1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/AST/ParentMap.h" 19 #include "clang/Basic/SourceManager.h" 20 #include "clang/Basic/TargetInfo.h" 21 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 22 #include "clang/StaticAnalyzer/Core/Checker.h" 23 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 27 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 28 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 29 #include "llvm/ADT/ImmutableMap.h" 30 #include "llvm/ADT/STLExtras.h" 31 #include "llvm/ADT/SmallString.h" 32 #include "llvm/ADT/StringExtras.h" 33 #include <climits> 34 35 using namespace clang; 36 using namespace ento; 37 38 namespace { 39 40 // Used to check correspondence between allocators and deallocators. 41 enum AllocationFamily { 42 AF_None, 43 AF_Malloc, 44 AF_CXXNew, 45 AF_CXXNewArray, 46 AF_IfNameIndex, 47 AF_Alloca 48 }; 49 50 class RefState { 51 enum Kind { // Reference to allocated memory. 52 Allocated, 53 // Reference to released/freed memory. 54 Released, 55 // The responsibility for freeing resources has transferred from 56 // this reference. A relinquished symbol should not be freed. 57 Relinquished, 58 // We are no longer guaranteed to have observed all manipulations 59 // of this pointer/memory. For example, it could have been 60 // passed as a parameter to an opaque function. 61 Escaped 62 }; 63 64 const Stmt *S; 65 unsigned K : 2; // Kind enum, but stored as a bitfield. 66 unsigned Family : 30; // Rest of 32-bit word, currently just an allocation 67 // family. 68 69 RefState(Kind k, const Stmt *s, unsigned family) 70 : S(s), K(k), Family(family) { 71 assert(family != AF_None); 72 } 73 public: 74 bool isAllocated() const { return K == Allocated; } 75 bool isReleased() const { return K == Released; } 76 bool isRelinquished() const { return K == Relinquished; } 77 bool isEscaped() const { return K == Escaped; } 78 AllocationFamily getAllocationFamily() const { 79 return (AllocationFamily)Family; 80 } 81 const Stmt *getStmt() const { return S; } 82 83 bool operator==(const RefState &X) const { 84 return K == X.K && S == X.S && Family == X.Family; 85 } 86 87 static RefState getAllocated(unsigned family, const Stmt *s) { 88 return RefState(Allocated, s, family); 89 } 90 static RefState getReleased(unsigned family, const Stmt *s) { 91 return RefState(Released, s, family); 92 } 93 static RefState getRelinquished(unsigned family, const Stmt *s) { 94 return RefState(Relinquished, s, family); 95 } 96 static RefState getEscaped(const RefState *RS) { 97 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 98 } 99 100 void Profile(llvm::FoldingSetNodeID &ID) const { 101 ID.AddInteger(K); 102 ID.AddPointer(S); 103 ID.AddInteger(Family); 104 } 105 106 void dump(raw_ostream &OS) const { 107 switch (static_cast<Kind>(K)) { 108 #define CASE(ID) case ID: OS << #ID; break; 109 CASE(Allocated) 110 CASE(Released) 111 CASE(Relinquished) 112 CASE(Escaped) 113 } 114 } 115 116 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 117 }; 118 119 enum ReallocPairKind { 120 RPToBeFreedAfterFailure, 121 // The symbol has been freed when reallocation failed. 122 RPIsFreeOnFailure, 123 // The symbol does not need to be freed after reallocation fails. 124 RPDoNotTrackAfterFailure 125 }; 126 127 /// \class ReallocPair 128 /// \brief Stores information about the symbol being reallocated by a call to 129 /// 'realloc' to allow modeling failed reallocation later in the path. 130 struct ReallocPair { 131 // \brief The symbol which realloc reallocated. 132 SymbolRef ReallocatedSym; 133 ReallocPairKind Kind; 134 135 ReallocPair(SymbolRef S, ReallocPairKind K) : 136 ReallocatedSym(S), Kind(K) {} 137 void Profile(llvm::FoldingSetNodeID &ID) const { 138 ID.AddInteger(Kind); 139 ID.AddPointer(ReallocatedSym); 140 } 141 bool operator==(const ReallocPair &X) const { 142 return ReallocatedSym == X.ReallocatedSym && 143 Kind == X.Kind; 144 } 145 }; 146 147 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 148 149 class MallocChecker : public Checker<check::DeadSymbols, 150 check::PointerEscape, 151 check::ConstPointerEscape, 152 check::PreStmt<ReturnStmt>, 153 check::PreCall, 154 check::PostStmt<CallExpr>, 155 check::PostStmt<CXXNewExpr>, 156 check::PreStmt<CXXDeleteExpr>, 157 check::PostStmt<BlockExpr>, 158 check::PostObjCMessage, 159 check::Location, 160 eval::Assume> 161 { 162 public: 163 MallocChecker() 164 : II_alloca(nullptr), II_malloc(nullptr), II_free(nullptr), 165 II_realloc(nullptr), II_calloc(nullptr), II_valloc(nullptr), 166 II_reallocf(nullptr), II_strndup(nullptr), II_strdup(nullptr), 167 II_kmalloc(nullptr), II_if_nameindex(nullptr), 168 II_if_freenameindex(nullptr) {} 169 170 /// In pessimistic mode, the checker assumes that it does not know which 171 /// functions might free the memory. 172 enum CheckKind { 173 CK_MallocChecker, 174 CK_NewDeleteChecker, 175 CK_NewDeleteLeaksChecker, 176 CK_MismatchedDeallocatorChecker, 177 CK_NumCheckKinds 178 }; 179 180 enum class MemoryOperationKind { 181 MOK_Allocate, 182 MOK_Free, 183 MOK_Any 184 }; 185 186 DefaultBool IsOptimistic; 187 188 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 189 CheckName CheckNames[CK_NumCheckKinds]; 190 191 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 192 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 193 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 194 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 195 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 196 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 197 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 198 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 199 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 200 bool Assumption) const; 201 void checkLocation(SVal l, bool isLoad, const Stmt *S, 202 CheckerContext &C) const; 203 204 ProgramStateRef checkPointerEscape(ProgramStateRef State, 205 const InvalidatedSymbols &Escaped, 206 const CallEvent *Call, 207 PointerEscapeKind Kind) const; 208 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 209 const InvalidatedSymbols &Escaped, 210 const CallEvent *Call, 211 PointerEscapeKind Kind) const; 212 213 void printState(raw_ostream &Out, ProgramStateRef State, 214 const char *NL, const char *Sep) const override; 215 216 private: 217 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 218 mutable std::unique_ptr<BugType> BT_DoubleDelete; 219 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; 220 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; 221 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; 222 mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds]; 223 mutable std::unique_ptr<BugType> BT_MismatchedDealloc; 224 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 225 mutable IdentifierInfo *II_alloca, *II_malloc, *II_free, *II_realloc, 226 *II_calloc, *II_valloc, *II_reallocf, *II_strndup, 227 *II_strdup, *II_kmalloc, *II_if_nameindex, 228 *II_if_freenameindex; 229 mutable Optional<uint64_t> KernelZeroFlagVal; 230 231 void initIdentifierInfo(ASTContext &C) const; 232 233 /// \brief Determine family of a deallocation expression. 234 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 235 236 /// \brief Print names of allocators and deallocators. 237 /// 238 /// \returns true on success. 239 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 240 const Expr *E) const; 241 242 /// \brief Print expected name of an allocator based on the deallocator's 243 /// family derived from the DeallocExpr. 244 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 245 const Expr *DeallocExpr) const; 246 /// \brief Print expected name of a deallocator based on the allocator's 247 /// family. 248 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 249 250 ///@{ 251 /// Check if this is one of the functions which can allocate/reallocate memory 252 /// pointed to by one of its arguments. 253 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 254 bool isCMemFunction(const FunctionDecl *FD, 255 ASTContext &C, 256 AllocationFamily Family, 257 MemoryOperationKind MemKind) const; 258 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 259 ///@} 260 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 261 const CallExpr *CE, 262 const OwnershipAttr* Att, 263 ProgramStateRef State) const; 264 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 265 const Expr *SizeEx, SVal Init, 266 ProgramStateRef State, 267 AllocationFamily Family = AF_Malloc); 268 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 269 SVal SizeEx, SVal Init, 270 ProgramStateRef State, 271 AllocationFamily Family = AF_Malloc); 272 273 // Check if this malloc() for special flags. At present that means M_ZERO or 274 // __GFP_ZERO (in which case, treat it like calloc). 275 llvm::Optional<ProgramStateRef> 276 performKernelMalloc(const CallExpr *CE, CheckerContext &C, 277 const ProgramStateRef &State) const; 278 279 /// Update the RefState to reflect the new memory allocation. 280 static ProgramStateRef 281 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 282 AllocationFamily Family = AF_Malloc); 283 284 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 285 const OwnershipAttr* Att, 286 ProgramStateRef State) const; 287 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 288 ProgramStateRef state, unsigned Num, 289 bool Hold, 290 bool &ReleasedAllocated, 291 bool ReturnsNullOnFailure = false) const; 292 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 293 const Expr *ParentExpr, 294 ProgramStateRef State, 295 bool Hold, 296 bool &ReleasedAllocated, 297 bool ReturnsNullOnFailure = false) const; 298 299 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 300 bool FreesMemOnFailure, 301 ProgramStateRef State) const; 302 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE, 303 ProgramStateRef State); 304 305 ///\brief Check if the memory associated with this symbol was released. 306 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 307 308 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 309 310 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 311 312 /// Check if the function is known free memory, or if it is 313 /// "interesting" and should be modeled explicitly. 314 /// 315 /// \param [out] EscapingSymbol A function might not free memory in general, 316 /// but could be known to free a particular symbol. In this case, false is 317 /// returned and the single escaping symbol is returned through the out 318 /// parameter. 319 /// 320 /// We assume that pointers do not escape through calls to system functions 321 /// not handled by this checker. 322 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 323 ProgramStateRef State, 324 SymbolRef &EscapingSymbol) const; 325 326 // Implementation of the checkPointerEscape callabcks. 327 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 328 const InvalidatedSymbols &Escaped, 329 const CallEvent *Call, 330 PointerEscapeKind Kind, 331 bool(*CheckRefState)(const RefState*)) const; 332 333 ///@{ 334 /// Tells if a given family/call/symbol is tracked by the current checker. 335 /// Sets CheckKind to the kind of the checker responsible for this 336 /// family/call/symbol. 337 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family) const; 338 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, 339 const Stmt *AllocDeallocStmt) const; 340 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const; 341 ///@} 342 static bool SummarizeValue(raw_ostream &os, SVal V); 343 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 344 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 345 const Expr *DeallocExpr) const; 346 void ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 347 SourceRange Range) const; 348 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 349 const Expr *DeallocExpr, const RefState *RS, 350 SymbolRef Sym, bool OwnershipTransferred) const; 351 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 352 const Expr *DeallocExpr, 353 const Expr *AllocExpr = nullptr) const; 354 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 355 SymbolRef Sym) const; 356 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 357 SymbolRef Sym, SymbolRef PrevSym) const; 358 359 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 360 361 /// Find the location of the allocation for Sym on the path leading to the 362 /// exploded node N. 363 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 364 CheckerContext &C) const; 365 366 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 367 368 /// The bug visitor which allows us to print extra diagnostics along the 369 /// BugReport path. For example, showing the allocation site of the leaked 370 /// region. 371 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 372 protected: 373 enum NotificationMode { 374 Normal, 375 ReallocationFailed 376 }; 377 378 // The allocated region symbol tracked by the main analysis. 379 SymbolRef Sym; 380 381 // The mode we are in, i.e. what kind of diagnostics will be emitted. 382 NotificationMode Mode; 383 384 // A symbol from when the primary region should have been reallocated. 385 SymbolRef FailedReallocSymbol; 386 387 bool IsLeak; 388 389 public: 390 MallocBugVisitor(SymbolRef S, bool isLeak = false) 391 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), IsLeak(isLeak) {} 392 393 virtual ~MallocBugVisitor() {} 394 395 void Profile(llvm::FoldingSetNodeID &ID) const override { 396 static int X = 0; 397 ID.AddPointer(&X); 398 ID.AddPointer(Sym); 399 } 400 401 inline bool isAllocated(const RefState *S, const RefState *SPrev, 402 const Stmt *Stmt) { 403 // Did not track -> allocated. Other state (released) -> allocated. 404 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 405 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 406 } 407 408 inline bool isReleased(const RefState *S, const RefState *SPrev, 409 const Stmt *Stmt) { 410 // Did not track -> released. Other state (allocated) -> released. 411 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 412 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 413 } 414 415 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 416 const Stmt *Stmt) { 417 // Did not track -> relinquished. Other state (allocated) -> relinquished. 418 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 419 isa<ObjCPropertyRefExpr>(Stmt)) && 420 (S && S->isRelinquished()) && 421 (!SPrev || !SPrev->isRelinquished())); 422 } 423 424 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 425 const Stmt *Stmt) { 426 // If the expression is not a call, and the state change is 427 // released -> allocated, it must be the realloc return value 428 // check. If we have to handle more cases here, it might be cleaner just 429 // to track this extra bit in the state itself. 430 return ((!Stmt || !isa<CallExpr>(Stmt)) && 431 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 432 } 433 434 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 435 const ExplodedNode *PrevN, 436 BugReporterContext &BRC, 437 BugReport &BR) override; 438 439 std::unique_ptr<PathDiagnosticPiece> 440 getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode, 441 BugReport &BR) override { 442 if (!IsLeak) 443 return nullptr; 444 445 PathDiagnosticLocation L = 446 PathDiagnosticLocation::createEndOfPath(EndPathNode, 447 BRC.getSourceManager()); 448 // Do not add the statement itself as a range in case of leak. 449 return llvm::make_unique<PathDiagnosticEventPiece>(L, BR.getDescription(), 450 false); 451 } 452 453 private: 454 class StackHintGeneratorForReallocationFailed 455 : public StackHintGeneratorForSymbol { 456 public: 457 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 458 : StackHintGeneratorForSymbol(S, M) {} 459 460 std::string getMessageForArg(const Expr *ArgE, 461 unsigned ArgIndex) override { 462 // Printed parameters start at 1, not 0. 463 ++ArgIndex; 464 465 SmallString<200> buf; 466 llvm::raw_svector_ostream os(buf); 467 468 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 469 << " parameter failed"; 470 471 return os.str(); 472 } 473 474 std::string getMessageForReturn(const CallExpr *CallExpr) override { 475 return "Reallocation of returned value failed"; 476 } 477 }; 478 }; 479 }; 480 } // end anonymous namespace 481 482 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 483 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 484 485 // A map from the freed symbol to the symbol representing the return value of 486 // the free function. 487 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 488 489 namespace { 490 class StopTrackingCallback : public SymbolVisitor { 491 ProgramStateRef state; 492 public: 493 StopTrackingCallback(ProgramStateRef st) : state(st) {} 494 ProgramStateRef getState() const { return state; } 495 496 bool VisitSymbol(SymbolRef sym) override { 497 state = state->remove<RegionState>(sym); 498 return true; 499 } 500 }; 501 } // end anonymous namespace 502 503 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 504 if (II_malloc) 505 return; 506 II_alloca = &Ctx.Idents.get("alloca"); 507 II_malloc = &Ctx.Idents.get("malloc"); 508 II_free = &Ctx.Idents.get("free"); 509 II_realloc = &Ctx.Idents.get("realloc"); 510 II_reallocf = &Ctx.Idents.get("reallocf"); 511 II_calloc = &Ctx.Idents.get("calloc"); 512 II_valloc = &Ctx.Idents.get("valloc"); 513 II_strdup = &Ctx.Idents.get("strdup"); 514 II_strndup = &Ctx.Idents.get("strndup"); 515 II_kmalloc = &Ctx.Idents.get("kmalloc"); 516 II_if_nameindex = &Ctx.Idents.get("if_nameindex"); 517 II_if_freenameindex = &Ctx.Idents.get("if_freenameindex"); 518 } 519 520 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 521 if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any)) 522 return true; 523 524 if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 525 return true; 526 527 if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any)) 528 return true; 529 530 if (isStandardNewDelete(FD, C)) 531 return true; 532 533 return false; 534 } 535 536 bool MallocChecker::isCMemFunction(const FunctionDecl *FD, 537 ASTContext &C, 538 AllocationFamily Family, 539 MemoryOperationKind MemKind) const { 540 if (!FD) 541 return false; 542 543 bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any || 544 MemKind == MemoryOperationKind::MOK_Free); 545 bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any || 546 MemKind == MemoryOperationKind::MOK_Allocate); 547 548 if (FD->getKind() == Decl::Function) { 549 const IdentifierInfo *FunI = FD->getIdentifier(); 550 initIdentifierInfo(C); 551 552 if (Family == AF_Malloc && CheckFree) { 553 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 554 return true; 555 } 556 557 if (Family == AF_Malloc && CheckAlloc) { 558 if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf || 559 FunI == II_calloc || FunI == II_valloc || FunI == II_strdup || 560 FunI == II_strndup || FunI == II_kmalloc) 561 return true; 562 } 563 564 if (Family == AF_IfNameIndex && CheckFree) { 565 if (FunI == II_if_freenameindex) 566 return true; 567 } 568 569 if (Family == AF_IfNameIndex && CheckAlloc) { 570 if (FunI == II_if_nameindex) 571 return true; 572 } 573 574 if (Family == AF_Alloca && CheckAlloc) { 575 if (FunI == II_alloca) 576 return true; 577 } 578 } 579 580 if (Family != AF_Malloc) 581 return false; 582 583 if (IsOptimistic && FD->hasAttrs()) { 584 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 585 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 586 if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) { 587 if (CheckFree) 588 return true; 589 } else if (OwnKind == OwnershipAttr::Returns) { 590 if (CheckAlloc) 591 return true; 592 } 593 } 594 } 595 596 return false; 597 } 598 599 // Tells if the callee is one of the following: 600 // 1) A global non-placement new/delete operator function. 601 // 2) A global placement operator function with the single placement argument 602 // of type std::nothrow_t. 603 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 604 ASTContext &C) const { 605 if (!FD) 606 return false; 607 608 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 609 if (Kind != OO_New && Kind != OO_Array_New && 610 Kind != OO_Delete && Kind != OO_Array_Delete) 611 return false; 612 613 // Skip all operator new/delete methods. 614 if (isa<CXXMethodDecl>(FD)) 615 return false; 616 617 // Return true if tested operator is a standard placement nothrow operator. 618 if (FD->getNumParams() == 2) { 619 QualType T = FD->getParamDecl(1)->getType(); 620 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 621 return II->getName().equals("nothrow_t"); 622 } 623 624 // Skip placement operators. 625 if (FD->getNumParams() != 1 || FD->isVariadic()) 626 return false; 627 628 // One of the standard new/new[]/delete/delete[] non-placement operators. 629 return true; 630 } 631 632 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc( 633 const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const { 634 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: 635 // 636 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); 637 // 638 // One of the possible flags is M_ZERO, which means 'give me back an 639 // allocation which is already zeroed', like calloc. 640 641 // 2-argument kmalloc(), as used in the Linux kernel: 642 // 643 // void *kmalloc(size_t size, gfp_t flags); 644 // 645 // Has the similar flag value __GFP_ZERO. 646 647 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some 648 // code could be shared. 649 650 ASTContext &Ctx = C.getASTContext(); 651 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); 652 653 if (!KernelZeroFlagVal.hasValue()) { 654 if (OS == llvm::Triple::FreeBSD) 655 KernelZeroFlagVal = 0x0100; 656 else if (OS == llvm::Triple::NetBSD) 657 KernelZeroFlagVal = 0x0002; 658 else if (OS == llvm::Triple::OpenBSD) 659 KernelZeroFlagVal = 0x0008; 660 else if (OS == llvm::Triple::Linux) 661 // __GFP_ZERO 662 KernelZeroFlagVal = 0x8000; 663 else 664 // FIXME: We need a more general way of getting the M_ZERO value. 665 // See also: O_CREAT in UnixAPIChecker.cpp. 666 667 // Fall back to normal malloc behavior on platforms where we don't 668 // know M_ZERO. 669 return None; 670 } 671 672 // We treat the last argument as the flags argument, and callers fall-back to 673 // normal malloc on a None return. This works for the FreeBSD kernel malloc 674 // as well as Linux kmalloc. 675 if (CE->getNumArgs() < 2) 676 return None; 677 678 const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1); 679 const SVal V = State->getSVal(FlagsEx, C.getLocationContext()); 680 if (!V.getAs<NonLoc>()) { 681 // The case where 'V' can be a location can only be due to a bad header, 682 // so in this case bail out. 683 return None; 684 } 685 686 NonLoc Flags = V.castAs<NonLoc>(); 687 NonLoc ZeroFlag = C.getSValBuilder() 688 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) 689 .castAs<NonLoc>(); 690 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, 691 Flags, ZeroFlag, 692 FlagsEx->getType()); 693 if (MaskedFlagsUC.isUnknownOrUndef()) 694 return None; 695 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); 696 697 // Check if maskedFlags is non-zero. 698 ProgramStateRef TrueState, FalseState; 699 std::tie(TrueState, FalseState) = State->assume(MaskedFlags); 700 701 // If M_ZERO is set, treat this like calloc (initialized). 702 if (TrueState && !FalseState) { 703 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); 704 return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState); 705 } 706 707 return None; 708 } 709 710 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 711 if (C.wasInlined) 712 return; 713 714 const FunctionDecl *FD = C.getCalleeDecl(CE); 715 if (!FD) 716 return; 717 718 ProgramStateRef State = C.getState(); 719 bool ReleasedAllocatedMemory = false; 720 721 if (FD->getKind() == Decl::Function) { 722 initIdentifierInfo(C.getASTContext()); 723 IdentifierInfo *FunI = FD->getIdentifier(); 724 725 if (FunI == II_malloc) { 726 if (CE->getNumArgs() < 1) 727 return; 728 if (CE->getNumArgs() < 3) { 729 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 730 } else if (CE->getNumArgs() == 3) { 731 llvm::Optional<ProgramStateRef> MaybeState = 732 performKernelMalloc(CE, C, State); 733 if (MaybeState.hasValue()) 734 State = MaybeState.getValue(); 735 else 736 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 737 } 738 } else if (FunI == II_kmalloc) { 739 llvm::Optional<ProgramStateRef> MaybeState = 740 performKernelMalloc(CE, C, State); 741 if (MaybeState.hasValue()) 742 State = MaybeState.getValue(); 743 else 744 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 745 } else if (FunI == II_valloc) { 746 if (CE->getNumArgs() < 1) 747 return; 748 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 749 } else if (FunI == II_realloc) { 750 State = ReallocMem(C, CE, false, State); 751 } else if (FunI == II_reallocf) { 752 State = ReallocMem(C, CE, true, State); 753 } else if (FunI == II_calloc) { 754 State = CallocMem(C, CE, State); 755 } else if (FunI == II_free) { 756 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 757 } else if (FunI == II_strdup) { 758 State = MallocUpdateRefState(C, CE, State); 759 } else if (FunI == II_strndup) { 760 State = MallocUpdateRefState(C, CE, State); 761 } else if (FunI == II_alloca) { 762 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 763 AF_Alloca); 764 } else if (isStandardNewDelete(FD, C.getASTContext())) { 765 // Process direct calls to operator new/new[]/delete/delete[] functions 766 // as distinct from new/new[]/delete/delete[] expressions that are 767 // processed by the checkPostStmt callbacks for CXXNewExpr and 768 // CXXDeleteExpr. 769 OverloadedOperatorKind K = FD->getOverloadedOperator(); 770 if (K == OO_New) 771 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 772 AF_CXXNew); 773 else if (K == OO_Array_New) 774 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 775 AF_CXXNewArray); 776 else if (K == OO_Delete || K == OO_Array_Delete) 777 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 778 else 779 llvm_unreachable("not a new/delete operator"); 780 } else if (FunI == II_if_nameindex) { 781 // Should we model this differently? We can allocate a fixed number of 782 // elements with zeros in the last one. 783 State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, 784 AF_IfNameIndex); 785 } else if (FunI == II_if_freenameindex) { 786 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 787 } 788 } 789 790 if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 791 // Check all the attributes, if there are any. 792 // There can be multiple of these attributes. 793 if (FD->hasAttrs()) 794 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 795 switch (I->getOwnKind()) { 796 case OwnershipAttr::Returns: 797 State = MallocMemReturnsAttr(C, CE, I, State); 798 break; 799 case OwnershipAttr::Takes: 800 case OwnershipAttr::Holds: 801 State = FreeMemAttr(C, CE, I, State); 802 break; 803 } 804 } 805 } 806 C.addTransition(State); 807 } 808 809 static QualType getDeepPointeeType(QualType T) { 810 QualType Result = T, PointeeType = T->getPointeeType(); 811 while (!PointeeType.isNull()) { 812 Result = PointeeType; 813 PointeeType = PointeeType->getPointeeType(); 814 } 815 return Result; 816 } 817 818 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) { 819 820 const CXXConstructExpr *ConstructE = NE->getConstructExpr(); 821 if (!ConstructE) 822 return false; 823 824 if (!NE->getAllocatedType()->getAsCXXRecordDecl()) 825 return false; 826 827 const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); 828 829 // Iterate over the constructor parameters. 830 for (const auto *CtorParam : CtorD->params()) { 831 832 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); 833 if (CtorParamPointeeT.isNull()) 834 continue; 835 836 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); 837 838 if (CtorParamPointeeT->getAsCXXRecordDecl()) 839 return true; 840 } 841 842 return false; 843 } 844 845 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 846 CheckerContext &C) const { 847 848 if (NE->getNumPlacementArgs()) 849 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 850 E = NE->placement_arg_end(); I != E; ++I) 851 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 852 checkUseAfterFree(Sym, C, *I); 853 854 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 855 return; 856 857 ParentMap &PM = C.getLocationContext()->getParentMap(); 858 if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE)) 859 return; 860 861 ProgramStateRef State = C.getState(); 862 // The return value from operator new is bound to a specified initialization 863 // value (if any) and we don't want to loose this value. So we call 864 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 865 // existing binding. 866 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 867 : AF_CXXNew); 868 C.addTransition(State); 869 } 870 871 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 872 CheckerContext &C) const { 873 874 if (!ChecksEnabled[CK_NewDeleteChecker]) 875 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 876 checkUseAfterFree(Sym, C, DE->getArgument()); 877 878 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 879 return; 880 881 ProgramStateRef State = C.getState(); 882 bool ReleasedAllocated; 883 State = FreeMemAux(C, DE->getArgument(), DE, State, 884 /*Hold*/false, ReleasedAllocated); 885 886 C.addTransition(State); 887 } 888 889 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 890 // If the first selector piece is one of the names below, assume that the 891 // object takes ownership of the memory, promising to eventually deallocate it 892 // with free(). 893 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 894 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 895 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 896 if (FirstSlot == "dataWithBytesNoCopy" || 897 FirstSlot == "initWithBytesNoCopy" || 898 FirstSlot == "initWithCharactersNoCopy") 899 return true; 900 901 return false; 902 } 903 904 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 905 Selector S = Call.getSelector(); 906 907 // FIXME: We should not rely on fully-constrained symbols being folded. 908 for (unsigned i = 1; i < S.getNumArgs(); ++i) 909 if (S.getNameForSlot(i).equals("freeWhenDone")) 910 return !Call.getArgSVal(i).isZeroConstant(); 911 912 return None; 913 } 914 915 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 916 CheckerContext &C) const { 917 if (C.wasInlined) 918 return; 919 920 if (!isKnownDeallocObjCMethodName(Call)) 921 return; 922 923 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 924 if (!*FreeWhenDone) 925 return; 926 927 bool ReleasedAllocatedMemory; 928 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 929 Call.getOriginExpr(), C.getState(), 930 /*Hold=*/true, ReleasedAllocatedMemory, 931 /*RetNullOnFailure=*/true); 932 933 C.addTransition(State); 934 } 935 936 ProgramStateRef 937 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, 938 const OwnershipAttr *Att, 939 ProgramStateRef State) const { 940 if (!State) 941 return nullptr; 942 943 if (Att->getModule() != II_malloc) 944 return nullptr; 945 946 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 947 if (I != E) { 948 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), State); 949 } 950 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State); 951 } 952 953 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 954 const CallExpr *CE, 955 const Expr *SizeEx, SVal Init, 956 ProgramStateRef State, 957 AllocationFamily Family) { 958 if (!State) 959 return nullptr; 960 961 return MallocMemAux(C, CE, State->getSVal(SizeEx, C.getLocationContext()), 962 Init, State, Family); 963 } 964 965 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 966 const CallExpr *CE, 967 SVal Size, SVal Init, 968 ProgramStateRef State, 969 AllocationFamily Family) { 970 if (!State) 971 return nullptr; 972 973 // We expect the malloc functions to return a pointer. 974 if (!Loc::isLocType(CE->getType())) 975 return nullptr; 976 977 // Bind the return value to the symbolic value from the heap region. 978 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 979 // side effects other than what we model here. 980 unsigned Count = C.blockCount(); 981 SValBuilder &svalBuilder = C.getSValBuilder(); 982 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 983 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 984 .castAs<DefinedSVal>(); 985 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 986 987 // Fill the region with the initialization value. 988 State = State->bindDefault(RetVal, Init); 989 990 // Set the region's extent equal to the Size parameter. 991 const SymbolicRegion *R = 992 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 993 if (!R) 994 return nullptr; 995 if (Optional<DefinedOrUnknownSVal> DefinedSize = 996 Size.getAs<DefinedOrUnknownSVal>()) { 997 SValBuilder &svalBuilder = C.getSValBuilder(); 998 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 999 DefinedOrUnknownSVal extentMatchesSize = 1000 svalBuilder.evalEQ(State, Extent, *DefinedSize); 1001 1002 State = State->assume(extentMatchesSize, true); 1003 assert(State); 1004 } 1005 1006 return MallocUpdateRefState(C, CE, State, Family); 1007 } 1008 1009 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 1010 const Expr *E, 1011 ProgramStateRef State, 1012 AllocationFamily Family) { 1013 if (!State) 1014 return nullptr; 1015 1016 // Get the return value. 1017 SVal retVal = State->getSVal(E, C.getLocationContext()); 1018 1019 // We expect the malloc functions to return a pointer. 1020 if (!retVal.getAs<Loc>()) 1021 return nullptr; 1022 1023 SymbolRef Sym = retVal.getAsLocSymbol(); 1024 assert(Sym); 1025 1026 // Set the symbol's state to Allocated. 1027 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 1028 } 1029 1030 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 1031 const CallExpr *CE, 1032 const OwnershipAttr *Att, 1033 ProgramStateRef State) const { 1034 if (!State) 1035 return nullptr; 1036 1037 if (Att->getModule() != II_malloc) 1038 return nullptr; 1039 1040 bool ReleasedAllocated = false; 1041 1042 for (const auto &Arg : Att->args()) { 1043 ProgramStateRef StateI = FreeMemAux(C, CE, State, Arg, 1044 Att->getOwnKind() == OwnershipAttr::Holds, 1045 ReleasedAllocated); 1046 if (StateI) 1047 State = StateI; 1048 } 1049 return State; 1050 } 1051 1052 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1053 const CallExpr *CE, 1054 ProgramStateRef State, 1055 unsigned Num, 1056 bool Hold, 1057 bool &ReleasedAllocated, 1058 bool ReturnsNullOnFailure) const { 1059 if (!State) 1060 return nullptr; 1061 1062 if (CE->getNumArgs() < (Num + 1)) 1063 return nullptr; 1064 1065 return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, 1066 ReleasedAllocated, ReturnsNullOnFailure); 1067 } 1068 1069 /// Checks if the previous call to free on the given symbol failed - if free 1070 /// failed, returns true. Also, returns the corresponding return value symbol. 1071 static bool didPreviousFreeFail(ProgramStateRef State, 1072 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 1073 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 1074 if (Ret) { 1075 assert(*Ret && "We should not store the null return symbol"); 1076 ConstraintManager &CMgr = State->getConstraintManager(); 1077 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 1078 RetStatusSymbol = *Ret; 1079 return FreeFailed.isConstrainedTrue(); 1080 } 1081 return false; 1082 } 1083 1084 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 1085 const Stmt *S) const { 1086 if (!S) 1087 return AF_None; 1088 1089 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1090 const FunctionDecl *FD = C.getCalleeDecl(CE); 1091 1092 if (!FD) 1093 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 1094 1095 ASTContext &Ctx = C.getASTContext(); 1096 1097 if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any)) 1098 return AF_Malloc; 1099 1100 if (isStandardNewDelete(FD, Ctx)) { 1101 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 1102 if (Kind == OO_New || Kind == OO_Delete) 1103 return AF_CXXNew; 1104 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 1105 return AF_CXXNewArray; 1106 } 1107 1108 if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 1109 return AF_IfNameIndex; 1110 1111 if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any)) 1112 return AF_Alloca; 1113 1114 return AF_None; 1115 } 1116 1117 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 1118 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 1119 1120 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 1121 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 1122 1123 if (isa<ObjCMessageExpr>(S)) 1124 return AF_Malloc; 1125 1126 return AF_None; 1127 } 1128 1129 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 1130 const Expr *E) const { 1131 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1132 // FIXME: This doesn't handle indirect calls. 1133 const FunctionDecl *FD = CE->getDirectCallee(); 1134 if (!FD) 1135 return false; 1136 1137 os << *FD; 1138 if (!FD->isOverloadedOperator()) 1139 os << "()"; 1140 return true; 1141 } 1142 1143 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 1144 if (Msg->isInstanceMessage()) 1145 os << "-"; 1146 else 1147 os << "+"; 1148 Msg->getSelector().print(os); 1149 return true; 1150 } 1151 1152 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1153 os << "'" 1154 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 1155 << "'"; 1156 return true; 1157 } 1158 1159 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 1160 os << "'" 1161 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 1162 << "'"; 1163 return true; 1164 } 1165 1166 return false; 1167 } 1168 1169 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 1170 const Expr *E) const { 1171 AllocationFamily Family = getAllocationFamily(C, E); 1172 1173 switch(Family) { 1174 case AF_Malloc: os << "malloc()"; return; 1175 case AF_CXXNew: os << "'new'"; return; 1176 case AF_CXXNewArray: os << "'new[]'"; return; 1177 case AF_IfNameIndex: os << "'if_nameindex()'"; return; 1178 case AF_Alloca: 1179 case AF_None: llvm_unreachable("not a deallocation expression"); 1180 } 1181 } 1182 1183 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 1184 AllocationFamily Family) const { 1185 switch(Family) { 1186 case AF_Malloc: os << "free()"; return; 1187 case AF_CXXNew: os << "'delete'"; return; 1188 case AF_CXXNewArray: os << "'delete[]'"; return; 1189 case AF_IfNameIndex: os << "'if_freenameindex()'"; return; 1190 case AF_Alloca: 1191 case AF_None: llvm_unreachable("suspicious argument"); 1192 } 1193 } 1194 1195 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1196 const Expr *ArgExpr, 1197 const Expr *ParentExpr, 1198 ProgramStateRef State, 1199 bool Hold, 1200 bool &ReleasedAllocated, 1201 bool ReturnsNullOnFailure) const { 1202 1203 if (!State) 1204 return nullptr; 1205 1206 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 1207 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 1208 return nullptr; 1209 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 1210 1211 // Check for null dereferences. 1212 if (!location.getAs<Loc>()) 1213 return nullptr; 1214 1215 // The explicit NULL case, no operation is performed. 1216 ProgramStateRef notNullState, nullState; 1217 std::tie(notNullState, nullState) = State->assume(location); 1218 if (nullState && !notNullState) 1219 return nullptr; 1220 1221 // Unknown values could easily be okay 1222 // Undefined values are handled elsewhere 1223 if (ArgVal.isUnknownOrUndef()) 1224 return nullptr; 1225 1226 const MemRegion *R = ArgVal.getAsRegion(); 1227 1228 // Nonlocs can't be freed, of course. 1229 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 1230 if (!R) { 1231 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1232 return nullptr; 1233 } 1234 1235 R = R->StripCasts(); 1236 1237 // Blocks might show up as heap data, but should not be free()d 1238 if (isa<BlockDataRegion>(R)) { 1239 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1240 return nullptr; 1241 } 1242 1243 const MemSpaceRegion *MS = R->getMemorySpace(); 1244 1245 // Parameters, locals, statics, globals, and memory returned by 1246 // __builtin_alloca() shouldn't be freed. 1247 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1248 // FIXME: at the time this code was written, malloc() regions were 1249 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1250 // This means that there isn't actually anything from HeapSpaceRegion 1251 // that should be freed, even though we allow it here. 1252 // Of course, free() can work on memory allocated outside the current 1253 // function, so UnknownSpaceRegion is always a possibility. 1254 // False negatives are better than false positives. 1255 1256 if (isa<AllocaRegion>(R)) 1257 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1258 else 1259 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1260 1261 return nullptr; 1262 } 1263 1264 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1265 // Various cases could lead to non-symbol values here. 1266 // For now, ignore them. 1267 if (!SrBase) 1268 return nullptr; 1269 1270 SymbolRef SymBase = SrBase->getSymbol(); 1271 const RefState *RsBase = State->get<RegionState>(SymBase); 1272 SymbolRef PreviousRetStatusSymbol = nullptr; 1273 1274 if (RsBase) { 1275 1276 // Memory returned by alloca() shouldn't be freed. 1277 if (RsBase->getAllocationFamily() == AF_Alloca) { 1278 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1279 return nullptr; 1280 } 1281 1282 // Check for double free first. 1283 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1284 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1285 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1286 SymBase, PreviousRetStatusSymbol); 1287 return nullptr; 1288 1289 // If the pointer is allocated or escaped, but we are now trying to free it, 1290 // check that the call to free is proper. 1291 } else if (RsBase->isAllocated() || RsBase->isEscaped()) { 1292 1293 // Check if an expected deallocation function matches the real one. 1294 bool DeallocMatchesAlloc = 1295 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1296 if (!DeallocMatchesAlloc) { 1297 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1298 ParentExpr, RsBase, SymBase, Hold); 1299 return nullptr; 1300 } 1301 1302 // Check if the memory location being freed is the actual location 1303 // allocated, or an offset. 1304 RegionOffset Offset = R->getAsOffset(); 1305 if (Offset.isValid() && 1306 !Offset.hasSymbolicOffset() && 1307 Offset.getOffset() != 0) { 1308 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1309 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1310 AllocExpr); 1311 return nullptr; 1312 } 1313 } 1314 } 1315 1316 ReleasedAllocated = (RsBase != nullptr) && RsBase->isAllocated(); 1317 1318 // Clean out the info on previous call to free return info. 1319 State = State->remove<FreeReturnValue>(SymBase); 1320 1321 // Keep track of the return value. If it is NULL, we will know that free 1322 // failed. 1323 if (ReturnsNullOnFailure) { 1324 SVal RetVal = C.getSVal(ParentExpr); 1325 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1326 if (RetStatusSymbol) { 1327 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1328 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1329 } 1330 } 1331 1332 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() 1333 : getAllocationFamily(C, ParentExpr); 1334 // Normal free. 1335 if (Hold) 1336 return State->set<RegionState>(SymBase, 1337 RefState::getRelinquished(Family, 1338 ParentExpr)); 1339 1340 return State->set<RegionState>(SymBase, 1341 RefState::getReleased(Family, ParentExpr)); 1342 } 1343 1344 Optional<MallocChecker::CheckKind> 1345 MallocChecker::getCheckIfTracked(AllocationFamily Family) const { 1346 switch (Family) { 1347 case AF_Malloc: 1348 case AF_Alloca: 1349 case AF_IfNameIndex: { 1350 if (ChecksEnabled[CK_MallocChecker]) 1351 return CK_MallocChecker; 1352 1353 return Optional<MallocChecker::CheckKind>(); 1354 } 1355 case AF_CXXNew: 1356 case AF_CXXNewArray: { 1357 if (ChecksEnabled[CK_NewDeleteChecker]) { 1358 return CK_NewDeleteChecker; 1359 } 1360 return Optional<MallocChecker::CheckKind>(); 1361 } 1362 case AF_None: { 1363 llvm_unreachable("no family"); 1364 } 1365 } 1366 llvm_unreachable("unhandled family"); 1367 } 1368 1369 Optional<MallocChecker::CheckKind> 1370 MallocChecker::getCheckIfTracked(CheckerContext &C, 1371 const Stmt *AllocDeallocStmt) const { 1372 return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt)); 1373 } 1374 1375 Optional<MallocChecker::CheckKind> 1376 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const { 1377 1378 const RefState *RS = C.getState()->get<RegionState>(Sym); 1379 assert(RS); 1380 return getCheckIfTracked(RS->getAllocationFamily()); 1381 } 1382 1383 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1384 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1385 os << "an integer (" << IntVal->getValue() << ")"; 1386 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1387 os << "a constant address (" << ConstAddr->getValue() << ")"; 1388 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1389 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1390 else 1391 return false; 1392 1393 return true; 1394 } 1395 1396 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1397 const MemRegion *MR) { 1398 switch (MR->getKind()) { 1399 case MemRegion::FunctionTextRegionKind: { 1400 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 1401 if (FD) 1402 os << "the address of the function '" << *FD << '\''; 1403 else 1404 os << "the address of a function"; 1405 return true; 1406 } 1407 case MemRegion::BlockTextRegionKind: 1408 os << "block text"; 1409 return true; 1410 case MemRegion::BlockDataRegionKind: 1411 // FIXME: where the block came from? 1412 os << "a block"; 1413 return true; 1414 default: { 1415 const MemSpaceRegion *MS = MR->getMemorySpace(); 1416 1417 if (isa<StackLocalsSpaceRegion>(MS)) { 1418 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1419 const VarDecl *VD; 1420 if (VR) 1421 VD = VR->getDecl(); 1422 else 1423 VD = nullptr; 1424 1425 if (VD) 1426 os << "the address of the local variable '" << VD->getName() << "'"; 1427 else 1428 os << "the address of a local stack variable"; 1429 return true; 1430 } 1431 1432 if (isa<StackArgumentsSpaceRegion>(MS)) { 1433 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1434 const VarDecl *VD; 1435 if (VR) 1436 VD = VR->getDecl(); 1437 else 1438 VD = nullptr; 1439 1440 if (VD) 1441 os << "the address of the parameter '" << VD->getName() << "'"; 1442 else 1443 os << "the address of a parameter"; 1444 return true; 1445 } 1446 1447 if (isa<GlobalsSpaceRegion>(MS)) { 1448 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1449 const VarDecl *VD; 1450 if (VR) 1451 VD = VR->getDecl(); 1452 else 1453 VD = nullptr; 1454 1455 if (VD) { 1456 if (VD->isStaticLocal()) 1457 os << "the address of the static variable '" << VD->getName() << "'"; 1458 else 1459 os << "the address of the global variable '" << VD->getName() << "'"; 1460 } else 1461 os << "the address of a global variable"; 1462 return true; 1463 } 1464 1465 return false; 1466 } 1467 } 1468 } 1469 1470 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1471 SourceRange Range, 1472 const Expr *DeallocExpr) const { 1473 1474 if (!ChecksEnabled[CK_MallocChecker] && 1475 !ChecksEnabled[CK_NewDeleteChecker]) 1476 return; 1477 1478 Optional<MallocChecker::CheckKind> CheckKind = 1479 getCheckIfTracked(C, DeallocExpr); 1480 if (!CheckKind.hasValue()) 1481 return; 1482 1483 if (ExplodedNode *N = C.generateSink()) { 1484 if (!BT_BadFree[*CheckKind]) 1485 BT_BadFree[*CheckKind].reset( 1486 new BugType(CheckNames[*CheckKind], "Bad free", "Memory Error")); 1487 1488 SmallString<100> buf; 1489 llvm::raw_svector_ostream os(buf); 1490 1491 const MemRegion *MR = ArgVal.getAsRegion(); 1492 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1493 MR = ER->getSuperRegion(); 1494 1495 os << "Argument to "; 1496 if (!printAllocDeallocName(os, C, DeallocExpr)) 1497 os << "deallocator"; 1498 1499 os << " is "; 1500 bool Summarized = MR ? SummarizeRegion(os, MR) 1501 : SummarizeValue(os, ArgVal); 1502 if (Summarized) 1503 os << ", which is not memory allocated by "; 1504 else 1505 os << "not memory allocated by "; 1506 1507 printExpectedAllocName(os, C, DeallocExpr); 1508 1509 BugReport *R = new BugReport(*BT_BadFree[*CheckKind], os.str(), N); 1510 R->markInteresting(MR); 1511 R->addRange(Range); 1512 C.emitReport(R); 1513 } 1514 } 1515 1516 void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 1517 SourceRange Range) const { 1518 1519 Optional<MallocChecker::CheckKind> CheckKind; 1520 1521 if (ChecksEnabled[CK_MallocChecker]) 1522 CheckKind = CK_MallocChecker; 1523 else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1524 CheckKind = CK_MismatchedDeallocatorChecker; 1525 else 1526 return; 1527 1528 if (ExplodedNode *N = C.generateSink()) { 1529 if (!BT_FreeAlloca[*CheckKind]) 1530 BT_FreeAlloca[*CheckKind].reset( 1531 new BugType(CheckNames[*CheckKind], "Free alloca()", "Memory Error")); 1532 1533 BugReport *R = new BugReport(*BT_FreeAlloca[*CheckKind], 1534 "Memory allocated by alloca() should not be deallocated", N); 1535 R->markInteresting(ArgVal.getAsRegion()); 1536 R->addRange(Range); 1537 C.emitReport(R); 1538 } 1539 } 1540 1541 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1542 SourceRange Range, 1543 const Expr *DeallocExpr, 1544 const RefState *RS, 1545 SymbolRef Sym, 1546 bool OwnershipTransferred) const { 1547 1548 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1549 return; 1550 1551 if (ExplodedNode *N = C.generateSink()) { 1552 if (!BT_MismatchedDealloc) 1553 BT_MismatchedDealloc.reset( 1554 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 1555 "Bad deallocator", "Memory Error")); 1556 1557 SmallString<100> buf; 1558 llvm::raw_svector_ostream os(buf); 1559 1560 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1561 SmallString<20> AllocBuf; 1562 llvm::raw_svector_ostream AllocOs(AllocBuf); 1563 SmallString<20> DeallocBuf; 1564 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1565 1566 if (OwnershipTransferred) { 1567 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1568 os << DeallocOs.str() << " cannot"; 1569 else 1570 os << "Cannot"; 1571 1572 os << " take ownership of memory"; 1573 1574 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1575 os << " allocated by " << AllocOs.str(); 1576 } else { 1577 os << "Memory"; 1578 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1579 os << " allocated by " << AllocOs.str(); 1580 1581 os << " should be deallocated by "; 1582 printExpectedDeallocName(os, RS->getAllocationFamily()); 1583 1584 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1585 os << ", not " << DeallocOs.str(); 1586 } 1587 1588 BugReport *R = new BugReport(*BT_MismatchedDealloc, os.str(), N); 1589 R->markInteresting(Sym); 1590 R->addRange(Range); 1591 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1592 C.emitReport(R); 1593 } 1594 } 1595 1596 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1597 SourceRange Range, const Expr *DeallocExpr, 1598 const Expr *AllocExpr) const { 1599 1600 1601 if (!ChecksEnabled[CK_MallocChecker] && 1602 !ChecksEnabled[CK_NewDeleteChecker]) 1603 return; 1604 1605 Optional<MallocChecker::CheckKind> CheckKind = 1606 getCheckIfTracked(C, AllocExpr); 1607 if (!CheckKind.hasValue()) 1608 return; 1609 1610 ExplodedNode *N = C.generateSink(); 1611 if (!N) 1612 return; 1613 1614 if (!BT_OffsetFree[*CheckKind]) 1615 BT_OffsetFree[*CheckKind].reset( 1616 new BugType(CheckNames[*CheckKind], "Offset free", "Memory Error")); 1617 1618 SmallString<100> buf; 1619 llvm::raw_svector_ostream os(buf); 1620 SmallString<20> AllocNameBuf; 1621 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1622 1623 const MemRegion *MR = ArgVal.getAsRegion(); 1624 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1625 1626 RegionOffset Offset = MR->getAsOffset(); 1627 assert((Offset.isValid() && 1628 !Offset.hasSymbolicOffset() && 1629 Offset.getOffset() != 0) && 1630 "Only symbols with a valid offset can have offset free errors"); 1631 1632 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1633 1634 os << "Argument to "; 1635 if (!printAllocDeallocName(os, C, DeallocExpr)) 1636 os << "deallocator"; 1637 os << " is offset by " 1638 << offsetBytes 1639 << " " 1640 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1641 << " from the start of "; 1642 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1643 os << "memory allocated by " << AllocNameOs.str(); 1644 else 1645 os << "allocated memory"; 1646 1647 BugReport *R = new BugReport(*BT_OffsetFree[*CheckKind], os.str(), N); 1648 R->markInteresting(MR->getBaseRegion()); 1649 R->addRange(Range); 1650 C.emitReport(R); 1651 } 1652 1653 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1654 SymbolRef Sym) const { 1655 1656 if (!ChecksEnabled[CK_MallocChecker] && 1657 !ChecksEnabled[CK_NewDeleteChecker]) 1658 return; 1659 1660 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1661 if (!CheckKind.hasValue()) 1662 return; 1663 1664 if (ExplodedNode *N = C.generateSink()) { 1665 if (!BT_UseFree[*CheckKind]) 1666 BT_UseFree[*CheckKind].reset(new BugType( 1667 CheckNames[*CheckKind], "Use-after-free", "Memory Error")); 1668 1669 BugReport *R = new BugReport(*BT_UseFree[*CheckKind], 1670 "Use of memory after it is freed", N); 1671 1672 R->markInteresting(Sym); 1673 R->addRange(Range); 1674 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1675 C.emitReport(R); 1676 } 1677 } 1678 1679 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1680 bool Released, SymbolRef Sym, 1681 SymbolRef PrevSym) const { 1682 1683 if (!ChecksEnabled[CK_MallocChecker] && 1684 !ChecksEnabled[CK_NewDeleteChecker]) 1685 return; 1686 1687 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1688 if (!CheckKind.hasValue()) 1689 return; 1690 1691 if (ExplodedNode *N = C.generateSink()) { 1692 if (!BT_DoubleFree[*CheckKind]) 1693 BT_DoubleFree[*CheckKind].reset( 1694 new BugType(CheckNames[*CheckKind], "Double free", "Memory Error")); 1695 1696 BugReport *R = 1697 new BugReport(*BT_DoubleFree[*CheckKind], 1698 (Released ? "Attempt to free released memory" 1699 : "Attempt to free non-owned memory"), 1700 N); 1701 R->addRange(Range); 1702 R->markInteresting(Sym); 1703 if (PrevSym) 1704 R->markInteresting(PrevSym); 1705 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1706 C.emitReport(R); 1707 } 1708 } 1709 1710 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 1711 1712 if (!ChecksEnabled[CK_NewDeleteChecker]) 1713 return; 1714 1715 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1716 if (!CheckKind.hasValue()) 1717 return; 1718 1719 if (ExplodedNode *N = C.generateSink()) { 1720 if (!BT_DoubleDelete) 1721 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 1722 "Double delete", "Memory Error")); 1723 1724 BugReport *R = new BugReport(*BT_DoubleDelete, 1725 "Attempt to delete released memory", N); 1726 1727 R->markInteresting(Sym); 1728 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1729 C.emitReport(R); 1730 } 1731 } 1732 1733 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 1734 const CallExpr *CE, 1735 bool FreesOnFail, 1736 ProgramStateRef State) const { 1737 if (!State) 1738 return nullptr; 1739 1740 if (CE->getNumArgs() < 2) 1741 return nullptr; 1742 1743 const Expr *arg0Expr = CE->getArg(0); 1744 const LocationContext *LCtx = C.getLocationContext(); 1745 SVal Arg0Val = State->getSVal(arg0Expr, LCtx); 1746 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 1747 return nullptr; 1748 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 1749 1750 SValBuilder &svalBuilder = C.getSValBuilder(); 1751 1752 DefinedOrUnknownSVal PtrEQ = 1753 svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull()); 1754 1755 // Get the size argument. If there is no size arg then give up. 1756 const Expr *Arg1 = CE->getArg(1); 1757 if (!Arg1) 1758 return nullptr; 1759 1760 // Get the value of the size argument. 1761 SVal Arg1ValG = State->getSVal(Arg1, LCtx); 1762 if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) 1763 return nullptr; 1764 DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); 1765 1766 // Compare the size argument to 0. 1767 DefinedOrUnknownSVal SizeZero = 1768 svalBuilder.evalEQ(State, Arg1Val, 1769 svalBuilder.makeIntValWithPtrWidth(0, false)); 1770 1771 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 1772 std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); 1773 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 1774 std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); 1775 // We only assume exceptional states if they are definitely true; if the 1776 // state is under-constrained, assume regular realloc behavior. 1777 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 1778 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 1779 1780 // If the ptr is NULL and the size is not 0, the call is equivalent to 1781 // malloc(size). 1782 if ( PrtIsNull && !SizeIsZero) { 1783 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 1784 UndefinedVal(), StatePtrIsNull); 1785 return stateMalloc; 1786 } 1787 1788 if (PrtIsNull && SizeIsZero) 1789 return nullptr; 1790 1791 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 1792 assert(!PrtIsNull); 1793 SymbolRef FromPtr = arg0Val.getAsSymbol(); 1794 SVal RetVal = State->getSVal(CE, LCtx); 1795 SymbolRef ToPtr = RetVal.getAsSymbol(); 1796 if (!FromPtr || !ToPtr) 1797 return nullptr; 1798 1799 bool ReleasedAllocated = false; 1800 1801 // If the size is 0, free the memory. 1802 if (SizeIsZero) 1803 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 1804 false, ReleasedAllocated)){ 1805 // The semantics of the return value are: 1806 // If size was equal to 0, either NULL or a pointer suitable to be passed 1807 // to free() is returned. We just free the input pointer and do not add 1808 // any constrains on the output pointer. 1809 return stateFree; 1810 } 1811 1812 // Default behavior. 1813 if (ProgramStateRef stateFree = 1814 FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) { 1815 1816 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 1817 UnknownVal(), stateFree); 1818 if (!stateRealloc) 1819 return nullptr; 1820 1821 ReallocPairKind Kind = RPToBeFreedAfterFailure; 1822 if (FreesOnFail) 1823 Kind = RPIsFreeOnFailure; 1824 else if (!ReleasedAllocated) 1825 Kind = RPDoNotTrackAfterFailure; 1826 1827 // Record the info about the reallocated symbol so that we could properly 1828 // process failed reallocation. 1829 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 1830 ReallocPair(FromPtr, Kind)); 1831 // The reallocated symbol should stay alive for as long as the new symbol. 1832 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 1833 return stateRealloc; 1834 } 1835 return nullptr; 1836 } 1837 1838 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE, 1839 ProgramStateRef State) { 1840 if (!State) 1841 return nullptr; 1842 1843 if (CE->getNumArgs() < 2) 1844 return nullptr; 1845 1846 SValBuilder &svalBuilder = C.getSValBuilder(); 1847 const LocationContext *LCtx = C.getLocationContext(); 1848 SVal count = State->getSVal(CE->getArg(0), LCtx); 1849 SVal elementSize = State->getSVal(CE->getArg(1), LCtx); 1850 SVal TotalSize = svalBuilder.evalBinOp(State, BO_Mul, count, elementSize, 1851 svalBuilder.getContext().getSizeType()); 1852 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1853 1854 return MallocMemAux(C, CE, TotalSize, zeroVal, State); 1855 } 1856 1857 LeakInfo 1858 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 1859 CheckerContext &C) const { 1860 const LocationContext *LeakContext = N->getLocationContext(); 1861 // Walk the ExplodedGraph backwards and find the first node that referred to 1862 // the tracked symbol. 1863 const ExplodedNode *AllocNode = N; 1864 const MemRegion *ReferenceRegion = nullptr; 1865 1866 while (N) { 1867 ProgramStateRef State = N->getState(); 1868 if (!State->get<RegionState>(Sym)) 1869 break; 1870 1871 // Find the most recent expression bound to the symbol in the current 1872 // context. 1873 if (!ReferenceRegion) { 1874 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 1875 SVal Val = State->getSVal(MR); 1876 if (Val.getAsLocSymbol() == Sym) { 1877 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); 1878 // Do not show local variables belonging to a function other than 1879 // where the error is reported. 1880 if (!VR || 1881 (VR->getStackFrame() == LeakContext->getCurrentStackFrame())) 1882 ReferenceRegion = MR; 1883 } 1884 } 1885 } 1886 1887 // Allocation node, is the last node in the current or parent context in 1888 // which the symbol was tracked. 1889 const LocationContext *NContext = N->getLocationContext(); 1890 if (NContext == LeakContext || 1891 NContext->isParentOf(LeakContext)) 1892 AllocNode = N; 1893 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 1894 } 1895 1896 return LeakInfo(AllocNode, ReferenceRegion); 1897 } 1898 1899 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1900 CheckerContext &C) const { 1901 1902 if (!ChecksEnabled[CK_MallocChecker] && 1903 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 1904 return; 1905 1906 const RefState *RS = C.getState()->get<RegionState>(Sym); 1907 assert(RS && "cannot leak an untracked symbol"); 1908 AllocationFamily Family = RS->getAllocationFamily(); 1909 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 1910 if (!CheckKind.hasValue()) 1911 return; 1912 1913 // Special case for new and new[]; these are controlled by a separate checker 1914 // flag so that they can be selectively disabled. 1915 if (Family == AF_CXXNew || Family == AF_CXXNewArray) 1916 if (!ChecksEnabled[CK_NewDeleteLeaksChecker]) 1917 return; 1918 1919 if (RS->getAllocationFamily() == AF_Alloca) 1920 return; 1921 1922 assert(N); 1923 if (!BT_Leak[*CheckKind]) { 1924 BT_Leak[*CheckKind].reset( 1925 new BugType(CheckNames[*CheckKind], "Memory leak", "Memory Error")); 1926 // Leaks should not be reported if they are post-dominated by a sink: 1927 // (1) Sinks are higher importance bugs. 1928 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1929 // with __noreturn functions such as assert() or exit(). We choose not 1930 // to report leaks on such paths. 1931 BT_Leak[*CheckKind]->setSuppressOnSink(true); 1932 } 1933 1934 // Most bug reports are cached at the location where they occurred. 1935 // With leaks, we want to unique them by the location where they were 1936 // allocated, and only report a single path. 1937 PathDiagnosticLocation LocUsedForUniqueing; 1938 const ExplodedNode *AllocNode = nullptr; 1939 const MemRegion *Region = nullptr; 1940 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 1941 1942 ProgramPoint P = AllocNode->getLocation(); 1943 const Stmt *AllocationStmt = nullptr; 1944 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 1945 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1946 else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) 1947 AllocationStmt = SP->getStmt(); 1948 if (AllocationStmt) 1949 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 1950 C.getSourceManager(), 1951 AllocNode->getLocationContext()); 1952 1953 SmallString<200> buf; 1954 llvm::raw_svector_ostream os(buf); 1955 if (Region && Region->canPrintPretty()) { 1956 os << "Potential leak of memory pointed to by "; 1957 Region->printPretty(os); 1958 } else { 1959 os << "Potential memory leak"; 1960 } 1961 1962 BugReport *R = 1963 new BugReport(*BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 1964 AllocNode->getLocationContext()->getDecl()); 1965 R->markInteresting(Sym); 1966 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true)); 1967 C.emitReport(R); 1968 } 1969 1970 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1971 CheckerContext &C) const 1972 { 1973 if (!SymReaper.hasDeadSymbols()) 1974 return; 1975 1976 ProgramStateRef state = C.getState(); 1977 RegionStateTy RS = state->get<RegionState>(); 1978 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1979 1980 SmallVector<SymbolRef, 2> Errors; 1981 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1982 if (SymReaper.isDead(I->first)) { 1983 if (I->second.isAllocated()) 1984 Errors.push_back(I->first); 1985 // Remove the dead symbol from the map. 1986 RS = F.remove(RS, I->first); 1987 1988 } 1989 } 1990 1991 // Cleanup the Realloc Pairs Map. 1992 ReallocPairsTy RP = state->get<ReallocPairs>(); 1993 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1994 if (SymReaper.isDead(I->first) || 1995 SymReaper.isDead(I->second.ReallocatedSym)) { 1996 state = state->remove<ReallocPairs>(I->first); 1997 } 1998 } 1999 2000 // Cleanup the FreeReturnValue Map. 2001 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 2002 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 2003 if (SymReaper.isDead(I->first) || 2004 SymReaper.isDead(I->second)) { 2005 state = state->remove<FreeReturnValue>(I->first); 2006 } 2007 } 2008 2009 // Generate leak node. 2010 ExplodedNode *N = C.getPredecessor(); 2011 if (!Errors.empty()) { 2012 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 2013 N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 2014 for (SmallVectorImpl<SymbolRef>::iterator 2015 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 2016 reportLeak(*I, N, C); 2017 } 2018 } 2019 2020 C.addTransition(state->set<RegionState>(RS), N); 2021 } 2022 2023 void MallocChecker::checkPreCall(const CallEvent &Call, 2024 CheckerContext &C) const { 2025 2026 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { 2027 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 2028 if (!Sym || checkDoubleDelete(Sym, C)) 2029 return; 2030 } 2031 2032 // We will check for double free in the post visit. 2033 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 2034 const FunctionDecl *FD = FC->getDecl(); 2035 if (!FD) 2036 return; 2037 2038 ASTContext &Ctx = C.getASTContext(); 2039 if (ChecksEnabled[CK_MallocChecker] && 2040 (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) || 2041 isCMemFunction(FD, Ctx, AF_IfNameIndex, 2042 MemoryOperationKind::MOK_Free))) 2043 return; 2044 2045 if (ChecksEnabled[CK_NewDeleteChecker] && 2046 isStandardNewDelete(FD, Ctx)) 2047 return; 2048 } 2049 2050 // Check if the callee of a method is deleted. 2051 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 2052 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 2053 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 2054 return; 2055 } 2056 2057 // Check arguments for being used after free. 2058 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 2059 SVal ArgSVal = Call.getArgSVal(I); 2060 if (ArgSVal.getAs<Loc>()) { 2061 SymbolRef Sym = ArgSVal.getAsSymbol(); 2062 if (!Sym) 2063 continue; 2064 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 2065 return; 2066 } 2067 } 2068 } 2069 2070 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 2071 const Expr *E = S->getRetValue(); 2072 if (!E) 2073 return; 2074 2075 // Check if we are returning a symbol. 2076 ProgramStateRef State = C.getState(); 2077 SVal RetVal = State->getSVal(E, C.getLocationContext()); 2078 SymbolRef Sym = RetVal.getAsSymbol(); 2079 if (!Sym) 2080 // If we are returning a field of the allocated struct or an array element, 2081 // the callee could still free the memory. 2082 // TODO: This logic should be a part of generic symbol escape callback. 2083 if (const MemRegion *MR = RetVal.getAsRegion()) 2084 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 2085 if (const SymbolicRegion *BMR = 2086 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 2087 Sym = BMR->getSymbol(); 2088 2089 // Check if we are returning freed memory. 2090 if (Sym) 2091 checkUseAfterFree(Sym, C, E); 2092 } 2093 2094 // TODO: Blocks should be either inlined or should call invalidate regions 2095 // upon invocation. After that's in place, special casing here will not be 2096 // needed. 2097 void MallocChecker::checkPostStmt(const BlockExpr *BE, 2098 CheckerContext &C) const { 2099 2100 // Scan the BlockDecRefExprs for any object the retain count checker 2101 // may be tracking. 2102 if (!BE->getBlockDecl()->hasCaptures()) 2103 return; 2104 2105 ProgramStateRef state = C.getState(); 2106 const BlockDataRegion *R = 2107 cast<BlockDataRegion>(state->getSVal(BE, 2108 C.getLocationContext()).getAsRegion()); 2109 2110 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2111 E = R->referenced_vars_end(); 2112 2113 if (I == E) 2114 return; 2115 2116 SmallVector<const MemRegion*, 10> Regions; 2117 const LocationContext *LC = C.getLocationContext(); 2118 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2119 2120 for ( ; I != E; ++I) { 2121 const VarRegion *VR = I.getCapturedRegion(); 2122 if (VR->getSuperRegion() == R) { 2123 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2124 } 2125 Regions.push_back(VR); 2126 } 2127 2128 state = 2129 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 2130 Regions.data() + Regions.size()).getState(); 2131 C.addTransition(state); 2132 } 2133 2134 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 2135 assert(Sym); 2136 const RefState *RS = C.getState()->get<RegionState>(Sym); 2137 return (RS && RS->isReleased()); 2138 } 2139 2140 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 2141 const Stmt *S) const { 2142 2143 if (isReleased(Sym, C)) { 2144 ReportUseAfterFree(C, S->getSourceRange(), Sym); 2145 return true; 2146 } 2147 2148 return false; 2149 } 2150 2151 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 2152 2153 if (isReleased(Sym, C)) { 2154 ReportDoubleDelete(C, Sym); 2155 return true; 2156 } 2157 return false; 2158 } 2159 2160 // Check if the location is a freed symbolic region. 2161 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 2162 CheckerContext &C) const { 2163 SymbolRef Sym = l.getLocSymbolInBase(); 2164 if (Sym) 2165 checkUseAfterFree(Sym, C, S); 2166 } 2167 2168 // If a symbolic region is assumed to NULL (or another constant), stop tracking 2169 // it - assuming that allocation failed on this path. 2170 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 2171 SVal Cond, 2172 bool Assumption) const { 2173 RegionStateTy RS = state->get<RegionState>(); 2174 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2175 // If the symbol is assumed to be NULL, remove it from consideration. 2176 ConstraintManager &CMgr = state->getConstraintManager(); 2177 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2178 if (AllocFailed.isConstrainedTrue()) 2179 state = state->remove<RegionState>(I.getKey()); 2180 } 2181 2182 // Realloc returns 0 when reallocation fails, which means that we should 2183 // restore the state of the pointer being reallocated. 2184 ReallocPairsTy RP = state->get<ReallocPairs>(); 2185 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2186 // If the symbol is assumed to be NULL, remove it from consideration. 2187 ConstraintManager &CMgr = state->getConstraintManager(); 2188 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2189 if (!AllocFailed.isConstrainedTrue()) 2190 continue; 2191 2192 SymbolRef ReallocSym = I.getData().ReallocatedSym; 2193 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 2194 if (RS->isReleased()) { 2195 if (I.getData().Kind == RPToBeFreedAfterFailure) 2196 state = state->set<RegionState>(ReallocSym, 2197 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 2198 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 2199 state = state->remove<RegionState>(ReallocSym); 2200 else 2201 assert(I.getData().Kind == RPIsFreeOnFailure); 2202 } 2203 } 2204 state = state->remove<ReallocPairs>(I.getKey()); 2205 } 2206 2207 return state; 2208 } 2209 2210 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 2211 const CallEvent *Call, 2212 ProgramStateRef State, 2213 SymbolRef &EscapingSymbol) const { 2214 assert(Call); 2215 EscapingSymbol = nullptr; 2216 2217 // For now, assume that any C++ or block call can free memory. 2218 // TODO: If we want to be more optimistic here, we'll need to make sure that 2219 // regions escape to C++ containers. They seem to do that even now, but for 2220 // mysterious reasons. 2221 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 2222 return true; 2223 2224 // Check Objective-C messages by selector name. 2225 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 2226 // If it's not a framework call, or if it takes a callback, assume it 2227 // can free memory. 2228 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 2229 return true; 2230 2231 // If it's a method we know about, handle it explicitly post-call. 2232 // This should happen before the "freeWhenDone" check below. 2233 if (isKnownDeallocObjCMethodName(*Msg)) 2234 return false; 2235 2236 // If there's a "freeWhenDone" parameter, but the method isn't one we know 2237 // about, we can't be sure that the object will use free() to deallocate the 2238 // memory, so we can't model it explicitly. The best we can do is use it to 2239 // decide whether the pointer escapes. 2240 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 2241 return *FreeWhenDone; 2242 2243 // If the first selector piece ends with "NoCopy", and there is no 2244 // "freeWhenDone" parameter set to zero, we know ownership is being 2245 // transferred. Again, though, we can't be sure that the object will use 2246 // free() to deallocate the memory, so we can't model it explicitly. 2247 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 2248 if (FirstSlot.endswith("NoCopy")) 2249 return true; 2250 2251 // If the first selector starts with addPointer, insertPointer, 2252 // or replacePointer, assume we are dealing with NSPointerArray or similar. 2253 // This is similar to C++ containers (vector); we still might want to check 2254 // that the pointers get freed by following the container itself. 2255 if (FirstSlot.startswith("addPointer") || 2256 FirstSlot.startswith("insertPointer") || 2257 FirstSlot.startswith("replacePointer") || 2258 FirstSlot.equals("valueWithPointer")) { 2259 return true; 2260 } 2261 2262 // We should escape receiver on call to 'init'. This is especially relevant 2263 // to the receiver, as the corresponding symbol is usually not referenced 2264 // after the call. 2265 if (Msg->getMethodFamily() == OMF_init) { 2266 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 2267 return true; 2268 } 2269 2270 // Otherwise, assume that the method does not free memory. 2271 // Most framework methods do not free memory. 2272 return false; 2273 } 2274 2275 // At this point the only thing left to handle is straight function calls. 2276 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 2277 if (!FD) 2278 return true; 2279 2280 ASTContext &ASTC = State->getStateManager().getContext(); 2281 2282 // If it's one of the allocation functions we can reason about, we model 2283 // its behavior explicitly. 2284 if (isMemFunction(FD, ASTC)) 2285 return false; 2286 2287 // If it's not a system call, assume it frees memory. 2288 if (!Call->isInSystemHeader()) 2289 return true; 2290 2291 // White list the system functions whose arguments escape. 2292 const IdentifierInfo *II = FD->getIdentifier(); 2293 if (!II) 2294 return true; 2295 StringRef FName = II->getName(); 2296 2297 // White list the 'XXXNoCopy' CoreFoundation functions. 2298 // We specifically check these before 2299 if (FName.endswith("NoCopy")) { 2300 // Look for the deallocator argument. We know that the memory ownership 2301 // is not transferred only if the deallocator argument is 2302 // 'kCFAllocatorNull'. 2303 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 2304 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 2305 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 2306 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 2307 if (DeallocatorName == "kCFAllocatorNull") 2308 return false; 2309 } 2310 } 2311 return true; 2312 } 2313 2314 // Associating streams with malloced buffers. The pointer can escape if 2315 // 'closefn' is specified (and if that function does free memory), 2316 // but it will not if closefn is not specified. 2317 // Currently, we do not inspect the 'closefn' function (PR12101). 2318 if (FName == "funopen") 2319 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 2320 return false; 2321 2322 // Do not warn on pointers passed to 'setbuf' when used with std streams, 2323 // these leaks might be intentional when setting the buffer for stdio. 2324 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 2325 if (FName == "setbuf" || FName =="setbuffer" || 2326 FName == "setlinebuf" || FName == "setvbuf") { 2327 if (Call->getNumArgs() >= 1) { 2328 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 2329 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 2330 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 2331 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 2332 return true; 2333 } 2334 } 2335 2336 // A bunch of other functions which either take ownership of a pointer or 2337 // wrap the result up in a struct or object, meaning it can be freed later. 2338 // (See RetainCountChecker.) Not all the parameters here are invalidated, 2339 // but the Malloc checker cannot differentiate between them. The right way 2340 // of doing this would be to implement a pointer escapes callback. 2341 if (FName == "CGBitmapContextCreate" || 2342 FName == "CGBitmapContextCreateWithData" || 2343 FName == "CVPixelBufferCreateWithBytes" || 2344 FName == "CVPixelBufferCreateWithPlanarBytes" || 2345 FName == "OSAtomicEnqueue") { 2346 return true; 2347 } 2348 2349 // Handle cases where we know a buffer's /address/ can escape. 2350 // Note that the above checks handle some special cases where we know that 2351 // even though the address escapes, it's still our responsibility to free the 2352 // buffer. 2353 if (Call->argumentsMayEscape()) 2354 return true; 2355 2356 // Otherwise, assume that the function does not free memory. 2357 // Most system calls do not free the memory. 2358 return false; 2359 } 2360 2361 static bool retTrue(const RefState *RS) { 2362 return true; 2363 } 2364 2365 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2366 return (RS->getAllocationFamily() == AF_CXXNewArray || 2367 RS->getAllocationFamily() == AF_CXXNew); 2368 } 2369 2370 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2371 const InvalidatedSymbols &Escaped, 2372 const CallEvent *Call, 2373 PointerEscapeKind Kind) const { 2374 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 2375 } 2376 2377 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2378 const InvalidatedSymbols &Escaped, 2379 const CallEvent *Call, 2380 PointerEscapeKind Kind) const { 2381 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2382 &checkIfNewOrNewArrayFamily); 2383 } 2384 2385 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 2386 const InvalidatedSymbols &Escaped, 2387 const CallEvent *Call, 2388 PointerEscapeKind Kind, 2389 bool(*CheckRefState)(const RefState*)) const { 2390 // If we know that the call does not free memory, or we want to process the 2391 // call later, keep tracking the top level arguments. 2392 SymbolRef EscapingSymbol = nullptr; 2393 if (Kind == PSK_DirectEscapeOnCall && 2394 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 2395 EscapingSymbol) && 2396 !EscapingSymbol) { 2397 return State; 2398 } 2399 2400 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 2401 E = Escaped.end(); 2402 I != E; ++I) { 2403 SymbolRef sym = *I; 2404 2405 if (EscapingSymbol && EscapingSymbol != sym) 2406 continue; 2407 2408 if (const RefState *RS = State->get<RegionState>(sym)) { 2409 if (RS->isAllocated() && CheckRefState(RS)) { 2410 State = State->remove<RegionState>(sym); 2411 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 2412 } 2413 } 2414 } 2415 return State; 2416 } 2417 2418 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2419 ProgramStateRef prevState) { 2420 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2421 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2422 2423 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2424 I != E; ++I) { 2425 SymbolRef sym = I.getKey(); 2426 if (!currMap.lookup(sym)) 2427 return sym; 2428 } 2429 2430 return nullptr; 2431 } 2432 2433 PathDiagnosticPiece * 2434 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 2435 const ExplodedNode *PrevN, 2436 BugReporterContext &BRC, 2437 BugReport &BR) { 2438 ProgramStateRef state = N->getState(); 2439 ProgramStateRef statePrev = PrevN->getState(); 2440 2441 const RefState *RS = state->get<RegionState>(Sym); 2442 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2443 if (!RS) 2444 return nullptr; 2445 2446 const Stmt *S = nullptr; 2447 const char *Msg = nullptr; 2448 StackHintGeneratorForSymbol *StackHint = nullptr; 2449 2450 // Retrieve the associated statement. 2451 ProgramPoint ProgLoc = N->getLocation(); 2452 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) { 2453 S = SP->getStmt(); 2454 } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) { 2455 S = Exit->getCalleeContext()->getCallSite(); 2456 } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) { 2457 // If an assumption was made on a branch, it should be caught 2458 // here by looking at the state transition. 2459 S = Edge->getSrc()->getTerminator(); 2460 } 2461 2462 if (!S) 2463 return nullptr; 2464 2465 // FIXME: We will eventually need to handle non-statement-based events 2466 // (__attribute__((cleanup))). 2467 2468 // Find out if this is an interesting point and what is the kind. 2469 if (Mode == Normal) { 2470 if (isAllocated(RS, RSPrev, S)) { 2471 Msg = "Memory is allocated"; 2472 StackHint = new StackHintGeneratorForSymbol(Sym, 2473 "Returned allocated memory"); 2474 } else if (isReleased(RS, RSPrev, S)) { 2475 Msg = "Memory is released"; 2476 StackHint = new StackHintGeneratorForSymbol(Sym, 2477 "Returning; memory was released"); 2478 } else if (isRelinquished(RS, RSPrev, S)) { 2479 Msg = "Memory ownership is transferred"; 2480 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 2481 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 2482 Mode = ReallocationFailed; 2483 Msg = "Reallocation failed"; 2484 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 2485 "Reallocation failed"); 2486 2487 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2488 // Is it possible to fail two reallocs WITHOUT testing in between? 2489 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2490 "We only support one failed realloc at a time."); 2491 BR.markInteresting(sym); 2492 FailedReallocSymbol = sym; 2493 } 2494 } 2495 2496 // We are in a special mode if a reallocation failed later in the path. 2497 } else if (Mode == ReallocationFailed) { 2498 assert(FailedReallocSymbol && "No symbol to look for."); 2499 2500 // Is this is the first appearance of the reallocated symbol? 2501 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2502 // We're at the reallocation point. 2503 Msg = "Attempt to reallocate memory"; 2504 StackHint = new StackHintGeneratorForSymbol(Sym, 2505 "Returned reallocated memory"); 2506 FailedReallocSymbol = nullptr; 2507 Mode = Normal; 2508 } 2509 } 2510 2511 if (!Msg) 2512 return nullptr; 2513 assert(StackHint); 2514 2515 // Generate the extra diagnostic. 2516 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2517 N->getLocationContext()); 2518 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 2519 } 2520 2521 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2522 const char *NL, const char *Sep) const { 2523 2524 RegionStateTy RS = State->get<RegionState>(); 2525 2526 if (!RS.isEmpty()) { 2527 Out << Sep << "MallocChecker :" << NL; 2528 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2529 const RefState *RefS = State->get<RegionState>(I.getKey()); 2530 AllocationFamily Family = RefS->getAllocationFamily(); 2531 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2532 2533 I.getKey()->dumpToStream(Out); 2534 Out << " : "; 2535 I.getData().dump(Out); 2536 if (CheckKind.hasValue()) 2537 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 2538 Out << NL; 2539 } 2540 } 2541 } 2542 2543 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) { 2544 registerCStringCheckerBasic(mgr); 2545 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); 2546 checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption( 2547 "Optimistic", false, checker); 2548 checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true; 2549 checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] = 2550 mgr.getCurrentCheckName(); 2551 // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete 2552 // checker. 2553 if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker]) 2554 checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true; 2555 } 2556 2557 #define REGISTER_CHECKER(name) \ 2558 void ento::register##name(CheckerManager &mgr) { \ 2559 registerCStringCheckerBasic(mgr); \ 2560 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \ 2561 checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption( \ 2562 "Optimistic", false, checker); \ 2563 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 2564 checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \ 2565 } 2566 2567 REGISTER_CHECKER(MallocChecker) 2568 REGISTER_CHECKER(NewDeleteChecker) 2569 REGISTER_CHECKER(MismatchedDeallocatorChecker) 2570