1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/AST/ParentMap.h" 19 #include "clang/Basic/SourceManager.h" 20 #include "clang/Basic/TargetInfo.h" 21 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 22 #include "clang/StaticAnalyzer/Core/Checker.h" 23 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 27 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 28 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 29 #include "llvm/ADT/ImmutableMap.h" 30 #include "llvm/ADT/STLExtras.h" 31 #include "llvm/ADT/SmallString.h" 32 #include "llvm/ADT/StringExtras.h" 33 #include <climits> 34 35 using namespace clang; 36 using namespace ento; 37 38 namespace { 39 40 // Used to check correspondence between allocators and deallocators. 41 enum AllocationFamily { 42 AF_None, 43 AF_Malloc, 44 AF_CXXNew, 45 AF_CXXNewArray, 46 AF_IfNameIndex 47 }; 48 49 class RefState { 50 enum Kind { // Reference to allocated memory. 51 Allocated, 52 // Reference to released/freed memory. 53 Released, 54 // The responsibility for freeing resources has transferred from 55 // this reference. A relinquished symbol should not be freed. 56 Relinquished, 57 // We are no longer guaranteed to have observed all manipulations 58 // of this pointer/memory. For example, it could have been 59 // passed as a parameter to an opaque function. 60 Escaped 61 }; 62 63 const Stmt *S; 64 unsigned K : 2; // Kind enum, but stored as a bitfield. 65 unsigned Family : 30; // Rest of 32-bit word, currently just an allocation 66 // family. 67 68 RefState(Kind k, const Stmt *s, unsigned family) 69 : S(s), K(k), Family(family) { 70 assert(family != AF_None); 71 } 72 public: 73 bool isAllocated() const { return K == Allocated; } 74 bool isReleased() const { return K == Released; } 75 bool isRelinquished() const { return K == Relinquished; } 76 bool isEscaped() const { return K == Escaped; } 77 AllocationFamily getAllocationFamily() const { 78 return (AllocationFamily)Family; 79 } 80 const Stmt *getStmt() const { return S; } 81 82 bool operator==(const RefState &X) const { 83 return K == X.K && S == X.S && Family == X.Family; 84 } 85 86 static RefState getAllocated(unsigned family, const Stmt *s) { 87 return RefState(Allocated, s, family); 88 } 89 static RefState getReleased(unsigned family, const Stmt *s) { 90 return RefState(Released, s, family); 91 } 92 static RefState getRelinquished(unsigned family, const Stmt *s) { 93 return RefState(Relinquished, s, family); 94 } 95 static RefState getEscaped(const RefState *RS) { 96 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 97 } 98 99 void Profile(llvm::FoldingSetNodeID &ID) const { 100 ID.AddInteger(K); 101 ID.AddPointer(S); 102 ID.AddInteger(Family); 103 } 104 105 void dump(raw_ostream &OS) const { 106 switch (static_cast<Kind>(K)) { 107 #define CASE(ID) case ID: OS << #ID; break; 108 CASE(Allocated) 109 CASE(Released) 110 CASE(Relinquished) 111 CASE(Escaped) 112 } 113 } 114 115 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 116 }; 117 118 enum ReallocPairKind { 119 RPToBeFreedAfterFailure, 120 // The symbol has been freed when reallocation failed. 121 RPIsFreeOnFailure, 122 // The symbol does not need to be freed after reallocation fails. 123 RPDoNotTrackAfterFailure 124 }; 125 126 /// \class ReallocPair 127 /// \brief Stores information about the symbol being reallocated by a call to 128 /// 'realloc' to allow modeling failed reallocation later in the path. 129 struct ReallocPair { 130 // \brief The symbol which realloc reallocated. 131 SymbolRef ReallocatedSym; 132 ReallocPairKind Kind; 133 134 ReallocPair(SymbolRef S, ReallocPairKind K) : 135 ReallocatedSym(S), Kind(K) {} 136 void Profile(llvm::FoldingSetNodeID &ID) const { 137 ID.AddInteger(Kind); 138 ID.AddPointer(ReallocatedSym); 139 } 140 bool operator==(const ReallocPair &X) const { 141 return ReallocatedSym == X.ReallocatedSym && 142 Kind == X.Kind; 143 } 144 }; 145 146 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 147 148 class MallocChecker : public Checker<check::DeadSymbols, 149 check::PointerEscape, 150 check::ConstPointerEscape, 151 check::PreStmt<ReturnStmt>, 152 check::PreCall, 153 check::PostStmt<CallExpr>, 154 check::PostStmt<CXXNewExpr>, 155 check::PreStmt<CXXDeleteExpr>, 156 check::PostStmt<BlockExpr>, 157 check::PostObjCMessage, 158 check::Location, 159 eval::Assume> 160 { 161 public: 162 MallocChecker() 163 : II_malloc(nullptr), II_free(nullptr), II_realloc(nullptr), 164 II_calloc(nullptr), II_valloc(nullptr), II_reallocf(nullptr), 165 II_strndup(nullptr), II_strdup(nullptr), II_kmalloc(nullptr), 166 II_if_nameindex(nullptr), II_if_freenameindex(nullptr) {} 167 168 /// In pessimistic mode, the checker assumes that it does not know which 169 /// functions might free the memory. 170 enum CheckKind { 171 CK_MallocPessimistic, 172 CK_MallocOptimistic, 173 CK_NewDeleteChecker, 174 CK_NewDeleteLeaksChecker, 175 CK_MismatchedDeallocatorChecker, 176 CK_NumCheckKinds 177 }; 178 179 enum class MemoryOperationKind { 180 MOK_Allocate, 181 MOK_Free, 182 MOK_Any 183 }; 184 185 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 186 CheckName CheckNames[CK_NumCheckKinds]; 187 188 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 189 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 190 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 191 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 192 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 193 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 194 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 195 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 196 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 197 bool Assumption) const; 198 void checkLocation(SVal l, bool isLoad, const Stmt *S, 199 CheckerContext &C) const; 200 201 ProgramStateRef checkPointerEscape(ProgramStateRef State, 202 const InvalidatedSymbols &Escaped, 203 const CallEvent *Call, 204 PointerEscapeKind Kind) const; 205 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 206 const InvalidatedSymbols &Escaped, 207 const CallEvent *Call, 208 PointerEscapeKind Kind) const; 209 210 void printState(raw_ostream &Out, ProgramStateRef State, 211 const char *NL, const char *Sep) const override; 212 213 private: 214 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 215 mutable std::unique_ptr<BugType> BT_DoubleDelete; 216 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; 217 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; 218 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; 219 mutable std::unique_ptr<BugType> BT_MismatchedDealloc; 220 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 221 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 222 *II_valloc, *II_reallocf, *II_strndup, *II_strdup, 223 *II_kmalloc, *II_if_nameindex, *II_if_freenameindex; 224 mutable Optional<uint64_t> KernelZeroFlagVal; 225 226 void initIdentifierInfo(ASTContext &C) const; 227 228 /// \brief Determine family of a deallocation expression. 229 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 230 231 /// \brief Print names of allocators and deallocators. 232 /// 233 /// \returns true on success. 234 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 235 const Expr *E) const; 236 237 /// \brief Print expected name of an allocator based on the deallocator's 238 /// family derived from the DeallocExpr. 239 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 240 const Expr *DeallocExpr) const; 241 /// \brief Print expected name of a deallocator based on the allocator's 242 /// family. 243 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 244 245 ///@{ 246 /// Check if this is one of the functions which can allocate/reallocate memory 247 /// pointed to by one of its arguments. 248 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 249 bool isCMemFunction(const FunctionDecl *FD, 250 ASTContext &C, 251 AllocationFamily Family, 252 MemoryOperationKind MemKind) const; 253 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 254 ///@} 255 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 256 const CallExpr *CE, 257 const OwnershipAttr* Att, 258 ProgramStateRef State) const; 259 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 260 const Expr *SizeEx, SVal Init, 261 ProgramStateRef State, 262 AllocationFamily Family = AF_Malloc); 263 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 264 SVal SizeEx, SVal Init, 265 ProgramStateRef State, 266 AllocationFamily Family = AF_Malloc); 267 268 // Check if this malloc() for special flags. At present that means M_ZERO or 269 // __GFP_ZERO (in which case, treat it like calloc). 270 llvm::Optional<ProgramStateRef> 271 performKernelMalloc(const CallExpr *CE, CheckerContext &C, 272 const ProgramStateRef &State) const; 273 274 /// Update the RefState to reflect the new memory allocation. 275 static ProgramStateRef 276 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 277 AllocationFamily Family = AF_Malloc); 278 279 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 280 const OwnershipAttr* Att, 281 ProgramStateRef State) const; 282 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 283 ProgramStateRef state, unsigned Num, 284 bool Hold, 285 bool &ReleasedAllocated, 286 bool ReturnsNullOnFailure = false) const; 287 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 288 const Expr *ParentExpr, 289 ProgramStateRef State, 290 bool Hold, 291 bool &ReleasedAllocated, 292 bool ReturnsNullOnFailure = false) const; 293 294 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 295 bool FreesMemOnFailure, 296 ProgramStateRef State) const; 297 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE, 298 ProgramStateRef State); 299 300 ///\brief Check if the memory associated with this symbol was released. 301 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 302 303 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 304 305 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 306 307 /// Check if the function is known free memory, or if it is 308 /// "interesting" and should be modeled explicitly. 309 /// 310 /// \param [out] EscapingSymbol A function might not free memory in general, 311 /// but could be known to free a particular symbol. In this case, false is 312 /// returned and the single escaping symbol is returned through the out 313 /// parameter. 314 /// 315 /// We assume that pointers do not escape through calls to system functions 316 /// not handled by this checker. 317 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 318 ProgramStateRef State, 319 SymbolRef &EscapingSymbol) const; 320 321 // Implementation of the checkPointerEscape callabcks. 322 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 323 const InvalidatedSymbols &Escaped, 324 const CallEvent *Call, 325 PointerEscapeKind Kind, 326 bool(*CheckRefState)(const RefState*)) const; 327 328 ///@{ 329 /// Tells if a given family/call/symbol is tracked by the current checker. 330 /// Sets CheckKind to the kind of the checker responsible for this 331 /// family/call/symbol. 332 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family) const; 333 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, 334 const Stmt *AllocDeallocStmt) const; 335 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const; 336 ///@} 337 static bool SummarizeValue(raw_ostream &os, SVal V); 338 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 339 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 340 const Expr *DeallocExpr) const; 341 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 342 const Expr *DeallocExpr, const RefState *RS, 343 SymbolRef Sym, bool OwnershipTransferred) const; 344 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 345 const Expr *DeallocExpr, 346 const Expr *AllocExpr = nullptr) const; 347 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 348 SymbolRef Sym) const; 349 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 350 SymbolRef Sym, SymbolRef PrevSym) const; 351 352 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 353 354 /// Find the location of the allocation for Sym on the path leading to the 355 /// exploded node N. 356 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 357 CheckerContext &C) const; 358 359 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 360 361 /// The bug visitor which allows us to print extra diagnostics along the 362 /// BugReport path. For example, showing the allocation site of the leaked 363 /// region. 364 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 365 protected: 366 enum NotificationMode { 367 Normal, 368 ReallocationFailed 369 }; 370 371 // The allocated region symbol tracked by the main analysis. 372 SymbolRef Sym; 373 374 // The mode we are in, i.e. what kind of diagnostics will be emitted. 375 NotificationMode Mode; 376 377 // A symbol from when the primary region should have been reallocated. 378 SymbolRef FailedReallocSymbol; 379 380 bool IsLeak; 381 382 public: 383 MallocBugVisitor(SymbolRef S, bool isLeak = false) 384 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), IsLeak(isLeak) {} 385 386 virtual ~MallocBugVisitor() {} 387 388 void Profile(llvm::FoldingSetNodeID &ID) const override { 389 static int X = 0; 390 ID.AddPointer(&X); 391 ID.AddPointer(Sym); 392 } 393 394 inline bool isAllocated(const RefState *S, const RefState *SPrev, 395 const Stmt *Stmt) { 396 // Did not track -> allocated. Other state (released) -> allocated. 397 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 398 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 399 } 400 401 inline bool isReleased(const RefState *S, const RefState *SPrev, 402 const Stmt *Stmt) { 403 // Did not track -> released. Other state (allocated) -> released. 404 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 405 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 406 } 407 408 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 409 const Stmt *Stmt) { 410 // Did not track -> relinquished. Other state (allocated) -> relinquished. 411 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 412 isa<ObjCPropertyRefExpr>(Stmt)) && 413 (S && S->isRelinquished()) && 414 (!SPrev || !SPrev->isRelinquished())); 415 } 416 417 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 418 const Stmt *Stmt) { 419 // If the expression is not a call, and the state change is 420 // released -> allocated, it must be the realloc return value 421 // check. If we have to handle more cases here, it might be cleaner just 422 // to track this extra bit in the state itself. 423 return ((!Stmt || !isa<CallExpr>(Stmt)) && 424 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 425 } 426 427 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 428 const ExplodedNode *PrevN, 429 BugReporterContext &BRC, 430 BugReport &BR) override; 431 432 std::unique_ptr<PathDiagnosticPiece> 433 getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode, 434 BugReport &BR) override { 435 if (!IsLeak) 436 return nullptr; 437 438 PathDiagnosticLocation L = 439 PathDiagnosticLocation::createEndOfPath(EndPathNode, 440 BRC.getSourceManager()); 441 // Do not add the statement itself as a range in case of leak. 442 return llvm::make_unique<PathDiagnosticEventPiece>(L, BR.getDescription(), 443 false); 444 } 445 446 private: 447 class StackHintGeneratorForReallocationFailed 448 : public StackHintGeneratorForSymbol { 449 public: 450 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 451 : StackHintGeneratorForSymbol(S, M) {} 452 453 std::string getMessageForArg(const Expr *ArgE, 454 unsigned ArgIndex) override { 455 // Printed parameters start at 1, not 0. 456 ++ArgIndex; 457 458 SmallString<200> buf; 459 llvm::raw_svector_ostream os(buf); 460 461 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 462 << " parameter failed"; 463 464 return os.str(); 465 } 466 467 std::string getMessageForReturn(const CallExpr *CallExpr) override { 468 return "Reallocation of returned value failed"; 469 } 470 }; 471 }; 472 }; 473 } // end anonymous namespace 474 475 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 476 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 477 478 // A map from the freed symbol to the symbol representing the return value of 479 // the free function. 480 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 481 482 namespace { 483 class StopTrackingCallback : public SymbolVisitor { 484 ProgramStateRef state; 485 public: 486 StopTrackingCallback(ProgramStateRef st) : state(st) {} 487 ProgramStateRef getState() const { return state; } 488 489 bool VisitSymbol(SymbolRef sym) override { 490 state = state->remove<RegionState>(sym); 491 return true; 492 } 493 }; 494 } // end anonymous namespace 495 496 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 497 if (II_malloc) 498 return; 499 II_malloc = &Ctx.Idents.get("malloc"); 500 II_free = &Ctx.Idents.get("free"); 501 II_realloc = &Ctx.Idents.get("realloc"); 502 II_reallocf = &Ctx.Idents.get("reallocf"); 503 II_calloc = &Ctx.Idents.get("calloc"); 504 II_valloc = &Ctx.Idents.get("valloc"); 505 II_strdup = &Ctx.Idents.get("strdup"); 506 II_strndup = &Ctx.Idents.get("strndup"); 507 II_kmalloc = &Ctx.Idents.get("kmalloc"); 508 II_if_nameindex = &Ctx.Idents.get("if_nameindex"); 509 II_if_freenameindex = &Ctx.Idents.get("if_freenameindex"); 510 } 511 512 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 513 if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any)) 514 return true; 515 516 if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 517 return true; 518 519 if (isStandardNewDelete(FD, C)) 520 return true; 521 522 return false; 523 } 524 525 bool MallocChecker::isCMemFunction(const FunctionDecl *FD, 526 ASTContext &C, 527 AllocationFamily Family, 528 MemoryOperationKind MemKind) const { 529 if (!FD) 530 return false; 531 532 bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any || 533 MemKind == MemoryOperationKind::MOK_Free); 534 bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any || 535 MemKind == MemoryOperationKind::MOK_Allocate); 536 537 if (FD->getKind() == Decl::Function) { 538 const IdentifierInfo *FunI = FD->getIdentifier(); 539 initIdentifierInfo(C); 540 541 if (Family == AF_Malloc && CheckFree) { 542 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 543 return true; 544 } 545 546 if (Family == AF_Malloc && CheckAlloc) { 547 if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf || 548 FunI == II_calloc || FunI == II_valloc || FunI == II_strdup || 549 FunI == II_strndup || FunI == II_kmalloc) 550 return true; 551 } 552 553 if (Family == AF_IfNameIndex && CheckFree) { 554 if (FunI == II_if_freenameindex) 555 return true; 556 } 557 558 if (Family == AF_IfNameIndex && CheckAlloc) { 559 if (FunI == II_if_nameindex) 560 return true; 561 } 562 } 563 564 if (Family != AF_Malloc) 565 return false; 566 567 if (ChecksEnabled[CK_MallocOptimistic] && FD->hasAttrs()) { 568 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 569 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 570 if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) { 571 if (CheckFree) 572 return true; 573 } else if (OwnKind == OwnershipAttr::Returns) { 574 if (CheckAlloc) 575 return true; 576 } 577 } 578 } 579 580 return false; 581 } 582 583 // Tells if the callee is one of the following: 584 // 1) A global non-placement new/delete operator function. 585 // 2) A global placement operator function with the single placement argument 586 // of type std::nothrow_t. 587 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 588 ASTContext &C) const { 589 if (!FD) 590 return false; 591 592 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 593 if (Kind != OO_New && Kind != OO_Array_New && 594 Kind != OO_Delete && Kind != OO_Array_Delete) 595 return false; 596 597 // Skip all operator new/delete methods. 598 if (isa<CXXMethodDecl>(FD)) 599 return false; 600 601 // Return true if tested operator is a standard placement nothrow operator. 602 if (FD->getNumParams() == 2) { 603 QualType T = FD->getParamDecl(1)->getType(); 604 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 605 return II->getName().equals("nothrow_t"); 606 } 607 608 // Skip placement operators. 609 if (FD->getNumParams() != 1 || FD->isVariadic()) 610 return false; 611 612 // One of the standard new/new[]/delete/delete[] non-placement operators. 613 return true; 614 } 615 616 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc( 617 const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const { 618 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: 619 // 620 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); 621 // 622 // One of the possible flags is M_ZERO, which means 'give me back an 623 // allocation which is already zeroed', like calloc. 624 625 // 2-argument kmalloc(), as used in the Linux kernel: 626 // 627 // void *kmalloc(size_t size, gfp_t flags); 628 // 629 // Has the similar flag value __GFP_ZERO. 630 631 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some 632 // code could be shared. 633 634 ASTContext &Ctx = C.getASTContext(); 635 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); 636 637 if (!KernelZeroFlagVal.hasValue()) { 638 if (OS == llvm::Triple::FreeBSD) 639 KernelZeroFlagVal = 0x0100; 640 else if (OS == llvm::Triple::NetBSD) 641 KernelZeroFlagVal = 0x0002; 642 else if (OS == llvm::Triple::OpenBSD) 643 KernelZeroFlagVal = 0x0008; 644 else if (OS == llvm::Triple::Linux) 645 // __GFP_ZERO 646 KernelZeroFlagVal = 0x8000; 647 else 648 // FIXME: We need a more general way of getting the M_ZERO value. 649 // See also: O_CREAT in UnixAPIChecker.cpp. 650 651 // Fall back to normal malloc behavior on platforms where we don't 652 // know M_ZERO. 653 return None; 654 } 655 656 // We treat the last argument as the flags argument, and callers fall-back to 657 // normal malloc on a None return. This works for the FreeBSD kernel malloc 658 // as well as Linux kmalloc. 659 if (CE->getNumArgs() < 2) 660 return None; 661 662 const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1); 663 const SVal V = State->getSVal(FlagsEx, C.getLocationContext()); 664 if (!V.getAs<NonLoc>()) { 665 // The case where 'V' can be a location can only be due to a bad header, 666 // so in this case bail out. 667 return None; 668 } 669 670 NonLoc Flags = V.castAs<NonLoc>(); 671 NonLoc ZeroFlag = C.getSValBuilder() 672 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) 673 .castAs<NonLoc>(); 674 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, 675 Flags, ZeroFlag, 676 FlagsEx->getType()); 677 if (MaskedFlagsUC.isUnknownOrUndef()) 678 return None; 679 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); 680 681 // Check if maskedFlags is non-zero. 682 ProgramStateRef TrueState, FalseState; 683 std::tie(TrueState, FalseState) = State->assume(MaskedFlags); 684 685 // If M_ZERO is set, treat this like calloc (initialized). 686 if (TrueState && !FalseState) { 687 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); 688 return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState); 689 } 690 691 return None; 692 } 693 694 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 695 if (C.wasInlined) 696 return; 697 698 const FunctionDecl *FD = C.getCalleeDecl(CE); 699 if (!FD) 700 return; 701 702 ProgramStateRef State = C.getState(); 703 bool ReleasedAllocatedMemory = false; 704 705 if (FD->getKind() == Decl::Function) { 706 initIdentifierInfo(C.getASTContext()); 707 IdentifierInfo *FunI = FD->getIdentifier(); 708 709 if (FunI == II_malloc) { 710 if (CE->getNumArgs() < 1) 711 return; 712 if (CE->getNumArgs() < 3) { 713 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 714 } else if (CE->getNumArgs() == 3) { 715 llvm::Optional<ProgramStateRef> MaybeState = 716 performKernelMalloc(CE, C, State); 717 if (MaybeState.hasValue()) 718 State = MaybeState.getValue(); 719 else 720 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 721 } 722 } else if (FunI == II_kmalloc) { 723 llvm::Optional<ProgramStateRef> MaybeState = 724 performKernelMalloc(CE, C, State); 725 if (MaybeState.hasValue()) 726 State = MaybeState.getValue(); 727 else 728 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 729 } else if (FunI == II_valloc) { 730 if (CE->getNumArgs() < 1) 731 return; 732 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 733 } else if (FunI == II_realloc) { 734 State = ReallocMem(C, CE, false, State); 735 } else if (FunI == II_reallocf) { 736 State = ReallocMem(C, CE, true, State); 737 } else if (FunI == II_calloc) { 738 State = CallocMem(C, CE, State); 739 } else if (FunI == II_free) { 740 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 741 } else if (FunI == II_strdup) { 742 State = MallocUpdateRefState(C, CE, State); 743 } else if (FunI == II_strndup) { 744 State = MallocUpdateRefState(C, CE, State); 745 } 746 else if (isStandardNewDelete(FD, C.getASTContext())) { 747 // Process direct calls to operator new/new[]/delete/delete[] functions 748 // as distinct from new/new[]/delete/delete[] expressions that are 749 // processed by the checkPostStmt callbacks for CXXNewExpr and 750 // CXXDeleteExpr. 751 OverloadedOperatorKind K = FD->getOverloadedOperator(); 752 if (K == OO_New) 753 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 754 AF_CXXNew); 755 else if (K == OO_Array_New) 756 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 757 AF_CXXNewArray); 758 else if (K == OO_Delete || K == OO_Array_Delete) 759 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 760 else 761 llvm_unreachable("not a new/delete operator"); 762 } else if (FunI == II_if_nameindex) { 763 // Should we model this differently? We can allocate a fixed number of 764 // elements with zeros in the last one. 765 State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, 766 AF_IfNameIndex); 767 } else if (FunI == II_if_freenameindex) { 768 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 769 } 770 } 771 772 if (ChecksEnabled[CK_MallocOptimistic] || 773 ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 774 // Check all the attributes, if there are any. 775 // There can be multiple of these attributes. 776 if (FD->hasAttrs()) 777 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 778 switch (I->getOwnKind()) { 779 case OwnershipAttr::Returns: 780 State = MallocMemReturnsAttr(C, CE, I, State); 781 break; 782 case OwnershipAttr::Takes: 783 case OwnershipAttr::Holds: 784 State = FreeMemAttr(C, CE, I, State); 785 break; 786 } 787 } 788 } 789 C.addTransition(State); 790 } 791 792 static QualType getDeepPointeeType(QualType T) { 793 QualType Result = T, PointeeType = T->getPointeeType(); 794 while (!PointeeType.isNull()) { 795 Result = PointeeType; 796 PointeeType = PointeeType->getPointeeType(); 797 } 798 return Result; 799 } 800 801 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) { 802 803 const CXXConstructExpr *ConstructE = NE->getConstructExpr(); 804 if (!ConstructE) 805 return false; 806 807 if (!NE->getAllocatedType()->getAsCXXRecordDecl()) 808 return false; 809 810 const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); 811 812 // Iterate over the constructor parameters. 813 for (const auto *CtorParam : CtorD->params()) { 814 815 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); 816 if (CtorParamPointeeT.isNull()) 817 continue; 818 819 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); 820 821 if (CtorParamPointeeT->getAsCXXRecordDecl()) 822 return true; 823 } 824 825 return false; 826 } 827 828 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 829 CheckerContext &C) const { 830 831 if (NE->getNumPlacementArgs()) 832 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 833 E = NE->placement_arg_end(); I != E; ++I) 834 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 835 checkUseAfterFree(Sym, C, *I); 836 837 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 838 return; 839 840 ParentMap &PM = C.getLocationContext()->getParentMap(); 841 if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE)) 842 return; 843 844 ProgramStateRef State = C.getState(); 845 // The return value from operator new is bound to a specified initialization 846 // value (if any) and we don't want to loose this value. So we call 847 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 848 // existing binding. 849 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 850 : AF_CXXNew); 851 C.addTransition(State); 852 } 853 854 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 855 CheckerContext &C) const { 856 857 if (!ChecksEnabled[CK_NewDeleteChecker]) 858 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 859 checkUseAfterFree(Sym, C, DE->getArgument()); 860 861 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 862 return; 863 864 ProgramStateRef State = C.getState(); 865 bool ReleasedAllocated; 866 State = FreeMemAux(C, DE->getArgument(), DE, State, 867 /*Hold*/false, ReleasedAllocated); 868 869 C.addTransition(State); 870 } 871 872 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 873 // If the first selector piece is one of the names below, assume that the 874 // object takes ownership of the memory, promising to eventually deallocate it 875 // with free(). 876 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 877 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 878 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 879 if (FirstSlot == "dataWithBytesNoCopy" || 880 FirstSlot == "initWithBytesNoCopy" || 881 FirstSlot == "initWithCharactersNoCopy") 882 return true; 883 884 return false; 885 } 886 887 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 888 Selector S = Call.getSelector(); 889 890 // FIXME: We should not rely on fully-constrained symbols being folded. 891 for (unsigned i = 1; i < S.getNumArgs(); ++i) 892 if (S.getNameForSlot(i).equals("freeWhenDone")) 893 return !Call.getArgSVal(i).isZeroConstant(); 894 895 return None; 896 } 897 898 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 899 CheckerContext &C) const { 900 if (C.wasInlined) 901 return; 902 903 if (!isKnownDeallocObjCMethodName(Call)) 904 return; 905 906 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 907 if (!*FreeWhenDone) 908 return; 909 910 bool ReleasedAllocatedMemory; 911 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 912 Call.getOriginExpr(), C.getState(), 913 /*Hold=*/true, ReleasedAllocatedMemory, 914 /*RetNullOnFailure=*/true); 915 916 C.addTransition(State); 917 } 918 919 ProgramStateRef 920 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, 921 const OwnershipAttr *Att, 922 ProgramStateRef State) const { 923 if (!State) 924 return nullptr; 925 926 if (Att->getModule() != II_malloc) 927 return nullptr; 928 929 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 930 if (I != E) { 931 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), State); 932 } 933 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State); 934 } 935 936 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 937 const CallExpr *CE, 938 const Expr *SizeEx, SVal Init, 939 ProgramStateRef State, 940 AllocationFamily Family) { 941 if (!State) 942 return nullptr; 943 944 return MallocMemAux(C, CE, State->getSVal(SizeEx, C.getLocationContext()), 945 Init, State, Family); 946 } 947 948 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 949 const CallExpr *CE, 950 SVal Size, SVal Init, 951 ProgramStateRef State, 952 AllocationFamily Family) { 953 if (!State) 954 return nullptr; 955 956 // We expect the malloc functions to return a pointer. 957 if (!Loc::isLocType(CE->getType())) 958 return nullptr; 959 960 // Bind the return value to the symbolic value from the heap region. 961 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 962 // side effects other than what we model here. 963 unsigned Count = C.blockCount(); 964 SValBuilder &svalBuilder = C.getSValBuilder(); 965 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 966 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 967 .castAs<DefinedSVal>(); 968 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 969 970 // Fill the region with the initialization value. 971 State = State->bindDefault(RetVal, Init); 972 973 // Set the region's extent equal to the Size parameter. 974 const SymbolicRegion *R = 975 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 976 if (!R) 977 return nullptr; 978 if (Optional<DefinedOrUnknownSVal> DefinedSize = 979 Size.getAs<DefinedOrUnknownSVal>()) { 980 SValBuilder &svalBuilder = C.getSValBuilder(); 981 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 982 DefinedOrUnknownSVal extentMatchesSize = 983 svalBuilder.evalEQ(State, Extent, *DefinedSize); 984 985 State = State->assume(extentMatchesSize, true); 986 assert(State); 987 } 988 989 return MallocUpdateRefState(C, CE, State, Family); 990 } 991 992 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 993 const Expr *E, 994 ProgramStateRef State, 995 AllocationFamily Family) { 996 if (!State) 997 return nullptr; 998 999 // Get the return value. 1000 SVal retVal = State->getSVal(E, C.getLocationContext()); 1001 1002 // We expect the malloc functions to return a pointer. 1003 if (!retVal.getAs<Loc>()) 1004 return nullptr; 1005 1006 SymbolRef Sym = retVal.getAsLocSymbol(); 1007 assert(Sym); 1008 1009 // Set the symbol's state to Allocated. 1010 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 1011 } 1012 1013 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 1014 const CallExpr *CE, 1015 const OwnershipAttr *Att, 1016 ProgramStateRef State) const { 1017 if (!State) 1018 return nullptr; 1019 1020 if (Att->getModule() != II_malloc) 1021 return nullptr; 1022 1023 bool ReleasedAllocated = false; 1024 1025 for (const auto &Arg : Att->args()) { 1026 ProgramStateRef StateI = FreeMemAux(C, CE, State, Arg, 1027 Att->getOwnKind() == OwnershipAttr::Holds, 1028 ReleasedAllocated); 1029 if (StateI) 1030 State = StateI; 1031 } 1032 return State; 1033 } 1034 1035 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1036 const CallExpr *CE, 1037 ProgramStateRef State, 1038 unsigned Num, 1039 bool Hold, 1040 bool &ReleasedAllocated, 1041 bool ReturnsNullOnFailure) const { 1042 if (!State) 1043 return nullptr; 1044 1045 if (CE->getNumArgs() < (Num + 1)) 1046 return nullptr; 1047 1048 return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, 1049 ReleasedAllocated, ReturnsNullOnFailure); 1050 } 1051 1052 /// Checks if the previous call to free on the given symbol failed - if free 1053 /// failed, returns true. Also, returns the corresponding return value symbol. 1054 static bool didPreviousFreeFail(ProgramStateRef State, 1055 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 1056 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 1057 if (Ret) { 1058 assert(*Ret && "We should not store the null return symbol"); 1059 ConstraintManager &CMgr = State->getConstraintManager(); 1060 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 1061 RetStatusSymbol = *Ret; 1062 return FreeFailed.isConstrainedTrue(); 1063 } 1064 return false; 1065 } 1066 1067 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 1068 const Stmt *S) const { 1069 if (!S) 1070 return AF_None; 1071 1072 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1073 const FunctionDecl *FD = C.getCalleeDecl(CE); 1074 1075 if (!FD) 1076 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 1077 1078 ASTContext &Ctx = C.getASTContext(); 1079 1080 if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any)) 1081 return AF_Malloc; 1082 1083 if (isStandardNewDelete(FD, Ctx)) { 1084 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 1085 if (Kind == OO_New || Kind == OO_Delete) 1086 return AF_CXXNew; 1087 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 1088 return AF_CXXNewArray; 1089 } 1090 1091 if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 1092 return AF_IfNameIndex; 1093 1094 return AF_None; 1095 } 1096 1097 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 1098 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 1099 1100 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 1101 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 1102 1103 if (isa<ObjCMessageExpr>(S)) 1104 return AF_Malloc; 1105 1106 return AF_None; 1107 } 1108 1109 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 1110 const Expr *E) const { 1111 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1112 // FIXME: This doesn't handle indirect calls. 1113 const FunctionDecl *FD = CE->getDirectCallee(); 1114 if (!FD) 1115 return false; 1116 1117 os << *FD; 1118 if (!FD->isOverloadedOperator()) 1119 os << "()"; 1120 return true; 1121 } 1122 1123 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 1124 if (Msg->isInstanceMessage()) 1125 os << "-"; 1126 else 1127 os << "+"; 1128 Msg->getSelector().print(os); 1129 return true; 1130 } 1131 1132 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1133 os << "'" 1134 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 1135 << "'"; 1136 return true; 1137 } 1138 1139 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 1140 os << "'" 1141 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 1142 << "'"; 1143 return true; 1144 } 1145 1146 return false; 1147 } 1148 1149 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 1150 const Expr *E) const { 1151 AllocationFamily Family = getAllocationFamily(C, E); 1152 1153 switch(Family) { 1154 case AF_Malloc: os << "malloc()"; return; 1155 case AF_CXXNew: os << "'new'"; return; 1156 case AF_CXXNewArray: os << "'new[]'"; return; 1157 case AF_IfNameIndex: os << "'if_nameindex()'"; return; 1158 case AF_None: llvm_unreachable("not a deallocation expression"); 1159 } 1160 } 1161 1162 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 1163 AllocationFamily Family) const { 1164 switch(Family) { 1165 case AF_Malloc: os << "free()"; return; 1166 case AF_CXXNew: os << "'delete'"; return; 1167 case AF_CXXNewArray: os << "'delete[]'"; return; 1168 case AF_IfNameIndex: os << "'if_freenameindex()'"; return; 1169 case AF_None: llvm_unreachable("suspicious AF_None argument"); 1170 } 1171 } 1172 1173 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1174 const Expr *ArgExpr, 1175 const Expr *ParentExpr, 1176 ProgramStateRef State, 1177 bool Hold, 1178 bool &ReleasedAllocated, 1179 bool ReturnsNullOnFailure) const { 1180 1181 if (!State) 1182 return nullptr; 1183 1184 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 1185 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 1186 return nullptr; 1187 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 1188 1189 // Check for null dereferences. 1190 if (!location.getAs<Loc>()) 1191 return nullptr; 1192 1193 // The explicit NULL case, no operation is performed. 1194 ProgramStateRef notNullState, nullState; 1195 std::tie(notNullState, nullState) = State->assume(location); 1196 if (nullState && !notNullState) 1197 return nullptr; 1198 1199 // Unknown values could easily be okay 1200 // Undefined values are handled elsewhere 1201 if (ArgVal.isUnknownOrUndef()) 1202 return nullptr; 1203 1204 const MemRegion *R = ArgVal.getAsRegion(); 1205 1206 // Nonlocs can't be freed, of course. 1207 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 1208 if (!R) { 1209 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1210 return nullptr; 1211 } 1212 1213 R = R->StripCasts(); 1214 1215 // Blocks might show up as heap data, but should not be free()d 1216 if (isa<BlockDataRegion>(R)) { 1217 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1218 return nullptr; 1219 } 1220 1221 const MemSpaceRegion *MS = R->getMemorySpace(); 1222 1223 // Parameters, locals, statics, globals, and memory returned by alloca() 1224 // shouldn't be freed. 1225 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1226 // FIXME: at the time this code was written, malloc() regions were 1227 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1228 // This means that there isn't actually anything from HeapSpaceRegion 1229 // that should be freed, even though we allow it here. 1230 // Of course, free() can work on memory allocated outside the current 1231 // function, so UnknownSpaceRegion is always a possibility. 1232 // False negatives are better than false positives. 1233 1234 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1235 return nullptr; 1236 } 1237 1238 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1239 // Various cases could lead to non-symbol values here. 1240 // For now, ignore them. 1241 if (!SrBase) 1242 return nullptr; 1243 1244 SymbolRef SymBase = SrBase->getSymbol(); 1245 const RefState *RsBase = State->get<RegionState>(SymBase); 1246 SymbolRef PreviousRetStatusSymbol = nullptr; 1247 1248 if (RsBase) { 1249 1250 // Check for double free first. 1251 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1252 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1253 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1254 SymBase, PreviousRetStatusSymbol); 1255 return nullptr; 1256 1257 // If the pointer is allocated or escaped, but we are now trying to free it, 1258 // check that the call to free is proper. 1259 } else if (RsBase->isAllocated() || RsBase->isEscaped()) { 1260 1261 // Check if an expected deallocation function matches the real one. 1262 bool DeallocMatchesAlloc = 1263 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1264 if (!DeallocMatchesAlloc) { 1265 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1266 ParentExpr, RsBase, SymBase, Hold); 1267 return nullptr; 1268 } 1269 1270 // Check if the memory location being freed is the actual location 1271 // allocated, or an offset. 1272 RegionOffset Offset = R->getAsOffset(); 1273 if (Offset.isValid() && 1274 !Offset.hasSymbolicOffset() && 1275 Offset.getOffset() != 0) { 1276 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1277 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1278 AllocExpr); 1279 return nullptr; 1280 } 1281 } 1282 } 1283 1284 ReleasedAllocated = (RsBase != nullptr) && RsBase->isAllocated(); 1285 1286 // Clean out the info on previous call to free return info. 1287 State = State->remove<FreeReturnValue>(SymBase); 1288 1289 // Keep track of the return value. If it is NULL, we will know that free 1290 // failed. 1291 if (ReturnsNullOnFailure) { 1292 SVal RetVal = C.getSVal(ParentExpr); 1293 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1294 if (RetStatusSymbol) { 1295 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1296 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1297 } 1298 } 1299 1300 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() 1301 : getAllocationFamily(C, ParentExpr); 1302 // Normal free. 1303 if (Hold) 1304 return State->set<RegionState>(SymBase, 1305 RefState::getRelinquished(Family, 1306 ParentExpr)); 1307 1308 return State->set<RegionState>(SymBase, 1309 RefState::getReleased(Family, ParentExpr)); 1310 } 1311 1312 Optional<MallocChecker::CheckKind> 1313 MallocChecker::getCheckIfTracked(AllocationFamily Family) const { 1314 switch (Family) { 1315 case AF_Malloc: 1316 case AF_IfNameIndex: { 1317 if (ChecksEnabled[CK_MallocOptimistic]) { 1318 return CK_MallocOptimistic; 1319 } else if (ChecksEnabled[CK_MallocPessimistic]) { 1320 return CK_MallocPessimistic; 1321 } 1322 return Optional<MallocChecker::CheckKind>(); 1323 } 1324 case AF_CXXNew: 1325 case AF_CXXNewArray: { 1326 if (ChecksEnabled[CK_NewDeleteChecker]) { 1327 return CK_NewDeleteChecker; 1328 } 1329 return Optional<MallocChecker::CheckKind>(); 1330 } 1331 case AF_None: { 1332 llvm_unreachable("no family"); 1333 } 1334 } 1335 llvm_unreachable("unhandled family"); 1336 } 1337 1338 Optional<MallocChecker::CheckKind> 1339 MallocChecker::getCheckIfTracked(CheckerContext &C, 1340 const Stmt *AllocDeallocStmt) const { 1341 return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt)); 1342 } 1343 1344 Optional<MallocChecker::CheckKind> 1345 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const { 1346 1347 const RefState *RS = C.getState()->get<RegionState>(Sym); 1348 assert(RS); 1349 return getCheckIfTracked(RS->getAllocationFamily()); 1350 } 1351 1352 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1353 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1354 os << "an integer (" << IntVal->getValue() << ")"; 1355 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1356 os << "a constant address (" << ConstAddr->getValue() << ")"; 1357 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1358 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1359 else 1360 return false; 1361 1362 return true; 1363 } 1364 1365 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1366 const MemRegion *MR) { 1367 switch (MR->getKind()) { 1368 case MemRegion::FunctionTextRegionKind: { 1369 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 1370 if (FD) 1371 os << "the address of the function '" << *FD << '\''; 1372 else 1373 os << "the address of a function"; 1374 return true; 1375 } 1376 case MemRegion::BlockTextRegionKind: 1377 os << "block text"; 1378 return true; 1379 case MemRegion::BlockDataRegionKind: 1380 // FIXME: where the block came from? 1381 os << "a block"; 1382 return true; 1383 default: { 1384 const MemSpaceRegion *MS = MR->getMemorySpace(); 1385 1386 if (isa<StackLocalsSpaceRegion>(MS)) { 1387 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1388 const VarDecl *VD; 1389 if (VR) 1390 VD = VR->getDecl(); 1391 else 1392 VD = nullptr; 1393 1394 if (VD) 1395 os << "the address of the local variable '" << VD->getName() << "'"; 1396 else 1397 os << "the address of a local stack variable"; 1398 return true; 1399 } 1400 1401 if (isa<StackArgumentsSpaceRegion>(MS)) { 1402 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1403 const VarDecl *VD; 1404 if (VR) 1405 VD = VR->getDecl(); 1406 else 1407 VD = nullptr; 1408 1409 if (VD) 1410 os << "the address of the parameter '" << VD->getName() << "'"; 1411 else 1412 os << "the address of a parameter"; 1413 return true; 1414 } 1415 1416 if (isa<GlobalsSpaceRegion>(MS)) { 1417 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1418 const VarDecl *VD; 1419 if (VR) 1420 VD = VR->getDecl(); 1421 else 1422 VD = nullptr; 1423 1424 if (VD) { 1425 if (VD->isStaticLocal()) 1426 os << "the address of the static variable '" << VD->getName() << "'"; 1427 else 1428 os << "the address of the global variable '" << VD->getName() << "'"; 1429 } else 1430 os << "the address of a global variable"; 1431 return true; 1432 } 1433 1434 return false; 1435 } 1436 } 1437 } 1438 1439 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1440 SourceRange Range, 1441 const Expr *DeallocExpr) const { 1442 1443 if (!ChecksEnabled[CK_MallocOptimistic] && 1444 !ChecksEnabled[CK_MallocPessimistic] && 1445 !ChecksEnabled[CK_NewDeleteChecker]) 1446 return; 1447 1448 Optional<MallocChecker::CheckKind> CheckKind = 1449 getCheckIfTracked(C, DeallocExpr); 1450 if (!CheckKind.hasValue()) 1451 return; 1452 1453 if (ExplodedNode *N = C.generateSink()) { 1454 if (!BT_BadFree[*CheckKind]) 1455 BT_BadFree[*CheckKind].reset( 1456 new BugType(CheckNames[*CheckKind], "Bad free", "Memory Error")); 1457 1458 SmallString<100> buf; 1459 llvm::raw_svector_ostream os(buf); 1460 1461 const MemRegion *MR = ArgVal.getAsRegion(); 1462 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1463 MR = ER->getSuperRegion(); 1464 1465 if (MR && isa<AllocaRegion>(MR)) 1466 os << "Memory allocated by alloca() should not be deallocated"; 1467 else { 1468 os << "Argument to "; 1469 if (!printAllocDeallocName(os, C, DeallocExpr)) 1470 os << "deallocator"; 1471 1472 os << " is "; 1473 bool Summarized = MR ? SummarizeRegion(os, MR) 1474 : SummarizeValue(os, ArgVal); 1475 if (Summarized) 1476 os << ", which is not memory allocated by "; 1477 else 1478 os << "not memory allocated by "; 1479 1480 printExpectedAllocName(os, C, DeallocExpr); 1481 } 1482 1483 BugReport *R = new BugReport(*BT_BadFree[*CheckKind], os.str(), N); 1484 R->markInteresting(MR); 1485 R->addRange(Range); 1486 C.emitReport(R); 1487 } 1488 } 1489 1490 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1491 SourceRange Range, 1492 const Expr *DeallocExpr, 1493 const RefState *RS, 1494 SymbolRef Sym, 1495 bool OwnershipTransferred) const { 1496 1497 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1498 return; 1499 1500 if (ExplodedNode *N = C.generateSink()) { 1501 if (!BT_MismatchedDealloc) 1502 BT_MismatchedDealloc.reset( 1503 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 1504 "Bad deallocator", "Memory Error")); 1505 1506 SmallString<100> buf; 1507 llvm::raw_svector_ostream os(buf); 1508 1509 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1510 SmallString<20> AllocBuf; 1511 llvm::raw_svector_ostream AllocOs(AllocBuf); 1512 SmallString<20> DeallocBuf; 1513 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1514 1515 if (OwnershipTransferred) { 1516 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1517 os << DeallocOs.str() << " cannot"; 1518 else 1519 os << "Cannot"; 1520 1521 os << " take ownership of memory"; 1522 1523 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1524 os << " allocated by " << AllocOs.str(); 1525 } else { 1526 os << "Memory"; 1527 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1528 os << " allocated by " << AllocOs.str(); 1529 1530 os << " should be deallocated by "; 1531 printExpectedDeallocName(os, RS->getAllocationFamily()); 1532 1533 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1534 os << ", not " << DeallocOs.str(); 1535 } 1536 1537 BugReport *R = new BugReport(*BT_MismatchedDealloc, os.str(), N); 1538 R->markInteresting(Sym); 1539 R->addRange(Range); 1540 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1541 C.emitReport(R); 1542 } 1543 } 1544 1545 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1546 SourceRange Range, const Expr *DeallocExpr, 1547 const Expr *AllocExpr) const { 1548 1549 if (!ChecksEnabled[CK_MallocOptimistic] && 1550 !ChecksEnabled[CK_MallocPessimistic] && 1551 !ChecksEnabled[CK_NewDeleteChecker]) 1552 return; 1553 1554 Optional<MallocChecker::CheckKind> CheckKind = 1555 getCheckIfTracked(C, AllocExpr); 1556 if (!CheckKind.hasValue()) 1557 return; 1558 1559 ExplodedNode *N = C.generateSink(); 1560 if (!N) 1561 return; 1562 1563 if (!BT_OffsetFree[*CheckKind]) 1564 BT_OffsetFree[*CheckKind].reset( 1565 new BugType(CheckNames[*CheckKind], "Offset free", "Memory Error")); 1566 1567 SmallString<100> buf; 1568 llvm::raw_svector_ostream os(buf); 1569 SmallString<20> AllocNameBuf; 1570 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1571 1572 const MemRegion *MR = ArgVal.getAsRegion(); 1573 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1574 1575 RegionOffset Offset = MR->getAsOffset(); 1576 assert((Offset.isValid() && 1577 !Offset.hasSymbolicOffset() && 1578 Offset.getOffset() != 0) && 1579 "Only symbols with a valid offset can have offset free errors"); 1580 1581 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1582 1583 os << "Argument to "; 1584 if (!printAllocDeallocName(os, C, DeallocExpr)) 1585 os << "deallocator"; 1586 os << " is offset by " 1587 << offsetBytes 1588 << " " 1589 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1590 << " from the start of "; 1591 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1592 os << "memory allocated by " << AllocNameOs.str(); 1593 else 1594 os << "allocated memory"; 1595 1596 BugReport *R = new BugReport(*BT_OffsetFree[*CheckKind], os.str(), N); 1597 R->markInteresting(MR->getBaseRegion()); 1598 R->addRange(Range); 1599 C.emitReport(R); 1600 } 1601 1602 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1603 SymbolRef Sym) const { 1604 1605 if (!ChecksEnabled[CK_MallocOptimistic] && 1606 !ChecksEnabled[CK_MallocPessimistic] && 1607 !ChecksEnabled[CK_NewDeleteChecker]) 1608 return; 1609 1610 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1611 if (!CheckKind.hasValue()) 1612 return; 1613 1614 if (ExplodedNode *N = C.generateSink()) { 1615 if (!BT_UseFree[*CheckKind]) 1616 BT_UseFree[*CheckKind].reset(new BugType( 1617 CheckNames[*CheckKind], "Use-after-free", "Memory Error")); 1618 1619 BugReport *R = new BugReport(*BT_UseFree[*CheckKind], 1620 "Use of memory after it is freed", N); 1621 1622 R->markInteresting(Sym); 1623 R->addRange(Range); 1624 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1625 C.emitReport(R); 1626 } 1627 } 1628 1629 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1630 bool Released, SymbolRef Sym, 1631 SymbolRef PrevSym) const { 1632 1633 if (!ChecksEnabled[CK_MallocOptimistic] && 1634 !ChecksEnabled[CK_MallocPessimistic] && 1635 !ChecksEnabled[CK_NewDeleteChecker]) 1636 return; 1637 1638 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1639 if (!CheckKind.hasValue()) 1640 return; 1641 1642 if (ExplodedNode *N = C.generateSink()) { 1643 if (!BT_DoubleFree[*CheckKind]) 1644 BT_DoubleFree[*CheckKind].reset( 1645 new BugType(CheckNames[*CheckKind], "Double free", "Memory Error")); 1646 1647 BugReport *R = 1648 new BugReport(*BT_DoubleFree[*CheckKind], 1649 (Released ? "Attempt to free released memory" 1650 : "Attempt to free non-owned memory"), 1651 N); 1652 R->addRange(Range); 1653 R->markInteresting(Sym); 1654 if (PrevSym) 1655 R->markInteresting(PrevSym); 1656 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1657 C.emitReport(R); 1658 } 1659 } 1660 1661 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 1662 1663 if (!ChecksEnabled[CK_NewDeleteChecker]) 1664 return; 1665 1666 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1667 if (!CheckKind.hasValue()) 1668 return; 1669 assert(*CheckKind == CK_NewDeleteChecker && "invalid check kind"); 1670 1671 if (ExplodedNode *N = C.generateSink()) { 1672 if (!BT_DoubleDelete) 1673 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 1674 "Double delete", "Memory Error")); 1675 1676 BugReport *R = new BugReport(*BT_DoubleDelete, 1677 "Attempt to delete released memory", N); 1678 1679 R->markInteresting(Sym); 1680 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1681 C.emitReport(R); 1682 } 1683 } 1684 1685 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 1686 const CallExpr *CE, 1687 bool FreesOnFail, 1688 ProgramStateRef State) const { 1689 if (!State) 1690 return nullptr; 1691 1692 if (CE->getNumArgs() < 2) 1693 return nullptr; 1694 1695 const Expr *arg0Expr = CE->getArg(0); 1696 const LocationContext *LCtx = C.getLocationContext(); 1697 SVal Arg0Val = State->getSVal(arg0Expr, LCtx); 1698 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 1699 return nullptr; 1700 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 1701 1702 SValBuilder &svalBuilder = C.getSValBuilder(); 1703 1704 DefinedOrUnknownSVal PtrEQ = 1705 svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull()); 1706 1707 // Get the size argument. If there is no size arg then give up. 1708 const Expr *Arg1 = CE->getArg(1); 1709 if (!Arg1) 1710 return nullptr; 1711 1712 // Get the value of the size argument. 1713 SVal Arg1ValG = State->getSVal(Arg1, LCtx); 1714 if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) 1715 return nullptr; 1716 DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); 1717 1718 // Compare the size argument to 0. 1719 DefinedOrUnknownSVal SizeZero = 1720 svalBuilder.evalEQ(State, Arg1Val, 1721 svalBuilder.makeIntValWithPtrWidth(0, false)); 1722 1723 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 1724 std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); 1725 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 1726 std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); 1727 // We only assume exceptional states if they are definitely true; if the 1728 // state is under-constrained, assume regular realloc behavior. 1729 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 1730 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 1731 1732 // If the ptr is NULL and the size is not 0, the call is equivalent to 1733 // malloc(size). 1734 if ( PrtIsNull && !SizeIsZero) { 1735 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 1736 UndefinedVal(), StatePtrIsNull); 1737 return stateMalloc; 1738 } 1739 1740 if (PrtIsNull && SizeIsZero) 1741 return nullptr; 1742 1743 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 1744 assert(!PrtIsNull); 1745 SymbolRef FromPtr = arg0Val.getAsSymbol(); 1746 SVal RetVal = State->getSVal(CE, LCtx); 1747 SymbolRef ToPtr = RetVal.getAsSymbol(); 1748 if (!FromPtr || !ToPtr) 1749 return nullptr; 1750 1751 bool ReleasedAllocated = false; 1752 1753 // If the size is 0, free the memory. 1754 if (SizeIsZero) 1755 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 1756 false, ReleasedAllocated)){ 1757 // The semantics of the return value are: 1758 // If size was equal to 0, either NULL or a pointer suitable to be passed 1759 // to free() is returned. We just free the input pointer and do not add 1760 // any constrains on the output pointer. 1761 return stateFree; 1762 } 1763 1764 // Default behavior. 1765 if (ProgramStateRef stateFree = 1766 FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) { 1767 1768 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 1769 UnknownVal(), stateFree); 1770 if (!stateRealloc) 1771 return nullptr; 1772 1773 ReallocPairKind Kind = RPToBeFreedAfterFailure; 1774 if (FreesOnFail) 1775 Kind = RPIsFreeOnFailure; 1776 else if (!ReleasedAllocated) 1777 Kind = RPDoNotTrackAfterFailure; 1778 1779 // Record the info about the reallocated symbol so that we could properly 1780 // process failed reallocation. 1781 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 1782 ReallocPair(FromPtr, Kind)); 1783 // The reallocated symbol should stay alive for as long as the new symbol. 1784 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 1785 return stateRealloc; 1786 } 1787 return nullptr; 1788 } 1789 1790 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE, 1791 ProgramStateRef State) { 1792 if (!State) 1793 return nullptr; 1794 1795 if (CE->getNumArgs() < 2) 1796 return nullptr; 1797 1798 SValBuilder &svalBuilder = C.getSValBuilder(); 1799 const LocationContext *LCtx = C.getLocationContext(); 1800 SVal count = State->getSVal(CE->getArg(0), LCtx); 1801 SVal elementSize = State->getSVal(CE->getArg(1), LCtx); 1802 SVal TotalSize = svalBuilder.evalBinOp(State, BO_Mul, count, elementSize, 1803 svalBuilder.getContext().getSizeType()); 1804 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1805 1806 return MallocMemAux(C, CE, TotalSize, zeroVal, State); 1807 } 1808 1809 LeakInfo 1810 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 1811 CheckerContext &C) const { 1812 const LocationContext *LeakContext = N->getLocationContext(); 1813 // Walk the ExplodedGraph backwards and find the first node that referred to 1814 // the tracked symbol. 1815 const ExplodedNode *AllocNode = N; 1816 const MemRegion *ReferenceRegion = nullptr; 1817 1818 while (N) { 1819 ProgramStateRef State = N->getState(); 1820 if (!State->get<RegionState>(Sym)) 1821 break; 1822 1823 // Find the most recent expression bound to the symbol in the current 1824 // context. 1825 if (!ReferenceRegion) { 1826 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 1827 SVal Val = State->getSVal(MR); 1828 if (Val.getAsLocSymbol() == Sym) { 1829 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); 1830 // Do not show local variables belonging to a function other than 1831 // where the error is reported. 1832 if (!VR || 1833 (VR->getStackFrame() == LeakContext->getCurrentStackFrame())) 1834 ReferenceRegion = MR; 1835 } 1836 } 1837 } 1838 1839 // Allocation node, is the last node in the current or parent context in 1840 // which the symbol was tracked. 1841 const LocationContext *NContext = N->getLocationContext(); 1842 if (NContext == LeakContext || 1843 NContext->isParentOf(LeakContext)) 1844 AllocNode = N; 1845 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 1846 } 1847 1848 return LeakInfo(AllocNode, ReferenceRegion); 1849 } 1850 1851 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1852 CheckerContext &C) const { 1853 1854 if (!ChecksEnabled[CK_MallocOptimistic] && 1855 !ChecksEnabled[CK_MallocPessimistic] && 1856 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 1857 return; 1858 1859 const RefState *RS = C.getState()->get<RegionState>(Sym); 1860 assert(RS && "cannot leak an untracked symbol"); 1861 AllocationFamily Family = RS->getAllocationFamily(); 1862 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 1863 if (!CheckKind.hasValue()) 1864 return; 1865 1866 // Special case for new and new[]; these are controlled by a separate checker 1867 // flag so that they can be selectively disabled. 1868 if (Family == AF_CXXNew || Family == AF_CXXNewArray) 1869 if (!ChecksEnabled[CK_NewDeleteLeaksChecker]) 1870 return; 1871 1872 assert(N); 1873 if (!BT_Leak[*CheckKind]) { 1874 BT_Leak[*CheckKind].reset( 1875 new BugType(CheckNames[*CheckKind], "Memory leak", "Memory Error")); 1876 // Leaks should not be reported if they are post-dominated by a sink: 1877 // (1) Sinks are higher importance bugs. 1878 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1879 // with __noreturn functions such as assert() or exit(). We choose not 1880 // to report leaks on such paths. 1881 BT_Leak[*CheckKind]->setSuppressOnSink(true); 1882 } 1883 1884 // Most bug reports are cached at the location where they occurred. 1885 // With leaks, we want to unique them by the location where they were 1886 // allocated, and only report a single path. 1887 PathDiagnosticLocation LocUsedForUniqueing; 1888 const ExplodedNode *AllocNode = nullptr; 1889 const MemRegion *Region = nullptr; 1890 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 1891 1892 ProgramPoint P = AllocNode->getLocation(); 1893 const Stmt *AllocationStmt = nullptr; 1894 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 1895 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1896 else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) 1897 AllocationStmt = SP->getStmt(); 1898 if (AllocationStmt) 1899 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 1900 C.getSourceManager(), 1901 AllocNode->getLocationContext()); 1902 1903 SmallString<200> buf; 1904 llvm::raw_svector_ostream os(buf); 1905 if (Region && Region->canPrintPretty()) { 1906 os << "Potential leak of memory pointed to by "; 1907 Region->printPretty(os); 1908 } else { 1909 os << "Potential memory leak"; 1910 } 1911 1912 BugReport *R = 1913 new BugReport(*BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 1914 AllocNode->getLocationContext()->getDecl()); 1915 R->markInteresting(Sym); 1916 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true)); 1917 C.emitReport(R); 1918 } 1919 1920 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1921 CheckerContext &C) const 1922 { 1923 if (!SymReaper.hasDeadSymbols()) 1924 return; 1925 1926 ProgramStateRef state = C.getState(); 1927 RegionStateTy RS = state->get<RegionState>(); 1928 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1929 1930 SmallVector<SymbolRef, 2> Errors; 1931 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1932 if (SymReaper.isDead(I->first)) { 1933 if (I->second.isAllocated()) 1934 Errors.push_back(I->first); 1935 // Remove the dead symbol from the map. 1936 RS = F.remove(RS, I->first); 1937 1938 } 1939 } 1940 1941 // Cleanup the Realloc Pairs Map. 1942 ReallocPairsTy RP = state->get<ReallocPairs>(); 1943 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1944 if (SymReaper.isDead(I->first) || 1945 SymReaper.isDead(I->second.ReallocatedSym)) { 1946 state = state->remove<ReallocPairs>(I->first); 1947 } 1948 } 1949 1950 // Cleanup the FreeReturnValue Map. 1951 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 1952 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 1953 if (SymReaper.isDead(I->first) || 1954 SymReaper.isDead(I->second)) { 1955 state = state->remove<FreeReturnValue>(I->first); 1956 } 1957 } 1958 1959 // Generate leak node. 1960 ExplodedNode *N = C.getPredecessor(); 1961 if (!Errors.empty()) { 1962 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 1963 N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 1964 for (SmallVectorImpl<SymbolRef>::iterator 1965 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 1966 reportLeak(*I, N, C); 1967 } 1968 } 1969 1970 C.addTransition(state->set<RegionState>(RS), N); 1971 } 1972 1973 void MallocChecker::checkPreCall(const CallEvent &Call, 1974 CheckerContext &C) const { 1975 1976 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { 1977 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 1978 if (!Sym || checkDoubleDelete(Sym, C)) 1979 return; 1980 } 1981 1982 // We will check for double free in the post visit. 1983 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 1984 const FunctionDecl *FD = FC->getDecl(); 1985 if (!FD) 1986 return; 1987 1988 ASTContext &Ctx = C.getASTContext(); 1989 if ((ChecksEnabled[CK_MallocOptimistic] || 1990 ChecksEnabled[CK_MallocPessimistic]) && 1991 (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) || 1992 isCMemFunction(FD, Ctx, AF_IfNameIndex, 1993 MemoryOperationKind::MOK_Free))) 1994 return; 1995 1996 if (ChecksEnabled[CK_NewDeleteChecker] && 1997 isStandardNewDelete(FD, Ctx)) 1998 return; 1999 } 2000 2001 // Check if the callee of a method is deleted. 2002 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 2003 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 2004 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 2005 return; 2006 } 2007 2008 // Check arguments for being used after free. 2009 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 2010 SVal ArgSVal = Call.getArgSVal(I); 2011 if (ArgSVal.getAs<Loc>()) { 2012 SymbolRef Sym = ArgSVal.getAsSymbol(); 2013 if (!Sym) 2014 continue; 2015 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 2016 return; 2017 } 2018 } 2019 } 2020 2021 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 2022 const Expr *E = S->getRetValue(); 2023 if (!E) 2024 return; 2025 2026 // Check if we are returning a symbol. 2027 ProgramStateRef State = C.getState(); 2028 SVal RetVal = State->getSVal(E, C.getLocationContext()); 2029 SymbolRef Sym = RetVal.getAsSymbol(); 2030 if (!Sym) 2031 // If we are returning a field of the allocated struct or an array element, 2032 // the callee could still free the memory. 2033 // TODO: This logic should be a part of generic symbol escape callback. 2034 if (const MemRegion *MR = RetVal.getAsRegion()) 2035 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 2036 if (const SymbolicRegion *BMR = 2037 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 2038 Sym = BMR->getSymbol(); 2039 2040 // Check if we are returning freed memory. 2041 if (Sym) 2042 checkUseAfterFree(Sym, C, E); 2043 } 2044 2045 // TODO: Blocks should be either inlined or should call invalidate regions 2046 // upon invocation. After that's in place, special casing here will not be 2047 // needed. 2048 void MallocChecker::checkPostStmt(const BlockExpr *BE, 2049 CheckerContext &C) const { 2050 2051 // Scan the BlockDecRefExprs for any object the retain count checker 2052 // may be tracking. 2053 if (!BE->getBlockDecl()->hasCaptures()) 2054 return; 2055 2056 ProgramStateRef state = C.getState(); 2057 const BlockDataRegion *R = 2058 cast<BlockDataRegion>(state->getSVal(BE, 2059 C.getLocationContext()).getAsRegion()); 2060 2061 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2062 E = R->referenced_vars_end(); 2063 2064 if (I == E) 2065 return; 2066 2067 SmallVector<const MemRegion*, 10> Regions; 2068 const LocationContext *LC = C.getLocationContext(); 2069 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2070 2071 for ( ; I != E; ++I) { 2072 const VarRegion *VR = I.getCapturedRegion(); 2073 if (VR->getSuperRegion() == R) { 2074 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2075 } 2076 Regions.push_back(VR); 2077 } 2078 2079 state = 2080 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 2081 Regions.data() + Regions.size()).getState(); 2082 C.addTransition(state); 2083 } 2084 2085 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 2086 assert(Sym); 2087 const RefState *RS = C.getState()->get<RegionState>(Sym); 2088 return (RS && RS->isReleased()); 2089 } 2090 2091 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 2092 const Stmt *S) const { 2093 2094 if (isReleased(Sym, C)) { 2095 ReportUseAfterFree(C, S->getSourceRange(), Sym); 2096 return true; 2097 } 2098 2099 return false; 2100 } 2101 2102 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 2103 2104 if (isReleased(Sym, C)) { 2105 ReportDoubleDelete(C, Sym); 2106 return true; 2107 } 2108 return false; 2109 } 2110 2111 // Check if the location is a freed symbolic region. 2112 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 2113 CheckerContext &C) const { 2114 SymbolRef Sym = l.getLocSymbolInBase(); 2115 if (Sym) 2116 checkUseAfterFree(Sym, C, S); 2117 } 2118 2119 // If a symbolic region is assumed to NULL (or another constant), stop tracking 2120 // it - assuming that allocation failed on this path. 2121 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 2122 SVal Cond, 2123 bool Assumption) const { 2124 RegionStateTy RS = state->get<RegionState>(); 2125 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2126 // If the symbol is assumed to be NULL, remove it from consideration. 2127 ConstraintManager &CMgr = state->getConstraintManager(); 2128 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2129 if (AllocFailed.isConstrainedTrue()) 2130 state = state->remove<RegionState>(I.getKey()); 2131 } 2132 2133 // Realloc returns 0 when reallocation fails, which means that we should 2134 // restore the state of the pointer being reallocated. 2135 ReallocPairsTy RP = state->get<ReallocPairs>(); 2136 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2137 // If the symbol is assumed to be NULL, remove it from consideration. 2138 ConstraintManager &CMgr = state->getConstraintManager(); 2139 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2140 if (!AllocFailed.isConstrainedTrue()) 2141 continue; 2142 2143 SymbolRef ReallocSym = I.getData().ReallocatedSym; 2144 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 2145 if (RS->isReleased()) { 2146 if (I.getData().Kind == RPToBeFreedAfterFailure) 2147 state = state->set<RegionState>(ReallocSym, 2148 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 2149 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 2150 state = state->remove<RegionState>(ReallocSym); 2151 else 2152 assert(I.getData().Kind == RPIsFreeOnFailure); 2153 } 2154 } 2155 state = state->remove<ReallocPairs>(I.getKey()); 2156 } 2157 2158 return state; 2159 } 2160 2161 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 2162 const CallEvent *Call, 2163 ProgramStateRef State, 2164 SymbolRef &EscapingSymbol) const { 2165 assert(Call); 2166 EscapingSymbol = nullptr; 2167 2168 // For now, assume that any C++ or block call can free memory. 2169 // TODO: If we want to be more optimistic here, we'll need to make sure that 2170 // regions escape to C++ containers. They seem to do that even now, but for 2171 // mysterious reasons. 2172 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 2173 return true; 2174 2175 // Check Objective-C messages by selector name. 2176 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 2177 // If it's not a framework call, or if it takes a callback, assume it 2178 // can free memory. 2179 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 2180 return true; 2181 2182 // If it's a method we know about, handle it explicitly post-call. 2183 // This should happen before the "freeWhenDone" check below. 2184 if (isKnownDeallocObjCMethodName(*Msg)) 2185 return false; 2186 2187 // If there's a "freeWhenDone" parameter, but the method isn't one we know 2188 // about, we can't be sure that the object will use free() to deallocate the 2189 // memory, so we can't model it explicitly. The best we can do is use it to 2190 // decide whether the pointer escapes. 2191 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 2192 return *FreeWhenDone; 2193 2194 // If the first selector piece ends with "NoCopy", and there is no 2195 // "freeWhenDone" parameter set to zero, we know ownership is being 2196 // transferred. Again, though, we can't be sure that the object will use 2197 // free() to deallocate the memory, so we can't model it explicitly. 2198 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 2199 if (FirstSlot.endswith("NoCopy")) 2200 return true; 2201 2202 // If the first selector starts with addPointer, insertPointer, 2203 // or replacePointer, assume we are dealing with NSPointerArray or similar. 2204 // This is similar to C++ containers (vector); we still might want to check 2205 // that the pointers get freed by following the container itself. 2206 if (FirstSlot.startswith("addPointer") || 2207 FirstSlot.startswith("insertPointer") || 2208 FirstSlot.startswith("replacePointer") || 2209 FirstSlot.equals("valueWithPointer")) { 2210 return true; 2211 } 2212 2213 // We should escape receiver on call to 'init'. This is especially relevant 2214 // to the receiver, as the corresponding symbol is usually not referenced 2215 // after the call. 2216 if (Msg->getMethodFamily() == OMF_init) { 2217 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 2218 return true; 2219 } 2220 2221 // Otherwise, assume that the method does not free memory. 2222 // Most framework methods do not free memory. 2223 return false; 2224 } 2225 2226 // At this point the only thing left to handle is straight function calls. 2227 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 2228 if (!FD) 2229 return true; 2230 2231 ASTContext &ASTC = State->getStateManager().getContext(); 2232 2233 // If it's one of the allocation functions we can reason about, we model 2234 // its behavior explicitly. 2235 if (isMemFunction(FD, ASTC)) 2236 return false; 2237 2238 // If it's not a system call, assume it frees memory. 2239 if (!Call->isInSystemHeader()) 2240 return true; 2241 2242 // White list the system functions whose arguments escape. 2243 const IdentifierInfo *II = FD->getIdentifier(); 2244 if (!II) 2245 return true; 2246 StringRef FName = II->getName(); 2247 2248 // White list the 'XXXNoCopy' CoreFoundation functions. 2249 // We specifically check these before 2250 if (FName.endswith("NoCopy")) { 2251 // Look for the deallocator argument. We know that the memory ownership 2252 // is not transferred only if the deallocator argument is 2253 // 'kCFAllocatorNull'. 2254 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 2255 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 2256 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 2257 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 2258 if (DeallocatorName == "kCFAllocatorNull") 2259 return false; 2260 } 2261 } 2262 return true; 2263 } 2264 2265 // Associating streams with malloced buffers. The pointer can escape if 2266 // 'closefn' is specified (and if that function does free memory), 2267 // but it will not if closefn is not specified. 2268 // Currently, we do not inspect the 'closefn' function (PR12101). 2269 if (FName == "funopen") 2270 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 2271 return false; 2272 2273 // Do not warn on pointers passed to 'setbuf' when used with std streams, 2274 // these leaks might be intentional when setting the buffer for stdio. 2275 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 2276 if (FName == "setbuf" || FName =="setbuffer" || 2277 FName == "setlinebuf" || FName == "setvbuf") { 2278 if (Call->getNumArgs() >= 1) { 2279 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 2280 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 2281 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 2282 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 2283 return true; 2284 } 2285 } 2286 2287 // A bunch of other functions which either take ownership of a pointer or 2288 // wrap the result up in a struct or object, meaning it can be freed later. 2289 // (See RetainCountChecker.) Not all the parameters here are invalidated, 2290 // but the Malloc checker cannot differentiate between them. The right way 2291 // of doing this would be to implement a pointer escapes callback. 2292 if (FName == "CGBitmapContextCreate" || 2293 FName == "CGBitmapContextCreateWithData" || 2294 FName == "CVPixelBufferCreateWithBytes" || 2295 FName == "CVPixelBufferCreateWithPlanarBytes" || 2296 FName == "OSAtomicEnqueue") { 2297 return true; 2298 } 2299 2300 // Handle cases where we know a buffer's /address/ can escape. 2301 // Note that the above checks handle some special cases where we know that 2302 // even though the address escapes, it's still our responsibility to free the 2303 // buffer. 2304 if (Call->argumentsMayEscape()) 2305 return true; 2306 2307 // Otherwise, assume that the function does not free memory. 2308 // Most system calls do not free the memory. 2309 return false; 2310 } 2311 2312 static bool retTrue(const RefState *RS) { 2313 return true; 2314 } 2315 2316 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2317 return (RS->getAllocationFamily() == AF_CXXNewArray || 2318 RS->getAllocationFamily() == AF_CXXNew); 2319 } 2320 2321 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2322 const InvalidatedSymbols &Escaped, 2323 const CallEvent *Call, 2324 PointerEscapeKind Kind) const { 2325 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 2326 } 2327 2328 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2329 const InvalidatedSymbols &Escaped, 2330 const CallEvent *Call, 2331 PointerEscapeKind Kind) const { 2332 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2333 &checkIfNewOrNewArrayFamily); 2334 } 2335 2336 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 2337 const InvalidatedSymbols &Escaped, 2338 const CallEvent *Call, 2339 PointerEscapeKind Kind, 2340 bool(*CheckRefState)(const RefState*)) const { 2341 // If we know that the call does not free memory, or we want to process the 2342 // call later, keep tracking the top level arguments. 2343 SymbolRef EscapingSymbol = nullptr; 2344 if (Kind == PSK_DirectEscapeOnCall && 2345 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 2346 EscapingSymbol) && 2347 !EscapingSymbol) { 2348 return State; 2349 } 2350 2351 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 2352 E = Escaped.end(); 2353 I != E; ++I) { 2354 SymbolRef sym = *I; 2355 2356 if (EscapingSymbol && EscapingSymbol != sym) 2357 continue; 2358 2359 if (const RefState *RS = State->get<RegionState>(sym)) { 2360 if (RS->isAllocated() && CheckRefState(RS)) { 2361 State = State->remove<RegionState>(sym); 2362 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 2363 } 2364 } 2365 } 2366 return State; 2367 } 2368 2369 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2370 ProgramStateRef prevState) { 2371 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2372 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2373 2374 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2375 I != E; ++I) { 2376 SymbolRef sym = I.getKey(); 2377 if (!currMap.lookup(sym)) 2378 return sym; 2379 } 2380 2381 return nullptr; 2382 } 2383 2384 PathDiagnosticPiece * 2385 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 2386 const ExplodedNode *PrevN, 2387 BugReporterContext &BRC, 2388 BugReport &BR) { 2389 ProgramStateRef state = N->getState(); 2390 ProgramStateRef statePrev = PrevN->getState(); 2391 2392 const RefState *RS = state->get<RegionState>(Sym); 2393 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2394 if (!RS) 2395 return nullptr; 2396 2397 const Stmt *S = nullptr; 2398 const char *Msg = nullptr; 2399 StackHintGeneratorForSymbol *StackHint = nullptr; 2400 2401 // Retrieve the associated statement. 2402 ProgramPoint ProgLoc = N->getLocation(); 2403 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) { 2404 S = SP->getStmt(); 2405 } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) { 2406 S = Exit->getCalleeContext()->getCallSite(); 2407 } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) { 2408 // If an assumption was made on a branch, it should be caught 2409 // here by looking at the state transition. 2410 S = Edge->getSrc()->getTerminator(); 2411 } 2412 2413 if (!S) 2414 return nullptr; 2415 2416 // FIXME: We will eventually need to handle non-statement-based events 2417 // (__attribute__((cleanup))). 2418 2419 // Find out if this is an interesting point and what is the kind. 2420 if (Mode == Normal) { 2421 if (isAllocated(RS, RSPrev, S)) { 2422 Msg = "Memory is allocated"; 2423 StackHint = new StackHintGeneratorForSymbol(Sym, 2424 "Returned allocated memory"); 2425 } else if (isReleased(RS, RSPrev, S)) { 2426 Msg = "Memory is released"; 2427 StackHint = new StackHintGeneratorForSymbol(Sym, 2428 "Returning; memory was released"); 2429 } else if (isRelinquished(RS, RSPrev, S)) { 2430 Msg = "Memory ownership is transferred"; 2431 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 2432 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 2433 Mode = ReallocationFailed; 2434 Msg = "Reallocation failed"; 2435 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 2436 "Reallocation failed"); 2437 2438 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2439 // Is it possible to fail two reallocs WITHOUT testing in between? 2440 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2441 "We only support one failed realloc at a time."); 2442 BR.markInteresting(sym); 2443 FailedReallocSymbol = sym; 2444 } 2445 } 2446 2447 // We are in a special mode if a reallocation failed later in the path. 2448 } else if (Mode == ReallocationFailed) { 2449 assert(FailedReallocSymbol && "No symbol to look for."); 2450 2451 // Is this is the first appearance of the reallocated symbol? 2452 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2453 // We're at the reallocation point. 2454 Msg = "Attempt to reallocate memory"; 2455 StackHint = new StackHintGeneratorForSymbol(Sym, 2456 "Returned reallocated memory"); 2457 FailedReallocSymbol = nullptr; 2458 Mode = Normal; 2459 } 2460 } 2461 2462 if (!Msg) 2463 return nullptr; 2464 assert(StackHint); 2465 2466 // Generate the extra diagnostic. 2467 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2468 N->getLocationContext()); 2469 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 2470 } 2471 2472 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2473 const char *NL, const char *Sep) const { 2474 2475 RegionStateTy RS = State->get<RegionState>(); 2476 2477 if (!RS.isEmpty()) { 2478 Out << Sep << "MallocChecker :" << NL; 2479 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2480 const RefState *RefS = State->get<RegionState>(I.getKey()); 2481 AllocationFamily Family = RefS->getAllocationFamily(); 2482 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2483 2484 I.getKey()->dumpToStream(Out); 2485 Out << " : "; 2486 I.getData().dump(Out); 2487 if (CheckKind.hasValue()) 2488 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 2489 Out << NL; 2490 } 2491 } 2492 } 2493 2494 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) { 2495 registerCStringCheckerBasic(mgr); 2496 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); 2497 checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true; 2498 checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] = 2499 mgr.getCurrentCheckName(); 2500 // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete 2501 // checker. 2502 if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker]) 2503 checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true; 2504 } 2505 2506 #define REGISTER_CHECKER(name) \ 2507 void ento::register##name(CheckerManager &mgr) { \ 2508 registerCStringCheckerBasic(mgr); \ 2509 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \ 2510 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 2511 checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \ 2512 } 2513 2514 REGISTER_CHECKER(MallocPessimistic) 2515 REGISTER_CHECKER(MallocOptimistic) 2516 REGISTER_CHECKER(NewDeleteChecker) 2517 REGISTER_CHECKER(MismatchedDeallocatorChecker) 2518