1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/Basic/SourceManager.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20 #include "clang/StaticAnalyzer/Core/Checker.h" 21 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 27 #include "llvm/ADT/ImmutableMap.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include "llvm/ADT/SmallString.h" 30 #include "llvm/ADT/StringExtras.h" 31 #include <climits> 32 33 using namespace clang; 34 using namespace ento; 35 36 namespace { 37 38 // Used to check correspondence between allocators and deallocators. 39 enum AllocationFamily { 40 AF_None, 41 AF_Malloc, 42 AF_CXXNew, 43 AF_CXXNewArray 44 }; 45 46 class RefState { 47 enum Kind { // Reference to allocated memory. 48 Allocated, 49 // Reference to released/freed memory. 50 Released, 51 // The responsibility for freeing resources has transfered from 52 // this reference. A relinquished symbol should not be freed. 53 Relinquished, 54 // We are no longer guaranteed to have observed all manipulations 55 // of this pointer/memory. For example, it could have been 56 // passed as a parameter to an opaque function. 57 Escaped 58 }; 59 60 const Stmt *S; 61 unsigned K : 2; // Kind enum, but stored as a bitfield. 62 unsigned Family : 30; // Rest of 32-bit word, currently just an allocation 63 // family. 64 65 RefState(Kind k, const Stmt *s, unsigned family) 66 : S(s), K(k), Family(family) { 67 assert(family != AF_None); 68 } 69 public: 70 bool isAllocated() const { return K == Allocated; } 71 bool isReleased() const { return K == Released; } 72 bool isRelinquished() const { return K == Relinquished; } 73 bool isEscaped() const { return K == Escaped; } 74 AllocationFamily getAllocationFamily() const { 75 return (AllocationFamily)Family; 76 } 77 const Stmt *getStmt() const { return S; } 78 79 bool operator==(const RefState &X) const { 80 return K == X.K && S == X.S && Family == X.Family; 81 } 82 83 static RefState getAllocated(unsigned family, const Stmt *s) { 84 return RefState(Allocated, s, family); 85 } 86 static RefState getReleased(unsigned family, const Stmt *s) { 87 return RefState(Released, s, family); 88 } 89 static RefState getRelinquished(unsigned family, const Stmt *s) { 90 return RefState(Relinquished, s, family); 91 } 92 static RefState getEscaped(const RefState *RS) { 93 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily()); 94 } 95 96 void Profile(llvm::FoldingSetNodeID &ID) const { 97 ID.AddInteger(K); 98 ID.AddPointer(S); 99 ID.AddInteger(Family); 100 } 101 102 void dump(raw_ostream &OS) const { 103 static const char *const Table[] = { 104 "Allocated", 105 "Released", 106 "Relinquished" 107 }; 108 OS << Table[(unsigned) K]; 109 } 110 111 LLVM_ATTRIBUTE_USED void dump() const { 112 dump(llvm::errs()); 113 } 114 }; 115 116 enum ReallocPairKind { 117 RPToBeFreedAfterFailure, 118 // The symbol has been freed when reallocation failed. 119 RPIsFreeOnFailure, 120 // The symbol does not need to be freed after reallocation fails. 121 RPDoNotTrackAfterFailure 122 }; 123 124 /// \class ReallocPair 125 /// \brief Stores information about the symbol being reallocated by a call to 126 /// 'realloc' to allow modeling failed reallocation later in the path. 127 struct ReallocPair { 128 // \brief The symbol which realloc reallocated. 129 SymbolRef ReallocatedSym; 130 ReallocPairKind Kind; 131 132 ReallocPair(SymbolRef S, ReallocPairKind K) : 133 ReallocatedSym(S), Kind(K) {} 134 void Profile(llvm::FoldingSetNodeID &ID) const { 135 ID.AddInteger(Kind); 136 ID.AddPointer(ReallocatedSym); 137 } 138 bool operator==(const ReallocPair &X) const { 139 return ReallocatedSym == X.ReallocatedSym && 140 Kind == X.Kind; 141 } 142 }; 143 144 typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo; 145 146 class MallocChecker : public Checker<check::DeadSymbols, 147 check::PointerEscape, 148 check::ConstPointerEscape, 149 check::PreStmt<ReturnStmt>, 150 check::PreCall, 151 check::PostStmt<CallExpr>, 152 check::PostStmt<CXXNewExpr>, 153 check::PreStmt<CXXDeleteExpr>, 154 check::PostStmt<BlockExpr>, 155 check::PostObjCMessage, 156 check::Location, 157 eval::Assume> 158 { 159 mutable OwningPtr<BugType> BT_DoubleFree; 160 mutable OwningPtr<BugType> BT_Leak; 161 mutable OwningPtr<BugType> BT_UseFree; 162 mutable OwningPtr<BugType> BT_BadFree; 163 mutable OwningPtr<BugType> BT_MismatchedDealloc; 164 mutable OwningPtr<BugType> BT_OffsetFree; 165 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 166 *II_valloc, *II_reallocf, *II_strndup, *II_strdup; 167 168 public: 169 MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), 170 II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} 171 172 /// In pessimistic mode, the checker assumes that it does not know which 173 /// functions might free the memory. 174 struct ChecksFilter { 175 DefaultBool CMallocPessimistic; 176 DefaultBool CMallocOptimistic; 177 DefaultBool CNewDeleteChecker; 178 DefaultBool CNewDeleteLeaksChecker; 179 DefaultBool CMismatchedDeallocatorChecker; 180 }; 181 182 ChecksFilter Filter; 183 184 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 185 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 186 void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; 187 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; 188 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 189 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 190 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 191 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 192 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 193 bool Assumption) const; 194 void checkLocation(SVal l, bool isLoad, const Stmt *S, 195 CheckerContext &C) const; 196 197 ProgramStateRef checkPointerEscape(ProgramStateRef State, 198 const InvalidatedSymbols &Escaped, 199 const CallEvent *Call, 200 PointerEscapeKind Kind) const; 201 ProgramStateRef checkConstPointerEscape(ProgramStateRef State, 202 const InvalidatedSymbols &Escaped, 203 const CallEvent *Call, 204 PointerEscapeKind Kind) const; 205 206 void printState(raw_ostream &Out, ProgramStateRef State, 207 const char *NL, const char *Sep) const; 208 209 private: 210 void initIdentifierInfo(ASTContext &C) const; 211 212 /// \brief Determine family of a deallocation expression. 213 AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; 214 215 /// \brief Print names of allocators and deallocators. 216 /// 217 /// \returns true on success. 218 bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, 219 const Expr *E) const; 220 221 /// \brief Print expected name of an allocator based on the deallocator's 222 /// family derived from the DeallocExpr. 223 void printExpectedAllocName(raw_ostream &os, CheckerContext &C, 224 const Expr *DeallocExpr) const; 225 /// \brief Print expected name of a deallocator based on the allocator's 226 /// family. 227 void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const; 228 229 ///@{ 230 /// Check if this is one of the functions which can allocate/reallocate memory 231 /// pointed to by one of its arguments. 232 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 233 bool isFreeFunction(const FunctionDecl *FD, ASTContext &C) const; 234 bool isAllocationFunction(const FunctionDecl *FD, ASTContext &C) const; 235 bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; 236 ///@} 237 static ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 238 const CallExpr *CE, 239 const OwnershipAttr* Att); 240 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 241 const Expr *SizeEx, SVal Init, 242 ProgramStateRef State, 243 AllocationFamily Family = AF_Malloc) { 244 return MallocMemAux(C, CE, 245 State->getSVal(SizeEx, C.getLocationContext()), 246 Init, State, Family); 247 } 248 249 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 250 SVal SizeEx, SVal Init, 251 ProgramStateRef State, 252 AllocationFamily Family = AF_Malloc); 253 254 /// Update the RefState to reflect the new memory allocation. 255 static ProgramStateRef 256 MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, 257 AllocationFamily Family = AF_Malloc); 258 259 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 260 const OwnershipAttr* Att) const; 261 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 262 ProgramStateRef state, unsigned Num, 263 bool Hold, 264 bool &ReleasedAllocated, 265 bool ReturnsNullOnFailure = false) const; 266 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 267 const Expr *ParentExpr, 268 ProgramStateRef State, 269 bool Hold, 270 bool &ReleasedAllocated, 271 bool ReturnsNullOnFailure = false) const; 272 273 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 274 bool FreesMemOnFailure) const; 275 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 276 277 ///\brief Check if the memory associated with this symbol was released. 278 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 279 280 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; 281 282 /// Check if the function is known free memory, or if it is 283 /// "interesting" and should be modeled explicitly. 284 /// 285 /// \param [out] EscapingSymbol A function might not free memory in general, 286 /// but could be known to free a particular symbol. In this case, false is 287 /// returned and the single escaping symbol is returned through the out 288 /// parameter. 289 /// 290 /// We assume that pointers do not escape through calls to system functions 291 /// not handled by this checker. 292 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, 293 ProgramStateRef State, 294 SymbolRef &EscapingSymbol) const; 295 296 // Implementation of the checkPointerEscape callabcks. 297 ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, 298 const InvalidatedSymbols &Escaped, 299 const CallEvent *Call, 300 PointerEscapeKind Kind, 301 bool(*CheckRefState)(const RefState*)) const; 302 303 ///@{ 304 /// Tells if a given family/call/symbol is tracked by the current checker. 305 bool isTrackedByCurrentChecker(AllocationFamily Family) const; 306 bool isTrackedByCurrentChecker(CheckerContext &C, 307 const Stmt *AllocDeallocStmt) const; 308 bool isTrackedByCurrentChecker(CheckerContext &C, SymbolRef Sym) const; 309 ///@} 310 static bool SummarizeValue(raw_ostream &os, SVal V); 311 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 312 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 313 const Expr *DeallocExpr) const; 314 void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, 315 const Expr *DeallocExpr, const RefState *RS, 316 SymbolRef Sym) const; 317 void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, 318 const Expr *DeallocExpr, 319 const Expr *AllocExpr = 0) const; 320 void ReportUseAfterFree(CheckerContext &C, SourceRange Range, 321 SymbolRef Sym) const; 322 void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, 323 SymbolRef Sym, SymbolRef PrevSym) const; 324 325 /// Find the location of the allocation for Sym on the path leading to the 326 /// exploded node N. 327 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 328 CheckerContext &C) const; 329 330 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 331 332 /// The bug visitor which allows us to print extra diagnostics along the 333 /// BugReport path. For example, showing the allocation site of the leaked 334 /// region. 335 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 336 protected: 337 enum NotificationMode { 338 Normal, 339 ReallocationFailed 340 }; 341 342 // The allocated region symbol tracked by the main analysis. 343 SymbolRef Sym; 344 345 // The mode we are in, i.e. what kind of diagnostics will be emitted. 346 NotificationMode Mode; 347 348 // A symbol from when the primary region should have been reallocated. 349 SymbolRef FailedReallocSymbol; 350 351 bool IsLeak; 352 353 public: 354 MallocBugVisitor(SymbolRef S, bool isLeak = false) 355 : Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {} 356 357 virtual ~MallocBugVisitor() {} 358 359 void Profile(llvm::FoldingSetNodeID &ID) const { 360 static int X = 0; 361 ID.AddPointer(&X); 362 ID.AddPointer(Sym); 363 } 364 365 inline bool isAllocated(const RefState *S, const RefState *SPrev, 366 const Stmt *Stmt) { 367 // Did not track -> allocated. Other state (released) -> allocated. 368 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) && 369 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 370 } 371 372 inline bool isReleased(const RefState *S, const RefState *SPrev, 373 const Stmt *Stmt) { 374 // Did not track -> released. Other state (allocated) -> released. 375 return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt)) && 376 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 377 } 378 379 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 380 const Stmt *Stmt) { 381 // Did not track -> relinquished. Other state (allocated) -> relinquished. 382 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 383 isa<ObjCPropertyRefExpr>(Stmt)) && 384 (S && S->isRelinquished()) && 385 (!SPrev || !SPrev->isRelinquished())); 386 } 387 388 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 389 const Stmt *Stmt) { 390 // If the expression is not a call, and the state change is 391 // released -> allocated, it must be the realloc return value 392 // check. If we have to handle more cases here, it might be cleaner just 393 // to track this extra bit in the state itself. 394 return ((!Stmt || !isa<CallExpr>(Stmt)) && 395 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 396 } 397 398 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 399 const ExplodedNode *PrevN, 400 BugReporterContext &BRC, 401 BugReport &BR); 402 403 PathDiagnosticPiece* getEndPath(BugReporterContext &BRC, 404 const ExplodedNode *EndPathNode, 405 BugReport &BR) { 406 if (!IsLeak) 407 return 0; 408 409 PathDiagnosticLocation L = 410 PathDiagnosticLocation::createEndOfPath(EndPathNode, 411 BRC.getSourceManager()); 412 // Do not add the statement itself as a range in case of leak. 413 return new PathDiagnosticEventPiece(L, BR.getDescription(), false); 414 } 415 416 private: 417 class StackHintGeneratorForReallocationFailed 418 : public StackHintGeneratorForSymbol { 419 public: 420 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 421 : StackHintGeneratorForSymbol(S, M) {} 422 423 virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) { 424 // Printed parameters start at 1, not 0. 425 ++ArgIndex; 426 427 SmallString<200> buf; 428 llvm::raw_svector_ostream os(buf); 429 430 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 431 << " parameter failed"; 432 433 return os.str(); 434 } 435 436 virtual std::string getMessageForReturn(const CallExpr *CallExpr) { 437 return "Reallocation of returned value failed"; 438 } 439 }; 440 }; 441 }; 442 } // end anonymous namespace 443 444 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 445 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 446 447 // A map from the freed symbol to the symbol representing the return value of 448 // the free function. 449 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 450 451 namespace { 452 class StopTrackingCallback : public SymbolVisitor { 453 ProgramStateRef state; 454 public: 455 StopTrackingCallback(ProgramStateRef st) : state(st) {} 456 ProgramStateRef getState() const { return state; } 457 458 bool VisitSymbol(SymbolRef sym) { 459 state = state->remove<RegionState>(sym); 460 return true; 461 } 462 }; 463 } // end anonymous namespace 464 465 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 466 if (II_malloc) 467 return; 468 II_malloc = &Ctx.Idents.get("malloc"); 469 II_free = &Ctx.Idents.get("free"); 470 II_realloc = &Ctx.Idents.get("realloc"); 471 II_reallocf = &Ctx.Idents.get("reallocf"); 472 II_calloc = &Ctx.Idents.get("calloc"); 473 II_valloc = &Ctx.Idents.get("valloc"); 474 II_strdup = &Ctx.Idents.get("strdup"); 475 II_strndup = &Ctx.Idents.get("strndup"); 476 } 477 478 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 479 if (isFreeFunction(FD, C)) 480 return true; 481 482 if (isAllocationFunction(FD, C)) 483 return true; 484 485 if (isStandardNewDelete(FD, C)) 486 return true; 487 488 return false; 489 } 490 491 bool MallocChecker::isAllocationFunction(const FunctionDecl *FD, 492 ASTContext &C) const { 493 if (!FD) 494 return false; 495 496 if (FD->getKind() == Decl::Function) { 497 IdentifierInfo *FunI = FD->getIdentifier(); 498 initIdentifierInfo(C); 499 500 if (FunI == II_malloc || FunI == II_realloc || 501 FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || 502 FunI == II_strdup || FunI == II_strndup) 503 return true; 504 } 505 506 if (Filter.CMallocOptimistic && FD->hasAttrs()) 507 for (specific_attr_iterator<OwnershipAttr> 508 i = FD->specific_attr_begin<OwnershipAttr>(), 509 e = FD->specific_attr_end<OwnershipAttr>(); 510 i != e; ++i) 511 if ((*i)->getOwnKind() == OwnershipAttr::Returns) 512 return true; 513 return false; 514 } 515 516 bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const { 517 if (!FD) 518 return false; 519 520 if (FD->getKind() == Decl::Function) { 521 IdentifierInfo *FunI = FD->getIdentifier(); 522 initIdentifierInfo(C); 523 524 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 525 return true; 526 } 527 528 if (Filter.CMallocOptimistic && FD->hasAttrs()) 529 for (specific_attr_iterator<OwnershipAttr> 530 i = FD->specific_attr_begin<OwnershipAttr>(), 531 e = FD->specific_attr_end<OwnershipAttr>(); 532 i != e; ++i) 533 if ((*i)->getOwnKind() == OwnershipAttr::Takes || 534 (*i)->getOwnKind() == OwnershipAttr::Holds) 535 return true; 536 return false; 537 } 538 539 // Tells if the callee is one of the following: 540 // 1) A global non-placement new/delete operator function. 541 // 2) A global placement operator function with the single placement argument 542 // of type std::nothrow_t. 543 bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD, 544 ASTContext &C) const { 545 if (!FD) 546 return false; 547 548 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 549 if (Kind != OO_New && Kind != OO_Array_New && 550 Kind != OO_Delete && Kind != OO_Array_Delete) 551 return false; 552 553 // Skip all operator new/delete methods. 554 if (isa<CXXMethodDecl>(FD)) 555 return false; 556 557 // Return true if tested operator is a standard placement nothrow operator. 558 if (FD->getNumParams() == 2) { 559 QualType T = FD->getParamDecl(1)->getType(); 560 if (const IdentifierInfo *II = T.getBaseTypeIdentifier()) 561 return II->getName().equals("nothrow_t"); 562 } 563 564 // Skip placement operators. 565 if (FD->getNumParams() != 1 || FD->isVariadic()) 566 return false; 567 568 // One of the standard new/new[]/delete/delete[] non-placement operators. 569 return true; 570 } 571 572 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 573 if (C.wasInlined) 574 return; 575 576 const FunctionDecl *FD = C.getCalleeDecl(CE); 577 if (!FD) 578 return; 579 580 ProgramStateRef State = C.getState(); 581 bool ReleasedAllocatedMemory = false; 582 583 if (FD->getKind() == Decl::Function) { 584 initIdentifierInfo(C.getASTContext()); 585 IdentifierInfo *FunI = FD->getIdentifier(); 586 587 if (FunI == II_malloc || FunI == II_valloc) { 588 if (CE->getNumArgs() < 1) 589 return; 590 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 591 } else if (FunI == II_realloc) { 592 State = ReallocMem(C, CE, false); 593 } else if (FunI == II_reallocf) { 594 State = ReallocMem(C, CE, true); 595 } else if (FunI == II_calloc) { 596 State = CallocMem(C, CE); 597 } else if (FunI == II_free) { 598 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 599 } else if (FunI == II_strdup) { 600 State = MallocUpdateRefState(C, CE, State); 601 } else if (FunI == II_strndup) { 602 State = MallocUpdateRefState(C, CE, State); 603 } 604 else if (isStandardNewDelete(FD, C.getASTContext())) { 605 // Process direct calls to operator new/new[]/delete/delete[] functions 606 // as distinct from new/new[]/delete/delete[] expressions that are 607 // processed by the checkPostStmt callbacks for CXXNewExpr and 608 // CXXDeleteExpr. 609 OverloadedOperatorKind K = FD->getOverloadedOperator(); 610 if (K == OO_New) 611 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 612 AF_CXXNew); 613 else if (K == OO_Array_New) 614 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, 615 AF_CXXNewArray); 616 else if (K == OO_Delete || K == OO_Array_Delete) 617 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 618 else 619 llvm_unreachable("not a new/delete operator"); 620 } 621 } 622 623 if (Filter.CMallocOptimistic || Filter.CMismatchedDeallocatorChecker) { 624 // Check all the attributes, if there are any. 625 // There can be multiple of these attributes. 626 if (FD->hasAttrs()) 627 for (specific_attr_iterator<OwnershipAttr> 628 i = FD->specific_attr_begin<OwnershipAttr>(), 629 e = FD->specific_attr_end<OwnershipAttr>(); 630 i != e; ++i) { 631 switch ((*i)->getOwnKind()) { 632 case OwnershipAttr::Returns: 633 State = MallocMemReturnsAttr(C, CE, *i); 634 break; 635 case OwnershipAttr::Takes: 636 case OwnershipAttr::Holds: 637 State = FreeMemAttr(C, CE, *i); 638 break; 639 } 640 } 641 } 642 C.addTransition(State); 643 } 644 645 void MallocChecker::checkPostStmt(const CXXNewExpr *NE, 646 CheckerContext &C) const { 647 648 if (NE->getNumPlacementArgs()) 649 for (CXXNewExpr::const_arg_iterator I = NE->placement_arg_begin(), 650 E = NE->placement_arg_end(); I != E; ++I) 651 if (SymbolRef Sym = C.getSVal(*I).getAsSymbol()) 652 checkUseAfterFree(Sym, C, *I); 653 654 if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext())) 655 return; 656 657 ProgramStateRef State = C.getState(); 658 // The return value from operator new is bound to a specified initialization 659 // value (if any) and we don't want to loose this value. So we call 660 // MallocUpdateRefState() instead of MallocMemAux() which breakes the 661 // existing binding. 662 State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray 663 : AF_CXXNew); 664 C.addTransition(State); 665 } 666 667 void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, 668 CheckerContext &C) const { 669 670 if (!Filter.CNewDeleteChecker) 671 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) 672 checkUseAfterFree(Sym, C, DE->getArgument()); 673 674 if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) 675 return; 676 677 ProgramStateRef State = C.getState(); 678 bool ReleasedAllocated; 679 State = FreeMemAux(C, DE->getArgument(), DE, State, 680 /*Hold*/false, ReleasedAllocated); 681 682 C.addTransition(State); 683 } 684 685 static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { 686 // If the first selector piece is one of the names below, assume that the 687 // object takes ownership of the memory, promising to eventually deallocate it 688 // with free(). 689 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 690 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.) 691 StringRef FirstSlot = Call.getSelector().getNameForSlot(0); 692 if (FirstSlot == "dataWithBytesNoCopy" || 693 FirstSlot == "initWithBytesNoCopy" || 694 FirstSlot == "initWithCharactersNoCopy") 695 return true; 696 697 return false; 698 } 699 700 static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) { 701 Selector S = Call.getSelector(); 702 703 // FIXME: We should not rely on fully-constrained symbols being folded. 704 for (unsigned i = 1; i < S.getNumArgs(); ++i) 705 if (S.getNameForSlot(i).equals("freeWhenDone")) 706 return !Call.getArgSVal(i).isZeroConstant(); 707 708 return None; 709 } 710 711 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 712 CheckerContext &C) const { 713 if (C.wasInlined) 714 return; 715 716 if (!isKnownDeallocObjCMethodName(Call)) 717 return; 718 719 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call)) 720 if (!*FreeWhenDone) 721 return; 722 723 bool ReleasedAllocatedMemory; 724 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0), 725 Call.getOriginExpr(), C.getState(), 726 /*Hold=*/true, ReleasedAllocatedMemory, 727 /*RetNullOnFailure=*/true); 728 729 C.addTransition(State); 730 } 731 732 ProgramStateRef MallocChecker::MallocMemReturnsAttr(CheckerContext &C, 733 const CallExpr *CE, 734 const OwnershipAttr* Att) { 735 if (Att->getModule() != "malloc") 736 return 0; 737 738 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 739 if (I != E) { 740 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 741 } 742 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 743 } 744 745 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 746 const CallExpr *CE, 747 SVal Size, SVal Init, 748 ProgramStateRef State, 749 AllocationFamily Family) { 750 751 // Bind the return value to the symbolic value from the heap region. 752 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 753 // side effects other than what we model here. 754 unsigned Count = C.blockCount(); 755 SValBuilder &svalBuilder = C.getSValBuilder(); 756 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 757 DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count) 758 .castAs<DefinedSVal>(); 759 State = State->BindExpr(CE, C.getLocationContext(), RetVal); 760 761 // We expect the malloc functions to return a pointer. 762 if (!RetVal.getAs<Loc>()) 763 return 0; 764 765 // Fill the region with the initialization value. 766 State = State->bindDefault(RetVal, Init); 767 768 // Set the region's extent equal to the Size parameter. 769 const SymbolicRegion *R = 770 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 771 if (!R) 772 return 0; 773 if (Optional<DefinedOrUnknownSVal> DefinedSize = 774 Size.getAs<DefinedOrUnknownSVal>()) { 775 SValBuilder &svalBuilder = C.getSValBuilder(); 776 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 777 DefinedOrUnknownSVal extentMatchesSize = 778 svalBuilder.evalEQ(State, Extent, *DefinedSize); 779 780 State = State->assume(extentMatchesSize, true); 781 assert(State); 782 } 783 784 return MallocUpdateRefState(C, CE, State, Family); 785 } 786 787 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 788 const Expr *E, 789 ProgramStateRef State, 790 AllocationFamily Family) { 791 // Get the return value. 792 SVal retVal = State->getSVal(E, C.getLocationContext()); 793 794 // We expect the malloc functions to return a pointer. 795 if (!retVal.getAs<Loc>()) 796 return 0; 797 798 SymbolRef Sym = retVal.getAsLocSymbol(); 799 assert(Sym); 800 801 // Set the symbol's state to Allocated. 802 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); 803 } 804 805 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 806 const CallExpr *CE, 807 const OwnershipAttr* Att) const { 808 if (Att->getModule() != "malloc") 809 return 0; 810 811 ProgramStateRef State = C.getState(); 812 bool ReleasedAllocated = false; 813 814 for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 815 I != E; ++I) { 816 ProgramStateRef StateI = FreeMemAux(C, CE, State, *I, 817 Att->getOwnKind() == OwnershipAttr::Holds, 818 ReleasedAllocated); 819 if (StateI) 820 State = StateI; 821 } 822 return State; 823 } 824 825 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 826 const CallExpr *CE, 827 ProgramStateRef state, 828 unsigned Num, 829 bool Hold, 830 bool &ReleasedAllocated, 831 bool ReturnsNullOnFailure) const { 832 if (CE->getNumArgs() < (Num + 1)) 833 return 0; 834 835 return FreeMemAux(C, CE->getArg(Num), CE, state, Hold, 836 ReleasedAllocated, ReturnsNullOnFailure); 837 } 838 839 /// Checks if the previous call to free on the given symbol failed - if free 840 /// failed, returns true. Also, returns the corresponding return value symbol. 841 static bool didPreviousFreeFail(ProgramStateRef State, 842 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 843 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 844 if (Ret) { 845 assert(*Ret && "We should not store the null return symbol"); 846 ConstraintManager &CMgr = State->getConstraintManager(); 847 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 848 RetStatusSymbol = *Ret; 849 return FreeFailed.isConstrainedTrue(); 850 } 851 return false; 852 } 853 854 AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C, 855 const Stmt *S) const { 856 if (!S) 857 return AF_None; 858 859 if (const CallExpr *CE = dyn_cast<CallExpr>(S)) { 860 const FunctionDecl *FD = C.getCalleeDecl(CE); 861 862 if (!FD) 863 FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl()); 864 865 ASTContext &Ctx = C.getASTContext(); 866 867 if (isAllocationFunction(FD, Ctx) || isFreeFunction(FD, Ctx)) 868 return AF_Malloc; 869 870 if (isStandardNewDelete(FD, Ctx)) { 871 OverloadedOperatorKind Kind = FD->getOverloadedOperator(); 872 if (Kind == OO_New || Kind == OO_Delete) 873 return AF_CXXNew; 874 else if (Kind == OO_Array_New || Kind == OO_Array_Delete) 875 return AF_CXXNewArray; 876 } 877 878 return AF_None; 879 } 880 881 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S)) 882 return NE->isArray() ? AF_CXXNewArray : AF_CXXNew; 883 884 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S)) 885 return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew; 886 887 if (isa<ObjCMessageExpr>(S)) 888 return AF_Malloc; 889 890 return AF_None; 891 } 892 893 bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C, 894 const Expr *E) const { 895 if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { 896 // FIXME: This doesn't handle indirect calls. 897 const FunctionDecl *FD = CE->getDirectCallee(); 898 if (!FD) 899 return false; 900 901 os << *FD; 902 if (!FD->isOverloadedOperator()) 903 os << "()"; 904 return true; 905 } 906 907 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) { 908 if (Msg->isInstanceMessage()) 909 os << "-"; 910 else 911 os << "+"; 912 os << Msg->getSelector().getAsString(); 913 return true; 914 } 915 916 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { 917 os << "'" 918 << getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator()) 919 << "'"; 920 return true; 921 } 922 923 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) { 924 os << "'" 925 << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) 926 << "'"; 927 return true; 928 } 929 930 return false; 931 } 932 933 void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C, 934 const Expr *E) const { 935 AllocationFamily Family = getAllocationFamily(C, E); 936 937 switch(Family) { 938 case AF_Malloc: os << "malloc()"; return; 939 case AF_CXXNew: os << "'new'"; return; 940 case AF_CXXNewArray: os << "'new[]'"; return; 941 case AF_None: llvm_unreachable("not a deallocation expression"); 942 } 943 } 944 945 void MallocChecker::printExpectedDeallocName(raw_ostream &os, 946 AllocationFamily Family) const { 947 switch(Family) { 948 case AF_Malloc: os << "free()"; return; 949 case AF_CXXNew: os << "'delete'"; return; 950 case AF_CXXNewArray: os << "'delete[]'"; return; 951 case AF_None: llvm_unreachable("suspicious AF_None argument"); 952 } 953 } 954 955 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 956 const Expr *ArgExpr, 957 const Expr *ParentExpr, 958 ProgramStateRef State, 959 bool Hold, 960 bool &ReleasedAllocated, 961 bool ReturnsNullOnFailure) const { 962 963 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 964 if (!ArgVal.getAs<DefinedOrUnknownSVal>()) 965 return 0; 966 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); 967 968 // Check for null dereferences. 969 if (!location.getAs<Loc>()) 970 return 0; 971 972 // The explicit NULL case, no operation is performed. 973 ProgramStateRef notNullState, nullState; 974 llvm::tie(notNullState, nullState) = State->assume(location); 975 if (nullState && !notNullState) 976 return 0; 977 978 // Unknown values could easily be okay 979 // Undefined values are handled elsewhere 980 if (ArgVal.isUnknownOrUndef()) 981 return 0; 982 983 const MemRegion *R = ArgVal.getAsRegion(); 984 985 // Nonlocs can't be freed, of course. 986 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 987 if (!R) { 988 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 989 return 0; 990 } 991 992 R = R->StripCasts(); 993 994 // Blocks might show up as heap data, but should not be free()d 995 if (isa<BlockDataRegion>(R)) { 996 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 997 return 0; 998 } 999 1000 const MemSpaceRegion *MS = R->getMemorySpace(); 1001 1002 // Parameters, locals, statics, globals, and memory returned by alloca() 1003 // shouldn't be freed. 1004 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 1005 // FIXME: at the time this code was written, malloc() regions were 1006 // represented by conjured symbols, which are all in UnknownSpaceRegion. 1007 // This means that there isn't actually anything from HeapSpaceRegion 1008 // that should be freed, even though we allow it here. 1009 // Of course, free() can work on memory allocated outside the current 1010 // function, so UnknownSpaceRegion is always a possibility. 1011 // False negatives are better than false positives. 1012 1013 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); 1014 return 0; 1015 } 1016 1017 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); 1018 // Various cases could lead to non-symbol values here. 1019 // For now, ignore them. 1020 if (!SrBase) 1021 return 0; 1022 1023 SymbolRef SymBase = SrBase->getSymbol(); 1024 const RefState *RsBase = State->get<RegionState>(SymBase); 1025 SymbolRef PreviousRetStatusSymbol = 0; 1026 1027 if (RsBase) { 1028 1029 // Check for double free first. 1030 if ((RsBase->isReleased() || RsBase->isRelinquished()) && 1031 !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { 1032 ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), 1033 SymBase, PreviousRetStatusSymbol); 1034 return 0; 1035 1036 // If the pointer is allocated or escaped, but we are now trying to free it, 1037 // check that the call to free is proper. 1038 } else if (RsBase->isAllocated() || RsBase->isEscaped()) { 1039 1040 // Check if an expected deallocation function matches the real one. 1041 bool DeallocMatchesAlloc = 1042 RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr); 1043 if (!DeallocMatchesAlloc) { 1044 ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), 1045 ParentExpr, RsBase, SymBase); 1046 return 0; 1047 } 1048 1049 // Check if the memory location being freed is the actual location 1050 // allocated, or an offset. 1051 RegionOffset Offset = R->getAsOffset(); 1052 if (Offset.isValid() && 1053 !Offset.hasSymbolicOffset() && 1054 Offset.getOffset() != 0) { 1055 const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); 1056 ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, 1057 AllocExpr); 1058 return 0; 1059 } 1060 } 1061 } 1062 1063 ReleasedAllocated = (RsBase != 0); 1064 1065 // Clean out the info on previous call to free return info. 1066 State = State->remove<FreeReturnValue>(SymBase); 1067 1068 // Keep track of the return value. If it is NULL, we will know that free 1069 // failed. 1070 if (ReturnsNullOnFailure) { 1071 SVal RetVal = C.getSVal(ParentExpr); 1072 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 1073 if (RetStatusSymbol) { 1074 C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); 1075 State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); 1076 } 1077 } 1078 1079 AllocationFamily Family = RsBase ? RsBase->getAllocationFamily() 1080 : getAllocationFamily(C, ParentExpr); 1081 // Normal free. 1082 if (Hold) 1083 return State->set<RegionState>(SymBase, 1084 RefState::getRelinquished(Family, 1085 ParentExpr)); 1086 1087 return State->set<RegionState>(SymBase, 1088 RefState::getReleased(Family, ParentExpr)); 1089 } 1090 1091 bool MallocChecker::isTrackedByCurrentChecker(AllocationFamily Family) const { 1092 switch (Family) { 1093 case AF_Malloc: { 1094 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic) 1095 return false; 1096 return true; 1097 } 1098 case AF_CXXNew: 1099 case AF_CXXNewArray: { 1100 if (!Filter.CNewDeleteChecker) 1101 return false; 1102 return true; 1103 } 1104 case AF_None: { 1105 llvm_unreachable("no family"); 1106 } 1107 } 1108 llvm_unreachable("unhandled family"); 1109 } 1110 1111 bool 1112 MallocChecker::isTrackedByCurrentChecker(CheckerContext &C, 1113 const Stmt *AllocDeallocStmt) const { 1114 return isTrackedByCurrentChecker(getAllocationFamily(C, AllocDeallocStmt)); 1115 } 1116 1117 bool MallocChecker::isTrackedByCurrentChecker(CheckerContext &C, 1118 SymbolRef Sym) const { 1119 1120 const RefState *RS = C.getState()->get<RegionState>(Sym); 1121 assert(RS); 1122 return isTrackedByCurrentChecker(RS->getAllocationFamily()); 1123 } 1124 1125 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 1126 if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) 1127 os << "an integer (" << IntVal->getValue() << ")"; 1128 else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) 1129 os << "a constant address (" << ConstAddr->getValue() << ")"; 1130 else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) 1131 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 1132 else 1133 return false; 1134 1135 return true; 1136 } 1137 1138 bool MallocChecker::SummarizeRegion(raw_ostream &os, 1139 const MemRegion *MR) { 1140 switch (MR->getKind()) { 1141 case MemRegion::FunctionTextRegionKind: { 1142 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 1143 if (FD) 1144 os << "the address of the function '" << *FD << '\''; 1145 else 1146 os << "the address of a function"; 1147 return true; 1148 } 1149 case MemRegion::BlockTextRegionKind: 1150 os << "block text"; 1151 return true; 1152 case MemRegion::BlockDataRegionKind: 1153 // FIXME: where the block came from? 1154 os << "a block"; 1155 return true; 1156 default: { 1157 const MemSpaceRegion *MS = MR->getMemorySpace(); 1158 1159 if (isa<StackLocalsSpaceRegion>(MS)) { 1160 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1161 const VarDecl *VD; 1162 if (VR) 1163 VD = VR->getDecl(); 1164 else 1165 VD = NULL; 1166 1167 if (VD) 1168 os << "the address of the local variable '" << VD->getName() << "'"; 1169 else 1170 os << "the address of a local stack variable"; 1171 return true; 1172 } 1173 1174 if (isa<StackArgumentsSpaceRegion>(MS)) { 1175 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1176 const VarDecl *VD; 1177 if (VR) 1178 VD = VR->getDecl(); 1179 else 1180 VD = NULL; 1181 1182 if (VD) 1183 os << "the address of the parameter '" << VD->getName() << "'"; 1184 else 1185 os << "the address of a parameter"; 1186 return true; 1187 } 1188 1189 if (isa<GlobalsSpaceRegion>(MS)) { 1190 const VarRegion *VR = dyn_cast<VarRegion>(MR); 1191 const VarDecl *VD; 1192 if (VR) 1193 VD = VR->getDecl(); 1194 else 1195 VD = NULL; 1196 1197 if (VD) { 1198 if (VD->isStaticLocal()) 1199 os << "the address of the static variable '" << VD->getName() << "'"; 1200 else 1201 os << "the address of the global variable '" << VD->getName() << "'"; 1202 } else 1203 os << "the address of a global variable"; 1204 return true; 1205 } 1206 1207 return false; 1208 } 1209 } 1210 } 1211 1212 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 1213 SourceRange Range, 1214 const Expr *DeallocExpr) const { 1215 1216 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1217 !Filter.CNewDeleteChecker) 1218 return; 1219 1220 if (!isTrackedByCurrentChecker(C, DeallocExpr)) 1221 return; 1222 1223 if (ExplodedNode *N = C.generateSink()) { 1224 if (!BT_BadFree) 1225 BT_BadFree.reset(new BugType("Bad free", "Memory Error")); 1226 1227 SmallString<100> buf; 1228 llvm::raw_svector_ostream os(buf); 1229 1230 const MemRegion *MR = ArgVal.getAsRegion(); 1231 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) 1232 MR = ER->getSuperRegion(); 1233 1234 if (MR && isa<AllocaRegion>(MR)) 1235 os << "Memory allocated by alloca() should not be deallocated"; 1236 else { 1237 os << "Argument to "; 1238 if (!printAllocDeallocName(os, C, DeallocExpr)) 1239 os << "deallocator"; 1240 1241 os << " is "; 1242 bool Summarized = MR ? SummarizeRegion(os, MR) 1243 : SummarizeValue(os, ArgVal); 1244 if (Summarized) 1245 os << ", which is not memory allocated by "; 1246 else 1247 os << "not memory allocated by "; 1248 1249 printExpectedAllocName(os, C, DeallocExpr); 1250 } 1251 1252 BugReport *R = new BugReport(*BT_BadFree, os.str(), N); 1253 R->markInteresting(MR); 1254 R->addRange(Range); 1255 C.emitReport(R); 1256 } 1257 } 1258 1259 void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, 1260 SourceRange Range, 1261 const Expr *DeallocExpr, 1262 const RefState *RS, 1263 SymbolRef Sym) const { 1264 1265 if (!Filter.CMismatchedDeallocatorChecker) 1266 return; 1267 1268 if (ExplodedNode *N = C.generateSink()) { 1269 if (!BT_MismatchedDealloc) 1270 BT_MismatchedDealloc.reset(new BugType("Bad deallocator", 1271 "Memory Error")); 1272 1273 SmallString<100> buf; 1274 llvm::raw_svector_ostream os(buf); 1275 1276 const Expr *AllocExpr = cast<Expr>(RS->getStmt()); 1277 SmallString<20> AllocBuf; 1278 llvm::raw_svector_ostream AllocOs(AllocBuf); 1279 SmallString<20> DeallocBuf; 1280 llvm::raw_svector_ostream DeallocOs(DeallocBuf); 1281 1282 os << "Memory"; 1283 if (printAllocDeallocName(AllocOs, C, AllocExpr)) 1284 os << " allocated by " << AllocOs.str(); 1285 1286 os << " should be deallocated by "; 1287 printExpectedDeallocName(os, RS->getAllocationFamily()); 1288 1289 if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) 1290 os << ", not " << DeallocOs.str(); 1291 1292 BugReport *R = new BugReport(*BT_MismatchedDealloc, os.str(), N); 1293 R->markInteresting(Sym); 1294 R->addRange(Range); 1295 R->addVisitor(new MallocBugVisitor(Sym)); 1296 C.emitReport(R); 1297 } 1298 } 1299 1300 void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, 1301 SourceRange Range, const Expr *DeallocExpr, 1302 const Expr *AllocExpr) const { 1303 1304 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1305 !Filter.CNewDeleteChecker) 1306 return; 1307 1308 if (!isTrackedByCurrentChecker(C, AllocExpr)) 1309 return; 1310 1311 ExplodedNode *N = C.generateSink(); 1312 if (N == NULL) 1313 return; 1314 1315 if (!BT_OffsetFree) 1316 BT_OffsetFree.reset(new BugType("Offset free", "Memory Error")); 1317 1318 SmallString<100> buf; 1319 llvm::raw_svector_ostream os(buf); 1320 SmallString<20> AllocNameBuf; 1321 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); 1322 1323 const MemRegion *MR = ArgVal.getAsRegion(); 1324 assert(MR && "Only MemRegion based symbols can have offset free errors"); 1325 1326 RegionOffset Offset = MR->getAsOffset(); 1327 assert((Offset.isValid() && 1328 !Offset.hasSymbolicOffset() && 1329 Offset.getOffset() != 0) && 1330 "Only symbols with a valid offset can have offset free errors"); 1331 1332 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); 1333 1334 os << "Argument to "; 1335 if (!printAllocDeallocName(os, C, DeallocExpr)) 1336 os << "deallocator"; 1337 os << " is offset by " 1338 << offsetBytes 1339 << " " 1340 << ((abs(offsetBytes) > 1) ? "bytes" : "byte") 1341 << " from the start of "; 1342 if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) 1343 os << "memory allocated by " << AllocNameOs.str(); 1344 else 1345 os << "allocated memory"; 1346 1347 BugReport *R = new BugReport(*BT_OffsetFree, os.str(), N); 1348 R->markInteresting(MR->getBaseRegion()); 1349 R->addRange(Range); 1350 C.emitReport(R); 1351 } 1352 1353 void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, 1354 SymbolRef Sym) const { 1355 1356 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1357 !Filter.CNewDeleteChecker) 1358 return; 1359 1360 if (!isTrackedByCurrentChecker(C, Sym)) 1361 return; 1362 1363 if (ExplodedNode *N = C.generateSink()) { 1364 if (!BT_UseFree) 1365 BT_UseFree.reset(new BugType("Use-after-free", "Memory Error")); 1366 1367 BugReport *R = new BugReport(*BT_UseFree, 1368 "Use of memory after it is freed", N); 1369 1370 R->markInteresting(Sym); 1371 R->addRange(Range); 1372 R->addVisitor(new MallocBugVisitor(Sym)); 1373 C.emitReport(R); 1374 } 1375 } 1376 1377 void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, 1378 bool Released, SymbolRef Sym, 1379 SymbolRef PrevSym) const { 1380 1381 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1382 !Filter.CNewDeleteChecker) 1383 return; 1384 1385 if (!isTrackedByCurrentChecker(C, Sym)) 1386 return; 1387 1388 if (ExplodedNode *N = C.generateSink()) { 1389 if (!BT_DoubleFree) 1390 BT_DoubleFree.reset(new BugType("Double free", "Memory Error")); 1391 1392 BugReport *R = new BugReport(*BT_DoubleFree, 1393 (Released ? "Attempt to free released memory" 1394 : "Attempt to free non-owned memory"), 1395 N); 1396 R->addRange(Range); 1397 R->markInteresting(Sym); 1398 if (PrevSym) 1399 R->markInteresting(PrevSym); 1400 R->addVisitor(new MallocBugVisitor(Sym)); 1401 C.emitReport(R); 1402 } 1403 } 1404 1405 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 1406 const CallExpr *CE, 1407 bool FreesOnFail) const { 1408 if (CE->getNumArgs() < 2) 1409 return 0; 1410 1411 ProgramStateRef state = C.getState(); 1412 const Expr *arg0Expr = CE->getArg(0); 1413 const LocationContext *LCtx = C.getLocationContext(); 1414 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 1415 if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) 1416 return 0; 1417 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); 1418 1419 SValBuilder &svalBuilder = C.getSValBuilder(); 1420 1421 DefinedOrUnknownSVal PtrEQ = 1422 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 1423 1424 // Get the size argument. If there is no size arg then give up. 1425 const Expr *Arg1 = CE->getArg(1); 1426 if (!Arg1) 1427 return 0; 1428 1429 // Get the value of the size argument. 1430 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 1431 if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) 1432 return 0; 1433 DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); 1434 1435 // Compare the size argument to 0. 1436 DefinedOrUnknownSVal SizeZero = 1437 svalBuilder.evalEQ(state, Arg1Val, 1438 svalBuilder.makeIntValWithPtrWidth(0, false)); 1439 1440 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 1441 llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 1442 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 1443 llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 1444 // We only assume exceptional states if they are definitely true; if the 1445 // state is under-constrained, assume regular realloc behavior. 1446 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 1447 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 1448 1449 // If the ptr is NULL and the size is not 0, the call is equivalent to 1450 // malloc(size). 1451 if ( PrtIsNull && !SizeIsZero) { 1452 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 1453 UndefinedVal(), StatePtrIsNull); 1454 return stateMalloc; 1455 } 1456 1457 if (PrtIsNull && SizeIsZero) 1458 return 0; 1459 1460 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 1461 assert(!PrtIsNull); 1462 SymbolRef FromPtr = arg0Val.getAsSymbol(); 1463 SVal RetVal = state->getSVal(CE, LCtx); 1464 SymbolRef ToPtr = RetVal.getAsSymbol(); 1465 if (!FromPtr || !ToPtr) 1466 return 0; 1467 1468 bool ReleasedAllocated = false; 1469 1470 // If the size is 0, free the memory. 1471 if (SizeIsZero) 1472 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 1473 false, ReleasedAllocated)){ 1474 // The semantics of the return value are: 1475 // If size was equal to 0, either NULL or a pointer suitable to be passed 1476 // to free() is returned. We just free the input pointer and do not add 1477 // any constrains on the output pointer. 1478 return stateFree; 1479 } 1480 1481 // Default behavior. 1482 if (ProgramStateRef stateFree = 1483 FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) { 1484 1485 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 1486 UnknownVal(), stateFree); 1487 if (!stateRealloc) 1488 return 0; 1489 1490 ReallocPairKind Kind = RPToBeFreedAfterFailure; 1491 if (FreesOnFail) 1492 Kind = RPIsFreeOnFailure; 1493 else if (!ReleasedAllocated) 1494 Kind = RPDoNotTrackAfterFailure; 1495 1496 // Record the info about the reallocated symbol so that we could properly 1497 // process failed reallocation. 1498 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 1499 ReallocPair(FromPtr, Kind)); 1500 // The reallocated symbol should stay alive for as long as the new symbol. 1501 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 1502 return stateRealloc; 1503 } 1504 return 0; 1505 } 1506 1507 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 1508 if (CE->getNumArgs() < 2) 1509 return 0; 1510 1511 ProgramStateRef state = C.getState(); 1512 SValBuilder &svalBuilder = C.getSValBuilder(); 1513 const LocationContext *LCtx = C.getLocationContext(); 1514 SVal count = state->getSVal(CE->getArg(0), LCtx); 1515 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 1516 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 1517 svalBuilder.getContext().getSizeType()); 1518 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1519 1520 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 1521 } 1522 1523 LeakInfo 1524 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 1525 CheckerContext &C) const { 1526 const LocationContext *LeakContext = N->getLocationContext(); 1527 // Walk the ExplodedGraph backwards and find the first node that referred to 1528 // the tracked symbol. 1529 const ExplodedNode *AllocNode = N; 1530 const MemRegion *ReferenceRegion = 0; 1531 1532 while (N) { 1533 ProgramStateRef State = N->getState(); 1534 if (!State->get<RegionState>(Sym)) 1535 break; 1536 1537 // Find the most recent expression bound to the symbol in the current 1538 // context. 1539 if (!ReferenceRegion) { 1540 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 1541 SVal Val = State->getSVal(MR); 1542 if (Val.getAsLocSymbol() == Sym) { 1543 const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>(); 1544 // Do not show local variables belonging to a function other than 1545 // where the error is reported. 1546 if (!VR || 1547 (VR->getStackFrame() == LeakContext->getCurrentStackFrame())) 1548 ReferenceRegion = MR; 1549 } 1550 } 1551 } 1552 1553 // Allocation node, is the last node in the current context in which the 1554 // symbol was tracked. 1555 if (N->getLocationContext() == LeakContext) 1556 AllocNode = N; 1557 N = N->pred_empty() ? NULL : *(N->pred_begin()); 1558 } 1559 1560 return LeakInfo(AllocNode, ReferenceRegion); 1561 } 1562 1563 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1564 CheckerContext &C) const { 1565 1566 if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && 1567 !Filter.CNewDeleteLeaksChecker) 1568 return; 1569 1570 const RefState *RS = C.getState()->get<RegionState>(Sym); 1571 assert(RS && "cannot leak an untracked symbol"); 1572 AllocationFamily Family = RS->getAllocationFamily(); 1573 if (!isTrackedByCurrentChecker(Family)) 1574 return; 1575 1576 // Special case for new and new[]; these are controlled by a separate checker 1577 // flag so that they can be selectively disabled. 1578 if (Family == AF_CXXNew || Family == AF_CXXNewArray) 1579 if (!Filter.CNewDeleteLeaksChecker) 1580 return; 1581 1582 assert(N); 1583 if (!BT_Leak) { 1584 BT_Leak.reset(new BugType("Memory leak", "Memory Error")); 1585 // Leaks should not be reported if they are post-dominated by a sink: 1586 // (1) Sinks are higher importance bugs. 1587 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1588 // with __noreturn functions such as assert() or exit(). We choose not 1589 // to report leaks on such paths. 1590 BT_Leak->setSuppressOnSink(true); 1591 } 1592 1593 // Most bug reports are cached at the location where they occurred. 1594 // With leaks, we want to unique them by the location where they were 1595 // allocated, and only report a single path. 1596 PathDiagnosticLocation LocUsedForUniqueing; 1597 const ExplodedNode *AllocNode = 0; 1598 const MemRegion *Region = 0; 1599 llvm::tie(AllocNode, Region) = getAllocationSite(N, Sym, C); 1600 1601 ProgramPoint P = AllocNode->getLocation(); 1602 const Stmt *AllocationStmt = 0; 1603 if (Optional<CallExitEnd> Exit = P.getAs<CallExitEnd>()) 1604 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1605 else if (Optional<StmtPoint> SP = P.getAs<StmtPoint>()) 1606 AllocationStmt = SP->getStmt(); 1607 if (AllocationStmt) 1608 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt, 1609 C.getSourceManager(), 1610 AllocNode->getLocationContext()); 1611 1612 SmallString<200> buf; 1613 llvm::raw_svector_ostream os(buf); 1614 if (Region && Region->canPrintPretty()) { 1615 os << "Potential leak of memory pointed to by "; 1616 Region->printPretty(os); 1617 } else { 1618 os << "Potential memory leak"; 1619 } 1620 1621 BugReport *R = new BugReport(*BT_Leak, os.str(), N, 1622 LocUsedForUniqueing, 1623 AllocNode->getLocationContext()->getDecl()); 1624 R->markInteresting(Sym); 1625 R->addVisitor(new MallocBugVisitor(Sym, true)); 1626 C.emitReport(R); 1627 } 1628 1629 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1630 CheckerContext &C) const 1631 { 1632 if (!SymReaper.hasDeadSymbols()) 1633 return; 1634 1635 ProgramStateRef state = C.getState(); 1636 RegionStateTy RS = state->get<RegionState>(); 1637 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1638 1639 SmallVector<SymbolRef, 2> Errors; 1640 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1641 if (SymReaper.isDead(I->first)) { 1642 if (I->second.isAllocated()) 1643 Errors.push_back(I->first); 1644 // Remove the dead symbol from the map. 1645 RS = F.remove(RS, I->first); 1646 1647 } 1648 } 1649 1650 // Cleanup the Realloc Pairs Map. 1651 ReallocPairsTy RP = state->get<ReallocPairs>(); 1652 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1653 if (SymReaper.isDead(I->first) || 1654 SymReaper.isDead(I->second.ReallocatedSym)) { 1655 state = state->remove<ReallocPairs>(I->first); 1656 } 1657 } 1658 1659 // Cleanup the FreeReturnValue Map. 1660 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 1661 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 1662 if (SymReaper.isDead(I->first) || 1663 SymReaper.isDead(I->second)) { 1664 state = state->remove<FreeReturnValue>(I->first); 1665 } 1666 } 1667 1668 // Generate leak node. 1669 ExplodedNode *N = C.getPredecessor(); 1670 if (!Errors.empty()) { 1671 static SimpleProgramPointTag Tag("MallocChecker : DeadSymbolsLeak"); 1672 N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 1673 for (SmallVectorImpl<SymbolRef>::iterator 1674 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 1675 reportLeak(*I, N, C); 1676 } 1677 } 1678 1679 C.addTransition(state->set<RegionState>(RS), N); 1680 } 1681 1682 void MallocChecker::checkPreCall(const CallEvent &Call, 1683 CheckerContext &C) const { 1684 1685 // We will check for double free in the post visit. 1686 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { 1687 const FunctionDecl *FD = FC->getDecl(); 1688 if (!FD) 1689 return; 1690 1691 if ((Filter.CMallocOptimistic || Filter.CMallocPessimistic) && 1692 isFreeFunction(FD, C.getASTContext())) 1693 return; 1694 1695 if (Filter.CNewDeleteChecker && 1696 isStandardNewDelete(FD, C.getASTContext())) 1697 return; 1698 } 1699 1700 // Check if the callee of a method is deleted. 1701 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { 1702 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); 1703 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) 1704 return; 1705 } 1706 1707 // Check arguments for being used after free. 1708 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { 1709 SVal ArgSVal = Call.getArgSVal(I); 1710 if (ArgSVal.getAs<Loc>()) { 1711 SymbolRef Sym = ArgSVal.getAsSymbol(); 1712 if (!Sym) 1713 continue; 1714 if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) 1715 return; 1716 } 1717 } 1718 } 1719 1720 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 1721 const Expr *E = S->getRetValue(); 1722 if (!E) 1723 return; 1724 1725 // Check if we are returning a symbol. 1726 ProgramStateRef State = C.getState(); 1727 SVal RetVal = State->getSVal(E, C.getLocationContext()); 1728 SymbolRef Sym = RetVal.getAsSymbol(); 1729 if (!Sym) 1730 // If we are returning a field of the allocated struct or an array element, 1731 // the callee could still free the memory. 1732 // TODO: This logic should be a part of generic symbol escape callback. 1733 if (const MemRegion *MR = RetVal.getAsRegion()) 1734 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 1735 if (const SymbolicRegion *BMR = 1736 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 1737 Sym = BMR->getSymbol(); 1738 1739 // Check if we are returning freed memory. 1740 if (Sym) 1741 checkUseAfterFree(Sym, C, E); 1742 } 1743 1744 // TODO: Blocks should be either inlined or should call invalidate regions 1745 // upon invocation. After that's in place, special casing here will not be 1746 // needed. 1747 void MallocChecker::checkPostStmt(const BlockExpr *BE, 1748 CheckerContext &C) const { 1749 1750 // Scan the BlockDecRefExprs for any object the retain count checker 1751 // may be tracking. 1752 if (!BE->getBlockDecl()->hasCaptures()) 1753 return; 1754 1755 ProgramStateRef state = C.getState(); 1756 const BlockDataRegion *R = 1757 cast<BlockDataRegion>(state->getSVal(BE, 1758 C.getLocationContext()).getAsRegion()); 1759 1760 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 1761 E = R->referenced_vars_end(); 1762 1763 if (I == E) 1764 return; 1765 1766 SmallVector<const MemRegion*, 10> Regions; 1767 const LocationContext *LC = C.getLocationContext(); 1768 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 1769 1770 for ( ; I != E; ++I) { 1771 const VarRegion *VR = I.getCapturedRegion(); 1772 if (VR->getSuperRegion() == R) { 1773 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 1774 } 1775 Regions.push_back(VR); 1776 } 1777 1778 state = 1779 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 1780 Regions.data() + Regions.size()).getState(); 1781 C.addTransition(state); 1782 } 1783 1784 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 1785 assert(Sym); 1786 const RefState *RS = C.getState()->get<RegionState>(Sym); 1787 return (RS && RS->isReleased()); 1788 } 1789 1790 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 1791 const Stmt *S) const { 1792 1793 if (isReleased(Sym, C)) { 1794 ReportUseAfterFree(C, S->getSourceRange(), Sym); 1795 return true; 1796 } 1797 1798 return false; 1799 } 1800 1801 // Check if the location is a freed symbolic region. 1802 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 1803 CheckerContext &C) const { 1804 SymbolRef Sym = l.getLocSymbolInBase(); 1805 if (Sym) 1806 checkUseAfterFree(Sym, C, S); 1807 } 1808 1809 // If a symbolic region is assumed to NULL (or another constant), stop tracking 1810 // it - assuming that allocation failed on this path. 1811 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 1812 SVal Cond, 1813 bool Assumption) const { 1814 RegionStateTy RS = state->get<RegionState>(); 1815 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1816 // If the symbol is assumed to be NULL, remove it from consideration. 1817 ConstraintManager &CMgr = state->getConstraintManager(); 1818 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1819 if (AllocFailed.isConstrainedTrue()) 1820 state = state->remove<RegionState>(I.getKey()); 1821 } 1822 1823 // Realloc returns 0 when reallocation fails, which means that we should 1824 // restore the state of the pointer being reallocated. 1825 ReallocPairsTy RP = state->get<ReallocPairs>(); 1826 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1827 // If the symbol is assumed to be NULL, remove it from consideration. 1828 ConstraintManager &CMgr = state->getConstraintManager(); 1829 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1830 if (!AllocFailed.isConstrainedTrue()) 1831 continue; 1832 1833 SymbolRef ReallocSym = I.getData().ReallocatedSym; 1834 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 1835 if (RS->isReleased()) { 1836 if (I.getData().Kind == RPToBeFreedAfterFailure) 1837 state = state->set<RegionState>(ReallocSym, 1838 RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt())); 1839 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 1840 state = state->remove<RegionState>(ReallocSym); 1841 else 1842 assert(I.getData().Kind == RPIsFreeOnFailure); 1843 } 1844 } 1845 state = state->remove<ReallocPairs>(I.getKey()); 1846 } 1847 1848 return state; 1849 } 1850 1851 bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly( 1852 const CallEvent *Call, 1853 ProgramStateRef State, 1854 SymbolRef &EscapingSymbol) const { 1855 assert(Call); 1856 EscapingSymbol = 0; 1857 1858 // For now, assume that any C++ call can free memory. 1859 // TODO: If we want to be more optimistic here, we'll need to make sure that 1860 // regions escape to C++ containers. They seem to do that even now, but for 1861 // mysterious reasons. 1862 if (!(isa<FunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 1863 return true; 1864 1865 // Check Objective-C messages by selector name. 1866 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 1867 // If it's not a framework call, or if it takes a callback, assume it 1868 // can free memory. 1869 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 1870 return true; 1871 1872 // If it's a method we know about, handle it explicitly post-call. 1873 // This should happen before the "freeWhenDone" check below. 1874 if (isKnownDeallocObjCMethodName(*Msg)) 1875 return false; 1876 1877 // If there's a "freeWhenDone" parameter, but the method isn't one we know 1878 // about, we can't be sure that the object will use free() to deallocate the 1879 // memory, so we can't model it explicitly. The best we can do is use it to 1880 // decide whether the pointer escapes. 1881 if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg)) 1882 return *FreeWhenDone; 1883 1884 // If the first selector piece ends with "NoCopy", and there is no 1885 // "freeWhenDone" parameter set to zero, we know ownership is being 1886 // transferred. Again, though, we can't be sure that the object will use 1887 // free() to deallocate the memory, so we can't model it explicitly. 1888 StringRef FirstSlot = Msg->getSelector().getNameForSlot(0); 1889 if (FirstSlot.endswith("NoCopy")) 1890 return true; 1891 1892 // If the first selector starts with addPointer, insertPointer, 1893 // or replacePointer, assume we are dealing with NSPointerArray or similar. 1894 // This is similar to C++ containers (vector); we still might want to check 1895 // that the pointers get freed by following the container itself. 1896 if (FirstSlot.startswith("addPointer") || 1897 FirstSlot.startswith("insertPointer") || 1898 FirstSlot.startswith("replacePointer")) { 1899 return true; 1900 } 1901 1902 // We should escape receiver on call to 'init'. This is especially relevant 1903 // to the receiver, as the corresponding symbol is usually not referenced 1904 // after the call. 1905 if (Msg->getMethodFamily() == OMF_init) { 1906 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol(); 1907 return true; 1908 } 1909 1910 // Otherwise, assume that the method does not free memory. 1911 // Most framework methods do not free memory. 1912 return false; 1913 } 1914 1915 // At this point the only thing left to handle is straight function calls. 1916 const FunctionDecl *FD = cast<FunctionCall>(Call)->getDecl(); 1917 if (!FD) 1918 return true; 1919 1920 ASTContext &ASTC = State->getStateManager().getContext(); 1921 1922 // If it's one of the allocation functions we can reason about, we model 1923 // its behavior explicitly. 1924 if (isMemFunction(FD, ASTC)) 1925 return false; 1926 1927 // If it's not a system call, assume it frees memory. 1928 if (!Call->isInSystemHeader()) 1929 return true; 1930 1931 // White list the system functions whose arguments escape. 1932 const IdentifierInfo *II = FD->getIdentifier(); 1933 if (!II) 1934 return true; 1935 StringRef FName = II->getName(); 1936 1937 // White list the 'XXXNoCopy' CoreFoundation functions. 1938 // We specifically check these before 1939 if (FName.endswith("NoCopy")) { 1940 // Look for the deallocator argument. We know that the memory ownership 1941 // is not transferred only if the deallocator argument is 1942 // 'kCFAllocatorNull'. 1943 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 1944 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 1945 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 1946 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 1947 if (DeallocatorName == "kCFAllocatorNull") 1948 return false; 1949 } 1950 } 1951 return true; 1952 } 1953 1954 // Associating streams with malloced buffers. The pointer can escape if 1955 // 'closefn' is specified (and if that function does free memory), 1956 // but it will not if closefn is not specified. 1957 // Currently, we do not inspect the 'closefn' function (PR12101). 1958 if (FName == "funopen") 1959 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 1960 return false; 1961 1962 // Do not warn on pointers passed to 'setbuf' when used with std streams, 1963 // these leaks might be intentional when setting the buffer for stdio. 1964 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 1965 if (FName == "setbuf" || FName =="setbuffer" || 1966 FName == "setlinebuf" || FName == "setvbuf") { 1967 if (Call->getNumArgs() >= 1) { 1968 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 1969 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 1970 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 1971 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 1972 return true; 1973 } 1974 } 1975 1976 // A bunch of other functions which either take ownership of a pointer or 1977 // wrap the result up in a struct or object, meaning it can be freed later. 1978 // (See RetainCountChecker.) Not all the parameters here are invalidated, 1979 // but the Malloc checker cannot differentiate between them. The right way 1980 // of doing this would be to implement a pointer escapes callback. 1981 if (FName == "CGBitmapContextCreate" || 1982 FName == "CGBitmapContextCreateWithData" || 1983 FName == "CVPixelBufferCreateWithBytes" || 1984 FName == "CVPixelBufferCreateWithPlanarBytes" || 1985 FName == "OSAtomicEnqueue") { 1986 return true; 1987 } 1988 1989 // Handle cases where we know a buffer's /address/ can escape. 1990 // Note that the above checks handle some special cases where we know that 1991 // even though the address escapes, it's still our responsibility to free the 1992 // buffer. 1993 if (Call->argumentsMayEscape()) 1994 return true; 1995 1996 // Otherwise, assume that the function does not free memory. 1997 // Most system calls do not free the memory. 1998 return false; 1999 } 2000 2001 static bool retTrue(const RefState *RS) { 2002 return true; 2003 } 2004 2005 static bool checkIfNewOrNewArrayFamily(const RefState *RS) { 2006 return (RS->getAllocationFamily() == AF_CXXNewArray || 2007 RS->getAllocationFamily() == AF_CXXNew); 2008 } 2009 2010 ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State, 2011 const InvalidatedSymbols &Escaped, 2012 const CallEvent *Call, 2013 PointerEscapeKind Kind) const { 2014 return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue); 2015 } 2016 2017 ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State, 2018 const InvalidatedSymbols &Escaped, 2019 const CallEvent *Call, 2020 PointerEscapeKind Kind) const { 2021 return checkPointerEscapeAux(State, Escaped, Call, Kind, 2022 &checkIfNewOrNewArrayFamily); 2023 } 2024 2025 ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State, 2026 const InvalidatedSymbols &Escaped, 2027 const CallEvent *Call, 2028 PointerEscapeKind Kind, 2029 bool(*CheckRefState)(const RefState*)) const { 2030 // If we know that the call does not free memory, or we want to process the 2031 // call later, keep tracking the top level arguments. 2032 SymbolRef EscapingSymbol = 0; 2033 if (Kind == PSK_DirectEscapeOnCall && 2034 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State, 2035 EscapingSymbol) && 2036 !EscapingSymbol) { 2037 return State; 2038 } 2039 2040 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 2041 E = Escaped.end(); 2042 I != E; ++I) { 2043 SymbolRef sym = *I; 2044 2045 if (EscapingSymbol && EscapingSymbol != sym) 2046 continue; 2047 2048 if (const RefState *RS = State->get<RegionState>(sym)) { 2049 if (RS->isAllocated() && CheckRefState(RS)) { 2050 State = State->remove<RegionState>(sym); 2051 State = State->set<RegionState>(sym, RefState::getEscaped(RS)); 2052 } 2053 } 2054 } 2055 return State; 2056 } 2057 2058 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 2059 ProgramStateRef prevState) { 2060 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 2061 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 2062 2063 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 2064 I != E; ++I) { 2065 SymbolRef sym = I.getKey(); 2066 if (!currMap.lookup(sym)) 2067 return sym; 2068 } 2069 2070 return NULL; 2071 } 2072 2073 PathDiagnosticPiece * 2074 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 2075 const ExplodedNode *PrevN, 2076 BugReporterContext &BRC, 2077 BugReport &BR) { 2078 ProgramStateRef state = N->getState(); 2079 ProgramStateRef statePrev = PrevN->getState(); 2080 2081 const RefState *RS = state->get<RegionState>(Sym); 2082 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 2083 if (!RS) 2084 return 0; 2085 2086 const Stmt *S = 0; 2087 const char *Msg = 0; 2088 StackHintGeneratorForSymbol *StackHint = 0; 2089 2090 // Retrieve the associated statement. 2091 ProgramPoint ProgLoc = N->getLocation(); 2092 if (Optional<StmtPoint> SP = ProgLoc.getAs<StmtPoint>()) { 2093 S = SP->getStmt(); 2094 } else if (Optional<CallExitEnd> Exit = ProgLoc.getAs<CallExitEnd>()) { 2095 S = Exit->getCalleeContext()->getCallSite(); 2096 } else if (Optional<BlockEdge> Edge = ProgLoc.getAs<BlockEdge>()) { 2097 // If an assumption was made on a branch, it should be caught 2098 // here by looking at the state transition. 2099 S = Edge->getSrc()->getTerminator(); 2100 } 2101 2102 if (!S) 2103 return 0; 2104 2105 // FIXME: We will eventually need to handle non-statement-based events 2106 // (__attribute__((cleanup))). 2107 2108 // Find out if this is an interesting point and what is the kind. 2109 if (Mode == Normal) { 2110 if (isAllocated(RS, RSPrev, S)) { 2111 Msg = "Memory is allocated"; 2112 StackHint = new StackHintGeneratorForSymbol(Sym, 2113 "Returned allocated memory"); 2114 } else if (isReleased(RS, RSPrev, S)) { 2115 Msg = "Memory is released"; 2116 StackHint = new StackHintGeneratorForSymbol(Sym, 2117 "Returning; memory was released"); 2118 } else if (isRelinquished(RS, RSPrev, S)) { 2119 Msg = "Memory ownership is transfered"; 2120 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 2121 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 2122 Mode = ReallocationFailed; 2123 Msg = "Reallocation failed"; 2124 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 2125 "Reallocation failed"); 2126 2127 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 2128 // Is it possible to fail two reallocs WITHOUT testing in between? 2129 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 2130 "We only support one failed realloc at a time."); 2131 BR.markInteresting(sym); 2132 FailedReallocSymbol = sym; 2133 } 2134 } 2135 2136 // We are in a special mode if a reallocation failed later in the path. 2137 } else if (Mode == ReallocationFailed) { 2138 assert(FailedReallocSymbol && "No symbol to look for."); 2139 2140 // Is this is the first appearance of the reallocated symbol? 2141 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 2142 // We're at the reallocation point. 2143 Msg = "Attempt to reallocate memory"; 2144 StackHint = new StackHintGeneratorForSymbol(Sym, 2145 "Returned reallocated memory"); 2146 FailedReallocSymbol = NULL; 2147 Mode = Normal; 2148 } 2149 } 2150 2151 if (!Msg) 2152 return 0; 2153 assert(StackHint); 2154 2155 // Generate the extra diagnostic. 2156 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 2157 N->getLocationContext()); 2158 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 2159 } 2160 2161 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 2162 const char *NL, const char *Sep) const { 2163 2164 RegionStateTy RS = State->get<RegionState>(); 2165 2166 if (!RS.isEmpty()) { 2167 Out << Sep << "MallocChecker:" << NL; 2168 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 2169 I.getKey()->dumpToStream(Out); 2170 Out << " : "; 2171 I.getData().dump(Out); 2172 Out << NL; 2173 } 2174 } 2175 } 2176 2177 void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) { 2178 registerCStringCheckerBasic(mgr); 2179 mgr.registerChecker<MallocChecker>()->Filter.CNewDeleteLeaksChecker = true; 2180 // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete 2181 // checker. 2182 mgr.registerChecker<MallocChecker>()->Filter.CNewDeleteChecker = true; 2183 } 2184 2185 #define REGISTER_CHECKER(name) \ 2186 void ento::register##name(CheckerManager &mgr) {\ 2187 registerCStringCheckerBasic(mgr); \ 2188 mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\ 2189 } 2190 2191 REGISTER_CHECKER(MallocPessimistic) 2192 REGISTER_CHECKER(MallocOptimistic) 2193 REGISTER_CHECKER(NewDeleteChecker) 2194 REGISTER_CHECKER(MismatchedDeallocatorChecker) 2195
