind]) { 1653 BT_Leak[*CheckKind].reset( 1654 new BugType(CheckNames[*CheckKind], "Memory leak", "Memory Error")); 1655 // Leaks should not be reported if they are post-dominated by a sink: 1656 // (1) Sinks are higher importance bugs. 1657 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1658 // with __noreturn functions such as assert() or exit(). We choose not 1659 // to report leaks on such paths. 1660 BT_Leak[*CheckKind]->setSuppressOnSink(true); 1661 } 1662 1663 // Most bug reports are cached at the location where they occurred. 1664 // With leaks, we want to unique them by the location where they were 1665 // allocated, and only report a single path. 1666 PathDiagnosticLocation LocUsedForUniqueing; 1667 const ExplodedNode *AllocNode = 0; 1668 const MemRegion *Region = 0; 1669 llvm::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 1670 1671 ProgramPoint P = AllocNode->getLocation(); 1672 const Stmt *AllocationStmt = 0; 1673 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 1674 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1675 else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) 1676 AllocationStmt = SP->getStmt(); 1677 if (AllocationStmt) 1678 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 1679 C.getSourceManager(), 1680 AllocNode->getLocationContext()); 1681 1682 SmallString<200> buf; 1683 llvm::raw_svector_ostream os(buf); 1684 if (Region && Region->canPrintPretty()) { 1685 os << "Potential leak of memory pointed to by "; 1686 Region->printPretty(os); 1687 } else { 1688 os << "Potential memory leak"; 1689 } 1690 1691 BugReport *R = 1692 new BugReport(*BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 1693 AllocNode->getLocationContext()->getDecl()); 1694 R->markInteresting(Sym); 1695 R->addVisitor(new MallocBugVisitor(Sym, true)); 1696 C.emitReport(R); 1697 } 1698 1699 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1700 CheckerContext &C) const 1701 { 1702 if (!SymReaper.hasDeadSymbols()) 1703 return; 1704 1705 ProgramStateRef state = C.getState(); 1706 RegionStateTy RS = state->get<RegionState>(); 1707 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1708 1709 SmallVector<SymbolRef, 2> Errors; 1710 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1711 if (SymReaper.isDead(I->first)) { 1712 if (I->second.isAllocated()) 1713 Errors.push_back(I->first); 1714 // Remove the dead symbol from the map. 1715 RS = F.remove(RS, I->first); 1716 1717 } 1718 } 1719 1720 // Cleanup the Realloc Pairs Map. 1721 ReallocPairsTy RP = state->get<ReallocPairs>(); 1722 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1723 if (SymReaper.isDead(I->first) || 1724 SymReaper.isDead(I->second.ReallocatedSym)) { 1725 state = state->remove<ReallocPairs>(I->first); 1726 } 1727 } 1728 1729 // Cleanup the FreeReturnValue Map. 1730 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 1731 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 1732 if (SymReaper.isDead(I->first) || 1733 SymReaper.isDead(I->second)) { 1734 state = state->remove<FreeReturnValue>(I->first); 1735 } 1736 } 1737 1738 // Generate leak node. 1739 ExplodedNode *N = C.getPredecessor(); 1740 if (!Errors.empty()) { 1741 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 1742 N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 1743 for (SmallVectorImpl<SymbolRef>::iterator 1744 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 1745 reportLeak(*I, N, C); 1746 } 1747 } 1748 1749 C.addTransition(state->set<RegionState>(RS), N); 1750 } 1751 1752 void MallocChecker::checkPreCall(const CallEvent &Call, 1753 CheckerContext &C) const { 1754 1755 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { 1756 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 1757 if (!Sym || checkDoubleDelete(Sym, C)) 1758 return; 1759 } 1760 1761 // We will check for double free in the post visit. 1762 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 1763 const FunctionDecl *FD = FC->getDecl(); 1764 if (!FD) 1765 return; 1766 1767 if ((ChecksEnabled[CK_MallocOptimistic] || 1768 ChecksEnabled[CK_MallocPessimistic]) && 1769 isFreeFunction(FD, C.getASTContext())) 1770 return; 1771 1772 if (ChecksEnabled[CK_NewDeleteChecker] && 1773 isStandardNewDelete(FD, C.getASTContext())) 1774 return; 1775 } 1776 1777 // Check if the callee of a method is deleted. 1778 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 1779 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 1780 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 1781 return; 1782 } 1783 1784 // Check arguments for being used after free. 1785 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 1786 SVal ArgSVal = Call.getArgSVal(I); 1787 if (ArgSVal.getAs<Loc>()) { 1788 SymbolRef Sym = ArgSVal.getAsSymbol(); 1789 if (!Sym) 1790 continue; 1791 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 1792 return; 1793 } 1794 } 1795 } 1796 1797 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 1798 const Expr *E = S->getRetValue(); 1799 if (!E) 1800 return; 1801 1802 // Check if we are returning a symbol. 1803 ProgramStateRef State = C.getState(); 1804 SVal RetVal = State->getSVal(E, C.getLocationContext()); 1805 SymbolRef Sym = RetVal.getAsSymbol(); 1806 if (!Sym) 1807 // If we are returning a field of the allocated struct or an array element, 1808 // the callee could still free the memory. 1809 // TODO: This logic should be a part of generic symbol escape callback. 1810 if (const MemRegion *MR = RetVal.getAsRegion()) 1811 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 1812 if (const SymbolicRegion *BMR = 1813 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 1814 Sym = BMR->getSymbol(); 1815 1816 // Check if we are returning freed memory. 1817 if (Sym) 1818 checkUseAfterFree(Sym, C, E); 1819 } 1820 1821 // TODO: Blocks should be either inlined or should call invalidate regions 1822 // upon invocation. After that's in place, special casing here will not be 1823 // needed. 1824 void MallocChecker::checkPostStmt(const BlockExpr *BE, 1825 CheckerContext &C) const { 1826 1827 // Scan the BlockDecRefExprs for any object the retain count checker 1828 // may be tracking. 1829 if (!BE->getBlockDecl()->hasCaptures()) 1830 return; 1831 1832 ProgramStateRef state = C.getState(); 1833 const BlockDataRegion *R = 1834 cast<BlockDataRegion>(state->getSVal(BE, 1835 C.getLocationContext()).getAsRegion()); 1836 1837 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 1838 E = R->referenced_vars_end(); 1839 1840 if (I == E) 1841 return; 1842 1843 SmallVector<const MemRegion*, 10> Regions; 1844 const LocationContext *LC = C.getLocationContext(); 1845 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 1846 1847 for ( ; I != E; ++I) { 1848 const VarRegion *VR = I.getCapturedRegion(); 1849 if (VR->getSuperRegion() == R) { 1850 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 1851 } 1852 Regions.push_back(VR); 1853 } 1854 1855 state = 1856 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 1857 Regions.data() + Regions.size()).getState(); 1858 C.addTransition(state); 1859 } 1860 1861 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 1862 assert(Sym); 1863 const RefState *RS = C.getState()->get<RegionState>(Sym); 1864 return (RS && RS->isReleased()); 1865 } 1866 1867 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 1868 const Stmt *S) const { 1869 1870 if (isReleased(Sym, C)) { 1871 ReportUseAfterFree(C, S->getSourceRange(), Sym); 1872 return true; 1873 } 1874 1875 return false; 1876 } 1877 1878 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 1879 1880 if (isReleased(Sym, C)) { 1881 ReportDoubleDelete(C, Sym); 1882 return true; 1883 } 1884 return false; 1885 } 1886 1887 // Check if the location is a freed symbolic region. 1888 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 1889 CheckerContext &C) const { 1890 SymbolRef Sym = l.getLocSymbolInBase(); 1891 if (Sym) 1892 checkUseAfterFree(Sym, C, S); 1893 } 1894 1895 // If a symbolic region is assumed to NULL (or another constant), stop tracking 1896 // it - assuming that allocation failed on this path. 1897 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 1898 SVal Cond, 1899 bool Assumption) const { 1900 RegionStateTy RS = state->get<RegionState>(); 1901 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1902 // If the symbol is assumed to be NULL, remove it from consideration. 1903 ConstraintManager &CMgr = state->getConstraintManager(); 1904 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1905 if (AllocFailed.isConstrainedTrue()) 1906 state = state->remove<RegionState>(I.getKey()); 1907 } 1908 1909 // Realloc returns 0 when reallocation fails, which means that we should 1910 // restore the state of the pointer being reallocated. 1911 ReallocPairsTy RP = state->get<ReallocPairs>(); 1912 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1913 // If the symbol is assumed to be NULL, remove it from consideration. 1914 ConstraintManager &CMgr = state->getConstraintManager(); 1915 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1916 if (!AllocFailed.isConstrainedTrue()) 1917 continue; 1918 1919 SymbolRef ReallocSym = I.getData().ReallocatedSym; 1920 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 1921 if (RS->isReleased()) { 1922 if (I.getData().Kind == RPToBeFreedAfterFailure) 1923 state = state->set<RegionState>(ReallocSym, 1924 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 1925 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 1926 state = state->remove<RegionState>(ReallocSym); 1927 else 1928 assert(I.getData().Kind == RPIsFreeOnFailure); 1929 } 1930 } 1931 state = state->remove<ReallocPairs>(I.getKey()); 1932 } 1933 1934 return state; 1935 } 1936 1937 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 1938 const CallEvent *Call, 1939 ProgramStateRef State, 1940 SymbolRef &EscapingSymbol) const { 1941 assert(Call); 1942 EscapingSymbol = 0; 1943 1944 // For now, assume that any C++ or block call can free memory. 1945 // TODO: If we want to be more optimistic here, we'll need to make sure that 1946 // regions escape to C++ containers. They seem to do that even now, but for 1947 // mysterious reasons. 1948 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 1949 return true; 1950 1951 // Check Objective-C messages by selector name. 1952 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 1953 // If it's not a framework call, or if it takes a callback, assume it 1954 // can free memory. 1955 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 1956 return true; 1957 1958 // If it's a method we know about, handle it explicitly post-call. 1959 // This should happen before the "freeWhenDone" check below. 1960 if (isKnownDeallocObjCMethodName(*Msg)) 1961 return false; 1962 1963 // If there's a "freeWhenDone" parameter, but the method isn't one we know 1964 // about, we can't be sure that the object will use free() to deallocate the 1965 // memory, so we can't model it explicitly. The best we can do is use it to 1966 // decide whether the pointer escapes. 1967 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 1968 return *FreeWhenDone; 1969 1970 // If the first selector piece ends with "NoCopy", and there is no 1971 // "freeWhenDone" parameter set to zero, we know ownership is being 1972 // transferred. Again, though, we can't be sure that the object will use 1973 // free() to deallocate the memory, so we can't model it explicitly. 1974 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 1975 if (FirstSlot.endswith("NoCopy")) 1976 return true; 1977 1978 // If the first selector starts with addPointer, insertPointer, 1979 // or replacePointer, assume we are dealing with NSPointerArray or similar. 1980 // This is similar to C++ containers (vector); we still might want to check 1981 // that the pointers get freed by following the container itself. 1982 if (FirstSlot.startswith("addPointer") || 1983 FirstSlot.startswith("insertPointer") || 1984 FirstSlot.startswith("replacePointer") || 1985 FirstSlot.equals("valueWithPointer")) { 1986 return true; 1987 } 1988 1989 // We should escape receiver on call to 'init'. This is especially relevant 1990 // to the receiver, as the corresponding symbol is usually not referenced 1991 // after the call. 1992 if (Msg->getMethodFamily() == OMF_init) { 1993 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 1994 return true; 1995 } 1996 1997 // Otherwise, assume that the method does not free memory. 1998 // Most framework methods do not free memory. 1999 return false; 2000 } 2001 2002 // At this point the only thing left to handle is straight function calls. 2003 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 2004 if (!FD) 2005 return true; 2006 2007 ASTContext &ASTC = State->getStateManager().getContext(); 2008 2009 // If it's one of the allocation functions we can reason about, we model 2010 // its behavior explicitly. 2011 if (isMemFunction(FD, ASTC)) 2012 return false; 2013 2014 // If it's not a system call, assume it frees memory. 2015 if (!Call->isInSystemHeader()) 2016 return true; 2017 2018 // White list the system functions whose arguments escape. 2019 const IdentifierInfo *II = FD->getIdentifier(); 2020 if (!II) 2021 return true; 2022 StringRef FName = II->getName(); 2023 2024 // White list the 'XXXNoCopy' CoreFoundation functions. 2025 // We specifically check these before 2026 if (FName.endswith("NoCopy")) { 2027 // Look for the deallocator argument. We know that the memory ownership 2028 // is not transferred only if the deallocator argument is 2029 // 'kCFAllocatorNull'. 2030 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 2031 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 2032 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 2033 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 2034 if (DeallocatorName == "kCFAllocatorNull") 2035 return false; 2036 } 2037 } 2038 return true; 2039 } 2040 2041 // Associating streams with malloced buffers. The pointer can escape if 2042 // 'closefn' is specified (and if that function does free memory), 2043 // but it will not if closefn is not specified. 2044 // Currently, we do not inspect the 'closefn' function (PR12101). 2045 if (FName == "funopen") 2046 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 2047 return false; 2048 2049 // Do not warn on pointers passed to 'setbuf' when used with std streams, 2050 // these leaks might be intentional when setting the buffer for stdio. 2051 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 2052 if (FName == "setbuf" || FName =="setbuffer" || 2053 FName == "setlinebuf" || FName == "setvbuf") { 2054 if (Call->getNumArgs() >= 1) { 2055 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 2056 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 2057 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 2058 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 2059 return true; 2060 } 2061 } 2062 2063 // A bunch of other functions which either take ownership of a pointer or 2064 // wrap the result up in a struct or object, meaning it can be freed later. 2065 // (See RetainCountChecker.) Not all the parameters here are invalidated, 2066 // but the Malloc checker cannot differentiate between them. The right way 2067 // of doing this would be to implement a pointer escapes callback. 2068 if (FName == "CGBitmapContextCreate" || 2069 FName == "CGBitmapContextCreateWithData" || 2070 FName == "CVPixelBufferCreateWithBytes" || 2071 FName == "CVPixelBufferCreateWithPlanarBytes" || 2072 FName == "OSAtomicEnqueue") { 2073 return true; 2074 } 2075 2076 // Handle cases where we know a buffer's /address/ can escape. 2077 // Note that the above checks handle some special cases where we know that 2078 // even though the address escapes, it's still our responsibility to free the 2079 // buffer. 2080 if (Call->argumentsMayEscape()) 2081 return true; 2082 2083 // Otherwise, assume that the function does not free memory. 2084 // Most system calls do not free the memory. 2085 return false; 2086 } 2087 2088 static bool retTrue(const RefState *RS) { 2089 return true; 2090 } 2091 2092 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2093 return (RS->getAllocationFamily() == AF_CXXNewArray || 2094 RS->getAllocationFamily() == AF_CXXNew); 2095 } 2096 2097 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2098 const InvalidatedSymbols &Escaped, 2099 const CallEvent *Call, 2100 PointerEscapeKind Kind) const { 2101 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 2102 } 2103 2104 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2105 const InvalidatedSymbols &Escaped, 2106 const CallEvent *Call, 2107 PointerEscapeKind Kind) const { 2108 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2109 &checkIfNewOrNewArrayFamily); 2110 } 2111 2112 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 2113 const InvalidatedSymbols &Escaped, 2114 const CallEvent *Call, 2115 PointerEscapeKind Kind, 2116 bool(*CheckRefState)(const RefState*)) const { 2117 // If we know that the call does not free memory, or we want to process the 2118 // call later, keep tracking the top level arguments. 2119 SymbolRef EscapingSymbol = 0; 2120 if (Kind == PSK_DirectEscapeOnCall && 2121 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 2122 EscapingSymbol) && 2123 !EscapingSymbol) { 2124 return State; 2125 } 2126 2127 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 2128 E = Escaped.end(); 2129 I != E; ++I) { 2130 SymbolRef sym = *I; 2131 2132 if (EscapingSymbol && EscapingSymbol != sym) 2133 continue; 2134 2135 if (const RefState *RS = State->get<RegionState>(sym)) { 2136 if (RS->isAllocated() && CheckRefState(RS)) { 2137 State = State->remove<RegionState>(sym); 2138 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 2139 } 2140 } 2141 } 2142 return State; 2143 } 2144 2145 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2146 ProgramStateRef prevState) { 2147 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2148 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2149 2150 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2151 I != E; ++I) { 2152 SymbolRef sym = I.getKey(); 2153 if (!currMap.lookup(sym)) 2154 return sym; 2155 } 2156 2157 return NULL; 2158 } 2159 2160 PathDiagnosticPiece * 2161 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 2162 const ExplodedNode *PrevN, 2163 BugReporterContext &BRC, 2164 BugReport &BR) { 2165 ProgramStateRef state = N->getState(); 2166 ProgramStateRef statePrev = PrevN->getState(); 2167 2168 const RefState *RS = state->get<RegionState>(Sym); 2169 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2170 if (!RS) 2171 return 0; 2172 2173 const Stmt *S = 0; 2174 const char *Msg = 0; 2175 StackHintGeneratorForSymbol *StackHint = 0; 2176 2177 // Retrieve the associated statement. 2178 ProgramPoint ProgLoc = N->getLocation(); 2179 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) { 2180 S = SP->getStmt(); 2181 } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) { 2182 S = Exit->getCalleeContext()->getCallSite(); 2183 } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) { 2184 // If an assumption was made on a branch, it should be caught 2185 // here by looking at the state transition. 2186 S = Edge->getSrc()->getTerminator(); 2187 } 2188 2189 if (!S) 2190 return 0; 2191 2192 // FIXME: We will eventually need to handle non-statement-based events 2193 // (__attribute__((cleanup))). 2194 2195 // Find out if this is an interesting point and what is the kind. 2196 if (Mode == Normal) { 2197 if (isAllocated(RS, RSPrev, S)) { 2198 Msg = "Memory is allocated"; 2199 StackHint = new StackHintGeneratorForSymbol(Sym, 2200 "Returned allocated memory"); 2201 } else if (isReleased(RS, RSPrev, S)) { 2202 Msg = "Memory is released"; 2203 StackHint = new StackHintGeneratorForSymbol(Sym, 2204 "Returning; memory was released"); 2205 } else if (isRelinquished(RS, RSPrev, S)) { 2206 Msg = "Memory ownership is transferred"; 2207 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 2208 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 2209 Mode = ReallocationFailed; 2210 Msg = "Reallocation failed"; 2211 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 2212 "Reallocation failed"); 2213 2214 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2215 // Is it possible to fail two reallocs WITHOUT testing in between? 2216 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2217 "We only support one failed realloc at a time."); 2218 BR.markInteresting(sym); 2219 FailedReallocSymbol = sym; 2220 } 2221 } 2222 2223 // We are in a special mode if a reallocation failed later in the path. 2224 } else if (Mode == ReallocationFailed) { 2225 assert(FailedReallocSymbol && "No symbol to look for."); 2226 2227 // Is this is the first appearance of the reallocated symbol? 2228 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2229 // We're at the reallocation point. 2230 Msg = "Attempt to reallocate memory"; 2231 StackHint = new StackHintGeneratorForSymbol(Sym, 2232 "Returned reallocated memory"); 2233 FailedReallocSymbol = NULL; 2234 Mode = Normal; 2235 } 2236 } 2237 2238 if (!Msg) 2239 return 0; 2240 assert(StackHint); 2241 2242 // Generate the extra diagnostic. 2243 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2244 N->getLocationContext()); 2245 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 2246 } 2247 2248 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2249 const char *NL, const char *Sep) const { 2250 2251 RegionStateTy RS = State->get<RegionState>(); 2252 2253 if (!RS.isEmpty()) { 2254 Out << Sep << "MallocChecker :" << NL; 2255 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2256 const RefState *RefS = State->get<RegionState>(I.getKey()); 2257 AllocationFamily Family = RefS->getAllocationFamily(); 2258 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2259 2260 I.getKey()->dumpToStream(Out); 2261 Out << " : "; 2262 I.getData().dump(Out); 2263 if (CheckKind.hasValue()) 2264 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 2265 Out << NL; 2266 } 2267 } 2268 } 2269 2270 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) { 2271 registerCStringCheckerBasic(mgr); 2272 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); 2273 checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true; 2274 checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] = 2275 mgr.getCurrentCheckName(); 2276 // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete 2277 // checker. 2278 if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker]) 2279 checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true; 2280 } 2281 2282 #define REGISTER_CHECKER(name) \ 2283 void ento::register##name(CheckerManager &mgr) { \ 2284 registerCStringCheckerBasic(mgr); \ 2285 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \ 2286 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 2287 checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \ 2288 } 2289 2290 REGISTER_CHECKER(MallocPessimistic) 2291 REGISTER_CHECKER(MallocOptimistic) 2292 REGISTER_CHECKER(NewDeleteChecker) 2293 REGISTER_CHECKER(MismatchedDeallocatorChecker) 2294