Bug Summary

File:tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
Warning:line 3031, column 12
Potential leak of memory pointed to by 'StackHint'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name MallocChecker.cpp -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -mthread-model posix -relaxed-aliasing -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -momit-leaf-frame-pointer -ffunction-sections -fdata-sections -resource-dir /usr/lib/llvm-9/lib/clang/9.0.0 -D CLANG_VENDOR="Debian " -D _DEBUG -D _GNU_SOURCE -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D __STDC_LIMIT_MACROS -I /build/llvm-toolchain-snapshot-9~svn362543/build-llvm/tools/clang/lib/StaticAnalyzer/Checkers -I /build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers -I /build/llvm-toolchain-snapshot-9~svn362543/tools/clang/include -I /build/llvm-toolchain-snapshot-9~svn362543/build-llvm/tools/clang/include -I /build/llvm-toolchain-snapshot-9~svn362543/build-llvm/include -I /build/llvm-toolchain-snapshot-9~svn362543/include -U NDEBUG -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/c++/6.3.0 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/x86_64-linux-gnu/c++/6.3.0 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/x86_64-linux-gnu/c++/6.3.0 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/6.3.0/../../../../include/c++/6.3.0/backward -internal-isystem /usr/include/clang/9.0.0/include/ -internal-isystem /usr/local/include -internal-isystem /usr/lib/llvm-9/lib/clang/9.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-long-long -Wno-maybe-uninitialized -Wno-comment -std=c++11 -fdeprecated-macro -fdebug-compilation-dir /build/llvm-toolchain-snapshot-9~svn362543/build-llvm/tools/clang/lib/StaticAnalyzer/Checkers -fdebug-prefix-map=/build/llvm-toolchain-snapshot-9~svn362543=. -ferror-limit 19 -fmessage-length 0 -fvisibility-inlines-hidden -stack-protector 2 -fobjc-runtime=gcc -fno-common -fdiagnostics-show-option -vectorize-loops -vectorize-slp -analyzer-output=html -analyzer-config stable-report-filename=true -o /tmp/scan-build-2019-06-05-060531-1271-1 -x c++ /build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp -faddrsig
1//=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines malloc/free checker, which checks for potential memory
10// leaks, double free, and use-after-free problems.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "InterCheckerAPI.h"
16#include "clang/AST/Attr.h"
17#include "clang/AST/ParentMap.h"
18#include "clang/Basic/SourceManager.h"
19#include "clang/Basic/TargetInfo.h"
20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
22#include "clang/StaticAnalyzer/Core/Checker.h"
23#include "clang/StaticAnalyzer/Core/CheckerManager.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
25#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
26#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
27#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
28#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
29#include "llvm/ADT/STLExtras.h"
30#include "llvm/ADT/SmallString.h"
31#include "llvm/ADT/StringExtras.h"
32#include "AllocationState.h"
33#include <climits>
34#include <utility>
35
36using namespace clang;
37using namespace ento;
38
39namespace {
40
41// Used to check correspondence between allocators and deallocators.
42enum AllocationFamily {
43 AF_None,
44 AF_Malloc,
45 AF_CXXNew,
46 AF_CXXNewArray,
47 AF_IfNameIndex,
48 AF_Alloca,
49 AF_InnerBuffer
50};
51
52class RefState {
53 enum Kind { // Reference to allocated memory.
54 Allocated,
55 // Reference to zero-allocated memory.
56 AllocatedOfSizeZero,
57 // Reference to released/freed memory.
58 Released,
59 // The responsibility for freeing resources has transferred from
60 // this reference. A relinquished symbol should not be freed.
61 Relinquished,
62 // We are no longer guaranteed to have observed all manipulations
63 // of this pointer/memory. For example, it could have been
64 // passed as a parameter to an opaque function.
65 Escaped
66 };
67
68 const Stmt *S;
69 unsigned K : 3; // Kind enum, but stored as a bitfield.
70 unsigned Family : 29; // Rest of 32-bit word, currently just an allocation
71 // family.
72
73 RefState(Kind k, const Stmt *s, unsigned family)
74 : S(s), K(k), Family(family) {
75 assert(family != AF_None)((family != AF_None) ? static_cast<void> (0) : __assert_fail
("family != AF_None", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 75, __PRETTY_FUNCTION__))
;
76 }
77public:
78 bool isAllocated() const { return K == Allocated; }
79 bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
80 bool isReleased() const { return K == Released; }
81 bool isRelinquished() const { return K == Relinquished; }
82 bool isEscaped() const { return K == Escaped; }
83 AllocationFamily getAllocationFamily() const {
84 return (AllocationFamily)Family;
85 }
86 const Stmt *getStmt() const { return S; }
87
88 bool operator==(const RefState &X) const {
89 return K == X.K && S == X.S && Family == X.Family;
90 }
91
92 static RefState getAllocated(unsigned family, const Stmt *s) {
93 return RefState(Allocated, s, family);
94 }
95 static RefState getAllocatedOfSizeZero(const RefState *RS) {
96 return RefState(AllocatedOfSizeZero, RS->getStmt(),
97 RS->getAllocationFamily());
98 }
99 static RefState getReleased(unsigned family, const Stmt *s) {
100 return RefState(Released, s, family);
101 }
102 static RefState getRelinquished(unsigned family, const Stmt *s) {
103 return RefState(Relinquished, s, family);
104 }
105 static RefState getEscaped(const RefState *RS) {
106 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
107 }
108
109 void Profile(llvm::FoldingSetNodeID &ID) const {
110 ID.AddInteger(K);
111 ID.AddPointer(S);
112 ID.AddInteger(Family);
113 }
114
115 void dump(raw_ostream &OS) const {
116 switch (static_cast<Kind>(K)) {
117#define CASE(ID)case ID: OS << "ID"; break; case ID: OS << #ID; break;
118 CASE(Allocated)case Allocated: OS << "Allocated"; break;
119 CASE(AllocatedOfSizeZero)case AllocatedOfSizeZero: OS << "AllocatedOfSizeZero"; break
;
120 CASE(Released)case Released: OS << "Released"; break;
121 CASE(Relinquished)case Relinquished: OS << "Relinquished"; break;
122 CASE(Escaped)case Escaped: OS << "Escaped"; break;
123 }
124 }
125
126 LLVM_DUMP_METHOD__attribute__((noinline)) __attribute__((__used__)) void dump() const { dump(llvm::errs()); }
127};
128
129enum ReallocPairKind {
130 RPToBeFreedAfterFailure,
131 // The symbol has been freed when reallocation failed.
132 RPIsFreeOnFailure,
133 // The symbol does not need to be freed after reallocation fails.
134 RPDoNotTrackAfterFailure
135};
136
137/// \class ReallocPair
138/// Stores information about the symbol being reallocated by a call to
139/// 'realloc' to allow modeling failed reallocation later in the path.
140struct ReallocPair {
141 // The symbol which realloc reallocated.
142 SymbolRef ReallocatedSym;
143 ReallocPairKind Kind;
144
145 ReallocPair(SymbolRef S, ReallocPairKind K) :
146 ReallocatedSym(S), Kind(K) {}
147 void Profile(llvm::FoldingSetNodeID &ID) const {
148 ID.AddInteger(Kind);
149 ID.AddPointer(ReallocatedSym);
150 }
151 bool operator==(const ReallocPair &X) const {
152 return ReallocatedSym == X.ReallocatedSym &&
153 Kind == X.Kind;
154 }
155};
156
157typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo;
158
159class MallocChecker : public Checker<check::DeadSymbols,
160 check::PointerEscape,
161 check::ConstPointerEscape,
162 check::PreStmt<ReturnStmt>,
163 check::EndFunction,
164 check::PreCall,
165 check::PostStmt<CallExpr>,
166 check::PostStmt<CXXNewExpr>,
167 check::NewAllocator,
168 check::PreStmt<CXXDeleteExpr>,
169 check::PostStmt<BlockExpr>,
170 check::PostObjCMessage,
171 check::Location,
172 eval::Assume>
173{
174public:
175 MallocChecker()
176 : II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr),
177 II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),
178 II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),
179 II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr),
180 II_if_nameindex(nullptr), II_if_freenameindex(nullptr),
181 II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr),
182 II_g_malloc0(nullptr), II_g_realloc(nullptr), II_g_try_malloc(nullptr),
183 II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr),
184 II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr),
185 II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr),
186 II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr),
187 II_g_try_realloc_n(nullptr) {}
188
189 /// In pessimistic mode, the checker assumes that it does not know which
190 /// functions might free the memory.
191 enum CheckKind {
192 CK_MallocChecker,
193 CK_NewDeleteChecker,
194 CK_NewDeleteLeaksChecker,
195 CK_MismatchedDeallocatorChecker,
196 CK_InnerPointerChecker,
197 CK_NumCheckKinds
198 };
199
200 enum class MemoryOperationKind {
201 MOK_Allocate,
202 MOK_Free,
203 MOK_Any
204 };
205
206 DefaultBool IsOptimistic;
207
208 DefaultBool ChecksEnabled[CK_NumCheckKinds];
209 CheckName CheckNames[CK_NumCheckKinds];
210
211 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
212 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
213 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
214 void checkNewAllocator(const CXXNewExpr *NE, SVal Target,
215 CheckerContext &C) const;
216 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
217 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
218 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
219 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
220 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
221 void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
222 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
223 bool Assumption) const;
224 void checkLocation(SVal l, bool isLoad, const Stmt *S,
225 CheckerContext &C) const;
226
227 ProgramStateRef checkPointerEscape(ProgramStateRef State,
228 const InvalidatedSymbols &Escaped,
229 const CallEvent *Call,
230 PointerEscapeKind Kind) const;
231 ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
232 const InvalidatedSymbols &Escaped,
233 const CallEvent *Call,
234 PointerEscapeKind Kind) const;
235
236 void printState(raw_ostream &Out, ProgramStateRef State,
237 const char *NL, const char *Sep) const override;
238
239private:
240 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
241 mutable std::unique_ptr<BugType> BT_DoubleDelete;
242 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
243 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
244 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
245 mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
246 mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
247 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
248 mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
249 mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free,
250 *II_realloc, *II_calloc, *II_valloc, *II_reallocf,
251 *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc,
252 *II_if_nameindex, *II_if_freenameindex, *II_wcsdup,
253 *II_win_wcsdup, *II_g_malloc, *II_g_malloc0,
254 *II_g_realloc, *II_g_try_malloc, *II_g_try_malloc0,
255 *II_g_try_realloc, *II_g_free, *II_g_memdup,
256 *II_g_malloc_n, *II_g_malloc0_n, *II_g_realloc_n,
257 *II_g_try_malloc_n, *II_g_try_malloc0_n,
258 *II_g_try_realloc_n;
259 mutable Optional<uint64_t> KernelZeroFlagVal;
260
261 void initIdentifierInfo(ASTContext &C) const;
262
263 /// Determine family of a deallocation expression.
264 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const;
265
266 /// Print names of allocators and deallocators.
267 ///
268 /// \returns true on success.
269 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C,
270 const Expr *E) const;
271
272 /// Print expected name of an allocator based on the deallocator's
273 /// family derived from the DeallocExpr.
274 void printExpectedAllocName(raw_ostream &os, CheckerContext &C,
275 const Expr *DeallocExpr) const;
276 /// Print expected name of a deallocator based on the allocator's
277 /// family.
278 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const;
279
280 ///@{
281 /// Check if this is one of the functions which can allocate/reallocate memory
282 /// pointed to by one of its arguments.
283 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
284 bool isCMemFunction(const FunctionDecl *FD,
285 ASTContext &C,
286 AllocationFamily Family,
287 MemoryOperationKind MemKind) const;
288 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;
289 ///@}
290
291 /// Process C++ operator new()'s allocation, which is the part of C++
292 /// new-expression that goes before the constructor.
293 void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C,
294 SVal Target) const;
295
296 /// Perform a zero-allocation check.
297 /// The optional \p RetVal parameter specifies the newly allocated pointer
298 /// value; if unspecified, the value of expression \p E is used.
299 ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E,
300 const unsigned AllocationSizeArg,
301 ProgramStateRef State,
302 Optional<SVal> RetVal = None) const;
303
304 ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
305 const CallExpr *CE,
306 const OwnershipAttr* Att,
307 ProgramStateRef State) const;
308 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
309 const Expr *SizeEx, SVal Init,
310 ProgramStateRef State,
311 AllocationFamily Family = AF_Malloc);
312 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
313 SVal SizeEx, SVal Init,
314 ProgramStateRef State,
315 AllocationFamily Family = AF_Malloc);
316
317 static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE,
318 ProgramStateRef State, SVal Target);
319
320 // Check if this malloc() for special flags. At present that means M_ZERO or
321 // __GFP_ZERO (in which case, treat it like calloc).
322 llvm::Optional<ProgramStateRef>
323 performKernelMalloc(const CallExpr *CE, CheckerContext &C,
324 const ProgramStateRef &State) const;
325
326 /// Update the RefState to reflect the new memory allocation.
327 /// The optional \p RetVal parameter specifies the newly allocated pointer
328 /// value; if unspecified, the value of expression \p E is used.
329 static ProgramStateRef
330 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
331 AllocationFamily Family = AF_Malloc,
332 Optional<SVal> RetVal = None);
333
334 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE,
335 const OwnershipAttr* Att,
336 ProgramStateRef State) const;
337 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
338 ProgramStateRef state, unsigned Num,
339 bool Hold,
340 bool &ReleasedAllocated,
341 bool ReturnsNullOnFailure = false) const;
342 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg,
343 const Expr *ParentExpr,
344 ProgramStateRef State,
345 bool Hold,
346 bool &ReleasedAllocated,
347 bool ReturnsNullOnFailure = false) const;
348
349 ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE,
350 bool FreesMemOnFailure,
351 ProgramStateRef State,
352 bool SuffixWithN = false) const;
353 static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
354 const Expr *BlockBytes);
355 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,
356 ProgramStateRef State);
357
358 /// Check if the memory associated with this symbol was released.
359 bool isReleased(SymbolRef Sym, CheckerContext &C) const;
360
361 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
362
363 void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
364 const Stmt *S) const;
365
366 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
367
368 /// Check if the function is known free memory, or if it is
369 /// "interesting" and should be modeled explicitly.
370 ///
371 /// \param [out] EscapingSymbol A function might not free memory in general,
372 /// but could be known to free a particular symbol. In this case, false is
373 /// returned and the single escaping symbol is returned through the out
374 /// parameter.
375 ///
376 /// We assume that pointers do not escape through calls to system functions
377 /// not handled by this checker.
378 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
379 ProgramStateRef State,
380 SymbolRef &EscapingSymbol) const;
381
382 // Implementation of the checkPointerEscape callbacks.
383 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
384 const InvalidatedSymbols &Escaped,
385 const CallEvent *Call,
386 PointerEscapeKind Kind,
387 bool(*CheckRefState)(const RefState*)) const;
388
389 // Implementation of the checkPreStmt and checkEndFunction callbacks.
390 void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
391
392 ///@{
393 /// Tells if a given family/call/symbol is tracked by the current checker.
394 /// Sets CheckKind to the kind of the checker responsible for this
395 /// family/call/symbol.
396 Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
397 bool IsALeakCheck = false) const;
398 Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
399 const Stmt *AllocDeallocStmt,
400 bool IsALeakCheck = false) const;
401 Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
402 bool IsALeakCheck = false) const;
403 ///@}
404 static bool SummarizeValue(raw_ostream &os, SVal V);
405 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
406 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
407 const Expr *DeallocExpr) const;
408 void ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
409 SourceRange Range) const;
410 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
411 const Expr *DeallocExpr, const RefState *RS,
412 SymbolRef Sym, bool OwnershipTransferred) const;
413 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
414 const Expr *DeallocExpr,
415 const Expr *AllocExpr = nullptr) const;
416 void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
417 SymbolRef Sym) const;
418 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
419 SymbolRef Sym, SymbolRef PrevSym) const;
420
421 void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
422
423 void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range,
424 SymbolRef Sym) const;
425
426 void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
427 SourceRange Range, const Expr *FreeExpr) const;
428
429 /// Find the location of the allocation for Sym on the path leading to the
430 /// exploded node N.
431 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
432 CheckerContext &C) const;
433
434 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
435
436 /// The bug visitor which allows us to print extra diagnostics along the
437 /// BugReport path. For example, showing the allocation site of the leaked
438 /// region.
439 class MallocBugVisitor final : public BugReporterVisitor {
440 protected:
441 enum NotificationMode {
442 Normal,
443 ReallocationFailed
444 };
445
446 // The allocated region symbol tracked by the main analysis.
447 SymbolRef Sym;
448
449 // The mode we are in, i.e. what kind of diagnostics will be emitted.
450 NotificationMode Mode;
451
452 // A symbol from when the primary region should have been reallocated.
453 SymbolRef FailedReallocSymbol;
454
455 // A C++ destructor stack frame in which memory was released. Used for
456 // miscellaneous false positive suppression.
457 const StackFrameContext *ReleaseDestructorLC;
458
459 bool IsLeak;
460
461 public:
462 MallocBugVisitor(SymbolRef S, bool isLeak = false)
463 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
464 ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
465
466 static void *getTag() {
467 static int Tag = 0;
468 return &Tag;
469 }
470
471 void Profile(llvm::FoldingSetNodeID &ID) const override {
472 ID.AddPointer(getTag());
473 ID.AddPointer(Sym);
474 }
475
476 inline bool isAllocated(const RefState *S, const RefState *SPrev,
477 const Stmt *Stmt) {
478 // Did not track -> allocated. Other state (released) -> allocated.
479 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) &&
480 (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
481 (!SPrev || !(SPrev->isAllocated() ||
482 SPrev->isAllocatedOfSizeZero())));
483 }
484
485 inline bool isReleased(const RefState *S, const RefState *SPrev,
486 const Stmt *Stmt) {
487 // Did not track -> released. Other state (allocated) -> released.
488 // The statement associated with the release might be missing.
489 bool IsReleased = (S && S->isReleased()) &&
490 (!SPrev || !SPrev->isReleased());
491 assert(!IsReleased ||((!IsReleased || (Stmt && (isa<CallExpr>(Stmt) ||
isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S->
getAllocationFamily() == AF_InnerBuffer)) ? static_cast<void
> (0) : __assert_fail ("!IsReleased || (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 493, __PRETTY_FUNCTION__))
492 (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) ||((!IsReleased || (Stmt && (isa<CallExpr>(Stmt) ||
isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S->
getAllocationFamily() == AF_InnerBuffer)) ? static_cast<void
> (0) : __assert_fail ("!IsReleased || (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 493, __PRETTY_FUNCTION__))
493 (!Stmt && S->getAllocationFamily() == AF_InnerBuffer))((!IsReleased || (Stmt && (isa<CallExpr>(Stmt) ||
isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S->
getAllocationFamily() == AF_InnerBuffer)) ? static_cast<void
> (0) : __assert_fail ("!IsReleased || (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 493, __PRETTY_FUNCTION__))
;
494 return IsReleased;
495 }
496
497 inline bool isRelinquished(const RefState *S, const RefState *SPrev,
498 const Stmt *Stmt) {
499 // Did not track -> relinquished. Other state (allocated) -> relinquished.
500 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) ||
501 isa<ObjCPropertyRefExpr>(Stmt)) &&
502 (S && S->isRelinquished()) &&
503 (!SPrev || !SPrev->isRelinquished()));
504 }
505
506 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev,
507 const Stmt *Stmt) {
508 // If the expression is not a call, and the state change is
509 // released -> allocated, it must be the realloc return value
510 // check. If we have to handle more cases here, it might be cleaner just
511 // to track this extra bit in the state itself.
512 return ((!Stmt || !isa<CallExpr>(Stmt)) &&
513 (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
514 (SPrev && !(SPrev->isAllocated() ||
515 SPrev->isAllocatedOfSizeZero())));
516 }
517
518 std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
519 BugReporterContext &BRC,
520 BugReport &BR) override;
521
522 std::shared_ptr<PathDiagnosticPiece>
523 getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode,
524 BugReport &BR) override {
525 if (!IsLeak)
526 return nullptr;
527
528 PathDiagnosticLocation L =
529 PathDiagnosticLocation::createEndOfPath(EndPathNode,
530 BRC.getSourceManager());
531 // Do not add the statement itself as a range in case of leak.
532 return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(),
533 false);
534 }
535
536 private:
537 class StackHintGeneratorForReallocationFailed
538 : public StackHintGeneratorForSymbol {
539 public:
540 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
541 : StackHintGeneratorForSymbol(S, M) {}
542
543 std::string getMessageForArg(const Expr *ArgE,
544 unsigned ArgIndex) override {
545 // Printed parameters start at 1, not 0.
546 ++ArgIndex;
547
548 SmallString<200> buf;
549 llvm::raw_svector_ostream os(buf);
550
551 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
552 << " parameter failed";
553
554 return os.str();
555 }
556
557 std::string getMessageForReturn(const CallExpr *CallExpr) override {
558 return "Reallocation of returned value failed";
559 }
560 };
561 };
562};
563} // end anonymous namespace
564
565REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)namespace { class RegionState {}; using RegionStateTy = llvm::
ImmutableMap<SymbolRef, RefState>; } namespace clang { namespace
ento { template <> struct ProgramStateTrait<RegionState
> : public ProgramStatePartialTrait<RegionStateTy> {
static void *GDMIndex() { static int Index; return &Index
; } }; } }
566REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)namespace { class ReallocPairs {}; using ReallocPairsTy = llvm
::ImmutableMap<SymbolRef, ReallocPair>; } namespace clang
{ namespace ento { template <> struct ProgramStateTrait
<ReallocPairs> : public ProgramStatePartialTrait<ReallocPairsTy
> { static void *GDMIndex() { static int Index; return &
Index; } }; } }
567REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)namespace { class ReallocSizeZeroSymbols {}; using ReallocSizeZeroSymbolsTy
= llvm::ImmutableSet<SymbolRef>; } namespace clang { namespace
ento { template <> struct ProgramStateTrait<ReallocSizeZeroSymbols
> : public ProgramStatePartialTrait<ReallocSizeZeroSymbolsTy
> { static void *GDMIndex() { static int Index; return &
Index; } }; } }
568
569// A map from the freed symbol to the symbol representing the return value of
570// the free function.
571REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)namespace { class FreeReturnValue {}; using FreeReturnValueTy
= llvm::ImmutableMap<SymbolRef, SymbolRef>; } namespace
clang { namespace ento { template <> struct ProgramStateTrait
<FreeReturnValue> : public ProgramStatePartialTrait<
FreeReturnValueTy> { static void *GDMIndex() { static int Index
; return &Index; } }; } }
572
573namespace {
574class StopTrackingCallback final : public SymbolVisitor {
575 ProgramStateRef state;
576public:
577 StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
578 ProgramStateRef getState() const { return state; }
579
580 bool VisitSymbol(SymbolRef sym) override {
581 state = state->remove<RegionState>(sym);
582 return true;
583 }
584};
585} // end anonymous namespace
586
587void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
588 if (II_malloc)
589 return;
590 II_alloca = &Ctx.Idents.get("alloca");
591 II_malloc = &Ctx.Idents.get("malloc");
592 II_free = &Ctx.Idents.get("free");
593 II_realloc = &Ctx.Idents.get("realloc");
594 II_reallocf = &Ctx.Idents.get("reallocf");
595 II_calloc = &Ctx.Idents.get("calloc");
596 II_valloc = &Ctx.Idents.get("valloc");
597 II_strdup = &Ctx.Idents.get("strdup");
598 II_strndup = &Ctx.Idents.get("strndup");
599 II_wcsdup = &Ctx.Idents.get("wcsdup");
600 II_kmalloc = &Ctx.Idents.get("kmalloc");
601 II_if_nameindex = &Ctx.Idents.get("if_nameindex");
602 II_if_freenameindex = &Ctx.Idents.get("if_freenameindex");
603
604 //MSVC uses `_`-prefixed instead, so we check for them too.
605 II_win_strdup = &Ctx.Idents.get("_strdup");
606 II_win_wcsdup = &Ctx.Idents.get("_wcsdup");
607 II_win_alloca = &Ctx.Idents.get("_alloca");
608
609 // Glib
610 II_g_malloc = &Ctx.Idents.get("g_malloc");
611 II_g_malloc0 = &Ctx.Idents.get("g_malloc0");
612 II_g_realloc = &Ctx.Idents.get("g_realloc");
613 II_g_try_malloc = &Ctx.Idents.get("g_try_malloc");
614 II_g_try_malloc0 = &Ctx.Idents.get("g_try_malloc0");
615 II_g_try_realloc = &Ctx.Idents.get("g_try_realloc");
616 II_g_free = &Ctx.Idents.get("g_free");
617 II_g_memdup = &Ctx.Idents.get("g_memdup");
618 II_g_malloc_n = &Ctx.Idents.get("g_malloc_n");
619 II_g_malloc0_n = &Ctx.Idents.get("g_malloc0_n");
620 II_g_realloc_n = &Ctx.Idents.get("g_realloc_n");
621 II_g_try_malloc_n = &Ctx.Idents.get("g_try_malloc_n");
622 II_g_try_malloc0_n = &Ctx.Idents.get("g_try_malloc0_n");
623 II_g_try_realloc_n = &Ctx.Idents.get("g_try_realloc_n");
624}
625
626bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const {
627 if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any))
628 return true;
629
630 if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
631 return true;
632
633 if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any))
634 return true;
635
636 if (isStandardNewDelete(FD, C))
637 return true;
638
639 return false;
640}
641
642bool MallocChecker::isCMemFunction(const FunctionDecl *FD,
643 ASTContext &C,
644 AllocationFamily Family,
645 MemoryOperationKind MemKind) const {
646 if (!FD)
647 return false;
648
649 bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any ||
650 MemKind == MemoryOperationKind::MOK_Free);
651 bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any ||
652 MemKind == MemoryOperationKind::MOK_Allocate);
653
654 if (FD->getKind() == Decl::Function) {
655 const IdentifierInfo *FunI = FD->getIdentifier();
656 initIdentifierInfo(C);
657
658 if (Family == AF_Malloc && CheckFree) {
659 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf ||
660 FunI == II_g_free)
661 return true;
662 }
663
664 if (Family == AF_Malloc && CheckAlloc) {
665 if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf ||
666 FunI == II_calloc || FunI == II_valloc || FunI == II_strdup ||
667 FunI == II_win_strdup || FunI == II_strndup || FunI == II_wcsdup ||
668 FunI == II_win_wcsdup || FunI == II_kmalloc ||
669 FunI == II_g_malloc || FunI == II_g_malloc0 ||
670 FunI == II_g_realloc || FunI == II_g_try_malloc ||
671 FunI == II_g_try_malloc0 || FunI == II_g_try_realloc ||
672 FunI == II_g_memdup || FunI == II_g_malloc_n ||
673 FunI == II_g_malloc0_n || FunI == II_g_realloc_n ||
674 FunI == II_g_try_malloc_n || FunI == II_g_try_malloc0_n ||
675 FunI == II_g_try_realloc_n)
676 return true;
677 }
678
679 if (Family == AF_IfNameIndex && CheckFree) {
680 if (FunI == II_if_freenameindex)
681 return true;
682 }
683
684 if (Family == AF_IfNameIndex && CheckAlloc) {
685 if (FunI == II_if_nameindex)
686 return true;
687 }
688
689 if (Family == AF_Alloca && CheckAlloc) {
690 if (FunI == II_alloca || FunI == II_win_alloca)
691 return true;
692 }
693 }
694
695 if (Family != AF_Malloc)
696 return false;
697
698 if (IsOptimistic && FD->hasAttrs()) {
699 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
700 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
701 if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) {
702 if (CheckFree)
703 return true;
704 } else if (OwnKind == OwnershipAttr::Returns) {
705 if (CheckAlloc)
706 return true;
707 }
708 }
709 }
710
711 return false;
712}
713
714// Tells if the callee is one of the builtin new/delete operators, including
715// placement operators and other standard overloads.
716bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD,
717 ASTContext &C) const {
718 if (!FD)
719 return false;
720
721 OverloadedOperatorKind Kind = FD->getOverloadedOperator();
722 if (Kind != OO_New && Kind != OO_Array_New &&
723 Kind != OO_Delete && Kind != OO_Array_Delete)
724 return false;
725
726 // This is standard if and only if it's not defined in a user file.
727 SourceLocation L = FD->getLocation();
728 // If the header for operator delete is not included, it's still defined
729 // in an invalid source location. Check to make sure we don't crash.
730 return !L.isValid() || C.getSourceManager().isInSystemHeader(L);
731}
732
733llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc(
734 const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const {
735 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
736 //
737 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
738 //
739 // One of the possible flags is M_ZERO, which means 'give me back an
740 // allocation which is already zeroed', like calloc.
741
742 // 2-argument kmalloc(), as used in the Linux kernel:
743 //
744 // void *kmalloc(size_t size, gfp_t flags);
745 //
746 // Has the similar flag value __GFP_ZERO.
747
748 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
749 // code could be shared.
750
751 ASTContext &Ctx = C.getASTContext();
752 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
753
754 if (!KernelZeroFlagVal.hasValue()) {
755 if (OS == llvm::Triple::FreeBSD)
756 KernelZeroFlagVal = 0x0100;
757 else if (OS == llvm::Triple::NetBSD)
758 KernelZeroFlagVal = 0x0002;
759 else if (OS == llvm::Triple::OpenBSD)
760 KernelZeroFlagVal = 0x0008;
761 else if (OS == llvm::Triple::Linux)
762 // __GFP_ZERO
763 KernelZeroFlagVal = 0x8000;
764 else
765 // FIXME: We need a more general way of getting the M_ZERO value.
766 // See also: O_CREAT in UnixAPIChecker.cpp.
767
768 // Fall back to normal malloc behavior on platforms where we don't
769 // know M_ZERO.
770 return None;
771 }
772
773 // We treat the last argument as the flags argument, and callers fall-back to
774 // normal malloc on a None return. This works for the FreeBSD kernel malloc
775 // as well as Linux kmalloc.
776 if (CE->getNumArgs() < 2)
777 return None;
778
779 const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1);
780 const SVal V = C.getSVal(FlagsEx);
781 if (!V.getAs<NonLoc>()) {
782 // The case where 'V' can be a location can only be due to a bad header,
783 // so in this case bail out.
784 return None;
785 }
786
787 NonLoc Flags = V.castAs<NonLoc>();
788 NonLoc ZeroFlag = C.getSValBuilder()
789 .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType())
790 .castAs<NonLoc>();
791 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And,
792 Flags, ZeroFlag,
793 FlagsEx->getType());
794 if (MaskedFlagsUC.isUnknownOrUndef())
795 return None;
796 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
797
798 // Check if maskedFlags is non-zero.
799 ProgramStateRef TrueState, FalseState;
800 std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
801
802 // If M_ZERO is set, treat this like calloc (initialized).
803 if (TrueState && !FalseState) {
804 SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
805 return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState);
806 }
807
808 return None;
809}
810
811SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
812 const Expr *BlockBytes) {
813 SValBuilder &SB = C.getSValBuilder();
814 SVal BlocksVal = C.getSVal(Blocks);
815 SVal BlockBytesVal = C.getSVal(BlockBytes);
816 ProgramStateRef State = C.getState();
817 SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
818 SB.getContext().getSizeType());
819 return TotalSize;
820}
821
822void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
823 if (C.wasInlined)
824 return;
825
826 const FunctionDecl *FD = C.getCalleeDecl(CE);
827 if (!FD)
828 return;
829
830 ProgramStateRef State = C.getState();
831 bool ReleasedAllocatedMemory = false;
832
833 if (FD->getKind() == Decl::Function) {
834 initIdentifierInfo(C.getASTContext());
835 IdentifierInfo *FunI = FD->getIdentifier();
836
837 if (FunI == II_malloc || FunI == II_g_malloc || FunI == II_g_try_malloc) {
838 if (CE->getNumArgs() < 1)
839 return;
840 if (CE->getNumArgs() < 3) {
841 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
842 if (CE->getNumArgs() == 1)
843 State = ProcessZeroAllocation(C, CE, 0, State);
844 } else if (CE->getNumArgs() == 3) {
845 llvm::Optional<ProgramStateRef> MaybeState =
846 performKernelMalloc(CE, C, State);
847 if (MaybeState.hasValue())
848 State = MaybeState.getValue();
849 else
850 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
851 }
852 } else if (FunI == II_kmalloc) {
853 if (CE->getNumArgs() < 1)
854 return;
855 llvm::Optional<ProgramStateRef> MaybeState =
856 performKernelMalloc(CE, C, State);
857 if (MaybeState.hasValue())
858 State = MaybeState.getValue();
859 else
860 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
861 } else if (FunI == II_valloc) {
862 if (CE->getNumArgs() < 1)
863 return;
864 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
865 State = ProcessZeroAllocation(C, CE, 0, State);
866 } else if (FunI == II_realloc || FunI == II_g_realloc ||
867 FunI == II_g_try_realloc) {
868 State = ReallocMemAux(C, CE, false, State);
869 State = ProcessZeroAllocation(C, CE, 1, State);
870 } else if (FunI == II_reallocf) {
871 State = ReallocMemAux(C, CE, true, State);
872 State = ProcessZeroAllocation(C, CE, 1, State);
873 } else if (FunI == II_calloc) {
874 State = CallocMem(C, CE, State);
875 State = ProcessZeroAllocation(C, CE, 0, State);
876 State = ProcessZeroAllocation(C, CE, 1, State);
877 } else if (FunI == II_free || FunI == II_g_free) {
878 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
879 } else if (FunI == II_strdup || FunI == II_win_strdup ||
880 FunI == II_wcsdup || FunI == II_win_wcsdup) {
881 State = MallocUpdateRefState(C, CE, State);
882 } else if (FunI == II_strndup) {
883 State = MallocUpdateRefState(C, CE, State);
884 } else if (FunI == II_alloca || FunI == II_win_alloca) {
885 if (CE->getNumArgs() < 1)
886 return;
887 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
888 AF_Alloca);
889 State = ProcessZeroAllocation(C, CE, 0, State);
890 } else if (isStandardNewDelete(FD, C.getASTContext())) {
891 // Process direct calls to operator new/new[]/delete/delete[] functions
892 // as distinct from new/new[]/delete/delete[] expressions that are
893 // processed by the checkPostStmt callbacks for CXXNewExpr and
894 // CXXDeleteExpr.
895 OverloadedOperatorKind K = FD->getOverloadedOperator();
896 if (K == OO_New) {
897 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
898 AF_CXXNew);
899 State = ProcessZeroAllocation(C, CE, 0, State);
900 }
901 else if (K == OO_Array_New) {
902 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
903 AF_CXXNewArray);
904 State = ProcessZeroAllocation(C, CE, 0, State);
905 }
906 else if (K == OO_Delete || K == OO_Array_Delete)
907 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
908 else
909 llvm_unreachable("not a new/delete operator")::llvm::llvm_unreachable_internal("not a new/delete operator"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 909)
;
910 } else if (FunI == II_if_nameindex) {
911 // Should we model this differently? We can allocate a fixed number of
912 // elements with zeros in the last one.
913 State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
914 AF_IfNameIndex);
915 } else if (FunI == II_if_freenameindex) {
916 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
917 } else if (FunI == II_g_malloc0 || FunI == II_g_try_malloc0) {
918 if (CE->getNumArgs() < 1)
919 return;
920 SValBuilder &svalBuilder = C.getSValBuilder();
921 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
922 State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State);
923 State = ProcessZeroAllocation(C, CE, 0, State);
924 } else if (FunI == II_g_memdup) {
925 if (CE->getNumArgs() < 2)
926 return;
927 State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State);
928 State = ProcessZeroAllocation(C, CE, 1, State);
929 } else if (FunI == II_g_malloc_n || FunI == II_g_try_malloc_n ||
930 FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
931 if (CE->getNumArgs() < 2)
932 return;
933 SVal Init = UndefinedVal();
934 if (FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
935 SValBuilder &SB = C.getSValBuilder();
936 Init = SB.makeZeroVal(SB.getContext().CharTy);
937 }
938 SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
939 State = MallocMemAux(C, CE, TotalSize, Init, State);
940 State = ProcessZeroAllocation(C, CE, 0, State);
941 State = ProcessZeroAllocation(C, CE, 1, State);
942 } else if (FunI == II_g_realloc_n || FunI == II_g_try_realloc_n) {
943 if (CE->getNumArgs() < 3)
944 return;
945 State = ReallocMemAux(C, CE, false, State, true);
946 State = ProcessZeroAllocation(C, CE, 1, State);
947 State = ProcessZeroAllocation(C, CE, 2, State);
948 }
949 }
950
951 if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
952 // Check all the attributes, if there are any.
953 // There can be multiple of these attributes.
954 if (FD->hasAttrs())
955 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
956 switch (I->getOwnKind()) {
957 case OwnershipAttr::Returns:
958 State = MallocMemReturnsAttr(C, CE, I, State);
959 break;
960 case OwnershipAttr::Takes:
961 case OwnershipAttr::Holds:
962 State = FreeMemAttr(C, CE, I, State);
963 break;
964 }
965 }
966 }
967 C.addTransition(State);
968}
969
970// Performs a 0-sized allocations check.
971ProgramStateRef MallocChecker::ProcessZeroAllocation(
972 CheckerContext &C, const Expr *E, const unsigned AllocationSizeArg,
973 ProgramStateRef State, Optional<SVal> RetVal) const {
974 if (!State)
975 return nullptr;
976
977 if (!RetVal)
978 RetVal = C.getSVal(E);
979
980 const Expr *Arg = nullptr;
981
982 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
983 Arg = CE->getArg(AllocationSizeArg);
984 }
985 else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
986 if (NE->isArray())
987 Arg = *NE->getArraySize();
988 else
989 return State;
990 }
991 else
992 llvm_unreachable("not a CallExpr or CXXNewExpr")::llvm::llvm_unreachable_internal("not a CallExpr or CXXNewExpr"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 992)
;
993
994 assert(Arg)((Arg) ? static_cast<void> (0) : __assert_fail ("Arg", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 994, __PRETTY_FUNCTION__))
;
995
996 Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>();
997
998 if (!DefArgVal)
999 return State;
1000
1001 // Check if the allocation size is 0.
1002 ProgramStateRef TrueState, FalseState;
1003 SValBuilder &SvalBuilder = C.getSValBuilder();
1004 DefinedSVal Zero =
1005 SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
1006
1007 std::tie(TrueState, FalseState) =
1008 State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1009
1010 if (TrueState && !FalseState) {
1011 SymbolRef Sym = RetVal->getAsLocSymbol();
1012 if (!Sym)
1013 return State;
1014
1015 const RefState *RS = State->get<RegionState>(Sym);
1016 if (RS) {
1017 if (RS->isAllocated())
1018 return TrueState->set<RegionState>(Sym,
1019 RefState::getAllocatedOfSizeZero(RS));
1020 else
1021 return State;
1022 } else {
1023 // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1024 // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1025 // tracked. Add zero-reallocated Sym to the state to catch references
1026 // to zero-allocated memory.
1027 return TrueState->add<ReallocSizeZeroSymbols>(Sym);
1028 }
1029 }
1030
1031 // Assume the value is non-zero going forward.
1032 assert(FalseState)((FalseState) ? static_cast<void> (0) : __assert_fail (
"FalseState", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1032, __PRETTY_FUNCTION__))
;
1033 return FalseState;
1034}
1035
1036static QualType getDeepPointeeType(QualType T) {
1037 QualType Result = T, PointeeType = T->getPointeeType();
1038 while (!PointeeType.isNull()) {
1039 Result = PointeeType;
1040 PointeeType = PointeeType->getPointeeType();
1041 }
1042 return Result;
1043}
1044
1045static bool treatUnusedNewEscaped(const CXXNewExpr *NE) {
1046
1047 const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1048 if (!ConstructE)
1049 return false;
1050
1051 if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1052 return false;
1053
1054 const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1055
1056 // Iterate over the constructor parameters.
1057 for (const auto *CtorParam : CtorD->parameters()) {
1058
1059 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1060 if (CtorParamPointeeT.isNull())
1061 continue;
1062
1063 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1064
1065 if (CtorParamPointeeT->getAsCXXRecordDecl())
1066 return true;
1067 }
1068
1069 return false;
1070}
1071
1072void MallocChecker::processNewAllocation(const CXXNewExpr *NE,
1073 CheckerContext &C,
1074 SVal Target) const {
1075 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext()))
1076 return;
1077
1078 ParentMap &PM = C.getLocationContext()->getParentMap();
1079 if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE))
1080 return;
1081
1082 ProgramStateRef State = C.getState();
1083 // The return value from operator new is bound to a specified initialization
1084 // value (if any) and we don't want to loose this value. So we call
1085 // MallocUpdateRefState() instead of MallocMemAux() which breaks the
1086 // existing binding.
1087 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray
1088 : AF_CXXNew, Target);
1089 State = addExtentSize(C, NE, State, Target);
1090 State = ProcessZeroAllocation(C, NE, 0, State, Target);
1091 C.addTransition(State);
1092}
1093
1094void MallocChecker::checkPostStmt(const CXXNewExpr *NE,
1095 CheckerContext &C) const {
1096 if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator)
1097 processNewAllocation(NE, C, C.getSVal(NE));
1098}
1099
1100void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target,
1101 CheckerContext &C) const {
1102 if (!C.wasInlined)
1103 processNewAllocation(NE, C, Target);
1104}
1105
1106// Sets the extent value of the MemRegion allocated by
1107// new expression NE to its size in Bytes.
1108//
1109ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
1110 const CXXNewExpr *NE,
1111 ProgramStateRef State,
1112 SVal Target) {
1113 if (!State)
1114 return nullptr;
1115 SValBuilder &svalBuilder = C.getSValBuilder();
1116 SVal ElementCount;
1117 const SubRegion *Region;
1118 if (NE->isArray()) {
1119 const Expr *SizeExpr = *NE->getArraySize();
1120 ElementCount = C.getSVal(SizeExpr);
1121 // Store the extent size for the (symbolic)region
1122 // containing the elements.
1123 Region = Target.getAsRegion()
1124 ->getAs<SubRegion>()
1125 ->StripCasts()
1126 ->getAs<SubRegion>();
1127 } else {
1128 ElementCount = svalBuilder.makeIntVal(1, true);
1129 Region = Target.getAsRegion()->getAs<SubRegion>();
1130 }
1131 assert(Region)((Region) ? static_cast<void> (0) : __assert_fail ("Region"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1131, __PRETTY_FUNCTION__))
;
1132
1133 // Set the region's extent equal to the Size in Bytes.
1134 QualType ElementType = NE->getAllocatedType();
1135 ASTContext &AstContext = C.getASTContext();
1136 CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType);
1137
1138 if (ElementCount.getAs<NonLoc>()) {
1139 DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder);
1140 // size in Bytes = ElementCount*TypeSize
1141 SVal SizeInBytes = svalBuilder.evalBinOpNN(
1142 State, BO_Mul, ElementCount.castAs<NonLoc>(),
1143 svalBuilder.makeArrayIndex(TypeSize.getQuantity()),
1144 svalBuilder.getArrayIndexType());
1145 DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ(
1146 State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>());
1147 State = State->assume(extentMatchesSize, true);
1148 }
1149 return State;
1150}
1151
1152void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
1153 CheckerContext &C) const {
1154
1155 if (!ChecksEnabled[CK_NewDeleteChecker])
1156 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
1157 checkUseAfterFree(Sym, C, DE->getArgument());
1158
1159 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext()))
1160 return;
1161
1162 ProgramStateRef State = C.getState();
1163 bool ReleasedAllocated;
1164 State = FreeMemAux(C, DE->getArgument(), DE, State,
1165 /*Hold*/false, ReleasedAllocated);
1166
1167 C.addTransition(State);
1168}
1169
1170static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
1171 // If the first selector piece is one of the names below, assume that the
1172 // object takes ownership of the memory, promising to eventually deallocate it
1173 // with free().
1174 // Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1175 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1176 StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
1177 return FirstSlot == "dataWithBytesNoCopy" ||
1178 FirstSlot == "initWithBytesNoCopy" ||
1179 FirstSlot == "initWithCharactersNoCopy";
1180}
1181
1182static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) {
1183 Selector S = Call.getSelector();
1184
1185 // FIXME: We should not rely on fully-constrained symbols being folded.
1186 for (unsigned i = 1; i < S.getNumArgs(); ++i)
1187 if (S.getNameForSlot(i).equals("freeWhenDone"))
1188 return !Call.getArgSVal(i).isZeroConstant();
1189
1190 return None;
1191}
1192
1193void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1194 CheckerContext &C) const {
1195 if (C.wasInlined)
1196 return;
1197
1198 if (!isKnownDeallocObjCMethodName(Call))
1199 return;
1200
1201 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1202 if (!*FreeWhenDone)
1203 return;
1204
1205 bool ReleasedAllocatedMemory;
1206 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0),
1207 Call.getOriginExpr(), C.getState(),
1208 /*Hold=*/true, ReleasedAllocatedMemory,
1209 /*RetNullOnFailure=*/true);
1210
1211 C.addTransition(State);
1212}
1213
1214ProgramStateRef
1215MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
1216 const OwnershipAttr *Att,
1217 ProgramStateRef State) const {
1218 if (!State)
1219 return nullptr;
1220
1221 if (Att->getModule() != II_malloc)
1222 return nullptr;
1223
1224 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
1225 if (I != E) {
1226 return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(),
1227 State);
1228 }
1229 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State);
1230}
1231
1232ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1233 const CallExpr *CE,
1234 const Expr *SizeEx, SVal Init,
1235 ProgramStateRef State,
1236 AllocationFamily Family) {
1237 if (!State)
1238 return nullptr;
1239
1240 return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family);
1241}
1242
1243ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1244 const CallExpr *CE,
1245 SVal Size, SVal Init,
1246 ProgramStateRef State,
1247 AllocationFamily Family) {
1248 if (!State)
1249 return nullptr;
1250
1251 // We expect the malloc functions to return a pointer.
1252 if (!Loc::isLocType(CE->getType()))
1253 return nullptr;
1254
1255 // Bind the return value to the symbolic value from the heap region.
1256 // TODO: We could rewrite post visit to eval call; 'malloc' does not have
1257 // side effects other than what we model here.
1258 unsigned Count = C.blockCount();
1259 SValBuilder &svalBuilder = C.getSValBuilder();
1260 const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1261 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
1262 .castAs<DefinedSVal>();
1263 State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1264
1265 // Fill the region with the initialization value.
1266 State = State->bindDefaultInitial(RetVal, Init, LCtx);
1267
1268 // Set the region's extent equal to the Size parameter.
1269 const SymbolicRegion *R =
1270 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
1271 if (!R)
1272 return nullptr;
1273 if (Optional<DefinedOrUnknownSVal> DefinedSize =
1274 Size.getAs<DefinedOrUnknownSVal>()) {
1275 SValBuilder &svalBuilder = C.getSValBuilder();
1276 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
1277 DefinedOrUnknownSVal extentMatchesSize =
1278 svalBuilder.evalEQ(State, Extent, *DefinedSize);
1279
1280 State = State->assume(extentMatchesSize, true);
1281 assert(State)((State) ? static_cast<void> (0) : __assert_fail ("State"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1281, __PRETTY_FUNCTION__))
;
1282 }
1283
1284 return MallocUpdateRefState(C, CE, State, Family);
1285}
1286
1287ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
1288 const Expr *E,
1289 ProgramStateRef State,
1290 AllocationFamily Family,
1291 Optional<SVal> RetVal) {
1292 if (!State)
1293 return nullptr;
1294
1295 // Get the return value.
1296 if (!RetVal)
1297 RetVal = C.getSVal(E);
1298
1299 // We expect the malloc functions to return a pointer.
1300 if (!RetVal->getAs<Loc>())
1301 return nullptr;
1302
1303 SymbolRef Sym = RetVal->getAsLocSymbol();
1304 // This is a return value of a function that was not inlined, such as malloc()
1305 // or new(). We've checked that in the caller. Therefore, it must be a symbol.
1306 assert(Sym)((Sym) ? static_cast<void> (0) : __assert_fail ("Sym", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1306, __PRETTY_FUNCTION__))
;
1307
1308 // Set the symbol's state to Allocated.
1309 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1310}
1311
1312ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1313 const CallExpr *CE,
1314 const OwnershipAttr *Att,
1315 ProgramStateRef State) const {
1316 if (!State)
1317 return nullptr;
1318
1319 if (Att->getModule() != II_malloc)
1320 return nullptr;
1321
1322 bool ReleasedAllocated = false;
1323
1324 for (const auto &Arg : Att->args()) {
1325 ProgramStateRef StateI = FreeMemAux(
1326 C, CE, State, Arg.getASTIndex(),
1327 Att->getOwnKind() == OwnershipAttr::Holds, ReleasedAllocated);
1328 if (StateI)
1329 State = StateI;
1330 }
1331 return State;
1332}
1333
1334ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1335 const CallExpr *CE,
1336 ProgramStateRef State,
1337 unsigned Num,
1338 bool Hold,
1339 bool &ReleasedAllocated,
1340 bool ReturnsNullOnFailure) const {
1341 if (!State)
1342 return nullptr;
1343
1344 if (CE->getNumArgs() < (Num + 1))
1345 return nullptr;
1346
1347 return FreeMemAux(C, CE->getArg(Num), CE, State, Hold,
1348 ReleasedAllocated, ReturnsNullOnFailure);
1349}
1350
1351/// Checks if the previous call to free on the given symbol failed - if free
1352/// failed, returns true. Also, returns the corresponding return value symbol.
1353static bool didPreviousFreeFail(ProgramStateRef State,
1354 SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1355 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
1356 if (Ret) {
1357 assert(*Ret && "We should not store the null return symbol")((*Ret && "We should not store the null return symbol"
) ? static_cast<void> (0) : __assert_fail ("*Ret && \"We should not store the null return symbol\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1357, __PRETTY_FUNCTION__))
;
1358 ConstraintManager &CMgr = State->getConstraintManager();
1359 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
1360 RetStatusSymbol = *Ret;
1361 return FreeFailed.isConstrainedTrue();
1362 }
1363 return false;
1364}
1365
1366AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C,
1367 const Stmt *S) const {
1368 if (!S)
1369 return AF_None;
1370
1371 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
1372 const FunctionDecl *FD = C.getCalleeDecl(CE);
1373
1374 if (!FD)
1375 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl());
1376
1377 ASTContext &Ctx = C.getASTContext();
1378
1379 if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any))
1380 return AF_Malloc;
1381
1382 if (isStandardNewDelete(FD, Ctx)) {
1383 OverloadedOperatorKind Kind = FD->getOverloadedOperator();
1384 if (Kind == OO_New || Kind == OO_Delete)
1385 return AF_CXXNew;
1386 else if (Kind == OO_Array_New || Kind == OO_Array_Delete)
1387 return AF_CXXNewArray;
1388 }
1389
1390 if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
1391 return AF_IfNameIndex;
1392
1393 if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any))
1394 return AF_Alloca;
1395
1396 return AF_None;
1397 }
1398
1399 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S))
1400 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew;
1401
1402 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S))
1403 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew;
1404
1405 if (isa<ObjCMessageExpr>(S))
1406 return AF_Malloc;
1407
1408 return AF_None;
1409}
1410
1411bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C,
1412 const Expr *E) const {
1413 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
1414 // FIXME: This doesn't handle indirect calls.
1415 const FunctionDecl *FD = CE->getDirectCallee();
1416 if (!FD)
1417 return false;
1418
1419 os << *FD;
1420 if (!FD->isOverloadedOperator())
1421 os << "()";
1422 return true;
1423 }
1424
1425 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) {
1426 if (Msg->isInstanceMessage())
1427 os << "-";
1428 else
1429 os << "+";
1430 Msg->getSelector().print(os);
1431 return true;
1432 }
1433
1434 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
1435 os << "'"
1436 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator())
1437 << "'";
1438 return true;
1439 }
1440
1441 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) {
1442 os << "'"
1443 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator())
1444 << "'";
1445 return true;
1446 }
1447
1448 return false;
1449}
1450
1451void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C,
1452 const Expr *E) const {
1453 AllocationFamily Family = getAllocationFamily(C, E);
1454
1455 switch(Family) {
1456 case AF_Malloc: os << "malloc()"; return;
1457 case AF_CXXNew: os << "'new'"; return;
1458 case AF_CXXNewArray: os << "'new[]'"; return;
1459 case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1460 case AF_InnerBuffer: os << "container-specific allocator"; return;
1461 case AF_Alloca:
1462 case AF_None: llvm_unreachable("not a deallocation expression")::llvm::llvm_unreachable_internal("not a deallocation expression"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1462)
;
1463 }
1464}
1465
1466void MallocChecker::printExpectedDeallocName(raw_ostream &os,
1467 AllocationFamily Family) const {
1468 switch(Family) {
1469 case AF_Malloc: os << "free()"; return;
1470 case AF_CXXNew: os << "'delete'"; return;
1471 case AF_CXXNewArray: os << "'delete[]'"; return;
1472 case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1473 case AF_InnerBuffer: os << "container-specific deallocator"; return;
1474 case AF_Alloca:
1475 case AF_None: llvm_unreachable("suspicious argument")::llvm::llvm_unreachable_internal("suspicious argument", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1475)
;
1476 }
1477}
1478
1479ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1480 const Expr *ArgExpr,
1481 const Expr *ParentExpr,
1482 ProgramStateRef State,
1483 bool Hold,
1484 bool &ReleasedAllocated,
1485 bool ReturnsNullOnFailure) const {
1486
1487 if (!State)
1488 return nullptr;
1489
1490 SVal ArgVal = C.getSVal(ArgExpr);
1491 if (!ArgVal.getAs<DefinedOrUnknownSVal>())
1492 return nullptr;
1493 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1494
1495 // Check for null dereferences.
1496 if (!location.getAs<Loc>())
1497 return nullptr;
1498
1499 // The explicit NULL case, no operation is performed.
1500 ProgramStateRef notNullState, nullState;
1501 std::tie(notNullState, nullState) = State->assume(location);
1502 if (nullState && !notNullState)
1503 return nullptr;
1504
1505 // Unknown values could easily be okay
1506 // Undefined values are handled elsewhere
1507 if (ArgVal.isUnknownOrUndef())
1508 return nullptr;
1509
1510 const MemRegion *R = ArgVal.getAsRegion();
1511
1512 // Nonlocs can't be freed, of course.
1513 // Non-region locations (labels and fixed addresses) also shouldn't be freed.
1514 if (!R) {
1515 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1516 return nullptr;
1517 }
1518
1519 R = R->StripCasts();
1520
1521 // Blocks might show up as heap data, but should not be free()d
1522 if (isa<BlockDataRegion>(R)) {
1523 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1524 return nullptr;
1525 }
1526
1527 const MemSpaceRegion *MS = R->getMemorySpace();
1528
1529 // Parameters, locals, statics, globals, and memory returned by
1530 // __builtin_alloca() shouldn't be freed.
1531 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {
1532 // FIXME: at the time this code was written, malloc() regions were
1533 // represented by conjured symbols, which are all in UnknownSpaceRegion.
1534 // This means that there isn't actually anything from HeapSpaceRegion
1535 // that should be freed, even though we allow it here.
1536 // Of course, free() can work on memory allocated outside the current
1537 // function, so UnknownSpaceRegion is always a possibility.
1538 // False negatives are better than false positives.
1539
1540 if (isa<AllocaRegion>(R))
1541 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1542 else
1543 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1544
1545 return nullptr;
1546 }
1547
1548 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
1549 // Various cases could lead to non-symbol values here.
1550 // For now, ignore them.
1551 if (!SrBase)
1552 return nullptr;
1553
1554 SymbolRef SymBase = SrBase->getSymbol();
1555 const RefState *RsBase = State->get<RegionState>(SymBase);
1556 SymbolRef PreviousRetStatusSymbol = nullptr;
1557
1558 if (RsBase) {
1559
1560 // Memory returned by alloca() shouldn't be freed.
1561 if (RsBase->getAllocationFamily() == AF_Alloca) {
1562 ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1563 return nullptr;
1564 }
1565
1566 // Check for double free first.
1567 if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
1568 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
1569 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
1570 SymBase, PreviousRetStatusSymbol);
1571 return nullptr;
1572
1573 // If the pointer is allocated or escaped, but we are now trying to free it,
1574 // check that the call to free is proper.
1575 } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
1576 RsBase->isEscaped()) {
1577
1578 // Check if an expected deallocation function matches the real one.
1579 bool DeallocMatchesAlloc =
1580 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr);
1581 if (!DeallocMatchesAlloc) {
1582 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
1583 ParentExpr, RsBase, SymBase, Hold);
1584 return nullptr;
1585 }
1586
1587 // Check if the memory location being freed is the actual location
1588 // allocated, or an offset.
1589 RegionOffset Offset = R->getAsOffset();
1590 if (Offset.isValid() &&
1591 !Offset.hasSymbolicOffset() &&
1592 Offset.getOffset() != 0) {
1593 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
1594 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1595 AllocExpr);
1596 return nullptr;
1597 }
1598 }
1599 }
1600
1601 if (SymBase->getType()->isFunctionPointerType()) {
1602 ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1603 return nullptr;
1604 }
1605
1606 ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() ||
1607 RsBase->isAllocatedOfSizeZero());
1608
1609 // Clean out the info on previous call to free return info.
1610 State = State->remove<FreeReturnValue>(SymBase);
1611
1612 // Keep track of the return value. If it is NULL, we will know that free
1613 // failed.
1614 if (ReturnsNullOnFailure) {
1615 SVal RetVal = C.getSVal(ParentExpr);
1616 SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
1617 if (RetStatusSymbol) {
1618 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
1619 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
1620 }
1621 }
1622
1623 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily()
1624 : getAllocationFamily(C, ParentExpr);
1625 // Normal free.
1626 if (Hold)
1627 return State->set<RegionState>(SymBase,
1628 RefState::getRelinquished(Family,
1629 ParentExpr));
1630
1631 return State->set<RegionState>(SymBase,
1632 RefState::getReleased(Family, ParentExpr));
1633}
1634
1635Optional<MallocChecker::CheckKind>
1636MallocChecker::getCheckIfTracked(AllocationFamily Family,
1637 bool IsALeakCheck) const {
1638 switch (Family) {
1639 case AF_Malloc:
1640 case AF_Alloca:
1641 case AF_IfNameIndex: {
1642 if (ChecksEnabled[CK_MallocChecker])
1643 return CK_MallocChecker;
1644 return None;
1645 }
1646 case AF_CXXNew:
1647 case AF_CXXNewArray: {
1648 if (IsALeakCheck) {
1649 if (ChecksEnabled[CK_NewDeleteLeaksChecker])
1650 return CK_NewDeleteLeaksChecker;
1651 }
1652 else {
1653 if (ChecksEnabled[CK_NewDeleteChecker])
1654 return CK_NewDeleteChecker;
1655 }
1656 return None;
1657 }
1658 case AF_InnerBuffer: {
1659 if (ChecksEnabled[CK_InnerPointerChecker])
1660 return CK_InnerPointerChecker;
1661 return None;
1662 }
1663 case AF_None: {
1664 llvm_unreachable("no family")::llvm::llvm_unreachable_internal("no family", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1664)
;
1665 }
1666 }
1667 llvm_unreachable("unhandled family")::llvm::llvm_unreachable_internal("unhandled family", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1667)
;
1668}
1669
1670Optional<MallocChecker::CheckKind>
1671MallocChecker::getCheckIfTracked(CheckerContext &C,
1672 const Stmt *AllocDeallocStmt,
1673 bool IsALeakCheck) const {
1674 return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt),
1675 IsALeakCheck);
1676}
1677
1678Optional<MallocChecker::CheckKind>
1679MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
1680 bool IsALeakCheck) const {
1681 if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
1682 return CK_MallocChecker;
1683
1684 const RefState *RS = C.getState()->get<RegionState>(Sym);
1685 assert(RS)((RS) ? static_cast<void> (0) : __assert_fail ("RS", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1685, __PRETTY_FUNCTION__))
;
1686 return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
1687}
1688
1689bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
1690 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
1691 os << "an integer (" << IntVal->getValue() << ")";
1692 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
1693 os << "a constant address (" << ConstAddr->getValue() << ")";
1694 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
1695 os << "the address of the label '" << Label->getLabel()->getName() << "'";
1696 else
1697 return false;
1698
1699 return true;
1700}
1701
1702bool MallocChecker::SummarizeRegion(raw_ostream &os,
1703 const MemRegion *MR) {
1704 switch (MR->getKind()) {
1705 case MemRegion::FunctionCodeRegionKind: {
1706 const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
1707 if (FD)
1708 os << "the address of the function '" << *FD << '\'';
1709 else
1710 os << "the address of a function";
1711 return true;
1712 }
1713 case MemRegion::BlockCodeRegionKind:
1714 os << "block text";
1715 return true;
1716 case MemRegion::BlockDataRegionKind:
1717 // FIXME: where the block came from?
1718 os << "a block";
1719 return true;
1720 default: {
1721 const MemSpaceRegion *MS = MR->getMemorySpace();
1722
1723 if (isa<StackLocalsSpaceRegion>(MS)) {
1724 const VarRegion *VR = dyn_cast<VarRegion>(MR);
1725 const VarDecl *VD;
1726 if (VR)
1727 VD = VR->getDecl();
1728 else
1729 VD = nullptr;
1730
1731 if (VD)
1732 os << "the address of the local variable '" << VD->getName() << "'";
1733 else
1734 os << "the address of a local stack variable";
1735 return true;
1736 }
1737
1738 if (isa<StackArgumentsSpaceRegion>(MS)) {
1739 const VarRegion *VR = dyn_cast<VarRegion>(MR);
1740 const VarDecl *VD;
1741 if (VR)
1742 VD = VR->getDecl();
1743 else
1744 VD = nullptr;
1745
1746 if (VD)
1747 os << "the address of the parameter '" << VD->getName() << "'";
1748 else
1749 os << "the address of a parameter";
1750 return true;
1751 }
1752
1753 if (isa<GlobalsSpaceRegion>(MS)) {
1754 const VarRegion *VR = dyn_cast<VarRegion>(MR);
1755 const VarDecl *VD;
1756 if (VR)
1757 VD = VR->getDecl();
1758 else
1759 VD = nullptr;
1760
1761 if (VD) {
1762 if (VD->isStaticLocal())
1763 os << "the address of the static variable '" << VD->getName() << "'";
1764 else
1765 os << "the address of the global variable '" << VD->getName() << "'";
1766 } else
1767 os << "the address of a global variable";
1768 return true;
1769 }
1770
1771 return false;
1772 }
1773 }
1774}
1775
1776void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
1777 SourceRange Range,
1778 const Expr *DeallocExpr) const {
1779
1780 if (!ChecksEnabled[CK_MallocChecker] &&
1781 !ChecksEnabled[CK_NewDeleteChecker])
1782 return;
1783
1784 Optional<MallocChecker::CheckKind> CheckKind =
1785 getCheckIfTracked(C, DeallocExpr);
1786 if (!CheckKind.hasValue())
1787 return;
1788
1789 if (ExplodedNode *N = C.generateErrorNode()) {
1790 if (!BT_BadFree[*CheckKind])
1791 BT_BadFree[*CheckKind].reset(new BugType(
1792 CheckNames[*CheckKind], "Bad free", categories::MemoryError));
1793
1794 SmallString<100> buf;
1795 llvm::raw_svector_ostream os(buf);
1796
1797 const MemRegion *MR = ArgVal.getAsRegion();
1798 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
1799 MR = ER->getSuperRegion();
1800
1801 os << "Argument to ";
1802 if (!printAllocDeallocName(os, C, DeallocExpr))
1803 os << "deallocator";
1804
1805 os << " is ";
1806 bool Summarized = MR ? SummarizeRegion(os, MR)
1807 : SummarizeValue(os, ArgVal);
1808 if (Summarized)
1809 os << ", which is not memory allocated by ";
1810 else
1811 os << "not memory allocated by ";
1812
1813 printExpectedAllocName(os, C, DeallocExpr);
1814
1815 auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], os.str(), N);
1816 R->markInteresting(MR);
1817 R->addRange(Range);
1818 C.emitReport(std::move(R));
1819 }
1820}
1821
1822void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
1823 SourceRange Range) const {
1824
1825 Optional<MallocChecker::CheckKind> CheckKind;
1826
1827 if (ChecksEnabled[CK_MallocChecker])
1828 CheckKind = CK_MallocChecker;
1829 else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
1830 CheckKind = CK_MismatchedDeallocatorChecker;
1831 else
1832 return;
1833
1834 if (ExplodedNode *N = C.generateErrorNode()) {
1835 if (!BT_FreeAlloca[*CheckKind])
1836 BT_FreeAlloca[*CheckKind].reset(new BugType(
1837 CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
1838
1839 auto R = llvm::make_unique<BugReport>(
1840 *BT_FreeAlloca[*CheckKind],
1841 "Memory allocated by alloca() should not be deallocated", N);
1842 R->markInteresting(ArgVal.getAsRegion());
1843 R->addRange(Range);
1844 C.emitReport(std::move(R));
1845 }
1846}
1847
1848void MallocChecker::ReportMismatchedDealloc(CheckerContext &C,
1849 SourceRange Range,
1850 const Expr *DeallocExpr,
1851 const RefState *RS,
1852 SymbolRef Sym,
1853 bool OwnershipTransferred) const {
1854
1855 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker])
1856 return;
1857
1858 if (ExplodedNode *N = C.generateErrorNode()) {
1859 if (!BT_MismatchedDealloc)
1860 BT_MismatchedDealloc.reset(
1861 new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
1862 "Bad deallocator", categories::MemoryError));
1863
1864 SmallString<100> buf;
1865 llvm::raw_svector_ostream os(buf);
1866
1867 const Expr *AllocExpr = cast<Expr>(RS->getStmt());
1868 SmallString<20> AllocBuf;
1869 llvm::raw_svector_ostream AllocOs(AllocBuf);
1870 SmallString<20> DeallocBuf;
1871 llvm::raw_svector_ostream DeallocOs(DeallocBuf);
1872
1873 if (OwnershipTransferred) {
1874 if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1875 os << DeallocOs.str() << " cannot";
1876 else
1877 os << "Cannot";
1878
1879 os << " take ownership of memory";
1880
1881 if (printAllocDeallocName(AllocOs, C, AllocExpr))
1882 os << " allocated by " << AllocOs.str();
1883 } else {
1884 os << "Memory";
1885 if (printAllocDeallocName(AllocOs, C, AllocExpr))
1886 os << " allocated by " << AllocOs.str();
1887
1888 os << " should be deallocated by ";
1889 printExpectedDeallocName(os, RS->getAllocationFamily());
1890
1891 if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1892 os << ", not " << DeallocOs.str();
1893 }
1894
1895 auto R = llvm::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N);
1896 R->markInteresting(Sym);
1897 R->addRange(Range);
1898 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1899 C.emitReport(std::move(R));
1900 }
1901}
1902
1903void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
1904 SourceRange Range, const Expr *DeallocExpr,
1905 const Expr *AllocExpr) const {
1906
1907
1908 if (!ChecksEnabled[CK_MallocChecker] &&
1909 !ChecksEnabled[CK_NewDeleteChecker])
1910 return;
1911
1912 Optional<MallocChecker::CheckKind> CheckKind =
1913 getCheckIfTracked(C, AllocExpr);
1914 if (!CheckKind.hasValue())
1915 return;
1916
1917 ExplodedNode *N = C.generateErrorNode();
1918 if (!N)
1919 return;
1920
1921 if (!BT_OffsetFree[*CheckKind])
1922 BT_OffsetFree[*CheckKind].reset(new BugType(
1923 CheckNames[*CheckKind], "Offset free", categories::MemoryError));
1924
1925 SmallString<100> buf;
1926 llvm::raw_svector_ostream os(buf);
1927 SmallString<20> AllocNameBuf;
1928 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
1929
1930 const MemRegion *MR = ArgVal.getAsRegion();
1931 assert(MR && "Only MemRegion based symbols can have offset free errors")((MR && "Only MemRegion based symbols can have offset free errors"
) ? static_cast<void> (0) : __assert_fail ("MR && \"Only MemRegion based symbols can have offset free errors\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1931, __PRETTY_FUNCTION__))
;
1932
1933 RegionOffset Offset = MR->getAsOffset();
1934 assert((Offset.isValid() &&(((Offset.isValid() && !Offset.hasSymbolicOffset() &&
Offset.getOffset() != 0) && "Only symbols with a valid offset can have offset free errors"
) ? static_cast<void> (0) : __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1937, __PRETTY_FUNCTION__))
1935 !Offset.hasSymbolicOffset() &&(((Offset.isValid() && !Offset.hasSymbolicOffset() &&
Offset.getOffset() != 0) && "Only symbols with a valid offset can have offset free errors"
) ? static_cast<void> (0) : __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1937, __PRETTY_FUNCTION__))
1936 Offset.getOffset() != 0) &&(((Offset.isValid() && !Offset.hasSymbolicOffset() &&
Offset.getOffset() != 0) && "Only symbols with a valid offset can have offset free errors"
) ? static_cast<void> (0) : __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1937, __PRETTY_FUNCTION__))
1937 "Only symbols with a valid offset can have offset free errors")(((Offset.isValid() && !Offset.hasSymbolicOffset() &&
Offset.getOffset() != 0) && "Only symbols with a valid offset can have offset free errors"
) ? static_cast<void> (0) : __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 1937, __PRETTY_FUNCTION__))
;
1938
1939 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
1940
1941 os << "Argument to ";
1942 if (!printAllocDeallocName(os, C, DeallocExpr))
1943 os << "deallocator";
1944 os << " is offset by "
1945 << offsetBytes
1946 << " "
1947 << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
1948 << " from the start of ";
1949 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr))
1950 os << "memory allocated by " << AllocNameOs.str();
1951 else
1952 os << "allocated memory";
1953
1954 auto R = llvm::make_unique<BugReport>(*BT_OffsetFree[*CheckKind], os.str(), N);
1955 R->markInteresting(MR->getBaseRegion());
1956 R->addRange(Range);
1957 C.emitReport(std::move(R));
1958}
1959
1960void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range,
1961 SymbolRef Sym) const {
1962
1963 if (!ChecksEnabled[CK_MallocChecker] &&
1964 !ChecksEnabled[CK_NewDeleteChecker] &&
1965 !ChecksEnabled[CK_InnerPointerChecker])
1966 return;
1967
1968 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
1969 if (!CheckKind.hasValue())
1970 return;
1971
1972 if (ExplodedNode *N = C.generateErrorNode()) {
1973 if (!BT_UseFree[*CheckKind])
1974 BT_UseFree[*CheckKind].reset(new BugType(
1975 CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
1976
1977 AllocationFamily AF =
1978 C.getState()->get<RegionState>(Sym)->getAllocationFamily();
1979
1980 auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind],
1981 AF == AF_InnerBuffer
1982 ? "Inner pointer of container used after re/deallocation"
1983 : "Use of memory after it is freed",
1984 N);
1985
1986 R->markInteresting(Sym);
1987 R->addRange(Range);
1988 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1989
1990 if (AF == AF_InnerBuffer)
1991 R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym));
1992
1993 C.emitReport(std::move(R));
1994 }
1995}
1996
1997void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range,
1998 bool Released, SymbolRef Sym,
1999 SymbolRef PrevSym) const {
2000
2001 if (!ChecksEnabled[CK_MallocChecker] &&
2002 !ChecksEnabled[CK_NewDeleteChecker])
2003 return;
2004
2005 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2006 if (!CheckKind.hasValue())
2007 return;
2008
2009 if (ExplodedNode *N = C.generateErrorNode()) {
2010 if (!BT_DoubleFree[*CheckKind])
2011 BT_DoubleFree[*CheckKind].reset(new BugType(
2012 CheckNames[*CheckKind], "Double free", categories::MemoryError));
2013
2014 auto R = llvm::make_unique<BugReport>(
2015 *BT_DoubleFree[*CheckKind],
2016 (Released ? "Attempt to free released memory"
2017 : "Attempt to free non-owned memory"),
2018 N);
2019 R->addRange(Range);
2020 R->markInteresting(Sym);
2021 if (PrevSym)
2022 R->markInteresting(PrevSym);
2023 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2024 C.emitReport(std::move(R));
2025 }
2026}
2027
2028void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2029
2030 if (!ChecksEnabled[CK_NewDeleteChecker])
2031 return;
2032
2033 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2034 if (!CheckKind.hasValue())
2035 return;
2036
2037 if (ExplodedNode *N = C.generateErrorNode()) {
2038 if (!BT_DoubleDelete)
2039 BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
2040 "Double delete",
2041 categories::MemoryError));
2042
2043 auto R = llvm::make_unique<BugReport>(
2044 *BT_DoubleDelete, "Attempt to delete released memory", N);
2045
2046 R->markInteresting(Sym);
2047 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2048 C.emitReport(std::move(R));
2049 }
2050}
2051
2052void MallocChecker::ReportUseZeroAllocated(CheckerContext &C,
2053 SourceRange Range,
2054 SymbolRef Sym) const {
2055
2056 if (!ChecksEnabled[CK_MallocChecker] &&
2057 !ChecksEnabled[CK_NewDeleteChecker])
2058 return;
2059
2060 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2061
2062 if (!CheckKind.hasValue())
2063 return;
2064
2065 if (ExplodedNode *N = C.generateErrorNode()) {
2066 if (!BT_UseZerroAllocated[*CheckKind])
2067 BT_UseZerroAllocated[*CheckKind].reset(
2068 new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2069 categories::MemoryError));
2070
2071 auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind],
2072 "Use of zero-allocated memory", N);
2073
2074 R->addRange(Range);
2075 if (Sym) {
2076 R->markInteresting(Sym);
2077 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2078 }
2079 C.emitReport(std::move(R));
2080 }
2081}
2082
2083void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
2084 SourceRange Range,
2085 const Expr *FreeExpr) const {
2086 if (!ChecksEnabled[CK_MallocChecker])
2087 return;
2088
2089 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr);
2090 if (!CheckKind.hasValue())
2091 return;
2092
2093 if (ExplodedNode *N = C.generateErrorNode()) {
2094 if (!BT_BadFree[*CheckKind])
2095 BT_BadFree[*CheckKind].reset(new BugType(
2096 CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2097
2098 SmallString<100> Buf;
2099 llvm::raw_svector_ostream Os(Buf);
2100
2101 const MemRegion *MR = ArgVal.getAsRegion();
2102 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2103 MR = ER->getSuperRegion();
2104
2105 Os << "Argument to ";
2106 if (!printAllocDeallocName(Os, C, FreeExpr))
2107 Os << "deallocator";
2108
2109 Os << " is a function pointer";
2110
2111 auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], Os.str(), N);
2112 R->markInteresting(MR);
2113 R->addRange(Range);
2114 C.emitReport(std::move(R));
2115 }
2116}
2117
2118ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C,
2119 const CallExpr *CE,
2120 bool FreesOnFail,
2121 ProgramStateRef State,
2122 bool SuffixWithN) const {
2123 if (!State)
2124 return nullptr;
2125
2126 if (SuffixWithN && CE->getNumArgs() < 3)
2127 return nullptr;
2128 else if (CE->getNumArgs() < 2)
2129 return nullptr;
2130
2131 const Expr *arg0Expr = CE->getArg(0);
2132 SVal Arg0Val = C.getSVal(arg0Expr);
2133 if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
2134 return nullptr;
2135 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2136
2137 SValBuilder &svalBuilder = C.getSValBuilder();
2138
2139 DefinedOrUnknownSVal PtrEQ =
2140 svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());
2141
2142 // Get the size argument.
2143 const Expr *Arg1 = CE->getArg(1);
2144
2145 // Get the value of the size argument.
2146 SVal TotalSize = C.getSVal(Arg1);
2147 if (SuffixWithN)
2148 TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
2149 if (!TotalSize.getAs<DefinedOrUnknownSVal>())
2150 return nullptr;
2151
2152 // Compare the size argument to 0.
2153 DefinedOrUnknownSVal SizeZero =
2154 svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
2155 svalBuilder.makeIntValWithPtrWidth(0, false));
2156
2157 ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2158 std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
2159 ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2160 std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
2161 // We only assume exceptional states if they are definitely true; if the
2162 // state is under-constrained, assume regular realloc behavior.
2163 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2164 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2165
2166 // If the ptr is NULL and the size is not 0, the call is equivalent to
2167 // malloc(size).
2168 if (PrtIsNull && !SizeIsZero) {
2169 ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize,
2170 UndefinedVal(), StatePtrIsNull);
2171 return stateMalloc;
2172 }
2173
2174 if (PrtIsNull && SizeIsZero)
2175 return State;
2176
2177 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2178 assert(!PrtIsNull)((!PrtIsNull) ? static_cast<void> (0) : __assert_fail (
"!PrtIsNull", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2178, __PRETTY_FUNCTION__))
;
2179 SymbolRef FromPtr = arg0Val.getAsSymbol();
2180 SVal RetVal = C.getSVal(CE);
2181 SymbolRef ToPtr = RetVal.getAsSymbol();
2182 if (!FromPtr || !ToPtr)
2183 return nullptr;
2184
2185 bool ReleasedAllocated = false;
2186
2187 // If the size is 0, free the memory.
2188 if (SizeIsZero)
2189 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0,
2190 false, ReleasedAllocated)){
2191 // The semantics of the return value are:
2192 // If size was equal to 0, either NULL or a pointer suitable to be passed
2193 // to free() is returned. We just free the input pointer and do not add
2194 // any constrains on the output pointer.
2195 return stateFree;
2196 }
2197
2198 // Default behavior.
2199 if (ProgramStateRef stateFree =
2200 FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) {
2201
2202 ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize,
2203 UnknownVal(), stateFree);
2204 if (!stateRealloc)
2205 return nullptr;
2206
2207 ReallocPairKind Kind = RPToBeFreedAfterFailure;
2208 if (FreesOnFail)
2209 Kind = RPIsFreeOnFailure;
2210 else if (!ReleasedAllocated)
2211 Kind = RPDoNotTrackAfterFailure;
2212
2213 // Record the info about the reallocated symbol so that we could properly
2214 // process failed reallocation.
2215 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
2216 ReallocPair(FromPtr, Kind));
2217 // The reallocated symbol should stay alive for as long as the new symbol.
2218 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
2219 return stateRealloc;
2220 }
2221 return nullptr;
2222}
2223
2224ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE,
2225 ProgramStateRef State) {
2226 if (!State)
2227 return nullptr;
2228
2229 if (CE->getNumArgs() < 2)
2230 return nullptr;
2231
2232 SValBuilder &svalBuilder = C.getSValBuilder();
2233 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
2234 SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
2235
2236 return MallocMemAux(C, CE, TotalSize, zeroVal, State);
2237}
2238
2239LeakInfo
2240MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
2241 CheckerContext &C) const {
2242 const LocationContext *LeakContext = N->getLocationContext();
2243 // Walk the ExplodedGraph backwards and find the first node that referred to
2244 // the tracked symbol.
2245 const ExplodedNode *AllocNode = N;
2246 const MemRegion *ReferenceRegion = nullptr;
2247
2248 while (N) {
2249 ProgramStateRef State = N->getState();
2250 if (!State->get<RegionState>(Sym))
2251 break;
2252
2253 // Find the most recent expression bound to the symbol in the current
2254 // context.
2255 if (!ReferenceRegion) {
2256 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2257 SVal Val = State->getSVal(MR);
2258 if (Val.getAsLocSymbol() == Sym) {
2259 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>();
2260 // Do not show local variables belonging to a function other than
2261 // where the error is reported.
2262 if (!VR ||
2263 (VR->getStackFrame() == LeakContext->getStackFrame()))
2264 ReferenceRegion = MR;
2265 }
2266 }
2267 }
2268
2269 // Allocation node, is the last node in the current or parent context in
2270 // which the symbol was tracked.
2271 const LocationContext *NContext = N->getLocationContext();
2272 if (NContext == LeakContext ||
2273 NContext->isParentOf(LeakContext))
2274 AllocNode = N;
2275 N = N->pred_empty() ? nullptr : *(N->pred_begin());
2276 }
2277
2278 return LeakInfo(AllocNode, ReferenceRegion);
2279}
2280
2281void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
2282 CheckerContext &C) const {
2283
2284 if (!ChecksEnabled[CK_MallocChecker] &&
2285 !ChecksEnabled[CK_NewDeleteLeaksChecker])
2286 return;
2287
2288 const RefState *RS = C.getState()->get<RegionState>(Sym);
2289 assert(RS && "cannot leak an untracked symbol")((RS && "cannot leak an untracked symbol") ? static_cast
<void> (0) : __assert_fail ("RS && \"cannot leak an untracked symbol\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2289, __PRETTY_FUNCTION__))
;
2290 AllocationFamily Family = RS->getAllocationFamily();
2291
2292 if (Family == AF_Alloca)
2293 return;
2294
2295 Optional<MallocChecker::CheckKind>
2296 CheckKind = getCheckIfTracked(Family, true);
2297
2298 if (!CheckKind.hasValue())
2299 return;
2300
2301 assert(N)((N) ? static_cast<void> (0) : __assert_fail ("N", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2301, __PRETTY_FUNCTION__))
;
2302 if (!BT_Leak[*CheckKind]) {
2303 // Leaks should not be reported if they are post-dominated by a sink:
2304 // (1) Sinks are higher importance bugs.
2305 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2306 // with __noreturn functions such as assert() or exit(). We choose not
2307 // to report leaks on such paths.
2308 BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak",
2309 categories::MemoryError,
2310 /*SuppressOnSink=*/true));
2311 }
2312
2313 // Most bug reports are cached at the location where they occurred.
2314 // With leaks, we want to unique them by the location where they were
2315 // allocated, and only report a single path.
2316 PathDiagnosticLocation LocUsedForUniqueing;
2317 const ExplodedNode *AllocNode = nullptr;
2318 const MemRegion *Region = nullptr;
2319 std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
2320
2321 const Stmt *AllocationStmt = PathDiagnosticLocation::getStmt(AllocNode);
2322 if (AllocationStmt)
2323 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
2324 C.getSourceManager(),
2325 AllocNode->getLocationContext());
2326
2327 SmallString<200> buf;
2328 llvm::raw_svector_ostream os(buf);
2329 if (Region && Region->canPrintPretty()) {
2330 os << "Potential leak of memory pointed to by ";
2331 Region->printPretty(os);
2332 } else {
2333 os << "Potential memory leak";
2334 }
2335
2336 auto R = llvm::make_unique<BugReport>(
2337 *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
2338 AllocNode->getLocationContext()->getDecl());
2339 R->markInteresting(Sym);
2340 R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true));
2341 C.emitReport(std::move(R));
2342}
2343
2344void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2345 CheckerContext &C) const
2346{
2347 ProgramStateRef state = C.getState();
2348 RegionStateTy OldRS = state->get<RegionState>();
2349 RegionStateTy::Factory &F = state->get_context<RegionState>();
2350
2351 RegionStateTy RS = OldRS;
2352 SmallVector<SymbolRef, 2> Errors;
2353 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2354 if (SymReaper.isDead(I->first)) {
2355 if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero())
2356 Errors.push_back(I->first);
2357 // Remove the dead symbol from the map.
2358 RS = F.remove(RS, I->first);
2359 }
2360 }
2361
2362 if (RS == OldRS) {
2363 // We shouldn't have touched other maps yet.
2364 assert(state->get<ReallocPairs>() ==((state->get<ReallocPairs>() == C.getState()->get
<ReallocPairs>()) ? static_cast<void> (0) : __assert_fail
("state->get<ReallocPairs>() == C.getState()->get<ReallocPairs>()"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2365, __PRETTY_FUNCTION__))
2365 C.getState()->get<ReallocPairs>())((state->get<ReallocPairs>() == C.getState()->get
<ReallocPairs>()) ? static_cast<void> (0) : __assert_fail
("state->get<ReallocPairs>() == C.getState()->get<ReallocPairs>()"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2365, __PRETTY_FUNCTION__))
;
2366 assert(state->get<FreeReturnValue>() ==((state->get<FreeReturnValue>() == C.getState()->
get<FreeReturnValue>()) ? static_cast<void> (0) :
__assert_fail ("state->get<FreeReturnValue>() == C.getState()->get<FreeReturnValue>()"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2367, __PRETTY_FUNCTION__))
2367 C.getState()->get<FreeReturnValue>())((state->get<FreeReturnValue>() == C.getState()->
get<FreeReturnValue>()) ? static_cast<void> (0) :
__assert_fail ("state->get<FreeReturnValue>() == C.getState()->get<FreeReturnValue>()"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2367, __PRETTY_FUNCTION__))
;
2368 return;
2369 }
2370
2371 // Cleanup the Realloc Pairs Map.
2372 ReallocPairsTy RP = state->get<ReallocPairs>();
2373 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2374 if (SymReaper.isDead(I->first) ||
2375 SymReaper.isDead(I->second.ReallocatedSym)) {
2376 state = state->remove<ReallocPairs>(I->first);
2377 }
2378 }
2379
2380 // Cleanup the FreeReturnValue Map.
2381 FreeReturnValueTy FR = state->get<FreeReturnValue>();
2382 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
2383 if (SymReaper.isDead(I->first) ||
2384 SymReaper.isDead(I->second)) {
2385 state = state->remove<FreeReturnValue>(I->first);
2386 }
2387 }
2388
2389 // Generate leak node.
2390 ExplodedNode *N = C.getPredecessor();
2391 if (!Errors.empty()) {
2392 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2393 N = C.generateNonFatalErrorNode(C.getState(), &Tag);
2394 if (N) {
2395 for (SmallVectorImpl<SymbolRef>::iterator
2396 I = Errors.begin(), E = Errors.end(); I != E; ++I) {
2397 reportLeak(*I, N, C);
2398 }
2399 }
2400 }
2401
2402 C.addTransition(state->set<RegionState>(RS), N);
2403}
2404
2405void MallocChecker::checkPreCall(const CallEvent &Call,
2406 CheckerContext &C) const {
2407
2408 if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) {
2409 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2410 if (!Sym || checkDoubleDelete(Sym, C))
2411 return;
2412 }
2413
2414 // We will check for double free in the post visit.
2415 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
2416 const FunctionDecl *FD = FC->getDecl();
2417 if (!FD)
2418 return;
2419
2420 ASTContext &Ctx = C.getASTContext();
2421 if (ChecksEnabled[CK_MallocChecker] &&
2422 (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) ||
2423 isCMemFunction(FD, Ctx, AF_IfNameIndex,
2424 MemoryOperationKind::MOK_Free)))
2425 return;
2426 }
2427
2428 // Check if the callee of a method is deleted.
2429 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
2430 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2431 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2432 return;
2433 }
2434
2435 // Check arguments for being used after free.
2436 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2437 SVal ArgSVal = Call.getArgSVal(I);
2438 if (ArgSVal.getAs<Loc>()) {
2439 SymbolRef Sym = ArgSVal.getAsSymbol();
2440 if (!Sym)
2441 continue;
2442 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
2443 return;
2444 }
2445 }
2446}
2447
2448void MallocChecker::checkPreStmt(const ReturnStmt *S,
2449 CheckerContext &C) const {
2450 checkEscapeOnReturn(S, C);
2451}
2452
2453// In the CFG, automatic destructors come after the return statement.
2454// This callback checks for returning memory that is freed by automatic
2455// destructors, as those cannot be reached in checkPreStmt().
2456void MallocChecker::checkEndFunction(const ReturnStmt *S,
2457 CheckerContext &C) const {
2458 checkEscapeOnReturn(S, C);
2459}
2460
2461void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
2462 CheckerContext &C) const {
2463 if (!S)
2464 return;
2465
2466 const Expr *E = S->getRetValue();
2467 if (!E)
2468 return;
2469
2470 // Check if we are returning a symbol.
2471 ProgramStateRef State = C.getState();
2472 SVal RetVal = C.getSVal(E);
2473 SymbolRef Sym = RetVal.getAsSymbol();
2474 if (!Sym)
2475 // If we are returning a field of the allocated struct or an array element,
2476 // the callee could still free the memory.
2477 // TODO: This logic should be a part of generic symbol escape callback.
2478 if (const MemRegion *MR = RetVal.getAsRegion())
2479 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR))
2480 if (const SymbolicRegion *BMR =
2481 dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
2482 Sym = BMR->getSymbol();
2483
2484 // Check if we are returning freed memory.
2485 if (Sym)
2486 checkUseAfterFree(Sym, C, E);
2487}
2488
2489// TODO: Blocks should be either inlined or should call invalidate regions
2490// upon invocation. After that's in place, special casing here will not be
2491// needed.
2492void MallocChecker::checkPostStmt(const BlockExpr *BE,
2493 CheckerContext &C) const {
2494
2495 // Scan the BlockDecRefExprs for any object the retain count checker
2496 // may be tracking.
2497 if (!BE->getBlockDecl()->hasCaptures())
2498 return;
2499
2500 ProgramStateRef state = C.getState();
2501 const BlockDataRegion *R =
2502 cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());
2503
2504 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
2505 E = R->referenced_vars_end();
2506
2507 if (I == E)
2508 return;
2509
2510 SmallVector<const MemRegion*, 10> Regions;
2511 const LocationContext *LC = C.getLocationContext();
2512 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
2513
2514 for ( ; I != E; ++I) {
2515 const VarRegion *VR = I.getCapturedRegion();
2516 if (VR->getSuperRegion() == R) {
2517 VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2518 }
2519 Regions.push_back(VR);
2520 }
2521
2522 state =
2523 state->scanReachableSymbols<StopTrackingCallback>(Regions).getState();
2524 C.addTransition(state);
2525}
2526
2527bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const {
2528 assert(Sym)((Sym) ? static_cast<void> (0) : __assert_fail ("Sym", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2528, __PRETTY_FUNCTION__))
;
2529 const RefState *RS = C.getState()->get<RegionState>(Sym);
2530 return (RS && RS->isReleased());
2531}
2532
2533bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
2534 const Stmt *S) const {
2535
2536 if (isReleased(Sym, C)) {
2537 ReportUseAfterFree(C, S->getSourceRange(), Sym);
2538 return true;
2539 }
2540
2541 return false;
2542}
2543
2544void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
2545 const Stmt *S) const {
2546 assert(Sym)((Sym) ? static_cast<void> (0) : __assert_fail ("Sym", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2546, __PRETTY_FUNCTION__))
;
2547
2548 if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
2549 if (RS->isAllocatedOfSizeZero())
2550 ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym);
2551 }
2552 else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
2553 ReportUseZeroAllocated(C, S->getSourceRange(), Sym);
2554 }
2555}
2556
2557bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
2558
2559 if (isReleased(Sym, C)) {
2560 ReportDoubleDelete(C, Sym);
2561 return true;
2562 }
2563 return false;
2564}
2565
2566// Check if the location is a freed symbolic region.
2567void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
2568 CheckerContext &C) const {
2569 SymbolRef Sym = l.getLocSymbolInBase();
2570 if (Sym) {
2571 checkUseAfterFree(Sym, C, S);
2572 checkUseZeroAllocated(Sym, C, S);
2573 }
2574}
2575
2576// If a symbolic region is assumed to NULL (or another constant), stop tracking
2577// it - assuming that allocation failed on this path.
2578ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
2579 SVal Cond,
2580 bool Assumption) const {
2581 RegionStateTy RS = state->get<RegionState>();
2582 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2583 // If the symbol is assumed to be NULL, remove it from consideration.
2584 ConstraintManager &CMgr = state->getConstraintManager();
2585 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2586 if (AllocFailed.isConstrainedTrue())
2587 state = state->remove<RegionState>(I.getKey());
2588 }
2589
2590 // Realloc returns 0 when reallocation fails, which means that we should
2591 // restore the state of the pointer being reallocated.
2592 ReallocPairsTy RP = state->get<ReallocPairs>();
2593 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2594 // If the symbol is assumed to be NULL, remove it from consideration.
2595 ConstraintManager &CMgr = state->getConstraintManager();
2596 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2597 if (!AllocFailed.isConstrainedTrue())
2598 continue;
2599
2600 SymbolRef ReallocSym = I.getData().ReallocatedSym;
2601 if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
2602 if (RS->isReleased()) {
2603 if (I.getData().Kind == RPToBeFreedAfterFailure)
2604 state = state->set<RegionState>(ReallocSym,
2605 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt()));
2606 else if (I.getData().Kind == RPDoNotTrackAfterFailure)
2607 state = state->remove<RegionState>(ReallocSym);
2608 else
2609 assert(I.getData().Kind == RPIsFreeOnFailure)((I.getData().Kind == RPIsFreeOnFailure) ? static_cast<void
> (0) : __assert_fail ("I.getData().Kind == RPIsFreeOnFailure"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2609, __PRETTY_FUNCTION__))
;
2610 }
2611 }
2612 state = state->remove<ReallocPairs>(I.getKey());
2613 }
2614
2615 return state;
2616}
2617
2618bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
2619 const CallEvent *Call,
2620 ProgramStateRef State,
2621 SymbolRef &EscapingSymbol) const {
2622 assert(Call)((Call) ? static_cast<void> (0) : __assert_fail ("Call"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2622, __PRETTY_FUNCTION__))
;
2623 EscapingSymbol = nullptr;
2624
2625 // For now, assume that any C++ or block call can free memory.
2626 // TODO: If we want to be more optimistic here, we'll need to make sure that
2627 // regions escape to C++ containers. They seem to do that even now, but for
2628 // mysterious reasons.
2629 if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call)))
2630 return true;
2631
2632 // Check Objective-C messages by selector name.
2633 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
2634 // If it's not a framework call, or if it takes a callback, assume it
2635 // can free memory.
2636 if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
2637 return true;
2638
2639 // If it's a method we know about, handle it explicitly post-call.
2640 // This should happen before the "freeWhenDone" check below.
2641 if (isKnownDeallocObjCMethodName(*Msg))
2642 return false;
2643
2644 // If there's a "freeWhenDone" parameter, but the method isn't one we know
2645 // about, we can't be sure that the object will use free() to deallocate the
2646 // memory, so we can't model it explicitly. The best we can do is use it to
2647 // decide whether the pointer escapes.
2648 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
2649 return *FreeWhenDone;
2650
2651 // If the first selector piece ends with "NoCopy", and there is no
2652 // "freeWhenDone" parameter set to zero, we know ownership is being
2653 // transferred. Again, though, we can't be sure that the object will use
2654 // free() to deallocate the memory, so we can't model it explicitly.
2655 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
2656 if (FirstSlot.endswith("NoCopy"))
2657 return true;
2658
2659 // If the first selector starts with addPointer, insertPointer,
2660 // or replacePointer, assume we are dealing with NSPointerArray or similar.
2661 // This is similar to C++ containers (vector); we still might want to check
2662 // that the pointers get freed by following the container itself.
2663 if (FirstSlot.startswith("addPointer") ||
2664 FirstSlot.startswith("insertPointer") ||
2665 FirstSlot.startswith("replacePointer") ||
2666 FirstSlot.equals("valueWithPointer")) {
2667 return true;
2668 }
2669
2670 // We should escape receiver on call to 'init'. This is especially relevant
2671 // to the receiver, as the corresponding symbol is usually not referenced
2672 // after the call.
2673 if (Msg->getMethodFamily() == OMF_init) {
2674 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
2675 return true;
2676 }
2677
2678 // Otherwise, assume that the method does not free memory.
2679 // Most framework methods do not free memory.
2680 return false;
2681 }
2682
2683 // At this point the only thing left to handle is straight function calls.
2684 const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
2685 if (!FD)
2686 return true;
2687
2688 ASTContext &ASTC = State->getStateManager().getContext();
2689
2690 // If it's one of the allocation functions we can reason about, we model
2691 // its behavior explicitly.
2692 if (isMemFunction(FD, ASTC))
2693 return false;
2694
2695 // If it's not a system call, assume it frees memory.
2696 if (!Call->isInSystemHeader())
2697 return true;
2698
2699 // White list the system functions whose arguments escape.
2700 const IdentifierInfo *II = FD->getIdentifier();
2701 if (!II)
2702 return true;
2703 StringRef FName = II->getName();
2704
2705 // White list the 'XXXNoCopy' CoreFoundation functions.
2706 // We specifically check these before
2707 if (FName.endswith("NoCopy")) {
2708 // Look for the deallocator argument. We know that the memory ownership
2709 // is not transferred only if the deallocator argument is
2710 // 'kCFAllocatorNull'.
2711 for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
2712 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
2713 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
2714 StringRef DeallocatorName = DE->getFoundDecl()->getName();
2715 if (DeallocatorName == "kCFAllocatorNull")
2716 return false;
2717 }
2718 }
2719 return true;
2720 }
2721
2722 // Associating streams with malloced buffers. The pointer can escape if
2723 // 'closefn' is specified (and if that function does free memory),
2724 // but it will not if closefn is not specified.
2725 // Currently, we do not inspect the 'closefn' function (PR12101).
2726 if (FName == "funopen")
2727 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
2728 return false;
2729
2730 // Do not warn on pointers passed to 'setbuf' when used with std streams,
2731 // these leaks might be intentional when setting the buffer for stdio.
2732 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
2733 if (FName == "setbuf" || FName =="setbuffer" ||
2734 FName == "setlinebuf" || FName == "setvbuf") {
2735 if (Call->getNumArgs() >= 1) {
2736 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
2737 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
2738 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
2739 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos)
2740 return true;
2741 }
2742 }
2743
2744 // A bunch of other functions which either take ownership of a pointer or
2745 // wrap the result up in a struct or object, meaning it can be freed later.
2746 // (See RetainCountChecker.) Not all the parameters here are invalidated,
2747 // but the Malloc checker cannot differentiate between them. The right way
2748 // of doing this would be to implement a pointer escapes callback.
2749 if (FName == "CGBitmapContextCreate" ||
2750 FName == "CGBitmapContextCreateWithData" ||
2751 FName == "CVPixelBufferCreateWithBytes" ||
2752 FName == "CVPixelBufferCreateWithPlanarBytes" ||
2753 FName == "OSAtomicEnqueue") {
2754 return true;
2755 }
2756
2757 if (FName == "postEvent" &&
2758 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2759 return true;
2760 }
2761
2762 if (FName == "postEvent" &&
2763 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2764 return true;
2765 }
2766
2767 if (FName == "connectImpl" &&
2768 FD->getQualifiedNameAsString() == "QObject::connectImpl") {
2769 return true;
2770 }
2771
2772 // Handle cases where we know a buffer's /address/ can escape.
2773 // Note that the above checks handle some special cases where we know that
2774 // even though the address escapes, it's still our responsibility to free the
2775 // buffer.
2776 if (Call->argumentsMayEscape())
2777 return true;
2778
2779 // Otherwise, assume that the function does not free memory.
2780 // Most system calls do not free the memory.
2781 return false;
2782}
2783
2784static bool retTrue(const RefState *RS) {
2785 return true;
2786}
2787
2788static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
2789 return (RS->getAllocationFamily() == AF_CXXNewArray ||
2790 RS->getAllocationFamily() == AF_CXXNew);
2791}
2792
2793ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
2794 const InvalidatedSymbols &Escaped,
2795 const CallEvent *Call,
2796 PointerEscapeKind Kind) const {
2797 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue);
2798}
2799
2800ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
2801 const InvalidatedSymbols &Escaped,
2802 const CallEvent *Call,
2803 PointerEscapeKind Kind) const {
2804 return checkPointerEscapeAux(State, Escaped, Call, Kind,
2805 &checkIfNewOrNewArrayFamily);
2806}
2807
2808ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State,
2809 const InvalidatedSymbols &Escaped,
2810 const CallEvent *Call,
2811 PointerEscapeKind Kind,
2812 bool(*CheckRefState)(const RefState*)) const {
2813 // If we know that the call does not free memory, or we want to process the
2814 // call later, keep tracking the top level arguments.
2815 SymbolRef EscapingSymbol = nullptr;
2816 if (Kind == PSK_DirectEscapeOnCall &&
2817 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
2818 EscapingSymbol) &&
2819 !EscapingSymbol) {
2820 return State;
2821 }
2822
2823 for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
2824 E = Escaped.end();
2825 I != E; ++I) {
2826 SymbolRef sym = *I;
2827
2828 if (EscapingSymbol && EscapingSymbol != sym)
2829 continue;
2830
2831 if (const RefState *RS = State->get<RegionState>(sym)) {
2832 if ((RS->isAllocated() || RS->isAllocatedOfSizeZero()) &&
2833 CheckRefState(RS)) {
2834 State = State->remove<RegionState>(sym);
2835 State = State->set<RegionState>(sym, RefState::getEscaped(RS));
2836 }
2837 }
2838 }
2839 return State;
2840}
2841
2842static SymbolRef findFailedReallocSymbol(ProgramStateRef currState,
2843 ProgramStateRef prevState) {
2844 ReallocPairsTy currMap = currState->get<ReallocPairs>();
2845 ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
2846
2847 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end();
2848 I != E; ++I) {
2849 SymbolRef sym = I.getKey();
2850 if (!currMap.lookup(sym))
2851 return sym;
2852 }
2853
2854 return nullptr;
2855}
2856
2857static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) {
2858 if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
2859 StringRef N = II->getName();
2860 if (N.contains_lower("ptr") || N.contains_lower("pointer")) {
2861 if (N.contains_lower("ref") || N.contains_lower("cnt") ||
2862 N.contains_lower("intrusive") || N.contains_lower("shared")) {
2863 return true;
2864 }
2865 }
2866 }
2867 return false;
2868}
2869
2870std::shared_ptr<PathDiagnosticPiece> MallocChecker::MallocBugVisitor::VisitNode(
2871 const ExplodedNode *N, BugReporterContext &BRC, BugReport &BR) {
2872
2873 ProgramStateRef state = N->getState();
2874 ProgramStateRef statePrev = N->getFirstPred()->getState();
2875
2876 const RefState *RS = state->get<RegionState>(Sym);
2877 const RefState *RSPrev = statePrev->get<RegionState>(Sym);
2878
2879 const Stmt *S = PathDiagnosticLocation::getStmt(N);
2880 // When dealing with containers, we sometimes want to give a note
2881 // even if the statement is missing.
2882 if (!S && (!RS || RS->getAllocationFamily() != AF_InnerBuffer))
1
Assuming 'S' is non-null
2883 return nullptr;
2884
2885 const LocationContext *CurrentLC = N->getLocationContext();
2886
2887 // If we find an atomic fetch_add or fetch_sub within the destructor in which
2888 // the pointer was released (before the release), this is likely a destructor
2889 // of a shared pointer.
2890 // Because we don't model atomics, and also because we don't know that the
2891 // original reference count is positive, we should not report use-after-frees
2892 // on objects deleted in such destructors. This can probably be improved
2893 // through better shared pointer modeling.
2894 if (ReleaseDestructorLC) {
2
Assuming the condition is false
3
Taking false branch
2895 if (const auto *AE = dyn_cast<AtomicExpr>(S)) {
2896 AtomicExpr::AtomicOp Op = AE->getOp();
2897 if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
2898 Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
2899 if (ReleaseDestructorLC == CurrentLC ||
2900 ReleaseDestructorLC->isParentOf(CurrentLC)) {
2901 BR.markInvalid(getTag(), S);
2902 }
2903 }
2904 }
2905 }
2906
2907 // FIXME: We will eventually need to handle non-statement-based events
2908 // (__attribute__((cleanup))).
2909
2910 // Find out if this is an interesting point and what is the kind.
2911 StringRef Msg;
2912 StackHintGeneratorForSymbol *StackHint = nullptr;
2913 SmallString<256> Buf;
2914 llvm::raw_svector_ostream OS(Buf);
2915
2916 if (Mode == Normal) {
4
Assuming the condition is true
5
Taking true branch
2917 if (isAllocated(RS, RSPrev, S)) {
6
Taking true branch
2918 Msg = "Memory is allocated";
2919 StackHint = new StackHintGeneratorForSymbol(Sym,
7
Memory is allocated
2920 "Returned allocated memory");
2921 } else if (isReleased(RS, RSPrev, S)) {
2922 const auto Family = RS->getAllocationFamily();
2923 switch (Family) {
2924 case AF_Alloca:
2925 case AF_Malloc:
2926 case AF_CXXNew:
2927 case AF_CXXNewArray:
2928 case AF_IfNameIndex:
2929 Msg = "Memory is released";
2930 StackHint = new StackHintGeneratorForSymbol(Sym,
2931 "Returning; memory was released");
2932 break;
2933 case AF_InnerBuffer: {
2934 const MemRegion *ObjRegion =
2935 allocation_state::getContainerObjRegion(statePrev, Sym);
2936 const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
2937 QualType ObjTy = TypedRegion->getValueType();
2938 OS << "Inner buffer of '" << ObjTy.getAsString() << "' ";
2939
2940 if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
2941 OS << "deallocated by call to destructor";
2942 StackHint = new StackHintGeneratorForSymbol(Sym,
2943 "Returning; inner buffer was deallocated");
2944 } else {
2945 OS << "reallocated by call to '";
2946 const Stmt *S = RS->getStmt();
2947 if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) {
2948 OS << MemCallE->getMethodDecl()->getNameAsString();
2949 } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) {
2950 OS << OpCallE->getDirectCallee()->getNameAsString();
2951 } else if (const auto *CallE = dyn_cast<CallExpr>(S)) {
2952 auto &CEMgr = BRC.getStateManager().getCallEventManager();
2953 CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC);
2954 const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl());
2955 OS << (D ? D->getNameAsString() : "unknown");
2956 }
2957 OS << "'";
2958 StackHint = new StackHintGeneratorForSymbol(Sym,
2959 "Returning; inner buffer was reallocated");
2960 }
2961 Msg = OS.str();
2962 break;
2963 }
2964 case AF_None:
2965 llvm_unreachable("Unhandled allocation family!")::llvm::llvm_unreachable_internal("Unhandled allocation family!"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2965)
;
2966 }
2967
2968 // See if we're releasing memory while inlining a destructor
2969 // (or one of its callees). This turns on various common
2970 // false positive suppressions.
2971 bool FoundAnyDestructor = false;
2972 for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
2973 if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
2974 if (isReferenceCountingPointerDestructor(DD)) {
2975 // This immediately looks like a reference-counting destructor.
2976 // We're bad at guessing the original reference count of the object,
2977 // so suppress the report for now.
2978 BR.markInvalid(getTag(), DD);
2979 } else if (!FoundAnyDestructor) {
2980 assert(!ReleaseDestructorLC &&((!ReleaseDestructorLC && "There can be only one release point!"
) ? static_cast<void> (0) : __assert_fail ("!ReleaseDestructorLC && \"There can be only one release point!\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2981, __PRETTY_FUNCTION__))
2981 "There can be only one release point!")((!ReleaseDestructorLC && "There can be only one release point!"
) ? static_cast<void> (0) : __assert_fail ("!ReleaseDestructorLC && \"There can be only one release point!\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 2981, __PRETTY_FUNCTION__))
;
2982 // Suspect that it's a reference counting pointer destructor.
2983 // On one of the next nodes might find out that it has atomic
2984 // reference counting operations within it (see the code above),
2985 // and if so, we'd conclude that it likely is a reference counting
2986 // pointer destructor.
2987 ReleaseDestructorLC = LC->getStackFrame();
2988 // It is unlikely that releasing memory is delegated to a destructor
2989 // inside a destructor of a shared pointer, because it's fairly hard
2990 // to pass the information that the pointer indeed needs to be
2991 // released into it. So we're only interested in the innermost
2992 // destructor.
2993 FoundAnyDestructor = true;
2994 }
2995 }
2996 }
2997 } else if (isRelinquished(RS, RSPrev, S)) {
2998 Msg = "Memory ownership is transferred";
2999 StackHint = new StackHintGeneratorForSymbol(Sym, "");
3000 } else if (isReallocFailedCheck(RS, RSPrev, S)) {
3001 Mode = ReallocationFailed;
3002 Msg = "Reallocation failed";
3003 StackHint = new StackHintGeneratorForReallocationFailed(Sym,
3004 "Reallocation failed");
3005
3006 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
3007 // Is it possible to fail two reallocs WITHOUT testing in between?
3008 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&(((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
"We only support one failed realloc at a time.") ? static_cast
<void> (0) : __assert_fail ("(!FailedReallocSymbol || FailedReallocSymbol == sym) && \"We only support one failed realloc at a time.\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 3009, __PRETTY_FUNCTION__))
3009 "We only support one failed realloc at a time.")(((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
"We only support one failed realloc at a time.") ? static_cast
<void> (0) : __assert_fail ("(!FailedReallocSymbol || FailedReallocSymbol == sym) && \"We only support one failed realloc at a time.\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 3009, __PRETTY_FUNCTION__))
;
3010 BR.markInteresting(sym);
3011 FailedReallocSymbol = sym;
3012 }
3013 }
3014
3015 // We are in a special mode if a reallocation failed later in the path.
3016 } else if (Mode == ReallocationFailed) {
3017 assert(FailedReallocSymbol && "No symbol to look for.")((FailedReallocSymbol && "No symbol to look for.") ? static_cast
<void> (0) : __assert_fail ("FailedReallocSymbol && \"No symbol to look for.\""
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 3017, __PRETTY_FUNCTION__))
;
3018
3019 // Is this is the first appearance of the reallocated symbol?
3020 if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
3021 // We're at the reallocation point.
3022 Msg = "Attempt to reallocate memory";
3023 StackHint = new StackHintGeneratorForSymbol(Sym,
3024 "Returned reallocated memory");
3025 FailedReallocSymbol = nullptr;
3026 Mode = Normal;
3027 }
3028 }
3029
3030 if (Msg.empty())
8
Assuming the condition is true
9
Taking true branch
3031 return nullptr;
10
Potential leak of memory pointed to by 'StackHint'
3032 assert(StackHint)((StackHint) ? static_cast<void> (0) : __assert_fail ("StackHint"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 3032, __PRETTY_FUNCTION__))
;
3033
3034 // Generate the extra diagnostic.
3035 PathDiagnosticLocation Pos;
3036 if (!S) {
3037 assert(RS->getAllocationFamily() == AF_InnerBuffer)((RS->getAllocationFamily() == AF_InnerBuffer) ? static_cast
<void> (0) : __assert_fail ("RS->getAllocationFamily() == AF_InnerBuffer"
, "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp"
, 3037, __PRETTY_FUNCTION__))
;
3038 auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
3039 if (!PostImplCall)
3040 return nullptr;
3041 Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
3042 BRC.getSourceManager());
3043 } else {
3044 Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
3045 N->getLocationContext());
3046 }
3047
3048 return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true, StackHint);
3049}
3050
3051void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
3052 const char *NL, const char *Sep) const {
3053
3054 RegionStateTy RS = State->get<RegionState>();
3055
3056 if (!RS.isEmpty()) {
3057 Out << Sep << "MallocChecker :" << NL;
3058 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3059 const RefState *RefS = State->get<RegionState>(I.getKey());
3060 AllocationFamily Family = RefS->getAllocationFamily();
3061 Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
3062 if (!CheckKind.hasValue())
3063 CheckKind = getCheckIfTracked(Family, true);
3064
3065 I.getKey()->dumpToStream(Out);
3066 Out << " : ";
3067 I.getData().dump(Out);
3068 if (CheckKind.hasValue())
3069 Out << " (" << CheckNames[*CheckKind].getName() << ")";
3070 Out << NL;
3071 }
3072 }
3073}
3074
3075namespace clang {
3076namespace ento {
3077namespace allocation_state {
3078
3079ProgramStateRef
3080markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) {
3081 AllocationFamily Family = AF_InnerBuffer;
3082 return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3083}
3084
3085} // end namespace allocation_state
3086} // end namespace ento
3087} // end namespace clang
3088
3089// Intended to be used in InnerPointerChecker to register the part of
3090// MallocChecker connected to it.
3091void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) {
3092 MallocChecker *checker = mgr.getChecker<MallocChecker>();
3093 checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
3094 checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
3095 mgr.getCurrentCheckName();
3096}
3097
3098void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
3099 auto *checker = mgr.registerChecker<MallocChecker>();
3100 checker->IsOptimistic = mgr.getAnalyzerOptions().getCheckerBooleanOption(
3101 checker, "Optimistic");
3102}
3103
3104bool ento::shouldRegisterDynamicMemoryModeling(const LangOptions &LO) {
3105 return true;
3106}
3107
3108#define REGISTER_CHECKER(name)void ento::registername(CheckerManager &mgr) { MallocChecker
*checker = mgr.getChecker<MallocChecker>(); checker->
ChecksEnabled[MallocChecker::CK_name] = true; checker->CheckNames
[MallocChecker::CK_name] = mgr.getCurrentCheckName(); } bool ento
::shouldRegistername(const LangOptions &LO) { return true
; }
\
3109 void ento::register##name(CheckerManager &mgr) { \
3110 MallocChecker *checker = mgr.getChecker<MallocChecker>(); \
3111 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3112 checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \
3113 } \
3114 \
3115 bool ento::shouldRegister##name(const LangOptions &LO) { \
3116 return true; \
3117 }
3118
3119REGISTER_CHECKER(MallocChecker)void ento::registerMallocChecker(CheckerManager &mgr) { MallocChecker
*checker = mgr.getChecker<MallocChecker>(); checker->
ChecksEnabled[MallocChecker::CK_MallocChecker] = true; checker
->CheckNames[MallocChecker::CK_MallocChecker] = mgr.getCurrentCheckName
(); } bool ento::shouldRegisterMallocChecker(const LangOptions
&LO) { return true; }
3120REGISTER_CHECKER(NewDeleteChecker)void ento::registerNewDeleteChecker(CheckerManager &mgr) {
MallocChecker *checker = mgr.getChecker<MallocChecker>
(); checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker
] = true; checker->CheckNames[MallocChecker::CK_NewDeleteChecker
] = mgr.getCurrentCheckName(); } bool ento::shouldRegisterNewDeleteChecker
(const LangOptions &LO) { return true; }
3121REGISTER_CHECKER(NewDeleteLeaksChecker)void ento::registerNewDeleteLeaksChecker(CheckerManager &
mgr) { MallocChecker *checker = mgr.getChecker<MallocChecker
>(); checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker
] = true; checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker
] = mgr.getCurrentCheckName(); } bool ento::shouldRegisterNewDeleteLeaksChecker
(const LangOptions &LO) { return true; }
3122REGISTER_CHECKER(MismatchedDeallocatorChecker)void ento::registerMismatchedDeallocatorChecker(CheckerManager
&mgr) { MallocChecker *checker = mgr.getChecker<MallocChecker
>(); checker->ChecksEnabled[MallocChecker::CK_MismatchedDeallocatorChecker
] = true; checker->CheckNames[MallocChecker::CK_MismatchedDeallocatorChecker
] = mgr.getCurrentCheckName(); } bool ento::shouldRegisterMismatchedDeallocatorChecker
(const LangOptions &LO) { return true; }