File: | tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp |
Warning: | line 3031, column 12 Potential leak of memory pointed to by 'StackHint' |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// | |||
2 | // | |||
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. | |||
4 | // See https://llvm.org/LICENSE.txt for license information. | |||
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception | |||
6 | // | |||
7 | //===----------------------------------------------------------------------===// | |||
8 | // | |||
9 | // This file defines malloc/free checker, which checks for potential memory | |||
10 | // leaks, double free, and use-after-free problems. | |||
11 | // | |||
12 | //===----------------------------------------------------------------------===// | |||
13 | ||||
14 | #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" | |||
15 | #include "InterCheckerAPI.h" | |||
16 | #include "clang/AST/Attr.h" | |||
17 | #include "clang/AST/ParentMap.h" | |||
18 | #include "clang/Basic/SourceManager.h" | |||
19 | #include "clang/Basic/TargetInfo.h" | |||
20 | #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" | |||
21 | #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" | |||
22 | #include "clang/StaticAnalyzer/Core/Checker.h" | |||
23 | #include "clang/StaticAnalyzer/Core/CheckerManager.h" | |||
24 | #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" | |||
25 | #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" | |||
26 | #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" | |||
27 | #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" | |||
28 | #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" | |||
29 | #include "llvm/ADT/STLExtras.h" | |||
30 | #include "llvm/ADT/SmallString.h" | |||
31 | #include "llvm/ADT/StringExtras.h" | |||
32 | #include "AllocationState.h" | |||
33 | #include <climits> | |||
34 | #include <utility> | |||
35 | ||||
36 | using namespace clang; | |||
37 | using namespace ento; | |||
38 | ||||
39 | namespace { | |||
40 | ||||
41 | // Used to check correspondence between allocators and deallocators. | |||
42 | enum AllocationFamily { | |||
43 | AF_None, | |||
44 | AF_Malloc, | |||
45 | AF_CXXNew, | |||
46 | AF_CXXNewArray, | |||
47 | AF_IfNameIndex, | |||
48 | AF_Alloca, | |||
49 | AF_InnerBuffer | |||
50 | }; | |||
51 | ||||
52 | class RefState { | |||
53 | enum Kind { // Reference to allocated memory. | |||
54 | Allocated, | |||
55 | // Reference to zero-allocated memory. | |||
56 | AllocatedOfSizeZero, | |||
57 | // Reference to released/freed memory. | |||
58 | Released, | |||
59 | // The responsibility for freeing resources has transferred from | |||
60 | // this reference. A relinquished symbol should not be freed. | |||
61 | Relinquished, | |||
62 | // We are no longer guaranteed to have observed all manipulations | |||
63 | // of this pointer/memory. For example, it could have been | |||
64 | // passed as a parameter to an opaque function. | |||
65 | Escaped | |||
66 | }; | |||
67 | ||||
68 | const Stmt *S; | |||
69 | unsigned K : 3; // Kind enum, but stored as a bitfield. | |||
70 | unsigned Family : 29; // Rest of 32-bit word, currently just an allocation | |||
71 | // family. | |||
72 | ||||
73 | RefState(Kind k, const Stmt *s, unsigned family) | |||
74 | : S(s), K(k), Family(family) { | |||
75 | assert(family != AF_None)((family != AF_None) ? static_cast<void> (0) : __assert_fail ("family != AF_None", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 75, __PRETTY_FUNCTION__)); | |||
76 | } | |||
77 | public: | |||
78 | bool isAllocated() const { return K == Allocated; } | |||
79 | bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; } | |||
80 | bool isReleased() const { return K == Released; } | |||
81 | bool isRelinquished() const { return K == Relinquished; } | |||
82 | bool isEscaped() const { return K == Escaped; } | |||
83 | AllocationFamily getAllocationFamily() const { | |||
84 | return (AllocationFamily)Family; | |||
85 | } | |||
86 | const Stmt *getStmt() const { return S; } | |||
87 | ||||
88 | bool operator==(const RefState &X) const { | |||
89 | return K == X.K && S == X.S && Family == X.Family; | |||
90 | } | |||
91 | ||||
92 | static RefState getAllocated(unsigned family, const Stmt *s) { | |||
93 | return RefState(Allocated, s, family); | |||
94 | } | |||
95 | static RefState getAllocatedOfSizeZero(const RefState *RS) { | |||
96 | return RefState(AllocatedOfSizeZero, RS->getStmt(), | |||
97 | RS->getAllocationFamily()); | |||
98 | } | |||
99 | static RefState getReleased(unsigned family, const Stmt *s) { | |||
100 | return RefState(Released, s, family); | |||
101 | } | |||
102 | static RefState getRelinquished(unsigned family, const Stmt *s) { | |||
103 | return RefState(Relinquished, s, family); | |||
104 | } | |||
105 | static RefState getEscaped(const RefState *RS) { | |||
106 | return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); | |||
107 | } | |||
108 | ||||
109 | void Profile(llvm::FoldingSetNodeID &ID) const { | |||
110 | ID.AddInteger(K); | |||
111 | ID.AddPointer(S); | |||
112 | ID.AddInteger(Family); | |||
113 | } | |||
114 | ||||
115 | void dump(raw_ostream &OS) const { | |||
116 | switch (static_cast<Kind>(K)) { | |||
117 | #define CASE(ID)case ID: OS << "ID"; break; case ID: OS << #ID; break; | |||
118 | CASE(Allocated)case Allocated: OS << "Allocated"; break; | |||
119 | CASE(AllocatedOfSizeZero)case AllocatedOfSizeZero: OS << "AllocatedOfSizeZero"; break ; | |||
120 | CASE(Released)case Released: OS << "Released"; break; | |||
121 | CASE(Relinquished)case Relinquished: OS << "Relinquished"; break; | |||
122 | CASE(Escaped)case Escaped: OS << "Escaped"; break; | |||
123 | } | |||
124 | } | |||
125 | ||||
126 | LLVM_DUMP_METHOD__attribute__((noinline)) __attribute__((__used__)) void dump() const { dump(llvm::errs()); } | |||
127 | }; | |||
128 | ||||
129 | enum ReallocPairKind { | |||
130 | RPToBeFreedAfterFailure, | |||
131 | // The symbol has been freed when reallocation failed. | |||
132 | RPIsFreeOnFailure, | |||
133 | // The symbol does not need to be freed after reallocation fails. | |||
134 | RPDoNotTrackAfterFailure | |||
135 | }; | |||
136 | ||||
137 | /// \class ReallocPair | |||
138 | /// Stores information about the symbol being reallocated by a call to | |||
139 | /// 'realloc' to allow modeling failed reallocation later in the path. | |||
140 | struct ReallocPair { | |||
141 | // The symbol which realloc reallocated. | |||
142 | SymbolRef ReallocatedSym; | |||
143 | ReallocPairKind Kind; | |||
144 | ||||
145 | ReallocPair(SymbolRef S, ReallocPairKind K) : | |||
146 | ReallocatedSym(S), Kind(K) {} | |||
147 | void Profile(llvm::FoldingSetNodeID &ID) const { | |||
148 | ID.AddInteger(Kind); | |||
149 | ID.AddPointer(ReallocatedSym); | |||
150 | } | |||
151 | bool operator==(const ReallocPair &X) const { | |||
152 | return ReallocatedSym == X.ReallocatedSym && | |||
153 | Kind == X.Kind; | |||
154 | } | |||
155 | }; | |||
156 | ||||
157 | typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; | |||
158 | ||||
159 | class MallocChecker : public Checker<check::DeadSymbols, | |||
160 | check::PointerEscape, | |||
161 | check::ConstPointerEscape, | |||
162 | check::PreStmt<ReturnStmt>, | |||
163 | check::EndFunction, | |||
164 | check::PreCall, | |||
165 | check::PostStmt<CallExpr>, | |||
166 | check::PostStmt<CXXNewExpr>, | |||
167 | check::NewAllocator, | |||
168 | check::PreStmt<CXXDeleteExpr>, | |||
169 | check::PostStmt<BlockExpr>, | |||
170 | check::PostObjCMessage, | |||
171 | check::Location, | |||
172 | eval::Assume> | |||
173 | { | |||
174 | public: | |||
175 | MallocChecker() | |||
176 | : II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr), | |||
177 | II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr), | |||
178 | II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr), | |||
179 | II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr), | |||
180 | II_if_nameindex(nullptr), II_if_freenameindex(nullptr), | |||
181 | II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr), | |||
182 | II_g_malloc0(nullptr), II_g_realloc(nullptr), II_g_try_malloc(nullptr), | |||
183 | II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr), | |||
184 | II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr), | |||
185 | II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr), | |||
186 | II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr), | |||
187 | II_g_try_realloc_n(nullptr) {} | |||
188 | ||||
189 | /// In pessimistic mode, the checker assumes that it does not know which | |||
190 | /// functions might free the memory. | |||
191 | enum CheckKind { | |||
192 | CK_MallocChecker, | |||
193 | CK_NewDeleteChecker, | |||
194 | CK_NewDeleteLeaksChecker, | |||
195 | CK_MismatchedDeallocatorChecker, | |||
196 | CK_InnerPointerChecker, | |||
197 | CK_NumCheckKinds | |||
198 | }; | |||
199 | ||||
200 | enum class MemoryOperationKind { | |||
201 | MOK_Allocate, | |||
202 | MOK_Free, | |||
203 | MOK_Any | |||
204 | }; | |||
205 | ||||
206 | DefaultBool IsOptimistic; | |||
207 | ||||
208 | DefaultBool ChecksEnabled[CK_NumCheckKinds]; | |||
209 | CheckName CheckNames[CK_NumCheckKinds]; | |||
210 | ||||
211 | void checkPreCall(const CallEvent &Call, CheckerContext &C) const; | |||
212 | void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; | |||
213 | void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; | |||
214 | void checkNewAllocator(const CXXNewExpr *NE, SVal Target, | |||
215 | CheckerContext &C) const; | |||
216 | void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; | |||
217 | void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; | |||
218 | void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; | |||
219 | void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; | |||
220 | void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; | |||
221 | void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const; | |||
222 | ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, | |||
223 | bool Assumption) const; | |||
224 | void checkLocation(SVal l, bool isLoad, const Stmt *S, | |||
225 | CheckerContext &C) const; | |||
226 | ||||
227 | ProgramStateRef checkPointerEscape(ProgramStateRef State, | |||
228 | const InvalidatedSymbols &Escaped, | |||
229 | const CallEvent *Call, | |||
230 | PointerEscapeKind Kind) const; | |||
231 | ProgramStateRef checkConstPointerEscape(ProgramStateRef State, | |||
232 | const InvalidatedSymbols &Escaped, | |||
233 | const CallEvent *Call, | |||
234 | PointerEscapeKind Kind) const; | |||
235 | ||||
236 | void printState(raw_ostream &Out, ProgramStateRef State, | |||
237 | const char *NL, const char *Sep) const override; | |||
238 | ||||
239 | private: | |||
240 | mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; | |||
241 | mutable std::unique_ptr<BugType> BT_DoubleDelete; | |||
242 | mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; | |||
243 | mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; | |||
244 | mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; | |||
245 | mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds]; | |||
246 | mutable std::unique_ptr<BugType> BT_MismatchedDealloc; | |||
247 | mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; | |||
248 | mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds]; | |||
249 | mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free, | |||
250 | *II_realloc, *II_calloc, *II_valloc, *II_reallocf, | |||
251 | *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc, | |||
252 | *II_if_nameindex, *II_if_freenameindex, *II_wcsdup, | |||
253 | *II_win_wcsdup, *II_g_malloc, *II_g_malloc0, | |||
254 | *II_g_realloc, *II_g_try_malloc, *II_g_try_malloc0, | |||
255 | *II_g_try_realloc, *II_g_free, *II_g_memdup, | |||
256 | *II_g_malloc_n, *II_g_malloc0_n, *II_g_realloc_n, | |||
257 | *II_g_try_malloc_n, *II_g_try_malloc0_n, | |||
258 | *II_g_try_realloc_n; | |||
259 | mutable Optional<uint64_t> KernelZeroFlagVal; | |||
260 | ||||
261 | void initIdentifierInfo(ASTContext &C) const; | |||
262 | ||||
263 | /// Determine family of a deallocation expression. | |||
264 | AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; | |||
265 | ||||
266 | /// Print names of allocators and deallocators. | |||
267 | /// | |||
268 | /// \returns true on success. | |||
269 | bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, | |||
270 | const Expr *E) const; | |||
271 | ||||
272 | /// Print expected name of an allocator based on the deallocator's | |||
273 | /// family derived from the DeallocExpr. | |||
274 | void printExpectedAllocName(raw_ostream &os, CheckerContext &C, | |||
275 | const Expr *DeallocExpr) const; | |||
276 | /// Print expected name of a deallocator based on the allocator's | |||
277 | /// family. | |||
278 | void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; | |||
279 | ||||
280 | ///@{ | |||
281 | /// Check if this is one of the functions which can allocate/reallocate memory | |||
282 | /// pointed to by one of its arguments. | |||
283 | bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; | |||
284 | bool isCMemFunction(const FunctionDecl *FD, | |||
285 | ASTContext &C, | |||
286 | AllocationFamily Family, | |||
287 | MemoryOperationKind MemKind) const; | |||
288 | bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; | |||
289 | ///@} | |||
290 | ||||
291 | /// Process C++ operator new()'s allocation, which is the part of C++ | |||
292 | /// new-expression that goes before the constructor. | |||
293 | void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C, | |||
294 | SVal Target) const; | |||
295 | ||||
296 | /// Perform a zero-allocation check. | |||
297 | /// The optional \p RetVal parameter specifies the newly allocated pointer | |||
298 | /// value; if unspecified, the value of expression \p E is used. | |||
299 | ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E, | |||
300 | const unsigned AllocationSizeArg, | |||
301 | ProgramStateRef State, | |||
302 | Optional<SVal> RetVal = None) const; | |||
303 | ||||
304 | ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, | |||
305 | const CallExpr *CE, | |||
306 | const OwnershipAttr* Att, | |||
307 | ProgramStateRef State) const; | |||
308 | static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, | |||
309 | const Expr *SizeEx, SVal Init, | |||
310 | ProgramStateRef State, | |||
311 | AllocationFamily Family = AF_Malloc); | |||
312 | static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, | |||
313 | SVal SizeEx, SVal Init, | |||
314 | ProgramStateRef State, | |||
315 | AllocationFamily Family = AF_Malloc); | |||
316 | ||||
317 | static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE, | |||
318 | ProgramStateRef State, SVal Target); | |||
319 | ||||
320 | // Check if this malloc() for special flags. At present that means M_ZERO or | |||
321 | // __GFP_ZERO (in which case, treat it like calloc). | |||
322 | llvm::Optional<ProgramStateRef> | |||
323 | performKernelMalloc(const CallExpr *CE, CheckerContext &C, | |||
324 | const ProgramStateRef &State) const; | |||
325 | ||||
326 | /// Update the RefState to reflect the new memory allocation. | |||
327 | /// The optional \p RetVal parameter specifies the newly allocated pointer | |||
328 | /// value; if unspecified, the value of expression \p E is used. | |||
329 | static ProgramStateRef | |||
330 | MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, | |||
331 | AllocationFamily Family = AF_Malloc, | |||
332 | Optional<SVal> RetVal = None); | |||
333 | ||||
334 | ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, | |||
335 | const OwnershipAttr* Att, | |||
336 | ProgramStateRef State) const; | |||
337 | ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, | |||
338 | ProgramStateRef state, unsigned Num, | |||
339 | bool Hold, | |||
340 | bool &ReleasedAllocated, | |||
341 | bool ReturnsNullOnFailure = false) const; | |||
342 | ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, | |||
343 | const Expr *ParentExpr, | |||
344 | ProgramStateRef State, | |||
345 | bool Hold, | |||
346 | bool &ReleasedAllocated, | |||
347 | bool ReturnsNullOnFailure = false) const; | |||
348 | ||||
349 | ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE, | |||
350 | bool FreesMemOnFailure, | |||
351 | ProgramStateRef State, | |||
352 | bool SuffixWithN = false) const; | |||
353 | static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, | |||
354 | const Expr *BlockBytes); | |||
355 | static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE, | |||
356 | ProgramStateRef State); | |||
357 | ||||
358 | /// Check if the memory associated with this symbol was released. | |||
359 | bool isReleased(SymbolRef Sym, CheckerContext &C) const; | |||
360 | ||||
361 | bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; | |||
362 | ||||
363 | void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, | |||
364 | const Stmt *S) const; | |||
365 | ||||
366 | bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; | |||
367 | ||||
368 | /// Check if the function is known free memory, or if it is | |||
369 | /// "interesting" and should be modeled explicitly. | |||
370 | /// | |||
371 | /// \param [out] EscapingSymbol A function might not free memory in general, | |||
372 | /// but could be known to free a particular symbol. In this case, false is | |||
373 | /// returned and the single escaping symbol is returned through the out | |||
374 | /// parameter. | |||
375 | /// | |||
376 | /// We assume that pointers do not escape through calls to system functions | |||
377 | /// not handled by this checker. | |||
378 | bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, | |||
379 | ProgramStateRef State, | |||
380 | SymbolRef &EscapingSymbol) const; | |||
381 | ||||
382 | // Implementation of the checkPointerEscape callbacks. | |||
383 | ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, | |||
384 | const InvalidatedSymbols &Escaped, | |||
385 | const CallEvent *Call, | |||
386 | PointerEscapeKind Kind, | |||
387 | bool(*CheckRefState)(const RefState*)) const; | |||
388 | ||||
389 | // Implementation of the checkPreStmt and checkEndFunction callbacks. | |||
390 | void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const; | |||
391 | ||||
392 | ///@{ | |||
393 | /// Tells if a given family/call/symbol is tracked by the current checker. | |||
394 | /// Sets CheckKind to the kind of the checker responsible for this | |||
395 | /// family/call/symbol. | |||
396 | Optional<CheckKind> getCheckIfTracked(AllocationFamily Family, | |||
397 | bool IsALeakCheck = false) const; | |||
398 | Optional<CheckKind> getCheckIfTracked(CheckerContext &C, | |||
399 | const Stmt *AllocDeallocStmt, | |||
400 | bool IsALeakCheck = false) const; | |||
401 | Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym, | |||
402 | bool IsALeakCheck = false) const; | |||
403 | ///@} | |||
404 | static bool SummarizeValue(raw_ostream &os, SVal V); | |||
405 | static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); | |||
406 | void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, | |||
407 | const Expr *DeallocExpr) const; | |||
408 | void ReportFreeAlloca(CheckerContext &C, SVal ArgVal, | |||
409 | SourceRange Range) const; | |||
410 | void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, | |||
411 | const Expr *DeallocExpr, const RefState *RS, | |||
412 | SymbolRef Sym, bool OwnershipTransferred) const; | |||
413 | void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, | |||
414 | const Expr *DeallocExpr, | |||
415 | const Expr *AllocExpr = nullptr) const; | |||
416 | void ReportUseAfterFree(CheckerContext &C, SourceRange Range, | |||
417 | SymbolRef Sym) const; | |||
418 | void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, | |||
419 | SymbolRef Sym, SymbolRef PrevSym) const; | |||
420 | ||||
421 | void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; | |||
422 | ||||
423 | void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range, | |||
424 | SymbolRef Sym) const; | |||
425 | ||||
426 | void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, | |||
427 | SourceRange Range, const Expr *FreeExpr) const; | |||
428 | ||||
429 | /// Find the location of the allocation for Sym on the path leading to the | |||
430 | /// exploded node N. | |||
431 | LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, | |||
432 | CheckerContext &C) const; | |||
433 | ||||
434 | void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; | |||
435 | ||||
436 | /// The bug visitor which allows us to print extra diagnostics along the | |||
437 | /// BugReport path. For example, showing the allocation site of the leaked | |||
438 | /// region. | |||
439 | class MallocBugVisitor final : public BugReporterVisitor { | |||
440 | protected: | |||
441 | enum NotificationMode { | |||
442 | Normal, | |||
443 | ReallocationFailed | |||
444 | }; | |||
445 | ||||
446 | // The allocated region symbol tracked by the main analysis. | |||
447 | SymbolRef Sym; | |||
448 | ||||
449 | // The mode we are in, i.e. what kind of diagnostics will be emitted. | |||
450 | NotificationMode Mode; | |||
451 | ||||
452 | // A symbol from when the primary region should have been reallocated. | |||
453 | SymbolRef FailedReallocSymbol; | |||
454 | ||||
455 | // A C++ destructor stack frame in which memory was released. Used for | |||
456 | // miscellaneous false positive suppression. | |||
457 | const StackFrameContext *ReleaseDestructorLC; | |||
458 | ||||
459 | bool IsLeak; | |||
460 | ||||
461 | public: | |||
462 | MallocBugVisitor(SymbolRef S, bool isLeak = false) | |||
463 | : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr), | |||
464 | ReleaseDestructorLC(nullptr), IsLeak(isLeak) {} | |||
465 | ||||
466 | static void *getTag() { | |||
467 | static int Tag = 0; | |||
468 | return &Tag; | |||
469 | } | |||
470 | ||||
471 | void Profile(llvm::FoldingSetNodeID &ID) const override { | |||
472 | ID.AddPointer(getTag()); | |||
473 | ID.AddPointer(Sym); | |||
474 | } | |||
475 | ||||
476 | inline bool isAllocated(const RefState *S, const RefState *SPrev, | |||
477 | const Stmt *Stmt) { | |||
478 | // Did not track -> allocated. Other state (released) -> allocated. | |||
479 | return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && | |||
480 | (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) && | |||
481 | (!SPrev || !(SPrev->isAllocated() || | |||
482 | SPrev->isAllocatedOfSizeZero()))); | |||
483 | } | |||
484 | ||||
485 | inline bool isReleased(const RefState *S, const RefState *SPrev, | |||
486 | const Stmt *Stmt) { | |||
487 | // Did not track -> released. Other state (allocated) -> released. | |||
488 | // The statement associated with the release might be missing. | |||
489 | bool IsReleased = (S && S->isReleased()) && | |||
490 | (!SPrev || !SPrev->isReleased()); | |||
491 | assert(!IsReleased ||((!IsReleased || (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S-> getAllocationFamily() == AF_InnerBuffer)) ? static_cast<void > (0) : __assert_fail ("!IsReleased || (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 493, __PRETTY_FUNCTION__)) | |||
492 | (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) ||((!IsReleased || (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S-> getAllocationFamily() == AF_InnerBuffer)) ? static_cast<void > (0) : __assert_fail ("!IsReleased || (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 493, __PRETTY_FUNCTION__)) | |||
493 | (!Stmt && S->getAllocationFamily() == AF_InnerBuffer))((!IsReleased || (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S-> getAllocationFamily() == AF_InnerBuffer)) ? static_cast<void > (0) : __assert_fail ("!IsReleased || (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) || (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 493, __PRETTY_FUNCTION__)); | |||
494 | return IsReleased; | |||
495 | } | |||
496 | ||||
497 | inline bool isRelinquished(const RefState *S, const RefState *SPrev, | |||
498 | const Stmt *Stmt) { | |||
499 | // Did not track -> relinquished. Other state (allocated) -> relinquished. | |||
500 | return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || | |||
501 | isa<ObjCPropertyRefExpr>(Stmt)) && | |||
502 | (S && S->isRelinquished()) && | |||
503 | (!SPrev || !SPrev->isRelinquished())); | |||
504 | } | |||
505 | ||||
506 | inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, | |||
507 | const Stmt *Stmt) { | |||
508 | // If the expression is not a call, and the state change is | |||
509 | // released -> allocated, it must be the realloc return value | |||
510 | // check. If we have to handle more cases here, it might be cleaner just | |||
511 | // to track this extra bit in the state itself. | |||
512 | return ((!Stmt || !isa<CallExpr>(Stmt)) && | |||
513 | (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) && | |||
514 | (SPrev && !(SPrev->isAllocated() || | |||
515 | SPrev->isAllocatedOfSizeZero()))); | |||
516 | } | |||
517 | ||||
518 | std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N, | |||
519 | BugReporterContext &BRC, | |||
520 | BugReport &BR) override; | |||
521 | ||||
522 | std::shared_ptr<PathDiagnosticPiece> | |||
523 | getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode, | |||
524 | BugReport &BR) override { | |||
525 | if (!IsLeak) | |||
526 | return nullptr; | |||
527 | ||||
528 | PathDiagnosticLocation L = | |||
529 | PathDiagnosticLocation::createEndOfPath(EndPathNode, | |||
530 | BRC.getSourceManager()); | |||
531 | // Do not add the statement itself as a range in case of leak. | |||
532 | return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(), | |||
533 | false); | |||
534 | } | |||
535 | ||||
536 | private: | |||
537 | class StackHintGeneratorForReallocationFailed | |||
538 | : public StackHintGeneratorForSymbol { | |||
539 | public: | |||
540 | StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) | |||
541 | : StackHintGeneratorForSymbol(S, M) {} | |||
542 | ||||
543 | std::string getMessageForArg(const Expr *ArgE, | |||
544 | unsigned ArgIndex) override { | |||
545 | // Printed parameters start at 1, not 0. | |||
546 | ++ArgIndex; | |||
547 | ||||
548 | SmallString<200> buf; | |||
549 | llvm::raw_svector_ostream os(buf); | |||
550 | ||||
551 | os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) | |||
552 | << " parameter failed"; | |||
553 | ||||
554 | return os.str(); | |||
555 | } | |||
556 | ||||
557 | std::string getMessageForReturn(const CallExpr *CallExpr) override { | |||
558 | return "Reallocation of returned value failed"; | |||
559 | } | |||
560 | }; | |||
561 | }; | |||
562 | }; | |||
563 | } // end anonymous namespace | |||
564 | ||||
565 | REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)namespace { class RegionState {}; using RegionStateTy = llvm:: ImmutableMap<SymbolRef, RefState>; } namespace clang { namespace ento { template <> struct ProgramStateTrait<RegionState > : public ProgramStatePartialTrait<RegionStateTy> { static void *GDMIndex() { static int Index; return &Index ; } }; } } | |||
566 | REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)namespace { class ReallocPairs {}; using ReallocPairsTy = llvm ::ImmutableMap<SymbolRef, ReallocPair>; } namespace clang { namespace ento { template <> struct ProgramStateTrait <ReallocPairs> : public ProgramStatePartialTrait<ReallocPairsTy > { static void *GDMIndex() { static int Index; return & Index; } }; } } | |||
567 | REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)namespace { class ReallocSizeZeroSymbols {}; using ReallocSizeZeroSymbolsTy = llvm::ImmutableSet<SymbolRef>; } namespace clang { namespace ento { template <> struct ProgramStateTrait<ReallocSizeZeroSymbols > : public ProgramStatePartialTrait<ReallocSizeZeroSymbolsTy > { static void *GDMIndex() { static int Index; return & Index; } }; } } | |||
568 | ||||
569 | // A map from the freed symbol to the symbol representing the return value of | |||
570 | // the free function. | |||
571 | REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)namespace { class FreeReturnValue {}; using FreeReturnValueTy = llvm::ImmutableMap<SymbolRef, SymbolRef>; } namespace clang { namespace ento { template <> struct ProgramStateTrait <FreeReturnValue> : public ProgramStatePartialTrait< FreeReturnValueTy> { static void *GDMIndex() { static int Index ; return &Index; } }; } } | |||
572 | ||||
573 | namespace { | |||
574 | class StopTrackingCallback final : public SymbolVisitor { | |||
575 | ProgramStateRef state; | |||
576 | public: | |||
577 | StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {} | |||
578 | ProgramStateRef getState() const { return state; } | |||
579 | ||||
580 | bool VisitSymbol(SymbolRef sym) override { | |||
581 | state = state->remove<RegionState>(sym); | |||
582 | return true; | |||
583 | } | |||
584 | }; | |||
585 | } // end anonymous namespace | |||
586 | ||||
587 | void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { | |||
588 | if (II_malloc) | |||
589 | return; | |||
590 | II_alloca = &Ctx.Idents.get("alloca"); | |||
591 | II_malloc = &Ctx.Idents.get("malloc"); | |||
592 | II_free = &Ctx.Idents.get("free"); | |||
593 | II_realloc = &Ctx.Idents.get("realloc"); | |||
594 | II_reallocf = &Ctx.Idents.get("reallocf"); | |||
595 | II_calloc = &Ctx.Idents.get("calloc"); | |||
596 | II_valloc = &Ctx.Idents.get("valloc"); | |||
597 | II_strdup = &Ctx.Idents.get("strdup"); | |||
598 | II_strndup = &Ctx.Idents.get("strndup"); | |||
599 | II_wcsdup = &Ctx.Idents.get("wcsdup"); | |||
600 | II_kmalloc = &Ctx.Idents.get("kmalloc"); | |||
601 | II_if_nameindex = &Ctx.Idents.get("if_nameindex"); | |||
602 | II_if_freenameindex = &Ctx.Idents.get("if_freenameindex"); | |||
603 | ||||
604 | //MSVC uses `_`-prefixed instead, so we check for them too. | |||
605 | II_win_strdup = &Ctx.Idents.get("_strdup"); | |||
606 | II_win_wcsdup = &Ctx.Idents.get("_wcsdup"); | |||
607 | II_win_alloca = &Ctx.Idents.get("_alloca"); | |||
608 | ||||
609 | // Glib | |||
610 | II_g_malloc = &Ctx.Idents.get("g_malloc"); | |||
611 | II_g_malloc0 = &Ctx.Idents.get("g_malloc0"); | |||
612 | II_g_realloc = &Ctx.Idents.get("g_realloc"); | |||
613 | II_g_try_malloc = &Ctx.Idents.get("g_try_malloc"); | |||
614 | II_g_try_malloc0 = &Ctx.Idents.get("g_try_malloc0"); | |||
615 | II_g_try_realloc = &Ctx.Idents.get("g_try_realloc"); | |||
616 | II_g_free = &Ctx.Idents.get("g_free"); | |||
617 | II_g_memdup = &Ctx.Idents.get("g_memdup"); | |||
618 | II_g_malloc_n = &Ctx.Idents.get("g_malloc_n"); | |||
619 | II_g_malloc0_n = &Ctx.Idents.get("g_malloc0_n"); | |||
620 | II_g_realloc_n = &Ctx.Idents.get("g_realloc_n"); | |||
621 | II_g_try_malloc_n = &Ctx.Idents.get("g_try_malloc_n"); | |||
622 | II_g_try_malloc0_n = &Ctx.Idents.get("g_try_malloc0_n"); | |||
623 | II_g_try_realloc_n = &Ctx.Idents.get("g_try_realloc_n"); | |||
624 | } | |||
625 | ||||
626 | bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { | |||
627 | if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any)) | |||
628 | return true; | |||
629 | ||||
630 | if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) | |||
631 | return true; | |||
632 | ||||
633 | if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any)) | |||
634 | return true; | |||
635 | ||||
636 | if (isStandardNewDelete(FD, C)) | |||
637 | return true; | |||
638 | ||||
639 | return false; | |||
640 | } | |||
641 | ||||
642 | bool MallocChecker::isCMemFunction(const FunctionDecl *FD, | |||
643 | ASTContext &C, | |||
644 | AllocationFamily Family, | |||
645 | MemoryOperationKind MemKind) const { | |||
646 | if (!FD) | |||
647 | return false; | |||
648 | ||||
649 | bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any || | |||
650 | MemKind == MemoryOperationKind::MOK_Free); | |||
651 | bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any || | |||
652 | MemKind == MemoryOperationKind::MOK_Allocate); | |||
653 | ||||
654 | if (FD->getKind() == Decl::Function) { | |||
655 | const IdentifierInfo *FunI = FD->getIdentifier(); | |||
656 | initIdentifierInfo(C); | |||
657 | ||||
658 | if (Family == AF_Malloc && CheckFree) { | |||
659 | if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf || | |||
660 | FunI == II_g_free) | |||
661 | return true; | |||
662 | } | |||
663 | ||||
664 | if (Family == AF_Malloc && CheckAlloc) { | |||
665 | if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf || | |||
666 | FunI == II_calloc || FunI == II_valloc || FunI == II_strdup || | |||
667 | FunI == II_win_strdup || FunI == II_strndup || FunI == II_wcsdup || | |||
668 | FunI == II_win_wcsdup || FunI == II_kmalloc || | |||
669 | FunI == II_g_malloc || FunI == II_g_malloc0 || | |||
670 | FunI == II_g_realloc || FunI == II_g_try_malloc || | |||
671 | FunI == II_g_try_malloc0 || FunI == II_g_try_realloc || | |||
672 | FunI == II_g_memdup || FunI == II_g_malloc_n || | |||
673 | FunI == II_g_malloc0_n || FunI == II_g_realloc_n || | |||
674 | FunI == II_g_try_malloc_n || FunI == II_g_try_malloc0_n || | |||
675 | FunI == II_g_try_realloc_n) | |||
676 | return true; | |||
677 | } | |||
678 | ||||
679 | if (Family == AF_IfNameIndex && CheckFree) { | |||
680 | if (FunI == II_if_freenameindex) | |||
681 | return true; | |||
682 | } | |||
683 | ||||
684 | if (Family == AF_IfNameIndex && CheckAlloc) { | |||
685 | if (FunI == II_if_nameindex) | |||
686 | return true; | |||
687 | } | |||
688 | ||||
689 | if (Family == AF_Alloca && CheckAlloc) { | |||
690 | if (FunI == II_alloca || FunI == II_win_alloca) | |||
691 | return true; | |||
692 | } | |||
693 | } | |||
694 | ||||
695 | if (Family != AF_Malloc) | |||
696 | return false; | |||
697 | ||||
698 | if (IsOptimistic && FD->hasAttrs()) { | |||
699 | for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { | |||
700 | OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); | |||
701 | if(OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) { | |||
702 | if (CheckFree) | |||
703 | return true; | |||
704 | } else if (OwnKind == OwnershipAttr::Returns) { | |||
705 | if (CheckAlloc) | |||
706 | return true; | |||
707 | } | |||
708 | } | |||
709 | } | |||
710 | ||||
711 | return false; | |||
712 | } | |||
713 | ||||
714 | // Tells if the callee is one of the builtin new/delete operators, including | |||
715 | // placement operators and other standard overloads. | |||
716 | bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, | |||
717 | ASTContext &C) const { | |||
718 | if (!FD) | |||
719 | return false; | |||
720 | ||||
721 | OverloadedOperatorKind Kind = FD->getOverloadedOperator(); | |||
722 | if (Kind != OO_New && Kind != OO_Array_New && | |||
723 | Kind != OO_Delete && Kind != OO_Array_Delete) | |||
724 | return false; | |||
725 | ||||
726 | // This is standard if and only if it's not defined in a user file. | |||
727 | SourceLocation L = FD->getLocation(); | |||
728 | // If the header for operator delete is not included, it's still defined | |||
729 | // in an invalid source location. Check to make sure we don't crash. | |||
730 | return !L.isValid() || C.getSourceManager().isInSystemHeader(L); | |||
731 | } | |||
732 | ||||
733 | llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc( | |||
734 | const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const { | |||
735 | // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: | |||
736 | // | |||
737 | // void *malloc(unsigned long size, struct malloc_type *mtp, int flags); | |||
738 | // | |||
739 | // One of the possible flags is M_ZERO, which means 'give me back an | |||
740 | // allocation which is already zeroed', like calloc. | |||
741 | ||||
742 | // 2-argument kmalloc(), as used in the Linux kernel: | |||
743 | // | |||
744 | // void *kmalloc(size_t size, gfp_t flags); | |||
745 | // | |||
746 | // Has the similar flag value __GFP_ZERO. | |||
747 | ||||
748 | // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some | |||
749 | // code could be shared. | |||
750 | ||||
751 | ASTContext &Ctx = C.getASTContext(); | |||
752 | llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS(); | |||
753 | ||||
754 | if (!KernelZeroFlagVal.hasValue()) { | |||
755 | if (OS == llvm::Triple::FreeBSD) | |||
756 | KernelZeroFlagVal = 0x0100; | |||
757 | else if (OS == llvm::Triple::NetBSD) | |||
758 | KernelZeroFlagVal = 0x0002; | |||
759 | else if (OS == llvm::Triple::OpenBSD) | |||
760 | KernelZeroFlagVal = 0x0008; | |||
761 | else if (OS == llvm::Triple::Linux) | |||
762 | // __GFP_ZERO | |||
763 | KernelZeroFlagVal = 0x8000; | |||
764 | else | |||
765 | // FIXME: We need a more general way of getting the M_ZERO value. | |||
766 | // See also: O_CREAT in UnixAPIChecker.cpp. | |||
767 | ||||
768 | // Fall back to normal malloc behavior on platforms where we don't | |||
769 | // know M_ZERO. | |||
770 | return None; | |||
771 | } | |||
772 | ||||
773 | // We treat the last argument as the flags argument, and callers fall-back to | |||
774 | // normal malloc on a None return. This works for the FreeBSD kernel malloc | |||
775 | // as well as Linux kmalloc. | |||
776 | if (CE->getNumArgs() < 2) | |||
777 | return None; | |||
778 | ||||
779 | const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1); | |||
780 | const SVal V = C.getSVal(FlagsEx); | |||
781 | if (!V.getAs<NonLoc>()) { | |||
782 | // The case where 'V' can be a location can only be due to a bad header, | |||
783 | // so in this case bail out. | |||
784 | return None; | |||
785 | } | |||
786 | ||||
787 | NonLoc Flags = V.castAs<NonLoc>(); | |||
788 | NonLoc ZeroFlag = C.getSValBuilder() | |||
789 | .makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType()) | |||
790 | .castAs<NonLoc>(); | |||
791 | SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And, | |||
792 | Flags, ZeroFlag, | |||
793 | FlagsEx->getType()); | |||
794 | if (MaskedFlagsUC.isUnknownOrUndef()) | |||
795 | return None; | |||
796 | DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>(); | |||
797 | ||||
798 | // Check if maskedFlags is non-zero. | |||
799 | ProgramStateRef TrueState, FalseState; | |||
800 | std::tie(TrueState, FalseState) = State->assume(MaskedFlags); | |||
801 | ||||
802 | // If M_ZERO is set, treat this like calloc (initialized). | |||
803 | if (TrueState && !FalseState) { | |||
804 | SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); | |||
805 | return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState); | |||
806 | } | |||
807 | ||||
808 | return None; | |||
809 | } | |||
810 | ||||
811 | SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, | |||
812 | const Expr *BlockBytes) { | |||
813 | SValBuilder &SB = C.getSValBuilder(); | |||
814 | SVal BlocksVal = C.getSVal(Blocks); | |||
815 | SVal BlockBytesVal = C.getSVal(BlockBytes); | |||
816 | ProgramStateRef State = C.getState(); | |||
817 | SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal, | |||
818 | SB.getContext().getSizeType()); | |||
819 | return TotalSize; | |||
820 | } | |||
821 | ||||
822 | void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { | |||
823 | if (C.wasInlined) | |||
824 | return; | |||
825 | ||||
826 | const FunctionDecl *FD = C.getCalleeDecl(CE); | |||
827 | if (!FD) | |||
828 | return; | |||
829 | ||||
830 | ProgramStateRef State = C.getState(); | |||
831 | bool ReleasedAllocatedMemory = false; | |||
832 | ||||
833 | if (FD->getKind() == Decl::Function) { | |||
834 | initIdentifierInfo(C.getASTContext()); | |||
835 | IdentifierInfo *FunI = FD->getIdentifier(); | |||
836 | ||||
837 | if (FunI == II_malloc || FunI == II_g_malloc || FunI == II_g_try_malloc) { | |||
838 | if (CE->getNumArgs() < 1) | |||
839 | return; | |||
840 | if (CE->getNumArgs() < 3) { | |||
841 | State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); | |||
842 | if (CE->getNumArgs() == 1) | |||
843 | State = ProcessZeroAllocation(C, CE, 0, State); | |||
844 | } else if (CE->getNumArgs() == 3) { | |||
845 | llvm::Optional<ProgramStateRef> MaybeState = | |||
846 | performKernelMalloc(CE, C, State); | |||
847 | if (MaybeState.hasValue()) | |||
848 | State = MaybeState.getValue(); | |||
849 | else | |||
850 | State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); | |||
851 | } | |||
852 | } else if (FunI == II_kmalloc) { | |||
853 | if (CE->getNumArgs() < 1) | |||
854 | return; | |||
855 | llvm::Optional<ProgramStateRef> MaybeState = | |||
856 | performKernelMalloc(CE, C, State); | |||
857 | if (MaybeState.hasValue()) | |||
858 | State = MaybeState.getValue(); | |||
859 | else | |||
860 | State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); | |||
861 | } else if (FunI == II_valloc) { | |||
862 | if (CE->getNumArgs() < 1) | |||
863 | return; | |||
864 | State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); | |||
865 | State = ProcessZeroAllocation(C, CE, 0, State); | |||
866 | } else if (FunI == II_realloc || FunI == II_g_realloc || | |||
867 | FunI == II_g_try_realloc) { | |||
868 | State = ReallocMemAux(C, CE, false, State); | |||
869 | State = ProcessZeroAllocation(C, CE, 1, State); | |||
870 | } else if (FunI == II_reallocf) { | |||
871 | State = ReallocMemAux(C, CE, true, State); | |||
872 | State = ProcessZeroAllocation(C, CE, 1, State); | |||
873 | } else if (FunI == II_calloc) { | |||
874 | State = CallocMem(C, CE, State); | |||
875 | State = ProcessZeroAllocation(C, CE, 0, State); | |||
876 | State = ProcessZeroAllocation(C, CE, 1, State); | |||
877 | } else if (FunI == II_free || FunI == II_g_free) { | |||
878 | State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); | |||
879 | } else if (FunI == II_strdup || FunI == II_win_strdup || | |||
880 | FunI == II_wcsdup || FunI == II_win_wcsdup) { | |||
881 | State = MallocUpdateRefState(C, CE, State); | |||
882 | } else if (FunI == II_strndup) { | |||
883 | State = MallocUpdateRefState(C, CE, State); | |||
884 | } else if (FunI == II_alloca || FunI == II_win_alloca) { | |||
885 | if (CE->getNumArgs() < 1) | |||
886 | return; | |||
887 | State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, | |||
888 | AF_Alloca); | |||
889 | State = ProcessZeroAllocation(C, CE, 0, State); | |||
890 | } else if (isStandardNewDelete(FD, C.getASTContext())) { | |||
891 | // Process direct calls to operator new/new[]/delete/delete[] functions | |||
892 | // as distinct from new/new[]/delete/delete[] expressions that are | |||
893 | // processed by the checkPostStmt callbacks for CXXNewExpr and | |||
894 | // CXXDeleteExpr. | |||
895 | OverloadedOperatorKind K = FD->getOverloadedOperator(); | |||
896 | if (K == OO_New) { | |||
897 | State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, | |||
898 | AF_CXXNew); | |||
899 | State = ProcessZeroAllocation(C, CE, 0, State); | |||
900 | } | |||
901 | else if (K == OO_Array_New) { | |||
902 | State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, | |||
903 | AF_CXXNewArray); | |||
904 | State = ProcessZeroAllocation(C, CE, 0, State); | |||
905 | } | |||
906 | else if (K == OO_Delete || K == OO_Array_Delete) | |||
907 | State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); | |||
908 | else | |||
909 | llvm_unreachable("not a new/delete operator")::llvm::llvm_unreachable_internal("not a new/delete operator" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 909); | |||
910 | } else if (FunI == II_if_nameindex) { | |||
911 | // Should we model this differently? We can allocate a fixed number of | |||
912 | // elements with zeros in the last one. | |||
913 | State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, | |||
914 | AF_IfNameIndex); | |||
915 | } else if (FunI == II_if_freenameindex) { | |||
916 | State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); | |||
917 | } else if (FunI == II_g_malloc0 || FunI == II_g_try_malloc0) { | |||
918 | if (CE->getNumArgs() < 1) | |||
919 | return; | |||
920 | SValBuilder &svalBuilder = C.getSValBuilder(); | |||
921 | SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); | |||
922 | State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State); | |||
923 | State = ProcessZeroAllocation(C, CE, 0, State); | |||
924 | } else if (FunI == II_g_memdup) { | |||
925 | if (CE->getNumArgs() < 2) | |||
926 | return; | |||
927 | State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State); | |||
928 | State = ProcessZeroAllocation(C, CE, 1, State); | |||
929 | } else if (FunI == II_g_malloc_n || FunI == II_g_try_malloc_n || | |||
930 | FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) { | |||
931 | if (CE->getNumArgs() < 2) | |||
932 | return; | |||
933 | SVal Init = UndefinedVal(); | |||
934 | if (FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) { | |||
935 | SValBuilder &SB = C.getSValBuilder(); | |||
936 | Init = SB.makeZeroVal(SB.getContext().CharTy); | |||
937 | } | |||
938 | SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); | |||
939 | State = MallocMemAux(C, CE, TotalSize, Init, State); | |||
940 | State = ProcessZeroAllocation(C, CE, 0, State); | |||
941 | State = ProcessZeroAllocation(C, CE, 1, State); | |||
942 | } else if (FunI == II_g_realloc_n || FunI == II_g_try_realloc_n) { | |||
943 | if (CE->getNumArgs() < 3) | |||
944 | return; | |||
945 | State = ReallocMemAux(C, CE, false, State, true); | |||
946 | State = ProcessZeroAllocation(C, CE, 1, State); | |||
947 | State = ProcessZeroAllocation(C, CE, 2, State); | |||
948 | } | |||
949 | } | |||
950 | ||||
951 | if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) { | |||
952 | // Check all the attributes, if there are any. | |||
953 | // There can be multiple of these attributes. | |||
954 | if (FD->hasAttrs()) | |||
955 | for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { | |||
956 | switch (I->getOwnKind()) { | |||
957 | case OwnershipAttr::Returns: | |||
958 | State = MallocMemReturnsAttr(C, CE, I, State); | |||
959 | break; | |||
960 | case OwnershipAttr::Takes: | |||
961 | case OwnershipAttr::Holds: | |||
962 | State = FreeMemAttr(C, CE, I, State); | |||
963 | break; | |||
964 | } | |||
965 | } | |||
966 | } | |||
967 | C.addTransition(State); | |||
968 | } | |||
969 | ||||
970 | // Performs a 0-sized allocations check. | |||
971 | ProgramStateRef MallocChecker::ProcessZeroAllocation( | |||
972 | CheckerContext &C, const Expr *E, const unsigned AllocationSizeArg, | |||
973 | ProgramStateRef State, Optional<SVal> RetVal) const { | |||
974 | if (!State) | |||
975 | return nullptr; | |||
976 | ||||
977 | if (!RetVal) | |||
978 | RetVal = C.getSVal(E); | |||
979 | ||||
980 | const Expr *Arg = nullptr; | |||
981 | ||||
982 | if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { | |||
983 | Arg = CE->getArg(AllocationSizeArg); | |||
984 | } | |||
985 | else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { | |||
986 | if (NE->isArray()) | |||
987 | Arg = *NE->getArraySize(); | |||
988 | else | |||
989 | return State; | |||
990 | } | |||
991 | else | |||
992 | llvm_unreachable("not a CallExpr or CXXNewExpr")::llvm::llvm_unreachable_internal("not a CallExpr or CXXNewExpr" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 992); | |||
993 | ||||
994 | assert(Arg)((Arg) ? static_cast<void> (0) : __assert_fail ("Arg", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 994, __PRETTY_FUNCTION__)); | |||
995 | ||||
996 | Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>(); | |||
997 | ||||
998 | if (!DefArgVal) | |||
999 | return State; | |||
1000 | ||||
1001 | // Check if the allocation size is 0. | |||
1002 | ProgramStateRef TrueState, FalseState; | |||
1003 | SValBuilder &SvalBuilder = C.getSValBuilder(); | |||
1004 | DefinedSVal Zero = | |||
1005 | SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>(); | |||
1006 | ||||
1007 | std::tie(TrueState, FalseState) = | |||
1008 | State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero)); | |||
1009 | ||||
1010 | if (TrueState && !FalseState) { | |||
1011 | SymbolRef Sym = RetVal->getAsLocSymbol(); | |||
1012 | if (!Sym) | |||
1013 | return State; | |||
1014 | ||||
1015 | const RefState *RS = State->get<RegionState>(Sym); | |||
1016 | if (RS) { | |||
1017 | if (RS->isAllocated()) | |||
1018 | return TrueState->set<RegionState>(Sym, | |||
1019 | RefState::getAllocatedOfSizeZero(RS)); | |||
1020 | else | |||
1021 | return State; | |||
1022 | } else { | |||
1023 | // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as | |||
1024 | // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not | |||
1025 | // tracked. Add zero-reallocated Sym to the state to catch references | |||
1026 | // to zero-allocated memory. | |||
1027 | return TrueState->add<ReallocSizeZeroSymbols>(Sym); | |||
1028 | } | |||
1029 | } | |||
1030 | ||||
1031 | // Assume the value is non-zero going forward. | |||
1032 | assert(FalseState)((FalseState) ? static_cast<void> (0) : __assert_fail ( "FalseState", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1032, __PRETTY_FUNCTION__)); | |||
1033 | return FalseState; | |||
1034 | } | |||
1035 | ||||
1036 | static QualType getDeepPointeeType(QualType T) { | |||
1037 | QualType Result = T, PointeeType = T->getPointeeType(); | |||
1038 | while (!PointeeType.isNull()) { | |||
1039 | Result = PointeeType; | |||
1040 | PointeeType = PointeeType->getPointeeType(); | |||
1041 | } | |||
1042 | return Result; | |||
1043 | } | |||
1044 | ||||
1045 | static bool treatUnusedNewEscaped(const CXXNewExpr *NE) { | |||
1046 | ||||
1047 | const CXXConstructExpr *ConstructE = NE->getConstructExpr(); | |||
1048 | if (!ConstructE) | |||
1049 | return false; | |||
1050 | ||||
1051 | if (!NE->getAllocatedType()->getAsCXXRecordDecl()) | |||
1052 | return false; | |||
1053 | ||||
1054 | const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); | |||
1055 | ||||
1056 | // Iterate over the constructor parameters. | |||
1057 | for (const auto *CtorParam : CtorD->parameters()) { | |||
1058 | ||||
1059 | QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType(); | |||
1060 | if (CtorParamPointeeT.isNull()) | |||
1061 | continue; | |||
1062 | ||||
1063 | CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT); | |||
1064 | ||||
1065 | if (CtorParamPointeeT->getAsCXXRecordDecl()) | |||
1066 | return true; | |||
1067 | } | |||
1068 | ||||
1069 | return false; | |||
1070 | } | |||
1071 | ||||
1072 | void MallocChecker::processNewAllocation(const CXXNewExpr *NE, | |||
1073 | CheckerContext &C, | |||
1074 | SVal Target) const { | |||
1075 | if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) | |||
1076 | return; | |||
1077 | ||||
1078 | ParentMap &PM = C.getLocationContext()->getParentMap(); | |||
1079 | if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE)) | |||
1080 | return; | |||
1081 | ||||
1082 | ProgramStateRef State = C.getState(); | |||
1083 | // The return value from operator new is bound to a specified initialization | |||
1084 | // value (if any) and we don't want to loose this value. So we call | |||
1085 | // MallocUpdateRefState() instead of MallocMemAux() which breaks the | |||
1086 | // existing binding. | |||
1087 | State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray | |||
1088 | : AF_CXXNew, Target); | |||
1089 | State = addExtentSize(C, NE, State, Target); | |||
1090 | State = ProcessZeroAllocation(C, NE, 0, State, Target); | |||
1091 | C.addTransition(State); | |||
1092 | } | |||
1093 | ||||
1094 | void MallocChecker::checkPostStmt(const CXXNewExpr *NE, | |||
1095 | CheckerContext &C) const { | |||
1096 | if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator) | |||
1097 | processNewAllocation(NE, C, C.getSVal(NE)); | |||
1098 | } | |||
1099 | ||||
1100 | void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target, | |||
1101 | CheckerContext &C) const { | |||
1102 | if (!C.wasInlined) | |||
1103 | processNewAllocation(NE, C, Target); | |||
1104 | } | |||
1105 | ||||
1106 | // Sets the extent value of the MemRegion allocated by | |||
1107 | // new expression NE to its size in Bytes. | |||
1108 | // | |||
1109 | ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C, | |||
1110 | const CXXNewExpr *NE, | |||
1111 | ProgramStateRef State, | |||
1112 | SVal Target) { | |||
1113 | if (!State) | |||
1114 | return nullptr; | |||
1115 | SValBuilder &svalBuilder = C.getSValBuilder(); | |||
1116 | SVal ElementCount; | |||
1117 | const SubRegion *Region; | |||
1118 | if (NE->isArray()) { | |||
1119 | const Expr *SizeExpr = *NE->getArraySize(); | |||
1120 | ElementCount = C.getSVal(SizeExpr); | |||
1121 | // Store the extent size for the (symbolic)region | |||
1122 | // containing the elements. | |||
1123 | Region = Target.getAsRegion() | |||
1124 | ->getAs<SubRegion>() | |||
1125 | ->StripCasts() | |||
1126 | ->getAs<SubRegion>(); | |||
1127 | } else { | |||
1128 | ElementCount = svalBuilder.makeIntVal(1, true); | |||
1129 | Region = Target.getAsRegion()->getAs<SubRegion>(); | |||
1130 | } | |||
1131 | assert(Region)((Region) ? static_cast<void> (0) : __assert_fail ("Region" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1131, __PRETTY_FUNCTION__)); | |||
1132 | ||||
1133 | // Set the region's extent equal to the Size in Bytes. | |||
1134 | QualType ElementType = NE->getAllocatedType(); | |||
1135 | ASTContext &AstContext = C.getASTContext(); | |||
1136 | CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType); | |||
1137 | ||||
1138 | if (ElementCount.getAs<NonLoc>()) { | |||
1139 | DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder); | |||
1140 | // size in Bytes = ElementCount*TypeSize | |||
1141 | SVal SizeInBytes = svalBuilder.evalBinOpNN( | |||
1142 | State, BO_Mul, ElementCount.castAs<NonLoc>(), | |||
1143 | svalBuilder.makeArrayIndex(TypeSize.getQuantity()), | |||
1144 | svalBuilder.getArrayIndexType()); | |||
1145 | DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ( | |||
1146 | State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>()); | |||
1147 | State = State->assume(extentMatchesSize, true); | |||
1148 | } | |||
1149 | return State; | |||
1150 | } | |||
1151 | ||||
1152 | void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, | |||
1153 | CheckerContext &C) const { | |||
1154 | ||||
1155 | if (!ChecksEnabled[CK_NewDeleteChecker]) | |||
1156 | if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) | |||
1157 | checkUseAfterFree(Sym, C, DE->getArgument()); | |||
1158 | ||||
1159 | if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) | |||
1160 | return; | |||
1161 | ||||
1162 | ProgramStateRef State = C.getState(); | |||
1163 | bool ReleasedAllocated; | |||
1164 | State = FreeMemAux(C, DE->getArgument(), DE, State, | |||
1165 | /*Hold*/false, ReleasedAllocated); | |||
1166 | ||||
1167 | C.addTransition(State); | |||
1168 | } | |||
1169 | ||||
1170 | static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { | |||
1171 | // If the first selector piece is one of the names below, assume that the | |||
1172 | // object takes ownership of the memory, promising to eventually deallocate it | |||
1173 | // with free(). | |||
1174 | // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; | |||
1175 | // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) | |||
1176 | StringRef FirstSlot = Call.getSelector().getNameForSlot(0); | |||
1177 | return FirstSlot == "dataWithBytesNoCopy" || | |||
1178 | FirstSlot == "initWithBytesNoCopy" || | |||
1179 | FirstSlot == "initWithCharactersNoCopy"; | |||
1180 | } | |||
1181 | ||||
1182 | static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { | |||
1183 | Selector S = Call.getSelector(); | |||
1184 | ||||
1185 | // FIXME: We should not rely on fully-constrained symbols being folded. | |||
1186 | for (unsigned i = 1; i < S.getNumArgs(); ++i) | |||
1187 | if (S.getNameForSlot(i).equals("freeWhenDone")) | |||
1188 | return !Call.getArgSVal(i).isZeroConstant(); | |||
1189 | ||||
1190 | return None; | |||
1191 | } | |||
1192 | ||||
1193 | void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, | |||
1194 | CheckerContext &C) const { | |||
1195 | if (C.wasInlined) | |||
1196 | return; | |||
1197 | ||||
1198 | if (!isKnownDeallocObjCMethodName(Call)) | |||
1199 | return; | |||
1200 | ||||
1201 | if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) | |||
1202 | if (!*FreeWhenDone) | |||
1203 | return; | |||
1204 | ||||
1205 | bool ReleasedAllocatedMemory; | |||
1206 | ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), | |||
1207 | Call.getOriginExpr(), C.getState(), | |||
1208 | /*Hold=*/true, ReleasedAllocatedMemory, | |||
1209 | /*RetNullOnFailure=*/true); | |||
1210 | ||||
1211 | C.addTransition(State); | |||
1212 | } | |||
1213 | ||||
1214 | ProgramStateRef | |||
1215 | MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, | |||
1216 | const OwnershipAttr *Att, | |||
1217 | ProgramStateRef State) const { | |||
1218 | if (!State) | |||
1219 | return nullptr; | |||
1220 | ||||
1221 | if (Att->getModule() != II_malloc) | |||
1222 | return nullptr; | |||
1223 | ||||
1224 | OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); | |||
1225 | if (I != E) { | |||
1226 | return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(), | |||
1227 | State); | |||
1228 | } | |||
1229 | return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State); | |||
1230 | } | |||
1231 | ||||
1232 | ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, | |||
1233 | const CallExpr *CE, | |||
1234 | const Expr *SizeEx, SVal Init, | |||
1235 | ProgramStateRef State, | |||
1236 | AllocationFamily Family) { | |||
1237 | if (!State) | |||
1238 | return nullptr; | |||
1239 | ||||
1240 | return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family); | |||
1241 | } | |||
1242 | ||||
1243 | ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, | |||
1244 | const CallExpr *CE, | |||
1245 | SVal Size, SVal Init, | |||
1246 | ProgramStateRef State, | |||
1247 | AllocationFamily Family) { | |||
1248 | if (!State) | |||
1249 | return nullptr; | |||
1250 | ||||
1251 | // We expect the malloc functions to return a pointer. | |||
1252 | if (!Loc::isLocType(CE->getType())) | |||
1253 | return nullptr; | |||
1254 | ||||
1255 | // Bind the return value to the symbolic value from the heap region. | |||
1256 | // TODO: We could rewrite post visit to eval call; 'malloc' does not have | |||
1257 | // side effects other than what we model here. | |||
1258 | unsigned Count = C.blockCount(); | |||
1259 | SValBuilder &svalBuilder = C.getSValBuilder(); | |||
1260 | const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); | |||
1261 | DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) | |||
1262 | .castAs<DefinedSVal>(); | |||
1263 | State = State->BindExpr(CE, C.getLocationContext(), RetVal); | |||
1264 | ||||
1265 | // Fill the region with the initialization value. | |||
1266 | State = State->bindDefaultInitial(RetVal, Init, LCtx); | |||
1267 | ||||
1268 | // Set the region's extent equal to the Size parameter. | |||
1269 | const SymbolicRegion *R = | |||
1270 | dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); | |||
1271 | if (!R) | |||
1272 | return nullptr; | |||
1273 | if (Optional<DefinedOrUnknownSVal> DefinedSize = | |||
1274 | Size.getAs<DefinedOrUnknownSVal>()) { | |||
1275 | SValBuilder &svalBuilder = C.getSValBuilder(); | |||
1276 | DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); | |||
1277 | DefinedOrUnknownSVal extentMatchesSize = | |||
1278 | svalBuilder.evalEQ(State, Extent, *DefinedSize); | |||
1279 | ||||
1280 | State = State->assume(extentMatchesSize, true); | |||
1281 | assert(State)((State) ? static_cast<void> (0) : __assert_fail ("State" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1281, __PRETTY_FUNCTION__)); | |||
1282 | } | |||
1283 | ||||
1284 | return MallocUpdateRefState(C, CE, State, Family); | |||
1285 | } | |||
1286 | ||||
1287 | ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, | |||
1288 | const Expr *E, | |||
1289 | ProgramStateRef State, | |||
1290 | AllocationFamily Family, | |||
1291 | Optional<SVal> RetVal) { | |||
1292 | if (!State) | |||
1293 | return nullptr; | |||
1294 | ||||
1295 | // Get the return value. | |||
1296 | if (!RetVal) | |||
1297 | RetVal = C.getSVal(E); | |||
1298 | ||||
1299 | // We expect the malloc functions to return a pointer. | |||
1300 | if (!RetVal->getAs<Loc>()) | |||
1301 | return nullptr; | |||
1302 | ||||
1303 | SymbolRef Sym = RetVal->getAsLocSymbol(); | |||
1304 | // This is a return value of a function that was not inlined, such as malloc() | |||
1305 | // or new(). We've checked that in the caller. Therefore, it must be a symbol. | |||
1306 | assert(Sym)((Sym) ? static_cast<void> (0) : __assert_fail ("Sym", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1306, __PRETTY_FUNCTION__)); | |||
1307 | ||||
1308 | // Set the symbol's state to Allocated. | |||
1309 | return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); | |||
1310 | } | |||
1311 | ||||
1312 | ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, | |||
1313 | const CallExpr *CE, | |||
1314 | const OwnershipAttr *Att, | |||
1315 | ProgramStateRef State) const { | |||
1316 | if (!State) | |||
1317 | return nullptr; | |||
1318 | ||||
1319 | if (Att->getModule() != II_malloc) | |||
1320 | return nullptr; | |||
1321 | ||||
1322 | bool ReleasedAllocated = false; | |||
1323 | ||||
1324 | for (const auto &Arg : Att->args()) { | |||
1325 | ProgramStateRef StateI = FreeMemAux( | |||
1326 | C, CE, State, Arg.getASTIndex(), | |||
1327 | Att->getOwnKind() == OwnershipAttr::Holds, ReleasedAllocated); | |||
1328 | if (StateI) | |||
1329 | State = StateI; | |||
1330 | } | |||
1331 | return State; | |||
1332 | } | |||
1333 | ||||
1334 | ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, | |||
1335 | const CallExpr *CE, | |||
1336 | ProgramStateRef State, | |||
1337 | unsigned Num, | |||
1338 | bool Hold, | |||
1339 | bool &ReleasedAllocated, | |||
1340 | bool ReturnsNullOnFailure) const { | |||
1341 | if (!State) | |||
1342 | return nullptr; | |||
1343 | ||||
1344 | if (CE->getNumArgs() < (Num + 1)) | |||
1345 | return nullptr; | |||
1346 | ||||
1347 | return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, | |||
1348 | ReleasedAllocated, ReturnsNullOnFailure); | |||
1349 | } | |||
1350 | ||||
1351 | /// Checks if the previous call to free on the given symbol failed - if free | |||
1352 | /// failed, returns true. Also, returns the corresponding return value symbol. | |||
1353 | static bool didPreviousFreeFail(ProgramStateRef State, | |||
1354 | SymbolRef Sym, SymbolRef &RetStatusSymbol) { | |||
1355 | const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); | |||
1356 | if (Ret) { | |||
1357 | assert(*Ret && "We should not store the null return symbol")((*Ret && "We should not store the null return symbol" ) ? static_cast<void> (0) : __assert_fail ("*Ret && \"We should not store the null return symbol\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1357, __PRETTY_FUNCTION__)); | |||
1358 | ConstraintManager &CMgr = State->getConstraintManager(); | |||
1359 | ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); | |||
1360 | RetStatusSymbol = *Ret; | |||
1361 | return FreeFailed.isConstrainedTrue(); | |||
1362 | } | |||
1363 | return false; | |||
1364 | } | |||
1365 | ||||
1366 | AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, | |||
1367 | const Stmt *S) const { | |||
1368 | if (!S) | |||
1369 | return AF_None; | |||
1370 | ||||
1371 | if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { | |||
1372 | const FunctionDecl *FD = C.getCalleeDecl(CE); | |||
1373 | ||||
1374 | if (!FD) | |||
1375 | FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); | |||
1376 | ||||
1377 | ASTContext &Ctx = C.getASTContext(); | |||
1378 | ||||
1379 | if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any)) | |||
1380 | return AF_Malloc; | |||
1381 | ||||
1382 | if (isStandardNewDelete(FD, Ctx)) { | |||
1383 | OverloadedOperatorKind Kind = FD->getOverloadedOperator(); | |||
1384 | if (Kind == OO_New || Kind == OO_Delete) | |||
1385 | return AF_CXXNew; | |||
1386 | else if (Kind == OO_Array_New || Kind == OO_Array_Delete) | |||
1387 | return AF_CXXNewArray; | |||
1388 | } | |||
1389 | ||||
1390 | if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any)) | |||
1391 | return AF_IfNameIndex; | |||
1392 | ||||
1393 | if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any)) | |||
1394 | return AF_Alloca; | |||
1395 | ||||
1396 | return AF_None; | |||
1397 | } | |||
1398 | ||||
1399 | if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) | |||
1400 | return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; | |||
1401 | ||||
1402 | if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) | |||
1403 | return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; | |||
1404 | ||||
1405 | if (isa<ObjCMessageExpr>(S)) | |||
1406 | return AF_Malloc; | |||
1407 | ||||
1408 | return AF_None; | |||
1409 | } | |||
1410 | ||||
1411 | bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, | |||
1412 | const Expr *E) const { | |||
1413 | if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { | |||
1414 | // FIXME: This doesn't handle indirect calls. | |||
1415 | const FunctionDecl *FD = CE->getDirectCallee(); | |||
1416 | if (!FD) | |||
1417 | return false; | |||
1418 | ||||
1419 | os << *FD; | |||
1420 | if (!FD->isOverloadedOperator()) | |||
1421 | os << "()"; | |||
1422 | return true; | |||
1423 | } | |||
1424 | ||||
1425 | if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { | |||
1426 | if (Msg->isInstanceMessage()) | |||
1427 | os << "-"; | |||
1428 | else | |||
1429 | os << "+"; | |||
1430 | Msg->getSelector().print(os); | |||
1431 | return true; | |||
1432 | } | |||
1433 | ||||
1434 | if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { | |||
1435 | os << "'" | |||
1436 | << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) | |||
1437 | << "'"; | |||
1438 | return true; | |||
1439 | } | |||
1440 | ||||
1441 | if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { | |||
1442 | os << "'" | |||
1443 | << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) | |||
1444 | << "'"; | |||
1445 | return true; | |||
1446 | } | |||
1447 | ||||
1448 | return false; | |||
1449 | } | |||
1450 | ||||
1451 | void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, | |||
1452 | const Expr *E) const { | |||
1453 | AllocationFamily Family = getAllocationFamily(C, E); | |||
1454 | ||||
1455 | switch(Family) { | |||
1456 | case AF_Malloc: os << "malloc()"; return; | |||
1457 | case AF_CXXNew: os << "'new'"; return; | |||
1458 | case AF_CXXNewArray: os << "'new[]'"; return; | |||
1459 | case AF_IfNameIndex: os << "'if_nameindex()'"; return; | |||
1460 | case AF_InnerBuffer: os << "container-specific allocator"; return; | |||
1461 | case AF_Alloca: | |||
1462 | case AF_None: llvm_unreachable("not a deallocation expression")::llvm::llvm_unreachable_internal("not a deallocation expression" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1462); | |||
1463 | } | |||
1464 | } | |||
1465 | ||||
1466 | void MallocChecker::printExpectedDeallocName(raw_ostream &os, | |||
1467 | AllocationFamily Family) const { | |||
1468 | switch(Family) { | |||
1469 | case AF_Malloc: os << "free()"; return; | |||
1470 | case AF_CXXNew: os << "'delete'"; return; | |||
1471 | case AF_CXXNewArray: os << "'delete[]'"; return; | |||
1472 | case AF_IfNameIndex: os << "'if_freenameindex()'"; return; | |||
1473 | case AF_InnerBuffer: os << "container-specific deallocator"; return; | |||
1474 | case AF_Alloca: | |||
1475 | case AF_None: llvm_unreachable("suspicious argument")::llvm::llvm_unreachable_internal("suspicious argument", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1475); | |||
1476 | } | |||
1477 | } | |||
1478 | ||||
1479 | ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, | |||
1480 | const Expr *ArgExpr, | |||
1481 | const Expr *ParentExpr, | |||
1482 | ProgramStateRef State, | |||
1483 | bool Hold, | |||
1484 | bool &ReleasedAllocated, | |||
1485 | bool ReturnsNullOnFailure) const { | |||
1486 | ||||
1487 | if (!State) | |||
1488 | return nullptr; | |||
1489 | ||||
1490 | SVal ArgVal = C.getSVal(ArgExpr); | |||
1491 | if (!ArgVal.getAs<DefinedOrUnknownSVal>()) | |||
1492 | return nullptr; | |||
1493 | DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); | |||
1494 | ||||
1495 | // Check for null dereferences. | |||
1496 | if (!location.getAs<Loc>()) | |||
1497 | return nullptr; | |||
1498 | ||||
1499 | // The explicit NULL case, no operation is performed. | |||
1500 | ProgramStateRef notNullState, nullState; | |||
1501 | std::tie(notNullState, nullState) = State->assume(location); | |||
1502 | if (nullState && !notNullState) | |||
1503 | return nullptr; | |||
1504 | ||||
1505 | // Unknown values could easily be okay | |||
1506 | // Undefined values are handled elsewhere | |||
1507 | if (ArgVal.isUnknownOrUndef()) | |||
1508 | return nullptr; | |||
1509 | ||||
1510 | const MemRegion *R = ArgVal.getAsRegion(); | |||
1511 | ||||
1512 | // Nonlocs can't be freed, of course. | |||
1513 | // Non-region locations (labels and fixed addresses) also shouldn't be freed. | |||
1514 | if (!R) { | |||
1515 | ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); | |||
1516 | return nullptr; | |||
1517 | } | |||
1518 | ||||
1519 | R = R->StripCasts(); | |||
1520 | ||||
1521 | // Blocks might show up as heap data, but should not be free()d | |||
1522 | if (isa<BlockDataRegion>(R)) { | |||
1523 | ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); | |||
1524 | return nullptr; | |||
1525 | } | |||
1526 | ||||
1527 | const MemSpaceRegion *MS = R->getMemorySpace(); | |||
1528 | ||||
1529 | // Parameters, locals, statics, globals, and memory returned by | |||
1530 | // __builtin_alloca() shouldn't be freed. | |||
1531 | if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { | |||
1532 | // FIXME: at the time this code was written, malloc() regions were | |||
1533 | // represented by conjured symbols, which are all in UnknownSpaceRegion. | |||
1534 | // This means that there isn't actually anything from HeapSpaceRegion | |||
1535 | // that should be freed, even though we allow it here. | |||
1536 | // Of course, free() can work on memory allocated outside the current | |||
1537 | // function, so UnknownSpaceRegion is always a possibility. | |||
1538 | // False negatives are better than false positives. | |||
1539 | ||||
1540 | if (isa<AllocaRegion>(R)) | |||
1541 | ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); | |||
1542 | else | |||
1543 | ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); | |||
1544 | ||||
1545 | return nullptr; | |||
1546 | } | |||
1547 | ||||
1548 | const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); | |||
1549 | // Various cases could lead to non-symbol values here. | |||
1550 | // For now, ignore them. | |||
1551 | if (!SrBase) | |||
1552 | return nullptr; | |||
1553 | ||||
1554 | SymbolRef SymBase = SrBase->getSymbol(); | |||
1555 | const RefState *RsBase = State->get<RegionState>(SymBase); | |||
1556 | SymbolRef PreviousRetStatusSymbol = nullptr; | |||
1557 | ||||
1558 | if (RsBase) { | |||
1559 | ||||
1560 | // Memory returned by alloca() shouldn't be freed. | |||
1561 | if (RsBase->getAllocationFamily() == AF_Alloca) { | |||
1562 | ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); | |||
1563 | return nullptr; | |||
1564 | } | |||
1565 | ||||
1566 | // Check for double free first. | |||
1567 | if ((RsBase->isReleased() || RsBase->isRelinquished()) && | |||
1568 | !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { | |||
1569 | ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), | |||
1570 | SymBase, PreviousRetStatusSymbol); | |||
1571 | return nullptr; | |||
1572 | ||||
1573 | // If the pointer is allocated or escaped, but we are now trying to free it, | |||
1574 | // check that the call to free is proper. | |||
1575 | } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() || | |||
1576 | RsBase->isEscaped()) { | |||
1577 | ||||
1578 | // Check if an expected deallocation function matches the real one. | |||
1579 | bool DeallocMatchesAlloc = | |||
1580 | RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); | |||
1581 | if (!DeallocMatchesAlloc) { | |||
1582 | ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), | |||
1583 | ParentExpr, RsBase, SymBase, Hold); | |||
1584 | return nullptr; | |||
1585 | } | |||
1586 | ||||
1587 | // Check if the memory location being freed is the actual location | |||
1588 | // allocated, or an offset. | |||
1589 | RegionOffset Offset = R->getAsOffset(); | |||
1590 | if (Offset.isValid() && | |||
1591 | !Offset.hasSymbolicOffset() && | |||
1592 | Offset.getOffset() != 0) { | |||
1593 | const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); | |||
1594 | ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, | |||
1595 | AllocExpr); | |||
1596 | return nullptr; | |||
1597 | } | |||
1598 | } | |||
1599 | } | |||
1600 | ||||
1601 | if (SymBase->getType()->isFunctionPointerType()) { | |||
1602 | ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); | |||
1603 | return nullptr; | |||
1604 | } | |||
1605 | ||||
1606 | ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() || | |||
1607 | RsBase->isAllocatedOfSizeZero()); | |||
1608 | ||||
1609 | // Clean out the info on previous call to free return info. | |||
1610 | State = State->remove<FreeReturnValue>(SymBase); | |||
1611 | ||||
1612 | // Keep track of the return value. If it is NULL, we will know that free | |||
1613 | // failed. | |||
1614 | if (ReturnsNullOnFailure) { | |||
1615 | SVal RetVal = C.getSVal(ParentExpr); | |||
1616 | SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); | |||
1617 | if (RetStatusSymbol) { | |||
1618 | C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); | |||
1619 | State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); | |||
1620 | } | |||
1621 | } | |||
1622 | ||||
1623 | AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() | |||
1624 | : getAllocationFamily(C, ParentExpr); | |||
1625 | // Normal free. | |||
1626 | if (Hold) | |||
1627 | return State->set<RegionState>(SymBase, | |||
1628 | RefState::getRelinquished(Family, | |||
1629 | ParentExpr)); | |||
1630 | ||||
1631 | return State->set<RegionState>(SymBase, | |||
1632 | RefState::getReleased(Family, ParentExpr)); | |||
1633 | } | |||
1634 | ||||
1635 | Optional<MallocChecker::CheckKind> | |||
1636 | MallocChecker::getCheckIfTracked(AllocationFamily Family, | |||
1637 | bool IsALeakCheck) const { | |||
1638 | switch (Family) { | |||
1639 | case AF_Malloc: | |||
1640 | case AF_Alloca: | |||
1641 | case AF_IfNameIndex: { | |||
1642 | if (ChecksEnabled[CK_MallocChecker]) | |||
1643 | return CK_MallocChecker; | |||
1644 | return None; | |||
1645 | } | |||
1646 | case AF_CXXNew: | |||
1647 | case AF_CXXNewArray: { | |||
1648 | if (IsALeakCheck) { | |||
1649 | if (ChecksEnabled[CK_NewDeleteLeaksChecker]) | |||
1650 | return CK_NewDeleteLeaksChecker; | |||
1651 | } | |||
1652 | else { | |||
1653 | if (ChecksEnabled[CK_NewDeleteChecker]) | |||
1654 | return CK_NewDeleteChecker; | |||
1655 | } | |||
1656 | return None; | |||
1657 | } | |||
1658 | case AF_InnerBuffer: { | |||
1659 | if (ChecksEnabled[CK_InnerPointerChecker]) | |||
1660 | return CK_InnerPointerChecker; | |||
1661 | return None; | |||
1662 | } | |||
1663 | case AF_None: { | |||
1664 | llvm_unreachable("no family")::llvm::llvm_unreachable_internal("no family", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1664); | |||
1665 | } | |||
1666 | } | |||
1667 | llvm_unreachable("unhandled family")::llvm::llvm_unreachable_internal("unhandled family", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1667); | |||
1668 | } | |||
1669 | ||||
1670 | Optional<MallocChecker::CheckKind> | |||
1671 | MallocChecker::getCheckIfTracked(CheckerContext &C, | |||
1672 | const Stmt *AllocDeallocStmt, | |||
1673 | bool IsALeakCheck) const { | |||
1674 | return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt), | |||
1675 | IsALeakCheck); | |||
1676 | } | |||
1677 | ||||
1678 | Optional<MallocChecker::CheckKind> | |||
1679 | MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym, | |||
1680 | bool IsALeakCheck) const { | |||
1681 | if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) | |||
1682 | return CK_MallocChecker; | |||
1683 | ||||
1684 | const RefState *RS = C.getState()->get<RegionState>(Sym); | |||
1685 | assert(RS)((RS) ? static_cast<void> (0) : __assert_fail ("RS", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1685, __PRETTY_FUNCTION__)); | |||
1686 | return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck); | |||
1687 | } | |||
1688 | ||||
1689 | bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { | |||
1690 | if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) | |||
1691 | os << "an integer (" << IntVal->getValue() << ")"; | |||
1692 | else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) | |||
1693 | os << "a constant address (" << ConstAddr->getValue() << ")"; | |||
1694 | else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) | |||
1695 | os << "the address of the label '" << Label->getLabel()->getName() << "'"; | |||
1696 | else | |||
1697 | return false; | |||
1698 | ||||
1699 | return true; | |||
1700 | } | |||
1701 | ||||
1702 | bool MallocChecker::SummarizeRegion(raw_ostream &os, | |||
1703 | const MemRegion *MR) { | |||
1704 | switch (MR->getKind()) { | |||
1705 | case MemRegion::FunctionCodeRegionKind: { | |||
1706 | const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl(); | |||
1707 | if (FD) | |||
1708 | os << "the address of the function '" << *FD << '\''; | |||
1709 | else | |||
1710 | os << "the address of a function"; | |||
1711 | return true; | |||
1712 | } | |||
1713 | case MemRegion::BlockCodeRegionKind: | |||
1714 | os << "block text"; | |||
1715 | return true; | |||
1716 | case MemRegion::BlockDataRegionKind: | |||
1717 | // FIXME: where the block came from? | |||
1718 | os << "a block"; | |||
1719 | return true; | |||
1720 | default: { | |||
1721 | const MemSpaceRegion *MS = MR->getMemorySpace(); | |||
1722 | ||||
1723 | if (isa<StackLocalsSpaceRegion>(MS)) { | |||
1724 | const VarRegion *VR = dyn_cast<VarRegion>(MR); | |||
1725 | const VarDecl *VD; | |||
1726 | if (VR) | |||
1727 | VD = VR->getDecl(); | |||
1728 | else | |||
1729 | VD = nullptr; | |||
1730 | ||||
1731 | if (VD) | |||
1732 | os << "the address of the local variable '" << VD->getName() << "'"; | |||
1733 | else | |||
1734 | os << "the address of a local stack variable"; | |||
1735 | return true; | |||
1736 | } | |||
1737 | ||||
1738 | if (isa<StackArgumentsSpaceRegion>(MS)) { | |||
1739 | const VarRegion *VR = dyn_cast<VarRegion>(MR); | |||
1740 | const VarDecl *VD; | |||
1741 | if (VR) | |||
1742 | VD = VR->getDecl(); | |||
1743 | else | |||
1744 | VD = nullptr; | |||
1745 | ||||
1746 | if (VD) | |||
1747 | os << "the address of the parameter '" << VD->getName() << "'"; | |||
1748 | else | |||
1749 | os << "the address of a parameter"; | |||
1750 | return true; | |||
1751 | } | |||
1752 | ||||
1753 | if (isa<GlobalsSpaceRegion>(MS)) { | |||
1754 | const VarRegion *VR = dyn_cast<VarRegion>(MR); | |||
1755 | const VarDecl *VD; | |||
1756 | if (VR) | |||
1757 | VD = VR->getDecl(); | |||
1758 | else | |||
1759 | VD = nullptr; | |||
1760 | ||||
1761 | if (VD) { | |||
1762 | if (VD->isStaticLocal()) | |||
1763 | os << "the address of the static variable '" << VD->getName() << "'"; | |||
1764 | else | |||
1765 | os << "the address of the global variable '" << VD->getName() << "'"; | |||
1766 | } else | |||
1767 | os << "the address of a global variable"; | |||
1768 | return true; | |||
1769 | } | |||
1770 | ||||
1771 | return false; | |||
1772 | } | |||
1773 | } | |||
1774 | } | |||
1775 | ||||
1776 | void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, | |||
1777 | SourceRange Range, | |||
1778 | const Expr *DeallocExpr) const { | |||
1779 | ||||
1780 | if (!ChecksEnabled[CK_MallocChecker] && | |||
1781 | !ChecksEnabled[CK_NewDeleteChecker]) | |||
1782 | return; | |||
1783 | ||||
1784 | Optional<MallocChecker::CheckKind> CheckKind = | |||
1785 | getCheckIfTracked(C, DeallocExpr); | |||
1786 | if (!CheckKind.hasValue()) | |||
1787 | return; | |||
1788 | ||||
1789 | if (ExplodedNode *N = C.generateErrorNode()) { | |||
1790 | if (!BT_BadFree[*CheckKind]) | |||
1791 | BT_BadFree[*CheckKind].reset(new BugType( | |||
1792 | CheckNames[*CheckKind], "Bad free", categories::MemoryError)); | |||
1793 | ||||
1794 | SmallString<100> buf; | |||
1795 | llvm::raw_svector_ostream os(buf); | |||
1796 | ||||
1797 | const MemRegion *MR = ArgVal.getAsRegion(); | |||
1798 | while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) | |||
1799 | MR = ER->getSuperRegion(); | |||
1800 | ||||
1801 | os << "Argument to "; | |||
1802 | if (!printAllocDeallocName(os, C, DeallocExpr)) | |||
1803 | os << "deallocator"; | |||
1804 | ||||
1805 | os << " is "; | |||
1806 | bool Summarized = MR ? SummarizeRegion(os, MR) | |||
1807 | : SummarizeValue(os, ArgVal); | |||
1808 | if (Summarized) | |||
1809 | os << ", which is not memory allocated by "; | |||
1810 | else | |||
1811 | os << "not memory allocated by "; | |||
1812 | ||||
1813 | printExpectedAllocName(os, C, DeallocExpr); | |||
1814 | ||||
1815 | auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], os.str(), N); | |||
1816 | R->markInteresting(MR); | |||
1817 | R->addRange(Range); | |||
1818 | C.emitReport(std::move(R)); | |||
1819 | } | |||
1820 | } | |||
1821 | ||||
1822 | void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal, | |||
1823 | SourceRange Range) const { | |||
1824 | ||||
1825 | Optional<MallocChecker::CheckKind> CheckKind; | |||
1826 | ||||
1827 | if (ChecksEnabled[CK_MallocChecker]) | |||
1828 | CheckKind = CK_MallocChecker; | |||
1829 | else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) | |||
1830 | CheckKind = CK_MismatchedDeallocatorChecker; | |||
1831 | else | |||
1832 | return; | |||
1833 | ||||
1834 | if (ExplodedNode *N = C.generateErrorNode()) { | |||
1835 | if (!BT_FreeAlloca[*CheckKind]) | |||
1836 | BT_FreeAlloca[*CheckKind].reset(new BugType( | |||
1837 | CheckNames[*CheckKind], "Free alloca()", categories::MemoryError)); | |||
1838 | ||||
1839 | auto R = llvm::make_unique<BugReport>( | |||
1840 | *BT_FreeAlloca[*CheckKind], | |||
1841 | "Memory allocated by alloca() should not be deallocated", N); | |||
1842 | R->markInteresting(ArgVal.getAsRegion()); | |||
1843 | R->addRange(Range); | |||
1844 | C.emitReport(std::move(R)); | |||
1845 | } | |||
1846 | } | |||
1847 | ||||
1848 | void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, | |||
1849 | SourceRange Range, | |||
1850 | const Expr *DeallocExpr, | |||
1851 | const RefState *RS, | |||
1852 | SymbolRef Sym, | |||
1853 | bool OwnershipTransferred) const { | |||
1854 | ||||
1855 | if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) | |||
1856 | return; | |||
1857 | ||||
1858 | if (ExplodedNode *N = C.generateErrorNode()) { | |||
1859 | if (!BT_MismatchedDealloc) | |||
1860 | BT_MismatchedDealloc.reset( | |||
1861 | new BugType(CheckNames[CK_MismatchedDeallocatorChecker], | |||
1862 | "Bad deallocator", categories::MemoryError)); | |||
1863 | ||||
1864 | SmallString<100> buf; | |||
1865 | llvm::raw_svector_ostream os(buf); | |||
1866 | ||||
1867 | const Expr *AllocExpr = cast<Expr>(RS->getStmt()); | |||
1868 | SmallString<20> AllocBuf; | |||
1869 | llvm::raw_svector_ostream AllocOs(AllocBuf); | |||
1870 | SmallString<20> DeallocBuf; | |||
1871 | llvm::raw_svector_ostream DeallocOs(DeallocBuf); | |||
1872 | ||||
1873 | if (OwnershipTransferred) { | |||
1874 | if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) | |||
1875 | os << DeallocOs.str() << " cannot"; | |||
1876 | else | |||
1877 | os << "Cannot"; | |||
1878 | ||||
1879 | os << " take ownership of memory"; | |||
1880 | ||||
1881 | if (printAllocDeallocName(AllocOs, C, AllocExpr)) | |||
1882 | os << " allocated by " << AllocOs.str(); | |||
1883 | } else { | |||
1884 | os << "Memory"; | |||
1885 | if (printAllocDeallocName(AllocOs, C, AllocExpr)) | |||
1886 | os << " allocated by " << AllocOs.str(); | |||
1887 | ||||
1888 | os << " should be deallocated by "; | |||
1889 | printExpectedDeallocName(os, RS->getAllocationFamily()); | |||
1890 | ||||
1891 | if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) | |||
1892 | os << ", not " << DeallocOs.str(); | |||
1893 | } | |||
1894 | ||||
1895 | auto R = llvm::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N); | |||
1896 | R->markInteresting(Sym); | |||
1897 | R->addRange(Range); | |||
1898 | R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); | |||
1899 | C.emitReport(std::move(R)); | |||
1900 | } | |||
1901 | } | |||
1902 | ||||
1903 | void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, | |||
1904 | SourceRange Range, const Expr *DeallocExpr, | |||
1905 | const Expr *AllocExpr) const { | |||
1906 | ||||
1907 | ||||
1908 | if (!ChecksEnabled[CK_MallocChecker] && | |||
1909 | !ChecksEnabled[CK_NewDeleteChecker]) | |||
1910 | return; | |||
1911 | ||||
1912 | Optional<MallocChecker::CheckKind> CheckKind = | |||
1913 | getCheckIfTracked(C, AllocExpr); | |||
1914 | if (!CheckKind.hasValue()) | |||
1915 | return; | |||
1916 | ||||
1917 | ExplodedNode *N = C.generateErrorNode(); | |||
1918 | if (!N) | |||
1919 | return; | |||
1920 | ||||
1921 | if (!BT_OffsetFree[*CheckKind]) | |||
1922 | BT_OffsetFree[*CheckKind].reset(new BugType( | |||
1923 | CheckNames[*CheckKind], "Offset free", categories::MemoryError)); | |||
1924 | ||||
1925 | SmallString<100> buf; | |||
1926 | llvm::raw_svector_ostream os(buf); | |||
1927 | SmallString<20> AllocNameBuf; | |||
1928 | llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); | |||
1929 | ||||
1930 | const MemRegion *MR = ArgVal.getAsRegion(); | |||
1931 | assert(MR && "Only MemRegion based symbols can have offset free errors")((MR && "Only MemRegion based symbols can have offset free errors" ) ? static_cast<void> (0) : __assert_fail ("MR && \"Only MemRegion based symbols can have offset free errors\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1931, __PRETTY_FUNCTION__)); | |||
1932 | ||||
1933 | RegionOffset Offset = MR->getAsOffset(); | |||
1934 | assert((Offset.isValid() &&(((Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && "Only symbols with a valid offset can have offset free errors" ) ? static_cast<void> (0) : __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1937, __PRETTY_FUNCTION__)) | |||
1935 | !Offset.hasSymbolicOffset() &&(((Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && "Only symbols with a valid offset can have offset free errors" ) ? static_cast<void> (0) : __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1937, __PRETTY_FUNCTION__)) | |||
1936 | Offset.getOffset() != 0) &&(((Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && "Only symbols with a valid offset can have offset free errors" ) ? static_cast<void> (0) : __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1937, __PRETTY_FUNCTION__)) | |||
1937 | "Only symbols with a valid offset can have offset free errors")(((Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && "Only symbols with a valid offset can have offset free errors" ) ? static_cast<void> (0) : __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 1937, __PRETTY_FUNCTION__)); | |||
1938 | ||||
1939 | int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); | |||
1940 | ||||
1941 | os << "Argument to "; | |||
1942 | if (!printAllocDeallocName(os, C, DeallocExpr)) | |||
1943 | os << "deallocator"; | |||
1944 | os << " is offset by " | |||
1945 | << offsetBytes | |||
1946 | << " " | |||
1947 | << ((abs(offsetBytes) > 1) ? "bytes" : "byte") | |||
1948 | << " from the start of "; | |||
1949 | if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) | |||
1950 | os << "memory allocated by " << AllocNameOs.str(); | |||
1951 | else | |||
1952 | os << "allocated memory"; | |||
1953 | ||||
1954 | auto R = llvm::make_unique<BugReport>(*BT_OffsetFree[*CheckKind], os.str(), N); | |||
1955 | R->markInteresting(MR->getBaseRegion()); | |||
1956 | R->addRange(Range); | |||
1957 | C.emitReport(std::move(R)); | |||
1958 | } | |||
1959 | ||||
1960 | void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, | |||
1961 | SymbolRef Sym) const { | |||
1962 | ||||
1963 | if (!ChecksEnabled[CK_MallocChecker] && | |||
1964 | !ChecksEnabled[CK_NewDeleteChecker] && | |||
1965 | !ChecksEnabled[CK_InnerPointerChecker]) | |||
1966 | return; | |||
1967 | ||||
1968 | Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); | |||
1969 | if (!CheckKind.hasValue()) | |||
1970 | return; | |||
1971 | ||||
1972 | if (ExplodedNode *N = C.generateErrorNode()) { | |||
1973 | if (!BT_UseFree[*CheckKind]) | |||
1974 | BT_UseFree[*CheckKind].reset(new BugType( | |||
1975 | CheckNames[*CheckKind], "Use-after-free", categories::MemoryError)); | |||
1976 | ||||
1977 | AllocationFamily AF = | |||
1978 | C.getState()->get<RegionState>(Sym)->getAllocationFamily(); | |||
1979 | ||||
1980 | auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind], | |||
1981 | AF == AF_InnerBuffer | |||
1982 | ? "Inner pointer of container used after re/deallocation" | |||
1983 | : "Use of memory after it is freed", | |||
1984 | N); | |||
1985 | ||||
1986 | R->markInteresting(Sym); | |||
1987 | R->addRange(Range); | |||
1988 | R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); | |||
1989 | ||||
1990 | if (AF == AF_InnerBuffer) | |||
1991 | R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym)); | |||
1992 | ||||
1993 | C.emitReport(std::move(R)); | |||
1994 | } | |||
1995 | } | |||
1996 | ||||
1997 | void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, | |||
1998 | bool Released, SymbolRef Sym, | |||
1999 | SymbolRef PrevSym) const { | |||
2000 | ||||
2001 | if (!ChecksEnabled[CK_MallocChecker] && | |||
2002 | !ChecksEnabled[CK_NewDeleteChecker]) | |||
2003 | return; | |||
2004 | ||||
2005 | Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); | |||
2006 | if (!CheckKind.hasValue()) | |||
2007 | return; | |||
2008 | ||||
2009 | if (ExplodedNode *N = C.generateErrorNode()) { | |||
2010 | if (!BT_DoubleFree[*CheckKind]) | |||
2011 | BT_DoubleFree[*CheckKind].reset(new BugType( | |||
2012 | CheckNames[*CheckKind], "Double free", categories::MemoryError)); | |||
2013 | ||||
2014 | auto R = llvm::make_unique<BugReport>( | |||
2015 | *BT_DoubleFree[*CheckKind], | |||
2016 | (Released ? "Attempt to free released memory" | |||
2017 | : "Attempt to free non-owned memory"), | |||
2018 | N); | |||
2019 | R->addRange(Range); | |||
2020 | R->markInteresting(Sym); | |||
2021 | if (PrevSym) | |||
2022 | R->markInteresting(PrevSym); | |||
2023 | R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); | |||
2024 | C.emitReport(std::move(R)); | |||
2025 | } | |||
2026 | } | |||
2027 | ||||
2028 | void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { | |||
2029 | ||||
2030 | if (!ChecksEnabled[CK_NewDeleteChecker]) | |||
2031 | return; | |||
2032 | ||||
2033 | Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); | |||
2034 | if (!CheckKind.hasValue()) | |||
2035 | return; | |||
2036 | ||||
2037 | if (ExplodedNode *N = C.generateErrorNode()) { | |||
2038 | if (!BT_DoubleDelete) | |||
2039 | BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], | |||
2040 | "Double delete", | |||
2041 | categories::MemoryError)); | |||
2042 | ||||
2043 | auto R = llvm::make_unique<BugReport>( | |||
2044 | *BT_DoubleDelete, "Attempt to delete released memory", N); | |||
2045 | ||||
2046 | R->markInteresting(Sym); | |||
2047 | R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); | |||
2048 | C.emitReport(std::move(R)); | |||
2049 | } | |||
2050 | } | |||
2051 | ||||
2052 | void MallocChecker::ReportUseZeroAllocated(CheckerContext &C, | |||
2053 | SourceRange Range, | |||
2054 | SymbolRef Sym) const { | |||
2055 | ||||
2056 | if (!ChecksEnabled[CK_MallocChecker] && | |||
2057 | !ChecksEnabled[CK_NewDeleteChecker]) | |||
2058 | return; | |||
2059 | ||||
2060 | Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); | |||
2061 | ||||
2062 | if (!CheckKind.hasValue()) | |||
2063 | return; | |||
2064 | ||||
2065 | if (ExplodedNode *N = C.generateErrorNode()) { | |||
2066 | if (!BT_UseZerroAllocated[*CheckKind]) | |||
2067 | BT_UseZerroAllocated[*CheckKind].reset( | |||
2068 | new BugType(CheckNames[*CheckKind], "Use of zero allocated", | |||
2069 | categories::MemoryError)); | |||
2070 | ||||
2071 | auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind], | |||
2072 | "Use of zero-allocated memory", N); | |||
2073 | ||||
2074 | R->addRange(Range); | |||
2075 | if (Sym) { | |||
2076 | R->markInteresting(Sym); | |||
2077 | R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); | |||
2078 | } | |||
2079 | C.emitReport(std::move(R)); | |||
2080 | } | |||
2081 | } | |||
2082 | ||||
2083 | void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, | |||
2084 | SourceRange Range, | |||
2085 | const Expr *FreeExpr) const { | |||
2086 | if (!ChecksEnabled[CK_MallocChecker]) | |||
2087 | return; | |||
2088 | ||||
2089 | Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr); | |||
2090 | if (!CheckKind.hasValue()) | |||
2091 | return; | |||
2092 | ||||
2093 | if (ExplodedNode *N = C.generateErrorNode()) { | |||
2094 | if (!BT_BadFree[*CheckKind]) | |||
2095 | BT_BadFree[*CheckKind].reset(new BugType( | |||
2096 | CheckNames[*CheckKind], "Bad free", categories::MemoryError)); | |||
2097 | ||||
2098 | SmallString<100> Buf; | |||
2099 | llvm::raw_svector_ostream Os(Buf); | |||
2100 | ||||
2101 | const MemRegion *MR = ArgVal.getAsRegion(); | |||
2102 | while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) | |||
2103 | MR = ER->getSuperRegion(); | |||
2104 | ||||
2105 | Os << "Argument to "; | |||
2106 | if (!printAllocDeallocName(Os, C, FreeExpr)) | |||
2107 | Os << "deallocator"; | |||
2108 | ||||
2109 | Os << " is a function pointer"; | |||
2110 | ||||
2111 | auto R = llvm::make_unique<BugReport>(*BT_BadFree[*CheckKind], Os.str(), N); | |||
2112 | R->markInteresting(MR); | |||
2113 | R->addRange(Range); | |||
2114 | C.emitReport(std::move(R)); | |||
2115 | } | |||
2116 | } | |||
2117 | ||||
2118 | ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C, | |||
2119 | const CallExpr *CE, | |||
2120 | bool FreesOnFail, | |||
2121 | ProgramStateRef State, | |||
2122 | bool SuffixWithN) const { | |||
2123 | if (!State) | |||
2124 | return nullptr; | |||
2125 | ||||
2126 | if (SuffixWithN && CE->getNumArgs() < 3) | |||
2127 | return nullptr; | |||
2128 | else if (CE->getNumArgs() < 2) | |||
2129 | return nullptr; | |||
2130 | ||||
2131 | const Expr *arg0Expr = CE->getArg(0); | |||
2132 | SVal Arg0Val = C.getSVal(arg0Expr); | |||
2133 | if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) | |||
2134 | return nullptr; | |||
2135 | DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); | |||
2136 | ||||
2137 | SValBuilder &svalBuilder = C.getSValBuilder(); | |||
2138 | ||||
2139 | DefinedOrUnknownSVal PtrEQ = | |||
2140 | svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull()); | |||
2141 | ||||
2142 | // Get the size argument. | |||
2143 | const Expr *Arg1 = CE->getArg(1); | |||
2144 | ||||
2145 | // Get the value of the size argument. | |||
2146 | SVal TotalSize = C.getSVal(Arg1); | |||
2147 | if (SuffixWithN) | |||
2148 | TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2)); | |||
2149 | if (!TotalSize.getAs<DefinedOrUnknownSVal>()) | |||
2150 | return nullptr; | |||
2151 | ||||
2152 | // Compare the size argument to 0. | |||
2153 | DefinedOrUnknownSVal SizeZero = | |||
2154 | svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(), | |||
2155 | svalBuilder.makeIntValWithPtrWidth(0, false)); | |||
2156 | ||||
2157 | ProgramStateRef StatePtrIsNull, StatePtrNotNull; | |||
2158 | std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ); | |||
2159 | ProgramStateRef StateSizeIsZero, StateSizeNotZero; | |||
2160 | std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero); | |||
2161 | // We only assume exceptional states if they are definitely true; if the | |||
2162 | // state is under-constrained, assume regular realloc behavior. | |||
2163 | bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; | |||
2164 | bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; | |||
2165 | ||||
2166 | // If the ptr is NULL and the size is not 0, the call is equivalent to | |||
2167 | // malloc(size). | |||
2168 | if (PrtIsNull && !SizeIsZero) { | |||
2169 | ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize, | |||
2170 | UndefinedVal(), StatePtrIsNull); | |||
2171 | return stateMalloc; | |||
2172 | } | |||
2173 | ||||
2174 | if (PrtIsNull && SizeIsZero) | |||
2175 | return State; | |||
2176 | ||||
2177 | // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). | |||
2178 | assert(!PrtIsNull)((!PrtIsNull) ? static_cast<void> (0) : __assert_fail ( "!PrtIsNull", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2178, __PRETTY_FUNCTION__)); | |||
2179 | SymbolRef FromPtr = arg0Val.getAsSymbol(); | |||
2180 | SVal RetVal = C.getSVal(CE); | |||
2181 | SymbolRef ToPtr = RetVal.getAsSymbol(); | |||
2182 | if (!FromPtr || !ToPtr) | |||
2183 | return nullptr; | |||
2184 | ||||
2185 | bool ReleasedAllocated = false; | |||
2186 | ||||
2187 | // If the size is 0, free the memory. | |||
2188 | if (SizeIsZero) | |||
2189 | if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, | |||
2190 | false, ReleasedAllocated)){ | |||
2191 | // The semantics of the return value are: | |||
2192 | // If size was equal to 0, either NULL or a pointer suitable to be passed | |||
2193 | // to free() is returned. We just free the input pointer and do not add | |||
2194 | // any constrains on the output pointer. | |||
2195 | return stateFree; | |||
2196 | } | |||
2197 | ||||
2198 | // Default behavior. | |||
2199 | if (ProgramStateRef stateFree = | |||
2200 | FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) { | |||
2201 | ||||
2202 | ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize, | |||
2203 | UnknownVal(), stateFree); | |||
2204 | if (!stateRealloc) | |||
2205 | return nullptr; | |||
2206 | ||||
2207 | ReallocPairKind Kind = RPToBeFreedAfterFailure; | |||
2208 | if (FreesOnFail) | |||
2209 | Kind = RPIsFreeOnFailure; | |||
2210 | else if (!ReleasedAllocated) | |||
2211 | Kind = RPDoNotTrackAfterFailure; | |||
2212 | ||||
2213 | // Record the info about the reallocated symbol so that we could properly | |||
2214 | // process failed reallocation. | |||
2215 | stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, | |||
2216 | ReallocPair(FromPtr, Kind)); | |||
2217 | // The reallocated symbol should stay alive for as long as the new symbol. | |||
2218 | C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); | |||
2219 | return stateRealloc; | |||
2220 | } | |||
2221 | return nullptr; | |||
2222 | } | |||
2223 | ||||
2224 | ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE, | |||
2225 | ProgramStateRef State) { | |||
2226 | if (!State) | |||
2227 | return nullptr; | |||
2228 | ||||
2229 | if (CE->getNumArgs() < 2) | |||
2230 | return nullptr; | |||
2231 | ||||
2232 | SValBuilder &svalBuilder = C.getSValBuilder(); | |||
2233 | SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); | |||
2234 | SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); | |||
2235 | ||||
2236 | return MallocMemAux(C, CE, TotalSize, zeroVal, State); | |||
2237 | } | |||
2238 | ||||
2239 | LeakInfo | |||
2240 | MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, | |||
2241 | CheckerContext &C) const { | |||
2242 | const LocationContext *LeakContext = N->getLocationContext(); | |||
2243 | // Walk the ExplodedGraph backwards and find the first node that referred to | |||
2244 | // the tracked symbol. | |||
2245 | const ExplodedNode *AllocNode = N; | |||
2246 | const MemRegion *ReferenceRegion = nullptr; | |||
2247 | ||||
2248 | while (N) { | |||
2249 | ProgramStateRef State = N->getState(); | |||
2250 | if (!State->get<RegionState>(Sym)) | |||
2251 | break; | |||
2252 | ||||
2253 | // Find the most recent expression bound to the symbol in the current | |||
2254 | // context. | |||
2255 | if (!ReferenceRegion) { | |||
2256 | if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { | |||
2257 | SVal Val = State->getSVal(MR); | |||
2258 | if (Val.getAsLocSymbol() == Sym) { | |||
2259 | const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); | |||
2260 | // Do not show local variables belonging to a function other than | |||
2261 | // where the error is reported. | |||
2262 | if (!VR || | |||
2263 | (VR->getStackFrame() == LeakContext->getStackFrame())) | |||
2264 | ReferenceRegion = MR; | |||
2265 | } | |||
2266 | } | |||
2267 | } | |||
2268 | ||||
2269 | // Allocation node, is the last node in the current or parent context in | |||
2270 | // which the symbol was tracked. | |||
2271 | const LocationContext *NContext = N->getLocationContext(); | |||
2272 | if (NContext == LeakContext || | |||
2273 | NContext->isParentOf(LeakContext)) | |||
2274 | AllocNode = N; | |||
2275 | N = N->pred_empty() ? nullptr : *(N->pred_begin()); | |||
2276 | } | |||
2277 | ||||
2278 | return LeakInfo(AllocNode, ReferenceRegion); | |||
2279 | } | |||
2280 | ||||
2281 | void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, | |||
2282 | CheckerContext &C) const { | |||
2283 | ||||
2284 | if (!ChecksEnabled[CK_MallocChecker] && | |||
2285 | !ChecksEnabled[CK_NewDeleteLeaksChecker]) | |||
2286 | return; | |||
2287 | ||||
2288 | const RefState *RS = C.getState()->get<RegionState>(Sym); | |||
2289 | assert(RS && "cannot leak an untracked symbol")((RS && "cannot leak an untracked symbol") ? static_cast <void> (0) : __assert_fail ("RS && \"cannot leak an untracked symbol\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2289, __PRETTY_FUNCTION__)); | |||
2290 | AllocationFamily Family = RS->getAllocationFamily(); | |||
2291 | ||||
2292 | if (Family == AF_Alloca) | |||
2293 | return; | |||
2294 | ||||
2295 | Optional<MallocChecker::CheckKind> | |||
2296 | CheckKind = getCheckIfTracked(Family, true); | |||
2297 | ||||
2298 | if (!CheckKind.hasValue()) | |||
2299 | return; | |||
2300 | ||||
2301 | assert(N)((N) ? static_cast<void> (0) : __assert_fail ("N", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2301, __PRETTY_FUNCTION__)); | |||
2302 | if (!BT_Leak[*CheckKind]) { | |||
2303 | // Leaks should not be reported if they are post-dominated by a sink: | |||
2304 | // (1) Sinks are higher importance bugs. | |||
2305 | // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending | |||
2306 | // with __noreturn functions such as assert() or exit(). We choose not | |||
2307 | // to report leaks on such paths. | |||
2308 | BT_Leak[*CheckKind].reset(new BugType(CheckNames[*CheckKind], "Memory leak", | |||
2309 | categories::MemoryError, | |||
2310 | /*SuppressOnSink=*/true)); | |||
2311 | } | |||
2312 | ||||
2313 | // Most bug reports are cached at the location where they occurred. | |||
2314 | // With leaks, we want to unique them by the location where they were | |||
2315 | // allocated, and only report a single path. | |||
2316 | PathDiagnosticLocation LocUsedForUniqueing; | |||
2317 | const ExplodedNode *AllocNode = nullptr; | |||
2318 | const MemRegion *Region = nullptr; | |||
2319 | std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); | |||
2320 | ||||
2321 | const Stmt *AllocationStmt = PathDiagnosticLocation::getStmt(AllocNode); | |||
2322 | if (AllocationStmt) | |||
2323 | LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, | |||
2324 | C.getSourceManager(), | |||
2325 | AllocNode->getLocationContext()); | |||
2326 | ||||
2327 | SmallString<200> buf; | |||
2328 | llvm::raw_svector_ostream os(buf); | |||
2329 | if (Region && Region->canPrintPretty()) { | |||
2330 | os << "Potential leak of memory pointed to by "; | |||
2331 | Region->printPretty(os); | |||
2332 | } else { | |||
2333 | os << "Potential memory leak"; | |||
2334 | } | |||
2335 | ||||
2336 | auto R = llvm::make_unique<BugReport>( | |||
2337 | *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, | |||
2338 | AllocNode->getLocationContext()->getDecl()); | |||
2339 | R->markInteresting(Sym); | |||
2340 | R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true)); | |||
2341 | C.emitReport(std::move(R)); | |||
2342 | } | |||
2343 | ||||
2344 | void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, | |||
2345 | CheckerContext &C) const | |||
2346 | { | |||
2347 | ProgramStateRef state = C.getState(); | |||
2348 | RegionStateTy OldRS = state->get<RegionState>(); | |||
2349 | RegionStateTy::Factory &F = state->get_context<RegionState>(); | |||
2350 | ||||
2351 | RegionStateTy RS = OldRS; | |||
2352 | SmallVector<SymbolRef, 2> Errors; | |||
2353 | for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { | |||
2354 | if (SymReaper.isDead(I->first)) { | |||
2355 | if (I->second.isAllocated() || I->second.isAllocatedOfSizeZero()) | |||
2356 | Errors.push_back(I->first); | |||
2357 | // Remove the dead symbol from the map. | |||
2358 | RS = F.remove(RS, I->first); | |||
2359 | } | |||
2360 | } | |||
2361 | ||||
2362 | if (RS == OldRS) { | |||
2363 | // We shouldn't have touched other maps yet. | |||
2364 | assert(state->get<ReallocPairs>() ==((state->get<ReallocPairs>() == C.getState()->get <ReallocPairs>()) ? static_cast<void> (0) : __assert_fail ("state->get<ReallocPairs>() == C.getState()->get<ReallocPairs>()" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2365, __PRETTY_FUNCTION__)) | |||
2365 | C.getState()->get<ReallocPairs>())((state->get<ReallocPairs>() == C.getState()->get <ReallocPairs>()) ? static_cast<void> (0) : __assert_fail ("state->get<ReallocPairs>() == C.getState()->get<ReallocPairs>()" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2365, __PRETTY_FUNCTION__)); | |||
2366 | assert(state->get<FreeReturnValue>() ==((state->get<FreeReturnValue>() == C.getState()-> get<FreeReturnValue>()) ? static_cast<void> (0) : __assert_fail ("state->get<FreeReturnValue>() == C.getState()->get<FreeReturnValue>()" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2367, __PRETTY_FUNCTION__)) | |||
2367 | C.getState()->get<FreeReturnValue>())((state->get<FreeReturnValue>() == C.getState()-> get<FreeReturnValue>()) ? static_cast<void> (0) : __assert_fail ("state->get<FreeReturnValue>() == C.getState()->get<FreeReturnValue>()" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2367, __PRETTY_FUNCTION__)); | |||
2368 | return; | |||
2369 | } | |||
2370 | ||||
2371 | // Cleanup the Realloc Pairs Map. | |||
2372 | ReallocPairsTy RP = state->get<ReallocPairs>(); | |||
2373 | for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { | |||
2374 | if (SymReaper.isDead(I->first) || | |||
2375 | SymReaper.isDead(I->second.ReallocatedSym)) { | |||
2376 | state = state->remove<ReallocPairs>(I->first); | |||
2377 | } | |||
2378 | } | |||
2379 | ||||
2380 | // Cleanup the FreeReturnValue Map. | |||
2381 | FreeReturnValueTy FR = state->get<FreeReturnValue>(); | |||
2382 | for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { | |||
2383 | if (SymReaper.isDead(I->first) || | |||
2384 | SymReaper.isDead(I->second)) { | |||
2385 | state = state->remove<FreeReturnValue>(I->first); | |||
2386 | } | |||
2387 | } | |||
2388 | ||||
2389 | // Generate leak node. | |||
2390 | ExplodedNode *N = C.getPredecessor(); | |||
2391 | if (!Errors.empty()) { | |||
2392 | static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); | |||
2393 | N = C.generateNonFatalErrorNode(C.getState(), &Tag); | |||
2394 | if (N) { | |||
2395 | for (SmallVectorImpl<SymbolRef>::iterator | |||
2396 | I = Errors.begin(), E = Errors.end(); I != E; ++I) { | |||
2397 | reportLeak(*I, N, C); | |||
2398 | } | |||
2399 | } | |||
2400 | } | |||
2401 | ||||
2402 | C.addTransition(state->set<RegionState>(RS), N); | |||
2403 | } | |||
2404 | ||||
2405 | void MallocChecker::checkPreCall(const CallEvent &Call, | |||
2406 | CheckerContext &C) const { | |||
2407 | ||||
2408 | if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { | |||
2409 | SymbolRef Sym = DC->getCXXThisVal().getAsSymbol(); | |||
2410 | if (!Sym || checkDoubleDelete(Sym, C)) | |||
2411 | return; | |||
2412 | } | |||
2413 | ||||
2414 | // We will check for double free in the post visit. | |||
2415 | if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { | |||
2416 | const FunctionDecl *FD = FC->getDecl(); | |||
2417 | if (!FD) | |||
2418 | return; | |||
2419 | ||||
2420 | ASTContext &Ctx = C.getASTContext(); | |||
2421 | if (ChecksEnabled[CK_MallocChecker] && | |||
2422 | (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) || | |||
2423 | isCMemFunction(FD, Ctx, AF_IfNameIndex, | |||
2424 | MemoryOperationKind::MOK_Free))) | |||
2425 | return; | |||
2426 | } | |||
2427 | ||||
2428 | // Check if the callee of a method is deleted. | |||
2429 | if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { | |||
2430 | SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); | |||
2431 | if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) | |||
2432 | return; | |||
2433 | } | |||
2434 | ||||
2435 | // Check arguments for being used after free. | |||
2436 | for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { | |||
2437 | SVal ArgSVal = Call.getArgSVal(I); | |||
2438 | if (ArgSVal.getAs<Loc>()) { | |||
2439 | SymbolRef Sym = ArgSVal.getAsSymbol(); | |||
2440 | if (!Sym) | |||
2441 | continue; | |||
2442 | if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) | |||
2443 | return; | |||
2444 | } | |||
2445 | } | |||
2446 | } | |||
2447 | ||||
2448 | void MallocChecker::checkPreStmt(const ReturnStmt *S, | |||
2449 | CheckerContext &C) const { | |||
2450 | checkEscapeOnReturn(S, C); | |||
2451 | } | |||
2452 | ||||
2453 | // In the CFG, automatic destructors come after the return statement. | |||
2454 | // This callback checks for returning memory that is freed by automatic | |||
2455 | // destructors, as those cannot be reached in checkPreStmt(). | |||
2456 | void MallocChecker::checkEndFunction(const ReturnStmt *S, | |||
2457 | CheckerContext &C) const { | |||
2458 | checkEscapeOnReturn(S, C); | |||
2459 | } | |||
2460 | ||||
2461 | void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S, | |||
2462 | CheckerContext &C) const { | |||
2463 | if (!S) | |||
2464 | return; | |||
2465 | ||||
2466 | const Expr *E = S->getRetValue(); | |||
2467 | if (!E) | |||
2468 | return; | |||
2469 | ||||
2470 | // Check if we are returning a symbol. | |||
2471 | ProgramStateRef State = C.getState(); | |||
2472 | SVal RetVal = C.getSVal(E); | |||
2473 | SymbolRef Sym = RetVal.getAsSymbol(); | |||
2474 | if (!Sym) | |||
2475 | // If we are returning a field of the allocated struct or an array element, | |||
2476 | // the callee could still free the memory. | |||
2477 | // TODO: This logic should be a part of generic symbol escape callback. | |||
2478 | if (const MemRegion *MR = RetVal.getAsRegion()) | |||
2479 | if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) | |||
2480 | if (const SymbolicRegion *BMR = | |||
2481 | dyn_cast<SymbolicRegion>(MR->getBaseRegion())) | |||
2482 | Sym = BMR->getSymbol(); | |||
2483 | ||||
2484 | // Check if we are returning freed memory. | |||
2485 | if (Sym) | |||
2486 | checkUseAfterFree(Sym, C, E); | |||
2487 | } | |||
2488 | ||||
2489 | // TODO: Blocks should be either inlined or should call invalidate regions | |||
2490 | // upon invocation. After that's in place, special casing here will not be | |||
2491 | // needed. | |||
2492 | void MallocChecker::checkPostStmt(const BlockExpr *BE, | |||
2493 | CheckerContext &C) const { | |||
2494 | ||||
2495 | // Scan the BlockDecRefExprs for any object the retain count checker | |||
2496 | // may be tracking. | |||
2497 | if (!BE->getBlockDecl()->hasCaptures()) | |||
2498 | return; | |||
2499 | ||||
2500 | ProgramStateRef state = C.getState(); | |||
2501 | const BlockDataRegion *R = | |||
2502 | cast<BlockDataRegion>(C.getSVal(BE).getAsRegion()); | |||
2503 | ||||
2504 | BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), | |||
2505 | E = R->referenced_vars_end(); | |||
2506 | ||||
2507 | if (I == E) | |||
2508 | return; | |||
2509 | ||||
2510 | SmallVector<const MemRegion*, 10> Regions; | |||
2511 | const LocationContext *LC = C.getLocationContext(); | |||
2512 | MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); | |||
2513 | ||||
2514 | for ( ; I != E; ++I) { | |||
2515 | const VarRegion *VR = I.getCapturedRegion(); | |||
2516 | if (VR->getSuperRegion() == R) { | |||
2517 | VR = MemMgr.getVarRegion(VR->getDecl(), LC); | |||
2518 | } | |||
2519 | Regions.push_back(VR); | |||
2520 | } | |||
2521 | ||||
2522 | state = | |||
2523 | state->scanReachableSymbols<StopTrackingCallback>(Regions).getState(); | |||
2524 | C.addTransition(state); | |||
2525 | } | |||
2526 | ||||
2527 | bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { | |||
2528 | assert(Sym)((Sym) ? static_cast<void> (0) : __assert_fail ("Sym", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2528, __PRETTY_FUNCTION__)); | |||
2529 | const RefState *RS = C.getState()->get<RegionState>(Sym); | |||
2530 | return (RS && RS->isReleased()); | |||
2531 | } | |||
2532 | ||||
2533 | bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, | |||
2534 | const Stmt *S) const { | |||
2535 | ||||
2536 | if (isReleased(Sym, C)) { | |||
2537 | ReportUseAfterFree(C, S->getSourceRange(), Sym); | |||
2538 | return true; | |||
2539 | } | |||
2540 | ||||
2541 | return false; | |||
2542 | } | |||
2543 | ||||
2544 | void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, | |||
2545 | const Stmt *S) const { | |||
2546 | assert(Sym)((Sym) ? static_cast<void> (0) : __assert_fail ("Sym", "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2546, __PRETTY_FUNCTION__)); | |||
2547 | ||||
2548 | if (const RefState *RS = C.getState()->get<RegionState>(Sym)) { | |||
2549 | if (RS->isAllocatedOfSizeZero()) | |||
2550 | ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym); | |||
2551 | } | |||
2552 | else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) { | |||
2553 | ReportUseZeroAllocated(C, S->getSourceRange(), Sym); | |||
2554 | } | |||
2555 | } | |||
2556 | ||||
2557 | bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { | |||
2558 | ||||
2559 | if (isReleased(Sym, C)) { | |||
2560 | ReportDoubleDelete(C, Sym); | |||
2561 | return true; | |||
2562 | } | |||
2563 | return false; | |||
2564 | } | |||
2565 | ||||
2566 | // Check if the location is a freed symbolic region. | |||
2567 | void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, | |||
2568 | CheckerContext &C) const { | |||
2569 | SymbolRef Sym = l.getLocSymbolInBase(); | |||
2570 | if (Sym) { | |||
2571 | checkUseAfterFree(Sym, C, S); | |||
2572 | checkUseZeroAllocated(Sym, C, S); | |||
2573 | } | |||
2574 | } | |||
2575 | ||||
2576 | // If a symbolic region is assumed to NULL (or another constant), stop tracking | |||
2577 | // it - assuming that allocation failed on this path. | |||
2578 | ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, | |||
2579 | SVal Cond, | |||
2580 | bool Assumption) const { | |||
2581 | RegionStateTy RS = state->get<RegionState>(); | |||
2582 | for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { | |||
2583 | // If the symbol is assumed to be NULL, remove it from consideration. | |||
2584 | ConstraintManager &CMgr = state->getConstraintManager(); | |||
2585 | ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); | |||
2586 | if (AllocFailed.isConstrainedTrue()) | |||
2587 | state = state->remove<RegionState>(I.getKey()); | |||
2588 | } | |||
2589 | ||||
2590 | // Realloc returns 0 when reallocation fails, which means that we should | |||
2591 | // restore the state of the pointer being reallocated. | |||
2592 | ReallocPairsTy RP = state->get<ReallocPairs>(); | |||
2593 | for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { | |||
2594 | // If the symbol is assumed to be NULL, remove it from consideration. | |||
2595 | ConstraintManager &CMgr = state->getConstraintManager(); | |||
2596 | ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); | |||
2597 | if (!AllocFailed.isConstrainedTrue()) | |||
2598 | continue; | |||
2599 | ||||
2600 | SymbolRef ReallocSym = I.getData().ReallocatedSym; | |||
2601 | if (const RefState *RS = state->get<RegionState>(ReallocSym)) { | |||
2602 | if (RS->isReleased()) { | |||
2603 | if (I.getData().Kind == RPToBeFreedAfterFailure) | |||
2604 | state = state->set<RegionState>(ReallocSym, | |||
2605 | RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); | |||
2606 | else if (I.getData().Kind == RPDoNotTrackAfterFailure) | |||
2607 | state = state->remove<RegionState>(ReallocSym); | |||
2608 | else | |||
2609 | assert(I.getData().Kind == RPIsFreeOnFailure)((I.getData().Kind == RPIsFreeOnFailure) ? static_cast<void > (0) : __assert_fail ("I.getData().Kind == RPIsFreeOnFailure" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2609, __PRETTY_FUNCTION__)); | |||
2610 | } | |||
2611 | } | |||
2612 | state = state->remove<ReallocPairs>(I.getKey()); | |||
2613 | } | |||
2614 | ||||
2615 | return state; | |||
2616 | } | |||
2617 | ||||
2618 | bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( | |||
2619 | const CallEvent *Call, | |||
2620 | ProgramStateRef State, | |||
2621 | SymbolRef &EscapingSymbol) const { | |||
2622 | assert(Call)((Call) ? static_cast<void> (0) : __assert_fail ("Call" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2622, __PRETTY_FUNCTION__)); | |||
2623 | EscapingSymbol = nullptr; | |||
2624 | ||||
2625 | // For now, assume that any C++ or block call can free memory. | |||
2626 | // TODO: If we want to be more optimistic here, we'll need to make sure that | |||
2627 | // regions escape to C++ containers. They seem to do that even now, but for | |||
2628 | // mysterious reasons. | |||
2629 | if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call))) | |||
2630 | return true; | |||
2631 | ||||
2632 | // Check Objective-C messages by selector name. | |||
2633 | if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { | |||
2634 | // If it's not a framework call, or if it takes a callback, assume it | |||
2635 | // can free memory. | |||
2636 | if (!Call->isInSystemHeader() || Call->argumentsMayEscape()) | |||
2637 | return true; | |||
2638 | ||||
2639 | // If it's a method we know about, handle it explicitly post-call. | |||
2640 | // This should happen before the "freeWhenDone" check below. | |||
2641 | if (isKnownDeallocObjCMethodName(*Msg)) | |||
2642 | return false; | |||
2643 | ||||
2644 | // If there's a "freeWhenDone" parameter, but the method isn't one we know | |||
2645 | // about, we can't be sure that the object will use free() to deallocate the | |||
2646 | // memory, so we can't model it explicitly. The best we can do is use it to | |||
2647 | // decide whether the pointer escapes. | |||
2648 | if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) | |||
2649 | return *FreeWhenDone; | |||
2650 | ||||
2651 | // If the first selector piece ends with "NoCopy", and there is no | |||
2652 | // "freeWhenDone" parameter set to zero, we know ownership is being | |||
2653 | // transferred. Again, though, we can't be sure that the object will use | |||
2654 | // free() to deallocate the memory, so we can't model it explicitly. | |||
2655 | StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); | |||
2656 | if (FirstSlot.endswith("NoCopy")) | |||
2657 | return true; | |||
2658 | ||||
2659 | // If the first selector starts with addPointer, insertPointer, | |||
2660 | // or replacePointer, assume we are dealing with NSPointerArray or similar. | |||
2661 | // This is similar to C++ containers (vector); we still might want to check | |||
2662 | // that the pointers get freed by following the container itself. | |||
2663 | if (FirstSlot.startswith("addPointer") || | |||
2664 | FirstSlot.startswith("insertPointer") || | |||
2665 | FirstSlot.startswith("replacePointer") || | |||
2666 | FirstSlot.equals("valueWithPointer")) { | |||
2667 | return true; | |||
2668 | } | |||
2669 | ||||
2670 | // We should escape receiver on call to 'init'. This is especially relevant | |||
2671 | // to the receiver, as the corresponding symbol is usually not referenced | |||
2672 | // after the call. | |||
2673 | if (Msg->getMethodFamily() == OMF_init) { | |||
2674 | EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); | |||
2675 | return true; | |||
2676 | } | |||
2677 | ||||
2678 | // Otherwise, assume that the method does not free memory. | |||
2679 | // Most framework methods do not free memory. | |||
2680 | return false; | |||
2681 | } | |||
2682 | ||||
2683 | // At this point the only thing left to handle is straight function calls. | |||
2684 | const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl(); | |||
2685 | if (!FD) | |||
2686 | return true; | |||
2687 | ||||
2688 | ASTContext &ASTC = State->getStateManager().getContext(); | |||
2689 | ||||
2690 | // If it's one of the allocation functions we can reason about, we model | |||
2691 | // its behavior explicitly. | |||
2692 | if (isMemFunction(FD, ASTC)) | |||
2693 | return false; | |||
2694 | ||||
2695 | // If it's not a system call, assume it frees memory. | |||
2696 | if (!Call->isInSystemHeader()) | |||
2697 | return true; | |||
2698 | ||||
2699 | // White list the system functions whose arguments escape. | |||
2700 | const IdentifierInfo *II = FD->getIdentifier(); | |||
2701 | if (!II) | |||
2702 | return true; | |||
2703 | StringRef FName = II->getName(); | |||
2704 | ||||
2705 | // White list the 'XXXNoCopy' CoreFoundation functions. | |||
2706 | // We specifically check these before | |||
2707 | if (FName.endswith("NoCopy")) { | |||
2708 | // Look for the deallocator argument. We know that the memory ownership | |||
2709 | // is not transferred only if the deallocator argument is | |||
2710 | // 'kCFAllocatorNull'. | |||
2711 | for (unsigned i = 1; i < Call->getNumArgs(); ++i) { | |||
2712 | const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); | |||
2713 | if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { | |||
2714 | StringRef DeallocatorName = DE->getFoundDecl()->getName(); | |||
2715 | if (DeallocatorName == "kCFAllocatorNull") | |||
2716 | return false; | |||
2717 | } | |||
2718 | } | |||
2719 | return true; | |||
2720 | } | |||
2721 | ||||
2722 | // Associating streams with malloced buffers. The pointer can escape if | |||
2723 | // 'closefn' is specified (and if that function does free memory), | |||
2724 | // but it will not if closefn is not specified. | |||
2725 | // Currently, we do not inspect the 'closefn' function (PR12101). | |||
2726 | if (FName == "funopen") | |||
2727 | if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) | |||
2728 | return false; | |||
2729 | ||||
2730 | // Do not warn on pointers passed to 'setbuf' when used with std streams, | |||
2731 | // these leaks might be intentional when setting the buffer for stdio. | |||
2732 | // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer | |||
2733 | if (FName == "setbuf" || FName =="setbuffer" || | |||
2734 | FName == "setlinebuf" || FName == "setvbuf") { | |||
2735 | if (Call->getNumArgs() >= 1) { | |||
2736 | const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); | |||
2737 | if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) | |||
2738 | if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) | |||
2739 | if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) | |||
2740 | return true; | |||
2741 | } | |||
2742 | } | |||
2743 | ||||
2744 | // A bunch of other functions which either take ownership of a pointer or | |||
2745 | // wrap the result up in a struct or object, meaning it can be freed later. | |||
2746 | // (See RetainCountChecker.) Not all the parameters here are invalidated, | |||
2747 | // but the Malloc checker cannot differentiate between them. The right way | |||
2748 | // of doing this would be to implement a pointer escapes callback. | |||
2749 | if (FName == "CGBitmapContextCreate" || | |||
2750 | FName == "CGBitmapContextCreateWithData" || | |||
2751 | FName == "CVPixelBufferCreateWithBytes" || | |||
2752 | FName == "CVPixelBufferCreateWithPlanarBytes" || | |||
2753 | FName == "OSAtomicEnqueue") { | |||
2754 | return true; | |||
2755 | } | |||
2756 | ||||
2757 | if (FName == "postEvent" && | |||
2758 | FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { | |||
2759 | return true; | |||
2760 | } | |||
2761 | ||||
2762 | if (FName == "postEvent" && | |||
2763 | FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") { | |||
2764 | return true; | |||
2765 | } | |||
2766 | ||||
2767 | if (FName == "connectImpl" && | |||
2768 | FD->getQualifiedNameAsString() == "QObject::connectImpl") { | |||
2769 | return true; | |||
2770 | } | |||
2771 | ||||
2772 | // Handle cases where we know a buffer's /address/ can escape. | |||
2773 | // Note that the above checks handle some special cases where we know that | |||
2774 | // even though the address escapes, it's still our responsibility to free the | |||
2775 | // buffer. | |||
2776 | if (Call->argumentsMayEscape()) | |||
2777 | return true; | |||
2778 | ||||
2779 | // Otherwise, assume that the function does not free memory. | |||
2780 | // Most system calls do not free the memory. | |||
2781 | return false; | |||
2782 | } | |||
2783 | ||||
2784 | static bool retTrue(const RefState *RS) { | |||
2785 | return true; | |||
2786 | } | |||
2787 | ||||
2788 | static bool checkIfNewOrNewArrayFamily(const RefState *RS) { | |||
2789 | return (RS->getAllocationFamily() == AF_CXXNewArray || | |||
2790 | RS->getAllocationFamily() == AF_CXXNew); | |||
2791 | } | |||
2792 | ||||
2793 | ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, | |||
2794 | const InvalidatedSymbols &Escaped, | |||
2795 | const CallEvent *Call, | |||
2796 | PointerEscapeKind Kind) const { | |||
2797 | return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); | |||
2798 | } | |||
2799 | ||||
2800 | ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, | |||
2801 | const InvalidatedSymbols &Escaped, | |||
2802 | const CallEvent *Call, | |||
2803 | PointerEscapeKind Kind) const { | |||
2804 | return checkPointerEscapeAux(State, Escaped, Call, Kind, | |||
2805 | &checkIfNewOrNewArrayFamily); | |||
2806 | } | |||
2807 | ||||
2808 | ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, | |||
2809 | const InvalidatedSymbols &Escaped, | |||
2810 | const CallEvent *Call, | |||
2811 | PointerEscapeKind Kind, | |||
2812 | bool(*CheckRefState)(const RefState*)) const { | |||
2813 | // If we know that the call does not free memory, or we want to process the | |||
2814 | // call later, keep tracking the top level arguments. | |||
2815 | SymbolRef EscapingSymbol = nullptr; | |||
2816 | if (Kind == PSK_DirectEscapeOnCall && | |||
2817 | !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, | |||
2818 | EscapingSymbol) && | |||
2819 | !EscapingSymbol) { | |||
2820 | return State; | |||
2821 | } | |||
2822 | ||||
2823 | for (InvalidatedSymbols::const_iterator I = Escaped.begin(), | |||
2824 | E = Escaped.end(); | |||
2825 | I != E; ++I) { | |||
2826 | SymbolRef sym = *I; | |||
2827 | ||||
2828 | if (EscapingSymbol && EscapingSymbol != sym) | |||
2829 | continue; | |||
2830 | ||||
2831 | if (const RefState *RS = State->get<RegionState>(sym)) { | |||
2832 | if ((RS->isAllocated() || RS->isAllocatedOfSizeZero()) && | |||
2833 | CheckRefState(RS)) { | |||
2834 | State = State->remove<RegionState>(sym); | |||
2835 | State = State->set<RegionState>(sym, RefState::getEscaped(RS)); | |||
2836 | } | |||
2837 | } | |||
2838 | } | |||
2839 | return State; | |||
2840 | } | |||
2841 | ||||
2842 | static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, | |||
2843 | ProgramStateRef prevState) { | |||
2844 | ReallocPairsTy currMap = currState->get<ReallocPairs>(); | |||
2845 | ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); | |||
2846 | ||||
2847 | for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); | |||
2848 | I != E; ++I) { | |||
2849 | SymbolRef sym = I.getKey(); | |||
2850 | if (!currMap.lookup(sym)) | |||
2851 | return sym; | |||
2852 | } | |||
2853 | ||||
2854 | return nullptr; | |||
2855 | } | |||
2856 | ||||
2857 | static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) { | |||
2858 | if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) { | |||
2859 | StringRef N = II->getName(); | |||
2860 | if (N.contains_lower("ptr") || N.contains_lower("pointer")) { | |||
2861 | if (N.contains_lower("ref") || N.contains_lower("cnt") || | |||
2862 | N.contains_lower("intrusive") || N.contains_lower("shared")) { | |||
2863 | return true; | |||
2864 | } | |||
2865 | } | |||
2866 | } | |||
2867 | return false; | |||
2868 | } | |||
2869 | ||||
2870 | std::shared_ptr<PathDiagnosticPiece> MallocChecker::MallocBugVisitor::VisitNode( | |||
2871 | const ExplodedNode *N, BugReporterContext &BRC, BugReport &BR) { | |||
2872 | ||||
2873 | ProgramStateRef state = N->getState(); | |||
2874 | ProgramStateRef statePrev = N->getFirstPred()->getState(); | |||
2875 | ||||
2876 | const RefState *RS = state->get<RegionState>(Sym); | |||
2877 | const RefState *RSPrev = statePrev->get<RegionState>(Sym); | |||
2878 | ||||
2879 | const Stmt *S = PathDiagnosticLocation::getStmt(N); | |||
2880 | // When dealing with containers, we sometimes want to give a note | |||
2881 | // even if the statement is missing. | |||
2882 | if (!S && (!RS || RS->getAllocationFamily() != AF_InnerBuffer)) | |||
| ||||
2883 | return nullptr; | |||
2884 | ||||
2885 | const LocationContext *CurrentLC = N->getLocationContext(); | |||
2886 | ||||
2887 | // If we find an atomic fetch_add or fetch_sub within the destructor in which | |||
2888 | // the pointer was released (before the release), this is likely a destructor | |||
2889 | // of a shared pointer. | |||
2890 | // Because we don't model atomics, and also because we don't know that the | |||
2891 | // original reference count is positive, we should not report use-after-frees | |||
2892 | // on objects deleted in such destructors. This can probably be improved | |||
2893 | // through better shared pointer modeling. | |||
2894 | if (ReleaseDestructorLC) { | |||
2895 | if (const auto *AE = dyn_cast<AtomicExpr>(S)) { | |||
2896 | AtomicExpr::AtomicOp Op = AE->getOp(); | |||
2897 | if (Op == AtomicExpr::AO__c11_atomic_fetch_add || | |||
2898 | Op == AtomicExpr::AO__c11_atomic_fetch_sub) { | |||
2899 | if (ReleaseDestructorLC == CurrentLC || | |||
2900 | ReleaseDestructorLC->isParentOf(CurrentLC)) { | |||
2901 | BR.markInvalid(getTag(), S); | |||
2902 | } | |||
2903 | } | |||
2904 | } | |||
2905 | } | |||
2906 | ||||
2907 | // FIXME: We will eventually need to handle non-statement-based events | |||
2908 | // (__attribute__((cleanup))). | |||
2909 | ||||
2910 | // Find out if this is an interesting point and what is the kind. | |||
2911 | StringRef Msg; | |||
2912 | StackHintGeneratorForSymbol *StackHint = nullptr; | |||
2913 | SmallString<256> Buf; | |||
2914 | llvm::raw_svector_ostream OS(Buf); | |||
2915 | ||||
2916 | if (Mode == Normal) { | |||
2917 | if (isAllocated(RS, RSPrev, S)) { | |||
2918 | Msg = "Memory is allocated"; | |||
2919 | StackHint = new StackHintGeneratorForSymbol(Sym, | |||
2920 | "Returned allocated memory"); | |||
2921 | } else if (isReleased(RS, RSPrev, S)) { | |||
2922 | const auto Family = RS->getAllocationFamily(); | |||
2923 | switch (Family) { | |||
2924 | case AF_Alloca: | |||
2925 | case AF_Malloc: | |||
2926 | case AF_CXXNew: | |||
2927 | case AF_CXXNewArray: | |||
2928 | case AF_IfNameIndex: | |||
2929 | Msg = "Memory is released"; | |||
2930 | StackHint = new StackHintGeneratorForSymbol(Sym, | |||
2931 | "Returning; memory was released"); | |||
2932 | break; | |||
2933 | case AF_InnerBuffer: { | |||
2934 | const MemRegion *ObjRegion = | |||
2935 | allocation_state::getContainerObjRegion(statePrev, Sym); | |||
2936 | const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion); | |||
2937 | QualType ObjTy = TypedRegion->getValueType(); | |||
2938 | OS << "Inner buffer of '" << ObjTy.getAsString() << "' "; | |||
2939 | ||||
2940 | if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) { | |||
2941 | OS << "deallocated by call to destructor"; | |||
2942 | StackHint = new StackHintGeneratorForSymbol(Sym, | |||
2943 | "Returning; inner buffer was deallocated"); | |||
2944 | } else { | |||
2945 | OS << "reallocated by call to '"; | |||
2946 | const Stmt *S = RS->getStmt(); | |||
2947 | if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) { | |||
2948 | OS << MemCallE->getMethodDecl()->getNameAsString(); | |||
2949 | } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) { | |||
2950 | OS << OpCallE->getDirectCallee()->getNameAsString(); | |||
2951 | } else if (const auto *CallE = dyn_cast<CallExpr>(S)) { | |||
2952 | auto &CEMgr = BRC.getStateManager().getCallEventManager(); | |||
2953 | CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC); | |||
2954 | const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl()); | |||
2955 | OS << (D ? D->getNameAsString() : "unknown"); | |||
2956 | } | |||
2957 | OS << "'"; | |||
2958 | StackHint = new StackHintGeneratorForSymbol(Sym, | |||
2959 | "Returning; inner buffer was reallocated"); | |||
2960 | } | |||
2961 | Msg = OS.str(); | |||
2962 | break; | |||
2963 | } | |||
2964 | case AF_None: | |||
2965 | llvm_unreachable("Unhandled allocation family!")::llvm::llvm_unreachable_internal("Unhandled allocation family!" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2965); | |||
2966 | } | |||
2967 | ||||
2968 | // See if we're releasing memory while inlining a destructor | |||
2969 | // (or one of its callees). This turns on various common | |||
2970 | // false positive suppressions. | |||
2971 | bool FoundAnyDestructor = false; | |||
2972 | for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) { | |||
2973 | if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) { | |||
2974 | if (isReferenceCountingPointerDestructor(DD)) { | |||
2975 | // This immediately looks like a reference-counting destructor. | |||
2976 | // We're bad at guessing the original reference count of the object, | |||
2977 | // so suppress the report for now. | |||
2978 | BR.markInvalid(getTag(), DD); | |||
2979 | } else if (!FoundAnyDestructor) { | |||
2980 | assert(!ReleaseDestructorLC &&((!ReleaseDestructorLC && "There can be only one release point!" ) ? static_cast<void> (0) : __assert_fail ("!ReleaseDestructorLC && \"There can be only one release point!\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2981, __PRETTY_FUNCTION__)) | |||
2981 | "There can be only one release point!")((!ReleaseDestructorLC && "There can be only one release point!" ) ? static_cast<void> (0) : __assert_fail ("!ReleaseDestructorLC && \"There can be only one release point!\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 2981, __PRETTY_FUNCTION__)); | |||
2982 | // Suspect that it's a reference counting pointer destructor. | |||
2983 | // On one of the next nodes might find out that it has atomic | |||
2984 | // reference counting operations within it (see the code above), | |||
2985 | // and if so, we'd conclude that it likely is a reference counting | |||
2986 | // pointer destructor. | |||
2987 | ReleaseDestructorLC = LC->getStackFrame(); | |||
2988 | // It is unlikely that releasing memory is delegated to a destructor | |||
2989 | // inside a destructor of a shared pointer, because it's fairly hard | |||
2990 | // to pass the information that the pointer indeed needs to be | |||
2991 | // released into it. So we're only interested in the innermost | |||
2992 | // destructor. | |||
2993 | FoundAnyDestructor = true; | |||
2994 | } | |||
2995 | } | |||
2996 | } | |||
2997 | } else if (isRelinquished(RS, RSPrev, S)) { | |||
2998 | Msg = "Memory ownership is transferred"; | |||
2999 | StackHint = new StackHintGeneratorForSymbol(Sym, ""); | |||
3000 | } else if (isReallocFailedCheck(RS, RSPrev, S)) { | |||
3001 | Mode = ReallocationFailed; | |||
3002 | Msg = "Reallocation failed"; | |||
3003 | StackHint = new StackHintGeneratorForReallocationFailed(Sym, | |||
3004 | "Reallocation failed"); | |||
3005 | ||||
3006 | if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { | |||
3007 | // Is it possible to fail two reallocs WITHOUT testing in between? | |||
3008 | assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&(((!FailedReallocSymbol || FailedReallocSymbol == sym) && "We only support one failed realloc at a time.") ? static_cast <void> (0) : __assert_fail ("(!FailedReallocSymbol || FailedReallocSymbol == sym) && \"We only support one failed realloc at a time.\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 3009, __PRETTY_FUNCTION__)) | |||
3009 | "We only support one failed realloc at a time.")(((!FailedReallocSymbol || FailedReallocSymbol == sym) && "We only support one failed realloc at a time.") ? static_cast <void> (0) : __assert_fail ("(!FailedReallocSymbol || FailedReallocSymbol == sym) && \"We only support one failed realloc at a time.\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 3009, __PRETTY_FUNCTION__)); | |||
3010 | BR.markInteresting(sym); | |||
3011 | FailedReallocSymbol = sym; | |||
3012 | } | |||
3013 | } | |||
3014 | ||||
3015 | // We are in a special mode if a reallocation failed later in the path. | |||
3016 | } else if (Mode == ReallocationFailed) { | |||
3017 | assert(FailedReallocSymbol && "No symbol to look for.")((FailedReallocSymbol && "No symbol to look for.") ? static_cast <void> (0) : __assert_fail ("FailedReallocSymbol && \"No symbol to look for.\"" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 3017, __PRETTY_FUNCTION__)); | |||
3018 | ||||
3019 | // Is this is the first appearance of the reallocated symbol? | |||
3020 | if (!statePrev->get<RegionState>(FailedReallocSymbol)) { | |||
3021 | // We're at the reallocation point. | |||
3022 | Msg = "Attempt to reallocate memory"; | |||
3023 | StackHint = new StackHintGeneratorForSymbol(Sym, | |||
3024 | "Returned reallocated memory"); | |||
3025 | FailedReallocSymbol = nullptr; | |||
3026 | Mode = Normal; | |||
3027 | } | |||
3028 | } | |||
3029 | ||||
3030 | if (Msg.empty()) | |||
3031 | return nullptr; | |||
| ||||
3032 | assert(StackHint)((StackHint) ? static_cast<void> (0) : __assert_fail ("StackHint" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 3032, __PRETTY_FUNCTION__)); | |||
3033 | ||||
3034 | // Generate the extra diagnostic. | |||
3035 | PathDiagnosticLocation Pos; | |||
3036 | if (!S) { | |||
3037 | assert(RS->getAllocationFamily() == AF_InnerBuffer)((RS->getAllocationFamily() == AF_InnerBuffer) ? static_cast <void> (0) : __assert_fail ("RS->getAllocationFamily() == AF_InnerBuffer" , "/build/llvm-toolchain-snapshot-9~svn362543/tools/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp" , 3037, __PRETTY_FUNCTION__)); | |||
3038 | auto PostImplCall = N->getLocation().getAs<PostImplicitCall>(); | |||
3039 | if (!PostImplCall) | |||
3040 | return nullptr; | |||
3041 | Pos = PathDiagnosticLocation(PostImplCall->getLocation(), | |||
3042 | BRC.getSourceManager()); | |||
3043 | } else { | |||
3044 | Pos = PathDiagnosticLocation(S, BRC.getSourceManager(), | |||
3045 | N->getLocationContext()); | |||
3046 | } | |||
3047 | ||||
3048 | return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true, StackHint); | |||
3049 | } | |||
3050 | ||||
3051 | void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, | |||
3052 | const char *NL, const char *Sep) const { | |||
3053 | ||||
3054 | RegionStateTy RS = State->get<RegionState>(); | |||
3055 | ||||
3056 | if (!RS.isEmpty()) { | |||
3057 | Out << Sep << "MallocChecker :" << NL; | |||
3058 | for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { | |||
3059 | const RefState *RefS = State->get<RegionState>(I.getKey()); | |||
3060 | AllocationFamily Family = RefS->getAllocationFamily(); | |||
3061 | Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); | |||
3062 | if (!CheckKind.hasValue()) | |||
3063 | CheckKind = getCheckIfTracked(Family, true); | |||
3064 | ||||
3065 | I.getKey()->dumpToStream(Out); | |||
3066 | Out << " : "; | |||
3067 | I.getData().dump(Out); | |||
3068 | if (CheckKind.hasValue()) | |||
3069 | Out << " (" << CheckNames[*CheckKind].getName() << ")"; | |||
3070 | Out << NL; | |||
3071 | } | |||
3072 | } | |||
3073 | } | |||
3074 | ||||
3075 | namespace clang { | |||
3076 | namespace ento { | |||
3077 | namespace allocation_state { | |||
3078 | ||||
3079 | ProgramStateRef | |||
3080 | markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) { | |||
3081 | AllocationFamily Family = AF_InnerBuffer; | |||
3082 | return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin)); | |||
3083 | } | |||
3084 | ||||
3085 | } // end namespace allocation_state | |||
3086 | } // end namespace ento | |||
3087 | } // end namespace clang | |||
3088 | ||||
3089 | // Intended to be used in InnerPointerChecker to register the part of | |||
3090 | // MallocChecker connected to it. | |||
3091 | void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) { | |||
3092 | MallocChecker *checker = mgr.getChecker<MallocChecker>(); | |||
3093 | checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true; | |||
3094 | checker->CheckNames[MallocChecker::CK_InnerPointerChecker] = | |||
3095 | mgr.getCurrentCheckName(); | |||
3096 | } | |||
3097 | ||||
3098 | void ento::registerDynamicMemoryModeling(CheckerManager &mgr) { | |||
3099 | auto *checker = mgr.registerChecker<MallocChecker>(); | |||
3100 | checker->IsOptimistic = mgr.getAnalyzerOptions().getCheckerBooleanOption( | |||
3101 | checker, "Optimistic"); | |||
3102 | } | |||
3103 | ||||
3104 | bool ento::shouldRegisterDynamicMemoryModeling(const LangOptions &LO) { | |||
3105 | return true; | |||
3106 | } | |||
3107 | ||||
3108 | #define REGISTER_CHECKER(name)void ento::registername(CheckerManager &mgr) { MallocChecker *checker = mgr.getChecker<MallocChecker>(); checker-> ChecksEnabled[MallocChecker::CK_name] = true; checker->CheckNames [MallocChecker::CK_name] = mgr.getCurrentCheckName(); } bool ento ::shouldRegistername(const LangOptions &LO) { return true ; } \ | |||
3109 | void ento::register##name(CheckerManager &mgr) { \ | |||
3110 | MallocChecker *checker = mgr.getChecker<MallocChecker>(); \ | |||
3111 | checker->ChecksEnabled[MallocChecker::CK_##name] = true; \ | |||
3112 | checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \ | |||
3113 | } \ | |||
3114 | \ | |||
3115 | bool ento::shouldRegister##name(const LangOptions &LO) { \ | |||
3116 | return true; \ | |||
3117 | } | |||
3118 | ||||
3119 | REGISTER_CHECKER(MallocChecker)void ento::registerMallocChecker(CheckerManager &mgr) { MallocChecker *checker = mgr.getChecker<MallocChecker>(); checker-> ChecksEnabled[MallocChecker::CK_MallocChecker] = true; checker ->CheckNames[MallocChecker::CK_MallocChecker] = mgr.getCurrentCheckName (); } bool ento::shouldRegisterMallocChecker(const LangOptions &LO) { return true; } | |||
3120 | REGISTER_CHECKER(NewDeleteChecker)void ento::registerNewDeleteChecker(CheckerManager &mgr) { MallocChecker *checker = mgr.getChecker<MallocChecker> (); checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker ] = true; checker->CheckNames[MallocChecker::CK_NewDeleteChecker ] = mgr.getCurrentCheckName(); } bool ento::shouldRegisterNewDeleteChecker (const LangOptions &LO) { return true; } | |||
3121 | REGISTER_CHECKER(NewDeleteLeaksChecker)void ento::registerNewDeleteLeaksChecker(CheckerManager & mgr) { MallocChecker *checker = mgr.getChecker<MallocChecker >(); checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker ] = true; checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker ] = mgr.getCurrentCheckName(); } bool ento::shouldRegisterNewDeleteLeaksChecker (const LangOptions &LO) { return true; } | |||
3122 | REGISTER_CHECKER(MismatchedDeallocatorChecker)void ento::registerMismatchedDeallocatorChecker(CheckerManager &mgr) { MallocChecker *checker = mgr.getChecker<MallocChecker >(); checker->ChecksEnabled[MallocChecker::CK_MismatchedDeallocatorChecker ] = true; checker->CheckNames[MallocChecker::CK_MismatchedDeallocatorChecker ] = mgr.getCurrentCheckName(); } bool ento::shouldRegisterMismatchedDeallocatorChecker (const LangOptions &LO) { return true; } |