1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines a variety of memory management related checkers, such as 10 // leak, double free, and use-after-free. 11 // 12 // The following checkers are defined here: 13 // 14 // * MallocChecker 15 // Despite its name, it models all sorts of memory allocations and 16 // de- or reallocation, including but not limited to malloc, free, 17 // relloc, new, delete. It also reports on a variety of memory misuse 18 // errors. 19 // Many other checkers interact very closely with this checker, in fact, 20 // most are merely options to this one. Other checkers may register 21 // MallocChecker, but do not enable MallocChecker's reports (more details 22 // to follow around its field, ChecksEnabled). 23 // It also has a boolean "Optimistic" checker option, which if set to true 24 // will cause the checker to model user defined memory management related 25 // functions annotated via the attribute ownership_takes, ownership_holds 26 // and ownership_returns. 27 // 28 // * NewDeleteChecker 29 // Enables the modeling of new, new[], delete, delete[] in MallocChecker, 30 // and checks for related double-free and use-after-free errors. 31 // 32 // * NewDeleteLeaksChecker 33 // Checks for leaks related to new, new[], delete, delete[]. 34 // Depends on NewDeleteChecker. 35 // 36 // * MismatchedDeallocatorChecker 37 // Enables checking whether memory is deallocated with the correspending 38 // allocation function in MallocChecker, such as malloc() allocated 39 // regions are only freed by free(), new by delete, new[] by delete[]. 40 // 41 // InnerPointerChecker interacts very closely with MallocChecker, but unlike 42 // the above checkers, it has it's own file, hence the many InnerPointerChecker 43 // related headers and non-static functions. 44 // 45 //===----------------------------------------------------------------------===// 46 47 #include "AllocationState.h" 48 #include "InterCheckerAPI.h" 49 #include "clang/AST/Attr.h" 50 #include "clang/AST/DeclCXX.h" 51 #include "clang/AST/DeclTemplate.h" 52 #include "clang/AST/Expr.h" 53 #include "clang/AST/ExprCXX.h" 54 #include "clang/AST/ParentMap.h" 55 #include "clang/Analysis/ProgramPoint.h" 56 #include "clang/Basic/LLVM.h" 57 #include "clang/Basic/SourceManager.h" 58 #include "clang/Basic/TargetInfo.h" 59 #include "clang/Lex/Lexer.h" 60 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 61 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 62 #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" 63 #include "clang/StaticAnalyzer/Core/Checker.h" 64 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 65 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 66 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 67 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" 68 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" 69 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 70 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 71 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 72 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" 73 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 74 #include "clang/StaticAnalyzer/Core/PathSensitive/StoreRef.h" 75 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 76 #include "llvm/ADT/STLExtras.h" 77 #include "llvm/ADT/SetOperations.h" 78 #include "llvm/ADT/SmallString.h" 79 #include "llvm/ADT/StringExtras.h" 80 #include "llvm/Support/Casting.h" 81 #include "llvm/Support/Compiler.h" 82 #include "llvm/Support/ErrorHandling.h" 83 #include "llvm/Support/raw_ostream.h" 84 #include <climits> 85 #include <functional> 86 #include <utility> 87 88 using namespace clang; 89 using namespace ento; 90 using namespace std::placeholders; 91 92 //===----------------------------------------------------------------------===// 93 // The types of allocation we're modeling. This is used to check whether a 94 // dynamically allocated object is deallocated with the correct function, like 95 // not using operator delete on an object created by malloc(), or alloca regions 96 // aren't ever deallocated manually. 97 //===----------------------------------------------------------------------===// 98 99 namespace { 100 101 // Used to check correspondence between allocators and deallocators. 102 enum AllocationFamily { 103 AF_None, 104 AF_Malloc, 105 AF_CXXNew, 106 AF_CXXNewArray, 107 AF_IfNameIndex, 108 AF_Alloca, 109 AF_InnerBuffer 110 }; 111 112 } // end of anonymous namespace 113 114 /// Print names of allocators and deallocators. 115 /// 116 /// \returns true on success. 117 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E); 118 119 /// Print expected name of an allocator based on the deallocator's family 120 /// derived from the DeallocExpr. 121 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family); 122 123 /// Print expected name of a deallocator based on the allocator's 124 /// family. 125 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family); 126 127 //===----------------------------------------------------------------------===// 128 // The state of a symbol, in terms of memory management. 129 //===----------------------------------------------------------------------===// 130 131 namespace { 132 133 class RefState { 134 enum Kind { 135 // Reference to allocated memory. 136 Allocated, 137 // Reference to zero-allocated memory. 138 AllocatedOfSizeZero, 139 // Reference to released/freed memory. 140 Released, 141 // The responsibility for freeing resources has transferred from 142 // this reference. A relinquished symbol should not be freed. 143 Relinquished, 144 // We are no longer guaranteed to have observed all manipulations 145 // of this pointer/memory. For example, it could have been 146 // passed as a parameter to an opaque function. 147 Escaped 148 }; 149 150 const Stmt *S; 151 152 Kind K; 153 AllocationFamily Family; 154 155 RefState(Kind k, const Stmt *s, AllocationFamily family) 156 : S(s), K(k), Family(family) { 157 assert(family != AF_None); 158 } 159 160 public: 161 bool isAllocated() const { return K == Allocated; } 162 bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; } 163 bool isReleased() const { return K == Released; } 164 bool isRelinquished() const { return K == Relinquished; } 165 bool isEscaped() const { return K == Escaped; } 166 AllocationFamily getAllocationFamily() const { return Family; } 167 const Stmt *getStmt() const { return S; } 168 169 bool operator==(const RefState &X) const { 170 return K == X.K && S == X.S && Family == X.Family; 171 } 172 173 static RefState getAllocated(AllocationFamily family, const Stmt *s) { 174 return RefState(Allocated, s, family); 175 } 176 static RefState getAllocatedOfSizeZero(const RefState *RS) { 177 return RefState(AllocatedOfSizeZero, RS->getStmt(), 178 RS->getAllocationFamily()); 179 } 180 static RefState getReleased(AllocationFamily family, const Stmt *s) { 181 return RefState(Released, s, family); 182 } 183 static RefState getRelinquished(AllocationFamily family, const Stmt *s) { 184 return RefState(Relinquished, s, family); 185 } 186 static RefState getEscaped(const RefState *RS) { 187 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 188 } 189 190 void Profile(llvm::FoldingSetNodeID &ID) const { 191 ID.AddInteger(K); 192 ID.AddPointer(S); 193 ID.AddInteger(Family); 194 } 195 196 LLVM_DUMP_METHOD void dump(raw_ostream &OS) const { 197 switch (K) { 198 #define CASE(ID) case ID: OS << #ID; break; 199 CASE(Allocated) 200 CASE(AllocatedOfSizeZero) 201 CASE(Released) 202 CASE(Relinquished) 203 CASE(Escaped) 204 } 205 } 206 207 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 208 }; 209 210 } // end of anonymous namespace 211 212 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 213 214 /// Check if the memory associated with this symbol was released. 215 static bool isReleased(SymbolRef Sym, CheckerContext &C); 216 217 /// Update the RefState to reflect the new memory allocation. 218 /// The optional \p RetVal parameter specifies the newly allocated pointer 219 /// value; if unspecified, the value of expression \p E is used. 220 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, 221 ProgramStateRef State, 222 AllocationFamily Family, 223 Optional<SVal> RetVal = None); 224 225 //===----------------------------------------------------------------------===// 226 // The modeling of memory reallocation. 227 // 228 // The terminology 'toPtr' and 'fromPtr' will be used: 229 // toPtr = realloc(fromPtr, 20); 230 //===----------------------------------------------------------------------===// 231 232 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef) 233 234 namespace { 235 236 /// The state of 'fromPtr' after reallocation is known to have failed. 237 enum OwnershipAfterReallocKind { 238 // The symbol needs to be freed (e.g.: realloc) 239 OAR_ToBeFreedAfterFailure, 240 // The symbol has been freed (e.g.: reallocf) 241 OAR_FreeOnFailure, 242 // The symbol doesn't have to freed (e.g.: we aren't sure if, how and where 243 // 'fromPtr' was allocated: 244 // void Haha(int *ptr) { 245 // ptr = realloc(ptr, 67); 246 // // ... 247 // } 248 // ). 249 OAR_DoNotTrackAfterFailure 250 }; 251 252 /// Stores information about the 'fromPtr' symbol after reallocation. 253 /// 254 /// This is important because realloc may fail, and that needs special modeling. 255 /// Whether reallocation failed or not will not be known until later, so we'll 256 /// store whether upon failure 'fromPtr' will be freed, or needs to be freed 257 /// later, etc. 258 struct ReallocPair { 259 260 // The 'fromPtr'. 261 SymbolRef ReallocatedSym; 262 OwnershipAfterReallocKind Kind; 263 264 ReallocPair(SymbolRef S, OwnershipAfterReallocKind K) 265 : ReallocatedSym(S), Kind(K) {} 266 void Profile(llvm::FoldingSetNodeID &ID) const { 267 ID.AddInteger(Kind); 268 ID.AddPointer(ReallocatedSym); 269 } 270 bool operator==(const ReallocPair &X) const { 271 return ReallocatedSym == X.ReallocatedSym && 272 Kind == X.Kind; 273 } 274 }; 275 276 } // end of anonymous namespace 277 278 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 279 280 /// Tells if the callee is one of the builtin new/delete operators, including 281 /// placement operators and other standard overloads. 282 static bool isStandardNewDelete(const FunctionDecl *FD); 283 static bool isStandardNewDelete(const CallEvent &Call) { 284 if (!Call.getDecl() || !isa<FunctionDecl>(Call.getDecl())) 285 return false; 286 return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl())); 287 } 288 289 //===----------------------------------------------------------------------===// 290 // Definition of the MallocChecker class. 291 //===----------------------------------------------------------------------===// 292 293 namespace { 294 295 class MallocChecker 296 : public Checker<check::DeadSymbols, check::PointerEscape, 297 check::ConstPointerEscape, check::PreStmt<ReturnStmt>, 298 check::EndFunction, check::PreCall, check::PostCall, 299 check::NewAllocator, check::PostStmt<BlockExpr>, 300 check::PostObjCMessage, check::Location, eval::Assume> { 301 public: 302 /// In pessimistic mode, the checker assumes that it does not know which 303 /// functions might free the memory. 304 /// In optimistic mode, the checker assumes that all user-defined functions 305 /// which might free a pointer are annotated. 306 DefaultBool ShouldIncludeOwnershipAnnotatedFunctions; 307 308 DefaultBool ShouldRegisterNoOwnershipChangeVisitor; 309 310 /// Many checkers are essentially built into this one, so enabling them will 311 /// make MallocChecker perform additional modeling and reporting. 312 enum CheckKind { 313 /// When a subchecker is enabled but MallocChecker isn't, model memory 314 /// management but do not emit warnings emitted with MallocChecker only 315 /// enabled. 316 CK_MallocChecker, 317 CK_NewDeleteChecker, 318 CK_NewDeleteLeaksChecker, 319 CK_MismatchedDeallocatorChecker, 320 CK_InnerPointerChecker, 321 CK_NumCheckKinds 322 }; 323 324 using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>; 325 326 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 327 CheckerNameRef CheckNames[CK_NumCheckKinds]; 328 329 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 330 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 331 void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const; 332 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 333 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 334 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 335 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 336 void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const; 337 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 338 bool Assumption) const; 339 void checkLocation(SVal l, bool isLoad, const Stmt *S, 340 CheckerContext &C) const; 341 342 ProgramStateRef checkPointerEscape(ProgramStateRef State, 343 const InvalidatedSymbols &Escaped, 344 const CallEvent *Call, 345 PointerEscapeKind Kind) const; 346 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 347 const InvalidatedSymbols &Escaped, 348 const CallEvent *Call, 349 PointerEscapeKind Kind) const; 350 351 void printState(raw_ostream &Out, ProgramStateRef State, 352 const char *NL, const char *Sep) const override; 353 354 private: 355 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 356 mutable std::unique_ptr<BugType> BT_DoubleDelete; 357 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; 358 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; 359 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; 360 mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds]; 361 mutable std::unique_ptr<BugType> BT_MismatchedDealloc; 362 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 363 mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds]; 364 365 #define CHECK_FN(NAME) \ 366 void NAME(const CallEvent &Call, CheckerContext &C) const; 367 368 CHECK_FN(checkFree) 369 CHECK_FN(checkIfNameIndex) 370 CHECK_FN(checkBasicAlloc) 371 CHECK_FN(checkKernelMalloc) 372 CHECK_FN(checkCalloc) 373 CHECK_FN(checkAlloca) 374 CHECK_FN(checkStrdup) 375 CHECK_FN(checkIfFreeNameIndex) 376 CHECK_FN(checkCXXNewOrCXXDelete) 377 CHECK_FN(checkGMalloc0) 378 CHECK_FN(checkGMemdup) 379 CHECK_FN(checkGMallocN) 380 CHECK_FN(checkGMallocN0) 381 CHECK_FN(checkReallocN) 382 CHECK_FN(checkOwnershipAttr) 383 384 void checkRealloc(const CallEvent &Call, CheckerContext &C, 385 bool ShouldFreeOnFail) const; 386 387 using CheckFn = std::function<void(const MallocChecker *, 388 const CallEvent &Call, CheckerContext &C)>; 389 390 const CallDescriptionMap<CheckFn> FreeingMemFnMap{ 391 {{"free", 1}, &MallocChecker::checkFree}, 392 {{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex}, 393 {{"kfree", 1}, &MallocChecker::checkFree}, 394 {{"g_free", 1}, &MallocChecker::checkFree}, 395 }; 396 397 bool isFreeingCall(const CallEvent &Call) const; 398 399 CallDescriptionMap<CheckFn> AllocatingMemFnMap{ 400 {{"alloca", 1}, &MallocChecker::checkAlloca}, 401 {{"_alloca", 1}, &MallocChecker::checkAlloca}, 402 {{"malloc", 1}, &MallocChecker::checkBasicAlloc}, 403 {{"malloc", 3}, &MallocChecker::checkKernelMalloc}, 404 {{"calloc", 2}, &MallocChecker::checkCalloc}, 405 {{"valloc", 1}, &MallocChecker::checkBasicAlloc}, 406 {{CDF_MaybeBuiltin, "strndup", 2}, &MallocChecker::checkStrdup}, 407 {{CDF_MaybeBuiltin, "strdup", 1}, &MallocChecker::checkStrdup}, 408 {{"_strdup", 1}, &MallocChecker::checkStrdup}, 409 {{"kmalloc", 2}, &MallocChecker::checkKernelMalloc}, 410 {{"if_nameindex", 1}, &MallocChecker::checkIfNameIndex}, 411 {{CDF_MaybeBuiltin, "wcsdup", 1}, &MallocChecker::checkStrdup}, 412 {{CDF_MaybeBuiltin, "_wcsdup", 1}, &MallocChecker::checkStrdup}, 413 {{"g_malloc", 1}, &MallocChecker::checkBasicAlloc}, 414 {{"g_malloc0", 1}, &MallocChecker::checkGMalloc0}, 415 {{"g_try_malloc", 1}, &MallocChecker::checkBasicAlloc}, 416 {{"g_try_malloc0", 1}, &MallocChecker::checkGMalloc0}, 417 {{"g_memdup", 2}, &MallocChecker::checkGMemdup}, 418 {{"g_malloc_n", 2}, &MallocChecker::checkGMallocN}, 419 {{"g_malloc0_n", 2}, &MallocChecker::checkGMallocN0}, 420 {{"g_try_malloc_n", 2}, &MallocChecker::checkGMallocN}, 421 {{"g_try_malloc0_n", 2}, &MallocChecker::checkGMallocN0}, 422 }; 423 424 CallDescriptionMap<CheckFn> ReallocatingMemFnMap{ 425 {{"realloc", 2}, 426 std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)}, 427 {{"reallocf", 2}, 428 std::bind(&MallocChecker::checkRealloc, _1, _2, _3, true)}, 429 {{"g_realloc", 2}, 430 std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)}, 431 {{"g_try_realloc", 2}, 432 std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)}, 433 {{"g_realloc_n", 3}, &MallocChecker::checkReallocN}, 434 {{"g_try_realloc_n", 3}, &MallocChecker::checkReallocN}, 435 }; 436 437 bool isMemCall(const CallEvent &Call) const; 438 439 // TODO: Remove mutable by moving the initializtaion to the registry function. 440 mutable Optional<uint64_t> KernelZeroFlagVal; 441 442 using KernelZeroSizePtrValueTy = Optional<int>; 443 /// Store the value of macro called `ZERO_SIZE_PTR`. 444 /// The value is initialized at first use, before first use the outer 445 /// Optional is empty, afterwards it contains another Optional that indicates 446 /// if the macro value could be determined, and if yes the value itself. 447 mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue; 448 449 /// Process C++ operator new()'s allocation, which is the part of C++ 450 /// new-expression that goes before the constructor. 451 LLVM_NODISCARD 452 ProgramStateRef processNewAllocation(const CXXAllocatorCall &Call, 453 CheckerContext &C, 454 AllocationFamily Family) const; 455 456 /// Perform a zero-allocation check. 457 /// 458 /// \param [in] Call The expression that allocates memory. 459 /// \param [in] IndexOfSizeArg Index of the argument that specifies the size 460 /// of the memory that needs to be allocated. E.g. for malloc, this would be 461 /// 0. 462 /// \param [in] RetVal Specifies the newly allocated pointer value; 463 /// if unspecified, the value of expression \p E is used. 464 LLVM_NODISCARD 465 static ProgramStateRef ProcessZeroAllocCheck(const CallEvent &Call, 466 const unsigned IndexOfSizeArg, 467 ProgramStateRef State, 468 Optional<SVal> RetVal = None); 469 470 /// Model functions with the ownership_returns attribute. 471 /// 472 /// User-defined function may have the ownership_returns attribute, which 473 /// annotates that the function returns with an object that was allocated on 474 /// the heap, and passes the ownertship to the callee. 475 /// 476 /// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t); 477 /// 478 /// It has two parameters: 479 /// - first: name of the resource (e.g. 'malloc') 480 /// - (OPTIONAL) second: size of the allocated region 481 /// 482 /// \param [in] Call The expression that allocates memory. 483 /// \param [in] Att The ownership_returns attribute. 484 /// \param [in] State The \c ProgramState right before allocation. 485 /// \returns The ProgramState right after allocation. 486 LLVM_NODISCARD 487 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call, 488 const OwnershipAttr *Att, 489 ProgramStateRef State) const; 490 491 /// Models memory allocation. 492 /// 493 /// \param [in] Call The expression that allocates memory. 494 /// \param [in] SizeEx Size of the memory that needs to be allocated. 495 /// \param [in] Init The value the allocated memory needs to be initialized. 496 /// with. For example, \c calloc initializes the allocated memory to 0, 497 /// malloc leaves it undefined. 498 /// \param [in] State The \c ProgramState right before allocation. 499 /// \returns The ProgramState right after allocation. 500 LLVM_NODISCARD 501 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call, 502 const Expr *SizeEx, SVal Init, 503 ProgramStateRef State, 504 AllocationFamily Family); 505 506 /// Models memory allocation. 507 /// 508 /// \param [in] Call The expression that allocates memory. 509 /// \param [in] Size Size of the memory that needs to be allocated. 510 /// \param [in] Init The value the allocated memory needs to be initialized. 511 /// with. For example, \c calloc initializes the allocated memory to 0, 512 /// malloc leaves it undefined. 513 /// \param [in] State The \c ProgramState right before allocation. 514 /// \returns The ProgramState right after allocation. 515 LLVM_NODISCARD 516 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call, 517 SVal Size, SVal Init, 518 ProgramStateRef State, 519 AllocationFamily Family); 520 521 // Check if this malloc() for special flags. At present that means M_ZERO or 522 // __GFP_ZERO (in which case, treat it like calloc). 523 LLVM_NODISCARD 524 llvm::Optional<ProgramStateRef> 525 performKernelMalloc(const CallEvent &Call, CheckerContext &C, 526 const ProgramStateRef &State) const; 527 528 /// Model functions with the ownership_takes and ownership_holds attributes. 529 /// 530 /// User-defined function may have the ownership_takes and/or ownership_holds 531 /// attributes, which annotates that the function frees the memory passed as a 532 /// parameter. 533 /// 534 /// void __attribute((ownership_takes(malloc, 1))) my_free(void *); 535 /// void __attribute((ownership_holds(malloc, 1))) my_hold(void *); 536 /// 537 /// They have two parameters: 538 /// - first: name of the resource (e.g. 'malloc') 539 /// - second: index of the parameter the attribute applies to 540 /// 541 /// \param [in] Call The expression that frees memory. 542 /// \param [in] Att The ownership_takes or ownership_holds attribute. 543 /// \param [in] State The \c ProgramState right before allocation. 544 /// \returns The ProgramState right after deallocation. 545 LLVM_NODISCARD 546 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallEvent &Call, 547 const OwnershipAttr *Att, 548 ProgramStateRef State) const; 549 550 /// Models memory deallocation. 551 /// 552 /// \param [in] Call The expression that frees memory. 553 /// \param [in] State The \c ProgramState right before allocation. 554 /// \param [in] Num Index of the argument that needs to be freed. This is 555 /// normally 0, but for custom free functions it may be different. 556 /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds 557 /// attribute. 558 /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known 559 /// to have been allocated, or in other words, the symbol to be freed was 560 /// registered as allocated by this checker. In the following case, \c ptr 561 /// isn't known to be allocated. 562 /// void Haha(int *ptr) { 563 /// ptr = realloc(ptr, 67); 564 /// // ... 565 /// } 566 /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function 567 /// we're modeling returns with Null on failure. 568 /// \returns The ProgramState right after deallocation. 569 LLVM_NODISCARD 570 ProgramStateRef FreeMemAux(CheckerContext &C, const CallEvent &Call, 571 ProgramStateRef State, unsigned Num, bool Hold, 572 bool &IsKnownToBeAllocated, 573 AllocationFamily Family, 574 bool ReturnsNullOnFailure = false) const; 575 576 /// Models memory deallocation. 577 /// 578 /// \param [in] ArgExpr The variable who's pointee needs to be freed. 579 /// \param [in] Call The expression that frees the memory. 580 /// \param [in] State The \c ProgramState right before allocation. 581 /// normally 0, but for custom free functions it may be different. 582 /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds 583 /// attribute. 584 /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known 585 /// to have been allocated, or in other words, the symbol to be freed was 586 /// registered as allocated by this checker. In the following case, \c ptr 587 /// isn't known to be allocated. 588 /// void Haha(int *ptr) { 589 /// ptr = realloc(ptr, 67); 590 /// // ... 591 /// } 592 /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function 593 /// we're modeling returns with Null on failure. 594 /// \returns The ProgramState right after deallocation. 595 LLVM_NODISCARD 596 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *ArgExpr, 597 const CallEvent &Call, ProgramStateRef State, 598 bool Hold, bool &IsKnownToBeAllocated, 599 AllocationFamily Family, 600 bool ReturnsNullOnFailure = false) const; 601 602 // TODO: Needs some refactoring, as all other deallocation modeling 603 // functions are suffering from out parameters and messy code due to how 604 // realloc is handled. 605 // 606 /// Models memory reallocation. 607 /// 608 /// \param [in] Call The expression that reallocated memory 609 /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied 610 /// memory should be freed. 611 /// \param [in] State The \c ProgramState right before reallocation. 612 /// \param [in] SuffixWithN Whether the reallocation function we're modeling 613 /// has an '_n' suffix, such as g_realloc_n. 614 /// \returns The ProgramState right after reallocation. 615 LLVM_NODISCARD 616 ProgramStateRef ReallocMemAux(CheckerContext &C, const CallEvent &Call, 617 bool ShouldFreeOnFail, ProgramStateRef State, 618 AllocationFamily Family, 619 bool SuffixWithN = false) const; 620 621 /// Evaluates the buffer size that needs to be allocated. 622 /// 623 /// \param [in] Blocks The amount of blocks that needs to be allocated. 624 /// \param [in] BlockBytes The size of a block. 625 /// \returns The symbolic value of \p Blocks * \p BlockBytes. 626 LLVM_NODISCARD 627 static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 628 const Expr *BlockBytes); 629 630 /// Models zero initialized array allocation. 631 /// 632 /// \param [in] Call The expression that reallocated memory 633 /// \param [in] State The \c ProgramState right before reallocation. 634 /// \returns The ProgramState right after allocation. 635 LLVM_NODISCARD 636 static ProgramStateRef CallocMem(CheckerContext &C, const CallEvent &Call, 637 ProgramStateRef State); 638 639 /// See if deallocation happens in a suspicious context. If so, escape the 640 /// pointers that otherwise would have been deallocated and return true. 641 bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call, 642 CheckerContext &C) const; 643 644 /// If in \p S \p Sym is used, check whether \p Sym was already freed. 645 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 646 647 /// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero 648 /// sized memory region. 649 void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 650 const Stmt *S) const; 651 652 /// If in \p S \p Sym is being freed, check whether \p Sym was already freed. 653 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 654 655 /// Check if the function is known to free memory, or if it is 656 /// "interesting" and should be modeled explicitly. 657 /// 658 /// \param [out] EscapingSymbol A function might not free memory in general, 659 /// but could be known to free a particular symbol. In this case, false is 660 /// returned and the single escaping symbol is returned through the out 661 /// parameter. 662 /// 663 /// We assume that pointers do not escape through calls to system functions 664 /// not handled by this checker. 665 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 666 ProgramStateRef State, 667 SymbolRef &EscapingSymbol) const; 668 669 /// Implementation of the checkPointerEscape callbacks. 670 LLVM_NODISCARD 671 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 672 const InvalidatedSymbols &Escaped, 673 const CallEvent *Call, 674 PointerEscapeKind Kind, 675 bool IsConstPointerEscape) const; 676 677 // Implementation of the checkPreStmt and checkEndFunction callbacks. 678 void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const; 679 680 ///@{ 681 /// Tells if a given family/call/symbol is tracked by the current checker. 682 /// Sets CheckKind to the kind of the checker responsible for this 683 /// family/call/symbol. 684 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family, 685 bool IsALeakCheck = false) const; 686 687 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 688 bool IsALeakCheck = false) const; 689 ///@} 690 static bool SummarizeValue(raw_ostream &os, SVal V); 691 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 692 693 void HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, SourceRange Range, 694 const Expr *DeallocExpr, 695 AllocationFamily Family) const; 696 697 void HandleFreeAlloca(CheckerContext &C, SVal ArgVal, 698 SourceRange Range) const; 699 700 void HandleMismatchedDealloc(CheckerContext &C, SourceRange Range, 701 const Expr *DeallocExpr, const RefState *RS, 702 SymbolRef Sym, bool OwnershipTransferred) const; 703 704 void HandleOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 705 const Expr *DeallocExpr, AllocationFamily Family, 706 const Expr *AllocExpr = nullptr) const; 707 708 void HandleUseAfterFree(CheckerContext &C, SourceRange Range, 709 SymbolRef Sym) const; 710 711 void HandleDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 712 SymbolRef Sym, SymbolRef PrevSym) const; 713 714 void HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 715 716 void HandleUseZeroAlloc(CheckerContext &C, SourceRange Range, 717 SymbolRef Sym) const; 718 719 void HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 720 const Expr *FreeExpr, 721 AllocationFamily Family) const; 722 723 /// Find the location of the allocation for Sym on the path leading to the 724 /// exploded node N. 725 static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 726 CheckerContext &C); 727 728 void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 729 730 /// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`. 731 bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C, 732 SVal ArgVal) const; 733 }; 734 } // end anonymous namespace 735 736 //===----------------------------------------------------------------------===// 737 // Definition of NoOwnershipChangeVisitor. 738 //===----------------------------------------------------------------------===// 739 740 namespace { 741 class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor { 742 SymbolRef Sym; 743 using OwnerSet = llvm::SmallPtrSet<const MemRegion *, 8>; 744 745 // Collect which entities point to the allocated memory, and could be 746 // responsible for deallocating it. 747 class OwnershipBindingsHandler : public StoreManager::BindingsHandler { 748 SymbolRef Sym; 749 OwnerSet &Owners; 750 751 public: 752 OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners) 753 : Sym(Sym), Owners(Owners) {} 754 755 bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region, 756 SVal Val) override { 757 if (Val.getAsSymbol() == Sym) 758 Owners.insert(Region); 759 return true; 760 } 761 762 LLVM_DUMP_METHOD void dump() const { dumpToStream(llvm::errs()); } 763 LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &out) const { 764 out << "Owners: {\n"; 765 for (const MemRegion *Owner : Owners) { 766 out << " "; 767 Owner->dumpToStream(out); 768 out << ",\n"; 769 } 770 out << "}\n"; 771 } 772 }; 773 774 protected: 775 OwnerSet getOwnersAtNode(const ExplodedNode *N) { 776 OwnerSet Ret; 777 778 ProgramStateRef State = N->getState(); 779 OwnershipBindingsHandler Handler{Sym, Ret}; 780 State->getStateManager().getStoreManager().iterBindings(State->getStore(), 781 Handler); 782 return Ret; 783 } 784 785 LLVM_DUMP_METHOD static std::string 786 getFunctionName(const ExplodedNode *CallEnterN) { 787 if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>( 788 CallEnterN->getLocationAs<CallEnter>()->getCallExpr())) 789 if (const FunctionDecl *FD = CE->getDirectCallee()) 790 return FD->getQualifiedNameAsString(); 791 return ""; 792 } 793 794 virtual bool 795 wasModifiedInFunction(const ExplodedNode *CallEnterN, 796 const ExplodedNode *CallExitEndN) override { 797 if (CallEnterN->getState()->get<RegionState>(Sym) != 798 CallExitEndN->getState()->get<RegionState>(Sym)) 799 return true; 800 801 OwnerSet CurrOwners = getOwnersAtNode(CallEnterN); 802 OwnerSet ExitOwners = getOwnersAtNode(CallExitEndN); 803 804 // Owners in the current set may be purged from the analyzer later on. 805 // If a variable is dead (is not referenced directly or indirectly after 806 // some point), it will be removed from the Store before the end of its 807 // actual lifetime. 808 // This means that that if the ownership status didn't change, CurrOwners 809 // must be a superset of, but not necessarily equal to ExitOwners. 810 return !llvm::set_is_subset(ExitOwners, CurrOwners); 811 } 812 813 static PathDiagnosticPieceRef emitNote(const ExplodedNode *N) { 814 PathDiagnosticLocation L = PathDiagnosticLocation::create( 815 N->getLocation(), 816 N->getState()->getStateManager().getContext().getSourceManager()); 817 return std::make_shared<PathDiagnosticEventPiece>( 818 L, "Returning without deallocating memory or storing the pointer for " 819 "later deallocation"); 820 } 821 822 virtual PathDiagnosticPieceRef 823 maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R, 824 const ObjCMethodCall &Call, 825 const ExplodedNode *N) override { 826 // TODO: Implement. 827 return nullptr; 828 } 829 830 virtual PathDiagnosticPieceRef 831 maybeEmitNoteForCXXThis(PathSensitiveBugReport &R, 832 const CXXConstructorCall &Call, 833 const ExplodedNode *N) override { 834 // TODO: Implement. 835 return nullptr; 836 } 837 838 virtual PathDiagnosticPieceRef 839 maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call, 840 const ExplodedNode *N) override { 841 // TODO: Factor the logic of "what constitutes as an entity being passed 842 // into a function call" out by reusing the code in 843 // NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating 844 // the printing technology in UninitializedObject's FieldChainInfo. 845 ArrayRef<ParmVarDecl *> Parameters = Call.parameters(); 846 for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) { 847 SVal V = Call.getArgSVal(I); 848 if (V.getAsSymbol() == Sym) 849 return emitNote(N); 850 } 851 return nullptr; 852 } 853 854 public: 855 NoOwnershipChangeVisitor(SymbolRef Sym) 856 : NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough), 857 Sym(Sym) {} 858 859 void Profile(llvm::FoldingSetNodeID &ID) const override { 860 static int Tag = 0; 861 ID.AddPointer(&Tag); 862 ID.AddPointer(Sym); 863 } 864 865 void *getTag() const { 866 static int Tag = 0; 867 return static_cast<void *>(&Tag); 868 } 869 }; 870 871 } // end anonymous namespace 872 873 //===----------------------------------------------------------------------===// 874 // Definition of MallocBugVisitor. 875 //===----------------------------------------------------------------------===// 876 877 namespace { 878 /// The bug visitor which allows us to print extra diagnostics along the 879 /// BugReport path. For example, showing the allocation site of the leaked 880 /// region. 881 class MallocBugVisitor final : public BugReporterVisitor { 882 protected: 883 enum NotificationMode { Normal, ReallocationFailed }; 884 885 // The allocated region symbol tracked by the main analysis. 886 SymbolRef Sym; 887 888 // The mode we are in, i.e. what kind of diagnostics will be emitted. 889 NotificationMode Mode; 890 891 // A symbol from when the primary region should have been reallocated. 892 SymbolRef FailedReallocSymbol; 893 894 // A C++ destructor stack frame in which memory was released. Used for 895 // miscellaneous false positive suppression. 896 const StackFrameContext *ReleaseDestructorLC; 897 898 bool IsLeak; 899 900 public: 901 MallocBugVisitor(SymbolRef S, bool isLeak = false) 902 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), 903 ReleaseDestructorLC(nullptr), IsLeak(isLeak) {} 904 905 static void *getTag() { 906 static int Tag = 0; 907 return &Tag; 908 } 909 910 void Profile(llvm::FoldingSetNodeID &ID) const override { 911 ID.AddPointer(getTag()); 912 ID.AddPointer(Sym); 913 } 914 915 /// Did not track -> allocated. Other state (released) -> allocated. 916 static inline bool isAllocated(const RefState *RSCurr, const RefState *RSPrev, 917 const Stmt *Stmt) { 918 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 919 (RSCurr && 920 (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) && 921 (!RSPrev || 922 !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero()))); 923 } 924 925 /// Did not track -> released. Other state (allocated) -> released. 926 /// The statement associated with the release might be missing. 927 static inline bool isReleased(const RefState *RSCurr, const RefState *RSPrev, 928 const Stmt *Stmt) { 929 bool IsReleased = 930 (RSCurr && RSCurr->isReleased()) && (!RSPrev || !RSPrev->isReleased()); 931 assert(!IsReleased || 932 (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || 933 (!Stmt && RSCurr->getAllocationFamily() == AF_InnerBuffer)); 934 return IsReleased; 935 } 936 937 /// Did not track -> relinquished. Other state (allocated) -> relinquished. 938 static inline bool isRelinquished(const RefState *RSCurr, 939 const RefState *RSPrev, const Stmt *Stmt) { 940 return (Stmt && 941 (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 942 isa<ObjCPropertyRefExpr>(Stmt)) && 943 (RSCurr && RSCurr->isRelinquished()) && 944 (!RSPrev || !RSPrev->isRelinquished())); 945 } 946 947 /// If the expression is not a call, and the state change is 948 /// released -> allocated, it must be the realloc return value 949 /// check. If we have to handle more cases here, it might be cleaner just 950 /// to track this extra bit in the state itself. 951 static inline bool hasReallocFailed(const RefState *RSCurr, 952 const RefState *RSPrev, 953 const Stmt *Stmt) { 954 return ((!Stmt || !isa<CallExpr>(Stmt)) && 955 (RSCurr && 956 (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) && 957 (RSPrev && 958 !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero()))); 959 } 960 961 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 962 BugReporterContext &BRC, 963 PathSensitiveBugReport &BR) override; 964 965 PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC, 966 const ExplodedNode *EndPathNode, 967 PathSensitiveBugReport &BR) override { 968 if (!IsLeak) 969 return nullptr; 970 971 PathDiagnosticLocation L = BR.getLocation(); 972 // Do not add the statement itself as a range in case of leak. 973 return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(), 974 false); 975 } 976 977 private: 978 class StackHintGeneratorForReallocationFailed 979 : public StackHintGeneratorForSymbol { 980 public: 981 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 982 : StackHintGeneratorForSymbol(S, M) {} 983 984 std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) override { 985 // Printed parameters start at 1, not 0. 986 ++ArgIndex; 987 988 SmallString<200> buf; 989 llvm::raw_svector_ostream os(buf); 990 991 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 992 << " parameter failed"; 993 994 return std::string(os.str()); 995 } 996 997 std::string getMessageForReturn(const CallExpr *CallExpr) override { 998 return "Reallocation of returned value failed"; 999 } 1000 }; 1001 }; 1002 } // end anonymous namespace 1003 1004 // A map from the freed symbol to the symbol representing the return value of 1005 // the free function. 1006 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 1007 1008 namespace { 1009 class StopTrackingCallback final : public SymbolVisitor { 1010 ProgramStateRef state; 1011 1012 public: 1013 StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {} 1014 ProgramStateRef getState() const { return state; } 1015 1016 bool VisitSymbol(SymbolRef sym) override { 1017 state = state->remove<RegionState>(sym); 1018 return true; 1019 } 1020 }; 1021 } // end anonymous namespace 1022 1023 static bool isStandardNewDelete(const FunctionDecl *FD) { 1024 if (!FD) 1025 return false; 1026 1027 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 1028 if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete && 1029 Kind != OO_Array_Delete) 1030 return false; 1031 1032 // This is standard if and only if it's not defined in a user file. 1033 SourceLocation L = FD->getLocation(); 1034 // If the header for operator delete is not included, it's still defined 1035 // in an invalid source location. Check to make sure we don't crash. 1036 return !L.isValid() || 1037 FD->getASTContext().getSourceManager().isInSystemHeader(L); 1038 } 1039 1040 //===----------------------------------------------------------------------===// 1041 // Methods of MallocChecker and MallocBugVisitor. 1042 //===----------------------------------------------------------------------===// 1043 1044 bool MallocChecker::isFreeingCall(const CallEvent &Call) const { 1045 if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call)) 1046 return true; 1047 1048 const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); 1049 if (Func && Func->hasAttrs()) { 1050 for (const auto *I : Func->specific_attrs<OwnershipAttr>()) { 1051 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 1052 if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) 1053 return true; 1054 } 1055 } 1056 return false; 1057 } 1058 1059 bool MallocChecker::isMemCall(const CallEvent &Call) const { 1060 if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) || 1061 ReallocatingMemFnMap.lookup(Call)) 1062 return true; 1063 1064 if (!ShouldIncludeOwnershipAnnotatedFunctions) 1065 return false; 1066 1067 const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); 1068 return Func && Func->hasAttr<OwnershipAttr>(); 1069 } 1070 1071 llvm::Optional<ProgramStateRef> 1072 MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C, 1073 const ProgramStateRef &State) const { 1074 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: 1075 // 1076 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); 1077 // 1078 // One of the possible flags is M_ZERO, which means 'give me back an 1079 // allocation which is already zeroed', like calloc. 1080 1081 // 2-argument kmalloc(), as used in the Linux kernel: 1082 // 1083 // void *kmalloc(size_t size, gfp_t flags); 1084 // 1085 // Has the similar flag value __GFP_ZERO. 1086 1087 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some 1088 // code could be shared. 1089 1090 ASTContext &Ctx = C.getASTContext(); 1091 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); 1092 1093 if (!KernelZeroFlagVal.hasValue()) { 1094 if (OS == llvm::Triple::FreeBSD) 1095 KernelZeroFlagVal = 0x0100; 1096 else if (OS == llvm::Triple::NetBSD) 1097 KernelZeroFlagVal = 0x0002; 1098 else if (OS == llvm::Triple::OpenBSD) 1099 KernelZeroFlagVal = 0x0008; 1100 else if (OS == llvm::Triple::Linux) 1101 // __GFP_ZERO 1102 KernelZeroFlagVal = 0x8000; 1103 else 1104 // FIXME: We need a more general way of getting the M_ZERO value. 1105 // See also: O_CREAT in UnixAPIChecker.cpp. 1106 1107 // Fall back to normal malloc behavior on platforms where we don't 1108 // know M_ZERO. 1109 return None; 1110 } 1111 1112 // We treat the last argument as the flags argument, and callers fall-back to 1113 // normal malloc on a None return. This works for the FreeBSD kernel malloc 1114 // as well as Linux kmalloc. 1115 if (Call.getNumArgs() < 2) 1116 return None; 1117 1118 const Expr *FlagsEx = Call.getArgExpr(Call.getNumArgs() - 1); 1119 const SVal V = C.getSVal(FlagsEx); 1120 if (!V.getAs<NonLoc>()) { 1121 // The case where 'V' can be a location can only be due to a bad header, 1122 // so in this case bail out. 1123 return None; 1124 } 1125 1126 NonLoc Flags = V.castAs<NonLoc>(); 1127 NonLoc ZeroFlag = C.getSValBuilder() 1128 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) 1129 .castAs<NonLoc>(); 1130 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, 1131 Flags, ZeroFlag, 1132 FlagsEx->getType()); 1133 if (MaskedFlagsUC.isUnknownOrUndef()) 1134 return None; 1135 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); 1136 1137 // Check if maskedFlags is non-zero. 1138 ProgramStateRef TrueState, FalseState; 1139 std::tie(TrueState, FalseState) = State->assume(MaskedFlags); 1140 1141 // If M_ZERO is set, treat this like calloc (initialized). 1142 if (TrueState && !FalseState) { 1143 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); 1144 return MallocMemAux(C, Call, Call.getArgExpr(0), ZeroVal, TrueState, 1145 AF_Malloc); 1146 } 1147 1148 return None; 1149 } 1150 1151 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 1152 const Expr *BlockBytes) { 1153 SValBuilder &SB = C.getSValBuilder(); 1154 SVal BlocksVal = C.getSVal(Blocks); 1155 SVal BlockBytesVal = C.getSVal(BlockBytes); 1156 ProgramStateRef State = C.getState(); 1157 SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal, 1158 SB.getContext().getSizeType()); 1159 return TotalSize; 1160 } 1161 1162 void MallocChecker::checkBasicAlloc(const CallEvent &Call, 1163 CheckerContext &C) const { 1164 ProgramStateRef State = C.getState(); 1165 State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State, 1166 AF_Malloc); 1167 State = ProcessZeroAllocCheck(Call, 0, State); 1168 C.addTransition(State); 1169 } 1170 1171 void MallocChecker::checkKernelMalloc(const CallEvent &Call, 1172 CheckerContext &C) const { 1173 ProgramStateRef State = C.getState(); 1174 llvm::Optional<ProgramStateRef> MaybeState = 1175 performKernelMalloc(Call, C, State); 1176 if (MaybeState.hasValue()) 1177 State = MaybeState.getValue(); 1178 else 1179 State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State, 1180 AF_Malloc); 1181 C.addTransition(State); 1182 } 1183 1184 static bool isStandardRealloc(const CallEvent &Call) { 1185 const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl()); 1186 assert(FD); 1187 ASTContext &AC = FD->getASTContext(); 1188 1189 if (isa<CXXMethodDecl>(FD)) 1190 return false; 1191 1192 return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy && 1193 FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy && 1194 FD->getParamDecl(1)->getType().getDesugaredType(AC) == 1195 AC.getSizeType(); 1196 } 1197 1198 static bool isGRealloc(const CallEvent &Call) { 1199 const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl()); 1200 assert(FD); 1201 ASTContext &AC = FD->getASTContext(); 1202 1203 if (isa<CXXMethodDecl>(FD)) 1204 return false; 1205 1206 return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy && 1207 FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy && 1208 FD->getParamDecl(1)->getType().getDesugaredType(AC) == 1209 AC.UnsignedLongTy; 1210 } 1211 1212 void MallocChecker::checkRealloc(const CallEvent &Call, CheckerContext &C, 1213 bool ShouldFreeOnFail) const { 1214 // HACK: CallDescription currently recognizes non-standard realloc functions 1215 // as standard because it doesn't check the type, or wether its a non-method 1216 // function. This should be solved by making CallDescription smarter. 1217 // Mind that this came from a bug report, and all other functions suffer from 1218 // this. 1219 // https://bugs.llvm.org/show_bug.cgi?id=46253 1220 if (!isStandardRealloc(Call) && !isGRealloc(Call)) 1221 return; 1222 ProgramStateRef State = C.getState(); 1223 State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, AF_Malloc); 1224 State = ProcessZeroAllocCheck(Call, 1, State); 1225 C.addTransition(State); 1226 } 1227 1228 void MallocChecker::checkCalloc(const CallEvent &Call, 1229 CheckerContext &C) const { 1230 ProgramStateRef State = C.getState(); 1231 State = CallocMem(C, Call, State); 1232 State = ProcessZeroAllocCheck(Call, 0, State); 1233 State = ProcessZeroAllocCheck(Call, 1, State); 1234 C.addTransition(State); 1235 } 1236 1237 void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const { 1238 ProgramStateRef State = C.getState(); 1239 bool IsKnownToBeAllocatedMemory = false; 1240 if (suppressDeallocationsInSuspiciousContexts(Call, C)) 1241 return; 1242 State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, 1243 AF_Malloc); 1244 C.addTransition(State); 1245 } 1246 1247 void MallocChecker::checkAlloca(const CallEvent &Call, 1248 CheckerContext &C) const { 1249 ProgramStateRef State = C.getState(); 1250 State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State, 1251 AF_Alloca); 1252 State = ProcessZeroAllocCheck(Call, 0, State); 1253 C.addTransition(State); 1254 } 1255 1256 void MallocChecker::checkStrdup(const CallEvent &Call, 1257 CheckerContext &C) const { 1258 ProgramStateRef State = C.getState(); 1259 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); 1260 if (!CE) 1261 return; 1262 State = MallocUpdateRefState(C, CE, State, AF_Malloc); 1263 1264 C.addTransition(State); 1265 } 1266 1267 void MallocChecker::checkIfNameIndex(const CallEvent &Call, 1268 CheckerContext &C) const { 1269 ProgramStateRef State = C.getState(); 1270 // Should we model this differently? We can allocate a fixed number of 1271 // elements with zeros in the last one. 1272 State = 1273 MallocMemAux(C, Call, UnknownVal(), UnknownVal(), State, AF_IfNameIndex); 1274 1275 C.addTransition(State); 1276 } 1277 1278 void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call, 1279 CheckerContext &C) const { 1280 ProgramStateRef State = C.getState(); 1281 bool IsKnownToBeAllocatedMemory = false; 1282 State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, 1283 AF_IfNameIndex); 1284 C.addTransition(State); 1285 } 1286 1287 void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call, 1288 CheckerContext &C) const { 1289 ProgramStateRef State = C.getState(); 1290 bool IsKnownToBeAllocatedMemory = false; 1291 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); 1292 if (!CE) 1293 return; 1294 1295 assert(isStandardNewDelete(Call)); 1296 1297 // Process direct calls to operator new/new[]/delete/delete[] functions 1298 // as distinct from new/new[]/delete/delete[] expressions that are 1299 // processed by the checkPostStmt callbacks for CXXNewExpr and 1300 // CXXDeleteExpr. 1301 const FunctionDecl *FD = C.getCalleeDecl(CE); 1302 switch (FD->getOverloadedOperator()) { 1303 case OO_New: 1304 State = 1305 MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, AF_CXXNew); 1306 State = ProcessZeroAllocCheck(Call, 0, State); 1307 break; 1308 case OO_Array_New: 1309 State = MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, 1310 AF_CXXNewArray); 1311 State = ProcessZeroAllocCheck(Call, 0, State); 1312 break; 1313 case OO_Delete: 1314 State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, 1315 AF_CXXNew); 1316 break; 1317 case OO_Array_Delete: 1318 State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, 1319 AF_CXXNewArray); 1320 break; 1321 default: 1322 llvm_unreachable("not a new/delete operator"); 1323 } 1324 1325 C.addTransition(State); 1326 } 1327 1328 void MallocChecker::checkGMalloc0(const CallEvent &Call, 1329 CheckerContext &C) const { 1330 ProgramStateRef State = C.getState(); 1331 SValBuilder &svalBuilder = C.getSValBuilder(); 1332 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1333 State = MallocMemAux(C, Call, Call.getArgExpr(0), zeroVal, State, AF_Malloc); 1334 State = ProcessZeroAllocCheck(Call, 0, State); 1335 C.addTransition(State); 1336 } 1337 1338 void MallocChecker::checkGMemdup(const CallEvent &Call, 1339 CheckerContext &C) const { 1340 ProgramStateRef State = C.getState(); 1341 State = MallocMemAux(C, Call, Call.getArgExpr(1), UndefinedVal(), State, 1342 AF_Malloc); 1343 State = ProcessZeroAllocCheck(Call, 1, State); 1344 C.addTransition(State); 1345 } 1346 1347 void MallocChecker::checkGMallocN(const CallEvent &Call, 1348 CheckerContext &C) const { 1349 ProgramStateRef State = C.getState(); 1350 SVal Init = UndefinedVal(); 1351 SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1)); 1352 State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc); 1353 State = ProcessZeroAllocCheck(Call, 0, State); 1354 State = ProcessZeroAllocCheck(Call, 1, State); 1355 C.addTransition(State); 1356 } 1357 1358 void MallocChecker::checkGMallocN0(const CallEvent &Call, 1359 CheckerContext &C) const { 1360 ProgramStateRef State = C.getState(); 1361 SValBuilder &SB = C.getSValBuilder(); 1362 SVal Init = SB.makeZeroVal(SB.getContext().CharTy); 1363 SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1)); 1364 State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc); 1365 State = ProcessZeroAllocCheck(Call, 0, State); 1366 State = ProcessZeroAllocCheck(Call, 1, State); 1367 C.addTransition(State); 1368 } 1369 1370 void MallocChecker::checkReallocN(const CallEvent &Call, 1371 CheckerContext &C) const { 1372 ProgramStateRef State = C.getState(); 1373 State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, AF_Malloc, 1374 /*SuffixWithN=*/true); 1375 State = ProcessZeroAllocCheck(Call, 1, State); 1376 State = ProcessZeroAllocCheck(Call, 2, State); 1377 C.addTransition(State); 1378 } 1379 1380 void MallocChecker::checkOwnershipAttr(const CallEvent &Call, 1381 CheckerContext &C) const { 1382 ProgramStateRef State = C.getState(); 1383 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); 1384 if (!CE) 1385 return; 1386 const FunctionDecl *FD = C.getCalleeDecl(CE); 1387 if (!FD) 1388 return; 1389 if (ShouldIncludeOwnershipAnnotatedFunctions || 1390 ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 1391 // Check all the attributes, if there are any. 1392 // There can be multiple of these attributes. 1393 if (FD->hasAttrs()) 1394 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 1395 switch (I->getOwnKind()) { 1396 case OwnershipAttr::Returns: 1397 State = MallocMemReturnsAttr(C, Call, I, State); 1398 break; 1399 case OwnershipAttr::Takes: 1400 case OwnershipAttr::Holds: 1401 State = FreeMemAttr(C, Call, I, State); 1402 break; 1403 } 1404 } 1405 } 1406 C.addTransition(State); 1407 } 1408 1409 void MallocChecker::checkPostCall(const CallEvent &Call, 1410 CheckerContext &C) const { 1411 if (C.wasInlined) 1412 return; 1413 if (!Call.getOriginExpr()) 1414 return; 1415 1416 ProgramStateRef State = C.getState(); 1417 1418 if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) { 1419 (*Callback)(this, Call, C); 1420 return; 1421 } 1422 1423 if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) { 1424 (*Callback)(this, Call, C); 1425 return; 1426 } 1427 1428 if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) { 1429 (*Callback)(this, Call, C); 1430 return; 1431 } 1432 1433 if (isStandardNewDelete(Call)) { 1434 checkCXXNewOrCXXDelete(Call, C); 1435 return; 1436 } 1437 1438 checkOwnershipAttr(Call, C); 1439 } 1440 1441 // Performs a 0-sized allocations check. 1442 ProgramStateRef MallocChecker::ProcessZeroAllocCheck( 1443 const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State, 1444 Optional<SVal> RetVal) { 1445 if (!State) 1446 return nullptr; 1447 1448 if (!RetVal) 1449 RetVal = Call.getReturnValue(); 1450 1451 const Expr *Arg = nullptr; 1452 1453 if (const CallExpr *CE = dyn_cast<CallExpr>(Call.getOriginExpr())) { 1454 Arg = CE->getArg(IndexOfSizeArg); 1455 } else if (const CXXNewExpr *NE = 1456 dyn_cast<CXXNewExpr>(Call.getOriginExpr())) { 1457 if (NE->isArray()) { 1458 Arg = *NE->getArraySize(); 1459 } else { 1460 return State; 1461 } 1462 } else 1463 llvm_unreachable("not a CallExpr or CXXNewExpr"); 1464 1465 assert(Arg); 1466 1467 auto DefArgVal = 1468 State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>(); 1469 1470 if (!DefArgVal) 1471 return State; 1472 1473 // Check if the allocation size is 0. 1474 ProgramStateRef TrueState, FalseState; 1475 SValBuilder &SvalBuilder = State->getStateManager().getSValBuilder(); 1476 DefinedSVal Zero = 1477 SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>(); 1478 1479 std::tie(TrueState, FalseState) = 1480 State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero)); 1481 1482 if (TrueState && !FalseState) { 1483 SymbolRef Sym = RetVal->getAsLocSymbol(); 1484 if (!Sym) 1485 return State; 1486 1487 const RefState *RS = State->get<RegionState>(Sym); 1488 if (RS) { 1489 if (RS->isAllocated()) 1490 return TrueState->set<RegionState>(Sym, 1491 RefState::getAllocatedOfSizeZero(RS)); 1492 else 1493 return State; 1494 } else { 1495 // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as 1496 // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not 1497 // tracked. Add zero-reallocated Sym to the state to catch references 1498 // to zero-allocated memory. 1499 return TrueState->add<ReallocSizeZeroSymbols>(Sym); 1500 } 1501 } 1502 1503 // Assume the value is non-zero going forward. 1504 assert(FalseState); 1505 return FalseState; 1506 } 1507 1508 static QualType getDeepPointeeType(QualType T) { 1509 QualType Result = T, PointeeType = T->getPointeeType(); 1510 while (!PointeeType.isNull()) { 1511 Result = PointeeType; 1512 PointeeType = PointeeType->getPointeeType(); 1513 } 1514 return Result; 1515 } 1516 1517 /// \returns true if the constructor invoked by \p NE has an argument of a 1518 /// pointer/reference to a record type. 1519 static bool hasNonTrivialConstructorCall(const CXXNewExpr *NE) { 1520 1521 const CXXConstructExpr *ConstructE = NE->getConstructExpr(); 1522 if (!ConstructE) 1523 return false; 1524 1525 if (!NE->getAllocatedType()->getAsCXXRecordDecl()) 1526 return false; 1527 1528 const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); 1529 1530 // Iterate over the constructor parameters. 1531 for (const auto *CtorParam : CtorD->parameters()) { 1532 1533 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); 1534 if (CtorParamPointeeT.isNull()) 1535 continue; 1536 1537 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); 1538 1539 if (CtorParamPointeeT->getAsCXXRecordDecl()) 1540 return true; 1541 } 1542 1543 return false; 1544 } 1545 1546 ProgramStateRef 1547 MallocChecker::processNewAllocation(const CXXAllocatorCall &Call, 1548 CheckerContext &C, 1549 AllocationFamily Family) const { 1550 if (!isStandardNewDelete(Call)) 1551 return nullptr; 1552 1553 const CXXNewExpr *NE = Call.getOriginExpr(); 1554 const ParentMap &PM = C.getLocationContext()->getParentMap(); 1555 ProgramStateRef State = C.getState(); 1556 1557 // Non-trivial constructors have a chance to escape 'this', but marking all 1558 // invocations of trivial constructors as escaped would cause too great of 1559 // reduction of true positives, so let's just do that for constructors that 1560 // have an argument of a pointer-to-record type. 1561 if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE)) 1562 return State; 1563 1564 // The return value from operator new is bound to a specified initialization 1565 // value (if any) and we don't want to loose this value. So we call 1566 // MallocUpdateRefState() instead of MallocMemAux() which breaks the 1567 // existing binding. 1568 SVal Target = Call.getObjectUnderConstruction(); 1569 State = MallocUpdateRefState(C, NE, State, Family, Target); 1570 State = ProcessZeroAllocCheck(Call, 0, State, Target); 1571 return State; 1572 } 1573 1574 void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call, 1575 CheckerContext &C) const { 1576 if (!C.wasInlined) { 1577 ProgramStateRef State = processNewAllocation( 1578 Call, C, 1579 (Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew)); 1580 C.addTransition(State); 1581 } 1582 } 1583 1584 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 1585 // If the first selector piece is one of the names below, assume that the 1586 // object takes ownership of the memory, promising to eventually deallocate it 1587 // with free(). 1588 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1589 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 1590 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 1591 return FirstSlot == "dataWithBytesNoCopy" || 1592 FirstSlot == "initWithBytesNoCopy" || 1593 FirstSlot == "initWithCharactersNoCopy"; 1594 } 1595 1596 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 1597 Selector S = Call.getSelector(); 1598 1599 // FIXME: We should not rely on fully-constrained symbols being folded. 1600 for (unsigned i = 1; i < S.getNumArgs(); ++i) 1601 if (S.getNameForSlot(i).equals("freeWhenDone")) 1602 return !Call.getArgSVal(i).isZeroConstant(); 1603 1604 return None; 1605 } 1606 1607 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 1608 CheckerContext &C) const { 1609 if (C.wasInlined) 1610 return; 1611 1612 if (!isKnownDeallocObjCMethodName(Call)) 1613 return; 1614 1615 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 1616 if (!*FreeWhenDone) 1617 return; 1618 1619 if (Call.hasNonZeroCallbackArg()) 1620 return; 1621 1622 bool IsKnownToBeAllocatedMemory; 1623 ProgramStateRef State = 1624 FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(), 1625 /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc, 1626 /*RetNullOnFailure=*/true); 1627 1628 C.addTransition(State); 1629 } 1630 1631 ProgramStateRef 1632 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call, 1633 const OwnershipAttr *Att, 1634 ProgramStateRef State) const { 1635 if (!State) 1636 return nullptr; 1637 1638 if (Att->getModule()->getName() != "malloc") 1639 return nullptr; 1640 1641 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 1642 if (I != E) { 1643 return MallocMemAux(C, Call, Call.getArgExpr(I->getASTIndex()), 1644 UndefinedVal(), State, AF_Malloc); 1645 } 1646 return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, AF_Malloc); 1647 } 1648 1649 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1650 const CallEvent &Call, 1651 const Expr *SizeEx, SVal Init, 1652 ProgramStateRef State, 1653 AllocationFamily Family) { 1654 if (!State) 1655 return nullptr; 1656 1657 assert(SizeEx); 1658 return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family); 1659 } 1660 1661 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1662 const CallEvent &Call, SVal Size, 1663 SVal Init, ProgramStateRef State, 1664 AllocationFamily Family) { 1665 if (!State) 1666 return nullptr; 1667 1668 const Expr *CE = Call.getOriginExpr(); 1669 1670 // We expect the malloc functions to return a pointer. 1671 if (!Loc::isLocType(CE->getType())) 1672 return nullptr; 1673 1674 // Bind the return value to the symbolic value from the heap region. 1675 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 1676 // side effects other than what we model here. 1677 unsigned Count = C.blockCount(); 1678 SValBuilder &svalBuilder = C.getSValBuilder(); 1679 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 1680 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 1681 .castAs<DefinedSVal>(); 1682 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 1683 1684 // Fill the region with the initialization value. 1685 State = State->bindDefaultInitial(RetVal, Init, LCtx); 1686 1687 // Set the region's extent. 1688 State = setDynamicExtent(State, RetVal.getAsRegion(), 1689 Size.castAs<DefinedOrUnknownSVal>(), svalBuilder); 1690 1691 return MallocUpdateRefState(C, CE, State, Family); 1692 } 1693 1694 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, 1695 ProgramStateRef State, 1696 AllocationFamily Family, 1697 Optional<SVal> RetVal) { 1698 if (!State) 1699 return nullptr; 1700 1701 // Get the return value. 1702 if (!RetVal) 1703 RetVal = C.getSVal(E); 1704 1705 // We expect the malloc functions to return a pointer. 1706 if (!RetVal->getAs<Loc>()) 1707 return nullptr; 1708 1709 SymbolRef Sym = RetVal->getAsLocSymbol(); 1710 // This is a return value of a function that was not inlined, such as malloc() 1711 // or new(). We've checked that in the caller. Therefore, it must be a symbol. 1712 assert(Sym); 1713 1714 // Set the symbol's state to Allocated. 1715 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 1716 } 1717 1718 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 1719 const CallEvent &Call, 1720 const OwnershipAttr *Att, 1721 ProgramStateRef State) const { 1722 if (!State) 1723 return nullptr; 1724 1725 if (Att->getModule()->getName() != "malloc") 1726 return nullptr; 1727 1728 bool IsKnownToBeAllocated = false; 1729 1730 for (const auto &Arg : Att->args()) { 1731 ProgramStateRef StateI = 1732 FreeMemAux(C, Call, State, Arg.getASTIndex(), 1733 Att->getOwnKind() == OwnershipAttr::Holds, 1734 IsKnownToBeAllocated, AF_Malloc); 1735 if (StateI) 1736 State = StateI; 1737 } 1738 return State; 1739 } 1740 1741 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1742 const CallEvent &Call, 1743 ProgramStateRef State, unsigned Num, 1744 bool Hold, bool &IsKnownToBeAllocated, 1745 AllocationFamily Family, 1746 bool ReturnsNullOnFailure) const { 1747 if (!State) 1748 return nullptr; 1749 1750 if (Call.getNumArgs() < (Num + 1)) 1751 return nullptr; 1752 1753 return FreeMemAux(C, Call.getArgExpr(Num), Call, State, Hold, 1754 IsKnownToBeAllocated, Family, ReturnsNullOnFailure); 1755 } 1756 1757 /// Checks if the previous call to free on the given symbol failed - if free 1758 /// failed, returns true. Also, returns the corresponding return value symbol. 1759 static bool didPreviousFreeFail(ProgramStateRef State, 1760 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 1761 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 1762 if (Ret) { 1763 assert(*Ret && "We should not store the null return symbol"); 1764 ConstraintManager &CMgr = State->getConstraintManager(); 1765 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 1766 RetStatusSymbol = *Ret; 1767 return FreeFailed.isConstrainedTrue(); 1768 } 1769 return false; 1770 } 1771 1772 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E) { 1773 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1774 // FIXME: This doesn't handle indirect calls. 1775 const FunctionDecl *FD = CE->getDirectCallee(); 1776 if (!FD) 1777 return false; 1778 1779 os << *FD; 1780 if (!FD->isOverloadedOperator()) 1781 os << "()"; 1782 return true; 1783 } 1784 1785 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 1786 if (Msg->isInstanceMessage()) 1787 os << "-"; 1788 else 1789 os << "+"; 1790 Msg->getSelector().print(os); 1791 return true; 1792 } 1793 1794 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1795 os << "'" 1796 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 1797 << "'"; 1798 return true; 1799 } 1800 1801 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 1802 os << "'" 1803 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 1804 << "'"; 1805 return true; 1806 } 1807 1808 return false; 1809 } 1810 1811 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family) { 1812 1813 switch(Family) { 1814 case AF_Malloc: os << "malloc()"; return; 1815 case AF_CXXNew: os << "'new'"; return; 1816 case AF_CXXNewArray: os << "'new[]'"; return; 1817 case AF_IfNameIndex: os << "'if_nameindex()'"; return; 1818 case AF_InnerBuffer: os << "container-specific allocator"; return; 1819 case AF_Alloca: 1820 case AF_None: llvm_unreachable("not a deallocation expression"); 1821 } 1822 } 1823 1824 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) { 1825 switch(Family) { 1826 case AF_Malloc: os << "free()"; return; 1827 case AF_CXXNew: os << "'delete'"; return; 1828 case AF_CXXNewArray: os << "'delete[]'"; return; 1829 case AF_IfNameIndex: os << "'if_freenameindex()'"; return; 1830 case AF_InnerBuffer: os << "container-specific deallocator"; return; 1831 case AF_Alloca: 1832 case AF_None: llvm_unreachable("suspicious argument"); 1833 } 1834 } 1835 1836 ProgramStateRef MallocChecker::FreeMemAux( 1837 CheckerContext &C, const Expr *ArgExpr, const CallEvent &Call, 1838 ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated, 1839 AllocationFamily Family, bool ReturnsNullOnFailure) const { 1840 1841 if (!State) 1842 return nullptr; 1843 1844 SVal ArgVal = C.getSVal(ArgExpr); 1845 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 1846 return nullptr; 1847 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 1848 1849 // Check for null dereferences. 1850 if (!location.getAs<Loc>()) 1851 return nullptr; 1852 1853 // The explicit NULL case, no operation is performed. 1854 ProgramStateRef notNullState, nullState; 1855 std::tie(notNullState, nullState) = State->assume(location); 1856 if (nullState && !notNullState) 1857 return nullptr; 1858 1859 // Unknown values could easily be okay 1860 // Undefined values are handled elsewhere 1861 if (ArgVal.isUnknownOrUndef()) 1862 return nullptr; 1863 1864 const MemRegion *R = ArgVal.getAsRegion(); 1865 const Expr *ParentExpr = Call.getOriginExpr(); 1866 1867 // NOTE: We detected a bug, but the checker under whose name we would emit the 1868 // error could be disabled. Generally speaking, the MallocChecker family is an 1869 // integral part of the Static Analyzer, and disabling any part of it should 1870 // only be done under exceptional circumstances, such as frequent false 1871 // positives. If this is the case, we can reasonably believe that there are 1872 // serious faults in our understanding of the source code, and even if we 1873 // don't emit an warning, we should terminate further analysis with a sink 1874 // node. 1875 1876 // Nonlocs can't be freed, of course. 1877 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 1878 if (!R) { 1879 // Exception: 1880 // If the macro ZERO_SIZE_PTR is defined, this could be a kernel source 1881 // code. In that case, the ZERO_SIZE_PTR defines a special value used for a 1882 // zero-sized memory block which is allowed to be freed, despite not being a 1883 // null pointer. 1884 if (Family != AF_Malloc || !isArgZERO_SIZE_PTR(State, C, ArgVal)) 1885 HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1886 Family); 1887 return nullptr; 1888 } 1889 1890 R = R->StripCasts(); 1891 1892 // Blocks might show up as heap data, but should not be free()d 1893 if (isa<BlockDataRegion>(R)) { 1894 HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1895 Family); 1896 return nullptr; 1897 } 1898 1899 const MemSpaceRegion *MS = R->getMemorySpace(); 1900 1901 // Parameters, locals, statics, globals, and memory returned by 1902 // __builtin_alloca() shouldn't be freed. 1903 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1904 // FIXME: at the time this code was written, malloc() regions were 1905 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1906 // This means that there isn't actually anything from HeapSpaceRegion 1907 // that should be freed, even though we allow it here. 1908 // Of course, free() can work on memory allocated outside the current 1909 // function, so UnknownSpaceRegion is always a possibility. 1910 // False negatives are better than false positives. 1911 1912 if (isa<AllocaRegion>(R)) 1913 HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1914 else 1915 HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1916 Family); 1917 1918 return nullptr; 1919 } 1920 1921 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1922 // Various cases could lead to non-symbol values here. 1923 // For now, ignore them. 1924 if (!SrBase) 1925 return nullptr; 1926 1927 SymbolRef SymBase = SrBase->getSymbol(); 1928 const RefState *RsBase = State->get<RegionState>(SymBase); 1929 SymbolRef PreviousRetStatusSymbol = nullptr; 1930 1931 IsKnownToBeAllocated = 1932 RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero()); 1933 1934 if (RsBase) { 1935 1936 // Memory returned by alloca() shouldn't be freed. 1937 if (RsBase->getAllocationFamily() == AF_Alloca) { 1938 HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1939 return nullptr; 1940 } 1941 1942 // Check for double free first. 1943 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1944 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1945 HandleDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1946 SymBase, PreviousRetStatusSymbol); 1947 return nullptr; 1948 1949 // If the pointer is allocated or escaped, but we are now trying to free it, 1950 // check that the call to free is proper. 1951 } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() || 1952 RsBase->isEscaped()) { 1953 1954 // Check if an expected deallocation function matches the real one. 1955 bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family; 1956 if (!DeallocMatchesAlloc) { 1957 HandleMismatchedDealloc(C, ArgExpr->getSourceRange(), ParentExpr, 1958 RsBase, SymBase, Hold); 1959 return nullptr; 1960 } 1961 1962 // Check if the memory location being freed is the actual location 1963 // allocated, or an offset. 1964 RegionOffset Offset = R->getAsOffset(); 1965 if (Offset.isValid() && 1966 !Offset.hasSymbolicOffset() && 1967 Offset.getOffset() != 0) { 1968 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1969 HandleOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1970 Family, AllocExpr); 1971 return nullptr; 1972 } 1973 } 1974 } 1975 1976 if (SymBase->getType()->isFunctionPointerType()) { 1977 HandleFunctionPtrFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1978 Family); 1979 return nullptr; 1980 } 1981 1982 // Clean out the info on previous call to free return info. 1983 State = State->remove<FreeReturnValue>(SymBase); 1984 1985 // Keep track of the return value. If it is NULL, we will know that free 1986 // failed. 1987 if (ReturnsNullOnFailure) { 1988 SVal RetVal = C.getSVal(ParentExpr); 1989 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1990 if (RetStatusSymbol) { 1991 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1992 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1993 } 1994 } 1995 1996 // If we don't know anything about this symbol, a free on it may be totally 1997 // valid. If this is the case, lets assume that the allocation family of the 1998 // freeing function is the same as the symbols allocation family, and go with 1999 // that. 2000 assert(!RsBase || (RsBase && RsBase->getAllocationFamily() == Family)); 2001 2002 // Normal free. 2003 if (Hold) 2004 return State->set<RegionState>(SymBase, 2005 RefState::getRelinquished(Family, 2006 ParentExpr)); 2007 2008 return State->set<RegionState>(SymBase, 2009 RefState::getReleased(Family, ParentExpr)); 2010 } 2011 2012 Optional<MallocChecker::CheckKind> 2013 MallocChecker::getCheckIfTracked(AllocationFamily Family, 2014 bool IsALeakCheck) const { 2015 switch (Family) { 2016 case AF_Malloc: 2017 case AF_Alloca: 2018 case AF_IfNameIndex: { 2019 if (ChecksEnabled[CK_MallocChecker]) 2020 return CK_MallocChecker; 2021 return None; 2022 } 2023 case AF_CXXNew: 2024 case AF_CXXNewArray: { 2025 if (IsALeakCheck) { 2026 if (ChecksEnabled[CK_NewDeleteLeaksChecker]) 2027 return CK_NewDeleteLeaksChecker; 2028 } 2029 else { 2030 if (ChecksEnabled[CK_NewDeleteChecker]) 2031 return CK_NewDeleteChecker; 2032 } 2033 return None; 2034 } 2035 case AF_InnerBuffer: { 2036 if (ChecksEnabled[CK_InnerPointerChecker]) 2037 return CK_InnerPointerChecker; 2038 return None; 2039 } 2040 case AF_None: { 2041 llvm_unreachable("no family"); 2042 } 2043 } 2044 llvm_unreachable("unhandled family"); 2045 } 2046 2047 Optional<MallocChecker::CheckKind> 2048 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 2049 bool IsALeakCheck) const { 2050 if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) 2051 return CK_MallocChecker; 2052 2053 const RefState *RS = C.getState()->get<RegionState>(Sym); 2054 assert(RS); 2055 return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck); 2056 } 2057 2058 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 2059 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 2060 os << "an integer (" << IntVal->getValue() << ")"; 2061 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 2062 os << "a constant address (" << ConstAddr->getValue() << ")"; 2063 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 2064 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 2065 else 2066 return false; 2067 2068 return true; 2069 } 2070 2071 bool MallocChecker::SummarizeRegion(raw_ostream &os, 2072 const MemRegion *MR) { 2073 switch (MR->getKind()) { 2074 case MemRegion::FunctionCodeRegionKind: { 2075 const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl(); 2076 if (FD) 2077 os << "the address of the function '" << *FD << '\''; 2078 else 2079 os << "the address of a function"; 2080 return true; 2081 } 2082 case MemRegion::BlockCodeRegionKind: 2083 os << "block text"; 2084 return true; 2085 case MemRegion::BlockDataRegionKind: 2086 // FIXME: where the block came from? 2087 os << "a block"; 2088 return true; 2089 default: { 2090 const MemSpaceRegion *MS = MR->getMemorySpace(); 2091 2092 if (isa<StackLocalsSpaceRegion>(MS)) { 2093 const VarRegion *VR = dyn_cast<VarRegion>(MR); 2094 const VarDecl *VD; 2095 if (VR) 2096 VD = VR->getDecl(); 2097 else 2098 VD = nullptr; 2099 2100 if (VD) 2101 os << "the address of the local variable '" << VD->getName() << "'"; 2102 else 2103 os << "the address of a local stack variable"; 2104 return true; 2105 } 2106 2107 if (isa<StackArgumentsSpaceRegion>(MS)) { 2108 const VarRegion *VR = dyn_cast<VarRegion>(MR); 2109 const VarDecl *VD; 2110 if (VR) 2111 VD = VR->getDecl(); 2112 else 2113 VD = nullptr; 2114 2115 if (VD) 2116 os << "the address of the parameter '" << VD->getName() << "'"; 2117 else 2118 os << "the address of a parameter"; 2119 return true; 2120 } 2121 2122 if (isa<GlobalsSpaceRegion>(MS)) { 2123 const VarRegion *VR = dyn_cast<VarRegion>(MR); 2124 const VarDecl *VD; 2125 if (VR) 2126 VD = VR->getDecl(); 2127 else 2128 VD = nullptr; 2129 2130 if (VD) { 2131 if (VD->isStaticLocal()) 2132 os << "the address of the static variable '" << VD->getName() << "'"; 2133 else 2134 os << "the address of the global variable '" << VD->getName() << "'"; 2135 } else 2136 os << "the address of a global variable"; 2137 return true; 2138 } 2139 2140 return false; 2141 } 2142 } 2143 } 2144 2145 void MallocChecker::HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, 2146 SourceRange Range, 2147 const Expr *DeallocExpr, 2148 AllocationFamily Family) const { 2149 2150 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) { 2151 C.addSink(); 2152 return; 2153 } 2154 2155 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2156 if (!CheckKind.hasValue()) 2157 return; 2158 2159 if (ExplodedNode *N = C.generateErrorNode()) { 2160 if (!BT_BadFree[*CheckKind]) 2161 BT_BadFree[*CheckKind].reset(new BugType( 2162 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 2163 2164 SmallString<100> buf; 2165 llvm::raw_svector_ostream os(buf); 2166 2167 const MemRegion *MR = ArgVal.getAsRegion(); 2168 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 2169 MR = ER->getSuperRegion(); 2170 2171 os << "Argument to "; 2172 if (!printMemFnName(os, C, DeallocExpr)) 2173 os << "deallocator"; 2174 2175 os << " is "; 2176 bool Summarized = MR ? SummarizeRegion(os, MR) 2177 : SummarizeValue(os, ArgVal); 2178 if (Summarized) 2179 os << ", which is not memory allocated by "; 2180 else 2181 os << "not memory allocated by "; 2182 2183 printExpectedAllocName(os, Family); 2184 2185 auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], 2186 os.str(), N); 2187 R->markInteresting(MR); 2188 R->addRange(Range); 2189 C.emitReport(std::move(R)); 2190 } 2191 } 2192 2193 void MallocChecker::HandleFreeAlloca(CheckerContext &C, SVal ArgVal, 2194 SourceRange Range) const { 2195 2196 Optional<MallocChecker::CheckKind> CheckKind; 2197 2198 if (ChecksEnabled[CK_MallocChecker]) 2199 CheckKind = CK_MallocChecker; 2200 else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) 2201 CheckKind = CK_MismatchedDeallocatorChecker; 2202 else { 2203 C.addSink(); 2204 return; 2205 } 2206 2207 if (ExplodedNode *N = C.generateErrorNode()) { 2208 if (!BT_FreeAlloca[*CheckKind]) 2209 BT_FreeAlloca[*CheckKind].reset(new BugType( 2210 CheckNames[*CheckKind], "Free alloca()", categories::MemoryError)); 2211 2212 auto R = std::make_unique<PathSensitiveBugReport>( 2213 *BT_FreeAlloca[*CheckKind], 2214 "Memory allocated by alloca() should not be deallocated", N); 2215 R->markInteresting(ArgVal.getAsRegion()); 2216 R->addRange(Range); 2217 C.emitReport(std::move(R)); 2218 } 2219 } 2220 2221 void MallocChecker::HandleMismatchedDealloc(CheckerContext &C, 2222 SourceRange Range, 2223 const Expr *DeallocExpr, 2224 const RefState *RS, SymbolRef Sym, 2225 bool OwnershipTransferred) const { 2226 2227 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 2228 C.addSink(); 2229 return; 2230 } 2231 2232 if (ExplodedNode *N = C.generateErrorNode()) { 2233 if (!BT_MismatchedDealloc) 2234 BT_MismatchedDealloc.reset( 2235 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 2236 "Bad deallocator", categories::MemoryError)); 2237 2238 SmallString<100> buf; 2239 llvm::raw_svector_ostream os(buf); 2240 2241 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 2242 SmallString<20> AllocBuf; 2243 llvm::raw_svector_ostream AllocOs(AllocBuf); 2244 SmallString<20> DeallocBuf; 2245 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 2246 2247 if (OwnershipTransferred) { 2248 if (printMemFnName(DeallocOs, C, DeallocExpr)) 2249 os << DeallocOs.str() << " cannot"; 2250 else 2251 os << "Cannot"; 2252 2253 os << " take ownership of memory"; 2254 2255 if (printMemFnName(AllocOs, C, AllocExpr)) 2256 os << " allocated by " << AllocOs.str(); 2257 } else { 2258 os << "Memory"; 2259 if (printMemFnName(AllocOs, C, AllocExpr)) 2260 os << " allocated by " << AllocOs.str(); 2261 2262 os << " should be deallocated by "; 2263 printExpectedDeallocName(os, RS->getAllocationFamily()); 2264 2265 if (printMemFnName(DeallocOs, C, DeallocExpr)) 2266 os << ", not " << DeallocOs.str(); 2267 } 2268 2269 auto R = std::make_unique<PathSensitiveBugReport>(*BT_MismatchedDealloc, 2270 os.str(), N); 2271 R->markInteresting(Sym); 2272 R->addRange(Range); 2273 R->addVisitor<MallocBugVisitor>(Sym); 2274 C.emitReport(std::move(R)); 2275 } 2276 } 2277 2278 void MallocChecker::HandleOffsetFree(CheckerContext &C, SVal ArgVal, 2279 SourceRange Range, const Expr *DeallocExpr, 2280 AllocationFamily Family, 2281 const Expr *AllocExpr) const { 2282 2283 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) { 2284 C.addSink(); 2285 return; 2286 } 2287 2288 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2289 if (!CheckKind.hasValue()) 2290 return; 2291 2292 ExplodedNode *N = C.generateErrorNode(); 2293 if (!N) 2294 return; 2295 2296 if (!BT_OffsetFree[*CheckKind]) 2297 BT_OffsetFree[*CheckKind].reset(new BugType( 2298 CheckNames[*CheckKind], "Offset free", categories::MemoryError)); 2299 2300 SmallString<100> buf; 2301 llvm::raw_svector_ostream os(buf); 2302 SmallString<20> AllocNameBuf; 2303 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 2304 2305 const MemRegion *MR = ArgVal.getAsRegion(); 2306 assert(MR && "Only MemRegion based symbols can have offset free errors"); 2307 2308 RegionOffset Offset = MR->getAsOffset(); 2309 assert((Offset.isValid() && 2310 !Offset.hasSymbolicOffset() && 2311 Offset.getOffset() != 0) && 2312 "Only symbols with a valid offset can have offset free errors"); 2313 2314 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 2315 2316 os << "Argument to "; 2317 if (!printMemFnName(os, C, DeallocExpr)) 2318 os << "deallocator"; 2319 os << " is offset by " 2320 << offsetBytes 2321 << " " 2322 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 2323 << " from the start of "; 2324 if (AllocExpr && printMemFnName(AllocNameOs, C, AllocExpr)) 2325 os << "memory allocated by " << AllocNameOs.str(); 2326 else 2327 os << "allocated memory"; 2328 2329 auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind], 2330 os.str(), N); 2331 R->markInteresting(MR->getBaseRegion()); 2332 R->addRange(Range); 2333 C.emitReport(std::move(R)); 2334 } 2335 2336 void MallocChecker::HandleUseAfterFree(CheckerContext &C, SourceRange Range, 2337 SymbolRef Sym) const { 2338 2339 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker] && 2340 !ChecksEnabled[CK_InnerPointerChecker]) { 2341 C.addSink(); 2342 return; 2343 } 2344 2345 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2346 if (!CheckKind.hasValue()) 2347 return; 2348 2349 if (ExplodedNode *N = C.generateErrorNode()) { 2350 if (!BT_UseFree[*CheckKind]) 2351 BT_UseFree[*CheckKind].reset(new BugType( 2352 CheckNames[*CheckKind], "Use-after-free", categories::MemoryError)); 2353 2354 AllocationFamily AF = 2355 C.getState()->get<RegionState>(Sym)->getAllocationFamily(); 2356 2357 auto R = std::make_unique<PathSensitiveBugReport>( 2358 *BT_UseFree[*CheckKind], 2359 AF == AF_InnerBuffer 2360 ? "Inner pointer of container used after re/deallocation" 2361 : "Use of memory after it is freed", 2362 N); 2363 2364 R->markInteresting(Sym); 2365 R->addRange(Range); 2366 R->addVisitor<MallocBugVisitor>(Sym); 2367 2368 if (AF == AF_InnerBuffer) 2369 R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym)); 2370 2371 C.emitReport(std::move(R)); 2372 } 2373 } 2374 2375 void MallocChecker::HandleDoubleFree(CheckerContext &C, SourceRange Range, 2376 bool Released, SymbolRef Sym, 2377 SymbolRef PrevSym) const { 2378 2379 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) { 2380 C.addSink(); 2381 return; 2382 } 2383 2384 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2385 if (!CheckKind.hasValue()) 2386 return; 2387 2388 if (ExplodedNode *N = C.generateErrorNode()) { 2389 if (!BT_DoubleFree[*CheckKind]) 2390 BT_DoubleFree[*CheckKind].reset(new BugType( 2391 CheckNames[*CheckKind], "Double free", categories::MemoryError)); 2392 2393 auto R = std::make_unique<PathSensitiveBugReport>( 2394 *BT_DoubleFree[*CheckKind], 2395 (Released ? "Attempt to free released memory" 2396 : "Attempt to free non-owned memory"), 2397 N); 2398 R->addRange(Range); 2399 R->markInteresting(Sym); 2400 if (PrevSym) 2401 R->markInteresting(PrevSym); 2402 R->addVisitor<MallocBugVisitor>(Sym); 2403 C.emitReport(std::move(R)); 2404 } 2405 } 2406 2407 void MallocChecker::HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 2408 2409 if (!ChecksEnabled[CK_NewDeleteChecker]) { 2410 C.addSink(); 2411 return; 2412 } 2413 2414 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2415 if (!CheckKind.hasValue()) 2416 return; 2417 2418 if (ExplodedNode *N = C.generateErrorNode()) { 2419 if (!BT_DoubleDelete) 2420 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 2421 "Double delete", 2422 categories::MemoryError)); 2423 2424 auto R = std::make_unique<PathSensitiveBugReport>( 2425 *BT_DoubleDelete, "Attempt to delete released memory", N); 2426 2427 R->markInteresting(Sym); 2428 R->addVisitor<MallocBugVisitor>(Sym); 2429 C.emitReport(std::move(R)); 2430 } 2431 } 2432 2433 void MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range, 2434 SymbolRef Sym) const { 2435 2436 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) { 2437 C.addSink(); 2438 return; 2439 } 2440 2441 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2442 2443 if (!CheckKind.hasValue()) 2444 return; 2445 2446 if (ExplodedNode *N = C.generateErrorNode()) { 2447 if (!BT_UseZerroAllocated[*CheckKind]) 2448 BT_UseZerroAllocated[*CheckKind].reset( 2449 new BugType(CheckNames[*CheckKind], "Use of zero allocated", 2450 categories::MemoryError)); 2451 2452 auto R = std::make_unique<PathSensitiveBugReport>( 2453 *BT_UseZerroAllocated[*CheckKind], "Use of zero-allocated memory", N); 2454 2455 R->addRange(Range); 2456 if (Sym) { 2457 R->markInteresting(Sym); 2458 R->addVisitor<MallocBugVisitor>(Sym); 2459 } 2460 C.emitReport(std::move(R)); 2461 } 2462 } 2463 2464 void MallocChecker::HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, 2465 SourceRange Range, 2466 const Expr *FreeExpr, 2467 AllocationFamily Family) const { 2468 if (!ChecksEnabled[CK_MallocChecker]) { 2469 C.addSink(); 2470 return; 2471 } 2472 2473 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2474 if (!CheckKind.hasValue()) 2475 return; 2476 2477 if (ExplodedNode *N = C.generateErrorNode()) { 2478 if (!BT_BadFree[*CheckKind]) 2479 BT_BadFree[*CheckKind].reset(new BugType( 2480 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 2481 2482 SmallString<100> Buf; 2483 llvm::raw_svector_ostream Os(Buf); 2484 2485 const MemRegion *MR = ArgVal.getAsRegion(); 2486 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 2487 MR = ER->getSuperRegion(); 2488 2489 Os << "Argument to "; 2490 if (!printMemFnName(Os, C, FreeExpr)) 2491 Os << "deallocator"; 2492 2493 Os << " is a function pointer"; 2494 2495 auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], 2496 Os.str(), N); 2497 R->markInteresting(MR); 2498 R->addRange(Range); 2499 C.emitReport(std::move(R)); 2500 } 2501 } 2502 2503 ProgramStateRef 2504 MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call, 2505 bool ShouldFreeOnFail, ProgramStateRef State, 2506 AllocationFamily Family, bool SuffixWithN) const { 2507 if (!State) 2508 return nullptr; 2509 2510 const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr()); 2511 2512 if (SuffixWithN && CE->getNumArgs() < 3) 2513 return nullptr; 2514 else if (CE->getNumArgs() < 2) 2515 return nullptr; 2516 2517 const Expr *arg0Expr = CE->getArg(0); 2518 SVal Arg0Val = C.getSVal(arg0Expr); 2519 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 2520 return nullptr; 2521 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 2522 2523 SValBuilder &svalBuilder = C.getSValBuilder(); 2524 2525 DefinedOrUnknownSVal PtrEQ = 2526 svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull()); 2527 2528 // Get the size argument. 2529 const Expr *Arg1 = CE->getArg(1); 2530 2531 // Get the value of the size argument. 2532 SVal TotalSize = C.getSVal(Arg1); 2533 if (SuffixWithN) 2534 TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2)); 2535 if (!TotalSize.getAs<DefinedOrUnknownSVal>()) 2536 return nullptr; 2537 2538 // Compare the size argument to 0. 2539 DefinedOrUnknownSVal SizeZero = 2540 svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(), 2541 svalBuilder.makeIntValWithPtrWidth(0, false)); 2542 2543 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 2544 std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); 2545 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 2546 std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); 2547 // We only assume exceptional states if they are definitely true; if the 2548 // state is under-constrained, assume regular realloc behavior. 2549 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 2550 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 2551 2552 // If the ptr is NULL and the size is not 0, the call is equivalent to 2553 // malloc(size). 2554 if (PrtIsNull && !SizeIsZero) { 2555 ProgramStateRef stateMalloc = MallocMemAux( 2556 C, Call, TotalSize, UndefinedVal(), StatePtrIsNull, Family); 2557 return stateMalloc; 2558 } 2559 2560 if (PrtIsNull && SizeIsZero) 2561 return State; 2562 2563 assert(!PrtIsNull); 2564 2565 bool IsKnownToBeAllocated = false; 2566 2567 // If the size is 0, free the memory. 2568 if (SizeIsZero) 2569 // The semantics of the return value are: 2570 // If size was equal to 0, either NULL or a pointer suitable to be passed 2571 // to free() is returned. We just free the input pointer and do not add 2572 // any constrains on the output pointer. 2573 if (ProgramStateRef stateFree = FreeMemAux( 2574 C, Call, StateSizeIsZero, 0, false, IsKnownToBeAllocated, Family)) 2575 return stateFree; 2576 2577 // Default behavior. 2578 if (ProgramStateRef stateFree = 2579 FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocated, Family)) { 2580 2581 ProgramStateRef stateRealloc = 2582 MallocMemAux(C, Call, TotalSize, UnknownVal(), stateFree, Family); 2583 if (!stateRealloc) 2584 return nullptr; 2585 2586 OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure; 2587 if (ShouldFreeOnFail) 2588 Kind = OAR_FreeOnFailure; 2589 else if (!IsKnownToBeAllocated) 2590 Kind = OAR_DoNotTrackAfterFailure; 2591 2592 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 2593 SymbolRef FromPtr = arg0Val.getLocSymbolInBase(); 2594 SVal RetVal = C.getSVal(CE); 2595 SymbolRef ToPtr = RetVal.getAsSymbol(); 2596 assert(FromPtr && ToPtr && 2597 "By this point, FreeMemAux and MallocMemAux should have checked " 2598 "whether the argument or the return value is symbolic!"); 2599 2600 // Record the info about the reallocated symbol so that we could properly 2601 // process failed reallocation. 2602 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 2603 ReallocPair(FromPtr, Kind)); 2604 // The reallocated symbol should stay alive for as long as the new symbol. 2605 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 2606 return stateRealloc; 2607 } 2608 return nullptr; 2609 } 2610 2611 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, 2612 const CallEvent &Call, 2613 ProgramStateRef State) { 2614 if (!State) 2615 return nullptr; 2616 2617 if (Call.getNumArgs() < 2) 2618 return nullptr; 2619 2620 SValBuilder &svalBuilder = C.getSValBuilder(); 2621 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 2622 SVal TotalSize = 2623 evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1)); 2624 2625 return MallocMemAux(C, Call, TotalSize, zeroVal, State, AF_Malloc); 2626 } 2627 2628 MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N, 2629 SymbolRef Sym, 2630 CheckerContext &C) { 2631 const LocationContext *LeakContext = N->getLocationContext(); 2632 // Walk the ExplodedGraph backwards and find the first node that referred to 2633 // the tracked symbol. 2634 const ExplodedNode *AllocNode = N; 2635 const MemRegion *ReferenceRegion = nullptr; 2636 2637 while (N) { 2638 ProgramStateRef State = N->getState(); 2639 if (!State->get<RegionState>(Sym)) 2640 break; 2641 2642 // Find the most recent expression bound to the symbol in the current 2643 // context. 2644 if (!ReferenceRegion) { 2645 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 2646 SVal Val = State->getSVal(MR); 2647 if (Val.getAsLocSymbol() == Sym) { 2648 const VarRegion *VR = MR->getBaseRegion()->getAs<VarRegion>(); 2649 // Do not show local variables belonging to a function other than 2650 // where the error is reported. 2651 if (!VR || (VR->getStackFrame() == LeakContext->getStackFrame())) 2652 ReferenceRegion = MR; 2653 } 2654 } 2655 } 2656 2657 // Allocation node, is the last node in the current or parent context in 2658 // which the symbol was tracked. 2659 const LocationContext *NContext = N->getLocationContext(); 2660 if (NContext == LeakContext || 2661 NContext->isParentOf(LeakContext)) 2662 AllocNode = N; 2663 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 2664 } 2665 2666 return LeakInfo(AllocNode, ReferenceRegion); 2667 } 2668 2669 void MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N, 2670 CheckerContext &C) const { 2671 2672 if (!ChecksEnabled[CK_MallocChecker] && 2673 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 2674 return; 2675 2676 const RefState *RS = C.getState()->get<RegionState>(Sym); 2677 assert(RS && "cannot leak an untracked symbol"); 2678 AllocationFamily Family = RS->getAllocationFamily(); 2679 2680 if (Family == AF_Alloca) 2681 return; 2682 2683 Optional<MallocChecker::CheckKind> 2684 CheckKind = getCheckIfTracked(Family, true); 2685 2686 if (!CheckKind.hasValue()) 2687 return; 2688 2689 assert(N); 2690 if (!BT_Leak[*CheckKind]) { 2691 // Leaks should not be reported if they are post-dominated by a sink: 2692 // (1) Sinks are higher importance bugs. 2693 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 2694 // with __noreturn functions such as assert() or exit(). We choose not 2695 // to report leaks on such paths. 2696 BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak", 2697 categories::MemoryError, 2698 /*SuppressOnSink=*/true)); 2699 } 2700 2701 // Most bug reports are cached at the location where they occurred. 2702 // With leaks, we want to unique them by the location where they were 2703 // allocated, and only report a single path. 2704 PathDiagnosticLocation LocUsedForUniqueing; 2705 const ExplodedNode *AllocNode = nullptr; 2706 const MemRegion *Region = nullptr; 2707 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 2708 2709 const Stmt *AllocationStmt = AllocNode->getStmtForDiagnostics(); 2710 if (AllocationStmt) 2711 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 2712 C.getSourceManager(), 2713 AllocNode->getLocationContext()); 2714 2715 SmallString<200> buf; 2716 llvm::raw_svector_ostream os(buf); 2717 if (Region && Region->canPrintPretty()) { 2718 os << "Potential leak of memory pointed to by "; 2719 Region->printPretty(os); 2720 } else { 2721 os << "Potential memory leak"; 2722 } 2723 2724 auto R = std::make_unique<PathSensitiveBugReport>( 2725 *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 2726 AllocNode->getLocationContext()->getDecl()); 2727 R->markInteresting(Sym); 2728 R->addVisitor<MallocBugVisitor>(Sym, true); 2729 if (ShouldRegisterNoOwnershipChangeVisitor) 2730 R->addVisitor<NoOwnershipChangeVisitor>(Sym); 2731 C.emitReport(std::move(R)); 2732 } 2733 2734 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 2735 CheckerContext &C) const 2736 { 2737 ProgramStateRef state = C.getState(); 2738 RegionStateTy OldRS = state->get<RegionState>(); 2739 RegionStateTy::Factory &F = state->get_context<RegionState>(); 2740 2741 RegionStateTy RS = OldRS; 2742 SmallVector<SymbolRef, 2> Errors; 2743 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2744 if (SymReaper.isDead(I->first)) { 2745 if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero()) 2746 Errors.push_back(I->first); 2747 // Remove the dead symbol from the map. 2748 RS = F.remove(RS, I->first); 2749 } 2750 } 2751 2752 if (RS == OldRS) { 2753 // We shouldn't have touched other maps yet. 2754 assert(state->get<ReallocPairs>() == 2755 C.getState()->get<ReallocPairs>()); 2756 assert(state->get<FreeReturnValue>() == 2757 C.getState()->get<FreeReturnValue>()); 2758 return; 2759 } 2760 2761 // Cleanup the Realloc Pairs Map. 2762 ReallocPairsTy RP = state->get<ReallocPairs>(); 2763 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2764 if (SymReaper.isDead(I->first) || 2765 SymReaper.isDead(I->second.ReallocatedSym)) { 2766 state = state->remove<ReallocPairs>(I->first); 2767 } 2768 } 2769 2770 // Cleanup the FreeReturnValue Map. 2771 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 2772 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 2773 if (SymReaper.isDead(I->first) || 2774 SymReaper.isDead(I->second)) { 2775 state = state->remove<FreeReturnValue>(I->first); 2776 } 2777 } 2778 2779 // Generate leak node. 2780 ExplodedNode *N = C.getPredecessor(); 2781 if (!Errors.empty()) { 2782 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 2783 N = C.generateNonFatalErrorNode(C.getState(), &Tag); 2784 if (N) { 2785 for (SmallVectorImpl<SymbolRef>::iterator 2786 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 2787 HandleLeak(*I, N, C); 2788 } 2789 } 2790 } 2791 2792 C.addTransition(state->set<RegionState>(RS), N); 2793 } 2794 2795 void MallocChecker::checkPreCall(const CallEvent &Call, 2796 CheckerContext &C) const { 2797 2798 if (const auto *DC = dyn_cast<CXXDeallocatorCall>(&Call)) { 2799 const CXXDeleteExpr *DE = DC->getOriginExpr(); 2800 2801 if (!ChecksEnabled[CK_NewDeleteChecker]) 2802 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 2803 checkUseAfterFree(Sym, C, DE->getArgument()); 2804 2805 if (!isStandardNewDelete(DC->getDecl())) 2806 return; 2807 2808 ProgramStateRef State = C.getState(); 2809 bool IsKnownToBeAllocated; 2810 State = FreeMemAux(C, DE->getArgument(), Call, State, 2811 /*Hold*/ false, IsKnownToBeAllocated, 2812 (DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew)); 2813 2814 C.addTransition(State); 2815 return; 2816 } 2817 2818 if (const auto *DC = dyn_cast<CXXDestructorCall>(&Call)) { 2819 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 2820 if (!Sym || checkDoubleDelete(Sym, C)) 2821 return; 2822 } 2823 2824 // We will check for double free in the post visit. 2825 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 2826 const FunctionDecl *FD = FC->getDecl(); 2827 if (!FD) 2828 return; 2829 2830 if (ChecksEnabled[CK_MallocChecker] && isFreeingCall(Call)) 2831 return; 2832 } 2833 2834 // Check if the callee of a method is deleted. 2835 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 2836 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 2837 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 2838 return; 2839 } 2840 2841 // Check arguments for being used after free. 2842 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 2843 SVal ArgSVal = Call.getArgSVal(I); 2844 if (ArgSVal.getAs<Loc>()) { 2845 SymbolRef Sym = ArgSVal.getAsSymbol(); 2846 if (!Sym) 2847 continue; 2848 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 2849 return; 2850 } 2851 } 2852 } 2853 2854 void MallocChecker::checkPreStmt(const ReturnStmt *S, 2855 CheckerContext &C) const { 2856 checkEscapeOnReturn(S, C); 2857 } 2858 2859 // In the CFG, automatic destructors come after the return statement. 2860 // This callback checks for returning memory that is freed by automatic 2861 // destructors, as those cannot be reached in checkPreStmt(). 2862 void MallocChecker::checkEndFunction(const ReturnStmt *S, 2863 CheckerContext &C) const { 2864 checkEscapeOnReturn(S, C); 2865 } 2866 2867 void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S, 2868 CheckerContext &C) const { 2869 if (!S) 2870 return; 2871 2872 const Expr *E = S->getRetValue(); 2873 if (!E) 2874 return; 2875 2876 // Check if we are returning a symbol. 2877 ProgramStateRef State = C.getState(); 2878 SVal RetVal = C.getSVal(E); 2879 SymbolRef Sym = RetVal.getAsSymbol(); 2880 if (!Sym) 2881 // If we are returning a field of the allocated struct or an array element, 2882 // the callee could still free the memory. 2883 // TODO: This logic should be a part of generic symbol escape callback. 2884 if (const MemRegion *MR = RetVal.getAsRegion()) 2885 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 2886 if (const SymbolicRegion *BMR = 2887 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 2888 Sym = BMR->getSymbol(); 2889 2890 // Check if we are returning freed memory. 2891 if (Sym) 2892 checkUseAfterFree(Sym, C, E); 2893 } 2894 2895 // TODO: Blocks should be either inlined or should call invalidate regions 2896 // upon invocation. After that's in place, special casing here will not be 2897 // needed. 2898 void MallocChecker::checkPostStmt(const BlockExpr *BE, 2899 CheckerContext &C) const { 2900 2901 // Scan the BlockDecRefExprs for any object the retain count checker 2902 // may be tracking. 2903 if (!BE->getBlockDecl()->hasCaptures()) 2904 return; 2905 2906 ProgramStateRef state = C.getState(); 2907 const BlockDataRegion *R = 2908 cast<BlockDataRegion>(C.getSVal(BE).getAsRegion()); 2909 2910 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2911 E = R->referenced_vars_end(); 2912 2913 if (I == E) 2914 return; 2915 2916 SmallVector<const MemRegion*, 10> Regions; 2917 const LocationContext *LC = C.getLocationContext(); 2918 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2919 2920 for ( ; I != E; ++I) { 2921 const VarRegion *VR = I.getCapturedRegion(); 2922 if (VR->getSuperRegion() == R) { 2923 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2924 } 2925 Regions.push_back(VR); 2926 } 2927 2928 state = 2929 state->scanReachableSymbols<StopTrackingCallback>(Regions).getState(); 2930 C.addTransition(state); 2931 } 2932 2933 static bool isReleased(SymbolRef Sym, CheckerContext &C) { 2934 assert(Sym); 2935 const RefState *RS = C.getState()->get<RegionState>(Sym); 2936 return (RS && RS->isReleased()); 2937 } 2938 2939 bool MallocChecker::suppressDeallocationsInSuspiciousContexts( 2940 const CallEvent &Call, CheckerContext &C) const { 2941 if (Call.getNumArgs() == 0) 2942 return false; 2943 2944 StringRef FunctionStr = ""; 2945 if (const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl())) 2946 if (const Stmt *Body = FD->getBody()) 2947 if (Body->getBeginLoc().isValid()) 2948 FunctionStr = 2949 Lexer::getSourceText(CharSourceRange::getTokenRange( 2950 {FD->getBeginLoc(), Body->getBeginLoc()}), 2951 C.getSourceManager(), C.getLangOpts()); 2952 2953 // We do not model the Integer Set Library's retain-count based allocation. 2954 if (!FunctionStr.contains("__isl_")) 2955 return false; 2956 2957 ProgramStateRef State = C.getState(); 2958 2959 for (const Expr *Arg : cast<CallExpr>(Call.getOriginExpr())->arguments()) 2960 if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol()) 2961 if (const RefState *RS = State->get<RegionState>(Sym)) 2962 State = State->set<RegionState>(Sym, RefState::getEscaped(RS)); 2963 2964 C.addTransition(State); 2965 return true; 2966 } 2967 2968 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 2969 const Stmt *S) const { 2970 2971 if (isReleased(Sym, C)) { 2972 HandleUseAfterFree(C, S->getSourceRange(), Sym); 2973 return true; 2974 } 2975 2976 return false; 2977 } 2978 2979 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 2980 const Stmt *S) const { 2981 assert(Sym); 2982 2983 if (const RefState *RS = C.getState()->get<RegionState>(Sym)) { 2984 if (RS->isAllocatedOfSizeZero()) 2985 HandleUseZeroAlloc(C, RS->getStmt()->getSourceRange(), Sym); 2986 } 2987 else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) { 2988 HandleUseZeroAlloc(C, S->getSourceRange(), Sym); 2989 } 2990 } 2991 2992 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 2993 2994 if (isReleased(Sym, C)) { 2995 HandleDoubleDelete(C, Sym); 2996 return true; 2997 } 2998 return false; 2999 } 3000 3001 // Check if the location is a freed symbolic region. 3002 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 3003 CheckerContext &C) const { 3004 SymbolRef Sym = l.getLocSymbolInBase(); 3005 if (Sym) { 3006 checkUseAfterFree(Sym, C, S); 3007 checkUseZeroAllocated(Sym, C, S); 3008 } 3009 } 3010 3011 // If a symbolic region is assumed to NULL (or another constant), stop tracking 3012 // it - assuming that allocation failed on this path. 3013 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 3014 SVal Cond, 3015 bool Assumption) const { 3016 RegionStateTy RS = state->get<RegionState>(); 3017 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 3018 // If the symbol is assumed to be NULL, remove it from consideration. 3019 ConstraintManager &CMgr = state->getConstraintManager(); 3020 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 3021 if (AllocFailed.isConstrainedTrue()) 3022 state = state->remove<RegionState>(I.getKey()); 3023 } 3024 3025 // Realloc returns 0 when reallocation fails, which means that we should 3026 // restore the state of the pointer being reallocated. 3027 ReallocPairsTy RP = state->get<ReallocPairs>(); 3028 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 3029 // If the symbol is assumed to be NULL, remove it from consideration. 3030 ConstraintManager &CMgr = state->getConstraintManager(); 3031 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 3032 if (!AllocFailed.isConstrainedTrue()) 3033 continue; 3034 3035 SymbolRef ReallocSym = I.getData().ReallocatedSym; 3036 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 3037 if (RS->isReleased()) { 3038 switch (I.getData().Kind) { 3039 case OAR_ToBeFreedAfterFailure: 3040 state = state->set<RegionState>(ReallocSym, 3041 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 3042 break; 3043 case OAR_DoNotTrackAfterFailure: 3044 state = state->remove<RegionState>(ReallocSym); 3045 break; 3046 default: 3047 assert(I.getData().Kind == OAR_FreeOnFailure); 3048 } 3049 } 3050 } 3051 state = state->remove<ReallocPairs>(I.getKey()); 3052 } 3053 3054 return state; 3055 } 3056 3057 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 3058 const CallEvent *Call, 3059 ProgramStateRef State, 3060 SymbolRef &EscapingSymbol) const { 3061 assert(Call); 3062 EscapingSymbol = nullptr; 3063 3064 // For now, assume that any C++ or block call can free memory. 3065 // TODO: If we want to be more optimistic here, we'll need to make sure that 3066 // regions escape to C++ containers. They seem to do that even now, but for 3067 // mysterious reasons. 3068 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 3069 return true; 3070 3071 // Check Objective-C messages by selector name. 3072 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 3073 // If it's not a framework call, or if it takes a callback, assume it 3074 // can free memory. 3075 if (!Call->isInSystemHeader() || Call->argumentsMayEscape()) 3076 return true; 3077 3078 // If it's a method we know about, handle it explicitly post-call. 3079 // This should happen before the "freeWhenDone" check below. 3080 if (isKnownDeallocObjCMethodName(*Msg)) 3081 return false; 3082 3083 // If there's a "freeWhenDone" parameter, but the method isn't one we know 3084 // about, we can't be sure that the object will use free() to deallocate the 3085 // memory, so we can't model it explicitly. The best we can do is use it to 3086 // decide whether the pointer escapes. 3087 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 3088 return *FreeWhenDone; 3089 3090 // If the first selector piece ends with "NoCopy", and there is no 3091 // "freeWhenDone" parameter set to zero, we know ownership is being 3092 // transferred. Again, though, we can't be sure that the object will use 3093 // free() to deallocate the memory, so we can't model it explicitly. 3094 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 3095 if (FirstSlot.endswith("NoCopy")) 3096 return true; 3097 3098 // If the first selector starts with addPointer, insertPointer, 3099 // or replacePointer, assume we are dealing with NSPointerArray or similar. 3100 // This is similar to C++ containers (vector); we still might want to check 3101 // that the pointers get freed by following the container itself. 3102 if (FirstSlot.startswith("addPointer") || 3103 FirstSlot.startswith("insertPointer") || 3104 FirstSlot.startswith("replacePointer") || 3105 FirstSlot.equals("valueWithPointer")) { 3106 return true; 3107 } 3108 3109 // We should escape receiver on call to 'init'. This is especially relevant 3110 // to the receiver, as the corresponding symbol is usually not referenced 3111 // after the call. 3112 if (Msg->getMethodFamily() == OMF_init) { 3113 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 3114 return true; 3115 } 3116 3117 // Otherwise, assume that the method does not free memory. 3118 // Most framework methods do not free memory. 3119 return false; 3120 } 3121 3122 // At this point the only thing left to handle is straight function calls. 3123 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 3124 if (!FD) 3125 return true; 3126 3127 // If it's one of the allocation functions we can reason about, we model 3128 // its behavior explicitly. 3129 if (isMemCall(*Call)) 3130 return false; 3131 3132 // If it's not a system call, assume it frees memory. 3133 if (!Call->isInSystemHeader()) 3134 return true; 3135 3136 // White list the system functions whose arguments escape. 3137 const IdentifierInfo *II = FD->getIdentifier(); 3138 if (!II) 3139 return true; 3140 StringRef FName = II->getName(); 3141 3142 // White list the 'XXXNoCopy' CoreFoundation functions. 3143 // We specifically check these before 3144 if (FName.endswith("NoCopy")) { 3145 // Look for the deallocator argument. We know that the memory ownership 3146 // is not transferred only if the deallocator argument is 3147 // 'kCFAllocatorNull'. 3148 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 3149 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 3150 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 3151 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 3152 if (DeallocatorName == "kCFAllocatorNull") 3153 return false; 3154 } 3155 } 3156 return true; 3157 } 3158 3159 // Associating streams with malloced buffers. The pointer can escape if 3160 // 'closefn' is specified (and if that function does free memory), 3161 // but it will not if closefn is not specified. 3162 // Currently, we do not inspect the 'closefn' function (PR12101). 3163 if (FName == "funopen") 3164 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 3165 return false; 3166 3167 // Do not warn on pointers passed to 'setbuf' when used with std streams, 3168 // these leaks might be intentional when setting the buffer for stdio. 3169 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 3170 if (FName == "setbuf" || FName =="setbuffer" || 3171 FName == "setlinebuf" || FName == "setvbuf") { 3172 if (Call->getNumArgs() >= 1) { 3173 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 3174 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 3175 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 3176 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 3177 return true; 3178 } 3179 } 3180 3181 // A bunch of other functions which either take ownership of a pointer or 3182 // wrap the result up in a struct or object, meaning it can be freed later. 3183 // (See RetainCountChecker.) Not all the parameters here are invalidated, 3184 // but the Malloc checker cannot differentiate between them. The right way 3185 // of doing this would be to implement a pointer escapes callback. 3186 if (FName == "CGBitmapContextCreate" || 3187 FName == "CGBitmapContextCreateWithData" || 3188 FName == "CVPixelBufferCreateWithBytes" || 3189 FName == "CVPixelBufferCreateWithPlanarBytes" || 3190 FName == "OSAtomicEnqueue") { 3191 return true; 3192 } 3193 3194 if (FName == "postEvent" && 3195 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 3196 return true; 3197 } 3198 3199 if (FName == "connectImpl" && 3200 FD->getQualifiedNameAsString() == "QObject::connectImpl") { 3201 return true; 3202 } 3203 3204 // Handle cases where we know a buffer's /address/ can escape. 3205 // Note that the above checks handle some special cases where we know that 3206 // even though the address escapes, it's still our responsibility to free the 3207 // buffer. 3208 if (Call->argumentsMayEscape()) 3209 return true; 3210 3211 // Otherwise, assume that the function does not free memory. 3212 // Most system calls do not free the memory. 3213 return false; 3214 } 3215 3216 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 3217 const InvalidatedSymbols &Escaped, 3218 const CallEvent *Call, 3219 PointerEscapeKind Kind) const { 3220 return checkPointerEscapeAux(State, Escaped, Call, Kind, 3221 /*IsConstPointerEscape*/ false); 3222 } 3223 3224 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 3225 const InvalidatedSymbols &Escaped, 3226 const CallEvent *Call, 3227 PointerEscapeKind Kind) const { 3228 // If a const pointer escapes, it may not be freed(), but it could be deleted. 3229 return checkPointerEscapeAux(State, Escaped, Call, Kind, 3230 /*IsConstPointerEscape*/ true); 3231 } 3232 3233 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 3234 return (RS->getAllocationFamily() == AF_CXXNewArray || 3235 RS->getAllocationFamily() == AF_CXXNew); 3236 } 3237 3238 ProgramStateRef MallocChecker::checkPointerEscapeAux( 3239 ProgramStateRef State, const InvalidatedSymbols &Escaped, 3240 const CallEvent *Call, PointerEscapeKind Kind, 3241 bool IsConstPointerEscape) const { 3242 // If we know that the call does not free memory, or we want to process the 3243 // call later, keep tracking the top level arguments. 3244 SymbolRef EscapingSymbol = nullptr; 3245 if (Kind == PSK_DirectEscapeOnCall && 3246 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 3247 EscapingSymbol) && 3248 !EscapingSymbol) { 3249 return State; 3250 } 3251 3252 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 3253 E = Escaped.end(); 3254 I != E; ++I) { 3255 SymbolRef sym = *I; 3256 3257 if (EscapingSymbol && EscapingSymbol != sym) 3258 continue; 3259 3260 if (const RefState *RS = State->get<RegionState>(sym)) 3261 if (RS->isAllocated() || RS->isAllocatedOfSizeZero()) 3262 if (!IsConstPointerEscape || checkIfNewOrNewArrayFamily(RS)) 3263 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 3264 } 3265 return State; 3266 } 3267 3268 bool MallocChecker::isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C, 3269 SVal ArgVal) const { 3270 if (!KernelZeroSizePtrValue) 3271 KernelZeroSizePtrValue = 3272 tryExpandAsInteger("ZERO_SIZE_PTR", C.getPreprocessor()); 3273 3274 const llvm::APSInt *ArgValKnown = 3275 C.getSValBuilder().getKnownValue(State, ArgVal); 3276 return ArgValKnown && *KernelZeroSizePtrValue && 3277 ArgValKnown->getSExtValue() == **KernelZeroSizePtrValue; 3278 } 3279 3280 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 3281 ProgramStateRef prevState) { 3282 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 3283 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 3284 3285 for (const ReallocPairsTy::value_type &Pair : prevMap) { 3286 SymbolRef sym = Pair.first; 3287 if (!currMap.lookup(sym)) 3288 return sym; 3289 } 3290 3291 return nullptr; 3292 } 3293 3294 static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) { 3295 if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) { 3296 StringRef N = II->getName(); 3297 if (N.contains_insensitive("ptr") || N.contains_insensitive("pointer")) { 3298 if (N.contains_insensitive("ref") || N.contains_insensitive("cnt") || 3299 N.contains_insensitive("intrusive") || 3300 N.contains_insensitive("shared")) { 3301 return true; 3302 } 3303 } 3304 } 3305 return false; 3306 } 3307 3308 PathDiagnosticPieceRef MallocBugVisitor::VisitNode(const ExplodedNode *N, 3309 BugReporterContext &BRC, 3310 PathSensitiveBugReport &BR) { 3311 ProgramStateRef state = N->getState(); 3312 ProgramStateRef statePrev = N->getFirstPred()->getState(); 3313 3314 const RefState *RSCurr = state->get<RegionState>(Sym); 3315 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 3316 3317 const Stmt *S = N->getStmtForDiagnostics(); 3318 // When dealing with containers, we sometimes want to give a note 3319 // even if the statement is missing. 3320 if (!S && (!RSCurr || RSCurr->getAllocationFamily() != AF_InnerBuffer)) 3321 return nullptr; 3322 3323 const LocationContext *CurrentLC = N->getLocationContext(); 3324 3325 // If we find an atomic fetch_add or fetch_sub within the destructor in which 3326 // the pointer was released (before the release), this is likely a destructor 3327 // of a shared pointer. 3328 // Because we don't model atomics, and also because we don't know that the 3329 // original reference count is positive, we should not report use-after-frees 3330 // on objects deleted in such destructors. This can probably be improved 3331 // through better shared pointer modeling. 3332 if (ReleaseDestructorLC) { 3333 if (const auto *AE = dyn_cast<AtomicExpr>(S)) { 3334 AtomicExpr::AtomicOp Op = AE->getOp(); 3335 if (Op == AtomicExpr::AO__c11_atomic_fetch_add || 3336 Op == AtomicExpr::AO__c11_atomic_fetch_sub) { 3337 if (ReleaseDestructorLC == CurrentLC || 3338 ReleaseDestructorLC->isParentOf(CurrentLC)) { 3339 BR.markInvalid(getTag(), S); 3340 } 3341 } 3342 } 3343 } 3344 3345 // FIXME: We will eventually need to handle non-statement-based events 3346 // (__attribute__((cleanup))). 3347 3348 // Find out if this is an interesting point and what is the kind. 3349 StringRef Msg; 3350 std::unique_ptr<StackHintGeneratorForSymbol> StackHint = nullptr; 3351 SmallString<256> Buf; 3352 llvm::raw_svector_ostream OS(Buf); 3353 3354 if (Mode == Normal) { 3355 if (isAllocated(RSCurr, RSPrev, S)) { 3356 Msg = "Memory is allocated"; 3357 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3358 Sym, "Returned allocated memory"); 3359 } else if (isReleased(RSCurr, RSPrev, S)) { 3360 const auto Family = RSCurr->getAllocationFamily(); 3361 switch (Family) { 3362 case AF_Alloca: 3363 case AF_Malloc: 3364 case AF_CXXNew: 3365 case AF_CXXNewArray: 3366 case AF_IfNameIndex: 3367 Msg = "Memory is released"; 3368 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3369 Sym, "Returning; memory was released"); 3370 break; 3371 case AF_InnerBuffer: { 3372 const MemRegion *ObjRegion = 3373 allocation_state::getContainerObjRegion(statePrev, Sym); 3374 const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion); 3375 QualType ObjTy = TypedRegion->getValueType(); 3376 OS << "Inner buffer of '" << ObjTy.getAsString() << "' "; 3377 3378 if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) { 3379 OS << "deallocated by call to destructor"; 3380 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3381 Sym, "Returning; inner buffer was deallocated"); 3382 } else { 3383 OS << "reallocated by call to '"; 3384 const Stmt *S = RSCurr->getStmt(); 3385 if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) { 3386 OS << MemCallE->getMethodDecl()->getDeclName(); 3387 } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) { 3388 OS << OpCallE->getDirectCallee()->getDeclName(); 3389 } else if (const auto *CallE = dyn_cast<CallExpr>(S)) { 3390 auto &CEMgr = BRC.getStateManager().getCallEventManager(); 3391 CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC); 3392 if (const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl())) 3393 OS << D->getDeclName(); 3394 else 3395 OS << "unknown"; 3396 } 3397 OS << "'"; 3398 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3399 Sym, "Returning; inner buffer was reallocated"); 3400 } 3401 Msg = OS.str(); 3402 break; 3403 } 3404 case AF_None: 3405 llvm_unreachable("Unhandled allocation family!"); 3406 } 3407 3408 // See if we're releasing memory while inlining a destructor 3409 // (or one of its callees). This turns on various common 3410 // false positive suppressions. 3411 bool FoundAnyDestructor = false; 3412 for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) { 3413 if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) { 3414 if (isReferenceCountingPointerDestructor(DD)) { 3415 // This immediately looks like a reference-counting destructor. 3416 // We're bad at guessing the original reference count of the object, 3417 // so suppress the report for now. 3418 BR.markInvalid(getTag(), DD); 3419 } else if (!FoundAnyDestructor) { 3420 assert(!ReleaseDestructorLC && 3421 "There can be only one release point!"); 3422 // Suspect that it's a reference counting pointer destructor. 3423 // On one of the next nodes might find out that it has atomic 3424 // reference counting operations within it (see the code above), 3425 // and if so, we'd conclude that it likely is a reference counting 3426 // pointer destructor. 3427 ReleaseDestructorLC = LC->getStackFrame(); 3428 // It is unlikely that releasing memory is delegated to a destructor 3429 // inside a destructor of a shared pointer, because it's fairly hard 3430 // to pass the information that the pointer indeed needs to be 3431 // released into it. So we're only interested in the innermost 3432 // destructor. 3433 FoundAnyDestructor = true; 3434 } 3435 } 3436 } 3437 } else if (isRelinquished(RSCurr, RSPrev, S)) { 3438 Msg = "Memory ownership is transferred"; 3439 StackHint = std::make_unique<StackHintGeneratorForSymbol>(Sym, ""); 3440 } else if (hasReallocFailed(RSCurr, RSPrev, S)) { 3441 Mode = ReallocationFailed; 3442 Msg = "Reallocation failed"; 3443 StackHint = std::make_unique<StackHintGeneratorForReallocationFailed>( 3444 Sym, "Reallocation failed"); 3445 3446 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 3447 // Is it possible to fail two reallocs WITHOUT testing in between? 3448 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 3449 "We only support one failed realloc at a time."); 3450 BR.markInteresting(sym); 3451 FailedReallocSymbol = sym; 3452 } 3453 } 3454 3455 // We are in a special mode if a reallocation failed later in the path. 3456 } else if (Mode == ReallocationFailed) { 3457 assert(FailedReallocSymbol && "No symbol to look for."); 3458 3459 // Is this is the first appearance of the reallocated symbol? 3460 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 3461 // We're at the reallocation point. 3462 Msg = "Attempt to reallocate memory"; 3463 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3464 Sym, "Returned reallocated memory"); 3465 FailedReallocSymbol = nullptr; 3466 Mode = Normal; 3467 } 3468 } 3469 3470 if (Msg.empty()) { 3471 assert(!StackHint); 3472 return nullptr; 3473 } 3474 3475 assert(StackHint); 3476 3477 // Generate the extra diagnostic. 3478 PathDiagnosticLocation Pos; 3479 if (!S) { 3480 assert(RSCurr->getAllocationFamily() == AF_InnerBuffer); 3481 auto PostImplCall = N->getLocation().getAs<PostImplicitCall>(); 3482 if (!PostImplCall) 3483 return nullptr; 3484 Pos = PathDiagnosticLocation(PostImplCall->getLocation(), 3485 BRC.getSourceManager()); 3486 } else { 3487 Pos = PathDiagnosticLocation(S, BRC.getSourceManager(), 3488 N->getLocationContext()); 3489 } 3490 3491 auto P = std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true); 3492 BR.addCallStackHint(P, std::move(StackHint)); 3493 return P; 3494 } 3495 3496 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 3497 const char *NL, const char *Sep) const { 3498 3499 RegionStateTy RS = State->get<RegionState>(); 3500 3501 if (!RS.isEmpty()) { 3502 Out << Sep << "MallocChecker :" << NL; 3503 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 3504 const RefState *RefS = State->get<RegionState>(I.getKey()); 3505 AllocationFamily Family = RefS->getAllocationFamily(); 3506 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 3507 if (!CheckKind.hasValue()) 3508 CheckKind = getCheckIfTracked(Family, true); 3509 3510 I.getKey()->dumpToStream(Out); 3511 Out << " : "; 3512 I.getData().dump(Out); 3513 if (CheckKind.hasValue()) 3514 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 3515 Out << NL; 3516 } 3517 } 3518 } 3519 3520 namespace clang { 3521 namespace ento { 3522 namespace allocation_state { 3523 3524 ProgramStateRef 3525 markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) { 3526 AllocationFamily Family = AF_InnerBuffer; 3527 return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin)); 3528 } 3529 3530 } // end namespace allocation_state 3531 } // end namespace ento 3532 } // end namespace clang 3533 3534 // Intended to be used in InnerPointerChecker to register the part of 3535 // MallocChecker connected to it. 3536 void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) { 3537 MallocChecker *checker = mgr.getChecker<MallocChecker>(); 3538 checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true; 3539 checker->CheckNames[MallocChecker::CK_InnerPointerChecker] = 3540 mgr.getCurrentCheckerName(); 3541 } 3542 3543 void ento::registerDynamicMemoryModeling(CheckerManager &mgr) { 3544 auto *checker = mgr.registerChecker<MallocChecker>(); 3545 checker->ShouldIncludeOwnershipAnnotatedFunctions = 3546 mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic"); 3547 checker->ShouldRegisterNoOwnershipChangeVisitor = 3548 mgr.getAnalyzerOptions().getCheckerBooleanOption( 3549 checker, "AddNoOwnershipChangeNotes"); 3550 } 3551 3552 bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) { 3553 return true; 3554 } 3555 3556 #define REGISTER_CHECKER(name) \ 3557 void ento::register##name(CheckerManager &mgr) { \ 3558 MallocChecker *checker = mgr.getChecker<MallocChecker>(); \ 3559 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 3560 checker->CheckNames[MallocChecker::CK_##name] = \ 3561 mgr.getCurrentCheckerName(); \ 3562 } \ 3563 \ 3564 bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; } 3565 3566 REGISTER_CHECKER(MallocChecker) 3567 REGISTER_CHECKER(NewDeleteChecker) 3568 REGISTER_CHECKER(NewDeleteLeaksChecker) 3569 REGISTER_CHECKER(MismatchedDeallocatorChecker) 3570