1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/AST/ParentMap.h" 19 #include "clang/Basic/SourceManager.h" 20 #include "clang/Basic/TargetInfo.h" 21 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 22 #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" 23 #include "clang/StaticAnalyzer/Core/Checker.h" 24 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 27 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 28 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 29 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 30 #include "llvm/ADT/STLExtras.h" 31 #include "llvm/ADT/SmallString.h" 32 #include "llvm/ADT/StringExtras.h" 33 #include "AllocationState.h" 34 #include <climits> 35 #include <utility> 36 37 using namespace clang; 38 using namespace ento; 39 40 namespace { 41 42 // Used to check correspondence between allocators and deallocators. 43 enum AllocationFamily { 44 AF_None, 45 AF_Malloc, 46 AF_CXXNew, 47 AF_CXXNewArray, 48 AF_IfNameIndex, 49 AF_Alloca, 50 AF_InternalBuffer 51 }; 52 53 class RefState { 54 enum Kind { // Reference to allocated memory. 55 Allocated, 56 // Reference to zero-allocated memory. 57 AllocatedOfSizeZero, 58 // Reference to released/freed memory. 59 Released, 60 // The responsibility for freeing resources has transferred from 61 // this reference. A relinquished symbol should not be freed. 62 Relinquished, 63 // We are no longer guaranteed to have observed all manipulations 64 // of this pointer/memory. For example, it could have been 65 // passed as a parameter to an opaque function. 66 Escaped 67 }; 68 69 const Stmt *S; 70 unsigned K : 3; // Kind enum, but stored as a bitfield. 71 unsigned Family : 29; // Rest of 32-bit word, currently just an allocation 72 // family. 73 74 RefState(Kind k, const Stmt *s, unsigned family) 75 : S(s), K(k), Family(family) { 76 assert(family != AF_None); 77 } 78 public: 79 bool isAllocated() const { return K == Allocated; } 80 bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; } 81 bool isReleased() const { return K == Released; } 82 bool isRelinquished() const { return K == Relinquished; } 83 bool isEscaped() const { return K == Escaped; } 84 AllocationFamily getAllocationFamily() const { 85 return (AllocationFamily)Family; 86 } 87 const Stmt *getStmt() const { return S; } 88 89 bool operator==(const RefState &X) const { 90 return K == X.K && S == X.S && Family == X.Family; 91 } 92 93 static RefState getAllocated(unsigned family, const Stmt *s) { 94 return RefState(Allocated, s, family); 95 } 96 static RefState getAllocatedOfSizeZero(const RefState *RS) { 97 return RefState(AllocatedOfSizeZero, RS->getStmt(), 98 RS->getAllocationFamily()); 99 } 100 static RefState getReleased(unsigned family, const Stmt *s) { 101 return RefState(Released, s, family); 102 } 103 static RefState getRelinquished(unsigned family, const Stmt *s) { 104 return RefState(Relinquished, s, family); 105 } 106 static RefState getEscaped(const RefState *RS) { 107 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 108 } 109 110 void Profile(llvm::FoldingSetNodeID &ID) const { 111 ID.AddInteger(K); 112 ID.AddPointer(S); 113 ID.AddInteger(Family); 114 } 115 116 void dump(raw_ostream &OS) const { 117 switch (static_cast<Kind>(K)) { 118 #define CASE(ID) case ID: OS << #ID; break; 119 CASE(Allocated) 120 CASE(AllocatedOfSizeZero) 121 CASE(Released) 122 CASE(Relinquished) 123 CASE(Escaped) 124 } 125 } 126 127 LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); } 128 }; 129 130 enum ReallocPairKind { 131 RPToBeFreedAfterFailure, 132 // The symbol has been freed when reallocation failed. 133 RPIsFreeOnFailure, 134 // The symbol does not need to be freed after reallocation fails. 135 RPDoNotTrackAfterFailure 136 }; 137 138 /// \class ReallocPair 139 /// Stores information about the symbol being reallocated by a call to 140 /// 'realloc' to allow modeling failed reallocation later in the path. 141 struct ReallocPair { 142 // The symbol which realloc reallocated. 143 SymbolRef ReallocatedSym; 144 ReallocPairKind Kind; 145 146 ReallocPair(SymbolRef S, ReallocPairKind K) : 147 ReallocatedSym(S), Kind(K) {} 148 void Profile(llvm::FoldingSetNodeID &ID) const { 149 ID.AddInteger(Kind); 150 ID.AddPointer(ReallocatedSym); 151 } 152 bool operator==(const ReallocPair &X) const { 153 return ReallocatedSym == X.ReallocatedSym && 154 Kind == X.Kind; 155 } 156 }; 157 158 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 159 160 class MallocChecker : public Checker<check::DeadSymbols, 161 check::PointerEscape, 162 check::ConstPointerEscape, 163 check::PreStmt<ReturnStmt>, 164 check::PreCall, 165 check::PostStmt<CallExpr>, 166 check::PostStmt<CXXNewExpr>, 167 check::NewAllocator, 168 check::PreStmt<CXXDeleteExpr>, 169 check::PostStmt<BlockExpr>, 170 check::PostObjCMessage, 171 check::Location, 172 eval::Assume> 173 { 174 public: 175 MallocChecker() 176 : II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr), 177 II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr), 178 II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr), 179 II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr), 180 II_if_nameindex(nullptr), II_if_freenameindex(nullptr), 181 II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr), 182 II_g_malloc0(nullptr), II_g_realloc(nullptr), II_g_try_malloc(nullptr), 183 II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr), 184 II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr), 185 II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr), 186 II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr), 187 II_g_try_realloc_n(nullptr) {} 188 189 /// In pessimistic mode, the checker assumes that it does not know which 190 /// functions might free the memory. 191 enum CheckKind { 192 CK_MallocChecker, 193 CK_NewDeleteChecker, 194 CK_NewDeleteLeaksChecker, 195 CK_MismatchedDeallocatorChecker, 196 CK_NumCheckKinds 197 }; 198 199 enum class MemoryOperationKind { 200 MOK_Allocate, 201 MOK_Free, 202 MOK_Any 203 }; 204 205 DefaultBool IsOptimistic; 206 207 DefaultBool ChecksEnabled[CK_NumCheckKinds]; 208 CheckName CheckNames[CK_NumCheckKinds]; 209 210 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 211 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 212 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 213 void checkNewAllocator(const CXXNewExpr *NE, SVal Target, 214 CheckerContext &C) const; 215 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 216 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 217 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 218 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 219 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 220 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 221 bool Assumption) const; 222 void checkLocation(SVal l, bool isLoad, const Stmt *S, 223 CheckerContext &C) const; 224 225 ProgramStateRef checkPointerEscape(ProgramStateRef State, 226 const InvalidatedSymbols &Escaped, 227 const CallEvent *Call, 228 PointerEscapeKind Kind) const; 229 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 230 const InvalidatedSymbols &Escaped, 231 const CallEvent *Call, 232 PointerEscapeKind Kind) const; 233 234 void printState(raw_ostream &Out, ProgramStateRef State, 235 const char *NL, const char *Sep) const override; 236 237 private: 238 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; 239 mutable std::unique_ptr<BugType> BT_DoubleDelete; 240 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; 241 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; 242 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; 243 mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds]; 244 mutable std::unique_ptr<BugType> BT_MismatchedDealloc; 245 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; 246 mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds]; 247 mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free, 248 *II_realloc, *II_calloc, *II_valloc, *II_reallocf, 249 *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc, 250 *II_if_nameindex, *II_if_freenameindex, *II_wcsdup, 251 *II_win_wcsdup, *II_g_malloc, *II_g_malloc0, 252 *II_g_realloc, *II_g_try_malloc, *II_g_try_malloc0, 253 *II_g_try_realloc, *II_g_free, *II_g_memdup, 254 *II_g_malloc_n, *II_g_malloc0_n, *II_g_realloc_n, 255 *II_g_try_malloc_n, *II_g_try_malloc0_n, 256 *II_g_try_realloc_n; 257 mutable Optional<uint64_t> KernelZeroFlagVal; 258 259 void initIdentifierInfo(ASTContext &C) const; 260 261 /// Determine family of a deallocation expression. 262 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 263 264 /// Print names of allocators and deallocators. 265 /// 266 /// \returns true on success. 267 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 268 const Expr *E) const; 269 270 /// Print expected name of an allocator based on the deallocator's 271 /// family derived from the DeallocExpr. 272 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 273 const Expr *DeallocExpr) const; 274 /// Print expected name of a deallocator based on the allocator's 275 /// family. 276 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 277 278 ///@{ 279 /// Check if this is one of the functions which can allocate/reallocate memory 280 /// pointed to by one of its arguments. 281 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 282 bool isCMemFunction(const FunctionDecl *FD, 283 ASTContext &C, 284 AllocationFamily Family, 285 MemoryOperationKind MemKind) const; 286 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 287 ///@} 288 289 /// Process C++ operator new()'s allocation, which is the part of C++ 290 /// new-expression that goes before the constructor. 291 void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C, 292 SVal Target) const; 293 294 /// Perform a zero-allocation check. 295 /// The optional \p RetVal parameter specifies the newly allocated pointer 296 /// value; if unspecified, the value of expression \p E is used. 297 ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E, 298 const unsigned AllocationSizeArg, 299 ProgramStateRef State, 300 Optional<SVal> RetVal = None) const; 301 302 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 303 const CallExpr *CE, 304 const OwnershipAttr* Att, 305 ProgramStateRef State) const; 306 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 307 const Expr *SizeEx, SVal Init, 308 ProgramStateRef State, 309 AllocationFamily Family = AF_Malloc); 310 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 311 SVal SizeEx, SVal Init, 312 ProgramStateRef State, 313 AllocationFamily Family = AF_Malloc); 314 315 static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE, 316 ProgramStateRef State, SVal Target); 317 318 // Check if this malloc() for special flags. At present that means M_ZERO or 319 // __GFP_ZERO (in which case, treat it like calloc). 320 llvm::Optional<ProgramStateRef> 321 performKernelMalloc(const CallExpr *CE, CheckerContext &C, 322 const ProgramStateRef &State) const; 323 324 /// Update the RefState to reflect the new memory allocation. 325 /// The optional \p RetVal parameter specifies the newly allocated pointer 326 /// value; if unspecified, the value of expression \p E is used. 327 static ProgramStateRef 328 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 329 AllocationFamily Family = AF_Malloc, 330 Optional<SVal> RetVal = None); 331 332 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 333 const OwnershipAttr* Att, 334 ProgramStateRef State) const; 335 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 336 ProgramStateRef state, unsigned Num, 337 bool Hold, 338 bool &ReleasedAllocated, 339 bool ReturnsNullOnFailure = false) const; 340 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 341 const Expr *ParentExpr, 342 ProgramStateRef State, 343 bool Hold, 344 bool &ReleasedAllocated, 345 bool ReturnsNullOnFailure = false) const; 346 347 ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE, 348 bool FreesMemOnFailure, 349 ProgramStateRef State, 350 bool SuffixWithN = false) const; 351 static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 352 const Expr *BlockBytes); 353 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE, 354 ProgramStateRef State); 355 356 ///Check if the memory associated with this symbol was released. 357 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 358 359 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 360 361 void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 362 const Stmt *S) const; 363 364 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; 365 366 /// Check if the function is known free memory, or if it is 367 /// "interesting" and should be modeled explicitly. 368 /// 369 /// \param [out] EscapingSymbol A function might not free memory in general, 370 /// but could be known to free a particular symbol. In this case, false is 371 /// returned and the single escaping symbol is returned through the out 372 /// parameter. 373 /// 374 /// We assume that pointers do not escape through calls to system functions 375 /// not handled by this checker. 376 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 377 ProgramStateRef State, 378 SymbolRef &EscapingSymbol) const; 379 380 // Implementation of the checkPointerEscape callabcks. 381 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 382 const InvalidatedSymbols &Escaped, 383 const CallEvent *Call, 384 PointerEscapeKind Kind, 385 bool(*CheckRefState)(const RefState*)) const; 386 387 ///@{ 388 /// Tells if a given family/call/symbol is tracked by the current checker. 389 /// Sets CheckKind to the kind of the checker responsible for this 390 /// family/call/symbol. 391 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family, 392 bool IsALeakCheck = false) const; 393 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, 394 const Stmt *AllocDeallocStmt, 395 bool IsALeakCheck = false) const; 396 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 397 bool IsALeakCheck = false) const; 398 ///@} 399 static bool SummarizeValue(raw_ostream &os, SVal V); 400 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 401 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 402 const Expr *DeallocExpr) const; 403 void ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 404 SourceRange Range) const; 405 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 406 const Expr *DeallocExpr, const RefState *RS, 407 SymbolRef Sym, bool OwnershipTransferred) const; 408 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 409 const Expr *DeallocExpr, 410 const Expr *AllocExpr = nullptr) const; 411 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 412 SymbolRef Sym) const; 413 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 414 SymbolRef Sym, SymbolRef PrevSym) const; 415 416 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; 417 418 void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range, 419 SymbolRef Sym) const; 420 421 void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, 422 SourceRange Range, const Expr *FreeExpr) const; 423 424 /// Find the location of the allocation for Sym on the path leading to the 425 /// exploded node N. 426 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 427 CheckerContext &C) const; 428 429 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 430 431 /// The bug visitor which allows us to print extra diagnostics along the 432 /// BugReport path. For example, showing the allocation site of the leaked 433 /// region. 434 class MallocBugVisitor final : public BugReporterVisitor { 435 protected: 436 enum NotificationMode { 437 Normal, 438 ReallocationFailed 439 }; 440 441 // The allocated region symbol tracked by the main analysis. 442 SymbolRef Sym; 443 444 // The mode we are in, i.e. what kind of diagnostics will be emitted. 445 NotificationMode Mode; 446 447 // A symbol from when the primary region should have been reallocated. 448 SymbolRef FailedReallocSymbol; 449 450 // A C++ destructor stack frame in which memory was released. Used for 451 // miscellaneous false positive suppression. 452 const StackFrameContext *ReleaseDestructorLC; 453 454 bool IsLeak; 455 456 public: 457 MallocBugVisitor(SymbolRef S, bool isLeak = false) 458 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), 459 ReleaseDestructorLC(nullptr), IsLeak(isLeak) {} 460 461 static void *getTag() { 462 static int Tag = 0; 463 return &Tag; 464 } 465 466 void Profile(llvm::FoldingSetNodeID &ID) const override { 467 ID.AddPointer(getTag()); 468 ID.AddPointer(Sym); 469 } 470 471 inline bool isAllocated(const RefState *S, const RefState *SPrev, 472 const Stmt *Stmt) { 473 // Did not track -> allocated. Other state (released) -> allocated. 474 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 475 (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) && 476 (!SPrev || !(SPrev->isAllocated() || 477 SPrev->isAllocatedOfSizeZero()))); 478 } 479 480 inline bool isReleased(const RefState *S, const RefState *SPrev, 481 const Stmt *Stmt) { 482 // Did not track -> released. Other state (allocated) -> released. 483 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 484 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 485 } 486 487 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 488 const Stmt *Stmt) { 489 // Did not track -> relinquished. Other state (allocated) -> relinquished. 490 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 491 isa<ObjCPropertyRefExpr>(Stmt)) && 492 (S && S->isRelinquished()) && 493 (!SPrev || !SPrev->isRelinquished())); 494 } 495 496 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 497 const Stmt *Stmt) { 498 // If the expression is not a call, and the state change is 499 // released -> allocated, it must be the realloc return value 500 // check. If we have to handle more cases here, it might be cleaner just 501 // to track this extra bit in the state itself. 502 return ((!Stmt || !isa<CallExpr>(Stmt)) && 503 (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) && 504 (SPrev && !(SPrev->isAllocated() || 505 SPrev->isAllocatedOfSizeZero()))); 506 } 507 508 std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N, 509 const ExplodedNode *PrevN, 510 BugReporterContext &BRC, 511 BugReport &BR) override; 512 513 std::shared_ptr<PathDiagnosticPiece> 514 getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode, 515 BugReport &BR) override { 516 if (!IsLeak) 517 return nullptr; 518 519 PathDiagnosticLocation L = 520 PathDiagnosticLocation::createEndOfPath(EndPathNode, 521 BRC.getSourceManager()); 522 // Do not add the statement itself as a range in case of leak. 523 return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(), 524 false); 525 } 526 527 private: 528 class StackHintGeneratorForReallocationFailed 529 : public StackHintGeneratorForSymbol { 530 public: 531 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 532 : StackHintGeneratorForSymbol(S, M) {} 533 534 std::string getMessageForArg(const Expr *ArgE, 535 unsigned ArgIndex) override { 536 // Printed parameters start at 1, not 0. 537 ++ArgIndex; 538 539 SmallString<200> buf; 540 llvm::raw_svector_ostream os(buf); 541 542 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 543 << " parameter failed"; 544 545 return os.str(); 546 } 547 548 std::string getMessageForReturn(const CallExpr *CallExpr) override { 549 return "Reallocation of returned value failed"; 550 } 551 }; 552 }; 553 }; 554 } // end anonymous namespace 555 556 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 557 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 558 REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef) 559 560 // A map from the freed symbol to the symbol representing the return value of 561 // the free function. 562 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 563 564 namespace { 565 class StopTrackingCallback final : public SymbolVisitor { 566 ProgramStateRef state; 567 public: 568 StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {} 569 ProgramStateRef getState() const { return state; } 570 571 bool VisitSymbol(SymbolRef sym) override { 572 state = state->remove<RegionState>(sym); 573 return true; 574 } 575 }; 576 } // end anonymous namespace 577 578 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 579 if (II_malloc) 580 return; 581 II_alloca = &Ctx.Idents.get("alloca"); 582 II_malloc = &Ctx.Idents.get("malloc"); 583 II_free = &Ctx.Idents.get("free"); 584 II_realloc = &Ctx.Idents.get("realloc"); 585 II_reallocf = &Ctx.Idents.get("reallocf"); 586 II_calloc = &Ctx.Idents.get("calloc"); 587 II_valloc = &Ctx.Idents.get("valloc"); 588 II_strdup = &Ctx.Idents.get("strdup"); 589 II_strndup = &Ctx.Idents.get("strndup"); 590 II_wcsdup = &Ctx.Idents.get("wcsdup"); 591 II_kmalloc = &Ctx.Idents.get("kmalloc"); 592 II_if_nameindex = &Ctx.Idents.get("if_nameindex"); 593 II_if_freenameindex = &Ctx.Idents.get("if_freenameindex"); 594 595 //MSVC uses `_`-prefixed instead, so we check for them too. 596 II_win_strdup = &Ctx.Idents.get("_strdup"); 597 II_win_wcsdup = &Ctx.Idents.get("_wcsdup"); 598 II_win_alloca = &Ctx.Idents.get("_alloca"); 599 600 // Glib 601 II_g_malloc = &Ctx.Idents.get("g_malloc"); 602 II_g_malloc0 = &Ctx.Idents.get("g_malloc0"); 603 II_g_realloc = &Ctx.Idents.get("g_realloc"); 604 II_g_try_malloc = &Ctx.Idents.get("g_try_malloc"); 605 II_g_try_malloc0 = &Ctx.Idents.get("g_try_malloc0"); 606 II_g_try_realloc = &Ctx.Idents.get("g_try_realloc"); 607 II_g_free = &Ctx.Idents.get("g_free"); 608 II_g_memdup = &Ctx.Idents.get("g_memdup"); 609 II_g_malloc_n = &Ctx.Idents.get("g_malloc_n"); 610 II_g_malloc0_n = &Ctx.Idents.get("g_malloc0_n"); 611 II_g_realloc_n = &Ctx.Idents.get("g_realloc_n"); 612 II_g_try_malloc_n = &Ctx.Idents.get("g_try_malloc_n"); 613 II_g_try_malloc0_n = &Ctx.Idents.get("g_try_malloc0_n"); 614 II_g_try_realloc_n = &Ctx.Idents.get("g_try_realloc_n"); 615 } 616 617 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 618 if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any)) 619 return true; 620 621 if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 622 return true; 623 624 if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any)) 625 return true; 626 627 if (isStandardNewDelete(FD, C)) 628 return true; 629 630 return false; 631 } 632 633 bool MallocChecker::isCMemFunction(const FunctionDecl *FD, 634 ASTContext &C, 635 AllocationFamily Family, 636 MemoryOperationKind MemKind) const { 637 if (!FD) 638 return false; 639 640 bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any || 641 MemKind == MemoryOperationKind::MOK_Free); 642 bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any || 643 MemKind == MemoryOperationKind::MOK_Allocate); 644 645 if (FD->getKind() == Decl::Function) { 646 const IdentifierInfo *FunI = FD->getIdentifier(); 647 initIdentifierInfo(C); 648 649 if (Family == AF_Malloc && CheckFree) { 650 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf || 651 FunI == II_g_free) 652 return true; 653 } 654 655 if (Family == AF_Malloc && CheckAlloc) { 656 if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf || 657 FunI == II_calloc || FunI == II_valloc || FunI == II_strdup || 658 FunI == II_win_strdup || FunI == II_strndup || FunI == II_wcsdup || 659 FunI == II_win_wcsdup || FunI == II_kmalloc || 660 FunI == II_g_malloc || FunI == II_g_malloc0 || 661 FunI == II_g_realloc || FunI == II_g_try_malloc || 662 FunI == II_g_try_malloc0 || FunI == II_g_try_realloc || 663 FunI == II_g_memdup || FunI == II_g_malloc_n || 664 FunI == II_g_malloc0_n || FunI == II_g_realloc_n || 665 FunI == II_g_try_malloc_n || FunI == II_g_try_malloc0_n || 666 FunI == II_g_try_realloc_n) 667 return true; 668 } 669 670 if (Family == AF_IfNameIndex && CheckFree) { 671 if (FunI == II_if_freenameindex) 672 return true; 673 } 674 675 if (Family == AF_IfNameIndex && CheckAlloc) { 676 if (FunI == II_if_nameindex) 677 return true; 678 } 679 680 if (Family == AF_Alloca && CheckAlloc) { 681 if (FunI == II_alloca || FunI == II_win_alloca) 682 return true; 683 } 684 } 685 686 if (Family != AF_Malloc) 687 return false; 688 689 if (IsOptimistic && FD->hasAttrs()) { 690 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 691 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); 692 if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) { 693 if (CheckFree) 694 return true; 695 } else if (OwnKind == OwnershipAttr::Returns) { 696 if (CheckAlloc) 697 return true; 698 } 699 } 700 } 701 702 return false; 703 } 704 705 // Tells if the callee is one of the following: 706 // 1) A global non-placement new/delete operator function. 707 // 2) A global placement operator function with the single placement argument 708 // of type std::nothrow_t. 709 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 710 ASTContext &C) const { 711 if (!FD) 712 return false; 713 714 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 715 if (Kind != OO_New && Kind != OO_Array_New && 716 Kind != OO_Delete && Kind != OO_Array_Delete) 717 return false; 718 719 // Skip all operator new/delete methods. 720 if (isa<CXXMethodDecl>(FD)) 721 return false; 722 723 // Return true if tested operator is a standard placement nothrow operator. 724 if (FD->getNumParams() == 2) { 725 QualType T = FD->getParamDecl(1)->getType(); 726 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 727 return II->getName().equals("nothrow_t"); 728 } 729 730 // Skip placement operators. 731 if (FD->getNumParams() != 1 || FD->isVariadic()) 732 return false; 733 734 // One of the standard new/new[]/delete/delete[] non-placement operators. 735 return true; 736 } 737 738 llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc( 739 const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const { 740 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: 741 // 742 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); 743 // 744 // One of the possible flags is M_ZERO, which means 'give me back an 745 // allocation which is already zeroed', like calloc. 746 747 // 2-argument kmalloc(), as used in the Linux kernel: 748 // 749 // void *kmalloc(size_t size, gfp_t flags); 750 // 751 // Has the similar flag value __GFP_ZERO. 752 753 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some 754 // code could be shared. 755 756 ASTContext &Ctx = C.getASTContext(); 757 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); 758 759 if (!KernelZeroFlagVal.hasValue()) { 760 if (OS == llvm::Triple::FreeBSD) 761 KernelZeroFlagVal = 0x0100; 762 else if (OS == llvm::Triple::NetBSD) 763 KernelZeroFlagVal = 0x0002; 764 else if (OS == llvm::Triple::OpenBSD) 765 KernelZeroFlagVal = 0x0008; 766 else if (OS == llvm::Triple::Linux) 767 // __GFP_ZERO 768 KernelZeroFlagVal = 0x8000; 769 else 770 // FIXME: We need a more general way of getting the M_ZERO value. 771 // See also: O_CREAT in UnixAPIChecker.cpp. 772 773 // Fall back to normal malloc behavior on platforms where we don't 774 // know M_ZERO. 775 return None; 776 } 777 778 // We treat the last argument as the flags argument, and callers fall-back to 779 // normal malloc on a None return. This works for the FreeBSD kernel malloc 780 // as well as Linux kmalloc. 781 if (CE->getNumArgs() < 2) 782 return None; 783 784 const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1); 785 const SVal V = C.getSVal(FlagsEx); 786 if (!V.getAs<NonLoc>()) { 787 // The case where 'V' can be a location can only be due to a bad header, 788 // so in this case bail out. 789 return None; 790 } 791 792 NonLoc Flags = V.castAs<NonLoc>(); 793 NonLoc ZeroFlag = C.getSValBuilder() 794 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) 795 .castAs<NonLoc>(); 796 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, 797 Flags, ZeroFlag, 798 FlagsEx->getType()); 799 if (MaskedFlagsUC.isUnknownOrUndef()) 800 return None; 801 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); 802 803 // Check if maskedFlags is non-zero. 804 ProgramStateRef TrueState, FalseState; 805 std::tie(TrueState, FalseState) = State->assume(MaskedFlags); 806 807 // If M_ZERO is set, treat this like calloc (initialized). 808 if (TrueState && !FalseState) { 809 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); 810 return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState); 811 } 812 813 return None; 814 } 815 816 SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, 817 const Expr *BlockBytes) { 818 SValBuilder &SB = C.getSValBuilder(); 819 SVal BlocksVal = C.getSVal(Blocks); 820 SVal BlockBytesVal = C.getSVal(BlockBytes); 821 ProgramStateRef State = C.getState(); 822 SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal, 823 SB.getContext().getSizeType()); 824 return TotalSize; 825 } 826 827 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 828 if (C.wasInlined) 829 return; 830 831 const FunctionDecl *FD = C.getCalleeDecl(CE); 832 if (!FD) 833 return; 834 835 ProgramStateRef State = C.getState(); 836 bool ReleasedAllocatedMemory = false; 837 838 if (FD->getKind() == Decl::Function) { 839 initIdentifierInfo(C.getASTContext()); 840 IdentifierInfo *FunI = FD->getIdentifier(); 841 842 if (FunI == II_malloc || FunI == II_g_malloc || FunI == II_g_try_malloc) { 843 if (CE->getNumArgs() < 1) 844 return; 845 if (CE->getNumArgs() < 3) { 846 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 847 if (CE->getNumArgs() == 1) 848 State = ProcessZeroAllocation(C, CE, 0, State); 849 } else if (CE->getNumArgs() == 3) { 850 llvm::Optional<ProgramStateRef> MaybeState = 851 performKernelMalloc(CE, C, State); 852 if (MaybeState.hasValue()) 853 State = MaybeState.getValue(); 854 else 855 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 856 } 857 } else if (FunI == II_kmalloc) { 858 if (CE->getNumArgs() < 1) 859 return; 860 llvm::Optional<ProgramStateRef> MaybeState = 861 performKernelMalloc(CE, C, State); 862 if (MaybeState.hasValue()) 863 State = MaybeState.getValue(); 864 else 865 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 866 } else if (FunI == II_valloc) { 867 if (CE->getNumArgs() < 1) 868 return; 869 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 870 State = ProcessZeroAllocation(C, CE, 0, State); 871 } else if (FunI == II_realloc || FunI == II_g_realloc || 872 FunI == II_g_try_realloc) { 873 State = ReallocMemAux(C, CE, false, State); 874 State = ProcessZeroAllocation(C, CE, 1, State); 875 } else if (FunI == II_reallocf) { 876 State = ReallocMemAux(C, CE, true, State); 877 State = ProcessZeroAllocation(C, CE, 1, State); 878 } else if (FunI == II_calloc) { 879 State = CallocMem(C, CE, State); 880 State = ProcessZeroAllocation(C, CE, 0, State); 881 State = ProcessZeroAllocation(C, CE, 1, State); 882 } else if (FunI == II_free || FunI == II_g_free) { 883 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 884 } else if (FunI == II_strdup || FunI == II_win_strdup || 885 FunI == II_wcsdup || FunI == II_win_wcsdup) { 886 State = MallocUpdateRefState(C, CE, State); 887 } else if (FunI == II_strndup) { 888 State = MallocUpdateRefState(C, CE, State); 889 } else if (FunI == II_alloca || FunI == II_win_alloca) { 890 if (CE->getNumArgs() < 1) 891 return; 892 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 893 AF_Alloca); 894 State = ProcessZeroAllocation(C, CE, 0, State); 895 } else if (isStandardNewDelete(FD, C.getASTContext())) { 896 // Process direct calls to operator new/new[]/delete/delete[] functions 897 // as distinct from new/new[]/delete/delete[] expressions that are 898 // processed by the checkPostStmt callbacks for CXXNewExpr and 899 // CXXDeleteExpr. 900 OverloadedOperatorKind K = FD->getOverloadedOperator(); 901 if (K == OO_New) { 902 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 903 AF_CXXNew); 904 State = ProcessZeroAllocation(C, CE, 0, State); 905 } 906 else if (K == OO_Array_New) { 907 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 908 AF_CXXNewArray); 909 State = ProcessZeroAllocation(C, CE, 0, State); 910 } 911 else if (K == OO_Delete || K == OO_Array_Delete) 912 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 913 else 914 llvm_unreachable("not a new/delete operator"); 915 } else if (FunI == II_if_nameindex) { 916 // Should we model this differently? We can allocate a fixed number of 917 // elements with zeros in the last one. 918 State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, 919 AF_IfNameIndex); 920 } else if (FunI == II_if_freenameindex) { 921 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 922 } else if (FunI == II_g_malloc0 || FunI == II_g_try_malloc0) { 923 if (CE->getNumArgs() < 1) 924 return; 925 SValBuilder &svalBuilder = C.getSValBuilder(); 926 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 927 State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State); 928 State = ProcessZeroAllocation(C, CE, 0, State); 929 } else if (FunI == II_g_memdup) { 930 if (CE->getNumArgs() < 2) 931 return; 932 State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State); 933 State = ProcessZeroAllocation(C, CE, 1, State); 934 } else if (FunI == II_g_malloc_n || FunI == II_g_try_malloc_n || 935 FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) { 936 if (CE->getNumArgs() < 2) 937 return; 938 SVal Init = UndefinedVal(); 939 if (FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) { 940 SValBuilder &SB = C.getSValBuilder(); 941 Init = SB.makeZeroVal(SB.getContext().CharTy); 942 } 943 SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); 944 State = MallocMemAux(C, CE, TotalSize, Init, State); 945 State = ProcessZeroAllocation(C, CE, 0, State); 946 State = ProcessZeroAllocation(C, CE, 1, State); 947 } else if (FunI == II_g_realloc_n || FunI == II_g_try_realloc_n) { 948 if (CE->getNumArgs() < 3) 949 return; 950 State = ReallocMemAux(C, CE, false, State, true); 951 State = ProcessZeroAllocation(C, CE, 1, State); 952 State = ProcessZeroAllocation(C, CE, 2, State); 953 } 954 } 955 956 if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) { 957 // Check all the attributes, if there are any. 958 // There can be multiple of these attributes. 959 if (FD->hasAttrs()) 960 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { 961 switch (I->getOwnKind()) { 962 case OwnershipAttr::Returns: 963 State = MallocMemReturnsAttr(C, CE, I, State); 964 break; 965 case OwnershipAttr::Takes: 966 case OwnershipAttr::Holds: 967 State = FreeMemAttr(C, CE, I, State); 968 break; 969 } 970 } 971 } 972 C.addTransition(State); 973 } 974 975 // Performs a 0-sized allocations check. 976 ProgramStateRef MallocChecker::ProcessZeroAllocation( 977 CheckerContext &C, const Expr *E, const unsigned AllocationSizeArg, 978 ProgramStateRef State, Optional<SVal> RetVal) const { 979 if (!State) 980 return nullptr; 981 982 if (!RetVal) 983 RetVal = C.getSVal(E); 984 985 const Expr *Arg = nullptr; 986 987 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 988 Arg = CE->getArg(AllocationSizeArg); 989 } 990 else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 991 if (NE->isArray()) 992 Arg = NE->getArraySize(); 993 else 994 return State; 995 } 996 else 997 llvm_unreachable("not a CallExpr or CXXNewExpr"); 998 999 assert(Arg); 1000 1001 Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>(); 1002 1003 if (!DefArgVal) 1004 return State; 1005 1006 // Check if the allocation size is 0. 1007 ProgramStateRef TrueState, FalseState; 1008 SValBuilder &SvalBuilder = C.getSValBuilder(); 1009 DefinedSVal Zero = 1010 SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>(); 1011 1012 std::tie(TrueState, FalseState) = 1013 State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero)); 1014 1015 if (TrueState && !FalseState) { 1016 SymbolRef Sym = RetVal->getAsLocSymbol(); 1017 if (!Sym) 1018 return State; 1019 1020 const RefState *RS = State->get<RegionState>(Sym); 1021 if (RS) { 1022 if (RS->isAllocated()) 1023 return TrueState->set<RegionState>(Sym, 1024 RefState::getAllocatedOfSizeZero(RS)); 1025 else 1026 return State; 1027 } else { 1028 // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as 1029 // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not 1030 // tracked. Add zero-reallocated Sym to the state to catch references 1031 // to zero-allocated memory. 1032 return TrueState->add<ReallocSizeZeroSymbols>(Sym); 1033 } 1034 } 1035 1036 // Assume the value is non-zero going forward. 1037 assert(FalseState); 1038 return FalseState; 1039 } 1040 1041 static QualType getDeepPointeeType(QualType T) { 1042 QualType Result = T, PointeeType = T->getPointeeType(); 1043 while (!PointeeType.isNull()) { 1044 Result = PointeeType; 1045 PointeeType = PointeeType->getPointeeType(); 1046 } 1047 return Result; 1048 } 1049 1050 static bool treatUnusedNewEscaped(const CXXNewExpr *NE) { 1051 1052 const CXXConstructExpr *ConstructE = NE->getConstructExpr(); 1053 if (!ConstructE) 1054 return false; 1055 1056 if (!NE->getAllocatedType()->getAsCXXRecordDecl()) 1057 return false; 1058 1059 const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); 1060 1061 // Iterate over the constructor parameters. 1062 for (const auto *CtorParam : CtorD->parameters()) { 1063 1064 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); 1065 if (CtorParamPointeeT.isNull()) 1066 continue; 1067 1068 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); 1069 1070 if (CtorParamPointeeT->getAsCXXRecordDecl()) 1071 return true; 1072 } 1073 1074 return false; 1075 } 1076 1077 void MallocChecker::processNewAllocation(const CXXNewExpr *NE, 1078 CheckerContext &C, 1079 SVal Target) const { 1080 if (NE->getNumPlacementArgs()) 1081 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 1082 E = NE->placement_arg_end(); I != E; ++I) 1083 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 1084 checkUseAfterFree(Sym, C, *I); 1085 1086 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 1087 return; 1088 1089 ParentMap &PM = C.getLocationContext()->getParentMap(); 1090 if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE)) 1091 return; 1092 1093 ProgramStateRef State = C.getState(); 1094 // The return value from operator new is bound to a specified initialization 1095 // value (if any) and we don't want to loose this value. So we call 1096 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 1097 // existing binding. 1098 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 1099 : AF_CXXNew, Target); 1100 State = addExtentSize(C, NE, State, Target); 1101 State = ProcessZeroAllocation(C, NE, 0, State, Target); 1102 C.addTransition(State); 1103 } 1104 1105 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 1106 CheckerContext &C) const { 1107 if (!C.getAnalysisManager().getAnalyzerOptions().mayInlineCXXAllocator()) 1108 processNewAllocation(NE, C, C.getSVal(NE)); 1109 } 1110 1111 void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target, 1112 CheckerContext &C) const { 1113 if (!C.wasInlined) 1114 processNewAllocation(NE, C, Target); 1115 } 1116 1117 // Sets the extent value of the MemRegion allocated by 1118 // new expression NE to its size in Bytes. 1119 // 1120 ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C, 1121 const CXXNewExpr *NE, 1122 ProgramStateRef State, 1123 SVal Target) { 1124 if (!State) 1125 return nullptr; 1126 SValBuilder &svalBuilder = C.getSValBuilder(); 1127 SVal ElementCount; 1128 const SubRegion *Region; 1129 if (NE->isArray()) { 1130 const Expr *SizeExpr = NE->getArraySize(); 1131 ElementCount = C.getSVal(SizeExpr); 1132 // Store the extent size for the (symbolic)region 1133 // containing the elements. 1134 Region = Target.getAsRegion() 1135 ->getAs<SubRegion>() 1136 ->StripCasts() 1137 ->getAs<SubRegion>(); 1138 } else { 1139 ElementCount = svalBuilder.makeIntVal(1, true); 1140 Region = Target.getAsRegion()->getAs<SubRegion>(); 1141 } 1142 assert(Region); 1143 1144 // Set the region's extent equal to the Size in Bytes. 1145 QualType ElementType = NE->getAllocatedType(); 1146 ASTContext &AstContext = C.getASTContext(); 1147 CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType); 1148 1149 if (ElementCount.getAs<NonLoc>()) { 1150 DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder); 1151 // size in Bytes = ElementCount*TypeSize 1152 SVal SizeInBytes = svalBuilder.evalBinOpNN( 1153 State, BO_Mul, ElementCount.castAs<NonLoc>(), 1154 svalBuilder.makeArrayIndex(TypeSize.getQuantity()), 1155 svalBuilder.getArrayIndexType()); 1156 DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ( 1157 State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>()); 1158 State = State->assume(extentMatchesSize, true); 1159 } 1160 return State; 1161 } 1162 1163 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 1164 CheckerContext &C) const { 1165 1166 if (!ChecksEnabled[CK_NewDeleteChecker]) 1167 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 1168 checkUseAfterFree(Sym, C, DE->getArgument()); 1169 1170 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 1171 return; 1172 1173 ProgramStateRef State = C.getState(); 1174 bool ReleasedAllocated; 1175 State = FreeMemAux(C, DE->getArgument(), DE, State, 1176 /*Hold*/false, ReleasedAllocated); 1177 1178 C.addTransition(State); 1179 } 1180 1181 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 1182 // If the first selector piece is one of the names below, assume that the 1183 // object takes ownership of the memory, promising to eventually deallocate it 1184 // with free(). 1185 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1186 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 1187 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 1188 return FirstSlot == "dataWithBytesNoCopy" || 1189 FirstSlot == "initWithBytesNoCopy" || 1190 FirstSlot == "initWithCharactersNoCopy"; 1191 } 1192 1193 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 1194 Selector S = Call.getSelector(); 1195 1196 // FIXME: We should not rely on fully-constrained symbols being folded. 1197 for (unsigned i = 1; i < S.getNumArgs(); ++i) 1198 if (S.getNameForSlot(i).equals("freeWhenDone")) 1199 return !Call.getArgSVal(i).isZeroConstant(); 1200 1201 return None; 1202 } 1203 1204 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 1205 CheckerContext &C) const { 1206 if (C.wasInlined) 1207 return; 1208 1209 if (!isKnownDeallocObjCMethodName(Call)) 1210 return; 1211 1212 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 1213 if (!*FreeWhenDone) 1214 return; 1215 1216 bool ReleasedAllocatedMemory; 1217 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 1218 Call.getOriginExpr(), C.getState(), 1219 /*Hold=*/true, ReleasedAllocatedMemory, 1220 /*RetNullOnFailure=*/true); 1221 1222 C.addTransition(State); 1223 } 1224 1225 ProgramStateRef 1226 MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, 1227 const OwnershipAttr *Att, 1228 ProgramStateRef State) const { 1229 if (!State) 1230 return nullptr; 1231 1232 if (Att->getModule() != II_malloc) 1233 return nullptr; 1234 1235 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 1236 if (I != E) { 1237 return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(), 1238 State); 1239 } 1240 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State); 1241 } 1242 1243 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1244 const CallExpr *CE, 1245 const Expr *SizeEx, SVal Init, 1246 ProgramStateRef State, 1247 AllocationFamily Family) { 1248 if (!State) 1249 return nullptr; 1250 1251 return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family); 1252 } 1253 1254 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 1255 const CallExpr *CE, 1256 SVal Size, SVal Init, 1257 ProgramStateRef State, 1258 AllocationFamily Family) { 1259 if (!State) 1260 return nullptr; 1261 1262 // We expect the malloc functions to return a pointer. 1263 if (!Loc::isLocType(CE->getType())) 1264 return nullptr; 1265 1266 // Bind the return value to the symbolic value from the heap region. 1267 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 1268 // side effects other than what we model here. 1269 unsigned Count = C.blockCount(); 1270 SValBuilder &svalBuilder = C.getSValBuilder(); 1271 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 1272 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 1273 .castAs<DefinedSVal>(); 1274 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 1275 1276 // Fill the region with the initialization value. 1277 State = State->bindDefaultInitial(RetVal, Init, LCtx); 1278 1279 // Set the region's extent equal to the Size parameter. 1280 const SymbolicRegion *R = 1281 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 1282 if (!R) 1283 return nullptr; 1284 if (Optional<DefinedOrUnknownSVal> DefinedSize = 1285 Size.getAs<DefinedOrUnknownSVal>()) { 1286 SValBuilder &svalBuilder = C.getSValBuilder(); 1287 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 1288 DefinedOrUnknownSVal extentMatchesSize = 1289 svalBuilder.evalEQ(State, Extent, *DefinedSize); 1290 1291 State = State->assume(extentMatchesSize, true); 1292 assert(State); 1293 } 1294 1295 return MallocUpdateRefState(C, CE, State, Family); 1296 } 1297 1298 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 1299 const Expr *E, 1300 ProgramStateRef State, 1301 AllocationFamily Family, 1302 Optional<SVal> RetVal) { 1303 if (!State) 1304 return nullptr; 1305 1306 // Get the return value. 1307 if (!RetVal) 1308 RetVal = C.getSVal(E); 1309 1310 // We expect the malloc functions to return a pointer. 1311 if (!RetVal->getAs<Loc>()) 1312 return nullptr; 1313 1314 SymbolRef Sym = RetVal->getAsLocSymbol(); 1315 // This is a return value of a function that was not inlined, such as malloc() 1316 // or new(). We've checked that in the caller. Therefore, it must be a symbol. 1317 assert(Sym); 1318 1319 // Set the symbol's state to Allocated. 1320 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 1321 } 1322 1323 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 1324 const CallExpr *CE, 1325 const OwnershipAttr *Att, 1326 ProgramStateRef State) const { 1327 if (!State) 1328 return nullptr; 1329 1330 if (Att->getModule() != II_malloc) 1331 return nullptr; 1332 1333 bool ReleasedAllocated = false; 1334 1335 for (const auto &Arg : Att->args()) { 1336 ProgramStateRef StateI = FreeMemAux( 1337 C, CE, State, Arg.getASTIndex(), 1338 Att->getOwnKind() == OwnershipAttr::Holds, ReleasedAllocated); 1339 if (StateI) 1340 State = StateI; 1341 } 1342 return State; 1343 } 1344 1345 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1346 const CallExpr *CE, 1347 ProgramStateRef State, 1348 unsigned Num, 1349 bool Hold, 1350 bool &ReleasedAllocated, 1351 bool ReturnsNullOnFailure) const { 1352 if (!State) 1353 return nullptr; 1354 1355 if (CE->getNumArgs() < (Num + 1)) 1356 return nullptr; 1357 1358 return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, 1359 ReleasedAllocated, ReturnsNullOnFailure); 1360 } 1361 1362 /// Checks if the previous call to free on the given symbol failed - if free 1363 /// failed, returns true. Also, returns the corresponding return value symbol. 1364 static bool didPreviousFreeFail(ProgramStateRef State, 1365 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 1366 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 1367 if (Ret) { 1368 assert(*Ret && "We should not store the null return symbol"); 1369 ConstraintManager &CMgr = State->getConstraintManager(); 1370 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 1371 RetStatusSymbol = *Ret; 1372 return FreeFailed.isConstrainedTrue(); 1373 } 1374 return false; 1375 } 1376 1377 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 1378 const Stmt *S) const { 1379 if (!S) 1380 return AF_None; 1381 1382 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 1383 const FunctionDecl *FD = C.getCalleeDecl(CE); 1384 1385 if (!FD) 1386 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 1387 1388 ASTContext &Ctx = C.getASTContext(); 1389 1390 if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any)) 1391 return AF_Malloc; 1392 1393 if (isStandardNewDelete(FD, Ctx)) { 1394 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 1395 if (Kind == OO_New || Kind == OO_Delete) 1396 return AF_CXXNew; 1397 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 1398 return AF_CXXNewArray; 1399 } 1400 1401 if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) 1402 return AF_IfNameIndex; 1403 1404 if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any)) 1405 return AF_Alloca; 1406 1407 return AF_None; 1408 } 1409 1410 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 1411 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 1412 1413 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 1414 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 1415 1416 if (isa<ObjCMessageExpr>(S)) 1417 return AF_Malloc; 1418 1419 return AF_None; 1420 } 1421 1422 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 1423 const Expr *E) const { 1424 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 1425 // FIXME: This doesn't handle indirect calls. 1426 const FunctionDecl *FD = CE->getDirectCallee(); 1427 if (!FD) 1428 return false; 1429 1430 os << *FD; 1431 if (!FD->isOverloadedOperator()) 1432 os << "()"; 1433 return true; 1434 } 1435 1436 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 1437 if (Msg->isInstanceMessage()) 1438 os << "-"; 1439 else 1440 os << "+"; 1441 Msg->getSelector().print(os); 1442 return true; 1443 } 1444 1445 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 1446 os << "'" 1447 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 1448 << "'"; 1449 return true; 1450 } 1451 1452 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 1453 os << "'" 1454 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 1455 << "'"; 1456 return true; 1457 } 1458 1459 return false; 1460 } 1461 1462 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 1463 const Expr *E) const { 1464 AllocationFamily Family = getAllocationFamily(C, E); 1465 1466 switch(Family) { 1467 case AF_Malloc: os << "malloc()"; return; 1468 case AF_CXXNew: os << "'new'"; return; 1469 case AF_CXXNewArray: os << "'new[]'"; return; 1470 case AF_IfNameIndex: os << "'if_nameindex()'"; return; 1471 case AF_InternalBuffer: os << "container-specific allocator"; return; 1472 case AF_Alloca: 1473 case AF_None: llvm_unreachable("not a deallocation expression"); 1474 } 1475 } 1476 1477 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 1478 AllocationFamily Family) const { 1479 switch(Family) { 1480 case AF_Malloc: os << "free()"; return; 1481 case AF_CXXNew: os << "'delete'"; return; 1482 case AF_CXXNewArray: os << "'delete[]'"; return; 1483 case AF_IfNameIndex: os << "'if_freenameindex()'"; return; 1484 case AF_InternalBuffer: os << "container-specific deallocator"; return; 1485 case AF_Alloca: 1486 case AF_None: llvm_unreachable("suspicious argument"); 1487 } 1488 } 1489 1490 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 1491 const Expr *ArgExpr, 1492 const Expr *ParentExpr, 1493 ProgramStateRef State, 1494 bool Hold, 1495 bool &ReleasedAllocated, 1496 bool ReturnsNullOnFailure) const { 1497 1498 if (!State) 1499 return nullptr; 1500 1501 SVal ArgVal = C.getSVal(ArgExpr); 1502 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 1503 return nullptr; 1504 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 1505 1506 // Check for null dereferences. 1507 if (!location.getAs<Loc>()) 1508 return nullptr; 1509 1510 // The explicit NULL case, no operation is performed. 1511 ProgramStateRef notNullState, nullState; 1512 std::tie(notNullState, nullState) = State->assume(location); 1513 if (nullState && !notNullState) 1514 return nullptr; 1515 1516 // Unknown values could easily be okay 1517 // Undefined values are handled elsewhere 1518 if (ArgVal.isUnknownOrUndef()) 1519 return nullptr; 1520 1521 const MemRegion *R = ArgVal.getAsRegion(); 1522 1523 // Nonlocs can't be freed, of course. 1524 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 1525 if (!R) { 1526 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1527 return nullptr; 1528 } 1529 1530 R = R->StripCasts(); 1531 1532 // Blocks might show up as heap data, but should not be free()d 1533 if (isa<BlockDataRegion>(R)) { 1534 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1535 return nullptr; 1536 } 1537 1538 const MemSpaceRegion *MS = R->getMemorySpace(); 1539 1540 // Parameters, locals, statics, globals, and memory returned by 1541 // __builtin_alloca() shouldn't be freed. 1542 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1543 // FIXME: at the time this code was written, malloc() regions were 1544 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1545 // This means that there isn't actually anything from HeapSpaceRegion 1546 // that should be freed, even though we allow it here. 1547 // Of course, free() can work on memory allocated outside the current 1548 // function, so UnknownSpaceRegion is always a possibility. 1549 // False negatives are better than false positives. 1550 1551 if (isa<AllocaRegion>(R)) 1552 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1553 else 1554 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1555 1556 return nullptr; 1557 } 1558 1559 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1560 // Various cases could lead to non-symbol values here. 1561 // For now, ignore them. 1562 if (!SrBase) 1563 return nullptr; 1564 1565 SymbolRef SymBase = SrBase->getSymbol(); 1566 const RefState *RsBase = State->get<RegionState>(SymBase); 1567 SymbolRef PreviousRetStatusSymbol = nullptr; 1568 1569 if (RsBase) { 1570 1571 // Memory returned by alloca() shouldn't be freed. 1572 if (RsBase->getAllocationFamily() == AF_Alloca) { 1573 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); 1574 return nullptr; 1575 } 1576 1577 // Check for double free first. 1578 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1579 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1580 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1581 SymBase, PreviousRetStatusSymbol); 1582 return nullptr; 1583 1584 // If the pointer is allocated or escaped, but we are now trying to free it, 1585 // check that the call to free is proper. 1586 } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() || 1587 RsBase->isEscaped()) { 1588 1589 // Check if an expected deallocation function matches the real one. 1590 bool DeallocMatchesAlloc = 1591 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1592 if (!DeallocMatchesAlloc) { 1593 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1594 ParentExpr, RsBase, SymBase, Hold); 1595 return nullptr; 1596 } 1597 1598 // Check if the memory location being freed is the actual location 1599 // allocated, or an offset. 1600 RegionOffset Offset = R->getAsOffset(); 1601 if (Offset.isValid() && 1602 !Offset.hasSymbolicOffset() && 1603 Offset.getOffset() != 0) { 1604 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1605 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1606 AllocExpr); 1607 return nullptr; 1608 } 1609 } 1610 } 1611 1612 if (SymBase->getType()->isFunctionPointerType()) { 1613 ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1614 return nullptr; 1615 } 1616 1617 ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() || 1618 RsBase->isAllocatedOfSizeZero()); 1619 1620 // Clean out the info on previous call to free return info. 1621 State = State->remove<FreeReturnValue>(SymBase); 1622 1623 // Keep track of the return value. If it is NULL, we will know that free 1624 // failed. 1625 if (ReturnsNullOnFailure) { 1626 SVal RetVal = C.getSVal(ParentExpr); 1627 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1628 if (RetStatusSymbol) { 1629 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1630 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1631 } 1632 } 1633 1634 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() 1635 : getAllocationFamily(C, ParentExpr); 1636 // Normal free. 1637 if (Hold) 1638 return State->set<RegionState>(SymBase, 1639 RefState::getRelinquished(Family, 1640 ParentExpr)); 1641 1642 return State->set<RegionState>(SymBase, 1643 RefState::getReleased(Family, ParentExpr)); 1644 } 1645 1646 Optional<MallocChecker::CheckKind> 1647 MallocChecker::getCheckIfTracked(AllocationFamily Family, 1648 bool IsALeakCheck) const { 1649 switch (Family) { 1650 case AF_Malloc: 1651 case AF_Alloca: 1652 case AF_IfNameIndex: { 1653 if (ChecksEnabled[CK_MallocChecker]) 1654 return CK_MallocChecker; 1655 1656 return Optional<MallocChecker::CheckKind>(); 1657 } 1658 case AF_CXXNew: 1659 case AF_CXXNewArray: 1660 // FIXME: Add new CheckKind for AF_InternalBuffer. 1661 case AF_InternalBuffer: { 1662 if (IsALeakCheck) { 1663 if (ChecksEnabled[CK_NewDeleteLeaksChecker]) 1664 return CK_NewDeleteLeaksChecker; 1665 } 1666 else { 1667 if (ChecksEnabled[CK_NewDeleteChecker]) 1668 return CK_NewDeleteChecker; 1669 } 1670 return Optional<MallocChecker::CheckKind>(); 1671 } 1672 case AF_None: { 1673 llvm_unreachable("no family"); 1674 } 1675 } 1676 llvm_unreachable("unhandled family"); 1677 } 1678 1679 Optional<MallocChecker::CheckKind> 1680 MallocChecker::getCheckIfTracked(CheckerContext &C, 1681 const Stmt *AllocDeallocStmt, 1682 bool IsALeakCheck) const { 1683 return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt), 1684 IsALeakCheck); 1685 } 1686 1687 Optional<MallocChecker::CheckKind> 1688 MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym, 1689 bool IsALeakCheck) const { 1690 if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) 1691 return CK_MallocChecker; 1692 1693 const RefState *RS = C.getState()->get<RegionState>(Sym); 1694 assert(RS); 1695 return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck); 1696 } 1697 1698 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1699 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1700 os << "an integer (" << IntVal->getValue() << ")"; 1701 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1702 os << "a constant address (" << ConstAddr->getValue() << ")"; 1703 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1704 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1705 else 1706 return false; 1707 1708 return true; 1709 } 1710 1711 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1712 const MemRegion *MR) { 1713 switch (MR->getKind()) { 1714 case MemRegion::FunctionCodeRegionKind: { 1715 const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl(); 1716 if (FD) 1717 os << "the address of the function '" << *FD << '\''; 1718 else 1719 os << "the address of a function"; 1720 return true; 1721 } 1722 case MemRegion::BlockCodeRegionKind: 1723 os << "block text"; 1724 return true; 1725 case MemRegion::BlockDataRegionKind: 1726 // FIXME: where the block came from? 1727 os << "a block"; 1728 return true; 1729 default: { 1730 const MemSpaceRegion *MS = MR->getMemorySpace(); 1731 1732 if (isa<StackLocalsSpaceRegion>(MS)) { 1733 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1734 const VarDecl *VD; 1735 if (VR) 1736 VD = VR->getDecl(); 1737 else 1738 VD = nullptr; 1739 1740 if (VD) 1741 os << "the address of the local variable '" << VD->getName() << "'"; 1742 else 1743 os << "the address of a local stack variable"; 1744 return true; 1745 } 1746 1747 if (isa<StackArgumentsSpaceRegion>(MS)) { 1748 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1749 const VarDecl *VD; 1750 if (VR) 1751 VD = VR->getDecl(); 1752 else 1753 VD = nullptr; 1754 1755 if (VD) 1756 os << "the address of the parameter '" << VD->getName() << "'"; 1757 else 1758 os << "the address of a parameter"; 1759 return true; 1760 } 1761 1762 if (isa<GlobalsSpaceRegion>(MS)) { 1763 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1764 const VarDecl *VD; 1765 if (VR) 1766 VD = VR->getDecl(); 1767 else 1768 VD = nullptr; 1769 1770 if (VD) { 1771 if (VD->isStaticLocal()) 1772 os << "the address of the static variable '" << VD->getName() << "'"; 1773 else 1774 os << "the address of the global variable '" << VD->getName() << "'"; 1775 } else 1776 os << "the address of a global variable"; 1777 return true; 1778 } 1779 1780 return false; 1781 } 1782 } 1783 } 1784 1785 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1786 SourceRange Range, 1787 const Expr *DeallocExpr) const { 1788 1789 if (!ChecksEnabled[CK_MallocChecker] && 1790 !ChecksEnabled[CK_NewDeleteChecker]) 1791 return; 1792 1793 Optional<MallocChecker::CheckKind> CheckKind = 1794 getCheckIfTracked(C, DeallocExpr); 1795 if (!CheckKind.hasValue()) 1796 return; 1797 1798 if (ExplodedNode *N = C.generateErrorNode()) { 1799 if (!BT_BadFree[*CheckKind]) 1800 BT_BadFree[*CheckKind].reset(new BugType( 1801 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 1802 1803 SmallString<100> buf; 1804 llvm::raw_svector_ostream os(buf); 1805 1806 const MemRegion *MR = ArgVal.getAsRegion(); 1807 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1808 MR = ER->getSuperRegion(); 1809 1810 os << "Argument to "; 1811 if (!printAllocDeallocName(os, C, DeallocExpr)) 1812 os << "deallocator"; 1813 1814 os << " is "; 1815 bool Summarized = MR ? SummarizeRegion(os, MR) 1816 : SummarizeValue(os, ArgVal); 1817 if (Summarized) 1818 os << ", which is not memory allocated by "; 1819 else 1820 os << "not memory allocated by "; 1821 1822 printExpectedAllocName(os, C, DeallocExpr); 1823 1824 auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], os.str(), N); 1825 R->markInteresting(MR); 1826 R->addRange(Range); 1827 C.emitReport(std::move(R)); 1828 } 1829 } 1830 1831 void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal, 1832 SourceRange Range) const { 1833 1834 Optional<MallocChecker::CheckKind> CheckKind; 1835 1836 if (ChecksEnabled[CK_MallocChecker]) 1837 CheckKind = CK_MallocChecker; 1838 else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1839 CheckKind = CK_MismatchedDeallocatorChecker; 1840 else 1841 return; 1842 1843 if (ExplodedNode *N = C.generateErrorNode()) { 1844 if (!BT_FreeAlloca[*CheckKind]) 1845 BT_FreeAlloca[*CheckKind].reset(new BugType( 1846 CheckNames[*CheckKind], "Free alloca()", categories::MemoryError)); 1847 1848 auto R = llvm::make_unique<BugReport>( 1849 *BT_FreeAlloca[*CheckKind], 1850 "Memory allocated by alloca() should not be deallocated", N); 1851 R->markInteresting(ArgVal.getAsRegion()); 1852 R->addRange(Range); 1853 C.emitReport(std::move(R)); 1854 } 1855 } 1856 1857 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1858 SourceRange Range, 1859 const Expr *DeallocExpr, 1860 const RefState *RS, 1861 SymbolRef Sym, 1862 bool OwnershipTransferred) const { 1863 1864 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) 1865 return; 1866 1867 if (ExplodedNode *N = C.generateErrorNode()) { 1868 if (!BT_MismatchedDealloc) 1869 BT_MismatchedDealloc.reset( 1870 new BugType(CheckNames[CK_MismatchedDeallocatorChecker], 1871 "Bad deallocator", categories::MemoryError)); 1872 1873 SmallString<100> buf; 1874 llvm::raw_svector_ostream os(buf); 1875 1876 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1877 SmallString<20> AllocBuf; 1878 llvm::raw_svector_ostream AllocOs(AllocBuf); 1879 SmallString<20> DeallocBuf; 1880 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1881 1882 if (OwnershipTransferred) { 1883 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1884 os << DeallocOs.str() << " cannot"; 1885 else 1886 os << "Cannot"; 1887 1888 os << " take ownership of memory"; 1889 1890 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1891 os << " allocated by " << AllocOs.str(); 1892 } else { 1893 os << "Memory"; 1894 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1895 os << " allocated by " << AllocOs.str(); 1896 1897 os << " should be deallocated by "; 1898 printExpectedDeallocName(os, RS->getAllocationFamily()); 1899 1900 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1901 os << ", not " << DeallocOs.str(); 1902 } 1903 1904 auto R = llvm::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N); 1905 R->markInteresting(Sym); 1906 R->addRange(Range); 1907 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1908 C.emitReport(std::move(R)); 1909 } 1910 } 1911 1912 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1913 SourceRange Range, const Expr *DeallocExpr, 1914 const Expr *AllocExpr) const { 1915 1916 1917 if (!ChecksEnabled[CK_MallocChecker] && 1918 !ChecksEnabled[CK_NewDeleteChecker]) 1919 return; 1920 1921 Optional<MallocChecker::CheckKind> CheckKind = 1922 getCheckIfTracked(C, AllocExpr); 1923 if (!CheckKind.hasValue()) 1924 return; 1925 1926 ExplodedNode *N = C.generateErrorNode(); 1927 if (!N) 1928 return; 1929 1930 if (!BT_OffsetFree[*CheckKind]) 1931 BT_OffsetFree[*CheckKind].reset(new BugType( 1932 CheckNames[*CheckKind], "Offset free", categories::MemoryError)); 1933 1934 SmallString<100> buf; 1935 llvm::raw_svector_ostream os(buf); 1936 SmallString<20> AllocNameBuf; 1937 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1938 1939 const MemRegion *MR = ArgVal.getAsRegion(); 1940 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1941 1942 RegionOffset Offset = MR->getAsOffset(); 1943 assert((Offset.isValid() && 1944 !Offset.hasSymbolicOffset() && 1945 Offset.getOffset() != 0) && 1946 "Only symbols with a valid offset can have offset free errors"); 1947 1948 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1949 1950 os << "Argument to "; 1951 if (!printAllocDeallocName(os, C, DeallocExpr)) 1952 os << "deallocator"; 1953 os << " is offset by " 1954 << offsetBytes 1955 << " " 1956 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1957 << " from the start of "; 1958 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1959 os << "memory allocated by " << AllocNameOs.str(); 1960 else 1961 os << "allocated memory"; 1962 1963 auto R = llvm::make_unique<BugReport>(*BT_OffsetFree[*CheckKind], os.str(), N); 1964 R->markInteresting(MR->getBaseRegion()); 1965 R->addRange(Range); 1966 C.emitReport(std::move(R)); 1967 } 1968 1969 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1970 SymbolRef Sym) const { 1971 1972 if (!ChecksEnabled[CK_MallocChecker] && 1973 !ChecksEnabled[CK_NewDeleteChecker]) 1974 return; 1975 1976 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 1977 if (!CheckKind.hasValue()) 1978 return; 1979 1980 if (ExplodedNode *N = C.generateErrorNode()) { 1981 if (!BT_UseFree[*CheckKind]) 1982 BT_UseFree[*CheckKind].reset(new BugType( 1983 CheckNames[*CheckKind], "Use-after-free", categories::MemoryError)); 1984 1985 auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind], 1986 "Use of memory after it is freed", N); 1987 1988 R->markInteresting(Sym); 1989 R->addRange(Range); 1990 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 1991 C.emitReport(std::move(R)); 1992 } 1993 } 1994 1995 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1996 bool Released, SymbolRef Sym, 1997 SymbolRef PrevSym) const { 1998 1999 if (!ChecksEnabled[CK_MallocChecker] && 2000 !ChecksEnabled[CK_NewDeleteChecker]) 2001 return; 2002 2003 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2004 if (!CheckKind.hasValue()) 2005 return; 2006 2007 if (ExplodedNode *N = C.generateErrorNode()) { 2008 if (!BT_DoubleFree[*CheckKind]) 2009 BT_DoubleFree[*CheckKind].reset(new BugType( 2010 CheckNames[*CheckKind], "Double free", categories::MemoryError)); 2011 2012 auto R = llvm::make_unique<BugReport>( 2013 *BT_DoubleFree[*CheckKind], 2014 (Released ? "Attempt to free released memory" 2015 : "Attempt to free non-owned memory"), 2016 N); 2017 R->addRange(Range); 2018 R->markInteresting(Sym); 2019 if (PrevSym) 2020 R->markInteresting(PrevSym); 2021 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 2022 C.emitReport(std::move(R)); 2023 } 2024 } 2025 2026 void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { 2027 2028 if (!ChecksEnabled[CK_NewDeleteChecker]) 2029 return; 2030 2031 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2032 if (!CheckKind.hasValue()) 2033 return; 2034 2035 if (ExplodedNode *N = C.generateErrorNode()) { 2036 if (!BT_DoubleDelete) 2037 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], 2038 "Double delete", 2039 categories::MemoryError)); 2040 2041 auto R = llvm::make_unique<BugReport>( 2042 *BT_DoubleDelete, "Attempt to delete released memory", N); 2043 2044 R->markInteresting(Sym); 2045 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 2046 C.emitReport(std::move(R)); 2047 } 2048 } 2049 2050 void MallocChecker::ReportUseZeroAllocated(CheckerContext &C, 2051 SourceRange Range, 2052 SymbolRef Sym) const { 2053 2054 if (!ChecksEnabled[CK_MallocChecker] && 2055 !ChecksEnabled[CK_NewDeleteChecker]) 2056 return; 2057 2058 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); 2059 2060 if (!CheckKind.hasValue()) 2061 return; 2062 2063 if (ExplodedNode *N = C.generateErrorNode()) { 2064 if (!BT_UseZerroAllocated[*CheckKind]) 2065 BT_UseZerroAllocated[*CheckKind].reset( 2066 new BugType(CheckNames[*CheckKind], "Use of zero allocated", 2067 categories::MemoryError)); 2068 2069 auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind], 2070 "Use of zero-allocated memory", N); 2071 2072 R->addRange(Range); 2073 if (Sym) { 2074 R->markInteresting(Sym); 2075 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); 2076 } 2077 C.emitReport(std::move(R)); 2078 } 2079 } 2080 2081 void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, 2082 SourceRange Range, 2083 const Expr *FreeExpr) const { 2084 if (!ChecksEnabled[CK_MallocChecker]) 2085 return; 2086 2087 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr); 2088 if (!CheckKind.hasValue()) 2089 return; 2090 2091 if (ExplodedNode *N = C.generateErrorNode()) { 2092 if (!BT_BadFree[*CheckKind]) 2093 BT_BadFree[*CheckKind].reset(new BugType( 2094 CheckNames[*CheckKind], "Bad free", categories::MemoryError)); 2095 2096 SmallString<100> Buf; 2097 llvm::raw_svector_ostream Os(Buf); 2098 2099 const MemRegion *MR = ArgVal.getAsRegion(); 2100 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 2101 MR = ER->getSuperRegion(); 2102 2103 Os << "Argument to "; 2104 if (!printAllocDeallocName(Os, C, FreeExpr)) 2105 Os << "deallocator"; 2106 2107 Os << " is a function pointer"; 2108 2109 auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], Os.str(), N); 2110 R->markInteresting(MR); 2111 R->addRange(Range); 2112 C.emitReport(std::move(R)); 2113 } 2114 } 2115 2116 ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C, 2117 const CallExpr *CE, 2118 bool FreesOnFail, 2119 ProgramStateRef State, 2120 bool SuffixWithN) const { 2121 if (!State) 2122 return nullptr; 2123 2124 if (SuffixWithN && CE->getNumArgs() < 3) 2125 return nullptr; 2126 else if (CE->getNumArgs() < 2) 2127 return nullptr; 2128 2129 const Expr *arg0Expr = CE->getArg(0); 2130 SVal Arg0Val = C.getSVal(arg0Expr); 2131 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 2132 return nullptr; 2133 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 2134 2135 SValBuilder &svalBuilder = C.getSValBuilder(); 2136 2137 DefinedOrUnknownSVal PtrEQ = 2138 svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull()); 2139 2140 // Get the size argument. 2141 const Expr *Arg1 = CE->getArg(1); 2142 2143 // Get the value of the size argument. 2144 SVal TotalSize = C.getSVal(Arg1); 2145 if (SuffixWithN) 2146 TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2)); 2147 if (!TotalSize.getAs<DefinedOrUnknownSVal>()) 2148 return nullptr; 2149 2150 // Compare the size argument to 0. 2151 DefinedOrUnknownSVal SizeZero = 2152 svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(), 2153 svalBuilder.makeIntValWithPtrWidth(0, false)); 2154 2155 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 2156 std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); 2157 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 2158 std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); 2159 // We only assume exceptional states if they are definitely true; if the 2160 // state is under-constrained, assume regular realloc behavior. 2161 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 2162 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 2163 2164 // If the ptr is NULL and the size is not 0, the call is equivalent to 2165 // malloc(size). 2166 if (PrtIsNull && !SizeIsZero) { 2167 ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize, 2168 UndefinedVal(), StatePtrIsNull); 2169 return stateMalloc; 2170 } 2171 2172 if (PrtIsNull && SizeIsZero) 2173 return State; 2174 2175 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 2176 assert(!PrtIsNull); 2177 SymbolRef FromPtr = arg0Val.getAsSymbol(); 2178 SVal RetVal = C.getSVal(CE); 2179 SymbolRef ToPtr = RetVal.getAsSymbol(); 2180 if (!FromPtr || !ToPtr) 2181 return nullptr; 2182 2183 bool ReleasedAllocated = false; 2184 2185 // If the size is 0, free the memory. 2186 if (SizeIsZero) 2187 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 2188 false, ReleasedAllocated)){ 2189 // The semantics of the return value are: 2190 // If size was equal to 0, either NULL or a pointer suitable to be passed 2191 // to free() is returned. We just free the input pointer and do not add 2192 // any constrains on the output pointer. 2193 return stateFree; 2194 } 2195 2196 // Default behavior. 2197 if (ProgramStateRef stateFree = 2198 FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) { 2199 2200 ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize, 2201 UnknownVal(), stateFree); 2202 if (!stateRealloc) 2203 return nullptr; 2204 2205 ReallocPairKind Kind = RPToBeFreedAfterFailure; 2206 if (FreesOnFail) 2207 Kind = RPIsFreeOnFailure; 2208 else if (!ReleasedAllocated) 2209 Kind = RPDoNotTrackAfterFailure; 2210 2211 // Record the info about the reallocated symbol so that we could properly 2212 // process failed reallocation. 2213 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 2214 ReallocPair(FromPtr, Kind)); 2215 // The reallocated symbol should stay alive for as long as the new symbol. 2216 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 2217 return stateRealloc; 2218 } 2219 return nullptr; 2220 } 2221 2222 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE, 2223 ProgramStateRef State) { 2224 if (!State) 2225 return nullptr; 2226 2227 if (CE->getNumArgs() < 2) 2228 return nullptr; 2229 2230 SValBuilder &svalBuilder = C.getSValBuilder(); 2231 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 2232 SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); 2233 2234 return MallocMemAux(C, CE, TotalSize, zeroVal, State); 2235 } 2236 2237 LeakInfo 2238 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 2239 CheckerContext &C) const { 2240 const LocationContext *LeakContext = N->getLocationContext(); 2241 // Walk the ExplodedGraph backwards and find the first node that referred to 2242 // the tracked symbol. 2243 const ExplodedNode *AllocNode = N; 2244 const MemRegion *ReferenceRegion = nullptr; 2245 2246 while (N) { 2247 ProgramStateRef State = N->getState(); 2248 if (!State->get<RegionState>(Sym)) 2249 break; 2250 2251 // Find the most recent expression bound to the symbol in the current 2252 // context. 2253 if (!ReferenceRegion) { 2254 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 2255 SVal Val = State->getSVal(MR); 2256 if (Val.getAsLocSymbol() == Sym) { 2257 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); 2258 // Do not show local variables belonging to a function other than 2259 // where the error is reported. 2260 if (!VR || 2261 (VR->getStackFrame() == LeakContext->getStackFrame())) 2262 ReferenceRegion = MR; 2263 } 2264 } 2265 } 2266 2267 // Allocation node, is the last node in the current or parent context in 2268 // which the symbol was tracked. 2269 const LocationContext *NContext = N->getLocationContext(); 2270 if (NContext == LeakContext || 2271 NContext->isParentOf(LeakContext)) 2272 AllocNode = N; 2273 N = N->pred_empty() ? nullptr : *(N->pred_begin()); 2274 } 2275 2276 return LeakInfo(AllocNode, ReferenceRegion); 2277 } 2278 2279 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 2280 CheckerContext &C) const { 2281 2282 if (!ChecksEnabled[CK_MallocChecker] && 2283 !ChecksEnabled[CK_NewDeleteLeaksChecker]) 2284 return; 2285 2286 const RefState *RS = C.getState()->get<RegionState>(Sym); 2287 assert(RS && "cannot leak an untracked symbol"); 2288 AllocationFamily Family = RS->getAllocationFamily(); 2289 2290 if (Family == AF_Alloca) 2291 return; 2292 2293 Optional<MallocChecker::CheckKind> 2294 CheckKind = getCheckIfTracked(Family, true); 2295 2296 if (!CheckKind.hasValue()) 2297 return; 2298 2299 assert(N); 2300 if (!BT_Leak[*CheckKind]) { 2301 BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak", 2302 categories::MemoryError)); 2303 // Leaks should not be reported if they are post-dominated by a sink: 2304 // (1) Sinks are higher importance bugs. 2305 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 2306 // with __noreturn functions such as assert() or exit(). We choose not 2307 // to report leaks on such paths. 2308 BT_Leak[*CheckKind]->setSuppressOnSink(true); 2309 } 2310 2311 // Most bug reports are cached at the location where they occurred. 2312 // With leaks, we want to unique them by the location where they were 2313 // allocated, and only report a single path. 2314 PathDiagnosticLocation LocUsedForUniqueing; 2315 const ExplodedNode *AllocNode = nullptr; 2316 const MemRegion *Region = nullptr; 2317 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 2318 2319 const Stmt *AllocationStmt = PathDiagnosticLocation::getStmt(AllocNode); 2320 if (AllocationStmt) 2321 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 2322 C.getSourceManager(), 2323 AllocNode->getLocationContext()); 2324 2325 SmallString<200> buf; 2326 llvm::raw_svector_ostream os(buf); 2327 if (Region && Region->canPrintPretty()) { 2328 os << "Potential leak of memory pointed to by "; 2329 Region->printPretty(os); 2330 } else { 2331 os << "Potential memory leak"; 2332 } 2333 2334 auto R = llvm::make_unique<BugReport>( 2335 *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, 2336 AllocNode->getLocationContext()->getDecl()); 2337 R->markInteresting(Sym); 2338 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true)); 2339 C.emitReport(std::move(R)); 2340 } 2341 2342 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 2343 CheckerContext &C) const 2344 { 2345 if (!SymReaper.hasDeadSymbols()) 2346 return; 2347 2348 ProgramStateRef state = C.getState(); 2349 RegionStateTy RS = state->get<RegionState>(); 2350 RegionStateTy::Factory &F = state->get_context<RegionState>(); 2351 2352 SmallVector<SymbolRef, 2> Errors; 2353 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2354 if (SymReaper.isDead(I->first)) { 2355 if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero()) 2356 Errors.push_back(I->first); 2357 // Remove the dead symbol from the map. 2358 RS = F.remove(RS, I->first); 2359 2360 } 2361 } 2362 2363 // Cleanup the Realloc Pairs Map. 2364 ReallocPairsTy RP = state->get<ReallocPairs>(); 2365 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2366 if (SymReaper.isDead(I->first) || 2367 SymReaper.isDead(I->second.ReallocatedSym)) { 2368 state = state->remove<ReallocPairs>(I->first); 2369 } 2370 } 2371 2372 // Cleanup the FreeReturnValue Map. 2373 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 2374 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 2375 if (SymReaper.isDead(I->first) || 2376 SymReaper.isDead(I->second)) { 2377 state = state->remove<FreeReturnValue>(I->first); 2378 } 2379 } 2380 2381 // Generate leak node. 2382 ExplodedNode *N = C.getPredecessor(); 2383 if (!Errors.empty()) { 2384 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); 2385 N = C.generateNonFatalErrorNode(C.getState(), &Tag); 2386 if (N) { 2387 for (SmallVectorImpl<SymbolRef>::iterator 2388 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 2389 reportLeak(*I, N, C); 2390 } 2391 } 2392 } 2393 2394 C.addTransition(state->set<RegionState>(RS), N); 2395 } 2396 2397 void MallocChecker::checkPreCall(const CallEvent &Call, 2398 CheckerContext &C) const { 2399 2400 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { 2401 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); 2402 if (!Sym || checkDoubleDelete(Sym, C)) 2403 return; 2404 } 2405 2406 // We will check for double free in the post visit. 2407 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 2408 const FunctionDecl *FD = FC->getDecl(); 2409 if (!FD) 2410 return; 2411 2412 ASTContext &Ctx = C.getASTContext(); 2413 if (ChecksEnabled[CK_MallocChecker] && 2414 (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) || 2415 isCMemFunction(FD, Ctx, AF_IfNameIndex, 2416 MemoryOperationKind::MOK_Free))) 2417 return; 2418 2419 if (ChecksEnabled[CK_NewDeleteChecker] && 2420 isStandardNewDelete(FD, Ctx)) 2421 return; 2422 } 2423 2424 // Check if the callee of a method is deleted. 2425 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 2426 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 2427 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 2428 return; 2429 } 2430 2431 // Check arguments for being used after free. 2432 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 2433 SVal ArgSVal = Call.getArgSVal(I); 2434 if (ArgSVal.getAs<Loc>()) { 2435 SymbolRef Sym = ArgSVal.getAsSymbol(); 2436 if (!Sym) 2437 continue; 2438 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 2439 return; 2440 } 2441 } 2442 } 2443 2444 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 2445 const Expr *E = S->getRetValue(); 2446 if (!E) 2447 return; 2448 2449 // Check if we are returning a symbol. 2450 ProgramStateRef State = C.getState(); 2451 SVal RetVal = C.getSVal(E); 2452 SymbolRef Sym = RetVal.getAsSymbol(); 2453 if (!Sym) 2454 // If we are returning a field of the allocated struct or an array element, 2455 // the callee could still free the memory. 2456 // TODO: This logic should be a part of generic symbol escape callback. 2457 if (const MemRegion *MR = RetVal.getAsRegion()) 2458 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 2459 if (const SymbolicRegion *BMR = 2460 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 2461 Sym = BMR->getSymbol(); 2462 2463 // Check if we are returning freed memory. 2464 if (Sym) 2465 checkUseAfterFree(Sym, C, E); 2466 } 2467 2468 // TODO: Blocks should be either inlined or should call invalidate regions 2469 // upon invocation. After that's in place, special casing here will not be 2470 // needed. 2471 void MallocChecker::checkPostStmt(const BlockExpr *BE, 2472 CheckerContext &C) const { 2473 2474 // Scan the BlockDecRefExprs for any object the retain count checker 2475 // may be tracking. 2476 if (!BE->getBlockDecl()->hasCaptures()) 2477 return; 2478 2479 ProgramStateRef state = C.getState(); 2480 const BlockDataRegion *R = 2481 cast<BlockDataRegion>(C.getSVal(BE).getAsRegion()); 2482 2483 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 2484 E = R->referenced_vars_end(); 2485 2486 if (I == E) 2487 return; 2488 2489 SmallVector<const MemRegion*, 10> Regions; 2490 const LocationContext *LC = C.getLocationContext(); 2491 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 2492 2493 for ( ; I != E; ++I) { 2494 const VarRegion *VR = I.getCapturedRegion(); 2495 if (VR->getSuperRegion() == R) { 2496 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 2497 } 2498 Regions.push_back(VR); 2499 } 2500 2501 state = 2502 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 2503 Regions.data() + Regions.size()).getState(); 2504 C.addTransition(state); 2505 } 2506 2507 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 2508 assert(Sym); 2509 const RefState *RS = C.getState()->get<RegionState>(Sym); 2510 return (RS && RS->isReleased()); 2511 } 2512 2513 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 2514 const Stmt *S) const { 2515 2516 if (isReleased(Sym, C)) { 2517 ReportUseAfterFree(C, S->getSourceRange(), Sym); 2518 return true; 2519 } 2520 2521 return false; 2522 } 2523 2524 void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, 2525 const Stmt *S) const { 2526 assert(Sym); 2527 2528 if (const RefState *RS = C.getState()->get<RegionState>(Sym)) { 2529 if (RS->isAllocatedOfSizeZero()) 2530 ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym); 2531 } 2532 else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) { 2533 ReportUseZeroAllocated(C, S->getSourceRange(), Sym); 2534 } 2535 } 2536 2537 bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { 2538 2539 if (isReleased(Sym, C)) { 2540 ReportDoubleDelete(C, Sym); 2541 return true; 2542 } 2543 return false; 2544 } 2545 2546 // Check if the location is a freed symbolic region. 2547 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 2548 CheckerContext &C) const { 2549 SymbolRef Sym = l.getLocSymbolInBase(); 2550 if (Sym) { 2551 checkUseAfterFree(Sym, C, S); 2552 checkUseZeroAllocated(Sym, C, S); 2553 } 2554 } 2555 2556 // If a symbolic region is assumed to NULL (or another constant), stop tracking 2557 // it - assuming that allocation failed on this path. 2558 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 2559 SVal Cond, 2560 bool Assumption) const { 2561 RegionStateTy RS = state->get<RegionState>(); 2562 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2563 // If the symbol is assumed to be NULL, remove it from consideration. 2564 ConstraintManager &CMgr = state->getConstraintManager(); 2565 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2566 if (AllocFailed.isConstrainedTrue()) 2567 state = state->remove<RegionState>(I.getKey()); 2568 } 2569 2570 // Realloc returns 0 when reallocation fails, which means that we should 2571 // restore the state of the pointer being reallocated. 2572 ReallocPairsTy RP = state->get<ReallocPairs>(); 2573 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 2574 // If the symbol is assumed to be NULL, remove it from consideration. 2575 ConstraintManager &CMgr = state->getConstraintManager(); 2576 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 2577 if (!AllocFailed.isConstrainedTrue()) 2578 continue; 2579 2580 SymbolRef ReallocSym = I.getData().ReallocatedSym; 2581 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 2582 if (RS->isReleased()) { 2583 if (I.getData().Kind == RPToBeFreedAfterFailure) 2584 state = state->set<RegionState>(ReallocSym, 2585 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 2586 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 2587 state = state->remove<RegionState>(ReallocSym); 2588 else 2589 assert(I.getData().Kind == RPIsFreeOnFailure); 2590 } 2591 } 2592 state = state->remove<ReallocPairs>(I.getKey()); 2593 } 2594 2595 return state; 2596 } 2597 2598 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 2599 const CallEvent *Call, 2600 ProgramStateRef State, 2601 SymbolRef &EscapingSymbol) const { 2602 assert(Call); 2603 EscapingSymbol = nullptr; 2604 2605 // For now, assume that any C++ or block call can free memory. 2606 // TODO: If we want to be more optimistic here, we'll need to make sure that 2607 // regions escape to C++ containers. They seem to do that even now, but for 2608 // mysterious reasons. 2609 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 2610 return true; 2611 2612 // Check Objective-C messages by selector name. 2613 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 2614 // If it's not a framework call, or if it takes a callback, assume it 2615 // can free memory. 2616 if (!Call->isInSystemHeader() || Call->argumentsMayEscape()) 2617 return true; 2618 2619 // If it's a method we know about, handle it explicitly post-call. 2620 // This should happen before the "freeWhenDone" check below. 2621 if (isKnownDeallocObjCMethodName(*Msg)) 2622 return false; 2623 2624 // If there's a "freeWhenDone" parameter, but the method isn't one we know 2625 // about, we can't be sure that the object will use free() to deallocate the 2626 // memory, so we can't model it explicitly. The best we can do is use it to 2627 // decide whether the pointer escapes. 2628 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 2629 return *FreeWhenDone; 2630 2631 // If the first selector piece ends with "NoCopy", and there is no 2632 // "freeWhenDone" parameter set to zero, we know ownership is being 2633 // transferred. Again, though, we can't be sure that the object will use 2634 // free() to deallocate the memory, so we can't model it explicitly. 2635 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 2636 if (FirstSlot.endswith("NoCopy")) 2637 return true; 2638 2639 // If the first selector starts with addPointer, insertPointer, 2640 // or replacePointer, assume we are dealing with NSPointerArray or similar. 2641 // This is similar to C++ containers (vector); we still might want to check 2642 // that the pointers get freed by following the container itself. 2643 if (FirstSlot.startswith("addPointer") || 2644 FirstSlot.startswith("insertPointer") || 2645 FirstSlot.startswith("replacePointer") || 2646 FirstSlot.equals("valueWithPointer")) { 2647 return true; 2648 } 2649 2650 // We should escape receiver on call to 'init'. This is especially relevant 2651 // to the receiver, as the corresponding symbol is usually not referenced 2652 // after the call. 2653 if (Msg->getMethodFamily() == OMF_init) { 2654 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 2655 return true; 2656 } 2657 2658 // Otherwise, assume that the method does not free memory. 2659 // Most framework methods do not free memory. 2660 return false; 2661 } 2662 2663 // At this point the only thing left to handle is straight function calls. 2664 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); 2665 if (!FD) 2666 return true; 2667 2668 ASTContext &ASTC = State->getStateManager().getContext(); 2669 2670 // If it's one of the allocation functions we can reason about, we model 2671 // its behavior explicitly. 2672 if (isMemFunction(FD, ASTC)) 2673 return false; 2674 2675 // If it's not a system call, assume it frees memory. 2676 if (!Call->isInSystemHeader()) 2677 return true; 2678 2679 // White list the system functions whose arguments escape. 2680 const IdentifierInfo *II = FD->getIdentifier(); 2681 if (!II) 2682 return true; 2683 StringRef FName = II->getName(); 2684 2685 // White list the 'XXXNoCopy' CoreFoundation functions. 2686 // We specifically check these before 2687 if (FName.endswith("NoCopy")) { 2688 // Look for the deallocator argument. We know that the memory ownership 2689 // is not transferred only if the deallocator argument is 2690 // 'kCFAllocatorNull'. 2691 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 2692 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 2693 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 2694 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 2695 if (DeallocatorName == "kCFAllocatorNull") 2696 return false; 2697 } 2698 } 2699 return true; 2700 } 2701 2702 // Associating streams with malloced buffers. The pointer can escape if 2703 // 'closefn' is specified (and if that function does free memory), 2704 // but it will not if closefn is not specified. 2705 // Currently, we do not inspect the 'closefn' function (PR12101). 2706 if (FName == "funopen") 2707 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 2708 return false; 2709 2710 // Do not warn on pointers passed to 'setbuf' when used with std streams, 2711 // these leaks might be intentional when setting the buffer for stdio. 2712 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 2713 if (FName == "setbuf" || FName =="setbuffer" || 2714 FName == "setlinebuf" || FName == "setvbuf") { 2715 if (Call->getNumArgs() >= 1) { 2716 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 2717 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 2718 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 2719 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 2720 return true; 2721 } 2722 } 2723 2724 // A bunch of other functions which either take ownership of a pointer or 2725 // wrap the result up in a struct or object, meaning it can be freed later. 2726 // (See RetainCountChecker.) Not all the parameters here are invalidated, 2727 // but the Malloc checker cannot differentiate between them. The right way 2728 // of doing this would be to implement a pointer escapes callback. 2729 if (FName == "CGBitmapContextCreate" || 2730 FName == "CGBitmapContextCreateWithData" || 2731 FName == "CVPixelBufferCreateWithBytes" || 2732 FName == "CVPixelBufferCreateWithPlanarBytes" || 2733 FName == "OSAtomicEnqueue") { 2734 return true; 2735 } 2736 2737 if (FName == "postEvent" && 2738 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 2739 return true; 2740 } 2741 2742 if (FName == "postEvent" && 2743 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { 2744 return true; 2745 } 2746 2747 if (FName == "connectImpl" && 2748 FD->getQualifiedNameAsString() == "QObject::connectImpl") { 2749 return true; 2750 } 2751 2752 // Handle cases where we know a buffer's /address/ can escape. 2753 // Note that the above checks handle some special cases where we know that 2754 // even though the address escapes, it's still our responsibility to free the 2755 // buffer. 2756 if (Call->argumentsMayEscape()) 2757 return true; 2758 2759 // Otherwise, assume that the function does not free memory. 2760 // Most system calls do not free the memory. 2761 return false; 2762 } 2763 2764 static bool retTrue(const RefState *RS) { 2765 return true; 2766 } 2767 2768 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2769 return (RS->getAllocationFamily() == AF_CXXNewArray || 2770 RS->getAllocationFamily() == AF_CXXNew); 2771 } 2772 2773 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2774 const InvalidatedSymbols &Escaped, 2775 const CallEvent *Call, 2776 PointerEscapeKind Kind) const { 2777 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 2778 } 2779 2780 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2781 const InvalidatedSymbols &Escaped, 2782 const CallEvent *Call, 2783 PointerEscapeKind Kind) const { 2784 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2785 &checkIfNewOrNewArrayFamily); 2786 } 2787 2788 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 2789 const InvalidatedSymbols &Escaped, 2790 const CallEvent *Call, 2791 PointerEscapeKind Kind, 2792 bool(*CheckRefState)(const RefState*)) const { 2793 // If we know that the call does not free memory, or we want to process the 2794 // call later, keep tracking the top level arguments. 2795 SymbolRef EscapingSymbol = nullptr; 2796 if (Kind == PSK_DirectEscapeOnCall && 2797 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 2798 EscapingSymbol) && 2799 !EscapingSymbol) { 2800 return State; 2801 } 2802 2803 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 2804 E = Escaped.end(); 2805 I != E; ++I) { 2806 SymbolRef sym = *I; 2807 2808 if (EscapingSymbol && EscapingSymbol != sym) 2809 continue; 2810 2811 if (const RefState *RS = State->get<RegionState>(sym)) { 2812 if ((RS->isAllocated() || RS->isAllocatedOfSizeZero()) && 2813 CheckRefState(RS)) { 2814 State = State->remove<RegionState>(sym); 2815 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 2816 } 2817 } 2818 } 2819 return State; 2820 } 2821 2822 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2823 ProgramStateRef prevState) { 2824 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2825 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2826 2827 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2828 I != E; ++I) { 2829 SymbolRef sym = I.getKey(); 2830 if (!currMap.lookup(sym)) 2831 return sym; 2832 } 2833 2834 return nullptr; 2835 } 2836 2837 static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) { 2838 if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) { 2839 StringRef N = II->getName(); 2840 if (N.contains_lower("ptr") || N.contains_lower("pointer")) { 2841 if (N.contains_lower("ref") || N.contains_lower("cnt") || 2842 N.contains_lower("intrusive") || N.contains_lower("shared")) { 2843 return true; 2844 } 2845 } 2846 } 2847 return false; 2848 } 2849 2850 std::shared_ptr<PathDiagnosticPiece> MallocChecker::MallocBugVisitor::VisitNode( 2851 const ExplodedNode *N, const ExplodedNode *PrevN, BugReporterContext &BRC, 2852 BugReport &BR) { 2853 const Stmt *S = PathDiagnosticLocation::getStmt(N); 2854 if (!S) 2855 return nullptr; 2856 2857 const LocationContext *CurrentLC = N->getLocationContext(); 2858 2859 // If we find an atomic fetch_add or fetch_sub within the destructor in which 2860 // the pointer was released (before the release), this is likely a destructor 2861 // of a shared pointer. 2862 // Because we don't model atomics, and also because we don't know that the 2863 // original reference count is positive, we should not report use-after-frees 2864 // on objects deleted in such destructors. This can probably be improved 2865 // through better shared pointer modeling. 2866 if (ReleaseDestructorLC) { 2867 if (const auto *AE = dyn_cast<AtomicExpr>(S)) { 2868 AtomicExpr::AtomicOp Op = AE->getOp(); 2869 if (Op == AtomicExpr::AO__c11_atomic_fetch_add || 2870 Op == AtomicExpr::AO__c11_atomic_fetch_sub) { 2871 if (ReleaseDestructorLC == CurrentLC || 2872 ReleaseDestructorLC->isParentOf(CurrentLC)) { 2873 BR.markInvalid(getTag(), S); 2874 } 2875 } 2876 } 2877 } 2878 2879 ProgramStateRef state = N->getState(); 2880 ProgramStateRef statePrev = PrevN->getState(); 2881 2882 const RefState *RS = state->get<RegionState>(Sym); 2883 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2884 if (!RS) 2885 return nullptr; 2886 2887 // FIXME: We will eventually need to handle non-statement-based events 2888 // (__attribute__((cleanup))). 2889 2890 // Find out if this is an interesting point and what is the kind. 2891 const char *Msg = nullptr; 2892 StackHintGeneratorForSymbol *StackHint = nullptr; 2893 if (Mode == Normal) { 2894 if (isAllocated(RS, RSPrev, S)) { 2895 Msg = "Memory is allocated"; 2896 StackHint = new StackHintGeneratorForSymbol(Sym, 2897 "Returned allocated memory"); 2898 } else if (isReleased(RS, RSPrev, S)) { 2899 Msg = "Memory is released"; 2900 StackHint = new StackHintGeneratorForSymbol(Sym, 2901 "Returning; memory was released"); 2902 2903 // See if we're releasing memory while inlining a destructor 2904 // (or one of its callees). This turns on various common 2905 // false positive suppressions. 2906 bool FoundAnyDestructor = false; 2907 for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) { 2908 if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) { 2909 if (isReferenceCountingPointerDestructor(DD)) { 2910 // This immediately looks like a reference-counting destructor. 2911 // We're bad at guessing the original reference count of the object, 2912 // so suppress the report for now. 2913 BR.markInvalid(getTag(), DD); 2914 } else if (!FoundAnyDestructor) { 2915 assert(!ReleaseDestructorLC && 2916 "There can be only one release point!"); 2917 // Suspect that it's a reference counting pointer destructor. 2918 // On one of the next nodes might find out that it has atomic 2919 // reference counting operations within it (see the code above), 2920 // and if so, we'd conclude that it likely is a reference counting 2921 // pointer destructor. 2922 ReleaseDestructorLC = LC->getStackFrame(); 2923 // It is unlikely that releasing memory is delegated to a destructor 2924 // inside a destructor of a shared pointer, because it's fairly hard 2925 // to pass the information that the pointer indeed needs to be 2926 // released into it. So we're only interested in the innermost 2927 // destructor. 2928 FoundAnyDestructor = true; 2929 } 2930 } 2931 } 2932 } else if (isRelinquished(RS, RSPrev, S)) { 2933 Msg = "Memory ownership is transferred"; 2934 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 2935 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 2936 Mode = ReallocationFailed; 2937 Msg = "Reallocation failed"; 2938 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 2939 "Reallocation failed"); 2940 2941 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2942 // Is it possible to fail two reallocs WITHOUT testing in between? 2943 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2944 "We only support one failed realloc at a time."); 2945 BR.markInteresting(sym); 2946 FailedReallocSymbol = sym; 2947 } 2948 } 2949 2950 // We are in a special mode if a reallocation failed later in the path. 2951 } else if (Mode == ReallocationFailed) { 2952 assert(FailedReallocSymbol && "No symbol to look for."); 2953 2954 // Is this is the first appearance of the reallocated symbol? 2955 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2956 // We're at the reallocation point. 2957 Msg = "Attempt to reallocate memory"; 2958 StackHint = new StackHintGeneratorForSymbol(Sym, 2959 "Returned reallocated memory"); 2960 FailedReallocSymbol = nullptr; 2961 Mode = Normal; 2962 } 2963 } 2964 2965 if (!Msg) 2966 return nullptr; 2967 assert(StackHint); 2968 2969 // Generate the extra diagnostic. 2970 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2971 N->getLocationContext()); 2972 return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true, StackHint); 2973 } 2974 2975 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2976 const char *NL, const char *Sep) const { 2977 2978 RegionStateTy RS = State->get<RegionState>(); 2979 2980 if (!RS.isEmpty()) { 2981 Out << Sep << "MallocChecker :" << NL; 2982 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2983 const RefState *RefS = State->get<RegionState>(I.getKey()); 2984 AllocationFamily Family = RefS->getAllocationFamily(); 2985 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); 2986 if (!CheckKind.hasValue()) 2987 CheckKind = getCheckIfTracked(Family, true); 2988 2989 I.getKey()->dumpToStream(Out); 2990 Out << " : "; 2991 I.getData().dump(Out); 2992 if (CheckKind.hasValue()) 2993 Out << " (" << CheckNames[*CheckKind].getName() << ")"; 2994 Out << NL; 2995 } 2996 } 2997 } 2998 2999 namespace clang { 3000 namespace ento { 3001 namespace allocation_state { 3002 3003 ProgramStateRef 3004 markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) { 3005 AllocationFamily Family = AF_InternalBuffer; 3006 return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin)); 3007 } 3008 3009 } // end namespace allocation_state 3010 } // end namespace ento 3011 } // end namespace clang 3012 3013 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) { 3014 registerCStringCheckerBasic(mgr); 3015 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); 3016 checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption( 3017 "Optimistic", false, checker); 3018 checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true; 3019 checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] = 3020 mgr.getCurrentCheckName(); 3021 // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete 3022 // checker. 3023 if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker]) { 3024 checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true; 3025 // FIXME: This does not set the correct name, but without this workaround 3026 // no name will be set at all. 3027 checker->CheckNames[MallocChecker::CK_NewDeleteChecker] = 3028 mgr.getCurrentCheckName(); 3029 } 3030 } 3031 3032 #define REGISTER_CHECKER(name) \ 3033 void ento::register##name(CheckerManager &mgr) { \ 3034 registerCStringCheckerBasic(mgr); \ 3035 MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \ 3036 checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption( \ 3037 "Optimistic", false, checker); \ 3038 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ 3039 checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \ 3040 } 3041 3042 REGISTER_CHECKER(MallocChecker) 3043 REGISTER_CHECKER(NewDeleteChecker) 3044 REGISTER_CHECKER(MismatchedDeallocatorChecker) 3045