Index: lib/StaticAnalyzer/Checkers/MallocChecker.cpp =================================================================== --- lib/StaticAnalyzer/Checkers/MallocChecker.cpp +++ lib/StaticAnalyzer/Checkers/MallocChecker.cpp @@ -177,7 +177,10 @@ II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr), II_g_malloc0(nullptr), II_g_realloc(nullptr), II_g_try_malloc(nullptr), II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr), - II_g_free(nullptr), II_g_memdup(nullptr) {} + II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr), + II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr), + II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr), + II_g_try_realloc_n(nullptr) {} /// In pessimistic mode, the checker assumes that it does not know which /// functions might free the memory. @@ -241,7 +244,10 @@ *II_if_nameindex, *II_if_freenameindex, *II_wcsdup, *II_win_wcsdup, *II_g_malloc, *II_g_malloc0, *II_g_realloc, *II_g_try_malloc, *II_g_try_malloc0, - *II_g_try_realloc, *II_g_free, *II_g_memdup; + *II_g_try_realloc, *II_g_free, *II_g_memdup, + *II_g_malloc_n, *II_g_malloc0_n, *II_g_realloc_n, + *II_g_try_malloc_n, *II_g_try_malloc0_n, + *II_g_try_realloc_n; mutable Optional KernelZeroFlagVal; void initIdentifierInfo(ASTContext &C) const; @@ -321,9 +327,12 @@ bool &ReleasedAllocated, bool ReturnsNullOnFailure = false) const; - ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, - bool FreesMemOnFailure, - ProgramStateRef State) const; + ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE, + bool FreesMemOnFailure, + ProgramStateRef State, + bool SuffixWithN = false) const; + SVal SValBinMulOp(CheckerContext &C, const Expr *Blocks, + const Expr *BlockBytes, ProgramStateRef State) const; static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE, ProgramStateRef State); @@ -569,6 +578,11 @@ II_g_try_realloc = &Ctx.Idents.get("g_try_realloc"); II_g_free = &Ctx.Idents.get("g_free"); II_g_memdup = &Ctx.Idents.get("g_memdup"); + II_g_malloc_n = &Ctx.Idents.get("g_malloc_n"); + II_g_malloc0_n = &Ctx.Idents.get("g_malloc0_n"); + II_g_realloc_n = &Ctx.Idents.get("g_realloc_n"); + II_g_try_malloc0_n = &Ctx.Idents.get("g_try_malloc0_n"); + II_g_try_realloc_n = &Ctx.Idents.get("g_try_realloc_n"); } bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const { @@ -617,7 +631,10 @@ FunI == II_g_malloc || FunI == II_g_malloc0 || FunI == II_g_realloc || FunI == II_g_try_malloc || FunI == II_g_try_malloc0 || FunI == II_g_try_realloc || - FunI == II_g_memdup) + FunI == II_g_memdup || FunI == II_g_malloc_n || + FunI == II_g_malloc0_n || FunI == II_g_realloc_n || + FunI == II_g_try_malloc_n || FunI == II_g_try_malloc0_n || + FunI == II_g_try_realloc_n) return true; } @@ -767,6 +784,22 @@ return None; } +SVal MallocChecker::SValBinMulOp(CheckerContext &C, + const Expr *Blocks, + const Expr *BlockBytes, + ProgramStateRef State) const { + SValBuilder &svalBuilder = C.getSValBuilder(); + const LocationContext *LCtx = C.getLocationContext(); + SVal nBlocks = State->getSVal(Blocks, LCtx); + SVal nBlockBytes = State->getSVal(BlockBytes, LCtx); + SVal TotalSize = svalBuilder.evalBinOp(State, + BO_Mul, + nBlocks, + nBlockBytes, + svalBuilder.getContext().getSizeType()); + return TotalSize; +} + void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const { if (C.wasInlined) return; @@ -813,10 +846,10 @@ State = ProcessZeroAllocation(C, CE, 0, State); } else if (FunI == II_realloc || FunI == II_g_realloc || FunI == II_g_try_realloc) { - State = ReallocMem(C, CE, false, State); + State = ReallocMemAux(C, CE, false, State); State = ProcessZeroAllocation(C, CE, 1, State); } else if (FunI == II_reallocf) { - State = ReallocMem(C, CE, true, State); + State = ReallocMemAux(C, CE, true, State); State = ProcessZeroAllocation(C, CE, 1, State); } else if (FunI == II_calloc) { State = CallocMem(C, CE, State); @@ -874,6 +907,26 @@ return; State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State); State = ProcessZeroAllocation(C, CE, 1, State); + } else if (FunI == II_g_malloc_n || FunI == II_g_try_malloc_n || + FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) { + if (CE->getNumArgs() < 2) + return; + SVal Init = UndefinedVal(); + if (FunI == II_g_malloc0_n || FunI == II_g_try_malloc0_n) { + SValBuilder &svalBuilder = C.getSValBuilder(); + Init = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); + } + State = MallocMemAux(C, CE, + SValBinMulOp(C, CE->getArg(0), CE->getArg(1), State), + Init, State); + State = ProcessZeroAllocation(C, CE, 0, State); + State = ProcessZeroAllocation(C, CE, 1, State); + } else if (FunI == II_g_realloc_n || FunI == II_g_try_realloc_n) { + if (CE->getNumArgs() < 3) + return; + State = ReallocMemAux(C, CE, false, State, true); + State = ProcessZeroAllocation(C, CE, 1, State); + State = ProcessZeroAllocation(C, CE, 2, State); } } @@ -1976,15 +2029,18 @@ } } -ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, - const CallExpr *CE, - bool FreesOnFail, - ProgramStateRef State) const { +ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C, + const CallExpr *CE, + bool FreesOnFail, + ProgramStateRef State, + bool SuffixWithN) const { if (!State) return nullptr; - if (CE->getNumArgs() < 2) + if ((!SuffixWithN && CE->getNumArgs() < 2) || + (SuffixWithN && CE->getNumArgs() < 3)) { return nullptr; + } const Expr *arg0Expr = CE->getArg(0); const LocationContext *LCtx = C.getLocationContext(); @@ -2000,14 +2056,21 @@ // Get the size argument. If there is no size arg then give up. const Expr *Arg1 = CE->getArg(1); - if (!Arg1) + const Expr *Arg2 = SuffixWithN ? CE->getArg(2) : nullptr; + if ((!SuffixWithN && !Arg1) || (SuffixWithN && !Arg2)) return nullptr; // Get the value of the size argument. SVal Arg1ValG = State->getSVal(Arg1, LCtx); - if (!Arg1ValG.getAs()) + SVal Arg2ValG = State->getSVal(Arg2, LCtx); + if (!Arg1ValG.getAs() || + (SuffixWithN && !Arg2ValG.getAs())) { return nullptr; - DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs(); + } + SVal TotalSizeG = SValBinMulOp(C, Arg1, Arg2, State); + DefinedOrUnknownSVal Arg1Val = SuffixWithN ? + TotalSizeG.castAs() : + Arg1ValG.castAs(); // Compare the size argument to 0. DefinedOrUnknownSVal SizeZero = @@ -2026,7 +2089,10 @@ // If the ptr is NULL and the size is not 0, the call is equivalent to // malloc(size). if ( PrtIsNull && !SizeIsZero) { - ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), + ProgramStateRef stateMalloc = SuffixWithN ? + MallocMemAux(C, CE, TotalSizeG, + UndefinedVal(), StatePtrIsNull) : + MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), StatePtrIsNull); return stateMalloc; } @@ -2059,7 +2125,10 @@ if (ProgramStateRef stateFree = FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) { - ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), + ProgramStateRef stateRealloc = SuffixWithN ? + MallocMemAux(C, CE, TotalSizeG, + UnknownVal(), stateFree) : + MallocMemAux(C, CE, CE->getArg(1), UnknownVal(), stateFree); if (!stateRealloc) return nullptr; Index: test/Analysis/gmalloc.c =================================================================== --- test/Analysis/gmalloc.c +++ test/Analysis/gmalloc.c @@ -13,6 +13,12 @@ gpointer g_try_malloc(gsize n_bytes); gpointer g_try_malloc0(gsize n_bytes); gpointer g_try_realloc(gpointer mem, gsize n_bytes); +gpointer g_malloc_n(gsize n_blocks, gsize n_block_bytes); +gpointer g_malloc0_n(gsize n_blocks, gsize n_block_bytes); +gpointer g_realloc_n(gpointer mem, gsize n_blocks, gsize n_block_bytes); +gpointer g_try_malloc_n(gsize n_blocks, gsize n_block_bytes); +gpointer g_try_malloc0_n(gsize n_blocks, gsize n_block_bytes); +gpointer g_try_realloc_n(gpointer mem, gsize n_blocks, gsize n_block_bytes); void g_free(gpointer mem); gpointer g_memdup(gconstpointer mem, guint byte_size); @@ -25,6 +31,12 @@ gpointer g3 = g_try_malloc(n_bytes); gpointer g4 = g_try_malloc0(n_bytes); g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); g_free(g1); g_free(g2); @@ -38,6 +50,12 @@ gpointer g3 = g_try_malloc(n_bytes); gpointer g4 = g_try_malloc0(n_bytes); g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); g_free(g1); g_free(g2); @@ -52,8 +70,100 @@ gpointer g3 = g_try_malloc(n_bytes); gpointer g4 = g_try_malloc0(n_bytes); g3 = g_try_realloc(g3, n_bytes * 2); // expected-warning{{Potential leak of memory pointed to by 'g4'}} + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g6'}} + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g5'}} + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} + + g_free(g1); // expected-warning{{Potential leak of memory pointed to by 'g7'}} + g_free(g2); + g_free(g3); +} + +void f4() { + gpointer g1 = g_malloc(n_bytes); + gpointer g2 = g_malloc0(n_bytes); + g1 = g_realloc(g1, n_bytes * 2); + gpointer g3 = g_try_malloc(n_bytes); + gpointer g4 = g_try_malloc0(n_bytes); + g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g6'}} + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g5'}} + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} + + g_free(g1); // expected-warning{{Potential leak of memory pointed to by 'g7'}} + g_free(g2); + g_free(g3); + g_free(g4); +} + +void f5() { + gpointer g1 = g_malloc(n_bytes); + gpointer g2 = g_malloc0(n_bytes); + g1 = g_realloc(g1, n_bytes * 2); + gpointer g3 = g_try_malloc(n_bytes); + gpointer g4 = g_try_malloc0(n_bytes); + g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g6'}} + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} + + g_free(g1); // expected-warning{{Potential leak of memory pointed to by 'g7'}} + g_free(g2); + g_free(g3); + g_free(g4); + g_free(g5); +} + +void f6() { + gpointer g1 = g_malloc(n_bytes); + gpointer g2 = g_malloc0(n_bytes); + g1 = g_realloc(g1, n_bytes * 2); + gpointer g3 = g_try_malloc(n_bytes); + gpointer g4 = g_try_malloc0(n_bytes); + g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} + + g_free(g1); // expected-warning{{Potential leak of memory pointed to by 'g7'}} + g_free(g2); + g_free(g3); + g_free(g4); + g_free(g5); + g_free(g6); +} + +void f7() { + gpointer g1 = g_malloc(n_bytes); + gpointer g2 = g_malloc0(n_bytes); + g1 = g_realloc(g1, n_bytes * 2); + gpointer g3 = g_try_malloc(n_bytes); + gpointer g4 = g_try_malloc0(n_bytes); + g3 = g_try_realloc(g3, n_bytes * 2); + gpointer g5 = g_malloc_n(n_bytes, sizeof(char)); + gpointer g6 = g_malloc0_n(n_bytes, sizeof(char)); + g5 = g_realloc_n(g5, n_bytes * 2, sizeof(char)); + gpointer g7 = g_try_malloc_n(n_bytes, sizeof(char)); + gpointer g8 = g_try_malloc0_n(n_bytes, sizeof(char)); + g7 = g_try_realloc_n(g7, n_bytes * 2, sizeof(char)); // expected-warning{{Potential leak of memory pointed to by 'g8'}} g_free(g1); g_free(g2); g_free(g3); + g_free(g4); + g_free(g5); + g_free(g6); + g_free(g7); }