1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/AST/ParentMap.h" 19 #include "clang/Basic/SourceManager.h" 20 #include "clang/Basic/TargetInfo.h" 21 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 22 #include "clang/StaticAnalyzer/Core/Checker.h" 23 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 27 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 28 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 29 #include "llvm/ADT/STLExtras.h" 30 #include "llvm/ADT/SmallString.h" 31 #include "llvm/ADT/StringExtras.h" 32 #include <climits> 33 #include <utility> 34 35 using namespace clang; 36 using namespace ento; 37 38 namespace { 39 40 // Used to check correspondence between allocators and deallocators. 41 enum AllocationFamily { 42 AF_None, 43 AF_Malloc, 44 AF_CXXNew, 45 AF_CXXNewArray, 46 AF_IfNameIndex, 47 AF_Alloca 48 }; 49 50 class RefState { 51 enum Kind { // Reference to allocated memory. 52 Allocated, 53 // Reference to zero-allocated memory. 54 AllocatedOfSizeZero, 55 // Reference to released/freed memory. 56 Released, 57 // The responsibility for freeing resources has transferred from 58 // this reference. A relinquished symbol should not be freed. 59 Relinquished, 60 // We are no longer guaranteed to have observed all manipulations 61 // of this pointer/memory. For example, it could have been 62 // passed as a parameter to an opaque function. 63 Escaped 64 }; 65 66 const Stmt *S; 67 unsigned K : 3; // Kind enum, but stored as a bitfield. 68 unsigned Family : 29; // Rest of 32-bit word, currently just an allocation 69 // family. 70 71 RefState(Kind k, const Stmt *s, unsigned family) 72 : S(s), K(k), Family(family) { 73 assert(family != AF_None); 74 } 75 public: 76 bool isAllocated() const { return K == Allocated; } 77 bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; } 78 bool isReleased() const { return K == Released; } 79 bool isRelinquished() const { return K == Relinquished; } 80 bool isEscaped() const { return K == Escaped; } 81 AllocationFamily getAllocationFamily() const { 82 return (AllocationFamily)Family; 83 } 84 const Stmt *getStmt() const { return S; } 85 86 bool operator==(const RefState &X) const { 87 return K == X.K && S == X.S && Family == X.Family; 88 } 89 90 static RefState getAllocated(unsigned family, const Stmt *s) { 91 return RefState(Allocated, s, family); 92 } 93 static RefState getAllocatedOfSizeZero(const RefState *RS) { 94 return RefState(AllocatedOfSizeZero, RS->getStmt(), 95 RS->getAllocationFamily()); 96 } 97 static RefState getReleased(unsigned family, const Stmt *s) { 98 return RefState(Released, s, family); 99 } 100 static RefState getRelinquished(unsigned family, const Stmt *s) { 101 return RefState(Relinquished, s, family); 102 } 103 static RefState getEscaped(const RefState *RS) { 104 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 105 } 106 107 void Profile(llvm::FoldingSetNodeID &ID) const { 108 ID.AddInteger(K); 109 ID.AddPointer(S); 110 ID.AddInteger(Family); 111 } 112 113 void dump(raw_ostream &OS) const { 114 switch (static_cast<Kind>(K)) { 115 #define CASE(ID) case ID: OS << #ID; break; 116 CASE(Allocated) 117 CASE(AllocatedOfSizeZero) 118 CASE(Released) 119 CASE(Relinquished) 120 CASE(Escaped) 121 } 122 } 123 124 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 125 }; 126 127 enum ReallocPairKind { 128 RPToBeFreedAfterFailure, 129 // The symbol has been freed when reallocation failed. 130 RPIsFreeOnFailure, 131 // The symbol does not need to be freed after reallocation fails. 132 RPDoNotTrackAfterFailure 133 }; 134 135 /// \class ReallocPair 136 /// \brief Stores information about the symbol being reallocated by a call to 137 /// 'realloc' to allow modeling failed reallocation later in the path. 138 struct ReallocPair { 139 // \brief The symbol which realloc reallocated. 140 SymbolRef ReallocatedSym; 141 ReallocPairKind Kind; 142 143 ReallocPair(SymbolRef S, ReallocPairKind K) : 144 ReallocatedSym(S), Kind(K) {} 145 void Profile(llvm::FoldingSetNodeID &ID) const { 146 ID.AddInteger(Kind); 147 ID.AddPointer(ReallocatedSym); 148 } 149 bool operator==(const ReallocPair &X) const { 150 return ReallocatedSym == X.ReallocatedSym && 151 Kind == X.Kind; 152 } 153 }; 154 155 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 156 157 class MallocChecker : public Checker<check::DeadSymbols, 158 check::PointerEscape, 159 check::ConstPointerEscape, 160 check::PreStmt<ReturnStmt>, 161 check::PreCall, 162 check::PostStmt<CallExpr>, 163 check::PostStmt<CXXNewExpr>, 164 check::PreStmt<CXXDeleteExpr>, 165 check::PostStmt<BlockExpr>, 166 check::PostObjCMessage, 167 check::Location, 168 eval::Assume> 169 { 170 public: 171 MallocChecker() 172 : II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr), 173 II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr), 174 II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr), 175 II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr), 176 II_if_nameindex(nullptr), II_if_freenameindex(nullptr), 177 II_wcsdup(nullptr), II_win_wcsdup(nullptr) {} 178 179 /// In pessimistic mode, the checker assumes that it does not know which 180 /// functions might free the memory. 181 enum CheckKind { 182 CK_MallocChecker, 183 CK_NewDeleteChecker, 184 CK_NewDeleteLeaksChecker, 185 CK_MismatchedDeallocatorChecker, 186 CK_NumCheckKinds 187 }; 188 189 enum class MemoryOperationKind { 190 MOK_Allocate, 191 MOK_Free, 192 MOK_Any 193 }; 194 195 DefaultBool IsOptimistic; 196 197 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 198 CheckName CheckNames[CK_NumCheckKinds]; 199 200 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 201 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 202 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 203 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 204 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 205 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 206 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 207 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 208 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 209 bool Assumption) const; 210 void checkLocation(SVal l, bool isLoad, const Stmt *S, 211 CheckerContext &C) const; 212 213 ProgramStateRef checkPointerEscape(ProgramStateRef State, 214 const InvalidatedSymbols &Escaped, 215 const CallEvent *Call, 216 PointerEscapeKind Kind) const; 217 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 218 const InvalidatedSymbols &Escaped, 219 const CallEvent *Call, 220 PointerEscapeKind Kind) const; 221 222 void printState(raw_ostream &Out, ProgramStateRef State, 223 const char *NL, const char *Sep) const override; 224 225 private: 226 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 227 mutable std::unique_ptr<BugType> BT_DoubleDelete; 228 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; 229 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; 230 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; 231 mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds]; 232 mutable std::unique_ptr<BugType> BT_MismatchedDealloc; 233 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 234 mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds]; 235 mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free, 236 *II_realloc, *II_calloc, *II_valloc, *II_reallocf, 237 *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc, 238 *II_if_nameindex, *II_if_freenameindex, *II_wcsdup, 239 *II_win_wcsdup; 240 mutable Optional<uint64_t> KernelZeroFlagVal; 241 242 void initIdentifierInfo(ASTContext &C) const; 243 244 /// \brief Determine family of a deallocation expression. 245 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 246 247 /// \brief Print names of allocators and deallocators. 248 /// 249 /// \returns true on success. 250 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 251 const Expr *E) const; 252 253 /// \brief Print expected name of an allocator based on the deallocator's 254 /// family derived from the DeallocExpr. 255 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 256 const Expr *DeallocExpr) const; 257 /// \brief Print expected name of a deallocator based on the allocator's 258 /// family. 259 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 260 261 ///@{ 262 /// Check if this is one of the functions which can allocate/reallocate memory 263 /// pointed to by one of its arguments. 264 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 265 bool isCMemFunction(const FunctionDecl *FD, 266 ASTContext &C, 267 AllocationFamily Family, 268 MemoryOperationKind MemKind) const; 269 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 270 ///@} 271 272 /// \brief Perform a zero-allocation check. 273 ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E, 274 const unsigned AllocationSizeArg, 275 ProgramStateRef State) const; 276 277 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 278 const CallExpr *CE, 279 const OwnershipAttr* Att, 280 ProgramStateRef State) const; 281 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 282 const Expr *SizeEx, SVal Init, 283 ProgramStateRef State, 284 AllocationFamily Family = AF_Malloc); 285 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 286 SVal SizeEx, SVal Init, 287 ProgramStateRef State, 288 AllocationFamily Family = AF_Malloc); 289 290 // Check if this malloc() for special flags. At present that means M_ZERO or 291 // __GFP_ZERO (in which case, treat it like calloc). 292 llvm::Optional<ProgramStateRef> 293 performKernelMalloc(const CallExpr *CE, CheckerContext &C, 294 const ProgramStateRef &State) const; 295 296 /// Update the RefState to reflect the new memory allocation. 297 static ProgramStateRef 298 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 299 AllocationFamily Family = AF_Malloc); 300 301 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 302 const OwnershipAttr* Att, 303 ProgramStateRef State) const; 304 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 305 ProgramStateRef state, unsigned Num, 306 bool Hold, 307 bool &ReleasedAllocated, 308 bool ReturnsNullOnFailure = false) const; 309 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 310 const Expr *ParentExpr, 311 ProgramStateRef State, 312 bool Hold, 313 bool &ReleasedAllocated, 314 bool ReturnsNullOnFailure = false) const; 315 316 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 317 bool FreesMemOnFailure, 318 ProgramStateRef State) const; 319 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE, 320 ProgramStateRef State); 321 322 ///\brief Check if the memory associated with this symbol was released. 323 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 324 325 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 326 327 void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 328 const Stmt *S) const; 329 330 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 331 332 /// Check if the function is known free memory, or if it is 333 /// "interesting" and should be modeled explicitly. 334 /// 335 /// \param [out] EscapingSymbol A function might not free memory in general, 336 /// but could be known to free a particular symbol. In this case, false is 337 /// returned and the single escaping symbol is returned through the out 338 /// parameter. 339 /// 340 /// We assume that pointers do not escape through calls to system functions 341 /// not handled by this checker. 342 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 343 ProgramStateRef State, 344 SymbolRef &EscapingSymbol) const; 345 346 // Implementation of the checkPointerEscape callabcks. 347 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 348 const InvalidatedSymbols &Escaped, 349 const CallEvent *Call, 350 PointerEscapeKind Kind, 351 bool(*CheckRefState)(const RefState*)) const; 352 353 ///@{ 354 /// Tells if a given family/call/symbol is tracked by the current checker. 355 /// Sets CheckKind to the kind of the checker responsible for this 356 /// family/call/symbol. 357 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family, 358 bool IsALeakCheck = false) const; 359 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, 360 const Stmt *AllocDeallocStmt, 361 bool IsALeakCheck = false) const; 362 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 363 bool IsALeakCheck = false) const; 364 ///@} 365 static bool SummarizeValue(raw_ostream &os, SVal V); 366 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 367 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 368 const Expr *DeallocExpr) const; 369 void ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 370 SourceRange Range) const; 371 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 372 const Expr *DeallocExpr, const RefState *RS, 373 SymbolRef Sym, bool OwnershipTransferred) const; 374 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 375 const Expr *DeallocExpr, 376 const Expr *AllocExpr = nullptr) const; 377 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 378 SymbolRef Sym) const; 379 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 380 SymbolRef Sym, SymbolRef PrevSym) const; 381 382 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 383 384 void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range, 385 SymbolRef Sym) const; 386 387 /// Find the location of the allocation for Sym on the path leading to the 388 /// exploded node N. 389 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 390 CheckerContext &C) const; 391 392 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 393 394 /// The bug visitor which allows us to print extra diagnostics along the 395 /// BugReport path. For example, showing the allocation site of the leaked 396 /// region. 397 class MallocBugVisitor final 398 : public BugReporterVisitorImpl<MallocBugVisitor> { 399 protected: 400 enum NotificationMode { 401 Normal, 402 ReallocationFailed 403 }; 404 405 // The allocated region symbol tracked by the main analysis. 406 SymbolRef Sym; 407 408 // The mode we are in, i.e. what kind of diagnostics will be emitted. 409 NotificationMode Mode; 410 411 // A symbol from when the primary region should have been reallocated. 412 SymbolRef FailedReallocSymbol; 413 414 bool IsLeak; 415 416 public: 417 MallocBugVisitor(SymbolRef S, bool isLeak = false) 418 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), IsLeak(isLeak) {} 419 420 void Profile(llvm::FoldingSetNodeID &ID) const override { 421 static int X = 0; 422 ID.AddPointer(&X); 423 ID.AddPointer(Sym); 424 } 425 426 inline bool isAllocated(const RefState *S, const RefState *SPrev, 427 const Stmt *Stmt) { 428 // Did not track -> allocated. Other state (released) -> allocated. 429 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 430 (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) && 431 (!SPrev || !(SPrev->isAllocated() || 432 SPrev->isAllocatedOfSizeZero()))); 433 } 434 435 inline bool isReleased(const RefState *S, const RefState *SPrev, 436 const Stmt *Stmt) { 437 // Did not track -> released. Other state (allocated) -> released. 438 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 439 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 440 } 441 442 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 443 const Stmt *Stmt) { 444 // Did not track -> relinquished. Other state (allocated) -> relinquished. 445 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 446 isa<ObjCPropertyRefExpr>(Stmt)) && 447 (S && S->isRelinquished()) && 448 (!SPrev || !SPrev->isRelinquished())); 449 } 450 451 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 452 const Stmt *Stmt) { 453 // If the expression is not a call, and the state change is 454 // released -> allocated, it must be the realloc return value 455 // check. If we have to handle more cases here, it might be cleaner just 456 // to track this extra bit in the state itself. 457 return ((!Stmt || !isa<CallExpr>(Stmt)) && 458 (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) && 459 (SPrev && !(SPrev->isAllocated() || 460 SPrev->isAllocatedOfSizeZero()))); 461 } 462 463 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 464 const ExplodedNode *PrevN, 465 BugReporterContext &BRC, 466 BugReport &BR) override; 467 468 std::unique_ptr<PathDiagnosticPiece> 469 getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode, 470 BugReport &BR) override { 471 if (!IsLeak) 472 return nullptr; 473 474 PathDiagnosticLocation L = 475 PathDiagnosticLocation::createEndOfPath(EndPathNode, 476 BRC.getSourceManager()); 477 // Do not add the statement itself as a range in case of leak. 478 return llvm::make_unique<PathDiagnosticEventPiece>(L, BR.getDescription(), 479 false); 480 } 481 482 private: 483 class StackHintGeneratorForReallocationFailed 484 : public StackHintGeneratorForSymbol { 485 public: 486 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 487 : StackHintGeneratorForSymbol(S, M) {} 488 489 std::string getMessageForArg(const Expr *ArgE, 490 unsigned ArgIndex) override { 491 // Printed parameters start at 1, not 0. 492 ++ArgIndex; 493 494 SmallString<200> buf; 495 llvm::raw_svector_ostream os(buf); 496 497 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 498 << " parameter failed"; 499 500 return os.str(); 501 } 502 503 std::string getMessageForReturn(const CallExpr *CallExpr) override { 504 return "Reallocation of returned value failed"; 505 } 506 }; 507 }; 508 }; 509 } // end anonymous namespace 510 511 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 512 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 513 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef) 514 515 // A map from the freed symbol to the symbol representing the return value of 516 // the free function. 517 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 518 519 namespace { 520 class StopTrackingCallback final : public SymbolVisitor { 521 ProgramStateRef state; 522 public: 523 StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {} 524 ProgramStateRef getState() const { return state; } 525 526 bool VisitSymbol(SymbolRef sym) override { 527 state = state->remove<RegionState>(sym); 528 return true; 529 } 530 }; 531 } // end anonymous namespace 532 533 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 534 if (II_malloc) 535 return; 536 II_alloca = &Ctx.Idents.get("alloca"); 537 II_malloc = &Ctx.Idents.get("malloc"); 538 II_free = &Ctx.Idents.get("free"); 539 II_realloc = &Ctx.Idents.get("realloc"); 540 II_reallocf = &Ctx.Idents.get("reallocf"); 541 II_calloc = &Ctx.Idents.get("calloc"); 542 II_valloc = &Ctx.Idents.get("valloc"); 543 II_strdup = &Ctx.Idents.get("strdup"); 544 II_strndup = &Ctx.Idents.get("strndup"); 545 II_wcsdup = &Ctx.Idents.get("wcsdup"); 546 II_kmalloc = &Ctx.Idents.get("kmalloc"); 547 II_if_nameindex = &Ctx.Idents.get("if_nameindex"); 548 II_if_freenameindex = &Ctx.Idents.get("if_freenameindex"); 549 550 //MSVC uses `_`-prefixed instead, so we check for them too. 551 II_win_strdup = &Ctx.Idents.get("_strdup"); 552 II_win_wcsdup = &Ctx.Idents.get("_wcsdup"); 553 II_win_alloca = &Ctx.Idents.get("_alloca"); 554 } 555 556 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 557 if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any)) 558 return true; 559 560 if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 561 return true; 562 563 if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any)) 564 return true; 565 566 if (isStandardNewDelete(FD, C)) 567 return true; 568 569 return false; 570 } 571 572 bool MallocChecker::isCMemFunction(const FunctionDecl *FD, 573 ASTContext &C, 574 AllocationFamily Family, 575 MemoryOperationKind MemKind) const { 576 if (!FD) 577 return false; 578 579 bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any || 580 MemKind == MemoryOperationKind::MOK_Free); 581 bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any || 582 MemKind == MemoryOperationKind::MOK_Allocate); 583 584 if (FD->getKind() == Decl::Function) { 585 const IdentifierInfo *FunI = FD->getIdentifier(); 586 initIdentifierInfo(C); 587 588 if (Family == AF_Malloc && CheckFree) { 589 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 590 return true; 591 } 592 593 if (Family == AF_Malloc && CheckAlloc) { 594 if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf || 595 FunI == II_calloc || FunI == II_valloc || FunI == II_strdup || 596 FunI == II_win_strdup || FunI == II_strndup || FunI == II_wcsdup || 597 FunI == II_win_wcsdup || FunI == II_kmalloc) 598 return true; 599 } 600 601 if (Family == AF_IfNameIndex && CheckFree) { 602 if (FunI == II_if_freenameindex) 603 return true; 604 } 605 606 if (Family == AF_IfNameIndex && CheckAlloc) { 607 if (FunI == II_if_nameindex) 608 return true; 609 } 610 611 if (Family == AF_Alloca && CheckAlloc) { 612 if (FunI == II_alloca || FunI == II_win_alloca) 613 return true; 614 } 615 } 616 617 if (Family != AF_Malloc) 618 return false; 619 620 if (IsOptimistic && FD->hasAttrs()) { 621 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 622 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 623 if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) { 624 if (CheckFree) 625 return true; 626 } else if (OwnKind == OwnershipAttr::Returns) { 627 if (CheckAlloc) 628 return true; 629 } 630 } 631 } 632 633 return false; 634 } 635 636 // Tells if the callee is one of the following: 637 // 1) A global non-placement new/delete operator function. 638 // 2) A global placement operator function with the single placement argument 639 // of type std::nothrow_t. 640 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 641 ASTContext &C) const { 642 if (!FD) 643 return false; 644 645 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 646 if (Kind != OO_New && Kind != OO_Array_New && 647 Kind != OO_Delete && Kind != OO_Array_Delete) 648 return false; 649 650 // Skip all operator new/delete methods. 651 if (isa<CXXMethodDecl>(FD)) 652 return false; 653 654 // Return true if tested operator is a standard placement nothrow operator. 655 if (FD->getNumParams() == 2) { 656 QualType T = FD->getParamDecl(1)->getType(); 657 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 658 return II->getName().equals("nothrow_t"); 659 } 660 661 // Skip placement operators. 662 if (FD->getNumParams() != 1 || FD->isVariadic()) 663 return false; 664 665 // One of the standard new/new[]/delete/delete[] non-placement operators. 666 return true; 667 } 668 669 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc( 670 const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const { 671 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: 672 // 673 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); 674 // 675 // One of the possible flags is M_ZERO, which means 'give me back an 676 // allocation which is already zeroed', like calloc. 677 678 // 2-argument kmalloc(), as used in the Linux kernel: 679 // 680 // void *kmalloc(size_t size, gfp_t flags); 681 // 682 // Has the similar flag value __GFP_ZERO. 683 684 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some 685 // code could be shared. 686 687 ASTContext &Ctx = C.getASTContext(); 688 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); 689 690 if (!KernelZeroFlagVal.hasValue()) { 691 if (OS == llvm::Triple::FreeBSD) 692 KernelZeroFlagVal = 0x0100; 693 else if (OS == llvm::Triple::NetBSD) 694 KernelZeroFlagVal = 0x0002; 695 else if (OS == llvm::Triple::OpenBSD) 696 KernelZeroFlagVal = 0x0008; 697 else if (OS == llvm::Triple::Linux) 698 // __GFP_ZERO 699 KernelZeroFlagVal = 0x8000; 700 else 701 // FIXME: We need a more general way of getting the M_ZERO value. 702 // See also: O_CREAT in UnixAPIChecker.cpp. 703 704 // Fall back to normal malloc behavior on platforms where we don't 705 // know M_ZERO. 706 return None; 707 } 708 709 // We treat the last argument as the flags argument, and callers fall-back to 710 // normal malloc on a None return. This works for the FreeBSD kernel malloc 711 // as well as Linux kmalloc. 712 if (CE->getNumArgs() < 2) 713 return None; 714 715 const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1); 716 const SVal V = State->getSVal(FlagsEx, C.getLocationContext()); 717 if (!V.getAs<NonLoc>()) { 718 // The case where 'V' can be a location can only be due to a bad header, 719 // so in this case bail out. 720 return None; 721 } 722 723 NonLoc Flags = V.castAs<NonLoc>(); 724 NonLoc ZeroFlag = C.getSValBuilder() 725 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) 726 .castAs<NonLoc>(); 727 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, 728 Flags, ZeroFlag, 729 FlagsEx->getType()); 730 if (MaskedFlagsUC.isUnknownOrUndef()) 731 return None; 732 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); 733 734 // Check if maskedFlags is non-zero. 735 ProgramStateRef TrueState, FalseState; 736 std::tie(TrueState, FalseState) = State->assume(MaskedFlags); 737 738 // If M_ZERO is set, treat this like calloc (initialized). 739 if (TrueState && !FalseState) { 740 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); 741 return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState); 742 } 743 744 return None; 745 } 746 747 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 748 if (C.wasInlined) 749 return; 750 751 const FunctionDecl *FD = C.getCalleeDecl(CE); 752 if (!FD) 753 return; 754 755 ProgramStateRef State = C.getState(); 756 bool ReleasedAllocatedMemory = false; 757 758 if (FD->getKind() == Decl::Function) { 759 initIdentifierInfo(C.getASTContext()); 760 IdentifierInfo *FunI = FD->getIdentifier(); 761 762 if (FunI == II_malloc) { 763 if (CE->getNumArgs() < 1) 764 return; 765 if (CE->getNumArgs() < 3) { 766 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 767 if (CE->getNumArgs() == 1) 768 State = ProcessZeroAllocation(C, CE, 0, State); 769 } else if (CE->getNumArgs() == 3) { 770 llvm::Optional<ProgramStateRef> MaybeState = 771 performKernelMalloc(CE, C, State); 772 if (MaybeState.hasValue()) 773 State = MaybeState.getValue(); 774 else 775 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 776 } 777 } else if (FunI == II_kmalloc) { 778 llvm::Optional<ProgramStateRef> MaybeState = 779 performKernelMalloc(CE, C, State); 780 if (MaybeState.hasValue()) 781 State = MaybeState.getValue(); 782 else 783 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 784 } else if (FunI == II_valloc) { 785 if (CE->getNumArgs() < 1) 786 return; 787 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 788 State = ProcessZeroAllocation(C, CE, 0, State); 789 } else if (FunI == II_realloc) { 790 State = ReallocMem(C, CE, false, State); 791 State = ProcessZeroAllocation(C, CE, 1, State); 792 } else if (FunI == II_reallocf) { 793 State = ReallocMem(C, CE, true, State); 794 State = ProcessZeroAllocation(C, CE, 1, State); 795 } else if (FunI == II_calloc) { 796 State = CallocMem(C, CE, State); 797 State = ProcessZeroAllocation(C, CE, 0, State); 798 State = ProcessZeroAllocation(C, CE, 1, State); 799 } else if (FunI == II_free) { 800 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 801 } else if (FunI == II_strdup || FunI == II_win_strdup || 802 FunI == II_wcsdup || FunI == II_win_wcsdup) { 803 State = MallocUpdateRefState(C, CE, State); 804 } else if (FunI == II_strndup) { 805 State = MallocUpdateRefState(C, CE, State); 806 } else if (FunI == II_alloca || FunI == II_win_alloca) { 807 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 808 AF_Alloca); 809 State = ProcessZeroAllocation(C, CE, 0, State); 810 } else if (isStandardNewDelete(FD, C.getASTContext())) { 811 // Process direct calls to operator new/new[]/delete/delete[] functions 812 // as distinct from new/new[]/delete/delete[] expressions that are 813 // processed by the checkPostStmt callbacks for CXXNewExpr and 814 // CXXDeleteExpr. 815 OverloadedOperatorKind K = FD->getOverloadedOperator(); 816 if (K == OO_New) { 817 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 818 AF_CXXNew); 819 State = ProcessZeroAllocation(C, CE, 0, State); 820 } 821 else if (K == OO_Array_New) { 822 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 823 AF_CXXNewArray); 824 State = ProcessZeroAllocation(C, CE, 0, State); 825 } 826 else if (K == OO_Delete || K == OO_Array_Delete) 827 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 828 else 829 llvm_unreachable("not a new/delete operator"); 830 } else if (FunI == II_if_nameindex) { 831 // Should we model this differently? We can allocate a fixed number of 832 // elements with zeros in the last one. 833 State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, 834 AF_IfNameIndex); 835 } else if (FunI == II_if_freenameindex) { 836 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 837 } 838 } 839 840 if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 841 // Check all the attributes, if there are any. 842 // There can be multiple of these attributes. 843 if (FD->hasAttrs()) 844 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 845 switch (I->getOwnKind()) { 846 case OwnershipAttr::Returns: 847 State = MallocMemReturnsAttr(C, CE, I, State); 848 break; 849 case OwnershipAttr::Takes: 850 case OwnershipAttr::Holds: 851 State = FreeMemAttr(C, CE, I, State); 852 break; 853 } 854 } 855 } 856 C.addTransition(State); 857 } 858 859 // Performs a 0-sized allocations check. 860 ProgramStateRef MallocChecker::ProcessZeroAllocation(CheckerContext &C, 861 const Expr *E, 862 const unsigned AllocationSizeArg, 863 ProgramStateRef State) const { 864 if (!State) 865 return nullptr; 866 867 const Expr *Arg = nullptr; 868 869 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 870 Arg = CE->getArg(AllocationSizeArg); 871 } 872 else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 873 if (NE->isArray()) 874 Arg = NE->getArraySize(); 875 else 876 return State; 877 } 878 else 879 llvm_unreachable("not a CallExpr or CXXNewExpr"); 880 881 assert(Arg); 882 883 Optional<DefinedSVal> DefArgVal = 884 State->getSVal(Arg, C.getLocationContext()).getAs<DefinedSVal>(); 885 886 if (!DefArgVal) 887 return State; 888 889 // Check if the allocation size is 0. 890 ProgramStateRef TrueState, FalseState; 891 SValBuilder &SvalBuilder = C.getSValBuilder(); 892 DefinedSVal Zero = 893 SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>(); 894 895 std::tie(TrueState, FalseState) = 896 State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero)); 897 898 if (TrueState && !FalseState) { 899 SVal retVal = State->getSVal(E, C.getLocationContext()); 900 SymbolRef Sym = retVal.getAsLocSymbol(); 901 if (!Sym) 902 return State; 903 904 const RefState *RS = State->get<RegionState>(Sym); 905 if (RS) { 906 if (RS->isAllocated()) 907 return TrueState->set<RegionState>(Sym, 908 RefState::getAllocatedOfSizeZero(RS)); 909 else 910 return State; 911 } else { 912 // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as 913 // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not 914 // tracked. Add zero-reallocated Sym to the state to catch references 915 // to zero-allocated memory. 916 return TrueState->add<ReallocSizeZeroSymbols>(Sym); 917 } 918 } 919 920 // Assume the value is non-zero going forward. 921 assert(FalseState); 922 return FalseState; 923 } 924 925 static QualType getDeepPointeeType(QualType T) { 926 QualType Result = T, PointeeType = T->getPointeeType(); 927 while (!PointeeType.isNull()) { 928 Result = PointeeType; 929 PointeeType = PointeeType->getPointeeType(); 930 } 931 return Result; 932 } 933 934 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) { 935 936 const CXXConstructExpr *ConstructE = NE->getConstructExpr(); 937 if (!ConstructE) 938 return false; 939 940 if (!NE->getAllocatedType()->getAsCXXRecordDecl()) 941 return false; 942 943 const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); 944 945 // Iterate over the constructor parameters. 946 for (const auto *CtorParam : CtorD->parameters()) { 947 948 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); 949 if (CtorParamPointeeT.isNull()) 950 continue; 951 952 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); 953 954 if (CtorParamPointeeT->getAsCXXRecordDecl()) 955 return true; 956 } 957 958 return false; 959 } 960 961 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 962 CheckerContext &C) const { 963 964 if (NE->getNumPlacementArgs()) 965 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 966 E = NE->placement_arg_end(); I != E; ++I) 967 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 968 checkUseAfterFree(Sym, C, *I); 969 970 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 971 return; 972 973 ParentMap &PM = C.getLocationContext()->getParentMap(); 974 if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE)) 975 return; 976 977 ProgramStateRef State = C.getState(); 978 // The return value from operator new is bound to a specified initialization 979 // value (if any) and we don't want to loose this value. So we call 980 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 981 // existing binding. 982 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 983 : AF_CXXNew); 984 State = ProcessZeroAllocation(C, NE, 0, State); 985 C.addTransition(State); 986 } 987 988 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 989 CheckerContext &C) const { 990 991 if (!ChecksEnabled[CK_NewDeleteChecker]) 992 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 993 checkUseAfterFree(Sym, C, DE->getArgument()); 994 995 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 996 return; 997 998 ProgramStateRef State = C.getState(); 999 bool ReleasedAllocated; 1000 State = FreeMemAux(C, DE->getArgument(), DE, State, 1001 /*Hold*/false, ReleasedAllocated); 1002 1003 C.addTransition(State); 1004 } 1005 1006 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 1007 // If the first selector piece is one of the names below, assume that the 1008 // object takes ownership of the memory, promising to eventually deallocate it 1009 // with free(). 1010 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1011 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 1012 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 1013 return FirstSlot == "dataWithBytesNoCopy" || 1014 FirstSlot == "initWithBytesNoCopy" || 1015 FirstSlot == "initWithCharactersNoCopy"; 1016 } 1017 1018 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 1019 Selector S = Call.getSelector(); 1020 1021 // FIXME: We should not rely on fully-constrained symbols being folded. 1022 for (unsigned i = 1; i < S.getNumArgs(); ++i) 1023 if (S.getNameForSlot(i).equals("freeWhenDone")) 1024 return !Call.getArgSVal(i).isZeroConstant(); 1025 1026 return None; 1027 } 1028 1029 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 1030 CheckerContext &C) const { 1031 if (C.wasInlined) 1032 return; 1033 1034 if (!isKnownDeallocObjCMethodName(Call)) 1035 return; 1036 1037 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 1038 if (!*FreeWhenDone) 1039 return; 1040 1041 bool ReleasedAllocatedMemory; 1042 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 1043 Call.getOriginExpr(), C.getState(), 1044 /*Hold=*/true, ReleasedAllocatedMemory, 1045 /*RetNullOnFailure=*/true); 1046 1047 C.addTransition(State); 1048 } 1049 1050 ProgramStateRef 1051 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, 1052 const OwnershipAttr *Att, 1053 ProgramStateRef State) const { 1054 if (!State) 1055 return nullptr; 1056 1057 if (Att->getModule() != II_malloc) 1058 return nullptr; 1059 1060 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 1061 if (I != E) { 1062 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), State); 1063 } 1064 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State); 1065 } 1066 1067 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1068 const CallExpr *CE, 1069 const Expr *SizeEx, SVal Init, 1070 ProgramStateRef State, 1071 AllocationFamily Family) { 1072 if (!State) 1073 return nullptr; 1074 1075 return MallocMemAux(C, CE, State->getSVal(SizeEx, C.getLocationContext()), 1076 Init, State, Family); 1077 } 1078 1079 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1080 const CallExpr *CE, 1081 SVal Size, SVal Init, 1082 ProgramStateRef State, 1083 AllocationFamily Family) { 1084 if (!State) 1085 return nullptr; 1086 1087 // We expect the malloc functions to return a pointer. 1088 if (!Loc::isLocType(CE->getType())) 1089 return nullptr; 1090 1091 // Bind the return value to the symbolic value from the heap region. 1092 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 1093 // side effects other than what we model here. 1094 unsigned Count = C.blockCount(); 1095 SValBuilder &svalBuilder = C.getSValBuilder(); 1096 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 1097 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 1098 .castAs<DefinedSVal>(); 1099 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 1100 1101 // Fill the region with the initialization value. 1102 State = State->bindDefault(RetVal, Init); 1103 1104 // Set the region's extent equal to the Size parameter. 1105 const SymbolicRegion *R = 1106 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 1107 if (!R) 1108 return nullptr; 1109 if (Optional<DefinedOrUnknownSVal> DefinedSize = 1110 Size.getAs<DefinedOrUnknownSVal>()) { 1111 SValBuilder &svalBuilder = C.getSValBuilder(); 1112 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 1113 DefinedOrUnknownSVal extentMatchesSize = 1114 svalBuilder.evalEQ(State, Extent, *DefinedSize); 1115 1116 State = State->assume(extentMatchesSize, true); 1117 assert(State); 1118 } 1119 1120 return MallocUpdateRefState(C, CE, State, Family); 1121 } 1122 1123 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 1124 const Expr *E, 1125 ProgramStateRef State, 1126 AllocationFamily Family) { 1127 if (!State) 1128 return nullptr; 1129 1130 // Get the return value. 1131 SVal retVal = State->getSVal(E, C.getLocationContext()); 1132 1133 // We expect the malloc functions to return a pointer. 1134 if (!retVal.getAs<Loc>()) 1135 return nullptr; 1136 1137 SymbolRef Sym = retVal.getAsLocSymbol(); 1138 assert(Sym); 1139 1140 // Set the symbol's state to Allocated. 1141 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 1142 } 1143 1144 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 1145 const CallExpr *CE, 1146 const OwnershipAttr *Att, 1147 ProgramStateRef State) const { 1148 if (!State) 1149 return nullptr; 1150 1151 if (Att->getModule() != II_malloc) 1152 return nullptr; 1153 1154 bool ReleasedAllocated = false; 1155 1156 for (const auto &Arg : Att->args()) { 1157 ProgramStateRef StateI = FreeMemAux(C, CE, State, Arg, 1158 Att->getOwnKind() == OwnershipAttr::Holds, 1159 ReleasedAllocated); 1160 if (StateI) 1161 State = StateI; 1162 } 1163 return State; 1164 } 1165 1166 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1167 const CallExpr *CE, 1168 ProgramStateRef State, 1169 unsigned Num, 1170 bool Hold, 1171 bool &ReleasedAllocated, 1172 bool ReturnsNullOnFailure) const { 1173 if (!State) 1174 return nullptr; 1175 1176 if (CE->getNumArgs() < (Num + 1)) 1177 return nullptr; 1178 1179 return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, 1180 ReleasedAllocated, ReturnsNullOnFailure); 1181 } 1182 1183 /// Checks if the previous call to free on the given symbol failed - if free 1184 /// failed, returns true. Also, returns the corresponding return value symbol. 1185 static bool didPreviousFreeFail(ProgramStateRef State, 1186 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 1187 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 1188 if (Ret) { 1189 assert(*Ret && "We should not store the null return symbol"); 1190 ConstraintManager &CMgr = State->getConstraintManager(); 1191 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 1192 RetStatusSymbol = *Ret; 1193 return FreeFailed.isConstrainedTrue(); 1194 } 1195 return false; 1196 } 1197 1198 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 1199 const Stmt *S) const { 1200 if (!S) 1201 return AF_None; 1202 1203 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1204 const FunctionDecl *FD = C.getCalleeDecl(CE); 1205 1206 if (!FD) 1207 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 1208 1209 ASTContext &Ctx = C.getASTContext(); 1210 1211 if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any)) 1212 return AF_Malloc; 1213 1214 if (isStandardNewDelete(FD, Ctx)) { 1215 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 1216 if (Kind == OO_New || Kind == OO_Delete) 1217 return AF_CXXNew; 1218 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 1219 return AF_CXXNewArray; 1220 } 1221 1222 if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 1223 return AF_IfNameIndex; 1224 1225 if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any)) 1226 return AF_Alloca; 1227 1228 return AF_None; 1229 } 1230 1231 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 1232 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 1233 1234 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 1235 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 1236 1237 if (isa<ObjCMessageExpr>(S)) 1238 return AF_Malloc; 1239 1240 return AF_None; 1241 } 1242 1243 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 1244 const Expr *E) const { 1245 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1246 // FIXME: This doesn't handle indirect calls. 1247 const FunctionDecl *FD = CE->getDirectCallee(); 1248 if (!FD) 1249 return false; 1250 1251 os << *FD; 1252 if (!FD->isOverloadedOperator()) 1253 os << "()"; 1254 return true; 1255 } 1256 1257 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 1258 if (Msg->isInstanceMessage()) 1259 os << "-"; 1260 else 1261 os << "+"; 1262 Msg->getSelector().print(os); 1263 return true; 1264 } 1265 1266 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1267 os << "'" 1268 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 1269 << "'"; 1270 return true; 1271 } 1272 1273 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 1274 os << "'" 1275 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 1276 << "'"; 1277 return true; 1278 } 1279 1280 return false; 1281 } 1282 1283 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 1284 const Expr *E) const { 1285 AllocationFamily Family = getAllocationFamily(C, E); 1286 1287 switch(Family) { 1288 case AF_Malloc: os << "malloc()"; return; 1289 case AF_CXXNew: os << "'new'"; return; 1290 case AF_CXXNewArray: os << "'new[]'"; return; 1291 case AF_IfNameIndex: os << "'if_nameindex()'"; return; 1292 case AF_Alloca: 1293 case AF_None: llvm_unreachable("not a deallocation expression"); 1294 } 1295 } 1296 1297 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 1298 AllocationFamily Family) const { 1299 switch(Family) { 1300 case AF_Malloc: os << "free()"; return; 1301 case AF_CXXNew: os << "'delete'"; return; 1302 case AF_CXXNewArray: os << "'delete[]'"; return; 1303 case AF_IfNameIndex: os << "'if_freenameindex()'"; return; 1304 case AF_Alloca: 1305 case AF_None: llvm_unreachable("suspicious argument"); 1306 } 1307 } 1308 1309 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1310 const Expr *ArgExpr, 1311 const Expr *ParentExpr, 1312 ProgramStateRef State, 1313 bool Hold, 1314 bool &ReleasedAllocated, 1315 bool ReturnsNullOnFailure) const { 1316 1317 if (!State) 1318 return nullptr; 1319 1320 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 1321 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 1322 return nullptr; 1323 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 1324 1325 // Check for null dereferences. 1326 if (!location.getAs<Loc>()) 1327 return nullptr; 1328 1329 // The explicit NULL case, no operation is performed. 1330 ProgramStateRef notNullState, nullState; 1331 std::tie(notNullState, nullState) = State->assume(location); 1332 if (nullState && !notNullState) 1333 return nullptr; 1334 1335 // Unknown values could easily be okay 1336 // Undefined values are handled elsewhere 1337 if (ArgVal.isUnknownOrUndef()) 1338 return nullptr; 1339 1340 const MemRegion *R = ArgVal.getAsRegion(); 1341 1342 // Nonlocs can't be freed, of course. 1343 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 1344 if (!R) { 1345 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1346 return nullptr; 1347 } 1348 1349 R = R->StripCasts(); 1350 1351 // Blocks might show up as heap data, but should not be free()d 1352 if (isa<BlockDataRegion>(R)) { 1353 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1354 return nullptr; 1355 } 1356 1357 const MemSpaceRegion *MS = R->getMemorySpace(); 1358 1359 // Parameters, locals, statics, globals, and memory returned by 1360 // __builtin_alloca() shouldn't be freed. 1361 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1362 // FIXME: at the time this code was written, malloc() regions were 1363 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1364 // This means that there isn't actually anything from HeapSpaceRegion 1365 // that should be freed, even though we allow it here. 1366 // Of course, free() can work on memory allocated outside the current 1367 // function, so UnknownSpaceRegion is always a possibility. 1368 // False negatives are better than false positives. 1369 1370 if (isa<AllocaRegion>(R)) 1371 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1372 else 1373 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1374 1375 return nullptr; 1376 } 1377 1378 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1379 // Various cases could lead to non-symbol values here. 1380 // For now, ignore them. 1381 if (!SrBase) 1382 return nullptr; 1383 1384 SymbolRef SymBase = SrBase->getSymbol(); 1385 const RefState *RsBase = State->get<RegionState>(SymBase); 1386 SymbolRef PreviousRetStatusSymbol = nullptr; 1387 1388 if (RsBase) { 1389 1390 // Memory returned by alloca() shouldn't be freed. 1391 if (RsBase->getAllocationFamily() == AF_Alloca) { 1392 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1393 return nullptr; 1394 } 1395 1396 // Check for double free first. 1397 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1398 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1399 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1400 SymBase, PreviousRetStatusSymbol); 1401 return nullptr; 1402 1403 // If the pointer is allocated or escaped, but we are now trying to free it, 1404 // check that the call to free is proper. 1405 } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() || 1406 RsBase->isEscaped()) { 1407 1408 // Check if an expected deallocation function matches the real one. 1409 bool DeallocMatchesAlloc = 1410 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1411 if (!DeallocMatchesAlloc) { 1412 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1413 ParentExpr, RsBase, SymBase, Hold); 1414 return nullptr; 1415 } 1416 1417 // Check if the memory location being freed is the actual location 1418 // allocated, or an offset. 1419 RegionOffset Offset = R->getAsOffset(); 1420 if (Offset.isValid() && 1421 !Offset.hasSymbolicOffset() && 1422 Offset.getOffset() != 0) { 1423 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1424 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1425 AllocExpr); 1426 return nullptr; 1427 } 1428 } 1429 } 1430 1431 ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() || 1432 RsBase->isAllocatedOfSizeZero()); 1433 1434 // Clean out the info on previous call to free return info. 1435 State = State->remove<FreeReturnValue>(SymBase); 1436 1437 // Keep track of the return value. If it is NULL, we will know that free 1438 // failed. 1439 if (ReturnsNullOnFailure) { 1440 SVal RetVal = C.getSVal(ParentExpr); 1441 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1442 if (RetStatusSymbol) { 1443 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1444 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1445 } 1446 } 1447 1448 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() 1449 : getAllocationFamily(C, ParentExpr); 1450 // Normal free. 1451 if (Hold) 1452 return State->set<RegionState>(SymBase, 1453 RefState::getRelinquished(Family, 1454 ParentExpr)); 1455 1456 return State->set<RegionState>(SymBase, 1457 RefState::getReleased(Family, ParentExpr)); 1458 } 1459 1460 Optional<MallocChecker::CheckKind> 1461 MallocChecker::getCheckIfTracked(AllocationFamily Family, 1462 bool IsALeakCheck) const { 1463 switch (Family) { 1464 case AF_Malloc: 1465 case AF_Alloca: 1466 case AF_IfNameIndex: { 1467 if (ChecksEnabled[CK_MallocChecker]) 1468 return CK_MallocChecker; 1469 1470 return Optional<MallocChecker::CheckKind>(); 1471 } 1472 case AF_CXXNew: 1473 case AF_CXXNewArray: { 1474 if (IsALeakCheck) { 1475 if (ChecksEnabled[CK_NewDeleteLeaksChecker]) 1476 return CK_NewDeleteLeaksChecker; 1477 } 1478 else { 1479 if (ChecksEnabled[CK_NewDeleteChecker]) 1480 return CK_NewDeleteChecker; 1481 } 1482 return Optional<MallocChecker::CheckKind>(); 1483 } 1484 case AF_None: { 1485 llvm_unreachable("no family"); 1486 } 1487 } 1488 llvm_unreachable("unhandled family"); 1489 } 1490 1491 Optional<MallocChecker::CheckKind> 1492 MallocChecker::getCheckIfTracked(CheckerContext &C, 1493 const Stmt *AllocDeallocStmt, 1494 bool IsALeakCheck) const { 1495 return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt), 1496 IsALeakCheck); 1497 } 1498 1499 Optional<MallocChecker::CheckKind> 1500 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 1501 bool IsALeakCheck) const { 1502 if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) 1503 return CK_MallocChecker; 1504 1505 const RefState *RS = C.getState()->get<RegionState>(Sym); 1506 assert(RS); 1507 return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck); 1508 } 1509 1510 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1511 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1512 os << "an integer (" << IntVal->getValue() << ")"; 1513 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1514 os << "a constant address (" << ConstAddr->getValue() << ")"; 1515 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1516 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1517 else 1518 return false; 1519 1520 return true; 1521 } 1522 1523 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1524 const MemRegion *MR) { 1525 switch (MR->getKind()) { 1526 case MemRegion::FunctionCodeRegionKind: { 1527 const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl(); 1528 if (FD) 1529 os << "the address of the function '" << *FD << '\''; 1530 else 1531 os << "the address of a function"; 1532 return true; 1533 } 1534 case MemRegion::BlockCodeRegionKind: 1535 os << "block text"; 1536 return true; 1537 case MemRegion::BlockDataRegionKind: 1538 // FIXME: where the block came from? 1539 os << "a block"; 1540 return true; 1541 default: { 1542 const MemSpaceRegion *MS = MR->getMemorySpace(); 1543 1544 if (isa<StackLocalsSpaceRegion>(MS)) { 1545 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1546 const VarDecl *VD; 1547 if (VR) 1548 VD = VR->getDecl(); 1549 else 1550 VD = nullptr; 1551 1552 if (VD) 1553 os << "the address of the local variable '" << VD->getName() << "'"; 1554 else 1555 os << "the address of a local stack variable"; 1556 return true; 1557 } 1558 1559 if (isa<StackArgumentsSpaceRegion>(MS)) { 1560 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1561 const VarDecl *VD; 1562 if (VR) 1563 VD = VR->getDecl(); 1564 else 1565 VD = nullptr; 1566 1567 if (VD) 1568 os << "the address of the parameter '" << VD->getName() << "'"; 1569 else 1570 os << "the address of a parameter"; 1571 return true; 1572 } 1573 1574 if (isa<GlobalsSpaceRegion>(MS)) { 1575 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1576 const VarDecl *VD; 1577 if (VR) 1578 VD = VR->getDecl(); 1579 else 1580 VD = nullptr; 1581 1582 if (VD) { 1583 if (VD->isStaticLocal()) 1584 os << "the address of the static variable '" << VD->getName() << "'"; 1585 else 1586 os << "the address of the global variable '" << VD->getName() << "'"; 1587 } else 1588 os << "the address of a global variable"; 1589 return true; 1590 } 1591 1592 return false; 1593 } 1594 } 1595 } 1596 1597 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1598 SourceRange Range, 1599 const Expr *DeallocExpr) const { 1600 1601 if (!ChecksEnabled[CK_MallocChecker] && 1602 !ChecksEnabled[CK_NewDeleteChecker]) 1603 return; 1604 1605 Optional<MallocChecker::CheckKind> CheckKind = 1606 getCheckIfTracked(C, DeallocExpr); 1607 if (!CheckKind.hasValue()) 1608 return; 1609 1610 if (ExplodedNode *N = C.generateErrorNode()) { 1611 if (!BT_BadFree[*CheckKind]) 1612 BT_BadFree[*CheckKind].reset( 1613 new BugType(CheckNames[*CheckKind], "Bad free", "Memory Error")); 1614 1615 SmallString<100> buf; 1616 llvm::raw_svector_ostream os(buf); 1617 1618 const MemRegion *MR = ArgVal.getAsRegion(); 1619 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1620 MR = ER->getSuperRegion(); 1621 1622 os << "Argument to "; 1623 if (!printAllocDeallocName(os, C, DeallocExpr)) 1624 os << "deallocator"; 1625 1626 os << " is "; 1627 bool Summarized = MR ? SummarizeRegion(os, MR) 1628 : SummarizeValue(os, ArgVal); 1629 if (Summarized) 1630 os << ", which is not memory allocated by "; 1631 else 1632 os << "not memory allocated by "; 1633 1634 printExpectedAllocName(os, C, DeallocExpr); 1635 1636 auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], os.str(), N); 1637 R->markInteresting(MR); 1638 R->addRange(Range); 1639 C.emitReport(std::move(R)); 1640 } 1641 } 1642 1643 void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 1644 SourceRange Range) const { 1645 1646 Optional<MallocChecker::CheckKind> CheckKind; 1647 1648 if (ChecksEnabled[CK_MallocChecker]) 1649 CheckKind = CK_MallocChecker; 1650 else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1651 CheckKind = CK_MismatchedDeallocatorChecker; 1652 else 1653 return; 1654 1655 if (ExplodedNode *N = C.generateErrorNode()) { 1656 if (!BT_FreeAlloca[*CheckKind]) 1657 BT_FreeAlloca[*CheckKind].reset( 1658 new BugType(CheckNames[*CheckKind], "Free alloca()", "Memory Error")); 1659 1660 auto R = llvm::make_unique<BugReport>( 1661 *BT_FreeAlloca[*CheckKind], 1662 "Memory allocated by alloca() should not be deallocated", N); 1663 R->markInteresting(ArgVal.getAsRegion()); 1664 R->addRange(Range); 1665 C.emitReport(std::move(R)); 1666 } 1667 } 1668 1669 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1670 SourceRange Range, 1671 const Expr *DeallocExpr, 1672 const RefState *RS, 1673 SymbolRef Sym, 1674 bool OwnershipTransferred) const { 1675 1676 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1677 return; 1678 1679 if (ExplodedNode *N = C.generateErrorNode()) { 1680 if (!BT_MismatchedDealloc) 1681 BT_MismatchedDealloc.reset( 1682 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 1683 "Bad deallocator", "Memory Error")); 1684 1685 SmallString<100> buf; 1686 llvm::raw_svector_ostream os(buf); 1687 1688 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1689 SmallString<20> AllocBuf; 1690 llvm::raw_svector_ostream AllocOs(AllocBuf); 1691 SmallString<20> DeallocBuf; 1692 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1693 1694 if (OwnershipTransferred) { 1695 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1696 os << DeallocOs.str() << " cannot"; 1697 else 1698 os << "Cannot"; 1699 1700 os << " take ownership of memory"; 1701 1702 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1703 os << " allocated by " << AllocOs.str(); 1704 } else { 1705 os << "Memory"; 1706 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1707 os << " allocated by " << AllocOs.str(); 1708 1709 os << " should be deallocated by "; 1710 printExpectedDeallocName(os, RS->getAllocationFamily()); 1711 1712 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1713 os << ", not " << DeallocOs.str(); 1714 } 1715 1716 auto R = llvm::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N); 1717 R->markInteresting(Sym); 1718 R->addRange(Range); 1719 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1720 C.emitReport(std::move(R)); 1721 } 1722 } 1723 1724 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1725 SourceRange Range, const Expr *DeallocExpr, 1726 const Expr *AllocExpr) const { 1727 1728 1729 if (!ChecksEnabled[CK_MallocChecker] && 1730 !ChecksEnabled[CK_NewDeleteChecker]) 1731 return; 1732 1733 Optional<MallocChecker::CheckKind> CheckKind = 1734 getCheckIfTracked(C, AllocExpr); 1735 if (!CheckKind.hasValue()) 1736 return; 1737 1738 ExplodedNode *N = C.generateErrorNode(); 1739 if (!N) 1740 return; 1741 1742 if (!BT_OffsetFree[*CheckKind]) 1743 BT_OffsetFree[*CheckKind].reset( 1744 new BugType(CheckNames[*CheckKind], "Offset free", "Memory Error")); 1745 1746 SmallString<100> buf; 1747 llvm::raw_svector_ostream os(buf); 1748 SmallString<20> AllocNameBuf; 1749 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1750 1751 const MemRegion *MR = ArgVal.getAsRegion(); 1752 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1753 1754 RegionOffset Offset = MR->getAsOffset(); 1755 assert((Offset.isValid() && 1756 !Offset.hasSymbolicOffset() && 1757 Offset.getOffset() != 0) && 1758 "Only symbols with a valid offset can have offset free errors"); 1759 1760 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1761 1762 os << "Argument to "; 1763 if (!printAllocDeallocName(os, C, DeallocExpr)) 1764 os << "deallocator"; 1765 os << " is offset by " 1766 << offsetBytes 1767 << " " 1768 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1769 << " from the start of "; 1770 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1771 os << "memory allocated by " << AllocNameOs.str(); 1772 else 1773 os << "allocated memory"; 1774 1775 auto R = llvm::make_unique<BugReport>(*BT_OffsetFree[*CheckKind], os.str(), N); 1776 R->markInteresting(MR->getBaseRegion()); 1777 R->addRange(Range); 1778 C.emitReport(std::move(R)); 1779 } 1780 1781 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1782 SymbolRef Sym) const { 1783 1784 if (!ChecksEnabled[CK_MallocChecker] && 1785 !ChecksEnabled[CK_NewDeleteChecker]) 1786 return; 1787 1788 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1789 if (!CheckKind.hasValue()) 1790 return; 1791 1792 if (ExplodedNode *N = C.generateErrorNode()) { 1793 if (!BT_UseFree[*CheckKind]) 1794 BT_UseFree[*CheckKind].reset(new BugType( 1795 CheckNames[*CheckKind], "Use-after-free", "Memory Error")); 1796 1797 auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind], 1798 "Use of memory after it is freed", N); 1799 1800 R->markInteresting(Sym); 1801 R->addRange(Range); 1802 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1803 C.emitReport(std::move(R)); 1804 } 1805 } 1806 1807 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1808 bool Released, SymbolRef Sym, 1809 SymbolRef PrevSym) const { 1810 1811 if (!ChecksEnabled[CK_MallocChecker] && 1812 !ChecksEnabled[CK_NewDeleteChecker]) 1813 return; 1814 1815 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1816 if (!CheckKind.hasValue()) 1817 return; 1818 1819 if (ExplodedNode *N = C.generateErrorNode()) { 1820 if (!BT_DoubleFree[*CheckKind]) 1821 BT_DoubleFree[*CheckKind].reset( 1822 new BugType(CheckNames[*CheckKind], "Double free", "Memory Error")); 1823 1824 auto R = llvm::make_unique<BugReport>( 1825 *BT_DoubleFree[*CheckKind], 1826 (Released ? "Attempt to free released memory" 1827 : "Attempt to free non-owned memory"), 1828 N); 1829 R->addRange(Range); 1830 R->markInteresting(Sym); 1831 if (PrevSym) 1832 R->markInteresting(PrevSym); 1833 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1834 C.emitReport(std::move(R)); 1835 } 1836 } 1837 1838 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 1839 1840 if (!ChecksEnabled[CK_NewDeleteChecker]) 1841 return; 1842 1843 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1844 if (!CheckKind.hasValue()) 1845 return; 1846 1847 if (ExplodedNode *N = C.generateErrorNode()) { 1848 if (!BT_DoubleDelete) 1849 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 1850 "Double delete", "Memory Error")); 1851 1852 auto R = llvm::make_unique<BugReport>( 1853 *BT_DoubleDelete, "Attempt to delete released memory", N); 1854 1855 R->markInteresting(Sym); 1856 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1857 C.emitReport(std::move(R)); 1858 } 1859 } 1860 1861 void MallocChecker::ReportUseZeroAllocated(CheckerContext &C, 1862 SourceRange Range, 1863 SymbolRef Sym) const { 1864 1865 if (!ChecksEnabled[CK_MallocChecker] && 1866 !ChecksEnabled[CK_NewDeleteChecker]) 1867 return; 1868 1869 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1870 1871 if (!CheckKind.hasValue()) 1872 return; 1873 1874 if (ExplodedNode *N = C.generateErrorNode()) { 1875 if (!BT_UseZerroAllocated[*CheckKind]) 1876 BT_UseZerroAllocated[*CheckKind].reset(new BugType( 1877 CheckNames[*CheckKind], "Use of zero allocated", "Memory Error")); 1878 1879 auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind], 1880 "Use of zero-allocated memory", N); 1881 1882 R->addRange(Range); 1883 if (Sym) { 1884 R->markInteresting(Sym); 1885 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1886 } 1887 C.emitReport(std::move(R)); 1888 } 1889 } 1890 1891 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 1892 const CallExpr *CE, 1893 bool FreesOnFail, 1894 ProgramStateRef State) const { 1895 if (!State) 1896 return nullptr; 1897 1898 if (CE->getNumArgs() < 2) 1899 return nullptr; 1900 1901 const Expr *arg0Expr = CE->getArg(0); 1902 const LocationContext *LCtx = C.getLocationContext(); 1903 SVal Arg0Val = State->getSVal(arg0Expr, LCtx); 1904 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 1905 return nullptr; 1906 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 1907 1908 SValBuilder &svalBuilder = C.getSValBuilder(); 1909 1910 DefinedOrUnknownSVal PtrEQ = 1911 svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull()); 1912 1913 // Get the size argument. If there is no size arg then give up. 1914 const Expr *Arg1 = CE->getArg(1); 1915 if (!Arg1) 1916 return nullptr; 1917 1918 // Get the value of the size argument. 1919 SVal Arg1ValG = State->getSVal(Arg1, LCtx); 1920 if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) 1921 return nullptr; 1922 DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); 1923 1924 // Compare the size argument to 0. 1925 DefinedOrUnknownSVal SizeZero = 1926 svalBuilder.evalEQ(State, Arg1Val, 1927 svalBuilder.makeIntValWithPtrWidth(0, false)); 1928 1929 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 1930 std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); 1931 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 1932 std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); 1933 // We only assume exceptional states if they are definitely true; if the 1934 // state is under-constrained, assume regular realloc behavior. 1935 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 1936 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 1937 1938 // If the ptr is NULL and the size is not 0, the call is equivalent to 1939 // malloc(size). 1940 if ( PrtIsNull && !SizeIsZero) { 1941 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 1942 UndefinedVal(), StatePtrIsNull); 1943 return stateMalloc; 1944 } 1945 1946 if (PrtIsNull && SizeIsZero) 1947 return State; 1948 1949 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 1950 assert(!PrtIsNull); 1951 SymbolRef FromPtr = arg0Val.getAsSymbol(); 1952 SVal RetVal = State->getSVal(CE, LCtx); 1953 SymbolRef ToPtr = RetVal.getAsSymbol(); 1954 if (!FromPtr || !ToPtr) 1955 return nullptr; 1956 1957 bool ReleasedAllocated = false; 1958 1959 // If the size is 0, free the memory. 1960 if (SizeIsZero) 1961 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 1962 false, ReleasedAllocated)){ 1963 // The semantics of the return value are: 1964 // If size was equal to 0, either NULL or a pointer suitable to be passed 1965 // to free() is returned. We just free the input pointer and do not add 1966 // any constrains on the output pointer. 1967 return stateFree; 1968 } 1969 1970 // Default behavior. 1971 if (ProgramStateRef stateFree = 1972 FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) { 1973 1974 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 1975 UnknownVal(), stateFree); 1976 if (!stateRealloc) 1977 return nullptr; 1978 1979 ReallocPairKind Kind = RPToBeFreedAfterFailure; 1980 if (FreesOnFail) 1981 Kind = RPIsFreeOnFailure; 1982 else if (!ReleasedAllocated) 1983 Kind = RPDoNotTrackAfterFailure; 1984 1985 // Record the info about the reallocated symbol so that we could properly 1986 // process failed reallocation. 1987 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 1988 ReallocPair(FromPtr, Kind)); 1989 // The reallocated symbol should stay alive for as long as the new symbol. 1990 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 1991 return stateRealloc; 1992 } 1993 return nullptr; 1994 } 1995 1996 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE, 1997 ProgramStateRef State) { 1998 if (!State) 1999 return nullptr; 2000 2001 if (CE->getNumArgs() < 2) 2002 return nullptr; 2003 2004 SValBuilder &svalBuilder = C.getSValBuilder(); 2005 const LocationContext *LCtx = C.getLocationContext(); 2006 SVal count = State->getSVal(CE->getArg(0), LCtx); 2007 SVal elementSize = State->getSVal(CE->getArg(1), LCtx); 2008 SVal TotalSize = svalBuilder.evalBinOp(State, BO_Mul, count, elementSize, 2009 svalBuilder.getContext().getSizeType()); 2010 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 2011 2012 return MallocMemAux(C, CE, TotalSize, zeroVal, State); 2013 } 2014 2015 LeakInfo 2016 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 2017 CheckerContext &C) const { 2018 const LocationContext *LeakContext = N->getLocationContext(); 2019 // Walk the ExplodedGraph backwards and find the first node that referred to 2020 // the tracked symbol. 2021 const ExplodedNode *AllocNode = N; 2022 const MemRegion *ReferenceRegion = nullptr; 2023 2024 while (N) { 2025 ProgramStateRef State = N->getState(); 2026 if (!State->get<RegionState>(Sym)) 2027 break; 2028 2029 // Find the most recent expression bound to the symbol in the current 2030 // context. 2031 if (!ReferenceRegion) { 2032 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 2033 SVal Val = State->getSVal(MR); 2034 if (Val.getAsLocSymbol() == Sym) { 2035 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); 2036 // Do not show local variables belonging to a function other than 2037 // where the error is reported. 2038 if (!VR || 2039 (VR->getStackFrame() == LeakContext->getCurrentStackFrame())) 2040 ReferenceRegion = MR; 2041 } 2042 } 2043 } 2044 2045 // Allocation node, is the last node in the current or parent context in 2046 // which the symbol was tracked. 2047 const LocationContext *NContext = N->getLocationContext(); 2048 if (NContext == LeakContext || 2049 NContext->isParentOf(LeakContext)) 2050 AllocNode = N; 2051 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 2052 } 2053 2054 return LeakInfo(AllocNode, ReferenceRegion); 2055 } 2056 2057 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 2058 CheckerContext &C) const { 2059 2060 if (!ChecksEnabled[CK_MallocChecker] && 2061 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 2062 return; 2063 2064 const RefState *RS = C.getState()->get<RegionState>(Sym); 2065 assert(RS && "cannot leak an untracked symbol"); 2066 AllocationFamily Family = RS->getAllocationFamily(); 2067 2068 if (Family == AF_Alloca) 2069 return; 2070 2071 Optional<MallocChecker::CheckKind> 2072 CheckKind = getCheckIfTracked(Family, true); 2073 2074 if (!CheckKind.hasValue()) 2075 return; 2076 2077 assert(N); 2078 if (!BT_Leak[*CheckKind]) { 2079 BT_Leak[*CheckKind].reset( 2080 new BugType(CheckNames[*CheckKind], "Memory leak", "Memory Error")); 2081 // Leaks should not be reported if they are post-dominated by a sink: 2082 // (1) Sinks are higher importance bugs. 2083 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 2084 // with __noreturn functions such as assert() or exit(). We choose not 2085 // to report leaks on such paths. 2086 BT_Leak[*CheckKind]->setSuppressOnSink(true); 2087 } 2088 2089 // Most bug reports are cached at the location where they occurred. 2090 // With leaks, we want to unique them by the location where they were 2091 // allocated, and only report a single path. 2092 PathDiagnosticLocation LocUsedForUniqueing; 2093 const ExplodedNode *AllocNode = nullptr; 2094 const MemRegion *Region = nullptr; 2095 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 2096 2097 ProgramPoint P = AllocNode->getLocation(); 2098 const Stmt *AllocationStmt = nullptr; 2099 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 2100 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 2101 else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) 2102 AllocationStmt = SP->getStmt(); 2103 if (AllocationStmt) 2104 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 2105 C.getSourceManager(), 2106 AllocNode->getLocationContext()); 2107 2108 SmallString<200> buf; 2109 llvm::raw_svector_ostream os(buf); 2110 if (Region && Region->canPrintPretty()) { 2111 os << "Potential leak of memory pointed to by "; 2112 Region->printPretty(os); 2113 } else { 2114 os << "Potential memory leak"; 2115 } 2116 2117 auto R = llvm::make_unique<BugReport>( 2118 *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 2119 AllocNode->getLocationContext()->getDecl()); 2120 R->markInteresting(Sym); 2121 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true)); 2122 C.emitReport(std::move(R)); 2123 } 2124 2125 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 2126 CheckerContext &C) const 2127 { 2128 if (!SymReaper.hasDeadSymbols()) 2129 return; 2130 2131 ProgramStateRef state = C.getState(); 2132 RegionStateTy RS = state->get<RegionState>(); 2133 RegionStateTy::Factory &F = state->get_context<RegionState>(); 2134 2135 SmallVector<SymbolRef, 2> Errors; 2136 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2137 if (SymReaper.isDead(I->first)) { 2138 if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero()) 2139 Errors.push_back(I->first); 2140 // Remove the dead symbol from the map. 2141 RS = F.remove(RS, I->first); 2142 2143 } 2144 } 2145 2146 // Cleanup the Realloc Pairs Map. 2147 ReallocPairsTy RP = state->get<ReallocPairs>(); 2148 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2149 if (SymReaper.isDead(I->first) || 2150 SymReaper.isDead(I->second.ReallocatedSym)) { 2151 state = state->remove<ReallocPairs>(I->first); 2152 } 2153 } 2154 2155 // Cleanup the FreeReturnValue Map. 2156 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 2157 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 2158 if (SymReaper.isDead(I->first) || 2159 SymReaper.isDead(I->second)) { 2160 state = state->remove<FreeReturnValue>(I->first); 2161 } 2162 } 2163 2164 // Generate leak node. 2165 ExplodedNode *N = C.getPredecessor(); 2166 if (!Errors.empty()) { 2167 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 2168 N = C.generateNonFatalErrorNode(C.getState(), &Tag); 2169 if (N) { 2170 for (SmallVectorImpl<SymbolRef>::iterator 2171 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 2172 reportLeak(*I, N, C); 2173 } 2174 } 2175 } 2176 2177 C.addTransition(state->set<RegionState>(RS), N); 2178 } 2179 2180 void MallocChecker::checkPreCall(const CallEvent &Call, 2181 CheckerContext &C) const { 2182 2183 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { 2184 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 2185 if (!Sym || checkDoubleDelete(Sym, C)) 2186 return; 2187 } 2188 2189 // We will check for double free in the post visit. 2190 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 2191 const FunctionDecl *FD = FC->getDecl(); 2192 if (!FD) 2193 return; 2194 2195 ASTContext &Ctx = C.getASTContext(); 2196 if (ChecksEnabled[CK_MallocChecker] && 2197 (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) || 2198 isCMemFunction(FD, Ctx, AF_IfNameIndex, 2199 MemoryOperationKind::MOK_Free))) 2200 return; 2201 2202 if (ChecksEnabled[CK_NewDeleteChecker] && 2203 isStandardNewDelete(FD, Ctx)) 2204 return; 2205 } 2206 2207 // Check if the callee of a method is deleted. 2208 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 2209 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 2210 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 2211 return; 2212 } 2213 2214 // Check arguments for being used after free. 2215 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 2216 SVal ArgSVal = Call.getArgSVal(I); 2217 if (ArgSVal.getAs<Loc>()) { 2218 SymbolRef Sym = ArgSVal.getAsSymbol(); 2219 if (!Sym) 2220 continue; 2221 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 2222 return; 2223 } 2224 } 2225 } 2226 2227 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 2228 const Expr *E = S->getRetValue(); 2229 if (!E) 2230 return; 2231 2232 // Check if we are returning a symbol. 2233 ProgramStateRef State = C.getState(); 2234 SVal RetVal = State->getSVal(E, C.getLocationContext()); 2235 SymbolRef Sym = RetVal.getAsSymbol(); 2236 if (!Sym) 2237 // If we are returning a field of the allocated struct or an array element, 2238 // the callee could still free the memory. 2239 // TODO: This logic should be a part of generic symbol escape callback. 2240 if (const MemRegion *MR = RetVal.getAsRegion()) 2241 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 2242 if (const SymbolicRegion *BMR = 2243 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 2244 Sym = BMR->getSymbol(); 2245 2246 // Check if we are returning freed memory. 2247 if (Sym) 2248 checkUseAfterFree(Sym, C, E); 2249 } 2250 2251 // TODO: Blocks should be either inlined or should call invalidate regions 2252 // upon invocation. After that's in place, special casing here will not be 2253 // needed. 2254 void MallocChecker::checkPostStmt(const BlockExpr *BE, 2255 CheckerContext &C) const { 2256 2257 // Scan the BlockDecRefExprs for any object the retain count checker 2258 // may be tracking. 2259 if (!BE->getBlockDecl()->hasCaptures()) 2260 return; 2261 2262 ProgramStateRef state = C.getState(); 2263 const BlockDataRegion *R = 2264 cast<BlockDataRegion>(state->getSVal(BE, 2265 C.getLocationContext()).getAsRegion()); 2266 2267 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2268 E = R->referenced_vars_end(); 2269 2270 if (I == E) 2271 return; 2272 2273 SmallVector<const MemRegion*, 10> Regions; 2274 const LocationContext *LC = C.getLocationContext(); 2275 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2276 2277 for ( ; I != E; ++I) { 2278 const VarRegion *VR = I.getCapturedRegion(); 2279 if (VR->getSuperRegion() == R) { 2280 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2281 } 2282 Regions.push_back(VR); 2283 } 2284 2285 state = 2286 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 2287 Regions.data() + Regions.size()).getState(); 2288 C.addTransition(state); 2289 } 2290 2291 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 2292 assert(Sym); 2293 const RefState *RS = C.getState()->get<RegionState>(Sym); 2294 return (RS && RS->isReleased()); 2295 } 2296 2297 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 2298 const Stmt *S) const { 2299 2300 if (isReleased(Sym, C)) { 2301 ReportUseAfterFree(C, S->getSourceRange(), Sym); 2302 return true; 2303 } 2304 2305 return false; 2306 } 2307 2308 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 2309 const Stmt *S) const { 2310 assert(Sym); 2311 2312 if (const RefState *RS = C.getState()->get<RegionState>(Sym)) { 2313 if (RS->isAllocatedOfSizeZero()) 2314 ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym); 2315 } 2316 else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) { 2317 ReportUseZeroAllocated(C, S->getSourceRange(), Sym); 2318 } 2319 } 2320 2321 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 2322 2323 if (isReleased(Sym, C)) { 2324 ReportDoubleDelete(C, Sym); 2325 return true; 2326 } 2327 return false; 2328 } 2329 2330 // Check if the location is a freed symbolic region. 2331 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 2332 CheckerContext &C) const { 2333 SymbolRef Sym = l.getLocSymbolInBase(); 2334 if (Sym) { 2335 checkUseAfterFree(Sym, C, S); 2336 checkUseZeroAllocated(Sym, C, S); 2337 } 2338 } 2339 2340 // If a symbolic region is assumed to NULL (or another constant), stop tracking 2341 // it - assuming that allocation failed on this path. 2342 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 2343 SVal Cond, 2344 bool Assumption) const { 2345 RegionStateTy RS = state->get<RegionState>(); 2346 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2347 // If the symbol is assumed to be NULL, remove it from consideration. 2348 ConstraintManager &CMgr = state->getConstraintManager(); 2349 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2350 if (AllocFailed.isConstrainedTrue()) 2351 state = state->remove<RegionState>(I.getKey()); 2352 } 2353 2354 // Realloc returns 0 when reallocation fails, which means that we should 2355 // restore the state of the pointer being reallocated. 2356 ReallocPairsTy RP = state->get<ReallocPairs>(); 2357 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2358 // If the symbol is assumed to be NULL, remove it from consideration. 2359 ConstraintManager &CMgr = state->getConstraintManager(); 2360 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2361 if (!AllocFailed.isConstrainedTrue()) 2362 continue; 2363 2364 SymbolRef ReallocSym = I.getData().ReallocatedSym; 2365 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 2366 if (RS->isReleased()) { 2367 if (I.getData().Kind == RPToBeFreedAfterFailure) 2368 state = state->set<RegionState>(ReallocSym, 2369 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 2370 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 2371 state = state->remove<RegionState>(ReallocSym); 2372 else 2373 assert(I.getData().Kind == RPIsFreeOnFailure); 2374 } 2375 } 2376 state = state->remove<ReallocPairs>(I.getKey()); 2377 } 2378 2379 return state; 2380 } 2381 2382 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 2383 const CallEvent *Call, 2384 ProgramStateRef State, 2385 SymbolRef &EscapingSymbol) const { 2386 assert(Call); 2387 EscapingSymbol = nullptr; 2388 2389 // For now, assume that any C++ or block call can free memory. 2390 // TODO: If we want to be more optimistic here, we'll need to make sure that 2391 // regions escape to C++ containers. They seem to do that even now, but for 2392 // mysterious reasons. 2393 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 2394 return true; 2395 2396 // Check Objective-C messages by selector name. 2397 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 2398 // If it's not a framework call, or if it takes a callback, assume it 2399 // can free memory. 2400 if (!Call->isInSystemHeader() || Call->argumentsMayEscape()) 2401 return true; 2402 2403 // If it's a method we know about, handle it explicitly post-call. 2404 // This should happen before the "freeWhenDone" check below. 2405 if (isKnownDeallocObjCMethodName(*Msg)) 2406 return false; 2407 2408 // If there's a "freeWhenDone" parameter, but the method isn't one we know 2409 // about, we can't be sure that the object will use free() to deallocate the 2410 // memory, so we can't model it explicitly. The best we can do is use it to 2411 // decide whether the pointer escapes. 2412 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 2413 return *FreeWhenDone; 2414 2415 // If the first selector piece ends with "NoCopy", and there is no 2416 // "freeWhenDone" parameter set to zero, we know ownership is being 2417 // transferred. Again, though, we can't be sure that the object will use 2418 // free() to deallocate the memory, so we can't model it explicitly. 2419 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 2420 if (FirstSlot.endswith("NoCopy")) 2421 return true; 2422 2423 // If the first selector starts with addPointer, insertPointer, 2424 // or replacePointer, assume we are dealing with NSPointerArray or similar. 2425 // This is similar to C++ containers (vector); we still might want to check 2426 // that the pointers get freed by following the container itself. 2427 if (FirstSlot.startswith("addPointer") || 2428 FirstSlot.startswith("insertPointer") || 2429 FirstSlot.startswith("replacePointer") || 2430 FirstSlot.equals("valueWithPointer")) { 2431 return true; 2432 } 2433 2434 // We should escape receiver on call to 'init'. This is especially relevant 2435 // to the receiver, as the corresponding symbol is usually not referenced 2436 // after the call. 2437 if (Msg->getMethodFamily() == OMF_init) { 2438 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 2439 return true; 2440 } 2441 2442 // Otherwise, assume that the method does not free memory. 2443 // Most framework methods do not free memory. 2444 return false; 2445 } 2446 2447 // At this point the only thing left to handle is straight function calls. 2448 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 2449 if (!FD) 2450 return true; 2451 2452 ASTContext &ASTC = State->getStateManager().getContext(); 2453 2454 // If it's one of the allocation functions we can reason about, we model 2455 // its behavior explicitly. 2456 if (isMemFunction(FD, ASTC)) 2457 return false; 2458 2459 // If it's not a system call, assume it frees memory. 2460 if (!Call->isInSystemHeader()) 2461 return true; 2462 2463 // White list the system functions whose arguments escape. 2464 const IdentifierInfo *II = FD->getIdentifier(); 2465 if (!II) 2466 return true; 2467 StringRef FName = II->getName(); 2468 2469 // White list the 'XXXNoCopy' CoreFoundation functions. 2470 // We specifically check these before 2471 if (FName.endswith("NoCopy")) { 2472 // Look for the deallocator argument. We know that the memory ownership 2473 // is not transferred only if the deallocator argument is 2474 // 'kCFAllocatorNull'. 2475 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 2476 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 2477 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 2478 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 2479 if (DeallocatorName == "kCFAllocatorNull") 2480 return false; 2481 } 2482 } 2483 return true; 2484 } 2485 2486 // Associating streams with malloced buffers. The pointer can escape if 2487 // 'closefn' is specified (and if that function does free memory), 2488 // but it will not if closefn is not specified. 2489 // Currently, we do not inspect the 'closefn' function (PR12101). 2490 if (FName == "funopen") 2491 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 2492 return false; 2493 2494 // Do not warn on pointers passed to 'setbuf' when used with std streams, 2495 // these leaks might be intentional when setting the buffer for stdio. 2496 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 2497 if (FName == "setbuf" || FName =="setbuffer" || 2498 FName == "setlinebuf" || FName == "setvbuf") { 2499 if (Call->getNumArgs() >= 1) { 2500 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 2501 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 2502 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 2503 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 2504 return true; 2505 } 2506 } 2507 2508 // A bunch of other functions which either take ownership of a pointer or 2509 // wrap the result up in a struct or object, meaning it can be freed later. 2510 // (See RetainCountChecker.) Not all the parameters here are invalidated, 2511 // but the Malloc checker cannot differentiate between them. The right way 2512 // of doing this would be to implement a pointer escapes callback. 2513 if (FName == "CGBitmapContextCreate" || 2514 FName == "CGBitmapContextCreateWithData" || 2515 FName == "CVPixelBufferCreateWithBytes" || 2516 FName == "CVPixelBufferCreateWithPlanarBytes" || 2517 FName == "OSAtomicEnqueue") { 2518 return true; 2519 } 2520 2521 if (FName == "postEvent" && 2522 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 2523 return true; 2524 } 2525 2526 if (FName == "postEvent" && 2527 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 2528 return true; 2529 } 2530 2531 // Handle cases where we know a buffer's /address/ can escape. 2532 // Note that the above checks handle some special cases where we know that 2533 // even though the address escapes, it's still our responsibility to free the 2534 // buffer. 2535 if (Call->argumentsMayEscape()) 2536 return true; 2537 2538 // Otherwise, assume that the function does not free memory. 2539 // Most system calls do not free the memory. 2540 return false; 2541 } 2542 2543 static bool retTrue(const RefState *RS) { 2544 return true; 2545 } 2546 2547 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2548 return (RS->getAllocationFamily() == AF_CXXNewArray || 2549 RS->getAllocationFamily() == AF_CXXNew); 2550 } 2551 2552 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2553 const InvalidatedSymbols &Escaped, 2554 const CallEvent *Call, 2555 PointerEscapeKind Kind) const { 2556 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 2557 } 2558 2559 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2560 const InvalidatedSymbols &Escaped, 2561 const CallEvent *Call, 2562 PointerEscapeKind Kind) const { 2563 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2564 &checkIfNewOrNewArrayFamily); 2565 } 2566 2567 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 2568 const InvalidatedSymbols &Escaped, 2569 const CallEvent *Call, 2570 PointerEscapeKind Kind, 2571 bool(*CheckRefState)(const RefState*)) const { 2572 // If we know that the call does not free memory, or we want to process the 2573 // call later, keep tracking the top level arguments. 2574 SymbolRef EscapingSymbol = nullptr; 2575 if (Kind == PSK_DirectEscapeOnCall && 2576 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 2577 EscapingSymbol) && 2578 !EscapingSymbol) { 2579 return State; 2580 } 2581 2582 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 2583 E = Escaped.end(); 2584 I != E; ++I) { 2585 SymbolRef sym = *I; 2586 2587 if (EscapingSymbol && EscapingSymbol != sym) 2588 continue; 2589 2590 if (const RefState *RS = State->get<RegionState>(sym)) { 2591 if ((RS->isAllocated() || RS->isAllocatedOfSizeZero()) && 2592 CheckRefState(RS)) { 2593 State = State->remove<RegionState>(sym); 2594 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 2595 } 2596 } 2597 } 2598 return State; 2599 } 2600 2601 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2602 ProgramStateRef prevState) { 2603 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2604 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2605 2606 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2607 I != E; ++I) { 2608 SymbolRef sym = I.getKey(); 2609 if (!currMap.lookup(sym)) 2610 return sym; 2611 } 2612 2613 return nullptr; 2614 } 2615 2616 PathDiagnosticPiece * 2617 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 2618 const ExplodedNode *PrevN, 2619 BugReporterContext &BRC, 2620 BugReport &BR) { 2621 ProgramStateRef state = N->getState(); 2622 ProgramStateRef statePrev = PrevN->getState(); 2623 2624 const RefState *RS = state->get<RegionState>(Sym); 2625 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2626 if (!RS) 2627 return nullptr; 2628 2629 const Stmt *S = nullptr; 2630 const char *Msg = nullptr; 2631 StackHintGeneratorForSymbol *StackHint = nullptr; 2632 2633 // Retrieve the associated statement. 2634 ProgramPoint ProgLoc = N->getLocation(); 2635 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) { 2636 S = SP->getStmt(); 2637 } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) { 2638 S = Exit->getCalleeContext()->getCallSite(); 2639 } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) { 2640 // If an assumption was made on a branch, it should be caught 2641 // here by looking at the state transition. 2642 S = Edge->getSrc()->getTerminator(); 2643 } 2644 2645 if (!S) 2646 return nullptr; 2647 2648 // FIXME: We will eventually need to handle non-statement-based events 2649 // (__attribute__((cleanup))). 2650 2651 // Find out if this is an interesting point and what is the kind. 2652 if (Mode == Normal) { 2653 if (isAllocated(RS, RSPrev, S)) { 2654 Msg = "Memory is allocated"; 2655 StackHint = new StackHintGeneratorForSymbol(Sym, 2656 "Returned allocated memory"); 2657 } else if (isReleased(RS, RSPrev, S)) { 2658 Msg = "Memory is released"; 2659 StackHint = new StackHintGeneratorForSymbol(Sym, 2660 "Returning; memory was released"); 2661 } else if (isRelinquished(RS, RSPrev, S)) { 2662 Msg = "Memory ownership is transferred"; 2663 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 2664 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 2665 Mode = ReallocationFailed; 2666 Msg = "Reallocation failed"; 2667 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 2668 "Reallocation failed"); 2669 2670 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2671 // Is it possible to fail two reallocs WITHOUT testing in between? 2672 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2673 "We only support one failed realloc at a time."); 2674 BR.markInteresting(sym); 2675 FailedReallocSymbol = sym; 2676 } 2677 } 2678 2679 // We are in a special mode if a reallocation failed later in the path. 2680 } else if (Mode == ReallocationFailed) { 2681 assert(FailedReallocSymbol && "No symbol to look for."); 2682 2683 // Is this is the first appearance of the reallocated symbol? 2684 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2685 // We're at the reallocation point. 2686 Msg = "Attempt to reallocate memory"; 2687 StackHint = new StackHintGeneratorForSymbol(Sym, 2688 "Returned reallocated memory"); 2689 FailedReallocSymbol = nullptr; 2690 Mode = Normal; 2691 } 2692 } 2693 2694 if (!Msg) 2695 return nullptr; 2696 assert(StackHint); 2697 2698 // Generate the extra diagnostic. 2699 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2700 N->getLocationContext()); 2701 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 2702 } 2703 2704 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2705 const char *NL, const char *Sep) const { 2706 2707 RegionStateTy RS = State->get<RegionState>(); 2708 2709 if (!RS.isEmpty()) { 2710 Out << Sep << "MallocChecker :" << NL; 2711 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2712 const RefState *RefS = State->get<RegionState>(I.getKey()); 2713 AllocationFamily Family = RefS->getAllocationFamily(); 2714 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2715 if (!CheckKind.hasValue()) 2716 CheckKind = getCheckIfTracked(Family, true); 2717 2718 I.getKey()->dumpToStream(Out); 2719 Out << " : "; 2720 I.getData().dump(Out); 2721 if (CheckKind.hasValue()) 2722 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 2723 Out << NL; 2724 } 2725 } 2726 } 2727 2728 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) { 2729 registerCStringCheckerBasic(mgr); 2730 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); 2731 checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption( 2732 "Optimistic", false, checker); 2733 checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true; 2734 checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] = 2735 mgr.getCurrentCheckName(); 2736 // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete 2737 // checker. 2738 if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker]) 2739 checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true; 2740 } 2741 2742 #define REGISTER_CHECKER(name) \ 2743 void ento::register##name(CheckerManager &mgr) { \ 2744 registerCStringCheckerBasic(mgr); \ 2745 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \ 2746 checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption( \ 2747 "Optimistic", false, checker); \ 2748 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 2749 checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \ 2750 } 2751 2752 REGISTER_CHECKER(MallocChecker) 2753 REGISTER_CHECKER(NewDeleteChecker) 2754 REGISTER_CHECKER(MismatchedDeallocatorChecker) 2755