MallocChecker.cpp revision f5aa3f5e58356d0bea823fe75dd7bf6aea6f47f4
1//=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines malloc/free checker, which checks for potential memory 11// leaks, double free, and use-after-free problems. 12// 13//===----------------------------------------------------------------------===// 14 15#include "ClangSACheckers.h" 16#include "InterCheckerAPI.h" 17#include "clang/StaticAnalyzer/Core/Checker.h" 18#include "clang/StaticAnalyzer/Core/CheckerManager.h" 19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 21#include "clang/StaticAnalyzer/Core/PathSensitive/ObjCMessage.h" 22#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 23#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 24#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 25#include "clang/Basic/SourceManager.h" 26#include "llvm/ADT/ImmutableMap.h" 27#include "llvm/ADT/SmallString.h" 28#include "llvm/ADT/STLExtras.h" 29#include <climits> 30 31using namespace clang; 32using namespace ento; 33 34namespace { 35 36class RefState { 37 enum Kind { AllocateUnchecked, AllocateFailed, Released, Escaped, 38 Relinquished } K; 39 const Stmt *S; 40 41public: 42 RefState(Kind k, const Stmt *s) : K(k), S(s) {} 43 44 bool isAllocated() const { return K == AllocateUnchecked; } 45 bool isReleased() const { return K == Released; } 46 47 const Stmt *getStmt() const { return S; } 48 49 bool operator==(const RefState &X) const { 50 return K == X.K && S == X.S; 51 } 52 53 static RefState getAllocateUnchecked(const Stmt *s) { 54 return RefState(AllocateUnchecked, s); 55 } 56 static RefState getAllocateFailed() { 57 return RefState(AllocateFailed, 0); 58 } 59 static RefState getReleased(const Stmt *s) { return RefState(Released, s); } 60 static RefState getEscaped(const Stmt *s) { return RefState(Escaped, s); } 61 static RefState getRelinquished(const Stmt *s) { 62 return RefState(Relinquished, s); 63 } 64 65 void Profile(llvm::FoldingSetNodeID &ID) const { 66 ID.AddInteger(K); 67 ID.AddPointer(S); 68 } 69}; 70 71struct ReallocPair { 72 SymbolRef ReallocatedSym; 73 bool IsFreeOnFailure; 74 ReallocPair(SymbolRef S, bool F) : ReallocatedSym(S), IsFreeOnFailure(F) {} 75 void Profile(llvm::FoldingSetNodeID &ID) const { 76 ID.AddInteger(IsFreeOnFailure); 77 ID.AddPointer(ReallocatedSym); 78 } 79 bool operator==(const ReallocPair &X) const { 80 return ReallocatedSym == X.ReallocatedSym && 81 IsFreeOnFailure == X.IsFreeOnFailure; 82 } 83}; 84 85typedef std::pair<const Stmt*, const MemRegion*> LeakInfo; 86 87class MallocChecker : public Checker<check::DeadSymbols, 88 check::EndPath, 89 check::PreStmt<ReturnStmt>, 90 check::PreStmt<CallExpr>, 91 check::PostStmt<CallExpr>, 92 check::PostStmt<BlockExpr>, 93 check::Location, 94 check::Bind, 95 eval::Assume, 96 check::RegionChanges> 97{ 98 mutable OwningPtr<BugType> BT_DoubleFree; 99 mutable OwningPtr<BugType> BT_Leak; 100 mutable OwningPtr<BugType> BT_UseFree; 101 mutable OwningPtr<BugType> BT_BadFree; 102 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 103 *II_valloc, *II_reallocf, *II_strndup, *II_strdup; 104 105public: 106 MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), 107 II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} 108 109 /// In pessimistic mode, the checker assumes that it does not know which 110 /// functions might free the memory. 111 struct ChecksFilter { 112 DefaultBool CMallocPessimistic; 113 DefaultBool CMallocOptimistic; 114 }; 115 116 ChecksFilter Filter; 117 118 void checkPreStmt(const CallExpr *S, CheckerContext &C) const; 119 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 120 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 121 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 122 void checkEndPath(CheckerContext &C) const; 123 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 124 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 125 bool Assumption) const; 126 void checkLocation(SVal l, bool isLoad, const Stmt *S, 127 CheckerContext &C) const; 128 void checkBind(SVal location, SVal val, const Stmt*S, 129 CheckerContext &C) const; 130 ProgramStateRef 131 checkRegionChanges(ProgramStateRef state, 132 const StoreManager::InvalidatedSymbols *invalidated, 133 ArrayRef<const MemRegion *> ExplicitRegions, 134 ArrayRef<const MemRegion *> Regions, 135 const CallOrObjCMessage *Call) const; 136 bool wantsRegionChangeUpdate(ProgramStateRef state) const { 137 return true; 138 } 139 140private: 141 void initIdentifierInfo(ASTContext &C) const; 142 143 /// Check if this is one of the functions which can allocate/reallocate memory 144 /// pointed to by one of its arguments. 145 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 146 147 static ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 148 const CallExpr *CE, 149 const OwnershipAttr* Att); 150 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 151 const Expr *SizeEx, SVal Init, 152 ProgramStateRef state) { 153 return MallocMemAux(C, CE, 154 state->getSVal(SizeEx, C.getLocationContext()), 155 Init, state); 156 } 157 158 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 159 SVal SizeEx, SVal Init, 160 ProgramStateRef state); 161 162 /// Update the RefState to reflect the new memory allocation. 163 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, 164 const CallExpr *CE, 165 ProgramStateRef state); 166 167 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 168 const OwnershipAttr* Att) const; 169 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 170 ProgramStateRef state, unsigned Num, 171 bool Hold) const; 172 173 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 174 bool FreesMemOnFailure) const; 175 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 176 177 bool checkEscape(SymbolRef Sym, const Stmt *S, CheckerContext &C) const; 178 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 179 const Stmt *S = 0) const; 180 181 /// Check if the function is not known to us. So, for example, we could 182 /// conservatively assume it can free/reallocate it's pointer arguments. 183 bool doesNotFreeMemory(const CallOrObjCMessage *Call, 184 ProgramStateRef State) const; 185 186 static bool SummarizeValue(raw_ostream &os, SVal V); 187 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 188 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange range) const; 189 190 /// Find the location of the allocation for Sym on the path leading to the 191 /// exploded node N. 192 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 193 CheckerContext &C) const; 194 195 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 196 197 /// The bug visitor which allows us to print extra diagnostics along the 198 /// BugReport path. For example, showing the allocation site of the leaked 199 /// region. 200 class MallocBugVisitor : public BugReporterVisitor { 201 protected: 202 enum NotificationMode { 203 Normal, 204 Complete, 205 ReallocationFailed 206 }; 207 208 // The allocated region symbol tracked by the main analysis. 209 SymbolRef Sym; 210 NotificationMode Mode; 211 212 public: 213 MallocBugVisitor(SymbolRef S) : Sym(S), Mode(Normal) {} 214 virtual ~MallocBugVisitor() {} 215 216 void Profile(llvm::FoldingSetNodeID &ID) const { 217 static int X = 0; 218 ID.AddPointer(&X); 219 ID.AddPointer(Sym); 220 } 221 222 inline bool isAllocated(const RefState *S, const RefState *SPrev, 223 const Stmt *Stmt) { 224 // Did not track -> allocated. Other state (released) -> allocated. 225 return (Stmt && isa<CallExpr>(Stmt) && 226 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 227 } 228 229 inline bool isReleased(const RefState *S, const RefState *SPrev, 230 const Stmt *Stmt) { 231 // Did not track -> released. Other state (allocated) -> released. 232 return (Stmt && isa<CallExpr>(Stmt) && 233 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 234 } 235 236 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 237 const Stmt *Stmt) { 238 // If the expression is not a call, and the state change is 239 // released -> allocated, it must be the realloc return value 240 // check. If we have to handle more cases here, it might be cleaner just 241 // to track this extra bit in the state itself. 242 return ((!Stmt || !isa<CallExpr>(Stmt)) && 243 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 244 } 245 246 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 247 const ExplodedNode *PrevN, 248 BugReporterContext &BRC, 249 BugReport &BR); 250 private: 251 class StackHintGeneratorForReallocationFailed 252 : public StackHintGeneratorForSymbol { 253 public: 254 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 255 : StackHintGeneratorForSymbol(S, M) {} 256 257 virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) { 258 SmallString<200> buf; 259 llvm::raw_svector_ostream os(buf); 260 261 os << "Reallocation of "; 262 // Printed parameters start at 1, not 0. 263 printOrdinal(++ArgIndex, os); 264 os << " parameter failed"; 265 266 return os.str(); 267 } 268 269 virtual std::string getMessageForReturn(const CallExpr *CallExpr) { 270 return "Reallocation of returned value failed"; 271 } 272 }; 273 }; 274}; 275} // end anonymous namespace 276 277typedef llvm::ImmutableMap<SymbolRef, RefState> RegionStateTy; 278typedef llvm::ImmutableMap<SymbolRef, ReallocPair > ReallocMap; 279class RegionState {}; 280class ReallocPairs {}; 281namespace clang { 282namespace ento { 283 template <> 284 struct ProgramStateTrait<RegionState> 285 : public ProgramStatePartialTrait<RegionStateTy> { 286 static void *GDMIndex() { static int x; return &x; } 287 }; 288 289 template <> 290 struct ProgramStateTrait<ReallocPairs> 291 : public ProgramStatePartialTrait<ReallocMap> { 292 static void *GDMIndex() { static int x; return &x; } 293 }; 294} 295} 296 297namespace { 298class StopTrackingCallback : public SymbolVisitor { 299 ProgramStateRef state; 300public: 301 StopTrackingCallback(ProgramStateRef st) : state(st) {} 302 ProgramStateRef getState() const { return state; } 303 304 bool VisitSymbol(SymbolRef sym) { 305 state = state->remove<RegionState>(sym); 306 return true; 307 } 308}; 309} // end anonymous namespace 310 311void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 312 if (!II_malloc) 313 II_malloc = &Ctx.Idents.get("malloc"); 314 if (!II_free) 315 II_free = &Ctx.Idents.get("free"); 316 if (!II_realloc) 317 II_realloc = &Ctx.Idents.get("realloc"); 318 if (!II_reallocf) 319 II_reallocf = &Ctx.Idents.get("reallocf"); 320 if (!II_calloc) 321 II_calloc = &Ctx.Idents.get("calloc"); 322 if (!II_valloc) 323 II_valloc = &Ctx.Idents.get("valloc"); 324 if (!II_strdup) 325 II_strdup = &Ctx.Idents.get("strdup"); 326 if (!II_strndup) 327 II_strndup = &Ctx.Idents.get("strndup"); 328} 329 330bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 331 if (!FD) 332 return false; 333 IdentifierInfo *FunI = FD->getIdentifier(); 334 if (!FunI) 335 return false; 336 337 initIdentifierInfo(C); 338 339 if (FunI == II_malloc || FunI == II_free || FunI == II_realloc || 340 FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || 341 FunI == II_strdup || FunI == II_strndup) 342 return true; 343 344 if (Filter.CMallocOptimistic && FD->hasAttrs() && 345 FD->specific_attr_begin<OwnershipAttr>() != 346 FD->specific_attr_end<OwnershipAttr>()) 347 return true; 348 349 350 return false; 351} 352 353void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 354 const FunctionDecl *FD = C.getCalleeDecl(CE); 355 if (!FD) 356 return; 357 358 initIdentifierInfo(C.getASTContext()); 359 IdentifierInfo *FunI = FD->getIdentifier(); 360 if (!FunI) 361 return; 362 363 ProgramStateRef State = C.getState(); 364 if (FunI == II_malloc || FunI == II_valloc) { 365 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 366 } else if (FunI == II_realloc) { 367 State = ReallocMem(C, CE, false); 368 } else if (FunI == II_reallocf) { 369 State = ReallocMem(C, CE, true); 370 } else if (FunI == II_calloc) { 371 State = CallocMem(C, CE); 372 } else if (FunI == II_free) { 373 State = FreeMemAux(C, CE, C.getState(), 0, false); 374 } else if (FunI == II_strdup) { 375 State = MallocUpdateRefState(C, CE, State); 376 } else if (FunI == II_strndup) { 377 State = MallocUpdateRefState(C, CE, State); 378 } else if (Filter.CMallocOptimistic) { 379 // Check all the attributes, if there are any. 380 // There can be multiple of these attributes. 381 if (FD->hasAttrs()) 382 for (specific_attr_iterator<OwnershipAttr> 383 i = FD->specific_attr_begin<OwnershipAttr>(), 384 e = FD->specific_attr_end<OwnershipAttr>(); 385 i != e; ++i) { 386 switch ((*i)->getOwnKind()) { 387 case OwnershipAttr::Returns: 388 State = MallocMemReturnsAttr(C, CE, *i); 389 break; 390 case OwnershipAttr::Takes: 391 case OwnershipAttr::Holds: 392 State = FreeMemAttr(C, CE, *i); 393 break; 394 } 395 } 396 } 397 C.addTransition(State); 398} 399 400ProgramStateRef MallocChecker::MallocMemReturnsAttr(CheckerContext &C, 401 const CallExpr *CE, 402 const OwnershipAttr* Att) { 403 if (Att->getModule() != "malloc") 404 return 0; 405 406 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 407 if (I != E) { 408 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 409 } 410 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 411} 412 413ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 414 const CallExpr *CE, 415 SVal Size, SVal Init, 416 ProgramStateRef state) { 417 // Get the return value. 418 SVal retVal = state->getSVal(CE, C.getLocationContext()); 419 420 // We expect the malloc functions to return a pointer. 421 if (!isa<Loc>(retVal)) 422 return 0; 423 424 // Fill the region with the initialization value. 425 state = state->bindDefault(retVal, Init); 426 427 // Set the region's extent equal to the Size parameter. 428 const SymbolicRegion *R = 429 dyn_cast_or_null<SymbolicRegion>(retVal.getAsRegion()); 430 if (!R) 431 return 0; 432 if (isa<DefinedOrUnknownSVal>(Size)) { 433 SValBuilder &svalBuilder = C.getSValBuilder(); 434 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 435 DefinedOrUnknownSVal DefinedSize = cast<DefinedOrUnknownSVal>(Size); 436 DefinedOrUnknownSVal extentMatchesSize = 437 svalBuilder.evalEQ(state, Extent, DefinedSize); 438 439 state = state->assume(extentMatchesSize, true); 440 assert(state); 441 } 442 443 return MallocUpdateRefState(C, CE, state); 444} 445 446ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 447 const CallExpr *CE, 448 ProgramStateRef state) { 449 // Get the return value. 450 SVal retVal = state->getSVal(CE, C.getLocationContext()); 451 452 // We expect the malloc functions to return a pointer. 453 if (!isa<Loc>(retVal)) 454 return 0; 455 456 SymbolRef Sym = retVal.getAsLocSymbol(); 457 assert(Sym); 458 459 // Set the symbol's state to Allocated. 460 return state->set<RegionState>(Sym, RefState::getAllocateUnchecked(CE)); 461 462} 463 464ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 465 const CallExpr *CE, 466 const OwnershipAttr* Att) const { 467 if (Att->getModule() != "malloc") 468 return 0; 469 470 ProgramStateRef State = C.getState(); 471 472 for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 473 I != E; ++I) { 474 ProgramStateRef StateI = FreeMemAux(C, CE, State, *I, 475 Att->getOwnKind() == OwnershipAttr::Holds); 476 if (StateI) 477 State = StateI; 478 } 479 return State; 480} 481 482ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 483 const CallExpr *CE, 484 ProgramStateRef state, 485 unsigned Num, 486 bool Hold) const { 487 const Expr *ArgExpr = CE->getArg(Num); 488 SVal ArgVal = state->getSVal(ArgExpr, C.getLocationContext()); 489 if (!isa<DefinedOrUnknownSVal>(ArgVal)) 490 return 0; 491 DefinedOrUnknownSVal location = cast<DefinedOrUnknownSVal>(ArgVal); 492 493 // Check for null dereferences. 494 if (!isa<Loc>(location)) 495 return 0; 496 497 // The explicit NULL case, no operation is performed. 498 ProgramStateRef notNullState, nullState; 499 llvm::tie(notNullState, nullState) = state->assume(location); 500 if (nullState && !notNullState) 501 return 0; 502 503 // Unknown values could easily be okay 504 // Undefined values are handled elsewhere 505 if (ArgVal.isUnknownOrUndef()) 506 return 0; 507 508 const MemRegion *R = ArgVal.getAsRegion(); 509 510 // Nonlocs can't be freed, of course. 511 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 512 if (!R) { 513 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 514 return 0; 515 } 516 517 R = R->StripCasts(); 518 519 // Blocks might show up as heap data, but should not be free()d 520 if (isa<BlockDataRegion>(R)) { 521 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 522 return 0; 523 } 524 525 const MemSpaceRegion *MS = R->getMemorySpace(); 526 527 // Parameters, locals, statics, and globals shouldn't be freed. 528 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 529 // FIXME: at the time this code was written, malloc() regions were 530 // represented by conjured symbols, which are all in UnknownSpaceRegion. 531 // This means that there isn't actually anything from HeapSpaceRegion 532 // that should be freed, even though we allow it here. 533 // Of course, free() can work on memory allocated outside the current 534 // function, so UnknownSpaceRegion is always a possibility. 535 // False negatives are better than false positives. 536 537 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 538 return 0; 539 } 540 541 const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R); 542 // Various cases could lead to non-symbol values here. 543 // For now, ignore them. 544 if (!SR) 545 return 0; 546 547 SymbolRef Sym = SR->getSymbol(); 548 const RefState *RS = state->get<RegionState>(Sym); 549 550 // If the symbol has not been tracked, return. This is possible when free() is 551 // called on a pointer that does not get its pointee directly from malloc(). 552 // Full support of this requires inter-procedural analysis. 553 if (!RS) 554 return 0; 555 556 // Check double free. 557 if (RS->isReleased()) { 558 if (ExplodedNode *N = C.generateSink()) { 559 if (!BT_DoubleFree) 560 BT_DoubleFree.reset( 561 new BugType("Double free", "Memory Error")); 562 BugReport *R = new BugReport(*BT_DoubleFree, 563 "Attempt to free released memory", N); 564 R->addRange(ArgExpr->getSourceRange()); 565 R->markInteresting(Sym); 566 R->addVisitor(new MallocBugVisitor(Sym)); 567 C.EmitReport(R); 568 } 569 return 0; 570 } 571 572 // Normal free. 573 if (Hold) 574 return state->set<RegionState>(Sym, RefState::getRelinquished(CE)); 575 return state->set<RegionState>(Sym, RefState::getReleased(CE)); 576} 577 578bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 579 if (nonloc::ConcreteInt *IntVal = dyn_cast<nonloc::ConcreteInt>(&V)) 580 os << "an integer (" << IntVal->getValue() << ")"; 581 else if (loc::ConcreteInt *ConstAddr = dyn_cast<loc::ConcreteInt>(&V)) 582 os << "a constant address (" << ConstAddr->getValue() << ")"; 583 else if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&V)) 584 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 585 else 586 return false; 587 588 return true; 589} 590 591bool MallocChecker::SummarizeRegion(raw_ostream &os, 592 const MemRegion *MR) { 593 switch (MR->getKind()) { 594 case MemRegion::FunctionTextRegionKind: { 595 const FunctionDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 596 if (FD) 597 os << "the address of the function '" << *FD << '\''; 598 else 599 os << "the address of a function"; 600 return true; 601 } 602 case MemRegion::BlockTextRegionKind: 603 os << "block text"; 604 return true; 605 case MemRegion::BlockDataRegionKind: 606 // FIXME: where the block came from? 607 os << "a block"; 608 return true; 609 default: { 610 const MemSpaceRegion *MS = MR->getMemorySpace(); 611 612 if (isa<StackLocalsSpaceRegion>(MS)) { 613 const VarRegion *VR = dyn_cast<VarRegion>(MR); 614 const VarDecl *VD; 615 if (VR) 616 VD = VR->getDecl(); 617 else 618 VD = NULL; 619 620 if (VD) 621 os << "the address of the local variable '" << VD->getName() << "'"; 622 else 623 os << "the address of a local stack variable"; 624 return true; 625 } 626 627 if (isa<StackArgumentsSpaceRegion>(MS)) { 628 const VarRegion *VR = dyn_cast<VarRegion>(MR); 629 const VarDecl *VD; 630 if (VR) 631 VD = VR->getDecl(); 632 else 633 VD = NULL; 634 635 if (VD) 636 os << "the address of the parameter '" << VD->getName() << "'"; 637 else 638 os << "the address of a parameter"; 639 return true; 640 } 641 642 if (isa<GlobalsSpaceRegion>(MS)) { 643 const VarRegion *VR = dyn_cast<VarRegion>(MR); 644 const VarDecl *VD; 645 if (VR) 646 VD = VR->getDecl(); 647 else 648 VD = NULL; 649 650 if (VD) { 651 if (VD->isStaticLocal()) 652 os << "the address of the static variable '" << VD->getName() << "'"; 653 else 654 os << "the address of the global variable '" << VD->getName() << "'"; 655 } else 656 os << "the address of a global variable"; 657 return true; 658 } 659 660 return false; 661 } 662 } 663} 664 665void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 666 SourceRange range) const { 667 if (ExplodedNode *N = C.generateSink()) { 668 if (!BT_BadFree) 669 BT_BadFree.reset(new BugType("Bad free", "Memory Error")); 670 671 SmallString<100> buf; 672 llvm::raw_svector_ostream os(buf); 673 674 const MemRegion *MR = ArgVal.getAsRegion(); 675 if (MR) { 676 while (const ElementRegion *ER = dyn_cast<ElementRegion>(MR)) 677 MR = ER->getSuperRegion(); 678 679 // Special case for alloca() 680 if (isa<AllocaRegion>(MR)) 681 os << "Argument to free() was allocated by alloca(), not malloc()"; 682 else { 683 os << "Argument to free() is "; 684 if (SummarizeRegion(os, MR)) 685 os << ", which is not memory allocated by malloc()"; 686 else 687 os << "not memory allocated by malloc()"; 688 } 689 } else { 690 os << "Argument to free() is "; 691 if (SummarizeValue(os, ArgVal)) 692 os << ", which is not memory allocated by malloc()"; 693 else 694 os << "not memory allocated by malloc()"; 695 } 696 697 BugReport *R = new BugReport(*BT_BadFree, os.str(), N); 698 R->markInteresting(MR); 699 R->addRange(range); 700 C.EmitReport(R); 701 } 702} 703 704ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 705 const CallExpr *CE, 706 bool FreesOnFail) const { 707 ProgramStateRef state = C.getState(); 708 const Expr *arg0Expr = CE->getArg(0); 709 const LocationContext *LCtx = C.getLocationContext(); 710 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 711 if (!isa<DefinedOrUnknownSVal>(Arg0Val)) 712 return 0; 713 DefinedOrUnknownSVal arg0Val = cast<DefinedOrUnknownSVal>(Arg0Val); 714 715 SValBuilder &svalBuilder = C.getSValBuilder(); 716 717 DefinedOrUnknownSVal PtrEQ = 718 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 719 720 // Get the size argument. If there is no size arg then give up. 721 const Expr *Arg1 = CE->getArg(1); 722 if (!Arg1) 723 return 0; 724 725 // Get the value of the size argument. 726 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 727 if (!isa<DefinedOrUnknownSVal>(Arg1ValG)) 728 return 0; 729 DefinedOrUnknownSVal Arg1Val = cast<DefinedOrUnknownSVal>(Arg1ValG); 730 731 // Compare the size argument to 0. 732 DefinedOrUnknownSVal SizeZero = 733 svalBuilder.evalEQ(state, Arg1Val, 734 svalBuilder.makeIntValWithPtrWidth(0, false)); 735 736 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 737 llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 738 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 739 llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 740 // We only assume exceptional states if they are definitely true; if the 741 // state is under-constrained, assume regular realloc behavior. 742 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 743 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 744 745 // If the ptr is NULL and the size is not 0, the call is equivalent to 746 // malloc(size). 747 if ( PrtIsNull && !SizeIsZero) { 748 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 749 UndefinedVal(), StatePtrIsNull); 750 return stateMalloc; 751 } 752 753 if (PrtIsNull && SizeIsZero) 754 return 0; 755 756 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 757 assert(!PrtIsNull); 758 SymbolRef FromPtr = arg0Val.getAsSymbol(); 759 SVal RetVal = state->getSVal(CE, LCtx); 760 SymbolRef ToPtr = RetVal.getAsSymbol(); 761 if (!FromPtr || !ToPtr) 762 return 0; 763 764 // If the size is 0, free the memory. 765 if (SizeIsZero) 766 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero,0,false)){ 767 // The semantics of the return value are: 768 // If size was equal to 0, either NULL or a pointer suitable to be passed 769 // to free() is returned. 770 stateFree = stateFree->set<ReallocPairs>(ToPtr, 771 ReallocPair(FromPtr, FreesOnFail)); 772 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 773 return stateFree; 774 } 775 776 // Default behavior. 777 if (ProgramStateRef stateFree = FreeMemAux(C, CE, state, 0, false)) { 778 // FIXME: We should copy the content of the original buffer. 779 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 780 UnknownVal(), stateFree); 781 if (!stateRealloc) 782 return 0; 783 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 784 ReallocPair(FromPtr, FreesOnFail)); 785 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 786 return stateRealloc; 787 } 788 return 0; 789} 790 791ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 792 ProgramStateRef state = C.getState(); 793 SValBuilder &svalBuilder = C.getSValBuilder(); 794 const LocationContext *LCtx = C.getLocationContext(); 795 SVal count = state->getSVal(CE->getArg(0), LCtx); 796 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 797 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 798 svalBuilder.getContext().getSizeType()); 799 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 800 801 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 802} 803 804LeakInfo 805MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 806 CheckerContext &C) const { 807 const LocationContext *LeakContext = N->getLocationContext(); 808 // Walk the ExplodedGraph backwards and find the first node that referred to 809 // the tracked symbol. 810 const ExplodedNode *AllocNode = N; 811 const MemRegion *ReferenceRegion = 0; 812 813 while (N) { 814 ProgramStateRef State = N->getState(); 815 if (!State->get<RegionState>(Sym)) 816 break; 817 818 // Find the most recent expression bound to the symbol in the current 819 // context. 820 if (!ReferenceRegion) { 821 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 822 SVal Val = State->getSVal(MR); 823 if (Val.getAsLocSymbol() == Sym) 824 ReferenceRegion = MR; 825 } 826 } 827 828 // Allocation node, is the last node in the current context in which the 829 // symbol was tracked. 830 if (N->getLocationContext() == LeakContext) 831 AllocNode = N; 832 N = N->pred_empty() ? NULL : *(N->pred_begin()); 833 } 834 835 ProgramPoint P = AllocNode->getLocation(); 836 const Stmt *AllocationStmt = 0; 837 if (isa<StmtPoint>(P)) 838 AllocationStmt = cast<StmtPoint>(P).getStmt(); 839 840 return LeakInfo(AllocationStmt, ReferenceRegion); 841} 842 843void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 844 CheckerContext &C) const { 845 assert(N); 846 if (!BT_Leak) { 847 BT_Leak.reset(new BugType("Memory leak", "Memory Error")); 848 // Leaks should not be reported if they are post-dominated by a sink: 849 // (1) Sinks are higher importance bugs. 850 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 851 // with __noreturn functions such as assert() or exit(). We choose not 852 // to report leaks on such paths. 853 BT_Leak->setSuppressOnSink(true); 854 } 855 856 // Most bug reports are cached at the location where they occurred. 857 // With leaks, we want to unique them by the location where they were 858 // allocated, and only report a single path. 859 PathDiagnosticLocation LocUsedForUniqueing; 860 const Stmt *AllocStmt = 0; 861 const MemRegion *Region = 0; 862 llvm::tie(AllocStmt, Region) = getAllocationSite(N, Sym, C); 863 if (AllocStmt) 864 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocStmt, 865 C.getSourceManager(), N->getLocationContext()); 866 867 SmallString<200> buf; 868 llvm::raw_svector_ostream os(buf); 869 os << "Memory is never released; potential leak"; 870 if (Region) { 871 os << " of memory pointed to by '"; 872 Region->dumpPretty(os); 873 os <<'\''; 874 } 875 876 BugReport *R = new BugReport(*BT_Leak, os.str(), N, LocUsedForUniqueing); 877 R->markInteresting(Sym); 878 // FIXME: This is a hack to make sure the MallocBugVisitor gets to look at 879 // the ExplodedNode chain first, in order to mark any failed realloc symbols 880 // as interesting for ConditionBRVisitor. 881 R->addVisitor(new ConditionBRVisitor()); 882 R->addVisitor(new MallocBugVisitor(Sym)); 883 C.EmitReport(R); 884} 885 886void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 887 CheckerContext &C) const 888{ 889 if (!SymReaper.hasDeadSymbols()) 890 return; 891 892 ProgramStateRef state = C.getState(); 893 RegionStateTy RS = state->get<RegionState>(); 894 RegionStateTy::Factory &F = state->get_context<RegionState>(); 895 896 bool generateReport = false; 897 llvm::SmallVector<SymbolRef, 2> Errors; 898 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 899 if (SymReaper.isDead(I->first)) { 900 if (I->second.isAllocated()) { 901 generateReport = true; 902 Errors.push_back(I->first); 903 } 904 // Remove the dead symbol from the map. 905 RS = F.remove(RS, I->first); 906 907 } 908 } 909 910 // Cleanup the Realloc Pairs Map. 911 ReallocMap RP = state->get<ReallocPairs>(); 912 for (ReallocMap::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 913 if (SymReaper.isDead(I->first) || 914 SymReaper.isDead(I->second.ReallocatedSym)) { 915 state = state->remove<ReallocPairs>(I->first); 916 } 917 } 918 919 // Generate leak node. 920 static SimpleProgramPointTag Tag("MallocChecker : DeadSymbolsLeak"); 921 ExplodedNode *N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 922 923 if (generateReport) { 924 for (llvm::SmallVector<SymbolRef, 2>::iterator 925 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 926 reportLeak(*I, N, C); 927 } 928 } 929 C.addTransition(state->set<RegionState>(RS), N); 930} 931 932void MallocChecker::checkEndPath(CheckerContext &C) const { 933 ProgramStateRef state = C.getState(); 934 RegionStateTy M = state->get<RegionState>(); 935 936 // If inside inlined call, skip it. 937 if (C.getLocationContext()->getParent() != 0) 938 return; 939 940 for (RegionStateTy::iterator I = M.begin(), E = M.end(); I != E; ++I) { 941 RefState RS = I->second; 942 if (RS.isAllocated()) { 943 ExplodedNode *N = C.addTransition(state); 944 if (N) 945 reportLeak(I->first, N, C); 946 } 947 } 948} 949 950bool MallocChecker::checkEscape(SymbolRef Sym, const Stmt *S, 951 CheckerContext &C) const { 952 ProgramStateRef state = C.getState(); 953 const RefState *RS = state->get<RegionState>(Sym); 954 if (!RS) 955 return false; 956 957 if (RS->isAllocated()) { 958 state = state->set<RegionState>(Sym, RefState::getEscaped(S)); 959 C.addTransition(state); 960 return true; 961 } 962 return false; 963} 964 965void MallocChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { 966 if (isMemFunction(C.getCalleeDecl(CE), C.getASTContext())) 967 return; 968 969 // Check use after free, when a freed pointer is passed to a call. 970 ProgramStateRef State = C.getState(); 971 for (CallExpr::const_arg_iterator I = CE->arg_begin(), 972 E = CE->arg_end(); I != E; ++I) { 973 const Expr *A = *I; 974 if (A->getType().getTypePtr()->isAnyPointerType()) { 975 SymbolRef Sym = State->getSVal(A, C.getLocationContext()).getAsSymbol(); 976 if (!Sym) 977 continue; 978 if (checkUseAfterFree(Sym, C, A)) 979 return; 980 } 981 } 982} 983 984void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 985 const Expr *E = S->getRetValue(); 986 if (!E) 987 return; 988 989 // Check if we are returning a symbol. 990 SVal RetVal = C.getState()->getSVal(E, C.getLocationContext()); 991 SymbolRef Sym = RetVal.getAsSymbol(); 992 if (!Sym) 993 // If we are returning a field of the allocated struct or an array element, 994 // the callee could still free the memory. 995 // TODO: This logic should be a part of generic symbol escape callback. 996 if (const MemRegion *MR = RetVal.getAsRegion()) 997 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 998 if (const SymbolicRegion *BMR = 999 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 1000 Sym = BMR->getSymbol(); 1001 if (!Sym) 1002 return; 1003 1004 // Check if we are returning freed memory. 1005 if (checkUseAfterFree(Sym, C, E)) 1006 return; 1007 1008 // If this function body is not inlined, check if the symbol is escaping. 1009 if (C.getLocationContext()->getParent() == 0) 1010 checkEscape(Sym, E, C); 1011} 1012 1013// TODO: Blocks should be either inlined or should call invalidate regions 1014// upon invocation. After that's in place, special casing here will not be 1015// needed. 1016void MallocChecker::checkPostStmt(const BlockExpr *BE, 1017 CheckerContext &C) const { 1018 1019 // Scan the BlockDecRefExprs for any object the retain count checker 1020 // may be tracking. 1021 if (!BE->getBlockDecl()->hasCaptures()) 1022 return; 1023 1024 ProgramStateRef state = C.getState(); 1025 const BlockDataRegion *R = 1026 cast<BlockDataRegion>(state->getSVal(BE, 1027 C.getLocationContext()).getAsRegion()); 1028 1029 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 1030 E = R->referenced_vars_end(); 1031 1032 if (I == E) 1033 return; 1034 1035 SmallVector<const MemRegion*, 10> Regions; 1036 const LocationContext *LC = C.getLocationContext(); 1037 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 1038 1039 for ( ; I != E; ++I) { 1040 const VarRegion *VR = *I; 1041 if (VR->getSuperRegion() == R) { 1042 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 1043 } 1044 Regions.push_back(VR); 1045 } 1046 1047 state = 1048 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 1049 Regions.data() + Regions.size()).getState(); 1050 C.addTransition(state); 1051} 1052 1053bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 1054 const Stmt *S) const { 1055 assert(Sym); 1056 const RefState *RS = C.getState()->get<RegionState>(Sym); 1057 if (RS && RS->isReleased()) { 1058 if (ExplodedNode *N = C.generateSink()) { 1059 if (!BT_UseFree) 1060 BT_UseFree.reset(new BugType("Use-after-free", "Memory Error")); 1061 1062 BugReport *R = new BugReport(*BT_UseFree, 1063 "Use of memory after it is freed",N); 1064 if (S) 1065 R->addRange(S->getSourceRange()); 1066 R->markInteresting(Sym); 1067 R->addVisitor(new MallocBugVisitor(Sym)); 1068 C.EmitReport(R); 1069 return true; 1070 } 1071 } 1072 return false; 1073} 1074 1075// Check if the location is a freed symbolic region. 1076void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 1077 CheckerContext &C) const { 1078 SymbolRef Sym = l.getLocSymbolInBase(); 1079 if (Sym) 1080 checkUseAfterFree(Sym, C); 1081} 1082 1083//===----------------------------------------------------------------------===// 1084// Check various ways a symbol can be invalidated. 1085// TODO: This logic (the next 3 functions) is copied/similar to the 1086// RetainRelease checker. We might want to factor this out. 1087//===----------------------------------------------------------------------===// 1088 1089// Stop tracking symbols when a value escapes as a result of checkBind. 1090// A value escapes in three possible cases: 1091// (1) we are binding to something that is not a memory region. 1092// (2) we are binding to a memregion that does not have stack storage 1093// (3) we are binding to a memregion with stack storage that the store 1094// does not understand. 1095void MallocChecker::checkBind(SVal loc, SVal val, const Stmt *S, 1096 CheckerContext &C) const { 1097 // Are we storing to something that causes the value to "escape"? 1098 bool escapes = true; 1099 ProgramStateRef state = C.getState(); 1100 1101 if (loc::MemRegionVal *regionLoc = dyn_cast<loc::MemRegionVal>(&loc)) { 1102 escapes = !regionLoc->getRegion()->hasStackStorage(); 1103 1104 if (!escapes) { 1105 // To test (3), generate a new state with the binding added. If it is 1106 // the same state, then it escapes (since the store cannot represent 1107 // the binding). 1108 escapes = (state == (state->bindLoc(*regionLoc, val))); 1109 } 1110 if (!escapes) { 1111 // Case 4: We do not currently model what happens when a symbol is 1112 // assigned to a struct field, so be conservative here and let the symbol 1113 // go. TODO: This could definitely be improved upon. 1114 escapes = !isa<VarRegion>(regionLoc->getRegion()); 1115 } 1116 } 1117 1118 // If our store can represent the binding and we aren't storing to something 1119 // that doesn't have local storage then just return and have the simulation 1120 // state continue as is. 1121 if (!escapes) 1122 return; 1123 1124 // Otherwise, find all symbols referenced by 'val' that we are tracking 1125 // and stop tracking them. 1126 state = state->scanReachableSymbols<StopTrackingCallback>(val).getState(); 1127 C.addTransition(state); 1128} 1129 1130// If a symbolic region is assumed to NULL (or another constant), stop tracking 1131// it - assuming that allocation failed on this path. 1132ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 1133 SVal Cond, 1134 bool Assumption) const { 1135 RegionStateTy RS = state->get<RegionState>(); 1136 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1137 // If the symbol is assumed to NULL or another constant, this will 1138 // return an APSInt*. 1139 if (state->getSymVal(I.getKey())) 1140 state = state->remove<RegionState>(I.getKey()); 1141 } 1142 1143 // Realloc returns 0 when reallocation fails, which means that we should 1144 // restore the state of the pointer being reallocated. 1145 ReallocMap RP = state->get<ReallocPairs>(); 1146 for (ReallocMap::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1147 // If the symbol is assumed to NULL or another constant, this will 1148 // return an APSInt*. 1149 if (state->getSymVal(I.getKey())) { 1150 SymbolRef ReallocSym = I.getData().ReallocatedSym; 1151 const RefState *RS = state->get<RegionState>(ReallocSym); 1152 if (RS) { 1153 if (RS->isReleased() && ! I.getData().IsFreeOnFailure) 1154 state = state->set<RegionState>(ReallocSym, 1155 RefState::getAllocateUnchecked(RS->getStmt())); 1156 } 1157 state = state->remove<ReallocPairs>(I.getKey()); 1158 } 1159 } 1160 1161 return state; 1162} 1163 1164// Check if the function is known to us. So, for example, we could 1165// conservatively assume it can free/reallocate it's pointer arguments. 1166// (We assume that the pointers cannot escape through calls to system 1167// functions not handled by this checker.) 1168bool MallocChecker::doesNotFreeMemory(const CallOrObjCMessage *Call, 1169 ProgramStateRef State) const { 1170 if (!Call) 1171 return false; 1172 1173 // For now, assume that any C++ call can free memory. 1174 // TODO: If we want to be more optimistic here, we'll need to make sure that 1175 // regions escape to C++ containers. They seem to do that even now, but for 1176 // mysterious reasons. 1177 if (Call->isCXXCall()) 1178 return false; 1179 1180 const Decl *D = Call->getDecl(); 1181 if (!D) 1182 return false; 1183 1184 ASTContext &ASTC = State->getStateManager().getContext(); 1185 1186 // If it's one of the allocation functions we can reason about, we model 1187 // its behavior explicitly. 1188 if (isa<FunctionDecl>(D) && isMemFunction(cast<FunctionDecl>(D), ASTC)) { 1189 return true; 1190 } 1191 1192 // If it's not a system call, assume it frees memory. 1193 SourceManager &SM = ASTC.getSourceManager(); 1194 if (!SM.isInSystemHeader(D->getLocation())) 1195 return false; 1196 1197 // Process C/ObjC functions. 1198 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D)) { 1199 // White list the system functions whose arguments escape. 1200 const IdentifierInfo *II = FD->getIdentifier(); 1201 if (!II) 1202 return true; 1203 StringRef FName = II->getName(); 1204 1205 // White list thread local storage. 1206 if (FName.equals("pthread_setspecific")) 1207 return false; 1208 1209 // White list the 'XXXNoCopy' ObjC functions. 1210 if (FName.endswith("NoCopy")) { 1211 // Look for the deallocator argument. We know that the memory ownership 1212 // is not transfered only if the deallocator argument is 1213 // 'kCFAllocatorNull'. 1214 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 1215 const Expr *ArgE = Call->getArg(i)->IgnoreParenCasts(); 1216 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 1217 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 1218 if (DeallocatorName == "kCFAllocatorNull") 1219 return true; 1220 } 1221 } 1222 return false; 1223 } 1224 1225 // PR12101 1226 // Many CoreFoundation and CoreGraphics might allow a tracked object 1227 // to escape. 1228 if (Call->isCFCGAllowingEscape(FName)) 1229 return false; 1230 1231 // Associating streams with malloced buffers. The pointer can escape if 1232 // 'closefn' is specified (and if that function does free memory). 1233 // Currently, we do not inspect the 'closefn' function (PR12101). 1234 if (FName == "funopen") 1235 if (Call->getNumArgs() >= 4 && !Call->getArgSVal(4).isConstant(0)) 1236 return false; 1237 1238 // Do not warn on pointers passed to 'setbuf' when used with std streams, 1239 // these leaks might be intentional when setting the buffer for stdio. 1240 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 1241 if (FName == "setbuf" || FName =="setbuffer" || 1242 FName == "setlinebuf" || FName == "setvbuf") { 1243 if (Call->getNumArgs() >= 1) 1244 if (const DeclRefExpr *Arg = 1245 dyn_cast<DeclRefExpr>(Call->getArg(0)->IgnoreParenCasts())) 1246 if (const VarDecl *D = dyn_cast<VarDecl>(Arg->getDecl())) 1247 if (D->getCanonicalDecl()->getName().find("std") 1248 != StringRef::npos) 1249 return false; 1250 } 1251 1252 // A bunch of other functions, which take ownership of a pointer (See retain 1253 // release checker). Not all the parameters here are invalidated, but the 1254 // Malloc checker cannot differentiate between them. The right way of doing 1255 // this would be to implement a pointer escapes callback. 1256 if (FName == "CVPixelBufferCreateWithBytes" || 1257 FName == "CGBitmapContextCreateWithData" || 1258 FName == "CVPixelBufferCreateWithPlanarBytes") { 1259 return false; 1260 } 1261 1262 // Otherwise, assume that the function does not free memory. 1263 // Most system calls, do not free the memory. 1264 return true; 1265 1266 // Process ObjC functions. 1267 } else if (const ObjCMethodDecl * ObjCD = dyn_cast<ObjCMethodDecl>(D)) { 1268 Selector S = ObjCD->getSelector(); 1269 1270 // White list the ObjC functions which do free memory. 1271 // - Anything containing 'freeWhenDone' param set to 1. 1272 // Ex: dataWithBytesNoCopy:length:freeWhenDone. 1273 for (unsigned i = 1; i < S.getNumArgs(); ++i) { 1274 if (S.getNameForSlot(i).equals("freeWhenDone")) { 1275 if (Call->getArgSVal(i).isConstant(1)) 1276 return false; 1277 else 1278 return true; 1279 } 1280 } 1281 1282 // If the first selector ends with NoCopy, assume that the ownership is 1283 // transfered as well. 1284 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1285 if (S.getNameForSlot(0).endswith("NoCopy")) { 1286 return false; 1287 } 1288 1289 // Otherwise, assume that the function does not free memory. 1290 // Most system calls, do not free the memory. 1291 return true; 1292 } 1293 1294 // Otherwise, assume that the function can free memory. 1295 return false; 1296 1297} 1298 1299// If the symbol we are tracking is invalidated, but not explicitly (ex: the &p 1300// escapes, when we are tracking p), do not track the symbol as we cannot reason 1301// about it anymore. 1302ProgramStateRef 1303MallocChecker::checkRegionChanges(ProgramStateRef State, 1304 const StoreManager::InvalidatedSymbols *invalidated, 1305 ArrayRef<const MemRegion *> ExplicitRegions, 1306 ArrayRef<const MemRegion *> Regions, 1307 const CallOrObjCMessage *Call) const { 1308 if (!invalidated || invalidated->empty()) 1309 return State; 1310 llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols; 1311 1312 // If it's a call which might free or reallocate memory, we assume that all 1313 // regions (explicit and implicit) escaped. 1314 1315 // Otherwise, whitelist explicit pointers; we still can track them. 1316 if (!Call || doesNotFreeMemory(Call, State)) { 1317 for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(), 1318 E = ExplicitRegions.end(); I != E; ++I) { 1319 if (const SymbolicRegion *R = (*I)->StripCasts()->getAs<SymbolicRegion>()) 1320 WhitelistedSymbols.insert(R->getSymbol()); 1321 } 1322 } 1323 1324 for (StoreManager::InvalidatedSymbols::const_iterator I=invalidated->begin(), 1325 E = invalidated->end(); I!=E; ++I) { 1326 SymbolRef sym = *I; 1327 if (WhitelistedSymbols.count(sym)) 1328 continue; 1329 // The symbol escaped. 1330 if (const RefState *RS = State->get<RegionState>(sym)) 1331 State = State->set<RegionState>(sym, RefState::getEscaped(RS->getStmt())); 1332 } 1333 return State; 1334} 1335 1336static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 1337 ProgramStateRef prevState) { 1338 ReallocMap currMap = currState->get<ReallocPairs>(); 1339 ReallocMap prevMap = prevState->get<ReallocPairs>(); 1340 1341 for (ReallocMap::iterator I = prevMap.begin(), E = prevMap.end(); 1342 I != E; ++I) { 1343 SymbolRef sym = I.getKey(); 1344 if (!currMap.lookup(sym)) 1345 return sym; 1346 } 1347 1348 return NULL; 1349} 1350 1351PathDiagnosticPiece * 1352MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 1353 const ExplodedNode *PrevN, 1354 BugReporterContext &BRC, 1355 BugReport &BR) { 1356 ProgramStateRef state = N->getState(); 1357 ProgramStateRef statePrev = PrevN->getState(); 1358 1359 const RefState *RS = state->get<RegionState>(Sym); 1360 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 1361 if (!RS && !RSPrev) 1362 return 0; 1363 1364 const Stmt *S = 0; 1365 const char *Msg = 0; 1366 StackHintGeneratorForSymbol *StackHint = 0; 1367 1368 // Retrieve the associated statement. 1369 ProgramPoint ProgLoc = N->getLocation(); 1370 if (isa<StmtPoint>(ProgLoc)) 1371 S = cast<StmtPoint>(ProgLoc).getStmt(); 1372 // If an assumption was made on a branch, it should be caught 1373 // here by looking at the state transition. 1374 if (isa<BlockEdge>(ProgLoc)) { 1375 const CFGBlock *srcBlk = cast<BlockEdge>(ProgLoc).getSrc(); 1376 S = srcBlk->getTerminator(); 1377 } 1378 if (!S) 1379 return 0; 1380 1381 // Find out if this is an interesting point and what is the kind. 1382 if (Mode == Normal) { 1383 if (isAllocated(RS, RSPrev, S)) { 1384 Msg = "Memory is allocated"; 1385 StackHint = new StackHintGeneratorForSymbol(Sym, 1386 "Returned allocated memory"); 1387 } else if (isReleased(RS, RSPrev, S)) { 1388 Msg = "Memory is released"; 1389 StackHint = new StackHintGeneratorForSymbol(Sym, 1390 "Returned released memory"); 1391 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 1392 Mode = ReallocationFailed; 1393 Msg = "Reallocation failed"; 1394 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 1395 "Reallocation failed"); 1396 1397 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) 1398 BR.markInteresting(sym); 1399 } 1400 1401 // We are in a special mode if a reallocation failed later in the path. 1402 } else if (Mode == ReallocationFailed) { 1403 // Generate a special diagnostic for the first realloc we find. 1404 if (!isAllocated(RS, RSPrev, S) && !isReleased(RS, RSPrev, S)) 1405 return 0; 1406 1407 // Check that the name of the function is realloc. 1408 const CallExpr *CE = dyn_cast<CallExpr>(S); 1409 if (!CE) 1410 return 0; 1411 const FunctionDecl *funDecl = CE->getDirectCallee(); 1412 if (!funDecl) 1413 return 0; 1414 StringRef FunName = funDecl->getName(); 1415 if (!(FunName.equals("realloc") || FunName.equals("reallocf"))) 1416 return 0; 1417 Msg = "Attempt to reallocate memory"; 1418 StackHint = new StackHintGeneratorForSymbol(Sym, 1419 "Returned reallocated memory"); 1420 Mode = Normal; 1421 } 1422 1423 if (!Msg) 1424 return 0; 1425 assert(StackHint); 1426 1427 // Generate the extra diagnostic. 1428 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 1429 N->getLocationContext()); 1430 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 1431} 1432 1433 1434#define REGISTER_CHECKER(name) \ 1435void ento::register##name(CheckerManager &mgr) {\ 1436 registerCStringCheckerBasic(mgr); \ 1437 mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\ 1438} 1439 1440REGISTER_CHECKER(MallocPessimistic) 1441REGISTER_CHECKER(MallocOptimistic) 1442