1 //=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines malloc/free checker, which checks for potential memory
10 // leaks, double free, and use-after-free problems.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15 #include "InterCheckerAPI.h"
16 #include "clang/AST/Attr.h"
17 #include "clang/AST/ParentMap.h"
18 #include "clang/Basic/SourceManager.h"
19 #include "clang/Basic/TargetInfo.h"
20 #include "clang/Lex/Lexer.h"
21 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
22 #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
23 #include "clang/StaticAnalyzer/Core/Checker.h"
24 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
25 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
26 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
27 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
28 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
29 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
30 #include "llvm/ADT/STLExtras.h"
31 #include "llvm/ADT/SmallString.h"
32 #include "llvm/ADT/StringExtras.h"
33 #include "AllocationState.h"
34 #include <climits>
35 #include <utility>
36 
37 using namespace clang;
38 using namespace ento;
39 
40 namespace {
41 
42 // Used to check correspondence between allocators and deallocators.
// Which allocator/deallocator pair a tracked symbol belongs to. A symbol
// obtained from one family has to be released by that family's deallocator;
// a mismatch is what the MismatchedDeallocator check reports. Values are
// stored in a 29-bit field inside RefState, so keep them small.
enum AllocationFamily {
  AF_None = 0,        // not a tracked allocation (never stored in a RefState)
  AF_Malloc = 1,      // malloc/calloc/realloc/strdup/... released by free()
  AF_CXXNew = 2,      // operator new / operator delete
  AF_CXXNewArray = 3, // operator new[] / operator delete[]
  AF_IfNameIndex = 4, // if_nameindex() / if_freenameindex()
  AF_Alloca = 5,      // alloca()/_alloca(): stack memory, must never be freed
  AF_InnerBuffer = 6  // inner buffer tracked by the InnerPointer check; its
                      // release may carry no statement (see MallocBugVisitor)
};
52 
/// Per-symbol ownership state kept in the RegionState map: where a tracked
/// allocation currently is in its lifecycle, which statement put it there,
/// and which AllocationFamily is responsible for releasing it.
class RefState {
  // Lifecycle of one tracked allocation symbol.
  enum Kind {
    Allocated,           // memory is live and owned by the tracked symbol
    AllocatedOfSizeZero, // live, but the requested size was zero
    Released,            // memory has been freed / deleted
    Relinquished,        // ownership was handed off; must not be freed here
    Escaped              // we no longer observe every manipulation of the
                         // memory (e.g. it was passed to an opaque callee)
  };

  // Statement that moved the symbol into its current state. May be null
  // (MallocBugVisitor::isReleased tolerates that for AF_InnerBuffer).
  const Stmt *S;
  unsigned K : 3;       // Kind, packed into a bitfield.
  unsigned Family : 29; // AllocationFamily, packed into the rest of the word.

  RefState(Kind Knd, const Stmt *Stm, unsigned Fam)
      : S(Stm), K(Knd), Family(Fam) {
    // AF_None is never a legal family for a symbol that is being tracked.
    assert(Fam != AF_None);
  }

  Kind kind() const { return static_cast<Kind>(K); }

public:
  bool isAllocated() const { return kind() == Allocated; }
  bool isAllocatedOfSizeZero() const { return kind() == AllocatedOfSizeZero; }
  bool isReleased() const { return kind() == Released; }
  bool isRelinquished() const { return kind() == Relinquished; }
  bool isEscaped() const { return kind() == Escaped; }
  AllocationFamily getAllocationFamily() const {
    return static_cast<AllocationFamily>(Family);
  }
  const Stmt *getStmt() const { return S; }

  bool operator==(const RefState &Other) const {
    return kind() == Other.kind() && S == Other.S && Family == Other.Family;
  }

  // Factories: every transition into a state goes through one of these so
  // that the family is always carried along.
  static RefState getAllocated(unsigned family, const Stmt *s) {
    return RefState(Allocated, s, family);
  }
  // Derived from an existing state: keeps its statement and family.
  static RefState getAllocatedOfSizeZero(const RefState *RS) {
    return RefState(AllocatedOfSizeZero, RS->getStmt(),
                    RS->getAllocationFamily());
  }
  static RefState getReleased(unsigned family, const Stmt *s) {
    return RefState(Released, s, family);
  }
  static RefState getRelinquished(unsigned family, const Stmt *s) {
    return RefState(Relinquished, s, family);
  }
  // Derived from an existing state: keeps its statement and family.
  static RefState getEscaped(const RefState *RS) {
    return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
  }

  /// Folding-set profile; covers exactly the fields operator== compares.
  void Profile(llvm::FoldingSetNodeID &ID) const {
    ID.AddInteger(K);
    ID.AddPointer(S);
    ID.AddInteger(Family);
  }

  /// Print the state name (used by printState for debugging output).
  void dump(raw_ostream &OS) const {
    switch (kind()) {
    case Allocated:
      OS << "Allocated";
      break;
    case AllocatedOfSizeZero:
      OS << "AllocatedOfSizeZero";
      break;
    case Released:
      OS << "Released";
      break;
    case Relinquished:
      OS << "Relinquished";
      break;
    case Escaped:
      OS << "Escaped";
      break;
    }
  }

  LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
};
129 
// What has to happen to the buffer handed to a modelled realloc() if the
// call later turns out to have failed.
enum ReallocPairKind {
  // The original symbol is still owned and must still be freed.
  RPToBeFreedAfterFailure = 0,
  // The callee released the original symbol even though reallocation failed
  // (presumably the FreesMemOnFailure case of ReallocMemAux).
  RPIsFreeOnFailure = 1,
  // The original symbol needs no further tracking once the call has failed.
  RPDoNotTrackAfterFailure = 2
};
137 
138 /// \class ReallocPair
139 /// Stores information about the symbol being reallocated by a call to
140 /// 'realloc' to allow modeling failed reallocation later in the path.
/// \class ReallocPair
/// Records, for a symbol produced by a modelled 'realloc' call, which symbol
/// was handed to realloc and what must be done with it should the call be
/// found to have failed later on the path.
struct ReallocPair {
  /// The symbol that was passed to (and possibly released by) realloc.
  SymbolRef ReallocatedSym;
  /// How \c ReallocatedSym has to be treated on reallocation failure.
  ReallocPairKind Kind;

  ReallocPair(SymbolRef S, ReallocPairKind K)
      : ReallocatedSym(S), Kind(K) {}

  /// Folding-set profile; covers exactly the fields operator== compares.
  void Profile(llvm::FoldingSetNodeID &ID) const {
    ID.AddInteger(Kind);
    ID.AddPointer(ReallocatedSym);
  }

  bool operator==(const ReallocPair &Other) const {
    return Kind == Other.Kind && ReallocatedSym == Other.ReallocatedSym;
  }
};
157 
/// Result of getAllocationSite(): the exploded node at which the leaked
/// symbol was allocated, paired with the region it was bound to there.
using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>;
159 
/// Path-sensitive model of allocation ownership. One implementation backs
/// several user-visible checks (see CheckKind); which of them are enabled is
/// recorded in ChecksEnabled, and the bug types and check names below are
/// indexed by the same enum.
class MallocChecker : public Checker<check::DeadSymbols,
                                     check::PointerEscape,
                                     check::ConstPointerEscape,
                                     check::PreStmt<ReturnStmt>,
                                     check::EndFunction,
                                     check::PreCall,
                                     check::PostStmt<CallExpr>,
                                     check::PostStmt<CXXNewExpr>,
                                     check::NewAllocator,
                                     check::PreStmt<CXXDeleteExpr>,
                                     check::PostStmt<BlockExpr>,
                                     check::PostObjCMessage,
                                     check::Location,
                                     eval::Assume>
{
public:
  /// Every II_* identifier starts out null. initIdentifierInfo() populates
  /// them all together on first use and keys its "already done" check on
  /// II_malloc, so a new II_* member has to be added both here and there.
  MallocChecker()
      : II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr),
        II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),
        II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),
        II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr),
        II_kfree(nullptr), II_if_nameindex(nullptr),
        II_if_freenameindex(nullptr), II_wcsdup(nullptr),
        II_win_wcsdup(nullptr), II_g_malloc(nullptr), II_g_malloc0(nullptr),
        II_g_realloc(nullptr), II_g_try_malloc(nullptr),
        II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr),
        II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr),
        II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr),
        II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr),
        II_g_try_realloc_n(nullptr) {}

  /// The user-visible checks implemented by this class. Used as the index
  /// into ChecksEnabled, CheckNames and the per-check BT_* bug-type arrays.
  enum CheckKind {
    CK_MallocChecker,
    CK_NewDeleteChecker,
    CK_NewDeleteLeaksChecker,
    CK_MismatchedDeallocatorChecker,
    CK_InnerPointerChecker,
    CK_NumCheckKinds
  };

  /// Which side of a memory function a classification query asks about.
  enum class MemoryOperationKind {
    MOK_Allocate,
    MOK_Free,
    MOK_Any
  };

  /// In pessimistic mode, the checker assumes that it does not know which
  /// functions might free the memory. In optimistic mode, isCMemFunction()
  /// additionally trusts OwnershipAttr annotations (Takes/Holds/Returns) on
  /// the callee to decide whether it frees or returns owned memory.
  DefaultBool IsOptimistic;

  /// Per-CheckKind enable flags and registered check names (presumably set
  /// when the individual checks are registered, outside this class).
  DefaultBool ChecksEnabled[CK_NumCheckKinds];
  CheckName CheckNames[CK_NumCheckKinds];

  // Checker callbacks; each corresponds to an entry in the Checker<...> base
  // list above. Their bodies are defined outside this class.
  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
  void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
  void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
  void checkNewAllocator(const CXXNewExpr *NE, SVal Target,
                         CheckerContext &C) const;
  void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
  void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
  void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
  void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
  void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
  ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
                            bool Assumption) const;
  void checkLocation(SVal l, bool isLoad, const Stmt *S,
                     CheckerContext &C) const;

  // Both escape callbacks are thin wrappers around checkPointerEscapeAux,
  // differing only in the RefState predicate they pass.
  ProgramStateRef checkPointerEscape(ProgramStateRef State,
                                    const InvalidatedSymbols &Escaped,
                                    const CallEvent *Call,
                                    PointerEscapeKind Kind) const;
  ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
                                          const InvalidatedSymbols &Escaped,
                                          const CallEvent *Call,
                                          PointerEscapeKind Kind) const;

  /// Debug dump of the checker's per-state maps.
  void printState(raw_ostream &Out, ProgramStateRef State,
                  const char *NL, const char *Sep) const override;

private:
  // Bug types are created lazily (hence mutable). Those that can be
  // attributed to a particular sub-check are kept per CheckKind.
  mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
  mutable std::unique_ptr<BugType> BT_DoubleDelete;
  mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
  mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
  mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
  mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
  mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
  mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
  mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
  // Interned names of the functions modelled as allocators/deallocators:
  // C library, MSVC `_`-prefixed variants, kernel kmalloc/kfree,
  // if_nameindex and glib. Null until initIdentifierInfo() runs.
  mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free,
                         *II_realloc, *II_calloc, *II_valloc, *II_reallocf,
                         *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc,
                         *II_kfree, *II_if_nameindex, *II_if_freenameindex,
                         *II_wcsdup, *II_win_wcsdup, *II_g_malloc,
                         *II_g_malloc0, *II_g_realloc, *II_g_try_malloc,
                         *II_g_try_malloc0, *II_g_try_realloc, *II_g_free,
                         *II_g_memdup, *II_g_malloc_n, *II_g_malloc0_n,
                         *II_g_realloc_n, *II_g_try_malloc_n,
                         *II_g_try_malloc0_n, *II_g_try_realloc_n;
  // Value of the kernel allocator's zero-fill flag (M_ZERO / __GFP_ZERO)
  // once it has been resolved; presumably filled in by performKernelMalloc().
  mutable Optional<uint64_t> KernelZeroFlagVal;

  /// Intern the function names above. A no-op after the first call.
  void initIdentifierInfo(ASTContext &C) const;

  /// Determine family of a deallocation expression.
  AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const;

  /// Print names of allocators and deallocators.
  ///
  /// \returns true on success.
  bool printAllocDeallocName(raw_ostream &os, CheckerContext &C,
                             const Expr *E) const;

  /// Print expected name of an allocator based on the deallocator's
  /// family derived from the DeallocExpr.
  void printExpectedAllocName(raw_ostream &os, CheckerContext &C,
                              const Expr *DeallocExpr) const;
  /// Print expected name of a deallocator based on the allocator's
  /// family.
  void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const;

  ///@{
  /// Check if this is one of the functions which can allocate/reallocate memory
  /// pointed to by one of its arguments.
  /// isCMemFunction matches plain functions by name only (no namespace or
  /// linkage check) and, in optimistic mode, by OwnershipAttr for AF_Malloc.
  bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
  bool isCMemFunction(const FunctionDecl *FD,
                      ASTContext &C,
                      AllocationFamily Family,
                      MemoryOperationKind MemKind) const;
  /// True for operator new/new[]/delete/delete[] declared in a system header
  /// (or with no valid location at all); user overloads are not "standard".
  bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;
  ///@}

  /// Process C++ operator new()'s allocation, which is the part of C++
  /// new-expression that goes before the constructor.
  void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C,
                            SVal Target) const;

  /// Perform a zero-allocation check.
  /// The optional \p RetVal parameter specifies the newly allocated pointer
  /// value; if unspecified, the value of expression \p E is used.
  ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E,
                                        const unsigned AllocationSizeArg,
                                        ProgramStateRef State,
                                        Optional<SVal> RetVal = None) const;

  /// Model an allocation performed by a callee carrying an OwnershipAttr of
  /// kind Returns (\p Att).
  ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
                                       const CallExpr *CE,
                                       const OwnershipAttr* Att,
                                       ProgramStateRef State) const;
  /// Model an allocation returned by \p CE. \p SizeEx is the requested size,
  /// \p Init is presumably the initial contents of the new region (e.g. zero
  /// for calloc) and \p Family selects the deallocator that must release it.
  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
                                      const Expr *SizeEx, SVal Init,
                                      ProgramStateRef State,
                                      AllocationFamily Family = AF_Malloc);
  static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
                                      SVal SizeEx, SVal Init,
                                      ProgramStateRef State,
                                      AllocationFamily Family = AF_Malloc);

  /// Record the extent of the region allocated by a new-expression.
  static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE,
                                       ProgramStateRef State, SVal Target);

  // Check this malloc() call for special flags. At present that means M_ZERO
  // or __GFP_ZERO (in which case, treat it like calloc). Returns None when the
  // call is not a kernel-style malloc.
  llvm::Optional<ProgramStateRef>
  performKernelMalloc(const CallExpr *CE, CheckerContext &C,
                      const ProgramStateRef &State) const;

  /// Update the RefState to reflect the new memory allocation.
  /// The optional \p RetVal parameter specifies the newly allocated pointer
  /// value; if unspecified, the value of expression \p E is used.
  static ProgramStateRef
  MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
                       AllocationFamily Family = AF_Malloc,
                       Optional<SVal> RetVal = None);

  /// Model a release performed by a callee carrying an OwnershipAttr of kind
  /// Takes or Holds (\p Att).
  ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE,
                              const OwnershipAttr* Att,
                              ProgramStateRef State) const;
  /// Model the release of the pointer passed as argument \p Num of \p CE
  /// (or as \p Arg, in the second overload). \p Hold and
  /// \p ReturnsNullOnFailure are interpreted at the definition, which is
  /// outside this view; \p ReleasedAllocated reports whether a tracked,
  /// allocated symbol was actually released.
  ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
                             ProgramStateRef state, unsigned Num,
                             bool Hold,
                             bool &ReleasedAllocated,
                             bool ReturnsNullOnFailure = false) const;
  ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg,
                             const Expr *ParentExpr,
                             ProgramStateRef State,
                             bool Hold,
                             bool &ReleasedAllocated,
                             bool ReturnsNullOnFailure = false) const;

  /// Model realloc-style calls. \p FreesMemOnFailure says whether the old
  /// buffer is released even when reallocation fails; \p SuffixWithN selects
  /// the g_*_n variants (two size arguments).
  ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE,
                                bool FreesMemOnFailure,
                                ProgramStateRef State,
                                bool SuffixWithN = false) const;
  /// Symbolic product of a block count and a block size.
  static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
                                   const Expr *BlockBytes);
  /// Model calloc-style calls (zero-initialised allocation).
  static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,
                                   ProgramStateRef State);

  /// Check if the memory associated with this symbol was released.
  bool isReleased(SymbolRef Sym, CheckerContext &C) const;

  /// See if deallocation happens in a suspicious context. If so, escape the
  /// pointers that otherwise would have been deallocated and return true.
  bool suppressDeallocationsInSuspiciousContexts(const CallExpr *CE,
                                                 CheckerContext &C) const;

  /// Report a use of \p Sym at \p S if it was already released.
  bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;

  /// Report a dereference of a zero-size allocation.
  void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
                             const Stmt *S) const;

  /// Report a second delete of \p Sym.
  bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;

  /// Check if the function is known free memory, or if it is
  /// "interesting" and should be modeled explicitly.
  ///
  /// \param [out] EscapingSymbol A function might not free memory in general,
  ///   but could be known to free a particular symbol. In this case, false is
  ///   returned and the single escaping symbol is returned through the out
  ///   parameter.
  ///
  /// We assume that pointers do not escape through calls to system functions
  /// not handled by this checker.
  bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
                                   ProgramStateRef State,
                                   SymbolRef &EscapingSymbol) const;

  // Implementation of the checkPointerEscape callbacks. \p CheckRefState
  // decides which tracked states are affected by the escape.
  ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
                                  const InvalidatedSymbols &Escaped,
                                  const CallEvent *Call,
                                  PointerEscapeKind Kind,
                                  bool(*CheckRefState)(const RefState*)) const;

  // Implementation of the checkPreStmt and checkEndFunction callbacks.
  void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;

  ///@{
  /// Tells if a given family/call/symbol is tracked by the current checker.
  /// Sets CheckKind to the kind of the checker responsible for this
  /// family/call/symbol.
  Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
                                        bool IsALeakCheck = false) const;
  Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
                                        const Stmt *AllocDeallocStmt,
                                        bool IsALeakCheck = false) const;
  Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
                                        bool IsALeakCheck = false) const;
  ///@}
  // Helpers for describing the argument of a bad free in diagnostics.
  static bool SummarizeValue(raw_ostream &os, SVal V);
  static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
  // Diagnostic emitters, one per bug type above.
  void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
                     const Expr *DeallocExpr) const;
  void ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
                        SourceRange Range) const;
  void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
                               const Expr *DeallocExpr, const RefState *RS,
                               SymbolRef Sym, bool OwnershipTransferred) const;
  void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
                        const Expr *DeallocExpr,
                        const Expr *AllocExpr = nullptr) const;
  void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
                          SymbolRef Sym) const;
  void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
                        SymbolRef Sym, SymbolRef PrevSym) const;

  void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;

  void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range,
                              SymbolRef Sym) const;

  void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
                                 SourceRange Range, const Expr *FreeExpr) const;

  /// Find the location of the allocation for Sym on the path leading to the
  /// exploded node N.
  LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
                             CheckerContext &C) const;

  void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;

  /// The bug visitor which allows us to print extra diagnostics along the
  /// BugReport path. For example, showing the allocation site of the leaked
  /// region.
  class MallocBugVisitor final : public BugReporterVisitor {
  protected:
    enum NotificationMode {
      Normal,
      ReallocationFailed
    };

    // The allocated region symbol tracked by the main analysis.
    SymbolRef Sym;

    // The mode we are in, i.e. what kind of diagnostics will be emitted.
    NotificationMode Mode;

    // A symbol from when the primary region should have been reallocated.
    SymbolRef FailedReallocSymbol;

    // A C++ destructor stack frame in which memory was released. Used for
    // miscellaneous false positive suppression.
    const StackFrameContext *ReleaseDestructorLC;

    // Whether this visitor belongs to a leak report; controls getEndPath.
    bool IsLeak;

  public:
    MallocBugVisitor(SymbolRef S, bool isLeak = false)
        : Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
          ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}

    // Address-identity tag distinguishing this visitor class in Profile().
    static void *getTag() {
      static int Tag = 0;
      return &Tag;
    }

    // Note: only the tag and Sym take part in the profile; IsLeak and Mode do
    // not, so two visitors for the same symbol are considered equal.
    void Profile(llvm::FoldingSetNodeID &ID) const override {
      ID.AddPointer(getTag());
      ID.AddPointer(Sym);
    }

    // True when this node is where Sym became (size-zero-)allocated: the
    // statement is a call or new-expression and the previous state, if any,
    // was not an allocated one.
    inline bool isAllocated(const RefState *S, const RefState *SPrev,
                            const Stmt *Stmt) {
      // Did not track -> allocated. Other state (released) -> allocated.
      return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) &&
              (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
              (!SPrev || !(SPrev->isAllocated() ||
                           SPrev->isAllocatedOfSizeZero())));
    }

    // True when this node is where Sym became Released. The assert pins the
    // invariant that such a transition is only produced by a call or delete
    // statement, or by no statement at all for the AF_InnerBuffer family.
    inline bool isReleased(const RefState *S, const RefState *SPrev,
                           const Stmt *Stmt) {
      // Did not track -> released. Other state (allocated) -> released.
      // The statement associated with the release might be missing.
      bool IsReleased = (S && S->isReleased()) &&
                        (!SPrev || !SPrev->isReleased());
      assert(!IsReleased ||
             (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) ||
             (!Stmt && S->getAllocationFamily() == AF_InnerBuffer));
      return IsReleased;
    }

    // True when this node is where ownership of Sym was handed off, via a
    // call, an ObjC message or an ObjC property access.
    inline bool isRelinquished(const RefState *S, const RefState *SPrev,
                               const Stmt *Stmt) {
      // Did not track -> relinquished. Other state (allocated) -> relinquished.
      return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) ||
                                              isa<ObjCPropertyRefExpr>(Stmt)) &&
              (S && S->isRelinquished()) &&
              (!SPrev || !SPrev->isRelinquished()));
    }

    // True when a non-call node moved Sym from a non-allocated state back to
    // an allocated one, which is how a failed-realloc branch shows up.
    inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev,
                                     const Stmt *Stmt) {
      // If the expression is not a call, and the state change is
      // released -> allocated, it must be the realloc return value
      // check. If we have to handle more cases here, it might be cleaner just
      // to track this extra bit in the state itself.
      return (
          (!Stmt || !isa<CallExpr>(Stmt)) &&
          (S && (S->isAllocated() || S->isAllocatedOfSizeZero())) &&
          (SPrev && !(SPrev->isAllocated() || SPrev->isAllocatedOfSizeZero())));
    }

    PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                     BugReporterContext &BRC,
                                     BugReport &BR) override;

    // For leak reports, place the report's description at the end of the
    // path; for every other report the default end-of-path piece is kept.
    PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
                                      const ExplodedNode *EndPathNode,
                                      BugReport &BR) override {
      if (!IsLeak)
        return nullptr;

      PathDiagnosticLocation L =
        PathDiagnosticLocation::createEndOfPath(EndPathNode,
                                                BRC.getSourceManager());
      // Do not add the statement itself as a range in case of leak.
      return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(),
                                                         false);
    }

  private:
    // Stack-hint messages for a realloc that failed inside a callee.
    class StackHintGeneratorForReallocationFailed
        : public StackHintGeneratorForSymbol {
    public:
      StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
        : StackHintGeneratorForSymbol(S, M) {}

      std::string getMessageForArg(const Expr *ArgE,
                                   unsigned ArgIndex) override {
        // Printed parameters start at 1, not 0.
        ++ArgIndex;

        SmallString<200> buf;
        llvm::raw_svector_ostream os(buf);

        os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
           << " parameter failed";

        return os.str();
      }

      std::string getMessageForReturn(const CallExpr *CallExpr) override {
        return "Reallocation of returned value failed";
      }
    };
  };
};
570 } // end anonymous namespace
571 
// Per-path checker state attached to the ProgramState.
//
// RegionState: every tracked allocation symbol and its current RefState.
// StopTrackingCallback removes entries from here when a symbol should no
// longer be tracked.
REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
// ReallocPairs: symbols involved in a modelled realloc(), with what must
// happen to the original buffer if the call fails (presumably keyed by the
// symbol realloc returned).
REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
// Symbols that, judging by the name, came from a realloc with a zero size.
REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)

// A map from the freed symbol to the symbol representing the return value of
// the free function.
REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)
579 
580 namespace {
/// Symbol visitor that drops every visited symbol from RegionState, i.e.
/// stops tracking it. Accumulates the resulting state; fetch it with
/// getState() once the visit is over.
class StopTrackingCallback final : public SymbolVisitor {
  ProgramStateRef State;

public:
  StopTrackingCallback(ProgramStateRef Initial) : State(std::move(Initial)) {}

  /// The state after all visited symbols were removed from RegionState.
  ProgramStateRef getState() const { return State; }

  bool VisitSymbol(SymbolRef Sym) override {
    State = State->remove<RegionState>(Sym);
    return true; // keep visiting
  }
};
592 } // end anonymous namespace
593 
/// Intern every function name this checker matches against. All II_* members
/// are populated together, so II_malloc alone serves as the "already
/// initialised" sentinel.
void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
  if (II_malloc)
    return;

  auto Intern = [&Ctx](const char *Name) { return &Ctx.Idents.get(Name); };

  // C library and common Unix extensions.
  II_alloca = Intern("alloca");
  II_malloc = Intern("malloc");
  II_free = Intern("free");
  II_realloc = Intern("realloc");
  II_reallocf = Intern("reallocf");
  II_calloc = Intern("calloc");
  II_valloc = Intern("valloc");
  II_strdup = Intern("strdup");
  II_strndup = Intern("strndup");
  II_wcsdup = Intern("wcsdup");

  // Kernel allocator.
  II_kmalloc = Intern("kmalloc");
  II_kfree = Intern("kfree");

  // <net/if.h>
  II_if_nameindex = Intern("if_nameindex");
  II_if_freenameindex = Intern("if_freenameindex");

  // MSVC uses `_`-prefixed names instead, so we check for them too.
  II_win_strdup = Intern("_strdup");
  II_win_wcsdup = Intern("_wcsdup");
  II_win_alloca = Intern("_alloca");

  // Glib
  II_g_malloc = Intern("g_malloc");
  II_g_malloc0 = Intern("g_malloc0");
  II_g_realloc = Intern("g_realloc");
  II_g_try_malloc = Intern("g_try_malloc");
  II_g_try_malloc0 = Intern("g_try_malloc0");
  II_g_try_realloc = Intern("g_try_realloc");
  II_g_free = Intern("g_free");
  II_g_memdup = Intern("g_memdup");
  II_g_malloc_n = Intern("g_malloc_n");
  II_g_malloc0_n = Intern("g_malloc0_n");
  II_g_realloc_n = Intern("g_realloc_n");
  II_g_try_malloc_n = Intern("g_try_malloc_n");
  II_g_try_malloc0_n = Intern("g_try_malloc0_n");
  II_g_try_realloc_n = Intern("g_try_realloc_n");
}
633 
/// True if \p FD is any function this checker models as allocating or
/// releasing memory: a member of one of the C-style families (malloc,
/// if_nameindex, alloca) in either direction, or a standard operator
/// new/delete overload.
bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const {
  static const AllocationFamily CFamilies[] = {AF_Malloc, AF_IfNameIndex,
                                               AF_Alloca};
  for (AllocationFamily Family : CFamilies)
    if (isCMemFunction(FD, C, Family, MemoryOperationKind::MOK_Any))
      return true;

  return isStandardNewDelete(FD, C);
}
649 
/// Classify \p FD as an allocator and/or deallocator of \p Family.
///
/// Plain functions (Decl::Function, so never member functions) are matched
/// purely by identifier: the enclosing namespace and linkage are not checked,
/// so any free function that happens to be named e.g. `free` or `malloc` is
/// treated as the C library one. For AF_Malloc only, and only in optimistic
/// mode, OwnershipAttr annotations on the callee are honoured as well.
///
/// \param MemKind which direction to ask about; MOK_Any accepts either.
/// \returns true if \p FD is an allocator (resp. deallocator) of \p Family.
bool MallocChecker::isCMemFunction(const FunctionDecl *FD,
                                   ASTContext &C,
                                   AllocationFamily Family,
                                   MemoryOperationKind MemKind) const {
  if (!FD)
    return false;

  const bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any ||
                          MemKind == MemoryOperationKind::MOK_Free);
  const bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any ||
                           MemKind == MemoryOperationKind::MOK_Allocate);

  if (FD->getKind() == Decl::Function) {
    initIdentifierInfo(C);
    // Null for operator functions; the II_* pointers are never null after
    // initIdentifierInfo(), so a null name simply matches nothing.
    const IdentifierInfo *Name = FD->getIdentifier();

    switch (Family) {
    case AF_Malloc: {
      if (CheckFree) {
        const IdentifierInfo *const Deallocators[] = {
            II_free, II_realloc, II_reallocf, II_g_free, II_kfree};
        for (const IdentifierInfo *Candidate : Deallocators)
          if (Name == Candidate)
            return true;
      }
      if (CheckAlloc) {
        // realloc/reallocf appear on both lists: they release their argument
        // and return a (possibly new) allocation.
        const IdentifierInfo *const Allocators[] = {
            II_malloc,          II_realloc,        II_reallocf,
            II_calloc,          II_valloc,         II_strdup,
            II_win_strdup,      II_strndup,        II_wcsdup,
            II_win_wcsdup,      II_kmalloc,        II_g_malloc,
            II_g_malloc0,       II_g_realloc,      II_g_try_malloc,
            II_g_try_malloc0,   II_g_try_realloc,  II_g_memdup,
            II_g_malloc_n,      II_g_malloc0_n,    II_g_realloc_n,
            II_g_try_malloc_n,  II_g_try_malloc0_n, II_g_try_realloc_n};
        for (const IdentifierInfo *Candidate : Allocators)
          if (Name == Candidate)
            return true;
      }
      break;
    }
    case AF_IfNameIndex:
      if (CheckFree && Name == II_if_freenameindex)
        return true;
      if (CheckAlloc && Name == II_if_nameindex)
        return true;
      break;
    case AF_Alloca:
      // alloca only ever allocates; there is no matching deallocator.
      if (CheckAlloc && (Name == II_alloca || Name == II_win_alloca))
        return true;
      break;
    default:
      break;
    }
  }

  // Ownership attributes are consulted for the malloc family only, and only
  // when the user opted into optimistic mode.
  if (Family != AF_Malloc || !IsOptimistic || !FD->hasAttrs())
    return false;

  for (const auto *OA : FD->specific_attrs<OwnershipAttr>()) {
    const OwnershipAttr::OwnershipKind OwnKind = OA->getOwnKind();
    if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) {
      if (CheckFree)
        return true;
    } else if (OwnKind == OwnershipAttr::Returns) {
      if (CheckAlloc)
        return true;
    }
  }

  return false;
}
721 
// Tells if the callee is one of the builtin new/delete operators, including
// placement operators and other standard overloads.
//
// "Standard" means the declaration does not come from a user file: its
// location is in a system header, or it is invalid altogether. The latter
// happens when the header declaring operator delete was never included and
// the declaration is implicit; treating it as standard keeps us from crashing
// on it.
bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD,
                                        ASTContext &C) const {
  if (!FD)
    return false;

  switch (FD->getOverloadedOperator()) {
  case OO_New:
  case OO_Array_New:
  case OO_Delete:
  case OO_Array_Delete:
    break;
  default:
    // Not an allocation/deallocation operator at all.
    return false;
  }

  const SourceLocation DeclLoc = FD->getLocation();
  if (!DeclLoc.isValid())
    return true;
  return C.getSourceManager().isInSystemHeader(DeclLoc);
}
740 
llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc(
  const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const {
  // Models the kernel-flavoured allocators whose last argument is a flags
  // word that may request zeroed memory:
  //
  //   3-argument malloc(), as commonly used in {Free,Net,Open}BSD kernels:
  //     void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
  //   where the M_ZERO flag means 'give me back an allocation which is
  //   already zeroed', like calloc; and
  //
  //   2-argument kmalloc(), as used in the Linux kernel:
  //     void *kmalloc(size_t size, gfp_t flags);
  //   which has the similar flag value __GFP_ZERO.
  //
  // This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
  // code could be shared.
  //
  // Returns the post-allocation state when the zero flag is provably set (the
  // allocation is then modeled like calloc). Returns None whenever the caller
  // should fall back to ordinary malloc modeling: unknown target OS, too few
  // arguments, a non-integer flags value, an unknown masked value, or a flags
  // value that is not definitely zeroing.

  ASTContext &Ctx = C.getASTContext();

  // The flag's numeric value is target specific; resolve it once and cache it
  // in the (mutable) KernelZeroFlagVal member.
  if (!KernelZeroFlagVal.hasValue()) {
    switch (Ctx.getTargetInfo().getTriple().getOS()) {
    case llvm::Triple::FreeBSD:
      KernelZeroFlagVal = 0x0100;
      break;
    case llvm::Triple::NetBSD:
      KernelZeroFlagVal = 0x0002;
      break;
    case llvm::Triple::OpenBSD:
      KernelZeroFlagVal = 0x0008;
      break;
    case llvm::Triple::Linux:
      // __GFP_ZERO
      KernelZeroFlagVal = 0x8000;
      break;
    default:
      // FIXME: We need a more general way of getting the M_ZERO value.
      // See also: O_CREAT in UnixAPIChecker.cpp.
      //
      // Fall back to normal malloc behavior on platforms where we don't
      // know M_ZERO.
      return None;
    }
  }

  // We treat the last argument as the flags argument, and callers fall-back to
  // normal malloc on a None return. This works for the FreeBSD kernel malloc
  // as well as Linux kmalloc. With fewer than two arguments there is no flags
  // word at all.
  const unsigned NumArgs = CE->getNumArgs();
  if (NumArgs < 2)
    return None;

  const Expr *FlagsEx = CE->getArg(NumArgs - 1);
  const QualType FlagsTy = FlagsEx->getType();
  Optional<NonLoc> Flags = C.getSVal(FlagsEx).getAs<NonLoc>();
  if (!Flags) {
    // The case where the flags value can be a location can only be due to a
    // bad header, so in this case bail out.
    return None;
  }

  SValBuilder &SVB = C.getSValBuilder();
  NonLoc ZeroFlag =
      SVB.makeIntVal(KernelZeroFlagVal.getValue(), FlagsTy).castAs<NonLoc>();
  SVal Masked = SVB.evalBinOpNN(State, BO_And, *Flags, ZeroFlag, FlagsTy);
  if (Masked.isUnknownOrUndef())
    return None;

  // Split the state on whether (flags & ZERO) is non-zero.
  ProgramStateRef ZeroSetState, ZeroClearState;
  std::tie(ZeroSetState, ZeroClearState) =
      State->assume(Masked.castAs<DefinedSVal>());

  // Only when the flag is definitely set do we model the result as zeroed;
  // an ambiguous flags value is left to ordinary malloc modeling.
  if (!ZeroSetState || ZeroClearState)
    return None;

  // If M_ZERO is set, treat this like calloc (initialized).
  SVal ZeroVal = SVB.makeZeroVal(Ctx.CharTy);
  return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, ZeroSetState);
}
818 
SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
                                         const Expr *BlockBytes) {
  // Symbolically multiplies the two size operands of an n-ary allocator
  // (e.g. g_malloc_n(count, size)) in the target's size_t, producing the
  // value used as the extent of the allocated region.
  SValBuilder &SVB = C.getSValBuilder();
  const QualType SizeTy = SVB.getContext().getSizeType();
  const SVal BlocksVal = C.getSVal(Blocks);
  const SVal BlockBytesVal = C.getSVal(BlockBytes);
  return SVB.evalBinOp(C.getState(), BO_Mul, BlocksVal, BlockBytesVal, SizeTy);
}
829 
// Post-call modeling of the C-style allocation/deallocation API.
//
// Dispatches on the callee's identifier (after initIdentifierInfo()) to the
// matching helper: MallocMemAux()/CallocMem()/ReallocMemAux() for allocators,
// FreeMemAux() for deallocators, and MallocUpdateRefState() for the
// string-duplicating functions whose size is not an argument. Every allocator
// is followed by ProcessZeroAllocation() on its size argument(s). Direct calls
// to the standard operator new/delete *functions* are modeled here as well;
// new/delete *expressions* are handled by the CXXNewExpr/CXXDeleteExpr
// callbacks. Finally, ownership_* attributes on the callee are honoured when
// running optimistically or when the mismatched-deallocator check is enabled.
//
// Calls whose argument count is too small for the modeled signature return
// early without adding a transition (presumably leaving the engine's default
// transition in place).
void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
  // An inlined callee has already been analyzed body-by-body; do not model it
  // a second time here.
  if (C.wasInlined)
    return;

  const FunctionDecl *FD = C.getCalleeDecl(CE);
  if (!FD)
    return;

  ProgramStateRef State = C.getState();
  // Out-parameter of FreeMemAux(); its value is not consulted here.
  bool ReleasedAllocatedMemory = false;

  if (FD->getKind() == Decl::Function) {
    initIdentifierInfo(C.getASTContext());
    IdentifierInfo *FunI = FD->getIdentifier();

    if (FunI == II_malloc || FunI == II_g_malloc || FunI == II_g_try_malloc) {
      if (CE->getNumArgs() < 1)
        return;
      if (CE->getNumArgs() < 3) {
        // Ordinary malloc(size); contents are uninitialized.
        State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
        if (CE->getNumArgs() == 1)
          State = ProcessZeroAllocation(C, CE, 0, State);
      } else if (CE->getNumArgs() == 3) {
        // BSD kernel malloc(size, type, flags): the flags may request zeroed
        // memory, in which case performKernelMalloc() models it like calloc.
        llvm::Optional<ProgramStateRef> MaybeState =
          performKernelMalloc(CE, C, State);
        if (MaybeState.hasValue())
          State = MaybeState.getValue();
        else
          State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
      }
    } else if (FunI == II_kmalloc) {
      if (CE->getNumArgs() < 1)
        return;
      // Linux kmalloc(size, flags); same flags treatment as the BSD malloc.
      llvm::Optional<ProgramStateRef> MaybeState =
        performKernelMalloc(CE, C, State);
      if (MaybeState.hasValue())
        State = MaybeState.getValue();
      else
        State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
    } else if (FunI == II_valloc) {
      if (CE->getNumArgs() < 1)
        return;
      State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
      State = ProcessZeroAllocation(C, CE, 0, State);
    } else if (FunI == II_realloc || FunI == II_g_realloc ||
               FunI == II_g_try_realloc) {
      // No argument-count check here: ReallocMemAux() presumably validates
      // the call itself, and ProcessZeroAllocation() is a no-op on a null
      // state. The size is argument 1.
      State = ReallocMemAux(C, CE, false, State);
      State = ProcessZeroAllocation(C, CE, 1, State);
    } else if (FunI == II_reallocf) {
      // reallocf() frees the original block on failure (FreesMemOnFailure).
      State = ReallocMemAux(C, CE, true, State);
      State = ProcessZeroAllocation(C, CE, 1, State);
    } else if (FunI == II_calloc) {
      // Both the count and the element size may be zero.
      State = CallocMem(C, CE, State);
      State = ProcessZeroAllocation(C, CE, 0, State);
      State = ProcessZeroAllocation(C, CE, 1, State);
    } else if (FunI == II_free || FunI == II_g_free || FunI == II_kfree) {
      // Some call sites are skipped as likely false positives; see that
      // helper for the contexts it recognises.
      if (suppressDeallocationsInSuspiciousContexts(CE, C))
        return;

      State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
    } else if (FunI == II_strdup || FunI == II_win_strdup ||
               FunI == II_wcsdup || FunI == II_win_wcsdup) {
      // The allocation size is not an argument, so only the ownership state
      // is recorded (no extent).
      State = MallocUpdateRefState(C, CE, State);
    } else if (FunI == II_strndup) {
      State = MallocUpdateRefState(C, CE, State);
    } else if (FunI == II_alloca || FunI == II_win_alloca) {
      if (CE->getNumArgs() < 1)
        return;
      // Tracked under its own family so that free() on it is reported as a
      // mismatch rather than treated as a valid release.
      State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
                           AF_Alloca);
      State = ProcessZeroAllocation(C, CE, 0, State);
    } else if (isStandardNewDelete(FD, C.getASTContext())) {
      // Process direct calls to operator new/new[]/delete/delete[] functions
      // as distinct from new/new[]/delete/delete[] expressions that are
      // processed by the checkPostStmt callbacks for CXXNewExpr and
      // CXXDeleteExpr.
      OverloadedOperatorKind K = FD->getOverloadedOperator();
      if (K == OO_New) {
        State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
                             AF_CXXNew);
        State = ProcessZeroAllocation(C, CE, 0, State);
      }
      else if (K == OO_Array_New) {
        State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
                             AF_CXXNewArray);
        State = ProcessZeroAllocation(C, CE, 0, State);
      }
      else if (K == OO_Delete || K == OO_Array_Delete)
        State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
      else
        llvm_unreachable("not a new/delete operator");
    } else if (FunI == II_if_nameindex) {
      // Should we model this differently? We can allocate a fixed number of
      // elements with zeros in the last one.
      State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
                           AF_IfNameIndex);
    } else if (FunI == II_if_freenameindex) {
      State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
    } else if (FunI == II_g_malloc0 || FunI == II_g_try_malloc0) {
      if (CE->getNumArgs() < 1)
        return;
      // The g_malloc0 family returns zero-filled memory, like calloc.
      SValBuilder &svalBuilder = C.getSValBuilder();
      SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
      State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State);
      State = ProcessZeroAllocation(C, CE, 0, State);
    } else if (FunI == II_g_memdup) {
      if (CE->getNumArgs() < 2)
        return;
      // g_memdup(mem, byte_size): the size is the second argument.
      State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State);
      State = ProcessZeroAllocation(C, CE, 1, State);
    } else if (FunI == II_g_malloc_n || FunI == II_g_try_malloc_n ||
               FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
      if (CE->getNumArgs() < 2)
        return;
      // The "0" variants zero-fill; all variants allocate count * size bytes.
      SVal Init = UndefinedVal();
      if (FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) {
        SValBuilder &SB = C.getSValBuilder();
        Init = SB.makeZeroVal(SB.getContext().CharTy);
      }
      SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
      State = MallocMemAux(C, CE, TotalSize, Init, State);
      State = ProcessZeroAllocation(C, CE, 0, State);
      State = ProcessZeroAllocation(C, CE, 1, State);
    } else if (FunI == II_g_realloc_n || FunI == II_g_try_realloc_n) {
      if (CE->getNumArgs() < 3)
        return;
      // g_realloc_n(mem, count, size): the last flag asks ReallocMemAux() to
      // treat the size as a count * size product.
      State = ReallocMemAux(C, CE, false, State, true);
      State = ProcessZeroAllocation(C, CE, 1, State);
      State = ProcessZeroAllocation(C, CE, 2, State);
    }
  }

  if (IsOptimistic || ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
    // Check all the attributes, if there are any.
    // There can be multiple of these attributes.
    if (FD->hasAttrs())
      for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
        switch (I->getOwnKind()) {
        case OwnershipAttr::Returns:
          State = MallocMemReturnsAttr(C, CE, I, State);
          break;
        case OwnershipAttr::Takes:
        case OwnershipAttr::Holds:
          State = FreeMemAttr(C, CE, I, State);
          break;
        }
      }
  }
  C.addTransition(State);
}
980 
// Performs a 0-sized allocations check.
//
// If the size argument of an allocation call (or the element count of an
// array `new`) is provably zero, the allocated symbol is re-tagged so later
// accesses through it can be diagnosed; otherwise the returned state carries
// the assumption that the size is non-zero.
//
// E is either a CallExpr (AllocationSizeArg indexes its size argument) or a
// CXXNewExpr; anything else is unreachable. RetVal is the allocation's result
// value when the caller already has it (the `new` path); otherwise it is read
// from E. Returns nullptr when State is null, and State unchanged when the
// size is not a defined value, when E is a scalar `new`, when the result is
// not a symbol, or when the symbol is tracked but not in the Allocated state.
ProgramStateRef MallocChecker::ProcessZeroAllocation(
    CheckerContext &C, const Expr *E, const unsigned AllocationSizeArg,
    ProgramStateRef State, Optional<SVal> RetVal) const {
  if (!State)
    return nullptr;

  if (!RetVal)
    RetVal = C.getSVal(E);

  // Locate the expression that determines the allocation size.
  const Expr *SizeArg = nullptr;
  if (const auto *CE = dyn_cast<CallExpr>(E)) {
    SizeArg = CE->getArg(AllocationSizeArg);
  } else if (const auto *NE = dyn_cast<CXXNewExpr>(E)) {
    // A scalar `new` always allocates exactly one object; nothing to check.
    if (!NE->isArray())
      return State;
    SizeArg = *NE->getArraySize();
  } else {
    llvm_unreachable("not a CallExpr or CXXNewExpr");
  }
  assert(SizeArg);

  Optional<DefinedSVal> SizeVal = C.getSVal(SizeArg).getAs<DefinedSVal>();
  if (!SizeVal)
    return State;

  // Check if the allocation size is 0 by splitting the state on size == 0.
  SValBuilder &SVB = C.getSValBuilder();
  DefinedSVal Zero = SVB.makeZeroVal(SizeArg->getType()).castAs<DefinedSVal>();
  ProgramStateRef ZeroState, NonZeroState;
  std::tie(ZeroState, NonZeroState) =
      State->assume(SVB.evalEQ(State, *SizeVal, Zero));

  if (ZeroState && !NonZeroState) {
    // The size is definitely zero: record that on the returned symbol.
    SymbolRef Sym = RetVal->getAsLocSymbol();
    if (!Sym)
      return State;

    const RefState *RS = State->get<RegionState>(Sym);
    if (!RS) {
      // Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
      // 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
      // tracked. Add zero-reallocated Sym to the state to catch references
      // to zero-allocated memory.
      return ZeroState->add<ReallocSizeZeroSymbols>(Sym);
    }
    if (!RS->isAllocated())
      return State;
    return ZeroState->set<RegionState>(Sym,
                                       RefState::getAllocatedOfSizeZero(RS));
  }

  // Assume the value is non-zero going forward.
  assert(NonZeroState);
  return NonZeroState;
}
1046 
// Strips every level of indirection from T and returns the innermost pointee
// type; T itself is returned when it has no pointee at all.
static QualType getDeepPointeeType(QualType T) {
  QualType Innermost = T;
  for (QualType Next = T->getPointeeType(); !Next.isNull();
       Next = Next->getPointeeType())
    Innermost = Next;
  return Innermost;
}
1055 
// Decides whether an unused `new` expression should be treated as having
// escaped rather than leaked: true when it constructs a class type and the
// chosen constructor takes (possibly nested) pointer/reference to a class,
// i.e. the object may have registered itself somewhere.
static bool treatUnusedNewEscaped(const CXXNewExpr *NE) {
  const CXXConstructExpr *ConstructE = NE->getConstructExpr();
  if (!ConstructE)
    return false;

  // Only class objects can plausibly stash a pointer to themselves.
  if (!NE->getAllocatedType()->getAsCXXRecordDecl())
    return false;

  const CXXConstructorDecl *CtorD = ConstructE->getConstructor();

  // Iterate over the constructor parameters looking for one whose innermost
  // pointee is a class.
  for (const auto *CtorParam : CtorD->parameters()) {
    QualType Pointee = CtorParam->getType()->getPointeeType();
    if (Pointee.isNull())
      continue;
    if (getDeepPointeeType(Pointee)->getAsCXXRecordDecl())
      return true;
  }

  return false;
}
1082 
void MallocChecker::processNewAllocation(const CXXNewExpr *NE,
                                         CheckerContext &C,
                                         SVal Target) const {
  // Shared modeling of a `new` / `new[]` expression whose result is Target:
  // records the allocation, constrains the region's extent and runs the
  // zero-size check.

  // Only the standard (non user-defined) operator new family is modeled.
  if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext()))
    return;

  // An unused `new` whose constructor could have stashed the object is
  // treated as escaped rather than tracked (see treatUnusedNewEscaped()).
  const ParentMap &PM = C.getLocationContext()->getParentMap();
  const bool IsUnused = !PM.isConsumedExpr(NE);
  if (IsUnused && treatUnusedNewEscaped(NE))
    return;

  const AllocationFamily Family = NE->isArray() ? AF_CXXNewArray : AF_CXXNew;

  // The return value from operator new is bound to a specified initialization
  // value (if any) and we don't want to lose this value. So we call
  // MallocUpdateRefState() instead of MallocMemAux() which breaks the
  // existing binding.
  ProgramStateRef State =
      MallocUpdateRefState(C, NE, C.getState(), Family, Target);
  State = addExtentSize(C, NE, State, Target);
  State = ProcessZeroAllocation(C, NE, 0, State, Target);
  C.addTransition(State);
}
1104 
void MallocChecker::checkPostStmt(const CXXNewExpr *NE,
                                  CheckerContext &C) const {
  // When the allocator may be inlined this callback stays out of the way
  // (presumably checkNewAllocator() covers that configuration) so the
  // expression is not modeled twice.
  auto &Opts = C.getAnalysisManager().getAnalyzerOptions();
  if (Opts.MayInlineCXXAllocator)
    return;
  processNewAllocation(NE, C, C.getSVal(NE));
}
1110 
void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target,
                                      CheckerContext &C) const {
  // An inlined allocator has been analyzed through its own body; only model
  // the allocation here when it was not.
  if (C.wasInlined)
    return;
  processNewAllocation(NE, C, Target);
}
1116 
// Sets the extent value of the MemRegion allocated by
// new expression NE to its size in Bytes.
//
// For `new T[n]` the extent is n * sizeof(T) and is attached to the region
// holding the elements (casts stripped); for `new T` it is 1 * sizeof(T).
// No constraint is added when the element count is not a NonLoc value.
ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
                                             const CXXNewExpr *NE,
                                             ProgramStateRef State,
                                             SVal Target) {
  if (!State)
    return nullptr;

  SValBuilder &SVB = C.getSValBuilder();

  // NOTE(review): Target.getAsRegion() is dereferenced without a null check,
  // as in the original; callers are expected to pass a region-valued Target.
  SVal ElementCount;
  const SubRegion *Region = Target.getAsRegion()->castAs<SubRegion>();
  if (NE->isArray()) {
    ElementCount = C.getSVal(*NE->getArraySize());
    // Store the extent size for the (symbolic)region
    // containing the elements.
    Region = Region->StripCasts()->castAs<SubRegion>();
  } else {
    ElementCount = SVB.makeIntVal(1, true);
  }

  // Set the region's extent equal to the Size in Bytes.
  const CharUnits TypeSize =
      C.getASTContext().getTypeSizeInChars(NE->getAllocatedType());

  Optional<NonLoc> Count = ElementCount.getAs<NonLoc>();
  if (!Count)
    return State;

  // size in Bytes = ElementCount*TypeSize
  SVal SizeInBytes =
      SVB.evalBinOpNN(State, BO_Mul, *Count,
                      SVB.makeArrayIndex(TypeSize.getQuantity()),
                      SVB.getArrayIndexType());
  DefinedOrUnknownSVal Extent = Region->getExtent(SVB);
  DefinedOrUnknownSVal ExtentMatchesSize =
      SVB.evalEQ(State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>());
  return State->assume(ExtentMatchesSize, true);
}
1161 
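void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
                                 CheckerContext &C) const {
  // Models `delete p` / `delete[] p` as a release of p's allocation.

  // With the NewDelete checker disabled the operand is still checked for
  // use-after-free here (presumably because, when it is enabled, FreeMemAux()
  // itself reports a repeated delete).
  if (!ChecksEnabled[CK_NewDeleteChecker])
    if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
      checkUseAfterFree(Sym, C, DE->getArgument());

  // User-provided operator delete overloads are not modeled.
  if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext()))
    return;

  // Out-parameter of FreeMemAux(); initialized, as FreeMemAttr() does, so it
  // never holds an indeterminate value on an early-return path. Its value is
  // not consulted here.
  bool ReleasedAllocated = false;
  ProgramStateRef State = FreeMemAux(C, DE->getArgument(), DE, C.getState(),
                                     /*Hold=*/false, ReleasedAllocated);

  C.addTransition(State);
}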
1179 
static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
  // If the first selector piece is one of the names below, assume that the
  // object takes ownership of the memory, promising to eventually deallocate it
  // with free().
  // Ex:  [NSData dataWithBytesNoCopy:bytes length:10];
  // (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
  static const StringRef OwningSelectors[] = {"dataWithBytesNoCopy",
                                              "initWithBytesNoCopy",
                                              "initWithCharactersNoCopy"};
  const StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
  return llvm::is_contained(OwningSelectors, FirstSlot);
}
1191 
// Looks for a `freeWhenDone:` selector piece (slot 0 is never considered) and
// returns whether its argument is non-zero; None when the selector has no such
// piece.
static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) {
  // FIXME: We should not rely on fully-constrained symbols being folded.
  const Selector Sel = Call.getSelector();
  const unsigned NumArgs = Sel.getNumArgs();
  for (unsigned Slot = 1; Slot < NumArgs; ++Slot) {
    if (Sel.getNameForSlot(Slot) != "freeWhenDone")
      continue;
    return !Call.getArgSVal(Slot).isZeroConstant();
  }

  return None;
}
1202 
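void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
                                         CheckerContext &C) const {
  // Models the "...NoCopy" family of Objective-C messages: the receiver takes
  // ownership of the buffer passed as the first argument and promises to
  // free() it eventually, unless an explicit freeWhenDone: argument is false.
  // The buffer is therefore released here with Hold=true (the object holds
  // it) and a null result on failure.
  if (C.wasInlined)
    return;

  if (!isKnownDeallocObjCMethodName(Call))
    return;

  // An explicit freeWhenDone:NO means the buffer is not taken over.
  if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
    if (!*FreeWhenDone)
      return;

  // Out-parameter of FreeMemAux(); initialized, as FreeMemAttr() does, so it
  // never holds an indeterminate value on an early-return path. Its value is
  // not consulted here.
  bool ReleasedAllocatedMemory = false;
  ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0),
                                     Call.getOriginExpr(), C.getState(),
                                     /*Hold=*/true, ReleasedAllocatedMemory,
                                     /*ReturnsNullOnFailure=*/true);

  C.addTransition(State);
}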
1223 
ProgramStateRef
MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
                                    const OwnershipAttr *Att,
                                    ProgramStateRef State) const {
  // Models a call to a function carrying an ownership_returns attribute as an
  // allocation. Returns nullptr when State is null or the attribute's module
  // is not "malloc".
  if (!State)
    return nullptr;

  // Only the "malloc" ownership module is modeled.
  if (Att->getModule() != II_malloc)
    return nullptr;

  // If the attribute names a size parameter, that argument is the extent;
  // otherwise the allocation size is unknown.
  auto Args = Att->args();
  if (Args.begin() == Args.end())
    return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State);

  const unsigned SizeIdx = Args.begin()->getASTIndex();
  return MallocMemAux(C, CE, CE->getArg(SizeIdx), UndefinedVal(), State);
}
1241 
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
                                            const CallExpr *CE,
                                            const Expr *SizeEx, SVal Init,
                                            ProgramStateRef State,
                                            AllocationFamily Family) {
  // Convenience overload: evaluates the size expression in the current
  // context and delegates to the SVal-taking overload.
  if (!State)
    return nullptr;

  const SVal Size = C.getSVal(SizeEx);
  return MallocMemAux(C, CE, Size, Init, State, Family);
}
1252 
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
                                           const CallExpr *CE,
                                           SVal Size, SVal Init,
                                           ProgramStateRef State,
                                           AllocationFamily Family) {
  // Models the allocation performed by call CE: conjures a fresh heap symbol
  // for the return value, binds it to CE, default-initializes the pointed-to
  // region with Init, constrains the region's extent to Size (when Size is a
  // defined-or-unknown value) and finally marks the symbol Allocated for
  // Family via MallocUpdateRefState().
  //
  // Returns nullptr when State is null, when CE does not yield a pointer, or
  // when the conjured value is not backed by a SymbolicRegion.
  if (!State)
    return nullptr;

  // We expect the malloc functions to return a pointer.
  if (!Loc::isLocType(CE->getType()))
    return nullptr;

  // Bind the return value to the symbolic value from the heap region.
  // TODO: We could rewrite post visit to eval call; 'malloc' does not have
  // side effects other than what we model here.
  SValBuilder &SVB = C.getSValBuilder();
  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
  const DefinedSVal RetVal =
      SVB.getConjuredHeapSymbolVal(CE, LCtx, C.blockCount())
          .castAs<DefinedSVal>();
  State = State->BindExpr(CE, C.getLocationContext(), RetVal);

  // Fill the region with the initialization value.
  State = State->bindDefaultInitial(RetVal, Init, LCtx);

  // Set the region's extent equal to the Size parameter.
  const auto *R = dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
  if (!R)
    return nullptr;
  if (Optional<DefinedOrUnknownSVal> DefinedSize =
          Size.getAs<DefinedOrUnknownSVal>()) {
    DefinedOrUnknownSVal Extent = R->getExtent(SVB);
    DefinedOrUnknownSVal ExtentMatchesSize =
        SVB.evalEQ(State, Extent, *DefinedSize);
    // A fresh symbol has no prior extent constraint, so this must succeed.
    State = State->assume(ExtentMatchesSize, true);
    assert(State);
  }

  return MallocUpdateRefState(C, CE, State, Family);
}
1296 
ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
                                                    const Expr *E,
                                                    ProgramStateRef State,
                                                    AllocationFamily Family,
                                                    Optional<SVal> RetVal) {
  // Marks the symbol produced by allocation expression E as Allocated for
  // Family without disturbing any existing binding of that value (which is
  // why the `new` path uses this rather than MallocMemAux()).
  //
  // RetVal is the allocation's value when the caller already has it;
  // otherwise it is read from E in the current context. Returns nullptr when
  // State is null or the value is not a Loc.
  if (!State)
    return nullptr;

  // Get the return value.
  const SVal Ret = RetVal ? *RetVal : C.getSVal(E);

  // We expect the malloc functions to return a pointer.
  if (!Ret.getAs<Loc>())
    return nullptr;

  // This is a return value of a function that was not inlined, such as malloc()
  // or new(). We've checked that in the caller. Therefore, it must be a symbol.
  SymbolRef Sym = Ret.getAsLocSymbol();
  assert(Sym);

  // Set the symbol's state to Allocated.
  return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
}
1321 
ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
                                           const CallExpr *CE,
                                           const OwnershipAttr *Att,
                                           ProgramStateRef State) const {
  // Models a call to a function carrying an ownership_takes / ownership_holds
  // attribute as a release of every argument the attribute names. Arguments
  // that cannot be freed (a null result from FreeMemAux()) leave the state as
  // it was. Returns nullptr when State is null or the module is not "malloc".
  if (!State)
    return nullptr;

  // Only the "malloc" ownership module is modeled.
  if (Att->getModule() != II_malloc)
    return nullptr;

  // ownership_holds means the callee keeps the pointer rather than freeing it.
  const bool Hold = Att->getOwnKind() == OwnershipAttr::Holds;
  bool ReleasedAllocated = false;

  for (const auto &Arg : Att->args()) {
    if (ProgramStateRef Next = FreeMemAux(C, CE, State, Arg.getASTIndex(),
                                          Hold, ReleasedAllocated))
      State = Next;
  }
  return State;
}
1343 
ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
                                          const CallExpr *CE,
                                          ProgramStateRef State,
                                          unsigned Num,
                                          bool Hold,
                                          bool &ReleasedAllocated,
                                          bool ReturnsNullOnFailure) const {
  // Convenience overload: releases the Num-th argument of CE. Returns nullptr
  // when State is null or the call has no argument at that index.
  if (!State)
    return nullptr;
  if (CE->getNumArgs() < Num + 1)
    return nullptr;

  const Expr *ArgExpr = CE->getArg(Num);
  return FreeMemAux(C, ArgExpr, CE, State, Hold, ReleasedAllocated,
                    ReturnsNullOnFailure);
}
1360 
/// Checks if the previous call to free on the given symbol failed - if free
/// failed, returns true. Also, returns the corresponding return value symbol.
///
/// "Failed" means the return-value symbol recorded for the free call is
/// constrained to be null. When no return value is recorded for Sym the
/// result is false and RetStatusSymbol is left untouched.
static bool didPreviousFreeFail(ProgramStateRef State,
                                SymbolRef Sym, SymbolRef &RetStatusSymbol) {
  const SymbolRef *Recorded = State->get<FreeReturnValue>(Sym);
  if (!Recorded)
    return false;

  assert(*Recorded && "We should not store the null return symbol");
  RetStatusSymbol = *Recorded;
  ConstraintManager &CMgr = State->getConstraintManager();
  return CMgr.isNull(State, *Recorded).isConstrainedTrue();
}
1375 
AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C,
                                                    const Stmt *S) const {
  // Classifies the allocation/deallocation statement S into the family whose
  // allocator and deallocator must be paired. Calls are classified through
  // their callee (isCMemFunction()/isStandardNewDelete()); new/delete
  // expressions by their array-ness; Objective-C messages count as malloc.
  // Anything unrecognised, including a null S, is AF_None.
  if (!S)
    return AF_None;

  if (const auto *NE = dyn_cast<CXXNewExpr>(S))
    return NE->isArray() ? AF_CXXNewArray : AF_CXXNew;

  if (const auto *DE = dyn_cast<CXXDeleteExpr>(S))
    return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew;

  if (isa<ObjCMessageExpr>(S))
    return AF_Malloc;

  const auto *CE = dyn_cast<CallExpr>(S);
  if (!CE)
    return AF_None;

  // Prefer the callee resolved in the current path-sensitive state; fall
  // back to the syntactic callee.
  const FunctionDecl *FD = C.getCalleeDecl(CE);
  if (!FD)
    FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl());

  ASTContext &Ctx = C.getASTContext();
  const MemoryOperationKind Any = MemoryOperationKind::MOK_Any;

  if (isCMemFunction(FD, Ctx, AF_Malloc, Any))
    return AF_Malloc;

  if (isStandardNewDelete(FD, Ctx)) {
    switch (FD->getOverloadedOperator()) {
    case OO_New:
    case OO_Delete:
      return AF_CXXNew;
    case OO_Array_New:
    case OO_Array_Delete:
      return AF_CXXNewArray;
    default:
      // isStandardNewDelete() only accepts the four operators above.
      break;
    }
  }

  if (isCMemFunction(FD, Ctx, AF_IfNameIndex, Any))
    return AF_IfNameIndex;

  if (isCMemFunction(FD, Ctx, AF_Alloca, Any))
    return AF_Alloca;

  return AF_None;
}
1420 
bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C,
                                          const Expr *E) const {
  // Prints a human-readable name for the allocation/deallocation expression E
  // for use in diagnostics. Returns false when E is not one of the handled
  // expression kinds or the direct callee of a call cannot be determined.
  if (const auto *CE = dyn_cast<CallExpr>(E)) {
    // FIXME: This doesn't handle indirect calls.
    const FunctionDecl *FD = CE->getDirectCallee();
    if (!FD)
      return false;

    os << *FD;
    // Overloaded operators are already spelled as such; plain functions get
    // "()" appended.
    if (!FD->isOverloadedOperator())
      os << "()";
    return true;
  }

  if (const auto *Msg = dyn_cast<ObjCMessageExpr>(E)) {
    os << (Msg->isInstanceMessage() ? "-" : "+");
    Msg->getSelector().print(os);
    return true;
  }

  // new/delete expressions are printed by the operator they invoke.
  const FunctionDecl *OpDecl = nullptr;
  if (const auto *NE = dyn_cast<CXXNewExpr>(E))
    OpDecl = NE->getOperatorNew();
  else if (const auto *DE = dyn_cast<CXXDeleteExpr>(E))
    OpDecl = DE->getOperatorDelete();
  else
    return false;

  os << "'" << getOperatorSpelling(OpDecl->getOverloadedOperator()) << "'";
  return true;
}
1460 
void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C,
                                           const Expr *E) const {
  // Prints the name of the allocator associated with E's allocation family.
  // AF_Alloca and AF_None are never expected here.
  const char *Name = nullptr;
  switch (getAllocationFamily(C, E)) {
  case AF_Malloc:
    Name = "malloc()";
    break;
  case AF_CXXNew:
    Name = "'new'";
    break;
  case AF_CXXNewArray:
    Name = "'new[]'";
    break;
  case AF_IfNameIndex:
    Name = "'if_nameindex()'";
    break;
  case AF_InnerBuffer:
    Name = "container-specific allocator";
    break;
  case AF_Alloca:
  case AF_None:
    llvm_unreachable("not a deallocation expression");
  }
  os << Name;
}
1475 
void MallocChecker::printExpectedDeallocName(raw_ostream &os,
                                             AllocationFamily Family) const {
  // Prints the name of the deallocator that must be paired with Family.
  // AF_Alloca and AF_None are never expected here.
  const char *Name = nullptr;
  switch (Family) {
  case AF_Malloc:
    Name = "free()";
    break;
  case AF_CXXNew:
    Name = "'delete'";
    break;
  case AF_CXXNewArray:
    Name = "'delete[]'";
    break;
  case AF_IfNameIndex:
    Name = "'if_freenameindex()'";
    break;
  case AF_InnerBuffer:
    Name = "container-specific deallocator";
    break;
  case AF_Alloca:
  case AF_None:
    llvm_unreachable("suspicious argument");
  }
  os << Name;
}
1488 
/// Models a release of the pointer denoted by \p ArgExpr, performed by the
/// deallocation expression \p ParentExpr, on \p State.
///
/// Every misuse spotted on the way is reported and answered with nullptr:
/// values that are not heap regions (stack, globals, blocks, labels, plain
/// integers), alloca() memory, a double free, a deallocator that does not pair
/// with the allocator, an interior pointer, or a function pointer.
///
/// \param Hold When true the pointer is marked relinquished (ownership handed
///   over to the callee) instead of released.
/// \param ReleasedAllocated Set to true only when the symbol was in an
///   allocated state before this call. It is not written on the early-return
///   paths, so callers must initialise it themselves.
/// \param ReturnsNullOnFailure When true the call's return symbol is recorded
///   in FreeReturnValue so that a later free of the same pointer can be told
///   apart from a double free when this release failed.
/// \returns The updated state, or nullptr when nothing should be modeled on
///   this path (including after a bug report was emitted).
ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
                                          const Expr *ArgExpr,
                                          const Expr *ParentExpr,
                                          ProgramStateRef State,
                                          bool Hold,
                                          bool &ReleasedAllocated,
                                          bool ReturnsNullOnFailure) const {

  if (!State)
    return nullptr;

  SVal ArgVal = C.getSVal(ArgExpr);
  if (!ArgVal.getAs<DefinedOrUnknownSVal>())
    return nullptr;
  DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();

  // Check for null dereferences.
  if (!location.getAs<Loc>())
    return nullptr;

  // The explicit NULL case, no operation is performed.
  ProgramStateRef notNullState, nullState;
  std::tie(notNullState, nullState) = State->assume(location);
  if (nullState && !notNullState)
    return nullptr;

  // Unknown values could easily be okay
  // Undefined values are handled elsewhere
  if (ArgVal.isUnknownOrUndef())
    return nullptr;

  const MemRegion *R = ArgVal.getAsRegion();

  // Nonlocs can't be freed, of course.
  // Non-region locations (labels and fixed addresses) also shouldn't be freed.
  if (!R) {
    ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
    return nullptr;
  }

  R = R->StripCasts();

  // Blocks might show up as heap data, but should not be free()d
  if (isa<BlockDataRegion>(R)) {
    ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
    return nullptr;
  }

  const MemSpaceRegion *MS = R->getMemorySpace();

  // Parameters, locals, statics, globals, and memory returned by
  // __builtin_alloca() shouldn't be freed.
  if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {
    // FIXME: at the time this code was written, malloc() regions were
    // represented by conjured symbols, which are all in UnknownSpaceRegion.
    // This means that there isn't actually anything from HeapSpaceRegion
    // that should be freed, even though we allow it here.
    // Of course, free() can work on memory allocated outside the current
    // function, so UnknownSpaceRegion is always a possibility.
    // False negatives are better than false positives.

    if (isa<AllocaRegion>(R))
      ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
    else
      ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);

    return nullptr;
  }

  const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
  // Various cases could lead to non-symbol values here.
  // For now, ignore them.
  if (!SrBase)
    return nullptr;

  SymbolRef SymBase = SrBase->getSymbol();
  // RsBase is null when this symbol was never tracked by the checker; the
  // release is still modeled below, with the family taken from ParentExpr.
  const RefState *RsBase = State->get<RegionState>(SymBase);
  SymbolRef PreviousRetStatusSymbol = nullptr;

  if (RsBase) {

    // Memory returned by alloca() shouldn't be freed.
    if (RsBase->getAllocationFamily() == AF_Alloca) {
      ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
      return nullptr;
    }

    // Check for double free first.
    // A previous release that is known to have failed (see the
    // FreeReturnValue bookkeeping further down) is presumably not counted as
    // a double free.
    if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
        !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
      ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
                       SymBase, PreviousRetStatusSymbol);
      return nullptr;

    // If the pointer is allocated or escaped, but we are now trying to free it,
    // check that the call to free is proper.
    } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
               RsBase->isEscaped()) {

      // Check if an expected deallocation function matches the real one.
      bool DeallocMatchesAlloc =
        RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr);
      if (!DeallocMatchesAlloc) {
        ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
                                ParentExpr, RsBase, SymBase, Hold);
        return nullptr;
      }

      // Check if the memory location being freed is the actual location
      // allocated, or an offset.
      // Only a concrete, non-zero offset is reported; symbolic offsets are
      // given the benefit of the doubt.
      RegionOffset Offset = R->getAsOffset();
      if (Offset.isValid() &&
          !Offset.hasSymbolicOffset() &&
          Offset.getOffset() != 0) {
        const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
        ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
                         AllocExpr);
        return nullptr;
      }
    }
  }

  if (SymBase->getType()->isFunctionPointerType()) {
    ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
    return nullptr;
  }

  // Only now is the out-parameter written: every path above left it alone.
  ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() ||
                                              RsBase->isAllocatedOfSizeZero());

  // Clean out the info on previous call to free return info.
  State = State->remove<FreeReturnValue>(SymBase);

  // Keep track of the return value. If it is NULL, we will know that free
  // failed.
  if (ReturnsNullOnFailure) {
    SVal RetVal = C.getSVal(ParentExpr);
    SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
    if (RetStatusSymbol) {
      // The status symbol must outlive the freed symbol it describes.
      C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
      State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
    }
  }

  AllocationFamily Family = RsBase ? RsBase->getAllocationFamily()
                                   : getAllocationFamily(C, ParentExpr);
  // Normal free.
  if (Hold)
    return State->set<RegionState>(SymBase,
                                   RefState::getRelinquished(Family,
                                                             ParentExpr));

  return State->set<RegionState>(SymBase,
                                 RefState::getReleased(Family, ParentExpr));
}
1644 
Optional<MallocChecker::CheckKind>
MallocChecker::getCheckIfTracked(AllocationFamily Family,
                                 bool IsALeakCheck) const {
  // Maps an allocation family to the sub-checker that owns reports about it,
  // or None when that sub-checker is switched off. For new/delete the leak
  // reports belong to a separate sub-checker from the misuse reports.
  auto IfEnabled = [this](CheckKind K) -> Optional<CheckKind> {
    if (ChecksEnabled[K])
      return K;
    return None;
  };

  switch (Family) {
  case AF_Malloc:
  case AF_Alloca:
  case AF_IfNameIndex:
    return IfEnabled(CK_MallocChecker);
  case AF_CXXNew:
  case AF_CXXNewArray:
    return IfEnabled(IsALeakCheck ? CK_NewDeleteLeaksChecker
                                  : CK_NewDeleteChecker);
  case AF_InnerBuffer:
    return IfEnabled(CK_InnerPointerChecker);
  case AF_None:
    llvm_unreachable("no family");
  }
  llvm_unreachable("unhandled family");
}
1679 
Optional<MallocChecker::CheckKind>
MallocChecker::getCheckIfTracked(CheckerContext &C,
                                 const Stmt *AllocDeallocStmt,
                                 bool IsALeakCheck) const {
  // Resolve the statement to its allocation family, then defer to the
  // family-based overload.
  const AllocationFamily Family = getAllocationFamily(C, AllocDeallocStmt);
  return getCheckIfTracked(Family, IsALeakCheck);
}
1687 
Optional<MallocChecker::CheckKind>
MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
                                 bool IsALeakCheck) const {
  ProgramStateRef State = C.getState();

  // Symbols produced by realloc(p, 0) are answered before the RegionState
  // lookup: they always belong to the malloc checker.
  if (State->contains<ReallocSizeZeroSymbols>(Sym))
    return CK_MallocChecker;

  // Every other symbol handed to this overload is expected to be tracked.
  const RefState *RS = State->get<RegionState>(Sym);
  assert(RS);
  return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
}
1698 
bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
  // Describes a non-region value handed to a deallocator (an integer, a
  // fixed address or a label address). Returns false when V is none of those
  // and nothing was written.
  if (auto IntVal = V.getAs<nonloc::ConcreteInt>()) {
    os << "an integer (" << IntVal->getValue() << ")";
    return true;
  }
  if (auto ConstAddr = V.getAs<loc::ConcreteInt>()) {
    os << "a constant address (" << ConstAddr->getValue() << ")";
    return true;
  }
  if (auto Label = V.getAs<loc::GotoLabel>()) {
    os << "the address of the label '" << Label->getLabel()->getName() << "'";
    return true;
  }
  return false;
}
1711 
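/// Writes a short description of the region \p MR that was passed to a
/// deallocator (a function, a block, a local, a parameter, a static or a
/// global). Returns false, writing nothing, when the region is none of those.
bool MallocChecker::SummarizeRegion(raw_ostream &os,
                                    const MemRegion *MR) {
  // The stack/parameter/global cases all need the same lookup: the variable
  // declaration behind the region, or null when the region is not a variable.
  auto getVarDecl = [](const MemRegion *R) -> const VarDecl * {
    if (const VarRegion *VR = dyn_cast<VarRegion>(R))
      return VR->getDecl();
    return nullptr;
  };

  switch (MR->getKind()) {
  case MemRegion::FunctionCodeRegionKind: {
    const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
    if (FD)
      os << "the address of the function '" << *FD << '\'';
    else
      os << "the address of a function";
    return true;
  }
  case MemRegion::BlockCodeRegionKind:
    os << "block text";
    return true;
  case MemRegion::BlockDataRegionKind:
    // FIXME: where the block came from?
    os << "a block";
    return true;
  default: {
    // Everything else is classified by the memory space it lives in.
    const MemSpaceRegion *MS = MR->getMemorySpace();

    if (isa<StackLocalsSpaceRegion>(MS)) {
      if (const VarDecl *VD = getVarDecl(MR))
        os << "the address of the local variable '" << VD->getName() << "'";
      else
        os << "the address of a local stack variable";
      return true;
    }

    if (isa<StackArgumentsSpaceRegion>(MS)) {
      if (const VarDecl *VD = getVarDecl(MR))
        os << "the address of the parameter '" << VD->getName() << "'";
      else
        os << "the address of a parameter";
      return true;
    }

    if (isa<GlobalsSpaceRegion>(MS)) {
      if (const VarDecl *VD = getVarDecl(MR)) {
        // Function-local statics live in the globals space too; name them
        // separately so the diagnostic matches what the user wrote.
        if (VD->isStaticLocal())
          os << "the address of the static variable '" << VD->getName() << "'";
        else
          os << "the address of the global variable '" << VD->getName() << "'";
      } else
        os << "the address of a global variable";
      return true;
    }

    return false;
  }
  }
}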
1785 
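/// Reports that the value \p ArgVal passed to the deallocator \p DeallocExpr
/// was never produced by the matching allocator (stack or global addresses,
/// integers, labels, blocks, ...). \p Range is highlighted in the report.
void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
                                  SourceRange Range,
                                  const Expr *DeallocExpr) const {

  if (!ChecksEnabled[CK_MallocChecker] &&
      !ChecksEnabled[CK_NewDeleteChecker])
    return;

  Optional<MallocChecker::CheckKind> CheckKind =
      getCheckIfTracked(C, DeallocExpr);
  if (!CheckKind.hasValue())
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  // Bug types are created lazily, once per owning sub-checker.
  if (!BT_BadFree[*CheckKind])
    BT_BadFree[*CheckKind] = std::make_unique<BugType>(
        CheckNames[*CheckKind], "Bad free", categories::MemoryError);

  SmallString<100> buf;
  llvm::raw_svector_ostream os(buf);

  // Peel off element regions so the summary names the underlying object
  // rather than an index into it.
  const MemRegion *MR = ArgVal.getAsRegion();
  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
    MR = ER->getSuperRegion();

  os << "Argument to ";
  if (!printAllocDeallocName(os, C, DeallocExpr))
    os << "deallocator";

  os << " is ";
  bool Summarized = MR ? SummarizeRegion(os, MR)
                       : SummarizeValue(os, ArgVal);
  if (Summarized)
    os << ", which is not memory allocated by ";
  else
    os << "not memory allocated by ";

  printExpectedAllocName(os, C, DeallocExpr);

  auto R = std::make_unique<BugReport>(*BT_BadFree[*CheckKind], os.str(), N);
  R->markInteresting(MR);
  R->addRange(Range);
  C.emitReport(std::move(R));
}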
1831 
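/// Reports a deallocation of memory obtained from alloca(). The report is
/// attributed to the malloc checker when it is enabled, otherwise to the
/// mismatched-deallocator checker; with neither enabled nothing is emitted.
void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
                                     SourceRange Range) const {

  Optional<MallocChecker::CheckKind> CheckKind;

  if (ChecksEnabled[CK_MallocChecker])
    CheckKind = CK_MallocChecker;
  else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
    CheckKind = CK_MismatchedDeallocatorChecker;
  else
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  // Bug types are created lazily, once per owning sub-checker.
  if (!BT_FreeAlloca[*CheckKind])
    BT_FreeAlloca[*CheckKind] = std::make_unique<BugType>(
        CheckNames[*CheckKind], "Free alloca()", categories::MemoryError);

  auto R = std::make_unique<BugReport>(
      *BT_FreeAlloca[*CheckKind],
      "Memory allocated by alloca() should not be deallocated", N);
  R->markInteresting(ArgVal.getAsRegion());
  R->addRange(Range);
  C.emitReport(std::move(R));
}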
1857 
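/// Reports that \p DeallocExpr releases memory whose allocation (recorded in
/// \p RS) belongs to a different family, e.g. free() of a 'new' result.
///
/// \param OwnershipTransferred When true the deallocator is a function that
///   takes ownership rather than freeing, and the wording says so.
void MallocChecker::ReportMismatchedDealloc(CheckerContext &C,
                                            SourceRange Range,
                                            const Expr *DeallocExpr,
                                            const RefState *RS,
                                            SymbolRef Sym,
                                            bool OwnershipTransferred) const {

  if (!ChecksEnabled[CK_MismatchedDeallocatorChecker])
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  // The bug type is created lazily; this checker has a single one.
  if (!BT_MismatchedDealloc)
    BT_MismatchedDealloc = std::make_unique<BugType>(
        CheckNames[CK_MismatchedDeallocatorChecker], "Bad deallocator",
        categories::MemoryError);

  SmallString<100> buf;
  llvm::raw_svector_ostream os(buf);

  // The allocation statement is always an expression for a tracked symbol.
  const Expr *AllocExpr = cast<Expr>(RS->getStmt());
  SmallString<20> AllocBuf;
  llvm::raw_svector_ostream AllocOs(AllocBuf);
  SmallString<20> DeallocBuf;
  llvm::raw_svector_ostream DeallocOs(DeallocBuf);

  if (OwnershipTransferred) {
    if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
      os << DeallocOs.str() << " cannot";
    else
      os << "Cannot";

    os << " take ownership of memory";

    if (printAllocDeallocName(AllocOs, C, AllocExpr))
      os << " allocated by " << AllocOs.str();
  } else {
    os << "Memory";
    if (printAllocDeallocName(AllocOs, C, AllocExpr))
      os << " allocated by " << AllocOs.str();

    os << " should be deallocated by ";
    printExpectedDeallocName(os, RS->getAllocationFamily());

    if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
      os << ", not " << DeallocOs.str();
  }

  auto R = std::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N);
  R->markInteresting(Sym);
  R->addRange(Range);
  R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
  C.emitReport(std::move(R));
}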
1912 
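/// Reports a deallocation whose argument \p ArgVal points into, rather than
/// at the start of, the block allocated by \p AllocExpr. The caller has
/// already established a concrete, non-zero offset (asserted below).
void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
                                     SourceRange Range, const Expr *DeallocExpr,
                                     const Expr *AllocExpr) const {

  if (!ChecksEnabled[CK_MallocChecker] &&
      !ChecksEnabled[CK_NewDeleteChecker])
    return;

  Optional<MallocChecker::CheckKind> CheckKind =
      getCheckIfTracked(C, AllocExpr);
  if (!CheckKind.hasValue())
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  // Bug types are created lazily, once per owning sub-checker.
  if (!BT_OffsetFree[*CheckKind])
    BT_OffsetFree[*CheckKind] = std::make_unique<BugType>(
        CheckNames[*CheckKind], "Offset free", categories::MemoryError);

  SmallString<100> buf;
  llvm::raw_svector_ostream os(buf);
  SmallString<20> AllocNameBuf;
  llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);

  const MemRegion *MR = ArgVal.getAsRegion();
  assert(MR && "Only MemRegion based symbols can have offset free errors");

  RegionOffset Offset = MR->getAsOffset();
  assert((Offset.isValid() &&
          !Offset.hasSymbolicOffset() &&
          Offset.getOffset() != 0) &&
         "Only symbols with a valid offset can have offset free errors");

  // Divide in signed 64-bit arithmetic: a negative offset must not be pulled
  // into the unsigned type of getCharWidth(), and narrowing the result to int
  // would misreport offsets that do not fit in 32 bits.
  int64_t offsetBytes =
      Offset.getOffset() /
      static_cast<int64_t>(C.getASTContext().getCharWidth());
  const bool Plural = offsetBytes > 1 || offsetBytes < -1;

  os << "Argument to ";
  if (!printAllocDeallocName(os, C, DeallocExpr))
    os << "deallocator";
  os << " is offset by "
     << offsetBytes
     << " "
     << (Plural ? "bytes" : "byte")
     << " from the start of ";
  // AllocExpr is non-null on the only caller path seen here; the check is
  // kept as a guard for other callers.
  if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr))
    os << "memory allocated by " << AllocNameOs.str();
  else
    os << "allocated memory";

  auto R = std::make_unique<BugReport>(*BT_OffsetFree[*CheckKind], os.str(), N);
  R->markInteresting(MR->getBaseRegion());
  R->addRange(Range);
  C.emitReport(std::move(R));
}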
1969 
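/// Reports a use of \p Sym after it was released (or, for inner buffers,
/// after the owning container was re/deallocated).
void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range,
                                       SymbolRef Sym) const {

  if (!ChecksEnabled[CK_MallocChecker] &&
      !ChecksEnabled[CK_NewDeleteChecker] &&
      !ChecksEnabled[CK_InnerPointerChecker])
    return;

  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
  if (!CheckKind.hasValue())
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  // Bug types are created lazily, once per owning sub-checker.
  if (!BT_UseFree[*CheckKind])
    BT_UseFree[*CheckKind] = std::make_unique<BugType>(
        CheckNames[*CheckKind], "Use-after-free", categories::MemoryError);

  // NOTE(review): the RegionState entry is assumed to exist here;
  // getCheckIfTracked(C, Sym) asserts it except for realloc-size-zero
  // symbols, so callers are expected to only pass released symbols.
  AllocationFamily AF =
      C.getState()->get<RegionState>(Sym)->getAllocationFamily();

  auto R = std::make_unique<BugReport>(*BT_UseFree[*CheckKind],
      AF == AF_InnerBuffer
            ? "Inner pointer of container used after re/deallocation"
            : "Use of memory after it is freed",
      N);

  R->markInteresting(Sym);
  R->addRange(Range);
  R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));

  // Inner pointers get an extra visitor that explains the container event.
  if (AF == AF_InnerBuffer)
    R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym));

  C.emitReport(std::move(R));
}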
2006 
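/// Reports a second release of \p Sym.
///
/// \param Released True when the earlier operation was a release; false when
///   ownership had merely been relinquished, which changes the wording.
/// \param PrevSym Return-status symbol of the earlier free, if one was
///   recorded; marked interesting so the path shows it.
void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range,
                                     bool Released, SymbolRef Sym,
                                     SymbolRef PrevSym) const {

  if (!ChecksEnabled[CK_MallocChecker] &&
      !ChecksEnabled[CK_NewDeleteChecker])
    return;

  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
  if (!CheckKind.hasValue())
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  // Bug types are created lazily, once per owning sub-checker.
  if (!BT_DoubleFree[*CheckKind])
    BT_DoubleFree[*CheckKind] = std::make_unique<BugType>(
        CheckNames[*CheckKind], "Double free", categories::MemoryError);

  auto R = std::make_unique<BugReport>(
      *BT_DoubleFree[*CheckKind],
      (Released ? "Attempt to free released memory"
                : "Attempt to free non-owned memory"),
      N);
  R->addRange(Range);
  R->markInteresting(Sym);
  if (PrevSym)
    R->markInteresting(PrevSym);
  R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
  C.emitReport(std::move(R));
}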
2037 
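/// Reports a second 'delete' of \p Sym. The report is always attributed to
/// the new/delete checker; the tracked check kind is consulted only to
/// confirm the symbol is tracked.
void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const {

  if (!ChecksEnabled[CK_NewDeleteChecker])
    return;

  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
  if (!CheckKind.hasValue())
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  // The bug type is created lazily; this report has a single one.
  if (!BT_DoubleDelete)
    BT_DoubleDelete = std::make_unique<BugType>(
        CheckNames[CK_NewDeleteChecker], "Double delete",
        categories::MemoryError);

  auto R = std::make_unique<BugReport>(
      *BT_DoubleDelete, "Attempt to delete released memory", N);

  R->markInteresting(Sym);
  R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
  C.emitReport(std::move(R));
}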
2061 
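/// Reports a dereference of memory that was allocated with size zero.
/// \p Sym may be null, in which case no symbol is marked interesting and no
/// path visitor is attached.
void MallocChecker::ReportUseZeroAllocated(CheckerContext &C,
                                           SourceRange Range,
                                           SymbolRef Sym) const {

  if (!ChecksEnabled[CK_MallocChecker] &&
      !ChecksEnabled[CK_NewDeleteChecker])
    return;

  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);

  if (!CheckKind.hasValue())
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  // Bug types are created lazily, once per owning sub-checker. (The member
  // name keeps its historical spelling.)
  if (!BT_UseZerroAllocated[*CheckKind])
    BT_UseZerroAllocated[*CheckKind] = std::make_unique<BugType>(
        CheckNames[*CheckKind], "Use of zero allocated",
        categories::MemoryError);

  auto R = std::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind],
                                       "Use of zero-allocated memory", N);

  R->addRange(Range);
  if (Sym) {
    R->markInteresting(Sym);
    R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
  }
  C.emitReport(std::move(R));
}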
2092 
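/// Reports that the argument \p ArgVal of the deallocation \p FreeExpr is a
/// function pointer. Shares the "Bad free" bug type with ReportBadFree.
void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
                                              SourceRange Range,
                                              const Expr *FreeExpr) const {
  if (!ChecksEnabled[CK_MallocChecker])
    return;

  Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr);
  if (!CheckKind.hasValue())
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  // Bug types are created lazily, once per owning sub-checker.
  if (!BT_BadFree[*CheckKind])
    BT_BadFree[*CheckKind] = std::make_unique<BugType>(
        CheckNames[*CheckKind], "Bad free", categories::MemoryError);

  SmallString<100> Buf;
  llvm::raw_svector_ostream Os(Buf);

  // Peel off element regions so the interesting region is the underlying
  // object rather than an index into it.
  const MemRegion *MR = ArgVal.getAsRegion();
  while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
    MR = ER->getSuperRegion();

  Os << "Argument to ";
  if (!printAllocDeallocName(Os, C, FreeExpr))
    Os << "deallocator";

  Os << " is a function pointer";

  auto R = std::make_unique<BugReport>(*BT_BadFree[*CheckKind], Os.str(), N);
  R->markInteresting(MR);
  R->addRange(Range);
  C.emitReport(std::move(R));
}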
2127 
/// Models realloc(ptr, size), or reallocarray(ptr, n, size) when
/// \p SuffixWithN is set (the size is then n*size and three arguments are
/// required).
///
/// The special cases are taken only when they are definitely true on the
/// current path: a NULL ptr behaves like malloc(size), or is a no-op when the
/// size is also 0; a zero size frees ptr without constraining the result.
/// Otherwise ptr is released, a fresh allocation is produced, and the
/// (new symbol -> old symbol) pair is recorded in ReallocPairs so that a
/// failed reallocation can be processed later.
///
/// \param FreesOnFail The modeled function frees its input even when the
///   reallocation fails (recorded as RPIsFreeOnFailure).
/// \returns The new state, or nullptr when the call cannot be modeled.
ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C,
                                             const CallExpr *CE,
                                             bool FreesOnFail,
                                             ProgramStateRef State,
                                             bool SuffixWithN) const {
  if (!State)
    return nullptr;

  if (SuffixWithN && CE->getNumArgs() < 3)
    return nullptr;
  else if (CE->getNumArgs() < 2)
    return nullptr;

  const Expr *arg0Expr = CE->getArg(0);
  SVal Arg0Val = C.getSVal(arg0Expr);
  if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
    return nullptr;
  DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();

  SValBuilder &svalBuilder = C.getSValBuilder();

  DefinedOrUnknownSVal PtrEQ =
    svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());

  // Get the size argument.
  const Expr *Arg1 = CE->getArg(1);

  // Get the value of the size argument.
  SVal TotalSize = C.getSVal(Arg1);
  if (SuffixWithN)
    TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
  if (!TotalSize.getAs<DefinedOrUnknownSVal>())
    return nullptr;

  // Compare the size argument to 0.
  DefinedOrUnknownSVal SizeZero =
    svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
                       svalBuilder.makeIntValWithPtrWidth(0, false));

  ProgramStateRef StatePtrIsNull, StatePtrNotNull;
  std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
  ProgramStateRef StateSizeIsZero, StateSizeNotZero;
  std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
  // We only assume exceptional states if they are definitely true; if the
  // state is under-constrained, assume regular realloc behavior.
  bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
  bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;

  // If the ptr is NULL and the size is not 0, the call is equivalent to
  // malloc(size).
  if (PrtIsNull && !SizeIsZero) {
    ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize,
                                               UndefinedVal(), StatePtrIsNull);
    return stateMalloc;
  }

  // realloc(NULL, 0): nothing is allocated or freed.
  if (PrtIsNull && SizeIsZero)
    return State;

  // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
  assert(!PrtIsNull);
  SymbolRef FromPtr = arg0Val.getAsSymbol();
  SVal RetVal = C.getSVal(CE);
  SymbolRef ToPtr = RetVal.getAsSymbol();
  if (!FromPtr || !ToPtr)
    return nullptr;

  // Filled in by FreeMemAux; tells whether the input was in an allocated
  // state, which decides how a failed reallocation is tracked below.
  bool ReleasedAllocated = false;

  // If the size is 0, free the memory.
  // (The 0 passed to FreeMemAux is the index of the pointer argument.)
  if (SizeIsZero)
    if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0,
                                               false, ReleasedAllocated)){
      // The semantics of the return value are:
      // If size was equal to 0, either NULL or a pointer suitable to be passed
      // to free() is returned. We just free the input pointer and do not add
      // any constrains on the output pointer.
      return stateFree;
    }

  // Default behavior.
  if (ProgramStateRef stateFree =
        FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) {

    ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize,
                                                UnknownVal(), stateFree);
    if (!stateRealloc)
      return nullptr;

    // Pick how the old pointer is treated if the reallocation fails: freed by
    // the callee, to be freed by the caller, or not tracked at all when it
    // was not in an allocated state to begin with.
    ReallocPairKind Kind = RPToBeFreedAfterFailure;
    if (FreesOnFail)
      Kind = RPIsFreeOnFailure;
    else if (!ReleasedAllocated)
      Kind = RPDoNotTrackAfterFailure;

    // Record the info about the reallocated symbol so that we could properly
    // process failed reallocation.
    stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
                                                   ReallocPair(FromPtr, Kind));
    // The reallocated symbol should stay alive for as long as the new symbol.
    C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
    return stateRealloc;
  }
  return nullptr;
}
2233 
ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE,
                                         ProgramStateRef State) {
  // calloc(n, size): modeled as an allocation of n*size bytes whose contents
  // are initialised to zero. Returns nullptr when there is no state or the
  // call has fewer than two arguments.
  if (!State || CE->getNumArgs() < 2)
    return nullptr;

  SValBuilder &SVB = C.getSValBuilder();
  const SVal ZeroByte = SVB.makeZeroVal(SVB.getContext().CharTy);
  const SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));

  return MallocMemAux(C, CE, TotalSize, ZeroByte, State);
}
2248 
LeakInfo
MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
                                 CheckerContext &C) const {
  // Walks the exploded graph backwards from N, following the first
  // predecessor of each node, for as long as Sym is still tracked. The
  // result pairs the allocation node (the earliest node in the leaking
  // context or one of its parents where Sym was tracked) with the most
  // recent region the symbol was stored into, when one is found.
  const LocationContext *LeakContext = N->getLocationContext();
  const ExplodedNode *AllocNode = N;
  const MemRegion *ReferenceRegion = nullptr;

  for (const ExplodedNode *Cur = N; Cur;
       Cur = Cur->pred_empty() ? nullptr : *Cur->pred_begin()) {
    ProgramStateRef State = Cur->getState();
    if (!State->get<RegionState>(Sym))
      break;

    // Remember only the first (i.e. most recent) store of Sym we pass.
    if (!ReferenceRegion) {
      const MemRegion *MR = C.getLocationRegionIfPostStore(Cur);
      if (MR && State->getSVal(MR).getAsLocSymbol() == Sym) {
        const VarRegion *VR = MR->getBaseRegion()->getAs<VarRegion>();
        // Do not show local variables belonging to a function other than
        // where the error is reported.
        if (!VR || VR->getStackFrame() == LeakContext->getStackFrame())
          ReferenceRegion = MR;
      }
    }

    // Each node in the leaking context (or a parent of it) that still tracks
    // Sym pushes the allocation node further back.
    const LocationContext *CurContext = Cur->getLocationContext();
    if (CurContext == LeakContext || CurContext->isParentOf(LeakContext))
      AllocNode = Cur;
  }

  return LeakInfo(AllocNode, ReferenceRegion);
}
2290 
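/// Reports that \p Sym, which is still in an allocated state, is going out of
/// reach at node \p N without having been released. alloca() memory is never
/// reported. The report is uniqued by the allocation site rather than by the
/// location of the leak.
void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
                               CheckerContext &C) const {

  if (!ChecksEnabled[CK_MallocChecker] &&
      !ChecksEnabled[CK_NewDeleteLeaksChecker])
    return;

  const RefState *RS = C.getState()->get<RegionState>(Sym);
  assert(RS && "cannot leak an untracked symbol");
  AllocationFamily Family = RS->getAllocationFamily();

  if (Family == AF_Alloca)
    return;

  Optional<MallocChecker::CheckKind>
      CheckKind = getCheckIfTracked(Family, true);

  if (!CheckKind.hasValue())
    return;

  assert(N);
  if (!BT_Leak[*CheckKind]) {
    // Leaks should not be reported if they are post-dominated by a sink:
    // (1) Sinks are higher importance bugs.
    // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
    //     with __noreturn functions such as assert() or exit(). We choose not
    //     to report leaks on such paths.
    BT_Leak[*CheckKind] = std::make_unique<BugType>(
        CheckNames[*CheckKind], "Memory leak", categories::MemoryError,
        /*SuppressOnSink=*/true);
  }

  // Most bug reports are cached at the location where they occurred.
  // With leaks, we want to unique them by the location where they were
  // allocated, and only report a single path.
  PathDiagnosticLocation LocUsedForUniqueing;
  const ExplodedNode *AllocNode = nullptr;
  const MemRegion *Region = nullptr;
  std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);

  const Stmt *AllocationStmt = PathDiagnosticLocation::getStmt(AllocNode);
  if (AllocationStmt)
    LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
                                              C.getSourceManager(),
                                              AllocNode->getLocationContext());

  // Name the variable holding the pointer when the region can be printed.
  SmallString<200> buf;
  llvm::raw_svector_ostream os(buf);
  if (Region && Region->canPrintPretty()) {
    os << "Potential leak of memory pointed to by ";
    Region->printPretty(os);
  } else {
    os << "Potential memory leak";
  }

  auto R = std::make_unique<BugReport>(
      *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
      AllocNode->getLocationContext()->getDecl());
  R->markInteresting(Sym);
  R->addVisitor(std::make_unique<MallocBugVisitor>(Sym, true));
  C.emitReport(std::move(R));
}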
2353 
/// Drop dead symbols from the checker's maps and report the ones that were
/// still allocated when they died (those are leaks).
///
/// Only the RegionState map is consulted for leaks; the ReallocPairs and
/// FreeReturnValue maps are merely pruned of entries that refer to dead
/// symbols. When no tracked symbol died, the state is left untouched.
void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
                                     CheckerContext &C) const
{
  ProgramStateRef State = C.getState();
  const RegionStateTy OldRS = State->get<RegionState>();
  RegionStateTy::Factory &F = State->get_context<RegionState>();

  // Remove every dead symbol from the region map, remembering those that are
  // still allocated at the time of death.
  RegionStateTy NewRS = OldRS;
  SmallVector<SymbolRef, 2> Leaked;
  for (const auto &Entry : OldRS) {
    SymbolRef Sym = Entry.first;
    if (!SymReaper.isDead(Sym))
      continue;
    const RefState &RefS = Entry.second;
    if (RefS.isAllocated() || RefS.isAllocatedOfSizeZero())
      Leaked.push_back(Sym);
    NewRS = F.remove(NewRS, Sym);
  }

  if (NewRS == OldRS) {
    // We shouldn't have touched other maps yet.
    assert(State->get<ReallocPairs>() ==
           C.getState()->get<ReallocPairs>());
    assert(State->get<FreeReturnValue>() ==
           C.getState()->get<FreeReturnValue>());
    return;
  }

  // Cleanup the Realloc Pairs Map: an entry is dropped when either side of
  // the pair is dead.
  const ReallocPairsTy RP = State->get<ReallocPairs>();
  for (const auto &Entry : RP) {
    const bool PairIsDead = SymReaper.isDead(Entry.first) ||
                            SymReaper.isDead(Entry.second.ReallocatedSym);
    if (PairIsDead)
      State = State->remove<ReallocPairs>(Entry.first);
  }

  // Cleanup the FreeReturnValue Map in the same way.
  const FreeReturnValueTy FR = State->get<FreeReturnValue>();
  for (const auto &Entry : FR) {
    const bool PairIsDead =
        SymReaper.isDead(Entry.first) || SymReaper.isDead(Entry.second);
    if (PairIsDead)
      State = State->remove<FreeReturnValue>(Entry.first);
  }

  // Generate leak node.
  ExplodedNode *N = C.getPredecessor();
  if (!Leaked.empty()) {
    static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
    N = C.generateNonFatalErrorNode(C.getState(), &Tag);
    if (N) {
      for (SymbolRef Sym : Leaked)
        reportLeak(Sym, N, C);
    }
  }

  C.addTransition(State->set<RegionState>(NewRS), N);
}
2414 
/// Pre-call checks: double delete on destructor calls, use-after-free on the
/// implicit object of C++ instance calls, and use-after-free on pointer
/// arguments.
///
/// Calls to the C deallocation functions themselves are skipped here (when
/// the malloc checker is enabled); their double-free handling happens in the
/// post-call visit. The first reported problem ends the check.
void MallocChecker::checkPreCall(const CallEvent &Call,
                                 CheckerContext &C) const {
  if (const auto *DC = dyn_cast<CXXDestructorCall>(&Call)) {
    SymbolRef ThisSym = DC->getCXXThisVal().getAsSymbol();
    if (!ThisSym)
      return;
    if (checkDoubleDelete(ThisSym, C))
      return;
  }

  // We will check for double free in the post visit.
  if (const auto *FC = dyn_cast<AnyFunctionCall>(&Call)) {
    const FunctionDecl *FD = FC->getDecl();
    if (!FD)
      return;

    ASTContext &Ctx = C.getASTContext();
    const bool IsCFree =
        isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) ||
        isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Free);
    if (ChecksEnabled[CK_MallocChecker] && IsCFree)
      return;
  }

  // Check if the callee of a method is deleted.
  if (const auto *CC = dyn_cast<CXXInstanceCall>(&Call)) {
    SymbolRef ThisSym = CC->getCXXThisVal().getAsSymbol();
    if (!ThisSym)
      return;
    if (checkUseAfterFree(ThisSym, C, CC->getCXXThisExpr()))
      return;
  }

  // Check arguments for being used after free.
  for (unsigned Idx = 0, NumArgs = Call.getNumArgs(); Idx != NumArgs; ++Idx) {
    const SVal ArgVal = Call.getArgSVal(Idx);
    if (!ArgVal.getAs<Loc>())
      continue;
    SymbolRef ArgSym = ArgVal.getAsSymbol();
    if (ArgSym && checkUseAfterFree(ArgSym, C, Call.getArgExpr(Idx)))
      return;
  }
}
2457 
/// Pre-statement hook for return statements: delegates to
/// checkEscapeOnReturn(), which looks for returning freed memory.
void MallocChecker::checkPreStmt(const ReturnStmt *S,
                                 CheckerContext &C) const {
  return checkEscapeOnReturn(S, C);
}
2462 
/// End-of-function hook for the returned statement.
///
/// In the CFG, automatic destructors come after the return statement, so
/// memory freed by such a destructor is not visible to checkPreStmt(). This
/// callback runs the same return check once those destructors have executed.
void MallocChecker::checkEndFunction(const ReturnStmt *S,
                                     CheckerContext &C) const {
  return checkEscapeOnReturn(S, C);
}
2470 
/// Report a use-after-free when the value returned by \p S refers to freed
/// memory.
///
/// The returned value may be the tracked symbol itself, or a field / array
/// element whose base region is that symbol's symbolic region; in the latter
/// case the base symbol is what gets checked. A null statement or a return
/// without a value is ignored.
void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
                                        CheckerContext &C) const {
  if (!S)
    return;

  const Expr *RetExpr = S->getRetValue();
  if (!RetExpr)
    return;

  // Check if we are returning a symbol.
  const SVal RetVal = C.getSVal(RetExpr);
  SymbolRef Sym = RetVal.getAsSymbol();

  if (!Sym) {
    // If we are returning a field of the allocated struct or an array element,
    // the callee could still free the memory.
    // TODO: This logic should be a part of generic symbol escape callback.
    const MemRegion *MR = RetVal.getAsRegion();
    const bool IsSubRegionOfObject =
        MR && (isa<FieldRegion>(MR) || isa<ElementRegion>(MR));
    if (IsSubRegionOfObject) {
      if (const auto *BMR = dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
        Sym = BMR->getSymbol();
    }
  }

  // Check if we are returning freed memory.
  if (Sym)
    checkUseAfterFree(Sym, C, RetExpr);
}
2498 
// TODO: Blocks should be either inlined or should call invalidate regions
// upon invocation. After that's in place, special casing here will not be
// needed.
/// Stop tracking symbols reachable from the variables captured by block \p BE.
///
/// Captured variables whose region lives inside the block data region are
/// mapped back to the variable's region in the current location context
/// before the reachability scan. Blocks without captures are ignored.
void MallocChecker::checkPostStmt(const BlockExpr *BE,
                                  CheckerContext &C) const {
  // Only blocks that capture something can hold tracked pointers.
  if (!BE->getBlockDecl()->hasCaptures())
    return;

  const auto *BlockRegion =
      cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());

  auto VarIt = BlockRegion->referenced_vars_begin();
  const auto VarEnd = BlockRegion->referenced_vars_end();
  if (VarIt == VarEnd)
    return;

  const LocationContext *LC = C.getLocationContext();
  MemRegionManager &RegionMgr = C.getSValBuilder().getRegionManager();

  SmallVector<const MemRegion *, 10> Captured;
  for (; VarIt != VarEnd; ++VarIt) {
    const VarRegion *VR = VarIt.getCapturedRegion();
    // A variable region nested in the block region is replaced by the region
    // of the same declaration in the current frame.
    if (VR->getSuperRegion() == BlockRegion)
      VR = RegionMgr.getVarRegion(VR->getDecl(), LC);
    Captured.push_back(VR);
  }

  ProgramStateRef State = C.getState();
  State =
      State->scanReachableSymbols<StopTrackingCallback>(Captured).getState();
  C.addTransition(State);
}
2536 
/// Whether \p Sym is tracked and currently in the released state.
/// \p Sym must be non-null; an untracked symbol counts as not released.
bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const {
  assert(Sym);
  const RefState *RefS = C.getState()->get<RegionState>(Sym);
  if (!RefS)
    return false;
  return RefS->isReleased();
}
2542 
/// Suppress deallocation modeling for \p CE when the enclosing function's
/// signature text mentions "__isl_".
///
/// The Integer Set Library uses retain-count based allocation that this
/// checker does not model. When the current function's declaration text (from
/// the function's start to the start of its body) contains "__isl_", every
/// tracked argument of the call is marked as escaped and true is returned;
/// otherwise the state is untouched and false is returned. A call without
/// arguments is never suppressed.
bool MallocChecker::suppressDeallocationsInSuspiciousContexts(
    const CallExpr *CE, CheckerContext &C) const {
  if (CE->getNumArgs() == 0)
    return false;

  // Text of the enclosing function up to (and including) the opening of its
  // body; empty when it cannot be recovered.
  StringRef FunctionStr = "";
  const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl());
  const Stmt *Body = FD ? FD->getBody() : nullptr;
  if (Body && Body->getBeginLoc().isValid()) {
    const CharSourceRange Range = CharSourceRange::getTokenRange(
        {FD->getBeginLoc(), Body->getBeginLoc()});
    FunctionStr =
        Lexer::getSourceText(Range, C.getSourceManager(), C.getLangOpts());
  }

  // We do not model the Integer Set Library's retain-count based allocation.
  if (!FunctionStr.contains("__isl_"))
    return false;

  ProgramStateRef State = C.getState();
  for (const Expr *Arg : CE->arguments()) {
    SymbolRef ArgSym = C.getSVal(Arg).getAsSymbol();
    if (!ArgSym)
      continue;
    const RefState *RS = State->get<RegionState>(ArgSym);
    if (RS)
      State = State->set<RegionState>(ArgSym, RefState::getEscaped(RS));
  }

  C.addTransition(State);
  return true;
}
2571 
/// Report a use-after-free if \p Sym has already been released.
/// \return true when a report was emitted (the caller should stop), false
///         otherwise. \p S supplies the source range for the report.
bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
                                      const Stmt *S) const {
  if (!isReleased(Sym, C))
    return false;

  ReportUseAfterFree(C, S->getSourceRange(), Sym);
  return true;
}
2582 
/// Report a use of zero-size allocated memory.
///
/// A tracked symbol in the "allocated of size zero" state is reported at its
/// allocation statement; a symbol recorded in ReallocSizeZeroSymbols (and not
/// tracked in RegionState) is reported at the using statement \p S.
void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
                                          const Stmt *S) const {
  assert(Sym);
  ProgramStateRef State = C.getState();

  if (const RefState *RS = State->get<RegionState>(Sym)) {
    if (RS->isAllocatedOfSizeZero())
      ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym);
    return;
  }

  if (State->contains<ReallocSizeZeroSymbols>(Sym))
    ReportUseZeroAllocated(C, S->getSourceRange(), Sym);
}
2595 
/// Report a double delete if \p Sym has already been released.
/// \return true when a report was emitted, false otherwise.
bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
  if (!isReleased(Sym, C))
    return false;

  ReportDoubleDelete(C, Sym);
  return true;
}
2604 
/// Location hook: check whether the accessed location \p l lies in a freed or
/// zero-size allocated symbolic region. Locations with no base symbol are
/// ignored. \p isLoad is not consulted.
void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
                                  CheckerContext &C) const {
  SymbolRef BaseSym = l.getLocSymbolInBase();
  if (!BaseSym)
    return;

  checkUseAfterFree(BaseSym, C, S);
  checkUseZeroAllocated(BaseSym, C, S);
}
2614 
/// Assumption hook: once a tracked pointer is constrained to be NULL, treat
/// the allocation as failed on this path.
///
/// Symbols constrained to NULL are dropped from RegionState. For a realloc
/// pair whose result is constrained to NULL, the original pointer is restored
/// according to the pair's kind (re-allocated, untracked, or left as is) and
/// the pair is removed. \p Cond and \p Assumption are not inspected; the
/// decision is made from the constraint manager's view of \p state.
ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
                                              SVal Cond,
                                              bool Assumption) const {
  ConstraintManager &CMgr = state->getConstraintManager();

  // If the symbol is assumed to be NULL, remove it from consideration.
  const RegionStateTy RS = state->get<RegionState>();
  for (const auto &Entry : RS) {
    const ConditionTruthVal AllocFailed = CMgr.isNull(state, Entry.first);
    if (AllocFailed.isConstrainedTrue())
      state = state->remove<RegionState>(Entry.first);
  }

  // Realloc returns 0 when reallocation fails, which means that we should
  // restore the state of the pointer being reallocated.
  const ReallocPairsTy RP = state->get<ReallocPairs>();
  for (const auto &Entry : RP) {
    SymbolRef ResultSym = Entry.first;
    const ConditionTruthVal AllocFailed = CMgr.isNull(state, ResultSym);
    if (!AllocFailed.isConstrainedTrue())
      continue;

    const auto &Pair = Entry.second;
    SymbolRef ReallocSym = Pair.ReallocatedSym;
    const RefState *OrigRS = state->get<RegionState>(ReallocSym);
    if (OrigRS && OrigRS->isReleased()) {
      switch (Pair.Kind) {
      case RPToBeFreedAfterFailure:
        state = state->set<RegionState>(
            ReallocSym, RefState::getAllocated(OrigRS->getAllocationFamily(),
                                               OrigRS->getStmt()));
        break;
      case RPDoNotTrackAfterFailure:
        state = state->remove<RegionState>(ReallocSym);
        break;
      default:
        assert(Pair.Kind == RPIsFreeOnFailure);
        break;
      }
    }
    state = state->remove<ReallocPairs>(ResultSym);
  }

  return state;
}
2656 
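/// Decide whether pointers escaping into \p Call must be assumed freed.
///
/// \param Call the call being examined; must be non-null.
/// \param State the program state at the call.
/// \param EscapingSymbol out-parameter, reset to null on entry. For an
///        Objective-C 'init' message it is set to the receiver's symbol, so
///        that only the receiver is considered to escape.
/// \return true if the call may free the escaped memory (tracking of the
///         arguments stops), false if the call is known not to free them or
///         is modeled explicitly by this checker (tracking continues).
bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
                                              const CallEvent *Call,
                                              ProgramStateRef State,
                                              SymbolRef &EscapingSymbol) const {
  assert(Call);
  EscapingSymbol = nullptr;

  // For now, assume that any C++ or block call can free memory.
  // TODO: If we want to be more optimistic here, we'll need to make sure that
  // regions escape to C++ containers. They seem to do that even now, but for
  // mysterious reasons.
  if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call)))
    return true;

  // Check Objective-C messages by selector name.
  if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
    // If it's not a framework call, or if it takes a callback, assume it
    // can free memory.
    if (!Call->isInSystemHeader() || Call->argumentsMayEscape())
      return true;

    // If it's a method we know about, handle it explicitly post-call.
    // This should happen before the "freeWhenDone" check below.
    if (isKnownDeallocObjCMethodName(*Msg))
      return false;

    // If there's a "freeWhenDone" parameter, but the method isn't one we know
    // about, we can't be sure that the object will use free() to deallocate the
    // memory, so we can't model it explicitly. The best we can do is use it to
    // decide whether the pointer escapes.
    if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
      return *FreeWhenDone;

    // If the first selector piece ends with "NoCopy", and there is no
    // "freeWhenDone" parameter set to zero, we know ownership is being
    // transferred. Again, though, we can't be sure that the object will use
    // free() to deallocate the memory, so we can't model it explicitly.
    StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
    if (FirstSlot.endswith("NoCopy"))
      return true;

    // If the first selector starts with addPointer, insertPointer,
    // or replacePointer, assume we are dealing with NSPointerArray or similar.
    // This is similar to C++ containers (vector); we still might want to check
    // that the pointers get freed by following the container itself.
    if (FirstSlot.startswith("addPointer") ||
        FirstSlot.startswith("insertPointer") ||
        FirstSlot.startswith("replacePointer") ||
        FirstSlot.equals("valueWithPointer")) {
      return true;
    }

    // We should escape receiver on call to 'init'. This is especially relevant
    // to the receiver, as the corresponding symbol is usually not referenced
    // after the call.
    if (Msg->getMethodFamily() == OMF_init) {
      EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
      return true;
    }

    // Otherwise, assume that the method does not free memory.
    // Most framework methods do not free memory.
    return false;
  }

  // At this point the only thing left to handle is straight function calls.
  const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
  if (!FD)
    return true;

  ASTContext &ASTC = State->getStateManager().getContext();

  // If it's one of the allocation functions we can reason about, we model
  // its behavior explicitly.
  if (isMemFunction(FD, ASTC))
    return false;

  // If it's not a system call, assume it frees memory.
  if (!Call->isInSystemHeader())
    return true;

  // White list the system functions whose arguments escape.
  const IdentifierInfo *II = FD->getIdentifier();
  if (!II)
    return true;
  StringRef FName = II->getName();

  // White list the 'XXXNoCopy' CoreFoundation functions.
  // We specifically check these before the generic argumentsMayEscape()
  // test at the end, because the deallocator argument decides ownership.
  if (FName.endswith("NoCopy")) {
    // Look for the deallocator argument. We know that the memory ownership
    // is not transferred only if the deallocator argument is
    // 'kCFAllocatorNull'.
    for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
      const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
      if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
        StringRef DeallocatorName = DE->getFoundDecl()->getName();
        if (DeallocatorName == "kCFAllocatorNull")
          return false;
      }
    }
    return true;
  }

  // Associating streams with malloced buffers. The pointer can escape if
  // 'closefn' is specified (and if that function does free memory),
  // but it will not if closefn is not specified.
  // Currently, we do not inspect the 'closefn' function (PR12101).
  // 'closefn' is the fifth argument (index 4), so the call must carry at
  // least five arguments before that argument is read.
  if (FName == "funopen")
    if (Call->getNumArgs() >= 5 && Call->getArgSVal(4).isConstant(0))
      return false;

  // Do not warn on pointers passed to 'setbuf' when used with std streams,
  // these leaks might be intentional when setting the buffer for stdio.
  // http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
  if (FName == "setbuf" || FName == "setbuffer" ||
      FName == "setlinebuf" || FName == "setvbuf") {
    if (Call->getNumArgs() >= 1) {
      const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
      if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
        if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
          if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos)
            return true;
    }
  }

  // A bunch of other functions which either take ownership of a pointer or
  // wrap the result up in a struct or object, meaning it can be freed later.
  // (See RetainCountChecker.) Not all the parameters here are invalidated,
  // but the Malloc checker cannot differentiate between them. The right way
  // of doing this would be to implement a pointer escapes callback.
  if (FName == "CGBitmapContextCreate" ||
      FName == "CGBitmapContextCreateWithData" ||
      FName == "CVPixelBufferCreateWithBytes" ||
      FName == "CVPixelBufferCreateWithPlanarBytes" ||
      FName == "OSAtomicEnqueue") {
    return true;
  }

  // Qt hands the pointer over to the event loop / connection machinery.
  if (FName == "postEvent" &&
      FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
    return true;
  }

  if (FName == "connectImpl" &&
      FD->getQualifiedNameAsString() == "QObject::connectImpl") {
    return true;
  }

  // Handle cases where we know a buffer's /address/ can escape.
  // Note that the above checks handle some special cases where we know that
  // even though the address escapes, it's still our responsibility to free the
  // buffer.
  if (Call->argumentsMayEscape())
    return true;

  // Otherwise, assume that the function does not free memory.
  // Most system calls do not free the memory.
  return false;
}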
2822 
/// Escape predicate that accepts every ref state (used by checkPointerEscape).
static bool retTrue(const RefState * /*RS*/) { return true; }
2826 
/// Escape predicate accepting only C++ 'new' / 'new[]' allocations (used by
/// checkConstPointerEscape).
static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
  switch (RS->getAllocationFamily()) {
  case AF_CXXNew:
  case AF_CXXNewArray:
    return true;
  default:
    return false;
  }
}
2831 
/// Pointer-escape hook: every tracked allocation among \p Escaped may be
/// marked as escaped, regardless of its allocation family.
ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
                                             const InvalidatedSymbols &Escaped,
                                             const CallEvent *Call,
                                             PointerEscapeKind Kind) const {
  bool (*AcceptAll)(const RefState *) = &retTrue;
  return checkPointerEscapeAux(State, Escaped, Call, Kind, AcceptAll);
}
2838 
/// Const pointer-escape hook: only C++ 'new' / 'new[]' allocations among
/// \p Escaped are marked as escaped; other families keep being tracked.
ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
                                              const InvalidatedSymbols &Escaped,
                                              const CallEvent *Call,
                                              PointerEscapeKind Kind) const {
  bool (*OnlyCXXNew)(const RefState *) = &checkIfNewOrNewArrayFamily;
  return checkPointerEscapeAux(State, Escaped, Call, Kind, OnlyCXXNew);
}
2846 
/// Shared implementation of the pointer-escape hooks.
///
/// For a direct escape on a call that is known not to free memory (and that
/// names no specific escaping symbol), tracking continues unchanged. Otherwise
/// every escaped symbol that is allocated (or allocated of size zero) and
/// accepted by \p CheckRefState is moved to the escaped state. When the call
/// reports a single escaping symbol, only that symbol is considered.
ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State,
                                              const InvalidatedSymbols &Escaped,
                                              const CallEvent *Call,
                                              PointerEscapeKind Kind,
                                  bool(*CheckRefState)(const RefState*)) const {
  // If we know that the call does not free memory, or we want to process the
  // call later, keep tracking the top level arguments.
  SymbolRef EscapingSymbol = nullptr;
  if (Kind == PSK_DirectEscapeOnCall) {
    const bool MayFree = mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
        Call, State, EscapingSymbol);
    if (!MayFree && !EscapingSymbol)
      return State;
  }

  for (SymbolRef Sym : Escaped) {
    // Restrict the scan to the one symbol the call singled out, if any.
    if (EscapingSymbol && EscapingSymbol != Sym)
      continue;

    const RefState *RS = State->get<RegionState>(Sym);
    if (!RS)
      continue;

    const bool IsLive = RS->isAllocated() || RS->isAllocatedOfSizeZero();
    if (IsLive && CheckRefState(RS))
      State = State->set<RegionState>(Sym, RefState::getEscaped(RS));
  }
  return State;
}
2879 
/// Return the first realloc-result symbol present in \p prevState's
/// ReallocPairs map but absent from \p currState's, or null if none.
static SymbolRef findFailedReallocSymbol(ProgramStateRef currState,
                                         ProgramStateRef prevState) {
  const ReallocPairsTy CurrMap = currState->get<ReallocPairs>();
  const ReallocPairsTy PrevMap = prevState->get<ReallocPairs>();

  for (const auto &Entry : PrevMap) {
    SymbolRef Sym = Entry.first;
    const bool StillTracked = CurrMap.lookup(Sym) != nullptr;
    if (!StillTracked)
      return Sym;
  }

  return nullptr;
}
2894 
/// Heuristic: does the class of destructor \p DD look like a reference-counted
/// smart pointer? True when the class name contains "ptr" or "pointer" and one
/// of "ref", "cnt", "intrusive" or "shared" (case-insensitive).
static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) {
  const IdentifierInfo *II = DD->getParent()->getIdentifier();
  if (!II)
    return false;

  const StringRef Name = II->getName();
  const bool LooksLikePointer =
      Name.contains_lower("ptr") || Name.contains_lower("pointer");
  if (!LooksLikePointer)
    return false;

  const bool LooksRefCounted =
      Name.contains_lower("ref") || Name.contains_lower("cnt") ||
      Name.contains_lower("intrusive") || Name.contains_lower("shared");
  return LooksRefCounted;
}
2907 
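/// Produce the path note for node \p N describing what happened to the
/// visited symbol there (allocation, release, ownership transfer, failed or
/// attempted reallocation), or null when nothing of interest happened.
///
/// Side effects: may invalidate \p BR when the release looks like it belongs
/// to a reference-counting smart pointer destructor (either by class name, or
/// by an atomic fetch_add/fetch_sub observed in the destructor that released
/// the pointer); switches the visitor into ReallocationFailed mode when a
/// realloc failure is detected and back to Normal at the reallocation point.
///
/// \p S may be null for AF_InnerBuffer symbols; every use of it below is
/// guarded accordingly.
PathDiagnosticPieceRef MallocChecker::MallocBugVisitor::VisitNode(
    const ExplodedNode *N, BugReporterContext &BRC, BugReport &BR) {

  ProgramStateRef state = N->getState();
  ProgramStateRef statePrev = N->getFirstPred()->getState();

  const RefState *RS = state->get<RegionState>(Sym);
  const RefState *RSPrev = statePrev->get<RegionState>(Sym);

  const Stmt *S = PathDiagnosticLocation::getStmt(N);
  // When dealing with containers, we sometimes want to give a note
  // even if the statement is missing.
  if (!S && (!RS || RS->getAllocationFamily() != AF_InnerBuffer))
    return nullptr;

  const LocationContext *CurrentLC = N->getLocationContext();

  // If we find an atomic fetch_add or fetch_sub within the destructor in which
  // the pointer was released (before the release), this is likely a destructor
  // of a shared pointer.
  // Because we don't model atomics, and also because we don't know that the
  // original reference count is positive, we should not report use-after-frees
  // on objects deleted in such destructors. This can probably be improved
  // through better shared pointer modeling.
  if (ReleaseDestructorLC) {
    // S can still be null here (inner-buffer case above), so use the
    // null-tolerant cast.
    if (const auto *AE = dyn_cast_or_null<AtomicExpr>(S)) {
      AtomicExpr::AtomicOp Op = AE->getOp();
      if (Op == AtomicExpr::AO__c11_atomic_fetch_add ||
          Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
        if (ReleaseDestructorLC == CurrentLC ||
            ReleaseDestructorLC->isParentOf(CurrentLC)) {
          BR.markInvalid(getTag(), S);
        }
      }
    }
  }

  // FIXME: We will eventually need to handle non-statement-based events
  // (__attribute__((cleanup))).

  // Find out if this is an interesting point and what is the kind.
  StringRef Msg;
  // Ownership of StackHint is handed to the PathDiagnosticEventPiece below.
  StackHintGeneratorForSymbol *StackHint = nullptr;
  SmallString<256> Buf;
  llvm::raw_svector_ostream OS(Buf);

  if (Mode == Normal) {
    if (isAllocated(RS, RSPrev, S)) {
      Msg = "Memory is allocated";
      StackHint = new StackHintGeneratorForSymbol(Sym,
                                                  "Returned allocated memory");
    } else if (isReleased(RS, RSPrev, S)) {
      const auto Family = RS->getAllocationFamily();
      switch (Family) {
        case AF_Alloca:
        case AF_Malloc:
        case AF_CXXNew:
        case AF_CXXNewArray:
        case AF_IfNameIndex:
          Msg = "Memory is released";
          StackHint = new StackHintGeneratorForSymbol(Sym,
                                              "Returning; memory was released");
          break;
        case AF_InnerBuffer: {
          const MemRegion *ObjRegion =
              allocation_state::getContainerObjRegion(statePrev, Sym);
          const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
          QualType ObjTy = TypedRegion->getValueType();
          OS << "Inner buffer of '" << ObjTy.getAsString() << "' ";

          if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
            OS << "deallocated by call to destructor";
            StackHint = new StackHintGeneratorForSymbol(Sym,
                                      "Returning; inner buffer was deallocated");
          } else {
            OS << "reallocated by call to '";
            // The statement recorded at release time, which is the call that
            // reallocated the buffer (distinct from the node's statement S).
            const Stmt *ReleaseStmt = RS->getStmt();
            if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(ReleaseStmt)) {
              OS << MemCallE->getMethodDecl()->getNameAsString();
            } else if (const auto *OpCallE =
                           dyn_cast<CXXOperatorCallExpr>(ReleaseStmt)) {
              OS << OpCallE->getDirectCallee()->getNameAsString();
            } else if (const auto *CallE = dyn_cast<CallExpr>(ReleaseStmt)) {
              auto &CEMgr = BRC.getStateManager().getCallEventManager();
              CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC);
              const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl());
              OS << (D ? D->getNameAsString() : "unknown");
            }
            OS << "'";
            StackHint = new StackHintGeneratorForSymbol(Sym,
                                      "Returning; inner buffer was reallocated");
          }
          Msg = OS.str();
          break;
        }
        case AF_None:
          llvm_unreachable("Unhandled allocation family!");
      }

      // See if we're releasing memory while inlining a destructor
      // (or one of its callees). This turns on various common
      // false positive suppressions.
      bool FoundAnyDestructor = false;
      for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
        if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
          if (isReferenceCountingPointerDestructor(DD)) {
            // This immediately looks like a reference-counting destructor.
            // We're bad at guessing the original reference count of the object,
            // so suppress the report for now.
            BR.markInvalid(getTag(), DD);
          } else if (!FoundAnyDestructor) {
            assert(!ReleaseDestructorLC &&
                   "There can be only one release point!");
            // Suspect that it's a reference counting pointer destructor.
            // On one of the next nodes might find out that it has atomic
            // reference counting operations within it (see the code above),
            // and if so, we'd conclude that it likely is a reference counting
            // pointer destructor.
            ReleaseDestructorLC = LC->getStackFrame();
            // It is unlikely that releasing memory is delegated to a destructor
            // inside a destructor of a shared pointer, because it's fairly hard
            // to pass the information that the pointer indeed needs to be
            // released into it. So we're only interested in the innermost
            // destructor.
            FoundAnyDestructor = true;
          }
        }
      }
    } else if (isRelinquished(RS, RSPrev, S)) {
      Msg = "Memory ownership is transferred";
      StackHint = new StackHintGeneratorForSymbol(Sym, "");
    } else if (isReallocFailedCheck(RS, RSPrev, S)) {
      Mode = ReallocationFailed;
      Msg = "Reallocation failed";
      StackHint = new StackHintGeneratorForReallocationFailed(Sym,
                                                       "Reallocation failed");

      if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
        // Is it possible to fail two reallocs WITHOUT testing in between?
        assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
          "We only support one failed realloc at a time.");
        BR.markInteresting(sym);
        FailedReallocSymbol = sym;
      }
    }

  // We are in a special mode if a reallocation failed later in the path.
  } else if (Mode == ReallocationFailed) {
    assert(FailedReallocSymbol && "No symbol to look for.");

    // Is this is the first appearance of the reallocated symbol?
    if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
      // We're at the reallocation point.
      Msg = "Attempt to reallocate memory";
      StackHint = new StackHintGeneratorForSymbol(Sym,
                                                 "Returned reallocated memory");
      FailedReallocSymbol = nullptr;
      Mode = Normal;
    }
  }

  if (Msg.empty()) {
    // Silence a memory leak warning by MallocChecker in MallocChecker.cpp :)
    assert(!StackHint && "Memory leak!");
    return nullptr;
  }

  assert(StackHint);

  // Generate the extra diagnostic.
  PathDiagnosticLocation Pos;
  if (!S) {
    // Without a statement, the note can only be placed at an implicit call
    // (the inner-buffer destructor case); otherwise there is nowhere to put it.
    assert(RS->getAllocationFamily() == AF_InnerBuffer);
    auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
    if (!PostImplCall)
      return nullptr;
    Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
                                 BRC.getSourceManager());
  } else {
    Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
                                 N->getLocationContext());
  }

  return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true, StackHint);
}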
3092 
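void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
                               const char *NL, const char *Sep) const {
  // Dump every symbol tracked in RegionState for \p State, one entry per line:
  //   <symbol> : <RefState dump> (<name of the check that tracks this family>)
  // Nothing is printed (not even the section header) when no region is
  // tracked. \p NL is the line terminator and \p Sep the section separator
  // supplied by the caller.
  const RegionStateTy RS = State->get<RegionState>();
  if (RS.isEmpty())
    return;

  Out << Sep << "MallocChecker :" << NL;
  for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
    // Read the entry straight off the iterator rather than looking the key up
    // again in the very map we are iterating: the second lookup was redundant
    // and, had it ever missed, the result would have been dereferenced
    // without a null check.
    const RefState &Entry = I.getData();
    const AllocationFamily Family = Entry.getAllocationFamily();

    // Attribute the family to the non-leak check first; if no such check is
    // enabled, fall back to the variant selected by the second argument
    // (presumably the leak check) so the entry is still labelled.
    Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
    if (!CheckKind.hasValue())
      CheckKind = getCheckIfTracked(Family, true);

    I.getKey()->dumpToStream(Out);
    Out << " : ";
    Entry.dump(Out);
    if (CheckKind.hasValue())
      Out << " (" << CheckNames[*CheckKind].getName() << ")";
    Out << NL;
  }
}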
3116 
namespace clang {
namespace ento {
namespace allocation_state {

/// Mark \p Sym as released in the RegionState map of \p State, attributing
/// the release to the AF_InnerBuffer allocation family. \p Origin is the
/// expression the release is attributed to and is carried inside the stored
/// RefState. Exposed outside the anonymous namespace so that another checker
/// (presumably InnerPointerChecker, cf. registerInnerPointerCheckerAux) can
/// feed releases into MallocChecker's tracking.
///
/// \return the updated program state; \p State itself is not modified.
ProgramStateRef
markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) {
  const RefState Released = RefState::getReleased(AF_InnerBuffer, Origin);
  return State->set<RegionState>(Sym, Released);
}

} // end namespace allocation_state
} // end namespace ento
} // end namespace clang
3130 
/// Turn on the InnerPointerChecker slice of MallocChecker. Intended to be
/// called from InnerPointerChecker's own registration code. It only looks the
/// existing MallocChecker instance up (getChecker, not registerChecker), so
/// the instance must already have been registered, presumably through
/// registerDynamicMemoryModeling.
void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) {
  const auto Kind = MallocChecker::CK_InnerPointerChecker;
  auto *checker = mgr.getChecker<MallocChecker>();
  checker->ChecksEnabled[Kind] = true;
  // Remember the name the check was enabled under so diagnostics can cite it.
  checker->CheckNames[Kind] = mgr.getCurrentCheckName();
}
3139 
/// Register the single MallocChecker instance that every other register*
/// entry point in this file merely configures, and read its "Optimistic"
/// boolean option from the analyzer options.
void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
  MallocChecker *checker = mgr.registerChecker<MallocChecker>();
  auto &&Opts = mgr.getAnalyzerOptions();
  checker->IsOptimistic = Opts.getCheckerBooleanOption(checker, "Optimistic");
}
3145 
/// The modeling is registered unconditionally: nothing in it depends on the
/// language options, so \p LO is deliberately ignored.
bool ento::shouldRegisterDynamicMemoryModeling(const LangOptions &LO) {
  (void)LO;
  return true;
}
3149 
// Defines the two registration entry points for a MallocChecker sub-check:
//  * register<name> looks up the shared MallocChecker instance (getChecker,
//    so it presumably must already exist, cf. registerDynamicMemoryModeling),
//    switches on the CK_<name> check and records the name it was enabled
//    under for use in diagnostics;
//  * shouldRegister<name> unconditionally returns true.
// A macro is used because the bodies differ only in the token-pasted check
// kind. Comments are kept outside the macro body on purpose: a `//` comment
// on a backslash-continued line would swallow the following lines.
#define REGISTER_CHECKER(name)                                                 \
  void ento::register##name(CheckerManager &mgr) {                             \
    MallocChecker *checker = mgr.getChecker<MallocChecker>();                  \
    checker->ChecksEnabled[MallocChecker::CK_##name] = true;                   \
    checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \
  }                                                                            \
                                                                               \
  bool ento::shouldRegister##name(const LangOptions &LO) {                     \
    return true;                                                               \
  }

// The user-facing checks layered on the shared MallocChecker instance. Each
// name must match a CK_<name> enumerator of MallocChecker::CheckKind.
REGISTER_CHECKER(MallocChecker)
REGISTER_CHECKER(NewDeleteChecker)
REGISTER_CHECKER(NewDeleteLeaksChecker)
REGISTER_CHECKER(MismatchedDeallocatorChecker)
3165