FuchsiaHandleChecker.cpp source code [clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp]

1	//=== FuchsiaHandleChecker.cpp - Find handle leaks/double closes -- C++ ---=//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This checker checks if the handle of Fuchsia is properly used according to
10	// following rules.
11	// - If a handle is acquired, it should be released before execution
12	// ends.
13	// - If a handle is released, it should not be released again.
14	// - If a handle is released, it should not be used for other purposes
15	// such as I/O.
16	//
17	// In this checker, each tracked handle is associated with a state. When the
18	// handle variable is passed to different function calls or syscalls, its state
19	// changes. The state changes can be generally represented by following ASCII
20	// Art:
21	//
22	//
23	// +-------------+ +------------+
24	// acquire_func succeeded \| \| Escape \| \|
25	// +-----------------> Allocated +---------> Escaped <--+
26	// \| \| \| \| \| \|
27	// \| +-----+------++ +------------+ \|
28	// \| \| \| \|
29	// acquire_func \| release_func \| +--+ \|
30	// failed \| \| \| handle +--------+ \|
31	// +---------+ \| \| \| dies \| \| \|
32	// \| \| \| +----v-----+ +---------> Leaked \| \|
33	// \| \| \| \| \| \|(REPORT)\| \|
34	// \| +----------+--+ \| Released \| Escape +--------+ \|
35	// \| \| \| \| +---------------------------+
36	// +--> Not tracked \| +----+---+-+
37	// \| \| \| \| As argument by value
38	// +----------+--+ release_func \| +------+ in function call
39	// \| \| \| or by reference in
40	// \| \| \| use_func call
41	// unowned \| +----v-----+ \| +-----------+
42	// acquire_func \| \| Double \| +-----> Use after \|
43	// succeeded \| \| released \| \| released \|
44	// \| \| (REPORT) \| \| (REPORT) \|
45	// +---------------+ +----------+ +-----------+
46	// \| Allocated \|
47	// \| Unowned \| release_func
48	// \| +---------+
49	// +---------------+ \|
50	// \|
51	// +-----v----------+
52	// \| Release of \|
53	// \| unowned handle \|
54	// \| (REPORT) \|
55	// +----------------+
56	//
57	// acquire_func represents the functions or syscalls that may acquire a handle.
58	// release_func represents the functions or syscalls that may release a handle.
59	// use_func represents the functions or syscall that requires an open handle.
60	//
61	// If a tracked handle dies in "Released" or "Not Tracked" state, we assume it
62	// is properly used. Otherwise a bug and will be reported.
63	//
64	// Note that, the analyzer does not always know for sure if a function failed
65	// or succeeded. In those cases we use the state MaybeAllocated.
66	// Thus, the diagram above captures the intent, not implementation details.
67	//
68	// Due to the fact that the number of handle related syscalls in Fuchsia
69	// is large, we adopt the annotation attributes to descript syscalls'
70	// operations(acquire/release/use) on handles instead of hardcoding
71	// everything in the checker.
72	//
73	// We use following annotation attributes for handle related syscalls or
74	// functions:
75	// 1. __attribute__((acquire_handle("Fuchsia"))) \|handle will be acquired
76	// 2. __attribute__((release_handle("Fuchsia"))) \|handle will be released
77	// 3. __attribute__((use_handle("Fuchsia"))) \|handle will not transit to
78	// escaped state, it also needs to be open.
79	//
80	// For example, an annotated syscall:
81	// zx_status_t zx_channel_create(
82	// uint32_t options,
83	// zx_handle_t out0 __attribute__((acquire_handle("Fuchsia"))) ,*
84	// zx_handle_t out1 __attribute__((acquire_handle("Fuchsia"))));*
85	// denotes a syscall which will acquire two handles and save them to 'out0' and
86	// 'out1' when succeeded.
87	//
88	//===----------------------------------------------------------------------===//
89
90	#include "clang/AST/Attr.h"
91	#include "clang/AST/Decl.h"
92	#include "clang/AST/Type.h"
93	#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
94	#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
95	#include "clang/StaticAnalyzer/Core/Checker.h"
96	#include "clang/StaticAnalyzer/Core/CheckerManager.h"
97	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
98	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
99	#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
100	#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
101	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
102	#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
103	#include "llvm/ADT/StringExtras.h"
104	#include <optional>
105
106	using namespace clang;
107	using namespace ento;
108
109	namespace {
110
111	static const StringRef HandleTypeName = "zx_handle_t";
112	static const StringRef ErrorTypeName = "zx_status_t";
113
114	class HandleState {
115	private:
116	enum class Kind { MaybeAllocated, Allocated, Released, Escaped, Unowned } K;
117	SymbolRef ErrorSym;
118	HandleState(Kind K, SymbolRef ErrorSym) : K(K), ErrorSym(ErrorSym) {}
119
120	public:
121	bool operator==(const HandleState &Other) const {
122	return K == Other.K && ErrorSym == Other.ErrorSym;
123	}
124	bool isAllocated() const { return K == Kind::Allocated; }
125	bool maybeAllocated() const { return K == Kind::MaybeAllocated; }
126	bool isReleased() const { return K == Kind::Released; }
127	bool isEscaped() const { return K == Kind::Escaped; }
128	bool isUnowned() const { return K == Kind::Unowned; }
129
130	static HandleState getMaybeAllocated(SymbolRef ErrorSym) {
131	return HandleState (Kind::MaybeAllocated, ErrorSym);
132	}
133	static HandleState getAllocated(ProgramStateRef State, HandleState S) {
134	assert(S.maybeAllocated());
135	assert(State ->getConstraintManager()
136	.isNull(State, S.getErrorSym())
137	.isConstrained());
138	return HandleState (Kind::Allocated, nullptr);
139	}
140	static HandleState getReleased() {
141	return HandleState (Kind::Released, nullptr);
142	}
143	static HandleState getEscaped() {
144	return HandleState (Kind::Escaped, nullptr);
145	}
146	static HandleState getUnowned() {
147	return HandleState (Kind::Unowned, nullptr);
148	}
149
150	SymbolRef getErrorSym() const { return ErrorSym; }
151
152	void Profile(llvm::FoldingSetNodeID &ID) const {
153	ID.AddInteger(I: static_cast<int>(K));
154	ID.AddPointer(Ptr: ErrorSym);
155	}
156
157	LLVM_DUMP_METHOD void dump(raw_ostream &OS) const {
158	switch (K) {
159	#define CASE(ID) \
160	case ID: \
161	OS << #ID; \
162	break;
163	CASE(Kind::MaybeAllocated)
164	CASE(Kind::Allocated)
165	CASE(Kind::Released)
166	CASE(Kind::Escaped)
167	CASE(Kind::Unowned)
168	}
169	if (ErrorSym) {
170	OS << " ErrorSym: ";
171	ErrorSym->dumpToStream(os&: OS);
172	}
173	}
174
175	LLVM_DUMP_METHOD void dump() const { dump(OS&: llvm::errs()); }
176	};
177
178	template <typename Attr> static bool hasFuchsiaAttr(const Decl *D) {
179	return D->hasAttr<Attr>() && D->getAttr<Attr>()->getHandleType() == "Fuchsia";
180	}
181
182	template <typename Attr> static bool hasFuchsiaUnownedAttr(const Decl *D) {
183	return D->hasAttr<Attr>() &&
184	D->getAttr<Attr>()->getHandleType() == "FuchsiaUnowned";
185	}
186
187	class FuchsiaHandleChecker
188	: public Checker<check::PostCall, check::PreCall, check::DeadSymbols,
189	check::PointerEscape, eval::Assume> {
190	BugType LeakBugType{this, "Fuchsia handle leak", "Fuchsia Handle Error",
191	/SuppressOnSink=/true};
192	BugType DoubleReleaseBugType{this, "Fuchsia handle double release",
193	"Fuchsia Handle Error"};
194	BugType UseAfterReleaseBugType{this, "Fuchsia handle use after release",
195	"Fuchsia Handle Error"};
196	BugType ReleaseUnownedBugType{
197	this, "Fuchsia handle release of unowned handle", "Fuchsia Handle Error"};
198
199	public:
200	void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
201	void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
202	void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
203	ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
204	bool Assumption) const;
205	ProgramStateRef checkPointerEscape(ProgramStateRef State,
206	const InvalidatedSymbols &Escaped,
207	const CallEvent *Call,
208	PointerEscapeKind Kind) const;
209
210	ExplodedNode *reportLeaks(ArrayRef<SymbolRef> LeakedHandles,
211	CheckerContext &C, ExplodedNode Pred) const*;
212
213	void reportDoubleRelease(SymbolRef HandleSym, const SourceRange &Range,
214	CheckerContext &C) const;
215
216	void reportUnownedRelease(SymbolRef HandleSym, const SourceRange &Range,
217	CheckerContext &C) const;
218
219	void reportUseAfterFree(SymbolRef HandleSym, const SourceRange &Range,
220	CheckerContext &C) const;
221
222	void reportBug(SymbolRef Sym, ExplodedNode *ErrorNode, CheckerContext &C,
223	const SourceRange Range, const* BugType &Type,
224	StringRef Msg) const;
225
226	void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
227	const char Sep) const* override;
228	};
229	} // end anonymous namespace
230
231	REGISTER_MAP_WITH_PROGRAMSTATE(HStateMap, SymbolRef, HandleState)
232
233	static const ExplodedNode getAcquireSite(const* ExplodedNode *N, SymbolRef Sym,
234	CheckerContext &Ctx) {
235	ProgramStateRef State = N->getState();
236	// When bug type is handle leak, exploded node N does not have state info for
237	// leaking handle. Get the predecessor of N instead.
238	if (!State ->get<HStateMap>(key: Sym))
239	N = N->getFirstPred();
240
241	const ExplodedNode *Pred = N;
242	while (N) {
243	State = N->getState();
244	if (!State ->get<HStateMap>(key: Sym)) {
245	const HandleState *HState = Pred->getState()->get<HStateMap>(key: Sym);
246	if (HState && (HState->isAllocated() \|\| HState->maybeAllocated()))
247	return N;
248	}
249	Pred = N;
250	N = N->getFirstPred();
251	}
252	return nullptr;
253	}
254
255	namespace {
256	class FuchsiaHandleSymbolVisitor final : public SymbolVisitor {
257	public:
258	bool VisitSymbol(SymbolRef S) override {
259	if (const auto *HandleType = S->getType()->getAs<TypedefType>())
260	if (HandleType->getDecl()->getName() == HandleTypeName)
261	Symbols.push_back(Elt: S);
262	return true;
263	}
264
265	SmallVector<SymbolRef, `1024`> GetSymbols() { return Symbols; }
266
267	private:
268	SmallVector<SymbolRef, `1024`> Symbols;
269	};
270	} // end anonymous namespace
271
272	/// Returns the symbols extracted from the argument or empty vector if it cannot
273	/// be found. It is unlikely to have over 1024 symbols in one argument.
274	static SmallVector<SymbolRef, `1024`>
275	getFuchsiaHandleSymbols(QualType QT, SVal Arg, ProgramStateRef State) {
276	int PtrToHandleLevel = `0`;
277	while (QT ->isAnyPointerType() \|\| QT ->isReferenceType()) {
278	++PtrToHandleLevel;
279	QT = QT ->getPointeeType();
280	}
281	if (QT ->isStructureType()) {
282	// If we see a structure, see if there is any handle referenced by the
283	// structure.
284	FuchsiaHandleSymbolVisitor Visitor;
285	State ->scanReachableSymbols(val: Arg, visitor&: Visitor);
286	return Visitor.GetSymbols();
287	}
288	if (const auto *HandleType = QT ->getAs<TypedefType>()) {
289	if (HandleType->getDecl()->getName() != HandleTypeName)
290	return {};
291	if (PtrToHandleLevel > `1`)
292	// Not supported yet.
293	return {};
294
295	if (PtrToHandleLevel == `0`) {
296	SymbolRef Sym = Arg.getAsSymbol();
297	if (Sym) {
298	return {Sym};
299	} else {
300	return {};
301	}
302	} else {
303	assert(PtrToHandleLevel == `1`);
304	if (std::optional<Loc> ArgLoc = Arg.getAs<Loc>()) {
305	SymbolRef Sym = State ->getSVal(LV: *ArgLoc).getAsSymbol();
306	if (Sym) {
307	return {Sym};
308	} else {
309	return {};
310	}
311	}
312	}
313	}
314	return {};
315	}
316
317	void FuchsiaHandleChecker::checkPreCall(const CallEvent &Call,
318	CheckerContext &C) const {
319	ProgramStateRef State = C.getState();
320	const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Val: Call.getDecl());
321	if (!FuncDecl) {
322	// Unknown call, escape by value handles. They are not covered by
323	// PointerEscape callback.
324	for (unsigned Arg = `0`; Arg < Call.getNumArgs(); ++Arg) {
325	if (SymbolRef Handle = Call.getArgSVal(Index: Arg).getAsSymbol())
326	State = State ->set<HStateMap>(K: Handle, E: HandleState::getEscaped());
327	}
328	C.addTransition(State);
329	return;
330	}
331
332	for (unsigned Arg = `0`; Arg < Call.getNumArgs(); ++Arg) {
333	if (Arg >= FuncDecl->getNumParams())
334	break;
335	const ParmVarDecl *PVD = FuncDecl->getParamDecl(i: Arg);
336	SmallVector<SymbolRef, `1024`> Handles =
337	getFuchsiaHandleSymbols(PVD->getType(), Call.getArgSVal(Index: Arg), State);
338
339	// Handled in checkPostCall.
340	if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD) \|\|
341	hasFuchsiaAttr<AcquireHandleAttr>(PVD))
342	continue;
343
344	for (SymbolRef Handle : Handles) {
345	const HandleState *HState = State->get<HStateMap>(Handle);
346	if (!HState \|\| HState->isEscaped())
347	continue;
348
349	if (hasFuchsiaAttr<UseHandleAttr>(PVD) \|\|
350	PVD->getType()->isIntegerType()) {
351	if (HState->isReleased()) {
352	reportUseAfterFree(Handle, Call.getArgSourceRange(Arg), C);
353	return;
354	}
355	}
356	}
357	}
358	C.addTransition(State);
359	}
360
361	void FuchsiaHandleChecker::checkPostCall(const CallEvent &Call,
362	CheckerContext &C) const {
363	const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Val: Call.getDecl());
364	if (!FuncDecl)
365	return;
366
367	// If we analyzed the function body, then ignore the annotations.
368	if (C.wasInlined)
369	return;
370
371	ProgramStateRef State = C.getState();
372
373	std::vector<std::function<std::string(BugReport & BR)>> Notes;
374	SymbolRef ResultSymbol = nullptr;
375	if (const auto *TypeDefTy = FuncDecl->getReturnType()->getAs<TypedefType>())
376	if (TypeDefTy->getDecl()->getName() == ErrorTypeName)
377	ResultSymbol = Call.getReturnValue().getAsSymbol();
378
379	// Function returns an open handle.
380	if (hasFuchsiaAttr<AcquireHandleAttr>(FuncDecl)) {
381	SymbolRef RetSym = Call.getReturnValue().getAsSymbol();
382	Notes.push_back(x: [RetSym, FuncDecl](BugReport &BR) -> std::string {
383	auto PathBR = static_cast<PathSensitiveBugReport >(&BR);
384	if (PathBR->getInterestingnessKind(sym: RetSym)) {
385	std::string SBuf;
386	llvm::raw_string_ostream OS(SBuf);
387	OS << "Function '" << FuncDecl->getDeclName()
388	<< "' returns an open handle";
389	return SBuf;
390	} else
391	return "";
392	});
393	State =
394	State ->set<HStateMap>(K: RetSym, E: HandleState::getMaybeAllocated(ErrorSym: nullptr));
395	} else if (hasFuchsiaUnownedAttr<AcquireHandleAttr>(FuncDecl)) {
396	// Function returns an unowned handle
397	SymbolRef RetSym = Call.getReturnValue().getAsSymbol();
398	Notes.push_back(x: [RetSym, FuncDecl](BugReport &BR) -> std::string {
399	auto PathBR = static_cast<PathSensitiveBugReport >(&BR);
400	if (PathBR->getInterestingnessKind(sym: RetSym)) {
401	std::string SBuf;
402	llvm::raw_string_ostream OS(SBuf);
403	OS << "Function '" << FuncDecl->getDeclName()
404	<< "' returns an unowned handle";
405	return SBuf;
406	} else
407	return "";
408	});
409	State = State ->set<HStateMap>(K: RetSym, E: HandleState::getUnowned());
410	}
411
412	for (unsigned Arg = `0`; Arg < Call.getNumArgs(); ++Arg) {
413	if (Arg >= FuncDecl->getNumParams())
414	break;
415	const ParmVarDecl *PVD = FuncDecl->getParamDecl(i: Arg);
416	unsigned ParamDiagIdx = PVD->getFunctionScopeIndex() + `1`;
417	SmallVector<SymbolRef, `1024`> Handles =
418	getFuchsiaHandleSymbols(PVD->getType(), Call.getArgSVal(Index: Arg), State);
419
420	for (SymbolRef Handle : Handles) {
421	const HandleState *HState = State->get<HStateMap>(Handle);
422	if (HState && HState->isEscaped())
423	continue;
424	if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD)) {
425	if (HState && HState->isReleased()) {
426	reportDoubleRelease(Handle, Call.getArgSourceRange(Arg), C);
427	return;
428	} else if (HState && HState->isUnowned()) {
429	reportUnownedRelease(Handle, Call.getArgSourceRange(Arg), C);
430	return;
431	} else {
432	Notes.push_back([Handle, ParamDiagIdx](BugReport &BR) -> std::string {
433	auto PathBR = static_cast<PathSensitiveBugReport >(&BR);
434	if (PathBR->getInterestingnessKind(Handle)) {
435	std::string SBuf;
436	llvm::raw_string_ostream OS(SBuf);
437	OS << "Handle released through " << ParamDiagIdx
438	<< llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
439	return SBuf;
440	} else
441	return "";
442	});
443	State = State->set<HStateMap>(Handle, HandleState::getReleased());
444	}
445	} else if (hasFuchsiaAttr<AcquireHandleAttr>(PVD)) {
446	Notes.push_back([Handle, ParamDiagIdx](BugReport &BR) -> std::string {
447	auto PathBR = static_cast<PathSensitiveBugReport >(&BR);
448	if (PathBR->getInterestingnessKind(Handle)) {
449	std::string SBuf;
450	llvm::raw_string_ostream OS(SBuf);
451	OS << "Handle allocated through " << ParamDiagIdx
452	<< llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
453	return SBuf;
454	} else
455	return "";
456	});
457	State = State->set<HStateMap>(
458	Handle, HandleState::getMaybeAllocated(ResultSymbol));
459	} else if (hasFuchsiaUnownedAttr<AcquireHandleAttr>(PVD)) {
460	Notes.push_back([Handle, ParamDiagIdx](BugReport &BR) -> std::string {
461	auto PathBR = static_cast<PathSensitiveBugReport >(&BR);
462	if (PathBR->getInterestingnessKind(Handle)) {
463	std::string SBuf;
464	llvm::raw_string_ostream OS(SBuf);
465	OS << "Unowned handle allocated through " << ParamDiagIdx
466	<< llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
467	return SBuf;
468	} else
469	return "";
470	});
471	State = State->set<HStateMap>(Handle, HandleState::getUnowned());
472	} else if (!hasFuchsiaAttr<UseHandleAttr>(PVD) &&
473	PVD->getType()->isIntegerType()) {
474	// Working around integer by-value escapes.
475	// The by-value escape would not be captured in checkPointerEscape.
476	// If the function was not analyzed (otherwise wasInlined should be
477	// true) and there is no annotation on the handle, we assume the handle
478	// is escaped.
479	State = State->set<HStateMap>(Handle, HandleState::getEscaped());
480	}
481	}
482	}
483	const NoteTag T = nullptr*;
484	if (!Notes.empty()) {
485	T = C.getNoteTag(Cb: [this, Notes{std::move(Notes)}](
486	PathSensitiveBugReport &BR) -> std::string {
487	if (&BR.getBugType() != &UseAfterReleaseBugType &&
488	&BR.getBugType() != &LeakBugType &&
489	&BR.getBugType() != &DoubleReleaseBugType &&
490	&BR.getBugType() != &ReleaseUnownedBugType)
491	return "";
492	for (auto &Note : Notes) {
493	std::string Text = Note (BR);
494	if (!Text.empty())
495	return Text;
496	}
497	return "";
498	});
499	}
500	C.addTransition(State, Tag: T);
501	}
502
503	void FuchsiaHandleChecker::checkDeadSymbols(SymbolReaper &SymReaper,
504	CheckerContext &C) const {
505	ProgramStateRef State = C.getState();
506	SmallVector<SymbolRef, `2`> LeakedSyms;
507	HStateMapTy TrackedHandles = State ->get<HStateMap>();
508	for (auto &CurItem : TrackedHandles) {
509	SymbolRef ErrorSym = CurItem.second.getErrorSym();
510	// Keeping zombie handle symbols. In case the error symbol is dying later
511	// than the handle symbol we might produce spurious leak warnings (in case
512	// we find out later from the status code that the handle allocation failed
513	// in the first place).
514	if (!SymReaper.isDead(sym: CurItem.first) \|\|
515	(ErrorSym && !SymReaper.isDead(sym: ErrorSym)))
516	continue;
517	if (CurItem.second.isAllocated() \|\| CurItem.second.maybeAllocated())
518	LeakedSyms.push_back(Elt: CurItem.first);
519	State = State ->remove<HStateMap>(K: CurItem.first);
520	}
521
522	ExplodedNode *N = C.getPredecessor();
523	if (!LeakedSyms.empty())
524	N = reportLeaks(LeakedHandles: LeakedSyms, C, Pred: N);
525
526	C.addTransition(State, Pred: N);
527	}
528
529	// Acquiring a handle is not always successful. In Fuchsia most functions
530	// return a status code that determines the status of the handle.
531	// When we split the path based on this status code we know that on one
532	// path we do have the handle and on the other path the acquire failed.
533	// This method helps avoiding false positive leak warnings on paths where
534	// the function failed.
535	// Moreover, when a handle is known to be zero (the invalid handle),
536	// we no longer can follow the symbol on the path, becaue the constant
537	// zero will be used instead of the symbol. We also do not need to release
538	// an invalid handle, so we remove the corresponding symbol from the state.
539	ProgramStateRef FuchsiaHandleChecker::evalAssume(ProgramStateRef State,
540	SVal Cond,
541	bool Assumption) const {
542	// TODO: add notes about successes/fails for APIs.
543	ConstraintManager &Cmr = State ->getConstraintManager();
544	HStateMapTy TrackedHandles = State ->get<HStateMap>();
545	for (auto &CurItem : TrackedHandles) {
546	ConditionTruthVal HandleVal = Cmr.isNull(State, Sym: CurItem.first);
547	if (HandleVal.isConstrainedTrue()) {
548	// The handle is invalid. We can no longer follow the symbol on this path.
549	State = State ->remove<HStateMap>(K: CurItem.first);
550	}
551	SymbolRef ErrorSym = CurItem.second.getErrorSym();
552	if (!ErrorSym)
553	continue;
554	ConditionTruthVal ErrorVal = Cmr.isNull(State, Sym: ErrorSym);
555	if (ErrorVal.isConstrainedTrue()) {
556	// Allocation succeeded.
557	if (CurItem.second.maybeAllocated())
558	State = State ->set<HStateMap>(
559	K: CurItem.first, E: HandleState::getAllocated(State, S: CurItem.second));
560	} else if (ErrorVal.isConstrainedFalse()) {
561	// Allocation failed.
562	if (CurItem.second.maybeAllocated())
563	State = State ->remove<HStateMap>(K: CurItem.first);
564	}
565	}
566	return State;
567	}
568
569	ProgramStateRef FuchsiaHandleChecker::checkPointerEscape(
570	ProgramStateRef State, const InvalidatedSymbols &Escaped,
571	const CallEvent Call, PointerEscapeKind Kind) const* {
572	const FunctionDecl *FuncDecl =
573	Call ? dyn_cast_or_null<FunctionDecl>(Val: Call->getDecl()) : nullptr;
574
575	llvm::DenseSet<SymbolRef> UnEscaped;
576	// Not all calls should escape our symbols.
577	if (FuncDecl &&
578	(Kind == PSK_DirectEscapeOnCall \|\| Kind == PSK_IndirectEscapeOnCall \|\|
579	Kind == PSK_EscapeOutParameters)) {
580	for (unsigned Arg = `0`; Arg < Call->getNumArgs(); ++Arg) {
581	if (Arg >= FuncDecl->getNumParams())
582	break;
583	const ParmVarDecl *PVD = FuncDecl->getParamDecl(i: Arg);
584	SmallVector<SymbolRef, `1024`> Handles =
585	getFuchsiaHandleSymbols(PVD->getType(), Call->getArgSVal(Index: Arg), State);
586	for (SymbolRef Handle : Handles) {
587	if (hasFuchsiaAttr<UseHandleAttr>(PVD) \|\|
588	hasFuchsiaAttr<ReleaseHandleAttr>(PVD)) {
589	UnEscaped.insert(Handle);
590	}
591	}
592	}
593	}
594
595	// For out params, we have to deal with derived symbols. See
596	// MacOSKeychainAPIChecker for details.
597	for (auto I : State ->get<HStateMap>()) {
598	if (Escaped.count(V: I.first) && !UnEscaped.count(V: I.first))
599	State = State ->set<HStateMap>(K: I.first, E: HandleState::getEscaped());
600	if (const auto *SD = dyn_cast<SymbolDerived>(Val: I.first)) {
601	auto ParentSym = SD->getParentSymbol();
602	if (Escaped.count(V: ParentSym))
603	State = State ->set<HStateMap>(K: I.first, E: HandleState::getEscaped());
604	}
605	}
606
607	return State;
608	}
609
610	ExplodedNode *
611	FuchsiaHandleChecker::reportLeaks(ArrayRef<SymbolRef> LeakedHandles,
612	CheckerContext &C, ExplodedNode Pred) const* {
613	ExplodedNode *ErrNode = C.generateNonFatalErrorNode(State: C.getState(), Pred);
614	for (SymbolRef LeakedHandle : LeakedHandles) {
615	reportBug(Sym: LeakedHandle, ErrorNode: ErrNode, C, Range: nullptr, Type: LeakBugType,
616	Msg: "Potential leak of handle");
617	}
618	return ErrNode;
619	}
620
621	void FuchsiaHandleChecker::reportDoubleRelease(SymbolRef HandleSym,
622	const SourceRange &Range,
623	CheckerContext &C) const {
624	ExplodedNode *ErrNode = C.generateErrorNode(State: C.getState());
625	reportBug(Sym: HandleSym, ErrorNode: ErrNode, C, Range: &Range, Type: DoubleReleaseBugType,
626	Msg: "Releasing a previously released handle");
627	}
628
629	void FuchsiaHandleChecker::reportUnownedRelease(SymbolRef HandleSym,
630	const SourceRange &Range,
631	CheckerContext &C) const {
632	ExplodedNode *ErrNode = C.generateErrorNode(State: C.getState());
633	reportBug(Sym: HandleSym, ErrorNode: ErrNode, C, Range: &Range, Type: ReleaseUnownedBugType,
634	Msg: "Releasing an unowned handle");
635	}
636
637	void FuchsiaHandleChecker::reportUseAfterFree(SymbolRef HandleSym,
638	const SourceRange &Range,
639	CheckerContext &C) const {
640	ExplodedNode *ErrNode = C.generateErrorNode(State: C.getState());
641	reportBug(Sym: HandleSym, ErrorNode: ErrNode, C, Range: &Range, Type: UseAfterReleaseBugType,
642	Msg: "Using a previously released handle");
643	}
644
645	void FuchsiaHandleChecker::reportBug(SymbolRef Sym, ExplodedNode *ErrorNode,
646	CheckerContext &C,
647	const SourceRange *Range,
648	const BugType &Type, StringRef Msg) const {
649	if (!ErrorNode)
650	return;
651
652	std::unique_ptr<PathSensitiveBugReport> R;
653	if (Type.isSuppressOnSink()) {
654	const ExplodedNode *AcquireNode = getAcquireSite(N: ErrorNode, Sym, Ctx&: C);
655	if (AcquireNode) {
656	const Stmt *S = AcquireNode->getStmtForDiagnostics();
657	assert(S && "Statement cannot be null.");
658	PathDiagnosticLocation LocUsedForUniqueing =
659	PathDiagnosticLocation::createBegin(
660	S, SM: C.getSourceManager(), LAC: AcquireNode->getLocationContext());
661
662	R = std::make_unique<PathSensitiveBugReport>(
663	args: Type, args&: Msg, args&: ErrorNode, args&: LocUsedForUniqueing,
664	args: AcquireNode->getLocationContext()->getDecl());
665	}
666	}
667	if (!R)
668	R = std::make_unique<PathSensitiveBugReport>(args: Type, args&: Msg, args&: ErrorNode);
669	if (Range)
670	R ->addRange(R: *Range);
671	R ->markInteresting(sym: Sym);
672	C.emitReport(R: std::move(R));
673	}
674
675	void ento::registerFuchsiaHandleChecker(CheckerManager &mgr) {
676	mgr.registerChecker<FuchsiaHandleChecker>();
677	}
678
679	bool ento::shouldRegisterFuchsiaHandleChecker(const CheckerManager &mgr) {
680	return true;
681	}
682
683	void FuchsiaHandleChecker::printState(raw_ostream &Out, ProgramStateRef State,
684	const char NL, const* char Sep) const* {
685
686	HStateMapTy StateMap = State ->get<HStateMap>();
687
688	if (!StateMap.isEmpty()) {
689	Out << Sep << "FuchsiaHandleChecker :" << NL;
690	for (const auto &[Sym, HandleState] : StateMap) {
691	Sym->dumpToStream(os&: Out);
692	Out << " : ";
693	HandleState.dump(OS&: Out);
694	Out << NL;
695	}
696	}
697	}
698

source code of clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp