1	//=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This file defines a variety of memory management related checkers, such as
10	// leak, double free, and use-after-free.
11	//
12	// The following checkers are defined here:
13	//
14	// * MallocChecker
15	// Despite its name, it models all sorts of memory allocations and
16	// de- or reallocation, including but not limited to malloc, free,
17	// relloc, new, delete. It also reports on a variety of memory misuse
18	// errors.
19	// Many other checkers interact very closely with this checker, in fact,
20	// most are merely options to this one. Other checkers may register
21	// MallocChecker, but do not enable MallocChecker's reports (more details
22	// to follow around its field, ChecksEnabled).
23	// It also has a boolean "Optimistic" checker option, which if set to true
24	// will cause the checker to model user defined memory management related
25	// functions annotated via the attribute ownership_takes, ownership_holds
26	// and ownership_returns.
27	//
28	// * NewDeleteChecker
29	// Enables the modeling of new, new[], delete, delete[] in MallocChecker,
30	// and checks for related double-free and use-after-free errors.
31	//
32	// * NewDeleteLeaksChecker
33	// Checks for leaks related to new, new[], delete, delete[].
34	// Depends on NewDeleteChecker.
35	//
36	// * MismatchedDeallocatorChecker
37	// Enables checking whether memory is deallocated with the correspending
38	// allocation function in MallocChecker, such as malloc() allocated
39	// regions are only freed by free(), new by delete, new[] by delete[].
40	//
41	// InnerPointerChecker interacts very closely with MallocChecker, but unlike
42	// the above checkers, it has it's own file, hence the many InnerPointerChecker
43	// related headers and non-static functions.
44	//
45	//===----------------------------------------------------------------------===//
46
47	#include "AllocationState.h"
48	#include "InterCheckerAPI.h"
49	#include "clang/AST/Attr.h"
50	#include "clang/AST/DeclCXX.h"
51	#include "clang/AST/DeclTemplate.h"
52	#include "clang/AST/Expr.h"
53	#include "clang/AST/ExprCXX.h"
54	#include "clang/AST/ParentMap.h"
55	#include "clang/ASTMatchers/ASTMatchFinder.h"
56	#include "clang/ASTMatchers/ASTMatchers.h"
57	#include "clang/Analysis/ProgramPoint.h"
58	#include "clang/Basic/LLVM.h"
59	#include "clang/Basic/SourceManager.h"
60	#include "clang/Basic/TargetInfo.h"
61	#include "clang/Lex/Lexer.h"
62	#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
63	#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
64	#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
65	#include "clang/StaticAnalyzer/Core/Checker.h"
66	#include "clang/StaticAnalyzer/Core/CheckerManager.h"
67	#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
68	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
69	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
70	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
71	#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
72	#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
73	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
74	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
75	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
76	#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
77	#include "clang/StaticAnalyzer/Core/PathSensitive/StoreRef.h"
78	#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
79	#include "llvm/ADT/STLExtras.h"
80	#include "llvm/ADT/SetOperations.h"
81	#include "llvm/ADT/SmallString.h"
82	#include "llvm/ADT/StringExtras.h"
83	#include "llvm/Support/Casting.h"
84	#include "llvm/Support/Compiler.h"
85	#include "llvm/Support/ErrorHandling.h"
86	#include "llvm/Support/raw_ostream.h"
87	#include <climits>
88	#include <functional>
89	#include <optional>
90	#include <utility>
91
92	using namespace clang;
93	using namespace ento;
94	using namespace std::placeholders;
95
96	//===----------------------------------------------------------------------===//
97	// The types of allocation we're modeling. This is used to check whether a
98	// dynamically allocated object is deallocated with the correct function, like
99	// not using operator delete on an object created by malloc(), or alloca regions
100	// aren't ever deallocated manually.
101	//===----------------------------------------------------------------------===//
102
103	namespace {
104
105	// Used to check correspondence between allocators and deallocators.
106	enum AllocationFamily {
107	AF_None,
108	AF_Malloc,
109	AF_CXXNew,
110	AF_CXXNewArray,
111	AF_IfNameIndex,
112	AF_Alloca,
113	AF_InnerBuffer
114	};
115
116	} // end of anonymous namespace
117
118	/// Print names of allocators and deallocators.
119	///
120	/// \returns true on success.
121	static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E);
122
123	/// Print expected name of an allocator based on the deallocator's family
124	/// derived from the DeallocExpr.
125	static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family);
126
127	/// Print expected name of a deallocator based on the allocator's
128	/// family.
129	static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family);
130
131	//===----------------------------------------------------------------------===//
132	// The state of a symbol, in terms of memory management.
133	//===----------------------------------------------------------------------===//
134
135	namespace {
136
137	class RefState {
138	enum Kind {
139	// Reference to allocated memory.
140	Allocated,
141	// Reference to zero-allocated memory.
142	AllocatedOfSizeZero,
143	// Reference to released/freed memory.
144	Released,
145	// The responsibility for freeing resources has transferred from
146	// this reference. A relinquished symbol should not be freed.
147	Relinquished,
148	// We are no longer guaranteed to have observed all manipulations
149	// of this pointer/memory. For example, it could have been
150	// passed as a parameter to an opaque function.
151	Escaped
152	};
153
154	const Stmt *S;
155
156	Kind K;
157	AllocationFamily Family;
158
159	RefState(Kind k, const Stmt *s, AllocationFamily family)
160	: S(s), K(k), Family(family) {
161	assert(family != AF_None);
162	}
163
164	public:
165	bool isAllocated() const { return K == Allocated; }
166	bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
167	bool isReleased() const { return K == Released; }
168	bool isRelinquished() const { return K == Relinquished; }
169	bool isEscaped() const { return K == Escaped; }
170	AllocationFamily getAllocationFamily() const { return Family; }
171	const Stmt *getStmt() const { return S; }
172
173	bool operator==(const RefState &X) const {
174	return K == X.K && S == X.S && Family == X.Family;
175	}
176
177	static RefState getAllocated(AllocationFamily family, const Stmt *s) {
178	return RefState(Allocated, s, family);
179	}
180	static RefState getAllocatedOfSizeZero(const RefState *RS) {
181	return RefState(AllocatedOfSizeZero, RS->getStmt(),
182	RS->getAllocationFamily());
183	}
184	static RefState getReleased(AllocationFamily family, const Stmt *s) {
185	return RefState(Released, s, family);
186	}
187	static RefState getRelinquished(AllocationFamily family, const Stmt *s) {
188	return RefState(Relinquished, s, family);
189	}
190	static RefState getEscaped(const RefState *RS) {
191	return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
192	}
193
194	void Profile(llvm::FoldingSetNodeID &ID) const {
195	ID.AddInteger(I: K);
196	ID.AddPointer(Ptr: S);
197	ID.AddInteger(I: Family);
198	}
199
200	LLVM_DUMP_METHOD void dump(raw_ostream &OS) const {
201	switch (K) {
202	#define CASE(ID) case ID: OS << #ID; break;
203	CASE(Allocated)
204	CASE(AllocatedOfSizeZero)
205	CASE(Released)
206	CASE(Relinquished)
207	CASE(Escaped)
208	}
209	}
210
211	LLVM_DUMP_METHOD void dump() const { dump(OS&: llvm::errs()); }
212	};
213
214	} // end of anonymous namespace
215
216	REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
217
218	/// Check if the memory associated with this symbol was released.
219	static bool isReleased(SymbolRef Sym, CheckerContext &C);
220
221	/// Update the RefState to reflect the new memory allocation.
222	/// The optional \p RetVal parameter specifies the newly allocated pointer
223	/// value; if unspecified, the value of expression \p E is used.
224	static ProgramStateRef
225	MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
226	AllocationFamily Family,
227	std::optional<SVal> RetVal = std::nullopt);
228
229	//===----------------------------------------------------------------------===//
230	// The modeling of memory reallocation.
231	//
232	// The terminology 'toPtr' and 'fromPtr' will be used:
233	// toPtr = realloc(fromPtr, 20);
234	//===----------------------------------------------------------------------===//
235
236	REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
237
238	namespace {
239
240	/// The state of 'fromPtr' after reallocation is known to have failed.
241	enum OwnershipAfterReallocKind {
242	// The symbol needs to be freed (e.g.: realloc)
243	OAR_ToBeFreedAfterFailure,
244	// The symbol has been freed (e.g.: reallocf)
245	OAR_FreeOnFailure,
246	// The symbol doesn't have to freed (e.g.: we aren't sure if, how and where
247	// 'fromPtr' was allocated:
248	// void Haha(int *ptr) {
249	// ptr = realloc(ptr, 67);
250	// // ...
251	// }
252	// ).
253	OAR_DoNotTrackAfterFailure
254	};
255
256	/// Stores information about the 'fromPtr' symbol after reallocation.
257	///
258	/// This is important because realloc may fail, and that needs special modeling.
259	/// Whether reallocation failed or not will not be known until later, so we'll
260	/// store whether upon failure 'fromPtr' will be freed, or needs to be freed
261	/// later, etc.
262	struct ReallocPair {
263
264	// The 'fromPtr'.
265	SymbolRef ReallocatedSym;
266	OwnershipAfterReallocKind Kind;
267
268	ReallocPair(SymbolRef S, OwnershipAfterReallocKind K)
269	: ReallocatedSym(S), Kind(K) {}
270	void Profile(llvm::FoldingSetNodeID &ID) const {
271	ID.AddInteger(I: Kind);
272	ID.AddPointer(Ptr: ReallocatedSym);
273	}
274	bool operator==(const ReallocPair &X) const {
275	return ReallocatedSym == X.ReallocatedSym &&
276	Kind == X.Kind;
277	}
278	};
279
280	} // end of anonymous namespace
281
282	REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
283
284	/// Tells if the callee is one of the builtin new/delete operators, including
285	/// placement operators and other standard overloads.
286	static bool isStandardNewDelete(const FunctionDecl *FD);
287	static bool isStandardNewDelete(const CallEvent &Call) {
288	if (!Call.getDecl() || !isa<FunctionDecl>(Val: Call.getDecl()))
289	return false;
290	return isStandardNewDelete(FD: cast<FunctionDecl>(Val: Call.getDecl()));
291	}
292
293	//===----------------------------------------------------------------------===//
294	// Definition of the MallocChecker class.
295	//===----------------------------------------------------------------------===//
296
297	namespace {
298
299	class MallocChecker
300	: public Checker<check::DeadSymbols, check::PointerEscape,
301	check::ConstPointerEscape, check::PreStmt<ReturnStmt>,
302	check::EndFunction, check::PreCall, check::PostCall,
303	check::NewAllocator, check::PostStmt<BlockExpr>,
304	check::PostObjCMessage, check::Location, eval::Assume> {
305	public:
306	/// In pessimistic mode, the checker assumes that it does not know which
307	/// functions might free the memory.
308	/// In optimistic mode, the checker assumes that all user-defined functions
309	/// which might free a pointer are annotated.
310	bool ShouldIncludeOwnershipAnnotatedFunctions = false;
311
312	bool ShouldRegisterNoOwnershipChangeVisitor = false;
313
314	/// Many checkers are essentially built into this one, so enabling them will
315	/// make MallocChecker perform additional modeling and reporting.
316	enum CheckKind {
317	/// When a subchecker is enabled but MallocChecker isn't, model memory
318	/// management but do not emit warnings emitted with MallocChecker only
319	/// enabled.
320	CK_MallocChecker,
321	CK_NewDeleteChecker,
322	CK_NewDeleteLeaksChecker,
323	CK_MismatchedDeallocatorChecker,
324	CK_InnerPointerChecker,
325	CK_NumCheckKinds
326	};
327
328	using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>;
329
330	bool ChecksEnabled[CK_NumCheckKinds] = {false};
331	CheckerNameRef CheckNames[CK_NumCheckKinds];
332
333	void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
334	void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
335	void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const;
336	void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
337	void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
338	void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
339	void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
340	void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
341	ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
342	bool Assumption) const;
343	void checkLocation(SVal l, bool isLoad, const Stmt *S,
344	CheckerContext &C) const;
345
346	ProgramStateRef checkPointerEscape(ProgramStateRef State,
347	const InvalidatedSymbols &Escaped,
348	const CallEvent *Call,
349	PointerEscapeKind Kind) const;
350	ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
351	const InvalidatedSymbols &Escaped,
352	const CallEvent *Call,
353	PointerEscapeKind Kind) const;
354
355	void printState(raw_ostream &Out, ProgramStateRef State,
356	const char *NL, const char *Sep) const override;
357
358	private:
359	mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
360	mutable std::unique_ptr<BugType> BT_DoubleDelete;
361	mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
362	mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
363	mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
364	mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
365	mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
366	mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
367	mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
368
369	#define CHECK_FN(NAME) \
370	void NAME(const CallEvent &Call, CheckerContext &C) const;
371
372	CHECK_FN(checkFree)
373	CHECK_FN(checkIfNameIndex)
374	CHECK_FN(checkBasicAlloc)
375	CHECK_FN(checkKernelMalloc)
376	CHECK_FN(checkCalloc)
377	CHECK_FN(checkAlloca)
378	CHECK_FN(checkStrdup)
379	CHECK_FN(checkIfFreeNameIndex)
380	CHECK_FN(checkCXXNewOrCXXDelete)
381	CHECK_FN(checkGMalloc0)
382	CHECK_FN(checkGMemdup)
383	CHECK_FN(checkGMallocN)
384	CHECK_FN(checkGMallocN0)
385	CHECK_FN(preGetdelim)
386	CHECK_FN(checkGetdelim)
387	CHECK_FN(checkReallocN)
388	CHECK_FN(checkOwnershipAttr)
389
390	void checkRealloc(const CallEvent &Call, CheckerContext &C,
391	bool ShouldFreeOnFail) const;
392
393	using CheckFn = std::function<void(const MallocChecker *,
394	const CallEvent &Call, CheckerContext &C)>;
395
396	const CallDescriptionMap<CheckFn> PreFnMap{
397	// NOTE: the following CallDescription also matches the C++ standard
398	// library function std::getline(); the callback will filter it out.
399	{{CDM::CLibrary, {"getline"}, 3}, &MallocChecker::preGetdelim},
400	{{CDM::CLibrary, {"getdelim"}, 4}, &MallocChecker::preGetdelim},
401	};
402
403	const CallDescriptionMap<CheckFn> FreeingMemFnMap{
404	{{CDM::CLibrary, {"free"}, 1}, &MallocChecker::checkFree},
405	{{CDM::CLibrary, {"if_freenameindex"}, 1},
406	&MallocChecker::checkIfFreeNameIndex},
407	{{CDM::CLibrary, {"kfree"}, 1}, &MallocChecker::checkFree},
408	{{CDM::CLibrary, {"g_free"}, 1}, &MallocChecker::checkFree},
409	};
410
411	bool isFreeingCall(const CallEvent &Call) const;
412	static bool isFreeingOwnershipAttrCall(const FunctionDecl *Func);
413
414	friend class NoOwnershipChangeVisitor;
415
416	CallDescriptionMap<CheckFn> AllocatingMemFnMap{
417	{{CDM::CLibrary, {"alloca"}, 1}, &MallocChecker::checkAlloca},
418	{{CDM::CLibrary, {"_alloca"}, 1}, &MallocChecker::checkAlloca},
419	// The line for "alloca" also covers "__builtin_alloca", but the
420	// _with_align variant must be listed separately because it takes an
421	// extra argument:
422	{{CDM::CLibrary, {"__builtin_alloca_with_align"}, 2},
423	&MallocChecker::checkAlloca},
424	{{CDM::CLibrary, {"malloc"}, 1}, &MallocChecker::checkBasicAlloc},
425	{{CDM::CLibrary, {"malloc"}, 3}, &MallocChecker::checkKernelMalloc},
426	{{CDM::CLibrary, {"calloc"}, 2}, &MallocChecker::checkCalloc},
427	{{CDM::CLibrary, {"valloc"}, 1}, &MallocChecker::checkBasicAlloc},
428	{{CDM::CLibrary, {"strndup"}, 2}, &MallocChecker::checkStrdup},
429	{{CDM::CLibrary, {"strdup"}, 1}, &MallocChecker::checkStrdup},
430	{{CDM::CLibrary, {"_strdup"}, 1}, &MallocChecker::checkStrdup},
431	{{CDM::CLibrary, {"kmalloc"}, 2}, &MallocChecker::checkKernelMalloc},
432	{{CDM::CLibrary, {"if_nameindex"}, 1}, &MallocChecker::checkIfNameIndex},
433	{{CDM::CLibrary, {"wcsdup"}, 1}, &MallocChecker::checkStrdup},
434	{{CDM::CLibrary, {"_wcsdup"}, 1}, &MallocChecker::checkStrdup},
435	{{CDM::CLibrary, {"g_malloc"}, 1}, &MallocChecker::checkBasicAlloc},
436	{{CDM::CLibrary, {"g_malloc0"}, 1}, &MallocChecker::checkGMalloc0},
437	{{CDM::CLibrary, {"g_try_malloc"}, 1}, &MallocChecker::checkBasicAlloc},
438	{{CDM::CLibrary, {"g_try_malloc0"}, 1}, &MallocChecker::checkGMalloc0},
439	{{CDM::CLibrary, {"g_memdup"}, 2}, &MallocChecker::checkGMemdup},
440	{{CDM::CLibrary, {"g_malloc_n"}, 2}, &MallocChecker::checkGMallocN},
441	{{CDM::CLibrary, {"g_malloc0_n"}, 2}, &MallocChecker::checkGMallocN0},
442	{{CDM::CLibrary, {"g_try_malloc_n"}, 2}, &MallocChecker::checkGMallocN},
443	{{CDM::CLibrary, {"g_try_malloc0_n"}, 2}, &MallocChecker::checkGMallocN0},
444	};
445
446	CallDescriptionMap<CheckFn> ReallocatingMemFnMap{
447	{{CDM::CLibrary, {"realloc"}, 2},
448	std::bind(f: &MallocChecker::checkRealloc, args: _1, args: _2, args: _3, args: false)},
449	{{CDM::CLibrary, {"reallocf"}, 2},
450	std::bind(f: &MallocChecker::checkRealloc, args: _1, args: _2, args: _3, args: true)},
451	{{CDM::CLibrary, {"g_realloc"}, 2},
452	std::bind(f: &MallocChecker::checkRealloc, args: _1, args: _2, args: _3, args: false)},
453	{{CDM::CLibrary, {"g_try_realloc"}, 2},
454	std::bind(f: &MallocChecker::checkRealloc, args: _1, args: _2, args: _3, args: false)},
455	{{CDM::CLibrary, {"g_realloc_n"}, 3}, &MallocChecker::checkReallocN},
456	{{CDM::CLibrary, {"g_try_realloc_n"}, 3}, &MallocChecker::checkReallocN},
457
458	// NOTE: the following CallDescription also matches the C++ standard
459	// library function std::getline(); the callback will filter it out.
460	{{CDM::CLibrary, {"getline"}, 3}, &MallocChecker::checkGetdelim},
461	{{CDM::CLibrary, {"getdelim"}, 4}, &MallocChecker::checkGetdelim},
462	};
463
464	bool isMemCall(const CallEvent &Call) const;
465
466	// TODO: Remove mutable by moving the initializtaion to the registry function.
467	mutable std::optional<uint64_t> KernelZeroFlagVal;
468
469	using KernelZeroSizePtrValueTy = std::optional<int>;
470	/// Store the value of macro called `ZERO_SIZE_PTR`.
471	/// The value is initialized at first use, before first use the outer
472	/// Optional is empty, afterwards it contains another Optional that indicates
473	/// if the macro value could be determined, and if yes the value itself.
474	mutable std::optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue;
475
476	/// Process C++ operator new()'s allocation, which is the part of C++
477	/// new-expression that goes before the constructor.
478	[[nodiscard]] ProgramStateRef
479	processNewAllocation(const CXXAllocatorCall &Call, CheckerContext &C,
480	AllocationFamily Family) const;
481
482	/// Perform a zero-allocation check.
483	///
484	/// \param [in] Call The expression that allocates memory.
485	/// \param [in] IndexOfSizeArg Index of the argument that specifies the size
486	/// of the memory that needs to be allocated. E.g. for malloc, this would be
487	/// 0.
488	/// \param [in] RetVal Specifies the newly allocated pointer value;
489	/// if unspecified, the value of expression \p E is used.
490	[[nodiscard]] static ProgramStateRef
491	ProcessZeroAllocCheck(const CallEvent &Call, const unsigned IndexOfSizeArg,
492	ProgramStateRef State,
493	std::optional<SVal> RetVal = std::nullopt);
494
495	/// Model functions with the ownership_returns attribute.
496	///
497	/// User-defined function may have the ownership_returns attribute, which
498	/// annotates that the function returns with an object that was allocated on
499	/// the heap, and passes the ownertship to the callee.
500	///
501	/// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t);
502	///
503	/// It has two parameters:
504	/// - first: name of the resource (e.g. 'malloc')
505	/// - (OPTIONAL) second: size of the allocated region
506	///
507	/// \param [in] Call The expression that allocates memory.
508	/// \param [in] Att The ownership_returns attribute.
509	/// \param [in] State The \c ProgramState right before allocation.
510	/// \returns The ProgramState right after allocation.
511	[[nodiscard]] ProgramStateRef
512	MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
513	const OwnershipAttr *Att, ProgramStateRef State) const;
514
515	/// Models memory allocation.
516	///
517	/// \param [in] Call The expression that allocates memory.
518	/// \param [in] SizeEx Size of the memory that needs to be allocated.
519	/// \param [in] Init The value the allocated memory needs to be initialized.
520	/// with. For example, \c calloc initializes the allocated memory to 0,
521	/// malloc leaves it undefined.
522	/// \param [in] State The \c ProgramState right before allocation.
523	/// \returns The ProgramState right after allocation.
524	[[nodiscard]] static ProgramStateRef
525	MallocMemAux(CheckerContext &C, const CallEvent &Call, const Expr *SizeEx,
526	SVal Init, ProgramStateRef State, AllocationFamily Family);
527
528	/// Models memory allocation.
529	///
530	/// \param [in] Call The expression that allocates memory.
531	/// \param [in] Size Size of the memory that needs to be allocated.
532	/// \param [in] Init The value the allocated memory needs to be initialized.
533	/// with. For example, \c calloc initializes the allocated memory to 0,
534	/// malloc leaves it undefined.
535	/// \param [in] State The \c ProgramState right before allocation.
536	/// \returns The ProgramState right after allocation.
537	[[nodiscard]] static ProgramStateRef
538	MallocMemAux(CheckerContext &C, const CallEvent &Call, SVal Size, SVal Init,
539	ProgramStateRef State, AllocationFamily Family);
540
541	// Check if this malloc() for special flags. At present that means M_ZERO or
542	// __GFP_ZERO (in which case, treat it like calloc).
543	[[nodiscard]] std::optional<ProgramStateRef>
544	performKernelMalloc(const CallEvent &Call, CheckerContext &C,
545	const ProgramStateRef &State) const;
546
547	/// Model functions with the ownership_takes and ownership_holds attributes.
548	///
549	/// User-defined function may have the ownership_takes and/or ownership_holds
550	/// attributes, which annotates that the function frees the memory passed as a
551	/// parameter.
552	///
553	/// void __attribute((ownership_takes(malloc, 1))) my_free(void *);
554	/// void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
555	///
556	/// They have two parameters:
557	/// - first: name of the resource (e.g. 'malloc')
558	/// - second: index of the parameter the attribute applies to
559	///
560	/// \param [in] Call The expression that frees memory.
561	/// \param [in] Att The ownership_takes or ownership_holds attribute.
562	/// \param [in] State The \c ProgramState right before allocation.
563	/// \returns The ProgramState right after deallocation.
564	[[nodiscard]] ProgramStateRef FreeMemAttr(CheckerContext &C,
565	const CallEvent &Call,
566	const OwnershipAttr *Att,
567	ProgramStateRef State) const;
568
569	/// Models memory deallocation.
570	///
571	/// \param [in] Call The expression that frees memory.
572	/// \param [in] State The \c ProgramState right before allocation.
573	/// \param [in] Num Index of the argument that needs to be freed. This is
574	/// normally 0, but for custom free functions it may be different.
575	/// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
576	/// attribute.
577	/// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
578	/// to have been allocated, or in other words, the symbol to be freed was
579	/// registered as allocated by this checker. In the following case, \c ptr
580	/// isn't known to be allocated.
581	/// void Haha(int *ptr) {
582	/// ptr = realloc(ptr, 67);
583	/// // ...
584	/// }
585	/// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
586	/// we're modeling returns with Null on failure.
587	/// \returns The ProgramState right after deallocation.
588	[[nodiscard]] ProgramStateRef
589	FreeMemAux(CheckerContext &C, const CallEvent &Call, ProgramStateRef State,
590	unsigned Num, bool Hold, bool &IsKnownToBeAllocated,
591	AllocationFamily Family, bool ReturnsNullOnFailure = false) const;
592
593	/// Models memory deallocation.
594	///
595	/// \param [in] ArgExpr The variable who's pointee needs to be freed.
596	/// \param [in] Call The expression that frees the memory.
597	/// \param [in] State The \c ProgramState right before allocation.
598	/// normally 0, but for custom free functions it may be different.
599	/// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
600	/// attribute.
601	/// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
602	/// to have been allocated, or in other words, the symbol to be freed was
603	/// registered as allocated by this checker. In the following case, \c ptr
604	/// isn't known to be allocated.
605	/// void Haha(int *ptr) {
606	/// ptr = realloc(ptr, 67);
607	/// // ...
608	/// }
609	/// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
610	/// we're modeling returns with Null on failure.
611	/// \param [in] ArgValOpt Optional value to use for the argument instead of
612	/// the one obtained from ArgExpr.
613	/// \returns The ProgramState right after deallocation.
614	[[nodiscard]] ProgramStateRef
615	FreeMemAux(CheckerContext &C, const Expr *ArgExpr, const CallEvent &Call,
616	ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated,
617	AllocationFamily Family, bool ReturnsNullOnFailure = false,
618	std::optional<SVal> ArgValOpt = {}) const;
619
620	// TODO: Needs some refactoring, as all other deallocation modeling
621	// functions are suffering from out parameters and messy code due to how
622	// realloc is handled.
623	//
624	/// Models memory reallocation.
625	///
626	/// \param [in] Call The expression that reallocated memory
627	/// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied
628	/// memory should be freed.
629	/// \param [in] State The \c ProgramState right before reallocation.
630	/// \param [in] SuffixWithN Whether the reallocation function we're modeling
631	/// has an '_n' suffix, such as g_realloc_n.
632	/// \returns The ProgramState right after reallocation.
633	[[nodiscard]] ProgramStateRef
634	ReallocMemAux(CheckerContext &C, const CallEvent &Call, bool ShouldFreeOnFail,
635	ProgramStateRef State, AllocationFamily Family,
636	bool SuffixWithN = false) const;
637
638	/// Evaluates the buffer size that needs to be allocated.
639	///
640	/// \param [in] Blocks The amount of blocks that needs to be allocated.
641	/// \param [in] BlockBytes The size of a block.
642	/// \returns The symbolic value of \p Blocks * \p BlockBytes.
643	[[nodiscard]] static SVal evalMulForBufferSize(CheckerContext &C,
644	const Expr *Blocks,
645	const Expr *BlockBytes);
646
647	/// Models zero initialized array allocation.
648	///
649	/// \param [in] Call The expression that reallocated memory
650	/// \param [in] State The \c ProgramState right before reallocation.
651	/// \returns The ProgramState right after allocation.
652	[[nodiscard]] static ProgramStateRef
653	CallocMem(CheckerContext &C, const CallEvent &Call, ProgramStateRef State);
654
655	/// See if deallocation happens in a suspicious context. If so, escape the
656	/// pointers that otherwise would have been deallocated and return true.
657	bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call,
658	CheckerContext &C) const;
659
660	/// If in \p S \p Sym is used, check whether \p Sym was already freed.
661	bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
662
663	/// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero
664	/// sized memory region.
665	void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
666	const Stmt *S) const;
667
668	/// If in \p S \p Sym is being freed, check whether \p Sym was already freed.
669	bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
670
671	/// Check if the function is known to free memory, or if it is
672	/// "interesting" and should be modeled explicitly.
673	///
674	/// \param [out] EscapingSymbol A function might not free memory in general,
675	/// but could be known to free a particular symbol. In this case, false is
676	/// returned and the single escaping symbol is returned through the out
677	/// parameter.
678	///
679	/// We assume that pointers do not escape through calls to system functions
680	/// not handled by this checker.
681	bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
682	ProgramStateRef State,
683	SymbolRef &EscapingSymbol) const;
684
685	/// Implementation of the checkPointerEscape callbacks.
686	[[nodiscard]] ProgramStateRef
687	checkPointerEscapeAux(ProgramStateRef State,
688	const InvalidatedSymbols &Escaped,
689	const CallEvent *Call, PointerEscapeKind Kind,
690	bool IsConstPointerEscape) const;
691
692	// Implementation of the checkPreStmt and checkEndFunction callbacks.
693	void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
694
695	///@{
696	/// Tells if a given family/call/symbol is tracked by the current checker.
697	/// Sets CheckKind to the kind of the checker responsible for this
698	/// family/call/symbol.
699	std::optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
700	bool IsALeakCheck = false) const;
701
702	std::optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
703	bool IsALeakCheck = false) const;
704	///@}
705	static bool SummarizeValue(raw_ostream &os, SVal V);
706	static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
707
708	void HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, SourceRange Range,
709	const Expr *DeallocExpr,
710	AllocationFamily Family) const;
711
712	void HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
713	SourceRange Range) const;
714
715	void HandleMismatchedDealloc(CheckerContext &C, SourceRange Range,
716	const Expr *DeallocExpr, const RefState *RS,
717	SymbolRef Sym, bool OwnershipTransferred) const;
718
719	void HandleOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
720	const Expr *DeallocExpr, AllocationFamily Family,
721	const Expr *AllocExpr = nullptr) const;
722
723	void HandleUseAfterFree(CheckerContext &C, SourceRange Range,
724	SymbolRef Sym) const;
725
726	void HandleDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
727	SymbolRef Sym, SymbolRef PrevSym) const;
728
729	void HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
730
731	void HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
732	SymbolRef Sym) const;
733
734	void HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
735	const Expr *FreeExpr,
736	AllocationFamily Family) const;
737
738	/// Find the location of the allocation for Sym on the path leading to the
739	/// exploded node N.
740	static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
741	CheckerContext &C);
742
743	void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
744
745	/// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`.
746	bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
747	SVal ArgVal) const;
748	};
749	} // end anonymous namespace
750
751	//===----------------------------------------------------------------------===//
752	// Definition of NoOwnershipChangeVisitor.
753	//===----------------------------------------------------------------------===//
754
755	namespace {
756	class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor {
757	// The symbol whose (lack of) ownership change we are interested in.
758	SymbolRef Sym;
759	const MallocChecker &Checker;
760	using OwnerSet = llvm::SmallPtrSet<const MemRegion *, 8>;
761
762	// Collect which entities point to the allocated memory, and could be
763	// responsible for deallocating it.
764	class OwnershipBindingsHandler : public StoreManager::BindingsHandler {
765	SymbolRef Sym;
766	OwnerSet &Owners;
767
768	public:
769	OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners)
770	: Sym(Sym), Owners(Owners) {}
771
772	bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region,
773	SVal Val) override {
774	if (Val.getAsSymbol() == Sym)
775	Owners.insert(Ptr: Region);
776	return true;
777	}
778
779	LLVM_DUMP_METHOD void dump() const { dumpToStream(out&: llvm::errs()); }
780	LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &out) const {
781	out << "Owners: {\n";
782	for (const MemRegion *Owner : Owners) {
783	out << " ";
784	Owner->dumpToStream(os&: out);
785	out << ",\n";
786	}
787	out << "}\n";
788	}
789	};
790
791	protected:
792	OwnerSet getOwnersAtNode(const ExplodedNode *N) {
793	OwnerSet Ret;
794
795	ProgramStateRef State = N->getState();
796	OwnershipBindingsHandler Handler{Sym, Ret};
797	State->getStateManager().getStoreManager().iterBindings(store: State->getStore(),
798	f&: Handler);
799	return Ret;
800	}
801
802	LLVM_DUMP_METHOD static std::string
803	getFunctionName(const ExplodedNode *CallEnterN) {
804	if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(
805	Val: CallEnterN->getLocationAs<CallEnter>()->getCallExpr()))
806	if (const FunctionDecl *FD = CE->getDirectCallee())
807	return FD->getQualifiedNameAsString();
808	return "";
809	}
810
811	/// Syntactically checks whether the callee is a deallocating function. Since
812	/// we have no path-sensitive information on this call (we would need a
813	/// CallEvent instead of a CallExpr for that), its possible that a
814	/// deallocation function was called indirectly through a function pointer,
815	/// but we are not able to tell, so this is a best effort analysis.
816	/// See namespace `memory_passed_to_fn_call_free_through_fn_ptr` in
817	/// clang/test/Analysis/NewDeleteLeaks.cpp.
818	bool isFreeingCallAsWritten(const CallExpr &Call) const {
819	if (Checker.FreeingMemFnMap.lookupAsWritten(Call) ||
820	Checker.ReallocatingMemFnMap.lookupAsWritten(Call))
821	return true;
822
823	if (const auto *Func =
824	llvm::dyn_cast_or_null<FunctionDecl>(Val: Call.getCalleeDecl()))
825	return MallocChecker::isFreeingOwnershipAttrCall(Func);
826
827	return false;
828	}
829
830	/// Heuristically guess whether the callee intended to free memory. This is
831	/// done syntactically, because we are trying to argue about alternative
832	/// paths of execution, and as a consequence we don't have path-sensitive
833	/// information.
834	bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) {
835	using namespace clang::ast_matchers;
836	const FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: Callee);
837
838	// Given that the stack frame was entered, the body should always be
839	// theoretically obtainable. In case of body farms, the synthesized body
840	// is not attached to declaration, thus triggering the '!FD->hasBody()'
841	// branch. That said, would a synthesized body ever intend to handle
842	// ownership? As of today they don't. And if they did, how would we
843	// put notes inside it, given that it doesn't match any source locations?
844	if (!FD || !FD->hasBody())
845	return false;
846
847	auto Matches = match(Matcher: findAll(Matcher: stmt(anyOf(cxxDeleteExpr().bind(ID: "delete"),
848	callExpr().bind(ID: "call")))),
849	Node: *FD->getBody(), Context&: ACtx);
850	for (BoundNodes Match : Matches) {
851	if (Match.getNodeAs<CXXDeleteExpr>(ID: "delete"))
852	return true;
853
854	if (const auto *Call = Match.getNodeAs<CallExpr>(ID: "call"))
855	if (isFreeingCallAsWritten(Call: *Call))
856	return true;
857	}
858	// TODO: Ownership might change with an attempt to store the allocated
859	// memory, not only through deallocation. Check for attempted stores as
860	// well.
861	return false;
862	}
863
864	bool wasModifiedInFunction(const ExplodedNode *CallEnterN,
865	const ExplodedNode *CallExitEndN) override {
866	if (!doesFnIntendToHandleOwnership(
867	Callee: CallExitEndN->getFirstPred()->getLocationContext()->getDecl(),
868	ACtx&: CallExitEndN->getState()->getAnalysisManager().getASTContext()))
869	return true;
870
871	if (CallEnterN->getState()->get<RegionState>(key: Sym) !=
872	CallExitEndN->getState()->get<RegionState>(key: Sym))
873	return true;
874
875	OwnerSet CurrOwners = getOwnersAtNode(N: CallEnterN);
876	OwnerSet ExitOwners = getOwnersAtNode(N: CallExitEndN);
877
878	// Owners in the current set may be purged from the analyzer later on.
879	// If a variable is dead (is not referenced directly or indirectly after
880	// some point), it will be removed from the Store before the end of its
881	// actual lifetime.
882	// This means that if the ownership status didn't change, CurrOwners
883	// must be a superset of, but not necessarily equal to ExitOwners.
884	return !llvm::set_is_subset(S1: ExitOwners, S2: CurrOwners);
885	}
886
887	static PathDiagnosticPieceRef emitNote(const ExplodedNode *N) {
888	PathDiagnosticLocation L = PathDiagnosticLocation::create(
889	P: N->getLocation(),
890	SMng: N->getState()->getStateManager().getContext().getSourceManager());
891	return std::make_shared<PathDiagnosticEventPiece>(
892	args&: L, args: "Returning without deallocating memory or storing the pointer for "
893	"later deallocation");
894	}
895
896	PathDiagnosticPieceRef
897	maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
898	const ObjCMethodCall &Call,
899	const ExplodedNode *N) override {
900	// TODO: Implement.
901	return nullptr;
902	}
903
904	PathDiagnosticPieceRef
905	maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
906	const CXXConstructorCall &Call,
907	const ExplodedNode *N) override {
908	// TODO: Implement.
909	return nullptr;
910	}
911
912	PathDiagnosticPieceRef
913	maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
914	const ExplodedNode *N) override {
915	// TODO: Factor the logic of "what constitutes as an entity being passed
916	// into a function call" out by reusing the code in
917	// NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating
918	// the printing technology in UninitializedObject's FieldChainInfo.
919	ArrayRef<ParmVarDecl *> Parameters = Call.parameters();
920	for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
921	SVal V = Call.getArgSVal(Index: I);
922	if (V.getAsSymbol() == Sym)
923	return emitNote(N);
924	}
925	return nullptr;
926	}
927
928	public:
929	NoOwnershipChangeVisitor(SymbolRef Sym, const MallocChecker *Checker)
930	: NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough), Sym(Sym),
931	Checker(*Checker) {}
932
933	void Profile(llvm::FoldingSetNodeID &ID) const override {
934	static int Tag = 0;
935	ID.AddPointer(Ptr: &Tag);
936	ID.AddPointer(Ptr: Sym);
937	}
938	};
939
940	} // end anonymous namespace
941
942	//===----------------------------------------------------------------------===//
943	// Definition of MallocBugVisitor.
944	//===----------------------------------------------------------------------===//
945
946	namespace {
947	/// The bug visitor which allows us to print extra diagnostics along the
948	/// BugReport path. For example, showing the allocation site of the leaked
949	/// region.
950	class MallocBugVisitor final : public BugReporterVisitor {
951	protected:
952	enum NotificationMode { Normal, ReallocationFailed };
953
954	// The allocated region symbol tracked by the main analysis.
955	SymbolRef Sym;
956
957	// The mode we are in, i.e. what kind of diagnostics will be emitted.
958	NotificationMode Mode;
959
960	// A symbol from when the primary region should have been reallocated.
961	SymbolRef FailedReallocSymbol;
962
963	// A C++ destructor stack frame in which memory was released. Used for
964	// miscellaneous false positive suppression.
965	const StackFrameContext *ReleaseDestructorLC;
966
967	bool IsLeak;
968
969	public:
970	MallocBugVisitor(SymbolRef S, bool isLeak = false)
971	: Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
972	ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
973
974	static void *getTag() {
975	static int Tag = 0;
976	return &Tag;
977	}
978
979	void Profile(llvm::FoldingSetNodeID &ID) const override {
980	ID.AddPointer(Ptr: getTag());
981	ID.AddPointer(Ptr: Sym);
982	}
983
984	/// Did not track -> allocated. Other state (released) -> allocated.
985	static inline bool isAllocated(const RefState *RSCurr, const RefState *RSPrev,
986	const Stmt *Stmt) {
987	return (isa_and_nonnull<CallExpr, CXXNewExpr>(Val: Stmt) &&
988	(RSCurr &&
989	(RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
990	(!RSPrev ||
991	!(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
992	}
993
994	/// Did not track -> released. Other state (allocated) -> released.
995	/// The statement associated with the release might be missing.
996	static inline bool isReleased(const RefState *RSCurr, const RefState *RSPrev,
997	const Stmt *Stmt) {
998	bool IsReleased =
999	(RSCurr && RSCurr->isReleased()) && (!RSPrev || !RSPrev->isReleased());
1000	assert(!IsReleased || (isa_and_nonnull<CallExpr, CXXDeleteExpr>(Stmt)) ||
1001	(!Stmt && RSCurr->getAllocationFamily() == AF_InnerBuffer));
1002	return IsReleased;
1003	}
1004
1005	/// Did not track -> relinquished. Other state (allocated) -> relinquished.
1006	static inline bool isRelinquished(const RefState *RSCurr,
1007	const RefState *RSPrev, const Stmt *Stmt) {
1008	return (
1009	isa_and_nonnull<CallExpr, ObjCMessageExpr, ObjCPropertyRefExpr>(Val: Stmt) &&
1010	(RSCurr && RSCurr->isRelinquished()) &&
1011	(!RSPrev || !RSPrev->isRelinquished()));
1012	}
1013
1014	/// If the expression is not a call, and the state change is
1015	/// released -> allocated, it must be the realloc return value
1016	/// check. If we have to handle more cases here, it might be cleaner just
1017	/// to track this extra bit in the state itself.
1018	static inline bool hasReallocFailed(const RefState *RSCurr,
1019	const RefState *RSPrev,
1020	const Stmt *Stmt) {
1021	return ((!isa_and_nonnull<CallExpr>(Val: Stmt)) &&
1022	(RSCurr &&
1023	(RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&
1024	(RSPrev &&
1025	!(RSPrev->isAllocated() || RSPrev->isAllocatedOfSizeZero())));
1026	}
1027
1028	PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
1029	BugReporterContext &BRC,
1030	PathSensitiveBugReport &BR) override;
1031
1032	PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
1033	const ExplodedNode *EndPathNode,
1034	PathSensitiveBugReport &BR) override {
1035	if (!IsLeak)
1036	return nullptr;
1037
1038	PathDiagnosticLocation L = BR.getLocation();
1039	// Do not add the statement itself as a range in case of leak.
1040	return std::make_shared<PathDiagnosticEventPiece>(args&: L, args: BR.getDescription(),
1041	args: false);
1042	}
1043
1044	private:
1045	class StackHintGeneratorForReallocationFailed
1046	: public StackHintGeneratorForSymbol {
1047	public:
1048	StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
1049	: StackHintGeneratorForSymbol(S, M) {}
1050
1051	std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) override {
1052	// Printed parameters start at 1, not 0.
1053	++ArgIndex;
1054
1055	SmallString<200> buf;
1056	llvm::raw_svector_ostream os(buf);
1057
1058	os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(Val: ArgIndex)
1059	<< " parameter failed";
1060
1061	return std::string(os.str());
1062	}
1063
1064	std::string getMessageForReturn(const CallExpr *CallExpr) override {
1065	return "Reallocation of returned value failed";
1066	}
1067	};
1068	};
1069	} // end anonymous namespace
1070
1071	// A map from the freed symbol to the symbol representing the return value of
1072	// the free function.
1073	REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)
1074
1075	namespace {
1076	class StopTrackingCallback final : public SymbolVisitor {
1077	ProgramStateRef state;
1078
1079	public:
1080	StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
1081	ProgramStateRef getState() const { return state; }
1082
1083	bool VisitSymbol(SymbolRef sym) override {
1084	state = state->remove<RegionState>(K: sym);
1085	return true;
1086	}
1087	};
1088	} // end anonymous namespace
1089
1090	static bool isStandardNewDelete(const FunctionDecl *FD) {
1091	if (!FD)
1092	return false;
1093
1094	OverloadedOperatorKind Kind = FD->getOverloadedOperator();
1095	if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete &&
1096	Kind != OO_Array_Delete)
1097	return false;
1098
1099	// This is standard if and only if it's not defined in a user file.
1100	SourceLocation L = FD->getLocation();
1101	// If the header for operator delete is not included, it's still defined
1102	// in an invalid source location. Check to make sure we don't crash.
1103	return !L.isValid() ||
1104	FD->getASTContext().getSourceManager().isInSystemHeader(L);
1105	}
1106
1107	//===----------------------------------------------------------------------===//
1108	// Methods of MallocChecker and MallocBugVisitor.
1109	//===----------------------------------------------------------------------===//
1110
1111	bool MallocChecker::isFreeingOwnershipAttrCall(const FunctionDecl *Func) {
1112	if (Func->hasAttrs()) {
1113	for (const auto *I : Func->specific_attrs<OwnershipAttr>()) {
1114	OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
1115	if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds)
1116	return true;
1117	}
1118	}
1119	return false;
1120	}
1121
1122	bool MallocChecker::isFreeingCall(const CallEvent &Call) const {
1123	if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call))
1124	return true;
1125
1126	if (const auto *Func = dyn_cast_or_null<FunctionDecl>(Val: Call.getDecl()))
1127	return isFreeingOwnershipAttrCall(Func);
1128
1129	return false;
1130	}
1131
1132	bool MallocChecker::isMemCall(const CallEvent &Call) const {
1133	if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) ||
1134	ReallocatingMemFnMap.lookup(Call))
1135	return true;
1136
1137	if (!ShouldIncludeOwnershipAnnotatedFunctions)
1138	return false;
1139
1140	const auto *Func = dyn_cast<FunctionDecl>(Val: Call.getDecl());
1141	return Func && Func->hasAttr<OwnershipAttr>();
1142	}
1143
1144	std::optional<ProgramStateRef>
1145	MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
1146	const ProgramStateRef &State) const {
1147	// 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
1148	//
1149	// void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
1150	//
1151	// One of the possible flags is M_ZERO, which means 'give me back an
1152	// allocation which is already zeroed', like calloc.
1153
1154	// 2-argument kmalloc(), as used in the Linux kernel:
1155	//
1156	// void *kmalloc(size_t size, gfp_t flags);
1157	//
1158	// Has the similar flag value __GFP_ZERO.
1159
1160	// This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
1161	// code could be shared.
1162
1163	ASTContext &Ctx = C.getASTContext();
1164	llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
1165
1166	if (!KernelZeroFlagVal) {
1167	switch (OS) {
1168	case llvm::Triple::FreeBSD:
1169	KernelZeroFlagVal = 0x0100;
1170	break;
1171	case llvm::Triple::NetBSD:
1172	KernelZeroFlagVal = 0x0002;
1173	break;
1174	case llvm::Triple::OpenBSD:
1175	KernelZeroFlagVal = 0x0008;
1176	break;
1177	case llvm::Triple::Linux:
1178	// __GFP_ZERO
1179	KernelZeroFlagVal = 0x8000;
1180	break;
1181	default:
1182	// FIXME: We need a more general way of getting the M_ZERO value.
1183	// See also: O_CREAT in UnixAPIChecker.cpp.
1184
1185	// Fall back to normal malloc behavior on platforms where we don't
1186	// know M_ZERO.
1187	return std::nullopt;
1188	}
1189	}
1190
1191	// We treat the last argument as the flags argument, and callers fall-back to
1192	// normal malloc on a None return. This works for the FreeBSD kernel malloc
1193	// as well as Linux kmalloc.
1194	if (Call.getNumArgs() < 2)
1195	return std::nullopt;
1196
1197	const Expr *FlagsEx = Call.getArgExpr(Index: Call.getNumArgs() - 1);
1198	const SVal V = C.getSVal(FlagsEx);
1199	if (!isa<NonLoc>(Val: V)) {
1200	// The case where 'V' can be a location can only be due to a bad header,
1201	// so in this case bail out.
1202	return std::nullopt;
1203	}
1204
1205	NonLoc Flags = V.castAs<NonLoc>();
1206	NonLoc ZeroFlag = C.getSValBuilder()
1207	.makeIntVal(integer: *KernelZeroFlagVal, type: FlagsEx->getType())
1208	.castAs<NonLoc>();
1209	SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(state: State, op: BO_And,
1210	lhs: Flags, rhs: ZeroFlag,
1211	resultTy: FlagsEx->getType());
1212	if (MaskedFlagsUC.isUnknownOrUndef())
1213	return std::nullopt;
1214	DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
1215
1216	// Check if maskedFlags is non-zero.
1217	ProgramStateRef TrueState, FalseState;
1218	std::tie(args&: TrueState, args&: FalseState) = State->assume(Cond: MaskedFlags);
1219
1220	// If M_ZERO is set, treat this like calloc (initialized).
1221	if (TrueState && !FalseState) {
1222	SVal ZeroVal = C.getSValBuilder().makeZeroVal(type: Ctx.CharTy);
1223	return MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: ZeroVal, State: TrueState,
1224	Family: AF_Malloc);
1225	}
1226
1227	return std::nullopt;
1228	}
1229
1230	SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
1231	const Expr *BlockBytes) {
1232	SValBuilder &SB = C.getSValBuilder();
1233	SVal BlocksVal = C.getSVal(Blocks);
1234	SVal BlockBytesVal = C.getSVal(BlockBytes);
1235	ProgramStateRef State = C.getState();
1236	SVal TotalSize = SB.evalBinOp(state: State, op: BO_Mul, lhs: BlocksVal, rhs: BlockBytesVal,
1237	type: SB.getContext().getSizeType());
1238	return TotalSize;
1239	}
1240
1241	void MallocChecker::checkBasicAlloc(const CallEvent &Call,
1242	CheckerContext &C) const {
1243	ProgramStateRef State = C.getState();
1244	State = MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: UndefinedVal(), State,
1245	Family: AF_Malloc);
1246	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1247	C.addTransition(State);
1248	}
1249
1250	void MallocChecker::checkKernelMalloc(const CallEvent &Call,
1251	CheckerContext &C) const {
1252	ProgramStateRef State = C.getState();
1253	std::optional<ProgramStateRef> MaybeState =
1254	performKernelMalloc(Call, C, State);
1255	if (MaybeState)
1256	State = *MaybeState;
1257	else
1258	State = MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: UndefinedVal(), State,
1259	Family: AF_Malloc);
1260	C.addTransition(State);
1261	}
1262
1263	static bool isStandardRealloc(const CallEvent &Call) {
1264	const FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: Call.getDecl());
1265	assert(FD);
1266	ASTContext &AC = FD->getASTContext();
1267
1268	return FD->getDeclaredReturnType().getDesugaredType(Context: AC) == AC.VoidPtrTy &&
1269	FD->getParamDecl(i: 0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1270	FD->getParamDecl(i: 1)->getType().getDesugaredType(AC) ==
1271	AC.getSizeType();
1272	}
1273
1274	static bool isGRealloc(const CallEvent &Call) {
1275	const FunctionDecl *FD = dyn_cast<FunctionDecl>(Val: Call.getDecl());
1276	assert(FD);
1277	ASTContext &AC = FD->getASTContext();
1278
1279	return FD->getDeclaredReturnType().getDesugaredType(Context: AC) == AC.VoidPtrTy &&
1280	FD->getParamDecl(i: 0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
1281	FD->getParamDecl(i: 1)->getType().getDesugaredType(AC) ==
1282	AC.UnsignedLongTy;
1283	}
1284
1285	void MallocChecker::checkRealloc(const CallEvent &Call, CheckerContext &C,
1286	bool ShouldFreeOnFail) const {
1287	// Ignore calls to functions whose type does not match the expected type of
1288	// either the standard realloc or g_realloc from GLib.
1289	// FIXME: Should we perform this kind of checking consistently for each
1290	// function? If yes, then perhaps extend the `CallDescription` interface to
1291	// handle this.
1292	if (!isStandardRealloc(Call) && !isGRealloc(Call))
1293	return;
1294
1295	ProgramStateRef State = C.getState();
1296	State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, Family: AF_Malloc);
1297	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1298	C.addTransition(State);
1299	}
1300
1301	void MallocChecker::checkCalloc(const CallEvent &Call,
1302	CheckerContext &C) const {
1303	ProgramStateRef State = C.getState();
1304	State = CallocMem(C, Call, State);
1305	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1306	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1307	C.addTransition(State);
1308	}
1309
1310	void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const {
1311	ProgramStateRef State = C.getState();
1312	bool IsKnownToBeAllocatedMemory = false;
1313	if (suppressDeallocationsInSuspiciousContexts(Call, C))
1314	return;
1315	State = FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory,
1316	Family: AF_Malloc);
1317	C.addTransition(State);
1318	}
1319
1320	void MallocChecker::checkAlloca(const CallEvent &Call,
1321	CheckerContext &C) const {
1322	ProgramStateRef State = C.getState();
1323	State = MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: UndefinedVal(), State,
1324	Family: AF_Alloca);
1325	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1326	C.addTransition(State);
1327	}
1328
1329	void MallocChecker::checkStrdup(const CallEvent &Call,
1330	CheckerContext &C) const {
1331	ProgramStateRef State = C.getState();
1332	const auto *CE = dyn_cast_or_null<CallExpr>(Val: Call.getOriginExpr());
1333	if (!CE)
1334	return;
1335	State = MallocUpdateRefState(C, CE, State, AF_Malloc);
1336
1337	C.addTransition(State);
1338	}
1339
1340	void MallocChecker::checkIfNameIndex(const CallEvent &Call,
1341	CheckerContext &C) const {
1342	ProgramStateRef State = C.getState();
1343	// Should we model this differently? We can allocate a fixed number of
1344	// elements with zeros in the last one.
1345	State =
1346	MallocMemAux(C, Call, Size: UnknownVal(), Init: UnknownVal(), State, Family: AF_IfNameIndex);
1347
1348	C.addTransition(State);
1349	}
1350
1351	void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call,
1352	CheckerContext &C) const {
1353	ProgramStateRef State = C.getState();
1354	bool IsKnownToBeAllocatedMemory = false;
1355	State = FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory,
1356	Family: AF_IfNameIndex);
1357	C.addTransition(State);
1358	}
1359
1360	void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call,
1361	CheckerContext &C) const {
1362	ProgramStateRef State = C.getState();
1363	bool IsKnownToBeAllocatedMemory = false;
1364	const auto *CE = dyn_cast_or_null<CallExpr>(Val: Call.getOriginExpr());
1365	if (!CE)
1366	return;
1367
1368	assert(isStandardNewDelete(Call));
1369
1370	// Process direct calls to operator new/new[]/delete/delete[] functions
1371	// as distinct from new/new[]/delete/delete[] expressions that are
1372	// processed by the checkPostStmt callbacks for CXXNewExpr and
1373	// CXXDeleteExpr.
1374	const FunctionDecl *FD = C.getCalleeDecl(CE);
1375	switch (FD->getOverloadedOperator()) {
1376	case OO_New:
1377	State =
1378	MallocMemAux(C, Call, SizeEx: CE->getArg(Arg: 0), Init: UndefinedVal(), State, Family: AF_CXXNew);
1379	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1380	break;
1381	case OO_Array_New:
1382	State = MallocMemAux(C, Call, SizeEx: CE->getArg(Arg: 0), Init: UndefinedVal(), State,
1383	Family: AF_CXXNewArray);
1384	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1385	break;
1386	case OO_Delete:
1387	State = FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory,
1388	Family: AF_CXXNew);
1389	break;
1390	case OO_Array_Delete:
1391	State = FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory,
1392	Family: AF_CXXNewArray);
1393	break;
1394	default:
1395	llvm_unreachable("not a new/delete operator");
1396	}
1397
1398	C.addTransition(State);
1399	}
1400
1401	void MallocChecker::checkGMalloc0(const CallEvent &Call,
1402	CheckerContext &C) const {
1403	ProgramStateRef State = C.getState();
1404	SValBuilder &svalBuilder = C.getSValBuilder();
1405	SVal zeroVal = svalBuilder.makeZeroVal(type: svalBuilder.getContext().CharTy);
1406	State = MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 0), Init: zeroVal, State, Family: AF_Malloc);
1407	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1408	C.addTransition(State);
1409	}
1410
1411	void MallocChecker::checkGMemdup(const CallEvent &Call,
1412	CheckerContext &C) const {
1413	ProgramStateRef State = C.getState();
1414	State =
1415	MallocMemAux(C, Call, SizeEx: Call.getArgExpr(Index: 1), Init: UnknownVal(), State, Family: AF_Malloc);
1416	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1417	C.addTransition(State);
1418	}
1419
1420	void MallocChecker::checkGMallocN(const CallEvent &Call,
1421	CheckerContext &C) const {
1422	ProgramStateRef State = C.getState();
1423	SVal Init = UndefinedVal();
1424	SVal TotalSize = evalMulForBufferSize(C, Blocks: Call.getArgExpr(Index: 0), BlockBytes: Call.getArgExpr(Index: 1));
1425	State = MallocMemAux(C, Call, Size: TotalSize, Init, State, Family: AF_Malloc);
1426	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1427	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1428	C.addTransition(State);
1429	}
1430
1431	void MallocChecker::checkGMallocN0(const CallEvent &Call,
1432	CheckerContext &C) const {
1433	ProgramStateRef State = C.getState();
1434	SValBuilder &SB = C.getSValBuilder();
1435	SVal Init = SB.makeZeroVal(type: SB.getContext().CharTy);
1436	SVal TotalSize = evalMulForBufferSize(C, Blocks: Call.getArgExpr(Index: 0), BlockBytes: Call.getArgExpr(Index: 1));
1437	State = MallocMemAux(C, Call, Size: TotalSize, Init, State, Family: AF_Malloc);
1438	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State);
1439	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1440	C.addTransition(State);
1441	}
1442
1443	static bool isFromStdNamespace(const CallEvent &Call) {
1444	const Decl *FD = Call.getDecl();
1445	assert(FD && "a CallDescription cannot match a call without a Decl");
1446	return FD->isInStdNamespace();
1447	}
1448
1449	void MallocChecker::preGetdelim(const CallEvent &Call,
1450	CheckerContext &C) const {
1451	// Discard calls to the C++ standard library function std::getline(), which
1452	// is completely unrelated to the POSIX getline() that we're checking.
1453	if (isFromStdNamespace(Call))
1454	return;
1455
1456	ProgramStateRef State = C.getState();
1457	const auto LinePtr = getPointeeVal(PtrSVal: Call.getArgSVal(Index: 0), State);
1458	if (!LinePtr)
1459	return;
1460
1461	// FreeMemAux takes IsKnownToBeAllocated as an output parameter, and it will
1462	// be true after the call if the symbol was registered by this checker.
1463	// We do not need this value here, as FreeMemAux will take care
1464	// of reporting any violation of the preconditions.
1465	bool IsKnownToBeAllocated = false;
1466	State = FreeMemAux(C, ArgExpr: Call.getArgExpr(Index: 0), Call, State, Hold: false,
1467	IsKnownToBeAllocated, Family: AF_Malloc, ReturnsNullOnFailure: false, ArgValOpt: LinePtr);
1468	if (State)
1469	C.addTransition(State);
1470	}
1471
1472	void MallocChecker::checkGetdelim(const CallEvent &Call,
1473	CheckerContext &C) const {
1474	// Discard calls to the C++ standard library function std::getline(), which
1475	// is completely unrelated to the POSIX getline() that we're checking.
1476	if (isFromStdNamespace(Call))
1477	return;
1478
1479	ProgramStateRef State = C.getState();
1480	// Handle the post-conditions of getline and getdelim:
1481	// Register the new conjured value as an allocated buffer.
1482	const CallExpr *CE = dyn_cast_or_null<CallExpr>(Val: Call.getOriginExpr());
1483	if (!CE)
1484	return;
1485
1486	SValBuilder &SVB = C.getSValBuilder();
1487
1488	const auto LinePtr =
1489	getPointeeVal(PtrSVal: Call.getArgSVal(Index: 0), State)->getAs<DefinedSVal>();
1490	const auto Size =
1491	getPointeeVal(PtrSVal: Call.getArgSVal(Index: 1), State)->getAs<DefinedSVal>();
1492	if (!LinePtr || !Size || !LinePtr->getAsRegion())
1493	return;
1494
1495	State = setDynamicExtent(State, MR: LinePtr->getAsRegion(), Extent: *Size, SVB);
1496	C.addTransition(State: MallocUpdateRefState(C, CE, State, AF_Malloc, *LinePtr));
1497	}
1498
1499	void MallocChecker::checkReallocN(const CallEvent &Call,
1500	CheckerContext &C) const {
1501	ProgramStateRef State = C.getState();
1502	State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, Family: AF_Malloc,
1503	/*SuffixWithN=*/true);
1504	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 1, State);
1505	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 2, State);
1506	C.addTransition(State);
1507	}
1508
1509	void MallocChecker::checkOwnershipAttr(const CallEvent &Call,
1510	CheckerContext &C) const {
1511	ProgramStateRef State = C.getState();
1512	const auto *CE = dyn_cast_or_null<CallExpr>(Val: Call.getOriginExpr());
1513	if (!CE)
1514	return;
1515	const FunctionDecl *FD = C.getCalleeDecl(CE);
1516	if (!FD)
1517	return;
1518	if (ShouldIncludeOwnershipAnnotatedFunctions ||
1519	ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
1520	// Check all the attributes, if there are any.
1521	// There can be multiple of these attributes.
1522	if (FD->hasAttrs())
1523	for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
1524	switch (I->getOwnKind()) {
1525	case OwnershipAttr::Returns:
1526	State = MallocMemReturnsAttr(C, Call, I, State);
1527	break;
1528	case OwnershipAttr::Takes:
1529	case OwnershipAttr::Holds:
1530	State = FreeMemAttr(C, Call, I, State);
1531	break;
1532	}
1533	}
1534	}
1535	C.addTransition(State);
1536	}
1537
1538	void MallocChecker::checkPostCall(const CallEvent &Call,
1539	CheckerContext &C) const {
1540	if (C.wasInlined)
1541	return;
1542	if (!Call.getOriginExpr())
1543	return;
1544
1545	ProgramStateRef State = C.getState();
1546
1547	if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) {
1548	(*Callback)(this, Call, C);
1549	return;
1550	}
1551
1552	if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) {
1553	(*Callback)(this, Call, C);
1554	return;
1555	}
1556
1557	if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) {
1558	(*Callback)(this, Call, C);
1559	return;
1560	}
1561
1562	if (isStandardNewDelete(Call)) {
1563	checkCXXNewOrCXXDelete(Call, C);
1564	return;
1565	}
1566
1567	checkOwnershipAttr(Call, C);
1568	}
1569
1570	// Performs a 0-sized allocations check.
1571	ProgramStateRef MallocChecker::ProcessZeroAllocCheck(
1572	const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State,
1573	std::optional<SVal> RetVal) {
1574	if (!State)
1575	return nullptr;
1576
1577	if (!RetVal)
1578	RetVal = Call.getReturnValue();
1579
1580	const Expr *Arg = nullptr;
1581
1582	if (const CallExpr *CE = dyn_cast<CallExpr>(Val: Call.getOriginExpr())) {
1583	Arg = CE->getArg(Arg: IndexOfSizeArg);
1584	} else if (const CXXNewExpr *NE =
1585	dyn_cast<CXXNewExpr>(Val: Call.getOriginExpr())) {
1586	if (NE->isArray()) {
1587	Arg = *NE->getArraySize();
1588	} else {
1589	return State;
1590	}
1591	} else
1592	llvm_unreachable("not a CallExpr or CXXNewExpr");
1593
1594	assert(Arg);
1595
1596	auto DefArgVal =
1597	State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>();
1598
1599	if (!DefArgVal)
1600	return State;
1601
1602	// Check if the allocation size is 0.
1603	ProgramStateRef TrueState, FalseState;
1604	SValBuilder &SvalBuilder = State->getStateManager().getSValBuilder();
1605	DefinedSVal Zero =
1606	SvalBuilder.makeZeroVal(type: Arg->getType()).castAs<DefinedSVal>();
1607
1608	std::tie(args&: TrueState, args&: FalseState) =
1609	State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1610
1611	if (TrueState && !FalseState) {
1612	SymbolRef Sym = RetVal->getAsLocSymbol();
1613	if (!Sym)
1614	return State;
1615
1616	const RefState *RS = State->get<RegionState>(key: Sym);
1617	if (RS) {
1618	if (RS->isAllocated())
1619	return TrueState->set<RegionState>(K: Sym,
1620	E: RefState::getAllocatedOfSizeZero(RS));
1621	else
1622	return State;
1623	} else {
1624	// Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1625	// 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1626	// tracked. Add zero-reallocated Sym to the state to catch references
1627	// to zero-allocated memory.
1628	return TrueState->add<ReallocSizeZeroSymbols>(K: Sym);
1629	}
1630	}
1631
1632	// Assume the value is non-zero going forward.
1633	assert(FalseState);
1634	return FalseState;
1635	}
1636
1637	static QualType getDeepPointeeType(QualType T) {
1638	QualType Result = T, PointeeType = T->getPointeeType();
1639	while (!PointeeType.isNull()) {
1640	Result = PointeeType;
1641	PointeeType = PointeeType->getPointeeType();
1642	}
1643	return Result;
1644	}
1645
1646	/// \returns true if the constructor invoked by \p NE has an argument of a
1647	/// pointer/reference to a record type.
1648	static bool hasNonTrivialConstructorCall(const CXXNewExpr *NE) {
1649
1650	const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1651	if (!ConstructE)
1652	return false;
1653
1654	if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1655	return false;
1656
1657	const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1658
1659	// Iterate over the constructor parameters.
1660	for (const auto *CtorParam : CtorD->parameters()) {
1661
1662	QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1663	if (CtorParamPointeeT.isNull())
1664	continue;
1665
1666	CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1667
1668	if (CtorParamPointeeT->getAsCXXRecordDecl())
1669	return true;
1670	}
1671
1672	return false;
1673	}
1674
1675	ProgramStateRef
1676	MallocChecker::processNewAllocation(const CXXAllocatorCall &Call,
1677	CheckerContext &C,
1678	AllocationFamily Family) const {
1679	if (!isStandardNewDelete(Call))
1680	return nullptr;
1681
1682	const CXXNewExpr *NE = Call.getOriginExpr();
1683	const ParentMap &PM = C.getLocationContext()->getParentMap();
1684	ProgramStateRef State = C.getState();
1685
1686	// Non-trivial constructors have a chance to escape 'this', but marking all
1687	// invocations of trivial constructors as escaped would cause too great of
1688	// reduction of true positives, so let's just do that for constructors that
1689	// have an argument of a pointer-to-record type.
1690	if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE))
1691	return State;
1692
1693	// The return value from operator new is bound to a specified initialization
1694	// value (if any) and we don't want to loose this value. So we call
1695	// MallocUpdateRefState() instead of MallocMemAux() which breaks the
1696	// existing binding.
1697	SVal Target = Call.getObjectUnderConstruction();
1698	State = MallocUpdateRefState(C, NE, State, Family, Target);
1699	State = ProcessZeroAllocCheck(Call, IndexOfSizeArg: 0, State, RetVal: Target);
1700	return State;
1701	}
1702
1703	void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call,
1704	CheckerContext &C) const {
1705	if (!C.wasInlined) {
1706	ProgramStateRef State = processNewAllocation(
1707	Call, C,
1708	Family: (Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew));
1709	C.addTransition(State);
1710	}
1711	}
1712
1713	static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
1714	// If the first selector piece is one of the names below, assume that the
1715	// object takes ownership of the memory, promising to eventually deallocate it
1716	// with free().
1717	// Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1718	// (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1719	StringRef FirstSlot = Call.getSelector().getNameForSlot(argIndex: 0);
1720	return FirstSlot == "dataWithBytesNoCopy" ||
1721	FirstSlot == "initWithBytesNoCopy" ||
1722	FirstSlot == "initWithCharactersNoCopy";
1723	}
1724
1725	static std::optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) {
1726	Selector S = Call.getSelector();
1727
1728	// FIXME: We should not rely on fully-constrained symbols being folded.
1729	for (unsigned i = 1; i < S.getNumArgs(); ++i)
1730	if (S.getNameForSlot(argIndex: i).equals(RHS: "freeWhenDone"))
1731	return !Call.getArgSVal(Index: i).isZeroConstant();
1732
1733	return std::nullopt;
1734	}
1735
1736	void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1737	CheckerContext &C) const {
1738	if (C.wasInlined)
1739	return;
1740
1741	if (!isKnownDeallocObjCMethodName(Call))
1742	return;
1743
1744	if (std::optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1745	if (!*FreeWhenDone)
1746	return;
1747
1748	if (Call.hasNonZeroCallbackArg())
1749	return;
1750
1751	bool IsKnownToBeAllocatedMemory;
1752	ProgramStateRef State =
1753	FreeMemAux(C, ArgExpr: Call.getArgExpr(Index: 0), Call, State: C.getState(),
1754	/*Hold=*/true, IsKnownToBeAllocated&: IsKnownToBeAllocatedMemory, Family: AF_Malloc,
1755	/*ReturnsNullOnFailure=*/true);
1756
1757	C.addTransition(State);
1758	}
1759
1760	ProgramStateRef
1761	MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
1762	const OwnershipAttr *Att,
1763	ProgramStateRef State) const {
1764	if (!State)
1765	return nullptr;
1766
1767	if (Att->getModule()->getName() != "malloc")
1768	return nullptr;
1769
1770	if (!Att->args().empty()) {
1771	return MallocMemAux(C, Call,
1772	Call.getArgExpr(Index: Att->args_begin()->getASTIndex()),
1773	UndefinedVal(), State, AF_Malloc);
1774	}
1775	return MallocMemAux(C, Call, Size: UnknownVal(), Init: UndefinedVal(), State, Family: AF_Malloc);
1776	}
1777
1778	ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1779	const CallEvent &Call,
1780	const Expr *SizeEx, SVal Init,
1781	ProgramStateRef State,
1782	AllocationFamily Family) {
1783	if (!State)
1784	return nullptr;
1785
1786	assert(SizeEx);
1787	return MallocMemAux(C, Call, Size: C.getSVal(SizeEx), Init, State, Family);
1788	}
1789
1790	ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1791	const CallEvent &Call, SVal Size,
1792	SVal Init, ProgramStateRef State,
1793	AllocationFamily Family) {
1794	if (!State)
1795	return nullptr;
1796
1797	const Expr *CE = Call.getOriginExpr();
1798
1799	// We expect the malloc functions to return a pointer.
1800	if (!Loc::isLocType(T: CE->getType()))
1801	return nullptr;
1802
1803	// Bind the return value to the symbolic value from the heap region.
1804	// TODO: move use of this functions to an EvalCall callback, becasue
1805	// BindExpr() should'nt be used elsewhere.
1806	unsigned Count = C.blockCount();
1807	SValBuilder &SVB = C.getSValBuilder();
1808	const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1809	DefinedSVal RetVal =
1810	((Family == AF_Alloca) ? SVB.getAllocaRegionVal(E: CE, LCtx, Count)
1811	: SVB.getConjuredHeapSymbolVal(E: CE, LCtx, Count)
1812	.castAs<DefinedSVal>());
1813	State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1814
1815	// Fill the region with the initialization value.
1816	State = State->bindDefaultInitial(loc: RetVal, V: Init, LCtx);
1817
1818	// If Size is somehow undefined at this point, this line prevents a crash.
1819	if (Size.isUndef())
1820	Size = UnknownVal();
1821
1822	// Set the region's extent.
1823	State = setDynamicExtent(State, MR: RetVal.getAsRegion(),
1824	Extent: Size.castAs<DefinedOrUnknownSVal>(), SVB);
1825
1826	return MallocUpdateRefState(C, E: CE, State, Family);
1827	}
1828
1829	static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
1830	ProgramStateRef State,
1831	AllocationFamily Family,
1832	std::optional<SVal> RetVal) {
1833	if (!State)
1834	return nullptr;
1835
1836	// Get the return value.
1837	if (!RetVal)
1838	RetVal = C.getSVal(E);
1839
1840	// We expect the malloc functions to return a pointer.
1841	if (!RetVal->getAs<Loc>())
1842	return nullptr;
1843
1844	SymbolRef Sym = RetVal->getAsLocSymbol();
1845
1846	// This is a return value of a function that was not inlined, such as malloc()
1847	// or new(). We've checked that in the caller. Therefore, it must be a symbol.
1848	assert(Sym);
1849	// FIXME: In theory this assertion should fail for `alloca()` calls (because
1850	// `AllocaRegion`s are not symbolic); but in practice this does not happen.
1851	// As the current code appears to work correctly, I'm not touching this issue
1852	// now, but it would be good to investigate and clarify this.
1853	// Also note that perhaps the special `AllocaRegion` should be replaced by
1854	// `SymbolicRegion` (or turned into a subclass of `SymbolicRegion`) to enable
1855	// proper tracking of memory allocated by `alloca()` -- and after that change
1856	// this assertion would become valid again.
1857
1858	// Set the symbol's state to Allocated.
1859	return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1860	}
1861
1862	ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1863	const CallEvent &Call,
1864	const OwnershipAttr *Att,
1865	ProgramStateRef State) const {
1866	if (!State)
1867	return nullptr;
1868
1869	if (Att->getModule()->getName() != "malloc")
1870	return nullptr;
1871
1872	bool IsKnownToBeAllocated = false;
1873
1874	for (const auto &Arg : Att->args()) {
1875	ProgramStateRef StateI =
1876	FreeMemAux(C, Call, State, Arg.getASTIndex(),
1877	Att->getOwnKind() == OwnershipAttr::Holds,
1878	IsKnownToBeAllocated, AF_Malloc);
1879	if (StateI)
1880	State = StateI;
1881	}
1882	return State;
1883	}
1884
1885	ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1886	const CallEvent &Call,
1887	ProgramStateRef State, unsigned Num,
1888	bool Hold, bool &IsKnownToBeAllocated,
1889	AllocationFamily Family,
1890	bool ReturnsNullOnFailure) const {
1891	if (!State)
1892	return nullptr;
1893
1894	if (Call.getNumArgs() < (Num + 1))
1895	return nullptr;
1896
1897	return FreeMemAux(C, ArgExpr: Call.getArgExpr(Index: Num), Call, State, Hold,
1898	IsKnownToBeAllocated, Family, ReturnsNullOnFailure);
1899	}
1900
1901	/// Checks if the previous call to free on the given symbol failed - if free
1902	/// failed, returns true. Also, returns the corresponding return value symbol.
1903	static bool didPreviousFreeFail(ProgramStateRef State,
1904	SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1905	const SymbolRef *Ret = State->get<FreeReturnValue>(key: Sym);
1906	if (Ret) {
1907	assert(*Ret && "We should not store the null return symbol");
1908	ConstraintManager &CMgr = State->getConstraintManager();
1909	ConditionTruthVal FreeFailed = CMgr.isNull(State, Sym: *Ret);
1910	RetStatusSymbol = *Ret;
1911	return FreeFailed.isConstrainedTrue();
1912	}
1913	return false;
1914	}
1915
1916	static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E) {
1917	if (const CallExpr *CE = dyn_cast<CallExpr>(Val: E)) {
1918	// FIXME: This doesn't handle indirect calls.
1919	const FunctionDecl *FD = CE->getDirectCallee();
1920	if (!FD)
1921	return false;
1922
1923	os << *FD;
1924	if (!FD->isOverloadedOperator())
1925	os << "()";
1926	return true;
1927	}
1928
1929	if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(Val: E)) {
1930	if (Msg->isInstanceMessage())
1931	os << "-";
1932	else
1933	os << "+";
1934	Msg->getSelector().print(OS&: os);
1935	return true;
1936	}
1937
1938	if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(Val: E)) {
1939	os << "'"
1940	<< getOperatorSpelling(Operator: NE->getOperatorNew()->getOverloadedOperator())
1941	<< "'";
1942	return true;
1943	}
1944
1945	if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(Val: E)) {
1946	os << "'"
1947	<< getOperatorSpelling(Operator: DE->getOperatorDelete()->getOverloadedOperator())
1948	<< "'";
1949	return true;
1950	}
1951
1952	return false;
1953	}
1954
1955	static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family) {
1956
1957	switch(Family) {
1958	case AF_Malloc: os << "malloc()"; return;
1959	case AF_CXXNew: os << "'new'"; return;
1960	case AF_CXXNewArray: os << "'new[]'"; return;
1961	case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1962	case AF_InnerBuffer: os << "container-specific allocator"; return;
1963	case AF_Alloca:
1964	case AF_None: llvm_unreachable("not a deallocation expression");
1965	}
1966	}
1967
1968	static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) {
1969	switch(Family) {
1970	case AF_Malloc: os << "free()"; return;
1971	case AF_CXXNew: os << "'delete'"; return;
1972	case AF_CXXNewArray: os << "'delete[]'"; return;
1973	case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1974	case AF_InnerBuffer: os << "container-specific deallocator"; return;
1975	case AF_Alloca:
1976	case AF_None: llvm_unreachable("suspicious argument");
1977	}
1978	}
1979
1980	ProgramStateRef
1981	MallocChecker::FreeMemAux(CheckerContext &C, const Expr *ArgExpr,
1982	const CallEvent &Call, ProgramStateRef State,
1983	bool Hold, bool &IsKnownToBeAllocated,
1984	AllocationFamily Family, bool ReturnsNullOnFailure,
1985	std::optional<SVal> ArgValOpt) const {
1986
1987	if (!State)
1988	return nullptr;
1989
1990	SVal ArgVal = ArgValOpt.value_or(u: C.getSVal(ArgExpr));
1991	if (!isa<DefinedOrUnknownSVal>(Val: ArgVal))
1992	return nullptr;
1993	DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1994
1995	// Check for null dereferences.
1996	if (!isa<Loc>(Val: location))
1997	return nullptr;
1998
1999	// The explicit NULL case, no operation is performed.
2000	ProgramStateRef notNullState, nullState;
2001	std::tie(args&: notNullState, args&: nullState) = State->assume(Cond: location);
2002	if (nullState && !notNullState)
2003	return nullptr;
2004
2005	// Unknown values could easily be okay
2006	// Undefined values are handled elsewhere
2007	if (ArgVal.isUnknownOrUndef())
2008	return nullptr;
2009
2010	const MemRegion *R = ArgVal.getAsRegion();
2011	const Expr *ParentExpr = Call.getOriginExpr();
2012
2013	// NOTE: We detected a bug, but the checker under whose name we would emit the
2014	// error could be disabled. Generally speaking, the MallocChecker family is an
2015	// integral part of the Static Analyzer, and disabling any part of it should
2016	// only be done under exceptional circumstances, such as frequent false
2017	// positives. If this is the case, we can reasonably believe that there are
2018	// serious faults in our understanding of the source code, and even if we
2019	// don't emit an warning, we should terminate further analysis with a sink
2020	// node.
2021
2022	// Nonlocs can't be freed, of course.
2023	// Non-region locations (labels and fixed addresses) also shouldn't be freed.
2024	if (!R) {
2025	// Exception:
2026	// If the macro ZERO_SIZE_PTR is defined, this could be a kernel source
2027	// code. In that case, the ZERO_SIZE_PTR defines a special value used for a
2028	// zero-sized memory block which is allowed to be freed, despite not being a
2029	// null pointer.
2030	if (Family != AF_Malloc || !isArgZERO_SIZE_PTR(State, C, ArgVal))
2031	HandleNonHeapDealloc(C, ArgVal, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2032	Family);
2033	return nullptr;
2034	}
2035
2036	R = R->StripCasts();
2037
2038	// Blocks might show up as heap data, but should not be free()d
2039	if (isa<BlockDataRegion>(Val: R)) {
2040	HandleNonHeapDealloc(C, ArgVal, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2041	Family);
2042	return nullptr;
2043	}
2044
2045	const MemSpaceRegion *MS = R->getMemorySpace();
2046
2047	// Parameters, locals, statics, globals, and memory returned by
2048	// __builtin_alloca() shouldn't be freed.
2049	if (!isa<UnknownSpaceRegion, HeapSpaceRegion>(Val: MS)) {
2050	// Regions returned by malloc() are represented by SymbolicRegion objects
2051	// within HeapSpaceRegion. Of course, free() can work on memory allocated
2052	// outside the current function, so UnknownSpaceRegion is also a
2053	// possibility here.
2054
2055	if (isa<AllocaRegion>(Val: R))
2056	HandleFreeAlloca(C, ArgVal, Range: ArgExpr->getSourceRange());
2057	else
2058	HandleNonHeapDealloc(C, ArgVal, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2059	Family);
2060
2061	return nullptr;
2062	}
2063
2064	const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(Val: R->getBaseRegion());
2065	// Various cases could lead to non-symbol values here.
2066	// For now, ignore them.
2067	if (!SrBase)
2068	return nullptr;
2069
2070	SymbolRef SymBase = SrBase->getSymbol();
2071	const RefState *RsBase = State->get<RegionState>(key: SymBase);
2072	SymbolRef PreviousRetStatusSymbol = nullptr;
2073
2074	IsKnownToBeAllocated =
2075	RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero());
2076
2077	if (RsBase) {
2078
2079	// Memory returned by alloca() shouldn't be freed.
2080	if (RsBase->getAllocationFamily() == AF_Alloca) {
2081	HandleFreeAlloca(C, ArgVal, Range: ArgExpr->getSourceRange());
2082	return nullptr;
2083	}
2084
2085	// Check for double free first.
2086	if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
2087	!didPreviousFreeFail(State, Sym: SymBase, RetStatusSymbol&: PreviousRetStatusSymbol)) {
2088	HandleDoubleFree(C, Range: ParentExpr->getSourceRange(), Released: RsBase->isReleased(),
2089	Sym: SymBase, PrevSym: PreviousRetStatusSymbol);
2090	return nullptr;
2091
2092	// If the pointer is allocated or escaped, but we are now trying to free it,
2093	// check that the call to free is proper.
2094	} else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
2095	RsBase->isEscaped()) {
2096
2097	// Check if an expected deallocation function matches the real one.
2098	bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family;
2099	if (!DeallocMatchesAlloc) {
2100	HandleMismatchedDealloc(C, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2101	RS: RsBase, Sym: SymBase, OwnershipTransferred: Hold);
2102	return nullptr;
2103	}
2104
2105	// Check if the memory location being freed is the actual location
2106	// allocated, or an offset.
2107	RegionOffset Offset = R->getAsOffset();
2108	if (Offset.isValid() &&
2109	!Offset.hasSymbolicOffset() &&
2110	Offset.getOffset() != 0) {
2111	const Expr *AllocExpr = cast<Expr>(Val: RsBase->getStmt());
2112	HandleOffsetFree(C, ArgVal, Range: ArgExpr->getSourceRange(), DeallocExpr: ParentExpr,
2113	Family, AllocExpr);
2114	return nullptr;
2115	}
2116	}
2117	}
2118
2119	if (SymBase->getType()->isFunctionPointerType()) {
2120	HandleFunctionPtrFree(C, ArgVal, Range: ArgExpr->getSourceRange(), FreeExpr: ParentExpr,
2121	Family);
2122	return nullptr;
2123	}
2124
2125	// Clean out the info on previous call to free return info.
2126	State = State->remove<FreeReturnValue>(K: SymBase);
2127
2128	// Keep track of the return value. If it is NULL, we will know that free
2129	// failed.
2130	if (ReturnsNullOnFailure) {
2131	SVal RetVal = C.getSVal(ParentExpr);
2132	SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
2133	if (RetStatusSymbol) {
2134	C.getSymbolManager().addSymbolDependency(Primary: SymBase, Dependent: RetStatusSymbol);
2135	State = State->set<FreeReturnValue>(K: SymBase, E: RetStatusSymbol);
2136	}
2137	}
2138
2139	// If we don't know anything about this symbol, a free on it may be totally
2140	// valid. If this is the case, lets assume that the allocation family of the
2141	// freeing function is the same as the symbols allocation family, and go with
2142	// that.
2143	assert(!RsBase || (RsBase && RsBase->getAllocationFamily() == Family));
2144
2145	// Normal free.
2146	if (Hold)
2147	return State->set<RegionState>(SymBase,
2148	RefState::getRelinquished(Family,
2149	ParentExpr));
2150
2151	return State->set<RegionState>(SymBase,
2152	RefState::getReleased(Family, ParentExpr));
2153	}
2154
2155	std::optional<MallocChecker::CheckKind>
2156	MallocChecker::getCheckIfTracked(AllocationFamily Family,
2157	bool IsALeakCheck) const {
2158	switch (Family) {
2159	case AF_Malloc:
2160	case AF_Alloca:
2161	case AF_IfNameIndex: {
2162	if (ChecksEnabled[CK_MallocChecker])
2163	return CK_MallocChecker;
2164	return std::nullopt;
2165	}
2166	case AF_CXXNew:
2167	case AF_CXXNewArray: {
2168	if (IsALeakCheck) {
2169	if (ChecksEnabled[CK_NewDeleteLeaksChecker])
2170	return CK_NewDeleteLeaksChecker;
2171	}
2172	else {
2173	if (ChecksEnabled[CK_NewDeleteChecker])
2174	return CK_NewDeleteChecker;
2175	}
2176	return std::nullopt;
2177	}
2178	case AF_InnerBuffer: {
2179	if (ChecksEnabled[CK_InnerPointerChecker])
2180	return CK_InnerPointerChecker;
2181	return std::nullopt;
2182	}
2183	case AF_None: {
2184	llvm_unreachable("no family");
2185	}
2186	}
2187	llvm_unreachable("unhandled family");
2188	}
2189
2190	std::optional<MallocChecker::CheckKind>
2191	MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
2192	bool IsALeakCheck) const {
2193	if (C.getState()->contains<ReallocSizeZeroSymbols>(key: Sym))
2194	return CK_MallocChecker;
2195
2196	const RefState *RS = C.getState()->get<RegionState>(key: Sym);
2197	assert(RS);
2198	return getCheckIfTracked(Family: RS->getAllocationFamily(), IsALeakCheck);
2199	}
2200
2201	bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
2202	if (std::optional<nonloc::ConcreteInt> IntVal =
2203	V.getAs<nonloc::ConcreteInt>())
2204	os << "an integer (" << IntVal->getValue() << ")";
2205	else if (std::optional<loc::ConcreteInt> ConstAddr =
2206	V.getAs<loc::ConcreteInt>())
2207	os << "a constant address (" << ConstAddr->getValue() << ")";
2208	else if (std::optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
2209	os << "the address of the label '" << Label->getLabel()->getName() << "'";
2210	else
2211	return false;
2212
2213	return true;
2214	}
2215
2216	bool MallocChecker::SummarizeRegion(raw_ostream &os,
2217	const MemRegion *MR) {
2218	switch (MR->getKind()) {
2219	case MemRegion::FunctionCodeRegionKind: {
2220	const NamedDecl *FD = cast<FunctionCodeRegion>(Val: MR)->getDecl();
2221	if (FD)
2222	os << "the address of the function '" << *FD << '\'';
2223	else
2224	os << "the address of a function";
2225	return true;
2226	}
2227	case MemRegion::BlockCodeRegionKind:
2228	os << "block text";
2229	return true;
2230	case MemRegion::BlockDataRegionKind:
2231	// FIXME: where the block came from?
2232	os << "a block";
2233	return true;
2234	default: {
2235	const MemSpaceRegion *MS = MR->getMemorySpace();
2236
2237	if (isa<StackLocalsSpaceRegion>(Val: MS)) {
2238	const VarRegion *VR = dyn_cast<VarRegion>(Val: MR);
2239	const VarDecl *VD;
2240	if (VR)
2241	VD = VR->getDecl();
2242	else
2243	VD = nullptr;
2244
2245	if (VD)
2246	os << "the address of the local variable '" << VD->getName() << "'";
2247	else
2248	os << "the address of a local stack variable";
2249	return true;
2250	}
2251
2252	if (isa<StackArgumentsSpaceRegion>(Val: MS)) {
2253	const VarRegion *VR = dyn_cast<VarRegion>(Val: MR);
2254	const VarDecl *VD;
2255	if (VR)
2256	VD = VR->getDecl();
2257	else
2258	VD = nullptr;
2259
2260	if (VD)
2261	os << "the address of the parameter '" << VD->getName() << "'";
2262	else
2263	os << "the address of a parameter";
2264	return true;
2265	}
2266
2267	if (isa<GlobalsSpaceRegion>(Val: MS)) {
2268	const VarRegion *VR = dyn_cast<VarRegion>(Val: MR);
2269	const VarDecl *VD;
2270	if (VR)
2271	VD = VR->getDecl();
2272	else
2273	VD = nullptr;
2274
2275	if (VD) {
2276	if (VD->isStaticLocal())
2277	os << "the address of the static variable '" << VD->getName() << "'";
2278	else
2279	os << "the address of the global variable '" << VD->getName() << "'";
2280	} else
2281	os << "the address of a global variable";
2282	return true;
2283	}
2284
2285	return false;
2286	}
2287	}
2288	}
2289
2290	void MallocChecker::HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal,
2291	SourceRange Range,
2292	const Expr *DeallocExpr,
2293	AllocationFamily Family) const {
2294
2295	if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2296	C.addSink();
2297	return;
2298	}
2299
2300	std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2301	if (!CheckKind)
2302	return;
2303
2304	if (ExplodedNode *N = C.generateErrorNode()) {
2305	if (!BT_BadFree[*CheckKind])
2306	BT_BadFree[*CheckKind].reset(p: new BugType(
2307	CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2308
2309	SmallString<100> buf;
2310	llvm::raw_svector_ostream os(buf);
2311
2312	const MemRegion *MR = ArgVal.getAsRegion();
2313	while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(Val: MR))
2314	MR = ER->getSuperRegion();
2315
2316	os << "Argument to ";
2317	if (!printMemFnName(os, C, E: DeallocExpr))
2318	os << "deallocator";
2319
2320	os << " is ";
2321	bool Summarized = MR ? SummarizeRegion(os, MR)
2322	: SummarizeValue(os, V: ArgVal);
2323	if (Summarized)
2324	os << ", which is not memory allocated by ";
2325	else
2326	os << "not memory allocated by ";
2327
2328	printExpectedAllocName(os, Family);
2329
2330	auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT_BadFree[*CheckKind],
2331	args: os.str(), args&: N);
2332	R->markInteresting(R: MR);
2333	R->addRange(R: Range);
2334	C.emitReport(R: std::move(R));
2335	}
2336	}
2337
2338	void MallocChecker::HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
2339	SourceRange Range) const {
2340
2341	std::optional<MallocChecker::CheckKind> CheckKind;
2342
2343	if (ChecksEnabled[CK_MallocChecker])
2344	CheckKind = CK_MallocChecker;
2345	else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
2346	CheckKind = CK_MismatchedDeallocatorChecker;
2347	else {
2348	C.addSink();
2349	return;
2350	}
2351
2352	if (ExplodedNode *N = C.generateErrorNode()) {
2353	if (!BT_FreeAlloca[*CheckKind])
2354	BT_FreeAlloca[*CheckKind].reset(p: new BugType(
2355	CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
2356
2357	auto R = std::make_unique<PathSensitiveBugReport>(
2358	args&: *BT_FreeAlloca[*CheckKind],
2359	args: "Memory allocated by alloca() should not be deallocated", args&: N);
2360	R->markInteresting(R: ArgVal.getAsRegion());
2361	R->addRange(R: Range);
2362	C.emitReport(R: std::move(R));
2363	}
2364	}
2365
2366	void MallocChecker::HandleMismatchedDealloc(CheckerContext &C,
2367	SourceRange Range,
2368	const Expr *DeallocExpr,
2369	const RefState *RS, SymbolRef Sym,
2370	bool OwnershipTransferred) const {
2371
2372	if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
2373	C.addSink();
2374	return;
2375	}
2376
2377	if (ExplodedNode *N = C.generateErrorNode()) {
2378	if (!BT_MismatchedDealloc)
2379	BT_MismatchedDealloc.reset(
2380	p: new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
2381	"Bad deallocator", categories::MemoryError));
2382
2383	SmallString<100> buf;
2384	llvm::raw_svector_ostream os(buf);
2385
2386	const Expr *AllocExpr = cast<Expr>(Val: RS->getStmt());
2387	SmallString<20> AllocBuf;
2388	llvm::raw_svector_ostream AllocOs(AllocBuf);
2389	SmallString<20> DeallocBuf;
2390	llvm::raw_svector_ostream DeallocOs(DeallocBuf);
2391
2392	if (OwnershipTransferred) {
2393	if (printMemFnName(os&: DeallocOs, C, E: DeallocExpr))
2394	os << DeallocOs.str() << " cannot";
2395	else
2396	os << "Cannot";
2397
2398	os << " take ownership of memory";
2399
2400	if (printMemFnName(os&: AllocOs, C, E: AllocExpr))
2401	os << " allocated by " << AllocOs.str();
2402	} else {
2403	os << "Memory";
2404	if (printMemFnName(os&: AllocOs, C, E: AllocExpr))
2405	os << " allocated by " << AllocOs.str();
2406
2407	os << " should be deallocated by ";
2408	printExpectedDeallocName(os, Family: RS->getAllocationFamily());
2409
2410	if (printMemFnName(os&: DeallocOs, C, E: DeallocExpr))
2411	os << ", not " << DeallocOs.str();
2412	}
2413
2414	auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT_MismatchedDealloc,
2415	args: os.str(), args&: N);
2416	R->markInteresting(sym: Sym);
2417	R->addRange(R: Range);
2418	R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2419	C.emitReport(R: std::move(R));
2420	}
2421	}
2422
2423	void MallocChecker::HandleOffsetFree(CheckerContext &C, SVal ArgVal,
2424	SourceRange Range, const Expr *DeallocExpr,
2425	AllocationFamily Family,
2426	const Expr *AllocExpr) const {
2427
2428	if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2429	C.addSink();
2430	return;
2431	}
2432
2433	std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2434	if (!CheckKind)
2435	return;
2436
2437	ExplodedNode *N = C.generateErrorNode();
2438	if (!N)
2439	return;
2440
2441	if (!BT_OffsetFree[*CheckKind])
2442	BT_OffsetFree[*CheckKind].reset(p: new BugType(
2443	CheckNames[*CheckKind], "Offset free", categories::MemoryError));
2444
2445	SmallString<100> buf;
2446	llvm::raw_svector_ostream os(buf);
2447	SmallString<20> AllocNameBuf;
2448	llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
2449
2450	const MemRegion *MR = ArgVal.getAsRegion();
2451	assert(MR && "Only MemRegion based symbols can have offset free errors");
2452
2453	RegionOffset Offset = MR->getAsOffset();
2454	assert((Offset.isValid() &&
2455	!Offset.hasSymbolicOffset() &&
2456	Offset.getOffset() != 0) &&
2457	"Only symbols with a valid offset can have offset free errors");
2458
2459	int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
2460
2461	os << "Argument to ";
2462	if (!printMemFnName(os, C, E: DeallocExpr))
2463	os << "deallocator";
2464	os << " is offset by "
2465	<< offsetBytes
2466	<< " "
2467	<< ((abs(x: offsetBytes) > 1) ? "bytes" : "byte")
2468	<< " from the start of ";
2469	if (AllocExpr && printMemFnName(os&: AllocNameOs, C, E: AllocExpr))
2470	os << "memory allocated by " << AllocNameOs.str();
2471	else
2472	os << "allocated memory";
2473
2474	auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT_OffsetFree[*CheckKind],
2475	args: os.str(), args&: N);
2476	R->markInteresting(R: MR->getBaseRegion());
2477	R->addRange(R: Range);
2478	C.emitReport(R: std::move(R));
2479	}
2480
2481	void MallocChecker::HandleUseAfterFree(CheckerContext &C, SourceRange Range,
2482	SymbolRef Sym) const {
2483
2484	if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker] &&
2485	!ChecksEnabled[CK_InnerPointerChecker]) {
2486	C.addSink();
2487	return;
2488	}
2489
2490	std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2491	if (!CheckKind)
2492	return;
2493
2494	if (ExplodedNode *N = C.generateErrorNode()) {
2495	if (!BT_UseFree[*CheckKind])
2496	BT_UseFree[*CheckKind].reset(p: new BugType(
2497	CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
2498
2499	AllocationFamily AF =
2500	C.getState()->get<RegionState>(key: Sym)->getAllocationFamily();
2501
2502	auto R = std::make_unique<PathSensitiveBugReport>(
2503	args&: *BT_UseFree[*CheckKind],
2504	args: AF == AF_InnerBuffer
2505	? "Inner pointer of container used after re/deallocation"
2506	: "Use of memory after it is freed",
2507	args&: N);
2508
2509	R->markInteresting(sym: Sym);
2510	R->addRange(R: Range);
2511	R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2512
2513	if (AF == AF_InnerBuffer)
2514	R->addVisitor(visitor: allocation_state::getInnerPointerBRVisitor(Sym));
2515
2516	C.emitReport(R: std::move(R));
2517	}
2518	}
2519
2520	void MallocChecker::HandleDoubleFree(CheckerContext &C, SourceRange Range,
2521	bool Released, SymbolRef Sym,
2522	SymbolRef PrevSym) const {
2523
2524	if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2525	C.addSink();
2526	return;
2527	}
2528
2529	std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2530	if (!CheckKind)
2531	return;
2532
2533	if (ExplodedNode *N = C.generateErrorNode()) {
2534	if (!BT_DoubleFree[*CheckKind])
2535	BT_DoubleFree[*CheckKind].reset(p: new BugType(
2536	CheckNames[*CheckKind], "Double free", categories::MemoryError));
2537
2538	auto R = std::make_unique<PathSensitiveBugReport>(
2539	args&: *BT_DoubleFree[*CheckKind],
2540	args: (Released ? "Attempt to free released memory"
2541	: "Attempt to free non-owned memory"),
2542	args&: N);
2543	R->addRange(R: Range);
2544	R->markInteresting(sym: Sym);
2545	if (PrevSym)
2546	R->markInteresting(sym: PrevSym);
2547	R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2548	C.emitReport(R: std::move(R));
2549	}
2550	}
2551
2552	void MallocChecker::HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2553
2554	if (!ChecksEnabled[CK_NewDeleteChecker]) {
2555	C.addSink();
2556	return;
2557	}
2558
2559	std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2560	if (!CheckKind)
2561	return;
2562
2563	if (ExplodedNode *N = C.generateErrorNode()) {
2564	if (!BT_DoubleDelete)
2565	BT_DoubleDelete.reset(p: new BugType(CheckNames[CK_NewDeleteChecker],
2566	"Double delete",
2567	categories::MemoryError));
2568
2569	auto R = std::make_unique<PathSensitiveBugReport>(
2570	args&: *BT_DoubleDelete, args: "Attempt to delete released memory", args&: N);
2571
2572	R->markInteresting(sym: Sym);
2573	R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2574	C.emitReport(R: std::move(R));
2575	}
2576	}
2577
2578	void MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
2579	SymbolRef Sym) const {
2580
2581	if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
2582	C.addSink();
2583	return;
2584	}
2585
2586	std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2587
2588	if (!CheckKind)
2589	return;
2590
2591	if (ExplodedNode *N = C.generateErrorNode()) {
2592	if (!BT_UseZerroAllocated[*CheckKind])
2593	BT_UseZerroAllocated[*CheckKind].reset(
2594	p: new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2595	categories::MemoryError));
2596
2597	auto R = std::make_unique<PathSensitiveBugReport>(
2598	args&: *BT_UseZerroAllocated[*CheckKind],
2599	args: "Use of memory allocated with size zero", args&: N);
2600
2601	R->addRange(R: Range);
2602	if (Sym) {
2603	R->markInteresting(sym: Sym);
2604	R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym);
2605	}
2606	C.emitReport(R: std::move(R));
2607	}
2608	}
2609
2610	void MallocChecker::HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal,
2611	SourceRange Range,
2612	const Expr *FreeExpr,
2613	AllocationFamily Family) const {
2614	if (!ChecksEnabled[CK_MallocChecker]) {
2615	C.addSink();
2616	return;
2617	}
2618
2619	std::optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
2620	if (!CheckKind)
2621	return;
2622
2623	if (ExplodedNode *N = C.generateErrorNode()) {
2624	if (!BT_BadFree[*CheckKind])
2625	BT_BadFree[*CheckKind].reset(p: new BugType(
2626	CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2627
2628	SmallString<100> Buf;
2629	llvm::raw_svector_ostream Os(Buf);
2630
2631	const MemRegion *MR = ArgVal.getAsRegion();
2632	while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(Val: MR))
2633	MR = ER->getSuperRegion();
2634
2635	Os << "Argument to ";
2636	if (!printMemFnName(os&: Os, C, E: FreeExpr))
2637	Os << "deallocator";
2638
2639	Os << " is a function pointer";
2640
2641	auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT_BadFree[*CheckKind],
2642	args: Os.str(), args&: N);
2643	R->markInteresting(R: MR);
2644	R->addRange(R: Range);
2645	C.emitReport(R: std::move(R));
2646	}
2647	}
2648
2649	ProgramStateRef
2650	MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
2651	bool ShouldFreeOnFail, ProgramStateRef State,
2652	AllocationFamily Family, bool SuffixWithN) const {
2653	if (!State)
2654	return nullptr;
2655
2656	const CallExpr *CE = cast<CallExpr>(Val: Call.getOriginExpr());
2657
2658	if (SuffixWithN && CE->getNumArgs() < 3)
2659	return nullptr;
2660	else if (CE->getNumArgs() < 2)
2661	return nullptr;
2662
2663	const Expr *arg0Expr = CE->getArg(Arg: 0);
2664	SVal Arg0Val = C.getSVal(arg0Expr);
2665	if (!isa<DefinedOrUnknownSVal>(Val: Arg0Val))
2666	return nullptr;
2667	DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2668
2669	SValBuilder &svalBuilder = C.getSValBuilder();
2670
2671	DefinedOrUnknownSVal PtrEQ = svalBuilder.evalEQ(
2672	state: State, lhs: arg0Val, rhs: svalBuilder.makeNullWithType(type: arg0Expr->getType()));
2673
2674	// Get the size argument.
2675	const Expr *Arg1 = CE->getArg(Arg: 1);
2676
2677	// Get the value of the size argument.
2678	SVal TotalSize = C.getSVal(Arg1);
2679	if (SuffixWithN)
2680	TotalSize = evalMulForBufferSize(C, Blocks: Arg1, BlockBytes: CE->getArg(Arg: 2));
2681	if (!isa<DefinedOrUnknownSVal>(Val: TotalSize))
2682	return nullptr;
2683
2684	// Compare the size argument to 0.
2685	DefinedOrUnknownSVal SizeZero =
2686	svalBuilder.evalEQ(state: State, lhs: TotalSize.castAs<DefinedOrUnknownSVal>(),
2687	rhs: svalBuilder.makeIntValWithWidth(
2688	ptrType: svalBuilder.getContext().getSizeType(), integer: 0));
2689
2690	ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2691	std::tie(args&: StatePtrIsNull, args&: StatePtrNotNull) = State->assume(Cond: PtrEQ);
2692	ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2693	std::tie(args&: StateSizeIsZero, args&: StateSizeNotZero) = State->assume(Cond: SizeZero);
2694	// We only assume exceptional states if they are definitely true; if the
2695	// state is under-constrained, assume regular realloc behavior.
2696	bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2697	bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2698
2699	// If the ptr is NULL and the size is not 0, the call is equivalent to
2700	// malloc(size).
2701	if (PrtIsNull && !SizeIsZero) {
2702	ProgramStateRef stateMalloc = MallocMemAux(
2703	C, Call, Size: TotalSize, Init: UndefinedVal(), State: StatePtrIsNull, Family);
2704	return stateMalloc;
2705	}
2706
2707	if (PrtIsNull && SizeIsZero)
2708	return State;
2709
2710	assert(!PrtIsNull);
2711
2712	bool IsKnownToBeAllocated = false;
2713
2714	// If the size is 0, free the memory.
2715	if (SizeIsZero)
2716	// The semantics of the return value are:
2717	// If size was equal to 0, either NULL or a pointer suitable to be passed
2718	// to free() is returned. We just free the input pointer and do not add
2719	// any constrains on the output pointer.
2720	if (ProgramStateRef stateFree = FreeMemAux(
2721	C, Call, State: StateSizeIsZero, Num: 0, Hold: false, IsKnownToBeAllocated, Family))
2722	return stateFree;
2723
2724	// Default behavior.
2725	if (ProgramStateRef stateFree =
2726	FreeMemAux(C, Call, State, Num: 0, Hold: false, IsKnownToBeAllocated, Family)) {
2727
2728	ProgramStateRef stateRealloc =
2729	MallocMemAux(C, Call, Size: TotalSize, Init: UnknownVal(), State: stateFree, Family);
2730	if (!stateRealloc)
2731	return nullptr;
2732
2733	OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;
2734	if (ShouldFreeOnFail)
2735	Kind = OAR_FreeOnFailure;
2736	else if (!IsKnownToBeAllocated)
2737	Kind = OAR_DoNotTrackAfterFailure;
2738
2739	// Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2740	SymbolRef FromPtr = arg0Val.getLocSymbolInBase();
2741	SVal RetVal = C.getSVal(CE);
2742	SymbolRef ToPtr = RetVal.getAsSymbol();
2743	assert(FromPtr && ToPtr &&
2744	"By this point, FreeMemAux and MallocMemAux should have checked "
2745	"whether the argument or the return value is symbolic!");
2746
2747	// Record the info about the reallocated symbol so that we could properly
2748	// process failed reallocation.
2749	stateRealloc = stateRealloc->set<ReallocPairs>(K: ToPtr,
2750	E: ReallocPair(FromPtr, Kind));
2751	// The reallocated symbol should stay alive for as long as the new symbol.
2752	C.getSymbolManager().addSymbolDependency(Primary: ToPtr, Dependent: FromPtr);
2753	return stateRealloc;
2754	}
2755	return nullptr;
2756	}
2757
2758	ProgramStateRef MallocChecker::CallocMem(CheckerContext &C,
2759	const CallEvent &Call,
2760	ProgramStateRef State) {
2761	if (!State)
2762	return nullptr;
2763
2764	if (Call.getNumArgs() < 2)
2765	return nullptr;
2766
2767	SValBuilder &svalBuilder = C.getSValBuilder();
2768	SVal zeroVal = svalBuilder.makeZeroVal(type: svalBuilder.getContext().CharTy);
2769	SVal TotalSize =
2770	evalMulForBufferSize(C, Blocks: Call.getArgExpr(Index: 0), BlockBytes: Call.getArgExpr(Index: 1));
2771
2772	return MallocMemAux(C, Call, Size: TotalSize, Init: zeroVal, State, Family: AF_Malloc);
2773	}
2774
2775	MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N,
2776	SymbolRef Sym,
2777	CheckerContext &C) {
2778	const LocationContext *LeakContext = N->getLocationContext();
2779	// Walk the ExplodedGraph backwards and find the first node that referred to
2780	// the tracked symbol.
2781	const ExplodedNode *AllocNode = N;
2782	const MemRegion *ReferenceRegion = nullptr;
2783
2784	while (N) {
2785	ProgramStateRef State = N->getState();
2786	if (!State->get<RegionState>(key: Sym))
2787	break;
2788
2789	// Find the most recent expression bound to the symbol in the current
2790	// context.
2791	if (!ReferenceRegion) {
2792	if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2793	SVal Val = State->getSVal(R: MR);
2794	if (Val.getAsLocSymbol() == Sym) {
2795	const VarRegion *VR = MR->getBaseRegion()->getAs<VarRegion>();
2796	// Do not show local variables belonging to a function other than
2797	// where the error is reported.
2798	if (!VR || (VR->getStackFrame() == LeakContext->getStackFrame()))
2799	ReferenceRegion = MR;
2800	}
2801	}
2802	}
2803
2804	// Allocation node, is the last node in the current or parent context in
2805	// which the symbol was tracked.
2806	const LocationContext *NContext = N->getLocationContext();
2807	if (NContext == LeakContext ||
2808	NContext->isParentOf(LC: LeakContext))
2809	AllocNode = N;
2810	N = N->pred_empty() ? nullptr : *(N->pred_begin());
2811	}
2812
2813	return LeakInfo(AllocNode, ReferenceRegion);
2814	}
2815
2816	void MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N,
2817	CheckerContext &C) const {
2818
2819	if (!ChecksEnabled[CK_MallocChecker] &&
2820	!ChecksEnabled[CK_NewDeleteLeaksChecker])
2821	return;
2822
2823	const RefState *RS = C.getState()->get<RegionState>(key: Sym);
2824	assert(RS && "cannot leak an untracked symbol");
2825	AllocationFamily Family = RS->getAllocationFamily();
2826
2827	if (Family == AF_Alloca)
2828	return;
2829
2830	std::optional<MallocChecker::CheckKind> CheckKind =
2831	getCheckIfTracked(Family, IsALeakCheck: true);
2832
2833	if (!CheckKind)
2834	return;
2835
2836	assert(N);
2837	if (!BT_Leak[*CheckKind]) {
2838	// Leaks should not be reported if they are post-dominated by a sink:
2839	// (1) Sinks are higher importance bugs.
2840	// (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2841	// with __noreturn functions such as assert() or exit(). We choose not
2842	// to report leaks on such paths.
2843	BT_Leak[*CheckKind].reset(p: new BugType(CheckNames[*CheckKind], "Memory leak",
2844	categories::MemoryError,
2845	/*SuppressOnSink=*/true));
2846	}
2847
2848	// Most bug reports are cached at the location where they occurred.
2849	// With leaks, we want to unique them by the location where they were
2850	// allocated, and only report a single path.
2851	PathDiagnosticLocation LocUsedForUniqueing;
2852	const ExplodedNode *AllocNode = nullptr;
2853	const MemRegion *Region = nullptr;
2854	std::tie(args&: AllocNode, args&: Region) = getAllocationSite(N, Sym, C);
2855
2856	const Stmt *AllocationStmt = AllocNode->getStmtForDiagnostics();
2857	if (AllocationStmt)
2858	LocUsedForUniqueing = PathDiagnosticLocation::createBegin(S: AllocationStmt,
2859	SM: C.getSourceManager(),
2860	LAC: AllocNode->getLocationContext());
2861
2862	SmallString<200> buf;
2863	llvm::raw_svector_ostream os(buf);
2864	if (Region && Region->canPrintPretty()) {
2865	os << "Potential leak of memory pointed to by ";
2866	Region->printPretty(os);
2867	} else {
2868	os << "Potential memory leak";
2869	}
2870
2871	auto R = std::make_unique<PathSensitiveBugReport>(
2872	args&: *BT_Leak[*CheckKind], args: os.str(), args&: N, args&: LocUsedForUniqueing,
2873	args: AllocNode->getLocationContext()->getDecl());
2874	R->markInteresting(sym: Sym);
2875	R->addVisitor<MallocBugVisitor>(ConstructorArgs&: Sym, ConstructorArgs: true);
2876	if (ShouldRegisterNoOwnershipChangeVisitor)
2877	R->addVisitor<NoOwnershipChangeVisitor>(ConstructorArgs&: Sym, ConstructorArgs: this);
2878	C.emitReport(R: std::move(R));
2879	}
2880
2881	void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2882	CheckerContext &C) const
2883	{
2884	ProgramStateRef state = C.getState();
2885	RegionStateTy OldRS = state->get<RegionState>();
2886	RegionStateTy::Factory &F = state->get_context<RegionState>();
2887
2888	RegionStateTy RS = OldRS;
2889	SmallVector<SymbolRef, 2> Errors;
2890	for (auto [Sym, State] : RS) {
2891	if (SymReaper.isDead(sym: Sym)) {
2892	if (State.isAllocated() || State.isAllocatedOfSizeZero())
2893	Errors.push_back(Elt: Sym);
2894	// Remove the dead symbol from the map.
2895	RS = F.remove(Old: RS, K: Sym);
2896	}
2897	}
2898
2899	if (RS == OldRS) {
2900	// We shouldn't have touched other maps yet.
2901	assert(state->get<ReallocPairs>() ==
2902	C.getState()->get<ReallocPairs>());
2903	assert(state->get<FreeReturnValue>() ==
2904	C.getState()->get<FreeReturnValue>());
2905	return;
2906	}
2907
2908	// Cleanup the Realloc Pairs Map.
2909	ReallocPairsTy RP = state->get<ReallocPairs>();
2910	for (auto [Sym, ReallocPair] : RP) {
2911	if (SymReaper.isDead(sym: Sym) || SymReaper.isDead(sym: ReallocPair.ReallocatedSym)) {
2912	state = state->remove<ReallocPairs>(K: Sym);
2913	}
2914	}
2915
2916	// Cleanup the FreeReturnValue Map.
2917	FreeReturnValueTy FR = state->get<FreeReturnValue>();
2918	for (auto [Sym, RetSym] : FR) {
2919	if (SymReaper.isDead(sym: Sym) || SymReaper.isDead(sym: RetSym)) {
2920	state = state->remove<FreeReturnValue>(K: Sym);
2921	}
2922	}
2923
2924	// Generate leak node.
2925	ExplodedNode *N = C.getPredecessor();
2926	if (!Errors.empty()) {
2927	static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2928	N = C.generateNonFatalErrorNode(State: C.getState(), Tag: &Tag);
2929	if (N) {
2930	for (SymbolRef Sym : Errors) {
2931	HandleLeak(Sym, N, C);
2932	}
2933	}
2934	}
2935
2936	C.addTransition(State: state->set<RegionState>(RS), Pred: N);
2937	}
2938
2939	void MallocChecker::checkPreCall(const CallEvent &Call,
2940	CheckerContext &C) const {
2941
2942	if (const auto *DC = dyn_cast<CXXDeallocatorCall>(Val: &Call)) {
2943	const CXXDeleteExpr *DE = DC->getOriginExpr();
2944
2945	if (!ChecksEnabled[CK_NewDeleteChecker])
2946	if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
2947	checkUseAfterFree(Sym, C, DE->getArgument());
2948
2949	if (!isStandardNewDelete(FD: DC->getDecl()))
2950	return;
2951
2952	ProgramStateRef State = C.getState();
2953	bool IsKnownToBeAllocated;
2954	State = FreeMemAux(C, ArgExpr: DE->getArgument(), Call, State,
2955	/*Hold*/ false, IsKnownToBeAllocated,
2956	Family: (DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew));
2957
2958	C.addTransition(State);
2959	return;
2960	}
2961
2962	if (const auto *DC = dyn_cast<CXXDestructorCall>(Val: &Call)) {
2963	SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2964	if (!Sym || checkDoubleDelete(Sym, C))
2965	return;
2966	}
2967
2968	// We need to handle getline pre-conditions here before the pointed region
2969	// gets invalidated by StreamChecker
2970	if (const auto *PreFN = PreFnMap.lookup(Call)) {
2971	(*PreFN)(this, Call, C);
2972	return;
2973	}
2974
2975	// We will check for double free in the post visit.
2976	if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(Val: &Call)) {
2977	const FunctionDecl *FD = FC->getDecl();
2978	if (!FD)
2979	return;
2980
2981	if (ChecksEnabled[CK_MallocChecker] && isFreeingCall(Call))
2982	return;
2983	}
2984
2985	// Check if the callee of a method is deleted.
2986	if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(Val: &Call)) {
2987	SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2988	if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2989	return;
2990	}
2991
2992	// Check arguments for being used after free.
2993	for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2994	SVal ArgSVal = Call.getArgSVal(Index: I);
2995	if (isa<Loc>(Val: ArgSVal)) {
2996	SymbolRef Sym = ArgSVal.getAsSymbol();
2997	if (!Sym)
2998	continue;
2999	if (checkUseAfterFree(Sym, C, Call.getArgExpr(Index: I)))
3000	return;
3001	}
3002	}
3003	}
3004
3005	void MallocChecker::checkPreStmt(const ReturnStmt *S,
3006	CheckerContext &C) const {
3007	checkEscapeOnReturn(S, C);
3008	}
3009
3010	// In the CFG, automatic destructors come after the return statement.
3011	// This callback checks for returning memory that is freed by automatic
3012	// destructors, as those cannot be reached in checkPreStmt().
3013	void MallocChecker::checkEndFunction(const ReturnStmt *S,
3014	CheckerContext &C) const {
3015	checkEscapeOnReturn(S, C);
3016	}
3017
3018	void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
3019	CheckerContext &C) const {
3020	if (!S)
3021	return;
3022
3023	const Expr *E = S->getRetValue();
3024	if (!E)
3025	return;
3026
3027	// Check if we are returning a symbol.
3028	ProgramStateRef State = C.getState();
3029	SVal RetVal = C.getSVal(E);
3030	SymbolRef Sym = RetVal.getAsSymbol();
3031	if (!Sym)
3032	// If we are returning a field of the allocated struct or an array element,
3033	// the callee could still free the memory.
3034	// TODO: This logic should be a part of generic symbol escape callback.
3035	if (const MemRegion *MR = RetVal.getAsRegion())
3036	if (isa<FieldRegion, ElementRegion>(Val: MR))
3037	if (const SymbolicRegion *BMR =
3038	dyn_cast<SymbolicRegion>(Val: MR->getBaseRegion()))
3039	Sym = BMR->getSymbol();
3040
3041	// Check if we are returning freed memory.
3042	if (Sym)
3043	checkUseAfterFree(Sym, C, E);
3044	}
3045
3046	// TODO: Blocks should be either inlined or should call invalidate regions
3047	// upon invocation. After that's in place, special casing here will not be
3048	// needed.
3049	void MallocChecker::checkPostStmt(const BlockExpr *BE,
3050	CheckerContext &C) const {
3051
3052	// Scan the BlockDecRefExprs for any object the retain count checker
3053	// may be tracking.
3054	if (!BE->getBlockDecl()->hasCaptures())
3055	return;
3056
3057	ProgramStateRef state = C.getState();
3058	const BlockDataRegion *R =
3059	cast<BlockDataRegion>(Val: C.getSVal(BE).getAsRegion());
3060
3061	auto ReferencedVars = R->referenced_vars();
3062	if (ReferencedVars.empty())
3063	return;
3064
3065	SmallVector<const MemRegion*, 10> Regions;
3066	const LocationContext *LC = C.getLocationContext();
3067	MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
3068
3069	for (const auto &Var : ReferencedVars) {
3070	const VarRegion *VR = Var.getCapturedRegion();
3071	if (VR->getSuperRegion() == R) {
3072	VR = MemMgr.getVarRegion(VR->getDecl(), LC);
3073	}
3074	Regions.push_back(VR);
3075	}
3076
3077	state =
3078	state->scanReachableSymbols<StopTrackingCallback>(Reachable: Regions).getState();
3079	C.addTransition(State: state);
3080	}
3081
3082	static bool isReleased(SymbolRef Sym, CheckerContext &C) {
3083	assert(Sym);
3084	const RefState *RS = C.getState()->get<RegionState>(key: Sym);
3085	return (RS && RS->isReleased());
3086	}
3087
3088	bool MallocChecker::suppressDeallocationsInSuspiciousContexts(
3089	const CallEvent &Call, CheckerContext &C) const {
3090	if (Call.getNumArgs() == 0)
3091	return false;
3092
3093	StringRef FunctionStr = "";
3094	if (const auto *FD = dyn_cast<FunctionDecl>(Val: C.getStackFrame()->getDecl()))
3095	if (const Stmt *Body = FD->getBody())
3096	if (Body->getBeginLoc().isValid())
3097	FunctionStr =
3098	Lexer::getSourceText(Range: CharSourceRange::getTokenRange(
3099	{FD->getBeginLoc(), Body->getBeginLoc()}),
3100	SM: C.getSourceManager(), LangOpts: C.getLangOpts());
3101
3102	// We do not model the Integer Set Library's retain-count based allocation.
3103	if (!FunctionStr.contains(Other: "__isl_"))
3104	return false;
3105
3106	ProgramStateRef State = C.getState();
3107
3108	for (const Expr *Arg : cast<CallExpr>(Val: Call.getOriginExpr())->arguments())
3109	if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol())
3110	if (const RefState *RS = State->get<RegionState>(key: Sym))
3111	State = State->set<RegionState>(K: Sym, E: RefState::getEscaped(RS));
3112
3113	C.addTransition(State);
3114	return true;
3115	}
3116
3117	bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
3118	const Stmt *S) const {
3119
3120	if (isReleased(Sym, C)) {
3121	HandleUseAfterFree(C, Range: S->getSourceRange(), Sym);
3122	return true;
3123	}
3124
3125	return false;
3126	}
3127
3128	void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
3129	const Stmt *S) const {
3130	assert(Sym);
3131
3132	if (const RefState *RS = C.getState()->get<RegionState>(key: Sym)) {
3133	if (RS->isAllocatedOfSizeZero())
3134	HandleUseZeroAlloc(C, Range: RS->getStmt()->getSourceRange(), Sym);
3135	}
3136	else if (C.getState()->contains<ReallocSizeZeroSymbols>(key: Sym)) {
3137	HandleUseZeroAlloc(C, Range: S->getSourceRange(), Sym);
3138	}
3139	}
3140
3141	bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
3142
3143	if (isReleased(Sym, C)) {
3144	HandleDoubleDelete(C, Sym);
3145	return true;
3146	}
3147	return false;
3148	}
3149
3150	// Check if the location is a freed symbolic region.
3151	void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
3152	CheckerContext &C) const {
3153	SymbolRef Sym = l.getLocSymbolInBase();
3154	if (Sym) {
3155	checkUseAfterFree(Sym, C, S);
3156	checkUseZeroAllocated(Sym, C, S);
3157	}
3158	}
3159
3160	// If a symbolic region is assumed to NULL (or another constant), stop tracking
3161	// it - assuming that allocation failed on this path.
3162	ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
3163	SVal Cond,
3164	bool Assumption) const {
3165	RegionStateTy RS = state->get<RegionState>();
3166	for (SymbolRef Sym : llvm::make_first_range(c&: RS)) {
3167	// If the symbol is assumed to be NULL, remove it from consideration.
3168	ConstraintManager &CMgr = state->getConstraintManager();
3169	ConditionTruthVal AllocFailed = CMgr.isNull(State: state, Sym);
3170	if (AllocFailed.isConstrainedTrue())
3171	state = state->remove<RegionState>(K: Sym);
3172	}
3173
3174	// Realloc returns 0 when reallocation fails, which means that we should
3175	// restore the state of the pointer being reallocated.
3176	ReallocPairsTy RP = state->get<ReallocPairs>();
3177	for (auto [Sym, ReallocPair] : RP) {
3178	// If the symbol is assumed to be NULL, remove it from consideration.
3179	ConstraintManager &CMgr = state->getConstraintManager();
3180	ConditionTruthVal AllocFailed = CMgr.isNull(State: state, Sym);
3181	if (!AllocFailed.isConstrainedTrue())
3182	continue;
3183
3184	SymbolRef ReallocSym = ReallocPair.ReallocatedSym;
3185	if (const RefState *RS = state->get<RegionState>(key: ReallocSym)) {
3186	if (RS->isReleased()) {
3187	switch (ReallocPair.Kind) {
3188	case OAR_ToBeFreedAfterFailure:
3189	state = state->set<RegionState>(K: ReallocSym,
3190	E: RefState::getAllocated(family: RS->getAllocationFamily(), s: RS->getStmt()));
3191	break;
3192	case OAR_DoNotTrackAfterFailure:
3193	state = state->remove<RegionState>(K: ReallocSym);
3194	break;
3195	default:
3196	assert(ReallocPair.Kind == OAR_FreeOnFailure);
3197	}
3198	}
3199	}
3200	state = state->remove<ReallocPairs>(K: Sym);
3201	}
3202
3203	return state;
3204	}
3205
3206	bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
3207	const CallEvent *Call,
3208	ProgramStateRef State,
3209	SymbolRef &EscapingSymbol) const {
3210	assert(Call);
3211	EscapingSymbol = nullptr;
3212
3213	// For now, assume that any C++ or block call can free memory.
3214	// TODO: If we want to be more optimistic here, we'll need to make sure that
3215	// regions escape to C++ containers. They seem to do that even now, but for
3216	// mysterious reasons.
3217	if (!isa<SimpleFunctionCall, ObjCMethodCall>(Val: Call))
3218	return true;
3219
3220	// Check Objective-C messages by selector name.
3221	if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Val: Call)) {
3222	// If it's not a framework call, or if it takes a callback, assume it
3223	// can free memory.
3224	if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
3225	return true;
3226
3227	// If it's a method we know about, handle it explicitly post-call.
3228	// This should happen before the "freeWhenDone" check below.
3229	if (isKnownDeallocObjCMethodName(Call: *Msg))
3230	return false;
3231
3232	// If there's a "freeWhenDone" parameter, but the method isn't one we know
3233	// about, we can't be sure that the object will use free() to deallocate the
3234	// memory, so we can't model it explicitly. The best we can do is use it to
3235	// decide whether the pointer escapes.
3236	if (std::optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call: *Msg))
3237	return *FreeWhenDone;
3238
3239	// If the first selector piece ends with "NoCopy", and there is no
3240	// "freeWhenDone" parameter set to zero, we know ownership is being
3241	// transferred. Again, though, we can't be sure that the object will use
3242	// free() to deallocate the memory, so we can't model it explicitly.
3243	StringRef FirstSlot = Msg->getSelector().getNameForSlot(argIndex: 0);
3244	if (FirstSlot.ends_with(Suffix: "NoCopy"))
3245	return true;
3246
3247	// If the first selector starts with addPointer, insertPointer,
3248	// or replacePointer, assume we are dealing with NSPointerArray or similar.
3249	// This is similar to C++ containers (vector); we still might want to check
3250	// that the pointers get freed by following the container itself.
3251	if (FirstSlot.starts_with(Prefix: "addPointer") ||
3252	FirstSlot.starts_with(Prefix: "insertPointer") ||
3253	FirstSlot.starts_with(Prefix: "replacePointer") ||
3254	FirstSlot.equals(RHS: "valueWithPointer")) {
3255	return true;
3256	}
3257
3258	// We should escape receiver on call to 'init'. This is especially relevant
3259	// to the receiver, as the corresponding symbol is usually not referenced
3260	// after the call.
3261	if (Msg->getMethodFamily() == OMF_init) {
3262	EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
3263	return true;
3264	}
3265
3266	// Otherwise, assume that the method does not free memory.
3267	// Most framework methods do not free memory.
3268	return false;
3269	}
3270
3271	// At this point the only thing left to handle is straight function calls.
3272	const FunctionDecl *FD = cast<SimpleFunctionCall>(Val: Call)->getDecl();
3273	if (!FD)
3274	return true;
3275
3276	// If it's one of the allocation functions we can reason about, we model
3277	// its behavior explicitly.
3278	if (isMemCall(Call: *Call))
3279	return false;
3280
3281	// If it's not a system call, assume it frees memory.
3282	if (!Call->isInSystemHeader())
3283	return true;
3284
3285	// White list the system functions whose arguments escape.
3286	const IdentifierInfo *II = FD->getIdentifier();
3287	if (!II)
3288	return true;
3289	StringRef FName = II->getName();
3290
3291	// White list the 'XXXNoCopy' CoreFoundation functions.
3292	// We specifically check these before
3293	if (FName.ends_with(Suffix: "NoCopy")) {
3294	// Look for the deallocator argument. We know that the memory ownership
3295	// is not transferred only if the deallocator argument is
3296	// 'kCFAllocatorNull'.
3297	for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
3298	const Expr *ArgE = Call->getArgExpr(Index: i)->IgnoreParenCasts();
3299	if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(Val: ArgE)) {
3300	StringRef DeallocatorName = DE->getFoundDecl()->getName();
3301	if (DeallocatorName == "kCFAllocatorNull")
3302	return false;
3303	}
3304	}
3305	return true;
3306	}
3307
3308	// Associating streams with malloced buffers. The pointer can escape if
3309	// 'closefn' is specified (and if that function does free memory),
3310	// but it will not if closefn is not specified.
3311	// Currently, we do not inspect the 'closefn' function (PR12101).
3312	if (FName == "funopen")
3313	if (Call->getNumArgs() >= 4 && Call->getArgSVal(Index: 4).isConstant(I: 0))
3314	return false;
3315
3316	// Do not warn on pointers passed to 'setbuf' when used with std streams,
3317	// these leaks might be intentional when setting the buffer for stdio.
3318	// http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
3319	if (FName == "setbuf" || FName =="setbuffer" ||
3320	FName == "setlinebuf" || FName == "setvbuf") {
3321	if (Call->getNumArgs() >= 1) {
3322	const Expr *ArgE = Call->getArgExpr(Index: 0)->IgnoreParenCasts();
3323	if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(Val: ArgE))
3324	if (const VarDecl *D = dyn_cast<VarDecl>(Val: ArgDRE->getDecl()))
3325	if (D->getCanonicalDecl()->getName().contains("std"))
3326	return true;
3327	}
3328	}
3329
3330	// A bunch of other functions which either take ownership of a pointer or
3331	// wrap the result up in a struct or object, meaning it can be freed later.
3332	// (See RetainCountChecker.) Not all the parameters here are invalidated,
3333	// but the Malloc checker cannot differentiate between them. The right way
3334	// of doing this would be to implement a pointer escapes callback.
3335	if (FName == "CGBitmapContextCreate" ||
3336	FName == "CGBitmapContextCreateWithData" ||
3337	FName == "CVPixelBufferCreateWithBytes" ||
3338	FName == "CVPixelBufferCreateWithPlanarBytes" ||
3339	FName == "OSAtomicEnqueue") {
3340	return true;
3341	}
3342
3343	if (FName == "postEvent" &&
3344	FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
3345	return true;
3346	}
3347
3348	if (FName == "connectImpl" &&
3349	FD->getQualifiedNameAsString() == "QObject::connectImpl") {
3350	return true;
3351	}
3352
3353	if (FName == "singleShotImpl" &&
3354	FD->getQualifiedNameAsString() == "QTimer::singleShotImpl") {
3355	return true;
3356	}
3357
3358	// Handle cases where we know a buffer's /address/ can escape.
3359	// Note that the above checks handle some special cases where we know that
3360	// even though the address escapes, it's still our responsibility to free the
3361	// buffer.
3362	if (Call->argumentsMayEscape())
3363	return true;
3364
3365	// Otherwise, assume that the function does not free memory.
3366	// Most system calls do not free the memory.
3367	return false;
3368	}
3369
3370	ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
3371	const InvalidatedSymbols &Escaped,
3372	const CallEvent *Call,
3373	PointerEscapeKind Kind) const {
3374	return checkPointerEscapeAux(State, Escaped, Call, Kind,
3375	/*IsConstPointerEscape*/ false);
3376	}
3377
3378	ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
3379	const InvalidatedSymbols &Escaped,
3380	const CallEvent *Call,
3381	PointerEscapeKind Kind) const {
3382	// If a const pointer escapes, it may not be freed(), but it could be deleted.
3383	return checkPointerEscapeAux(State, Escaped, Call, Kind,
3384	/*IsConstPointerEscape*/ true);
3385	}
3386
3387	static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
3388	return (RS->getAllocationFamily() == AF_CXXNewArray ||
3389	RS->getAllocationFamily() == AF_CXXNew);
3390	}
3391
3392	ProgramStateRef MallocChecker::checkPointerEscapeAux(
3393	ProgramStateRef State, const InvalidatedSymbols &Escaped,
3394	const CallEvent *Call, PointerEscapeKind Kind,
3395	bool IsConstPointerEscape) const {
3396	// If we know that the call does not free memory, or we want to process the
3397	// call later, keep tracking the top level arguments.
3398	SymbolRef EscapingSymbol = nullptr;
3399	if (Kind == PSK_DirectEscapeOnCall &&
3400	!mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
3401	EscapingSymbol) &&
3402	!EscapingSymbol) {
3403	return State;
3404	}
3405
3406	for (SymbolRef sym : Escaped) {
3407	if (EscapingSymbol && EscapingSymbol != sym)
3408	continue;
3409
3410	if (const RefState *RS = State->get<RegionState>(key: sym))
3411	if (RS->isAllocated() || RS->isAllocatedOfSizeZero())
3412	if (!IsConstPointerEscape || checkIfNewOrNewArrayFamily(RS))
3413	State = State->set<RegionState>(K: sym, E: RefState::getEscaped(RS));
3414	}
3415	return State;
3416	}
3417
3418	bool MallocChecker::isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
3419	SVal ArgVal) const {
3420	if (!KernelZeroSizePtrValue)
3421	KernelZeroSizePtrValue =
3422	tryExpandAsInteger(Macro: "ZERO_SIZE_PTR", PP: C.getPreprocessor());
3423
3424	const llvm::APSInt *ArgValKnown =
3425	C.getSValBuilder().getKnownValue(state: State, val: ArgVal);
3426	return ArgValKnown && *KernelZeroSizePtrValue &&
3427	ArgValKnown->getSExtValue() == **KernelZeroSizePtrValue;
3428	}
3429
3430	static SymbolRef findFailedReallocSymbol(ProgramStateRef currState,
3431	ProgramStateRef prevState) {
3432	ReallocPairsTy currMap = currState->get<ReallocPairs>();
3433	ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
3434
3435	for (const ReallocPairsTy::value_type &Pair : prevMap) {
3436	SymbolRef sym = Pair.first;
3437	if (!currMap.lookup(K: sym))
3438	return sym;
3439	}
3440
3441	return nullptr;
3442	}
3443
3444	static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) {
3445	if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
3446	StringRef N = II->getName();
3447	if (N.contains_insensitive(Other: "ptr") || N.contains_insensitive(Other: "pointer")) {
3448	if (N.contains_insensitive(Other: "ref") || N.contains_insensitive(Other: "cnt") ||
3449	N.contains_insensitive(Other: "intrusive") ||
3450	N.contains_insensitive(Other: "shared")) {
3451	return true;
3452	}
3453	}
3454	}
3455	return false;
3456	}
3457
3458	PathDiagnosticPieceRef MallocBugVisitor::VisitNode(const ExplodedNode *N,
3459	BugReporterContext &BRC,
3460	PathSensitiveBugReport &BR) {
3461	ProgramStateRef state = N->getState();
3462	ProgramStateRef statePrev = N->getFirstPred()->getState();
3463
3464	const RefState *RSCurr = state->get<RegionState>(key: Sym);
3465	const RefState *RSPrev = statePrev->get<RegionState>(key: Sym);
3466
3467	const Stmt *S = N->getStmtForDiagnostics();
3468	// When dealing with containers, we sometimes want to give a note
3469	// even if the statement is missing.
3470	if (!S && (!RSCurr || RSCurr->getAllocationFamily() != AF_InnerBuffer))
3471	return nullptr;
3472
3473	const LocationContext *CurrentLC = N->getLocationContext();
3474
3475	// If we find an atomic fetch_add or fetch_sub within the destructor in which
3476	// the pointer was released (before the release), this is likely a destructor
3477	// of a shared pointer.
3478	// Because we don't model atomics, and also because we don't know that the
3479	// original reference count is positive, we should not report use-after-frees
3480	// on objects deleted in such destructors. This can probably be improved
3481	// through better shared pointer modeling.
3482	if (ReleaseDestructorLC) {
3483	if (const auto *AE = dyn_cast<AtomicExpr>(Val: S)) {
3484	AtomicExpr::AtomicOp Op = AE->getOp();
3485	if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
3486	Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
3487	if (ReleaseDestructorLC == CurrentLC ||
3488	ReleaseDestructorLC->isParentOf(LC: CurrentLC)) {
3489	BR.markInvalid(Tag: getTag(), Data: S);
3490	}
3491	}
3492	}
3493	}
3494
3495	// FIXME: We will eventually need to handle non-statement-based events
3496	// (__attribute__((cleanup))).
3497
3498	// Find out if this is an interesting point and what is the kind.
3499	StringRef Msg;
3500	std::unique_ptr<StackHintGeneratorForSymbol> StackHint = nullptr;
3501	SmallString<256> Buf;
3502	llvm::raw_svector_ostream OS(Buf);
3503
3504	if (Mode == Normal) {
3505	if (isAllocated(RSCurr, RSPrev, Stmt: S)) {
3506	Msg = "Memory is allocated";
3507	StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3508	args&: Sym, args: "Returned allocated memory");
3509	} else if (isReleased(RSCurr, RSPrev, Stmt: S)) {
3510	const auto Family = RSCurr->getAllocationFamily();
3511	switch (Family) {
3512	case AF_Alloca:
3513	case AF_Malloc:
3514	case AF_CXXNew:
3515	case AF_CXXNewArray:
3516	case AF_IfNameIndex:
3517	Msg = "Memory is released";
3518	StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3519	args&: Sym, args: "Returning; memory was released");
3520	break;
3521	case AF_InnerBuffer: {
3522	const MemRegion *ObjRegion =
3523	allocation_state::getContainerObjRegion(State: statePrev, Sym);
3524	const auto *TypedRegion = cast<TypedValueRegion>(Val: ObjRegion);
3525	QualType ObjTy = TypedRegion->getValueType();
3526	OS << "Inner buffer of '" << ObjTy << "' ";
3527
3528	if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
3529	OS << "deallocated by call to destructor";
3530	StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3531	args&: Sym, args: "Returning; inner buffer was deallocated");
3532	} else {
3533	OS << "reallocated by call to '";
3534	const Stmt *S = RSCurr->getStmt();
3535	if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(Val: S)) {
3536	OS << MemCallE->getMethodDecl()->getDeclName();
3537	} else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(Val: S)) {
3538	OS << OpCallE->getDirectCallee()->getDeclName();
3539	} else if (const auto *CallE = dyn_cast<CallExpr>(Val: S)) {
3540	auto &CEMgr = BRC.getStateManager().getCallEventManager();
3541	CallEventRef<> Call =
3542	CEMgr.getSimpleCall(E: CallE, State: state, LCtx: CurrentLC, ElemRef: {nullptr, 0});
3543	if (const auto *D = dyn_cast_or_null<NamedDecl>(Val: Call->getDecl()))
3544	OS << D->getDeclName();
3545	else
3546	OS << "unknown";
3547	}
3548	OS << "'";
3549	StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3550	args&: Sym, args: "Returning; inner buffer was reallocated");
3551	}
3552	Msg = OS.str();
3553	break;
3554	}
3555	case AF_None:
3556	llvm_unreachable("Unhandled allocation family!");
3557	}
3558
3559	// See if we're releasing memory while inlining a destructor
3560	// (or one of its callees). This turns on various common
3561	// false positive suppressions.
3562	bool FoundAnyDestructor = false;
3563	for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
3564	if (const auto *DD = dyn_cast<CXXDestructorDecl>(Val: LC->getDecl())) {
3565	if (isReferenceCountingPointerDestructor(DD)) {
3566	// This immediately looks like a reference-counting destructor.
3567	// We're bad at guessing the original reference count of the object,
3568	// so suppress the report for now.
3569	BR.markInvalid(Tag: getTag(), Data: DD);
3570	} else if (!FoundAnyDestructor) {
3571	assert(!ReleaseDestructorLC &&
3572	"There can be only one release point!");
3573	// Suspect that it's a reference counting pointer destructor.
3574	// On one of the next nodes might find out that it has atomic
3575	// reference counting operations within it (see the code above),
3576	// and if so, we'd conclude that it likely is a reference counting
3577	// pointer destructor.
3578	ReleaseDestructorLC = LC->getStackFrame();
3579	// It is unlikely that releasing memory is delegated to a destructor
3580	// inside a destructor of a shared pointer, because it's fairly hard
3581	// to pass the information that the pointer indeed needs to be
3582	// released into it. So we're only interested in the innermost
3583	// destructor.
3584	FoundAnyDestructor = true;
3585	}
3586	}
3587	}
3588	} else if (isRelinquished(RSCurr, RSPrev, Stmt: S)) {
3589	Msg = "Memory ownership is transferred";
3590	StackHint = std::make_unique<StackHintGeneratorForSymbol>(args&: Sym, args: "");
3591	} else if (hasReallocFailed(RSCurr, RSPrev, Stmt: S)) {
3592	Mode = ReallocationFailed;
3593	Msg = "Reallocation failed";
3594	StackHint = std::make_unique<StackHintGeneratorForReallocationFailed>(
3595	args&: Sym, args: "Reallocation failed");
3596
3597	if (SymbolRef sym = findFailedReallocSymbol(currState: state, prevState: statePrev)) {
3598	// Is it possible to fail two reallocs WITHOUT testing in between?
3599	assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
3600	"We only support one failed realloc at a time.");
3601	BR.markInteresting(sym);
3602	FailedReallocSymbol = sym;
3603	}
3604	}
3605
3606	// We are in a special mode if a reallocation failed later in the path.
3607	} else if (Mode == ReallocationFailed) {
3608	assert(FailedReallocSymbol && "No symbol to look for.");
3609
3610	// Is this is the first appearance of the reallocated symbol?
3611	if (!statePrev->get<RegionState>(key: FailedReallocSymbol)) {
3612	// We're at the reallocation point.
3613	Msg = "Attempt to reallocate memory";
3614	StackHint = std::make_unique<StackHintGeneratorForSymbol>(
3615	args&: Sym, args: "Returned reallocated memory");
3616	FailedReallocSymbol = nullptr;
3617	Mode = Normal;
3618	}
3619	}
3620
3621	if (Msg.empty()) {
3622	assert(!StackHint);
3623	return nullptr;
3624	}
3625
3626	assert(StackHint);
3627
3628	// Generate the extra diagnostic.
3629	PathDiagnosticLocation Pos;
3630	if (!S) {
3631	assert(RSCurr->getAllocationFamily() == AF_InnerBuffer);
3632	auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
3633	if (!PostImplCall)
3634	return nullptr;
3635	Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
3636	BRC.getSourceManager());
3637	} else {
3638	Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
3639	N->getLocationContext());
3640	}
3641
3642	auto P = std::make_shared<PathDiagnosticEventPiece>(args&: Pos, args&: Msg, args: true);
3643	BR.addCallStackHint(Piece: P, StackHint: std::move(StackHint));
3644	return P;
3645	}
3646
3647	void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
3648	const char *NL, const char *Sep) const {
3649
3650	RegionStateTy RS = State->get<RegionState>();
3651
3652	if (!RS.isEmpty()) {
3653	Out << Sep << "MallocChecker :" << NL;
3654	for (auto [Sym, Data] : RS) {
3655	const RefState *RefS = State->get<RegionState>(key: Sym);
3656	AllocationFamily Family = RefS->getAllocationFamily();
3657	std::optional<MallocChecker::CheckKind> CheckKind =
3658	getCheckIfTracked(Family);
3659	if (!CheckKind)
3660	CheckKind = getCheckIfTracked(Family, IsALeakCheck: true);
3661
3662	Sym->dumpToStream(os&: Out);
3663	Out << " : ";
3664	Data.dump(OS&: Out);
3665	if (CheckKind)
3666	Out << " (" << CheckNames[*CheckKind].getName() << ")";
3667	Out << NL;
3668	}
3669	}
3670	}
3671
3672	namespace clang {
3673	namespace ento {
3674	namespace allocation_state {
3675
3676	ProgramStateRef
3677	markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) {
3678	AllocationFamily Family = AF_InnerBuffer;
3679	return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3680	}
3681
3682	} // end namespace allocation_state
3683	} // end namespace ento
3684	} // end namespace clang
3685
3686	// Intended to be used in InnerPointerChecker to register the part of
3687	// MallocChecker connected to it.
3688	void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) {
3689	MallocChecker *checker = mgr.getChecker<MallocChecker>();
3690	checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
3691	checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
3692	mgr.getCurrentCheckerName();
3693	}
3694
3695	void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
3696	auto *checker = mgr.registerChecker<MallocChecker>();
3697	checker->ShouldIncludeOwnershipAnnotatedFunctions =
3698	mgr.getAnalyzerOptions().getCheckerBooleanOption(C: checker, OptionName: "Optimistic");
3699	checker->ShouldRegisterNoOwnershipChangeVisitor =
3700	mgr.getAnalyzerOptions().getCheckerBooleanOption(
3701	C: checker, OptionName: "AddNoOwnershipChangeNotes");
3702	}
3703
3704	bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {
3705	return true;
3706	}
3707
3708	#define REGISTER_CHECKER(name) \
3709	void ento::register##name(CheckerManager &mgr) { \
3710	MallocChecker *checker = mgr.getChecker<MallocChecker>(); \
3711	checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3712	checker->CheckNames[MallocChecker::CK_##name] = \
3713	mgr.getCurrentCheckerName(); \
3714	} \
3715	\
3716	bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
3717
3718	REGISTER_CHECKER(MallocChecker)
3719	REGISTER_CHECKER(NewDeleteChecker)
3720	REGISTER_CHECKER(NewDeleteLeaksChecker)
3721	REGISTER_CHECKER(MismatchedDeallocatorChecker)
3722