1//=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines a variety of memory management related checkers, such as
10// leak, double free, and use-after-free.
11//
12// The following checkers are defined here:
13//
14// * MallocChecker
15// Despite its name, it models all sorts of memory allocations and
16// de- or reallocation, including but not limited to malloc, free,
17// relloc, new, delete. It also reports on a variety of memory misuse
18// errors.
19// Many other checkers interact very closely with this checker, in fact,
20// most are merely options to this one. Other checkers may register
21// MallocChecker, but do not enable MallocChecker's reports (more details
22// to follow around its field, ChecksEnabled).
23// It also has a boolean "Optimistic" checker option, which if set to true
24// will cause the checker to model user defined memory management related
25// functions annotated via the attribute ownership_takes, ownership_holds
26// and ownership_returns.
27//
28// * NewDeleteChecker
29// Enables the modeling of new, new[], delete, delete[] in MallocChecker,
30// and checks for related double-free and use-after-free errors.
31//
32// * NewDeleteLeaksChecker
33// Checks for leaks related to new, new[], delete, delete[].
34// Depends on NewDeleteChecker.
35//
36// * MismatchedDeallocatorChecker
37// Enables checking whether memory is deallocated with the correspending
38// allocation function in MallocChecker, such as malloc() allocated
39// regions are only freed by free(), new by delete, new[] by delete[].
40//
41// InnerPointerChecker interacts very closely with MallocChecker, but unlike
42// the above checkers, it has it's own file, hence the many InnerPointerChecker
43// related headers and non-static functions.
44//
45//===----------------------------------------------------------------------===//
46
47#include "AllocationState.h"
48#include "InterCheckerAPI.h"
49#include "clang/AST/Attr.h"
50#include "clang/AST/DeclCXX.h"
51#include "clang/AST/DeclTemplate.h"
52#include "clang/AST/Expr.h"
53#include "clang/AST/ExprCXX.h"
54#include "clang/AST/ParentMap.h"
55#include "clang/ASTMatchers/ASTMatchFinder.h"
56#include "clang/ASTMatchers/ASTMatchers.h"
57#include "clang/Analysis/ProgramPoint.h"
58#include "clang/Basic/LLVM.h"
59#include "clang/Basic/SourceManager.h"
60#include "clang/Basic/TargetInfo.h"
61#include "clang/Lex/Lexer.h"
62#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
63#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
64#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
65#include "clang/StaticAnalyzer/Core/Checker.h"
66#include "clang/StaticAnalyzer/Core/CheckerManager.h"
67#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
68#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
69#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
70#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
71#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
72#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
73#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
74#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
75#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
76#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
77#include "clang/StaticAnalyzer/Core/PathSensitive/StoreRef.h"
78#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
79#include "llvm/ADT/STLExtras.h"
80#include "llvm/ADT/SetOperations.h"
81#include "llvm/ADT/SmallString.h"
82#include "llvm/ADT/StringExtras.h"
83#include "llvm/Support/Casting.h"
84#include "llvm/Support/Compiler.h"
85#include "llvm/Support/ErrorHandling.h"
86#include "llvm/Support/raw_ostream.h"
87#include <climits>
88#include <functional>
89#include <optional>
90#include <utility>
91
92using namespace clang;
93using namespace ento;
94using namespace std::placeholders;
95
96//===----------------------------------------------------------------------===//
97// The types of allocation we're modeling. This is used to check whether a
98// dynamically allocated object is deallocated with the correct function, like
99// not using operator delete on an object created by malloc(), or alloca regions
100// aren't ever deallocated manually.
101//===----------------------------------------------------------------------===//
102
103namespace {
104
105// Used to check correspondence between allocators and deallocators.
106enum AllocationFamily {
107 AF_None,
108 AF_Malloc,
109 AF_CXXNew,
110 AF_CXXNewArray,
111 AF_IfNameIndex,
112 AF_Alloca,
113 AF_InnerBuffer
114};
115
116} // end of anonymous namespace
117
118/// Print names of allocators and deallocators.
119///
120/// \returns true on success.
121static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E);
122
123/// Print expected name of an allocator based on the deallocator's family
124/// derived from the DeallocExpr.
125static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family);
126
127/// Print expected name of a deallocator based on the allocator's
128/// family.
129static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family);
130
131//===----------------------------------------------------------------------===//
132// The state of a symbol, in terms of memory management.
133//===----------------------------------------------------------------------===//
134
135namespace {
136
137class RefState {
138 enum Kind {
139 // Reference to allocated memory.
140 Allocated,
141 // Reference to zero-allocated memory.
142 AllocatedOfSizeZero,
143 // Reference to released/freed memory.
144 Released,
145 // The responsibility for freeing resources has transferred from
146 // this reference. A relinquished symbol should not be freed.
147 Relinquished,
148 // We are no longer guaranteed to have observed all manipulations
149 // of this pointer/memory. For example, it could have been
150 // passed as a parameter to an opaque function.
151 Escaped
152 };
153
154 const Stmt *S;
155
156 Kind K;
157 AllocationFamily Family;
158
159 RefState(Kind k, const Stmt *s, AllocationFamily family)
160 : S(s), K(k), Family(family) {
161 assert(family != AF_None);
162 }
163
164public:
165 bool isAllocated() const { return K == Allocated; }
166 bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
167 bool isReleased() const { return K == Released; }
168 bool isRelinquished() const { return K == Relinquished; }
169 bool isEscaped() const { return K == Escaped; }
170 AllocationFamily getAllocationFamily() const { return Family; }
171 const Stmt *getStmt() const { return S; }
172
173 bool operator==(const RefState &X) const {
174 return K == X.K && S == X.S && Family == X.Family;
175 }
176
177 static RefState getAllocated(AllocationFamily family, const Stmt *s) {
178 return RefState(Allocated, s, family);
179 }
180 static RefState getAllocatedOfSizeZero(const RefState *RS) {
181 return RefState(AllocatedOfSizeZero, RS->getStmt(),
182 RS->getAllocationFamily());
183 }
184 static RefState getReleased(AllocationFamily family, const Stmt *s) {
185 return RefState(Released, s, family);
186 }
187 static RefState getRelinquished(AllocationFamily family, const Stmt *s) {
188 return RefState(Relinquished, s, family);
189 }
190 static RefState getEscaped(const RefState *RS) {
191 return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
192 }
193
194 void Profile(llvm::FoldingSetNodeID &ID) const {
195 ID.AddInteger(I: K);
196 ID.AddPointer(Ptr: S);
197 ID.AddInteger(I: Family);
198 }
199
200 LLVM_DUMP_METHOD void dump(raw_ostream &OS) const {
201 switch (K) {
202#define CASE(ID) case ID: OS << #ID; break;
203 CASE(Allocated)
204 CASE(AllocatedOfSizeZero)
205 CASE(Released)
206 CASE(Relinquished)
207 CASE(Escaped)
208 }
209 }
210
211 LLVM_DUMP_METHOD void dump() const { dump(OS&: llvm::errs()); }
212};
213
214} // end of anonymous namespace
215
216REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
217
218/// Check if the memory associated with this symbol was released.
219static bool isReleased(SymbolRef Sym, CheckerContext &C);
220
221/// Update the RefState to reflect the new memory allocation.
222/// The optional \p RetVal parameter specifies the newly allocated pointer
223/// value; if unspecified, the value of expression \p E is used.
224static ProgramStateRef
225MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
226 AllocationFamily Family,
227 std::optional<SVal> RetVal = std::nullopt);
228
229//===----------------------------------------------------------------------===//
230// The modeling of memory reallocation.
231//
232// The terminology 'toPtr' and 'fromPtr' will be used:
233// toPtr = realloc(fromPtr, 20);
234//===----------------------------------------------------------------------===//
235
236REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
237
238namespace {
239
240/// The state of 'fromPtr' after reallocation is known to have failed.
241enum OwnershipAfterReallocKind {
242 // The symbol needs to be freed (e.g.: realloc)
243 OAR_ToBeFreedAfterFailure,
244 // The symbol has been freed (e.g.: reallocf)
245 OAR_FreeOnFailure,
246 // The symbol doesn't have to freed (e.g.: we aren't sure if, how and where
247 // 'fromPtr' was allocated:
248 // void Haha(int *ptr) {
249 // ptr = realloc(ptr, 67);
250 // // ...
251 // }
252 // ).
253 OAR_DoNotTrackAfterFailure
254};
255
256/// Stores information about the 'fromPtr' symbol after reallocation.
257///
258/// This is important because realloc may fail, and that needs special modeling.
259/// Whether reallocation failed or not will not be known until later, so we'll
260/// store whether upon failure 'fromPtr' will be freed, or needs to be freed
261/// later, etc.
262struct ReallocPair {
263
264 // The 'fromPtr'.
265 SymbolRef ReallocatedSym;
266 OwnershipAfterReallocKind Kind;
267
268 ReallocPair(SymbolRef S, OwnershipAfterReallocKind K)
269 : ReallocatedSym(S), Kind(K) {}
270 void Profile(llvm::FoldingSetNodeID &ID) const {
271 ID.AddInteger(I: Kind);
272 ID.AddPointer(Ptr: ReallocatedSym);
273 }
274 bool operator==(const ReallocPair &X) const {
275 return ReallocatedSym == X.ReallocatedSym &&
276 Kind == X.Kind;
277 }
278};
279
280} // end of anonymous namespace
281
282REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
283
284/// Tells if the callee is one of the builtin new/delete operators, including
285/// placement operators and other standard overloads.
286static bool isStandardNewDelete(const FunctionDecl *FD);
287static bool isStandardNewDelete(const CallEvent &Call) {
288 if (!Call.getDecl() || !isa<FunctionDecl>(Val: Call.getDecl()))
289 return false;
290 return isStandardNewDelete(FD: cast<FunctionDecl>(Val: Call.getDecl()));
291}
292
293//===----------------------------------------------------------------------===//
294// Definition of the MallocChecker class.
295//===----------------------------------------------------------------------===//
296
297namespace {
298
299class MallocChecker
300 : public Checker<check::DeadSymbols, check::PointerEscape,
301 check::ConstPointerEscape, check::PreStmt<ReturnStmt>,
302 check::EndFunction, check::PreCall, check::PostCall,
303 check::NewAllocator, check::PostStmt<BlockExpr>,
304 check::PostObjCMessage, check::Location, eval::Assume> {
305public:
306 /// In pessimistic mode, the checker assumes that it does not know which
307 /// functions might free the memory.
308 /// In optimistic mode, the checker assumes that all user-defined functions
309 /// which might free a pointer are annotated.
310 bool ShouldIncludeOwnershipAnnotatedFunctions = false;
311
312 bool ShouldRegisterNoOwnershipChangeVisitor = false;
313
314 /// Many checkers are essentially built into this one, so enabling them will
315 /// make MallocChecker perform additional modeling and reporting.
316 enum CheckKind {
317 /// When a subchecker is enabled but MallocChecker isn't, model memory
318 /// management but do not emit warnings emitted with MallocChecker only
319 /// enabled.
320 CK_MallocChecker,
321 CK_NewDeleteChecker,
322 CK_NewDeleteLeaksChecker,
323 CK_MismatchedDeallocatorChecker,
324 CK_InnerPointerChecker,
325 CK_NumCheckKinds
326 };
327
328 using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>;
329
330 bool ChecksEnabled[CK_NumCheckKinds] = {false};
331 CheckerNameRef CheckNames[CK_NumCheckKinds];
332
333 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
334 void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
335 void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const;
336 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
337 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
338 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
339 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
340 void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
341 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
342 bool Assumption) const;
343 void checkLocation(SVal l, bool isLoad, const Stmt *S,
344 CheckerContext &C) const;
345
346 ProgramStateRef checkPointerEscape(ProgramStateRef State,
347 const InvalidatedSymbols &Escaped,
348 const CallEvent *Call,
349 PointerEscapeKind Kind) const;
350 ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
351 const InvalidatedSymbols &Escaped,
352 const CallEvent *Call,
353 PointerEscapeKind Kind) const;
354
355 void printState(raw_ostream &Out, ProgramStateRef State,
356 const char *NL, const char *Sep) const override;
357
358private:
359 mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
360 mutable std::unique_ptr<BugType> BT_DoubleDelete;
361 mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
362 mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
363 mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
364 mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
365 mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
366 mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
367 mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
368
369#define CHECK_FN(NAME) \
370 void NAME(const CallEvent &Call, CheckerContext &C) const;
371
372 CHECK_FN(checkFree)
373 CHECK_FN(checkIfNameIndex)
374 CHECK_FN(checkBasicAlloc)
375 CHECK_FN(checkKernelMalloc)
376 CHECK_FN(checkCalloc)
377 CHECK_FN(checkAlloca)
378 CHECK_FN(checkStrdup)
379 CHECK_FN(checkIfFreeNameIndex)
380 CHECK_FN(checkCXXNewOrCXXDelete)
381 CHECK_FN(checkGMalloc0)
382 CHECK_FN(checkGMemdup)
383 CHECK_FN(checkGMallocN)
384 CHECK_FN(checkGMallocN0)
385 CHECK_FN(preGetdelim)
386 CHECK_FN(checkGetdelim)
387 CHECK_FN(checkReallocN)
388 CHECK_FN(checkOwnershipAttr)
389
390 void checkRealloc(const CallEvent &Call, CheckerContext &C,
391 bool ShouldFreeOnFail) const;
392
393 using CheckFn = std::function<void(const MallocChecker *,
394 const CallEvent &Call, CheckerContext &C)>;
395
396 const CallDescriptionMap<CheckFn> PreFnMap{
397 // NOTE: the following CallDescription also matches the C++ standard
398 // library function std::getline(); the callback will filter it out.
399 {{CDM::CLibrary, {"getline"}, 3}, &MallocChecker::preGetdelim},
400 {{CDM::CLibrary, {"getdelim"}, 4}, &MallocChecker::preGetdelim},
401 };
402
403 const CallDescriptionMap<CheckFn> FreeingMemFnMap{
404 {{CDM::CLibrary, {"free"}, 1}, &MallocChecker::checkFree},
405 {{CDM::CLibrary, {"if_freenameindex"}, 1},
406 &MallocChecker::checkIfFreeNameIndex},
407 {{CDM::CLibrary, {"kfree"}, 1}, &MallocChecker::checkFree},
408 {{CDM::CLibrary, {"g_free"}, 1}, &MallocChecker::checkFree},
409 };
410
411 bool isFreeingCall(const CallEvent &Call) const;
412 static bool isFreeingOwnershipAttrCall(const FunctionDecl *Func);
413
414 friend class NoOwnershipChangeVisitor;
415
416 CallDescriptionMap<CheckFn> AllocatingMemFnMap{
417 {{CDM::CLibrary, {"alloca"}, 1}, &MallocChecker::checkAlloca},
418 {{CDM::CLibrary, {"_alloca"}, 1}, &MallocChecker::checkAlloca},
419 // The line for "alloca" also covers "__builtin_alloca", but the
420 // _with_align variant must be listed separately because it takes an
421 // extra argument:
422 {{CDM::CLibrary, {"__builtin_alloca_with_align"}, 2},
423 &MallocChecker::checkAlloca},
424 {{CDM::CLibrary, {"malloc"}, 1}, &MallocChecker::checkBasicAlloc},
425 {{CDM::CLibrary, {"malloc"}, 3}, &MallocChecker::checkKernelMalloc},
426 {{CDM::CLibrary, {"calloc"}, 2}, &MallocChecker::checkCalloc},
427 {{CDM::CLibrary, {"valloc"}, 1}, &MallocChecker::checkBasicAlloc},
428 {{CDM::CLibrary, {"strndup"}, 2}, &MallocChecker::checkStrdup},
429 {{CDM::CLibrary, {"strdup"}, 1}, &MallocChecker::checkStrdup},
430 {{CDM::CLibrary, {"_strdup"}, 1}, &MallocChecker::checkStrdup},
431 {{CDM::CLibrary, {"kmalloc"}, 2}, &MallocChecker::checkKernelMalloc},
432 {{CDM::CLibrary, {"if_nameindex"}, 1}, &MallocChecker::checkIfNameIndex},
433 {{CDM::CLibrary, {"wcsdup"}, 1}, &MallocChecker::checkStrdup},
434 {{CDM::CLibrary, {"_wcsdup"}, 1}, &MallocChecker::checkStrdup},
435 {{CDM::CLibrary, {"g_malloc"}, 1}, &MallocChecker::checkBasicAlloc},
436 {{CDM::CLibrary, {"g_malloc0"}, 1}, &MallocChecker::checkGMalloc0},
437 {{CDM::CLibrary, {"g_try_malloc"}, 1}, &MallocChecker::checkBasicAlloc},
438 {{CDM::CLibrary, {"g_try_malloc0"}, 1}, &MallocChecker::checkGMalloc0},
439 {{CDM::CLibrary, {"g_memdup"}, 2}, &MallocChecker::checkGMemdup},
440 {{CDM::CLibrary, {"g_malloc_n"}, 2}, &MallocChecker::checkGMallocN},
441 {{CDM::CLibrary, {"g_malloc0_n"}, 2}, &MallocChecker::checkGMallocN0},
442 {{CDM::CLibrary, {"g_try_malloc_n"}, 2}, &MallocChecker::checkGMallocN},
443 {{CDM::CLibrary, {"g_try_malloc0_n"}, 2}, &MallocChecker::checkGMallocN0},
444 };
445
446 CallDescriptionMap<CheckFn> ReallocatingMemFnMap{
447 {{CDM::CLibrary, {"realloc"}, 2},
448 std::bind(f: &MallocChecker::checkRealloc, args: _1, args: _2, args: _3, args: false)},
449 {{CDM::CLibrary, {"reallocf"}, 2},
450 std::bind(f: &MallocChecker::checkRealloc, args: _1, args: _2, args: _3, args: true)},
451 {{CDM::CLibrary, {"g_realloc"}, 2},
452 std::bind(f: &MallocChecker::checkRealloc, args: _1, args: _2, args: _3, args: false)},
453 {{CDM::CLibrary, {"g_try_realloc"}, 2},
454 std::bind(f: &MallocChecker::checkRealloc, args: _1, args: _2, args: _3, args: false)},
455 {{CDM::CLibrary, {"g_realloc_n"}, 3}, &MallocChecker::checkReallocN},
456 {{CDM::CLibrary, {"g_try_realloc_n"}, 3}, &MallocChecker::checkReallocN},
457
458 // NOTE: the following CallDescription also matches the C++ standard
459 // library function std::getline(); the callback will filter it out.
460 {{CDM::CLibrary, {"getline"}, 3}, &MallocChecker::checkGetdelim},
461 {{CDM::CLibrary, {"getdelim"}, 4}, &MallocChecker::checkGetdelim},
462 };
463
464 bool isMemCall(const CallEvent &Call) const;
465
466 // TODO: Remove mutable by moving the initializtaion to the registry function.
467 mutable std::optional<uint64_t> KernelZeroFlagVal;
468
469 using KernelZeroSizePtrValueTy = std::optional<int>;
470 /// Store the value of macro called `ZERO_SIZE_PTR`.
471 /// The value is initialized at first use, before first use the outer
472 /// Optional is empty, afterwards it contains another Optional that indicates
473 /// if the macro value could be determined, and if yes the value itself.
474 mutable std::optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue;
475
476 /// Process C++ operator new()'s allocation, which is the part of C++
477 /// new-expression that goes before the constructor.
478 [[nodiscard]] ProgramStateRef
479 processNewAllocation(const CXXAllocatorCall &Call, CheckerContext &C,
480 AllocationFamily Family) const;
481
482 /// Perform a zero-allocation check.
483 ///
484 /// \param [in] Call The expression that allocates memory.
485 /// \param [in] IndexOfSizeArg Index of the argument that specifies the size
486 /// of the memory that needs to be allocated. E.g. for malloc, this would be
487 /// 0.
488 /// \param [in] RetVal Specifies the newly allocated pointer value;
489 /// if unspecified, the value of expression \p E is used.
490 [[nodiscard]] static ProgramStateRef
491 ProcessZeroAllocCheck(const CallEvent &Call, const unsigned IndexOfSizeArg,
492 ProgramStateRef State,
493 std::optional<SVal> RetVal = std::nullopt);
494
495 /// Model functions with the ownership_returns attribute.
496 ///
497 /// User-defined function may have the ownership_returns attribute, which
498 /// annotates that the function returns with an object that was allocated on
499 /// the heap, and passes the ownertship to the callee.
500 ///
501 /// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t);
502 ///
503 /// It has two parameters:
504 /// - first: name of the resource (e.g. 'malloc')
505 /// - (OPTIONAL) second: size of the allocated region
506 ///
507 /// \param [in] Call The expression that allocates memory.
508 /// \param [in] Att The ownership_returns attribute.
509 /// \param [in] State The \c ProgramState right before allocation.
510 /// \returns The ProgramState right after allocation.
511 [[nodiscard]] ProgramStateRef
512 MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
513 const OwnershipAttr *Att, ProgramStateRef State) const;
514
515 /// Models memory allocation.
516 ///
517 /// \param [in] Call The expression that allocates memory.
518 /// \param [in] SizeEx Size of the memory that needs to be allocated.
519 /// \param [in] Init The value the allocated memory needs to be initialized.
520 /// with. For example, \c calloc initializes the allocated memory to 0,
521 /// malloc leaves it undefined.
522 /// \param [in] State The \c ProgramState right before allocation.
523 /// \returns The ProgramState right after allocation.
524 [[nodiscard]] static ProgramStateRef
525 MallocMemAux(CheckerContext &C, const CallEvent &Call, const Expr *SizeEx,
526 SVal Init, ProgramStateRef State, AllocationFamily Family);
527
528 /// Models memory allocation.
529 ///
530 /// \param [in] Call The expression that allocates memory.
531 /// \param [in] Size Size of the memory that needs to be allocated.
532 /// \param [in] Init The value the allocated memory needs to be initialized.
533 /// with. For example, \c calloc initializes the allocated memory to 0,
534 /// malloc leaves it undefined.
535 /// \param [in] State The \c ProgramState right before allocation.
536 /// \returns The ProgramState right after allocation.
537 [[nodiscard]] static ProgramStateRef
538 MallocMemAux(CheckerContext &C, const CallEvent &Call, SVal Size, SVal Init,
539 ProgramStateRef State, AllocationFamily Family);
540
541 // Check if this malloc() for special flags. At present that means M_ZERO or
542 // __GFP_ZERO (in which case, treat it like calloc).
543 [[nodiscard]] std::optional<ProgramStateRef>
544 performKernelMalloc(const CallEvent &Call, CheckerContext &C,
545 const ProgramStateRef &State) const;
546
547 /// Model functions with the ownership_takes and ownership_holds attributes.
548 ///
549 /// User-defined function may have the ownership_takes and/or ownership_holds
550 /// attributes, which annotates that the function frees the memory passed as a
551 /// parameter.
552 ///
553 /// void __attribute((ownership_takes(malloc, 1))) my_free(void *);
554 /// void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
555 ///
556 /// They have two parameters:
557 /// - first: name of the resource (e.g. 'malloc')
558 /// - second: index of the parameter the attribute applies to
559 ///
560 /// \param [in] Call The expression that frees memory.
561 /// \param [in] Att The ownership_takes or ownership_holds attribute.
562 /// \param [in] State The \c ProgramState right before allocation.
563 /// \returns The ProgramState right after deallocation.
564 [[nodiscard]] ProgramStateRef FreeMemAttr(CheckerContext &C,
565 const CallEvent &Call,
566 const OwnershipAttr *Att,
567 ProgramStateRef State) const;
568
569 /// Models memory deallocation.
570 ///
571 /// \param [in] Call The expression that frees memory.
572 /// \param [in] State The \c ProgramState right before allocation.
573 /// \param [in] Num Index of the argument that needs to be freed. This is
574 /// normally 0, but for custom free functions it may be different.
575 /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
576 /// attribute.
577 /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
578 /// to have been allocated, or in other words, the symbol to be freed was
579 /// registered as allocated by this checker. In the following case, \c ptr
580 /// isn't known to be allocated.
581 /// void Haha(int *ptr) {
582 /// ptr = realloc(ptr, 67);
583 /// // ...
584 /// }
585 /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
586 /// we're modeling returns with Null on failure.
587 /// \returns The ProgramState right after deallocation.
588 [[nodiscard]] ProgramStateRef
589 FreeMemAux(CheckerContext &C, const CallEvent &Call, ProgramStateRef State,
590 unsigned Num, bool Hold, bool &IsKnownToBeAllocated,
591 AllocationFamily Family, bool ReturnsNullOnFailure = false) const;
592
593 /// Models memory deallocation.
594 ///
595 /// \param [in] ArgExpr The variable who's pointee needs to be freed.
596 /// \param [in] Call The expression that frees the memory.
597 /// \param [in] State The \c ProgramState right before allocation.
598 /// normally 0, but for custom free functions it may be different.
599 /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
600 /// attribute.
601 /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
602 /// to have been allocated, or in other words, the symbol to be freed was
603 /// registered as allocated by this checker. In the following case, \c ptr
604 /// isn't known to be allocated.
605 /// void Haha(int *ptr) {
606 /// ptr = realloc(ptr, 67);
607 /// // ...
608 /// }
609 /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
610 /// we're modeling returns with Null on failure.
611 /// \param [in] ArgValOpt Optional value to use for the argument instead of
612 /// the one obtained from ArgExpr.
613 /// \returns The ProgramState right after deallocation.
614 [[nodiscard]] ProgramStateRef
615 FreeMemAux(CheckerContext &C, const Expr *ArgExpr, const CallEvent &Call,
616 ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated,
617 AllocationFamily Family, bool ReturnsNullOnFailure = false,
618 std::optional<SVal> ArgValOpt = {}) const;
619
620 // TODO: Needs some refactoring, as all other deallocation modeling
621 // functions are suffering from out parameters and messy code due to how
622 // realloc is handled.
623 //
624 /// Models memory reallocation.
625 ///
626 /// \param [in] Call The expression that reallocated memory
627 /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied
628 /// memory should be freed.
629 /// \param [in] State The \c ProgramState right before reallocation.
630 /// \param [in] SuffixWithN Whether the reallocation function we're modeling
631 /// has an '_n' suffix, such as g_realloc_n.
632 /// \returns The ProgramState right after reallocation.
633 [[nodiscard]] ProgramStateRef
634 ReallocMemAux(CheckerContext &C, const CallEvent &Call, bool ShouldFreeOnFail,
635 ProgramStateRef State, AllocationFamily Family,
636 bool SuffixWithN = false) const;
637
638 /// Evaluates the buffer size that needs to be allocated.
639 ///
640 /// \param [in] Blocks The amount of blocks that needs to be allocated.
641 /// \param [in] BlockBytes The size of a block.
642 /// \returns The symbolic value of \p Blocks * \p BlockBytes.
643 [[nodiscard]] static SVal evalMulForBufferSize(CheckerContext &C,
644 const Expr *Blocks,
645 const Expr *BlockBytes);
646
647 /// Models zero initialized array allocation.
648 ///
649 /// \param [in] Call The expression that reallocated memory
650 /// \param [in] State The \c ProgramState right before reallocation.
651 /// \returns The ProgramState right after allocation.
652 [[nodiscard]] static ProgramStateRef
653 CallocMem(CheckerContext &C, const CallEvent &Call, ProgramStateRef State);
654
655 /// See if deallocation happens in a suspicious context. If so, escape the
656 /// pointers that otherwise would have been deallocated and return true.
657 bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call,
658 CheckerContext &C) const;
659
660 /// If in \p S \p Sym is used, check whether \p Sym was already freed.
661 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
662
663 /// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero
664 /// sized memory region.
665 void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
666 const Stmt *S) const;
667
668 /// If in \p S \p Sym is being freed, check whether \p Sym was already freed.
669 bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
670
671 /// Check if the function is known to free memory, or if it is
672 /// "interesting" and should be modeled explicitly.
673 ///
674 /// \param [out] EscapingSymbol A function might not free memory in general,
675 /// but could be known to free a particular symbol. In this case, false is
676 /// returned and the single escaping symbol is returned through the out
677 /// parameter.
678 ///
679 /// We assume that pointers do not escape through calls to system functions
680 /// not handled by this checker.
681 bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
682 ProgramStateRef State,
683 SymbolRef &EscapingSymbol) const;
684
685 /// Implementation of the checkPointerEscape callbacks.
686 [[nodiscard]] ProgramStateRef
687 checkPointerEscapeAux(ProgramStateRef State,
688 const InvalidatedSymbols &Escaped,
689 const CallEvent *Call, PointerEscapeKind Kind,
690 bool IsConstPointerEscape) const;
691
692 // Implementation of the checkPreStmt and checkEndFunction callbacks.
693 void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
694
695 ///@{
696 /// Tells if a given family/call/symbol is tracked by the current checker.
697 /// Sets CheckKind to the kind of the checker responsible for this
698 /// family/call/symbol.
699 std::optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
700 bool IsALeakCheck = false) const;
701
702 std::optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
703 bool IsALeakCheck = false) const;
704 ///@}
705 static bool SummarizeValue(raw_ostream &os, SVal V);
706 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
707
708 void HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, SourceRange Range,
709 const Expr *DeallocExpr,
710 AllocationFamily Family) const;
711
712 void HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
713 SourceRange Range) const;
714
715 void HandleMismatchedDealloc(CheckerContext &C, SourceRange Range,
716 const Expr *DeallocExpr, const RefState *RS,
717 SymbolRef Sym, bool OwnershipTransferred) const;
718
719 void HandleOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
720 const Expr *DeallocExpr, AllocationFamily Family,
721 const Expr *AllocExpr = nullptr) const;
722
723 void HandleUseAfterFree(CheckerContext &C, SourceRange Range,
724 SymbolRef Sym) const;
725
726 void HandleDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
727 SymbolRef Sym, SymbolRef PrevSym) const;
728
729 void HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
730
731 void HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
732 SymbolRef Sym) const;
733
734 void HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
735 const Expr *FreeExpr,
736 AllocationFamily Family) const;
737
738 /// Find the location of the allocation for Sym on the path leading to the
739 /// exploded node N.
740 static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
741 CheckerContext &C);
742
743 void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
744
745 /// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`.
746 bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
747 SVal ArgVal) const;
748};
749} // end anonymous namespace
750
751//===----------------------------------------------------------------------===//
752// Definition of NoOwnershipChangeVisitor.
753//===----------------------------------------------------------------------===//
754
755namespace {
756class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor {
757 // The symbol whose (lack of) ownership change we are interested in.
758 SymbolRef Sym;
759 const MallocChecker &Checker;
760 using OwnerSet = llvm::SmallPtrSet<const MemRegion *, 8>;
761
762 // Collect which entities point to the allocated memory, and could be
763 // responsible for deallocating it.
764 class OwnershipBindingsHandler : public StoreManager::BindingsHandler {
765 SymbolRef Sym;
766 OwnerSet &Owners;
767
768 public:
769 OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners)
770 : Sym(Sym), Owners(Owners) {}
771
772 bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region,
773 SVal Val) override {
774 if (Val.getAsSymbol() == Sym)
775 Owners.insert(Ptr: Region);
776 return true;
777 }
778
779 LLVM_DUMP_METHOD void dump() const { dumpToStream(out&: llvm::errs()); }
780 LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &out) const {
781 out << "Owners: {\n";
782 for (const MemRegion *Owner : Owners) {
783 out << " ";
784 Owner->dumpToStream(os&: out);
785 out << ",\n";
786 }
787 out << "}\n";
788 }
789 };
790
791protected:
792 OwnerSet getOwnersAtNode(const ExplodedNode *N) {
793 OwnerSet Ret;
794
795 ProgramStateRef State = N->getState();
796 OwnershipBindingsHandler Handler{Sym, Ret};
797 State->getStateManager().getStoreManager().iterBindings(store: State->getStore(),
798 f&: Handler);
799 return Ret;
800 }
801
802 LLVM_DUMP_METHOD static std::string
803 getFunctionName(const ExplodedNode *CallEnterN) {
804 if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(
805 Val: CallEnterN->getLocationAs<CallEnter>()->getCallExpr()))
806 if (const FunctionDecl *FD = CE->getDirectCallee())
807 return FD->getQualifiedNameAsString();
808 return "";
809 }
810
811 /// Syntactically checks whether the callee is a deallocating function. Since
812 /// we have no path-sensitive information on this call (we would need a
813 /// CallEvent instead of a CallExpr for that), its possible that a
814 /// deallocation function was called indirectly through a function pointer,
815 /// but we are not able to tell, so this is a best effort analysis.
816 /// See namespace `memory_passed_to_fn_call_free_through_fn_ptr` in
817 /// clang/test/Analysis/NewDeleteLeaks.cpp.
818 bool isFreeingCallAsWritten(const CallExpr &Call) const {
819 if (Checker.FreeingMemFnMap.lookupAsWritten(Call) ||
820 Checker.ReallocatingMemFnMap.lookupAsWritten(Call))
821 return true;
822
823 if (const auto *Func =
824 llvm::dyn_cast_or_null<FunctionDecl>(Val: Call.getCalleeDecl()))
825 return MallocChecker::isFreeingOwnershipAttrCall(Func);
826
827 return false;
828 }
829
830 /// Heuristically guess whether the callee intended to free memory. This is
831 /// done syntactically, because we are trying to argue about alternative
832 /// paths of execution, and as a consequence we don't have path-sensitive
833 /// information.
834 bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) {
835 using namespace clang::ast_matchers;
836 const FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: Callee);
837
838 // Given that the stack frame was entered, the body should always be
839 // theoretically obtainable. In case of body farms, the synthesized body
840 // is not attached to declaration, thus triggering the '!FD->hasBody()'
841 // branch. That said, would a synthesized body ever intend to handle
842 // ownership? As of today they don't. And if they did, how would we
843 // put notes inside it, given that it doesn't match any source locations?
844 if (!FD || !FD->hasBody())
845 return false;
846
847 auto Matches = match(Matcher: findAll(Matcher: stmt(anyOf(cxxDeleteExpr().bind(ID: "delete"),
848 callExpr().bind(ID: "call")))),
849 Node: *FD->getBody(), Context&: ACtx);
850 for (BoundNodes Match : Matches) {
851 if (Match.getNodeAs<CXXDeleteExpr>(ID: "delete"))
852 return true;
853
854 if (const auto *Call = Match.getNodeAs<CallExpr>(ID: "call"))
855 if (isFreeingCallAsWritten(Call: *Call))
856 return true;
857 }
858 // TODO: Ownership might change with an attempt to store the allocated
859 // memory, not only through deallocation. Check for attempted stores as
860 // well.
861 return false;
862 }
863
864 bool wasModifiedInFunction(const ExplodedNode *CallEnterN,
865 const ExplodedNode *CallExitEndN) override {
866 if (!doesFnIntendToHandleOwnership(
867 Callee: CallExitEndN->getFirstPred()->getLocationContext()->getDecl(),
868 ACtx&: CallExitEndN->getState()->getAnalysisManager().getASTContext()))
869 return true;
870
871 if (CallEnterN->getState()->get<RegionState>(key: Sym) !=
872 CallExitEndN->getState()->get<RegionState>(key: Sym))
873 return true;
874
875 OwnerSet CurrOwners = getOwnersAtNode(N: CallEnterN);
876 OwnerSet ExitOwners = getOwnersAtNode(N: CallExitEndN);
877
878 // Owners in the current set may be purged from the analyzer later on.
879 // If a variable is dead (is not referenced directly or indirectly after
880 // some point), it will be removed from the Store before the end of its
881 // actual lifetime.
882 // This means that if the ownership status didn't change, CurrOwners
883 // must be a superset of, but not necessarily equal to ExitOwners.
884 return !llvm::set_is_subset(S1: ExitOwners, S2: CurrOwners);
885 }
886
887 static PathDiagnosticPieceRef emitNote(const ExplodedNode *N) {
888 PathDiagnosticLocation L = PathDiagnosticLocation::create(
889 P: N->getLocation(),
890 SMng: N->getState()->getStateManager().getContext().getSourceManager());
891 return std::make_shared<PathDiagnosticEventPiece>(
892 args&: L, args: "Returning without deallocating memory or storing the pointer for "
893 "later deallocation");
894 }
895
896 PathDiagnosticPieceRef
897 maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
898 const ObjCMethodCall &Call,
899 const ExplodedNode *N) override {
900 // TODO: Implement.
901 return nullptr;
902 }
903
904 PathDiagnosticPieceRef
905 maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
906 const CXXConstructorCall &Call,
907 const ExplodedNode *N) override {
908 // TODO: Implement.
909 return nullptr;
910 }
911
912 PathDiagnosticPieceRef
913 maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
914 const ExplodedNode *N) override {
915 // TODO: Factor the logic of "what constitutes as an entity being passed
916 // into a function call" out by reusing the code in
917 // NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating
918 // the printing technology in UninitializedObject's FieldChainInfo.
919 ArrayRef<ParmVarDecl *> Parameters = Call.parameters();
920 for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
921 SVal V = Call.getArgSVal(Index: I);
922 if (V.getAsSymbol() == Sym)
923 return emitNote(N);
924 }
925 return nullptr;
926 }
927
928public:
929 NoOwnershipChangeVisitor(SymbolRef Sym, const MallocChecker *Checker)
930 : NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough), Sym(Sym),
931 Checker(*Checker) {}
932
933 void Profile(llvm::FoldingSetNodeID &ID) const override {
934 static int Tag = 0;
935 ID.AddPointer(Ptr: &Tag);
936 ID.AddPointer(Ptr: Sym);
937 }
938};
939
940} // end anonymous namespace
941
942//===----------------------------------------------------------------------===//
943// Definition of MallocBugVisitor.
944//===----------------------------------------------------------------------===//
945
946namespace {
947/// The bug visitor which allows us to print extra diagnostics along the
948/// BugReport path. For example, showing the allocation site of the leaked
949/// region.
950class MallocBugVisitor final : public BugReporterVisitor {
951protected:
952 enum NotificationMode { Normal, ReallocationFailed };
953
954 // The allocated region symbol tracked by the main analysis.
955 SymbolRef Sym;
956
957 // The mode we are in, i.e. what kind of diagnostics will be emitted.
958 NotificationMode Mode;
959
960 // A symbol from when the primary region should have been reallocated.
961 SymbolRef FailedReallocSymbol;
962
963 // A C++ destructor stack frame in which memory was released. Used for
964 // miscellaneous false positive suppression.
965 const StackFrameContext *ReleaseDestructorLC;
966
967 bool IsLeak;
968
969public:
970 MallocBugVisitor(SymbolRef S, bool isLeak = false)
971 : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
972 ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
973
974 static void *getTag() {
975 static int Tag = 0;
976 return &Tag;
977 }
978
979 void Profile(llvm::FoldingSetNodeID &ID) const override {
980 ID.AddPointer(Ptr: getTag());
981 ID.AddPointer(Ptr: Sym);
982 }
983
984 /// Did not track -> allocated. Other state (released) -> allocated.
985 static inline bool isAllocated(const RefState *RSCurr, const RefState *RSPrev,
986 const Stmt *Stmt) {
987 return (isa_and_nonnull<CallExpr, CXXNewExpr>(Val: Stmt) &&
988 (RSCurr &&
989 (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
990 (!RSPrev ||
991 !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
992 }
993
994 /// Did not track -> released. Other state (allocated) -> released.
995 /// The statement associated with the release might be missing.
996 static inline bool isReleased(const RefState *RSCurr, const RefState *RSPrev,
997 const Stmt *Stmt) {
998 bool IsReleased =
999 (RSCurr && RSCurr->isReleased()) && (!RSPrev || !RSPrev->isReleased());
1000 assert(!IsReleased || (isa_and_nonnull<CallExpr, CXXDeleteExpr>(Stmt)) ||
1001 (!Stmt && RSCurr->getAllocationFamily() == AF_InnerBuffer));
1002 return IsReleased;
1003 }
1004
1005 /// Did not track -> relinquished. Other state (allocated) -> relinquished.
1006 static inline bool isRelinquished(const RefState *RSCurr,
1007 const RefState *RSPrev, const Stmt *Stmt) {
1008 return (
1009 isa_and_nonnull<CallExpr, ObjCMessageExpr, ObjCPropertyRefExpr>(Val: Stmt) &&
1010 (RSCurr && RSCurr->isRelinquished()) &&
1011 (!RSPrev || !RSPrev->isRelinquished()));
1012 }
1013
1014 /// If the expression is not a call, and the state change is
1015 /// released -> allocated, it must be the realloc return value
1016 /// check. If we have to handle more cases here, it might be cleaner just
1017 /// to track this extra bit in the state itself.
1018 static inline bool hasReallocFailed(const RefState *RSCurr,
1019 const RefState *RSPrev,
1020 const Stmt *Stmt) {
1021 return ((!isa_and_nonnull<CallExpr>(Val: Stmt)) &&
1022 (RSCurr &&
1023 (RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
1024 (RSPrev &&
1025 !(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
1026 }
1027
1028 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
1029 BugReporterContext &BRC,
1030 PathSensitiveBugReport &BR) override;
1031
1032 PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
1033 const ExplodedNode *EndPathNode,
1034 PathSensitiveBugReport &BR) override {
1035 if (!IsLeak)
1036 return nullptr;
1037
1038 PathDiagnosticLocation L = BR.getLocation();
1039 // Do not add the statement itself as a range in case of leak.
1040 return std::make_shared<PathDiagnosticEventPiece>(args&: L, args: BR.getDescription(),
1041 args: false);
1042 }
1043
1044private:
1045 class StackHintGeneratorForReallocationFailed
1046 : public StackHintGeneratorForSymbol {
1047 public:
1048 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
1049 : StackHintGeneratorForSymbol(S, M) {}
1050
1051 std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) override {
1052 // Printed parameters start at 1, not 0.
1053 ++ArgIndex;
1054
1055 SmallString<200> buf;
1056 llvm::raw_svector_ostream os(buf);
1057
1058 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(Val: ArgIndex)
1059 << " parameter failed";
1060
1061 return std::string(os.str());
1062 }
1063
1064 std::string getMessageForReturn(const CallExpr *CallExpr) override {
1065 return "Reallocation of returned value failed";
1066 }
1067 };
1068};
1069} // end anonymous namespace
1070
1071// A map from the freed symbol to the symbol representing the return value of
1072// the free function.
1073REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)
1074
1075namespace {
1076class StopTrackingCallback final : public SymbolVisitor {
1077 ProgramStateRef state;
1078
1079public:
1080 StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
1081 ProgramStateRef getState() const { return state; }
1082
1083 bool VisitSymbol(SymbolRef sym) override {
1084 state = state->remove<RegionState>(K: sym);
1085 return true;
1086 }
1087};
1088} // end anonymous namespace
1089
1090static bool isStandardNewDelete(const FunctionDecl *FD) {
1091 if (!FD)
1092 return false;
1093
1094 OverloadedOperatorKind Kind = FD->getOverloadedOperator();
1095 if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete &&
1096 Kind != OO_Array_Delete)
1097 return false;
1098
1099 // This is standard if and only if it's not defined in a user file.
1100 SourceLocation L = FD->getLocation();
1101 // If the header for operator delete is not included, it's still defined
1102 // in an invalid source location. Check to make sure we don't crash.
1103 return !L.isValid() ||
1104 FD->getASTContext().getSourceManager().isInSystemHeader(L);
1105}
1106
1107//===----------------------------------------------------------------------===//
1108// Methods of MallocChecker and MallocBugVisitor.
1109//===----------------------------------------------------------------------===//
1110
1111bool MallocChecker::isFreeingOwnershipAttrCall(const FunctionDecl *Func) {
1112 if (Func->hasAttrs()) {
1113 for (const auto *I : Func->specific_attrs<OwnershipAttr>()) {
1114 OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
1115 if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds)
1116 return true;
1117 }
1118 }
1119 return false;
1120}
1121
1122bool MallocChecker::isFreeingCall(const CallEvent &Call) const {
1123 if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call))
1124 return true;
1125
1126 if (const auto *Func = dyn_cast_or_null<FunctionDecl>(Val: Call.getDecl()))
1127 return isFreeingOwnershipAttrCall(Func);
1128
1129 return false;
1130}
1131
1132bool MallocChecker::isMemCall(const CallEvent &Call) const {
1133 if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) ||
1134 ReallocatingMemFnMap.lookup(Call))
1135 return true;
1136
1137 if (!ShouldIncludeOwnershipAnnotatedFunctions)
1138 return false;
1139
1140 const auto *Func = dyn_cast<FunctionDecl>(Val: Call.getDecl());
1141 return Func && Func->hasAttr<OwnershipAttr>();
1142}
1143
1144std::optional<ProgramStateRef>
1145MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
1146 const ProgramStateRef &State) const {
1147 // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
1148 //
1149 // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
1150 //
1151 // One of the possible flags is M_ZERO, which means 'give me back an
1152 // allocation which is already zeroed', like calloc.
1153
1154 // 2-argument kmalloc(), as used in the Linux kernel:
1155 //
1156 // void *kmalloc(size_t size, gfp_t flags);
1157 //
1158 // Has the similar flag value __GFP_ZERO.
1159
1160 // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
1161 // code could be shared.
1162
1163 ASTContext &Ctx = C.getASTContext();
1164 llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
1165
1166 if (!KernelZeroFlagVal) {
1167 switch (OS) {
1168 case llvm::Triple::FreeBSD:
1169 KernelZeroFlagVal = 0x0100;
1170 break;
1171 case llvm::Triple::NetBSD:
1172 KernelZeroFlagVal = 0x0002;
1173 break;
1174 case llvm::Triple::OpenBSD:
1175 KernelZeroFlagVal = 0x0008;
1176 break;
1177 case llvm::Triple::Linux:
1178 // __GFP_ZERO
1179 KernelZeroFlagVal = 0x8000;
1180 break;
1181 default:
1182 // FIXME: We need a more general way of getting the M_ZERO value.
1183 // See also: O_CREAT in UnixAPIChecker.cpp.
1184
1185 // Fall back to normal malloc behavior on platforms where we don't
1186 // know M_ZERO.
1187 return std::nullopt;
1188 }
1189 }
1190
1191 // We treat the last argument as the flags argument, and callers fall-back to
1192 // normal malloc on a None return. This works for the FreeBSD kernel malloc
1193 // as well as Linux kmalloc.
1194 if (Call.getNumArgs() < 2)
1195 return std::nullopt;
1196
1197 const Expr *FlagsEx = Call.getArgExpr(Index: Call.getNumArgs() - 1);
1198 const SVal V = C.getSVal(FlagsEx);
1199 if (!isa<NonLoc>(Val: V)) {
1200 // The case where 'V' can be a location can only be due to a bad header,
1201 // so in this case bail out.
1202 return std::nullopt;
1203 }
1204
1205 NonLoc Flags = V.castAs<NonLoc>();
1206 NonLoc ZeroFlag = C.getSValBuilder()
1207 .makeIntVal(integer: *KernelZeroFlagVal, type: FlagsEx->getType())
1208 .castAs<NonLoc>();
1209 SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(state: State, op: BO_And,
1210 lhs: Flags, rhs: ZeroFlag,
1211 resultTy: FlagsEx->getType());
1212 if (MaskedFlagsUC.isUnknownOrUndef())
1213 return std::nullopt;
1214 DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
1215
1216 // Check if maskedFlags is non-zero.
1217 ProgramStateRef TrueState, FalseState;
1218 std::tie(args&: TrueState, args&: FalseState) = State->assume(Cond: MaskedFlags);
1219
1220 // If M_ZERO is set, treat this like calloc (initialized).
1221 if (TrueState && !FalseState) {
1222 SVal ZeroVal = C.getSValBuilder().makeZeroVal(type: Ctx.CharTy);
1223 return MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: ZeroVal, State: TrueState,
1224 Family: AF_Malloc);
1225 }
1226
1227 return std::nullopt;
1228}
1229
1230SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
1231 const Expr *BlockBytes) {
1232 SValBuilder &SB = C.getSValBuilder();
1233 SVal BlocksVal = C.getSVal(Blocks);
1234 SVal BlockBytesVal = C.getSVal(BlockBytes);
1235 ProgramStateRef State = C.getState();
1236 SVal TotalSize = SB.evalBinOp(state: State, op: BO_Mul, lhs: BlocksVal, rhs: BlockBytesVal,
1237 type: SB.getContext().getSizeType());
1238 return TotalSize;
1239}
1240
1241void MallocChecker::checkBasicAlloc(const CallEvent &Call,
1242 CheckerContext &C) const {
1243 ProgramStateRef State = C.getState();
1244 State = MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: UndefinedVal(), State,
1245 Family: AF_Malloc);
1246 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1247 C.addTransition(State);
1248}
1249
1250void MallocChecker::checkKernelMalloc(const CallEvent &Call,
1251 CheckerContext &C) const {
1252 ProgramStateRef State = C.getState();
1253 std::optional<ProgramStateRef> MaybeState =
1254 performKernelMalloc(Call, C, State);
1255 if (MaybeState)
1256 State = *MaybeState;
1257 else
1258 State = MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: UndefinedVal(), State,
1259 Family: AF_Malloc);
1260 C.addTransition(State);
1261}
1262
1263static bool isStandardRealloc(const CallEvent &Call) {
1264 const FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: Call.getDecl());
1265 assert(FD);
1266 ASTContext &AC = FD->getASTContext();
1267
1268 return FD->getDeclaredReturnType().getDesugaredType(Context: AC) == AC.VoidPtrTy &&
1269 FD->getParamDecl(i: 0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1270 FD->getParamDecl(i: 1)->getType().getDesugaredType(AC) ==
1271 AC.getSizeType();
1272}
1273
1274static bool isGRealloc(const CallEvent &Call) {
1275 const FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: Call.getDecl());
1276 assert(FD);
1277 ASTContext &AC = FD->getASTContext();
1278
1279 return FD->getDeclaredReturnType().getDesugaredType(Context: AC) == AC.VoidPtrTy &&
1280 FD->getParamDecl(i: 0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1281 FD->getParamDecl(i: 1)->getType().getDesugaredType(AC) ==
1282 AC.UnsignedLongTy;
1283}
1284
1285void MallocChecker::checkRealloc(const CallEvent &Call, CheckerContext &C,
1286 bool ShouldFreeOnFail) const {
1287 // Ignore calls to functions whose type does not match the expected type of
1288 // either the standard realloc or g_realloc from GLib.
1289 // FIXME: Should we perform this kind of checking consistently for each
1290 // function? If yes, then perhaps extend the `CallDescription` interface to
1291 // handle this.
1292 if (!isStandardRealloc(Call) && !isGRealloc(Call))
1293 return;
1294
1295 ProgramStateRef State = C.getState();
1296 State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, Family: AF_Malloc);
1297 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1298 C.addTransition(State);
1299}
1300
1301void MallocChecker::checkCalloc(const CallEvent &Call,
1302 CheckerContext &C) const {
1303 ProgramStateRef State = C.getState();
1304 State = CallocMem(C, Call, State);
1305 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1306 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1307 C.addTransition(State);
1308}
1309
1310void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const {
1311 ProgramStateRef State = C.getState();
1312 bool IsKnownToBeAllocatedMemory = false;
1313 if (suppressDeallocationsInSuspiciousContexts(Call, C))
1314 return;
1315 State = FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory,
1316 Family: AF_Malloc);
1317 C.addTransition(State);
1318}
1319
1320void MallocChecker::checkAlloca(const CallEvent &Call,
1321 CheckerContext &C) const {
1322 ProgramStateRef State = C.getState();
1323 State = MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: UndefinedVal(), State,
1324 Family: AF_Alloca);
1325 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1326 C.addTransition(State);
1327}
1328
1329void MallocChecker::checkStrdup(const CallEvent &Call,
1330 CheckerContext &C) const {
1331 ProgramStateRef State = C.getState();
1332 const auto *CE = dyn_cast_or_null<CallExpr>(Val: Call.getOriginExpr());
1333 if (!CE)
1334 return;
1335 State = MallocUpdateRefState(C, CE, State, AF_Malloc);
1336
1337 C.addTransition(State);
1338}
1339
1340void MallocChecker::checkIfNameIndex(const CallEvent &Call,
1341 CheckerContext &C) const {
1342 ProgramStateRef State = C.getState();
1343 // Should we model this differently? We can allocate a fixed number of
1344 // elements with zeros in the last one.
1345 State =
1346 MallocMemAux(C, Call, Size: UnknownVal(), Init: UnknownVal(), State, Family: AF_IfNameIndex);
1347
1348 C.addTransition(State);
1349}
1350
1351void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call,
1352 CheckerContext &C) const {
1353 ProgramStateRef State = C.getState();
1354 bool IsKnownToBeAllocatedMemory = false;
1355 State = FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory,
1356 Family: AF_IfNameIndex);
1357 C.addTransition(State);
1358}
1359
1360void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call,
1361 CheckerContext &C) const {
1362 ProgramStateRef State = C.getState();
1363 bool IsKnownToBeAllocatedMemory = false;
1364 const auto *CE = dyn_cast_or_null<CallExpr>(Val: Call.getOriginExpr());
1365 if (!CE)
1366 return;
1367
1368 assert(isStandardNewDelete(Call));
1369
1370 // Process direct calls to operator new/new[]/delete/delete[] functions
1371 // as distinct from new/new[]/delete/delete[] expressions that are
1372 // processed by the checkPostStmt callbacks for CXXNewExpr and
1373 // CXXDeleteExpr.
1374 const FunctionDecl *FD = C.getCalleeDecl(CE);
1375 switch (FD->getOverloadedOperator()) {
1376 case OO_New:
1377 State =
1378 MallocMemAux(C, Call, SizeEx: CE->getArg(Arg: 0), Init: UndefinedVal(), State, Family: AF_CXXNew);
1379 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1380 break;
1381 case OO_Array_New:
1382 State = MallocMemAux(C, Call, SizeEx: CE->getArg(Arg: 0), Init: UndefinedVal(), State,
1383 Family: AF_CXXNewArray);
1384 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1385 break;
1386 case OO_Delete:
1387 State = FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory,
1388 Family: AF_CXXNew);
1389 break;
1390 case OO_Array_Delete:
1391 State = FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory,
1392 Family: AF_CXXNewArray);
1393 break;
1394 default:
1395 llvm_unreachable("not a new/delete operator");
1396 }
1397
1398 C.addTransition(State);
1399}
1400
1401void MallocChecker::checkGMalloc0(const CallEvent &Call,
1402 CheckerContext &C) const {
1403 ProgramStateRef State = C.getState();
1404 SValBuilder &svalBuilder = C.getSValBuilder();
1405 SVal zeroVal = svalBuilder.makeZeroVal(type: svalBuilder.getContext().CharTy);
1406 State = MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: zeroVal, State, Family: AF_Malloc);
1407 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1408 C.addTransition(State);
1409}
1410
1411void MallocChecker::checkGMemdup(const CallEvent &Call,
1412 CheckerContext &C) const {
1413 ProgramStateRef State = C.getState();
1414 State =
1415 MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 1), Init: UnknownVal(), State, Family: AF_Malloc);
1416 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1417 C.addTransition(State);
1418}
1419
1420void MallocChecker::checkGMallocN(const CallEvent &Call,
1421 CheckerContext &C) const {
1422 ProgramStateRef State = C.getState();
1423 SVal Init = UndefinedVal();
1424 SVal TotalSize = evalMulForBufferSize(C, Blocks: Call.getArgExpr(Index: 0), BlockBytes: Call.getArgExpr(Index: 1));
1425 State = MallocMemAux(C, Call, Size: TotalSize, Init, State, Family: AF_Malloc);
1426 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1427 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1428 C.addTransition(State);
1429}
1430
1431void MallocChecker::checkGMallocN0(const CallEvent &Call,
1432 CheckerContext &C) const {
1433 ProgramStateRef State = C.getState();
1434 SValBuilder &SB = C.getSValBuilder();
1435 SVal Init = SB.makeZeroVal(type: SB.getContext().CharTy);
1436 SVal TotalSize = evalMulForBufferSize(C, Blocks: Call.getArgExpr(Index: 0), BlockBytes: Call.getArgExpr(Index: 1));
1437 State = MallocMemAux(C, Call, Size: TotalSize, Init, State, Family: AF_Malloc);
1438 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1439 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1440 C.addTransition(State);
1441}
1442
1443static bool isFromStdNamespace(const CallEvent &Call) {
1444 const Decl *FD = Call.getDecl();
1445 assert(FD && "a CallDescription cannot match a call without a Decl");
1446 return FD->isInStdNamespace();
1447}
1448
1449void MallocChecker::preGetdelim(const CallEvent &Call,
1450 CheckerContext &C) const {
1451 // Discard calls to the C++ standard library function std::getline(), which
1452 // is completely unrelated to the POSIX getline() that we're checking.
1453 if (isFromStdNamespace(Call))
1454 return;
1455
1456 ProgramStateRef State = C.getState();
1457 const auto LinePtr = getPointeeVal(PtrSVal: Call.getArgSVal(Index: 0), State);
1458 if (!LinePtr)
1459 return;
1460
1461 // FreeMemAux takes IsKnownToBeAllocated as an output parameter, and it will
1462 // be true after the call if the symbol was registered by this checker.
1463 // We do not need this value here, as FreeMemAux will take care
1464 // of reporting any violation of the preconditions.
1465 bool IsKnownToBeAllocated = false;
1466 State = FreeMemAux(C, ArgExpr: Call.getArgExpr(Index: 0), Call, State, Hold: false,
1467 IsKnownToBeAllocated, Family: AF_Malloc, ReturnsNullOnFailure: false, ArgValOpt: LinePtr);
1468 if (State)
1469 C.addTransition(State);
1470}
1471
1472void MallocChecker::checkGetdelim(const CallEvent &Call,
1473 CheckerContext &C) const {
1474 // Discard calls to the C++ standard library function std::getline(), which
1475 // is completely unrelated to the POSIX getline() that we're checking.
1476 if (isFromStdNamespace(Call))
1477 return;
1478
1479 ProgramStateRef State = C.getState();
1480 // Handle the post-conditions of getline and getdelim:
1481 // Register the new conjured value as an allocated buffer.
1482 const CallExpr *CE = dyn_cast_or_null<CallExpr>(Val: Call.getOriginExpr());
1483 if (!CE)
1484 return;
1485
1486 SValBuilder &SVB = C.getSValBuilder();
1487
1488 const auto LinePtr =
1489 getPointeeVal(PtrSVal: Call.getArgSVal(Index: 0), State)->getAs<DefinedSVal>();
1490 const auto Size =
1491 getPointeeVal(PtrSVal: Call.getArgSVal(Index: 1), State)->getAs<DefinedSVal>();
1492 if (!LinePtr || !Size || !LinePtr->getAsRegion())
1493 return;
1494
1495 State = setDynamicExtent(State, MR: LinePtr->getAsRegion(), Extent: *Size, SVB);
1496 C.addTransition(State: MallocUpdateRefState(C, CE, State, AF_Malloc, *LinePtr));
1497}
1498
1499void MallocChecker::checkReallocN(const CallEvent &Call,
1500 CheckerContext &C) const {
1501 ProgramStateRef State = C.getState();
1502 State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, Family: AF_Malloc,
1503 /*SuffixWithN=*/true);
1504 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1505 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 2, State);
1506 C.addTransition(State);
1507}
1508
1509void MallocChecker::checkOwnershipAttr(const CallEvent &Call,
1510 CheckerContext &C) const {
1511 ProgramStateRef State = C.getState();
1512 const auto *CE = dyn_cast_or_null<CallExpr>(Val: Call.getOriginExpr());
1513 if (!CE)
1514 return;
1515 const FunctionDecl *FD = C.getCalleeDecl(CE);
1516 if (!FD)
1517 return;
1518 if (ShouldIncludeOwnershipAnnotatedFunctions ||
1519 ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
1520 // Check all the attributes, if there are any.
1521 // There can be multiple of these attributes.
1522 if (FD->hasAttrs())
1523 for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
1524 switch (I->getOwnKind()) {
1525 case OwnershipAttr::Returns:
1526 State = MallocMemReturnsAttr(C, Call, I, State);
1527 break;
1528 case OwnershipAttr::Takes:
1529 case OwnershipAttr::Holds:
1530 State = FreeMemAttr(C, Call, I, State);
1531 break;
1532 }
1533 }
1534 }
1535 C.addTransition(State);
1536}
1537
1538void MallocChecker::checkPostCall(const CallEvent &Call,
1539 CheckerContext &C) const {
1540 if (C.wasInlined)
1541 return;
1542 if (!Call.getOriginExpr())
1543 return;
1544
1545 ProgramStateRef State = C.getState();
1546
1547 if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) {
1548 (*Callback)(this, Call, C);
1549 return;
1550 }
1551
1552 if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) {
1553 (*Callback)(this, Call, C);
1554 return;
1555 }
1556
1557 if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) {
1558 (*Callback)(this, Call, C);
1559 return;
1560 }
1561
1562 if (isStandardNewDelete(Call)) {
1563 checkCXXNewOrCXXDelete(Call, C);
1564 return;
1565 }
1566
1567 checkOwnershipAttr(Call, C);
1568}
1569
1570// Performs a 0-sized allocations check.
1571ProgramStateRef MallocChecker::ProcessZeroAllocCheck(
1572 const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State,
1573 std::optional<SVal> RetVal) {
1574 if (!State)
1575 return nullptr;
1576
1577 if (!RetVal)
1578 RetVal = Call.getReturnValue();
1579
1580 const Expr *Arg = nullptr;
1581
1582 if (const CallExpr *CE = dyn_cast<CallExpr>(Val: Call.getOriginExpr())) {
1583 Arg = CE->getArg(Arg: IndexOfSizeArg);
1584 } else if (const CXXNewExpr *NE =
1585 dyn_cast<CXXNewExpr>(Val: Call.getOriginExpr())) {
1586 if (NE->isArray()) {
1587 Arg = *NE->getArraySize();
1588 } else {
1589 return State;
1590 }
1591 } else
1592 llvm_unreachable("not a CallExpr or CXXNewExpr");
1593
1594 assert(Arg);
1595
1596 auto DefArgVal =
1597 State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>();
1598
1599 if (!DefArgVal)
1600 return State;
1601
1602 // Check if the allocation size is 0.
1603 ProgramStateRef TrueState, FalseState;
1604 SValBuilder &SvalBuilder = State->getStateManager().getSValBuilder();
1605 DefinedSVal Zero =
1606 SvalBuilder.makeZeroVal(type: Arg->getType()).castAs<DefinedSVal>();
1607
1608 std::tie(args&: TrueState, args&: FalseState) =
1609 State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1610
1611 if (TrueState && !FalseState) {
1612 SymbolRef Sym = RetVal->getAsLocSymbol();
1613 if (!Sym)
1614 return State;
1615
1616 const RefState *RS = State->get<RegionState>(key: Sym);
1617 if (RS) {
1618 if (RS->isAllocated())
1619 return TrueState->set<RegionState>(K: Sym,
1620 E: RefState::getAllocatedOfSizeZero(RS));
1621 else
1622 return State;
1623 } else {
1624 // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1625 // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1626 // tracked. Add zero-reallocated Sym to the state to catch references
1627 // to zero-allocated memory.
1628 return TrueState->add<ReallocSizeZeroSymbols>(K: Sym);
1629 }
1630 }
1631
1632 // Assume the value is non-zero going forward.
1633 assert(FalseState);
1634 return FalseState;
1635}
1636
1637static QualType getDeepPointeeType(QualType T) {
1638 QualType Result = T, PointeeType = T->getPointeeType();
1639 while (!PointeeType.isNull()) {
1640 Result = PointeeType;
1641 PointeeType = PointeeType->getPointeeType();
1642 }
1643 return Result;
1644}
1645
1646/// \returns true if the constructor invoked by \p NE has an argument of a
1647/// pointer/reference to a record type.
1648static bool hasNonTrivialConstructorCall(const CXXNewExpr *NE) {
1649
1650 const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1651 if (!ConstructE)
1652 return false;
1653
1654 if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1655 return false;
1656
1657 const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1658
1659 // Iterate over the constructor parameters.
1660 for (const auto *CtorParam : CtorD->parameters()) {
1661
1662 QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1663 if (CtorParamPointeeT.isNull())
1664 continue;
1665
1666 CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1667
1668 if (CtorParamPointeeT->getAsCXXRecordDecl())
1669 return true;
1670 }
1671
1672 return false;
1673}
1674
1675ProgramStateRef
1676MallocChecker::processNewAllocation(const CXXAllocatorCall &Call,
1677 CheckerContext &C,
1678 AllocationFamily Family) const {
1679 if (!isStandardNewDelete(Call))
1680 return nullptr;
1681
1682 const CXXNewExpr *NE = Call.getOriginExpr();
1683 const ParentMap &PM = C.getLocationContext()->getParentMap();
1684 ProgramStateRef State = C.getState();
1685
1686 // Non-trivial constructors have a chance to escape 'this', but marking all
1687 // invocations of trivial constructors as escaped would cause too great of
1688 // reduction of true positives, so let's just do that for constructors that
1689 // have an argument of a pointer-to-record type.
1690 if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE))
1691 return State;
1692
1693 // The return value from operator new is bound to a specified initialization
1694 // value (if any) and we don't want to loose this value. So we call
1695 // MallocUpdateRefState() instead of MallocMemAux() which breaks the
1696 // existing binding.
1697 SVal Target = Call.getObjectUnderConstruction();
1698 State = MallocUpdateRefState(C, NE, State, Family, Target);
1699 State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State, RetVal: Target);
1700 return State;
1701}
1702
1703void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call,
1704 CheckerContext &C) const {
1705 if (!C.wasInlined) {
1706 ProgramStateRef State = processNewAllocation(
1707 Call, C,
1708 Family: (Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew));
1709 C.addTransition(State);
1710 }
1711}
1712
1713static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
1714 // If the first selector piece is one of the names below, assume that the
1715 // object takes ownership of the memory, promising to eventually deallocate it
1716 // with free().
1717 // Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1718 // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1719 StringRef FirstSlot = Call.getSelector().getNameForSlot(argIndex: 0);
1720 return FirstSlot == "dataWithBytesNoCopy" ||
1721 FirstSlot == "initWithBytesNoCopy" ||
1722 FirstSlot == "initWithCharactersNoCopy";
1723}
1724
1725static std::optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) {
1726 Selector S = Call.getSelector();
1727
1728 // FIXME: We should not rely on fully-constrained symbols being folded.
1729 for (unsigned i = 1; i < S.getNumArgs(); ++i)
1730 if (S.getNameForSlot(argIndex: i).equals(RHS: "freeWhenDone"))
1731 return !Call.getArgSVal(Index: i).isZeroConstant();
1732
1733 return std::nullopt;
1734}
1735
1736void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1737 CheckerContext &C) const {
1738 if (C.wasInlined)
1739 return;
1740
1741 if (!isKnownDeallocObjCMethodName(Call))
1742 return;
1743
1744 if (std::optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1745 if (!*FreeWhenDone)
1746 return;
1747
1748 if (Call.hasNonZeroCallbackArg())
1749 return;
1750
1751 bool IsKnownToBeAllocatedMemory;
1752 ProgramStateRef State =
1753 FreeMemAux(C, ArgExpr: Call.getArgExpr(Index: 0), Call, State: C.getState(),
1754 /*Hold=*/true, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory, Family: AF_Malloc,
1755 /*ReturnsNullOnFailure=*/true);
1756
1757 C.addTransition(State);
1758}
1759
1760ProgramStateRef
1761MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
1762 const OwnershipAttr *Att,
1763 ProgramStateRef State) const {
1764 if (!State)
1765 return nullptr;
1766
1767 if (Att->getModule()->getName() != "malloc")
1768 return nullptr;
1769
1770 if (!Att->args().empty()) {
1771 return MallocMemAux(C, Call,
1772 Call.getArgExpr(Index: Att->args_begin()->getASTIndex()),
1773 UndefinedVal(), State, AF_Malloc);
1774 }
1775 return MallocMemAux(C, Call, Size: UnknownVal(), Init: UndefinedVal(), State, Family: AF_Malloc);
1776}
1777
1778ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1779 const CallEvent &Call,
1780 const Expr *SizeEx, SVal Init,
1781 ProgramStateRef State,
1782 AllocationFamily Family) {
1783 if (!State)
1784 return nullptr;
1785
1786 assert(SizeEx);
1787 return MallocMemAux(C, Call, Size: C.getSVal(SizeEx), Init, State, Family);
1788}
1789
1790ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1791 const CallEvent &Call, SVal Size,
1792 SVal Init, ProgramStateRef State,
1793 AllocationFamily Family) {
1794 if (!State)
1795 return nullptr;
1796
1797 const Expr *CE = Call.getOriginExpr();
1798
1799 // We expect the malloc functions to return a pointer.
1800 if (!Loc::isLocType(T: CE->getType()))
1801 return nullptr;
1802
1803 // Bind the return value to the symbolic value from the heap region.
1804 // TODO: move use of this functions to an EvalCall callback, becasue
1805 // BindExpr() should'nt be used elsewhere.
1806 unsigned Count = C.blockCount();
1807 SValBuilder &SVB = C.getSValBuilder();
1808 const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1809 DefinedSVal RetVal =
1810 ((Family == AF_Alloca) ? SVB.getAllocaRegionVal(E: CE, LCtx, Count)
1811 : SVB.getConjuredHeapSymbolVal(E: CE, LCtx, Count)
1812 .castAs<DefinedSVal>());
1813 State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1814
1815 // Fill the region with the initialization value.
1816 State = State->bindDefaultInitial(loc: RetVal, V: Init, LCtx);
1817
1818 // If Size is somehow undefined at this point, this line prevents a crash.
1819 if (Size.isUndef())
1820 Size = UnknownVal();
1821
1822 // Set the region's extent.
1823 State = setDynamicExtent(State, MR: RetVal.getAsRegion(),
1824 Extent: Size.castAs<DefinedOrUnknownSVal>(), SVB);
1825
1826 return MallocUpdateRefState(C, E: CE, State, Family);
1827}
1828
1829static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
1830 ProgramStateRef State,
1831 AllocationFamily Family,
1832 std::optional<SVal> RetVal) {
1833 if (!State)
1834 return nullptr;
1835
1836 // Get the return value.
1837 if (!RetVal)
1838 RetVal = C.getSVal(E);
1839
1840 // We expect the malloc functions to return a pointer.
1841 if (!RetVal->getAs<Loc>())
1842 return nullptr;
1843
1844 SymbolRef Sym = RetVal->getAsLocSymbol();
1845
1846 // This is a return value of a function that was not inlined, such as malloc()
1847 // or new(). We've checked that in the caller. Therefore, it must be a symbol.
1848 assert(Sym);
1849 // FIXME: In theory this assertion should fail for `alloca()` calls (because
1850 // `AllocaRegion`s are not symbolic); but in practice this does not happen.
1851 // As the current code appears to work correctly, I'm not touching this issue
1852 // now, but it would be good to investigate and clarify this.
1853 // Also note that perhaps the special `AllocaRegion` should be replaced by
1854 // `SymbolicRegion` (or turned into a subclass of `SymbolicRegion`) to enable
1855 // proper tracking of memory allocated by `alloca()` -- and after that change
1856 // this assertion would become valid again.
1857
1858 // Set the symbol's state to Allocated.
1859 return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1860}
1861
1862ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1863 const CallEvent &Call,
1864 const OwnershipAttr *Att,
1865 ProgramStateRef State) const {
1866 if (!State)
1867 return nullptr;
1868
1869 if (Att->getModule()->getName() != "malloc")
1870 return nullptr;
1871
1872 bool IsKnownToBeAllocated = false;
1873
1874 for (const auto &Arg : Att->args()) {
1875 ProgramStateRef StateI =
1876 FreeMemAux(C, Call, State, Arg.getASTIndex(),
1877 Att->getOwnKind() == OwnershipAttr::Holds,
1878 IsKnownToBeAllocated, AF_Malloc);
1879 if (StateI)
1880 State = StateI;
1881 }
1882 return State;
1883}
1884
1885ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1886 const CallEvent &Call,
1887 ProgramStateRef State, unsigned Num,
1888 bool Hold, bool &IsKnownToBeAllocated,
1889 AllocationFamily Family,
1890 bool ReturnsNullOnFailure) const {
1891 if (!State)
1892 return nullptr;
1893
1894 if (Call.getNumArgs() < (Num + 1))
1895 return nullptr;
1896
1897 return FreeMemAux(C, ArgExpr: Call.getArgExpr(Index: Num), Call, State, Hold,
1898 IsKnownToBeAllocated, Family, ReturnsNullOnFailure);
1899}
1900
1901/// Checks if the previous call to free on the given symbol failed - if free
1902/// failed, returns true. Also, returns the corresponding return value symbol.
1903static bool didPreviousFreeFail(ProgramStateRef State,
1904 SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1905 const SymbolRef *Ret = State->get<FreeReturnValue>(key: Sym);
1906 if (Ret) {
1907 assert(*Ret && "We should not store the null return symbol");
1908 ConstraintManager &CMgr = State->getConstraintManager();
1909 ConditionTruthVal FreeFailed = CMgr.isNull(State, Sym: *Ret);
1910 RetStatusSymbol = *Ret;
1911 return FreeFailed.isConstrainedTrue();
1912 }
1913 return false;
1914}
1915
1916static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E) {
1917 if (const CallExpr *CE = dyn_cast<CallExpr>(Val: E)) {
1918 // FIXME: This doesn't handle indirect calls.
1919 const FunctionDecl *FD = CE->getDirectCallee();
1920 if (!FD)
1921 return false;
1922
1923 os << *FD;
1924 if (!FD->isOverloadedOperator())
1925 os << "()";
1926 return true;
1927 }
1928
1929 if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(Val: E)) {
1930 if (Msg->isInstanceMessage())
1931 os << "-";
1932 else
1933 os << "+";
1934 Msg->getSelector().print(OS&: os);
1935 return true;
1936 }
1937
1938 if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(Val: E)) {
1939 os << "'"
1940 << getOperatorSpelling(Operator: NE->getOperatorNew()->getOverloadedOperator())
1941 << "'";
1942 return true;
1943 }
1944
1945 if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(Val: E)) {
1946 os << "'"
1947 << getOperatorSpelling(Operator: DE->getOperatorDelete()->getOverloadedOperator())
1948 << "'";
1949 return true;
1950 }
1951
1952 return false;
1953}
1954
1955static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family) {
1956
1957 switch(Family) {
1958 case AF_Malloc: os << "malloc()"; return;
1959 case AF_CXXNew: os << "'new'"; return;
1960 case AF_CXXNewArray: os << "'new[]'"; return;
1961 case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1962 case AF_InnerBuffer: os << "container-specific allocator"; return;
1963 case AF_Alloca:
1964 case AF_None: llvm_unreachable("not a deallocation expression");
1965 }
1966}
1967
1968static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) {
1969 switch(Family) {
1970 case AF_Malloc: os << "free()"; return;
1971 case AF_CXXNew: os << "'delete'"; return;
1972 case AF_CXXNewArray: os << "'delete[]'"; return;
1973 case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1974 case AF_InnerBuffer: os << "container-specific deallocator"; return;
1975 case AF_Alloca:
1976 case AF_None: llvm_unreachable("suspicious argument");
1977 }
1978}
1979
1980ProgramStateRef
1981MallocChecker::FreeMemAux(CheckerContext &C, const Expr *ArgExpr,
1982 const CallEvent &Call, ProgramStateRef State,
1983 bool Hold, bool &IsKnownToBeAllocated,
1984 AllocationFamily Family, bool ReturnsNullOnFailure,
1985 std::optional<SVal> ArgValOpt) const {
1986
1987 if (!State)
1988 return nullptr;
1989
1990 SVal ArgVal = ArgValOpt.value_or(u: C.getSVal(ArgExpr));
1991 if (!isa<DefinedOrUnknownSVal>(Val: ArgVal))
1992 return nullptr;
1993 DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1994
1995 // Check for null dereferences.
1996 if (!isa<Loc>(Val: location))
1997 return nullptr;
1998
1999 // The explicit NULL case, no operation is performed.
2000 ProgramStateRef notNullState, nullState;
2001 std::tie(args&: notNullState, args&: nullState) = State->assume(Cond: location);
2002 if (nullState && !notNullState)
2003 return nullptr;
2004
2005 // Unknown values could easily be okay
2006 // Undefined values are handled elsewhere
2007 if (ArgVal.isUnknownOrUndef())
2008 return nullptr;
2009
2010 const MemRegion *R = ArgVal.getAsRegion();
2011 const Expr *ParentExpr = Call.getOriginExpr();
2012
2013 // NOTE: We detected a bug, but the checker under whose name we would emit the
2014 // error could be disabled. Generally speaking, the MallocChecker family is an
2015 // integral part of the Static Analyzer, and disabling any part of it should
2016 // only be done under exceptional circumstances, such as frequent false
2017 // positives. If this is the case, we can reasonably believe that there are
2018 // serious faults in our understanding of the source code, and even if we
2019 // don't emit an warning, we should terminate further analysis with a sink
2020 // node.
2021
2022 // Nonlocs can't be freed, of course.
2023 // Non-region locations (labels and fixed addresses) also shouldn't be freed.
2024 if (!R) {
2025 // Exception:
2026 // If the macro ZERO_SIZE_PTR is defined, this could be a kernel source
2027 // code. In that case, the ZERO_SIZE_PTR defines a special value used for a
2028 // zero-sized memory block which is allowed to be freed, despite not being a
2029 // null pointer.
2030 if (Family != AF_Malloc || !isArgZERO_SIZE_PTR(State, C, ArgVal))
2031 HandleNonHeapDealloc(C, ArgVal, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2032 Family);
2033 return nullptr;
2034 }
2035
2036 R = R->StripCasts();
2037
2038 // Blocks might show up as heap data, but should not be free()d
2039 if (isa<BlockDataRegion>(Val: R)) {
2040 HandleNonHeapDealloc(C, ArgVal, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2041 Family);
2042 return nullptr;
2043 }
2044
2045 const MemSpaceRegion *MS = R->getMemorySpace();
2046
2047 // Parameters, locals, statics, globals, and memory returned by
2048 // __builtin_alloca() shouldn't be freed.
2049 if (!isa<UnknownSpaceRegion, HeapSpaceRegion>(Val: MS)) {
2050 // Regions returned by malloc() are represented by SymbolicRegion objects
2051 // within HeapSpaceRegion. Of course, free() can work on memory allocated
2052 // outside the current function, so UnknownSpaceRegion is also a
2053 // possibility here.
2054
2055 if (isa<AllocaRegion>(Val: R))
2056 HandleFreeAlloca(C, ArgVal, Range: ArgExpr->getSourceRange());
2057 else
2058 HandleNonHeapDealloc(C, ArgVal, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2059 Family);
2060
2061 return nullptr;
2062 }
2063
2064 const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(Val: R->getBaseRegion());
2065 // Various cases could lead to non-symbol values here.
2066 // For now, ignore them.
2067 if (!SrBase)
2068 return nullptr;
2069
2070 SymbolRef SymBase = SrBase->getSymbol();
2071 const RefState *RsBase = State->get<RegionState>(key: SymBase);
2072 SymbolRef PreviousRetStatusSymbol = nullptr;
2073
2074 IsKnownToBeAllocated =
2075 RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero());
2076
2077 if (RsBase) {
2078
2079 // Memory returned by alloca() shouldn't be freed.
2080 if (RsBase->getAllocationFamily() == AF_Alloca) {
2081 HandleFreeAlloca(C, ArgVal, Range: ArgExpr->getSourceRange());
2082 return nullptr;
2083 }
2084
2085 // Check for double free first.
2086 if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
2087 !didPreviousFreeFail(State, Sym: SymBase, RetStatusSymbol&: PreviousRetStatusSymbol)) {
2088 HandleDoubleFree(C, Range: ParentExpr->getSourceRange(), Released: RsBase->isReleased(),
2089 Sym: SymBase, PrevSym: PreviousRetStatusSymbol);
2090 return nullptr;
2091
2092 // If the pointer is allocated or escaped, but we are now trying to free it,
2093 // check that the call to free is proper.
2094 } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
2095 RsBase->isEscaped()) {
2096
2097 // Check if an expected deallocation function matches the real one.
2098 bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family;
2099 if (!DeallocMatchesAlloc) {
2100 HandleMismatchedDealloc(C, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2101 RS: RsBase, Sym: SymBase, OwnershipTransferred: Hold);
2102 return nullptr;
2103 }
2104
2105 // Check if the memory location being freed is the actual location
2106 // allocated, or an offset.
2107 RegionOffset Offset = R->getAsOffset();
2108 if (Offset.isValid() &&
2109 !Offset.hasSymbolicOffset() &&
2110 Offset.getOffset() != 0) {
2111 const Expr *AllocExpr = cast<Expr>(Val: RsBase->getStmt());
2112 HandleOffsetFree(C, ArgVal, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2113 Family, AllocExpr);
2114 return nullptr;
2115 }
2116 }
2117 }
2118
2119 if (SymBase->getType()->isFunctionPointerType()) {
2120 HandleFunctionPtrFree(C, ArgVal, Range: ArgExpr->getSourceRange(), FreeExpr: ParentExpr,
2121 Family);
2122 return nullptr;
2123 }
2124
2125 // Clean out the info on previous call to free return info.
2126 State = State->remove<FreeReturnValue>(K: SymBase);
2127
2128 // Keep track of the return value. If it is NULL, we will know that free
2129 // failed.
2130 if (ReturnsNullOnFailure) {
2131 SVal RetVal = C.getSVal(ParentExpr);
2132 SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
2133 if (RetStatusSymbol) {
2134 C.getSymbolManager().addSymbolDependency(Primary: SymBase, Dependent: RetStatusSymbol);
2135 State = State->set<FreeReturnValue>(K: SymBase, E: RetStatusSymbol);
2136 }
2137 }
2138
2139 // If we don't know anything about this symbol, a free on it may be totally
2140 // valid. If this is the case, lets assume that the allocation family of the
2141 // freeing function is the same as the symbols allocation family, and go with
2142 // that.
2143 assert(!RsBase || (RsBase && RsBase->getAllocationFamily() == Family));
2144
2145 // Normal free.
2146 if (Hold)
2147 return State->set<RegionState>(SymBase,
2148 RefState::getRelinquished(Family,
2149 ParentExpr));
2150
2151 return State->set<RegionState>(SymBase,
2152 RefState::getReleased(Family, ParentExpr));
2153}
2154
2155std::optional<MallocChecker::CheckKind>
2156MallocChecker::getCheckIfTracked(AllocationFamily Family,
2157 bool IsALeakCheck) const {
2158 switch (Family) {
2159 case AF_Malloc:
2160 case AF_Alloca:
2161 case AF_IfNameIndex: {
2162 if (ChecksEnabled[CK_MallocChecker])
2163 return CK_MallocChecker;
2164 return std::nullopt;
2165 }
2166 case AF_CXXNew:
2167 case AF_CXXNewArray: {
2168 if (IsALeakCheck) {
2169 if (ChecksEnabled[CK_NewDeleteLeaksChecker])
2170 return CK_NewDeleteLeaksChecker;
2171 }
2172 else {
2173 if (ChecksEnabled[CK_NewDeleteChecker])
2174 return CK_NewDeleteChecker;
2175 }
2176 return std::nullopt;
2177 }
2178 case AF_InnerBuffer: {
2179 if (ChecksEnabled[CK_InnerPointerChecker])
2180 return CK_InnerPointerChecker;
2181 return std::nullopt;
2182 }
2183 case AF_None: {
2184 llvm_unreachable("no family");
2185 }
2186 }
2187 llvm_unreachable("unhandled family");
2188}
2189
2190std::optional<MallocChecker::CheckKind>
2191MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
2192 bool IsALeakCheck) const {
2193 if (C.getState()->contains<ReallocSizeZeroSymbols>(key: Sym))
2194 return CK_MallocChecker;
2195
2196 const RefState *RS = C.getState()->get<RegionState>(key: Sym);
2197 assert(RS);
2198 return getCheckIfTracked(Family: RS->getAllocationFamily(), IsALeakCheck);
2199}
2200
2201bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
2202 if (std::optional<nonloc::ConcreteInt> IntVal =
2203 V.getAs<nonloc::ConcreteInt>())
2204 os << "an integer (" << IntVal->getValue() << ")";
2205 else if (std::optional<loc::ConcreteInt> ConstAddr =
2206 V.getAs<loc::ConcreteInt>())
2207 os << "a constant address (" << ConstAddr->getValue() << ")";
2208 else if (std::optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
2209 os << "the address of the label '" << Label->getLabel()->getName() << "'";
2210 else
2211 return false;
2212
2213 return true;
2214}
2215
2216bool MallocChecker::SummarizeRegion(raw_ostream &os,
2217 const MemRegion *MR) {
2218 switch (MR->getKind()) {
2219 case MemRegion::FunctionCodeRegionKind: {
2220 const NamedDecl *FD = cast<FunctionCodeRegion>(Val: MR)->getDecl();
2221 if (FD)
2222 os << "the address of the function '" << *FD << '\'';
2223 else
2224 os << "the address of a function";
2225 return true;
2226 }
2227 case MemRegion::BlockCodeRegionKind:
2228 os << "block text";
2229 return true;
2230 case MemRegion::BlockDataRegionKind:
2231 // FIXME: where the block came from?
2232 os << "a block";
2233 return true;
2234 default: {
2235 const MemSpaceRegion *MS = MR->getMemorySpace();
2236
2237 if (isa<StackLocalsSpaceRegion>(Val: MS)) {
2238 const VarRegion *VR = dyn_cast<VarRegion>(Val: MR);
2239 const VarDecl *VD;
2240 if (VR)
2241 VD = VR->getDecl();
2242 else
2243 VD = nullptr;
2244
2245 if (VD)
2246 os << "the address of the local variable '" << VD->getName() << "'";
2247 else
2248 os << "the address of a local stack variable";
2249 return true;
2250 }
2251
2252 if (isa<StackArgumentsSpaceRegion>(Val: MS)) {
2253 const VarRegion *VR = dyn_cast<VarRegion>(Val: MR);
2254 const VarDecl *VD;
2255 if (VR)
2256 VD = VR->getDecl();
2257 else
2258 VD = nullptr;
2259
2260 if (VD)
2261 os << "the address of the parameter '" << VD->getName() << "'";
2262 else
2263 os << "the address of a parameter";
2264 return true;
2265 }
2266
2267 if (isa<GlobalsSpaceRegion>(Val: MS)) {
2268 const VarRegion *VR = dyn_cast<VarRegion>(Val: MR);
2269 const VarDecl *VD;
2270 if (VR)
2271 VD = VR->getDecl();
2272 else
2273 VD = nullptr;
2274
2275 if (VD) {
2276 if (VD->isStaticLocal())
2277 os << "the address of the static variable '" << VD->getName() << "'";
2278 else
2279 os << "the address of the global variable '" << VD->getName() << "'";
2280 } else
2281 os << "the address of a global variable";
2282 return true;
2283 }
2284
2285 return false;
2286 }
2287 }
2288}
2289
2290void MallocChecker::HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal,
2291 SourceRange Range,
2292 const Expr *DeallocExpr,
2293 AllocationFamily Family) const {
2294
2295 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2296 C.addSink();
2297 return;
2298 }
2299
2300 std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2301 if (!CheckKind)
2302 return;
2303
2304 if (ExplodedNode *N = C.generateErrorNode()) {
2305 if (!BT_BadFree[*CheckKind])
2306 BT_BadFree[*CheckKind].reset(p: new BugType(
2307 CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2308
2309 SmallString<100> buf;
2310 llvm::raw_svector_ostream os(buf);
2311
2312 const MemRegion *MR = ArgVal.getAsRegion();
2313 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(Val: MR))
2314 MR = ER->getSuperRegion();
2315
2316 os << "Argument to ";
2317 if (!printMemFnName(os, C, E: DeallocExpr))
2318 os << "deallocator";
2319
2320 os << " is ";
2321 bool Summarized = MR ? SummarizeRegion(os, MR)
2322 : SummarizeValue(os, V: ArgVal);
2323 if (Summarized)
2324 os << ", which is not memory allocated by ";
2325 else
2326 os << "not memory allocated by ";
2327
2328 printExpectedAllocName(os, Family);
2329
2330 auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT_BadFree[*CheckKind],
2331 args: os.str(), args&: N);
2332 R->markInteresting(R: MR);
2333 R->addRange(R: Range);
2334 C.emitReport(R: std::move(R));
2335 }
2336}
2337
2338void MallocChecker::HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
2339 SourceRange Range) const {
2340
2341 std::optional<MallocChecker::CheckKind> CheckKind;
2342
2343 if (ChecksEnabled[CK_MallocChecker])
2344 CheckKind = CK_MallocChecker;
2345 else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
2346 CheckKind = CK_MismatchedDeallocatorChecker;
2347 else {
2348 C.addSink();
2349 return;
2350 }
2351
2352 if (ExplodedNode *N = C.generateErrorNode()) {
2353 if (!BT_FreeAlloca[*CheckKind])
2354 BT_FreeAlloca[*CheckKind].reset(p: new BugType(
2355 CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
2356
2357 auto R = std::make_unique<PathSensitiveBugReport>(
2358 args&: *BT_FreeAlloca[*CheckKind],
2359 args: "Memory allocated by alloca() should not be deallocated", args&: N);
2360 R->markInteresting(R: ArgVal.getAsRegion());
2361 R->addRange(R: Range);
2362 C.emitReport(R: std::move(R));
2363 }
2364}
2365
2366void MallocChecker::HandleMismatchedDealloc(CheckerContext &C,
2367 SourceRange Range,
2368 const Expr *DeallocExpr,
2369 const RefState *RS, SymbolRef Sym,
2370 bool OwnershipTransferred) const {
2371
2372 if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
2373 C.addSink();
2374 return;
2375 }
2376
2377 if (ExplodedNode *N = C.generateErrorNode()) {
2378 if (!BT_MismatchedDealloc)
2379 BT_MismatchedDealloc.reset(
2380 p: new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
2381 "Bad deallocator", categories::MemoryError));
2382
2383 SmallString<100> buf;
2384 llvm::raw_svector_ostream os(buf);
2385
2386 const Expr *AllocExpr = cast<Expr>(Val: RS->getStmt());
2387 SmallString<20> AllocBuf;
2388 llvm::raw_svector_ostream AllocOs(AllocBuf);
2389 SmallString<20> DeallocBuf;
2390 llvm::raw_svector_ostream DeallocOs(DeallocBuf);
2391
2392 if (OwnershipTransferred) {
2393 if (printMemFnName(os&: DeallocOs, C, E: DeallocExpr))
2394 os << DeallocOs.str() << " cannot";
2395 else
2396 os << "Cannot";
2397
2398 os << " take ownership of memory";
2399
2400 if (printMemFnName(os&: AllocOs, C, E: AllocExpr))
2401 os << " allocated by " << AllocOs.str();
2402 } else {
2403 os << "Memory";
2404 if (printMemFnName(os&: AllocOs, C, E: AllocExpr))
2405 os << " allocated by " << AllocOs.str();
2406
2407 os << " should be deallocated by ";
2408 printExpectedDeallocName(os, Family: RS->getAllocationFamily());
2409
2410 if (printMemFnName(os&: DeallocOs, C, E: DeallocExpr))
2411 os << ", not " << DeallocOs.str();
2412 }
2413
2414 auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT_MismatchedDealloc,
2415 args: os.str(), args&: N);
2416 R->markInteresting(sym: Sym);
2417 R->addRange(R: Range);
2418 R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2419 C.emitReport(R: std::move(R));
2420 }
2421}
2422
2423void MallocChecker::HandleOffsetFree(CheckerContext &C, SVal ArgVal,
2424 SourceRange Range, const Expr *DeallocExpr,
2425 AllocationFamily Family,
2426 const Expr *AllocExpr) const {
2427
2428 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2429 C.addSink();
2430 return;
2431 }
2432
2433 std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2434 if (!CheckKind)
2435 return;
2436
2437 ExplodedNode *N = C.generateErrorNode();
2438 if (!N)
2439 return;
2440
2441 if (!BT_OffsetFree[*CheckKind])
2442 BT_OffsetFree[*CheckKind].reset(p: new BugType(
2443 CheckNames[*CheckKind], "Offset free", categories::MemoryError));
2444
2445 SmallString<100> buf;
2446 llvm::raw_svector_ostream os(buf);
2447 SmallString<20> AllocNameBuf;
2448 llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
2449
2450 const MemRegion *MR = ArgVal.getAsRegion();
2451 assert(MR && "Only MemRegion based symbols can have offset free errors");
2452
2453 RegionOffset Offset = MR->getAsOffset();
2454 assert((Offset.isValid() &&
2455 !Offset.hasSymbolicOffset() &&
2456 Offset.getOffset() != 0) &&
2457 "Only symbols with a valid offset can have offset free errors");
2458
2459 int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
2460
2461 os << "Argument to ";
2462 if (!printMemFnName(os, C, E: DeallocExpr))
2463 os << "deallocator";
2464 os << " is offset by "
2465 << offsetBytes
2466 << " "
2467 << ((abs(x: offsetBytes) > 1) ? "bytes" : "byte")
2468 << " from the start of ";
2469 if (AllocExpr && printMemFnName(os&: AllocNameOs, C, E: AllocExpr))
2470 os << "memory allocated by " << AllocNameOs.str();
2471 else
2472 os << "allocated memory";
2473
2474 auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT_OffsetFree[*CheckKind],
2475 args: os.str(), args&: N);
2476 R->markInteresting(R: MR->getBaseRegion());
2477 R->addRange(R: Range);
2478 C.emitReport(R: std::move(R));
2479}
2480
2481void MallocChecker::HandleUseAfterFree(CheckerContext &C, SourceRange Range,
2482 SymbolRef Sym) const {
2483
2484 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker] &&
2485 !ChecksEnabled[CK_InnerPointerChecker]) {
2486 C.addSink();
2487 return;
2488 }
2489
2490 std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2491 if (!CheckKind)
2492 return;
2493
2494 if (ExplodedNode *N = C.generateErrorNode()) {
2495 if (!BT_UseFree[*CheckKind])
2496 BT_UseFree[*CheckKind].reset(p: new BugType(
2497 CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
2498
2499 AllocationFamily AF =
2500 C.getState()->get<RegionState>(key: Sym)->getAllocationFamily();
2501
2502 auto R = std::make_unique<PathSensitiveBugReport>(
2503 args&: *BT_UseFree[*CheckKind],
2504 args: AF == AF_InnerBuffer
2505 ? "Inner pointer of container used after re/deallocation"
2506 : "Use of memory after it is freed",
2507 args&: N);
2508
2509 R->markInteresting(sym: Sym);
2510 R->addRange(R: Range);
2511 R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2512
2513 if (AF == AF_InnerBuffer)
2514 R->addVisitor(visitor: allocation_state::getInnerPointerBRVisitor(Sym));
2515
2516 C.emitReport(R: std::move(R));
2517 }
2518}
2519
2520void MallocChecker::HandleDoubleFree(CheckerContext &C, SourceRange Range,
2521 bool Released, SymbolRef Sym,
2522 SymbolRef PrevSym) const {
2523
2524 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2525 C.addSink();
2526 return;
2527 }
2528
2529 std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2530 if (!CheckKind)
2531 return;
2532
2533 if (ExplodedNode *N = C.generateErrorNode()) {
2534 if (!BT_DoubleFree[*CheckKind])
2535 BT_DoubleFree[*CheckKind].reset(p: new BugType(
2536 CheckNames[*CheckKind], "Double free", categories::MemoryError));
2537
2538 auto R = std::make_unique<PathSensitiveBugReport>(
2539 args&: *BT_DoubleFree[*CheckKind],
2540 args: (Released ? "Attempt to free released memory"
2541 : "Attempt to free non-owned memory"),
2542 args&: N);
2543 R->addRange(R: Range);
2544 R->markInteresting(sym: Sym);
2545 if (PrevSym)
2546 R->markInteresting(sym: PrevSym);
2547 R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2548 C.emitReport(R: std::move(R));
2549 }
2550}
2551
2552void MallocChecker::HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2553
2554 if (!ChecksEnabled[CK_NewDeleteChecker]) {
2555 C.addSink();
2556 return;
2557 }
2558
2559 std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2560 if (!CheckKind)
2561 return;
2562
2563 if (ExplodedNode *N = C.generateErrorNode()) {
2564 if (!BT_DoubleDelete)
2565 BT_DoubleDelete.reset(p: new BugType(CheckNames[CK_NewDeleteChecker],
2566 "Double delete",
2567 categories::MemoryError));
2568
2569 auto R = std::make_unique<PathSensitiveBugReport>(
2570 args&: *BT_DoubleDelete, args: "Attempt to delete released memory", args&: N);
2571
2572 R->markInteresting(sym: Sym);
2573 R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2574 C.emitReport(R: std::move(R));
2575 }
2576}
2577
2578void MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
2579 SymbolRef Sym) const {
2580
2581 if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2582 C.addSink();
2583 return;
2584 }
2585
2586 std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2587
2588 if (!CheckKind)
2589 return;
2590
2591 if (ExplodedNode *N = C.generateErrorNode()) {
2592 if (!BT_UseZerroAllocated[*CheckKind])
2593 BT_UseZerroAllocated[*CheckKind].reset(
2594 p: new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2595 categories::MemoryError));
2596
2597 auto R = std::make_unique<PathSensitiveBugReport>(
2598 args&: *BT_UseZerroAllocated[*CheckKind],
2599 args: "Use of memory allocated with size zero", args&: N);
2600
2601 R->addRange(R: Range);
2602 if (Sym) {
2603 R->markInteresting(sym: Sym);
2604 R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2605 }
2606 C.emitReport(R: std::move(R));
2607 }
2608}
2609
2610void MallocChecker::HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal,
2611 SourceRange Range,
2612 const Expr *FreeExpr,
2613 AllocationFamily Family) const {
2614 if (!ChecksEnabled[CK_MallocChecker]) {
2615 C.addSink();
2616 return;
2617 }
2618
2619 std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2620 if (!CheckKind)
2621 return;
2622
2623 if (ExplodedNode *N = C.generateErrorNode()) {
2624 if (!BT_BadFree[*CheckKind])
2625 BT_BadFree[*CheckKind].reset(p: new BugType(
2626 CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2627
2628 SmallString<100> Buf;
2629 llvm::raw_svector_ostream Os(Buf);
2630
2631 const MemRegion *MR = ArgVal.getAsRegion();
2632 while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(Val: MR))
2633 MR = ER->getSuperRegion();
2634
2635 Os << "Argument to ";
2636 if (!printMemFnName(os&: Os, C, E: FreeExpr))
2637 Os << "deallocator";
2638
2639 Os << " is a function pointer";
2640
2641 auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT_BadFree[*CheckKind],
2642 args: Os.str(), args&: N);
2643 R->markInteresting(R: MR);
2644 R->addRange(R: Range);
2645 C.emitReport(R: std::move(R));
2646 }
2647}
2648
2649ProgramStateRef
2650MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
2651 bool ShouldFreeOnFail, ProgramStateRef State,
2652 AllocationFamily Family, bool SuffixWithN) const {
2653 if (!State)
2654 return nullptr;
2655
2656 const CallExpr *CE = cast<CallExpr>(Val: Call.getOriginExpr());
2657
2658 if (SuffixWithN && CE->getNumArgs() < 3)
2659 return nullptr;
2660 else if (CE->getNumArgs() < 2)
2661 return nullptr;
2662
2663 const Expr *arg0Expr = CE->getArg(Arg: 0);
2664 SVal Arg0Val = C.getSVal(arg0Expr);
2665 if (!isa<DefinedOrUnknownSVal>(Val: Arg0Val))
2666 return nullptr;
2667 DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2668
2669 SValBuilder &svalBuilder = C.getSValBuilder();
2670
2671 DefinedOrUnknownSVal PtrEQ = svalBuilder.evalEQ(
2672 state: State, lhs: arg0Val, rhs: svalBuilder.makeNullWithType(type: arg0Expr->getType()));
2673
2674 // Get the size argument.
2675 const Expr *Arg1 = CE->getArg(Arg: 1);
2676
2677 // Get the value of the size argument.
2678 SVal TotalSize = C.getSVal(Arg1);
2679 if (SuffixWithN)
2680 TotalSize = evalMulForBufferSize(C, Blocks: Arg1, BlockBytes: CE->getArg(Arg: 2));
2681 if (!isa<DefinedOrUnknownSVal>(Val: TotalSize))
2682 return nullptr;
2683
2684 // Compare the size argument to 0.
2685 DefinedOrUnknownSVal SizeZero =
2686 svalBuilder.evalEQ(state: State, lhs: TotalSize.castAs<DefinedOrUnknownSVal>(),
2687 rhs: svalBuilder.makeIntValWithWidth(
2688 ptrType: svalBuilder.getContext().getSizeType(), integer: 0));
2689
2690 ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2691 std::tie(args&: StatePtrIsNull, args&: StatePtrNotNull) = State->assume(Cond: PtrEQ);
2692 ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2693 std::tie(args&: StateSizeIsZero, args&: StateSizeNotZero) = State->assume(Cond: SizeZero);
2694 // We only assume exceptional states if they are definitely true; if the
2695 // state is under-constrained, assume regular realloc behavior.
2696 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2697 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2698
2699 // If the ptr is NULL and the size is not 0, the call is equivalent to
2700 // malloc(size).
2701 if (PrtIsNull && !SizeIsZero) {
2702 ProgramStateRef stateMalloc = MallocMemAux(
2703 C, Call, Size: TotalSize, Init: UndefinedVal(), State: StatePtrIsNull, Family);
2704 return stateMalloc;
2705 }
2706
2707 if (PrtIsNull && SizeIsZero)
2708 return State;
2709
2710 assert(!PrtIsNull);
2711
2712 bool IsKnownToBeAllocated = false;
2713
2714 // If the size is 0, free the memory.
2715 if (SizeIsZero)
2716 // The semantics of the return value are:
2717 // If size was equal to 0, either NULL or a pointer suitable to be passed
2718 // to free() is returned. We just free the input pointer and do not add
2719 // any constrains on the output pointer.
2720 if (ProgramStateRef stateFree = FreeMemAux(
2721 C, Call, State: StateSizeIsZero, Num: 0, Hold: false, IsKnownToBeAllocated, Family))
2722 return stateFree;
2723
2724 // Default behavior.
2725 if (ProgramStateRef stateFree =
2726 FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated, Family)) {
2727
2728 ProgramStateRef stateRealloc =
2729 MallocMemAux(C, Call, Size: TotalSize, Init: UnknownVal(), State: stateFree, Family);
2730 if (!stateRealloc)
2731 return nullptr;
2732
2733 OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;
2734 if (ShouldFreeOnFail)
2735 Kind = OAR_FreeOnFailure;
2736 else if (!IsKnownToBeAllocated)
2737 Kind = OAR_DoNotTrackAfterFailure;
2738
2739 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2740 SymbolRef FromPtr = arg0Val.getLocSymbolInBase();
2741 SVal RetVal = C.getSVal(CE);
2742 SymbolRef ToPtr = RetVal.getAsSymbol();
2743 assert(FromPtr && ToPtr &&
2744 "By this point, FreeMemAux and MallocMemAux should have checked "
2745 "whether the argument or the return value is symbolic!");
2746
2747 // Record the info about the reallocated symbol so that we could properly
2748 // process failed reallocation.
2749 stateRealloc = stateRealloc->set<ReallocPairs>(K: ToPtr,
2750 E: ReallocPair(FromPtr, Kind));
2751 // The reallocated symbol should stay alive for as long as the new symbol.
2752 C.getSymbolManager().addSymbolDependency(Primary: ToPtr, Dependent: FromPtr);
2753 return stateRealloc;
2754 }
2755 return nullptr;
2756}
2757
2758ProgramStateRef MallocChecker::CallocMem(CheckerContext &C,
2759 const CallEvent &Call,
2760 ProgramStateRef State) {
2761 if (!State)
2762 return nullptr;
2763
2764 if (Call.getNumArgs() < 2)
2765 return nullptr;
2766
2767 SValBuilder &svalBuilder = C.getSValBuilder();
2768 SVal zeroVal = svalBuilder.makeZeroVal(type: svalBuilder.getContext().CharTy);
2769 SVal TotalSize =
2770 evalMulForBufferSize(C, Blocks: Call.getArgExpr(Index: 0), BlockBytes: Call.getArgExpr(Index: 1));
2771
2772 return MallocMemAux(C, Call, Size: TotalSize, Init: zeroVal, State, Family: AF_Malloc);
2773}
2774
2775MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N,
2776 SymbolRef Sym,
2777 CheckerContext &C) {
2778 const LocationContext *LeakContext = N->getLocationContext();
2779 // Walk the ExplodedGraph backwards and find the first node that referred to
2780 // the tracked symbol.
2781 const ExplodedNode *AllocNode = N;
2782 const MemRegion *ReferenceRegion = nullptr;
2783
2784 while (N) {
2785 ProgramStateRef State = N->getState();
2786 if (!State->get<RegionState>(key: Sym))
2787 break;
2788
2789 // Find the most recent expression bound to the symbol in the current
2790 // context.
2791 if (!ReferenceRegion) {
2792 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2793 SVal Val = State->getSVal(R: MR);
2794 if (Val.getAsLocSymbol() == Sym) {
2795 const VarRegion *VR = MR->getBaseRegion()->getAs<VarRegion>();
2796 // Do not show local variables belonging to a function other than
2797 // where the error is reported.
2798 if (!VR || (VR->getStackFrame() == LeakContext->getStackFrame()))
2799 ReferenceRegion = MR;
2800 }
2801 }
2802 }
2803
2804 // Allocation node, is the last node in the current or parent context in
2805 // which the symbol was tracked.
2806 const LocationContext *NContext = N->getLocationContext();
2807 if (NContext == LeakContext ||
2808 NContext->isParentOf(LC: LeakContext))
2809 AllocNode = N;
2810 N = N->pred_empty() ? nullptr : *(N->pred_begin());
2811 }
2812
2813 return LeakInfo(AllocNode, ReferenceRegion);
2814}
2815
2816void MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N,
2817 CheckerContext &C) const {
2818
2819 if (!ChecksEnabled[CK_MallocChecker] &&
2820 !ChecksEnabled[CK_NewDeleteLeaksChecker])
2821 return;
2822
2823 const RefState *RS = C.getState()->get<RegionState>(key: Sym);
2824 assert(RS && "cannot leak an untracked symbol");
2825 AllocationFamily Family = RS->getAllocationFamily();
2826
2827 if (Family == AF_Alloca)
2828 return;
2829
2830 std::optional<MallocChecker::CheckKind> CheckKind =
2831 getCheckIfTracked(Family, IsALeakCheck: true);
2832
2833 if (!CheckKind)
2834 return;
2835
2836 assert(N);
2837 if (!BT_Leak[*CheckKind]) {
2838 // Leaks should not be reported if they are post-dominated by a sink:
2839 // (1) Sinks are higher importance bugs.
2840 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2841 // with __noreturn functions such as assert() or exit(). We choose not
2842 // to report leaks on such paths.
2843 BT_Leak[*CheckKind].reset(p: new BugType(CheckNames[*CheckKind], "Memory leak",
2844 categories::MemoryError,
2845 /*SuppressOnSink=*/true));
2846 }
2847
2848 // Most bug reports are cached at the location where they occurred.
2849 // With leaks, we want to unique them by the location where they were
2850 // allocated, and only report a single path.
2851 PathDiagnosticLocation LocUsedForUniqueing;
2852 const ExplodedNode *AllocNode = nullptr;
2853 const MemRegion *Region = nullptr;
2854 std::tie(args&: AllocNode, args&: Region) = getAllocationSite(N, Sym, C);
2855
2856 const Stmt *AllocationStmt = AllocNode->getStmtForDiagnostics();
2857 if (AllocationStmt)
2858 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(S: AllocationStmt,
2859 SM: C.getSourceManager(),
2860 LAC: AllocNode->getLocationContext());
2861
2862 SmallString<200> buf;
2863 llvm::raw_svector_ostream os(buf);
2864 if (Region && Region->canPrintPretty()) {
2865 os << "Potential leak of memory pointed to by ";
2866 Region->printPretty(os);
2867 } else {
2868 os << "Potential memory leak";
2869 }
2870
2871 auto R = std::make_unique<PathSensitiveBugReport>(
2872 args&: *BT_Leak[*CheckKind], args: os.str(), args&: N, args&: LocUsedForUniqueing,
2873 args: AllocNode->getLocationContext()->getDecl());
2874 R->markInteresting(sym: Sym);
2875 R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym, ConstructorArgs: true);
2876 if (ShouldRegisterNoOwnershipChangeVisitor)
2877 R->addVisitor<NoOwnershipChangeVisitor>(ConstructorArgs&: Sym, ConstructorArgs: this);
2878 C.emitReport(R: std::move(R));
2879}
2880
2881void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2882 CheckerContext &C) const
2883{
2884 ProgramStateRef state = C.getState();
2885 RegionStateTy OldRS = state->get<RegionState>();
2886 RegionStateTy::Factory &F = state->get_context<RegionState>();
2887
2888 RegionStateTy RS = OldRS;
2889 SmallVector<SymbolRef, 2> Errors;
2890 for (auto [Sym, State] : RS) {
2891 if (SymReaper.isDead(sym: Sym)) {
2892 if (State.isAllocated() || State.isAllocatedOfSizeZero())
2893 Errors.push_back(Elt: Sym);
2894 // Remove the dead symbol from the map.
2895 RS = F.remove(Old: RS, K: Sym);
2896 }
2897 }
2898
2899 if (RS == OldRS) {
2900 // We shouldn't have touched other maps yet.
2901 assert(state->get<ReallocPairs>() ==
2902 C.getState()->get<ReallocPairs>());
2903 assert(state->get<FreeReturnValue>() ==
2904 C.getState()->get<FreeReturnValue>());
2905 return;
2906 }
2907
2908 // Cleanup the Realloc Pairs Map.
2909 ReallocPairsTy RP = state->get<ReallocPairs>();
2910 for (auto [Sym, ReallocPair] : RP) {
2911 if (SymReaper.isDead(sym: Sym) || SymReaper.isDead(sym: ReallocPair.ReallocatedSym)) {
2912 state = state->remove<ReallocPairs>(K: Sym);
2913 }
2914 }
2915
2916 // Cleanup the FreeReturnValue Map.
2917 FreeReturnValueTy FR = state->get<FreeReturnValue>();
2918 for (auto [Sym, RetSym] : FR) {
2919 if (SymReaper.isDead(sym: Sym) || SymReaper.isDead(sym: RetSym)) {
2920 state = state->remove<FreeReturnValue>(K: Sym);
2921 }
2922 }
2923
2924 // Generate leak node.
2925 ExplodedNode *N = C.getPredecessor();
2926 if (!Errors.empty()) {
2927 static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2928 N = C.generateNonFatalErrorNode(State: C.getState(), Tag: &Tag);
2929 if (N) {
2930 for (SymbolRef Sym : Errors) {
2931 HandleLeak(Sym, N, C);
2932 }
2933 }
2934 }
2935
2936 C.addTransition(State: state->set<RegionState>(RS), Pred: N);
2937}
2938
2939void MallocChecker::checkPreCall(const CallEvent &Call,
2940 CheckerContext &C) const {
2941
2942 if (const auto *DC = dyn_cast<CXXDeallocatorCall>(Val: &Call)) {
2943 const CXXDeleteExpr *DE = DC->getOriginExpr();
2944
2945 if (!ChecksEnabled[CK_NewDeleteChecker])
2946 if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
2947 checkUseAfterFree(Sym, C, DE->getArgument());
2948
2949 if (!isStandardNewDelete(FD: DC->getDecl()))
2950 return;
2951
2952 ProgramStateRef State = C.getState();
2953 bool IsKnownToBeAllocated;
2954 State = FreeMemAux(C, ArgExpr: DE->getArgument(), Call, State,
2955 /*Hold*/ false, IsKnownToBeAllocated,
2956 Family: (DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew));
2957
2958 C.addTransition(State);
2959 return;
2960 }
2961
2962 if (const auto *DC = dyn_cast<CXXDestructorCall>(Val: &Call)) {
2963 SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2964 if (!Sym || checkDoubleDelete(Sym, C))
2965 return;
2966 }
2967
2968 // We need to handle getline pre-conditions here before the pointed region
2969 // gets invalidated by StreamChecker
2970 if (const auto *PreFN = PreFnMap.lookup(Call)) {
2971 (*PreFN)(this, Call, C);
2972 return;
2973 }
2974
2975 // We will check for double free in the post visit.
2976 if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(Val: &Call)) {
2977 const FunctionDecl *FD = FC->getDecl();
2978 if (!FD)
2979 return;
2980
2981 if (ChecksEnabled[CK_MallocChecker] && isFreeingCall(Call))
2982 return;
2983 }
2984
2985 // Check if the callee of a method is deleted.
2986 if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(Val: &Call)) {
2987 SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2988 if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2989 return;
2990 }
2991
2992 // Check arguments for being used after free.
2993 for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2994 SVal ArgSVal = Call.getArgSVal(Index: I);
2995 if (isa<Loc>(Val: ArgSVal)) {
2996 SymbolRef Sym = ArgSVal.getAsSymbol();
2997 if (!Sym)
2998 continue;
2999 if (checkUseAfterFree(Sym, C, Call.getArgExpr(Index: I)))
3000 return;
3001 }
3002 }
3003}
3004
3005void MallocChecker::checkPreStmt(const ReturnStmt *S,
3006 CheckerContext &C) const {
3007 checkEscapeOnReturn(S, C);
3008}
3009
3010// In the CFG, automatic destructors come after the return statement.
3011// This callback checks for returning memory that is freed by automatic
3012// destructors, as those cannot be reached in checkPreStmt().
3013void MallocChecker::checkEndFunction(const ReturnStmt *S,
3014 CheckerContext &C) const {
3015 checkEscapeOnReturn(S, C);
3016}
3017
3018void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
3019 CheckerContext &C) const {
3020 if (!S)
3021 return;
3022
3023 const Expr *E = S->getRetValue();
3024 if (!E)
3025 return;
3026
3027 // Check if we are returning a symbol.
3028 ProgramStateRef State = C.getState();
3029 SVal RetVal = C.getSVal(E);
3030 SymbolRef Sym = RetVal.getAsSymbol();
3031 if (!Sym)
3032 // If we are returning a field of the allocated struct or an array element,
3033 // the callee could still free the memory.
3034 // TODO: This logic should be a part of generic symbol escape callback.
3035 if (const MemRegion *MR = RetVal.getAsRegion())
3036 if (isa<FieldRegion, ElementRegion>(Val: MR))
3037 if (const SymbolicRegion *BMR =
3038 dyn_cast<SymbolicRegion>(Val: MR->getBaseRegion()))
3039 Sym = BMR->getSymbol();
3040
3041 // Check if we are returning freed memory.
3042 if (Sym)
3043 checkUseAfterFree(Sym, C, E);
3044}
3045
3046// TODO: Blocks should be either inlined or should call invalidate regions
3047// upon invocation. After that's in place, special casing here will not be
3048// needed.
3049void MallocChecker::checkPostStmt(const BlockExpr *BE,
3050 CheckerContext &C) const {
3051
3052 // Scan the BlockDecRefExprs for any object the retain count checker
3053 // may be tracking.
3054 if (!BE->getBlockDecl()->hasCaptures())
3055 return;
3056
3057 ProgramStateRef state = C.getState();
3058 const BlockDataRegion *R =
3059 cast<BlockDataRegion>(Val: C.getSVal(BE).getAsRegion());
3060
3061 auto ReferencedVars = R->referenced_vars();
3062 if (ReferencedVars.empty())
3063 return;
3064
3065 SmallVector<const MemRegion*, 10> Regions;
3066 const LocationContext *LC = C.getLocationContext();
3067 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
3068
3069 for (const auto &Var : ReferencedVars) {
3070 const VarRegion *VR = Var.getCapturedRegion();
3071 if (VR->getSuperRegion() == R) {
3072 VR = MemMgr.getVarRegion(VR->getDecl(), LC);
3073 }
3074 Regions.push_back(VR);
3075 }
3076
3077 state =
3078 state->scanReachableSymbols<StopTrackingCallback>(Reachable: Regions).getState();
3079 C.addTransition(State: state);
3080}
3081
3082static bool isReleased(SymbolRef Sym, CheckerContext &C) {
3083 assert(Sym);
3084 const RefState *RS = C.getState()->get<RegionState>(key: Sym);
3085 return (RS && RS->isReleased());
3086}
3087
3088bool MallocChecker::suppressDeallocationsInSuspiciousContexts(
3089 const CallEvent &Call, CheckerContext &C) const {
3090 if (Call.getNumArgs() == 0)
3091 return false;
3092
3093 StringRef FunctionStr = "";
3094 if (const auto *FD = dyn_cast<FunctionDecl>(Val: C.getStackFrame()->getDecl()))
3095 if (const Stmt *Body = FD->getBody())
3096 if (Body->getBeginLoc().isValid())
3097 FunctionStr =
3098 Lexer::getSourceText(Range: CharSourceRange::getTokenRange(
3099 {FD->getBeginLoc(), Body->getBeginLoc()}),
3100 SM: C.getSourceManager(), LangOpts: C.getLangOpts());
3101
3102 // We do not model the Integer Set Library's retain-count based allocation.
3103 if (!FunctionStr.contains(Other: "__isl_"))
3104 return false;
3105
3106 ProgramStateRef State = C.getState();
3107
3108 for (const Expr *Arg : cast<CallExpr>(Val: Call.getOriginExpr())->arguments())
3109 if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol())
3110 if (const RefState *RS = State->get<RegionState>(key: Sym))
3111 State = State->set<RegionState>(K: Sym, E: RefState::getEscaped(RS));
3112
3113 C.addTransition(State);
3114 return true;
3115}
3116
3117bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
3118 const Stmt *S) const {
3119
3120 if (isReleased(Sym, C)) {
3121 HandleUseAfterFree(C, Range: S->getSourceRange(), Sym);
3122 return true;
3123 }
3124
3125 return false;
3126}
3127
3128void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
3129 const Stmt *S) const {
3130 assert(Sym);
3131
3132 if (const RefState *RS = C.getState()->get<RegionState>(key: Sym)) {
3133 if (RS->isAllocatedOfSizeZero())
3134 HandleUseZeroAlloc(C, Range: RS->getStmt()->getSourceRange(), Sym);
3135 }
3136 else if (C.getState()->contains<ReallocSizeZeroSymbols>(key: Sym)) {
3137 HandleUseZeroAlloc(C, Range: S->getSourceRange(), Sym);
3138 }
3139}
3140
3141bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
3142
3143 if (isReleased(Sym, C)) {
3144 HandleDoubleDelete(C, Sym);
3145 return true;
3146 }
3147 return false;
3148}
3149
3150// Check if the location is a freed symbolic region.
3151void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
3152 CheckerContext &C) const {
3153 SymbolRef Sym = l.getLocSymbolInBase();
3154 if (Sym) {
3155 checkUseAfterFree(Sym, C, S);
3156 checkUseZeroAllocated(Sym, C, S);
3157 }
3158}
3159
3160// If a symbolic region is assumed to NULL (or another constant), stop tracking
3161// it - assuming that allocation failed on this path.
3162ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
3163 SVal Cond,
3164 bool Assumption) const {
3165 RegionStateTy RS = state->get<RegionState>();
3166 for (SymbolRef Sym : llvm::make_first_range(c&: RS)) {
3167 // If the symbol is assumed to be NULL, remove it from consideration.
3168 ConstraintManager &CMgr = state->getConstraintManager();
3169 ConditionTruthVal AllocFailed = CMgr.isNull(State: state, Sym);
3170 if (AllocFailed.isConstrainedTrue())
3171 state = state->remove<RegionState>(K: Sym);
3172 }
3173
3174 // Realloc returns 0 when reallocation fails, which means that we should
3175 // restore the state of the pointer being reallocated.
3176 ReallocPairsTy RP = state->get<ReallocPairs>();
3177 for (auto [Sym, ReallocPair] : RP) {
3178 // If the symbol is assumed to be NULL, remove it from consideration.
3179 ConstraintManager &CMgr = state->getConstraintManager();
3180 ConditionTruthVal AllocFailed = CMgr.isNull(State: state, Sym);
3181 if (!AllocFailed.isConstrainedTrue())
3182 continue;
3183
3184 SymbolRef ReallocSym = ReallocPair.ReallocatedSym;
3185 if (const RefState *RS = state->get<RegionState>(key: ReallocSym)) {
3186 if (RS->isReleased()) {
3187 switch (ReallocPair.Kind) {
3188 case OAR_ToBeFreedAfterFailure:
3189 state = state->set<RegionState>(K: ReallocSym,
3190 E: RefState::getAllocated(family: RS->getAllocationFamily(), s: RS->getStmt()));
3191 break;
3192 case OAR_DoNotTrackAfterFailure:
3193 state = state->remove<RegionState>(K: ReallocSym);
3194 break;
3195 default:
3196 assert(ReallocPair.Kind == OAR_FreeOnFailure);
3197 }
3198 }
3199 }
3200 state = state->remove<ReallocPairs>(K: Sym);
3201 }
3202
3203 return state;
3204}
3205
3206bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
3207 const CallEvent *Call,
3208 ProgramStateRef State,
3209 SymbolRef &EscapingSymbol) const {
3210 assert(Call);
3211 EscapingSymbol = nullptr;
3212
3213 // For now, assume that any C++ or block call can free memory.
3214 // TODO: If we want to be more optimistic here, we'll need to make sure that
3215 // regions escape to C++ containers. They seem to do that even now, but for
3216 // mysterious reasons.
3217 if (!isa<SimpleFunctionCall, ObjCMethodCall>(Val: Call))
3218 return true;
3219
3220 // Check Objective-C messages by selector name.
3221 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Val: Call)) {
3222 // If it's not a framework call, or if it takes a callback, assume it
3223 // can free memory.
3224 if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
3225 return true;
3226
3227 // If it's a method we know about, handle it explicitly post-call.
3228 // This should happen before the "freeWhenDone" check below.
3229 if (isKnownDeallocObjCMethodName(Call: *Msg))
3230 return false;
3231
3232 // If there's a "freeWhenDone" parameter, but the method isn't one we know
3233 // about, we can't be sure that the object will use free() to deallocate the
3234 // memory, so we can't model it explicitly. The best we can do is use it to
3235 // decide whether the pointer escapes.
3236 if (std::optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call: *Msg))
3237 return *FreeWhenDone;
3238
3239 // If the first selector piece ends with "NoCopy", and there is no
3240 // "freeWhenDone" parameter set to zero, we know ownership is being
3241 // transferred. Again, though, we can't be sure that the object will use
3242 // free() to deallocate the memory, so we can't model it explicitly.
3243 StringRef FirstSlot = Msg->getSelector().getNameForSlot(argIndex: 0);
3244 if (FirstSlot.ends_with(Suffix: "NoCopy"))
3245 return true;
3246
3247 // If the first selector starts with addPointer, insertPointer,
3248 // or replacePointer, assume we are dealing with NSPointerArray or similar.
3249 // This is similar to C++ containers (vector); we still might want to check
3250 // that the pointers get freed by following the container itself.
3251 if (FirstSlot.starts_with(Prefix: "addPointer") ||
3252 FirstSlot.starts_with(Prefix: "insertPointer") ||
3253 FirstSlot.starts_with(Prefix: "replacePointer") ||
3254 FirstSlot.equals(RHS: "valueWithPointer")) {
3255 return true;
3256 }
3257
3258 // We should escape receiver on call to 'init'. This is especially relevant
3259 // to the receiver, as the corresponding symbol is usually not referenced
3260 // after the call.
3261 if (Msg->getMethodFamily() == OMF_init) {
3262 EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
3263 return true;
3264 }
3265
3266 // Otherwise, assume that the method does not free memory.
3267 // Most framework methods do not free memory.
3268 return false;
3269 }
3270
3271 // At this point the only thing left to handle is straight function calls.
3272 const FunctionDecl *FD = cast<SimpleFunctionCall>(Val: Call)->getDecl();
3273 if (!FD)
3274 return true;
3275
3276 // If it's one of the allocation functions we can reason about, we model
3277 // its behavior explicitly.
3278 if (isMemCall(Call: *Call))
3279 return false;
3280
3281 // If it's not a system call, assume it frees memory.
3282 if (!Call->isInSystemHeader())
3283 return true;
3284
3285 // White list the system functions whose arguments escape.
3286 const IdentifierInfo *II = FD->getIdentifier();
3287 if (!II)
3288 return true;
3289 StringRef FName = II->getName();
3290
3291 // White list the 'XXXNoCopy' CoreFoundation functions.
3292 // We specifically check these before
3293 if (FName.ends_with(Suffix: "NoCopy")) {
3294 // Look for the deallocator argument. We know that the memory ownership
3295 // is not transferred only if the deallocator argument is
3296 // 'kCFAllocatorNull'.
3297 for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
3298 const Expr *ArgE = Call->getArgExpr(Index: i)->IgnoreParenCasts();
3299 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(Val: ArgE)) {
3300 StringRef DeallocatorName = DE->getFoundDecl()->getName();
3301 if (DeallocatorName == "kCFAllocatorNull")
3302 return false;
3303 }
3304 }
3305 return true;
3306 }
3307
3308 // Associating streams with malloced buffers. The pointer can escape if
3309 // 'closefn' is specified (and if that function does free memory),
3310 // but it will not if closefn is not specified.
3311 // Currently, we do not inspect the 'closefn' function (PR12101).
3312 if (FName == "funopen")
3313 if (Call->getNumArgs() >= 4 && Call->getArgSVal(Index: 4).isConstant(I: 0))
3314 return false;
3315
3316 // Do not warn on pointers passed to 'setbuf' when used with std streams,
3317 // these leaks might be intentional when setting the buffer for stdio.
3318 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
3319 if (FName == "setbuf" || FName =="setbuffer" ||
3320 FName == "setlinebuf" || FName == "setvbuf") {
3321 if (Call->getNumArgs() >= 1) {
3322 const Expr *ArgE = Call->getArgExpr(Index: 0)->IgnoreParenCasts();
3323 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(Val: ArgE))
3324 if (const VarDecl *D = dyn_cast<VarDecl>(Val: ArgDRE->getDecl()))
3325 if (D->getCanonicalDecl()->getName().contains("std"))
3326 return true;
3327 }
3328 }
3329
3330 // A bunch of other functions which either take ownership of a pointer or
3331 // wrap the result up in a struct or object, meaning it can be freed later.
3332 // (See RetainCountChecker.) Not all the parameters here are invalidated,
3333 // but the Malloc checker cannot differentiate between them. The right way
3334 // of doing this would be to implement a pointer escapes callback.
3335 if (FName == "CGBitmapContextCreate" ||
3336 FName == "CGBitmapContextCreateWithData" ||
3337 FName == "CVPixelBufferCreateWithBytes" ||
3338 FName == "CVPixelBufferCreateWithPlanarBytes" ||
3339 FName == "OSAtomicEnqueue") {
3340 return true;
3341 }
3342
3343 if (FName == "postEvent" &&
3344 FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
3345 return true;
3346 }
3347
3348 if (FName == "connectImpl" &&
3349 FD->getQualifiedNameAsString() == "QObject::connectImpl") {
3350 return true;
3351 }
3352
3353 if (FName == "singleShotImpl" &&
3354 FD->getQualifiedNameAsString() == "QTimer::singleShotImpl") {
3355 return true;
3356 }
3357
3358 // Handle cases where we know a buffer's /address/ can escape.
3359 // Note that the above checks handle some special cases where we know that
3360 // even though the address escapes, it's still our responsibility to free the
3361 // buffer.
3362 if (Call->argumentsMayEscape())
3363 return true;
3364
3365 // Otherwise, assume that the function does not free memory.
3366 // Most system calls do not free the memory.
3367 return false;
3368}
3369
3370ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
3371 const InvalidatedSymbols &Escaped,
3372 const CallEvent *Call,
3373 PointerEscapeKind Kind) const {
3374 return checkPointerEscapeAux(State, Escaped, Call, Kind,
3375 /*IsConstPointerEscape*/ false);
3376}
3377
3378ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
3379 const InvalidatedSymbols &Escaped,
3380 const CallEvent *Call,
3381 PointerEscapeKind Kind) const {
3382 // If a const pointer escapes, it may not be freed(), but it could be deleted.
3383 return checkPointerEscapeAux(State, Escaped, Call, Kind,
3384 /*IsConstPointerEscape*/ true);
3385}
3386
3387static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
3388 return (RS->getAllocationFamily() == AF_CXXNewArray ||
3389 RS->getAllocationFamily() == AF_CXXNew);
3390}
3391
3392ProgramStateRef MallocChecker::checkPointerEscapeAux(
3393 ProgramStateRef State, const InvalidatedSymbols &Escaped,
3394 const CallEvent *Call, PointerEscapeKind Kind,
3395 bool IsConstPointerEscape) const {
3396 // If we know that the call does not free memory, or we want to process the
3397 // call later, keep tracking the top level arguments.
3398 SymbolRef EscapingSymbol = nullptr;
3399 if (Kind == PSK_DirectEscapeOnCall &&
3400 !mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
3401 EscapingSymbol) &&
3402 !EscapingSymbol) {
3403 return State;
3404 }
3405
3406 for (SymbolRef sym : Escaped) {
3407 if (EscapingSymbol && EscapingSymbol != sym)
3408 continue;
3409
3410 if (const RefState *RS = State->get<RegionState>(key: sym))
3411 if (RS->isAllocated() || RS->isAllocatedOfSizeZero())
3412 if (!IsConstPointerEscape || checkIfNewOrNewArrayFamily(RS))
3413 State = State->set<RegionState>(K: sym, E: RefState::getEscaped(RS));
3414 }
3415 return State;
3416}
3417
3418bool MallocChecker::isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
3419 SVal ArgVal) const {
3420 if (!KernelZeroSizePtrValue)
3421 KernelZeroSizePtrValue =
3422 tryExpandAsInteger(Macro: "ZERO_SIZE_PTR", PP: C.getPreprocessor());
3423
3424 const llvm::APSInt *ArgValKnown =
3425 C.getSValBuilder().getKnownValue(state: State, val: ArgVal);
3426 return ArgValKnown && *KernelZeroSizePtrValue &&
3427 ArgValKnown->getSExtValue() == **KernelZeroSizePtrValue;
3428}
3429
3430static SymbolRef findFailedReallocSymbol(ProgramStateRef currState,
3431 ProgramStateRef prevState) {
3432 ReallocPairsTy currMap = currState->get<ReallocPairs>();
3433 ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
3434
3435 for (const ReallocPairsTy::value_type &Pair : prevMap) {
3436 SymbolRef sym = Pair.first;
3437 if (!currMap.lookup(K: sym))
3438 return sym;
3439 }
3440
3441 return nullptr;
3442}
3443
3444static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) {
3445 if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
3446 StringRef N = II->getName();
3447 if (N.contains_insensitive(Other: "ptr") || N.contains_insensitive(Other: "pointer")) {
3448 if (N.contains_insensitive(Other: "ref") || N.contains_insensitive(Other: "cnt") ||
3449 N.contains_insensitive(Other: "intrusive") ||
3450 N.contains_insensitive(Other: "shared")) {
3451 return true;
3452 }
3453 }
3454 }
3455 return false;
3456}
3457
3458PathDiagnosticPieceRef MallocBugVisitor::VisitNode(const ExplodedNode *N,
3459 BugReporterContext &BRC,
3460 PathSensitiveBugReport &BR) {
3461 ProgramStateRef state = N->getState();
3462 ProgramStateRef statePrev = N->getFirstPred()->getState();
3463
3464 const RefState *RSCurr = state->get<RegionState>(key: Sym);
3465 const RefState *RSPrev = statePrev->get<RegionState>(key: Sym);
3466
3467 const Stmt *S = N->getStmtForDiagnostics();
3468 // When dealing with containers, we sometimes want to give a note
3469 // even if the statement is missing.
3470 if (!S && (!RSCurr || RSCurr->getAllocationFamily() != AF_InnerBuffer))
3471 return nullptr;
3472
3473 const LocationContext *CurrentLC = N->getLocationContext();
3474
3475 // If we find an atomic fetch_add or fetch_sub within the destructor in which
3476 // the pointer was released (before the release), this is likely a destructor
3477 // of a shared pointer.
3478 // Because we don't model atomics, and also because we don't know that the
3479 // original reference count is positive, we should not report use-after-frees
3480 // on objects deleted in such destructors. This can probably be improved
3481 // through better shared pointer modeling.
3482 if (ReleaseDestructorLC) {
3483 if (const auto *AE = dyn_cast<AtomicExpr>(Val: S)) {
3484 AtomicExpr::AtomicOp Op = AE->getOp();
3485 if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
3486 Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
3487 if (ReleaseDestructorLC == CurrentLC ||
3488 ReleaseDestructorLC->isParentOf(LC: CurrentLC)) {
3489 BR.markInvalid(Tag: getTag(), Data: S);
3490 }
3491 }
3492 }
3493 }
3494
3495 // FIXME: We will eventually need to handle non-statement-based events
3496 // (__attribute__((cleanup))).
3497
3498 // Find out if this is an interesting point and what is the kind.
3499 StringRef Msg;
3500 std::unique_ptr<StackHintGeneratorForSymbol> StackHint = nullptr;
3501 SmallString<256> Buf;
3502 llvm::raw_svector_ostream OS(Buf);
3503
3504 if (Mode == Normal) {
3505 if (isAllocated(RSCurr, RSPrev, Stmt: S)) {
3506 Msg = "Memory is allocated";
3507 StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3508 args&: Sym, args: "Returned allocated memory");
3509 } else if (isReleased(RSCurr, RSPrev, Stmt: S)) {
3510 const auto Family = RSCurr->getAllocationFamily();
3511 switch (Family) {
3512 case AF_Alloca:
3513 case AF_Malloc:
3514 case AF_CXXNew:
3515 case AF_CXXNewArray:
3516 case AF_IfNameIndex:
3517 Msg = "Memory is released";
3518 StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3519 args&: Sym, args: "Returning; memory was released");
3520 break;
3521 case AF_InnerBuffer: {
3522 const MemRegion *ObjRegion =
3523 allocation_state::getContainerObjRegion(State: statePrev, Sym);
3524 const auto *TypedRegion = cast<TypedValueRegion>(Val: ObjRegion);
3525 QualType ObjTy = TypedRegion->getValueType();
3526 OS << "Inner buffer of '" << ObjTy << "' ";
3527
3528 if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
3529 OS << "deallocated by call to destructor";
3530 StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3531 args&: Sym, args: "Returning; inner buffer was deallocated");
3532 } else {
3533 OS << "reallocated by call to '";
3534 const Stmt *S = RSCurr->getStmt();
3535 if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(Val: S)) {
3536 OS << MemCallE->getMethodDecl()->getDeclName();
3537 } else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(Val: S)) {
3538 OS << OpCallE->getDirectCallee()->getDeclName();
3539 } else if (const auto *CallE = dyn_cast<CallExpr>(Val: S)) {
3540 auto &CEMgr = BRC.getStateManager().getCallEventManager();
3541 CallEventRef<> Call =
3542 CEMgr.getSimpleCall(E: CallE, State: state, LCtx: CurrentLC, ElemRef: {nullptr, 0});
3543 if (const auto *D = dyn_cast_or_null<NamedDecl>(Val: Call->getDecl()))
3544 OS << D->getDeclName();
3545 else
3546 OS << "unknown";
3547 }
3548 OS << "'";
3549 StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3550 args&: Sym, args: "Returning; inner buffer was reallocated");
3551 }
3552 Msg = OS.str();
3553 break;
3554 }
3555 case AF_None:
3556 llvm_unreachable("Unhandled allocation family!");
3557 }
3558
3559 // See if we're releasing memory while inlining a destructor
3560 // (or one of its callees). This turns on various common
3561 // false positive suppressions.
3562 bool FoundAnyDestructor = false;
3563 for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
3564 if (const auto *DD = dyn_cast<CXXDestructorDecl>(Val: LC->getDecl())) {
3565 if (isReferenceCountingPointerDestructor(DD)) {
3566 // This immediately looks like a reference-counting destructor.
3567 // We're bad at guessing the original reference count of the object,
3568 // so suppress the report for now.
3569 BR.markInvalid(Tag: getTag(), Data: DD);
3570 } else if (!FoundAnyDestructor) {
3571 assert(!ReleaseDestructorLC &&
3572 "There can be only one release point!");
3573 // Suspect that it's a reference counting pointer destructor.
3574 // On one of the next nodes might find out that it has atomic
3575 // reference counting operations within it (see the code above),
3576 // and if so, we'd conclude that it likely is a reference counting
3577 // pointer destructor.
3578 ReleaseDestructorLC = LC->getStackFrame();
3579 // It is unlikely that releasing memory is delegated to a destructor
3580 // inside a destructor of a shared pointer, because it's fairly hard
3581 // to pass the information that the pointer indeed needs to be
3582 // released into it. So we're only interested in the innermost
3583 // destructor.
3584 FoundAnyDestructor = true;
3585 }
3586 }
3587 }
3588 } else if (isRelinquished(RSCurr, RSPrev, Stmt: S)) {
3589 Msg = "Memory ownership is transferred";
3590 StackHint = std::make_unique<StackHintGeneratorForSymbol>(args&: Sym, args: "");
3591 } else if (hasReallocFailed(RSCurr, RSPrev, Stmt: S)) {
3592 Mode = ReallocationFailed;
3593 Msg = "Reallocation failed";
3594 StackHint = std::make_unique<StackHintGeneratorForReallocationFailed>(
3595 args&: Sym, args: "Reallocation failed");
3596
3597 if (SymbolRef sym = findFailedReallocSymbol(currState: state, prevState: statePrev)) {
3598 // Is it possible to fail two reallocs WITHOUT testing in between?
3599 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
3600 "We only support one failed realloc at a time.");
3601 BR.markInteresting(sym);
3602 FailedReallocSymbol = sym;
3603 }
3604 }
3605
3606 // We are in a special mode if a reallocation failed later in the path.
3607 } else if (Mode == ReallocationFailed) {
3608 assert(FailedReallocSymbol && "No symbol to look for.");
3609
3610 // Is this is the first appearance of the reallocated symbol?
3611 if (!statePrev->get<RegionState>(key: FailedReallocSymbol)) {
3612 // We're at the reallocation point.
3613 Msg = "Attempt to reallocate memory";
3614 StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3615 args&: Sym, args: "Returned reallocated memory");
3616 FailedReallocSymbol = nullptr;
3617 Mode = Normal;
3618 }
3619 }
3620
3621 if (Msg.empty()) {
3622 assert(!StackHint);
3623 return nullptr;
3624 }
3625
3626 assert(StackHint);
3627
3628 // Generate the extra diagnostic.
3629 PathDiagnosticLocation Pos;
3630 if (!S) {
3631 assert(RSCurr->getAllocationFamily() == AF_InnerBuffer);
3632 auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
3633 if (!PostImplCall)
3634 return nullptr;
3635 Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
3636 BRC.getSourceManager());
3637 } else {
3638 Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
3639 N->getLocationContext());
3640 }
3641
3642 auto P = std::make_shared<PathDiagnosticEventPiece>(args&: Pos, args&: Msg, args: true);
3643 BR.addCallStackHint(Piece: P, StackHint: std::move(StackHint));
3644 return P;
3645}
3646
3647void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
3648 const char *NL, const char *Sep) const {
3649
3650 RegionStateTy RS = State->get<RegionState>();
3651
3652 if (!RS.isEmpty()) {
3653 Out << Sep << "MallocChecker :" << NL;
3654 for (auto [Sym, Data] : RS) {
3655 const RefState *RefS = State->get<RegionState>(key: Sym);
3656 AllocationFamily Family = RefS->getAllocationFamily();
3657 std::optional<MallocChecker::CheckKind> CheckKind =
3658 getCheckIfTracked(Family);
3659 if (!CheckKind)
3660 CheckKind = getCheckIfTracked(Family, IsALeakCheck: true);
3661
3662 Sym->dumpToStream(os&: Out);
3663 Out << " : ";
3664 Data.dump(OS&: Out);
3665 if (CheckKind)
3666 Out << " (" << CheckNames[*CheckKind].getName() << ")";
3667 Out << NL;
3668 }
3669 }
3670}
3671
3672namespace clang {
3673namespace ento {
3674namespace allocation_state {
3675
3676ProgramStateRef
3677markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) {
3678 AllocationFamily Family = AF_InnerBuffer;
3679 return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3680}
3681
3682} // end namespace allocation_state
3683} // end namespace ento
3684} // end namespace clang
3685
3686// Intended to be used in InnerPointerChecker to register the part of
3687// MallocChecker connected to it.
3688void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) {
3689 MallocChecker *checker = mgr.getChecker<MallocChecker>();
3690 checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
3691 checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
3692 mgr.getCurrentCheckerName();
3693}
3694
3695void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
3696 auto *checker = mgr.registerChecker<MallocChecker>();
3697 checker->ShouldIncludeOwnershipAnnotatedFunctions =
3698 mgr.getAnalyzerOptions().getCheckerBooleanOption(C: checker, OptionName: "Optimistic");
3699 checker->ShouldRegisterNoOwnershipChangeVisitor =
3700 mgr.getAnalyzerOptions().getCheckerBooleanOption(
3701 C: checker, OptionName: "AddNoOwnershipChangeNotes");
3702}
3703
3704bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {
3705 return true;
3706}
3707
3708#define REGISTER_CHECKER(name) \
3709 void ento::register##name(CheckerManager &mgr) { \
3710 MallocChecker *checker = mgr.getChecker<MallocChecker>(); \
3711 checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3712 checker->CheckNames[MallocChecker::CK_##name] = \
3713 mgr.getCurrentCheckerName(); \
3714 } \
3715 \
3716 bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
3717
3718REGISTER_CHECKER(MallocChecker)
3719REGISTER_CHECKER(NewDeleteChecker)
3720REGISTER_CHECKER(NewDeleteLeaksChecker)
3721REGISTER_CHECKER(MismatchedDeallocatorChecker)
3722

source code of clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp