This is an archive of the discontinued LLVM Phabricator instance.

Differential D68162

[analyzer][MallocChecker][NFC] Communicate the allocation family to auxiliary functions with parameters
ClosedPublic

Authored by Szelethus on Sep 27 2019, 3:07 PM.

Details

Reviewers
NoQ
xazax.hun
rnkovacs
Charusso
dcoughlin
baloghadamsoftware
Commits
rG9fd7ce7f4449: [analyzer][MallocChecker][NFC] Communicate the allocation family to auxiliary…
Summary

The following series of refactoring patches aim to fix the horrible mess that MallocChecker.cpp is.

I genuinely hate this file. It goes completely against how most of the checkers are implemented, its by far the biggest headache regarding checker dependencies, checker options, or anything you can imagine. On top of all that, its just bad code. Its seriously everything that you shouldn't do in C++, or any other language really. Bad variable/class names, in/out parameters... Apologies, rant over.

So: there are a variety of memory manipulating function this checker models. One aspect of these functions is their AllocationFamily, which we use to distinguish between allocation kinds, like using free() on an object allocated by operator new. However, since we always know which function we're actually modeling, in fact we know it compile time, there is no need to use tricks to retrieve this information out of thin air n+1 function calls down the line. This patch changes many methods of MallocChecker to take a non-optional AllocationFamily template parameter (which also makes stack dumps a bit nicer!), and removes some no longer needed auxiliary functions.

Diff Detail

Event Timeline

Szelethus created this revision.Sep 27 2019, 3:07 PM
Herald added subscribers: cfe-commits, gamesh411, dkrupp and 5 others. · View Herald TranscriptSep 27 2019, 3:07 PM
Szelethus added a child revision: D68163: [analyzer][MallocChecker][NFC] Change the use of IdentifierInfo* to CallDescription.Sep 27 2019, 3:11 PM
NoQ added a comment.EditedSep 27 2019, 6:54 PM

Thank you, fantastic finding!

in fact we know it compile time

Yeah, but is it accidental or is there a good reason behind always having this information at compile time? 'Cause i don't want to restrict the code to always provide this information at compile time if we're not sure it'll always be able to provide it in compile time.

My mental model for this sort of stuff is something like this:

CallDescriptionMap M = {
  "malloc", {&MallocChecker::MallocMemAux, AF_Malloc},
  "alloca", {&MallocChecker::MallocMemAux, AF_Alloca},
};

void checkPostCall(const CallEvent &Call, CheckerContext &C) {
  if (Info *I = M.lookup(Call))
    I->first(I->second, C, Call);
}
Szelethus added a comment.Oct 1 2019, 7:19 AM
In D68162#1686810, @NoQ wrote:

Thank you, fantastic finding!

in fact we know it compile time

Yeah, but is it accidental or is there a good reason behind always having this information at compile time? 'Cause i don't want to restrict the code to always provide this information at compile time if we're not sure it'll always be able to provide it in compile time.

Definitely accidental. And now that I think about it, maybe it would be better to turn these into non-optional regular arguments. Though its far in the future, we could eventually add annotations that tell whether a function returns with newed or malloc()ated memory.

The entire point of the patch was to get rid of getAllocationFamily, because there really isn't a need to get the allocation family of hardcoded functions.

Szelethus updated this revision to Diff 222781.Oct 2 2019, 2:43 AM
Szelethus retitled this revision from [analyzer][MallocChecker][NFC] Communicate the allocation family information to auxiliary functions with template parameters to [analyzer][MallocChecker][NFC] Communicate the allocation family to auxiliary functions with parameters.

Use regular parameters instead of template parameters.

baloghadamsoftware added a comment.Oct 3 2019, 8:57 AM

I like this change. If we can retrieve something with a simple getter, then do not carry extra parameters all over the code. However, if we have to recalculate something over and over again then it is much better to determine it once and pass it around as a parameter. Especially in this case where we have the information statically at top level and do not have to calculate it all if we use that.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1865

Please add an && "<Error message>" to the assertion.

Szelethus added a comment.Oct 11 2019, 7:25 AM

I forgot to emphasise that the entire point of the patch was to get rid of getAllocationFamily, at least the way it used to work, because it was a mess and prevented me from moving forward with changing things to a CallDescriptionMap.

In D68162#1693110, @baloghadamsoftware wrote:

I like this change. If we can retrieve something with a simple getter, then do not carry extra parameters all over the code. However, if we have to recalculate something over and over again then it is much better to determine it once and pass it around as a parameter. Especially in this case where we have the information statically at top level and do not have to calculate it all if we use that.

In D68162#1686810, @NoQ wrote:

My mental model for this sort of stuff is something like this:

CallDescriptionMap M = {
  "malloc", {&MallocChecker::MallocMemAux, AF_Malloc},
  "alloca", {&MallocChecker::MallocMemAux, AF_Alloca},
};

void checkPostCall(const CallEvent &Call, CheckerContext &C) {
  if (Info *I = M.lookup(Call))
    I->first(I->second, C, Call);
}

I guess you two are right. Maybe the best solution would be collapse const CallExpr * and AllocationFamily parameters into CallEvent, and just query the relevant information. Sure, its a query every time we need it, but nothing impacts performance as much as months of hair pulling trying to understand what this file does :^)

NoQ accepted this revision.Nov 7 2019, 5:13 PM

Thanks again!~

In D68162#1705928, @Szelethus wrote:

I guess you two are right. Maybe the best solution would be collapse const CallExpr * and AllocationFamily parameters into CallEvent, and just query the relevant information. Sure, its a query every time we need it, but nothing impacts performance as much as months of hair pulling trying to understand what this file does :^)

Just make sure not to store call events in the program state, 'cause they're short-lived :)

This revision is now accepted and ready to land.Nov 7 2019, 5:13 PM
Closed by commit rG9fd7ce7f4449: [analyzer][MallocChecker][NFC] Communicate the allocation family to auxiliary… (authored by Szelethus). · Explain WhyFeb 25 2020, 2:24 AM
This revision was automatically updated to reflect the committed changes.
Herald added subscribers: martong, steakhal. · View Herald TranscriptFeb 25 2020, 2:24 AM
nicolas17 mentioned this in rG9fd7ce7f4449: [analyzer][MallocChecker][NFC] Communicate the allocation family to auxiliary….Mar 1 2020, 8:36 PM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
12 lines
312 lines

Diff 246390

clang/lib/StaticAnalyzer/Checkers/InterCheckerAPI.h

//==--- InterCheckerAPI.h ---------------------------------------*- C++ -*-==// //==--- InterCheckerAPI.h ---------------------------------------*- C++ -*-==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// This file allows introduction of checker dependencies. It contains APIs for // This file allows introduction of checker dependencies. It contains APIs for
// inter-checker communications. // inter-checker communications.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_INTERCHECKERAPI_H #ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_INTERCHECKERAPI_H
#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_INTERCHECKERAPI_H #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_INTERCHECKERAPI_H
namespace clang {
class CheckerManager;
// FIXME: This file goes against how a checker should be implemented either in
// a single file, or be exposed in a header file. Let's try to get rid of it!
namespace clang {
namespace ento { namespace ento {
class CheckerManager;
/// Register the part of MallocChecker connected to InnerPointerChecker. /// Register the part of MallocChecker connected to InnerPointerChecker.
void registerInnerPointerCheckerAux(CheckerManager &Mgr); void registerInnerPointerCheckerAux(CheckerManager &Mgr);
}} } // namespace ento
} // namespace clang
#endif /* INTERCHECKERAPI_H_ */ #endif /* INTERCHECKERAPI_H_ */

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show All 38 Lines
// regions are only freed by free(), new by delete, new[] by delete[]. // regions are only freed by free(), new by delete, new[] by delete[].
// //
// InnerPointerChecker interacts very closely with MallocChecker, but unlike // InnerPointerChecker interacts very closely with MallocChecker, but unlike
// the above checkers, it has it's own file, hence the many InnerPointerChecker // the above checkers, it has it's own file, hence the many InnerPointerChecker
// related headers and non-static functions. // related headers and non-static functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "AllocationState.h"
#include "InterCheckerAPI.h" #include "InterCheckerAPI.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/AST/ParentMap.h" #include "clang/AST/ParentMap.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "AllocationState.h" #include "llvm/Support/ErrorHandling.h"
#include <climits> #include <climits>
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// The types of allocation we're modeling. // The types of allocation we're modeling. This is used to check whether a
// dynamically allocated object is deallocated with the correct function, like
// not using operator delete on an object created by malloc(), or alloca regions
// aren't ever deallocated manually.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
// Used to check correspondence between allocators and deallocators. // Used to check correspondence between allocators and deallocators.
enum AllocationFamily { enum AllocationFamily {
AF_None, AF_None,
AF_Malloc, AF_Malloc,
AF_CXXNew, AF_CXXNew,
AF_CXXNewArray, AF_CXXNewArray,
AF_IfNameIndex, AF_IfNameIndex,
AF_Alloca, AF_Alloca,
AF_InnerBuffer AF_InnerBuffer
}; };
struct MemFunctionInfoTy; struct MemFunctionInfoTy;
} // end of anonymous namespace } // end of anonymous namespace
/// Determine family of a deallocation expression.
static AllocationFamily
getAllocationFamily(const MemFunctionInfoTy &MemFunctionInfo, CheckerContext &C,
const Stmt *S);
/// Print names of allocators and deallocators. /// Print names of allocators and deallocators.
/// ///
/// \returns true on success. /// \returns true on success.
static bool printAllocDeallocName(raw_ostream &os, CheckerContext &C, static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E);
const Expr *E);
/// Print expected name of an allocator based on the deallocator's /// Print expected name of an allocator based on the deallocator's family
/// family derived from the DeallocExpr. /// derived from the DeallocExpr.
static void printExpectedAllocName(raw_ostream &os, static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family);
const MemFunctionInfoTy &MemFunctionInfo,
CheckerContext &C, const Expr *E);
/// Print expected name of a deallocator based on the allocator's /// Print expected name of a deallocator based on the allocator's
/// family. /// family.
static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family); static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family);
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// The state of a symbol, in terms of memory management. // The state of a symbol, in terms of memory management.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 84 Lines▼ Show 20 Lines
/// Check if the memory associated with this symbol was released. /// Check if the memory associated with this symbol was released.
static bool isReleased(SymbolRef Sym, CheckerContext &C); static bool isReleased(SymbolRef Sym, CheckerContext &C);
/// Update the RefState to reflect the new memory allocation. /// Update the RefState to reflect the new memory allocation.
/// The optional \p RetVal parameter specifies the newly allocated pointer /// The optional \p RetVal parameter specifies the newly allocated pointer
/// value; if unspecified, the value of expression \p E is used. /// value; if unspecified, the value of expression \p E is used.
static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E, static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family = AF_Malloc, AllocationFamily Family,
Optional<SVal> RetVal = None); Optional<SVal> RetVal = None);
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// The modeling of memory reallocation. // The modeling of memory reallocation.
// //
// The terminology 'toPtr' and 'fromPtr' will be used: // The terminology 'toPtr' and 'fromPtr' will be used:
// toPtr = realloc(fromPtr, 20); // toPtr = realloc(fromPtr, 20);
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 177 Lines▼ Show 20 Linesprivate:
mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
// TODO: Remove mutable by moving the initializtaion to the registry function. // TODO: Remove mutable by moving the initializtaion to the registry function.
mutable Optional<uint64_t> KernelZeroFlagVal; mutable Optional<uint64_t> KernelZeroFlagVal;
/// Process C++ operator new()'s allocation, which is the part of C++ /// Process C++ operator new()'s allocation, which is the part of C++
/// new-expression that goes before the constructor. /// new-expression that goes before the constructor.
void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C, void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C,
SVal Target) const; SVal Target, AllocationFamily Family) const;
/// Perform a zero-allocation check. /// Perform a zero-allocation check.
/// ///
/// \param [in] E The expression that allocates memory. /// \param [in] E The expression that allocates memory.
/// \param [in] IndexOfSizeArg Index of the argument that specifies the size /// \param [in] IndexOfSizeArg Index of the argument that specifies the size
/// of the memory that needs to be allocated. E.g. for malloc, this would be /// of the memory that needs to be allocated. E.g. for malloc, this would be
/// 0. /// 0.
/// \param [in] RetVal Specifies the newly allocated pointer value; /// \param [in] RetVal Specifies the newly allocated pointer value;
Show All 31 Linesprivate:
/// \param [in] Init The value the allocated memory needs to be initialized. /// \param [in] Init The value the allocated memory needs to be initialized.
/// with. For example, \c calloc initializes the allocated memory to 0, /// with. For example, \c calloc initializes the allocated memory to 0,
/// malloc leaves it undefined. /// malloc leaves it undefined.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
const Expr *SizeEx, SVal Init, const Expr *SizeEx, SVal Init,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family = AF_Malloc); AllocationFamily Family);
/// Models memory allocation. /// Models memory allocation.
/// ///
/// \param [in] CE The expression that allocates memory. /// \param [in] CE The expression that allocates memory.
/// \param [in] Size Size of the memory that needs to be allocated. /// \param [in] Size Size of the memory that needs to be allocated.
/// \param [in] Init The value the allocated memory needs to be initialized. /// \param [in] Init The value the allocated memory needs to be initialized.
/// with. For example, \c calloc initializes the allocated memory to 0, /// with. For example, \c calloc initializes the allocated memory to 0,
/// malloc leaves it undefined. /// malloc leaves it undefined.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
SVal Size, SVal Init, SVal Size, SVal Init,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family = AF_Malloc); AllocationFamily Family);
static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE, static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE,
ProgramStateRef State, SVal Target); ProgramStateRef State, SVal Target);
// Check if this malloc() for special flags. At present that means M_ZERO or // Check if this malloc() for special flags. At present that means M_ZERO or
// __GFP_ZERO (in which case, treat it like calloc). // __GFP_ZERO (in which case, treat it like calloc).
llvm::Optional<ProgramStateRef> llvm::Optional<ProgramStateRef>
performKernelMalloc(const CallExpr *CE, CheckerContext &C, performKernelMalloc(const CallExpr *CE, CheckerContext &C,
Show All 37 Linesprivate:
/// // ... /// // ...
/// } /// }
/// \param [in] ReturnsNullOnFailure Whether the memory deallocation function /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
/// we're modeling returns with Null on failure. /// we're modeling returns with Null on failure.
/// \returns The ProgramState right after deallocation. /// \returns The ProgramState right after deallocation.
ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
ProgramStateRef State, unsigned Num, bool Hold, ProgramStateRef State, unsigned Num, bool Hold,
bool &IsKnownToBeAllocated, bool &IsKnownToBeAllocated,
AllocationFamily Family,
bool ReturnsNullOnFailure = false) const; bool ReturnsNullOnFailure = false) const;
/// Models memory deallocation. /// Models memory deallocation.
/// ///
/// \param [in] ArgExpr The variable who's pointee needs to be freed. /// \param [in] ArgExpr The variable who's pointee needs to be freed.
/// \param [in] ParentExpr The expression that frees the memory. /// \param [in] ParentExpr The expression that frees the memory.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// normally 0, but for custom free functions it may be different. /// normally 0, but for custom free functions it may be different.
/// \param [in] Hold Whether the parameter at \p Index has the ownership_holds /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
/// attribute. /// attribute.
/// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
/// to have been allocated, or in other words, the symbol to be freed was /// to have been allocated, or in other words, the symbol to be freed was
/// registered as allocated by this checker. In the following case, \c ptr /// registered as allocated by this checker. In the following case, \c ptr
/// isn't known to be allocated. /// isn't known to be allocated.
/// void Haha(int *ptr) { /// void Haha(int *ptr) {
/// ptr = realloc(ptr, 67); /// ptr = realloc(ptr, 67);
/// // ... /// // ...
/// } /// }
/// \param [in] ReturnsNullOnFailure Whether the memory deallocation function /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
/// we're modeling returns with Null on failure. /// we're modeling returns with Null on failure.
/// \returns The ProgramState right after deallocation. /// \returns The ProgramState right after deallocation.
ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *ArgExpr, ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *ArgExpr,
const Expr *ParentExpr, ProgramStateRef State, const Expr *ParentExpr, ProgramStateRef State,
bool Hold, bool &IsKnownToBeAllocated, bool Hold, bool &IsKnownToBeAllocated,
AllocationFamily Family,
bool ReturnsNullOnFailure = false) const; bool ReturnsNullOnFailure = false) const;
// TODO: Needs some refactoring, as all other deallocation modeling // TODO: Needs some refactoring, as all other deallocation modeling
// functions are suffering from out parameters and messy code due to how // functions are suffering from out parameters and messy code due to how
// realloc is handled. // realloc is handled.
// //
/// Models memory reallocation. /// Models memory reallocation.
/// ///
/// \param [in] CE The expression that reallocated memory /// \param [in] CE The expression that reallocated memory
/// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied
/// memory should be freed. /// memory should be freed.
/// \param [in] State The \c ProgramState right before reallocation. /// \param [in] State The \c ProgramState right before reallocation.
/// \param [in] SuffixWithN Whether the reallocation function we're modeling /// \param [in] SuffixWithN Whether the reallocation function we're modeling
/// has an '_n' suffix, such as g_realloc_n. /// has an '_n' suffix, such as g_realloc_n.
/// \returns The ProgramState right after reallocation. /// \returns The ProgramState right after reallocation.
ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE, ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE,
bool ShouldFreeOnFail, ProgramStateRef State, bool ShouldFreeOnFail, ProgramStateRef State,
AllocationFamily Family,
bool SuffixWithN = false) const; bool SuffixWithN = false) const;
/// Evaluates the buffer size that needs to be allocated. /// Evaluates the buffer size that needs to be allocated.
/// ///
/// \param [in] Blocks The amount of blocks that needs to be allocated. /// \param [in] Blocks The amount of blocks that needs to be allocated.
/// \param [in] BlockBytes The size of a block. /// \param [in] BlockBytes The size of a block.
/// \returns The symbolic value of \p Blocks * \p BlockBytes. /// \returns The symbolic value of \p Blocks * \p BlockBytes.
static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
▲ Show 20 LinesShow All 48 Lines▼ Show 20 Linesprivate:
void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const; void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
///@{ ///@{
/// Tells if a given family/call/symbol is tracked by the current checker. /// Tells if a given family/call/symbol is tracked by the current checker.
/// Sets CheckKind to the kind of the checker responsible for this /// Sets CheckKind to the kind of the checker responsible for this
/// family/call/symbol. /// family/call/symbol.
Optional<CheckKind> getCheckIfTracked(AllocationFamily Family, Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
bool IsALeakCheck = false) const; bool IsALeakCheck = false) const;
Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
const Stmt *AllocDeallocStmt,
bool IsALeakCheck = false) const;
Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym, Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
bool IsALeakCheck = false) const; bool IsALeakCheck = false) const;
///@} ///@}
static bool SummarizeValue(raw_ostream &os, SVal V); static bool SummarizeValue(raw_ostream &os, SVal V);
static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
const Expr *DeallocExpr) const; const Expr *DeallocExpr, AllocationFamily Family) const;
void ReportFreeAlloca(CheckerContext &C, SVal ArgVal, void ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
SourceRange Range) const; SourceRange Range) const;
void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
const Expr *DeallocExpr, const RefState *RS, const Expr *DeallocExpr, const RefState *RS,
SymbolRef Sym, bool OwnershipTransferred) const; SymbolRef Sym, bool OwnershipTransferred) const;
void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
const Expr *DeallocExpr, const Expr *DeallocExpr, AllocationFamily Family,
const Expr *AllocExpr = nullptr) const; const Expr *AllocExpr = nullptr) const;
void ReportUseAfterFree(CheckerContext &C, SourceRange Range, void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
SymbolRef Sym) const; SymbolRef Sym) const;
void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
SymbolRef Sym, SymbolRef PrevSym) const; SymbolRef Sym, SymbolRef PrevSym) const;
void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range, void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range,
SymbolRef Sym) const; SymbolRef Sym) const;
void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
SourceRange Range, const Expr *FreeExpr) const; SourceRange Range, const Expr *FreeExpr,
AllocationFamily Family) const;
/// Find the location of the allocation for Sym on the path leading to the /// Find the location of the allocation for Sym on the path leading to the
/// exploded node N. /// exploded node N.
static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
CheckerContext &C); CheckerContext &C);
void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
}; };
▲ Show 20 LinesShow All 366 Lines▼ Show 20 Linesllvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc(
// Check if maskedFlags is non-zero. // Check if maskedFlags is non-zero.
ProgramStateRef TrueState, FalseState; ProgramStateRef TrueState, FalseState;
std::tie(TrueState, FalseState) = State->assume(MaskedFlags); std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
// If M_ZERO is set, treat this like calloc (initialized). // If M_ZERO is set, treat this like calloc (initialized).
if (TrueState && !FalseState) { if (TrueState && !FalseState) {
SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState); return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState, AF_Malloc);
} }
return None; return None;
} }
SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
const Expr *BlockBytes) { const Expr *BlockBytes) {
SValBuilder &SB = C.getSValBuilder(); SValBuilder &SB = C.getSValBuilder();
Show All 22 Lines if (FD->getKind() == Decl::Function) {
if (FunI == MemFunctionInfo.II_malloc || if (FunI == MemFunctionInfo.II_malloc ||
FunI == MemFunctionInfo.II_g_malloc || FunI == MemFunctionInfo.II_g_malloc ||
FunI == MemFunctionInfo.II_g_try_malloc) { FunI == MemFunctionInfo.II_g_try_malloc) {
switch (CE->getNumArgs()) { switch (CE->getNumArgs()) {
default: default:
return; return;
case 1: case 1:
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(C, CE, 0, State);
break; break;
case 2: case 2:
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_Malloc);
break; break;
case 3: case 3:
llvm::Optional<ProgramStateRef> MaybeState = llvm::Optional<ProgramStateRef> MaybeState =
performKernelMalloc(CE, C, State); performKernelMalloc(CE, C, State);
if (MaybeState.hasValue()) if (MaybeState.hasValue())
State = MaybeState.getValue(); State = MaybeState.getValue();
else else
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_Malloc);
break; break;
} }
} else if (FunI == MemFunctionInfo.II_kmalloc) { } else if (FunI == MemFunctionInfo.II_kmalloc) {
if (CE->getNumArgs() < 1) if (CE->getNumArgs() < 1)
return; return;
llvm::Optional<ProgramStateRef> MaybeState = llvm::Optional<ProgramStateRef> MaybeState =
performKernelMalloc(CE, C, State); performKernelMalloc(CE, C, State);
if (MaybeState.hasValue()) if (MaybeState.hasValue())
State = MaybeState.getValue(); State = MaybeState.getValue();
else else
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_Malloc);
} else if (FunI == MemFunctionInfo.II_valloc) { } else if (FunI == MemFunctionInfo.II_valloc) {
if (CE->getNumArgs() < 1) if (CE->getNumArgs() < 1)
return; return;
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); State =
MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(C, CE, 0, State);
} else if (FunI == MemFunctionInfo.II_realloc || } else if (FunI == MemFunctionInfo.II_realloc ||
FunI == MemFunctionInfo.II_g_realloc || FunI == MemFunctionInfo.II_g_realloc ||
FunI == MemFunctionInfo.II_g_try_realloc) { FunI == MemFunctionInfo.II_g_try_realloc) {
State = ReallocMemAux(C, CE, /*ShouldFreeOnFail*/ false, State); State =
ReallocMemAux(C, CE, /*ShouldFreeOnFail*/ false, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(C, CE, 1, State);
} else if (FunI == MemFunctionInfo.II_reallocf) { } else if (FunI == MemFunctionInfo.II_reallocf) {
State = ReallocMemAux(C, CE, /*ShouldFreeOnFail*/ true, State); State = ReallocMemAux(C, CE, /*ShouldFreeOnFail*/ true, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(C, CE, 1, State);
} else if (FunI == MemFunctionInfo.II_calloc) { } else if (FunI == MemFunctionInfo.II_calloc) {
State = CallocMem(C, CE, State); State = CallocMem(C, CE, State);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(C, CE, 0, State);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(C, CE, 1, State);
} else if (FunI == MemFunctionInfo.II_free || } else if (FunI == MemFunctionInfo.II_free ||
FunI == MemFunctionInfo.II_g_free || FunI == MemFunctionInfo.II_g_free ||
FunI == MemFunctionInfo.II_kfree) { FunI == MemFunctionInfo.II_kfree) {
if (suppressDeallocationsInSuspiciousContexts(CE, C)) if (suppressDeallocationsInSuspiciousContexts(CE, C))
return; return;
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory); State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,
AF_Malloc);
} else if (FunI == MemFunctionInfo.II_strdup || } else if (FunI == MemFunctionInfo.II_strdup ||
FunI == MemFunctionInfo.II_win_strdup || FunI == MemFunctionInfo.II_win_strdup ||
FunI == MemFunctionInfo.II_wcsdup || FunI == MemFunctionInfo.II_wcsdup ||
FunI == MemFunctionInfo.II_win_wcsdup) { FunI == MemFunctionInfo.II_win_wcsdup) {
State = MallocUpdateRefState(C, CE, State); State = MallocUpdateRefState(C, CE, State, AF_Malloc);
} else if (FunI == MemFunctionInfo.II_strndup) { } else if (FunI == MemFunctionInfo.II_strndup) {
State = MallocUpdateRefState(C, CE, State); State = MallocUpdateRefState(C, CE, State, AF_Malloc);
} else if (FunI == MemFunctionInfo.II_alloca || } else if (FunI == MemFunctionInfo.II_alloca ||
FunI == MemFunctionInfo.II_win_alloca) { FunI == MemFunctionInfo.II_win_alloca) {
if (CE->getNumArgs() < 1) if (CE->getNumArgs() < 1)
return; return;
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, State =
AF_Alloca); MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Alloca);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(C, CE, 0, State);
} else if (MemFunctionInfo.isStandardNewDelete(FD, C.getASTContext())) { } else if (MemFunctionInfo.isStandardNewDelete(FD, C.getASTContext())) {
// Process direct calls to operator new/new[]/delete/delete[] functions // Process direct calls to operator new/new[]/delete/delete[] functions
// as distinct from new/new[]/delete/delete[] expressions that are // as distinct from new/new[]/delete/delete[] expressions that are
// processed by the checkPostStmt callbacks for CXXNewExpr and // processed by the checkPostStmt callbacks for CXXNewExpr and
// CXXDeleteExpr. // CXXDeleteExpr.
switch (FD->getOverloadedOperator()) { switch (FD->getOverloadedOperator()) {
case OO_New: case OO_New:
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_CXXNew); AF_CXXNew);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(C, CE, 0, State);
break; break;
case OO_Array_New: case OO_Array_New:
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_CXXNewArray); AF_CXXNewArray);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(C, CE, 0, State);
break; break;
case OO_Delete: case OO_Delete:
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,
AF_CXXNew);
break;
case OO_Array_Delete: case OO_Array_Delete:
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory); State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,
AF_CXXNewArray);
break; break;
default: default:
llvm_unreachable("not a new/delete operator"); llvm_unreachable("not a new/delete operator");
} }
} else if (FunI == MemFunctionInfo.II_if_nameindex) { } else if (FunI == MemFunctionInfo.II_if_nameindex) {
// Should we model this differently? We can allocate a fixed number of // Should we model this differently? We can allocate a fixed number of
// elements with zeros in the last one. // elements with zeros in the last one.
State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
AF_IfNameIndex); AF_IfNameIndex);
} else if (FunI == MemFunctionInfo.II_if_freenameindex) { } else if (FunI == MemFunctionInfo.II_if_freenameindex) {
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory); State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,
AF_IfNameIndex);
} else if (FunI == MemFunctionInfo.II_g_malloc0 || } else if (FunI == MemFunctionInfo.II_g_malloc0 ||
FunI == MemFunctionInfo.II_g_try_malloc0) { FunI == MemFunctionInfo.II_g_try_malloc0) {
if (CE->getNumArgs() < 1) if (CE->getNumArgs() < 1)
return; return;
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State); State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(C, CE, 0, State);
} else if (FunI == MemFunctionInfo.II_g_memdup) { } else if (FunI == MemFunctionInfo.II_g_memdup) {
if (CE->getNumArgs() < 2) if (CE->getNumArgs() < 2)
return; return;
State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State); State =
MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(C, CE, 1, State);
} else if (FunI == MemFunctionInfo.II_g_malloc_n || } else if (FunI == MemFunctionInfo.II_g_malloc_n ||
FunI == MemFunctionInfo.II_g_try_malloc_n || FunI == MemFunctionInfo.II_g_try_malloc_n ||
FunI == MemFunctionInfo.II_g_malloc0_n || FunI == MemFunctionInfo.II_g_malloc0_n ||
FunI == MemFunctionInfo.II_g_try_malloc0_n) { FunI == MemFunctionInfo.II_g_try_malloc0_n) {
if (CE->getNumArgs() < 2) if (CE->getNumArgs() < 2)
return; return;
SVal Init = UndefinedVal(); SVal Init = UndefinedVal();
if (FunI == MemFunctionInfo.II_g_malloc0_n || if (FunI == MemFunctionInfo.II_g_malloc0_n ||
FunI == MemFunctionInfo.II_g_try_malloc0_n) { FunI == MemFunctionInfo.II_g_try_malloc0_n) {
SValBuilder &SB = C.getSValBuilder(); SValBuilder &SB = C.getSValBuilder();
Init = SB.makeZeroVal(SB.getContext().CharTy); Init = SB.makeZeroVal(SB.getContext().CharTy);
} }
SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
State = MallocMemAux(C, CE, TotalSize, Init, State); State = MallocMemAux(C, CE, TotalSize, Init, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(C, CE, 0, State);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(C, CE, 1, State);
} else if (FunI == MemFunctionInfo.II_g_realloc_n || } else if (FunI == MemFunctionInfo.II_g_realloc_n ||
FunI == MemFunctionInfo.II_g_try_realloc_n) { FunI == MemFunctionInfo.II_g_try_realloc_n) {
if (CE->getNumArgs() < 3) if (CE->getNumArgs() < 3)
return; return;
State = ReallocMemAux(C, CE, /*ShouldFreeOnFail*/ false, State, State = ReallocMemAux(C, CE, /*ShouldFreeOnFail*/ false, State, AF_Malloc,
/*SuffixWithN*/ true); /*SuffixWithN*/ true);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(C, CE, 1, State);
State = ProcessZeroAllocCheck(C, CE, 2, State); State = ProcessZeroAllocCheck(C, CE, 2, State);
} }
} }
if (MemFunctionInfo.ShouldIncludeOwnershipAnnotatedFunctions || if (MemFunctionInfo.ShouldIncludeOwnershipAnnotatedFunctions ||
ChecksEnabled[CK_MismatchedDeallocatorChecker]) { ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
▲ Show 20 LinesShow All 115 Lines▼ Show 20 Lines for (const auto *CtorParam : CtorD->parameters()) {
if (CtorParamPointeeT->getAsCXXRecordDecl()) if (CtorParamPointeeT->getAsCXXRecordDecl())
return true; return true;
} }
return false; return false;
} }
void MallocChecker::processNewAllocation(const CXXNewExpr *NE, void MallocChecker::processNewAllocation(const CXXNewExpr *NE,
CheckerContext &C, CheckerContext &C, SVal Target,
SVal Target) const { AllocationFamily Family) const {
if (!MemFunctionInfo.isStandardNewDelete(NE->getOperatorNew(), if (!MemFunctionInfo.isStandardNewDelete(NE->getOperatorNew(),
C.getASTContext())) C.getASTContext()))
return; return;
const ParentMap &PM = C.getLocationContext()->getParentMap(); const ParentMap &PM = C.getLocationContext()->getParentMap();
// Non-trivial constructors have a chance to escape 'this', but marking all // Non-trivial constructors have a chance to escape 'this', but marking all
// invocations of trivial constructors as escaped would cause too great of // invocations of trivial constructors as escaped would cause too great of
// reduction of true positives, so let's just do that for constructors that // reduction of true positives, so let's just do that for constructors that
// have an argument of a pointer-to-record type. // have an argument of a pointer-to-record type.
if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE)) if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE))
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// The return value from operator new is bound to a specified initialization // The return value from operator new is bound to a specified initialization
// value (if any) and we don't want to loose this value. So we call // value (if any) and we don't want to loose this value. So we call
// MallocUpdateRefState() instead of MallocMemAux() which breaks the // MallocUpdateRefState() instead of MallocMemAux() which breaks the
// existing binding. // existing binding.
State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray State = MallocUpdateRefState(C, NE, State, Family, Target);
: AF_CXXNew, Target);
State = addExtentSize(C, NE, State, Target); State = addExtentSize(C, NE, State, Target);
State = ProcessZeroAllocCheck(C, NE, 0, State, Target); State = ProcessZeroAllocCheck(C, NE, 0, State, Target);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkPostStmt(const CXXNewExpr *NE, void MallocChecker::checkPostStmt(const CXXNewExpr *NE,
CheckerContext &C) const { CheckerContext &C) const {
if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator) if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator) {
processNewAllocation(NE, C, C.getSVal(NE)); if (NE->isArray())
processNewAllocation(NE, C, C.getSVal(NE),
(NE->isArray() ? AF_CXXNewArray : AF_CXXNew));
}
} }
void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target, void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target,
CheckerContext &C) const { CheckerContext &C) const {
if (!C.wasInlined) if (!C.wasInlined) {
processNewAllocation(NE, C, Target); processNewAllocation(NE, C, Target,
(NE->isArray() ? AF_CXXNewArray : AF_CXXNew));
}
} }
// Sets the extent value of the MemRegion allocated by // Sets the extent value of the MemRegion allocated by
// new expression NE to its size in Bytes. // new expression NE to its size in Bytes.
// //
ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C, ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
const CXXNewExpr *NE, const CXXNewExpr *NE,
ProgramStateRef State, ProgramStateRef State,
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Linesvoid MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
if (!MemFunctionInfo.isStandardNewDelete(DE->getOperatorDelete(), if (!MemFunctionInfo.isStandardNewDelete(DE->getOperatorDelete(),
C.getASTContext())) C.getASTContext()))
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
bool IsKnownToBeAllocated; bool IsKnownToBeAllocated;
State = FreeMemAux(C, DE->getArgument(), DE, State, State = FreeMemAux(C, DE->getArgument(), DE, State,
/*Hold*/ false, IsKnownToBeAllocated); /*Hold*/ false, IsKnownToBeAllocated,
(DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew));
C.addTransition(State); C.addTransition(State);
} }
static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) { static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
// If the first selector piece is one of the names below, assume that the // If the first selector piece is one of the names below, assume that the
// object takes ownership of the memory, promising to eventually deallocate it // object takes ownership of the memory, promising to eventually deallocate it
// with free(). // with free().
Show All 29 Lines if (!*FreeWhenDone)
return; return;
if (Call.hasNonZeroCallbackArg()) if (Call.hasNonZeroCallbackArg())
return; return;
bool IsKnownToBeAllocatedMemory; bool IsKnownToBeAllocatedMemory;
ProgramStateRef State = ProgramStateRef State =
FreeMemAux(C, Call.getArgExpr(0), Call.getOriginExpr(), C.getState(), FreeMemAux(C, Call.getArgExpr(0), Call.getOriginExpr(), C.getState(),
/*Hold=*/true, IsKnownToBeAllocatedMemory, /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc,
/*RetNullOnFailure=*/true); /*RetNullOnFailure=*/true);
C.addTransition(State); C.addTransition(State);
} }
ProgramStateRef ProgramStateRef
MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const { ProgramStateRef State) const {
if (!State) if (!State)
return nullptr; return nullptr;
if (Att->getModule() != MemFunctionInfo.II_malloc) if (Att->getModule() != MemFunctionInfo.II_malloc)
return nullptr; return nullptr;
OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
if (I != E) { if (I != E) {
return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(), return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(),
State); State, AF_Malloc);
} }
return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State); return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State, AF_Malloc);
} }
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
const Expr *SizeEx, SVal Init, const Expr *SizeEx, SVal Init,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family) { AllocationFamily Family) {
if (!State) if (!State)
return nullptr; return nullptr;
return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family); return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family);
} }
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE, SVal Size,
SVal Size, SVal Init, SVal Init, ProgramStateRef State,
ProgramStateRef State,
AllocationFamily Family) { AllocationFamily Family) {
if (!State) if (!State)
return nullptr; return nullptr;
// We expect the malloc functions to return a pointer. // We expect the malloc functions to return a pointer.
if (!Loc::isLocType(CE->getType())) if (!Loc::isLocType(CE->getType()))
return nullptr; return nullptr;
// Bind the return value to the symbolic value from the heap region. // Bind the return value to the symbolic value from the heap region.
▲ Show 20 LinesShow All 60 Lines▼ Show 20 Lines if (!State)
return nullptr; return nullptr;
if (Att->getModule() != MemFunctionInfo.II_malloc) if (Att->getModule() != MemFunctionInfo.II_malloc)
return nullptr; return nullptr;
bool IsKnownToBeAllocated = false; bool IsKnownToBeAllocated = false;
for (const auto &Arg : Att->args()) { for (const auto &Arg : Att->args()) {
ProgramStateRef StateI = FreeMemAux( ProgramStateRef StateI =
C, CE, State, Arg.getASTIndex(), FreeMemAux(C, CE, State, Arg.getASTIndex(),
Att->getOwnKind() == OwnershipAttr::Holds, IsKnownToBeAllocated); Att->getOwnKind() == OwnershipAttr::Holds,
IsKnownToBeAllocated, AF_Malloc);
if (StateI) if (StateI)
State = StateI; State = StateI;
} }
return State; return State;
} }
ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, const CallExpr *CE, ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, const CallExpr *CE,
ProgramStateRef State, unsigned Num, ProgramStateRef State, unsigned Num,
bool Hold, bool &IsKnownToBeAllocated, bool Hold, bool &IsKnownToBeAllocated,
AllocationFamily Family,
bool ReturnsNullOnFailure) const { bool ReturnsNullOnFailure) const {
if (!State) if (!State)
return nullptr; return nullptr;
if (CE->getNumArgs() < (Num + 1)) if (CE->getNumArgs() < (Num + 1))
return nullptr; return nullptr;
return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, IsKnownToBeAllocated, return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, IsKnownToBeAllocated,
ReturnsNullOnFailure); Family, ReturnsNullOnFailure);
} }
/// Checks if the previous call to free on the given symbol failed - if free /// Checks if the previous call to free on the given symbol failed - if free
/// failed, returns true. Also, returns the corresponding return value symbol. /// failed, returns true. Also, returns the corresponding return value symbol.
static bool didPreviousFreeFail(ProgramStateRef State, static bool didPreviousFreeFail(ProgramStateRef State,
SymbolRef Sym, SymbolRef &RetStatusSymbol) { SymbolRef Sym, SymbolRef &RetStatusSymbol) {
const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
if (Ret) { if (Ret) {
assert(*Ret && "We should not store the null return symbol"); assert(*Ret && "We should not store the null return symbol");
ConstraintManager &CMgr = State->getConstraintManager(); ConstraintManager &CMgr = State->getConstraintManager();
ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret); ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
RetStatusSymbol = *Ret; RetStatusSymbol = *Ret;
return FreeFailed.isConstrainedTrue(); return FreeFailed.isConstrainedTrue();
} }
return false; return false;
} }
static AllocationFamily static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E) {
getAllocationFamily(const MemFunctionInfoTy &MemFunctionInfo, CheckerContext &C,
const Stmt *S) {
if (!S)
return AF_None;
if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD)
FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl());
ASTContext &Ctx = C.getASTContext();
if (MemFunctionInfo.isCMemFunction(FD, Ctx, AF_Malloc,
MemoryOperationKind::MOK_Any))
return AF_Malloc;
if (MemFunctionInfo.isStandardNewDelete(FD, Ctx)) {
OverloadedOperatorKind Kind = FD->getOverloadedOperator();
if (Kind == OO_New || Kind == OO_Delete)
return AF_CXXNew;
else if (Kind == OO_Array_New || Kind == OO_Array_Delete)
return AF_CXXNewArray;
}
if (MemFunctionInfo.isCMemFunction(FD, Ctx, AF_IfNameIndex,
MemoryOperationKind::MOK_Any))
return AF_IfNameIndex;
if (MemFunctionInfo.isCMemFunction(FD, Ctx, AF_Alloca,
MemoryOperationKind::MOK_Any))
return AF_Alloca;
return AF_None;
}
if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S))
return NE->isArray() ? AF_CXXNewArray : AF_CXXNew;
if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S))
return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew;
if (isa<ObjCMessageExpr>(S))
return AF_Malloc;
return AF_None;
}
static bool printAllocDeallocName(raw_ostream &os, CheckerContext &C,
const Expr *E) {
if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
// FIXME: This doesn't handle indirect calls. // FIXME: This doesn't handle indirect calls.
const FunctionDecl *FD = CE->getDirectCallee(); const FunctionDecl *FD = CE->getDirectCallee();
if (!FD) if (!FD)
return false; return false;
os << *FD; os << *FD;
if (!FD->isOverloadedOperator()) if (!FD->isOverloadedOperator())
Show All 22 Lines os << "'"
<< getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator()) << getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator())
<< "'"; << "'";
return true; return true;
} }
return false; return false;
} }
static void printExpectedAllocName(raw_ostream &os, static void printExpectedAllocName(raw_ostream &os, AllocationFamily Family) {
const MemFunctionInfoTy &MemFunctionInfo,
CheckerContext &C, const Expr *E) {
AllocationFamily Family = getAllocationFamily(MemFunctionInfo, C, E);
switch(Family) { switch(Family) {
case AF_Malloc: os << "malloc()"; return; case AF_Malloc: os << "malloc()"; return;
case AF_CXXNew: os << "'new'"; return; case AF_CXXNew: os << "'new'"; return;
case AF_CXXNewArray: os << "'new[]'"; return; case AF_CXXNewArray: os << "'new[]'"; return;
case AF_IfNameIndex: os << "'if_nameindex()'"; return; case AF_IfNameIndex: os << "'if_nameindex()'"; return;
case AF_InnerBuffer: os << "container-specific allocator"; return; case AF_InnerBuffer: os << "container-specific allocator"; return;
case AF_Alloca: case AF_Alloca:
case AF_None: llvm_unreachable("not a deallocation expression"); case AF_None: llvm_unreachable("not a deallocation expression");
} }
} }
static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) { static void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) {
switch(Family) { switch(Family) {
case AF_Malloc: os << "free()"; return; case AF_Malloc: os << "free()"; return;
case AF_CXXNew: os << "'delete'"; return; case AF_CXXNew: os << "'delete'"; return;
case AF_CXXNewArray: os << "'delete[]'"; return; case AF_CXXNewArray: os << "'delete[]'"; return;
case AF_IfNameIndex: os << "'if_freenameindex()'"; return; case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
case AF_InnerBuffer: os << "container-specific deallocator"; return; case AF_InnerBuffer: os << "container-specific deallocator"; return;
case AF_Alloca: case AF_Alloca:
case AF_None: llvm_unreachable("suspicious argument"); case AF_None: llvm_unreachable("suspicious argument");
} }
} }
ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, ProgramStateRef MallocChecker::FreeMemAux(
const Expr *ArgExpr, CheckerContext &C, const Expr *ArgExpr, const Expr *ParentExpr,
const Expr *ParentExpr, ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated,
ProgramStateRef State, bool Hold, AllocationFamily Family, bool ReturnsNullOnFailure) const {
bool &IsKnownToBeAllocated,
bool ReturnsNullOnFailure) const {
if (!State) if (!State)
return nullptr; return nullptr;
SVal ArgVal = C.getSVal(ArgExpr); SVal ArgVal = C.getSVal(ArgExpr);
if (!ArgVal.getAs<DefinedOrUnknownSVal>()) if (!ArgVal.getAs<DefinedOrUnknownSVal>())
return nullptr; return nullptr;
DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
Show All 13 LinesProgramStateRef MallocChecker::FreeMemAux(
if (ArgVal.isUnknownOrUndef()) if (ArgVal.isUnknownOrUndef())
return nullptr; return nullptr;
const MemRegion *R = ArgVal.getAsRegion(); const MemRegion *R = ArgVal.getAsRegion();
// Nonlocs can't be freed, of course. // Nonlocs can't be freed, of course.
// Non-region locations (labels and fixed addresses) also shouldn't be freed. // Non-region locations (labels and fixed addresses) also shouldn't be freed.
if (!R) { if (!R) {
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family);
return nullptr; return nullptr;
} }
R = R->StripCasts(); R = R->StripCasts();
// Blocks might show up as heap data, but should not be free()d // Blocks might show up as heap data, but should not be free()d
if (isa<BlockDataRegion>(R)) { if (isa<BlockDataRegion>(R)) {
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family);
return nullptr; return nullptr;
} }
const MemSpaceRegion *MS = R->getMemorySpace(); const MemSpaceRegion *MS = R->getMemorySpace();
// Parameters, locals, statics, globals, and memory returned by // Parameters, locals, statics, globals, and memory returned by
// __builtin_alloca() shouldn't be freed. // __builtin_alloca() shouldn't be freed.
if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {
// FIXME: at the time this code was written, malloc() regions were // FIXME: at the time this code was written, malloc() regions were
// represented by conjured symbols, which are all in UnknownSpaceRegion. // represented by conjured symbols, which are all in UnknownSpaceRegion.
// This means that there isn't actually anything from HeapSpaceRegion // This means that there isn't actually anything from HeapSpaceRegion
// that should be freed, even though we allow it here. // that should be freed, even though we allow it here.
// Of course, free() can work on memory allocated outside the current // Of course, free() can work on memory allocated outside the current
// function, so UnknownSpaceRegion is always a possibility. // function, so UnknownSpaceRegion is always a possibility.
// False negatives are better than false positives. // False negatives are better than false positives.
if (isa<AllocaRegion>(R)) if (isa<AllocaRegion>(R))
ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
else else
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family);
return nullptr; return nullptr;
} }
const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
// Various cases could lead to non-symbol values here. // Various cases could lead to non-symbol values here.
// For now, ignore them. // For now, ignore them.
if (!SrBase) if (!SrBase)
Show All 22 Lines if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
return nullptr; return nullptr;
// If the pointer is allocated or escaped, but we are now trying to free it, // If the pointer is allocated or escaped, but we are now trying to free it,
// check that the call to free is proper. // check that the call to free is proper.
} else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() || } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
RsBase->isEscaped()) { RsBase->isEscaped()) {
// Check if an expected deallocation function matches the real one. // Check if an expected deallocation function matches the real one.
bool DeallocMatchesAlloc = bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family;
RsBase->getAllocationFamily() ==
getAllocationFamily(MemFunctionInfo, C, ParentExpr);
if (!DeallocMatchesAlloc) { if (!DeallocMatchesAlloc) {
ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
ParentExpr, RsBase, SymBase, Hold); ParentExpr, RsBase, SymBase, Hold);
return nullptr; return nullptr;
} }
// Check if the memory location being freed is the actual location // Check if the memory location being freed is the actual location
// allocated, or an offset. // allocated, or an offset.
RegionOffset Offset = R->getAsOffset(); RegionOffset Offset = R->getAsOffset();
if (Offset.isValid() && if (Offset.isValid() &&
!Offset.hasSymbolicOffset() && !Offset.hasSymbolicOffset() &&
Offset.getOffset() != 0) { Offset.getOffset() != 0) {
const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
AllocExpr); Family, AllocExpr);
return nullptr; return nullptr;
} }
} }
} }
if (SymBase->getType()->isFunctionPointerType()) { if (SymBase->getType()->isFunctionPointerType()) {
ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr); ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
Family);
return nullptr; return nullptr;
} }
// Clean out the info on previous call to free return info. // Clean out the info on previous call to free return info.
State = State->remove<FreeReturnValue>(SymBase); State = State->remove<FreeReturnValue>(SymBase);
// Keep track of the return value. If it is NULL, we will know that free // Keep track of the return value. If it is NULL, we will know that free
// failed. // failed.
if (ReturnsNullOnFailure) { if (ReturnsNullOnFailure) {
SVal RetVal = C.getSVal(ParentExpr); SVal RetVal = C.getSVal(ParentExpr);
SymbolRef RetStatusSymbol = RetVal.getAsSymbol(); SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
if (RetStatusSymbol) { if (RetStatusSymbol) {
C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol); C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol); State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
} }
} }
AllocationFamily Family = // If we don't know anything about this symbol, a free on it may be totally
RsBase ? RsBase->getAllocationFamily() // valid. If this is the case, lets assume that the allocation family of the
: getAllocationFamily(MemFunctionInfo, C, ParentExpr); // freeing function is the same as the symbols allocation family, and go with
// that.
assert(!RsBase || (RsBase && RsBase->getAllocationFamily() == Family));
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Please add an && "<Error message>" to the assertion.

baloghadamsoftware: Please add an `&& "<Error message>"` to the assertion.
// Normal free. // Normal free.
if (Hold) if (Hold)
return State->set<RegionState>(SymBase, return State->set<RegionState>(SymBase,
RefState::getRelinquished(Family, RefState::getRelinquished(Family,
ParentExpr)); ParentExpr));
return State->set<RegionState>(SymBase, return State->set<RegionState>(SymBase,
RefState::getReleased(Family, ParentExpr)); RefState::getReleased(Family, ParentExpr));
Show All 30 LinesMallocChecker::getCheckIfTracked(AllocationFamily Family,
case AF_None: { case AF_None: {
llvm_unreachable("no family"); llvm_unreachable("no family");
} }
} }
llvm_unreachable("unhandled family"); llvm_unreachable("unhandled family");
} }
Optional<MallocChecker::CheckKind> Optional<MallocChecker::CheckKind>
MallocChecker::getCheckIfTracked(CheckerContext &C,
const Stmt *AllocDeallocStmt,
bool IsALeakCheck) const {
return getCheckIfTracked(
getAllocationFamily(MemFunctionInfo, C, AllocDeallocStmt), IsALeakCheck);
}
Optional<MallocChecker::CheckKind>
MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym, MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
bool IsALeakCheck) const { bool IsALeakCheck) const {
if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
return CK_MallocChecker; return CK_MallocChecker;
const RefState *RS = C.getState()->get<RegionState>(Sym); const RefState *RS = C.getState()->get<RegionState>(Sym);
assert(RS); assert(RS);
return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck); return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
▲ Show 20 LinesShow All 82 Lines▼ Show 20 Lines default: {
} }
return false; return false;
} }
} }
} }
void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
SourceRange Range, SourceRange Range, const Expr *DeallocExpr,
const Expr *DeallocExpr) const { AllocationFamily Family) const {
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] &&
!ChecksEnabled[CK_NewDeleteChecker]) !ChecksEnabled[CK_NewDeleteChecker])
return; return;
Optional<MallocChecker::CheckKind> CheckKind = Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
getCheckIfTracked(C, DeallocExpr);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_BadFree[*CheckKind]) if (!BT_BadFree[*CheckKind])
BT_BadFree[*CheckKind].reset(new BugType( BT_BadFree[*CheckKind].reset(new BugType(
CheckNames[*CheckKind], "Bad free", categories::MemoryError)); CheckNames[*CheckKind], "Bad free", categories::MemoryError));
SmallString<100> buf; SmallString<100> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
const MemRegion *MR = ArgVal.getAsRegion(); const MemRegion *MR = ArgVal.getAsRegion();
while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
MR = ER->getSuperRegion(); MR = ER->getSuperRegion();
os << "Argument to "; os << "Argument to ";
if (!printAllocDeallocName(os, C, DeallocExpr)) if (!printMemFnName(os, C, DeallocExpr))
os << "deallocator"; os << "deallocator";
os << " is "; os << " is ";
bool Summarized = MR ? SummarizeRegion(os, MR) bool Summarized = MR ? SummarizeRegion(os, MR)
: SummarizeValue(os, ArgVal); : SummarizeValue(os, ArgVal);
if (Summarized) if (Summarized)
os << ", which is not memory allocated by "; os << ", which is not memory allocated by ";
else else
os << "not memory allocated by "; os << "not memory allocated by ";
printExpectedAllocName(os, MemFunctionInfo, C, DeallocExpr); printExpectedAllocName(os, Family);
auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
os.str(), N); os.str(), N);
R->markInteresting(MR); R->markInteresting(MR);
R->addRange(Range); R->addRange(Range);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
▲ Show 20 LinesShow All 45 Lines▼ Show 20 Lines if (ExplodedNode *N = C.generateErrorNode()) {
const Expr *AllocExpr = cast<Expr>(RS->getStmt()); const Expr *AllocExpr = cast<Expr>(RS->getStmt());
SmallString<20> AllocBuf; SmallString<20> AllocBuf;
llvm::raw_svector_ostream AllocOs(AllocBuf); llvm::raw_svector_ostream AllocOs(AllocBuf);
SmallString<20> DeallocBuf; SmallString<20> DeallocBuf;
llvm::raw_svector_ostream DeallocOs(DeallocBuf); llvm::raw_svector_ostream DeallocOs(DeallocBuf);
if (OwnershipTransferred) { if (OwnershipTransferred) {
if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) if (printMemFnName(DeallocOs, C, DeallocExpr))
os << DeallocOs.str() << " cannot"; os << DeallocOs.str() << " cannot";
else else
os << "Cannot"; os << "Cannot";
os << " take ownership of memory"; os << " take ownership of memory";
if (printAllocDeallocName(AllocOs, C, AllocExpr)) if (printMemFnName(AllocOs, C, AllocExpr))
os << " allocated by " << AllocOs.str(); os << " allocated by " << AllocOs.str();
} else { } else {
os << "Memory"; os << "Memory";
if (printAllocDeallocName(AllocOs, C, AllocExpr)) if (printMemFnName(AllocOs, C, AllocExpr))
os << " allocated by " << AllocOs.str(); os << " allocated by " << AllocOs.str();
os << " should be deallocated by "; os << " should be deallocated by ";
printExpectedDeallocName(os, RS->getAllocationFamily()); printExpectedDeallocName(os, RS->getAllocationFamily());
if (printAllocDeallocName(DeallocOs, C, DeallocExpr)) if (printMemFnName(DeallocOs, C, DeallocExpr))
os << ", not " << DeallocOs.str(); os << ", not " << DeallocOs.str();
} }
auto R = std::make_unique<PathSensitiveBugReport>(*BT_MismatchedDealloc, auto R = std::make_unique<PathSensitiveBugReport>(*BT_MismatchedDealloc,
os.str(), N); os.str(), N);
R->markInteresting(Sym); R->markInteresting(Sym);
R->addRange(Range); R->addRange(Range);
R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
SourceRange Range, const Expr *DeallocExpr, SourceRange Range, const Expr *DeallocExpr,
AllocationFamily Family,
const Expr *AllocExpr) const { const Expr *AllocExpr) const {
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] &&
!ChecksEnabled[CK_NewDeleteChecker]) !ChecksEnabled[CK_NewDeleteChecker])
return; return;
Optional<MallocChecker::CheckKind> CheckKind = Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
getCheckIfTracked(C, AllocExpr);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
ExplodedNode *N = C.generateErrorNode(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
if (!BT_OffsetFree[*CheckKind]) if (!BT_OffsetFree[*CheckKind])
Show All 12 Linesvoid MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
assert((Offset.isValid() && assert((Offset.isValid() &&
!Offset.hasSymbolicOffset() && !Offset.hasSymbolicOffset() &&
Offset.getOffset() != 0) && Offset.getOffset() != 0) &&
"Only symbols with a valid offset can have offset free errors"); "Only symbols with a valid offset can have offset free errors");
int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth(); int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
os << "Argument to "; os << "Argument to ";
if (!printAllocDeallocName(os, C, DeallocExpr)) if (!printMemFnName(os, C, DeallocExpr))
os << "deallocator"; os << "deallocator";
os << " is offset by " os << " is offset by "
<< offsetBytes << offsetBytes
<< " " << " "
<< ((abs(offsetBytes) > 1) ? "bytes" : "byte") << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
<< " from the start of "; << " from the start of ";
if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) if (AllocExpr && printMemFnName(AllocNameOs, C, AllocExpr))
os << "memory allocated by " << AllocNameOs.str(); os << "memory allocated by " << AllocNameOs.str();
else else
os << "allocated memory"; os << "allocated memory";
auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind], auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind],
os.str(), N); os.str(), N);
R->markInteresting(MR->getBaseRegion()); R->markInteresting(MR->getBaseRegion());
R->addRange(Range); R->addRange(Range);
▲ Show 20 LinesShow All 121 Lines▼ Show 20 Lines if (Sym) {
R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
} }
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
SourceRange Range, SourceRange Range,
const Expr *FreeExpr) const { const Expr *FreeExpr,
AllocationFamily Family) const {
if (!ChecksEnabled[CK_MallocChecker]) if (!ChecksEnabled[CK_MallocChecker])
return; return;
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_BadFree[*CheckKind]) if (!BT_BadFree[*CheckKind])
BT_BadFree[*CheckKind].reset(new BugType( BT_BadFree[*CheckKind].reset(new BugType(
CheckNames[*CheckKind], "Bad free", categories::MemoryError)); CheckNames[*CheckKind], "Bad free", categories::MemoryError));
SmallString<100> Buf; SmallString<100> Buf;
llvm::raw_svector_ostream Os(Buf); llvm::raw_svector_ostream Os(Buf);
const MemRegion *MR = ArgVal.getAsRegion(); const MemRegion *MR = ArgVal.getAsRegion();
while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
MR = ER->getSuperRegion(); MR = ER->getSuperRegion();
Os << "Argument to "; Os << "Argument to ";
if (!printAllocDeallocName(Os, C, FreeExpr)) if (!printMemFnName(Os, C, FreeExpr))
Os << "deallocator"; Os << "deallocator";
Os << " is a function pointer"; Os << " is a function pointer";
auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
Os.str(), N); Os.str(), N);
R->markInteresting(MR); R->markInteresting(MR);
R->addRange(Range); R->addRange(Range);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C, ProgramStateRef
const CallExpr *CE, MallocChecker::ReallocMemAux(CheckerContext &C, const CallExpr *CE,
bool ShouldFreeOnFail, bool ShouldFreeOnFail, ProgramStateRef State,
ProgramStateRef State, AllocationFamily Family, bool SuffixWithN) const {
bool SuffixWithN) const {
if (!State) if (!State)
return nullptr; return nullptr;
if (SuffixWithN && CE->getNumArgs() < 3) if (SuffixWithN && CE->getNumArgs() < 3)
return nullptr; return nullptr;
else if (CE->getNumArgs() < 2) else if (CE->getNumArgs() < 2)
return nullptr; return nullptr;
Show All 30 LinesMallocChecker::ReallocMemAux(CheckerContext &C, const CallExpr *CE,
// We only assume exceptional states if they are definitely true; if the // We only assume exceptional states if they are definitely true; if the
// state is under-constrained, assume regular realloc behavior. // state is under-constrained, assume regular realloc behavior.
bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
// If the ptr is NULL and the size is not 0, the call is equivalent to // If the ptr is NULL and the size is not 0, the call is equivalent to
// malloc(size). // malloc(size).
if (PrtIsNull && !SizeIsZero) { if (PrtIsNull && !SizeIsZero) {
ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize, ProgramStateRef stateMalloc =
UndefinedVal(), StatePtrIsNull); MallocMemAux(C, CE, TotalSize, UndefinedVal(), StatePtrIsNull, Family);
return stateMalloc; return stateMalloc;
} }
if (PrtIsNull && SizeIsZero) if (PrtIsNull && SizeIsZero)
return State; return State;
// Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
assert(!PrtIsNull); assert(!PrtIsNull);
SymbolRef FromPtr = arg0Val.getAsSymbol(); SymbolRef FromPtr = arg0Val.getAsSymbol();
SVal RetVal = C.getSVal(CE); SVal RetVal = C.getSVal(CE);
SymbolRef ToPtr = RetVal.getAsSymbol(); SymbolRef ToPtr = RetVal.getAsSymbol();
if (!FromPtr || !ToPtr) if (!FromPtr || !ToPtr)
return nullptr; return nullptr;
bool IsKnownToBeAllocated = false; bool IsKnownToBeAllocated = false;
// If the size is 0, free the memory. // If the size is 0, free the memory.
if (SizeIsZero) if (SizeIsZero)
// The semantics of the return value are: // The semantics of the return value are:
// If size was equal to 0, either NULL or a pointer suitable to be passed // If size was equal to 0, either NULL or a pointer suitable to be passed
// to free() is returned. We just free the input pointer and do not add // to free() is returned. We just free the input pointer and do not add
// any constrains on the output pointer. // any constrains on the output pointer.
if (ProgramStateRef stateFree = if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, false,
FreeMemAux(C, CE, StateSizeIsZero, 0, false, IsKnownToBeAllocated)) IsKnownToBeAllocated, Family))
return stateFree; return stateFree;
// Default behavior. // Default behavior.
if (ProgramStateRef stateFree = if (ProgramStateRef stateFree =
FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocated)) { FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocated, Family)) {
ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize, ProgramStateRef stateRealloc =
UnknownVal(), stateFree); MallocMemAux(C, CE, TotalSize, UnknownVal(), stateFree, Family);
if (!stateRealloc) if (!stateRealloc)
return nullptr; return nullptr;
OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure; OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;
if (ShouldFreeOnFail) if (ShouldFreeOnFail)
Kind = OAR_FreeOnFailure; Kind = OAR_FreeOnFailure;
else if (!IsKnownToBeAllocated) else if (!IsKnownToBeAllocated)
Kind = OAR_DoNotTrackAfterFailure; Kind = OAR_DoNotTrackAfterFailure;
Show All 16 LinesProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE,
if (CE->getNumArgs() < 2) if (CE->getNumArgs() < 2)
return nullptr; return nullptr;
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
return MallocMemAux(C, CE, TotalSize, zeroVal, State); return MallocMemAux(C, CE, TotalSize, zeroVal, State, AF_Malloc);
} }
MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N, MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N,
SymbolRef Sym, SymbolRef Sym,
CheckerContext &C) { CheckerContext &C) {
const LocationContext *LeakContext = N->getLocationContext(); const LocationContext *LeakContext = N->getLocationContext();
// Walk the ExplodedGraph backwards and find the first node that referred to // Walk the ExplodedGraph backwards and find the first node that referred to
// the tracked symbol. // the tracked symbol.
▲ Show 20 LinesShow All 908 LinesShow Last 20 Lines