1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines malloc/free checker, which checks for potential memory 11 // leaks, double free, and use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/AST/Attr.h" 18 #include "clang/Basic/SourceManager.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20 #include "clang/StaticAnalyzer/Core/Checker.h" 21 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 27 #include "llvm/ADT/ImmutableMap.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include "llvm/ADT/SmallString.h" 30 #include "llvm/ADT/StringExtras.h" 31 #include <climits> 32 33 using namespace clang; 34 using namespace ento; 35 36 namespace { 37 38 class RefState { 39 enum Kind { // Reference to allocated memory. 40 Allocated, 41 // Reference to released/freed memory. 42 Released, 43 // The responsibility for freeing resources has transfered from 44 // this reference. A relinquished symbol should not be freed. 45 Relinquished } K; 46 const Stmt *S; 47 48 public: 49 RefState(Kind k, const Stmt *s) : K(k), S(s) {} 50 51 bool isAllocated() const { return K == Allocated; } 52 bool isReleased() const { return K == Released; } 53 bool isRelinquished() const { return K == Relinquished; } 54 55 const Stmt *getStmt() const { return S; } 56 57 bool operator==(const RefState &X) const { 58 return K == X.K && S == X.S; 59 } 60 61 static RefState getAllocated(const Stmt *s) { 62 return RefState(Allocated, s); 63 } 64 static RefState getReleased(const Stmt *s) { return RefState(Released, s); } 65 static RefState getRelinquished(const Stmt *s) { 66 return RefState(Relinquished, s); 67 } 68 69 void Profile(llvm::FoldingSetNodeID &ID) const { 70 ID.AddInteger(K); 71 ID.AddPointer(S); 72 } 73 }; 74 75 enum ReallocPairKind { 76 RPToBeFreedAfterFailure, 77 // The symbol has been freed when reallocation failed. 78 RPIsFreeOnFailure, 79 // The symbol does not need to be freed after reallocation fails. 80 RPDoNotTrackAfterFailure 81 }; 82 83 /// \class ReallocPair 84 /// \brief Stores information about the symbol being reallocated by a call to 85 /// 'realloc' to allow modeling failed reallocation later in the path. 86 struct ReallocPair { 87 // \brief The symbol which realloc reallocated. 88 SymbolRef ReallocatedSym; 89 ReallocPairKind Kind; 90 91 ReallocPair(SymbolRef S, ReallocPairKind K) : 92 ReallocatedSym(S), Kind(K) {} 93 void Profile(llvm::FoldingSetNodeID &ID) const { 94 ID.AddInteger(Kind); 95 ID.AddPointer(ReallocatedSym); 96 } 97 bool operator==(const ReallocPair &X) const { 98 return ReallocatedSym == X.ReallocatedSym && 99 Kind == X.Kind; 100 } 101 }; 102 103 typedef std::pair<const Stmt*, const MemRegion*> LeakInfo; 104 105 class MallocChecker : public Checker<check::DeadSymbols, 106 check::PreStmt<ReturnStmt>, 107 check::PreStmt<CallExpr>, 108 check::PostStmt<CallExpr>, 109 check::PostStmt<BlockExpr>, 110 check::PostObjCMessage, 111 check::Location, 112 check::Bind, 113 eval::Assume, 114 check::RegionChanges> 115 { 116 mutable OwningPtr<BugType> BT_DoubleFree; 117 mutable OwningPtr<BugType> BT_Leak; 118 mutable OwningPtr<BugType> BT_UseFree; 119 mutable OwningPtr<BugType> BT_BadFree; 120 mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, 121 *II_valloc, *II_reallocf, *II_strndup, *II_strdup; 122 123 public: 124 MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), 125 II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} 126 127 /// In pessimistic mode, the checker assumes that it does not know which 128 /// functions might free the memory. 129 struct ChecksFilter { 130 DefaultBool CMallocPessimistic; 131 DefaultBool CMallocOptimistic; 132 }; 133 134 ChecksFilter Filter; 135 136 void checkPreStmt(const CallExpr *S, CheckerContext &C) const; 137 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 138 void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; 139 void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; 140 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 141 void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; 142 ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, 143 bool Assumption) const; 144 void checkLocation(SVal l, bool isLoad, const Stmt *S, 145 CheckerContext &C) const; 146 void checkBind(SVal location, SVal val, const Stmt*S, 147 CheckerContext &C) const; 148 ProgramStateRef 149 checkRegionChanges(ProgramStateRef state, 150 const StoreManager::InvalidatedSymbols *invalidated, 151 ArrayRef<const MemRegion *> ExplicitRegions, 152 ArrayRef<const MemRegion *> Regions, 153 const CallEvent *Call) const; 154 bool wantsRegionChangeUpdate(ProgramStateRef state) const { 155 return true; 156 } 157 158 void printState(raw_ostream &Out, ProgramStateRef State, 159 const char *NL, const char *Sep) const; 160 161 private: 162 void initIdentifierInfo(ASTContext &C) const; 163 164 /// Check if this is one of the functions which can allocate/reallocate memory 165 /// pointed to by one of its arguments. 166 bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; 167 bool isFreeFunction(const FunctionDecl *FD, ASTContext &C) const; 168 bool isAllocationFunction(const FunctionDecl *FD, ASTContext &C) const; 169 170 static ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, 171 const CallExpr *CE, 172 const OwnershipAttr* Att); 173 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 174 const Expr *SizeEx, SVal Init, 175 ProgramStateRef state) { 176 return MallocMemAux(C, CE, 177 state->getSVal(SizeEx, C.getLocationContext()), 178 Init, state); 179 } 180 181 static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, 182 SVal SizeEx, SVal Init, 183 ProgramStateRef state); 184 185 /// Update the RefState to reflect the new memory allocation. 186 static ProgramStateRef MallocUpdateRefState(CheckerContext &C, 187 const CallExpr *CE, 188 ProgramStateRef state); 189 190 ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, 191 const OwnershipAttr* Att) const; 192 ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, 193 ProgramStateRef state, unsigned Num, 194 bool Hold, 195 bool &ReleasedAllocated, 196 bool ReturnsNullOnFailure = false) const; 197 ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, 198 const Expr *ParentExpr, 199 ProgramStateRef State, 200 bool Hold, 201 bool &ReleasedAllocated, 202 bool ReturnsNullOnFailure = false) const; 203 204 ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, 205 bool FreesMemOnFailure) const; 206 static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); 207 208 ///\brief Check if the memory associated with this symbol was released. 209 bool isReleased(SymbolRef Sym, CheckerContext &C) const; 210 211 bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 212 const Stmt *S = 0) const; 213 214 /// Check if the function is not known to us. So, for example, we could 215 /// conservatively assume it can free/reallocate it's pointer arguments. 216 bool doesNotFreeMemory(const CallEvent *Call, 217 ProgramStateRef State) const; 218 219 static bool SummarizeValue(raw_ostream &os, SVal V); 220 static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); 221 void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange range) const; 222 223 /// Find the location of the allocation for Sym on the path leading to the 224 /// exploded node N. 225 LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 226 CheckerContext &C) const; 227 228 void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; 229 230 /// The bug visitor which allows us to print extra diagnostics along the 231 /// BugReport path. For example, showing the allocation site of the leaked 232 /// region. 233 class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> { 234 protected: 235 enum NotificationMode { 236 Normal, 237 ReallocationFailed 238 }; 239 240 // The allocated region symbol tracked by the main analysis. 241 SymbolRef Sym; 242 243 // The mode we are in, i.e. what kind of diagnostics will be emitted. 244 NotificationMode Mode; 245 246 // A symbol from when the primary region should have been reallocated. 247 SymbolRef FailedReallocSymbol; 248 249 bool IsLeak; 250 251 public: 252 MallocBugVisitor(SymbolRef S, bool isLeak = false) 253 : Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {} 254 255 virtual ~MallocBugVisitor() {} 256 257 void Profile(llvm::FoldingSetNodeID &ID) const { 258 static int X = 0; 259 ID.AddPointer(&X); 260 ID.AddPointer(Sym); 261 } 262 263 inline bool isAllocated(const RefState *S, const RefState *SPrev, 264 const Stmt *Stmt) { 265 // Did not track -> allocated. Other state (released) -> allocated. 266 return (Stmt && isa<CallExpr>(Stmt) && 267 (S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated())); 268 } 269 270 inline bool isReleased(const RefState *S, const RefState *SPrev, 271 const Stmt *Stmt) { 272 // Did not track -> released. Other state (allocated) -> released. 273 return (Stmt && isa<CallExpr>(Stmt) && 274 (S && S->isReleased()) && (!SPrev || !SPrev->isReleased())); 275 } 276 277 inline bool isRelinquished(const RefState *S, const RefState *SPrev, 278 const Stmt *Stmt) { 279 // Did not track -> relinquished. Other state (allocated) -> relinquished. 280 return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) || 281 isa<ObjCPropertyRefExpr>(Stmt)) && 282 (S && S->isRelinquished()) && 283 (!SPrev || !SPrev->isRelinquished())); 284 } 285 286 inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev, 287 const Stmt *Stmt) { 288 // If the expression is not a call, and the state change is 289 // released -> allocated, it must be the realloc return value 290 // check. If we have to handle more cases here, it might be cleaner just 291 // to track this extra bit in the state itself. 292 return ((!Stmt || !isa<CallExpr>(Stmt)) && 293 (S && S->isAllocated()) && (SPrev && !SPrev->isAllocated())); 294 } 295 296 PathDiagnosticPiece *VisitNode(const ExplodedNode *N, 297 const ExplodedNode *PrevN, 298 BugReporterContext &BRC, 299 BugReport &BR); 300 301 PathDiagnosticPiece* getEndPath(BugReporterContext &BRC, 302 const ExplodedNode *EndPathNode, 303 BugReport &BR) { 304 if (!IsLeak) 305 return 0; 306 307 PathDiagnosticLocation L = 308 PathDiagnosticLocation::createEndOfPath(EndPathNode, 309 BRC.getSourceManager()); 310 // Do not add the statement itself as a range in case of leak. 311 return new PathDiagnosticEventPiece(L, BR.getDescription(), false); 312 } 313 314 private: 315 class StackHintGeneratorForReallocationFailed 316 : public StackHintGeneratorForSymbol { 317 public: 318 StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M) 319 : StackHintGeneratorForSymbol(S, M) {} 320 321 virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) { 322 // Printed parameters start at 1, not 0. 323 ++ArgIndex; 324 325 SmallString<200> buf; 326 llvm::raw_svector_ostream os(buf); 327 328 os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex) 329 << " parameter failed"; 330 331 return os.str(); 332 } 333 334 virtual std::string getMessageForReturn(const CallExpr *CallExpr) { 335 return "Reallocation of returned value failed"; 336 } 337 }; 338 }; 339 }; 340 } // end anonymous namespace 341 342 REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) 343 REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) 344 345 // A map from the freed symbol to the symbol representing the return value of 346 // the free function. 347 REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) 348 349 namespace { 350 class StopTrackingCallback : public SymbolVisitor { 351 ProgramStateRef state; 352 public: 353 StopTrackingCallback(ProgramStateRef st) : state(st) {} 354 ProgramStateRef getState() const { return state; } 355 356 bool VisitSymbol(SymbolRef sym) { 357 state = state->remove<RegionState>(sym); 358 return true; 359 } 360 }; 361 } // end anonymous namespace 362 363 void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { 364 if (II_malloc) 365 return; 366 II_malloc = &Ctx.Idents.get("malloc"); 367 II_free = &Ctx.Idents.get("free"); 368 II_realloc = &Ctx.Idents.get("realloc"); 369 II_reallocf = &Ctx.Idents.get("reallocf"); 370 II_calloc = &Ctx.Idents.get("calloc"); 371 II_valloc = &Ctx.Idents.get("valloc"); 372 II_strdup = &Ctx.Idents.get("strdup"); 373 II_strndup = &Ctx.Idents.get("strndup"); 374 } 375 376 bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { 377 if (isFreeFunction(FD, C)) 378 return true; 379 380 if (isAllocationFunction(FD, C)) 381 return true; 382 383 return false; 384 } 385 386 bool MallocChecker::isAllocationFunction(const FunctionDecl *FD, 387 ASTContext &C) const { 388 if (!FD) 389 return false; 390 391 if (FD->getKind() == Decl::Function) { 392 IdentifierInfo *FunI = FD->getIdentifier(); 393 initIdentifierInfo(C); 394 395 if (FunI == II_malloc || FunI == II_realloc || 396 FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || 397 FunI == II_strdup || FunI == II_strndup) 398 return true; 399 } 400 401 if (Filter.CMallocOptimistic && FD->hasAttrs()) 402 for (specific_attr_iterator<OwnershipAttr> 403 i = FD->specific_attr_begin<OwnershipAttr>(), 404 e = FD->specific_attr_end<OwnershipAttr>(); 405 i != e; ++i) 406 if ((*i)->getOwnKind() == OwnershipAttr::Returns) 407 return true; 408 return false; 409 } 410 411 bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const { 412 if (!FD) 413 return false; 414 415 if (FD->getKind() == Decl::Function) { 416 IdentifierInfo *FunI = FD->getIdentifier(); 417 initIdentifierInfo(C); 418 419 if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) 420 return true; 421 } 422 423 if (Filter.CMallocOptimistic && FD->hasAttrs()) 424 for (specific_attr_iterator<OwnershipAttr> 425 i = FD->specific_attr_begin<OwnershipAttr>(), 426 e = FD->specific_attr_end<OwnershipAttr>(); 427 i != e; ++i) 428 if ((*i)->getOwnKind() == OwnershipAttr::Takes || 429 (*i)->getOwnKind() == OwnershipAttr::Holds) 430 return true; 431 return false; 432 } 433 434 void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { 435 if (C.wasInlined) 436 return; 437 438 const FunctionDecl *FD = C.getCalleeDecl(CE); 439 if (!FD) 440 return; 441 442 ProgramStateRef State = C.getState(); 443 bool ReleasedAllocatedMemory = false; 444 445 if (FD->getKind() == Decl::Function) { 446 initIdentifierInfo(C.getASTContext()); 447 IdentifierInfo *FunI = FD->getIdentifier(); 448 449 if (FunI == II_malloc || FunI == II_valloc) { 450 if (CE->getNumArgs() < 1) 451 return; 452 State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); 453 } else if (FunI == II_realloc) { 454 State = ReallocMem(C, CE, false); 455 } else if (FunI == II_reallocf) { 456 State = ReallocMem(C, CE, true); 457 } else if (FunI == II_calloc) { 458 State = CallocMem(C, CE); 459 } else if (FunI == II_free) { 460 State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); 461 } else if (FunI == II_strdup) { 462 State = MallocUpdateRefState(C, CE, State); 463 } else if (FunI == II_strndup) { 464 State = MallocUpdateRefState(C, CE, State); 465 } 466 } 467 468 if (Filter.CMallocOptimistic) { 469 // Check all the attributes, if there are any. 470 // There can be multiple of these attributes. 471 if (FD->hasAttrs()) 472 for (specific_attr_iterator<OwnershipAttr> 473 i = FD->specific_attr_begin<OwnershipAttr>(), 474 e = FD->specific_attr_end<OwnershipAttr>(); 475 i != e; ++i) { 476 switch ((*i)->getOwnKind()) { 477 case OwnershipAttr::Returns: 478 State = MallocMemReturnsAttr(C, CE, *i); 479 break; 480 case OwnershipAttr::Takes: 481 case OwnershipAttr::Holds: 482 State = FreeMemAttr(C, CE, *i); 483 break; 484 } 485 } 486 } 487 C.addTransition(State); 488 } 489 490 static bool isFreeWhenDoneSetToZero(const ObjCMethodCall &Call) { 491 Selector S = Call.getSelector(); 492 for (unsigned i = 1; i < S.getNumArgs(); ++i) 493 if (S.getNameForSlot(i).equals("freeWhenDone")) 494 if (Call.getArgSVal(i).isConstant(0)) 495 return true; 496 497 return false; 498 } 499 500 void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call, 501 CheckerContext &C) const { 502 if (C.wasInlined) 503 return; 504 505 // If the first selector is dataWithBytesNoCopy, assume that the memory will 506 // be released with 'free' by the new object. 507 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 508 // Unless 'freeWhenDone' param set to 0. 509 // TODO: Check that the memory was allocated with malloc. 510 bool ReleasedAllocatedMemory = false; 511 Selector S = Call.getSelector(); 512 if ((S.getNameForSlot(0) == "dataWithBytesNoCopy" || 513 S.getNameForSlot(0) == "initWithBytesNoCopy" || 514 S.getNameForSlot(0) == "initWithCharactersNoCopy") && 515 !isFreeWhenDoneSetToZero(Call)){ 516 unsigned int argIdx = 0; 517 ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(argIdx), 518 Call.getOriginExpr(), C.getState(), true, 519 ReleasedAllocatedMemory, 520 /* RetNullOnFailure*/ true); 521 522 C.addTransition(State); 523 } 524 } 525 526 ProgramStateRef MallocChecker::MallocMemReturnsAttr(CheckerContext &C, 527 const CallExpr *CE, 528 const OwnershipAttr* Att) { 529 if (Att->getModule() != "malloc") 530 return 0; 531 532 OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 533 if (I != E) { 534 return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); 535 } 536 return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState()); 537 } 538 539 ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, 540 const CallExpr *CE, 541 SVal Size, SVal Init, 542 ProgramStateRef state) { 543 544 // Bind the return value to the symbolic value from the heap region. 545 // TODO: We could rewrite post visit to eval call; 'malloc' does not have 546 // side effects other than what we model here. 547 unsigned Count = C.blockCount(); 548 SValBuilder &svalBuilder = C.getSValBuilder(); 549 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 550 DefinedSVal RetVal = 551 cast<DefinedSVal>(svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)); 552 state = state->BindExpr(CE, C.getLocationContext(), RetVal); 553 554 // We expect the malloc functions to return a pointer. 555 if (!isa<Loc>(RetVal)) 556 return 0; 557 558 // Fill the region with the initialization value. 559 state = state->bindDefault(RetVal, Init); 560 561 // Set the region's extent equal to the Size parameter. 562 const SymbolicRegion *R = 563 dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion()); 564 if (!R) 565 return 0; 566 if (isa<DefinedOrUnknownSVal>(Size)) { 567 SValBuilder &svalBuilder = C.getSValBuilder(); 568 DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder); 569 DefinedOrUnknownSVal DefinedSize = cast<DefinedOrUnknownSVal>(Size); 570 DefinedOrUnknownSVal extentMatchesSize = 571 svalBuilder.evalEQ(state, Extent, DefinedSize); 572 573 state = state->assume(extentMatchesSize, true); 574 assert(state); 575 } 576 577 return MallocUpdateRefState(C, CE, state); 578 } 579 580 ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, 581 const CallExpr *CE, 582 ProgramStateRef state) { 583 // Get the return value. 584 SVal retVal = state->getSVal(CE, C.getLocationContext()); 585 586 // We expect the malloc functions to return a pointer. 587 if (!isa<Loc>(retVal)) 588 return 0; 589 590 SymbolRef Sym = retVal.getAsLocSymbol(); 591 assert(Sym); 592 593 // Set the symbol's state to Allocated. 594 return state->set<RegionState>(Sym, RefState::getAllocated(CE)); 595 596 } 597 598 ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, 599 const CallExpr *CE, 600 const OwnershipAttr* Att) const { 601 if (Att->getModule() != "malloc") 602 return 0; 603 604 ProgramStateRef State = C.getState(); 605 bool ReleasedAllocated = false; 606 607 for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); 608 I != E; ++I) { 609 ProgramStateRef StateI = FreeMemAux(C, CE, State, *I, 610 Att->getOwnKind() == OwnershipAttr::Holds, 611 ReleasedAllocated); 612 if (StateI) 613 State = StateI; 614 } 615 return State; 616 } 617 618 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 619 const CallExpr *CE, 620 ProgramStateRef state, 621 unsigned Num, 622 bool Hold, 623 bool &ReleasedAllocated, 624 bool ReturnsNullOnFailure) const { 625 if (CE->getNumArgs() < (Num + 1)) 626 return 0; 627 628 return FreeMemAux(C, CE->getArg(Num), CE, state, Hold, 629 ReleasedAllocated, ReturnsNullOnFailure); 630 } 631 632 /// Checks if the previous call to free on the given symbol failed - if free 633 /// failed, returns true. Also, returns the corresponding return value symbol. 634 static bool didPreviousFreeFail(ProgramStateRef State, 635 SymbolRef Sym, SymbolRef &RetStatusSymbol) { 636 const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); 637 if (Ret) { 638 assert(*Ret && "We should not store the null return symbol"); 639 ConstraintManager &CMgr = State->getConstraintManager(); 640 ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); 641 RetStatusSymbol = *Ret; 642 return FreeFailed.isConstrainedTrue(); 643 } 644 return false; 645 } 646 647 ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, 648 const Expr *ArgExpr, 649 const Expr *ParentExpr, 650 ProgramStateRef State, 651 bool Hold, 652 bool &ReleasedAllocated, 653 bool ReturnsNullOnFailure) const { 654 655 SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); 656 if (!isa<DefinedOrUnknownSVal>(ArgVal)) 657 return 0; 658 DefinedOrUnknownSVal location = cast<DefinedOrUnknownSVal>(ArgVal); 659 660 // Check for null dereferences. 661 if (!isa<Loc>(location)) 662 return 0; 663 664 // The explicit NULL case, no operation is performed. 665 ProgramStateRef notNullState, nullState; 666 llvm::tie(notNullState, nullState) = State->assume(location); 667 if (nullState && !notNullState) 668 return 0; 669 670 // Unknown values could easily be okay 671 // Undefined values are handled elsewhere 672 if (ArgVal.isUnknownOrUndef()) 673 return 0; 674 675 const MemRegion *R = ArgVal.getAsRegion(); 676 677 // Nonlocs can't be freed, of course. 678 // Non-region locations (labels and fixed addresses) also shouldn't be freed. 679 if (!R) { 680 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 681 return 0; 682 } 683 684 R = R->StripCasts(); 685 686 // Blocks might show up as heap data, but should not be free()d 687 if (isa<BlockDataRegion>(R)) { 688 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 689 return 0; 690 } 691 692 const MemSpaceRegion *MS = R->getMemorySpace(); 693 694 // Parameters, locals, statics, and globals shouldn't be freed. 695 if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { 696 // FIXME: at the time this code was written, malloc() regions were 697 // represented by conjured symbols, which are all in UnknownSpaceRegion. 698 // This means that there isn't actually anything from HeapSpaceRegion 699 // that should be freed, even though we allow it here. 700 // Of course, free() can work on memory allocated outside the current 701 // function, so UnknownSpaceRegion is always a possibility. 702 // False negatives are better than false positives. 703 704 ReportBadFree(C, ArgVal, ArgExpr->getSourceRange()); 705 return 0; 706 } 707 708 const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R); 709 // Various cases could lead to non-symbol values here. 710 // For now, ignore them. 711 if (!SR) 712 return 0; 713 714 SymbolRef Sym = SR->getSymbol(); 715 const RefState *RS = State->get<RegionState>(Sym); 716 SymbolRef PreviousRetStatusSymbol = 0; 717 718 // Check double free. 719 if (RS && 720 (RS->isReleased() || RS->isRelinquished()) && 721 !didPreviousFreeFail(State, Sym, PreviousRetStatusSymbol)) { 722 723 if (ExplodedNode *N = C.generateSink()) { 724 if (!BT_DoubleFree) 725 BT_DoubleFree.reset( 726 new BugType("Double free", "Memory Error")); 727 BugReport *R = new BugReport(*BT_DoubleFree, 728 (RS->isReleased() ? "Attempt to free released memory" : 729 "Attempt to free non-owned memory"), N); 730 R->addRange(ArgExpr->getSourceRange()); 731 R->markInteresting(Sym); 732 if (PreviousRetStatusSymbol) 733 R->markInteresting(PreviousRetStatusSymbol); 734 R->addVisitor(new MallocBugVisitor(Sym)); 735 C.emitReport(R); 736 } 737 return 0; 738 } 739 740 ReleasedAllocated = (RS != 0); 741 742 // Clean out the info on previous call to free return info. 743 State = State->remove<FreeReturnValue>(Sym); 744 745 // Keep track of the return value. If it is NULL, we will know that free 746 // failed. 747 if (ReturnsNullOnFailure) { 748 SVal RetVal = C.getSVal(ParentExpr); 749 SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); 750 if (RetStatusSymbol) { 751 C.getSymbolManager().addSymbolDependency(Sym, RetStatusSymbol); 752 State = State->set<FreeReturnValue>(Sym, RetStatusSymbol); 753 } 754 } 755 756 // Normal free. 757 if (Hold) 758 return State->set<RegionState>(Sym, RefState::getRelinquished(ParentExpr)); 759 return State->set<RegionState>(Sym, RefState::getReleased(ParentExpr)); 760 } 761 762 bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { 763 if (nonloc::ConcreteInt *IntVal = dyn_cast<nonloc::ConcreteInt>(&V)) 764 os << "an integer (" << IntVal->getValue() << ")"; 765 else if (loc::ConcreteInt *ConstAddr = dyn_cast<loc::ConcreteInt>(&V)) 766 os << "a constant address (" << ConstAddr->getValue() << ")"; 767 else if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&V)) 768 os << "the address of the label '" << Label->getLabel()->getName() << "'"; 769 else 770 return false; 771 772 return true; 773 } 774 775 bool MallocChecker::SummarizeRegion(raw_ostream &os, 776 const MemRegion *MR) { 777 switch (MR->getKind()) { 778 case MemRegion::FunctionTextRegionKind: { 779 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 780 if (FD) 781 os << "the address of the function '" << *FD << '\''; 782 else 783 os << "the address of a function"; 784 return true; 785 } 786 case MemRegion::BlockTextRegionKind: 787 os << "block text"; 788 return true; 789 case MemRegion::BlockDataRegionKind: 790 // FIXME: where the block came from? 791 os << "a block"; 792 return true; 793 default: { 794 const MemSpaceRegion *MS = MR->getMemorySpace(); 795 796 if (isa<StackLocalsSpaceRegion>(MS)) { 797 const VarRegion *VR = dyn_cast<VarRegion>(MR); 798 const VarDecl *VD; 799 if (VR) 800 VD = VR->getDecl(); 801 else 802 VD = NULL; 803 804 if (VD) 805 os << "the address of the local variable '" << VD->getName() << "'"; 806 else 807 os << "the address of a local stack variable"; 808 return true; 809 } 810 811 if (isa<StackArgumentsSpaceRegion>(MS)) { 812 const VarRegion *VR = dyn_cast<VarRegion>(MR); 813 const VarDecl *VD; 814 if (VR) 815 VD = VR->getDecl(); 816 else 817 VD = NULL; 818 819 if (VD) 820 os << "the address of the parameter '" << VD->getName() << "'"; 821 else 822 os << "the address of a parameter"; 823 return true; 824 } 825 826 if (isa<GlobalsSpaceRegion>(MS)) { 827 const VarRegion *VR = dyn_cast<VarRegion>(MR); 828 const VarDecl *VD; 829 if (VR) 830 VD = VR->getDecl(); 831 else 832 VD = NULL; 833 834 if (VD) { 835 if (VD->isStaticLocal()) 836 os << "the address of the static variable '" << VD->getName() << "'"; 837 else 838 os << "the address of the global variable '" << VD->getName() << "'"; 839 } else 840 os << "the address of a global variable"; 841 return true; 842 } 843 844 return false; 845 } 846 } 847 } 848 849 void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, 850 SourceRange range) const { 851 if (ExplodedNode *N = C.generateSink()) { 852 if (!BT_BadFree) 853 BT_BadFree.reset(new BugType("Bad free", "Memory Error")); 854 855 SmallString<100> buf; 856 llvm::raw_svector_ostream os(buf); 857 858 const MemRegion *MR = ArgVal.getAsRegion(); 859 if (MR) { 860 while (const ElementRegion *ER = dyn_cast<ElementRegion>(MR)) 861 MR = ER->getSuperRegion(); 862 863 // Special case for alloca() 864 if (isa<AllocaRegion>(MR)) 865 os << "Argument to free() was allocated by alloca(), not malloc()"; 866 else { 867 os << "Argument to free() is "; 868 if (SummarizeRegion(os, MR)) 869 os << ", which is not memory allocated by malloc()"; 870 else 871 os << "not memory allocated by malloc()"; 872 } 873 } else { 874 os << "Argument to free() is "; 875 if (SummarizeValue(os, ArgVal)) 876 os << ", which is not memory allocated by malloc()"; 877 else 878 os << "not memory allocated by malloc()"; 879 } 880 881 BugReport *R = new BugReport(*BT_BadFree, os.str(), N); 882 R->markInteresting(MR); 883 R->addRange(range); 884 C.emitReport(R); 885 } 886 } 887 888 ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, 889 const CallExpr *CE, 890 bool FreesOnFail) const { 891 if (CE->getNumArgs() < 2) 892 return 0; 893 894 ProgramStateRef state = C.getState(); 895 const Expr *arg0Expr = CE->getArg(0); 896 const LocationContext *LCtx = C.getLocationContext(); 897 SVal Arg0Val = state->getSVal(arg0Expr, LCtx); 898 if (!isa<DefinedOrUnknownSVal>(Arg0Val)) 899 return 0; 900 DefinedOrUnknownSVal arg0Val = cast<DefinedOrUnknownSVal>(Arg0Val); 901 902 SValBuilder &svalBuilder = C.getSValBuilder(); 903 904 DefinedOrUnknownSVal PtrEQ = 905 svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); 906 907 // Get the size argument. If there is no size arg then give up. 908 const Expr *Arg1 = CE->getArg(1); 909 if (!Arg1) 910 return 0; 911 912 // Get the value of the size argument. 913 SVal Arg1ValG = state->getSVal(Arg1, LCtx); 914 if (!isa<DefinedOrUnknownSVal>(Arg1ValG)) 915 return 0; 916 DefinedOrUnknownSVal Arg1Val = cast<DefinedOrUnknownSVal>(Arg1ValG); 917 918 // Compare the size argument to 0. 919 DefinedOrUnknownSVal SizeZero = 920 svalBuilder.evalEQ(state, Arg1Val, 921 svalBuilder.makeIntValWithPtrWidth(0, false)); 922 923 ProgramStateRef StatePtrIsNull, StatePtrNotNull; 924 llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); 925 ProgramStateRef StateSizeIsZero, StateSizeNotZero; 926 llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); 927 // We only assume exceptional states if they are definitely true; if the 928 // state is under-constrained, assume regular realloc behavior. 929 bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; 930 bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; 931 932 // If the ptr is NULL and the size is not 0, the call is equivalent to 933 // malloc(size). 934 if ( PrtIsNull && !SizeIsZero) { 935 ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), 936 UndefinedVal(), StatePtrIsNull); 937 return stateMalloc; 938 } 939 940 if (PrtIsNull && SizeIsZero) 941 return 0; 942 943 // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). 944 assert(!PrtIsNull); 945 SymbolRef FromPtr = arg0Val.getAsSymbol(); 946 SVal RetVal = state->getSVal(CE, LCtx); 947 SymbolRef ToPtr = RetVal.getAsSymbol(); 948 if (!FromPtr || !ToPtr) 949 return 0; 950 951 bool ReleasedAllocated = false; 952 953 // If the size is 0, free the memory. 954 if (SizeIsZero) 955 if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, 956 false, ReleasedAllocated)){ 957 // The semantics of the return value are: 958 // If size was equal to 0, either NULL or a pointer suitable to be passed 959 // to free() is returned. We just free the input pointer and do not add 960 // any constrains on the output pointer. 961 return stateFree; 962 } 963 964 // Default behavior. 965 if (ProgramStateRef stateFree = 966 FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) { 967 968 ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), 969 UnknownVal(), stateFree); 970 if (!stateRealloc) 971 return 0; 972 973 ReallocPairKind Kind = RPToBeFreedAfterFailure; 974 if (FreesOnFail) 975 Kind = RPIsFreeOnFailure; 976 else if (!ReleasedAllocated) 977 Kind = RPDoNotTrackAfterFailure; 978 979 // Record the info about the reallocated symbol so that we could properly 980 // process failed reallocation. 981 stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, 982 ReallocPair(FromPtr, Kind)); 983 // The reallocated symbol should stay alive for as long as the new symbol. 984 C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); 985 return stateRealloc; 986 } 987 return 0; 988 } 989 990 ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ 991 if (CE->getNumArgs() < 2) 992 return 0; 993 994 ProgramStateRef state = C.getState(); 995 SValBuilder &svalBuilder = C.getSValBuilder(); 996 const LocationContext *LCtx = C.getLocationContext(); 997 SVal count = state->getSVal(CE->getArg(0), LCtx); 998 SVal elementSize = state->getSVal(CE->getArg(1), LCtx); 999 SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, 1000 svalBuilder.getContext().getSizeType()); 1001 SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); 1002 1003 return MallocMemAux(C, CE, TotalSize, zeroVal, state); 1004 } 1005 1006 LeakInfo 1007 MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, 1008 CheckerContext &C) const { 1009 const LocationContext *LeakContext = N->getLocationContext(); 1010 // Walk the ExplodedGraph backwards and find the first node that referred to 1011 // the tracked symbol. 1012 const ExplodedNode *AllocNode = N; 1013 const MemRegion *ReferenceRegion = 0; 1014 1015 while (N) { 1016 ProgramStateRef State = N->getState(); 1017 if (!State->get<RegionState>(Sym)) 1018 break; 1019 1020 // Find the most recent expression bound to the symbol in the current 1021 // context. 1022 if (!ReferenceRegion) { 1023 if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) { 1024 SVal Val = State->getSVal(MR); 1025 if (Val.getAsLocSymbol() == Sym) 1026 ReferenceRegion = MR; 1027 } 1028 } 1029 1030 // Allocation node, is the last node in the current context in which the 1031 // symbol was tracked. 1032 if (N->getLocationContext() == LeakContext) 1033 AllocNode = N; 1034 N = N->pred_empty() ? NULL : *(N->pred_begin()); 1035 } 1036 1037 ProgramPoint P = AllocNode->getLocation(); 1038 const Stmt *AllocationStmt = 0; 1039 if (CallExitEnd *Exit = dyn_cast<CallExitEnd>(&P)) 1040 AllocationStmt = Exit->getCalleeContext()->getCallSite(); 1041 else if (StmtPoint *SP = dyn_cast<StmtPoint>(&P)) 1042 AllocationStmt = SP->getStmt(); 1043 1044 return LeakInfo(AllocationStmt, ReferenceRegion); 1045 } 1046 1047 void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, 1048 CheckerContext &C) const { 1049 assert(N); 1050 if (!BT_Leak) { 1051 BT_Leak.reset(new BugType("Memory leak", "Memory Error")); 1052 // Leaks should not be reported if they are post-dominated by a sink: 1053 // (1) Sinks are higher importance bugs. 1054 // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending 1055 // with __noreturn functions such as assert() or exit(). We choose not 1056 // to report leaks on such paths. 1057 BT_Leak->setSuppressOnSink(true); 1058 } 1059 1060 // Most bug reports are cached at the location where they occurred. 1061 // With leaks, we want to unique them by the location where they were 1062 // allocated, and only report a single path. 1063 PathDiagnosticLocation LocUsedForUniqueing; 1064 const Stmt *AllocStmt = 0; 1065 const MemRegion *Region = 0; 1066 llvm::tie(AllocStmt, Region) = getAllocationSite(N, Sym, C); 1067 if (AllocStmt) 1068 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocStmt, 1069 C.getSourceManager(), N->getLocationContext()); 1070 1071 SmallString<200> buf; 1072 llvm::raw_svector_ostream os(buf); 1073 os << "Memory is never released; potential leak"; 1074 if (Region && Region->canPrintPretty()) { 1075 os << " of memory pointed to by '"; 1076 Region->printPretty(os); 1077 os << '\''; 1078 } 1079 1080 BugReport *R = new BugReport(*BT_Leak, os.str(), N, LocUsedForUniqueing); 1081 R->markInteresting(Sym); 1082 R->addVisitor(new MallocBugVisitor(Sym, true)); 1083 C.emitReport(R); 1084 } 1085 1086 void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, 1087 CheckerContext &C) const 1088 { 1089 if (!SymReaper.hasDeadSymbols()) 1090 return; 1091 1092 ProgramStateRef state = C.getState(); 1093 RegionStateTy RS = state->get<RegionState>(); 1094 RegionStateTy::Factory &F = state->get_context<RegionState>(); 1095 1096 llvm::SmallVector<SymbolRef, 2> Errors; 1097 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1098 if (SymReaper.isDead(I->first)) { 1099 if (I->second.isAllocated()) 1100 Errors.push_back(I->first); 1101 // Remove the dead symbol from the map. 1102 RS = F.remove(RS, I->first); 1103 1104 } 1105 } 1106 1107 // Cleanup the Realloc Pairs Map. 1108 ReallocPairsTy RP = state->get<ReallocPairs>(); 1109 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1110 if (SymReaper.isDead(I->first) || 1111 SymReaper.isDead(I->second.ReallocatedSym)) { 1112 state = state->remove<ReallocPairs>(I->first); 1113 } 1114 } 1115 1116 // Cleanup the FreeReturnValue Map. 1117 FreeReturnValueTy FR = state->get<FreeReturnValue>(); 1118 for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) { 1119 if (SymReaper.isDead(I->first) || 1120 SymReaper.isDead(I->second)) { 1121 state = state->remove<FreeReturnValue>(I->first); 1122 } 1123 } 1124 1125 // Generate leak node. 1126 ExplodedNode *N = C.getPredecessor(); 1127 if (!Errors.empty()) { 1128 static SimpleProgramPointTag Tag("MallocChecker : DeadSymbolsLeak"); 1129 N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); 1130 for (llvm::SmallVector<SymbolRef, 2>::iterator 1131 I = Errors.begin(), E = Errors.end(); I != E; ++I) { 1132 reportLeak(*I, N, C); 1133 } 1134 } 1135 1136 C.addTransition(state->set<RegionState>(RS), N); 1137 } 1138 1139 void MallocChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const { 1140 // We will check for double free in the post visit. 1141 if (isFreeFunction(C.getCalleeDecl(CE), C.getASTContext())) 1142 return; 1143 1144 // Check use after free, when a freed pointer is passed to a call. 1145 ProgramStateRef State = C.getState(); 1146 for (CallExpr::const_arg_iterator I = CE->arg_begin(), 1147 E = CE->arg_end(); I != E; ++I) { 1148 const Expr *A = *I; 1149 if (A->getType().getTypePtr()->isAnyPointerType()) { 1150 SymbolRef Sym = State->getSVal(A, C.getLocationContext()).getAsSymbol(); 1151 if (!Sym) 1152 continue; 1153 if (checkUseAfterFree(Sym, C, A)) 1154 return; 1155 } 1156 } 1157 } 1158 1159 void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const { 1160 const Expr *E = S->getRetValue(); 1161 if (!E) 1162 return; 1163 1164 // Check if we are returning a symbol. 1165 ProgramStateRef State = C.getState(); 1166 SVal RetVal = State->getSVal(E, C.getLocationContext()); 1167 SymbolRef Sym = RetVal.getAsSymbol(); 1168 if (!Sym) 1169 // If we are returning a field of the allocated struct or an array element, 1170 // the callee could still free the memory. 1171 // TODO: This logic should be a part of generic symbol escape callback. 1172 if (const MemRegion *MR = RetVal.getAsRegion()) 1173 if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR)) 1174 if (const SymbolicRegion *BMR = 1175 dyn_cast<SymbolicRegion>(MR->getBaseRegion())) 1176 Sym = BMR->getSymbol(); 1177 1178 // Check if we are returning freed memory. 1179 if (Sym) 1180 checkUseAfterFree(Sym, C, E); 1181 } 1182 1183 // TODO: Blocks should be either inlined or should call invalidate regions 1184 // upon invocation. After that's in place, special casing here will not be 1185 // needed. 1186 void MallocChecker::checkPostStmt(const BlockExpr *BE, 1187 CheckerContext &C) const { 1188 1189 // Scan the BlockDecRefExprs for any object the retain count checker 1190 // may be tracking. 1191 if (!BE->getBlockDecl()->hasCaptures()) 1192 return; 1193 1194 ProgramStateRef state = C.getState(); 1195 const BlockDataRegion *R = 1196 cast<BlockDataRegion>(state->getSVal(BE, 1197 C.getLocationContext()).getAsRegion()); 1198 1199 BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(), 1200 E = R->referenced_vars_end(); 1201 1202 if (I == E) 1203 return; 1204 1205 SmallVector<const MemRegion*, 10> Regions; 1206 const LocationContext *LC = C.getLocationContext(); 1207 MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager(); 1208 1209 for ( ; I != E; ++I) { 1210 const VarRegion *VR = I.getCapturedRegion(); 1211 if (VR->getSuperRegion() == R) { 1212 VR = MemMgr.getVarRegion(VR->getDecl(), LC); 1213 } 1214 Regions.push_back(VR); 1215 } 1216 1217 state = 1218 state->scanReachableSymbols<StopTrackingCallback>(Regions.data(), 1219 Regions.data() + Regions.size()).getState(); 1220 C.addTransition(state); 1221 } 1222 1223 bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const { 1224 assert(Sym); 1225 const RefState *RS = C.getState()->get<RegionState>(Sym); 1226 return (RS && RS->isReleased()); 1227 } 1228 1229 bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, 1230 const Stmt *S) const { 1231 if (isReleased(Sym, C)) { 1232 if (ExplodedNode *N = C.generateSink()) { 1233 if (!BT_UseFree) 1234 BT_UseFree.reset(new BugType("Use-after-free", "Memory Error")); 1235 1236 BugReport *R = new BugReport(*BT_UseFree, 1237 "Use of memory after it is freed",N); 1238 if (S) 1239 R->addRange(S->getSourceRange()); 1240 R->markInteresting(Sym); 1241 R->addVisitor(new MallocBugVisitor(Sym)); 1242 C.emitReport(R); 1243 return true; 1244 } 1245 } 1246 return false; 1247 } 1248 1249 // Check if the location is a freed symbolic region. 1250 void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, 1251 CheckerContext &C) const { 1252 SymbolRef Sym = l.getLocSymbolInBase(); 1253 if (Sym) 1254 checkUseAfterFree(Sym, C, S); 1255 } 1256 1257 //===----------------------------------------------------------------------===// 1258 // Check various ways a symbol can be invalidated. 1259 // TODO: This logic (the next 3 functions) is copied/similar to the 1260 // RetainRelease checker. We might want to factor this out. 1261 //===----------------------------------------------------------------------===// 1262 1263 // Stop tracking symbols when a value escapes as a result of checkBind. 1264 // A value escapes in three possible cases: 1265 // (1) we are binding to something that is not a memory region. 1266 // (2) we are binding to a memregion that does not have stack storage 1267 // (3) we are binding to a memregion with stack storage that the store 1268 // does not understand. 1269 void MallocChecker::checkBind(SVal loc, SVal val, const Stmt *S, 1270 CheckerContext &C) const { 1271 // Are we storing to something that causes the value to "escape"? 1272 bool escapes = true; 1273 ProgramStateRef state = C.getState(); 1274 1275 if (loc::MemRegionVal *regionLoc = dyn_cast<loc::MemRegionVal>(&loc)) { 1276 escapes = !regionLoc->getRegion()->hasStackStorage(); 1277 1278 if (!escapes) { 1279 // To test (3), generate a new state with the binding added. If it is 1280 // the same state, then it escapes (since the store cannot represent 1281 // the binding). 1282 // Do this only if we know that the store is not supposed to generate the 1283 // same state. 1284 SVal StoredVal = state->getSVal(regionLoc->getRegion()); 1285 if (StoredVal != val) 1286 escapes = (state == (state->bindLoc(*regionLoc, val))); 1287 } 1288 } 1289 1290 // If our store can represent the binding and we aren't storing to something 1291 // that doesn't have local storage then just return and have the simulation 1292 // state continue as is. 1293 if (!escapes) 1294 return; 1295 1296 // Otherwise, find all symbols referenced by 'val' that we are tracking 1297 // and stop tracking them. 1298 state = state->scanReachableSymbols<StopTrackingCallback>(val).getState(); 1299 C.addTransition(state); 1300 } 1301 1302 // If a symbolic region is assumed to NULL (or another constant), stop tracking 1303 // it - assuming that allocation failed on this path. 1304 ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state, 1305 SVal Cond, 1306 bool Assumption) const { 1307 RegionStateTy RS = state->get<RegionState>(); 1308 for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) { 1309 // If the symbol is assumed to be NULL, remove it from consideration. 1310 ConstraintManager &CMgr = state->getConstraintManager(); 1311 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1312 if (AllocFailed.isConstrainedTrue()) 1313 state = state->remove<RegionState>(I.getKey()); 1314 } 1315 1316 // Realloc returns 0 when reallocation fails, which means that we should 1317 // restore the state of the pointer being reallocated. 1318 ReallocPairsTy RP = state->get<ReallocPairs>(); 1319 for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) { 1320 // If the symbol is assumed to be NULL, remove it from consideration. 1321 ConstraintManager &CMgr = state->getConstraintManager(); 1322 ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey()); 1323 if (!AllocFailed.isConstrainedTrue()) 1324 continue; 1325 1326 SymbolRef ReallocSym = I.getData().ReallocatedSym; 1327 if (const RefState *RS = state->get<RegionState>(ReallocSym)) { 1328 if (RS->isReleased()) { 1329 if (I.getData().Kind == RPToBeFreedAfterFailure) 1330 state = state->set<RegionState>(ReallocSym, 1331 RefState::getAllocated(RS->getStmt())); 1332 else if (I.getData().Kind == RPDoNotTrackAfterFailure) 1333 state = state->remove<RegionState>(ReallocSym); 1334 else 1335 assert(I.getData().Kind == RPIsFreeOnFailure); 1336 } 1337 } 1338 state = state->remove<ReallocPairs>(I.getKey()); 1339 } 1340 1341 return state; 1342 } 1343 1344 // Check if the function is known to us. So, for example, we could 1345 // conservatively assume it can free/reallocate its pointer arguments. 1346 // (We assume that the pointers cannot escape through calls to system 1347 // functions not handled by this checker.) 1348 bool MallocChecker::doesNotFreeMemory(const CallEvent *Call, 1349 ProgramStateRef State) const { 1350 assert(Call); 1351 1352 // For now, assume that any C++ call can free memory. 1353 // TODO: If we want to be more optimistic here, we'll need to make sure that 1354 // regions escape to C++ containers. They seem to do that even now, but for 1355 // mysterious reasons. 1356 if (!(isa<FunctionCall>(Call) || isa<ObjCMethodCall>(Call))) 1357 return false; 1358 1359 // Check Objective-C messages by selector name. 1360 if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) { 1361 // If it's not a framework call, or if it takes a callback, assume it 1362 // can free memory. 1363 if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg()) 1364 return false; 1365 1366 Selector S = Msg->getSelector(); 1367 1368 // Whitelist the ObjC methods which do free memory. 1369 // - Anything containing 'freeWhenDone' param set to 1. 1370 // Ex: dataWithBytesNoCopy:length:freeWhenDone. 1371 for (unsigned i = 1; i < S.getNumArgs(); ++i) { 1372 if (S.getNameForSlot(i).equals("freeWhenDone")) { 1373 if (Call->getArgSVal(i).isConstant(1)) 1374 return false; 1375 else 1376 return true; 1377 } 1378 } 1379 1380 // If the first selector ends with NoCopy, assume that the ownership is 1381 // transferred as well. 1382 // Ex: [NSData dataWithBytesNoCopy:bytes length:10]; 1383 StringRef FirstSlot = S.getNameForSlot(0); 1384 if (FirstSlot.endswith("NoCopy")) 1385 return false; 1386 1387 // If the first selector starts with addPointer, insertPointer, 1388 // or replacePointer, assume we are dealing with NSPointerArray or similar. 1389 // This is similar to C++ containers (vector); we still might want to check 1390 // that the pointers get freed by following the container itself. 1391 if (FirstSlot.startswith("addPointer") || 1392 FirstSlot.startswith("insertPointer") || 1393 FirstSlot.startswith("replacePointer")) { 1394 return false; 1395 } 1396 1397 // Otherwise, assume that the method does not free memory. 1398 // Most framework methods do not free memory. 1399 return true; 1400 } 1401 1402 // At this point the only thing left to handle is straight function calls. 1403 const FunctionDecl *FD = cast<FunctionCall>(Call)->getDecl(); 1404 if (!FD) 1405 return false; 1406 1407 ASTContext &ASTC = State->getStateManager().getContext(); 1408 1409 // If it's one of the allocation functions we can reason about, we model 1410 // its behavior explicitly. 1411 if (isMemFunction(FD, ASTC)) 1412 return true; 1413 1414 // If it's not a system call, assume it frees memory. 1415 if (!Call->isInSystemHeader()) 1416 return false; 1417 1418 // White list the system functions whose arguments escape. 1419 const IdentifierInfo *II = FD->getIdentifier(); 1420 if (!II) 1421 return false; 1422 StringRef FName = II->getName(); 1423 1424 // White list the 'XXXNoCopy' CoreFoundation functions. 1425 // We specifically check these before 1426 if (FName.endswith("NoCopy")) { 1427 // Look for the deallocator argument. We know that the memory ownership 1428 // is not transferred only if the deallocator argument is 1429 // 'kCFAllocatorNull'. 1430 for (unsigned i = 1; i < Call->getNumArgs(); ++i) { 1431 const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts(); 1432 if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) { 1433 StringRef DeallocatorName = DE->getFoundDecl()->getName(); 1434 if (DeallocatorName == "kCFAllocatorNull") 1435 return true; 1436 } 1437 } 1438 return false; 1439 } 1440 1441 // Associating streams with malloced buffers. The pointer can escape if 1442 // 'closefn' is specified (and if that function does free memory), 1443 // but it will not if closefn is not specified. 1444 // Currently, we do not inspect the 'closefn' function (PR12101). 1445 if (FName == "funopen") 1446 if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0)) 1447 return true; 1448 1449 // Do not warn on pointers passed to 'setbuf' when used with std streams, 1450 // these leaks might be intentional when setting the buffer for stdio. 1451 // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer 1452 if (FName == "setbuf" || FName =="setbuffer" || 1453 FName == "setlinebuf" || FName == "setvbuf") { 1454 if (Call->getNumArgs() >= 1) { 1455 const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts(); 1456 if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE)) 1457 if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl())) 1458 if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos) 1459 return false; 1460 } 1461 } 1462 1463 // A bunch of other functions which either take ownership of a pointer or 1464 // wrap the result up in a struct or object, meaning it can be freed later. 1465 // (See RetainCountChecker.) Not all the parameters here are invalidated, 1466 // but the Malloc checker cannot differentiate between them. The right way 1467 // of doing this would be to implement a pointer escapes callback. 1468 if (FName == "CGBitmapContextCreate" || 1469 FName == "CGBitmapContextCreateWithData" || 1470 FName == "CVPixelBufferCreateWithBytes" || 1471 FName == "CVPixelBufferCreateWithPlanarBytes" || 1472 FName == "OSAtomicEnqueue") { 1473 return false; 1474 } 1475 1476 // Handle cases where we know a buffer's /address/ can escape. 1477 // Note that the above checks handle some special cases where we know that 1478 // even though the address escapes, it's still our responsibility to free the 1479 // buffer. 1480 if (Call->argumentsMayEscape()) 1481 return false; 1482 1483 // Otherwise, assume that the function does not free memory. 1484 // Most system calls do not free the memory. 1485 return true; 1486 } 1487 1488 // If the symbol we are tracking is invalidated, but not explicitly (ex: the &p 1489 // escapes, when we are tracking p), do not track the symbol as we cannot reason 1490 // about it anymore. 1491 ProgramStateRef 1492 MallocChecker::checkRegionChanges(ProgramStateRef State, 1493 const StoreManager::InvalidatedSymbols *invalidated, 1494 ArrayRef<const MemRegion *> ExplicitRegions, 1495 ArrayRef<const MemRegion *> Regions, 1496 const CallEvent *Call) const { 1497 if (!invalidated || invalidated->empty()) 1498 return State; 1499 llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols; 1500 1501 // If it's a call which might free or reallocate memory, we assume that all 1502 // regions (explicit and implicit) escaped. 1503 1504 // Otherwise, whitelist explicit pointers; we still can track them. 1505 if (!Call || doesNotFreeMemory(Call, State)) { 1506 for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(), 1507 E = ExplicitRegions.end(); I != E; ++I) { 1508 if (const SymbolicRegion *R = (*I)->StripCasts()->getAs<SymbolicRegion>()) 1509 WhitelistedSymbols.insert(R->getSymbol()); 1510 } 1511 } 1512 1513 for (StoreManager::InvalidatedSymbols::const_iterator I=invalidated->begin(), 1514 E = invalidated->end(); I!=E; ++I) { 1515 SymbolRef sym = *I; 1516 if (WhitelistedSymbols.count(sym)) 1517 continue; 1518 // The symbol escaped. Note, we assume that if the symbol is released, 1519 // passing it out will result in a use after free. We also keep tracking 1520 // relinquished symbols. 1521 if (const RefState *RS = State->get<RegionState>(sym)) { 1522 if (RS->isAllocated()) 1523 State = State->remove<RegionState>(sym); 1524 } 1525 } 1526 return State; 1527 } 1528 1529 static SymbolRef findFailedReallocSymbol(ProgramStateRef currState, 1530 ProgramStateRef prevState) { 1531 ReallocPairsTy currMap = currState->get<ReallocPairs>(); 1532 ReallocPairsTy prevMap = prevState->get<ReallocPairs>(); 1533 1534 for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end(); 1535 I != E; ++I) { 1536 SymbolRef sym = I.getKey(); 1537 if (!currMap.lookup(sym)) 1538 return sym; 1539 } 1540 1541 return NULL; 1542 } 1543 1544 PathDiagnosticPiece * 1545 MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N, 1546 const ExplodedNode *PrevN, 1547 BugReporterContext &BRC, 1548 BugReport &BR) { 1549 ProgramStateRef state = N->getState(); 1550 ProgramStateRef statePrev = PrevN->getState(); 1551 1552 const RefState *RS = state->get<RegionState>(Sym); 1553 const RefState *RSPrev = statePrev->get<RegionState>(Sym); 1554 if (!RS) 1555 return 0; 1556 1557 const Stmt *S = 0; 1558 const char *Msg = 0; 1559 StackHintGeneratorForSymbol *StackHint = 0; 1560 1561 // Retrieve the associated statement. 1562 ProgramPoint ProgLoc = N->getLocation(); 1563 if (StmtPoint *SP = dyn_cast<StmtPoint>(&ProgLoc)) 1564 S = SP->getStmt(); 1565 else if (CallExitEnd *Exit = dyn_cast<CallExitEnd>(&ProgLoc)) 1566 S = Exit->getCalleeContext()->getCallSite(); 1567 // If an assumption was made on a branch, it should be caught 1568 // here by looking at the state transition. 1569 else if (BlockEdge *Edge = dyn_cast<BlockEdge>(&ProgLoc)) { 1570 const CFGBlock *srcBlk = Edge->getSrc(); 1571 S = srcBlk->getTerminator(); 1572 } 1573 if (!S) 1574 return 0; 1575 1576 // FIXME: We will eventually need to handle non-statement-based events 1577 // (__attribute__((cleanup))). 1578 1579 // Find out if this is an interesting point and what is the kind. 1580 if (Mode == Normal) { 1581 if (isAllocated(RS, RSPrev, S)) { 1582 Msg = "Memory is allocated"; 1583 StackHint = new StackHintGeneratorForSymbol(Sym, 1584 "Returned allocated memory"); 1585 } else if (isReleased(RS, RSPrev, S)) { 1586 Msg = "Memory is released"; 1587 StackHint = new StackHintGeneratorForSymbol(Sym, 1588 "Returned released memory"); 1589 } else if (isRelinquished(RS, RSPrev, S)) { 1590 Msg = "Memory ownership is transfered"; 1591 StackHint = new StackHintGeneratorForSymbol(Sym, ""); 1592 } else if (isReallocFailedCheck(RS, RSPrev, S)) { 1593 Mode = ReallocationFailed; 1594 Msg = "Reallocation failed"; 1595 StackHint = new StackHintGeneratorForReallocationFailed(Sym, 1596 "Reallocation failed"); 1597 1598 if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) { 1599 // Is it possible to fail two reallocs WITHOUT testing in between? 1600 assert((!FailedReallocSymbol || FailedReallocSymbol == sym) && 1601 "We only support one failed realloc at a time."); 1602 BR.markInteresting(sym); 1603 FailedReallocSymbol = sym; 1604 } 1605 } 1606 1607 // We are in a special mode if a reallocation failed later in the path. 1608 } else if (Mode == ReallocationFailed) { 1609 assert(FailedReallocSymbol && "No symbol to look for."); 1610 1611 // Is this is the first appearance of the reallocated symbol? 1612 if (!statePrev->get<RegionState>(FailedReallocSymbol)) { 1613 // We're at the reallocation point. 1614 Msg = "Attempt to reallocate memory"; 1615 StackHint = new StackHintGeneratorForSymbol(Sym, 1616 "Returned reallocated memory"); 1617 FailedReallocSymbol = NULL; 1618 Mode = Normal; 1619 } 1620 } 1621 1622 if (!Msg) 1623 return 0; 1624 assert(StackHint); 1625 1626 // Generate the extra diagnostic. 1627 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 1628 N->getLocationContext()); 1629 return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint); 1630 } 1631 1632 void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State, 1633 const char *NL, const char *Sep) const { 1634 1635 RegionStateTy RS = State->get<RegionState>(); 1636 1637 if (!RS.isEmpty()) 1638 Out << "Has Malloc data" << NL; 1639 } 1640 1641 #define REGISTER_CHECKER(name) \ 1642 void ento::register##name(CheckerManager &mgr) {\ 1643 registerCStringCheckerBasic(mgr); \ 1644 mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\ 1645 } 1646 1647 REGISTER_CHECKER(MallocPessimistic) 1648 REGISTER_CHECKER(MallocOptimistic) 1649