1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/Basic/SourceManager.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20 #include "clang/StaticAnalyzer/Core/Checker.h" 21 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 27 #include "llvm/ADT/ImmutableMap.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include "llvm/ADT/SmallString.h" 30 #include "llvm/ADT/StringExtras.h" 31 #include <climits> 32 33 using namespace clang; 34 using namespace ento; 35 36 namespace { 37 38 // Used to check correspondence between allocators and deallocators. 39 enum AllocationFamily { 40 AF_None, 41 AF_Malloc, 42 AF_CXXNew, 43 AF_CXXNewArray 44 }; 45 46 class RefState { 47 enum Kind { // Reference to allocated memory. 48 Allocated, 49 // Reference to released/freed memory. 50 Released, 51 // The responsibility for freeing resources has transferred from 52 // this reference. A relinquished symbol should not be freed. 53 Relinquished, 54 // We are no longer guaranteed to have observed all manipulations 55 // of this pointer/memory. For example, it could have been 56 // passed as a parameter to an opaque function. 57 Escaped 58 }; 59 60 const Stmt *S; 61 unsigned K : 2; // Kind enum, but stored as a bitfield. 62 unsigned Family : 30; // Rest of 32-bit word, currently just an allocation 63 // family. 64 65 RefState(Kind k, const Stmt *s, unsigned family) 66 : S(s), K(k), Family(family) { 67 assert(family != AF_None); 68 } 69 public: 70 bool isAllocated() const { return K == Allocated; } 71 bool isReleased() const { return K == Released; } 72 bool isRelinquished() const { return K == Relinquished; } 73 bool isEscaped() const { return K == Escaped; } 74 AllocationFamily getAllocationFamily() const { 75 return (AllocationFamily)Family; 76 } 77 const Stmt *getStmt() const { return S; } 78 79 bool operator==(const RefState &X) const { 80 return K == X.K && S == X.S && Family == X.Family; 81 } 82 83 static RefState getAllocated(unsigned family, const Stmt *s) { 84 return RefState(Allocated, s, family); 85 } 86 static RefState getReleased(unsigned family, const Stmt *s) { 87 return RefState(Released, s, family); 88 } 89 static RefState getRelinquished(unsigned family, const Stmt *s) { 90 return RefState(Relinquished, s, family); 91 } 92 static RefState getEscaped(const RefState *RS) { 93 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 94 } 95 96 void Profile(llvm::FoldingSetNodeID &ID) const { 97 ID.AddInteger(K); 98 ID.AddPointer(S); 99 ID.AddInteger(Family); 100 } 101 102 void dump(raw_ostream &OS) const { 103 switch (static_cast<Kind>(K)) { 104 #define CASE(ID) case ID: OS << #ID; break; 105 CASE(Allocated) 106 CASE(Released) 107 CASE(Relinquished) 108 CASE(Escaped) 109 } 110 } 111 112 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 113 }; 114 115 enum ReallocPairKind { 116 RPToBeFreedAfterFailure, 117 // The symbol has been freed when reallocation failed. 118 RPIsFreeOnFailure, 119 // The symbol does not need to be freed after reallocation fails. 120 RPDoNotTrackAfterFailure 121 }; 122 123 /// \class ReallocPair 124 /// \brief Stores information about the symbol being reallocated by a call to 125 /// 'realloc' to allow modeling failed reallocation later in the path. 126 struct ReallocPair { 127 // \brief The symbol which realloc reallocated. 128 SymbolRef ReallocatedSym; 129 ReallocPairKind Kind; 130 131 ReallocPair(SymbolRef S, ReallocPairKind K) : 132 ReallocatedSym(S), Kind(K) {} 133 void Profile(llvm::FoldingSetNodeID &ID) const { 134 ID.AddInteger(Kind); 135 ID.AddPointer(ReallocatedSym); 136 } 137 bool operator==(const ReallocPair &X) const { 138 return ReallocatedSym == X.ReallocatedSym && 139 Kind == X.Kind; 140 } 141 }; 142 143 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 144 145 class MallocChecker : public Checker<check::DeadSymbols, 146 check::PointerEscape, 147 check::ConstPointerEscape, 148 check::PreStmt<ReturnStmt>, 149 check::PreCall, 150 check::PostStmt<CallExpr>, 151 check::PostStmt<CXXNewExpr>, 152 check::PreStmt<CXXDeleteExpr>, 153 check::PostStmt<BlockExpr>, 154 check::PostObjCMessage, 155 check::Location, 156 eval::Assume> 157 { 158 mutable OwningPtr<BugType> BT_DoubleFree; 159 mutable OwningPtr<BugType> BT_DoubleDelete; 160 mutable OwningPtr<BugType> BT_Leak; 161 mutable OwningPtr<BugType> BT_UseFree; 162 mutable OwningPtr<BugType> BT_BadFree; 163 mutable OwningPtr<BugType> BT_MismatchedDealloc; 164 mutable OwningPtr<BugType> BT_OffsetFree; 165 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 166 *II_valloc, *II_reallocf, *II_strndup, *II_strdup; 167 168 public: 169 MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), 170 II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} 171 172 /// In pessimistic mode, the checker assumes that it does not know which 173 /// functions might free the memory. 174 struct ChecksFilter { 175 DefaultBool CMallocPessimistic; 176 DefaultBool CMallocOptimistic; 177 DefaultBool CNewDeleteChecker; 178 DefaultBool CNewDeleteLeaksChecker; 179 DefaultBool CMismatchedDeallocatorChecker; 180 }; 181 182 ChecksFilter Filter; 183 184 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 185 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 186 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 187 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 188 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 189 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 190 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 191 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 192 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 193 bool Assumption) const; 194 void checkLocation(SVal l, bool isLoad, const Stmt *S, 195 CheckerContext &C) const; 196 197 ProgramStateRef checkPointerEscape(ProgramStateRef State, 198 const InvalidatedSymbols &Escaped, 199 const CallEvent *Call, 200 PointerEscapeKind Kind) const; 201 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 202 const InvalidatedSymbols &Escaped, 203 const CallEvent *Call, 204 PointerEscapeKind Kind) const; 205 206 void printState(raw_ostream &Out, ProgramStateRef State, 207 const char *NL, const char *Sep) const; 208 209 private: 210 void initIdentifierInfo(ASTContext &C) const; 211 212 /// \brief Determine family of a deallocation expression. 213 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 214 215 /// \brief Print names of allocators and deallocators. 216 /// 217 /// \returns true on success. 218 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 219 const Expr *E) const; 220 221 /// \brief Print expected name of an allocator based on the deallocator's 222 /// family derived from the DeallocExpr. 223 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 224 const Expr *DeallocExpr) const; 225 /// \brief Print expected name of a deallocator based on the allocator's 226 /// family. 227 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 228 229 ///@{ 230 /// Check if this is one of the functions which can allocate/reallocate memory 231 /// pointed to by one of its arguments. 232 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 233 bool isFreeFunction(const FunctionDecl *FD, ASTContext &C) const; 234 bool isAllocationFunction(const FunctionDecl *FD, ASTContext &C) const; 235 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 236 ///@} 237 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 238 const CallExpr *CE, 239 const OwnershipAttr* Att) const; 240 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 241 const Expr *SizeEx, SVal Init, 242 ProgramStateRef State, 243 AllocationFamily Family = AF_Malloc) { 244 return MallocMemAux(C, CE, 245 State->getSVal(SizeEx, C.getLocationContext()), 246 Init, State, Family); 247 } 248 249 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 250 SVal SizeEx, SVal Init, 251 ProgramStateRef State, 252 AllocationFamily Family = AF_Malloc); 253 254 /// Update the RefState to reflect the new memory allocation. 255 static ProgramStateRef 256 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 257 AllocationFamily Family = AF_Malloc); 258 259 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 260 const OwnershipAttr* Att) const; 261 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 262 ProgramStateRef state, unsigned Num, 263 bool Hold, 264 bool &ReleasedAllocated, 265 bool ReturnsNullOnFailure = false) const; 266 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 267 const Expr *ParentExpr, 268 ProgramStateRef State, 269 bool Hold, 270 bool &ReleasedAllocated, 271 bool ReturnsNullOnFailure = false) const; 272 273 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 274 bool FreesMemOnFailure) const; 275 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 276 277 ///\brief Check if the memory associated with this symbol was released. 278 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 279 280 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 281 282 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 283 284 /// Check if the function is known free memory, or if it is 285 /// "interesting" and should be modeled explicitly. 286 /// 287 /// \param [out] EscapingSymbol A function might not free memory in general, 288 /// but could be known to free a particular symbol. In this case, false is 289 /// returned and the single escaping symbol is returned through the out 290 /// parameter. 291 /// 292 /// We assume that pointers do not escape through calls to system functions 293 /// not handled by this checker. 294 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 295 ProgramStateRef State, 296 SymbolRef &EscapingSymbol) const; 297 298 // Implementation of the checkPointerEscape callabcks. 299 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 300 const InvalidatedSymbols &Escaped, 301 const CallEvent *Call, 302 PointerEscapeKind Kind, 303 bool(*CheckRefState)(const RefState*)) const; 304 305 ///@{ 306 /// Tells if a given family/call/symbol is tracked by the current checker. 307 bool isTrackedByCurrentChecker(AllocationFamily Family) const; 308 bool isTrackedByCurrentChecker(CheckerContext &C, 309 const Stmt *AllocDeallocStmt) const; 310 bool isTrackedByCurrentChecker(CheckerContext &C, SymbolRef Sym) const; 311 ///@} 312 static bool SummarizeValue(raw_ostream &os, SVal V); 313 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 314 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 315 const Expr *DeallocExpr) const; 316 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 317 const Expr *DeallocExpr, const RefState *RS, 318 SymbolRef Sym, bool OwnershipTransferred) const; 319 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 320 const Expr *DeallocExpr, 321 const Expr *AllocExpr = 0) const; 322 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 323 SymbolRef Sym) const; 324 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 325 SymbolRef Sym, SymbolRef PrevSym) const; 326 327 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 328 329 /// Find the location of the allocation for Sym on the path leading to the 330 /// exploded node N. 331 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 332 CheckerContext &C) const; 333 334 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 335 336 /// The bug visitor which allows us to print extra diagnostics along the 337 /// BugReport path. For example, showing the allocation site of the leaked 338 /// region. 339 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 340 protected: 341 enum NotificationMode { 342 Normal, 343 ReallocationFailed 344 }; 345 346 // The allocated region symbol tracked by the main analysis. 347 SymbolRef Sym; 348 349 // The mode we are in, i.e. what kind of diagnostics will be emitted. 350 NotificationMode Mode; 351 352 // A symbol from when the primary region should have been reallocated. 353 SymbolRef FailedReallocSymbol; 354 355 bool IsLeak; 356 357 public: 358 MallocBugVisitor(SymbolRef S, bool isLeak = false) 359 : Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {} 360 361 virtual ~MallocBugVisitor() {} 362 363 void Profile(llvm::FoldingSetNodeID &ID) const { 364 static int X = 0; 365 ID.AddPointer(&X); 366 ID.AddPointer(Sym); 367 } 368 369 inline bool isAllocated(const RefState *S, const RefState *SPrev, 370 const Stmt *Stmt) { 371 // Did not track -> allocated. Other state (released) -> allocated. 372 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 373 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 374 } 375 376 inline bool isReleased(const RefState *S, const RefState *SPrev, 377 const Stmt *Stmt) { 378 // Did not track -> released. Other state (allocated) -> released. 379 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 380 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 381 } 382 383 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 384 const Stmt *Stmt) { 385 // Did not track -> relinquished. Other state (allocated) -> relinquished. 386 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 387 isa<ObjCPropertyRefExpr>(Stmt)) && 388 (S && S->isRelinquished()) && 389 (!SPrev || !SPrev->isRelinquished())); 390 } 391 392 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 393 const Stmt *Stmt) { 394 // If the expression is not a call, and the state change is 395 // released -> allocated, it must be the realloc return value 396 // check. If we have to handle more cases here, it might be cleaner just 397 // to track this extra bit in the state itself. 398 return ((!Stmt || !isa<CallExpr>(Stmt)) && 399 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 400 } 401 402 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 403 const ExplodedNode *PrevN, 404 BugReporterContext &BRC, 405 BugReport &BR); 406 407 PathDiagnosticPiece* getEndPath(BugReporterContext &BRC, 408 const ExplodedNode *EndPathNode, 409 BugReport &BR) { 410 if (!IsLeak) 411 return 0; 412 413 PathDiagnosticLocation L = 414 PathDiagnosticLocation::createEndOfPath(EndPathNode, 415 BRC.getSourceManager()); 416 // Do not add the statement itself as a range in case of leak. 417 return new PathDiagnosticEventPiece(L, BR.getDescription(), false); 418 } 419 420 private: 421 class StackHintGeneratorForReallocationFailed 422 : public StackHintGeneratorForSymbol { 423 public: 424 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 425 : StackHintGeneratorForSymbol(S, M) {} 426 427 virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) { 428 // Printed parameters start at 1, not 0. 429 ++ArgIndex; 430 431 SmallString<200> buf; 432 llvm::raw_svector_ostream os(buf); 433 434 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 435 << " parameter failed"; 436 437 return os.str(); 438 } 439 440 virtual std::string getMessageForReturn(const CallExpr *CallExpr) { 441 return "Reallocation of returned value failed"; 442 } 443 }; 444 }; 445 }; 446 } // end anonymous namespace 447 448 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 449 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 450 451 // A map from the freed symbol to the symbol representing the return value of 452 // the free function. 453 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 454 455 namespace { 456 class StopTrackingCallback : public SymbolVisitor { 457 ProgramStateRef state; 458 public: 459 StopTrackingCallback(ProgramStateRef st) : state(st) {} 460 ProgramStateRef getState() const { return state; } 461 462 bool VisitSymbol(SymbolRef sym) { 463 state = state->remove<RegionState>(sym); 464 return true; 465 } 466 }; 467 } // end anonymous namespace 468 469 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 470 if (II_malloc) 471 return; 472 II_malloc = &Ctx.Idents.get("malloc"); 473 II_free = &Ctx.Idents.get("free"); 474 II_realloc = &Ctx.Idents.get("realloc"); 475 II_reallocf = &Ctx.Idents.get("reallocf"); 476 II_calloc = &Ctx.Idents.get("calloc"); 477 II_valloc = &Ctx.Idents.get("valloc"); 478 II_strdup = &Ctx.Idents.get("strdup"); 479 II_strndup = &Ctx.Idents.get("strndup"); 480 } 481 482 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 483 if (isFreeFunction(FD, C)) 484 return true; 485 486 if (isAllocationFunction(FD, C)) 487 return true; 488 489 if (isStandardNewDelete(FD, C)) 490 return true; 491 492 return false; 493 } 494 495 bool MallocChecker::isAllocationFunction(const FunctionDecl *FD, 496 ASTContext &C) const { 497 if (!FD) 498 return false; 499 500 if (FD->getKind() == Decl::Function) { 501 IdentifierInfo *FunI = FD->getIdentifier(); 502 initIdentifierInfo(C); 503 504 if (FunI == II_malloc || FunI == II_realloc || 505 FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || 506 FunI == II_strdup || FunI == II_strndup) 507 return true; 508 } 509 510 if (Filter.CMallocOptimistic && FD->hasAttrs()) 511 for (specific_attr_iterator<OwnershipAttr> 512 i = FD->specific_attr_begin<OwnershipAttr>(), 513 e = FD->specific_attr_end<OwnershipAttr>(); 514 i != e; ++i) 515 if ((*i)->getOwnKind() == OwnershipAttr::Returns) 516 return true; 517 return false; 518 } 519 520 bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const { 521 if (!FD) 522 return false; 523 524 if (FD->getKind() == Decl::Function) { 525 IdentifierInfo *FunI = FD->getIdentifier(); 526 initIdentifierInfo(C); 527 528 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 529 return true; 530 } 531 532 if (Filter.CMallocOptimistic && FD->hasAttrs()) 533 for (specific_attr_iterator<OwnershipAttr> 534 i = FD->specific_attr_begin<OwnershipAttr>(), 535 e = FD->specific_attr_end<OwnershipAttr>(); 536 i != e; ++i) 537 if ((*i)->getOwnKind() == OwnershipAttr::Takes || 538 (*i)->getOwnKind() == OwnershipAttr::Holds) 539 return true; 540 return false; 541 } 542 543 // Tells if the callee is one of the following: 544 // 1) A global non-placement new/delete operator function. 545 // 2) A global placement operator function with the single placement argument 546 // of type std::nothrow_t. 547 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 548 ASTContext &C) const { 549 if (!FD) 550 return false; 551 552 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 553 if (Kind != OO_New && Kind != OO_Array_New && 554 Kind != OO_Delete && Kind != OO_Array_Delete) 555 return false; 556 557 // Skip all operator new/delete methods. 558 if (isa<CXXMethodDecl>(FD)) 559 return false; 560 561 // Return true if tested operator is a standard placement nothrow operator. 562 if (FD->getNumParams() == 2) { 563 QualType T = FD->getParamDecl(1)->getType(); 564 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 565 return II->getName().equals("nothrow_t"); 566 } 567 568 // Skip placement operators. 569 if (FD->getNumParams() != 1 || FD->isVariadic()) 570 return false; 571 572 // One of the standard new/new[]/delete/delete[] non-placement operators. 573 return true; 574 } 575 576 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 577 if (C.wasInlined) 578 return; 579 580 const FunctionDecl *FD = C.getCalleeDecl(CE); 581 if (!FD) 582 return; 583 584 ProgramStateRef State = C.getState(); 585 bool ReleasedAllocatedMemory = false; 586 587 if (FD->getKind() == Decl::Function) { 588 initIdentifierInfo(C.getASTContext()); 589 IdentifierInfo *FunI = FD->getIdentifier(); 590 591 if (FunI == II_malloc || FunI == II_valloc) { 592 if (CE->getNumArgs() < 1) 593 return; 594 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 595 } else if (FunI == II_realloc) { 596 State = ReallocMem(C, CE, false); 597 } else if (FunI == II_reallocf) { 598 State = ReallocMem(C, CE, true); 599 } else if (FunI == II_calloc) { 600 State = CallocMem(C, CE); 601 } else if (FunI == II_free) { 602 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 603 } else if (FunI == II_strdup) { 604 State = MallocUpdateRefState(C, CE, State); 605 } else if (FunI == II_strndup) { 606 State = MallocUpdateRefState(C, CE, State); 607 } 608 else if (isStandardNewDelete(FD, C.getASTContext())) { 609 // Process direct calls to operator new/new[]/delete/delete[] functions 610 // as distinct from new/new[]/delete/delete[] expressions that are 611 // processed by the checkPostStmt callbacks for CXXNewExpr and 612 // CXXDeleteExpr. 613 OverloadedOperatorKind K = FD->getOverloadedOperator(); 614 if (K == OO_New) 615 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 616 AF_CXXNew); 617 else if (K == OO_Array_New) 618 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 619 AF_CXXNewArray); 620 else if (K == OO_Delete || K == OO_Array_Delete) 621 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 622 else 623 llvm_unreachable("not a new/delete operator"); 624 } 625 } 626 627 if (Filter.CMallocOptimistic || Filter.CMismatchedDeallocatorChecker) { 628 // Check all the attributes, if there are any. 629 // There can be multiple of these attributes. 630 if (FD->hasAttrs()) 631 for (specific_attr_iterator<OwnershipAttr> 632 i = FD->specific_attr_begin<OwnershipAttr>(), 633 e = FD->specific_attr_end<OwnershipAttr>(); 634 i != e; ++i) { 635 switch ((*i)->getOwnKind()) { 636 case OwnershipAttr::Returns: 637 State = MallocMemReturnsAttr(C, CE, *i); 638 break; 639 case OwnershipAttr::Takes: 640 case OwnershipAttr::Holds: 641 State = FreeMemAttr(C, CE, *i); 642 break; 643 } 644 } 645 } 646 C.addTransition(State); 647 } 648 649 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 650 CheckerContext &C) const { 651 652 if (NE->getNumPlacementArgs()) 653 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 654 E = NE->placement_arg_end(); I != E; ++I) 655 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 656 checkUseAfterFree(Sym, C, *I); 657 658 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 659 return; 660 661 ProgramStateRef State = C.getState(); 662 // The return value from operator new is bound to a specified initialization 663 // value (if any) and we don't want to loose this value. So we call 664 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 665 // existing binding. 666 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 667 : AF_CXXNew); 668 C.addTransition(State); 669 } 670 671 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 672 CheckerContext &C) const { 673 674 if (!Filter.CNewDeleteChecker) 675 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 676 checkUseAfterFree(Sym, C, DE->getArgument()); 677 678 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 679 return; 680 681 ProgramStateRef State = C.getState(); 682 bool ReleasedAllocated; 683 State = FreeMemAux(C, DE->getArgument(), DE, State, 684 /*Hold*/false, ReleasedAllocated); 685 686 C.addTransition(State); 687 } 688 689 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 690 // If the first selector piece is one of the names below, assume that the 691 // object takes ownership of the memory, promising to eventually deallocate it 692 // with free(). 693 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 694 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 695 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 696 if (FirstSlot == "dataWithBytesNoCopy" || 697 FirstSlot == "initWithBytesNoCopy" || 698 FirstSlot == "initWithCharactersNoCopy") 699 return true; 700 701 return false; 702 } 703 704 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 705 Selector S = Call.getSelector(); 706 707 // FIXME: We should not rely on fully-constrained symbols being folded. 708 for (unsigned i = 1; i < S.getNumArgs(); ++i) 709 if (S.getNameForSlot(i).equals("freeWhenDone")) 710 return !Call.getArgSVal(i).isZeroConstant(); 711 712 return None; 713 } 714 715 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 716 CheckerContext &C) const { 717 if (C.wasInlined) 718 return; 719 720 if (!isKnownDeallocObjCMethodName(Call)) 721 return; 722 723 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 724 if (!*FreeWhenDone) 725 return; 726 727 bool ReleasedAllocatedMemory; 728 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 729 Call.getOriginExpr(), C.getState(), 730 /*Hold=*/true, ReleasedAllocatedMemory, 731 /*RetNullOnFailure=*/true); 732 733 C.addTransition(State); 734 } 735 736 ProgramStateRef 737 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, 738 const OwnershipAttr *Att) const { 739 if (Att->getModule() != II_malloc) 740 return 0; 741 742 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 743 if (I != E) { 744 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 745 } 746 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 747 } 748 749 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 750 const CallExpr *CE, 751 SVal Size, SVal Init, 752 ProgramStateRef State, 753 AllocationFamily Family) { 754 755 // Bind the return value to the symbolic value from the heap region. 756 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 757 // side effects other than what we model here. 758 unsigned Count = C.blockCount(); 759 SValBuilder &svalBuilder = C.getSValBuilder(); 760 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 761 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 762 .castAs<DefinedSVal>(); 763 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 764 765 // We expect the malloc functions to return a pointer. 766 if (!RetVal.getAs<Loc>()) 767 return 0; 768 769 // Fill the region with the initialization value. 770 State = State->bindDefault(RetVal, Init); 771 772 // Set the region's extent equal to the Size parameter. 773 const SymbolicRegion *R = 774 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 775 if (!R) 776 return 0; 777 if (Optional<DefinedOrUnknownSVal> DefinedSize = 778 Size.getAs<DefinedOrUnknownSVal>()) { 779 SValBuilder &svalBuilder = C.getSValBuilder(); 780 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 781 DefinedOrUnknownSVal extentMatchesSize = 782 svalBuilder.evalEQ(State, Extent, *DefinedSize); 783 784 State = State->assume(extentMatchesSize, true); 785 assert(State); 786 } 787 788 return MallocUpdateRefState(C, CE, State, Family); 789 } 790 791 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 792 const Expr *E, 793 ProgramStateRef State, 794 AllocationFamily Family) { 795 // Get the return value. 796 SVal retVal = State->getSVal(E, C.getLocationContext()); 797 798 // We expect the malloc functions to return a pointer. 799 if (!retVal.getAs<Loc>()) 800 return 0; 801 802 SymbolRef Sym = retVal.getAsLocSymbol(); 803 assert(Sym); 804 805 // Set the symbol's state to Allocated. 806 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 807 } 808 809 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 810 const CallExpr *CE, 811 const OwnershipAttr *Att) const { 812 if (Att->getModule() != II_malloc) 813 return 0; 814 815 ProgramStateRef State = C.getState(); 816 bool ReleasedAllocated = false; 817 818 for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 819 I != E; ++I) { 820 ProgramStateRef StateI = FreeMemAux(C, CE, State, *I, 821 Att->getOwnKind() == OwnershipAttr::Holds, 822 ReleasedAllocated); 823 if (StateI) 824 State = StateI; 825 } 826 return State; 827 } 828 829 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 830 const CallExpr *CE, 831 ProgramStateRef state, 832 unsigned Num, 833 bool Hold, 834 bool &ReleasedAllocated, 835 bool ReturnsNullOnFailure) const { 836 if (CE->getNumArgs() < (Num + 1)) 837 return 0; 838 839 return FreeMemAux(C, CE->getArg(Num), CE, state, Hold, 840 ReleasedAllocated, ReturnsNullOnFailure); 841 } 842 843 /// Checks if the previous call to free on the given symbol failed - if free 844 /// failed, returns true. Also, returns the corresponding return value symbol. 845 static bool didPreviousFreeFail(ProgramStateRef State, 846 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 847 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 848 if (Ret) { 849 assert(*Ret && "We should not store the null return symbol"); 850 ConstraintManager &CMgr = State->getConstraintManager(); 851 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 852 RetStatusSymbol = *Ret; 853 return FreeFailed.isConstrainedTrue(); 854 } 855 return false; 856 } 857 858 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 859 const Stmt *S) const { 860 if (!S) 861 return AF_None; 862 863 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 864 const FunctionDecl *FD = C.getCalleeDecl(CE); 865 866 if (!FD) 867 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 868 869 ASTContext &Ctx = C.getASTContext(); 870 871 if (isAllocationFunction(FD, Ctx) || isFreeFunction(FD, Ctx)) 872 return AF_Malloc; 873 874 if (isStandardNewDelete(FD, Ctx)) { 875 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 876 if (Kind == OO_New || Kind == OO_Delete) 877 return AF_CXXNew; 878 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 879 return AF_CXXNewArray; 880 } 881 882 return AF_None; 883 } 884 885 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 886 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 887 888 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 889 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 890 891 if (isa<ObjCMessageExpr>(S)) 892 return AF_Malloc; 893 894 return AF_None; 895 } 896 897 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 898 const Expr *E) const { 899 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 900 // FIXME: This doesn't handle indirect calls. 901 const FunctionDecl *FD = CE->getDirectCallee(); 902 if (!FD) 903 return false; 904 905 os << *FD; 906 if (!FD->isOverloadedOperator()) 907 os << "()"; 908 return true; 909 } 910 911 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 912 if (Msg->isInstanceMessage()) 913 os << "-"; 914 else 915 os << "+"; 916 Msg->getSelector().print(os); 917 return true; 918 } 919 920 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 921 os << "'" 922 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 923 << "'"; 924 return true; 925 } 926 927 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 928 os << "'" 929 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 930 << "'"; 931 return true; 932 } 933 934 return false; 935 } 936 937 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 938 const Expr *E) const { 939 AllocationFamily Family = getAllocationFamily(C, E); 940 941 switch(Family) { 942 case AF_Malloc: os << "malloc()"; return; 943 case AF_CXXNew: os << "'new'"; return; 944 case AF_CXXNewArray: os << "'new[]'"; return; 945 case AF_None: llvm_unreachable("not a deallocation expression"); 946 } 947 } 948 949 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 950 AllocationFamily Family) const { 951 switch(Family) { 952 case AF_Malloc: os << "free()"; return; 953 case AF_CXXNew: os << "'delete'"; return; 954 case AF_CXXNewArray: os << "'delete[]'"; return; 955 case AF_None: llvm_unreachable("suspicious AF_None argument"); 956 } 957 } 958 959 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 960 const Expr *ArgExpr, 961 const Expr *ParentExpr, 962 ProgramStateRef State, 963 bool Hold, 964 bool &ReleasedAllocated, 965 bool ReturnsNullOnFailure) const { 966 967 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 968 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 969 return 0; 970 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 971 972 // Check for null dereferences. 973 if (!location.getAs<Loc>()) 974 return 0; 975 976 // The explicit NULL case, no operation is performed. 977 ProgramStateRef notNullState, nullState; 978 llvm::tie(notNullState, nullState) = State->assume(location); 979 if (nullState && !notNullState) 980 return 0; 981 982 // Unknown values could easily be okay 983 // Undefined values are handled elsewhere 984 if (ArgVal.isUnknownOrUndef()) 985 return 0; 986 987 const MemRegion *R = ArgVal.getAsRegion(); 988 989 // Nonlocs can't be freed, of course. 990 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 991 if (!R) { 992 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 993 return 0; 994 } 995 996 R = R->StripCasts(); 997 998 // Blocks might show up as heap data, but should not be free()d 999 if (isa<BlockDataRegion>(R)) { 1000 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1001 return 0; 1002 } 1003 1004 const MemSpaceRegion *MS = R->getMemorySpace(); 1005 1006 // Parameters, locals, statics, globals, and memory returned by alloca() 1007 // shouldn't be freed. 1008 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1009 // FIXME: at the time this code was written, malloc() regions were 1010 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1011 // This means that there isn't actually anything from HeapSpaceRegion 1012 // that should be freed, even though we allow it here. 1013 // Of course, free() can work on memory allocated outside the current 1014 // function, so UnknownSpaceRegion is always a possibility. 1015 // False negatives are better than false positives. 1016 1017 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1018 return 0; 1019 } 1020 1021 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1022 // Various cases could lead to non-symbol values here. 1023 // For now, ignore them. 1024 if (!SrBase) 1025 return 0; 1026 1027 SymbolRef SymBase = SrBase->getSymbol(); 1028 const RefState *RsBase = State->get<RegionState>(SymBase); 1029 SymbolRef PreviousRetStatusSymbol = 0; 1030 1031 if (RsBase) { 1032 1033 // Check for double free first. 1034 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1035 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1036 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1037 SymBase, PreviousRetStatusSymbol); 1038 return 0; 1039 1040 // If the pointer is allocated or escaped, but we are now trying to free it, 1041 // check that the call to free is proper. 1042 } else if (RsBase->isAllocated() || RsBase->isEscaped()) { 1043 1044 // Check if an expected deallocation function matches the real one. 1045 bool DeallocMatchesAlloc = 1046 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1047 if (!DeallocMatchesAlloc) { 1048 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1049 ParentExpr, RsBase, SymBase, Hold); 1050 return 0; 1051 } 1052 1053 // Check if the memory location being freed is the actual location 1054 // allocated, or an offset. 1055 RegionOffset Offset = R->getAsOffset(); 1056 if (Offset.isValid() && 1057 !Offset.hasSymbolicOffset() && 1058 Offset.getOffset() != 0) { 1059 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1060 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1061 AllocExpr); 1062 return 0; 1063 } 1064 } 1065 } 1066 1067 ReleasedAllocated = (RsBase != 0) && RsBase->isAllocated(); 1068 1069 // Clean out the info on previous call to free return info. 1070 State = State->remove<FreeReturnValue>(SymBase); 1071 1072 // Keep track of the return value. If it is NULL, we will know that free 1073 // failed. 1074 if (ReturnsNullOnFailure) { 1075 SVal RetVal = C.getSVal(ParentExpr); 1076 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1077 if (RetStatusSymbol) { 1078 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1079 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1080 } 1081 } 1082 1083 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() 1084 : getAllocationFamily(C, ParentExpr); 1085 // Normal free. 1086 if (Hold) 1087 return State->set<RegionState>(SymBase, 1088 RefState::getRelinquished(Family, 1089 ParentExpr)); 1090 1091 return State->set<RegionState>(SymBase, 1092 RefState::getReleased(Family, ParentExpr)); 1093 } 1094 1095 bool MallocChecker::isTrackedByCurrentChecker(AllocationFamily Family) const { 1096 switch (Family) { 1097 case AF_Malloc: { 1098 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic) 1099 return false; 1100 return true; 1101 } 1102 case AF_CXXNew: 1103 case AF_CXXNewArray: { 1104 if (!Filter.CNewDeleteChecker) 1105 return false; 1106 return true; 1107 } 1108 case AF_None: { 1109 llvm_unreachable("no family"); 1110 } 1111 } 1112 llvm_unreachable("unhandled family"); 1113 } 1114 1115 bool 1116 MallocChecker::isTrackedByCurrentChecker(CheckerContext &C, 1117 const Stmt *AllocDeallocStmt) const { 1118 return isTrackedByCurrentChecker(getAllocationFamily(C, AllocDeallocStmt)); 1119 } 1120 1121 bool MallocChecker::isTrackedByCurrentChecker(CheckerContext &C, 1122 SymbolRef Sym) const { 1123 1124 const RefState *RS = C.getState()->get<RegionState>(Sym); 1125 assert(RS); 1126 return isTrackedByCurrentChecker(RS->getAllocationFamily()); 1127 } 1128 1129 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1130 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1131 os << "an integer (" << IntVal->getValue() << ")"; 1132 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1133 os << "a constant address (" << ConstAddr->getValue() << ")"; 1134 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1135 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1136 else 1137 return false; 1138 1139 return true; 1140 } 1141 1142 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1143 const MemRegion *MR) { 1144 switch (MR->getKind()) { 1145 case MemRegion::FunctionTextRegionKind: { 1146 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 1147 if (FD) 1148 os << "the address of the function '" << *FD << '\''; 1149 else 1150 os << "the address of a function"; 1151 return true; 1152 } 1153 case MemRegion::BlockTextRegionKind: 1154 os << "block text"; 1155 return true; 1156 case MemRegion::BlockDataRegionKind: 1157 // FIXME: where the block came from? 1158 os << "a block"; 1159 return true; 1160 default: { 1161 const MemSpaceRegion *MS = MR->getMemorySpace(); 1162 1163 if (isa<StackLocalsSpaceRegion>(MS)) { 1164 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1165 const VarDecl *VD; 1166 if (VR) 1167 VD = VR->getDecl(); 1168 else 1169 VD = NULL; 1170 1171 if (VD) 1172 os << "the address of the local variable '" << VD->getName() << "'"; 1173 else 1174 os << "the address of a local stack variable"; 1175 return true; 1176 } 1177 1178 if (isa<StackArgumentsSpaceRegion>(MS)) { 1179 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1180 const VarDecl *VD; 1181 if (VR) 1182 VD = VR->getDecl(); 1183 else 1184 VD = NULL; 1185 1186 if (VD) 1187 os << "the address of the parameter '" << VD->getName() << "'"; 1188 else 1189 os << "the address of a parameter"; 1190 return true; 1191 } 1192 1193 if (isa<GlobalsSpaceRegion>(MS)) { 1194 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1195 const VarDecl *VD; 1196 if (VR) 1197 VD = VR->getDecl(); 1198 else 1199 VD = NULL; 1200 1201 if (VD) { 1202 if (VD->isStaticLocal()) 1203 os << "the address of the static variable '" << VD->getName() << "'"; 1204 else 1205 os << "the address of the global variable '" << VD->getName() << "'"; 1206 } else 1207 os << "the address of a global variable"; 1208 return true; 1209 } 1210 1211 return false; 1212 } 1213 } 1214 } 1215 1216 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1217 SourceRange Range, 1218 const Expr *DeallocExpr) const { 1219 1220 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1221 !Filter.CNewDeleteChecker) 1222 return; 1223 1224 if (!isTrackedByCurrentChecker(C, DeallocExpr)) 1225 return; 1226 1227 if (ExplodedNode *N = C.generateSink()) { 1228 if (!BT_BadFree) 1229 BT_BadFree.reset(new BugType("Bad free", "Memory Error")); 1230 1231 SmallString<100> buf; 1232 llvm::raw_svector_ostream os(buf); 1233 1234 const MemRegion *MR = ArgVal.getAsRegion(); 1235 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1236 MR = ER->getSuperRegion(); 1237 1238 if (MR && isa<AllocaRegion>(MR)) 1239 os << "Memory allocated by alloca() should not be deallocated"; 1240 else { 1241 os << "Argument to "; 1242 if (!printAllocDeallocName(os, C, DeallocExpr)) 1243 os << "deallocator"; 1244 1245 os << " is "; 1246 bool Summarized = MR ? SummarizeRegion(os, MR) 1247 : SummarizeValue(os, ArgVal); 1248 if (Summarized) 1249 os << ", which is not memory allocated by "; 1250 else 1251 os << "not memory allocated by "; 1252 1253 printExpectedAllocName(os, C, DeallocExpr); 1254 } 1255 1256 BugReport *R = new BugReport(*BT_BadFree, os.str(), N); 1257 R->markInteresting(MR); 1258 R->addRange(Range); 1259 C.emitReport(R); 1260 } 1261 } 1262 1263 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1264 SourceRange Range, 1265 const Expr *DeallocExpr, 1266 const RefState *RS, 1267 SymbolRef Sym, 1268 bool OwnershipTransferred) const { 1269 1270 if (!Filter.CMismatchedDeallocatorChecker) 1271 return; 1272 1273 if (ExplodedNode *N = C.generateSink()) { 1274 if (!BT_MismatchedDealloc) 1275 BT_MismatchedDealloc.reset(new BugType("Bad deallocator", 1276 "Memory Error")); 1277 1278 SmallString<100> buf; 1279 llvm::raw_svector_ostream os(buf); 1280 1281 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1282 SmallString<20> AllocBuf; 1283 llvm::raw_svector_ostream AllocOs(AllocBuf); 1284 SmallString<20> DeallocBuf; 1285 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1286 1287 if (OwnershipTransferred) { 1288 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1289 os << DeallocOs.str() << " cannot"; 1290 else 1291 os << "Cannot"; 1292 1293 os << " take ownership of memory"; 1294 1295 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1296 os << " allocated by " << AllocOs.str(); 1297 } else { 1298 os << "Memory"; 1299 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1300 os << " allocated by " << AllocOs.str(); 1301 1302 os << " should be deallocated by "; 1303 printExpectedDeallocName(os, RS->getAllocationFamily()); 1304 1305 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1306 os << ", not " << DeallocOs.str(); 1307 } 1308 1309 BugReport *R = new BugReport(*BT_MismatchedDealloc, os.str(), N); 1310 R->markInteresting(Sym); 1311 R->addRange(Range); 1312 R->addVisitor(new MallocBugVisitor(Sym)); 1313 C.emitReport(R); 1314 } 1315 } 1316 1317 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1318 SourceRange Range, const Expr *DeallocExpr, 1319 const Expr *AllocExpr) const { 1320 1321 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1322 !Filter.CNewDeleteChecker) 1323 return; 1324 1325 if (!isTrackedByCurrentChecker(C, AllocExpr)) 1326 return; 1327 1328 ExplodedNode *N = C.generateSink(); 1329 if (N == NULL) 1330 return; 1331 1332 if (!BT_OffsetFree) 1333 BT_OffsetFree.reset(new BugType("Offset free", "Memory Error")); 1334 1335 SmallString<100> buf; 1336 llvm::raw_svector_ostream os(buf); 1337 SmallString<20> AllocNameBuf; 1338 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1339 1340 const MemRegion *MR = ArgVal.getAsRegion(); 1341 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1342 1343 RegionOffset Offset = MR->getAsOffset(); 1344 assert((Offset.isValid() && 1345 !Offset.hasSymbolicOffset() && 1346 Offset.getOffset() != 0) && 1347 "Only symbols with a valid offset can have offset free errors"); 1348 1349 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1350 1351 os << "Argument to "; 1352 if (!printAllocDeallocName(os, C, DeallocExpr)) 1353 os << "deallocator"; 1354 os << " is offset by " 1355 << offsetBytes 1356 << " " 1357 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1358 << " from the start of "; 1359 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1360 os << "memory allocated by " << AllocNameOs.str(); 1361 else 1362 os << "allocated memory"; 1363 1364 BugReport *R = new BugReport(*BT_OffsetFree, os.str(), N); 1365 R->markInteresting(MR->getBaseRegion()); 1366 R->addRange(Range); 1367 C.emitReport(R); 1368 } 1369 1370 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1371 SymbolRef Sym) const { 1372 1373 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1374 !Filter.CNewDeleteChecker) 1375 return; 1376 1377 if (!isTrackedByCurrentChecker(C, Sym)) 1378 return; 1379 1380 if (ExplodedNode *N = C.generateSink()) { 1381 if (!BT_UseFree) 1382 BT_UseFree.reset(new BugType("Use-after-free", "Memory Error")); 1383 1384 BugReport *R = new BugReport(*BT_UseFree, 1385 "Use of memory after it is freed", N); 1386 1387 R->markInteresting(Sym); 1388 R->addRange(Range); 1389 R->addVisitor(new MallocBugVisitor(Sym)); 1390 C.emitReport(R); 1391 } 1392 } 1393 1394 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1395 bool Released, SymbolRef Sym, 1396 SymbolRef PrevSym) const { 1397 1398 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1399 !Filter.CNewDeleteChecker) 1400 return; 1401 1402 if (!isTrackedByCurrentChecker(C, Sym)) 1403 return; 1404 1405 if (ExplodedNode *N = C.generateSink()) { 1406 if (!BT_DoubleFree) 1407 BT_DoubleFree.reset(new BugType("Double free", "Memory Error")); 1408 1409 BugReport *R = new BugReport(*BT_DoubleFree, 1410 (Released ? "Attempt to free released memory" 1411 : "Attempt to free non-owned memory"), 1412 N); 1413 R->addRange(Range); 1414 R->markInteresting(Sym); 1415 if (PrevSym) 1416 R->markInteresting(PrevSym); 1417 R->addVisitor(new MallocBugVisitor(Sym)); 1418 C.emitReport(R); 1419 } 1420 } 1421 1422 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 1423 1424 if (!Filter.CNewDeleteChecker) 1425 return; 1426 1427 if (!isTrackedByCurrentChecker(C, Sym)) 1428 return; 1429 1430 if (ExplodedNode *N = C.generateSink()) { 1431 if (!BT_DoubleDelete) 1432 BT_DoubleDelete.reset(new BugType("Double delete", "Memory Error")); 1433 1434 BugReport *R = new BugReport(*BT_DoubleDelete, 1435 "Attempt to delete released memory", N); 1436 1437 R->markInteresting(Sym); 1438 R->addVisitor(new MallocBugVisitor(Sym)); 1439 C.emitReport(R); 1440 } 1441 } 1442 1443 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 1444 const CallExpr *CE, 1445 bool FreesOnFail) const { 1446 if (CE->getNumArgs() < 2) 1447 return 0; 1448 1449 ProgramStateRef state = C.getState(); 1450 const Expr *arg0Expr = CE->getArg(0); 1451 const LocationContext *LCtx = C.getLocationContext(); 1452 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 1453 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 1454 return 0; 1455 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 1456 1457 SValBuilder &svalBuilder = C.getSValBuilder(); 1458 1459 DefinedOrUnknownSVal PtrEQ = 1460 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 1461 1462 // Get the size argument. If there is no size arg then give up. 1463 const Expr *Arg1 = CE->getArg(1); 1464 if (!Arg1) 1465 return 0; 1466 1467 // Get the value of the size argument. 1468 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 1469 if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) 1470 return 0; 1471 DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); 1472 1473 // Compare the size argument to 0. 1474 DefinedOrUnknownSVal SizeZero = 1475 svalBuilder.evalEQ(state, Arg1Val, 1476 svalBuilder.makeIntValWithPtrWidth(0, false)); 1477 1478 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 1479 llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 1480 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 1481 llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 1482 // We only assume exceptional states if they are definitely true; if the 1483 // state is under-constrained, assume regular realloc behavior. 1484 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 1485 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 1486 1487 // If the ptr is NULL and the size is not 0, the call is equivalent to 1488 // malloc(size). 1489 if ( PrtIsNull && !SizeIsZero) { 1490 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 1491 UndefinedVal(), StatePtrIsNull); 1492 return stateMalloc; 1493 } 1494 1495 if (PrtIsNull && SizeIsZero) 1496 return 0; 1497 1498 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 1499 assert(!PrtIsNull); 1500 SymbolRef FromPtr = arg0Val.getAsSymbol(); 1501 SVal RetVal = state->getSVal(CE, LCtx); 1502 SymbolRef ToPtr = RetVal.getAsSymbol(); 1503 if (!FromPtr || !ToPtr) 1504 return 0; 1505 1506 bool ReleasedAllocated = false; 1507 1508 // If the size is 0, free the memory. 1509 if (SizeIsZero) 1510 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 1511 false, ReleasedAllocated)){ 1512 // The semantics of the return value are: 1513 // If size was equal to 0, either NULL or a pointer suitable to be passed 1514 // to free() is returned. We just free the input pointer and do not add 1515 // any constrains on the output pointer. 1516 return stateFree; 1517 } 1518 1519 // Default behavior. 1520 if (ProgramStateRef stateFree = 1521 FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) { 1522 1523 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 1524 UnknownVal(), stateFree); 1525 if (!stateRealloc) 1526 return 0; 1527 1528 ReallocPairKind Kind = RPToBeFreedAfterFailure; 1529 if (FreesOnFail) 1530 Kind = RPIsFreeOnFailure; 1531 else if (!ReleasedAllocated) 1532 Kind = RPDoNotTrackAfterFailure; 1533 1534 // Record the info about the reallocated symbol so that we could properly 1535 // process failed reallocation. 1536 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 1537 ReallocPair(FromPtr, Kind)); 1538 // The reallocated symbol should stay alive for as long as the new symbol. 1539 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 1540 return stateRealloc; 1541 } 1542 return 0; 1543 } 1544 1545 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 1546 if (CE->getNumArgs() < 2) 1547 return 0; 1548 1549 ProgramStateRef state = C.getState(); 1550 SValBuilder &svalBuilder = C.getSValBuilder(); 1551 const LocationContext *LCtx = C.getLocationContext(); 1552 SVal count = state->getSVal(CE->getArg(0), LCtx); 1553 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 1554 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 1555 svalBuilder.getContext().getSizeType()); 1556 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1557 1558 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 1559 } 1560 1561 LeakInfo 1562 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 1563 CheckerContext &C) const { 1564 const LocationContext *LeakContext = N->getLocationContext(); 1565 // Walk the ExplodedGraph backwards and find the first node that referred to 1566 // the tracked symbol. 1567 const ExplodedNode *AllocNode = N; 1568 const MemRegion *ReferenceRegion = 0; 1569 1570 while (N) { 1571 ProgramStateRef State = N->getState(); 1572 if (!State->get<RegionState>(Sym)) 1573 break; 1574 1575 // Find the most recent expression bound to the symbol in the current 1576 // context. 1577 if (!ReferenceRegion) { 1578 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 1579 SVal Val = State->getSVal(MR); 1580 if (Val.getAsLocSymbol() == Sym) { 1581 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); 1582 // Do not show local variables belonging to a function other than 1583 // where the error is reported. 1584 if (!VR || 1585 (VR->getStackFrame() == LeakContext->getCurrentStackFrame())) 1586 ReferenceRegion = MR; 1587 } 1588 } 1589 } 1590 1591 // Allocation node, is the last node in the current context in which the 1592 // symbol was tracked. 1593 if (N->getLocationContext() == LeakContext) 1594 AllocNode = N; 1595 N = N->pred_empty() ? NULL : *(N->pred_begin()); 1596 } 1597 1598 return LeakInfo(AllocNode, ReferenceRegion); 1599 } 1600 1601 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1602 CheckerContext &C) const { 1603 1604 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1605 !Filter.CNewDeleteLeaksChecker) 1606 return; 1607 1608 const RefState *RS = C.getState()->get<RegionState>(Sym); 1609 assert(RS && "cannot leak an untracked symbol"); 1610 AllocationFamily Family = RS->getAllocationFamily(); 1611 if (!isTrackedByCurrentChecker(Family)) 1612 return; 1613 1614 // Special case for new and new[]; these are controlled by a separate checker 1615 // flag so that they can be selectively disabled. 1616 if (Family == AF_CXXNew || Family == AF_CXXNewArray) 1617 if (!Filter.CNewDeleteLeaksChecker) 1618 return; 1619 1620 assert(N); 1621 if (!BT_Leak) { 1622 BT_Leak.reset(new BugType("Memory leak", "Memory Error")); 1623 // Leaks should not be reported if they are post-dominated by a sink: 1624 // (1) Sinks are higher importance bugs. 1625 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1626 // with __noreturn functions such as assert() or exit(). We choose not 1627 // to report leaks on such paths. 1628 BT_Leak->setSuppressOnSink(true); 1629 } 1630 1631 // Most bug reports are cached at the location where they occurred. 1632 // With leaks, we want to unique them by the location where they were 1633 // allocated, and only report a single path. 1634 PathDiagnosticLocation LocUsedForUniqueing; 1635 const ExplodedNode *AllocNode = 0; 1636 const MemRegion *Region = 0; 1637 llvm::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 1638 1639 ProgramPoint P = AllocNode->getLocation(); 1640 const Stmt *AllocationStmt = 0; 1641 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 1642 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1643 else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) 1644 AllocationStmt = SP->getStmt(); 1645 if (AllocationStmt) 1646 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 1647 C.getSourceManager(), 1648 AllocNode->getLocationContext()); 1649 1650 SmallString<200> buf; 1651 llvm::raw_svector_ostream os(buf); 1652 if (Region && Region->canPrintPretty()) { 1653 os << "Potential leak of memory pointed to by "; 1654 Region->printPretty(os); 1655 } else { 1656 os << "Potential memory leak"; 1657 } 1658 1659 BugReport *R = new BugReport(*BT_Leak, os.str(), N, 1660 LocUsedForUniqueing, 1661 AllocNode->getLocationContext()->getDecl()); 1662 R->markInteresting(Sym); 1663 R->addVisitor(new MallocBugVisitor(Sym, true)); 1664 C.emitReport(R); 1665 } 1666 1667 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1668 CheckerContext &C) const 1669 { 1670 if (!SymReaper.hasDeadSymbols()) 1671 return; 1672 1673 ProgramStateRef state = C.getState(); 1674 RegionStateTy RS = state->get<RegionState>(); 1675 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1676 1677 SmallVector<SymbolRef, 2> Errors; 1678 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1679 if (SymReaper.isDead(I->first)) { 1680 if (I->second.isAllocated()) 1681 Errors.push_back(I->first); 1682 // Remove the dead symbol from the map. 1683 RS = F.remove(RS, I->first); 1684 1685 } 1686 } 1687 1688 // Cleanup the Realloc Pairs Map. 1689 ReallocPairsTy RP = state->get<ReallocPairs>(); 1690 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1691 if (SymReaper.isDead(I->first) || 1692 SymReaper.isDead(I->second.ReallocatedSym)) { 1693 state = state->remove<ReallocPairs>(I->first); 1694 } 1695 } 1696 1697 // Cleanup the FreeReturnValue Map. 1698 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 1699 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 1700 if (SymReaper.isDead(I->first) || 1701 SymReaper.isDead(I->second)) { 1702 state = state->remove<FreeReturnValue>(I->first); 1703 } 1704 } 1705 1706 // Generate leak node. 1707 ExplodedNode *N = C.getPredecessor(); 1708 if (!Errors.empty()) { 1709 static SimpleProgramPointTag Tag("MallocChecker : DeadSymbolsLeak"); 1710 N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 1711 for (SmallVectorImpl<SymbolRef>::iterator 1712 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 1713 reportLeak(*I, N, C); 1714 } 1715 } 1716 1717 C.addTransition(state->set<RegionState>(RS), N); 1718 } 1719 1720 void MallocChecker::checkPreCall(const CallEvent &Call, 1721 CheckerContext &C) const { 1722 1723 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { 1724 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 1725 if (!Sym || checkDoubleDelete(Sym, C)) 1726 return; 1727 } 1728 1729 // We will check for double free in the post visit. 1730 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 1731 const FunctionDecl *FD = FC->getDecl(); 1732 if (!FD) 1733 return; 1734 1735 if ((Filter.CMallocOptimistic || Filter.CMallocPessimistic) && 1736 isFreeFunction(FD, C.getASTContext())) 1737 return; 1738 1739 if (Filter.CNewDeleteChecker && 1740 isStandardNewDelete(FD, C.getASTContext())) 1741 return; 1742 } 1743 1744 // Check if the callee of a method is deleted. 1745 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 1746 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 1747 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 1748 return; 1749 } 1750 1751 // Check arguments for being used after free. 1752 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 1753 SVal ArgSVal = Call.getArgSVal(I); 1754 if (ArgSVal.getAs<Loc>()) { 1755 SymbolRef Sym = ArgSVal.getAsSymbol(); 1756 if (!Sym) 1757 continue; 1758 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 1759 return; 1760 } 1761 } 1762 } 1763 1764 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 1765 const Expr *E = S->getRetValue(); 1766 if (!E) 1767 return; 1768 1769 // Check if we are returning a symbol. 1770 ProgramStateRef State = C.getState(); 1771 SVal RetVal = State->getSVal(E, C.getLocationContext()); 1772 SymbolRef Sym = RetVal.getAsSymbol(); 1773 if (!Sym) 1774 // If we are returning a field of the allocated struct or an array element, 1775 // the callee could still free the memory. 1776 // TODO: This logic should be a part of generic symbol escape callback. 1777 if (const MemRegion *MR = RetVal.getAsRegion()) 1778 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 1779 if (const SymbolicRegion *BMR = 1780 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 1781 Sym = BMR->getSymbol(); 1782 1783 // Check if we are returning freed memory. 1784 if (Sym) 1785 checkUseAfterFree(Sym, C, E); 1786 } 1787 1788 // TODO: Blocks should be either inlined or should call invalidate regions 1789 // upon invocation. After that's in place, special casing here will not be 1790 // needed. 1791 void MallocChecker::checkPostStmt(const BlockExpr *BE, 1792 CheckerContext &C) const { 1793 1794 // Scan the BlockDecRefExprs for any object the retain count checker 1795 // may be tracking. 1796 if (!BE->getBlockDecl()->hasCaptures()) 1797 return; 1798 1799 ProgramStateRef state = C.getState(); 1800 const BlockDataRegion *R = 1801 cast<BlockDataRegion>(state->getSVal(BE, 1802 C.getLocationContext()).getAsRegion()); 1803 1804 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 1805 E = R->referenced_vars_end(); 1806 1807 if (I == E) 1808 return; 1809 1810 SmallVector<const MemRegion*, 10> Regions; 1811 const LocationContext *LC = C.getLocationContext(); 1812 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 1813 1814 for ( ; I != E; ++I) { 1815 const VarRegion *VR = I.getCapturedRegion(); 1816 if (VR->getSuperRegion() == R) { 1817 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 1818 } 1819 Regions.push_back(VR); 1820 } 1821 1822 state = 1823 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 1824 Regions.data() + Regions.size()).getState(); 1825 C.addTransition(state); 1826 } 1827 1828 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 1829 assert(Sym); 1830 const RefState *RS = C.getState()->get<RegionState>(Sym); 1831 return (RS && RS->isReleased()); 1832 } 1833 1834 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 1835 const Stmt *S) const { 1836 1837 if (isReleased(Sym, C)) { 1838 ReportUseAfterFree(C, S->getSourceRange(), Sym); 1839 return true; 1840 } 1841 1842 return false; 1843 } 1844 1845 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 1846 1847 if (isReleased(Sym, C)) { 1848 ReportDoubleDelete(C, Sym); 1849 return true; 1850 } 1851 return false; 1852 } 1853 1854 // Check if the location is a freed symbolic region. 1855 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 1856 CheckerContext &C) const { 1857 SymbolRef Sym = l.getLocSymbolInBase(); 1858 if (Sym) 1859 checkUseAfterFree(Sym, C, S); 1860 } 1861 1862 // If a symbolic region is assumed to NULL (or another constant), stop tracking 1863 // it - assuming that allocation failed on this path. 1864 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 1865 SVal Cond, 1866 bool Assumption) const { 1867 RegionStateTy RS = state->get<RegionState>(); 1868 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1869 // If the symbol is assumed to be NULL, remove it from consideration. 1870 ConstraintManager &CMgr = state->getConstraintManager(); 1871 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1872 if (AllocFailed.isConstrainedTrue()) 1873 state = state->remove<RegionState>(I.getKey()); 1874 } 1875 1876 // Realloc returns 0 when reallocation fails, which means that we should 1877 // restore the state of the pointer being reallocated. 1878 ReallocPairsTy RP = state->get<ReallocPairs>(); 1879 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1880 // If the symbol is assumed to be NULL, remove it from consideration. 1881 ConstraintManager &CMgr = state->getConstraintManager(); 1882 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1883 if (!AllocFailed.isConstrainedTrue()) 1884 continue; 1885 1886 SymbolRef ReallocSym = I.getData().ReallocatedSym; 1887 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 1888 if (RS->isReleased()) { 1889 if (I.getData().Kind == RPToBeFreedAfterFailure) 1890 state = state->set<RegionState>(ReallocSym, 1891 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 1892 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 1893 state = state->remove<RegionState>(ReallocSym); 1894 else 1895 assert(I.getData().Kind == RPIsFreeOnFailure); 1896 } 1897 } 1898 state = state->remove<ReallocPairs>(I.getKey()); 1899 } 1900 1901 return state; 1902 } 1903 1904 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 1905 const CallEvent *Call, 1906 ProgramStateRef State, 1907 SymbolRef &EscapingSymbol) const { 1908 assert(Call); 1909 EscapingSymbol = 0; 1910 1911 // For now, assume that any C++ or block call can free memory. 1912 // TODO: If we want to be more optimistic here, we'll need to make sure that 1913 // regions escape to C++ containers. They seem to do that even now, but for 1914 // mysterious reasons. 1915 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 1916 return true; 1917 1918 // Check Objective-C messages by selector name. 1919 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 1920 // If it's not a framework call, or if it takes a callback, assume it 1921 // can free memory. 1922 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 1923 return true; 1924 1925 // If it's a method we know about, handle it explicitly post-call. 1926 // This should happen before the "freeWhenDone" check below. 1927 if (isKnownDeallocObjCMethodName(*Msg)) 1928 return false; 1929 1930 // If there's a "freeWhenDone" parameter, but the method isn't one we know 1931 // about, we can't be sure that the object will use free() to deallocate the 1932 // memory, so we can't model it explicitly. The best we can do is use it to 1933 // decide whether the pointer escapes. 1934 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 1935 return *FreeWhenDone; 1936 1937 // If the first selector piece ends with "NoCopy", and there is no 1938 // "freeWhenDone" parameter set to zero, we know ownership is being 1939 // transferred. Again, though, we can't be sure that the object will use 1940 // free() to deallocate the memory, so we can't model it explicitly. 1941 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 1942 if (FirstSlot.endswith("NoCopy")) 1943 return true; 1944 1945 // If the first selector starts with addPointer, insertPointer, 1946 // or replacePointer, assume we are dealing with NSPointerArray or similar. 1947 // This is similar to C++ containers (vector); we still might want to check 1948 // that the pointers get freed by following the container itself. 1949 if (FirstSlot.startswith("addPointer") || 1950 FirstSlot.startswith("insertPointer") || 1951 FirstSlot.startswith("replacePointer") || 1952 FirstSlot.equals("valueWithPointer")) { 1953 return true; 1954 } 1955 1956 // We should escape receiver on call to 'init'. This is especially relevant 1957 // to the receiver, as the corresponding symbol is usually not referenced 1958 // after the call. 1959 if (Msg->getMethodFamily() == OMF_init) { 1960 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 1961 return true; 1962 } 1963 1964 // Otherwise, assume that the method does not free memory. 1965 // Most framework methods do not free memory. 1966 return false; 1967 } 1968 1969 // At this point the only thing left to handle is straight function calls. 1970 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 1971 if (!FD) 1972 return true; 1973 1974 ASTContext &ASTC = State->getStateManager().getContext(); 1975 1976 // If it's one of the allocation functions we can reason about, we model 1977 // its behavior explicitly. 1978 if (isMemFunction(FD, ASTC)) 1979 return false; 1980 1981 // If it's not a system call, assume it frees memory. 1982 if (!Call->isInSystemHeader()) 1983 return true; 1984 1985 // White list the system functions whose arguments escape. 1986 const IdentifierInfo *II = FD->getIdentifier(); 1987 if (!II) 1988 return true; 1989 StringRef FName = II->getName(); 1990 1991 // White list the 'XXXNoCopy' CoreFoundation functions. 1992 // We specifically check these before 1993 if (FName.endswith("NoCopy")) { 1994 // Look for the deallocator argument. We know that the memory ownership 1995 // is not transferred only if the deallocator argument is 1996 // 'kCFAllocatorNull'. 1997 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 1998 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 1999 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 2000 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 2001 if (DeallocatorName == "kCFAllocatorNull") 2002 return false; 2003 } 2004 } 2005 return true; 2006 } 2007 2008 // Associating streams with malloced buffers. The pointer can escape if 2009 // 'closefn' is specified (and if that function does free memory), 2010 // but it will not if closefn is not specified. 2011 // Currently, we do not inspect the 'closefn' function (PR12101). 2012 if (FName == "funopen") 2013 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 2014 return false; 2015 2016 // Do not warn on pointers passed to 'setbuf' when used with std streams, 2017 // these leaks might be intentional when setting the buffer for stdio. 2018 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 2019 if (FName == "setbuf" || FName =="setbuffer" || 2020 FName == "setlinebuf" || FName == "setvbuf") { 2021 if (Call->getNumArgs() >= 1) { 2022 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 2023 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 2024 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 2025 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 2026 return true; 2027 } 2028 } 2029 2030 // A bunch of other functions which either take ownership of a pointer or 2031 // wrap the result up in a struct or object, meaning it can be freed later. 2032 // (See RetainCountChecker.) Not all the parameters here are invalidated, 2033 // but the Malloc checker cannot differentiate between them. The right way 2034 // of doing this would be to implement a pointer escapes callback. 2035 if (FName == "CGBitmapContextCreate" || 2036 FName == "CGBitmapContextCreateWithData" || 2037 FName == "CVPixelBufferCreateWithBytes" || 2038 FName == "CVPixelBufferCreateWithPlanarBytes" || 2039 FName == "OSAtomicEnqueue") { 2040 return true; 2041 } 2042 2043 // Handle cases where we know a buffer's /address/ can escape. 2044 // Note that the above checks handle some special cases where we know that 2045 // even though the address escapes, it's still our responsibility to free the 2046 // buffer. 2047 if (Call->argumentsMayEscape()) 2048 return true; 2049 2050 // Otherwise, assume that the function does not free memory. 2051 // Most system calls do not free the memory. 2052 return false; 2053 } 2054 2055 static bool retTrue(const RefState *RS) { 2056 return true; 2057 } 2058 2059 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2060 return (RS->getAllocationFamily() == AF_CXXNewArray || 2061 RS->getAllocationFamily() == AF_CXXNew); 2062 } 2063 2064 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2065 const InvalidatedSymbols &Escaped, 2066 const CallEvent *Call, 2067 PointerEscapeKind Kind) const { 2068 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 2069 } 2070 2071 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2072 const InvalidatedSymbols &Escaped, 2073 const CallEvent *Call, 2074 PointerEscapeKind Kind) const { 2075 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2076 &checkIfNewOrNewArrayFamily); 2077 } 2078 2079 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 2080 const InvalidatedSymbols &Escaped, 2081 const CallEvent *Call, 2082 PointerEscapeKind Kind, 2083 bool(*CheckRefState)(const RefState*)) const { 2084 // If we know that the call does not free memory, or we want to process the 2085 // call later, keep tracking the top level arguments. 2086 SymbolRef EscapingSymbol = 0; 2087 if (Kind == PSK_DirectEscapeOnCall && 2088 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 2089 EscapingSymbol) && 2090 !EscapingSymbol) { 2091 return State; 2092 } 2093 2094 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 2095 E = Escaped.end(); 2096 I != E; ++I) { 2097 SymbolRef sym = *I; 2098 2099 if (EscapingSymbol && EscapingSymbol != sym) 2100 continue; 2101 2102 if (const RefState *RS = State->get<RegionState>(sym)) { 2103 if (RS->isAllocated() && CheckRefState(RS)) { 2104 State = State->remove<RegionState>(sym); 2105 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 2106 } 2107 } 2108 } 2109 return State; 2110 } 2111 2112 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2113 ProgramStateRef prevState) { 2114 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2115 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2116 2117 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2118 I != E; ++I) { 2119 SymbolRef sym = I.getKey(); 2120 if (!currMap.lookup(sym)) 2121 return sym; 2122 } 2123 2124 return NULL; 2125 } 2126 2127 PathDiagnosticPiece * 2128 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 2129 const ExplodedNode *PrevN, 2130 BugReporterContext &BRC, 2131 BugReport &BR) { 2132 ProgramStateRef state = N->getState(); 2133 ProgramStateRef statePrev = PrevN->getState(); 2134 2135 const RefState *RS = state->get<RegionState>(Sym); 2136 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2137 if (!RS) 2138 return 0; 2139 2140 const Stmt *S = 0; 2141 const char *Msg = 0; 2142 StackHintGeneratorForSymbol *StackHint = 0; 2143 2144 // Retrieve the associated statement. 2145 ProgramPoint ProgLoc = N->getLocation(); 2146 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) { 2147 S = SP->getStmt(); 2148 } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) { 2149 S = Exit->getCalleeContext()->getCallSite(); 2150 } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) { 2151 // If an assumption was made on a branch, it should be caught 2152 // here by looking at the state transition. 2153 S = Edge->getSrc()->getTerminator(); 2154 } 2155 2156 if (!S) 2157 return 0; 2158 2159 // FIXME: We will eventually need to handle non-statement-based events 2160 // (__attribute__((cleanup))). 2161 2162 // Find out if this is an interesting point and what is the kind. 2163 if (Mode == Normal) { 2164 if (isAllocated(RS, RSPrev, S)) { 2165 Msg = "Memory is allocated"; 2166 StackHint = new StackHintGeneratorForSymbol(Sym, 2167 "Returned allocated memory"); 2168 } else if (isReleased(RS, RSPrev, S)) { 2169 Msg = "Memory is released"; 2170 StackHint = new StackHintGeneratorForSymbol(Sym, 2171 "Returning; memory was released"); 2172 } else if (isRelinquished(RS, RSPrev, S)) { 2173 Msg = "Memory ownership is transferred"; 2174 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 2175 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 2176 Mode = ReallocationFailed; 2177 Msg = "Reallocation failed"; 2178 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 2179 "Reallocation failed"); 2180 2181 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2182 // Is it possible to fail two reallocs WITHOUT testing in between? 2183 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2184 "We only support one failed realloc at a time."); 2185 BR.markInteresting(sym); 2186 FailedReallocSymbol = sym; 2187 } 2188 } 2189 2190 // We are in a special mode if a reallocation failed later in the path. 2191 } else if (Mode == ReallocationFailed) { 2192 assert(FailedReallocSymbol && "No symbol to look for."); 2193 2194 // Is this is the first appearance of the reallocated symbol? 2195 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2196 // We're at the reallocation point. 2197 Msg = "Attempt to reallocate memory"; 2198 StackHint = new StackHintGeneratorForSymbol(Sym, 2199 "Returned reallocated memory"); 2200 FailedReallocSymbol = NULL; 2201 Mode = Normal; 2202 } 2203 } 2204 2205 if (!Msg) 2206 return 0; 2207 assert(StackHint); 2208 2209 // Generate the extra diagnostic. 2210 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2211 N->getLocationContext()); 2212 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 2213 } 2214 2215 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2216 const char *NL, const char *Sep) const { 2217 2218 RegionStateTy RS = State->get<RegionState>(); 2219 2220 if (!RS.isEmpty()) { 2221 Out << Sep << "MallocChecker:" << NL; 2222 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2223 I.getKey()->dumpToStream(Out); 2224 Out << " : "; 2225 I.getData().dump(Out); 2226 Out << NL; 2227 } 2228 } 2229 } 2230 2231 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) { 2232 registerCStringCheckerBasic(mgr); 2233 mgr.registerChecker<MallocChecker>()->Filter.CNewDeleteLeaksChecker = true; 2234 // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete 2235 // checker. 2236 mgr.registerChecker<MallocChecker>()->Filter.CNewDeleteChecker = true; 2237 } 2238 2239 #define REGISTER_CHECKER(name) \ 2240 void ento::register##name(CheckerManager &mgr) {\ 2241 registerCStringCheckerBasic(mgr); \ 2242 mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\ 2243 } 2244 2245 REGISTER_CHECKER(MallocPessimistic) 2246 REGISTER_CHECKER(MallocOptimistic) 2247 REGISTER_CHECKER(NewDeleteChecker) 2248 REGISTER_CHECKER(MismatchedDeallocatorChecker) 2249