xref: /llvm-project/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (revision b3fa86d6f3bdc1b0eb86934b9ecf4ff85295b79e)
1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file defines malloc/free checker, which checks for potential memory
11 // leaks, double free, and use-after-free problems.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/AST/Attr.h"
18 #include "clang/AST/ParentMap.h"
19 #include "clang/Basic/SourceManager.h"
20 #include "clang/Basic/TargetInfo.h"
21 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
22 #include "clang/StaticAnalyzer/Core/Checker.h"
23 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
24 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
25 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
27 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
28 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
29 #include "llvm/ADT/ImmutableMap.h"
30 #include "llvm/ADT/STLExtras.h"
31 #include "llvm/ADT/SmallString.h"
32 #include "llvm/ADT/StringExtras.h"
33 #include <climits>
34 
35 using namespace clang;
36 using namespace ento;
37 
38 namespace {
39 
40 // Used to check correspondence between allocators and deallocators.
41 enum AllocationFamily {
42   AF_None,
43   AF_Malloc,
44   AF_CXXNew,
45   AF_CXXNewArray,
46   AF_IfNameIndex
47 };
48 
49 class RefState {
50   enum Kind { // Reference to allocated memory.
51               Allocated,
52               // Reference to released/freed memory.
53               Released,
54               // The responsibility for freeing resources has transferred from
55               // this reference. A relinquished symbol should not be freed.
56               Relinquished,
57               // We are no longer guaranteed to have observed all manipulations
58               // of this pointer/memory. For example, it could have been
59               // passed as a parameter to an opaque function.
60               Escaped
61   };
62 
63   const Stmt *S;
64   unsigned K : 2; // Kind enum, but stored as a bitfield.
65   unsigned Family : 30; // Rest of 32-bit word, currently just an allocation
66                         // family.
67 
68   RefState(Kind k, const Stmt *s, unsigned family)
69     : S(s), K(k), Family(family) {
70     assert(family != AF_None);
71   }
72 public:
73   bool isAllocated() const { return K == Allocated; }
74   bool isReleased() const { return K == Released; }
75   bool isRelinquished() const { return K == Relinquished; }
76   bool isEscaped() const { return K == Escaped; }
77   AllocationFamily getAllocationFamily() const {
78     return (AllocationFamily)Family;
79   }
80   const Stmt *getStmt() const { return S; }
81 
82   bool operator==(const RefState &X) const {
83     return K == X.K && S == X.S && Family == X.Family;
84   }
85 
86   static RefState getAllocated(unsigned family, const Stmt *s) {
87     return RefState(Allocated, s, family);
88   }
89   static RefState getReleased(unsigned family, const Stmt *s) {
90     return RefState(Released, s, family);
91   }
92   static RefState getRelinquished(unsigned family, const Stmt *s) {
93     return RefState(Relinquished, s, family);
94   }
95   static RefState getEscaped(const RefState *RS) {
96     return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
97   }
98 
99   void Profile(llvm::FoldingSetNodeID &ID) const {
100     ID.AddInteger(K);
101     ID.AddPointer(S);
102     ID.AddInteger(Family);
103   }
104 
105   void dump(raw_ostream &OS) const {
106     switch (static_cast<Kind>(K)) {
107 #define CASE(ID) case ID: OS << #ID; break;
108     CASE(Allocated)
109     CASE(Released)
110     CASE(Relinquished)
111     CASE(Escaped)
112     }
113   }
114 
115   LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
116 };
117 
118 enum ReallocPairKind {
119   RPToBeFreedAfterFailure,
120   // The symbol has been freed when reallocation failed.
121   RPIsFreeOnFailure,
122   // The symbol does not need to be freed after reallocation fails.
123   RPDoNotTrackAfterFailure
124 };
125 
126 /// \class ReallocPair
127 /// \brief Stores information about the symbol being reallocated by a call to
128 /// 'realloc' to allow modeling failed reallocation later in the path.
129 struct ReallocPair {
130   // \brief The symbol which realloc reallocated.
131   SymbolRef ReallocatedSym;
132   ReallocPairKind Kind;
133 
134   ReallocPair(SymbolRef S, ReallocPairKind K) :
135     ReallocatedSym(S), Kind(K) {}
136   void Profile(llvm::FoldingSetNodeID &ID) const {
137     ID.AddInteger(Kind);
138     ID.AddPointer(ReallocatedSym);
139   }
140   bool operator==(const ReallocPair &X) const {
141     return ReallocatedSym == X.ReallocatedSym &&
142            Kind == X.Kind;
143   }
144 };
145 
146 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo;
147 
148 class MallocChecker : public Checker<check::DeadSymbols,
149                                      check::PointerEscape,
150                                      check::ConstPointerEscape,
151                                      check::PreStmt<ReturnStmt>,
152                                      check::PreCall,
153                                      check::PostStmt<CallExpr>,
154                                      check::PostStmt<CXXNewExpr>,
155                                      check::PreStmt<CXXDeleteExpr>,
156                                      check::PostStmt<BlockExpr>,
157                                      check::PostObjCMessage,
158                                      check::Location,
159                                      eval::Assume>
160 {
161 public:
162   MallocChecker()
163       : II_malloc(nullptr), II_free(nullptr), II_realloc(nullptr),
164         II_calloc(nullptr), II_valloc(nullptr), II_reallocf(nullptr),
165         II_strndup(nullptr), II_strdup(nullptr), II_kmalloc(nullptr),
166         II_if_nameindex(nullptr), II_if_freenameindex(nullptr) {}
167 
168   /// In pessimistic mode, the checker assumes that it does not know which
169   /// functions might free the memory.
170   enum CheckKind {
171     CK_MallocPessimistic,
172     CK_MallocOptimistic,
173     CK_NewDeleteChecker,
174     CK_NewDeleteLeaksChecker,
175     CK_MismatchedDeallocatorChecker,
176     CK_NumCheckKinds
177   };
178 
179   enum class MemoryOperationKind {
180     MOK_Allocate,
181     MOK_Free,
182     MOK_Any
183   };
184 
185   DefaultBool ChecksEnabled[CK_NumCheckKinds];
186   CheckName CheckNames[CK_NumCheckKinds];
187 
188   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
189   void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
190   void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
191   void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
192   void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
193   void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
194   void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
195   void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
196   ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
197                             bool Assumption) const;
198   void checkLocation(SVal l, bool isLoad, const Stmt *S,
199                      CheckerContext &C) const;
200 
201   ProgramStateRef checkPointerEscape(ProgramStateRef State,
202                                     const InvalidatedSymbols &Escaped,
203                                     const CallEvent *Call,
204                                     PointerEscapeKind Kind) const;
205   ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
206                                           const InvalidatedSymbols &Escaped,
207                                           const CallEvent *Call,
208                                           PointerEscapeKind Kind) const;
209 
210   void printState(raw_ostream &Out, ProgramStateRef State,
211                   const char *NL, const char *Sep) const override;
212 
213 private:
214   mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
215   mutable std::unique_ptr<BugType> BT_DoubleDelete;
216   mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
217   mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
218   mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
219   mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
220   mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
221   mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc,
222                          *II_valloc, *II_reallocf, *II_strndup, *II_strdup,
223                          *II_kmalloc, *II_if_nameindex, *II_if_freenameindex;
224   mutable Optional<uint64_t> KernelZeroFlagVal;
225 
226   void initIdentifierInfo(ASTContext &C) const;
227 
228   /// \brief Determine family of a deallocation expression.
229   AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const;
230 
231   /// \brief Print names of allocators and deallocators.
232   ///
233   /// \returns true on success.
234   bool printAllocDeallocName(raw_ostream &os, CheckerContext &C,
235                              const Expr *E) const;
236 
237   /// \brief Print expected name of an allocator based on the deallocator's
238   /// family derived from the DeallocExpr.
239   void printExpectedAllocName(raw_ostream &os, CheckerContext &C,
240                               const Expr *DeallocExpr) const;
241   /// \brief Print expected name of a deallocator based on the allocator's
242   /// family.
243   void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const;
244 
245   ///@{
246   /// Check if this is one of the functions which can allocate/reallocate memory
247   /// pointed to by one of its arguments.
248   bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
249   bool isCMemFunction(const FunctionDecl *FD,
250                       ASTContext &C,
251                       AllocationFamily Family,
252                       MemoryOperationKind MemKind) const;
253   bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;
254   ///@}
255   ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
256                                        const CallExpr *CE,
257                                        const OwnershipAttr* Att,
258                                        ProgramStateRef State) const;
259   static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
260                                       const Expr *SizeEx, SVal Init,
261                                       ProgramStateRef State,
262                                       AllocationFamily Family = AF_Malloc);
263   static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
264                                       SVal SizeEx, SVal Init,
265                                       ProgramStateRef State,
266                                       AllocationFamily Family = AF_Malloc);
267 
268   // Check if this malloc() for special flags. At present that means M_ZERO or
269   // __GFP_ZERO (in which case, treat it like calloc).
270   llvm::Optional<ProgramStateRef>
271   performKernelMalloc(const CallExpr *CE, CheckerContext &C,
272                       const ProgramStateRef &State) const;
273 
274   /// Update the RefState to reflect the new memory allocation.
275   static ProgramStateRef
276   MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
277                        AllocationFamily Family = AF_Malloc);
278 
279   ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE,
280                               const OwnershipAttr* Att,
281                               ProgramStateRef State) const;
282   ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
283                              ProgramStateRef state, unsigned Num,
284                              bool Hold,
285                              bool &ReleasedAllocated,
286                              bool ReturnsNullOnFailure = false) const;
287   ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg,
288                              const Expr *ParentExpr,
289                              ProgramStateRef State,
290                              bool Hold,
291                              bool &ReleasedAllocated,
292                              bool ReturnsNullOnFailure = false) const;
293 
294   ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE,
295                              bool FreesMemOnFailure,
296                              ProgramStateRef State) const;
297   static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,
298                                    ProgramStateRef State);
299 
300   ///\brief Check if the memory associated with this symbol was released.
301   bool isReleased(SymbolRef Sym, CheckerContext &C) const;
302 
303   bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
304 
305   bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
306 
307   /// Check if the function is known free memory, or if it is
308   /// "interesting" and should be modeled explicitly.
309   ///
310   /// \param [out] EscapingSymbol A function might not free memory in general,
311   ///   but could be known to free a particular symbol. In this case, false is
312   ///   returned and the single escaping symbol is returned through the out
313   ///   parameter.
314   ///
315   /// We assume that pointers do not escape through calls to system functions
316   /// not handled by this checker.
317   bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
318                                    ProgramStateRef State,
319                                    SymbolRef &EscapingSymbol) const;
320 
321   // Implementation of the checkPointerEscape callabcks.
322   ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
323                                   const InvalidatedSymbols &Escaped,
324                                   const CallEvent *Call,
325                                   PointerEscapeKind Kind,
326                                   bool(*CheckRefState)(const RefState*)) const;
327 
328   ///@{
329   /// Tells if a given family/call/symbol is tracked by the current checker.
330   /// Sets CheckKind to the kind of the checker responsible for this
331   /// family/call/symbol.
332   Optional<CheckKind> getCheckIfTracked(AllocationFamily Family) const;
333   Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
334                                         const Stmt *AllocDeallocStmt) const;
335   Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const;
336   ///@}
337   static bool SummarizeValue(raw_ostream &os, SVal V);
338   static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
339   void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
340                      const Expr *DeallocExpr) const;
341   void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
342                                const Expr *DeallocExpr, const RefState *RS,
343                                SymbolRef Sym, bool OwnershipTransferred) const;
344   void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
345                         const Expr *DeallocExpr,
346                         const Expr *AllocExpr = nullptr) const;
347   void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
348                           SymbolRef Sym) const;
349   void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
350                         SymbolRef Sym, SymbolRef PrevSym) const;
351 
352   void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
353 
354   /// Find the location of the allocation for Sym on the path leading to the
355   /// exploded node N.
356   LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
357                              CheckerContext &C) const;
358 
359   void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
360 
361   /// The bug visitor which allows us to print extra diagnostics along the
362   /// BugReport path. For example, showing the allocation site of the leaked
363   /// region.
364   class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> {
365   protected:
366     enum NotificationMode {
367       Normal,
368       ReallocationFailed
369     };
370 
371     // The allocated region symbol tracked by the main analysis.
372     SymbolRef Sym;
373 
374     // The mode we are in, i.e. what kind of diagnostics will be emitted.
375     NotificationMode Mode;
376 
377     // A symbol from when the primary region should have been reallocated.
378     SymbolRef FailedReallocSymbol;
379 
380     bool IsLeak;
381 
382   public:
383     MallocBugVisitor(SymbolRef S, bool isLeak = false)
384        : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), IsLeak(isLeak) {}
385 
386     virtual ~MallocBugVisitor() {}
387 
388     void Profile(llvm::FoldingSetNodeID &ID) const override {
389       static int X = 0;
390       ID.AddPointer(&X);
391       ID.AddPointer(Sym);
392     }
393 
394     inline bool isAllocated(const RefState *S, const RefState *SPrev,
395                             const Stmt *Stmt) {
396       // Did not track -> allocated. Other state (released) -> allocated.
397       return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) &&
398               (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated()));
399     }
400 
401     inline bool isReleased(const RefState *S, const RefState *SPrev,
402                            const Stmt *Stmt) {
403       // Did not track -> released. Other state (allocated) -> released.
404       return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) &&
405               (S && S->isReleased()) && (!SPrev || !SPrev->isReleased()));
406     }
407 
408     inline bool isRelinquished(const RefState *S, const RefState *SPrev,
409                                const Stmt *Stmt) {
410       // Did not track -> relinquished. Other state (allocated) -> relinquished.
411       return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) ||
412                                               isa<ObjCPropertyRefExpr>(Stmt)) &&
413               (S && S->isRelinquished()) &&
414               (!SPrev || !SPrev->isRelinquished()));
415     }
416 
417     inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev,
418                                      const Stmt *Stmt) {
419       // If the expression is not a call, and the state change is
420       // released -> allocated, it must be the realloc return value
421       // check. If we have to handle more cases here, it might be cleaner just
422       // to track this extra bit in the state itself.
423       return ((!Stmt || !isa<CallExpr>(Stmt)) &&
424               (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated()));
425     }
426 
427     PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
428                                    const ExplodedNode *PrevN,
429                                    BugReporterContext &BRC,
430                                    BugReport &BR) override;
431 
432     std::unique_ptr<PathDiagnosticPiece>
433     getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode,
434                BugReport &BR) override {
435       if (!IsLeak)
436         return nullptr;
437 
438       PathDiagnosticLocation L =
439         PathDiagnosticLocation::createEndOfPath(EndPathNode,
440                                                 BRC.getSourceManager());
441       // Do not add the statement itself as a range in case of leak.
442       return llvm::make_unique<PathDiagnosticEventPiece>(L, BR.getDescription(),
443                                                          false);
444     }
445 
446   private:
447     class StackHintGeneratorForReallocationFailed
448         : public StackHintGeneratorForSymbol {
449     public:
450       StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
451         : StackHintGeneratorForSymbol(S, M) {}
452 
453       std::string getMessageForArg(const Expr *ArgE,
454                                    unsigned ArgIndex) override {
455         // Printed parameters start at 1, not 0.
456         ++ArgIndex;
457 
458         SmallString<200> buf;
459         llvm::raw_svector_ostream os(buf);
460 
461         os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
462            << " parameter failed";
463 
464         return os.str();
465       }
466 
467       std::string getMessageForReturn(const CallExpr *CallExpr) override {
468         return "Reallocation of returned value failed";
469       }
470     };
471   };
472 };
473 } // end anonymous namespace
474 
475 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
476 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
477 
478 // A map from the freed symbol to the symbol representing the return value of
479 // the free function.
480 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)
481 
482 namespace {
483 class StopTrackingCallback : public SymbolVisitor {
484   ProgramStateRef state;
485 public:
486   StopTrackingCallback(ProgramStateRef st) : state(st) {}
487   ProgramStateRef getState() const { return state; }
488 
489   bool VisitSymbol(SymbolRef sym) override {
490     state = state->remove<RegionState>(sym);
491     return true;
492   }
493 };
494 } // end anonymous namespace
495 
496 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
497   if (II_malloc)
498     return;
499   II_malloc = &Ctx.Idents.get("malloc");
500   II_free = &Ctx.Idents.get("free");
501   II_realloc = &Ctx.Idents.get("realloc");
502   II_reallocf = &Ctx.Idents.get("reallocf");
503   II_calloc = &Ctx.Idents.get("calloc");
504   II_valloc = &Ctx.Idents.get("valloc");
505   II_strdup = &Ctx.Idents.get("strdup");
506   II_strndup = &Ctx.Idents.get("strndup");
507   II_kmalloc = &Ctx.Idents.get("kmalloc");
508   II_if_nameindex = &Ctx.Idents.get("if_nameindex");
509   II_if_freenameindex = &Ctx.Idents.get("if_freenameindex");
510 }
511 
512 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const {
513   if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any))
514     return true;
515 
516   if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
517     return true;
518 
519   if (isStandardNewDelete(FD, C))
520     return true;
521 
522   return false;
523 }
524 
525 bool MallocChecker::isCMemFunction(const FunctionDecl *FD,
526                                    ASTContext &C,
527                                    AllocationFamily Family,
528                                    MemoryOperationKind MemKind) const {
529   if (!FD)
530     return false;
531 
532   bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any ||
533                     MemKind == MemoryOperationKind::MOK_Free);
534   bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any ||
535                      MemKind == MemoryOperationKind::MOK_Allocate);
536 
537   if (FD->getKind() == Decl::Function) {
538     const IdentifierInfo *FunI = FD->getIdentifier();
539     initIdentifierInfo(C);
540 
541     if (Family == AF_Malloc && CheckFree) {
542       if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf)
543         return true;
544     }
545 
546     if (Family == AF_Malloc && CheckAlloc) {
547       if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf ||
548           FunI == II_calloc || FunI == II_valloc || FunI == II_strdup ||
549           FunI == II_strndup || FunI == II_kmalloc)
550         return true;
551     }
552 
553     if (Family == AF_IfNameIndex && CheckFree) {
554       if (FunI == II_if_freenameindex)
555         return true;
556     }
557 
558     if (Family == AF_IfNameIndex && CheckAlloc) {
559       if (FunI == II_if_nameindex)
560         return true;
561     }
562   }
563 
564   if (Family != AF_Malloc)
565     return false;
566 
567   if (ChecksEnabled[CK_MallocOptimistic] && FD->hasAttrs()) {
568     for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
569       OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
570       if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) {
571         if (CheckFree)
572           return true;
573       } else if (OwnKind == OwnershipAttr::Returns) {
574         if (CheckAlloc)
575           return true;
576       }
577     }
578   }
579 
580   return false;
581 }
582 
583 // Tells if the callee is one of the following:
584 // 1) A global non-placement new/delete operator function.
585 // 2) A global placement operator function with the single placement argument
586 //    of type std::nothrow_t.
587 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD,
588                                         ASTContext &C) const {
589   if (!FD)
590     return false;
591 
592   OverloadedOperatorKind Kind = FD->getOverloadedOperator();
593   if (Kind != OO_New && Kind != OO_Array_New &&
594       Kind != OO_Delete && Kind != OO_Array_Delete)
595     return false;
596 
597   // Skip all operator new/delete methods.
598   if (isa<CXXMethodDecl>(FD))
599     return false;
600 
601   // Return true if tested operator is a standard placement nothrow operator.
602   if (FD->getNumParams() == 2) {
603     QualType T = FD->getParamDecl(1)->getType();
604     if (const IdentifierInfo *II = T.getBaseTypeIdentifier())
605       return II->getName().equals("nothrow_t");
606   }
607 
608   // Skip placement operators.
609   if (FD->getNumParams() != 1 || FD->isVariadic())
610     return false;
611 
612   // One of the standard new/new[]/delete/delete[] non-placement operators.
613   return true;
614 }
615 
616 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc(
617   const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const {
618   // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
619   //
620   // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
621   //
622   // One of the possible flags is M_ZERO, which means 'give me back an
623   // allocation which is already zeroed', like calloc.
624 
625   // 2-argument kmalloc(), as used in the Linux kernel:
626   //
627   // void *kmalloc(size_t size, gfp_t flags);
628   //
629   // Has the similar flag value __GFP_ZERO.
630 
631   // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
632   // code could be shared.
633 
634   ASTContext &Ctx = C.getASTContext();
635   llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
636 
637   if (!KernelZeroFlagVal.hasValue()) {
638     if (OS == llvm::Triple::FreeBSD)
639       KernelZeroFlagVal = 0x0100;
640     else if (OS == llvm::Triple::NetBSD)
641       KernelZeroFlagVal = 0x0002;
642     else if (OS == llvm::Triple::OpenBSD)
643       KernelZeroFlagVal = 0x0008;
644     else if (OS == llvm::Triple::Linux)
645       // __GFP_ZERO
646       KernelZeroFlagVal = 0x8000;
647     else
648       // FIXME: We need a more general way of getting the M_ZERO value.
649       // See also: O_CREAT in UnixAPIChecker.cpp.
650 
651       // Fall back to normal malloc behavior on platforms where we don't
652       // know M_ZERO.
653       return None;
654   }
655 
656   // We treat the last argument as the flags argument, and callers fall-back to
657   // normal malloc on a None return. This works for the FreeBSD kernel malloc
658   // as well as Linux kmalloc.
659   if (CE->getNumArgs() < 2)
660     return None;
661 
662   const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1);
663   const SVal V = State->getSVal(FlagsEx, C.getLocationContext());
664   if (!V.getAs<NonLoc>()) {
665     // The case where 'V' can be a location can only be due to a bad header,
666     // so in this case bail out.
667     return None;
668   }
669 
670   NonLoc Flags = V.castAs<NonLoc>();
671   NonLoc ZeroFlag = C.getSValBuilder()
672       .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType())
673       .castAs<NonLoc>();
674   SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And,
675                                                       Flags, ZeroFlag,
676                                                       FlagsEx->getType());
677   if (MaskedFlagsUC.isUnknownOrUndef())
678     return None;
679   DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
680 
681   // Check if maskedFlags is non-zero.
682   ProgramStateRef TrueState, FalseState;
683   std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
684 
685   // If M_ZERO is set, treat this like calloc (initialized).
686   if (TrueState && !FalseState) {
687     SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
688     return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState);
689   }
690 
691   return None;
692 }
693 
694 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
695   if (C.wasInlined)
696     return;
697 
698   const FunctionDecl *FD = C.getCalleeDecl(CE);
699   if (!FD)
700     return;
701 
702   ProgramStateRef State = C.getState();
703   bool ReleasedAllocatedMemory = false;
704 
705   if (FD->getKind() == Decl::Function) {
706     initIdentifierInfo(C.getASTContext());
707     IdentifierInfo *FunI = FD->getIdentifier();
708 
709     if (FunI == II_malloc) {
710       if (CE->getNumArgs() < 1)
711         return;
712       if (CE->getNumArgs() < 3) {
713         State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
714       } else if (CE->getNumArgs() == 3) {
715         llvm::Optional<ProgramStateRef> MaybeState =
716           performKernelMalloc(CE, C, State);
717         if (MaybeState.hasValue())
718           State = MaybeState.getValue();
719         else
720           State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
721       }
722     } else if (FunI == II_kmalloc) {
723       llvm::Optional<ProgramStateRef> MaybeState =
724         performKernelMalloc(CE, C, State);
725       if (MaybeState.hasValue())
726         State = MaybeState.getValue();
727       else
728         State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
729     } else if (FunI == II_valloc) {
730       if (CE->getNumArgs() < 1)
731         return;
732       State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
733     } else if (FunI == II_realloc) {
734       State = ReallocMem(C, CE, false, State);
735     } else if (FunI == II_reallocf) {
736       State = ReallocMem(C, CE, true, State);
737     } else if (FunI == II_calloc) {
738       State = CallocMem(C, CE, State);
739     } else if (FunI == II_free) {
740       State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
741     } else if (FunI == II_strdup) {
742       State = MallocUpdateRefState(C, CE, State);
743     } else if (FunI == II_strndup) {
744       State = MallocUpdateRefState(C, CE, State);
745     }
746     else if (isStandardNewDelete(FD, C.getASTContext())) {
747       // Process direct calls to operator new/new[]/delete/delete[] functions
748       // as distinct from new/new[]/delete/delete[] expressions that are
749       // processed by the checkPostStmt callbacks for CXXNewExpr and
750       // CXXDeleteExpr.
751       OverloadedOperatorKind K = FD->getOverloadedOperator();
752       if (K == OO_New)
753         State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
754                              AF_CXXNew);
755       else if (K == OO_Array_New)
756         State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
757                              AF_CXXNewArray);
758       else if (K == OO_Delete || K == OO_Array_Delete)
759         State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
760       else
761         llvm_unreachable("not a new/delete operator");
762     } else if (FunI == II_if_nameindex) {
763       // Should we model this differently? We can allocate a fixed number of
764       // elements with zeros in the last one.
765       State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
766                            AF_IfNameIndex);
767     } else if (FunI == II_if_freenameindex) {
768       State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
769     }
770   }
771 
772   if (ChecksEnabled[CK_MallocOptimistic] ||
773       ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
774     // Check all the attributes, if there are any.
775     // There can be multiple of these attributes.
776     if (FD->hasAttrs())
777       for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
778         switch (I->getOwnKind()) {
779         case OwnershipAttr::Returns:
780           State = MallocMemReturnsAttr(C, CE, I, State);
781           break;
782         case OwnershipAttr::Takes:
783         case OwnershipAttr::Holds:
784           State = FreeMemAttr(C, CE, I, State);
785           break;
786         }
787       }
788   }
789   C.addTransition(State);
790 }
791 
792 static QualType getDeepPointeeType(QualType T) {
793   QualType Result = T, PointeeType = T->getPointeeType();
794   while (!PointeeType.isNull()) {
795     Result = PointeeType;
796     PointeeType = PointeeType->getPointeeType();
797   }
798   return Result;
799 }
800 
801 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) {
802 
803   const CXXConstructExpr *ConstructE = NE->getConstructExpr();
804   if (!ConstructE)
805     return false;
806 
807   if (!NE->getAllocatedType()->getAsCXXRecordDecl())
808     return false;
809 
810   const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
811 
812   // Iterate over the constructor parameters.
813   for (const auto *CtorParam : CtorD->params()) {
814 
815     QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
816     if (CtorParamPointeeT.isNull())
817       continue;
818 
819     CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
820 
821     if (CtorParamPointeeT->getAsCXXRecordDecl())
822       return true;
823   }
824 
825   return false;
826 }
827 
828 void MallocChecker::checkPostStmt(const CXXNewExpr *NE,
829                                   CheckerContext &C) const {
830 
831   if (NE->getNumPlacementArgs())
832     for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(),
833          E = NE->placement_arg_end(); I != E; ++I)
834       if (SymbolRef Sym = C.getSVal(*I).getAsSymbol())
835         checkUseAfterFree(Sym, C, *I);
836 
837   if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext()))
838     return;
839 
840   ParentMap &PM = C.getLocationContext()->getParentMap();
841   if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE))
842     return;
843 
844   ProgramStateRef State = C.getState();
845   // The return value from operator new is bound to a specified initialization
846   // value (if any) and we don't want to loose this value. So we call
847   // MallocUpdateRefState() instead of MallocMemAux() which breakes the
848   // existing binding.
849   State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray
850                                                            : AF_CXXNew);
851   C.addTransition(State);
852 }
853 
854 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
855                                  CheckerContext &C) const {
856 
857   if (!ChecksEnabled[CK_NewDeleteChecker])
858     if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
859       checkUseAfterFree(Sym, C, DE->getArgument());
860 
861   if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext()))
862     return;
863 
864   ProgramStateRef State = C.getState();
865   bool ReleasedAllocated;
866   State = FreeMemAux(C, DE->getArgument(), DE, State,
867                      /*Hold*/false, ReleasedAllocated);
868 
869   C.addTransition(State);
870 }
871 
872 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
873   // If the first selector piece is one of the names below, assume that the
874   // object takes ownership of the memory, promising to eventually deallocate it
875   // with free().
876   // Ex:  [NSData dataWithBytesNoCopy:bytes length:10];
877   // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
878   StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
879   if (FirstSlot == "dataWithBytesNoCopy" ||
880       FirstSlot == "initWithBytesNoCopy" ||
881       FirstSlot == "initWithCharactersNoCopy")
882     return true;
883 
884   return false;
885 }
886 
887 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) {
888   Selector S = Call.getSelector();
889 
890   // FIXME: We should not rely on fully-constrained symbols being folded.
891   for (unsigned i = 1; i < S.getNumArgs(); ++i)
892     if (S.getNameForSlot(i).equals("freeWhenDone"))
893       return !Call.getArgSVal(i).isZeroConstant();
894 
895   return None;
896 }
897 
898 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
899                                          CheckerContext &C) const {
900   if (C.wasInlined)
901     return;
902 
903   if (!isKnownDeallocObjCMethodName(Call))
904     return;
905 
906   if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
907     if (!*FreeWhenDone)
908       return;
909 
910   bool ReleasedAllocatedMemory;
911   ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0),
912                                      Call.getOriginExpr(), C.getState(),
913                                      /*Hold=*/true, ReleasedAllocatedMemory,
914                                      /*RetNullOnFailure=*/true);
915 
916   C.addTransition(State);
917 }
918 
919 ProgramStateRef
920 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
921                                     const OwnershipAttr *Att,
922                                     ProgramStateRef State) const {
923   if (!State)
924     return nullptr;
925 
926   if (Att->getModule() != II_malloc)
927     return nullptr;
928 
929   OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
930   if (I != E) {
931     return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), State);
932   }
933   return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State);
934 }
935 
936 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
937                                             const CallExpr *CE,
938                                             const Expr *SizeEx, SVal Init,
939                                             ProgramStateRef State,
940                                             AllocationFamily Family) {
941   if (!State)
942     return nullptr;
943 
944   return MallocMemAux(C, CE, State->getSVal(SizeEx, C.getLocationContext()),
945                       Init, State, Family);
946 }
947 
948 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
949                                            const CallExpr *CE,
950                                            SVal Size, SVal Init,
951                                            ProgramStateRef State,
952                                            AllocationFamily Family) {
953   if (!State)
954     return nullptr;
955 
956   // We expect the malloc functions to return a pointer.
957   if (!Loc::isLocType(CE->getType()))
958     return nullptr;
959 
960   // Bind the return value to the symbolic value from the heap region.
961   // TODO: We could rewrite post visit to eval call; 'malloc' does not have
962   // side effects other than what we model here.
963   unsigned Count = C.blockCount();
964   SValBuilder &svalBuilder = C.getSValBuilder();
965   const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
966   DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
967       .castAs<DefinedSVal>();
968   State = State->BindExpr(CE, C.getLocationContext(), RetVal);
969 
970   // Fill the region with the initialization value.
971   State = State->bindDefault(RetVal, Init);
972 
973   // Set the region's extent equal to the Size parameter.
974   const SymbolicRegion *R =
975       dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
976   if (!R)
977     return nullptr;
978   if (Optional<DefinedOrUnknownSVal> DefinedSize =
979           Size.getAs<DefinedOrUnknownSVal>()) {
980     SValBuilder &svalBuilder = C.getSValBuilder();
981     DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
982     DefinedOrUnknownSVal extentMatchesSize =
983         svalBuilder.evalEQ(State, Extent, *DefinedSize);
984 
985     State = State->assume(extentMatchesSize, true);
986     assert(State);
987   }
988 
989   return MallocUpdateRefState(C, CE, State, Family);
990 }
991 
992 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
993                                                     const Expr *E,
994                                                     ProgramStateRef State,
995                                                     AllocationFamily Family) {
996   if (!State)
997     return nullptr;
998 
999   // Get the return value.
1000   SVal retVal = State->getSVal(E, C.getLocationContext());
1001 
1002   // We expect the malloc functions to return a pointer.
1003   if (!retVal.getAs<Loc>())
1004     return nullptr;
1005 
1006   SymbolRef Sym = retVal.getAsLocSymbol();
1007   assert(Sym);
1008 
1009   // Set the symbol's state to Allocated.
1010   return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1011 }
1012 
1013 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1014                                            const CallExpr *CE,
1015                                            const OwnershipAttr *Att,
1016                                            ProgramStateRef State) const {
1017   if (!State)
1018     return nullptr;
1019 
1020   if (Att->getModule() != II_malloc)
1021     return nullptr;
1022 
1023   bool ReleasedAllocated = false;
1024 
1025   for (const auto &Arg : Att->args()) {
1026     ProgramStateRef StateI = FreeMemAux(C, CE, State, Arg,
1027                                Att->getOwnKind() == OwnershipAttr::Holds,
1028                                ReleasedAllocated);
1029     if (StateI)
1030       State = StateI;
1031   }
1032   return State;
1033 }
1034 
1035 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1036                                           const CallExpr *CE,
1037                                           ProgramStateRef State,
1038                                           unsigned Num,
1039                                           bool Hold,
1040                                           bool &ReleasedAllocated,
1041                                           bool ReturnsNullOnFailure) const {
1042   if (!State)
1043     return nullptr;
1044 
1045   if (CE->getNumArgs() < (Num + 1))
1046     return nullptr;
1047 
1048   return FreeMemAux(C, CE->getArg(Num), CE, State, Hold,
1049                     ReleasedAllocated, ReturnsNullOnFailure);
1050 }
1051 
1052 /// Checks if the previous call to free on the given symbol failed - if free
1053 /// failed, returns true. Also, returns the corresponding return value symbol.
1054 static bool didPreviousFreeFail(ProgramStateRef State,
1055                                 SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1056   const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
1057   if (Ret) {
1058     assert(*Ret && "We should not store the null return symbol");
1059     ConstraintManager &CMgr = State->getConstraintManager();
1060     ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
1061     RetStatusSymbol = *Ret;
1062     return FreeFailed.isConstrainedTrue();
1063   }
1064   return false;
1065 }
1066 
1067 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C,
1068                                                     const Stmt *S) const {
1069   if (!S)
1070     return AF_None;
1071 
1072   if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
1073     const FunctionDecl *FD = C.getCalleeDecl(CE);
1074 
1075     if (!FD)
1076       FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl());
1077 
1078     ASTContext &Ctx = C.getASTContext();
1079 
1080     if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any))
1081       return AF_Malloc;
1082 
1083     if (isStandardNewDelete(FD, Ctx)) {
1084       OverloadedOperatorKind Kind = FD->getOverloadedOperator();
1085       if (Kind == OO_New || Kind == OO_Delete)
1086         return AF_CXXNew;
1087       else if (Kind == OO_Array_New || Kind == OO_Array_Delete)
1088         return AF_CXXNewArray;
1089     }
1090 
1091     if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
1092       return AF_IfNameIndex;
1093 
1094     return AF_None;
1095   }
1096 
1097   if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S))
1098     return NE->isArray() ? AF_CXXNewArray : AF_CXXNew;
1099 
1100   if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S))
1101     return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew;
1102 
1103   if (isa<ObjCMessageExpr>(S))
1104     return AF_Malloc;
1105 
1106   return AF_None;
1107 }
1108 
1109 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C,
1110                                           const Expr *E) const {
1111   if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
1112     // FIXME: This doesn't handle indirect calls.
1113     const FunctionDecl *FD = CE->getDirectCallee();
1114     if (!FD)
1115       return false;
1116 
1117     os << *FD;
1118     if (!FD->isOverloadedOperator())
1119       os << "()";
1120     return true;
1121   }
1122 
1123   if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) {
1124     if (Msg->isInstanceMessage())
1125       os << "-";
1126     else
1127       os << "+";
1128     Msg->getSelector().print(os);
1129     return true;
1130   }
1131 
1132   if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
1133     os << "'"
1134        << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator())
1135        << "'";
1136     return true;
1137   }
1138 
1139   if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) {
1140     os << "'"
1141        << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator())
1142        << "'";
1143     return true;
1144   }
1145 
1146   return false;
1147 }
1148 
1149 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C,
1150                                            const Expr *E) const {
1151   AllocationFamily Family = getAllocationFamily(C, E);
1152 
1153   switch(Family) {
1154     case AF_Malloc: os << "malloc()"; return;
1155     case AF_CXXNew: os << "'new'"; return;
1156     case AF_CXXNewArray: os << "'new[]'"; return;
1157     case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1158     case AF_None: llvm_unreachable("not a deallocation expression");
1159   }
1160 }
1161 
1162 void MallocChecker::printExpectedDeallocName(raw_ostream &os,
1163                                              AllocationFamily Family) const {
1164   switch(Family) {
1165     case AF_Malloc: os << "free()"; return;
1166     case AF_CXXNew: os << "'delete'"; return;
1167     case AF_CXXNewArray: os << "'delete[]'"; return;
1168     case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1169     case AF_None: llvm_unreachable("suspicious AF_None argument");
1170   }
1171 }
1172 
1173 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1174                                           const Expr *ArgExpr,
1175                                           const Expr *ParentExpr,
1176                                           ProgramStateRef State,
1177                                           bool Hold,
1178                                           bool &ReleasedAllocated,
1179                                           bool ReturnsNullOnFailure) const {
1180 
1181   if (!State)
1182     return nullptr;
1183 
1184   SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext());
1185   if (!ArgVal.getAs<DefinedOrUnknownSVal>())
1186     return nullptr;
1187   DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1188 
1189   // Check for null dereferences.
1190   if (!location.getAs<Loc>())
1191     return nullptr;
1192 
1193   // The explicit NULL case, no operation is performed.
1194   ProgramStateRef notNullState, nullState;
1195   std::tie(notNullState, nullState) = State->assume(location);
1196   if (nullState && !notNullState)
1197     return nullptr;
1198 
1199   // Unknown values could easily be okay
1200   // Undefined values are handled elsewhere
1201   if (ArgVal.isUnknownOrUndef())
1202     return nullptr;
1203 
1204   const MemRegion *R = ArgVal.getAsRegion();
1205 
1206   // Nonlocs can't be freed, of course.
1207   // Non-region locations (labels and fixed addresses) also shouldn't be freed.
1208   if (!R) {
1209     ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1210     return nullptr;
1211   }
1212 
1213   R = R->StripCasts();
1214 
1215   // Blocks might show up as heap data, but should not be free()d
1216   if (isa<BlockDataRegion>(R)) {
1217     ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1218     return nullptr;
1219   }
1220 
1221   const MemSpaceRegion *MS = R->getMemorySpace();
1222 
1223   // Parameters, locals, statics, globals, and memory returned by alloca()
1224   // shouldn't be freed.
1225   if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {
1226     // FIXME: at the time this code was written, malloc() regions were
1227     // represented by conjured symbols, which are all in UnknownSpaceRegion.
1228     // This means that there isn't actually anything from HeapSpaceRegion
1229     // that should be freed, even though we allow it here.
1230     // Of course, free() can work on memory allocated outside the current
1231     // function, so UnknownSpaceRegion is always a possibility.
1232     // False negatives are better than false positives.
1233 
1234     ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1235     return nullptr;
1236   }
1237 
1238   const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
1239   // Various cases could lead to non-symbol values here.
1240   // For now, ignore them.
1241   if (!SrBase)
1242     return nullptr;
1243 
1244   SymbolRef SymBase = SrBase->getSymbol();
1245   const RefState *RsBase = State->get<RegionState>(SymBase);
1246   SymbolRef PreviousRetStatusSymbol = nullptr;
1247 
1248   if (RsBase) {
1249 
1250     // Check for double free first.
1251     if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
1252         !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
1253       ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
1254                        SymBase, PreviousRetStatusSymbol);
1255       return nullptr;
1256 
1257     // If the pointer is allocated or escaped, but we are now trying to free it,
1258     // check that the call to free is proper.
1259     } else if (RsBase->isAllocated() || RsBase->isEscaped()) {
1260 
1261       // Check if an expected deallocation function matches the real one.
1262       bool DeallocMatchesAlloc =
1263         RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr);
1264       if (!DeallocMatchesAlloc) {
1265         ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
1266                                 ParentExpr, RsBase, SymBase, Hold);
1267         return nullptr;
1268       }
1269 
1270       // Check if the memory location being freed is the actual location
1271       // allocated, or an offset.
1272       RegionOffset Offset = R->getAsOffset();
1273       if (Offset.isValid() &&
1274           !Offset.hasSymbolicOffset() &&
1275           Offset.getOffset() != 0) {
1276         const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
1277         ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1278                          AllocExpr);
1279         return nullptr;
1280       }
1281     }
1282   }
1283 
1284   ReleasedAllocated = (RsBase != nullptr) && RsBase->isAllocated();
1285 
1286   // Clean out the info on previous call to free return info.
1287   State = State->remove<FreeReturnValue>(SymBase);
1288 
1289   // Keep track of the return value. If it is NULL, we will know that free
1290   // failed.
1291   if (ReturnsNullOnFailure) {
1292     SVal RetVal = C.getSVal(ParentExpr);
1293     SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
1294     if (RetStatusSymbol) {
1295       C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
1296       State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
1297     }
1298   }
1299 
1300   AllocationFamily Family = RsBase ? RsBase->getAllocationFamily()
1301                                    : getAllocationFamily(C, ParentExpr);
1302   // Normal free.
1303   if (Hold)
1304     return State->set<RegionState>(SymBase,
1305                                    RefState::getRelinquished(Family,
1306                                                              ParentExpr));
1307 
1308   return State->set<RegionState>(SymBase,
1309                                  RefState::getReleased(Family, ParentExpr));
1310 }
1311 
1312 Optional<MallocChecker::CheckKind>
1313 MallocChecker::getCheckIfTracked(AllocationFamily Family) const {
1314   switch (Family) {
1315   case AF_Malloc:
1316   case AF_IfNameIndex: {
1317     if (ChecksEnabled[CK_MallocOptimistic]) {
1318       return CK_MallocOptimistic;
1319     } else if (ChecksEnabled[CK_MallocPessimistic]) {
1320       return CK_MallocPessimistic;
1321     }
1322     return Optional<MallocChecker::CheckKind>();
1323   }
1324   case AF_CXXNew:
1325   case AF_CXXNewArray: {
1326     if (ChecksEnabled[CK_NewDeleteChecker]) {
1327       return CK_NewDeleteChecker;
1328     }
1329     return Optional<MallocChecker::CheckKind>();
1330   }
1331   case AF_None: {
1332     llvm_unreachable("no family");
1333   }
1334   }
1335   llvm_unreachable("unhandled family");
1336 }
1337 
1338 Optional<MallocChecker::CheckKind>
1339 MallocChecker::getCheckIfTracked(CheckerContext &C,
1340                                  const Stmt *AllocDeallocStmt) const {
1341   return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt));
1342 }
1343 
1344 Optional<MallocChecker::CheckKind>
1345 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const {
1346 
1347   const RefState *RS = C.getState()->get<RegionState>(Sym);
1348   assert(RS);
1349   return getCheckIfTracked(RS->getAllocationFamily());
1350 }
1351 
1352 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
1353   if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
1354     os << "an integer (" << IntVal->getValue() << ")";
1355   else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
1356     os << "a constant address (" << ConstAddr->getValue() << ")";
1357   else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
1358     os << "the address of the label '" << Label->getLabel()->getName() << "'";
1359   else
1360     return false;
1361 
1362   return true;
1363 }
1364 
1365 bool MallocChecker::SummarizeRegion(raw_ostream &os,
1366                                     const MemRegion *MR) {
1367   switch (MR->getKind()) {
1368   case MemRegion::FunctionTextRegionKind: {
1369     const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl();
1370     if (FD)
1371       os << "the address of the function '" << *FD << '\'';
1372     else
1373       os << "the address of a function";
1374     return true;
1375   }
1376   case MemRegion::BlockTextRegionKind:
1377     os << "block text";
1378     return true;
1379   case MemRegion::BlockDataRegionKind:
1380     // FIXME: where the block came from?
1381     os << "a block";
1382     return true;
1383   default: {
1384     const MemSpaceRegion *MS = MR->getMemorySpace();
1385 
1386     if (isa<StackLocalsSpaceRegion>(MS)) {
1387       const VarRegion *VR = dyn_cast<VarRegion>(MR);
1388       const VarDecl *VD;
1389       if (VR)
1390         VD = VR->getDecl();
1391       else
1392         VD = nullptr;
1393 
1394       if (VD)
1395         os << "the address of the local variable '" << VD->getName() << "'";
1396       else
1397         os << "the address of a local stack variable";
1398       return true;
1399     }
1400 
1401     if (isa<StackArgumentsSpaceRegion>(MS)) {
1402       const VarRegion *VR = dyn_cast<VarRegion>(MR);
1403       const VarDecl *VD;
1404       if (VR)
1405         VD = VR->getDecl();
1406       else
1407         VD = nullptr;
1408 
1409       if (VD)
1410         os << "the address of the parameter '" << VD->getName() << "'";
1411       else
1412         os << "the address of a parameter";
1413       return true;
1414     }
1415 
1416     if (isa<GlobalsSpaceRegion>(MS)) {
1417       const VarRegion *VR = dyn_cast<VarRegion>(MR);
1418       const VarDecl *VD;
1419       if (VR)
1420         VD = VR->getDecl();
1421       else
1422         VD = nullptr;
1423 
1424       if (VD) {
1425         if (VD->isStaticLocal())
1426           os << "the address of the static variable '" << VD->getName() << "'";
1427         else
1428           os << "the address of the global variable '" << VD->getName() << "'";
1429       } else
1430         os << "the address of a global variable";
1431       return true;
1432     }
1433 
1434     return false;
1435   }
1436   }
1437 }
1438 
1439 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
1440                                   SourceRange Range,
1441                                   const Expr *DeallocExpr) const {
1442 
1443   if (!ChecksEnabled[CK_MallocOptimistic] &&
1444       !ChecksEnabled[CK_MallocPessimistic] &&
1445       !ChecksEnabled[CK_NewDeleteChecker])
1446     return;
1447 
1448   Optional<MallocChecker::CheckKind> CheckKind =
1449       getCheckIfTracked(C, DeallocExpr);
1450   if (!CheckKind.hasValue())
1451     return;
1452 
1453   if (ExplodedNode *N = C.generateSink()) {
1454     if (!BT_BadFree[*CheckKind])
1455       BT_BadFree[*CheckKind].reset(
1456           new BugType(CheckNames[*CheckKind], "Bad free", "Memory Error"));
1457 
1458     SmallString<100> buf;
1459     llvm::raw_svector_ostream os(buf);
1460 
1461     const MemRegion *MR = ArgVal.getAsRegion();
1462     while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
1463       MR = ER->getSuperRegion();
1464 
1465     if (MR && isa<AllocaRegion>(MR))
1466       os << "Memory allocated by alloca() should not be deallocated";
1467     else {
1468       os << "Argument to ";
1469       if (!printAllocDeallocName(os, C, DeallocExpr))
1470         os << "deallocator";
1471 
1472       os << " is ";
1473       bool Summarized = MR ? SummarizeRegion(os, MR)
1474                            : SummarizeValue(os, ArgVal);
1475       if (Summarized)
1476         os << ", which is not memory allocated by ";
1477       else
1478         os << "not memory allocated by ";
1479 
1480       printExpectedAllocName(os, C, DeallocExpr);
1481     }
1482 
1483     BugReport *R = new BugReport(*BT_BadFree[*CheckKind], os.str(), N);
1484     R->markInteresting(MR);
1485     R->addRange(Range);
1486     C.emitReport(R);
1487   }
1488 }
1489 
1490 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C,
1491                                             SourceRange Range,
1492                                             const Expr *DeallocExpr,
1493                                             const RefState *RS,
1494                                             SymbolRef Sym,
1495                                             bool OwnershipTransferred) const {
1496 
1497   if (!ChecksEnabled[CK_MismatchedDeallocatorChecker])
1498     return;
1499 
1500   if (ExplodedNode *N = C.generateSink()) {
1501     if (!BT_MismatchedDealloc)
1502       BT_MismatchedDealloc.reset(
1503           new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
1504                       "Bad deallocator", "Memory Error"));
1505 
1506     SmallString<100> buf;
1507     llvm::raw_svector_ostream os(buf);
1508 
1509     const Expr *AllocExpr = cast<Expr>(RS->getStmt());
1510     SmallString<20> AllocBuf;
1511     llvm::raw_svector_ostream AllocOs(AllocBuf);
1512     SmallString<20> DeallocBuf;
1513     llvm::raw_svector_ostream DeallocOs(DeallocBuf);
1514 
1515     if (OwnershipTransferred) {
1516       if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1517         os << DeallocOs.str() << " cannot";
1518       else
1519         os << "Cannot";
1520 
1521       os << " take ownership of memory";
1522 
1523       if (printAllocDeallocName(AllocOs, C, AllocExpr))
1524         os << " allocated by " << AllocOs.str();
1525     } else {
1526       os << "Memory";
1527       if (printAllocDeallocName(AllocOs, C, AllocExpr))
1528         os << " allocated by " << AllocOs.str();
1529 
1530       os << " should be deallocated by ";
1531         printExpectedDeallocName(os, RS->getAllocationFamily());
1532 
1533       if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1534         os << ", not " << DeallocOs.str();
1535     }
1536 
1537     BugReport *R = new BugReport(*BT_MismatchedDealloc, os.str(), N);
1538     R->markInteresting(Sym);
1539     R->addRange(Range);
1540     R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1541     C.emitReport(R);
1542   }
1543 }
1544 
1545 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
1546                                      SourceRange Range, const Expr *DeallocExpr,
1547                                      const Expr *AllocExpr) const {
1548 
1549   if (!ChecksEnabled[CK_MallocOptimistic] &&
1550       !ChecksEnabled[CK_MallocPessimistic] &&
1551       !ChecksEnabled[CK_NewDeleteChecker])
1552     return;
1553 
1554   Optional<MallocChecker::CheckKind> CheckKind =
1555       getCheckIfTracked(C, AllocExpr);
1556   if (!CheckKind.hasValue())
1557     return;
1558 
1559   ExplodedNode *N = C.generateSink();
1560   if (!N)
1561     return;
1562 
1563   if (!BT_OffsetFree[*CheckKind])
1564     BT_OffsetFree[*CheckKind].reset(
1565         new BugType(CheckNames[*CheckKind], "Offset free", "Memory Error"));
1566 
1567   SmallString<100> buf;
1568   llvm::raw_svector_ostream os(buf);
1569   SmallString<20> AllocNameBuf;
1570   llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
1571 
1572   const MemRegion *MR = ArgVal.getAsRegion();
1573   assert(MR && "Only MemRegion based symbols can have offset free errors");
1574 
1575   RegionOffset Offset = MR->getAsOffset();
1576   assert((Offset.isValid() &&
1577           !Offset.hasSymbolicOffset() &&
1578           Offset.getOffset() != 0) &&
1579          "Only symbols with a valid offset can have offset free errors");
1580 
1581   int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
1582 
1583   os << "Argument to ";
1584   if (!printAllocDeallocName(os, C, DeallocExpr))
1585     os << "deallocator";
1586   os << " is offset by "
1587      << offsetBytes
1588      << " "
1589      << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
1590      << " from the start of ";
1591   if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr))
1592     os << "memory allocated by " << AllocNameOs.str();
1593   else
1594     os << "allocated memory";
1595 
1596   BugReport *R = new BugReport(*BT_OffsetFree[*CheckKind], os.str(), N);
1597   R->markInteresting(MR->getBaseRegion());
1598   R->addRange(Range);
1599   C.emitReport(R);
1600 }
1601 
1602 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range,
1603                                        SymbolRef Sym) const {
1604 
1605   if (!ChecksEnabled[CK_MallocOptimistic] &&
1606       !ChecksEnabled[CK_MallocPessimistic] &&
1607       !ChecksEnabled[CK_NewDeleteChecker])
1608     return;
1609 
1610   Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
1611   if (!CheckKind.hasValue())
1612     return;
1613 
1614   if (ExplodedNode *N = C.generateSink()) {
1615     if (!BT_UseFree[*CheckKind])
1616       BT_UseFree[*CheckKind].reset(new BugType(
1617           CheckNames[*CheckKind], "Use-after-free", "Memory Error"));
1618 
1619     BugReport *R = new BugReport(*BT_UseFree[*CheckKind],
1620                                  "Use of memory after it is freed", N);
1621 
1622     R->markInteresting(Sym);
1623     R->addRange(Range);
1624     R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1625     C.emitReport(R);
1626   }
1627 }
1628 
1629 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range,
1630                                      bool Released, SymbolRef Sym,
1631                                      SymbolRef PrevSym) const {
1632 
1633   if (!ChecksEnabled[CK_MallocOptimistic] &&
1634       !ChecksEnabled[CK_MallocPessimistic] &&
1635       !ChecksEnabled[CK_NewDeleteChecker])
1636     return;
1637 
1638   Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
1639   if (!CheckKind.hasValue())
1640     return;
1641 
1642   if (ExplodedNode *N = C.generateSink()) {
1643     if (!BT_DoubleFree[*CheckKind])
1644       BT_DoubleFree[*CheckKind].reset(
1645           new BugType(CheckNames[*CheckKind], "Double free", "Memory Error"));
1646 
1647     BugReport *R =
1648         new BugReport(*BT_DoubleFree[*CheckKind],
1649                       (Released ? "Attempt to free released memory"
1650                                 : "Attempt to free non-owned memory"),
1651                       N);
1652     R->addRange(Range);
1653     R->markInteresting(Sym);
1654     if (PrevSym)
1655       R->markInteresting(PrevSym);
1656     R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1657     C.emitReport(R);
1658   }
1659 }
1660 
1661 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
1662 
1663   if (!ChecksEnabled[CK_NewDeleteChecker])
1664     return;
1665 
1666   Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
1667   if (!CheckKind.hasValue())
1668     return;
1669   assert(*CheckKind == CK_NewDeleteChecker && "invalid check kind");
1670 
1671   if (ExplodedNode *N = C.generateSink()) {
1672     if (!BT_DoubleDelete)
1673       BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
1674                                         "Double delete", "Memory Error"));
1675 
1676     BugReport *R = new BugReport(*BT_DoubleDelete,
1677                                  "Attempt to delete released memory", N);
1678 
1679     R->markInteresting(Sym);
1680     R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1681     C.emitReport(R);
1682   }
1683 }
1684 
1685 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
1686                                           const CallExpr *CE,
1687                                           bool FreesOnFail,
1688                                           ProgramStateRef State) const {
1689   if (!State)
1690     return nullptr;
1691 
1692   if (CE->getNumArgs() < 2)
1693     return nullptr;
1694 
1695   const Expr *arg0Expr = CE->getArg(0);
1696   const LocationContext *LCtx = C.getLocationContext();
1697   SVal Arg0Val = State->getSVal(arg0Expr, LCtx);
1698   if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
1699     return nullptr;
1700   DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
1701 
1702   SValBuilder &svalBuilder = C.getSValBuilder();
1703 
1704   DefinedOrUnknownSVal PtrEQ =
1705     svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());
1706 
1707   // Get the size argument. If there is no size arg then give up.
1708   const Expr *Arg1 = CE->getArg(1);
1709   if (!Arg1)
1710     return nullptr;
1711 
1712   // Get the value of the size argument.
1713   SVal Arg1ValG = State->getSVal(Arg1, LCtx);
1714   if (!Arg1ValG.getAs<DefinedOrUnknownSVal>())
1715     return nullptr;
1716   DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>();
1717 
1718   // Compare the size argument to 0.
1719   DefinedOrUnknownSVal SizeZero =
1720     svalBuilder.evalEQ(State, Arg1Val,
1721                        svalBuilder.makeIntValWithPtrWidth(0, false));
1722 
1723   ProgramStateRef StatePtrIsNull, StatePtrNotNull;
1724   std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
1725   ProgramStateRef StateSizeIsZero, StateSizeNotZero;
1726   std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
1727   // We only assume exceptional states if they are definitely true; if the
1728   // state is under-constrained, assume regular realloc behavior.
1729   bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
1730   bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
1731 
1732   // If the ptr is NULL and the size is not 0, the call is equivalent to
1733   // malloc(size).
1734   if ( PrtIsNull && !SizeIsZero) {
1735     ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1),
1736                                                UndefinedVal(), StatePtrIsNull);
1737     return stateMalloc;
1738   }
1739 
1740   if (PrtIsNull && SizeIsZero)
1741     return nullptr;
1742 
1743   // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
1744   assert(!PrtIsNull);
1745   SymbolRef FromPtr = arg0Val.getAsSymbol();
1746   SVal RetVal = State->getSVal(CE, LCtx);
1747   SymbolRef ToPtr = RetVal.getAsSymbol();
1748   if (!FromPtr || !ToPtr)
1749     return nullptr;
1750 
1751   bool ReleasedAllocated = false;
1752 
1753   // If the size is 0, free the memory.
1754   if (SizeIsZero)
1755     if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0,
1756                                                false, ReleasedAllocated)){
1757       // The semantics of the return value are:
1758       // If size was equal to 0, either NULL or a pointer suitable to be passed
1759       // to free() is returned. We just free the input pointer and do not add
1760       // any constrains on the output pointer.
1761       return stateFree;
1762     }
1763 
1764   // Default behavior.
1765   if (ProgramStateRef stateFree =
1766         FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) {
1767 
1768     ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1),
1769                                                 UnknownVal(), stateFree);
1770     if (!stateRealloc)
1771       return nullptr;
1772 
1773     ReallocPairKind Kind = RPToBeFreedAfterFailure;
1774     if (FreesOnFail)
1775       Kind = RPIsFreeOnFailure;
1776     else if (!ReleasedAllocated)
1777       Kind = RPDoNotTrackAfterFailure;
1778 
1779     // Record the info about the reallocated symbol so that we could properly
1780     // process failed reallocation.
1781     stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
1782                                                    ReallocPair(FromPtr, Kind));
1783     // The reallocated symbol should stay alive for as long as the new symbol.
1784     C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
1785     return stateRealloc;
1786   }
1787   return nullptr;
1788 }
1789 
1790 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE,
1791                                          ProgramStateRef State) {
1792   if (!State)
1793     return nullptr;
1794 
1795   if (CE->getNumArgs() < 2)
1796     return nullptr;
1797 
1798   SValBuilder &svalBuilder = C.getSValBuilder();
1799   const LocationContext *LCtx = C.getLocationContext();
1800   SVal count = State->getSVal(CE->getArg(0), LCtx);
1801   SVal elementSize = State->getSVal(CE->getArg(1), LCtx);
1802   SVal TotalSize = svalBuilder.evalBinOp(State, BO_Mul, count, elementSize,
1803                                         svalBuilder.getContext().getSizeType());
1804   SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
1805 
1806   return MallocMemAux(C, CE, TotalSize, zeroVal, State);
1807 }
1808 
1809 LeakInfo
1810 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
1811                                  CheckerContext &C) const {
1812   const LocationContext *LeakContext = N->getLocationContext();
1813   // Walk the ExplodedGraph backwards and find the first node that referred to
1814   // the tracked symbol.
1815   const ExplodedNode *AllocNode = N;
1816   const MemRegion *ReferenceRegion = nullptr;
1817 
1818   while (N) {
1819     ProgramStateRef State = N->getState();
1820     if (!State->get<RegionState>(Sym))
1821       break;
1822 
1823     // Find the most recent expression bound to the symbol in the current
1824     // context.
1825       if (!ReferenceRegion) {
1826         if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
1827           SVal Val = State->getSVal(MR);
1828           if (Val.getAsLocSymbol() == Sym) {
1829             const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>();
1830             // Do not show local variables belonging to a function other than
1831             // where the error is reported.
1832             if (!VR ||
1833                 (VR->getStackFrame() == LeakContext->getCurrentStackFrame()))
1834               ReferenceRegion = MR;
1835           }
1836         }
1837       }
1838 
1839     // Allocation node, is the last node in the current or parent context in
1840     // which the symbol was tracked.
1841     const LocationContext *NContext = N->getLocationContext();
1842     if (NContext == LeakContext ||
1843         NContext->isParentOf(LeakContext))
1844       AllocNode = N;
1845     N = N->pred_empty() ? nullptr : *(N->pred_begin());
1846   }
1847 
1848   return LeakInfo(AllocNode, ReferenceRegion);
1849 }
1850 
1851 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
1852                                CheckerContext &C) const {
1853 
1854   if (!ChecksEnabled[CK_MallocOptimistic] &&
1855       !ChecksEnabled[CK_MallocPessimistic] &&
1856       !ChecksEnabled[CK_NewDeleteLeaksChecker])
1857     return;
1858 
1859   const RefState *RS = C.getState()->get<RegionState>(Sym);
1860   assert(RS && "cannot leak an untracked symbol");
1861   AllocationFamily Family = RS->getAllocationFamily();
1862   Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
1863   if (!CheckKind.hasValue())
1864     return;
1865 
1866   // Special case for new and new[]; these are controlled by a separate checker
1867   // flag so that they can be selectively disabled.
1868   if (Family == AF_CXXNew || Family == AF_CXXNewArray)
1869     if (!ChecksEnabled[CK_NewDeleteLeaksChecker])
1870       return;
1871 
1872   assert(N);
1873   if (!BT_Leak[*CheckKind]) {
1874     BT_Leak[*CheckKind].reset(
1875         new BugType(CheckNames[*CheckKind], "Memory leak", "Memory Error"));
1876     // Leaks should not be reported if they are post-dominated by a sink:
1877     // (1) Sinks are higher importance bugs.
1878     // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
1879     //     with __noreturn functions such as assert() or exit(). We choose not
1880     //     to report leaks on such paths.
1881     BT_Leak[*CheckKind]->setSuppressOnSink(true);
1882   }
1883 
1884   // Most bug reports are cached at the location where they occurred.
1885   // With leaks, we want to unique them by the location where they were
1886   // allocated, and only report a single path.
1887   PathDiagnosticLocation LocUsedForUniqueing;
1888   const ExplodedNode *AllocNode = nullptr;
1889   const MemRegion *Region = nullptr;
1890   std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
1891 
1892   ProgramPoint P = AllocNode->getLocation();
1893   const Stmt *AllocationStmt = nullptr;
1894   if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>())
1895     AllocationStmt = Exit->getCalleeContext()->getCallSite();
1896   else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>())
1897     AllocationStmt = SP->getStmt();
1898   if (AllocationStmt)
1899     LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
1900                                               C.getSourceManager(),
1901                                               AllocNode->getLocationContext());
1902 
1903   SmallString<200> buf;
1904   llvm::raw_svector_ostream os(buf);
1905   if (Region && Region->canPrintPretty()) {
1906     os << "Potential leak of memory pointed to by ";
1907     Region->printPretty(os);
1908   } else {
1909     os << "Potential memory leak";
1910   }
1911 
1912   BugReport *R =
1913       new BugReport(*BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
1914                     AllocNode->getLocationContext()->getDecl());
1915   R->markInteresting(Sym);
1916   R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true));
1917   C.emitReport(R);
1918 }
1919 
1920 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
1921                                      CheckerContext &C) const
1922 {
1923   if (!SymReaper.hasDeadSymbols())
1924     return;
1925 
1926   ProgramStateRef state = C.getState();
1927   RegionStateTy RS = state->get<RegionState>();
1928   RegionStateTy::Factory &F = state->get_context<RegionState>();
1929 
1930   SmallVector<SymbolRef, 2> Errors;
1931   for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
1932     if (SymReaper.isDead(I->first)) {
1933       if (I->second.isAllocated())
1934         Errors.push_back(I->first);
1935       // Remove the dead symbol from the map.
1936       RS = F.remove(RS, I->first);
1937 
1938     }
1939   }
1940 
1941   // Cleanup the Realloc Pairs Map.
1942   ReallocPairsTy RP = state->get<ReallocPairs>();
1943   for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
1944     if (SymReaper.isDead(I->first) ||
1945         SymReaper.isDead(I->second.ReallocatedSym)) {
1946       state = state->remove<ReallocPairs>(I->first);
1947     }
1948   }
1949 
1950   // Cleanup the FreeReturnValue Map.
1951   FreeReturnValueTy FR = state->get<FreeReturnValue>();
1952   for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
1953     if (SymReaper.isDead(I->first) ||
1954         SymReaper.isDead(I->second)) {
1955       state = state->remove<FreeReturnValue>(I->first);
1956     }
1957   }
1958 
1959   // Generate leak node.
1960   ExplodedNode *N = C.getPredecessor();
1961   if (!Errors.empty()) {
1962     static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
1963     N = C.addTransition(C.getState(), C.getPredecessor(), &Tag);
1964     for (SmallVectorImpl<SymbolRef>::iterator
1965            I = Errors.begin(), E = Errors.end(); I != E; ++I) {
1966       reportLeak(*I, N, C);
1967     }
1968   }
1969 
1970   C.addTransition(state->set<RegionState>(RS), N);
1971 }
1972 
1973 void MallocChecker::checkPreCall(const CallEvent &Call,
1974                                  CheckerContext &C) const {
1975 
1976   if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) {
1977     SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
1978     if (!Sym || checkDoubleDelete(Sym, C))
1979       return;
1980   }
1981 
1982   // We will check for double free in the post visit.
1983   if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
1984     const FunctionDecl *FD = FC->getDecl();
1985     if (!FD)
1986       return;
1987 
1988     ASTContext &Ctx = C.getASTContext();
1989     if ((ChecksEnabled[CK_MallocOptimistic] ||
1990          ChecksEnabled[CK_MallocPessimistic]) &&
1991         (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) ||
1992          isCMemFunction(FD, Ctx, AF_IfNameIndex,
1993                         MemoryOperationKind::MOK_Free)))
1994       return;
1995 
1996     if (ChecksEnabled[CK_NewDeleteChecker] &&
1997         isStandardNewDelete(FD, Ctx))
1998       return;
1999   }
2000 
2001   // Check if the callee of a method is deleted.
2002   if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
2003     SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2004     if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2005       return;
2006   }
2007 
2008   // Check arguments for being used after free.
2009   for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2010     SVal ArgSVal = Call.getArgSVal(I);
2011     if (ArgSVal.getAs<Loc>()) {
2012       SymbolRef Sym = ArgSVal.getAsSymbol();
2013       if (!Sym)
2014         continue;
2015       if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
2016         return;
2017     }
2018   }
2019 }
2020 
2021 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const {
2022   const Expr *E = S->getRetValue();
2023   if (!E)
2024     return;
2025 
2026   // Check if we are returning a symbol.
2027   ProgramStateRef State = C.getState();
2028   SVal RetVal = State->getSVal(E, C.getLocationContext());
2029   SymbolRef Sym = RetVal.getAsSymbol();
2030   if (!Sym)
2031     // If we are returning a field of the allocated struct or an array element,
2032     // the callee could still free the memory.
2033     // TODO: This logic should be a part of generic symbol escape callback.
2034     if (const MemRegion *MR = RetVal.getAsRegion())
2035       if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR))
2036         if (const SymbolicRegion *BMR =
2037               dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
2038           Sym = BMR->getSymbol();
2039 
2040   // Check if we are returning freed memory.
2041   if (Sym)
2042     checkUseAfterFree(Sym, C, E);
2043 }
2044 
2045 // TODO: Blocks should be either inlined or should call invalidate regions
2046 // upon invocation. After that's in place, special casing here will not be
2047 // needed.
2048 void MallocChecker::checkPostStmt(const BlockExpr *BE,
2049                                   CheckerContext &C) const {
2050 
2051   // Scan the BlockDecRefExprs for any object the retain count checker
2052   // may be tracking.
2053   if (!BE->getBlockDecl()->hasCaptures())
2054     return;
2055 
2056   ProgramStateRef state = C.getState();
2057   const BlockDataRegion *R =
2058     cast<BlockDataRegion>(state->getSVal(BE,
2059                                          C.getLocationContext()).getAsRegion());
2060 
2061   BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
2062                                             E = R->referenced_vars_end();
2063 
2064   if (I == E)
2065     return;
2066 
2067   SmallVector<const MemRegion*, 10> Regions;
2068   const LocationContext *LC = C.getLocationContext();
2069   MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
2070 
2071   for ( ; I != E; ++I) {
2072     const VarRegion *VR = I.getCapturedRegion();
2073     if (VR->getSuperRegion() == R) {
2074       VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2075     }
2076     Regions.push_back(VR);
2077   }
2078 
2079   state =
2080     state->scanReachableSymbols<StopTrackingCallback>(Regions.data(),
2081                                     Regions.data() + Regions.size()).getState();
2082   C.addTransition(state);
2083 }
2084 
2085 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const {
2086   assert(Sym);
2087   const RefState *RS = C.getState()->get<RegionState>(Sym);
2088   return (RS && RS->isReleased());
2089 }
2090 
2091 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
2092                                       const Stmt *S) const {
2093 
2094   if (isReleased(Sym, C)) {
2095     ReportUseAfterFree(C, S->getSourceRange(), Sym);
2096     return true;
2097   }
2098 
2099   return false;
2100 }
2101 
2102 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
2103 
2104   if (isReleased(Sym, C)) {
2105     ReportDoubleDelete(C, Sym);
2106     return true;
2107   }
2108   return false;
2109 }
2110 
2111 // Check if the location is a freed symbolic region.
2112 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
2113                                   CheckerContext &C) const {
2114   SymbolRef Sym = l.getLocSymbolInBase();
2115   if (Sym)
2116     checkUseAfterFree(Sym, C, S);
2117 }
2118 
2119 // If a symbolic region is assumed to NULL (or another constant), stop tracking
2120 // it - assuming that allocation failed on this path.
2121 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
2122                                               SVal Cond,
2123                                               bool Assumption) const {
2124   RegionStateTy RS = state->get<RegionState>();
2125   for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2126     // If the symbol is assumed to be NULL, remove it from consideration.
2127     ConstraintManager &CMgr = state->getConstraintManager();
2128     ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2129     if (AllocFailed.isConstrainedTrue())
2130       state = state->remove<RegionState>(I.getKey());
2131   }
2132 
2133   // Realloc returns 0 when reallocation fails, which means that we should
2134   // restore the state of the pointer being reallocated.
2135   ReallocPairsTy RP = state->get<ReallocPairs>();
2136   for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2137     // If the symbol is assumed to be NULL, remove it from consideration.
2138     ConstraintManager &CMgr = state->getConstraintManager();
2139     ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2140     if (!AllocFailed.isConstrainedTrue())
2141       continue;
2142 
2143     SymbolRef ReallocSym = I.getData().ReallocatedSym;
2144     if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
2145       if (RS->isReleased()) {
2146         if (I.getData().Kind == RPToBeFreedAfterFailure)
2147           state = state->set<RegionState>(ReallocSym,
2148               RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt()));
2149         else if (I.getData().Kind == RPDoNotTrackAfterFailure)
2150           state = state->remove<RegionState>(ReallocSym);
2151         else
2152           assert(I.getData().Kind == RPIsFreeOnFailure);
2153       }
2154     }
2155     state = state->remove<ReallocPairs>(I.getKey());
2156   }
2157 
2158   return state;
2159 }
2160 
2161 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
2162                                               const CallEvent *Call,
2163                                               ProgramStateRef State,
2164                                               SymbolRef &EscapingSymbol) const {
2165   assert(Call);
2166   EscapingSymbol = nullptr;
2167 
2168   // For now, assume that any C++ or block call can free memory.
2169   // TODO: If we want to be more optimistic here, we'll need to make sure that
2170   // regions escape to C++ containers. They seem to do that even now, but for
2171   // mysterious reasons.
2172   if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call)))
2173     return true;
2174 
2175   // Check Objective-C messages by selector name.
2176   if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
2177     // If it's not a framework call, or if it takes a callback, assume it
2178     // can free memory.
2179     if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg())
2180       return true;
2181 
2182     // If it's a method we know about, handle it explicitly post-call.
2183     // This should happen before the "freeWhenDone" check below.
2184     if (isKnownDeallocObjCMethodName(*Msg))
2185       return false;
2186 
2187     // If there's a "freeWhenDone" parameter, but the method isn't one we know
2188     // about, we can't be sure that the object will use free() to deallocate the
2189     // memory, so we can't model it explicitly. The best we can do is use it to
2190     // decide whether the pointer escapes.
2191     if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
2192       return *FreeWhenDone;
2193 
2194     // If the first selector piece ends with "NoCopy", and there is no
2195     // "freeWhenDone" parameter set to zero, we know ownership is being
2196     // transferred. Again, though, we can't be sure that the object will use
2197     // free() to deallocate the memory, so we can't model it explicitly.
2198     StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
2199     if (FirstSlot.endswith("NoCopy"))
2200       return true;
2201 
2202     // If the first selector starts with addPointer, insertPointer,
2203     // or replacePointer, assume we are dealing with NSPointerArray or similar.
2204     // This is similar to C++ containers (vector); we still might want to check
2205     // that the pointers get freed by following the container itself.
2206     if (FirstSlot.startswith("addPointer") ||
2207         FirstSlot.startswith("insertPointer") ||
2208         FirstSlot.startswith("replacePointer") ||
2209         FirstSlot.equals("valueWithPointer")) {
2210       return true;
2211     }
2212 
2213     // We should escape receiver on call to 'init'. This is especially relevant
2214     // to the receiver, as the corresponding symbol is usually not referenced
2215     // after the call.
2216     if (Msg->getMethodFamily() == OMF_init) {
2217       EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
2218       return true;
2219     }
2220 
2221     // Otherwise, assume that the method does not free memory.
2222     // Most framework methods do not free memory.
2223     return false;
2224   }
2225 
2226   // At this point the only thing left to handle is straight function calls.
2227   const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
2228   if (!FD)
2229     return true;
2230 
2231   ASTContext &ASTC = State->getStateManager().getContext();
2232 
2233   // If it's one of the allocation functions we can reason about, we model
2234   // its behavior explicitly.
2235   if (isMemFunction(FD, ASTC))
2236     return false;
2237 
2238   // If it's not a system call, assume it frees memory.
2239   if (!Call->isInSystemHeader())
2240     return true;
2241 
2242   // White list the system functions whose arguments escape.
2243   const IdentifierInfo *II = FD->getIdentifier();
2244   if (!II)
2245     return true;
2246   StringRef FName = II->getName();
2247 
2248   // White list the 'XXXNoCopy' CoreFoundation functions.
2249   // We specifically check these before
2250   if (FName.endswith("NoCopy")) {
2251     // Look for the deallocator argument. We know that the memory ownership
2252     // is not transferred only if the deallocator argument is
2253     // 'kCFAllocatorNull'.
2254     for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
2255       const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
2256       if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
2257         StringRef DeallocatorName = DE->getFoundDecl()->getName();
2258         if (DeallocatorName == "kCFAllocatorNull")
2259           return false;
2260       }
2261     }
2262     return true;
2263   }
2264 
2265   // Associating streams with malloced buffers. The pointer can escape if
2266   // 'closefn' is specified (and if that function does free memory),
2267   // but it will not if closefn is not specified.
2268   // Currently, we do not inspect the 'closefn' function (PR12101).
2269   if (FName == "funopen")
2270     if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
2271       return false;
2272 
2273   // Do not warn on pointers passed to 'setbuf' when used with std streams,
2274   // these leaks might be intentional when setting the buffer for stdio.
2275   // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
2276   if (FName == "setbuf" || FName =="setbuffer" ||
2277       FName == "setlinebuf" || FName == "setvbuf") {
2278     if (Call->getNumArgs() >= 1) {
2279       const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
2280       if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
2281         if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
2282           if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos)
2283             return true;
2284     }
2285   }
2286 
2287   // A bunch of other functions which either take ownership of a pointer or
2288   // wrap the result up in a struct or object, meaning it can be freed later.
2289   // (See RetainCountChecker.) Not all the parameters here are invalidated,
2290   // but the Malloc checker cannot differentiate between them. The right way
2291   // of doing this would be to implement a pointer escapes callback.
2292   if (FName == "CGBitmapContextCreate" ||
2293       FName == "CGBitmapContextCreateWithData" ||
2294       FName == "CVPixelBufferCreateWithBytes" ||
2295       FName == "CVPixelBufferCreateWithPlanarBytes" ||
2296       FName == "OSAtomicEnqueue") {
2297     return true;
2298   }
2299 
2300   // Handle cases where we know a buffer's /address/ can escape.
2301   // Note that the above checks handle some special cases where we know that
2302   // even though the address escapes, it's still our responsibility to free the
2303   // buffer.
2304   if (Call->argumentsMayEscape())
2305     return true;
2306 
2307   // Otherwise, assume that the function does not free memory.
2308   // Most system calls do not free the memory.
2309   return false;
2310 }
2311 
2312 static bool retTrue(const RefState *RS) {
2313   return true;
2314 }
2315 
2316 static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
2317   return (RS->getAllocationFamily() == AF_CXXNewArray ||
2318           RS->getAllocationFamily() == AF_CXXNew);
2319 }
2320 
2321 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
2322                                              const InvalidatedSymbols &Escaped,
2323                                              const CallEvent *Call,
2324                                              PointerEscapeKind Kind) const {
2325   return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue);
2326 }
2327 
2328 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
2329                                               const InvalidatedSymbols &Escaped,
2330                                               const CallEvent *Call,
2331                                               PointerEscapeKind Kind) const {
2332   return checkPointerEscapeAux(State, Escaped, Call, Kind,
2333                                &checkIfNewOrNewArrayFamily);
2334 }
2335 
2336 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State,
2337                                               const InvalidatedSymbols &Escaped,
2338                                               const CallEvent *Call,
2339                                               PointerEscapeKind Kind,
2340                                   bool(*CheckRefState)(const RefState*)) const {
2341   // If we know that the call does not free memory, or we want to process the
2342   // call later, keep tracking the top level arguments.
2343   SymbolRef EscapingSymbol = nullptr;
2344   if (Kind == PSK_DirectEscapeOnCall &&
2345       !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
2346                                                     EscapingSymbol) &&
2347       !EscapingSymbol) {
2348     return State;
2349   }
2350 
2351   for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
2352        E = Escaped.end();
2353        I != E; ++I) {
2354     SymbolRef sym = *I;
2355 
2356     if (EscapingSymbol && EscapingSymbol != sym)
2357       continue;
2358 
2359     if (const RefState *RS = State->get<RegionState>(sym)) {
2360       if (RS->isAllocated() && CheckRefState(RS)) {
2361         State = State->remove<RegionState>(sym);
2362         State = State->set<RegionState>(sym, RefState::getEscaped(RS));
2363       }
2364     }
2365   }
2366   return State;
2367 }
2368 
2369 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState,
2370                                          ProgramStateRef prevState) {
2371   ReallocPairsTy currMap = currState->get<ReallocPairs>();
2372   ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
2373 
2374   for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end();
2375        I != E; ++I) {
2376     SymbolRef sym = I.getKey();
2377     if (!currMap.lookup(sym))
2378       return sym;
2379   }
2380 
2381   return nullptr;
2382 }
2383 
2384 PathDiagnosticPiece *
2385 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N,
2386                                            const ExplodedNode *PrevN,
2387                                            BugReporterContext &BRC,
2388                                            BugReport &BR) {
2389   ProgramStateRef state = N->getState();
2390   ProgramStateRef statePrev = PrevN->getState();
2391 
2392   const RefState *RS = state->get<RegionState>(Sym);
2393   const RefState *RSPrev = statePrev->get<RegionState>(Sym);
2394   if (!RS)
2395     return nullptr;
2396 
2397   const Stmt *S = nullptr;
2398   const char *Msg = nullptr;
2399   StackHintGeneratorForSymbol *StackHint = nullptr;
2400 
2401   // Retrieve the associated statement.
2402   ProgramPoint ProgLoc = N->getLocation();
2403   if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) {
2404     S = SP->getStmt();
2405   } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) {
2406     S = Exit->getCalleeContext()->getCallSite();
2407   } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) {
2408     // If an assumption was made on a branch, it should be caught
2409     // here by looking at the state transition.
2410     S = Edge->getSrc()->getTerminator();
2411   }
2412 
2413   if (!S)
2414     return nullptr;
2415 
2416   // FIXME: We will eventually need to handle non-statement-based events
2417   // (__attribute__((cleanup))).
2418 
2419   // Find out if this is an interesting point and what is the kind.
2420   if (Mode == Normal) {
2421     if (isAllocated(RS, RSPrev, S)) {
2422       Msg = "Memory is allocated";
2423       StackHint = new StackHintGeneratorForSymbol(Sym,
2424                                                   "Returned allocated memory");
2425     } else if (isReleased(RS, RSPrev, S)) {
2426       Msg = "Memory is released";
2427       StackHint = new StackHintGeneratorForSymbol(Sym,
2428                                              "Returning; memory was released");
2429     } else if (isRelinquished(RS, RSPrev, S)) {
2430       Msg = "Memory ownership is transferred";
2431       StackHint = new StackHintGeneratorForSymbol(Sym, "");
2432     } else if (isReallocFailedCheck(RS, RSPrev, S)) {
2433       Mode = ReallocationFailed;
2434       Msg = "Reallocation failed";
2435       StackHint = new StackHintGeneratorForReallocationFailed(Sym,
2436                                                        "Reallocation failed");
2437 
2438       if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
2439         // Is it possible to fail two reallocs WITHOUT testing in between?
2440         assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
2441           "We only support one failed realloc at a time.");
2442         BR.markInteresting(sym);
2443         FailedReallocSymbol = sym;
2444       }
2445     }
2446 
2447   // We are in a special mode if a reallocation failed later in the path.
2448   } else if (Mode == ReallocationFailed) {
2449     assert(FailedReallocSymbol && "No symbol to look for.");
2450 
2451     // Is this is the first appearance of the reallocated symbol?
2452     if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
2453       // We're at the reallocation point.
2454       Msg = "Attempt to reallocate memory";
2455       StackHint = new StackHintGeneratorForSymbol(Sym,
2456                                                  "Returned reallocated memory");
2457       FailedReallocSymbol = nullptr;
2458       Mode = Normal;
2459     }
2460   }
2461 
2462   if (!Msg)
2463     return nullptr;
2464   assert(StackHint);
2465 
2466   // Generate the extra diagnostic.
2467   PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
2468                              N->getLocationContext());
2469   return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint);
2470 }
2471 
2472 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
2473                                const char *NL, const char *Sep) const {
2474 
2475   RegionStateTy RS = State->get<RegionState>();
2476 
2477   if (!RS.isEmpty()) {
2478     Out << Sep << "MallocChecker :" << NL;
2479     for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2480       const RefState *RefS = State->get<RegionState>(I.getKey());
2481       AllocationFamily Family = RefS->getAllocationFamily();
2482       Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2483 
2484       I.getKey()->dumpToStream(Out);
2485       Out << " : ";
2486       I.getData().dump(Out);
2487       if (CheckKind.hasValue())
2488         Out << " (" << CheckNames[*CheckKind].getName() << ")";
2489       Out << NL;
2490     }
2491   }
2492 }
2493 
2494 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) {
2495   registerCStringCheckerBasic(mgr);
2496   MallocChecker *checker = mgr.registerChecker<MallocChecker>();
2497   checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true;
2498   checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] =
2499       mgr.getCurrentCheckName();
2500   // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete
2501   // checker.
2502   if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker])
2503     checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true;
2504 }
2505 
2506 #define REGISTER_CHECKER(name)                                                 \
2507   void ento::register##name(CheckerManager &mgr) {                             \
2508     registerCStringCheckerBasic(mgr);                                          \
2509     MallocChecker *checker = mgr.registerChecker<MallocChecker>();             \
2510     checker->ChecksEnabled[MallocChecker::CK_##name] = true;                   \
2511     checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \
2512   }
2513 
2514 REGISTER_CHECKER(MallocPessimistic)
2515 REGISTER_CHECKER(MallocOptimistic)
2516 REGISTER_CHECKER(NewDeleteChecker)
2517 REGISTER_CHECKER(MismatchedDeallocatorChecker)
2518