1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/StaticAnalyzer/Core/Checker.h" 18 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 20 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 25 #include "clang/Basic/SourceManager.h" 26 #include "llvm/ADT/ImmutableMap.h" 27 #include "llvm/ADT/SmallString.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include <climits> 30 31 using namespace clang; 32 using namespace ento; 33 34 namespace { 35 36 class RefState { 37 enum Kind { // Reference to allocated memory. 38 Allocated, 39 // Reference to released/freed memory. 40 Released, 41 // The responsibility for freeing resources has transfered from 42 // this reference. A relinquished symbol should not be freed. 43 Relinquished } K; 44 const Stmt *S; 45 46 public: 47 RefState(Kind k, const Stmt *s) : K(k), S(s) {} 48 49 bool isAllocated() const { return K == Allocated; } 50 bool isReleased() const { return K == Released; } 51 bool isRelinquished() const { return K == Relinquished; } 52 53 const Stmt *getStmt() const { return S; } 54 55 bool operator==(const RefState &X) const { 56 return K == X.K && S == X.S; 57 } 58 59 static RefState getAllocated(const Stmt *s) { 60 return RefState(Allocated, s); 61 } 62 static RefState getReleased(const Stmt *s) { return RefState(Released, s); } 63 static RefState getRelinquished(const Stmt *s) { 64 return RefState(Relinquished, s); 65 } 66 67 void Profile(llvm::FoldingSetNodeID &ID) const { 68 ID.AddInteger(K); 69 ID.AddPointer(S); 70 } 71 }; 72 73 enum ReallocPairKind { 74 RPToBeFreedAfterFailure, 75 // The symbol has been freed when reallocation failed. 76 RPIsFreeOnFailure, 77 // The symbol does not need to be freed after reallocation fails. 78 RPDoNotTrackAfterFailure 79 }; 80 81 /// \class ReallocPair 82 /// \brief Stores information about the symbol being reallocated by a call to 83 /// 'realloc' to allow modeling failed reallocation later in the path. 84 struct ReallocPair { 85 // \brief The symbol which realloc reallocated. 86 SymbolRef ReallocatedSym; 87 ReallocPairKind Kind; 88 89 ReallocPair(SymbolRef S, ReallocPairKind K) : 90 ReallocatedSym(S), Kind(K) {} 91 void Profile(llvm::FoldingSetNodeID &ID) const { 92 ID.AddInteger(Kind); 93 ID.AddPointer(ReallocatedSym); 94 } 95 bool operator==(const ReallocPair &X) const { 96 return ReallocatedSym == X.ReallocatedSym && 97 Kind == X.Kind; 98 } 99 }; 100 101 typedef std::pair<const Stmt*, const MemRegion*> LeakInfo; 102 103 class MallocChecker : public Checker<check::DeadSymbols, 104 check::EndPath, 105 check::PreStmt<ReturnStmt>, 106 check::PreStmt<CallExpr>, 107 check::PostStmt<CallExpr>, 108 check::PostStmt<BlockExpr>, 109 check::PreObjCMessage, 110 check::Location, 111 check::Bind, 112 eval::Assume, 113 check::RegionChanges> 114 { 115 mutable OwningPtr<BugType> BT_DoubleFree; 116 mutable OwningPtr<BugType> BT_Leak; 117 mutable OwningPtr<BugType> BT_UseFree; 118 mutable OwningPtr<BugType> BT_BadFree; 119 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 120 *II_valloc, *II_reallocf, *II_strndup, *II_strdup; 121 122 public: 123 MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), 124 II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} 125 126 /// In pessimistic mode, the checker assumes that it does not know which 127 /// functions might free the memory. 128 struct ChecksFilter { 129 DefaultBool CMallocPessimistic; 130 DefaultBool CMallocOptimistic; 131 }; 132 133 ChecksFilter Filter; 134 135 void checkPreStmt(const CallExpr *S, CheckerContext &C) const; 136 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 137 void checkPreObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 138 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 139 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 140 void checkEndPath(CheckerContext &C) const; 141 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 142 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 143 bool Assumption) const; 144 void checkLocation(SVal l, bool isLoad, const Stmt *S, 145 CheckerContext &C) const; 146 void checkBind(SVal location, SVal val, const Stmt*S, 147 CheckerContext &C) const; 148 ProgramStateRef 149 checkRegionChanges(ProgramStateRef state, 150 const StoreManager::InvalidatedSymbols *invalidated, 151 ArrayRef<const MemRegion *> ExplicitRegions, 152 ArrayRef<const MemRegion *> Regions, 153 const CallEvent *Call) const; 154 bool wantsRegionChangeUpdate(ProgramStateRef state) const { 155 return true; 156 } 157 158 void printState(raw_ostream &Out, ProgramStateRef State, 159 const char *NL, const char *Sep) const; 160 161 private: 162 void initIdentifierInfo(ASTContext &C) const; 163 164 /// Check if this is one of the functions which can allocate/reallocate memory 165 /// pointed to by one of its arguments. 166 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 167 bool isFreeFunction(const FunctionDecl *FD, ASTContext &C) const; 168 bool isAllocationFunction(const FunctionDecl *FD, ASTContext &C) const; 169 170 static ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 171 const CallExpr *CE, 172 const OwnershipAttr* Att); 173 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 174 const Expr *SizeEx, SVal Init, 175 ProgramStateRef state) { 176 return MallocMemAux(C, CE, 177 state->getSVal(SizeEx, C.getLocationContext()), 178 Init, state); 179 } 180 181 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 182 SVal SizeEx, SVal Init, 183 ProgramStateRef state); 184 185 /// Update the RefState to reflect the new memory allocation. 186 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, 187 const CallExpr *CE, 188 ProgramStateRef state); 189 190 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 191 const OwnershipAttr* Att) const; 192 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 193 ProgramStateRef state, unsigned Num, 194 bool Hold, 195 bool &ReleasedAllocated) const; 196 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 197 const Expr *ParentExpr, 198 ProgramStateRef state, 199 bool Hold, 200 bool &ReleasedAllocated) const; 201 202 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 203 bool FreesMemOnFailure) const; 204 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 205 206 ///\brief Check if the memory associated with this symbol was released. 207 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 208 209 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 210 const Stmt *S = 0) const; 211 212 /// Check if the function is not known to us. So, for example, we could 213 /// conservatively assume it can free/reallocate it's pointer arguments. 214 bool doesNotFreeMemory(const CallEvent *Call, 215 ProgramStateRef State) const; 216 217 static bool SummarizeValue(raw_ostream &os, SVal V); 218 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 219 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange range) const; 220 221 /// Find the location of the allocation for Sym on the path leading to the 222 /// exploded node N. 223 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 224 CheckerContext &C) const; 225 226 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 227 228 /// The bug visitor which allows us to print extra diagnostics along the 229 /// BugReport path. For example, showing the allocation site of the leaked 230 /// region. 231 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 232 protected: 233 enum NotificationMode { 234 Normal, 235 ReallocationFailed 236 }; 237 238 // The allocated region symbol tracked by the main analysis. 239 SymbolRef Sym; 240 241 // The mode we are in, i.e. what kind of diagnostics will be emitted. 242 NotificationMode Mode; 243 244 // A symbol from when the primary region should have been reallocated. 245 SymbolRef FailedReallocSymbol; 246 247 bool IsLeak; 248 249 public: 250 MallocBugVisitor(SymbolRef S, bool isLeak = false) 251 : Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {} 252 253 virtual ~MallocBugVisitor() {} 254 255 void Profile(llvm::FoldingSetNodeID &ID) const { 256 static int X = 0; 257 ID.AddPointer(&X); 258 ID.AddPointer(Sym); 259 } 260 261 inline bool isAllocated(const RefState *S, const RefState *SPrev, 262 const Stmt *Stmt) { 263 // Did not track -> allocated. Other state (released) -> allocated. 264 return (Stmt && isa<CallExpr>(Stmt) && 265 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 266 } 267 268 inline bool isReleased(const RefState *S, const RefState *SPrev, 269 const Stmt *Stmt) { 270 // Did not track -> released. Other state (allocated) -> released. 271 return (Stmt && isa<CallExpr>(Stmt) && 272 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 273 } 274 275 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 276 const Stmt *Stmt) { 277 // Did not track -> relinquished. Other state (allocated) -> relinquished. 278 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 279 isa<ObjCPropertyRefExpr>(Stmt)) && 280 (S && S->isRelinquished()) && 281 (!SPrev || !SPrev->isRelinquished())); 282 } 283 284 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 285 const Stmt *Stmt) { 286 // If the expression is not a call, and the state change is 287 // released -> allocated, it must be the realloc return value 288 // check. If we have to handle more cases here, it might be cleaner just 289 // to track this extra bit in the state itself. 290 return ((!Stmt || !isa<CallExpr>(Stmt)) && 291 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 292 } 293 294 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 295 const ExplodedNode *PrevN, 296 BugReporterContext &BRC, 297 BugReport &BR); 298 299 PathDiagnosticPiece* getEndPath(BugReporterContext &BRC, 300 const ExplodedNode *EndPathNode, 301 BugReport &BR) { 302 if (!IsLeak) 303 return 0; 304 305 PathDiagnosticLocation L = 306 PathDiagnosticLocation::createEndOfPath(EndPathNode, 307 BRC.getSourceManager()); 308 // Do not add the statement itself as a range in case of leak. 309 return new PathDiagnosticEventPiece(L, BR.getDescription(), false); 310 } 311 312 private: 313 class StackHintGeneratorForReallocationFailed 314 : public StackHintGeneratorForSymbol { 315 public: 316 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 317 : StackHintGeneratorForSymbol(S, M) {} 318 319 virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) { 320 SmallString<200> buf; 321 llvm::raw_svector_ostream os(buf); 322 323 os << "Reallocation of "; 324 // Printed parameters start at 1, not 0. 325 printOrdinal(++ArgIndex, os); 326 os << " parameter failed"; 327 328 return os.str(); 329 } 330 331 virtual std::string getMessageForReturn(const CallExpr *CallExpr) { 332 return "Reallocation of returned value failed"; 333 } 334 }; 335 }; 336 }; 337 } // end anonymous namespace 338 339 typedef llvm::ImmutableMap<SymbolRef, RefState> RegionStateTy; 340 typedef llvm::ImmutableMap<SymbolRef, ReallocPair > ReallocMap; 341 class RegionState {}; 342 class ReallocPairs {}; 343 namespace clang { 344 namespace ento { 345 template <> 346 struct ProgramStateTrait<RegionState> 347 : public ProgramStatePartialTrait<RegionStateTy> { 348 static void *GDMIndex() { static int x; return &x; } 349 }; 350 351 template <> 352 struct ProgramStateTrait<ReallocPairs> 353 : public ProgramStatePartialTrait<ReallocMap> { 354 static void *GDMIndex() { static int x; return &x; } 355 }; 356 } 357 } 358 359 namespace { 360 class StopTrackingCallback : public SymbolVisitor { 361 ProgramStateRef state; 362 public: 363 StopTrackingCallback(ProgramStateRef st) : state(st) {} 364 ProgramStateRef getState() const { return state; } 365 366 bool VisitSymbol(SymbolRef sym) { 367 state = state->remove<RegionState>(sym); 368 return true; 369 } 370 }; 371 } // end anonymous namespace 372 373 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 374 if (II_malloc) 375 return; 376 II_malloc = &Ctx.Idents.get("malloc"); 377 II_free = &Ctx.Idents.get("free"); 378 II_realloc = &Ctx.Idents.get("realloc"); 379 II_reallocf = &Ctx.Idents.get("reallocf"); 380 II_calloc = &Ctx.Idents.get("calloc"); 381 II_valloc = &Ctx.Idents.get("valloc"); 382 II_strdup = &Ctx.Idents.get("strdup"); 383 II_strndup = &Ctx.Idents.get("strndup"); 384 } 385 386 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 387 if (isFreeFunction(FD, C)) 388 return true; 389 390 if (isAllocationFunction(FD, C)) 391 return true; 392 393 return false; 394 } 395 396 bool MallocChecker::isAllocationFunction(const FunctionDecl *FD, 397 ASTContext &C) const { 398 if (!FD) 399 return false; 400 401 if (FD->getKind() == Decl::Function) { 402 IdentifierInfo *FunI = FD->getIdentifier(); 403 initIdentifierInfo(C); 404 405 if (FunI == II_malloc || FunI == II_realloc || 406 FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || 407 FunI == II_strdup || FunI == II_strndup) 408 return true; 409 } 410 411 if (Filter.CMallocOptimistic && FD->hasAttrs()) 412 for (specific_attr_iterator<OwnershipAttr> 413 i = FD->specific_attr_begin<OwnershipAttr>(), 414 e = FD->specific_attr_end<OwnershipAttr>(); 415 i != e; ++i) 416 if ((*i)->getOwnKind() == OwnershipAttr::Returns) 417 return true; 418 return false; 419 } 420 421 bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const { 422 if (!FD) 423 return false; 424 425 if (FD->getKind() == Decl::Function) { 426 IdentifierInfo *FunI = FD->getIdentifier(); 427 initIdentifierInfo(C); 428 429 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 430 return true; 431 } 432 433 if (Filter.CMallocOptimistic && FD->hasAttrs()) 434 for (specific_attr_iterator<OwnershipAttr> 435 i = FD->specific_attr_begin<OwnershipAttr>(), 436 e = FD->specific_attr_end<OwnershipAttr>(); 437 i != e; ++i) 438 if ((*i)->getOwnKind() == OwnershipAttr::Takes || 439 (*i)->getOwnKind() == OwnershipAttr::Holds) 440 return true; 441 return false; 442 } 443 444 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 445 const FunctionDecl *FD = C.getCalleeDecl(CE); 446 if (!FD) 447 return; 448 449 ProgramStateRef State = C.getState(); 450 bool ReleasedAllocatedMemory = false; 451 452 if (FD->getKind() == Decl::Function) { 453 initIdentifierInfo(C.getASTContext()); 454 IdentifierInfo *FunI = FD->getIdentifier(); 455 456 if (FunI == II_malloc || FunI == II_valloc) { 457 if (CE->getNumArgs() < 1) 458 return; 459 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 460 } else if (FunI == II_realloc) { 461 State = ReallocMem(C, CE, false); 462 } else if (FunI == II_reallocf) { 463 State = ReallocMem(C, CE, true); 464 } else if (FunI == II_calloc) { 465 State = CallocMem(C, CE); 466 } else if (FunI == II_free) { 467 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 468 } else if (FunI == II_strdup) { 469 State = MallocUpdateRefState(C, CE, State); 470 } else if (FunI == II_strndup) { 471 State = MallocUpdateRefState(C, CE, State); 472 } 473 } 474 475 if (Filter.CMallocOptimistic) { 476 // Check all the attributes, if there are any. 477 // There can be multiple of these attributes. 478 if (FD->hasAttrs()) 479 for (specific_attr_iterator<OwnershipAttr> 480 i = FD->specific_attr_begin<OwnershipAttr>(), 481 e = FD->specific_attr_end<OwnershipAttr>(); 482 i != e; ++i) { 483 switch ((*i)->getOwnKind()) { 484 case OwnershipAttr::Returns: 485 State = MallocMemReturnsAttr(C, CE, *i); 486 break; 487 case OwnershipAttr::Takes: 488 case OwnershipAttr::Holds: 489 State = FreeMemAttr(C, CE, *i); 490 break; 491 } 492 } 493 } 494 C.addTransition(State); 495 } 496 497 static bool isFreeWhenDoneSetToZero(const ObjCMethodCall &Call) { 498 Selector S = Call.getSelector(); 499 for (unsigned i = 1; i < S.getNumArgs(); ++i) 500 if (S.getNameForSlot(i).equals("freeWhenDone")) 501 if (Call.getArgSVal(i).isConstant(0)) 502 return true; 503 504 return false; 505 } 506 507 void MallocChecker::checkPreObjCMessage(const ObjCMethodCall &Call, 508 CheckerContext &C) const { 509 // If the first selector is dataWithBytesNoCopy, assume that the memory will 510 // be released with 'free' by the new object. 511 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 512 // Unless 'freeWhenDone' param set to 0. 513 // TODO: Check that the memory was allocated with malloc. 514 bool ReleasedAllocatedMemory = false; 515 Selector S = Call.getSelector(); 516 if ((S.getNameForSlot(0) == "dataWithBytesNoCopy" || 517 S.getNameForSlot(0) == "initWithBytesNoCopy" || 518 S.getNameForSlot(0) == "initWithCharactersNoCopy") && 519 !isFreeWhenDoneSetToZero(Call)){ 520 unsigned int argIdx = 0; 521 C.addTransition(FreeMemAux(C, Call.getArgExpr(argIdx), 522 Call.getOriginExpr(), C.getState(), true, 523 ReleasedAllocatedMemory)); 524 } 525 } 526 527 ProgramStateRef MallocChecker::MallocMemReturnsAttr(CheckerContext &C, 528 const CallExpr *CE, 529 const OwnershipAttr* Att) { 530 if (Att->getModule() != "malloc") 531 return 0; 532 533 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 534 if (I != E) { 535 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 536 } 537 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 538 } 539 540 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 541 const CallExpr *CE, 542 SVal Size, SVal Init, 543 ProgramStateRef state) { 544 545 // Bind the return value to the symbolic value from the heap region. 546 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 547 // side effects other than what we model here. 548 unsigned Count = C.blockCount(); 549 SValBuilder &svalBuilder = C.getSValBuilder(); 550 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 551 DefinedSVal RetVal = 552 cast<DefinedSVal>(svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)); 553 state = state->BindExpr(CE, C.getLocationContext(), RetVal); 554 555 // We expect the malloc functions to return a pointer. 556 if (!isa<Loc>(RetVal)) 557 return 0; 558 559 // Fill the region with the initialization value. 560 state = state->bindDefault(RetVal, Init); 561 562 // Set the region's extent equal to the Size parameter. 563 const SymbolicRegion *R = 564 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 565 if (!R) 566 return 0; 567 if (isa<DefinedOrUnknownSVal>(Size)) { 568 SValBuilder &svalBuilder = C.getSValBuilder(); 569 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 570 DefinedOrUnknownSVal DefinedSize = cast<DefinedOrUnknownSVal>(Size); 571 DefinedOrUnknownSVal extentMatchesSize = 572 svalBuilder.evalEQ(state, Extent, DefinedSize); 573 574 state = state->assume(extentMatchesSize, true); 575 assert(state); 576 } 577 578 return MallocUpdateRefState(C, CE, state); 579 } 580 581 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 582 const CallExpr *CE, 583 ProgramStateRef state) { 584 // Get the return value. 585 SVal retVal = state->getSVal(CE, C.getLocationContext()); 586 587 // We expect the malloc functions to return a pointer. 588 if (!isa<Loc>(retVal)) 589 return 0; 590 591 SymbolRef Sym = retVal.getAsLocSymbol(); 592 assert(Sym); 593 594 // Set the symbol's state to Allocated. 595 return state->set<RegionState>(Sym, RefState::getAllocated(CE)); 596 597 } 598 599 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 600 const CallExpr *CE, 601 const OwnershipAttr* Att) const { 602 if (Att->getModule() != "malloc") 603 return 0; 604 605 ProgramStateRef State = C.getState(); 606 bool ReleasedAllocated = false; 607 608 for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 609 I != E; ++I) { 610 ProgramStateRef StateI = FreeMemAux(C, CE, State, *I, 611 Att->getOwnKind() == OwnershipAttr::Holds, 612 ReleasedAllocated); 613 if (StateI) 614 State = StateI; 615 } 616 return State; 617 } 618 619 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 620 const CallExpr *CE, 621 ProgramStateRef state, 622 unsigned Num, 623 bool Hold, 624 bool &ReleasedAllocated) const { 625 if (CE->getNumArgs() < (Num + 1)) 626 return 0; 627 628 return FreeMemAux(C, CE->getArg(Num), CE, state, Hold, ReleasedAllocated); 629 } 630 631 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 632 const Expr *ArgExpr, 633 const Expr *ParentExpr, 634 ProgramStateRef state, 635 bool Hold, 636 bool &ReleasedAllocated) const { 637 638 SVal ArgVal = state->getSVal(ArgExpr, C.getLocationContext()); 639 if (!isa<DefinedOrUnknownSVal>(ArgVal)) 640 return 0; 641 DefinedOrUnknownSVal location = cast<DefinedOrUnknownSVal>(ArgVal); 642 643 // Check for null dereferences. 644 if (!isa<Loc>(location)) 645 return 0; 646 647 // The explicit NULL case, no operation is performed. 648 ProgramStateRef notNullState, nullState; 649 llvm::tie(notNullState, nullState) = state->assume(location); 650 if (nullState && !notNullState) 651 return 0; 652 653 // Unknown values could easily be okay 654 // Undefined values are handled elsewhere 655 if (ArgVal.isUnknownOrUndef()) 656 return 0; 657 658 const MemRegion *R = ArgVal.getAsRegion(); 659 660 // Nonlocs can't be freed, of course. 661 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 662 if (!R) { 663 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 664 return 0; 665 } 666 667 R = R->StripCasts(); 668 669 // Blocks might show up as heap data, but should not be free()d 670 if (isa<BlockDataRegion>(R)) { 671 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 672 return 0; 673 } 674 675 const MemSpaceRegion *MS = R->getMemorySpace(); 676 677 // Parameters, locals, statics, and globals shouldn't be freed. 678 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 679 // FIXME: at the time this code was written, malloc() regions were 680 // represented by conjured symbols, which are all in UnknownSpaceRegion. 681 // This means that there isn't actually anything from HeapSpaceRegion 682 // that should be freed, even though we allow it here. 683 // Of course, free() can work on memory allocated outside the current 684 // function, so UnknownSpaceRegion is always a possibility. 685 // False negatives are better than false positives. 686 687 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 688 return 0; 689 } 690 691 const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R); 692 // Various cases could lead to non-symbol values here. 693 // For now, ignore them. 694 if (!SR) 695 return 0; 696 697 SymbolRef Sym = SR->getSymbol(); 698 const RefState *RS = state->get<RegionState>(Sym); 699 700 // Check double free. 701 if (RS && (RS->isReleased() || RS->isRelinquished())) { 702 if (ExplodedNode *N = C.generateSink()) { 703 if (!BT_DoubleFree) 704 BT_DoubleFree.reset( 705 new BugType("Double free", "Memory Error")); 706 BugReport *R = new BugReport(*BT_DoubleFree, 707 (RS->isReleased() ? "Attempt to free released memory" : 708 "Attempt to free non-owned memory"), N); 709 R->addRange(ArgExpr->getSourceRange()); 710 R->markInteresting(Sym); 711 R->addVisitor(new MallocBugVisitor(Sym)); 712 C.EmitReport(R); 713 } 714 return 0; 715 } 716 717 ReleasedAllocated = (RS != 0); 718 719 // Normal free. 720 if (Hold) 721 return state->set<RegionState>(Sym, RefState::getRelinquished(ParentExpr)); 722 return state->set<RegionState>(Sym, RefState::getReleased(ParentExpr)); 723 } 724 725 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 726 if (nonloc::ConcreteInt *IntVal = dyn_cast<nonloc::ConcreteInt>(&V)) 727 os << "an integer (" << IntVal->getValue() << ")"; 728 else if (loc::ConcreteInt *ConstAddr = dyn_cast<loc::ConcreteInt>(&V)) 729 os << "a constant address (" << ConstAddr->getValue() << ")"; 730 else if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&V)) 731 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 732 else 733 return false; 734 735 return true; 736 } 737 738 bool MallocChecker::SummarizeRegion(raw_ostream &os, 739 const MemRegion *MR) { 740 switch (MR->getKind()) { 741 case MemRegion::FunctionTextRegionKind: { 742 const FunctionDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 743 if (FD) 744 os << "the address of the function '" << *FD << '\''; 745 else 746 os << "the address of a function"; 747 return true; 748 } 749 case MemRegion::BlockTextRegionKind: 750 os << "block text"; 751 return true; 752 case MemRegion::BlockDataRegionKind: 753 // FIXME: where the block came from? 754 os << "a block"; 755 return true; 756 default: { 757 const MemSpaceRegion *MS = MR->getMemorySpace(); 758 759 if (isa<StackLocalsSpaceRegion>(MS)) { 760 const VarRegion *VR = dyn_cast<VarRegion>(MR); 761 const VarDecl *VD; 762 if (VR) 763 VD = VR->getDecl(); 764 else 765 VD = NULL; 766 767 if (VD) 768 os << "the address of the local variable '" << VD->getName() << "'"; 769 else 770 os << "the address of a local stack variable"; 771 return true; 772 } 773 774 if (isa<StackArgumentsSpaceRegion>(MS)) { 775 const VarRegion *VR = dyn_cast<VarRegion>(MR); 776 const VarDecl *VD; 777 if (VR) 778 VD = VR->getDecl(); 779 else 780 VD = NULL; 781 782 if (VD) 783 os << "the address of the parameter '" << VD->getName() << "'"; 784 else 785 os << "the address of a parameter"; 786 return true; 787 } 788 789 if (isa<GlobalsSpaceRegion>(MS)) { 790 const VarRegion *VR = dyn_cast<VarRegion>(MR); 791 const VarDecl *VD; 792 if (VR) 793 VD = VR->getDecl(); 794 else 795 VD = NULL; 796 797 if (VD) { 798 if (VD->isStaticLocal()) 799 os << "the address of the static variable '" << VD->getName() << "'"; 800 else 801 os << "the address of the global variable '" << VD->getName() << "'"; 802 } else 803 os << "the address of a global variable"; 804 return true; 805 } 806 807 return false; 808 } 809 } 810 } 811 812 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 813 SourceRange range) const { 814 if (ExplodedNode *N = C.generateSink()) { 815 if (!BT_BadFree) 816 BT_BadFree.reset(new BugType("Bad free", "Memory Error")); 817 818 SmallString<100> buf; 819 llvm::raw_svector_ostream os(buf); 820 821 const MemRegion *MR = ArgVal.getAsRegion(); 822 if (MR) { 823 while (const ElementRegion *ER = dyn_cast<ElementRegion>(MR)) 824 MR = ER->getSuperRegion(); 825 826 // Special case for alloca() 827 if (isa<AllocaRegion>(MR)) 828 os << "Argument to free() was allocated by alloca(), not malloc()"; 829 else { 830 os << "Argument to free() is "; 831 if (SummarizeRegion(os, MR)) 832 os << ", which is not memory allocated by malloc()"; 833 else 834 os << "not memory allocated by malloc()"; 835 } 836 } else { 837 os << "Argument to free() is "; 838 if (SummarizeValue(os, ArgVal)) 839 os << ", which is not memory allocated by malloc()"; 840 else 841 os << "not memory allocated by malloc()"; 842 } 843 844 BugReport *R = new BugReport(*BT_BadFree, os.str(), N); 845 R->markInteresting(MR); 846 R->addRange(range); 847 C.EmitReport(R); 848 } 849 } 850 851 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 852 const CallExpr *CE, 853 bool FreesOnFail) const { 854 if (CE->getNumArgs() < 2) 855 return 0; 856 857 ProgramStateRef state = C.getState(); 858 const Expr *arg0Expr = CE->getArg(0); 859 const LocationContext *LCtx = C.getLocationContext(); 860 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 861 if (!isa<DefinedOrUnknownSVal>(Arg0Val)) 862 return 0; 863 DefinedOrUnknownSVal arg0Val = cast<DefinedOrUnknownSVal>(Arg0Val); 864 865 SValBuilder &svalBuilder = C.getSValBuilder(); 866 867 DefinedOrUnknownSVal PtrEQ = 868 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 869 870 // Get the size argument. If there is no size arg then give up. 871 const Expr *Arg1 = CE->getArg(1); 872 if (!Arg1) 873 return 0; 874 875 // Get the value of the size argument. 876 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 877 if (!isa<DefinedOrUnknownSVal>(Arg1ValG)) 878 return 0; 879 DefinedOrUnknownSVal Arg1Val = cast<DefinedOrUnknownSVal>(Arg1ValG); 880 881 // Compare the size argument to 0. 882 DefinedOrUnknownSVal SizeZero = 883 svalBuilder.evalEQ(state, Arg1Val, 884 svalBuilder.makeIntValWithPtrWidth(0, false)); 885 886 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 887 llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 888 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 889 llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 890 // We only assume exceptional states if they are definitely true; if the 891 // state is under-constrained, assume regular realloc behavior. 892 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 893 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 894 895 // If the ptr is NULL and the size is not 0, the call is equivalent to 896 // malloc(size). 897 if ( PrtIsNull && !SizeIsZero) { 898 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 899 UndefinedVal(), StatePtrIsNull); 900 return stateMalloc; 901 } 902 903 if (PrtIsNull && SizeIsZero) 904 return 0; 905 906 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 907 assert(!PrtIsNull); 908 SymbolRef FromPtr = arg0Val.getAsSymbol(); 909 SVal RetVal = state->getSVal(CE, LCtx); 910 SymbolRef ToPtr = RetVal.getAsSymbol(); 911 if (!FromPtr || !ToPtr) 912 return 0; 913 914 bool ReleasedAllocated = false; 915 916 // If the size is 0, free the memory. 917 if (SizeIsZero) 918 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 919 false, ReleasedAllocated)){ 920 // The semantics of the return value are: 921 // If size was equal to 0, either NULL or a pointer suitable to be passed 922 // to free() is returned. We just free the input pointer and do not add 923 // any constrains on the output pointer. 924 return stateFree; 925 } 926 927 // Default behavior. 928 if (ProgramStateRef stateFree = 929 FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) { 930 931 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 932 UnknownVal(), stateFree); 933 if (!stateRealloc) 934 return 0; 935 936 ReallocPairKind Kind = RPToBeFreedAfterFailure; 937 if (FreesOnFail) 938 Kind = RPIsFreeOnFailure; 939 else if (!ReleasedAllocated) 940 Kind = RPDoNotTrackAfterFailure; 941 942 // Record the info about the reallocated symbol so that we could properly 943 // process failed reallocation. 944 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 945 ReallocPair(FromPtr, Kind)); 946 // The reallocated symbol should stay alive for as long as the new symbol. 947 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 948 return stateRealloc; 949 } 950 return 0; 951 } 952 953 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 954 if (CE->getNumArgs() < 2) 955 return 0; 956 957 ProgramStateRef state = C.getState(); 958 SValBuilder &svalBuilder = C.getSValBuilder(); 959 const LocationContext *LCtx = C.getLocationContext(); 960 SVal count = state->getSVal(CE->getArg(0), LCtx); 961 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 962 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 963 svalBuilder.getContext().getSizeType()); 964 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 965 966 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 967 } 968 969 LeakInfo 970 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 971 CheckerContext &C) const { 972 const LocationContext *LeakContext = N->getLocationContext(); 973 // Walk the ExplodedGraph backwards and find the first node that referred to 974 // the tracked symbol. 975 const ExplodedNode *AllocNode = N; 976 const MemRegion *ReferenceRegion = 0; 977 978 while (N) { 979 ProgramStateRef State = N->getState(); 980 if (!State->get<RegionState>(Sym)) 981 break; 982 983 // Find the most recent expression bound to the symbol in the current 984 // context. 985 if (!ReferenceRegion) { 986 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 987 SVal Val = State->getSVal(MR); 988 if (Val.getAsLocSymbol() == Sym) 989 ReferenceRegion = MR; 990 } 991 } 992 993 // Allocation node, is the last node in the current context in which the 994 // symbol was tracked. 995 if (N->getLocationContext() == LeakContext) 996 AllocNode = N; 997 N = N->pred_empty() ? NULL : *(N->pred_begin()); 998 } 999 1000 ProgramPoint P = AllocNode->getLocation(); 1001 const Stmt *AllocationStmt = 0; 1002 if (CallExitEnd *Exit = dyn_cast<CallExitEnd>(&P)) 1003 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1004 else if (StmtPoint *SP = dyn_cast<StmtPoint>(&P)) 1005 AllocationStmt = SP->getStmt(); 1006 1007 return LeakInfo(AllocationStmt, ReferenceRegion); 1008 } 1009 1010 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1011 CheckerContext &C) const { 1012 assert(N); 1013 if (!BT_Leak) { 1014 BT_Leak.reset(new BugType("Memory leak", "Memory Error")); 1015 // Leaks should not be reported if they are post-dominated by a sink: 1016 // (1) Sinks are higher importance bugs. 1017 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1018 // with __noreturn functions such as assert() or exit(). We choose not 1019 // to report leaks on such paths. 1020 BT_Leak->setSuppressOnSink(true); 1021 } 1022 1023 // Most bug reports are cached at the location where they occurred. 1024 // With leaks, we want to unique them by the location where they were 1025 // allocated, and only report a single path. 1026 PathDiagnosticLocation LocUsedForUniqueing; 1027 const Stmt *AllocStmt = 0; 1028 const MemRegion *Region = 0; 1029 llvm::tie(AllocStmt, Region) = getAllocationSite(N, Sym, C); 1030 if (AllocStmt) 1031 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocStmt, 1032 C.getSourceManager(), N->getLocationContext()); 1033 1034 SmallString<200> buf; 1035 llvm::raw_svector_ostream os(buf); 1036 os << "Memory is never released; potential leak"; 1037 if (Region && Region->canPrintPretty()) { 1038 os << " of memory pointed to by '"; 1039 Region->printPretty(os); 1040 os << '\''; 1041 } 1042 1043 BugReport *R = new BugReport(*BT_Leak, os.str(), N, LocUsedForUniqueing); 1044 R->markInteresting(Sym); 1045 R->addVisitor(new MallocBugVisitor(Sym, true)); 1046 C.EmitReport(R); 1047 } 1048 1049 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1050 CheckerContext &C) const 1051 { 1052 if (!SymReaper.hasDeadSymbols()) 1053 return; 1054 1055 ProgramStateRef state = C.getState(); 1056 RegionStateTy RS = state->get<RegionState>(); 1057 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1058 1059 bool generateReport = false; 1060 llvm::SmallVector<SymbolRef, 2> Errors; 1061 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1062 if (SymReaper.isDead(I->first)) { 1063 if (I->second.isAllocated()) { 1064 generateReport = true; 1065 Errors.push_back(I->first); 1066 } 1067 // Remove the dead symbol from the map. 1068 RS = F.remove(RS, I->first); 1069 1070 } 1071 } 1072 1073 // Cleanup the Realloc Pairs Map. 1074 ReallocMap RP = state->get<ReallocPairs>(); 1075 for (ReallocMap::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1076 if (SymReaper.isDead(I->first) || 1077 SymReaper.isDead(I->second.ReallocatedSym)) { 1078 state = state->remove<ReallocPairs>(I->first); 1079 } 1080 } 1081 1082 // Generate leak node. 1083 static SimpleProgramPointTag Tag("MallocChecker : DeadSymbolsLeak"); 1084 ExplodedNode *N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 1085 1086 if (generateReport) { 1087 for (llvm::SmallVector<SymbolRef, 2>::iterator 1088 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 1089 reportLeak(*I, N, C); 1090 } 1091 } 1092 C.addTransition(state->set<RegionState>(RS), N); 1093 } 1094 1095 void MallocChecker::checkEndPath(CheckerContext &C) const { 1096 ProgramStateRef state = C.getState(); 1097 RegionStateTy M = state->get<RegionState>(); 1098 1099 // If inside inlined call, skip it. 1100 if (C.getLocationContext()->getParent() != 0) 1101 return; 1102 1103 for (RegionStateTy::iterator I = M.begin(), E = M.end(); I != E; ++I) { 1104 RefState RS = I->second; 1105 if (RS.isAllocated()) { 1106 ExplodedNode *N = C.addTransition(state); 1107 if (N) 1108 reportLeak(I->first, N, C); 1109 } 1110 } 1111 } 1112 1113 void MallocChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { 1114 // We will check for double free in the post visit. 1115 if (isFreeFunction(C.getCalleeDecl(CE), C.getASTContext())) 1116 return; 1117 1118 // Check use after free, when a freed pointer is passed to a call. 1119 ProgramStateRef State = C.getState(); 1120 for (CallExpr::const_arg_iterator I = CE->arg_begin(), 1121 E = CE->arg_end(); I != E; ++I) { 1122 const Expr *A = *I; 1123 if (A->getType().getTypePtr()->isAnyPointerType()) { 1124 SymbolRef Sym = State->getSVal(A, C.getLocationContext()).getAsSymbol(); 1125 if (!Sym) 1126 continue; 1127 if (checkUseAfterFree(Sym, C, A)) 1128 return; 1129 } 1130 } 1131 } 1132 1133 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 1134 const Expr *E = S->getRetValue(); 1135 if (!E) 1136 return; 1137 1138 // Check if we are returning a symbol. 1139 ProgramStateRef State = C.getState(); 1140 SVal RetVal = State->getSVal(E, C.getLocationContext()); 1141 SymbolRef Sym = RetVal.getAsSymbol(); 1142 if (!Sym) 1143 // If we are returning a field of the allocated struct or an array element, 1144 // the callee could still free the memory. 1145 // TODO: This logic should be a part of generic symbol escape callback. 1146 if (const MemRegion *MR = RetVal.getAsRegion()) 1147 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 1148 if (const SymbolicRegion *BMR = 1149 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 1150 Sym = BMR->getSymbol(); 1151 1152 // Check if we are returning freed memory. 1153 if (Sym) 1154 if (checkUseAfterFree(Sym, C, E)) 1155 return; 1156 1157 // If this function body is not inlined, stop tracking any returned symbols. 1158 if (C.getLocationContext()->getParent() == 0) { 1159 State = 1160 State->scanReachableSymbols<StopTrackingCallback>(RetVal).getState(); 1161 C.addTransition(State); 1162 } 1163 } 1164 1165 // TODO: Blocks should be either inlined or should call invalidate regions 1166 // upon invocation. After that's in place, special casing here will not be 1167 // needed. 1168 void MallocChecker::checkPostStmt(const BlockExpr *BE, 1169 CheckerContext &C) const { 1170 1171 // Scan the BlockDecRefExprs for any object the retain count checker 1172 // may be tracking. 1173 if (!BE->getBlockDecl()->hasCaptures()) 1174 return; 1175 1176 ProgramStateRef state = C.getState(); 1177 const BlockDataRegion *R = 1178 cast<BlockDataRegion>(state->getSVal(BE, 1179 C.getLocationContext()).getAsRegion()); 1180 1181 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 1182 E = R->referenced_vars_end(); 1183 1184 if (I == E) 1185 return; 1186 1187 SmallVector<const MemRegion*, 10> Regions; 1188 const LocationContext *LC = C.getLocationContext(); 1189 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 1190 1191 for ( ; I != E; ++I) { 1192 const VarRegion *VR = *I; 1193 if (VR->getSuperRegion() == R) { 1194 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 1195 } 1196 Regions.push_back(VR); 1197 } 1198 1199 state = 1200 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 1201 Regions.data() + Regions.size()).getState(); 1202 C.addTransition(state); 1203 } 1204 1205 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 1206 assert(Sym); 1207 const RefState *RS = C.getState()->get<RegionState>(Sym); 1208 return (RS && RS->isReleased()); 1209 } 1210 1211 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 1212 const Stmt *S) const { 1213 if (isReleased(Sym, C)) { 1214 if (ExplodedNode *N = C.generateSink()) { 1215 if (!BT_UseFree) 1216 BT_UseFree.reset(new BugType("Use-after-free", "Memory Error")); 1217 1218 BugReport *R = new BugReport(*BT_UseFree, 1219 "Use of memory after it is freed",N); 1220 if (S) 1221 R->addRange(S->getSourceRange()); 1222 R->markInteresting(Sym); 1223 R->addVisitor(new MallocBugVisitor(Sym)); 1224 C.EmitReport(R); 1225 return true; 1226 } 1227 } 1228 return false; 1229 } 1230 1231 // Check if the location is a freed symbolic region. 1232 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 1233 CheckerContext &C) const { 1234 SymbolRef Sym = l.getLocSymbolInBase(); 1235 if (Sym) 1236 checkUseAfterFree(Sym, C, S); 1237 } 1238 1239 //===----------------------------------------------------------------------===// 1240 // Check various ways a symbol can be invalidated. 1241 // TODO: This logic (the next 3 functions) is copied/similar to the 1242 // RetainRelease checker. We might want to factor this out. 1243 //===----------------------------------------------------------------------===// 1244 1245 // Stop tracking symbols when a value escapes as a result of checkBind. 1246 // A value escapes in three possible cases: 1247 // (1) we are binding to something that is not a memory region. 1248 // (2) we are binding to a memregion that does not have stack storage 1249 // (3) we are binding to a memregion with stack storage that the store 1250 // does not understand. 1251 void MallocChecker::checkBind(SVal loc, SVal val, const Stmt *S, 1252 CheckerContext &C) const { 1253 // Are we storing to something that causes the value to "escape"? 1254 bool escapes = true; 1255 ProgramStateRef state = C.getState(); 1256 1257 if (loc::MemRegionVal *regionLoc = dyn_cast<loc::MemRegionVal>(&loc)) { 1258 escapes = !regionLoc->getRegion()->hasStackStorage(); 1259 1260 if (!escapes) { 1261 // To test (3), generate a new state with the binding added. If it is 1262 // the same state, then it escapes (since the store cannot represent 1263 // the binding). 1264 // Do this only if we know that the store is not supposed to generate the 1265 // same state. 1266 SVal StoredVal = state->getSVal(regionLoc->getRegion()); 1267 if (StoredVal != val) 1268 escapes = (state == (state->bindLoc(*regionLoc, val))); 1269 } 1270 } 1271 1272 // If our store can represent the binding and we aren't storing to something 1273 // that doesn't have local storage then just return and have the simulation 1274 // state continue as is. 1275 if (!escapes) 1276 return; 1277 1278 // Otherwise, find all symbols referenced by 'val' that we are tracking 1279 // and stop tracking them. 1280 state = state->scanReachableSymbols<StopTrackingCallback>(val).getState(); 1281 C.addTransition(state); 1282 } 1283 1284 // If a symbolic region is assumed to NULL (or another constant), stop tracking 1285 // it - assuming that allocation failed on this path. 1286 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 1287 SVal Cond, 1288 bool Assumption) const { 1289 RegionStateTy RS = state->get<RegionState>(); 1290 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1291 // If the symbol is assumed to be NULL, remove it from consideration. 1292 if (state->getConstraintManager().isNull(state, I.getKey()).isTrue()) 1293 state = state->remove<RegionState>(I.getKey()); 1294 } 1295 1296 // Realloc returns 0 when reallocation fails, which means that we should 1297 // restore the state of the pointer being reallocated. 1298 ReallocMap RP = state->get<ReallocPairs>(); 1299 for (ReallocMap::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1300 // If the symbol is assumed to be NULL, remove it from consideration. 1301 if (!state->getConstraintManager().isNull(state, I.getKey()).isTrue()) 1302 continue; 1303 SymbolRef ReallocSym = I.getData().ReallocatedSym; 1304 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 1305 if (RS->isReleased()) { 1306 if (I.getData().Kind == RPToBeFreedAfterFailure) 1307 state = state->set<RegionState>(ReallocSym, 1308 RefState::getAllocated(RS->getStmt())); 1309 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 1310 state = state->remove<RegionState>(ReallocSym); 1311 else 1312 assert(I.getData().Kind == RPIsFreeOnFailure); 1313 } 1314 } 1315 state = state->remove<ReallocPairs>(I.getKey()); 1316 } 1317 1318 return state; 1319 } 1320 1321 // Check if the function is known to us. So, for example, we could 1322 // conservatively assume it can free/reallocate its pointer arguments. 1323 // (We assume that the pointers cannot escape through calls to system 1324 // functions not handled by this checker.) 1325 bool MallocChecker::doesNotFreeMemory(const CallEvent *Call, 1326 ProgramStateRef State) const { 1327 assert(Call); 1328 1329 // For now, assume that any C++ call can free memory. 1330 // TODO: If we want to be more optimistic here, we'll need to make sure that 1331 // regions escape to C++ containers. They seem to do that even now, but for 1332 // mysterious reasons. 1333 if (!(isa<FunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 1334 return false; 1335 1336 // Check Objective-C messages by selector name. 1337 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 1338 // If it's not a framework call, or if it takes a callback, assume it 1339 // can free memory. 1340 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 1341 return false; 1342 1343 Selector S = Msg->getSelector(); 1344 1345 // Whitelist the ObjC methods which do free memory. 1346 // - Anything containing 'freeWhenDone' param set to 1. 1347 // Ex: dataWithBytesNoCopy:length:freeWhenDone. 1348 for (unsigned i = 1; i < S.getNumArgs(); ++i) { 1349 if (S.getNameForSlot(i).equals("freeWhenDone")) { 1350 if (Call->getArgSVal(i).isConstant(1)) 1351 return false; 1352 else 1353 return true; 1354 } 1355 } 1356 1357 // If the first selector ends with NoCopy, assume that the ownership is 1358 // transferred as well. 1359 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1360 StringRef FirstSlot = S.getNameForSlot(0); 1361 if (FirstSlot.endswith("NoCopy")) 1362 return false; 1363 1364 // If the first selector starts with addPointer, insertPointer, 1365 // or replacePointer, assume we are dealing with NSPointerArray or similar. 1366 // This is similar to C++ containers (vector); we still might want to check 1367 // that the pointers get freed by following the container itself. 1368 if (FirstSlot.startswith("addPointer") || 1369 FirstSlot.startswith("insertPointer") || 1370 FirstSlot.startswith("replacePointer")) { 1371 return false; 1372 } 1373 1374 // Otherwise, assume that the method does not free memory. 1375 // Most framework methods do not free memory. 1376 return true; 1377 } 1378 1379 // At this point the only thing left to handle is straight function calls. 1380 const FunctionDecl *FD = cast<FunctionCall>(Call)->getDecl(); 1381 if (!FD) 1382 return false; 1383 1384 ASTContext &ASTC = State->getStateManager().getContext(); 1385 1386 // If it's one of the allocation functions we can reason about, we model 1387 // its behavior explicitly. 1388 if (isMemFunction(FD, ASTC)) 1389 return true; 1390 1391 // If it's not a system call, assume it frees memory. 1392 if (!Call->isInSystemHeader()) 1393 return false; 1394 1395 // White list the system functions whose arguments escape. 1396 const IdentifierInfo *II = FD->getIdentifier(); 1397 if (!II) 1398 return false; 1399 StringRef FName = II->getName(); 1400 1401 // White list the 'XXXNoCopy' CoreFoundation functions. 1402 // We specifically check these before 1403 if (FName.endswith("NoCopy")) { 1404 // Look for the deallocator argument. We know that the memory ownership 1405 // is not transferred only if the deallocator argument is 1406 // 'kCFAllocatorNull'. 1407 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 1408 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 1409 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 1410 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 1411 if (DeallocatorName == "kCFAllocatorNull") 1412 return true; 1413 } 1414 } 1415 return false; 1416 } 1417 1418 // Associating streams with malloced buffers. The pointer can escape if 1419 // 'closefn' is specified (and if that function does free memory), 1420 // but it will not if closefn is not specified. 1421 // Currently, we do not inspect the 'closefn' function (PR12101). 1422 if (FName == "funopen") 1423 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 1424 return true; 1425 1426 // Do not warn on pointers passed to 'setbuf' when used with std streams, 1427 // these leaks might be intentional when setting the buffer for stdio. 1428 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 1429 if (FName == "setbuf" || FName =="setbuffer" || 1430 FName == "setlinebuf" || FName == "setvbuf") { 1431 if (Call->getNumArgs() >= 1) { 1432 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 1433 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 1434 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 1435 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 1436 return false; 1437 } 1438 } 1439 1440 // A bunch of other functions which either take ownership of a pointer or 1441 // wrap the result up in a struct or object, meaning it can be freed later. 1442 // (See RetainCountChecker.) Not all the parameters here are invalidated, 1443 // but the Malloc checker cannot differentiate between them. The right way 1444 // of doing this would be to implement a pointer escapes callback. 1445 if (FName == "CGBitmapContextCreate" || 1446 FName == "CGBitmapContextCreateWithData" || 1447 FName == "CVPixelBufferCreateWithBytes" || 1448 FName == "CVPixelBufferCreateWithPlanarBytes" || 1449 FName == "OSAtomicEnqueue") { 1450 return false; 1451 } 1452 1453 // Handle cases where we know a buffer's /address/ can escape. 1454 // Note that the above checks handle some special cases where we know that 1455 // even though the address escapes, it's still our responsibility to free the 1456 // buffer. 1457 if (Call->argumentsMayEscape()) 1458 return false; 1459 1460 // Otherwise, assume that the function does not free memory. 1461 // Most system calls do not free the memory. 1462 return true; 1463 } 1464 1465 // If the symbol we are tracking is invalidated, but not explicitly (ex: the &p 1466 // escapes, when we are tracking p), do not track the symbol as we cannot reason 1467 // about it anymore. 1468 ProgramStateRef 1469 MallocChecker::checkRegionChanges(ProgramStateRef State, 1470 const StoreManager::InvalidatedSymbols *invalidated, 1471 ArrayRef<const MemRegion *> ExplicitRegions, 1472 ArrayRef<const MemRegion *> Regions, 1473 const CallEvent *Call) const { 1474 if (!invalidated || invalidated->empty()) 1475 return State; 1476 llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols; 1477 1478 // If it's a call which might free or reallocate memory, we assume that all 1479 // regions (explicit and implicit) escaped. 1480 1481 // Otherwise, whitelist explicit pointers; we still can track them. 1482 if (!Call || doesNotFreeMemory(Call, State)) { 1483 for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(), 1484 E = ExplicitRegions.end(); I != E; ++I) { 1485 if (const SymbolicRegion *R = (*I)->StripCasts()->getAs<SymbolicRegion>()) 1486 WhitelistedSymbols.insert(R->getSymbol()); 1487 } 1488 } 1489 1490 for (StoreManager::InvalidatedSymbols::const_iterator I=invalidated->begin(), 1491 E = invalidated->end(); I!=E; ++I) { 1492 SymbolRef sym = *I; 1493 if (WhitelistedSymbols.count(sym)) 1494 continue; 1495 // The symbol escaped. Note, we assume that if the symbol is released, 1496 // passing it out will result in a use after free. We also keep tracking 1497 // relinquished symbols. 1498 if (const RefState *RS = State->get<RegionState>(sym)) { 1499 if (RS->isAllocated()) 1500 State = State->remove<RegionState>(sym); 1501 } 1502 } 1503 return State; 1504 } 1505 1506 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 1507 ProgramStateRef prevState) { 1508 ReallocMap currMap = currState->get<ReallocPairs>(); 1509 ReallocMap prevMap = prevState->get<ReallocPairs>(); 1510 1511 for (ReallocMap::iterator I = prevMap.begin(), E = prevMap.end(); 1512 I != E; ++I) { 1513 SymbolRef sym = I.getKey(); 1514 if (!currMap.lookup(sym)) 1515 return sym; 1516 } 1517 1518 return NULL; 1519 } 1520 1521 PathDiagnosticPiece * 1522 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 1523 const ExplodedNode *PrevN, 1524 BugReporterContext &BRC, 1525 BugReport &BR) { 1526 ProgramStateRef state = N->getState(); 1527 ProgramStateRef statePrev = PrevN->getState(); 1528 1529 const RefState *RS = state->get<RegionState>(Sym); 1530 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 1531 if (!RS) 1532 return 0; 1533 1534 const Stmt *S = 0; 1535 const char *Msg = 0; 1536 StackHintGeneratorForSymbol *StackHint = 0; 1537 1538 // Retrieve the associated statement. 1539 ProgramPoint ProgLoc = N->getLocation(); 1540 if (StmtPoint *SP = dyn_cast<StmtPoint>(&ProgLoc)) 1541 S = SP->getStmt(); 1542 else if (CallExitEnd *Exit = dyn_cast<CallExitEnd>(&ProgLoc)) 1543 S = Exit->getCalleeContext()->getCallSite(); 1544 // If an assumption was made on a branch, it should be caught 1545 // here by looking at the state transition. 1546 else if (BlockEdge *Edge = dyn_cast<BlockEdge>(&ProgLoc)) { 1547 const CFGBlock *srcBlk = Edge->getSrc(); 1548 S = srcBlk->getTerminator(); 1549 } 1550 if (!S) 1551 return 0; 1552 1553 // FIXME: We will eventually need to handle non-statement-based events 1554 // (__attribute__((cleanup))). 1555 1556 // Find out if this is an interesting point and what is the kind. 1557 if (Mode == Normal) { 1558 if (isAllocated(RS, RSPrev, S)) { 1559 Msg = "Memory is allocated"; 1560 StackHint = new StackHintGeneratorForSymbol(Sym, 1561 "Returned allocated memory"); 1562 } else if (isReleased(RS, RSPrev, S)) { 1563 Msg = "Memory is released"; 1564 StackHint = new StackHintGeneratorForSymbol(Sym, 1565 "Returned released memory"); 1566 } else if (isRelinquished(RS, RSPrev, S)) { 1567 Msg = "Memory ownership is transfered"; 1568 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 1569 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 1570 Mode = ReallocationFailed; 1571 Msg = "Reallocation failed"; 1572 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 1573 "Reallocation failed"); 1574 1575 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 1576 // Is it possible to fail two reallocs WITHOUT testing in between? 1577 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 1578 "We only support one failed realloc at a time."); 1579 BR.markInteresting(sym); 1580 FailedReallocSymbol = sym; 1581 } 1582 } 1583 1584 // We are in a special mode if a reallocation failed later in the path. 1585 } else if (Mode == ReallocationFailed) { 1586 assert(FailedReallocSymbol && "No symbol to look for."); 1587 1588 // Is this is the first appearance of the reallocated symbol? 1589 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 1590 // We're at the reallocation point. 1591 Msg = "Attempt to reallocate memory"; 1592 StackHint = new StackHintGeneratorForSymbol(Sym, 1593 "Returned reallocated memory"); 1594 FailedReallocSymbol = NULL; 1595 Mode = Normal; 1596 } 1597 } 1598 1599 if (!Msg) 1600 return 0; 1601 assert(StackHint); 1602 1603 // Generate the extra diagnostic. 1604 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 1605 N->getLocationContext()); 1606 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 1607 } 1608 1609 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 1610 const char *NL, const char *Sep) const { 1611 1612 RegionStateTy RS = State->get<RegionState>(); 1613 1614 if (!RS.isEmpty()) 1615 Out << "Has Malloc data" << NL; 1616 } 1617 1618 #define REGISTER_CHECKER(name) \ 1619 void ento::register##name(CheckerManager &mgr) {\ 1620 registerCStringCheckerBasic(mgr); \ 1621 mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\ 1622 } 1623 1624 REGISTER_CHECKER(MallocPessimistic) 1625 REGISTER_CHECKER(MallocOptimistic) 1626