1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines a variety of memory management related checkers, such as 10 // leak, double free, and use-after-free. 11 // 12 // The following checkers are defined here: 13 // 14 // * MallocChecker 15 // Despite its name, it models all sorts of memory allocations and 16 // de- or reallocation, including but not limited to malloc, free, 17 // relloc, new, delete. It also reports on a variety of memory misuse 18 // errors. 19 // Many other checkers interact very closely with this checker, in fact, 20 // most are merely options to this one. Other checkers may register 21 // MallocChecker, but do not enable MallocChecker's reports (more details 22 // to follow around its field, ChecksEnabled). 23 // It also has a boolean "Optimistic" checker option, which if set to true 24 // will cause the checker to model user defined memory management related 25 // functions annotated via the attribute ownership_takes, ownership_holds 26 // and ownership_returns. 27 // 28 // * NewDeleteChecker 29 // Enables the modeling of new, new[], delete, delete[] in MallocChecker, 30 // and checks for related double-free and use-after-free errors. 31 // 32 // * NewDeleteLeaksChecker 33 // Checks for leaks related to new, new[], delete, delete[]. 34 // Depends on NewDeleteChecker. 35 // 36 // * MismatchedDeallocatorChecker 37 // Enables checking whether memory is deallocated with the correspending 38 // allocation function in MallocChecker, such as malloc() allocated 39 // regions are only freed by free(), new by delete, new[] by delete[]. 40 // 41 // InnerPointerChecker interacts very closely with MallocChecker, but unlike 42 // the above checkers, it has it's own file, hence the many InnerPointerChecker 43 // related headers and non-static functions. 44 // 45 //===----------------------------------------------------------------------===// 46 47 #include "AllocationState.h" 48 #include "InterCheckerAPI.h" 49 #include "clang/AST/Attr.h" 50 #include "clang/AST/DeclCXX.h" 51 #include "clang/AST/DeclTemplate.h" 52 #include "clang/AST/Expr.h" 53 #include "clang/AST/ExprCXX.h" 54 #include "clang/AST/ParentMap.h" 55 #include "clang/ASTMatchers/ASTMatchFinder.h" 56 #include "clang/ASTMatchers/ASTMatchers.h" 57 #include "clang/Analysis/ProgramPoint.h" 58 #include "clang/Basic/LLVM.h" 59 #include "clang/Basic/SourceManager.h" 60 #include "clang/Basic/TargetInfo.h" 61 #include "clang/Lex/Lexer.h" 62 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 63 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 64 #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" 65 #include "clang/StaticAnalyzer/Core/Checker.h" 66 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 67 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 68 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 69 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" 70 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" 71 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 72 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 73 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 74 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" 75 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 76 #include "clang/StaticAnalyzer/Core/PathSensitive/StoreRef.h" 77 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 78 #include "llvm/ADT/STLExtras.h" 79 #include "llvm/ADT/SetOperations.h" 80 #include "llvm/ADT/SmallString.h" 81 #include "llvm/ADT/StringExtras.h" 82 #include "llvm/Support/Casting.h" 83 #include "llvm/Support/Compiler.h" 84 #include "llvm/Support/ErrorHandling.h" 85 #include "llvm/Support/raw_ostream.h" 86 #include <climits> 87 #include <functional> 88 #include <utility> 89 90 using namespace clang; 91 using namespace ento; 92 using namespace std::placeholders; 93 94 //===----------------------------------------------------------------------===// 95 // The types of allocation we're modeling. This is used to check whether a 96 // dynamically allocated object is deallocated with the correct function, like 97 // not using operator delete on an object created by malloc(), or alloca regions 98 // aren't ever deallocated manually. 99 //===----------------------------------------------------------------------===// 100 101 namespace { 102 103 // Used to check correspondence between allocators and deallocators. 104 enum AllocationFamily { 105 AF_None, 106 AF_Malloc, 107 AF_CXXNew, 108 AF_CXXNewArray, 109 AF_IfNameIndex, 110 AF_Alloca, 111 AF_InnerBuffer 112 }; 113 114 } // end of anonymous namespace 115 116 /// Print names of allocators and deallocators. 117 /// 118 /// \returns true on success. 119 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E); 120 121 /// Print expected name of an allocator based on the deallocator's family 122 /// derived from the DeallocExpr. 123 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family); 124 125 /// Print expected name of a deallocator based on the allocator's 126 /// family. 127 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family); 128 129 //===----------------------------------------------------------------------===// 130 // The state of a symbol, in terms of memory management. 131 //===----------------------------------------------------------------------===// 132 133 namespace { 134 135 class RefState { 136 enum Kind { 137 // Reference to allocated memory. 138 Allocated, 139 // Reference to zero-allocated memory. 140 AllocatedOfSizeZero, 141 // Reference to released/freed memory. 142 Released, 143 // The responsibility for freeing resources has transferred from 144 // this reference. A relinquished symbol should not be freed. 145 Relinquished, 146 // We are no longer guaranteed to have observed all manipulations 147 // of this pointer/memory. For example, it could have been 148 // passed as a parameter to an opaque function. 149 Escaped 150 }; 151 152 const Stmt *S; 153 154 Kind K; 155 AllocationFamily Family; 156 157 RefState(Kind k, const Stmt *s, AllocationFamily family) 158 : S(s), K(k), Family(family) { 159 assert(family != AF_None); 160 } 161 162 public: 163 bool isAllocated() const { return K == Allocated; } 164 bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; } 165 bool isReleased() const { return K == Released; } 166 bool isRelinquished() const { return K == Relinquished; } 167 bool isEscaped() const { return K == Escaped; } 168 AllocationFamily getAllocationFamily() const { return Family; } 169 const Stmt *getStmt() const { return S; } 170 171 bool operator==(const RefState &X) const { 172 return K == X.K && S == X.S && Family == X.Family; 173 } 174 175 static RefState getAllocated(AllocationFamily family, const Stmt *s) { 176 return RefState(Allocated, s, family); 177 } 178 static RefState getAllocatedOfSizeZero(const RefState *RS) { 179 return RefState(AllocatedOfSizeZero, RS->getStmt(), 180 RS->getAllocationFamily()); 181 } 182 static RefState getReleased(AllocationFamily family, const Stmt *s) { 183 return RefState(Released, s, family); 184 } 185 static RefState getRelinquished(AllocationFamily family, const Stmt *s) { 186 return RefState(Relinquished, s, family); 187 } 188 static RefState getEscaped(const RefState *RS) { 189 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 190 } 191 192 void Profile(llvm::FoldingSetNodeID &ID) const { 193 ID.AddInteger(K); 194 ID.AddPointer(S); 195 ID.AddInteger(Family); 196 } 197 198 LLVM_DUMP_METHOD void dump(raw_ostream &OS) const { 199 switch (K) { 200 #define CASE(ID) case ID: OS << #ID; break; 201 CASE(Allocated) 202 CASE(AllocatedOfSizeZero) 203 CASE(Released) 204 CASE(Relinquished) 205 CASE(Escaped) 206 } 207 } 208 209 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 210 }; 211 212 } // end of anonymous namespace 213 214 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 215 216 /// Check if the memory associated with this symbol was released. 217 static bool isReleased(SymbolRef Sym, CheckerContext &C); 218 219 /// Update the RefState to reflect the new memory allocation. 220 /// The optional \p RetVal parameter specifies the newly allocated pointer 221 /// value; if unspecified, the value of expression \p E is used. 222 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, 223 ProgramStateRef State, 224 AllocationFamily Family, 225 Optional<SVal> RetVal = None); 226 227 //===----------------------------------------------------------------------===// 228 // The modeling of memory reallocation. 229 // 230 // The terminology 'toPtr' and 'fromPtr' will be used: 231 // toPtr = realloc(fromPtr, 20); 232 //===----------------------------------------------------------------------===// 233 234 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef) 235 236 namespace { 237 238 /// The state of 'fromPtr' after reallocation is known to have failed. 239 enum OwnershipAfterReallocKind { 240 // The symbol needs to be freed (e.g.: realloc) 241 OAR_ToBeFreedAfterFailure, 242 // The symbol has been freed (e.g.: reallocf) 243 OAR_FreeOnFailure, 244 // The symbol doesn't have to freed (e.g.: we aren't sure if, how and where 245 // 'fromPtr' was allocated: 246 // void Haha(int *ptr) { 247 // ptr = realloc(ptr, 67); 248 // // ... 249 // } 250 // ). 251 OAR_DoNotTrackAfterFailure 252 }; 253 254 /// Stores information about the 'fromPtr' symbol after reallocation. 255 /// 256 /// This is important because realloc may fail, and that needs special modeling. 257 /// Whether reallocation failed or not will not be known until later, so we'll 258 /// store whether upon failure 'fromPtr' will be freed, or needs to be freed 259 /// later, etc. 260 struct ReallocPair { 261 262 // The 'fromPtr'. 263 SymbolRef ReallocatedSym; 264 OwnershipAfterReallocKind Kind; 265 266 ReallocPair(SymbolRef S, OwnershipAfterReallocKind K) 267 : ReallocatedSym(S), Kind(K) {} 268 void Profile(llvm::FoldingSetNodeID &ID) const { 269 ID.AddInteger(Kind); 270 ID.AddPointer(ReallocatedSym); 271 } 272 bool operator==(const ReallocPair &X) const { 273 return ReallocatedSym == X.ReallocatedSym && 274 Kind == X.Kind; 275 } 276 }; 277 278 } // end of anonymous namespace 279 280 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 281 282 /// Tells if the callee is one of the builtin new/delete operators, including 283 /// placement operators and other standard overloads. 284 static bool isStandardNewDelete(const FunctionDecl *FD); 285 static bool isStandardNewDelete(const CallEvent &Call) { 286 if (!Call.getDecl() || !isa<FunctionDecl>(Call.getDecl())) 287 return false; 288 return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl())); 289 } 290 291 //===----------------------------------------------------------------------===// 292 // Definition of the MallocChecker class. 293 //===----------------------------------------------------------------------===// 294 295 namespace { 296 297 class MallocChecker 298 : public Checker<check::DeadSymbols, check::PointerEscape, 299 check::ConstPointerEscape, check::PreStmt<ReturnStmt>, 300 check::EndFunction, check::PreCall, check::PostCall, 301 check::NewAllocator, check::PostStmt<BlockExpr>, 302 check::PostObjCMessage, check::Location, eval::Assume> { 303 public: 304 /// In pessimistic mode, the checker assumes that it does not know which 305 /// functions might free the memory. 306 /// In optimistic mode, the checker assumes that all user-defined functions 307 /// which might free a pointer are annotated. 308 DefaultBool ShouldIncludeOwnershipAnnotatedFunctions; 309 310 DefaultBool ShouldRegisterNoOwnershipChangeVisitor; 311 312 /// Many checkers are essentially built into this one, so enabling them will 313 /// make MallocChecker perform additional modeling and reporting. 314 enum CheckKind { 315 /// When a subchecker is enabled but MallocChecker isn't, model memory 316 /// management but do not emit warnings emitted with MallocChecker only 317 /// enabled. 318 CK_MallocChecker, 319 CK_NewDeleteChecker, 320 CK_NewDeleteLeaksChecker, 321 CK_MismatchedDeallocatorChecker, 322 CK_InnerPointerChecker, 323 CK_NumCheckKinds 324 }; 325 326 using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>; 327 328 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 329 CheckerNameRef CheckNames[CK_NumCheckKinds]; 330 331 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 332 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 333 void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const; 334 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 335 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 336 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 337 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 338 void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const; 339 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 340 bool Assumption) const; 341 void checkLocation(SVal l, bool isLoad, const Stmt *S, 342 CheckerContext &C) const; 343 344 ProgramStateRef checkPointerEscape(ProgramStateRef State, 345 const InvalidatedSymbols &Escaped, 346 const CallEvent *Call, 347 PointerEscapeKind Kind) const; 348 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 349 const InvalidatedSymbols &Escaped, 350 const CallEvent *Call, 351 PointerEscapeKind Kind) const; 352 353 void printState(raw_ostream &Out, ProgramStateRef State, 354 const char *NL, const char *Sep) const override; 355 356 private: 357 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 358 mutable std::unique_ptr<BugType> BT_DoubleDelete; 359 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; 360 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; 361 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; 362 mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds]; 363 mutable std::unique_ptr<BugType> BT_MismatchedDealloc; 364 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 365 mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds]; 366 367 #define CHECK_FN(NAME) \ 368 void NAME(const CallEvent &Call, CheckerContext &C) const; 369 370 CHECK_FN(checkFree) 371 CHECK_FN(checkIfNameIndex) 372 CHECK_FN(checkBasicAlloc) 373 CHECK_FN(checkKernelMalloc) 374 CHECK_FN(checkCalloc) 375 CHECK_FN(checkAlloca) 376 CHECK_FN(checkStrdup) 377 CHECK_FN(checkIfFreeNameIndex) 378 CHECK_FN(checkCXXNewOrCXXDelete) 379 CHECK_FN(checkGMalloc0) 380 CHECK_FN(checkGMemdup) 381 CHECK_FN(checkGMallocN) 382 CHECK_FN(checkGMallocN0) 383 CHECK_FN(checkReallocN) 384 CHECK_FN(checkOwnershipAttr) 385 386 void checkRealloc(const CallEvent &Call, CheckerContext &C, 387 bool ShouldFreeOnFail) const; 388 389 using CheckFn = std::function<void(const MallocChecker *, 390 const CallEvent &Call, CheckerContext &C)>; 391 392 const CallDescriptionMap<CheckFn> FreeingMemFnMap{ 393 {{"free", 1}, &MallocChecker::checkFree}, 394 {{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex}, 395 {{"kfree", 1}, &MallocChecker::checkFree}, 396 {{"g_free", 1}, &MallocChecker::checkFree}, 397 }; 398 399 bool isFreeingCall(const CallEvent &Call) const; 400 401 CallDescriptionMap<CheckFn> AllocatingMemFnMap{ 402 {{"alloca", 1}, &MallocChecker::checkAlloca}, 403 {{"_alloca", 1}, &MallocChecker::checkAlloca}, 404 {{"malloc", 1}, &MallocChecker::checkBasicAlloc}, 405 {{"malloc", 3}, &MallocChecker::checkKernelMalloc}, 406 {{"calloc", 2}, &MallocChecker::checkCalloc}, 407 {{"valloc", 1}, &MallocChecker::checkBasicAlloc}, 408 {{CDF_MaybeBuiltin, "strndup", 2}, &MallocChecker::checkStrdup}, 409 {{CDF_MaybeBuiltin, "strdup", 1}, &MallocChecker::checkStrdup}, 410 {{"_strdup", 1}, &MallocChecker::checkStrdup}, 411 {{"kmalloc", 2}, &MallocChecker::checkKernelMalloc}, 412 {{"if_nameindex", 1}, &MallocChecker::checkIfNameIndex}, 413 {{CDF_MaybeBuiltin, "wcsdup", 1}, &MallocChecker::checkStrdup}, 414 {{CDF_MaybeBuiltin, "_wcsdup", 1}, &MallocChecker::checkStrdup}, 415 {{"g_malloc", 1}, &MallocChecker::checkBasicAlloc}, 416 {{"g_malloc0", 1}, &MallocChecker::checkGMalloc0}, 417 {{"g_try_malloc", 1}, &MallocChecker::checkBasicAlloc}, 418 {{"g_try_malloc0", 1}, &MallocChecker::checkGMalloc0}, 419 {{"g_memdup", 2}, &MallocChecker::checkGMemdup}, 420 {{"g_malloc_n", 2}, &MallocChecker::checkGMallocN}, 421 {{"g_malloc0_n", 2}, &MallocChecker::checkGMallocN0}, 422 {{"g_try_malloc_n", 2}, &MallocChecker::checkGMallocN}, 423 {{"g_try_malloc0_n", 2}, &MallocChecker::checkGMallocN0}, 424 }; 425 426 CallDescriptionMap<CheckFn> ReallocatingMemFnMap{ 427 {{"realloc", 2}, 428 std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)}, 429 {{"reallocf", 2}, 430 std::bind(&MallocChecker::checkRealloc, _1, _2, _3, true)}, 431 {{"g_realloc", 2}, 432 std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)}, 433 {{"g_try_realloc", 2}, 434 std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)}, 435 {{"g_realloc_n", 3}, &MallocChecker::checkReallocN}, 436 {{"g_try_realloc_n", 3}, &MallocChecker::checkReallocN}, 437 }; 438 439 bool isMemCall(const CallEvent &Call) const; 440 441 // TODO: Remove mutable by moving the initializtaion to the registry function. 442 mutable Optional<uint64_t> KernelZeroFlagVal; 443 444 using KernelZeroSizePtrValueTy = Optional<int>; 445 /// Store the value of macro called `ZERO_SIZE_PTR`. 446 /// The value is initialized at first use, before first use the outer 447 /// Optional is empty, afterwards it contains another Optional that indicates 448 /// if the macro value could be determined, and if yes the value itself. 449 mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue; 450 451 /// Process C++ operator new()'s allocation, which is the part of C++ 452 /// new-expression that goes before the constructor. 453 LLVM_NODISCARD 454 ProgramStateRef processNewAllocation(const CXXAllocatorCall &Call, 455 CheckerContext &C, 456 AllocationFamily Family) const; 457 458 /// Perform a zero-allocation check. 459 /// 460 /// \param [in] Call The expression that allocates memory. 461 /// \param [in] IndexOfSizeArg Index of the argument that specifies the size 462 /// of the memory that needs to be allocated. E.g. for malloc, this would be 463 /// 0. 464 /// \param [in] RetVal Specifies the newly allocated pointer value; 465 /// if unspecified, the value of expression \p E is used. 466 LLVM_NODISCARD 467 static ProgramStateRef ProcessZeroAllocCheck(const CallEvent &Call, 468 const unsigned IndexOfSizeArg, 469 ProgramStateRef State, 470 Optional<SVal> RetVal = None); 471 472 /// Model functions with the ownership_returns attribute. 473 /// 474 /// User-defined function may have the ownership_returns attribute, which 475 /// annotates that the function returns with an object that was allocated on 476 /// the heap, and passes the ownertship to the callee. 477 /// 478 /// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t); 479 /// 480 /// It has two parameters: 481 /// - first: name of the resource (e.g. 'malloc') 482 /// - (OPTIONAL) second: size of the allocated region 483 /// 484 /// \param [in] Call The expression that allocates memory. 485 /// \param [in] Att The ownership_returns attribute. 486 /// \param [in] State The \c ProgramState right before allocation. 487 /// \returns The ProgramState right after allocation. 488 LLVM_NODISCARD 489 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call, 490 const OwnershipAttr *Att, 491 ProgramStateRef State) const; 492 493 /// Models memory allocation. 494 /// 495 /// \param [in] Call The expression that allocates memory. 496 /// \param [in] SizeEx Size of the memory that needs to be allocated. 497 /// \param [in] Init The value the allocated memory needs to be initialized. 498 /// with. For example, \c calloc initializes the allocated memory to 0, 499 /// malloc leaves it undefined. 500 /// \param [in] State The \c ProgramState right before allocation. 501 /// \returns The ProgramState right after allocation. 502 LLVM_NODISCARD 503 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call, 504 const Expr *SizeEx, SVal Init, 505 ProgramStateRef State, 506 AllocationFamily Family); 507 508 /// Models memory allocation. 509 /// 510 /// \param [in] Call The expression that allocates memory. 511 /// \param [in] Size Size of the memory that needs to be allocated. 512 /// \param [in] Init The value the allocated memory needs to be initialized. 513 /// with. For example, \c calloc initializes the allocated memory to 0, 514 /// malloc leaves it undefined. 515 /// \param [in] State The \c ProgramState right before allocation. 516 /// \returns The ProgramState right after allocation. 517 LLVM_NODISCARD 518 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call, 519 SVal Size, SVal Init, 520 ProgramStateRef State, 521 AllocationFamily Family); 522 523 // Check if this malloc() for special flags. At present that means M_ZERO or 524 // __GFP_ZERO (in which case, treat it like calloc). 525 LLVM_NODISCARD 526 llvm::Optional<ProgramStateRef> 527 performKernelMalloc(const CallEvent &Call, CheckerContext &C, 528 const ProgramStateRef &State) const; 529 530 /// Model functions with the ownership_takes and ownership_holds attributes. 531 /// 532 /// User-defined function may have the ownership_takes and/or ownership_holds 533 /// attributes, which annotates that the function frees the memory passed as a 534 /// parameter. 535 /// 536 /// void __attribute((ownership_takes(malloc, 1))) my_free(void *); 537 /// void __attribute((ownership_holds(malloc, 1))) my_hold(void *); 538 /// 539 /// They have two parameters: 540 /// - first: name of the resource (e.g. 'malloc') 541 /// - second: index of the parameter the attribute applies to 542 /// 543 /// \param [in] Call The expression that frees memory. 544 /// \param [in] Att The ownership_takes or ownership_holds attribute. 545 /// \param [in] State The \c ProgramState right before allocation. 546 /// \returns The ProgramState right after deallocation. 547 LLVM_NODISCARD 548 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallEvent &Call, 549 const OwnershipAttr *Att, 550 ProgramStateRef State) const; 551 552 /// Models memory deallocation. 553 /// 554 /// \param [in] Call The expression that frees memory. 555 /// \param [in] State The \c ProgramState right before allocation. 556 /// \param [in] Num Index of the argument that needs to be freed. This is 557 /// normally 0, but for custom free functions it may be different. 558 /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds 559 /// attribute. 560 /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known 561 /// to have been allocated, or in other words, the symbol to be freed was 562 /// registered as allocated by this checker. In the following case, \c ptr 563 /// isn't known to be allocated. 564 /// void Haha(int *ptr) { 565 /// ptr = realloc(ptr, 67); 566 /// // ... 567 /// } 568 /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function 569 /// we're modeling returns with Null on failure. 570 /// \returns The ProgramState right after deallocation. 571 LLVM_NODISCARD 572 ProgramStateRef FreeMemAux(CheckerContext &C, const CallEvent &Call, 573 ProgramStateRef State, unsigned Num, bool Hold, 574 bool &IsKnownToBeAllocated, 575 AllocationFamily Family, 576 bool ReturnsNullOnFailure = false) const; 577 578 /// Models memory deallocation. 579 /// 580 /// \param [in] ArgExpr The variable who's pointee needs to be freed. 581 /// \param [in] Call The expression that frees the memory. 582 /// \param [in] State The \c ProgramState right before allocation. 583 /// normally 0, but for custom free functions it may be different. 584 /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds 585 /// attribute. 586 /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known 587 /// to have been allocated, or in other words, the symbol to be freed was 588 /// registered as allocated by this checker. In the following case, \c ptr 589 /// isn't known to be allocated. 590 /// void Haha(int *ptr) { 591 /// ptr = realloc(ptr, 67); 592 /// // ... 593 /// } 594 /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function 595 /// we're modeling returns with Null on failure. 596 /// \returns The ProgramState right after deallocation. 597 LLVM_NODISCARD 598 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *ArgExpr, 599 const CallEvent &Call, ProgramStateRef State, 600 bool Hold, bool &IsKnownToBeAllocated, 601 AllocationFamily Family, 602 bool ReturnsNullOnFailure = false) const; 603 604 // TODO: Needs some refactoring, as all other deallocation modeling 605 // functions are suffering from out parameters and messy code due to how 606 // realloc is handled. 607 // 608 /// Models memory reallocation. 609 /// 610 /// \param [in] Call The expression that reallocated memory 611 /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied 612 /// memory should be freed. 613 /// \param [in] State The \c ProgramState right before reallocation. 614 /// \param [in] SuffixWithN Whether the reallocation function we're modeling 615 /// has an '_n' suffix, such as g_realloc_n. 616 /// \returns The ProgramState right after reallocation. 617 LLVM_NODISCARD 618 ProgramStateRef ReallocMemAux(CheckerContext &C, const CallEvent &Call, 619 bool ShouldFreeOnFail, ProgramStateRef State, 620 AllocationFamily Family, 621 bool SuffixWithN = false) const; 622 623 /// Evaluates the buffer size that needs to be allocated. 624 /// 625 /// \param [in] Blocks The amount of blocks that needs to be allocated. 626 /// \param [in] BlockBytes The size of a block. 627 /// \returns The symbolic value of \p Blocks * \p BlockBytes. 628 LLVM_NODISCARD 629 static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 630 const Expr *BlockBytes); 631 632 /// Models zero initialized array allocation. 633 /// 634 /// \param [in] Call The expression that reallocated memory 635 /// \param [in] State The \c ProgramState right before reallocation. 636 /// \returns The ProgramState right after allocation. 637 LLVM_NODISCARD 638 static ProgramStateRef CallocMem(CheckerContext &C, const CallEvent &Call, 639 ProgramStateRef State); 640 641 /// See if deallocation happens in a suspicious context. If so, escape the 642 /// pointers that otherwise would have been deallocated and return true. 643 bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call, 644 CheckerContext &C) const; 645 646 /// If in \p S \p Sym is used, check whether \p Sym was already freed. 647 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 648 649 /// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero 650 /// sized memory region. 651 void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 652 const Stmt *S) const; 653 654 /// If in \p S \p Sym is being freed, check whether \p Sym was already freed. 655 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 656 657 /// Check if the function is known to free memory, or if it is 658 /// "interesting" and should be modeled explicitly. 659 /// 660 /// \param [out] EscapingSymbol A function might not free memory in general, 661 /// but could be known to free a particular symbol. In this case, false is 662 /// returned and the single escaping symbol is returned through the out 663 /// parameter. 664 /// 665 /// We assume that pointers do not escape through calls to system functions 666 /// not handled by this checker. 667 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 668 ProgramStateRef State, 669 SymbolRef &EscapingSymbol) const; 670 671 /// Implementation of the checkPointerEscape callbacks. 672 LLVM_NODISCARD 673 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 674 const InvalidatedSymbols &Escaped, 675 const CallEvent *Call, 676 PointerEscapeKind Kind, 677 bool IsConstPointerEscape) const; 678 679 // Implementation of the checkPreStmt and checkEndFunction callbacks. 680 void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const; 681 682 ///@{ 683 /// Tells if a given family/call/symbol is tracked by the current checker. 684 /// Sets CheckKind to the kind of the checker responsible for this 685 /// family/call/symbol. 686 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family, 687 bool IsALeakCheck = false) const; 688 689 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 690 bool IsALeakCheck = false) const; 691 ///@} 692 static bool SummarizeValue(raw_ostream &os, SVal V); 693 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 694 695 void HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, SourceRange Range, 696 const Expr *DeallocExpr, 697 AllocationFamily Family) const; 698 699 void HandleFreeAlloca(CheckerContext &C, SVal ArgVal, 700 SourceRange Range) const; 701 702 void HandleMismatchedDealloc(CheckerContext &C, SourceRange Range, 703 const Expr *DeallocExpr, const RefState *RS, 704 SymbolRef Sym, bool OwnershipTransferred) const; 705 706 void HandleOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 707 const Expr *DeallocExpr, AllocationFamily Family, 708 const Expr *AllocExpr = nullptr) const; 709 710 void HandleUseAfterFree(CheckerContext &C, SourceRange Range, 711 SymbolRef Sym) const; 712 713 void HandleDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 714 SymbolRef Sym, SymbolRef PrevSym) const; 715 716 void HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 717 718 void HandleUseZeroAlloc(CheckerContext &C, SourceRange Range, 719 SymbolRef Sym) const; 720 721 void HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 722 const Expr *FreeExpr, 723 AllocationFamily Family) const; 724 725 /// Find the location of the allocation for Sym on the path leading to the 726 /// exploded node N. 727 static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 728 CheckerContext &C); 729 730 void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 731 732 /// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`. 733 bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C, 734 SVal ArgVal) const; 735 }; 736 } // end anonymous namespace 737 738 //===----------------------------------------------------------------------===// 739 // Definition of NoOwnershipChangeVisitor. 740 //===----------------------------------------------------------------------===// 741 742 namespace { 743 class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor { 744 SymbolRef Sym; 745 using OwnerSet = llvm::SmallPtrSet<const MemRegion *, 8>; 746 747 // Collect which entities point to the allocated memory, and could be 748 // responsible for deallocating it. 749 class OwnershipBindingsHandler : public StoreManager::BindingsHandler { 750 SymbolRef Sym; 751 OwnerSet &Owners; 752 753 public: 754 OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners) 755 : Sym(Sym), Owners(Owners) {} 756 757 bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region, 758 SVal Val) override { 759 if (Val.getAsSymbol() == Sym) 760 Owners.insert(Region); 761 return true; 762 } 763 764 LLVM_DUMP_METHOD void dump() const { dumpToStream(llvm::errs()); } 765 LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &out) const { 766 out << "Owners: {\n"; 767 for (const MemRegion *Owner : Owners) { 768 out << " "; 769 Owner->dumpToStream(out); 770 out << ",\n"; 771 } 772 out << "}\n"; 773 } 774 }; 775 776 protected: 777 OwnerSet getOwnersAtNode(const ExplodedNode *N) { 778 OwnerSet Ret; 779 780 ProgramStateRef State = N->getState(); 781 OwnershipBindingsHandler Handler{Sym, Ret}; 782 State->getStateManager().getStoreManager().iterBindings(State->getStore(), 783 Handler); 784 return Ret; 785 } 786 787 LLVM_DUMP_METHOD static std::string 788 getFunctionName(const ExplodedNode *CallEnterN) { 789 if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>( 790 CallEnterN->getLocationAs<CallEnter>()->getCallExpr())) 791 if (const FunctionDecl *FD = CE->getDirectCallee()) 792 return FD->getQualifiedNameAsString(); 793 return ""; 794 } 795 796 bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) { 797 using namespace clang::ast_matchers; 798 const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee); 799 if (!FD) 800 return false; 801 // TODO: Operator delete is hardly the only deallocator -- Can we reuse 802 // isFreeingCall() or something thats already here? 803 auto Deallocations = match( 804 stmt(hasDescendant(cxxDeleteExpr().bind("delete")) 805 ), *FD->getBody(), ACtx); 806 // TODO: Ownership my change with an attempt to store the allocated memory. 807 return !Deallocations.empty(); 808 } 809 810 virtual bool 811 wasModifiedInFunction(const ExplodedNode *CallEnterN, 812 const ExplodedNode *CallExitEndN) override { 813 if (!doesFnIntendToHandleOwnership( 814 CallExitEndN->getFirstPred()->getLocationContext()->getDecl(), 815 CallExitEndN->getState()->getAnalysisManager().getASTContext())) 816 return true; 817 818 if (CallEnterN->getState()->get<RegionState>(Sym) != 819 CallExitEndN->getState()->get<RegionState>(Sym)) 820 return true; 821 822 OwnerSet CurrOwners = getOwnersAtNode(CallEnterN); 823 OwnerSet ExitOwners = getOwnersAtNode(CallExitEndN); 824 825 // Owners in the current set may be purged from the analyzer later on. 826 // If a variable is dead (is not referenced directly or indirectly after 827 // some point), it will be removed from the Store before the end of its 828 // actual lifetime. 829 // This means that that if the ownership status didn't change, CurrOwners 830 // must be a superset of, but not necessarily equal to ExitOwners. 831 return !llvm::set_is_subset(ExitOwners, CurrOwners); 832 } 833 834 static PathDiagnosticPieceRef emitNote(const ExplodedNode *N) { 835 PathDiagnosticLocation L = PathDiagnosticLocation::create( 836 N->getLocation(), 837 N->getState()->getStateManager().getContext().getSourceManager()); 838 return std::make_shared<PathDiagnosticEventPiece>( 839 L, "Returning without deallocating memory or storing the pointer for " 840 "later deallocation"); 841 } 842 843 virtual PathDiagnosticPieceRef 844 maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R, 845 const ObjCMethodCall &Call, 846 const ExplodedNode *N) override { 847 // TODO: Implement. 848 return nullptr; 849 } 850 851 virtual PathDiagnosticPieceRef 852 maybeEmitNoteForCXXThis(PathSensitiveBugReport &R, 853 const CXXConstructorCall &Call, 854 const ExplodedNode *N) override { 855 // TODO: Implement. 856 return nullptr; 857 } 858 859 virtual PathDiagnosticPieceRef 860 maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call, 861 const ExplodedNode *N) override { 862 // TODO: Factor the logic of "what constitutes as an entity being passed 863 // into a function call" out by reusing the code in 864 // NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating 865 // the printing technology in UninitializedObject's FieldChainInfo. 866 ArrayRef<ParmVarDecl *> Parameters = Call.parameters(); 867 for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) { 868 SVal V = Call.getArgSVal(I); 869 if (V.getAsSymbol() == Sym) 870 return emitNote(N); 871 } 872 return nullptr; 873 } 874 875 public: 876 NoOwnershipChangeVisitor(SymbolRef Sym) 877 : NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough), 878 Sym(Sym) {} 879 880 void Profile(llvm::FoldingSetNodeID &ID) const override { 881 static int Tag = 0; 882 ID.AddPointer(&Tag); 883 ID.AddPointer(Sym); 884 } 885 886 void *getTag() const { 887 static int Tag = 0; 888 return static_cast<void *>(&Tag); 889 } 890 }; 891 892 } // end anonymous namespace 893 894 //===----------------------------------------------------------------------===// 895 // Definition of MallocBugVisitor. 896 //===----------------------------------------------------------------------===// 897 898 namespace { 899 /// The bug visitor which allows us to print extra diagnostics along the 900 /// BugReport path. For example, showing the allocation site of the leaked 901 /// region. 902 class MallocBugVisitor final : public BugReporterVisitor { 903 protected: 904 enum NotificationMode { Normal, ReallocationFailed }; 905 906 // The allocated region symbol tracked by the main analysis. 907 SymbolRef Sym; 908 909 // The mode we are in, i.e. what kind of diagnostics will be emitted. 910 NotificationMode Mode; 911 912 // A symbol from when the primary region should have been reallocated. 913 SymbolRef FailedReallocSymbol; 914 915 // A C++ destructor stack frame in which memory was released. Used for 916 // miscellaneous false positive suppression. 917 const StackFrameContext *ReleaseDestructorLC; 918 919 bool IsLeak; 920 921 public: 922 MallocBugVisitor(SymbolRef S, bool isLeak = false) 923 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), 924 ReleaseDestructorLC(nullptr), IsLeak(isLeak) {} 925 926 static void *getTag() { 927 static int Tag = 0; 928 return &Tag; 929 } 930 931 void Profile(llvm::FoldingSetNodeID &ID) const override { 932 ID.AddPointer(getTag()); 933 ID.AddPointer(Sym); 934 } 935 936 /// Did not track -> allocated. Other state (released) -> allocated. 937 static inline bool isAllocated(const RefState *RSCurr, const RefState *RSPrev, 938 const Stmt *Stmt) { 939 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 940 (RSCurr && 941 (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) && 942 (!RSPrev || 943 !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero()))); 944 } 945 946 /// Did not track -> released. Other state (allocated) -> released. 947 /// The statement associated with the release might be missing. 948 static inline bool isReleased(const RefState *RSCurr, const RefState *RSPrev, 949 const Stmt *Stmt) { 950 bool IsReleased = 951 (RSCurr && RSCurr->isReleased()) && (!RSPrev || !RSPrev->isReleased()); 952 assert(!IsReleased || 953 (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || 954 (!Stmt && RSCurr->getAllocationFamily() == AF_InnerBuffer)); 955 return IsReleased; 956 } 957 958 /// Did not track -> relinquished. Other state (allocated) -> relinquished. 959 static inline bool isRelinquished(const RefState *RSCurr, 960 const RefState *RSPrev, const Stmt *Stmt) { 961 return (Stmt && 962 (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 963 isa<ObjCPropertyRefExpr>(Stmt)) && 964 (RSCurr && RSCurr->isRelinquished()) && 965 (!RSPrev || !RSPrev->isRelinquished())); 966 } 967 968 /// If the expression is not a call, and the state change is 969 /// released -> allocated, it must be the realloc return value 970 /// check. If we have to handle more cases here, it might be cleaner just 971 /// to track this extra bit in the state itself. 972 static inline bool hasReallocFailed(const RefState *RSCurr, 973 const RefState *RSPrev, 974 const Stmt *Stmt) { 975 return ((!Stmt || !isa<CallExpr>(Stmt)) && 976 (RSCurr && 977 (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) && 978 (RSPrev && 979 !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero()))); 980 } 981 982 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 983 BugReporterContext &BRC, 984 PathSensitiveBugReport &BR) override; 985 986 PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC, 987 const ExplodedNode *EndPathNode, 988 PathSensitiveBugReport &BR) override { 989 if (!IsLeak) 990 return nullptr; 991 992 PathDiagnosticLocation L = BR.getLocation(); 993 // Do not add the statement itself as a range in case of leak. 994 return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(), 995 false); 996 } 997 998 private: 999 class StackHintGeneratorForReallocationFailed 1000 : public StackHintGeneratorForSymbol { 1001 public: 1002 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 1003 : StackHintGeneratorForSymbol(S, M) {} 1004 1005 std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) override { 1006 // Printed parameters start at 1, not 0. 1007 ++ArgIndex; 1008 1009 SmallString<200> buf; 1010 llvm::raw_svector_ostream os(buf); 1011 1012 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 1013 << " parameter failed"; 1014 1015 return std::string(os.str()); 1016 } 1017 1018 std::string getMessageForReturn(const CallExpr *CallExpr) override { 1019 return "Reallocation of returned value failed"; 1020 } 1021 }; 1022 }; 1023 } // end anonymous namespace 1024 1025 // A map from the freed symbol to the symbol representing the return value of 1026 // the free function. 1027 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 1028 1029 namespace { 1030 class StopTrackingCallback final : public SymbolVisitor { 1031 ProgramStateRef state; 1032 1033 public: 1034 StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {} 1035 ProgramStateRef getState() const { return state; } 1036 1037 bool VisitSymbol(SymbolRef sym) override { 1038 state = state->remove<RegionState>(sym); 1039 return true; 1040 } 1041 }; 1042 } // end anonymous namespace 1043 1044 static bool isStandardNewDelete(const FunctionDecl *FD) { 1045 if (!FD) 1046 return false; 1047 1048 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 1049 if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete && 1050 Kind != OO_Array_Delete) 1051 return false; 1052 1053 // This is standard if and only if it's not defined in a user file. 1054 SourceLocation L = FD->getLocation(); 1055 // If the header for operator delete is not included, it's still defined 1056 // in an invalid source location. Check to make sure we don't crash. 1057 return !L.isValid() || 1058 FD->getASTContext().getSourceManager().isInSystemHeader(L); 1059 } 1060 1061 //===----------------------------------------------------------------------===// 1062 // Methods of MallocChecker and MallocBugVisitor. 1063 //===----------------------------------------------------------------------===// 1064 1065 bool MallocChecker::isFreeingCall(const CallEvent &Call) const { 1066 if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call)) 1067 return true; 1068 1069 const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); 1070 if (Func && Func->hasAttrs()) { 1071 for (const auto *I : Func->specific_attrs<OwnershipAttr>()) { 1072 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 1073 if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) 1074 return true; 1075 } 1076 } 1077 return false; 1078 } 1079 1080 bool MallocChecker::isMemCall(const CallEvent &Call) const { 1081 if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) || 1082 ReallocatingMemFnMap.lookup(Call)) 1083 return true; 1084 1085 if (!ShouldIncludeOwnershipAnnotatedFunctions) 1086 return false; 1087 1088 const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); 1089 return Func && Func->hasAttr<OwnershipAttr>(); 1090 } 1091 1092 llvm::Optional<ProgramStateRef> 1093 MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C, 1094 const ProgramStateRef &State) const { 1095 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: 1096 // 1097 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); 1098 // 1099 // One of the possible flags is M_ZERO, which means 'give me back an 1100 // allocation which is already zeroed', like calloc. 1101 1102 // 2-argument kmalloc(), as used in the Linux kernel: 1103 // 1104 // void *kmalloc(size_t size, gfp_t flags); 1105 // 1106 // Has the similar flag value __GFP_ZERO. 1107 1108 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some 1109 // code could be shared. 1110 1111 ASTContext &Ctx = C.getASTContext(); 1112 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); 1113 1114 if (!KernelZeroFlagVal.hasValue()) { 1115 if (OS == llvm::Triple::FreeBSD) 1116 KernelZeroFlagVal = 0x0100; 1117 else if (OS == llvm::Triple::NetBSD) 1118 KernelZeroFlagVal = 0x0002; 1119 else if (OS == llvm::Triple::OpenBSD) 1120 KernelZeroFlagVal = 0x0008; 1121 else if (OS == llvm::Triple::Linux) 1122 // __GFP_ZERO 1123 KernelZeroFlagVal = 0x8000; 1124 else 1125 // FIXME: We need a more general way of getting the M_ZERO value. 1126 // See also: O_CREAT in UnixAPIChecker.cpp. 1127 1128 // Fall back to normal malloc behavior on platforms where we don't 1129 // know M_ZERO. 1130 return None; 1131 } 1132 1133 // We treat the last argument as the flags argument, and callers fall-back to 1134 // normal malloc on a None return. This works for the FreeBSD kernel malloc 1135 // as well as Linux kmalloc. 1136 if (Call.getNumArgs() < 2) 1137 return None; 1138 1139 const Expr *FlagsEx = Call.getArgExpr(Call.getNumArgs() - 1); 1140 const SVal V = C.getSVal(FlagsEx); 1141 if (!V.getAs<NonLoc>()) { 1142 // The case where 'V' can be a location can only be due to a bad header, 1143 // so in this case bail out. 1144 return None; 1145 } 1146 1147 NonLoc Flags = V.castAs<NonLoc>(); 1148 NonLoc ZeroFlag = C.getSValBuilder() 1149 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) 1150 .castAs<NonLoc>(); 1151 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, 1152 Flags, ZeroFlag, 1153 FlagsEx->getType()); 1154 if (MaskedFlagsUC.isUnknownOrUndef()) 1155 return None; 1156 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); 1157 1158 // Check if maskedFlags is non-zero. 1159 ProgramStateRef TrueState, FalseState; 1160 std::tie(TrueState, FalseState) = State->assume(MaskedFlags); 1161 1162 // If M_ZERO is set, treat this like calloc (initialized). 1163 if (TrueState && !FalseState) { 1164 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); 1165 return MallocMemAux(C, Call, Call.getArgExpr(0), ZeroVal, TrueState, 1166 AF_Malloc); 1167 } 1168 1169 return None; 1170 } 1171 1172 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 1173 const Expr *BlockBytes) { 1174 SValBuilder &SB = C.getSValBuilder(); 1175 SVal BlocksVal = C.getSVal(Blocks); 1176 SVal BlockBytesVal = C.getSVal(BlockBytes); 1177 ProgramStateRef State = C.getState(); 1178 SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal, 1179 SB.getContext().getSizeType()); 1180 return TotalSize; 1181 } 1182 1183 void MallocChecker::checkBasicAlloc(const CallEvent &Call, 1184 CheckerContext &C) const { 1185 ProgramStateRef State = C.getState(); 1186 State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State, 1187 AF_Malloc); 1188 State = ProcessZeroAllocCheck(Call, 0, State); 1189 C.addTransition(State); 1190 } 1191 1192 void MallocChecker::checkKernelMalloc(const CallEvent &Call, 1193 CheckerContext &C) const { 1194 ProgramStateRef State = C.getState(); 1195 llvm::Optional<ProgramStateRef> MaybeState = 1196 performKernelMalloc(Call, C, State); 1197 if (MaybeState.hasValue()) 1198 State = MaybeState.getValue(); 1199 else 1200 State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State, 1201 AF_Malloc); 1202 C.addTransition(State); 1203 } 1204 1205 static bool isStandardRealloc(const CallEvent &Call) { 1206 const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl()); 1207 assert(FD); 1208 ASTContext &AC = FD->getASTContext(); 1209 1210 if (isa<CXXMethodDecl>(FD)) 1211 return false; 1212 1213 return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy && 1214 FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy && 1215 FD->getParamDecl(1)->getType().getDesugaredType(AC) == 1216 AC.getSizeType(); 1217 } 1218 1219 static bool isGRealloc(const CallEvent &Call) { 1220 const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl()); 1221 assert(FD); 1222 ASTContext &AC = FD->getASTContext(); 1223 1224 if (isa<CXXMethodDecl>(FD)) 1225 return false; 1226 1227 return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy && 1228 FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy && 1229 FD->getParamDecl(1)->getType().getDesugaredType(AC) == 1230 AC.UnsignedLongTy; 1231 } 1232 1233 void MallocChecker::checkRealloc(const CallEvent &Call, CheckerContext &C, 1234 bool ShouldFreeOnFail) const { 1235 // HACK: CallDescription currently recognizes non-standard realloc functions 1236 // as standard because it doesn't check the type, or wether its a non-method 1237 // function. This should be solved by making CallDescription smarter. 1238 // Mind that this came from a bug report, and all other functions suffer from 1239 // this. 1240 // https://bugs.llvm.org/show_bug.cgi?id=46253 1241 if (!isStandardRealloc(Call) && !isGRealloc(Call)) 1242 return; 1243 ProgramStateRef State = C.getState(); 1244 State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, AF_Malloc); 1245 State = ProcessZeroAllocCheck(Call, 1, State); 1246 C.addTransition(State); 1247 } 1248 1249 void MallocChecker::checkCalloc(const CallEvent &Call, 1250 CheckerContext &C) const { 1251 ProgramStateRef State = C.getState(); 1252 State = CallocMem(C, Call, State); 1253 State = ProcessZeroAllocCheck(Call, 0, State); 1254 State = ProcessZeroAllocCheck(Call, 1, State); 1255 C.addTransition(State); 1256 } 1257 1258 void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const { 1259 ProgramStateRef State = C.getState(); 1260 bool IsKnownToBeAllocatedMemory = false; 1261 if (suppressDeallocationsInSuspiciousContexts(Call, C)) 1262 return; 1263 State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, 1264 AF_Malloc); 1265 C.addTransition(State); 1266 } 1267 1268 void MallocChecker::checkAlloca(const CallEvent &Call, 1269 CheckerContext &C) const { 1270 ProgramStateRef State = C.getState(); 1271 State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State, 1272 AF_Alloca); 1273 State = ProcessZeroAllocCheck(Call, 0, State); 1274 C.addTransition(State); 1275 } 1276 1277 void MallocChecker::checkStrdup(const CallEvent &Call, 1278 CheckerContext &C) const { 1279 ProgramStateRef State = C.getState(); 1280 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); 1281 if (!CE) 1282 return; 1283 State = MallocUpdateRefState(C, CE, State, AF_Malloc); 1284 1285 C.addTransition(State); 1286 } 1287 1288 void MallocChecker::checkIfNameIndex(const CallEvent &Call, 1289 CheckerContext &C) const { 1290 ProgramStateRef State = C.getState(); 1291 // Should we model this differently? We can allocate a fixed number of 1292 // elements with zeros in the last one. 1293 State = 1294 MallocMemAux(C, Call, UnknownVal(), UnknownVal(), State, AF_IfNameIndex); 1295 1296 C.addTransition(State); 1297 } 1298 1299 void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call, 1300 CheckerContext &C) const { 1301 ProgramStateRef State = C.getState(); 1302 bool IsKnownToBeAllocatedMemory = false; 1303 State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, 1304 AF_IfNameIndex); 1305 C.addTransition(State); 1306 } 1307 1308 void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call, 1309 CheckerContext &C) const { 1310 ProgramStateRef State = C.getState(); 1311 bool IsKnownToBeAllocatedMemory = false; 1312 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); 1313 if (!CE) 1314 return; 1315 1316 assert(isStandardNewDelete(Call)); 1317 1318 // Process direct calls to operator new/new[]/delete/delete[] functions 1319 // as distinct from new/new[]/delete/delete[] expressions that are 1320 // processed by the checkPostStmt callbacks for CXXNewExpr and 1321 // CXXDeleteExpr. 1322 const FunctionDecl *FD = C.getCalleeDecl(CE); 1323 switch (FD->getOverloadedOperator()) { 1324 case OO_New: 1325 State = 1326 MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, AF_CXXNew); 1327 State = ProcessZeroAllocCheck(Call, 0, State); 1328 break; 1329 case OO_Array_New: 1330 State = MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, 1331 AF_CXXNewArray); 1332 State = ProcessZeroAllocCheck(Call, 0, State); 1333 break; 1334 case OO_Delete: 1335 State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, 1336 AF_CXXNew); 1337 break; 1338 case OO_Array_Delete: 1339 State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory, 1340 AF_CXXNewArray); 1341 break; 1342 default: 1343 llvm_unreachable("not a new/delete operator"); 1344 } 1345 1346 C.addTransition(State); 1347 } 1348 1349 void MallocChecker::checkGMalloc0(const CallEvent &Call, 1350 CheckerContext &C) const { 1351 ProgramStateRef State = C.getState(); 1352 SValBuilder &svalBuilder = C.getSValBuilder(); 1353 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1354 State = MallocMemAux(C, Call, Call.getArgExpr(0), zeroVal, State, AF_Malloc); 1355 State = ProcessZeroAllocCheck(Call, 0, State); 1356 C.addTransition(State); 1357 } 1358 1359 void MallocChecker::checkGMemdup(const CallEvent &Call, 1360 CheckerContext &C) const { 1361 ProgramStateRef State = C.getState(); 1362 State = MallocMemAux(C, Call, Call.getArgExpr(1), UndefinedVal(), State, 1363 AF_Malloc); 1364 State = ProcessZeroAllocCheck(Call, 1, State); 1365 C.addTransition(State); 1366 } 1367 1368 void MallocChecker::checkGMallocN(const CallEvent &Call, 1369 CheckerContext &C) const { 1370 ProgramStateRef State = C.getState(); 1371 SVal Init = UndefinedVal(); 1372 SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1)); 1373 State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc); 1374 State = ProcessZeroAllocCheck(Call, 0, State); 1375 State = ProcessZeroAllocCheck(Call, 1, State); 1376 C.addTransition(State); 1377 } 1378 1379 void MallocChecker::checkGMallocN0(const CallEvent &Call, 1380 CheckerContext &C) const { 1381 ProgramStateRef State = C.getState(); 1382 SValBuilder &SB = C.getSValBuilder(); 1383 SVal Init = SB.makeZeroVal(SB.getContext().CharTy); 1384 SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1)); 1385 State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc); 1386 State = ProcessZeroAllocCheck(Call, 0, State); 1387 State = ProcessZeroAllocCheck(Call, 1, State); 1388 C.addTransition(State); 1389 } 1390 1391 void MallocChecker::checkReallocN(const CallEvent &Call, 1392 CheckerContext &C) const { 1393 ProgramStateRef State = C.getState(); 1394 State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, AF_Malloc, 1395 /*SuffixWithN=*/true); 1396 State = ProcessZeroAllocCheck(Call, 1, State); 1397 State = ProcessZeroAllocCheck(Call, 2, State); 1398 C.addTransition(State); 1399 } 1400 1401 void MallocChecker::checkOwnershipAttr(const CallEvent &Call, 1402 CheckerContext &C) const { 1403 ProgramStateRef State = C.getState(); 1404 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); 1405 if (!CE) 1406 return; 1407 const FunctionDecl *FD = C.getCalleeDecl(CE); 1408 if (!FD) 1409 return; 1410 if (ShouldIncludeOwnershipAnnotatedFunctions || 1411 ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 1412 // Check all the attributes, if there are any. 1413 // There can be multiple of these attributes. 1414 if (FD->hasAttrs()) 1415 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 1416 switch (I->getOwnKind()) { 1417 case OwnershipAttr::Returns: 1418 State = MallocMemReturnsAttr(C, Call, I, State); 1419 break; 1420 case OwnershipAttr::Takes: 1421 case OwnershipAttr::Holds: 1422 State = FreeMemAttr(C, Call, I, State); 1423 break; 1424 } 1425 } 1426 } 1427 C.addTransition(State); 1428 } 1429 1430 void MallocChecker::checkPostCall(const CallEvent &Call, 1431 CheckerContext &C) const { 1432 if (C.wasInlined) 1433 return; 1434 if (!Call.getOriginExpr()) 1435 return; 1436 1437 ProgramStateRef State = C.getState(); 1438 1439 if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) { 1440 (*Callback)(this, Call, C); 1441 return; 1442 } 1443 1444 if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) { 1445 (*Callback)(this, Call, C); 1446 return; 1447 } 1448 1449 if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) { 1450 (*Callback)(this, Call, C); 1451 return; 1452 } 1453 1454 if (isStandardNewDelete(Call)) { 1455 checkCXXNewOrCXXDelete(Call, C); 1456 return; 1457 } 1458 1459 checkOwnershipAttr(Call, C); 1460 } 1461 1462 // Performs a 0-sized allocations check. 1463 ProgramStateRef MallocChecker::ProcessZeroAllocCheck( 1464 const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State, 1465 Optional<SVal> RetVal) { 1466 if (!State) 1467 return nullptr; 1468 1469 if (!RetVal) 1470 RetVal = Call.getReturnValue(); 1471 1472 const Expr *Arg = nullptr; 1473 1474 if (const CallExpr *CE = dyn_cast<CallExpr>(Call.getOriginExpr())) { 1475 Arg = CE->getArg(IndexOfSizeArg); 1476 } else if (const CXXNewExpr *NE = 1477 dyn_cast<CXXNewExpr>(Call.getOriginExpr())) { 1478 if (NE->isArray()) { 1479 Arg = *NE->getArraySize(); 1480 } else { 1481 return State; 1482 } 1483 } else 1484 llvm_unreachable("not a CallExpr or CXXNewExpr"); 1485 1486 assert(Arg); 1487 1488 auto DefArgVal = 1489 State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>(); 1490 1491 if (!DefArgVal) 1492 return State; 1493 1494 // Check if the allocation size is 0. 1495 ProgramStateRef TrueState, FalseState; 1496 SValBuilder &SvalBuilder = State->getStateManager().getSValBuilder(); 1497 DefinedSVal Zero = 1498 SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>(); 1499 1500 std::tie(TrueState, FalseState) = 1501 State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero)); 1502 1503 if (TrueState && !FalseState) { 1504 SymbolRef Sym = RetVal->getAsLocSymbol(); 1505 if (!Sym) 1506 return State; 1507 1508 const RefState *RS = State->get<RegionState>(Sym); 1509 if (RS) { 1510 if (RS->isAllocated()) 1511 return TrueState->set<RegionState>(Sym, 1512 RefState::getAllocatedOfSizeZero(RS)); 1513 else 1514 return State; 1515 } else { 1516 // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as 1517 // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not 1518 // tracked. Add zero-reallocated Sym to the state to catch references 1519 // to zero-allocated memory. 1520 return TrueState->add<ReallocSizeZeroSymbols>(Sym); 1521 } 1522 } 1523 1524 // Assume the value is non-zero going forward. 1525 assert(FalseState); 1526 return FalseState; 1527 } 1528 1529 static QualType getDeepPointeeType(QualType T) { 1530 QualType Result = T, PointeeType = T->getPointeeType(); 1531 while (!PointeeType.isNull()) { 1532 Result = PointeeType; 1533 PointeeType = PointeeType->getPointeeType(); 1534 } 1535 return Result; 1536 } 1537 1538 /// \returns true if the constructor invoked by \p NE has an argument of a 1539 /// pointer/reference to a record type. 1540 static bool hasNonTrivialConstructorCall(const CXXNewExpr *NE) { 1541 1542 const CXXConstructExpr *ConstructE = NE->getConstructExpr(); 1543 if (!ConstructE) 1544 return false; 1545 1546 if (!NE->getAllocatedType()->getAsCXXRecordDecl()) 1547 return false; 1548 1549 const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); 1550 1551 // Iterate over the constructor parameters. 1552 for (const auto *CtorParam : CtorD->parameters()) { 1553 1554 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); 1555 if (CtorParamPointeeT.isNull()) 1556 continue; 1557 1558 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); 1559 1560 if (CtorParamPointeeT->getAsCXXRecordDecl()) 1561 return true; 1562 } 1563 1564 return false; 1565 } 1566 1567 ProgramStateRef 1568 MallocChecker::processNewAllocation(const CXXAllocatorCall &Call, 1569 CheckerContext &C, 1570 AllocationFamily Family) const { 1571 if (!isStandardNewDelete(Call)) 1572 return nullptr; 1573 1574 const CXXNewExpr *NE = Call.getOriginExpr(); 1575 const ParentMap &PM = C.getLocationContext()->getParentMap(); 1576 ProgramStateRef State = C.getState(); 1577 1578 // Non-trivial constructors have a chance to escape 'this', but marking all 1579 // invocations of trivial constructors as escaped would cause too great of 1580 // reduction of true positives, so let's just do that for constructors that 1581 // have an argument of a pointer-to-record type. 1582 if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE)) 1583 return State; 1584 1585 // The return value from operator new is bound to a specified initialization 1586 // value (if any) and we don't want to loose this value. So we call 1587 // MallocUpdateRefState() instead of MallocMemAux() which breaks the 1588 // existing binding. 1589 SVal Target = Call.getObjectUnderConstruction(); 1590 State = MallocUpdateRefState(C, NE, State, Family, Target); 1591 State = ProcessZeroAllocCheck(Call, 0, State, Target); 1592 return State; 1593 } 1594 1595 void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call, 1596 CheckerContext &C) const { 1597 if (!C.wasInlined) { 1598 ProgramStateRef State = processNewAllocation( 1599 Call, C, 1600 (Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew)); 1601 C.addTransition(State); 1602 } 1603 } 1604 1605 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 1606 // If the first selector piece is one of the names below, assume that the 1607 // object takes ownership of the memory, promising to eventually deallocate it 1608 // with free(). 1609 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1610 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 1611 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 1612 return FirstSlot == "dataWithBytesNoCopy" || 1613 FirstSlot == "initWithBytesNoCopy" || 1614 FirstSlot == "initWithCharactersNoCopy"; 1615 } 1616 1617 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 1618 Selector S = Call.getSelector(); 1619 1620 // FIXME: We should not rely on fully-constrained symbols being folded. 1621 for (unsigned i = 1; i < S.getNumArgs(); ++i) 1622 if (S.getNameForSlot(i).equals("freeWhenDone")) 1623 return !Call.getArgSVal(i).isZeroConstant(); 1624 1625 return None; 1626 } 1627 1628 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 1629 CheckerContext &C) const { 1630 if (C.wasInlined) 1631 return; 1632 1633 if (!isKnownDeallocObjCMethodName(Call)) 1634 return; 1635 1636 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 1637 if (!*FreeWhenDone) 1638 return; 1639 1640 if (Call.hasNonZeroCallbackArg()) 1641 return; 1642 1643 bool IsKnownToBeAllocatedMemory; 1644 ProgramStateRef State = 1645 FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(), 1646 /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc, 1647 /*RetNullOnFailure=*/true); 1648 1649 C.addTransition(State); 1650 } 1651 1652 ProgramStateRef 1653 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call, 1654 const OwnershipAttr *Att, 1655 ProgramStateRef State) const { 1656 if (!State) 1657 return nullptr; 1658 1659 if (Att->getModule()->getName() != "malloc") 1660 return nullptr; 1661 1662 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 1663 if (I != E) { 1664 return MallocMemAux(C, Call, Call.getArgExpr(I->getASTIndex()), 1665 UndefinedVal(), State, AF_Malloc); 1666 } 1667 return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, AF_Malloc); 1668 } 1669 1670 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1671 const CallEvent &Call, 1672 const Expr *SizeEx, SVal Init, 1673 ProgramStateRef State, 1674 AllocationFamily Family) { 1675 if (!State) 1676 return nullptr; 1677 1678 assert(SizeEx); 1679 return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family); 1680 } 1681 1682 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1683 const CallEvent &Call, SVal Size, 1684 SVal Init, ProgramStateRef State, 1685 AllocationFamily Family) { 1686 if (!State) 1687 return nullptr; 1688 1689 const Expr *CE = Call.getOriginExpr(); 1690 1691 // We expect the malloc functions to return a pointer. 1692 if (!Loc::isLocType(CE->getType())) 1693 return nullptr; 1694 1695 // Bind the return value to the symbolic value from the heap region. 1696 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 1697 // side effects other than what we model here. 1698 unsigned Count = C.blockCount(); 1699 SValBuilder &svalBuilder = C.getSValBuilder(); 1700 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 1701 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 1702 .castAs<DefinedSVal>(); 1703 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 1704 1705 // Fill the region with the initialization value. 1706 State = State->bindDefaultInitial(RetVal, Init, LCtx); 1707 1708 // Set the region's extent. 1709 State = setDynamicExtent(State, RetVal.getAsRegion(), 1710 Size.castAs<DefinedOrUnknownSVal>(), svalBuilder); 1711 1712 return MallocUpdateRefState(C, CE, State, Family); 1713 } 1714 1715 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, 1716 ProgramStateRef State, 1717 AllocationFamily Family, 1718 Optional<SVal> RetVal) { 1719 if (!State) 1720 return nullptr; 1721 1722 // Get the return value. 1723 if (!RetVal) 1724 RetVal = C.getSVal(E); 1725 1726 // We expect the malloc functions to return a pointer. 1727 if (!RetVal->getAs<Loc>()) 1728 return nullptr; 1729 1730 SymbolRef Sym = RetVal->getAsLocSymbol(); 1731 // This is a return value of a function that was not inlined, such as malloc() 1732 // or new(). We've checked that in the caller. Therefore, it must be a symbol. 1733 assert(Sym); 1734 1735 // Set the symbol's state to Allocated. 1736 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 1737 } 1738 1739 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 1740 const CallEvent &Call, 1741 const OwnershipAttr *Att, 1742 ProgramStateRef State) const { 1743 if (!State) 1744 return nullptr; 1745 1746 if (Att->getModule()->getName() != "malloc") 1747 return nullptr; 1748 1749 bool IsKnownToBeAllocated = false; 1750 1751 for (const auto &Arg : Att->args()) { 1752 ProgramStateRef StateI = 1753 FreeMemAux(C, Call, State, Arg.getASTIndex(), 1754 Att->getOwnKind() == OwnershipAttr::Holds, 1755 IsKnownToBeAllocated, AF_Malloc); 1756 if (StateI) 1757 State = StateI; 1758 } 1759 return State; 1760 } 1761 1762 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1763 const CallEvent &Call, 1764 ProgramStateRef State, unsigned Num, 1765 bool Hold, bool &IsKnownToBeAllocated, 1766 AllocationFamily Family, 1767 bool ReturnsNullOnFailure) const { 1768 if (!State) 1769 return nullptr; 1770 1771 if (Call.getNumArgs() < (Num + 1)) 1772 return nullptr; 1773 1774 return FreeMemAux(C, Call.getArgExpr(Num), Call, State, Hold, 1775 IsKnownToBeAllocated, Family, ReturnsNullOnFailure); 1776 } 1777 1778 /// Checks if the previous call to free on the given symbol failed - if free 1779 /// failed, returns true. Also, returns the corresponding return value symbol. 1780 static bool didPreviousFreeFail(ProgramStateRef State, 1781 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 1782 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 1783 if (Ret) { 1784 assert(*Ret && "We should not store the null return symbol"); 1785 ConstraintManager &CMgr = State->getConstraintManager(); 1786 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 1787 RetStatusSymbol = *Ret; 1788 return FreeFailed.isConstrainedTrue(); 1789 } 1790 return false; 1791 } 1792 1793 static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E) { 1794 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1795 // FIXME: This doesn't handle indirect calls. 1796 const FunctionDecl *FD = CE->getDirectCallee(); 1797 if (!FD) 1798 return false; 1799 1800 os << *FD; 1801 if (!FD->isOverloadedOperator()) 1802 os << "()"; 1803 return true; 1804 } 1805 1806 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 1807 if (Msg->isInstanceMessage()) 1808 os << "-"; 1809 else 1810 os << "+"; 1811 Msg->getSelector().print(os); 1812 return true; 1813 } 1814 1815 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1816 os << "'" 1817 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 1818 << "'"; 1819 return true; 1820 } 1821 1822 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 1823 os << "'" 1824 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 1825 << "'"; 1826 return true; 1827 } 1828 1829 return false; 1830 } 1831 1832 static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family) { 1833 1834 switch(Family) { 1835 case AF_Malloc: os << "malloc()"; return; 1836 case AF_CXXNew: os << "'new'"; return; 1837 case AF_CXXNewArray: os << "'new[]'"; return; 1838 case AF_IfNameIndex: os << "'if_nameindex()'"; return; 1839 case AF_InnerBuffer: os << "container-specific allocator"; return; 1840 case AF_Alloca: 1841 case AF_None: llvm_unreachable("not a deallocation expression"); 1842 } 1843 } 1844 1845 static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) { 1846 switch(Family) { 1847 case AF_Malloc: os << "free()"; return; 1848 case AF_CXXNew: os << "'delete'"; return; 1849 case AF_CXXNewArray: os << "'delete[]'"; return; 1850 case AF_IfNameIndex: os << "'if_freenameindex()'"; return; 1851 case AF_InnerBuffer: os << "container-specific deallocator"; return; 1852 case AF_Alloca: 1853 case AF_None: llvm_unreachable("suspicious argument"); 1854 } 1855 } 1856 1857 ProgramStateRef MallocChecker::FreeMemAux( 1858 CheckerContext &C, const Expr *ArgExpr, const CallEvent &Call, 1859 ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated, 1860 AllocationFamily Family, bool ReturnsNullOnFailure) const { 1861 1862 if (!State) 1863 return nullptr; 1864 1865 SVal ArgVal = C.getSVal(ArgExpr); 1866 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 1867 return nullptr; 1868 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 1869 1870 // Check for null dereferences. 1871 if (!location.getAs<Loc>()) 1872 return nullptr; 1873 1874 // The explicit NULL case, no operation is performed. 1875 ProgramStateRef notNullState, nullState; 1876 std::tie(notNullState, nullState) = State->assume(location); 1877 if (nullState && !notNullState) 1878 return nullptr; 1879 1880 // Unknown values could easily be okay 1881 // Undefined values are handled elsewhere 1882 if (ArgVal.isUnknownOrUndef()) 1883 return nullptr; 1884 1885 const MemRegion *R = ArgVal.getAsRegion(); 1886 const Expr *ParentExpr = Call.getOriginExpr(); 1887 1888 // NOTE: We detected a bug, but the checker under whose name we would emit the 1889 // error could be disabled. Generally speaking, the MallocChecker family is an 1890 // integral part of the Static Analyzer, and disabling any part of it should 1891 // only be done under exceptional circumstances, such as frequent false 1892 // positives. If this is the case, we can reasonably believe that there are 1893 // serious faults in our understanding of the source code, and even if we 1894 // don't emit an warning, we should terminate further analysis with a sink 1895 // node. 1896 1897 // Nonlocs can't be freed, of course. 1898 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 1899 if (!R) { 1900 // Exception: 1901 // If the macro ZERO_SIZE_PTR is defined, this could be a kernel source 1902 // code. In that case, the ZERO_SIZE_PTR defines a special value used for a 1903 // zero-sized memory block which is allowed to be freed, despite not being a 1904 // null pointer. 1905 if (Family != AF_Malloc || !isArgZERO_SIZE_PTR(State, C, ArgVal)) 1906 HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1907 Family); 1908 return nullptr; 1909 } 1910 1911 R = R->StripCasts(); 1912 1913 // Blocks might show up as heap data, but should not be free()d 1914 if (isa<BlockDataRegion>(R)) { 1915 HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1916 Family); 1917 return nullptr; 1918 } 1919 1920 const MemSpaceRegion *MS = R->getMemorySpace(); 1921 1922 // Parameters, locals, statics, globals, and memory returned by 1923 // __builtin_alloca() shouldn't be freed. 1924 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1925 // FIXME: at the time this code was written, malloc() regions were 1926 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1927 // This means that there isn't actually anything from HeapSpaceRegion 1928 // that should be freed, even though we allow it here. 1929 // Of course, free() can work on memory allocated outside the current 1930 // function, so UnknownSpaceRegion is always a possibility. 1931 // False negatives are better than false positives. 1932 1933 if (isa<AllocaRegion>(R)) 1934 HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1935 else 1936 HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1937 Family); 1938 1939 return nullptr; 1940 } 1941 1942 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1943 // Various cases could lead to non-symbol values here. 1944 // For now, ignore them. 1945 if (!SrBase) 1946 return nullptr; 1947 1948 SymbolRef SymBase = SrBase->getSymbol(); 1949 const RefState *RsBase = State->get<RegionState>(SymBase); 1950 SymbolRef PreviousRetStatusSymbol = nullptr; 1951 1952 IsKnownToBeAllocated = 1953 RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero()); 1954 1955 if (RsBase) { 1956 1957 // Memory returned by alloca() shouldn't be freed. 1958 if (RsBase->getAllocationFamily() == AF_Alloca) { 1959 HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1960 return nullptr; 1961 } 1962 1963 // Check for double free first. 1964 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1965 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1966 HandleDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1967 SymBase, PreviousRetStatusSymbol); 1968 return nullptr; 1969 1970 // If the pointer is allocated or escaped, but we are now trying to free it, 1971 // check that the call to free is proper. 1972 } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() || 1973 RsBase->isEscaped()) { 1974 1975 // Check if an expected deallocation function matches the real one. 1976 bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family; 1977 if (!DeallocMatchesAlloc) { 1978 HandleMismatchedDealloc(C, ArgExpr->getSourceRange(), ParentExpr, 1979 RsBase, SymBase, Hold); 1980 return nullptr; 1981 } 1982 1983 // Check if the memory location being freed is the actual location 1984 // allocated, or an offset. 1985 RegionOffset Offset = R->getAsOffset(); 1986 if (Offset.isValid() && 1987 !Offset.hasSymbolicOffset() && 1988 Offset.getOffset() != 0) { 1989 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1990 HandleOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1991 Family, AllocExpr); 1992 return nullptr; 1993 } 1994 } 1995 } 1996 1997 if (SymBase->getType()->isFunctionPointerType()) { 1998 HandleFunctionPtrFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1999 Family); 2000 return nullptr; 2001 } 2002 2003 // Clean out the info on previous call to free return info. 2004 State = State->remove<FreeReturnValue>(SymBase); 2005 2006 // Keep track of the return value. If it is NULL, we will know that free 2007 // failed. 2008 if (ReturnsNullOnFailure) { 2009 SVal RetVal = C.getSVal(ParentExpr); 2010 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 2011 if (RetStatusSymbol) { 2012 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 2013 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 2014 } 2015 } 2016 2017 // If we don't know anything about this symbol, a free on it may be totally 2018 // valid. If this is the case, lets assume that the allocation family of the 2019 // freeing function is the same as the symbols allocation family, and go with 2020 // that. 2021 assert(!RsBase || (RsBase && RsBase->getAllocationFamily() == Family)); 2022 2023 // Normal free. 2024 if (Hold) 2025 return State->set<RegionState>(SymBase, 2026 RefState::getRelinquished(Family, 2027 ParentExpr)); 2028 2029 return State->set<RegionState>(SymBase, 2030 RefState::getReleased(Family, ParentExpr)); 2031 } 2032 2033 Optional<MallocChecker::CheckKind> 2034 MallocChecker::getCheckIfTracked(AllocationFamily Family, 2035 bool IsALeakCheck) const { 2036 switch (Family) { 2037 case AF_Malloc: 2038 case AF_Alloca: 2039 case AF_IfNameIndex: { 2040 if (ChecksEnabled[CK_MallocChecker]) 2041 return CK_MallocChecker; 2042 return None; 2043 } 2044 case AF_CXXNew: 2045 case AF_CXXNewArray: { 2046 if (IsALeakCheck) { 2047 if (ChecksEnabled[CK_NewDeleteLeaksChecker]) 2048 return CK_NewDeleteLeaksChecker; 2049 } 2050 else { 2051 if (ChecksEnabled[CK_NewDeleteChecker]) 2052 return CK_NewDeleteChecker; 2053 } 2054 return None; 2055 } 2056 case AF_InnerBuffer: { 2057 if (ChecksEnabled[CK_InnerPointerChecker]) 2058 return CK_InnerPointerChecker; 2059 return None; 2060 } 2061 case AF_None: { 2062 llvm_unreachable("no family"); 2063 } 2064 } 2065 llvm_unreachable("unhandled family"); 2066 } 2067 2068 Optional<MallocChecker::CheckKind> 2069 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 2070 bool IsALeakCheck) const { 2071 if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) 2072 return CK_MallocChecker; 2073 2074 const RefState *RS = C.getState()->get<RegionState>(Sym); 2075 assert(RS); 2076 return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck); 2077 } 2078 2079 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 2080 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 2081 os << "an integer (" << IntVal->getValue() << ")"; 2082 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 2083 os << "a constant address (" << ConstAddr->getValue() << ")"; 2084 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 2085 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 2086 else 2087 return false; 2088 2089 return true; 2090 } 2091 2092 bool MallocChecker::SummarizeRegion(raw_ostream &os, 2093 const MemRegion *MR) { 2094 switch (MR->getKind()) { 2095 case MemRegion::FunctionCodeRegionKind: { 2096 const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl(); 2097 if (FD) 2098 os << "the address of the function '" << *FD << '\''; 2099 else 2100 os << "the address of a function"; 2101 return true; 2102 } 2103 case MemRegion::BlockCodeRegionKind: 2104 os << "block text"; 2105 return true; 2106 case MemRegion::BlockDataRegionKind: 2107 // FIXME: where the block came from? 2108 os << "a block"; 2109 return true; 2110 default: { 2111 const MemSpaceRegion *MS = MR->getMemorySpace(); 2112 2113 if (isa<StackLocalsSpaceRegion>(MS)) { 2114 const VarRegion *VR = dyn_cast<VarRegion>(MR); 2115 const VarDecl *VD; 2116 if (VR) 2117 VD = VR->getDecl(); 2118 else 2119 VD = nullptr; 2120 2121 if (VD) 2122 os << "the address of the local variable '" << VD->getName() << "'"; 2123 else 2124 os << "the address of a local stack variable"; 2125 return true; 2126 } 2127 2128 if (isa<StackArgumentsSpaceRegion>(MS)) { 2129 const VarRegion *VR = dyn_cast<VarRegion>(MR); 2130 const VarDecl *VD; 2131 if (VR) 2132 VD = VR->getDecl(); 2133 else 2134 VD = nullptr; 2135 2136 if (VD) 2137 os << "the address of the parameter '" << VD->getName() << "'"; 2138 else 2139 os << "the address of a parameter"; 2140 return true; 2141 } 2142 2143 if (isa<GlobalsSpaceRegion>(MS)) { 2144 const VarRegion *VR = dyn_cast<VarRegion>(MR); 2145 const VarDecl *VD; 2146 if (VR) 2147 VD = VR->getDecl(); 2148 else 2149 VD = nullptr; 2150 2151 if (VD) { 2152 if (VD->isStaticLocal()) 2153 os << "the address of the static variable '" << VD->getName() << "'"; 2154 else 2155 os << "the address of the global variable '" << VD->getName() << "'"; 2156 } else 2157 os << "the address of a global variable"; 2158 return true; 2159 } 2160 2161 return false; 2162 } 2163 } 2164 } 2165 2166 void MallocChecker::HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, 2167 SourceRange Range, 2168 const Expr *DeallocExpr, 2169 AllocationFamily Family) const { 2170 2171 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) { 2172 C.addSink(); 2173 return; 2174 } 2175 2176 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2177 if (!CheckKind.hasValue()) 2178 return; 2179 2180 if (ExplodedNode *N = C.generateErrorNode()) { 2181 if (!BT_BadFree[*CheckKind]) 2182 BT_BadFree[*CheckKind].reset(new BugType( 2183 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 2184 2185 SmallString<100> buf; 2186 llvm::raw_svector_ostream os(buf); 2187 2188 const MemRegion *MR = ArgVal.getAsRegion(); 2189 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 2190 MR = ER->getSuperRegion(); 2191 2192 os << "Argument to "; 2193 if (!printMemFnName(os, C, DeallocExpr)) 2194 os << "deallocator"; 2195 2196 os << " is "; 2197 bool Summarized = MR ? SummarizeRegion(os, MR) 2198 : SummarizeValue(os, ArgVal); 2199 if (Summarized) 2200 os << ", which is not memory allocated by "; 2201 else 2202 os << "not memory allocated by "; 2203 2204 printExpectedAllocName(os, Family); 2205 2206 auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], 2207 os.str(), N); 2208 R->markInteresting(MR); 2209 R->addRange(Range); 2210 C.emitReport(std::move(R)); 2211 } 2212 } 2213 2214 void MallocChecker::HandleFreeAlloca(CheckerContext &C, SVal ArgVal, 2215 SourceRange Range) const { 2216 2217 Optional<MallocChecker::CheckKind> CheckKind; 2218 2219 if (ChecksEnabled[CK_MallocChecker]) 2220 CheckKind = CK_MallocChecker; 2221 else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) 2222 CheckKind = CK_MismatchedDeallocatorChecker; 2223 else { 2224 C.addSink(); 2225 return; 2226 } 2227 2228 if (ExplodedNode *N = C.generateErrorNode()) { 2229 if (!BT_FreeAlloca[*CheckKind]) 2230 BT_FreeAlloca[*CheckKind].reset(new BugType( 2231 CheckNames[*CheckKind], "Free alloca()", categories::MemoryError)); 2232 2233 auto R = std::make_unique<PathSensitiveBugReport>( 2234 *BT_FreeAlloca[*CheckKind], 2235 "Memory allocated by alloca() should not be deallocated", N); 2236 R->markInteresting(ArgVal.getAsRegion()); 2237 R->addRange(Range); 2238 C.emitReport(std::move(R)); 2239 } 2240 } 2241 2242 void MallocChecker::HandleMismatchedDealloc(CheckerContext &C, 2243 SourceRange Range, 2244 const Expr *DeallocExpr, 2245 const RefState *RS, SymbolRef Sym, 2246 bool OwnershipTransferred) const { 2247 2248 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 2249 C.addSink(); 2250 return; 2251 } 2252 2253 if (ExplodedNode *N = C.generateErrorNode()) { 2254 if (!BT_MismatchedDealloc) 2255 BT_MismatchedDealloc.reset( 2256 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 2257 "Bad deallocator", categories::MemoryError)); 2258 2259 SmallString<100> buf; 2260 llvm::raw_svector_ostream os(buf); 2261 2262 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 2263 SmallString<20> AllocBuf; 2264 llvm::raw_svector_ostream AllocOs(AllocBuf); 2265 SmallString<20> DeallocBuf; 2266 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 2267 2268 if (OwnershipTransferred) { 2269 if (printMemFnName(DeallocOs, C, DeallocExpr)) 2270 os << DeallocOs.str() << " cannot"; 2271 else 2272 os << "Cannot"; 2273 2274 os << " take ownership of memory"; 2275 2276 if (printMemFnName(AllocOs, C, AllocExpr)) 2277 os << " allocated by " << AllocOs.str(); 2278 } else { 2279 os << "Memory"; 2280 if (printMemFnName(AllocOs, C, AllocExpr)) 2281 os << " allocated by " << AllocOs.str(); 2282 2283 os << " should be deallocated by "; 2284 printExpectedDeallocName(os, RS->getAllocationFamily()); 2285 2286 if (printMemFnName(DeallocOs, C, DeallocExpr)) 2287 os << ", not " << DeallocOs.str(); 2288 } 2289 2290 auto R = std::make_unique<PathSensitiveBugReport>(*BT_MismatchedDealloc, 2291 os.str(), N); 2292 R->markInteresting(Sym); 2293 R->addRange(Range); 2294 R->addVisitor<MallocBugVisitor>(Sym); 2295 C.emitReport(std::move(R)); 2296 } 2297 } 2298 2299 void MallocChecker::HandleOffsetFree(CheckerContext &C, SVal ArgVal, 2300 SourceRange Range, const Expr *DeallocExpr, 2301 AllocationFamily Family, 2302 const Expr *AllocExpr) const { 2303 2304 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) { 2305 C.addSink(); 2306 return; 2307 } 2308 2309 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2310 if (!CheckKind.hasValue()) 2311 return; 2312 2313 ExplodedNode *N = C.generateErrorNode(); 2314 if (!N) 2315 return; 2316 2317 if (!BT_OffsetFree[*CheckKind]) 2318 BT_OffsetFree[*CheckKind].reset(new BugType( 2319 CheckNames[*CheckKind], "Offset free", categories::MemoryError)); 2320 2321 SmallString<100> buf; 2322 llvm::raw_svector_ostream os(buf); 2323 SmallString<20> AllocNameBuf; 2324 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 2325 2326 const MemRegion *MR = ArgVal.getAsRegion(); 2327 assert(MR && "Only MemRegion based symbols can have offset free errors"); 2328 2329 RegionOffset Offset = MR->getAsOffset(); 2330 assert((Offset.isValid() && 2331 !Offset.hasSymbolicOffset() && 2332 Offset.getOffset() != 0) && 2333 "Only symbols with a valid offset can have offset free errors"); 2334 2335 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 2336 2337 os << "Argument to "; 2338 if (!printMemFnName(os, C, DeallocExpr)) 2339 os << "deallocator"; 2340 os << " is offset by " 2341 << offsetBytes 2342 << " " 2343 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 2344 << " from the start of "; 2345 if (AllocExpr && printMemFnName(AllocNameOs, C, AllocExpr)) 2346 os << "memory allocated by " << AllocNameOs.str(); 2347 else 2348 os << "allocated memory"; 2349 2350 auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind], 2351 os.str(), N); 2352 R->markInteresting(MR->getBaseRegion()); 2353 R->addRange(Range); 2354 C.emitReport(std::move(R)); 2355 } 2356 2357 void MallocChecker::HandleUseAfterFree(CheckerContext &C, SourceRange Range, 2358 SymbolRef Sym) const { 2359 2360 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker] && 2361 !ChecksEnabled[CK_InnerPointerChecker]) { 2362 C.addSink(); 2363 return; 2364 } 2365 2366 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2367 if (!CheckKind.hasValue()) 2368 return; 2369 2370 if (ExplodedNode *N = C.generateErrorNode()) { 2371 if (!BT_UseFree[*CheckKind]) 2372 BT_UseFree[*CheckKind].reset(new BugType( 2373 CheckNames[*CheckKind], "Use-after-free", categories::MemoryError)); 2374 2375 AllocationFamily AF = 2376 C.getState()->get<RegionState>(Sym)->getAllocationFamily(); 2377 2378 auto R = std::make_unique<PathSensitiveBugReport>( 2379 *BT_UseFree[*CheckKind], 2380 AF == AF_InnerBuffer 2381 ? "Inner pointer of container used after re/deallocation" 2382 : "Use of memory after it is freed", 2383 N); 2384 2385 R->markInteresting(Sym); 2386 R->addRange(Range); 2387 R->addVisitor<MallocBugVisitor>(Sym); 2388 2389 if (AF == AF_InnerBuffer) 2390 R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym)); 2391 2392 C.emitReport(std::move(R)); 2393 } 2394 } 2395 2396 void MallocChecker::HandleDoubleFree(CheckerContext &C, SourceRange Range, 2397 bool Released, SymbolRef Sym, 2398 SymbolRef PrevSym) const { 2399 2400 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) { 2401 C.addSink(); 2402 return; 2403 } 2404 2405 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2406 if (!CheckKind.hasValue()) 2407 return; 2408 2409 if (ExplodedNode *N = C.generateErrorNode()) { 2410 if (!BT_DoubleFree[*CheckKind]) 2411 BT_DoubleFree[*CheckKind].reset(new BugType( 2412 CheckNames[*CheckKind], "Double free", categories::MemoryError)); 2413 2414 auto R = std::make_unique<PathSensitiveBugReport>( 2415 *BT_DoubleFree[*CheckKind], 2416 (Released ? "Attempt to free released memory" 2417 : "Attempt to free non-owned memory"), 2418 N); 2419 R->addRange(Range); 2420 R->markInteresting(Sym); 2421 if (PrevSym) 2422 R->markInteresting(PrevSym); 2423 R->addVisitor<MallocBugVisitor>(Sym); 2424 C.emitReport(std::move(R)); 2425 } 2426 } 2427 2428 void MallocChecker::HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 2429 2430 if (!ChecksEnabled[CK_NewDeleteChecker]) { 2431 C.addSink(); 2432 return; 2433 } 2434 2435 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2436 if (!CheckKind.hasValue()) 2437 return; 2438 2439 if (ExplodedNode *N = C.generateErrorNode()) { 2440 if (!BT_DoubleDelete) 2441 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 2442 "Double delete", 2443 categories::MemoryError)); 2444 2445 auto R = std::make_unique<PathSensitiveBugReport>( 2446 *BT_DoubleDelete, "Attempt to delete released memory", N); 2447 2448 R->markInteresting(Sym); 2449 R->addVisitor<MallocBugVisitor>(Sym); 2450 C.emitReport(std::move(R)); 2451 } 2452 } 2453 2454 void MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range, 2455 SymbolRef Sym) const { 2456 2457 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) { 2458 C.addSink(); 2459 return; 2460 } 2461 2462 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2463 2464 if (!CheckKind.hasValue()) 2465 return; 2466 2467 if (ExplodedNode *N = C.generateErrorNode()) { 2468 if (!BT_UseZerroAllocated[*CheckKind]) 2469 BT_UseZerroAllocated[*CheckKind].reset( 2470 new BugType(CheckNames[*CheckKind], "Use of zero allocated", 2471 categories::MemoryError)); 2472 2473 auto R = std::make_unique<PathSensitiveBugReport>( 2474 *BT_UseZerroAllocated[*CheckKind], "Use of zero-allocated memory", N); 2475 2476 R->addRange(Range); 2477 if (Sym) { 2478 R->markInteresting(Sym); 2479 R->addVisitor<MallocBugVisitor>(Sym); 2480 } 2481 C.emitReport(std::move(R)); 2482 } 2483 } 2484 2485 void MallocChecker::HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, 2486 SourceRange Range, 2487 const Expr *FreeExpr, 2488 AllocationFamily Family) const { 2489 if (!ChecksEnabled[CK_MallocChecker]) { 2490 C.addSink(); 2491 return; 2492 } 2493 2494 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2495 if (!CheckKind.hasValue()) 2496 return; 2497 2498 if (ExplodedNode *N = C.generateErrorNode()) { 2499 if (!BT_BadFree[*CheckKind]) 2500 BT_BadFree[*CheckKind].reset(new BugType( 2501 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 2502 2503 SmallString<100> Buf; 2504 llvm::raw_svector_ostream Os(Buf); 2505 2506 const MemRegion *MR = ArgVal.getAsRegion(); 2507 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 2508 MR = ER->getSuperRegion(); 2509 2510 Os << "Argument to "; 2511 if (!printMemFnName(Os, C, FreeExpr)) 2512 Os << "deallocator"; 2513 2514 Os << " is a function pointer"; 2515 2516 auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], 2517 Os.str(), N); 2518 R->markInteresting(MR); 2519 R->addRange(Range); 2520 C.emitReport(std::move(R)); 2521 } 2522 } 2523 2524 ProgramStateRef 2525 MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call, 2526 bool ShouldFreeOnFail, ProgramStateRef State, 2527 AllocationFamily Family, bool SuffixWithN) const { 2528 if (!State) 2529 return nullptr; 2530 2531 const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr()); 2532 2533 if (SuffixWithN && CE->getNumArgs() < 3) 2534 return nullptr; 2535 else if (CE->getNumArgs() < 2) 2536 return nullptr; 2537 2538 const Expr *arg0Expr = CE->getArg(0); 2539 SVal Arg0Val = C.getSVal(arg0Expr); 2540 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 2541 return nullptr; 2542 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 2543 2544 SValBuilder &svalBuilder = C.getSValBuilder(); 2545 2546 DefinedOrUnknownSVal PtrEQ = 2547 svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull()); 2548 2549 // Get the size argument. 2550 const Expr *Arg1 = CE->getArg(1); 2551 2552 // Get the value of the size argument. 2553 SVal TotalSize = C.getSVal(Arg1); 2554 if (SuffixWithN) 2555 TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2)); 2556 if (!TotalSize.getAs<DefinedOrUnknownSVal>()) 2557 return nullptr; 2558 2559 // Compare the size argument to 0. 2560 DefinedOrUnknownSVal SizeZero = 2561 svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(), 2562 svalBuilder.makeIntValWithPtrWidth(0, false)); 2563 2564 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 2565 std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); 2566 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 2567 std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); 2568 // We only assume exceptional states if they are definitely true; if the 2569 // state is under-constrained, assume regular realloc behavior. 2570 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 2571 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 2572 2573 // If the ptr is NULL and the size is not 0, the call is equivalent to 2574 // malloc(size). 2575 if (PrtIsNull && !SizeIsZero) { 2576 ProgramStateRef stateMalloc = MallocMemAux( 2577 C, Call, TotalSize, UndefinedVal(), StatePtrIsNull, Family); 2578 return stateMalloc; 2579 } 2580 2581 if (PrtIsNull && SizeIsZero) 2582 return State; 2583 2584 assert(!PrtIsNull); 2585 2586 bool IsKnownToBeAllocated = false; 2587 2588 // If the size is 0, free the memory. 2589 if (SizeIsZero) 2590 // The semantics of the return value are: 2591 // If size was equal to 0, either NULL or a pointer suitable to be passed 2592 // to free() is returned. We just free the input pointer and do not add 2593 // any constrains on the output pointer. 2594 if (ProgramStateRef stateFree = FreeMemAux( 2595 C, Call, StateSizeIsZero, 0, false, IsKnownToBeAllocated, Family)) 2596 return stateFree; 2597 2598 // Default behavior. 2599 if (ProgramStateRef stateFree = 2600 FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocated, Family)) { 2601 2602 ProgramStateRef stateRealloc = 2603 MallocMemAux(C, Call, TotalSize, UnknownVal(), stateFree, Family); 2604 if (!stateRealloc) 2605 return nullptr; 2606 2607 OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure; 2608 if (ShouldFreeOnFail) 2609 Kind = OAR_FreeOnFailure; 2610 else if (!IsKnownToBeAllocated) 2611 Kind = OAR_DoNotTrackAfterFailure; 2612 2613 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 2614 SymbolRef FromPtr = arg0Val.getLocSymbolInBase(); 2615 SVal RetVal = C.getSVal(CE); 2616 SymbolRef ToPtr = RetVal.getAsSymbol(); 2617 assert(FromPtr && ToPtr && 2618 "By this point, FreeMemAux and MallocMemAux should have checked " 2619 "whether the argument or the return value is symbolic!"); 2620 2621 // Record the info about the reallocated symbol so that we could properly 2622 // process failed reallocation. 2623 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 2624 ReallocPair(FromPtr, Kind)); 2625 // The reallocated symbol should stay alive for as long as the new symbol. 2626 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 2627 return stateRealloc; 2628 } 2629 return nullptr; 2630 } 2631 2632 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, 2633 const CallEvent &Call, 2634 ProgramStateRef State) { 2635 if (!State) 2636 return nullptr; 2637 2638 if (Call.getNumArgs() < 2) 2639 return nullptr; 2640 2641 SValBuilder &svalBuilder = C.getSValBuilder(); 2642 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 2643 SVal TotalSize = 2644 evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1)); 2645 2646 return MallocMemAux(C, Call, TotalSize, zeroVal, State, AF_Malloc); 2647 } 2648 2649 MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N, 2650 SymbolRef Sym, 2651 CheckerContext &C) { 2652 const LocationContext *LeakContext = N->getLocationContext(); 2653 // Walk the ExplodedGraph backwards and find the first node that referred to 2654 // the tracked symbol. 2655 const ExplodedNode *AllocNode = N; 2656 const MemRegion *ReferenceRegion = nullptr; 2657 2658 while (N) { 2659 ProgramStateRef State = N->getState(); 2660 if (!State->get<RegionState>(Sym)) 2661 break; 2662 2663 // Find the most recent expression bound to the symbol in the current 2664 // context. 2665 if (!ReferenceRegion) { 2666 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 2667 SVal Val = State->getSVal(MR); 2668 if (Val.getAsLocSymbol() == Sym) { 2669 const VarRegion *VR = MR->getBaseRegion()->getAs<VarRegion>(); 2670 // Do not show local variables belonging to a function other than 2671 // where the error is reported. 2672 if (!VR || (VR->getStackFrame() == LeakContext->getStackFrame())) 2673 ReferenceRegion = MR; 2674 } 2675 } 2676 } 2677 2678 // Allocation node, is the last node in the current or parent context in 2679 // which the symbol was tracked. 2680 const LocationContext *NContext = N->getLocationContext(); 2681 if (NContext == LeakContext || 2682 NContext->isParentOf(LeakContext)) 2683 AllocNode = N; 2684 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 2685 } 2686 2687 return LeakInfo(AllocNode, ReferenceRegion); 2688 } 2689 2690 void MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N, 2691 CheckerContext &C) const { 2692 2693 if (!ChecksEnabled[CK_MallocChecker] && 2694 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 2695 return; 2696 2697 const RefState *RS = C.getState()->get<RegionState>(Sym); 2698 assert(RS && "cannot leak an untracked symbol"); 2699 AllocationFamily Family = RS->getAllocationFamily(); 2700 2701 if (Family == AF_Alloca) 2702 return; 2703 2704 Optional<MallocChecker::CheckKind> 2705 CheckKind = getCheckIfTracked(Family, true); 2706 2707 if (!CheckKind.hasValue()) 2708 return; 2709 2710 assert(N); 2711 if (!BT_Leak[*CheckKind]) { 2712 // Leaks should not be reported if they are post-dominated by a sink: 2713 // (1) Sinks are higher importance bugs. 2714 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 2715 // with __noreturn functions such as assert() or exit(). We choose not 2716 // to report leaks on such paths. 2717 BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak", 2718 categories::MemoryError, 2719 /*SuppressOnSink=*/true)); 2720 } 2721 2722 // Most bug reports are cached at the location where they occurred. 2723 // With leaks, we want to unique them by the location where they were 2724 // allocated, and only report a single path. 2725 PathDiagnosticLocation LocUsedForUniqueing; 2726 const ExplodedNode *AllocNode = nullptr; 2727 const MemRegion *Region = nullptr; 2728 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 2729 2730 const Stmt *AllocationStmt = AllocNode->getStmtForDiagnostics(); 2731 if (AllocationStmt) 2732 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 2733 C.getSourceManager(), 2734 AllocNode->getLocationContext()); 2735 2736 SmallString<200> buf; 2737 llvm::raw_svector_ostream os(buf); 2738 if (Region && Region->canPrintPretty()) { 2739 os << "Potential leak of memory pointed to by "; 2740 Region->printPretty(os); 2741 } else { 2742 os << "Potential memory leak"; 2743 } 2744 2745 auto R = std::make_unique<PathSensitiveBugReport>( 2746 *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 2747 AllocNode->getLocationContext()->getDecl()); 2748 R->markInteresting(Sym); 2749 R->addVisitor<MallocBugVisitor>(Sym, true); 2750 if (ShouldRegisterNoOwnershipChangeVisitor) 2751 R->addVisitor<NoOwnershipChangeVisitor>(Sym); 2752 C.emitReport(std::move(R)); 2753 } 2754 2755 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 2756 CheckerContext &C) const 2757 { 2758 ProgramStateRef state = C.getState(); 2759 RegionStateTy OldRS = state->get<RegionState>(); 2760 RegionStateTy::Factory &F = state->get_context<RegionState>(); 2761 2762 RegionStateTy RS = OldRS; 2763 SmallVector<SymbolRef, 2> Errors; 2764 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2765 if (SymReaper.isDead(I->first)) { 2766 if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero()) 2767 Errors.push_back(I->first); 2768 // Remove the dead symbol from the map. 2769 RS = F.remove(RS, I->first); 2770 } 2771 } 2772 2773 if (RS == OldRS) { 2774 // We shouldn't have touched other maps yet. 2775 assert(state->get<ReallocPairs>() == 2776 C.getState()->get<ReallocPairs>()); 2777 assert(state->get<FreeReturnValue>() == 2778 C.getState()->get<FreeReturnValue>()); 2779 return; 2780 } 2781 2782 // Cleanup the Realloc Pairs Map. 2783 ReallocPairsTy RP = state->get<ReallocPairs>(); 2784 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2785 if (SymReaper.isDead(I->first) || 2786 SymReaper.isDead(I->second.ReallocatedSym)) { 2787 state = state->remove<ReallocPairs>(I->first); 2788 } 2789 } 2790 2791 // Cleanup the FreeReturnValue Map. 2792 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 2793 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 2794 if (SymReaper.isDead(I->first) || 2795 SymReaper.isDead(I->second)) { 2796 state = state->remove<FreeReturnValue>(I->first); 2797 } 2798 } 2799 2800 // Generate leak node. 2801 ExplodedNode *N = C.getPredecessor(); 2802 if (!Errors.empty()) { 2803 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 2804 N = C.generateNonFatalErrorNode(C.getState(), &Tag); 2805 if (N) { 2806 for (SmallVectorImpl<SymbolRef>::iterator 2807 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 2808 HandleLeak(*I, N, C); 2809 } 2810 } 2811 } 2812 2813 C.addTransition(state->set<RegionState>(RS), N); 2814 } 2815 2816 void MallocChecker::checkPreCall(const CallEvent &Call, 2817 CheckerContext &C) const { 2818 2819 if (const auto *DC = dyn_cast<CXXDeallocatorCall>(&Call)) { 2820 const CXXDeleteExpr *DE = DC->getOriginExpr(); 2821 2822 if (!ChecksEnabled[CK_NewDeleteChecker]) 2823 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 2824 checkUseAfterFree(Sym, C, DE->getArgument()); 2825 2826 if (!isStandardNewDelete(DC->getDecl())) 2827 return; 2828 2829 ProgramStateRef State = C.getState(); 2830 bool IsKnownToBeAllocated; 2831 State = FreeMemAux(C, DE->getArgument(), Call, State, 2832 /*Hold*/ false, IsKnownToBeAllocated, 2833 (DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew)); 2834 2835 C.addTransition(State); 2836 return; 2837 } 2838 2839 if (const auto *DC = dyn_cast<CXXDestructorCall>(&Call)) { 2840 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 2841 if (!Sym || checkDoubleDelete(Sym, C)) 2842 return; 2843 } 2844 2845 // We will check for double free in the post visit. 2846 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 2847 const FunctionDecl *FD = FC->getDecl(); 2848 if (!FD) 2849 return; 2850 2851 if (ChecksEnabled[CK_MallocChecker] && isFreeingCall(Call)) 2852 return; 2853 } 2854 2855 // Check if the callee of a method is deleted. 2856 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 2857 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 2858 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 2859 return; 2860 } 2861 2862 // Check arguments for being used after free. 2863 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 2864 SVal ArgSVal = Call.getArgSVal(I); 2865 if (ArgSVal.getAs<Loc>()) { 2866 SymbolRef Sym = ArgSVal.getAsSymbol(); 2867 if (!Sym) 2868 continue; 2869 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 2870 return; 2871 } 2872 } 2873 } 2874 2875 void MallocChecker::checkPreStmt(const ReturnStmt *S, 2876 CheckerContext &C) const { 2877 checkEscapeOnReturn(S, C); 2878 } 2879 2880 // In the CFG, automatic destructors come after the return statement. 2881 // This callback checks for returning memory that is freed by automatic 2882 // destructors, as those cannot be reached in checkPreStmt(). 2883 void MallocChecker::checkEndFunction(const ReturnStmt *S, 2884 CheckerContext &C) const { 2885 checkEscapeOnReturn(S, C); 2886 } 2887 2888 void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S, 2889 CheckerContext &C) const { 2890 if (!S) 2891 return; 2892 2893 const Expr *E = S->getRetValue(); 2894 if (!E) 2895 return; 2896 2897 // Check if we are returning a symbol. 2898 ProgramStateRef State = C.getState(); 2899 SVal RetVal = C.getSVal(E); 2900 SymbolRef Sym = RetVal.getAsSymbol(); 2901 if (!Sym) 2902 // If we are returning a field of the allocated struct or an array element, 2903 // the callee could still free the memory. 2904 // TODO: This logic should be a part of generic symbol escape callback. 2905 if (const MemRegion *MR = RetVal.getAsRegion()) 2906 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 2907 if (const SymbolicRegion *BMR = 2908 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 2909 Sym = BMR->getSymbol(); 2910 2911 // Check if we are returning freed memory. 2912 if (Sym) 2913 checkUseAfterFree(Sym, C, E); 2914 } 2915 2916 // TODO: Blocks should be either inlined or should call invalidate regions 2917 // upon invocation. After that's in place, special casing here will not be 2918 // needed. 2919 void MallocChecker::checkPostStmt(const BlockExpr *BE, 2920 CheckerContext &C) const { 2921 2922 // Scan the BlockDecRefExprs for any object the retain count checker 2923 // may be tracking. 2924 if (!BE->getBlockDecl()->hasCaptures()) 2925 return; 2926 2927 ProgramStateRef state = C.getState(); 2928 const BlockDataRegion *R = 2929 cast<BlockDataRegion>(C.getSVal(BE).getAsRegion()); 2930 2931 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2932 E = R->referenced_vars_end(); 2933 2934 if (I == E) 2935 return; 2936 2937 SmallVector<const MemRegion*, 10> Regions; 2938 const LocationContext *LC = C.getLocationContext(); 2939 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2940 2941 for ( ; I != E; ++I) { 2942 const VarRegion *VR = I.getCapturedRegion(); 2943 if (VR->getSuperRegion() == R) { 2944 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2945 } 2946 Regions.push_back(VR); 2947 } 2948 2949 state = 2950 state->scanReachableSymbols<StopTrackingCallback>(Regions).getState(); 2951 C.addTransition(state); 2952 } 2953 2954 static bool isReleased(SymbolRef Sym, CheckerContext &C) { 2955 assert(Sym); 2956 const RefState *RS = C.getState()->get<RegionState>(Sym); 2957 return (RS && RS->isReleased()); 2958 } 2959 2960 bool MallocChecker::suppressDeallocationsInSuspiciousContexts( 2961 const CallEvent &Call, CheckerContext &C) const { 2962 if (Call.getNumArgs() == 0) 2963 return false; 2964 2965 StringRef FunctionStr = ""; 2966 if (const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl())) 2967 if (const Stmt *Body = FD->getBody()) 2968 if (Body->getBeginLoc().isValid()) 2969 FunctionStr = 2970 Lexer::getSourceText(CharSourceRange::getTokenRange( 2971 {FD->getBeginLoc(), Body->getBeginLoc()}), 2972 C.getSourceManager(), C.getLangOpts()); 2973 2974 // We do not model the Integer Set Library's retain-count based allocation. 2975 if (!FunctionStr.contains("__isl_")) 2976 return false; 2977 2978 ProgramStateRef State = C.getState(); 2979 2980 for (const Expr *Arg : cast<CallExpr>(Call.getOriginExpr())->arguments()) 2981 if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol()) 2982 if (const RefState *RS = State->get<RegionState>(Sym)) 2983 State = State->set<RegionState>(Sym, RefState::getEscaped(RS)); 2984 2985 C.addTransition(State); 2986 return true; 2987 } 2988 2989 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 2990 const Stmt *S) const { 2991 2992 if (isReleased(Sym, C)) { 2993 HandleUseAfterFree(C, S->getSourceRange(), Sym); 2994 return true; 2995 } 2996 2997 return false; 2998 } 2999 3000 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 3001 const Stmt *S) const { 3002 assert(Sym); 3003 3004 if (const RefState *RS = C.getState()->get<RegionState>(Sym)) { 3005 if (RS->isAllocatedOfSizeZero()) 3006 HandleUseZeroAlloc(C, RS->getStmt()->getSourceRange(), Sym); 3007 } 3008 else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) { 3009 HandleUseZeroAlloc(C, S->getSourceRange(), Sym); 3010 } 3011 } 3012 3013 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 3014 3015 if (isReleased(Sym, C)) { 3016 HandleDoubleDelete(C, Sym); 3017 return true; 3018 } 3019 return false; 3020 } 3021 3022 // Check if the location is a freed symbolic region. 3023 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 3024 CheckerContext &C) const { 3025 SymbolRef Sym = l.getLocSymbolInBase(); 3026 if (Sym) { 3027 checkUseAfterFree(Sym, C, S); 3028 checkUseZeroAllocated(Sym, C, S); 3029 } 3030 } 3031 3032 // If a symbolic region is assumed to NULL (or another constant), stop tracking 3033 // it - assuming that allocation failed on this path. 3034 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 3035 SVal Cond, 3036 bool Assumption) const { 3037 RegionStateTy RS = state->get<RegionState>(); 3038 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 3039 // If the symbol is assumed to be NULL, remove it from consideration. 3040 ConstraintManager &CMgr = state->getConstraintManager(); 3041 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 3042 if (AllocFailed.isConstrainedTrue()) 3043 state = state->remove<RegionState>(I.getKey()); 3044 } 3045 3046 // Realloc returns 0 when reallocation fails, which means that we should 3047 // restore the state of the pointer being reallocated. 3048 ReallocPairsTy RP = state->get<ReallocPairs>(); 3049 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 3050 // If the symbol is assumed to be NULL, remove it from consideration. 3051 ConstraintManager &CMgr = state->getConstraintManager(); 3052 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 3053 if (!AllocFailed.isConstrainedTrue()) 3054 continue; 3055 3056 SymbolRef ReallocSym = I.getData().ReallocatedSym; 3057 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 3058 if (RS->isReleased()) { 3059 switch (I.getData().Kind) { 3060 case OAR_ToBeFreedAfterFailure: 3061 state = state->set<RegionState>(ReallocSym, 3062 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 3063 break; 3064 case OAR_DoNotTrackAfterFailure: 3065 state = state->remove<RegionState>(ReallocSym); 3066 break; 3067 default: 3068 assert(I.getData().Kind == OAR_FreeOnFailure); 3069 } 3070 } 3071 } 3072 state = state->remove<ReallocPairs>(I.getKey()); 3073 } 3074 3075 return state; 3076 } 3077 3078 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 3079 const CallEvent *Call, 3080 ProgramStateRef State, 3081 SymbolRef &EscapingSymbol) const { 3082 assert(Call); 3083 EscapingSymbol = nullptr; 3084 3085 // For now, assume that any C++ or block call can free memory. 3086 // TODO: If we want to be more optimistic here, we'll need to make sure that 3087 // regions escape to C++ containers. They seem to do that even now, but for 3088 // mysterious reasons. 3089 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 3090 return true; 3091 3092 // Check Objective-C messages by selector name. 3093 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 3094 // If it's not a framework call, or if it takes a callback, assume it 3095 // can free memory. 3096 if (!Call->isInSystemHeader() || Call->argumentsMayEscape()) 3097 return true; 3098 3099 // If it's a method we know about, handle it explicitly post-call. 3100 // This should happen before the "freeWhenDone" check below. 3101 if (isKnownDeallocObjCMethodName(*Msg)) 3102 return false; 3103 3104 // If there's a "freeWhenDone" parameter, but the method isn't one we know 3105 // about, we can't be sure that the object will use free() to deallocate the 3106 // memory, so we can't model it explicitly. The best we can do is use it to 3107 // decide whether the pointer escapes. 3108 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 3109 return *FreeWhenDone; 3110 3111 // If the first selector piece ends with "NoCopy", and there is no 3112 // "freeWhenDone" parameter set to zero, we know ownership is being 3113 // transferred. Again, though, we can't be sure that the object will use 3114 // free() to deallocate the memory, so we can't model it explicitly. 3115 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 3116 if (FirstSlot.endswith("NoCopy")) 3117 return true; 3118 3119 // If the first selector starts with addPointer, insertPointer, 3120 // or replacePointer, assume we are dealing with NSPointerArray or similar. 3121 // This is similar to C++ containers (vector); we still might want to check 3122 // that the pointers get freed by following the container itself. 3123 if (FirstSlot.startswith("addPointer") || 3124 FirstSlot.startswith("insertPointer") || 3125 FirstSlot.startswith("replacePointer") || 3126 FirstSlot.equals("valueWithPointer")) { 3127 return true; 3128 } 3129 3130 // We should escape receiver on call to 'init'. This is especially relevant 3131 // to the receiver, as the corresponding symbol is usually not referenced 3132 // after the call. 3133 if (Msg->getMethodFamily() == OMF_init) { 3134 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 3135 return true; 3136 } 3137 3138 // Otherwise, assume that the method does not free memory. 3139 // Most framework methods do not free memory. 3140 return false; 3141 } 3142 3143 // At this point the only thing left to handle is straight function calls. 3144 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 3145 if (!FD) 3146 return true; 3147 3148 // If it's one of the allocation functions we can reason about, we model 3149 // its behavior explicitly. 3150 if (isMemCall(*Call)) 3151 return false; 3152 3153 // If it's not a system call, assume it frees memory. 3154 if (!Call->isInSystemHeader()) 3155 return true; 3156 3157 // White list the system functions whose arguments escape. 3158 const IdentifierInfo *II = FD->getIdentifier(); 3159 if (!II) 3160 return true; 3161 StringRef FName = II->getName(); 3162 3163 // White list the 'XXXNoCopy' CoreFoundation functions. 3164 // We specifically check these before 3165 if (FName.endswith("NoCopy")) { 3166 // Look for the deallocator argument. We know that the memory ownership 3167 // is not transferred only if the deallocator argument is 3168 // 'kCFAllocatorNull'. 3169 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 3170 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 3171 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 3172 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 3173 if (DeallocatorName == "kCFAllocatorNull") 3174 return false; 3175 } 3176 } 3177 return true; 3178 } 3179 3180 // Associating streams with malloced buffers. The pointer can escape if 3181 // 'closefn' is specified (and if that function does free memory), 3182 // but it will not if closefn is not specified. 3183 // Currently, we do not inspect the 'closefn' function (PR12101). 3184 if (FName == "funopen") 3185 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 3186 return false; 3187 3188 // Do not warn on pointers passed to 'setbuf' when used with std streams, 3189 // these leaks might be intentional when setting the buffer for stdio. 3190 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 3191 if (FName == "setbuf" || FName =="setbuffer" || 3192 FName == "setlinebuf" || FName == "setvbuf") { 3193 if (Call->getNumArgs() >= 1) { 3194 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 3195 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 3196 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 3197 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 3198 return true; 3199 } 3200 } 3201 3202 // A bunch of other functions which either take ownership of a pointer or 3203 // wrap the result up in a struct or object, meaning it can be freed later. 3204 // (See RetainCountChecker.) Not all the parameters here are invalidated, 3205 // but the Malloc checker cannot differentiate between them. The right way 3206 // of doing this would be to implement a pointer escapes callback. 3207 if (FName == "CGBitmapContextCreate" || 3208 FName == "CGBitmapContextCreateWithData" || 3209 FName == "CVPixelBufferCreateWithBytes" || 3210 FName == "CVPixelBufferCreateWithPlanarBytes" || 3211 FName == "OSAtomicEnqueue") { 3212 return true; 3213 } 3214 3215 if (FName == "postEvent" && 3216 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 3217 return true; 3218 } 3219 3220 if (FName == "connectImpl" && 3221 FD->getQualifiedNameAsString() == "QObject::connectImpl") { 3222 return true; 3223 } 3224 3225 // Handle cases where we know a buffer's /address/ can escape. 3226 // Note that the above checks handle some special cases where we know that 3227 // even though the address escapes, it's still our responsibility to free the 3228 // buffer. 3229 if (Call->argumentsMayEscape()) 3230 return true; 3231 3232 // Otherwise, assume that the function does not free memory. 3233 // Most system calls do not free the memory. 3234 return false; 3235 } 3236 3237 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 3238 const InvalidatedSymbols &Escaped, 3239 const CallEvent *Call, 3240 PointerEscapeKind Kind) const { 3241 return checkPointerEscapeAux(State, Escaped, Call, Kind, 3242 /*IsConstPointerEscape*/ false); 3243 } 3244 3245 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 3246 const InvalidatedSymbols &Escaped, 3247 const CallEvent *Call, 3248 PointerEscapeKind Kind) const { 3249 // If a const pointer escapes, it may not be freed(), but it could be deleted. 3250 return checkPointerEscapeAux(State, Escaped, Call, Kind, 3251 /*IsConstPointerEscape*/ true); 3252 } 3253 3254 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 3255 return (RS->getAllocationFamily() == AF_CXXNewArray || 3256 RS->getAllocationFamily() == AF_CXXNew); 3257 } 3258 3259 ProgramStateRef MallocChecker::checkPointerEscapeAux( 3260 ProgramStateRef State, const InvalidatedSymbols &Escaped, 3261 const CallEvent *Call, PointerEscapeKind Kind, 3262 bool IsConstPointerEscape) const { 3263 // If we know that the call does not free memory, or we want to process the 3264 // call later, keep tracking the top level arguments. 3265 SymbolRef EscapingSymbol = nullptr; 3266 if (Kind == PSK_DirectEscapeOnCall && 3267 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 3268 EscapingSymbol) && 3269 !EscapingSymbol) { 3270 return State; 3271 } 3272 3273 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 3274 E = Escaped.end(); 3275 I != E; ++I) { 3276 SymbolRef sym = *I; 3277 3278 if (EscapingSymbol && EscapingSymbol != sym) 3279 continue; 3280 3281 if (const RefState *RS = State->get<RegionState>(sym)) 3282 if (RS->isAllocated() || RS->isAllocatedOfSizeZero()) 3283 if (!IsConstPointerEscape || checkIfNewOrNewArrayFamily(RS)) 3284 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 3285 } 3286 return State; 3287 } 3288 3289 bool MallocChecker::isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C, 3290 SVal ArgVal) const { 3291 if (!KernelZeroSizePtrValue) 3292 KernelZeroSizePtrValue = 3293 tryExpandAsInteger("ZERO_SIZE_PTR", C.getPreprocessor()); 3294 3295 const llvm::APSInt *ArgValKnown = 3296 C.getSValBuilder().getKnownValue(State, ArgVal); 3297 return ArgValKnown && *KernelZeroSizePtrValue && 3298 ArgValKnown->getSExtValue() == **KernelZeroSizePtrValue; 3299 } 3300 3301 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 3302 ProgramStateRef prevState) { 3303 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 3304 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 3305 3306 for (const ReallocPairsTy::value_type &Pair : prevMap) { 3307 SymbolRef sym = Pair.first; 3308 if (!currMap.lookup(sym)) 3309 return sym; 3310 } 3311 3312 return nullptr; 3313 } 3314 3315 static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) { 3316 if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) { 3317 StringRef N = II->getName(); 3318 if (N.contains_insensitive("ptr") || N.contains_insensitive("pointer")) { 3319 if (N.contains_insensitive("ref") || N.contains_insensitive("cnt") || 3320 N.contains_insensitive("intrusive") || 3321 N.contains_insensitive("shared")) { 3322 return true; 3323 } 3324 } 3325 } 3326 return false; 3327 } 3328 3329 PathDiagnosticPieceRef MallocBugVisitor::VisitNode(const ExplodedNode *N, 3330 BugReporterContext &BRC, 3331 PathSensitiveBugReport &BR) { 3332 ProgramStateRef state = N->getState(); 3333 ProgramStateRef statePrev = N->getFirstPred()->getState(); 3334 3335 const RefState *RSCurr = state->get<RegionState>(Sym); 3336 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 3337 3338 const Stmt *S = N->getStmtForDiagnostics(); 3339 // When dealing with containers, we sometimes want to give a note 3340 // even if the statement is missing. 3341 if (!S && (!RSCurr || RSCurr->getAllocationFamily() != AF_InnerBuffer)) 3342 return nullptr; 3343 3344 const LocationContext *CurrentLC = N->getLocationContext(); 3345 3346 // If we find an atomic fetch_add or fetch_sub within the destructor in which 3347 // the pointer was released (before the release), this is likely a destructor 3348 // of a shared pointer. 3349 // Because we don't model atomics, and also because we don't know that the 3350 // original reference count is positive, we should not report use-after-frees 3351 // on objects deleted in such destructors. This can probably be improved 3352 // through better shared pointer modeling. 3353 if (ReleaseDestructorLC) { 3354 if (const auto *AE = dyn_cast<AtomicExpr>(S)) { 3355 AtomicExpr::AtomicOp Op = AE->getOp(); 3356 if (Op == AtomicExpr::AO__c11_atomic_fetch_add || 3357 Op == AtomicExpr::AO__c11_atomic_fetch_sub) { 3358 if (ReleaseDestructorLC == CurrentLC || 3359 ReleaseDestructorLC->isParentOf(CurrentLC)) { 3360 BR.markInvalid(getTag(), S); 3361 } 3362 } 3363 } 3364 } 3365 3366 // FIXME: We will eventually need to handle non-statement-based events 3367 // (__attribute__((cleanup))). 3368 3369 // Find out if this is an interesting point and what is the kind. 3370 StringRef Msg; 3371 std::unique_ptr<StackHintGeneratorForSymbol> StackHint = nullptr; 3372 SmallString<256> Buf; 3373 llvm::raw_svector_ostream OS(Buf); 3374 3375 if (Mode == Normal) { 3376 if (isAllocated(RSCurr, RSPrev, S)) { 3377 Msg = "Memory is allocated"; 3378 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3379 Sym, "Returned allocated memory"); 3380 } else if (isReleased(RSCurr, RSPrev, S)) { 3381 const auto Family = RSCurr->getAllocationFamily(); 3382 switch (Family) { 3383 case AF_Alloca: 3384 case AF_Malloc: 3385 case AF_CXXNew: 3386 case AF_CXXNewArray: 3387 case AF_IfNameIndex: 3388 Msg = "Memory is released"; 3389 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3390 Sym, "Returning; memory was released"); 3391 break; 3392 case AF_InnerBuffer: { 3393 const MemRegion *ObjRegion = 3394 allocation_state::getContainerObjRegion(statePrev, Sym); 3395 const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion); 3396 QualType ObjTy = TypedRegion->getValueType(); 3397 OS << "Inner buffer of '" << ObjTy.getAsString() << "' "; 3398 3399 if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) { 3400 OS << "deallocated by call to destructor"; 3401 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3402 Sym, "Returning; inner buffer was deallocated"); 3403 } else { 3404 OS << "reallocated by call to '"; 3405 const Stmt *S = RSCurr->getStmt(); 3406 if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) { 3407 OS << MemCallE->getMethodDecl()->getDeclName(); 3408 } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) { 3409 OS << OpCallE->getDirectCallee()->getDeclName(); 3410 } else if (const auto *CallE = dyn_cast<CallExpr>(S)) { 3411 auto &CEMgr = BRC.getStateManager().getCallEventManager(); 3412 CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC); 3413 if (const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl())) 3414 OS << D->getDeclName(); 3415 else 3416 OS << "unknown"; 3417 } 3418 OS << "'"; 3419 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3420 Sym, "Returning; inner buffer was reallocated"); 3421 } 3422 Msg = OS.str(); 3423 break; 3424 } 3425 case AF_None: 3426 llvm_unreachable("Unhandled allocation family!"); 3427 } 3428 3429 // See if we're releasing memory while inlining a destructor 3430 // (or one of its callees). This turns on various common 3431 // false positive suppressions. 3432 bool FoundAnyDestructor = false; 3433 for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) { 3434 if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) { 3435 if (isReferenceCountingPointerDestructor(DD)) { 3436 // This immediately looks like a reference-counting destructor. 3437 // We're bad at guessing the original reference count of the object, 3438 // so suppress the report for now. 3439 BR.markInvalid(getTag(), DD); 3440 } else if (!FoundAnyDestructor) { 3441 assert(!ReleaseDestructorLC && 3442 "There can be only one release point!"); 3443 // Suspect that it's a reference counting pointer destructor. 3444 // On one of the next nodes might find out that it has atomic 3445 // reference counting operations within it (see the code above), 3446 // and if so, we'd conclude that it likely is a reference counting 3447 // pointer destructor. 3448 ReleaseDestructorLC = LC->getStackFrame(); 3449 // It is unlikely that releasing memory is delegated to a destructor 3450 // inside a destructor of a shared pointer, because it's fairly hard 3451 // to pass the information that the pointer indeed needs to be 3452 // released into it. So we're only interested in the innermost 3453 // destructor. 3454 FoundAnyDestructor = true; 3455 } 3456 } 3457 } 3458 } else if (isRelinquished(RSCurr, RSPrev, S)) { 3459 Msg = "Memory ownership is transferred"; 3460 StackHint = std::make_unique<StackHintGeneratorForSymbol>(Sym, ""); 3461 } else if (hasReallocFailed(RSCurr, RSPrev, S)) { 3462 Mode = ReallocationFailed; 3463 Msg = "Reallocation failed"; 3464 StackHint = std::make_unique<StackHintGeneratorForReallocationFailed>( 3465 Sym, "Reallocation failed"); 3466 3467 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 3468 // Is it possible to fail two reallocs WITHOUT testing in between? 3469 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 3470 "We only support one failed realloc at a time."); 3471 BR.markInteresting(sym); 3472 FailedReallocSymbol = sym; 3473 } 3474 } 3475 3476 // We are in a special mode if a reallocation failed later in the path. 3477 } else if (Mode == ReallocationFailed) { 3478 assert(FailedReallocSymbol && "No symbol to look for."); 3479 3480 // Is this is the first appearance of the reallocated symbol? 3481 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 3482 // We're at the reallocation point. 3483 Msg = "Attempt to reallocate memory"; 3484 StackHint = std::make_unique<StackHintGeneratorForSymbol>( 3485 Sym, "Returned reallocated memory"); 3486 FailedReallocSymbol = nullptr; 3487 Mode = Normal; 3488 } 3489 } 3490 3491 if (Msg.empty()) { 3492 assert(!StackHint); 3493 return nullptr; 3494 } 3495 3496 assert(StackHint); 3497 3498 // Generate the extra diagnostic. 3499 PathDiagnosticLocation Pos; 3500 if (!S) { 3501 assert(RSCurr->getAllocationFamily() == AF_InnerBuffer); 3502 auto PostImplCall = N->getLocation().getAs<PostImplicitCall>(); 3503 if (!PostImplCall) 3504 return nullptr; 3505 Pos = PathDiagnosticLocation(PostImplCall->getLocation(), 3506 BRC.getSourceManager()); 3507 } else { 3508 Pos = PathDiagnosticLocation(S, BRC.getSourceManager(), 3509 N->getLocationContext()); 3510 } 3511 3512 auto P = std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true); 3513 BR.addCallStackHint(P, std::move(StackHint)); 3514 return P; 3515 } 3516 3517 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 3518 const char *NL, const char *Sep) const { 3519 3520 RegionStateTy RS = State->get<RegionState>(); 3521 3522 if (!RS.isEmpty()) { 3523 Out << Sep << "MallocChecker :" << NL; 3524 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 3525 const RefState *RefS = State->get<RegionState>(I.getKey()); 3526 AllocationFamily Family = RefS->getAllocationFamily(); 3527 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 3528 if (!CheckKind.hasValue()) 3529 CheckKind = getCheckIfTracked(Family, true); 3530 3531 I.getKey()->dumpToStream(Out); 3532 Out << " : "; 3533 I.getData().dump(Out); 3534 if (CheckKind.hasValue()) 3535 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 3536 Out << NL; 3537 } 3538 } 3539 } 3540 3541 namespace clang { 3542 namespace ento { 3543 namespace allocation_state { 3544 3545 ProgramStateRef 3546 markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) { 3547 AllocationFamily Family = AF_InnerBuffer; 3548 return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin)); 3549 } 3550 3551 } // end namespace allocation_state 3552 } // end namespace ento 3553 } // end namespace clang 3554 3555 // Intended to be used in InnerPointerChecker to register the part of 3556 // MallocChecker connected to it. 3557 void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) { 3558 MallocChecker *checker = mgr.getChecker<MallocChecker>(); 3559 checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true; 3560 checker->CheckNames[MallocChecker::CK_InnerPointerChecker] = 3561 mgr.getCurrentCheckerName(); 3562 } 3563 3564 void ento::registerDynamicMemoryModeling(CheckerManager &mgr) { 3565 auto *checker = mgr.registerChecker<MallocChecker>(); 3566 checker->ShouldIncludeOwnershipAnnotatedFunctions = 3567 mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic"); 3568 checker->ShouldRegisterNoOwnershipChangeVisitor = 3569 mgr.getAnalyzerOptions().getCheckerBooleanOption( 3570 checker, "AddNoOwnershipChangeNotes"); 3571 } 3572 3573 bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) { 3574 return true; 3575 } 3576 3577 #define REGISTER_CHECKER(name) \ 3578 void ento::register##name(CheckerManager &mgr) { \ 3579 MallocChecker *checker = mgr.getChecker<MallocChecker>(); \ 3580 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 3581 checker->CheckNames[MallocChecker::CK_##name] = \ 3582 mgr.getCurrentCheckerName(); \ 3583 } \ 3584 \ 3585 bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; } 3586 3587 REGISTER_CHECKER(MallocChecker) 3588 REGISTER_CHECKER(NewDeleteChecker) 3589 REGISTER_CHECKER(NewDeleteLeaksChecker) 3590 REGISTER_CHECKER(MismatchedDeallocatorChecker) 3591