2009-11-12 16:38:56 +08:00
|
|
|
//=== MallocChecker.cpp - A malloc/free checker -------------------*- C++ -*--//
|
|
|
|
//
|
|
|
|
// The LLVM Compiler Infrastructure
|
|
|
|
//
|
|
|
|
// This file is distributed under the University of Illinois Open Source
|
|
|
|
// License. See LICENSE.TXT for details.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
//
|
|
|
|
// This file defines malloc/free checker, which checks for potential memory
|
|
|
|
// leaks, double free, and use-after-free problems.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
2011-02-28 09:26:35 +08:00
|
|
|
#include "ClangSACheckers.h"
|
2012-02-18 06:35:31 +08:00
|
|
|
#include "InterCheckerAPI.h"
|
2012-12-04 17:13:33 +08:00
|
|
|
#include "clang/AST/Attr.h"
|
|
|
|
#include "clang/Basic/SourceManager.h"
|
|
|
|
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
|
2011-03-01 09:16:21 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/Checker.h"
|
2011-02-28 09:26:35 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
|
2012-07-27 05:39:41 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
|
2012-12-04 17:13:33 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
|
2011-08-16 06:09:50 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
|
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
|
2011-02-10 09:03:03 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
|
2009-11-12 16:38:56 +08:00
|
|
|
#include "llvm/ADT/ImmutableMap.h"
|
2012-02-04 20:31:12 +08:00
|
|
|
#include "llvm/ADT/STLExtras.h"
|
2012-12-01 23:09:41 +08:00
|
|
|
#include "llvm/ADT/SmallString.h"
|
2012-09-22 09:24:42 +08:00
|
|
|
#include "llvm/ADT/StringExtras.h"
|
2012-02-22 11:14:20 +08:00
|
|
|
#include <climits>
|
|
|
|
|
2009-11-12 16:38:56 +08:00
|
|
|
using namespace clang;
|
2010-12-23 15:20:52 +08:00
|
|
|
using namespace ento;
|
2009-11-12 16:38:56 +08:00
|
|
|
|
|
|
|
namespace {
|
|
|
|
|
2009-12-11 08:55:44 +08:00
|
|
|
class RefState {
|
2012-06-21 04:57:46 +08:00
|
|
|
enum Kind { // Reference to allocated memory.
|
|
|
|
Allocated,
|
|
|
|
// Reference to released/freed memory.
|
|
|
|
Released,
|
|
|
|
// The responsibility for freeing resources has transfered from
|
|
|
|
// this reference. A relinquished symbol should not be freed.
|
2010-08-07 05:12:55 +08:00
|
|
|
Relinquished } K;
|
2009-11-17 15:54:15 +08:00
|
|
|
const Stmt *S;
|
|
|
|
|
2009-12-11 08:55:44 +08:00
|
|
|
public:
|
2009-11-17 15:54:15 +08:00
|
|
|
RefState(Kind k, const Stmt *s) : K(k), S(s) {}
|
|
|
|
|
2012-06-21 04:57:46 +08:00
|
|
|
bool isAllocated() const { return K == Allocated; }
|
2009-11-17 15:54:15 +08:00
|
|
|
bool isReleased() const { return K == Released; }
|
2012-06-21 04:57:46 +08:00
|
|
|
bool isRelinquished() const { return K == Relinquished; }
|
2012-03-01 02:42:47 +08:00
|
|
|
|
2012-02-14 02:05:39 +08:00
|
|
|
const Stmt *getStmt() const { return S; }
|
2009-11-17 15:54:15 +08:00
|
|
|
|
|
|
|
bool operator==(const RefState &X) const {
|
|
|
|
return K == X.K && S == X.S;
|
|
|
|
}
|
|
|
|
|
2012-06-21 04:57:46 +08:00
|
|
|
static RefState getAllocated(const Stmt *s) {
|
|
|
|
return RefState(Allocated, s);
|
2009-12-31 14:13:07 +08:00
|
|
|
}
|
2009-11-17 15:54:15 +08:00
|
|
|
static RefState getReleased(const Stmt *s) { return RefState(Released, s); }
|
2010-08-07 05:12:55 +08:00
|
|
|
static RefState getRelinquished(const Stmt *s) {
|
|
|
|
return RefState(Relinquished, s);
|
|
|
|
}
|
2009-11-17 15:54:15 +08:00
|
|
|
|
|
|
|
void Profile(llvm::FoldingSetNodeID &ID) const {
|
|
|
|
ID.AddInteger(K);
|
|
|
|
ID.AddPointer(S);
|
|
|
|
}
|
2013-01-03 09:30:12 +08:00
|
|
|
|
2013-01-13 03:30:44 +08:00
|
|
|
void dump(raw_ostream &OS) const {
|
2013-01-03 09:30:12 +08:00
|
|
|
static const char *Table[] = {
|
|
|
|
"Allocated",
|
|
|
|
"Released",
|
|
|
|
"Relinquished"
|
|
|
|
};
|
|
|
|
OS << Table[(unsigned) K];
|
|
|
|
}
|
|
|
|
|
|
|
|
LLVM_ATTRIBUTE_USED void dump() const {
|
|
|
|
dump(llvm::errs());
|
|
|
|
}
|
2009-11-12 16:38:56 +08:00
|
|
|
};
|
|
|
|
|
2012-09-13 06:57:34 +08:00
|
|
|
enum ReallocPairKind {
|
|
|
|
RPToBeFreedAfterFailure,
|
|
|
|
// The symbol has been freed when reallocation failed.
|
|
|
|
RPIsFreeOnFailure,
|
|
|
|
// The symbol does not need to be freed after reallocation fails.
|
|
|
|
RPDoNotTrackAfterFailure
|
|
|
|
};
|
|
|
|
|
2012-08-24 10:28:20 +08:00
|
|
|
/// \class ReallocPair
|
|
|
|
/// \brief Stores information about the symbol being reallocated by a call to
|
|
|
|
/// 'realloc' to allow modeling failed reallocation later in the path.
|
2012-02-15 08:11:25 +08:00
|
|
|
struct ReallocPair {
|
2012-08-24 10:28:20 +08:00
|
|
|
// \brief The symbol which realloc reallocated.
|
2012-02-15 08:11:25 +08:00
|
|
|
SymbolRef ReallocatedSym;
|
2012-09-13 06:57:34 +08:00
|
|
|
ReallocPairKind Kind;
|
2012-08-24 10:28:20 +08:00
|
|
|
|
2012-09-13 06:57:34 +08:00
|
|
|
ReallocPair(SymbolRef S, ReallocPairKind K) :
|
|
|
|
ReallocatedSym(S), Kind(K) {}
|
2012-02-15 08:11:25 +08:00
|
|
|
void Profile(llvm::FoldingSetNodeID &ID) const {
|
2012-09-13 06:57:34 +08:00
|
|
|
ID.AddInteger(Kind);
|
2012-02-15 08:11:25 +08:00
|
|
|
ID.AddPointer(ReallocatedSym);
|
|
|
|
}
|
|
|
|
bool operator==(const ReallocPair &X) const {
|
|
|
|
return ReallocatedSym == X.ReallocatedSym &&
|
2012-09-13 06:57:34 +08:00
|
|
|
Kind == X.Kind;
|
2012-02-15 08:11:25 +08:00
|
|
|
}
|
|
|
|
};
|
|
|
|
|
2013-01-08 08:25:29 +08:00
|
|
|
typedef std::pair<const ExplodedNode*, const MemRegion*> LeakInfo;
|
2012-03-22 03:45:08 +08:00
|
|
|
|
2012-02-09 04:13:28 +08:00
|
|
|
class MallocChecker : public Checker<check::DeadSymbols,
|
2012-12-20 08:38:25 +08:00
|
|
|
check::PointerEscape,
|
2012-01-05 07:48:37 +08:00
|
|
|
check::PreStmt<ReturnStmt>,
|
2012-02-15 05:55:24 +08:00
|
|
|
check::PreStmt<CallExpr>,
|
2012-02-09 04:13:28 +08:00
|
|
|
check::PostStmt<CallExpr>,
|
2012-03-22 08:57:20 +08:00
|
|
|
check::PostStmt<BlockExpr>,
|
2012-11-13 11:18:01 +08:00
|
|
|
check::PostObjCMessage,
|
2012-01-05 07:48:37 +08:00
|
|
|
check::Location,
|
2012-12-20 08:38:25 +08:00
|
|
|
eval::Assume>
|
2012-01-05 07:48:37 +08:00
|
|
|
{
|
2012-02-17 06:26:12 +08:00
|
|
|
mutable OwningPtr<BugType> BT_DoubleFree;
|
|
|
|
mutable OwningPtr<BugType> BT_Leak;
|
|
|
|
mutable OwningPtr<BugType> BT_UseFree;
|
|
|
|
mutable OwningPtr<BugType> BT_BadFree;
|
2013-02-08 07:05:47 +08:00
|
|
|
mutable OwningPtr<BugType> BT_OffsetFree;
|
2012-02-15 08:11:22 +08:00
|
|
|
mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc,
|
2012-02-22 11:14:20 +08:00
|
|
|
*II_valloc, *II_reallocf, *II_strndup, *II_strdup;
|
|
|
|
|
2009-11-12 16:38:56 +08:00
|
|
|
public:
|
2012-02-15 08:11:22 +08:00
|
|
|
MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0),
|
2012-02-22 11:14:20 +08:00
|
|
|
II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {}
|
2012-02-09 07:16:52 +08:00
|
|
|
|
|
|
|
/// In pessimistic mode, the checker assumes that it does not know which
|
|
|
|
/// functions might free the memory.
|
|
|
|
struct ChecksFilter {
|
|
|
|
DefaultBool CMallocPessimistic;
|
|
|
|
DefaultBool CMallocOptimistic;
|
|
|
|
};
|
|
|
|
|
|
|
|
ChecksFilter Filter;
|
|
|
|
|
2012-02-15 05:55:24 +08:00
|
|
|
void checkPreStmt(const CallExpr *S, CheckerContext &C) const;
|
2012-02-09 04:13:28 +08:00
|
|
|
void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
|
2012-11-13 11:18:01 +08:00
|
|
|
void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
|
2012-03-22 08:57:20 +08:00
|
|
|
void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
|
2011-02-28 09:26:35 +08:00
|
|
|
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
|
|
|
|
void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
|
2011-02-28 09:26:35 +08:00
|
|
|
bool Assumption) const;
|
2011-10-06 08:43:15 +08:00
|
|
|
void checkLocation(SVal l, bool isLoad, const Stmt *S,
|
|
|
|
CheckerContext &C) const;
|
2012-12-20 08:38:25 +08:00
|
|
|
|
|
|
|
ProgramStateRef checkPointerEscape(ProgramStateRef State,
|
|
|
|
const InvalidatedSymbols &Escaped,
|
2013-02-08 07:05:43 +08:00
|
|
|
const CallEvent *Call,
|
|
|
|
PointerEscapeKind Kind) const;
|
2009-12-31 14:13:07 +08:00
|
|
|
|
2012-05-02 08:05:20 +08:00
|
|
|
void printState(raw_ostream &Out, ProgramStateRef State,
|
|
|
|
const char *NL, const char *Sep) const;
|
|
|
|
|
2009-11-13 15:25:27 +08:00
|
|
|
private:
|
2012-02-15 05:55:24 +08:00
|
|
|
void initIdentifierInfo(ASTContext &C) const;
|
|
|
|
|
|
|
|
/// Check if this is one of the functions which can allocate/reallocate memory
|
|
|
|
/// pointed to by one of its arguments.
|
|
|
|
bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
|
2012-05-18 09:16:10 +08:00
|
|
|
bool isFreeFunction(const FunctionDecl *FD, ASTContext &C) const;
|
|
|
|
bool isAllocationFunction(const FunctionDecl *FD, ASTContext &C) const;
|
2012-02-15 05:55:24 +08:00
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
static ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
|
|
|
|
const CallExpr *CE,
|
|
|
|
const OwnershipAttr* Att);
|
2012-01-27 05:29:00 +08:00
|
|
|
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
|
2011-02-28 09:26:35 +08:00
|
|
|
const Expr *SizeEx, SVal Init,
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef state) {
|
2012-01-07 06:09:28 +08:00
|
|
|
return MallocMemAux(C, CE,
|
|
|
|
state->getSVal(SizeEx, C.getLocationContext()),
|
|
|
|
Init, state);
|
2010-06-01 11:01:33 +08:00
|
|
|
}
|
2012-02-23 03:24:52 +08:00
|
|
|
|
2012-01-27 05:29:00 +08:00
|
|
|
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
|
2011-02-28 09:26:35 +08:00
|
|
|
SVal SizeEx, SVal Init,
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef state);
|
2010-06-01 11:01:33 +08:00
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
/// Update the RefState to reflect the new memory allocation.
|
|
|
|
static ProgramStateRef MallocUpdateRefState(CheckerContext &C,
|
|
|
|
const CallExpr *CE,
|
|
|
|
ProgramStateRef state);
|
|
|
|
|
|
|
|
ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE,
|
|
|
|
const OwnershipAttr* Att) const;
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
|
2012-06-22 10:04:31 +08:00
|
|
|
ProgramStateRef state, unsigned Num,
|
2012-08-24 10:28:20 +08:00
|
|
|
bool Hold,
|
2012-11-13 11:18:01 +08:00
|
|
|
bool &ReleasedAllocated,
|
|
|
|
bool ReturnsNullOnFailure = false) const;
|
2012-06-22 10:04:31 +08:00
|
|
|
ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg,
|
|
|
|
const Expr *ParentExpr,
|
2012-11-13 11:18:01 +08:00
|
|
|
ProgramStateRef State,
|
2012-08-24 10:28:20 +08:00
|
|
|
bool Hold,
|
2012-11-13 11:18:01 +08:00
|
|
|
bool &ReleasedAllocated,
|
|
|
|
bool ReturnsNullOnFailure = false) const;
|
2009-12-12 20:29:38 +08:00
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE,
|
|
|
|
bool FreesMemOnFailure) const;
|
|
|
|
static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE);
|
2010-06-08 03:32:37 +08:00
|
|
|
|
2012-05-18 09:16:10 +08:00
|
|
|
///\brief Check if the memory associated with this symbol was released.
|
|
|
|
bool isReleased(SymbolRef Sym, CheckerContext &C) const;
|
|
|
|
|
2012-02-09 07:16:56 +08:00
|
|
|
bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
|
|
|
|
const Stmt *S = 0) const;
|
|
|
|
|
2012-02-15 05:55:24 +08:00
|
|
|
/// Check if the function is not known to us. So, for example, we could
|
|
|
|
/// conservatively assume it can free/reallocate it's pointer arguments.
|
2012-07-03 03:27:35 +08:00
|
|
|
bool doesNotFreeMemory(const CallEvent *Call,
|
2012-02-25 07:56:53 +08:00
|
|
|
ProgramStateRef State) const;
|
2012-02-15 05:55:24 +08:00
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
static bool SummarizeValue(raw_ostream &os, SVal V);
|
|
|
|
static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
|
2011-02-28 09:26:35 +08:00
|
|
|
void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange range) const;
|
2013-02-08 07:05:47 +08:00
|
|
|
void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range)const;
|
2012-02-09 14:25:51 +08:00
|
|
|
|
2012-02-24 05:38:21 +08:00
|
|
|
/// Find the location of the allocation for Sym on the path leading to the
|
|
|
|
/// exploded node N.
|
2012-03-22 03:45:08 +08:00
|
|
|
LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
|
|
|
|
CheckerContext &C) const;
|
2012-02-24 05:38:21 +08:00
|
|
|
|
2012-02-12 05:02:40 +08:00
|
|
|
void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
|
|
|
|
|
2012-02-09 14:25:51 +08:00
|
|
|
/// The bug visitor which allows us to print extra diagnostics along the
|
|
|
|
/// BugReport path. For example, showing the allocation site of the leaked
|
|
|
|
/// region.
|
2012-03-24 10:45:35 +08:00
|
|
|
class MallocBugVisitor : public BugReporterVisitorImpl<MallocBugVisitor> {
|
2012-02-09 14:25:51 +08:00
|
|
|
protected:
|
2012-02-17 06:26:07 +08:00
|
|
|
enum NotificationMode {
|
|
|
|
Normal,
|
|
|
|
ReallocationFailed
|
|
|
|
};
|
|
|
|
|
2012-02-09 14:25:51 +08:00
|
|
|
// The allocated region symbol tracked by the main analysis.
|
|
|
|
SymbolRef Sym;
|
|
|
|
|
2012-05-10 09:37:40 +08:00
|
|
|
// The mode we are in, i.e. what kind of diagnostics will be emitted.
|
|
|
|
NotificationMode Mode;
|
2012-03-24 11:15:09 +08:00
|
|
|
|
2012-05-10 09:37:40 +08:00
|
|
|
// A symbol from when the primary region should have been reallocated.
|
|
|
|
SymbolRef FailedReallocSymbol;
|
2012-03-24 11:15:09 +08:00
|
|
|
|
2012-05-10 09:37:40 +08:00
|
|
|
bool IsLeak;
|
|
|
|
|
|
|
|
public:
|
|
|
|
MallocBugVisitor(SymbolRef S, bool isLeak = false)
|
|
|
|
: Sym(S), Mode(Normal), FailedReallocSymbol(0), IsLeak(isLeak) {}
|
2012-03-24 11:15:09 +08:00
|
|
|
|
2012-02-09 14:25:51 +08:00
|
|
|
virtual ~MallocBugVisitor() {}
|
|
|
|
|
|
|
|
void Profile(llvm::FoldingSetNodeID &ID) const {
|
|
|
|
static int X = 0;
|
|
|
|
ID.AddPointer(&X);
|
|
|
|
ID.AddPointer(Sym);
|
|
|
|
}
|
|
|
|
|
2012-02-17 06:26:07 +08:00
|
|
|
inline bool isAllocated(const RefState *S, const RefState *SPrev,
|
|
|
|
const Stmt *Stmt) {
|
2012-02-09 14:25:51 +08:00
|
|
|
// Did not track -> allocated. Other state (released) -> allocated.
|
2012-02-17 06:26:07 +08:00
|
|
|
return (Stmt && isa<CallExpr>(Stmt) &&
|
|
|
|
(S && S->isAllocated()) && (!SPrev || !SPrev->isAllocated()));
|
2012-02-09 14:25:51 +08:00
|
|
|
}
|
|
|
|
|
2012-02-17 06:26:07 +08:00
|
|
|
inline bool isReleased(const RefState *S, const RefState *SPrev,
|
|
|
|
const Stmt *Stmt) {
|
2012-02-09 14:25:51 +08:00
|
|
|
// Did not track -> released. Other state (allocated) -> released.
|
2012-02-17 06:26:07 +08:00
|
|
|
return (Stmt && isa<CallExpr>(Stmt) &&
|
|
|
|
(S && S->isReleased()) && (!SPrev || !SPrev->isReleased()));
|
|
|
|
}
|
|
|
|
|
2012-06-22 10:04:31 +08:00
|
|
|
inline bool isRelinquished(const RefState *S, const RefState *SPrev,
|
|
|
|
const Stmt *Stmt) {
|
|
|
|
// Did not track -> relinquished. Other state (allocated) -> relinquished.
|
|
|
|
return (Stmt && (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) ||
|
|
|
|
isa<ObjCPropertyRefExpr>(Stmt)) &&
|
|
|
|
(S && S->isRelinquished()) &&
|
|
|
|
(!SPrev || !SPrev->isRelinquished()));
|
|
|
|
}
|
|
|
|
|
2012-02-17 06:26:07 +08:00
|
|
|
inline bool isReallocFailedCheck(const RefState *S, const RefState *SPrev,
|
|
|
|
const Stmt *Stmt) {
|
|
|
|
// If the expression is not a call, and the state change is
|
|
|
|
// released -> allocated, it must be the realloc return value
|
|
|
|
// check. If we have to handle more cases here, it might be cleaner just
|
|
|
|
// to track this extra bit in the state itself.
|
|
|
|
return ((!Stmt || !isa<CallExpr>(Stmt)) &&
|
|
|
|
(S && S->isAllocated()) && (SPrev && !SPrev->isAllocated()));
|
2012-02-09 14:25:51 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
|
|
|
|
const ExplodedNode *PrevN,
|
|
|
|
BugReporterContext &BRC,
|
|
|
|
BugReport &BR);
|
2012-05-10 09:37:40 +08:00
|
|
|
|
|
|
|
PathDiagnosticPiece* getEndPath(BugReporterContext &BRC,
|
|
|
|
const ExplodedNode *EndPathNode,
|
|
|
|
BugReport &BR) {
|
|
|
|
if (!IsLeak)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
PathDiagnosticLocation L =
|
|
|
|
PathDiagnosticLocation::createEndOfPath(EndPathNode,
|
|
|
|
BRC.getSourceManager());
|
|
|
|
// Do not add the statement itself as a range in case of leak.
|
|
|
|
return new PathDiagnosticEventPiece(L, BR.getDescription(), false);
|
|
|
|
}
|
|
|
|
|
2012-03-17 07:24:20 +08:00
|
|
|
private:
|
|
|
|
class StackHintGeneratorForReallocationFailed
|
|
|
|
: public StackHintGeneratorForSymbol {
|
|
|
|
public:
|
|
|
|
StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
|
|
|
|
: StackHintGeneratorForSymbol(S, M) {}
|
|
|
|
|
|
|
|
virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) {
|
2012-09-22 09:24:42 +08:00
|
|
|
// Printed parameters start at 1, not 0.
|
|
|
|
++ArgIndex;
|
|
|
|
|
2012-03-17 07:24:20 +08:00
|
|
|
SmallString<200> buf;
|
|
|
|
llvm::raw_svector_ostream os(buf);
|
|
|
|
|
2012-09-22 09:24:42 +08:00
|
|
|
os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
|
|
|
|
<< " parameter failed";
|
2012-03-17 07:24:20 +08:00
|
|
|
|
|
|
|
return os.str();
|
|
|
|
}
|
|
|
|
|
|
|
|
virtual std::string getMessageForReturn(const CallExpr *CallExpr) {
|
2012-03-17 07:44:28 +08:00
|
|
|
return "Reallocation of returned value failed";
|
2012-03-17 07:24:20 +08:00
|
|
|
}
|
|
|
|
};
|
2012-02-09 14:25:51 +08:00
|
|
|
};
|
2009-11-12 16:38:56 +08:00
|
|
|
};
|
2009-11-28 14:07:30 +08:00
|
|
|
} // end anonymous namespace
|
2009-11-12 16:38:56 +08:00
|
|
|
|
2012-11-02 09:54:06 +08:00
|
|
|
REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
|
|
|
|
REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
|
2009-11-12 16:38:56 +08:00
|
|
|
|
2012-11-13 11:18:01 +08:00
|
|
|
// A map from the freed symbol to the symbol representing the return value of
|
|
|
|
// the free function.
|
|
|
|
REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)
|
|
|
|
|
2012-02-12 05:02:35 +08:00
|
|
|
namespace {
|
|
|
|
class StopTrackingCallback : public SymbolVisitor {
|
|
|
|
ProgramStateRef state;
|
|
|
|
public:
|
|
|
|
StopTrackingCallback(ProgramStateRef st) : state(st) {}
|
|
|
|
ProgramStateRef getState() const { return state; }
|
|
|
|
|
|
|
|
bool VisitSymbol(SymbolRef sym) {
|
|
|
|
state = state->remove<RegionState>(sym);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
};
|
|
|
|
} // end anonymous namespace
|
|
|
|
|
2012-02-15 05:55:24 +08:00
|
|
|
void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
|
2012-05-19 06:47:40 +08:00
|
|
|
if (II_malloc)
|
|
|
|
return;
|
|
|
|
II_malloc = &Ctx.Idents.get("malloc");
|
|
|
|
II_free = &Ctx.Idents.get("free");
|
|
|
|
II_realloc = &Ctx.Idents.get("realloc");
|
|
|
|
II_reallocf = &Ctx.Idents.get("reallocf");
|
|
|
|
II_calloc = &Ctx.Idents.get("calloc");
|
|
|
|
II_valloc = &Ctx.Idents.get("valloc");
|
|
|
|
II_strdup = &Ctx.Idents.get("strdup");
|
|
|
|
II_strndup = &Ctx.Idents.get("strndup");
|
2012-02-09 04:13:28 +08:00
|
|
|
}
|
|
|
|
|
2012-02-15 05:55:24 +08:00
|
|
|
bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const {
|
2012-05-18 09:16:10 +08:00
|
|
|
if (isFreeFunction(FD, C))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
if (isAllocationFunction(FD, C))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool MallocChecker::isAllocationFunction(const FunctionDecl *FD,
|
|
|
|
ASTContext &C) const {
|
2012-02-15 10:12:00 +08:00
|
|
|
if (!FD)
|
|
|
|
return false;
|
2012-05-18 09:16:10 +08:00
|
|
|
|
2012-07-11 07:13:01 +08:00
|
|
|
if (FD->getKind() == Decl::Function) {
|
|
|
|
IdentifierInfo *FunI = FD->getIdentifier();
|
|
|
|
initIdentifierInfo(C);
|
|
|
|
|
|
|
|
if (FunI == II_malloc || FunI == II_realloc ||
|
|
|
|
FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc ||
|
|
|
|
FunI == II_strdup || FunI == II_strndup)
|
|
|
|
return true;
|
|
|
|
}
|
2012-02-15 05:55:24 +08:00
|
|
|
|
2012-05-18 09:16:10 +08:00
|
|
|
if (Filter.CMallocOptimistic && FD->hasAttrs())
|
|
|
|
for (specific_attr_iterator<OwnershipAttr>
|
|
|
|
i = FD->specific_attr_begin<OwnershipAttr>(),
|
|
|
|
e = FD->specific_attr_end<OwnershipAttr>();
|
|
|
|
i != e; ++i)
|
|
|
|
if ((*i)->getOwnKind() == OwnershipAttr::Returns)
|
|
|
|
return true;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const {
|
|
|
|
if (!FD)
|
|
|
|
return false;
|
|
|
|
|
2012-07-11 07:13:01 +08:00
|
|
|
if (FD->getKind() == Decl::Function) {
|
|
|
|
IdentifierInfo *FunI = FD->getIdentifier();
|
|
|
|
initIdentifierInfo(C);
|
2012-02-15 05:55:24 +08:00
|
|
|
|
2012-07-11 07:13:01 +08:00
|
|
|
if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf)
|
|
|
|
return true;
|
|
|
|
}
|
2012-02-15 05:55:24 +08:00
|
|
|
|
2012-05-18 09:16:10 +08:00
|
|
|
if (Filter.CMallocOptimistic && FD->hasAttrs())
|
|
|
|
for (specific_attr_iterator<OwnershipAttr>
|
|
|
|
i = FD->specific_attr_begin<OwnershipAttr>(),
|
|
|
|
e = FD->specific_attr_end<OwnershipAttr>();
|
|
|
|
i != e; ++i)
|
|
|
|
if ((*i)->getOwnKind() == OwnershipAttr::Takes ||
|
|
|
|
(*i)->getOwnKind() == OwnershipAttr::Holds)
|
|
|
|
return true;
|
2012-02-15 05:55:24 +08:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2012-02-09 04:13:28 +08:00
|
|
|
void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
|
2012-09-20 09:55:32 +08:00
|
|
|
if (C.wasInlined)
|
|
|
|
return;
|
|
|
|
|
2012-02-09 04:13:28 +08:00
|
|
|
const FunctionDecl *FD = C.getCalleeDecl(CE);
|
|
|
|
if (!FD)
|
|
|
|
return;
|
2012-02-15 08:11:22 +08:00
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
ProgramStateRef State = C.getState();
|
2012-08-24 10:28:20 +08:00
|
|
|
bool ReleasedAllocatedMemory = false;
|
2012-07-11 07:13:01 +08:00
|
|
|
|
|
|
|
if (FD->getKind() == Decl::Function) {
|
|
|
|
initIdentifierInfo(C.getASTContext());
|
|
|
|
IdentifierInfo *FunI = FD->getIdentifier();
|
|
|
|
|
|
|
|
if (FunI == II_malloc || FunI == II_valloc) {
|
|
|
|
if (CE->getNumArgs() < 1)
|
|
|
|
return;
|
|
|
|
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
|
|
|
|
} else if (FunI == II_realloc) {
|
|
|
|
State = ReallocMem(C, CE, false);
|
|
|
|
} else if (FunI == II_reallocf) {
|
|
|
|
State = ReallocMem(C, CE, true);
|
|
|
|
} else if (FunI == II_calloc) {
|
|
|
|
State = CallocMem(C, CE);
|
|
|
|
} else if (FunI == II_free) {
|
2012-08-24 10:28:20 +08:00
|
|
|
State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
|
2012-07-11 07:13:01 +08:00
|
|
|
} else if (FunI == II_strdup) {
|
|
|
|
State = MallocUpdateRefState(C, CE, State);
|
|
|
|
} else if (FunI == II_strndup) {
|
|
|
|
State = MallocUpdateRefState(C, CE, State);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (Filter.CMallocOptimistic) {
|
2012-02-23 03:24:52 +08:00
|
|
|
// Check all the attributes, if there are any.
|
|
|
|
// There can be multiple of these attributes.
|
|
|
|
if (FD->hasAttrs())
|
|
|
|
for (specific_attr_iterator<OwnershipAttr>
|
|
|
|
i = FD->specific_attr_begin<OwnershipAttr>(),
|
|
|
|
e = FD->specific_attr_end<OwnershipAttr>();
|
|
|
|
i != e; ++i) {
|
|
|
|
switch ((*i)->getOwnKind()) {
|
|
|
|
case OwnershipAttr::Returns:
|
|
|
|
State = MallocMemReturnsAttr(C, CE, *i);
|
|
|
|
break;
|
|
|
|
case OwnershipAttr::Takes:
|
|
|
|
case OwnershipAttr::Holds:
|
|
|
|
State = FreeMemAttr(C, CE, *i);
|
|
|
|
break;
|
|
|
|
}
|
2010-07-31 09:52:11 +08:00
|
|
|
}
|
|
|
|
}
|
2012-02-22 11:14:20 +08:00
|
|
|
C.addTransition(State);
|
2009-12-12 20:29:38 +08:00
|
|
|
}
|
|
|
|
|
2012-07-03 03:27:56 +08:00
|
|
|
static bool isFreeWhenDoneSetToZero(const ObjCMethodCall &Call) {
|
|
|
|
Selector S = Call.getSelector();
|
2012-06-23 06:08:09 +08:00
|
|
|
for (unsigned i = 1; i < S.getNumArgs(); ++i)
|
2012-06-22 10:04:31 +08:00
|
|
|
if (S.getNameForSlot(i).equals("freeWhenDone"))
|
|
|
|
if (Call.getArgSVal(i).isConstant(0))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2012-11-13 11:18:01 +08:00
|
|
|
void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
|
|
|
|
CheckerContext &C) const {
|
2012-12-11 08:17:53 +08:00
|
|
|
if (C.wasInlined)
|
|
|
|
return;
|
|
|
|
|
2012-06-22 10:04:31 +08:00
|
|
|
// If the first selector is dataWithBytesNoCopy, assume that the memory will
|
|
|
|
// be released with 'free' by the new object.
|
|
|
|
// Ex: [NSData dataWithBytesNoCopy:bytes length:10];
|
|
|
|
// Unless 'freeWhenDone' param set to 0.
|
|
|
|
// TODO: Check that the memory was allocated with malloc.
|
2012-08-24 10:28:20 +08:00
|
|
|
bool ReleasedAllocatedMemory = false;
|
2012-07-03 03:28:04 +08:00
|
|
|
Selector S = Call.getSelector();
|
2012-06-23 06:42:30 +08:00
|
|
|
if ((S.getNameForSlot(0) == "dataWithBytesNoCopy" ||
|
|
|
|
S.getNameForSlot(0) == "initWithBytesNoCopy" ||
|
|
|
|
S.getNameForSlot(0) == "initWithCharactersNoCopy") &&
|
2012-07-03 03:27:56 +08:00
|
|
|
!isFreeWhenDoneSetToZero(Call)){
|
2012-06-22 10:04:31 +08:00
|
|
|
unsigned int argIdx = 0;
|
2012-11-13 11:18:01 +08:00
|
|
|
ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(argIdx),
|
|
|
|
Call.getOriginExpr(), C.getState(), true,
|
|
|
|
ReleasedAllocatedMemory,
|
|
|
|
/* RetNullOnFailure*/ true);
|
|
|
|
|
|
|
|
C.addTransition(State);
|
2012-06-22 10:04:31 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
ProgramStateRef MallocChecker::MallocMemReturnsAttr(CheckerContext &C,
|
|
|
|
const CallExpr *CE,
|
|
|
|
const OwnershipAttr* Att) {
|
2010-08-19 07:23:40 +08:00
|
|
|
if (Att->getModule() != "malloc")
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
2010-07-31 09:52:11 +08:00
|
|
|
|
2010-08-19 07:23:40 +08:00
|
|
|
OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
|
2010-07-31 09:52:11 +08:00
|
|
|
if (I != E) {
|
2012-02-23 03:24:52 +08:00
|
|
|
return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState());
|
2010-07-31 09:52:11 +08:00
|
|
|
}
|
2012-02-23 03:24:52 +08:00
|
|
|
return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState());
|
2010-07-31 09:52:11 +08:00
|
|
|
}
|
|
|
|
|
2012-02-09 04:13:28 +08:00
|
|
|
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
|
2009-12-12 20:29:38 +08:00
|
|
|
const CallExpr *CE,
|
2010-06-01 11:01:33 +08:00
|
|
|
SVal Size, SVal Init,
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef state) {
|
2012-06-07 11:57:32 +08:00
|
|
|
|
|
|
|
// Bind the return value to the symbolic value from the heap region.
|
|
|
|
// TODO: We could rewrite post visit to eval call; 'malloc' does not have
|
|
|
|
// side effects other than what we model here.
|
2012-08-22 14:26:15 +08:00
|
|
|
unsigned Count = C.blockCount();
|
2012-06-07 11:57:32 +08:00
|
|
|
SValBuilder &svalBuilder = C.getSValBuilder();
|
|
|
|
const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
|
2013-02-20 13:52:05 +08:00
|
|
|
DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
|
|
|
|
.castAs<DefinedSVal>();
|
2012-06-07 11:57:32 +08:00
|
|
|
state = state->BindExpr(CE, C.getLocationContext(), RetVal);
|
2009-12-11 11:09:01 +08:00
|
|
|
|
2012-02-15 08:11:22 +08:00
|
|
|
// We expect the malloc functions to return a pointer.
|
2013-02-20 13:52:05 +08:00
|
|
|
if (!RetVal.getAs<Loc>())
|
2012-02-15 08:11:22 +08:00
|
|
|
return 0;
|
|
|
|
|
2010-07-04 08:00:41 +08:00
|
|
|
// Fill the region with the initialization value.
|
2012-06-07 11:57:32 +08:00
|
|
|
state = state->bindDefault(RetVal, Init);
|
2010-06-01 11:01:33 +08:00
|
|
|
|
2010-07-04 08:00:41 +08:00
|
|
|
// Set the region's extent equal to the Size parameter.
|
2012-02-10 09:11:00 +08:00
|
|
|
const SymbolicRegion *R =
|
2012-06-07 11:57:32 +08:00
|
|
|
dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
|
2012-02-22 11:14:20 +08:00
|
|
|
if (!R)
|
2012-02-10 09:11:00 +08:00
|
|
|
return 0;
|
2013-02-20 13:52:05 +08:00
|
|
|
if (llvm::Optional<DefinedOrUnknownSVal> DefinedSize =
|
|
|
|
Size.getAs<DefinedOrUnknownSVal>()) {
|
2012-02-23 03:24:52 +08:00
|
|
|
SValBuilder &svalBuilder = C.getSValBuilder();
|
2012-02-22 11:14:20 +08:00
|
|
|
DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
|
|
|
|
DefinedOrUnknownSVal extentMatchesSize =
|
2013-02-20 13:52:05 +08:00
|
|
|
svalBuilder.evalEQ(state, Extent, *DefinedSize);
|
2012-02-22 11:14:20 +08:00
|
|
|
|
|
|
|
state = state->assume(extentMatchesSize, true);
|
|
|
|
assert(state);
|
|
|
|
}
|
2010-12-02 15:49:45 +08:00
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
return MallocUpdateRefState(C, CE, state);
|
|
|
|
}
|
|
|
|
|
|
|
|
ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
|
|
|
|
const CallExpr *CE,
|
|
|
|
ProgramStateRef state) {
|
|
|
|
// Get the return value.
|
|
|
|
SVal retVal = state->getSVal(CE, C.getLocationContext());
|
|
|
|
|
|
|
|
// We expect the malloc functions to return a pointer.
|
2013-02-20 13:52:05 +08:00
|
|
|
if (!retVal.getAs<Loc>())
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
|
|
|
|
2010-12-02 15:49:45 +08:00
|
|
|
SymbolRef Sym = retVal.getAsLocSymbol();
|
2009-11-12 16:38:56 +08:00
|
|
|
assert(Sym);
|
2010-12-02 15:49:45 +08:00
|
|
|
|
2009-11-12 16:38:56 +08:00
|
|
|
// Set the symbol's state to Allocated.
|
2012-06-21 04:57:46 +08:00
|
|
|
return state->set<RegionState>(Sym, RefState::getAllocated(CE));
|
2009-12-12 20:29:38 +08:00
|
|
|
|
|
|
|
}
|
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
|
|
|
|
const CallExpr *CE,
|
|
|
|
const OwnershipAttr* Att) const {
|
2010-08-19 07:23:40 +08:00
|
|
|
if (Att->getModule() != "malloc")
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
2010-07-31 09:52:11 +08:00
|
|
|
|
2012-03-02 06:06:06 +08:00
|
|
|
ProgramStateRef State = C.getState();
|
2012-08-24 10:28:20 +08:00
|
|
|
bool ReleasedAllocated = false;
|
2012-03-02 06:06:06 +08:00
|
|
|
|
2010-08-19 07:23:40 +08:00
|
|
|
for (OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
|
|
|
|
I != E; ++I) {
|
2012-03-02 06:06:06 +08:00
|
|
|
ProgramStateRef StateI = FreeMemAux(C, CE, State, *I,
|
2012-08-24 10:28:20 +08:00
|
|
|
Att->getOwnKind() == OwnershipAttr::Holds,
|
|
|
|
ReleasedAllocated);
|
2012-03-02 06:06:06 +08:00
|
|
|
if (StateI)
|
|
|
|
State = StateI;
|
2010-07-31 09:52:11 +08:00
|
|
|
}
|
2012-03-02 06:06:06 +08:00
|
|
|
return State;
|
2010-07-31 09:52:11 +08:00
|
|
|
}
|
|
|
|
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
|
2012-02-10 09:11:00 +08:00
|
|
|
const CallExpr *CE,
|
|
|
|
ProgramStateRef state,
|
|
|
|
unsigned Num,
|
2012-08-24 10:28:20 +08:00
|
|
|
bool Hold,
|
2012-11-13 11:18:01 +08:00
|
|
|
bool &ReleasedAllocated,
|
|
|
|
bool ReturnsNullOnFailure) const {
|
2012-04-11 07:41:11 +08:00
|
|
|
if (CE->getNumArgs() < (Num + 1))
|
|
|
|
return 0;
|
|
|
|
|
2012-11-13 11:18:01 +08:00
|
|
|
return FreeMemAux(C, CE->getArg(Num), CE, state, Hold,
|
|
|
|
ReleasedAllocated, ReturnsNullOnFailure);
|
|
|
|
}
|
|
|
|
|
2012-11-14 03:47:40 +08:00
|
|
|
/// Checks if the previous call to free on the given symbol failed - if free
|
|
|
|
/// failed, returns true. Also, returns the corresponding return value symbol.
|
2012-11-22 23:02:44 +08:00
|
|
|
static bool didPreviousFreeFail(ProgramStateRef State,
|
|
|
|
SymbolRef Sym, SymbolRef &RetStatusSymbol) {
|
2012-11-14 03:47:40 +08:00
|
|
|
const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
|
2012-11-13 11:18:01 +08:00
|
|
|
if (Ret) {
|
|
|
|
assert(*Ret && "We should not store the null return symbol");
|
|
|
|
ConstraintManager &CMgr = State->getConstraintManager();
|
|
|
|
ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
|
2012-11-14 03:47:40 +08:00
|
|
|
RetStatusSymbol = *Ret;
|
|
|
|
return FreeFailed.isConstrainedTrue();
|
2012-11-13 11:18:01 +08:00
|
|
|
}
|
2012-11-14 03:47:40 +08:00
|
|
|
return false;
|
2012-06-22 10:04:31 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
|
|
|
|
const Expr *ArgExpr,
|
|
|
|
const Expr *ParentExpr,
|
2012-11-13 11:18:01 +08:00
|
|
|
ProgramStateRef State,
|
2012-08-24 10:28:20 +08:00
|
|
|
bool Hold,
|
2012-11-13 11:18:01 +08:00
|
|
|
bool &ReleasedAllocated,
|
|
|
|
bool ReturnsNullOnFailure) const {
|
2012-06-22 10:04:31 +08:00
|
|
|
|
2012-11-13 11:18:01 +08:00
|
|
|
SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext());
|
2013-02-20 13:52:05 +08:00
|
|
|
if (!ArgVal.getAs<DefinedOrUnknownSVal>())
|
2012-02-10 09:11:00 +08:00
|
|
|
return 0;
|
2013-02-20 13:52:05 +08:00
|
|
|
DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
|
2010-07-31 09:52:11 +08:00
|
|
|
|
|
|
|
// Check for null dereferences.
|
2013-02-20 13:52:05 +08:00
|
|
|
if (!location.getAs<Loc>())
|
2012-02-09 04:13:28 +08:00
|
|
|
return 0;
|
2010-07-31 09:52:11 +08:00
|
|
|
|
2012-02-14 08:26:13 +08:00
|
|
|
// The explicit NULL case, no operation is performed.
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef notNullState, nullState;
|
2012-11-13 11:18:01 +08:00
|
|
|
llvm::tie(notNullState, nullState) = State->assume(location);
|
2010-07-31 09:52:11 +08:00
|
|
|
if (nullState && !notNullState)
|
2012-02-09 04:13:28 +08:00
|
|
|
return 0;
|
2010-07-31 09:52:11 +08:00
|
|
|
|
2010-06-08 03:32:37 +08:00
|
|
|
// Unknown values could easily be okay
|
|
|
|
// Undefined values are handled elsewhere
|
|
|
|
if (ArgVal.isUnknownOrUndef())
|
2012-02-09 04:13:28 +08:00
|
|
|
return 0;
|
2010-02-14 14:49:48 +08:00
|
|
|
|
2010-06-08 03:32:37 +08:00
|
|
|
const MemRegion *R = ArgVal.getAsRegion();
|
|
|
|
|
|
|
|
// Nonlocs can't be freed, of course.
|
|
|
|
// Non-region locations (labels and fixed addresses) also shouldn't be freed.
|
|
|
|
if (!R) {
|
|
|
|
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange());
|
2012-02-09 04:13:28 +08:00
|
|
|
return 0;
|
2010-06-08 03:32:37 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
R = R->StripCasts();
|
|
|
|
|
|
|
|
// Blocks might show up as heap data, but should not be free()d
|
|
|
|
if (isa<BlockDataRegion>(R)) {
|
|
|
|
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange());
|
2012-02-09 04:13:28 +08:00
|
|
|
return 0;
|
2010-06-08 03:32:37 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
const MemSpaceRegion *MS = R->getMemorySpace();
|
|
|
|
|
|
|
|
// Parameters, locals, statics, and globals shouldn't be freed.
|
|
|
|
if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {
|
|
|
|
// FIXME: at the time this code was written, malloc() regions were
|
|
|
|
// represented by conjured symbols, which are all in UnknownSpaceRegion.
|
|
|
|
// This means that there isn't actually anything from HeapSpaceRegion
|
|
|
|
// that should be freed, even though we allow it here.
|
|
|
|
// Of course, free() can work on memory allocated outside the current
|
|
|
|
// function, so UnknownSpaceRegion is always a possibility.
|
|
|
|
// False negatives are better than false positives.
|
|
|
|
|
|
|
|
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange());
|
2012-02-09 04:13:28 +08:00
|
|
|
return 0;
|
2010-06-08 03:32:37 +08:00
|
|
|
}
|
2013-02-08 07:05:47 +08:00
|
|
|
|
|
|
|
const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
|
2010-05-13 16:26:32 +08:00
|
|
|
// Various cases could lead to non-symbol values here.
|
2010-06-08 03:32:37 +08:00
|
|
|
// For now, ignore them.
|
2013-02-08 07:05:47 +08:00
|
|
|
if (!SrBase)
|
2012-02-09 04:13:28 +08:00
|
|
|
return 0;
|
2009-11-12 16:38:56 +08:00
|
|
|
|
2013-02-08 07:05:47 +08:00
|
|
|
SymbolRef SymBase = SrBase->getSymbol();
|
|
|
|
const RefState *RsBase = State->get<RegionState>(SymBase);
|
2012-11-14 03:47:40 +08:00
|
|
|
SymbolRef PreviousRetStatusSymbol = 0;
|
2010-01-18 11:27:34 +08:00
|
|
|
|
2009-11-12 16:38:56 +08:00
|
|
|
// Check double free.
|
2013-02-08 07:05:47 +08:00
|
|
|
if (RsBase &&
|
|
|
|
(RsBase->isReleased() || RsBase->isRelinquished()) &&
|
|
|
|
!didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
|
2012-11-13 11:18:01 +08:00
|
|
|
|
2010-12-21 05:19:09 +08:00
|
|
|
if (ExplodedNode *N = C.generateSink()) {
|
2009-11-12 16:38:56 +08:00
|
|
|
if (!BT_DoubleFree)
|
2011-02-28 09:26:35 +08:00
|
|
|
BT_DoubleFree.reset(
|
2012-02-17 06:26:12 +08:00
|
|
|
new BugType("Double free", "Memory Error"));
|
2013-02-08 07:05:47 +08:00
|
|
|
BugReport *R = new BugReport(*BT_DoubleFree,
|
|
|
|
(RsBase->isReleased() ? "Attempt to free released memory"
|
|
|
|
: "Attempt to free non-owned memory"),
|
|
|
|
N);
|
2012-02-17 06:26:07 +08:00
|
|
|
R->addRange(ArgExpr->getSourceRange());
|
2013-02-08 07:05:47 +08:00
|
|
|
R->markInteresting(SymBase);
|
2012-11-14 03:47:40 +08:00
|
|
|
if (PreviousRetStatusSymbol)
|
|
|
|
R->markInteresting(PreviousRetStatusSymbol);
|
2013-02-08 07:05:47 +08:00
|
|
|
R->addVisitor(new MallocBugVisitor(SymBase));
|
2012-11-02 09:53:40 +08:00
|
|
|
C.emitReport(R);
|
2009-11-12 16:38:56 +08:00
|
|
|
}
|
2012-02-09 04:13:28 +08:00
|
|
|
return 0;
|
2009-11-12 16:38:56 +08:00
|
|
|
}
|
|
|
|
|
2013-02-08 07:05:47 +08:00
|
|
|
// Check if the memory location being freed is the actual location
|
|
|
|
// allocated, or an offset.
|
|
|
|
RegionOffset Offset = R->getAsOffset();
|
|
|
|
if (RsBase && RsBase->isAllocated() &&
|
|
|
|
Offset.isValid() &&
|
|
|
|
!Offset.hasSymbolicOffset() &&
|
|
|
|
Offset.getOffset() != 0) {
|
|
|
|
ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange());
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
ReleasedAllocated = (RsBase != 0);
|
2012-08-24 10:28:20 +08:00
|
|
|
|
2012-11-14 03:47:40 +08:00
|
|
|
// Clean out the info on previous call to free return info.
|
2013-02-08 07:05:47 +08:00
|
|
|
State = State->remove<FreeReturnValue>(SymBase);
|
2012-11-14 03:47:40 +08:00
|
|
|
|
2012-11-13 11:18:01 +08:00
|
|
|
// Keep track of the return value. If it is NULL, we will know that free
|
|
|
|
// failed.
|
|
|
|
if (ReturnsNullOnFailure) {
|
|
|
|
SVal RetVal = C.getSVal(ParentExpr);
|
|
|
|
SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
|
|
|
|
if (RetStatusSymbol) {
|
2013-02-08 07:05:47 +08:00
|
|
|
C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
|
|
|
|
State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
|
2012-11-13 11:18:01 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-11-12 16:38:56 +08:00
|
|
|
// Normal free.
|
2013-02-08 07:05:47 +08:00
|
|
|
if (Hold) {
|
|
|
|
return State->set<RegionState>(SymBase,
|
|
|
|
RefState::getRelinquished(ParentExpr));
|
|
|
|
}
|
|
|
|
return State->set<RegionState>(SymBase, RefState::getReleased(ParentExpr));
|
2009-12-12 20:29:38 +08:00
|
|
|
}
|
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
|
2013-02-20 13:52:05 +08:00
|
|
|
if (llvm::Optional<nonloc::ConcreteInt> IntVal =
|
|
|
|
V.getAs<nonloc::ConcreteInt>())
|
2010-06-08 03:32:37 +08:00
|
|
|
os << "an integer (" << IntVal->getValue() << ")";
|
2013-02-20 13:52:05 +08:00
|
|
|
else if (llvm::Optional<loc::ConcreteInt> ConstAddr =
|
|
|
|
V.getAs<loc::ConcreteInt>())
|
2010-06-08 03:32:37 +08:00
|
|
|
os << "a constant address (" << ConstAddr->getValue() << ")";
|
2013-02-20 13:52:05 +08:00
|
|
|
else if (llvm::Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
|
2011-02-17 13:38:27 +08:00
|
|
|
os << "the address of the label '" << Label->getLabel()->getName() << "'";
|
2010-06-08 03:32:37 +08:00
|
|
|
else
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2011-08-13 07:37:29 +08:00
|
|
|
bool MallocChecker::SummarizeRegion(raw_ostream &os,
|
2010-06-08 03:32:37 +08:00
|
|
|
const MemRegion *MR) {
|
|
|
|
switch (MR->getKind()) {
|
|
|
|
case MemRegion::FunctionTextRegionKind: {
|
2012-09-18 03:13:56 +08:00
|
|
|
const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl();
|
2010-06-08 03:32:37 +08:00
|
|
|
if (FD)
|
2011-10-15 02:45:37 +08:00
|
|
|
os << "the address of the function '" << *FD << '\'';
|
2010-06-08 03:32:37 +08:00
|
|
|
else
|
|
|
|
os << "the address of a function";
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
case MemRegion::BlockTextRegionKind:
|
|
|
|
os << "block text";
|
|
|
|
return true;
|
|
|
|
case MemRegion::BlockDataRegionKind:
|
|
|
|
// FIXME: where the block came from?
|
|
|
|
os << "a block";
|
|
|
|
return true;
|
|
|
|
default: {
|
|
|
|
const MemSpaceRegion *MS = MR->getMemorySpace();
|
|
|
|
|
2012-01-05 07:54:01 +08:00
|
|
|
if (isa<StackLocalsSpaceRegion>(MS)) {
|
2010-06-08 03:32:37 +08:00
|
|
|
const VarRegion *VR = dyn_cast<VarRegion>(MR);
|
|
|
|
const VarDecl *VD;
|
|
|
|
if (VR)
|
|
|
|
VD = VR->getDecl();
|
|
|
|
else
|
|
|
|
VD = NULL;
|
|
|
|
|
|
|
|
if (VD)
|
|
|
|
os << "the address of the local variable '" << VD->getName() << "'";
|
|
|
|
else
|
|
|
|
os << "the address of a local stack variable";
|
|
|
|
return true;
|
|
|
|
}
|
2012-01-05 07:54:01 +08:00
|
|
|
|
|
|
|
if (isa<StackArgumentsSpaceRegion>(MS)) {
|
2010-06-08 03:32:37 +08:00
|
|
|
const VarRegion *VR = dyn_cast<VarRegion>(MR);
|
|
|
|
const VarDecl *VD;
|
|
|
|
if (VR)
|
|
|
|
VD = VR->getDecl();
|
|
|
|
else
|
|
|
|
VD = NULL;
|
|
|
|
|
|
|
|
if (VD)
|
|
|
|
os << "the address of the parameter '" << VD->getName() << "'";
|
|
|
|
else
|
|
|
|
os << "the address of a parameter";
|
|
|
|
return true;
|
|
|
|
}
|
2012-01-05 07:54:01 +08:00
|
|
|
|
|
|
|
if (isa<GlobalsSpaceRegion>(MS)) {
|
2010-06-08 03:32:37 +08:00
|
|
|
const VarRegion *VR = dyn_cast<VarRegion>(MR);
|
|
|
|
const VarDecl *VD;
|
|
|
|
if (VR)
|
|
|
|
VD = VR->getDecl();
|
|
|
|
else
|
|
|
|
VD = NULL;
|
|
|
|
|
|
|
|
if (VD) {
|
|
|
|
if (VD->isStaticLocal())
|
|
|
|
os << "the address of the static variable '" << VD->getName() << "'";
|
|
|
|
else
|
|
|
|
os << "the address of the global variable '" << VD->getName() << "'";
|
|
|
|
} else
|
|
|
|
os << "the address of a global variable";
|
|
|
|
return true;
|
|
|
|
}
|
2012-01-05 07:54:01 +08:00
|
|
|
|
|
|
|
return false;
|
2010-06-08 03:32:37 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
|
2011-02-28 09:26:35 +08:00
|
|
|
SourceRange range) const {
|
2010-12-21 05:19:09 +08:00
|
|
|
if (ExplodedNode *N = C.generateSink()) {
|
2010-06-08 03:32:37 +08:00
|
|
|
if (!BT_BadFree)
|
2012-02-17 06:26:12 +08:00
|
|
|
BT_BadFree.reset(new BugType("Bad free", "Memory Error"));
|
2010-06-08 03:32:37 +08:00
|
|
|
|
2012-02-05 10:13:05 +08:00
|
|
|
SmallString<100> buf;
|
2010-06-08 03:32:37 +08:00
|
|
|
llvm::raw_svector_ostream os(buf);
|
|
|
|
|
|
|
|
const MemRegion *MR = ArgVal.getAsRegion();
|
|
|
|
if (MR) {
|
|
|
|
while (const ElementRegion *ER = dyn_cast<ElementRegion>(MR))
|
|
|
|
MR = ER->getSuperRegion();
|
|
|
|
|
|
|
|
// Special case for alloca()
|
|
|
|
if (isa<AllocaRegion>(MR))
|
|
|
|
os << "Argument to free() was allocated by alloca(), not malloc()";
|
|
|
|
else {
|
|
|
|
os << "Argument to free() is ";
|
|
|
|
if (SummarizeRegion(os, MR))
|
|
|
|
os << ", which is not memory allocated by malloc()";
|
|
|
|
else
|
|
|
|
os << "not memory allocated by malloc()";
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
os << "Argument to free() is ";
|
|
|
|
if (SummarizeValue(os, ArgVal))
|
|
|
|
os << ", which is not memory allocated by malloc()";
|
|
|
|
else
|
|
|
|
os << "not memory allocated by malloc()";
|
|
|
|
}
|
|
|
|
|
2011-08-18 07:00:25 +08:00
|
|
|
BugReport *R = new BugReport(*BT_BadFree, os.str(), N);
|
2012-03-09 09:13:14 +08:00
|
|
|
R->markInteresting(MR);
|
2010-06-08 03:32:37 +08:00
|
|
|
R->addRange(range);
|
2012-11-02 09:53:40 +08:00
|
|
|
C.emitReport(R);
|
2010-06-08 03:32:37 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-02-08 07:05:47 +08:00
|
|
|
void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
|
|
|
|
SourceRange Range) const {
|
|
|
|
ExplodedNode *N = C.generateSink();
|
|
|
|
if (N == NULL)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (!BT_OffsetFree)
|
|
|
|
BT_OffsetFree.reset(new BugType("Offset free", "Memory Error"));
|
|
|
|
|
|
|
|
SmallString<100> buf;
|
|
|
|
llvm::raw_svector_ostream os(buf);
|
|
|
|
|
|
|
|
const MemRegion *MR = ArgVal.getAsRegion();
|
|
|
|
assert(MR && "Only MemRegion based symbols can have offset free errors");
|
|
|
|
|
|
|
|
RegionOffset Offset = MR->getAsOffset();
|
|
|
|
assert((Offset.isValid() &&
|
|
|
|
!Offset.hasSymbolicOffset() &&
|
|
|
|
Offset.getOffset() != 0) &&
|
|
|
|
"Only symbols with a valid offset can have offset free errors");
|
|
|
|
|
|
|
|
int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
|
|
|
|
|
|
|
|
os << "Argument to free() is offset by "
|
|
|
|
<< offsetBytes
|
|
|
|
<< " "
|
|
|
|
<< ((abs(offsetBytes) > 1) ? "bytes" : "byte")
|
|
|
|
<< " from the start of memory allocated by malloc()";
|
|
|
|
|
|
|
|
BugReport *R = new BugReport(*BT_OffsetFree, os.str(), N);
|
|
|
|
R->markInteresting(MR->getBaseRegion());
|
|
|
|
R->addRange(Range);
|
|
|
|
C.emitReport(R);
|
|
|
|
}
|
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
|
|
|
|
const CallExpr *CE,
|
|
|
|
bool FreesOnFail) const {
|
2012-04-11 07:41:11 +08:00
|
|
|
if (CE->getNumArgs() < 2)
|
|
|
|
return 0;
|
|
|
|
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef state = C.getState();
|
2010-12-02 15:49:45 +08:00
|
|
|
const Expr *arg0Expr = CE->getArg(0);
|
2012-01-07 06:09:28 +08:00
|
|
|
const LocationContext *LCtx = C.getLocationContext();
|
2012-02-10 09:11:00 +08:00
|
|
|
SVal Arg0Val = state->getSVal(arg0Expr, LCtx);
|
2013-02-20 13:52:05 +08:00
|
|
|
if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
2013-02-20 13:52:05 +08:00
|
|
|
DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
|
2009-12-12 20:29:38 +08:00
|
|
|
|
2010-12-02 05:28:31 +08:00
|
|
|
SValBuilder &svalBuilder = C.getSValBuilder();
|
2009-12-12 20:29:38 +08:00
|
|
|
|
2010-12-02 15:49:45 +08:00
|
|
|
DefinedOrUnknownSVal PtrEQ =
|
|
|
|
svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull());
|
2009-12-12 20:29:38 +08:00
|
|
|
|
2011-04-27 22:49:29 +08:00
|
|
|
// Get the size argument. If there is no size arg then give up.
|
|
|
|
const Expr *Arg1 = CE->getArg(1);
|
|
|
|
if (!Arg1)
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
2011-04-27 22:49:29 +08:00
|
|
|
|
|
|
|
// Get the value of the size argument.
|
2012-02-10 09:11:00 +08:00
|
|
|
SVal Arg1ValG = state->getSVal(Arg1, LCtx);
|
2013-02-20 13:52:05 +08:00
|
|
|
if (!Arg1ValG.getAs<DefinedOrUnknownSVal>())
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
2013-02-20 13:52:05 +08:00
|
|
|
DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>();
|
2011-04-27 22:49:29 +08:00
|
|
|
|
|
|
|
// Compare the size argument to 0.
|
|
|
|
DefinedOrUnknownSVal SizeZero =
|
|
|
|
svalBuilder.evalEQ(state, Arg1Val,
|
|
|
|
svalBuilder.makeIntValWithPtrWidth(0, false));
|
|
|
|
|
2012-02-14 02:05:39 +08:00
|
|
|
ProgramStateRef StatePtrIsNull, StatePtrNotNull;
|
|
|
|
llvm::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ);
|
|
|
|
ProgramStateRef StateSizeIsZero, StateSizeNotZero;
|
|
|
|
llvm::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero);
|
|
|
|
// We only assume exceptional states if they are definitely true; if the
|
|
|
|
// state is under-constrained, assume regular realloc behavior.
|
|
|
|
bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
|
|
|
|
bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
|
|
|
|
|
2011-04-27 22:49:29 +08:00
|
|
|
// If the ptr is NULL and the size is not 0, the call is equivalent to
|
|
|
|
// malloc(size).
|
2012-02-14 02:05:39 +08:00
|
|
|
if ( PrtIsNull && !SizeIsZero) {
|
2012-02-23 03:24:52 +08:00
|
|
|
ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1),
|
2012-02-14 02:05:39 +08:00
|
|
|
UndefinedVal(), StatePtrIsNull);
|
2012-02-23 03:24:52 +08:00
|
|
|
return stateMalloc;
|
2009-12-12 20:29:38 +08:00
|
|
|
}
|
|
|
|
|
2012-02-14 02:05:39 +08:00
|
|
|
if (PrtIsNull && SizeIsZero)
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
2011-04-27 22:49:29 +08:00
|
|
|
|
2012-02-14 04:57:07 +08:00
|
|
|
// Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
|
2012-02-14 02:05:39 +08:00
|
|
|
assert(!PrtIsNull);
|
2012-02-14 04:57:07 +08:00
|
|
|
SymbolRef FromPtr = arg0Val.getAsSymbol();
|
|
|
|
SVal RetVal = state->getSVal(CE, LCtx);
|
|
|
|
SymbolRef ToPtr = RetVal.getAsSymbol();
|
|
|
|
if (!FromPtr || !ToPtr)
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
2012-02-14 02:05:39 +08:00
|
|
|
|
2012-08-24 10:28:20 +08:00
|
|
|
bool ReleasedAllocated = false;
|
|
|
|
|
2012-02-14 02:05:39 +08:00
|
|
|
// If the size is 0, free the memory.
|
|
|
|
if (SizeIsZero)
|
2012-08-24 10:28:20 +08:00
|
|
|
if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0,
|
|
|
|
false, ReleasedAllocated)){
|
2012-02-14 02:05:39 +08:00
|
|
|
// The semantics of the return value are:
|
|
|
|
// If size was equal to 0, either NULL or a pointer suitable to be passed
|
2012-08-04 02:30:18 +08:00
|
|
|
// to free() is returned. We just free the input pointer and do not add
|
|
|
|
// any constrains on the output pointer.
|
2012-02-23 03:24:52 +08:00
|
|
|
return stateFree;
|
2012-02-14 02:05:39 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// Default behavior.
|
2012-08-24 10:28:20 +08:00
|
|
|
if (ProgramStateRef stateFree =
|
|
|
|
FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) {
|
|
|
|
|
2012-02-14 02:05:39 +08:00
|
|
|
ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1),
|
|
|
|
UnknownVal(), stateFree);
|
2012-02-14 04:57:07 +08:00
|
|
|
if (!stateRealloc)
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
2012-08-24 10:28:20 +08:00
|
|
|
|
2012-09-13 06:57:34 +08:00
|
|
|
ReallocPairKind Kind = RPToBeFreedAfterFailure;
|
|
|
|
if (FreesOnFail)
|
|
|
|
Kind = RPIsFreeOnFailure;
|
|
|
|
else if (!ReleasedAllocated)
|
|
|
|
Kind = RPDoNotTrackAfterFailure;
|
|
|
|
|
2012-08-24 10:28:20 +08:00
|
|
|
// Record the info about the reallocated symbol so that we could properly
|
|
|
|
// process failed reallocation.
|
2012-02-15 08:11:25 +08:00
|
|
|
stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
|
2012-09-13 06:57:34 +08:00
|
|
|
ReallocPair(FromPtr, Kind));
|
2012-08-24 10:28:20 +08:00
|
|
|
// The reallocated symbol should stay alive for as long as the new symbol.
|
2012-02-14 08:26:13 +08:00
|
|
|
C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
|
2012-02-23 03:24:52 +08:00
|
|
|
return stateRealloc;
|
2009-12-12 20:29:38 +08:00
|
|
|
}
|
2012-02-23 03:24:52 +08:00
|
|
|
return 0;
|
2009-11-12 16:38:56 +08:00
|
|
|
}
|
2009-11-13 15:25:27 +08:00
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){
|
2012-04-11 07:41:11 +08:00
|
|
|
if (CE->getNumArgs() < 2)
|
|
|
|
return 0;
|
|
|
|
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef state = C.getState();
|
2010-12-02 05:28:31 +08:00
|
|
|
SValBuilder &svalBuilder = C.getSValBuilder();
|
2012-01-07 06:09:28 +08:00
|
|
|
const LocationContext *LCtx = C.getLocationContext();
|
|
|
|
SVal count = state->getSVal(CE->getArg(0), LCtx);
|
|
|
|
SVal elementSize = state->getSVal(CE->getArg(1), LCtx);
|
2010-12-02 15:49:45 +08:00
|
|
|
SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize,
|
|
|
|
svalBuilder.getContext().getSizeType());
|
|
|
|
SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
|
2010-06-01 11:01:33 +08:00
|
|
|
|
2012-02-23 03:24:52 +08:00
|
|
|
return MallocMemAux(C, CE, TotalSize, zeroVal, state);
|
2010-06-01 11:01:33 +08:00
|
|
|
}
|
|
|
|
|
2012-03-22 03:45:08 +08:00
|
|
|
LeakInfo
|
2012-02-24 05:38:21 +08:00
|
|
|
MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
|
|
|
|
CheckerContext &C) const {
|
2012-02-28 07:40:55 +08:00
|
|
|
const LocationContext *LeakContext = N->getLocationContext();
|
2012-02-24 05:38:21 +08:00
|
|
|
// Walk the ExplodedGraph backwards and find the first node that referred to
|
|
|
|
// the tracked symbol.
|
|
|
|
const ExplodedNode *AllocNode = N;
|
2012-03-22 03:45:08 +08:00
|
|
|
const MemRegion *ReferenceRegion = 0;
|
2012-02-24 05:38:21 +08:00
|
|
|
|
|
|
|
while (N) {
|
2012-03-22 03:45:08 +08:00
|
|
|
ProgramStateRef State = N->getState();
|
|
|
|
if (!State->get<RegionState>(Sym))
|
2012-02-24 05:38:21 +08:00
|
|
|
break;
|
2012-03-22 03:45:08 +08:00
|
|
|
|
|
|
|
// Find the most recent expression bound to the symbol in the current
|
|
|
|
// context.
|
|
|
|
if (!ReferenceRegion) {
|
2012-03-22 05:03:48 +08:00
|
|
|
if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
|
|
|
|
SVal Val = State->getSVal(MR);
|
|
|
|
if (Val.getAsLocSymbol() == Sym)
|
|
|
|
ReferenceRegion = MR;
|
|
|
|
}
|
2012-03-22 03:45:08 +08:00
|
|
|
}
|
|
|
|
|
2012-02-28 07:40:55 +08:00
|
|
|
// Allocation node, is the last node in the current context in which the
|
|
|
|
// symbol was tracked.
|
|
|
|
if (N->getLocationContext() == LeakContext)
|
|
|
|
AllocNode = N;
|
2012-02-24 05:38:21 +08:00
|
|
|
N = N->pred_empty() ? NULL : *(N->pred_begin());
|
|
|
|
}
|
|
|
|
|
2013-01-08 08:25:29 +08:00
|
|
|
return LeakInfo(AllocNode, ReferenceRegion);
|
2012-02-24 05:38:21 +08:00
|
|
|
}
|
|
|
|
|
2012-02-12 05:02:40 +08:00
|
|
|
void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
|
|
|
|
CheckerContext &C) const {
|
|
|
|
assert(N);
|
|
|
|
if (!BT_Leak) {
|
2012-02-17 06:26:12 +08:00
|
|
|
BT_Leak.reset(new BugType("Memory leak", "Memory Error"));
|
2012-02-12 05:02:40 +08:00
|
|
|
// Leaks should not be reported if they are post-dominated by a sink:
|
|
|
|
// (1) Sinks are higher importance bugs.
|
|
|
|
// (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
|
|
|
|
// with __noreturn functions such as assert() or exit(). We choose not
|
|
|
|
// to report leaks on such paths.
|
|
|
|
BT_Leak->setSuppressOnSink(true);
|
|
|
|
}
|
|
|
|
|
2012-02-24 05:38:21 +08:00
|
|
|
// Most bug reports are cached at the location where they occurred.
|
|
|
|
// With leaks, we want to unique them by the location where they were
|
|
|
|
// allocated, and only report a single path.
|
2012-02-28 07:40:55 +08:00
|
|
|
PathDiagnosticLocation LocUsedForUniqueing;
|
2013-01-08 08:25:29 +08:00
|
|
|
const ExplodedNode *AllocNode = 0;
|
2012-03-22 03:45:08 +08:00
|
|
|
const MemRegion *Region = 0;
|
2013-01-08 08:25:29 +08:00
|
|
|
llvm::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
|
|
|
|
|
|
|
|
ProgramPoint P = AllocNode->getLocation();
|
|
|
|
const Stmt *AllocationStmt = 0;
|
|
|
|
if (CallExitEnd *Exit = dyn_cast<CallExitEnd>(&P))
|
|
|
|
AllocationStmt = Exit->getCalleeContext()->getCallSite();
|
|
|
|
else if (StmtPoint *SP = dyn_cast<StmtPoint>(&P))
|
|
|
|
AllocationStmt = SP->getStmt();
|
|
|
|
if (AllocationStmt)
|
|
|
|
LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
|
|
|
|
C.getSourceManager(),
|
|
|
|
AllocNode->getLocationContext());
|
2012-02-24 05:38:21 +08:00
|
|
|
|
2012-03-22 03:45:08 +08:00
|
|
|
SmallString<200> buf;
|
|
|
|
llvm::raw_svector_ostream os(buf);
|
|
|
|
os << "Memory is never released; potential leak";
|
2012-08-09 02:23:36 +08:00
|
|
|
if (Region && Region->canPrintPretty()) {
|
2012-03-22 03:45:08 +08:00
|
|
|
os << " of memory pointed to by '";
|
2012-08-09 02:23:36 +08:00
|
|
|
Region->printPretty(os);
|
2012-08-09 02:23:31 +08:00
|
|
|
os << '\'';
|
2012-03-22 03:45:08 +08:00
|
|
|
}
|
|
|
|
|
2013-01-08 08:25:29 +08:00
|
|
|
BugReport *R = new BugReport(*BT_Leak, os.str(), N,
|
|
|
|
LocUsedForUniqueing,
|
|
|
|
AllocNode->getLocationContext()->getDecl());
|
2012-03-09 09:13:14 +08:00
|
|
|
R->markInteresting(Sym);
|
2012-05-10 09:37:40 +08:00
|
|
|
R->addVisitor(new MallocBugVisitor(Sym, true));
|
2012-11-02 09:53:40 +08:00
|
|
|
C.emitReport(R);
|
2012-02-12 05:02:40 +08:00
|
|
|
}
|
|
|
|
|
2011-02-28 09:26:35 +08:00
|
|
|
void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
|
|
|
|
CheckerContext &C) const
|
2010-12-02 15:49:45 +08:00
|
|
|
{
|
2010-08-15 16:19:57 +08:00
|
|
|
if (!SymReaper.hasDeadSymbols())
|
|
|
|
return;
|
|
|
|
|
2012-01-27 05:29:00 +08:00
|
|
|
ProgramStateRef state = C.getState();
|
2010-08-15 16:19:57 +08:00
|
|
|
RegionStateTy RS = state->get<RegionState>();
|
2010-08-18 12:33:47 +08:00
|
|
|
RegionStateTy::Factory &F = state->get_context<RegionState>();
|
2010-08-15 16:19:57 +08:00
|
|
|
|
2013-01-13 03:30:44 +08:00
|
|
|
SmallVector<SymbolRef, 2> Errors;
|
2010-08-15 16:19:57 +08:00
|
|
|
for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
|
|
|
|
if (SymReaper.isDead(I->first)) {
|
2012-10-30 06:51:54 +08:00
|
|
|
if (I->second.isAllocated())
|
2012-02-09 14:48:19 +08:00
|
|
|
Errors.push_back(I->first);
|
2010-08-18 12:33:47 +08:00
|
|
|
// Remove the dead symbol from the map.
|
2010-11-24 08:54:37 +08:00
|
|
|
RS = F.remove(RS, I->first);
|
2011-07-29 07:07:51 +08:00
|
|
|
|
2009-11-13 15:48:11 +08:00
|
|
|
}
|
|
|
|
}
|
2011-07-29 07:07:51 +08:00
|
|
|
|
2012-02-14 02:05:39 +08:00
|
|
|
// Cleanup the Realloc Pairs Map.
|
2012-11-02 09:54:06 +08:00
|
|
|
ReallocPairsTy RP = state->get<ReallocPairs>();
|
|
|
|
for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
|
2012-02-15 08:11:25 +08:00
|
|
|
if (SymReaper.isDead(I->first) ||
|
|
|
|
SymReaper.isDead(I->second.ReallocatedSym)) {
|
2012-02-14 02:05:39 +08:00
|
|
|
state = state->remove<ReallocPairs>(I->first);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-11-13 11:18:01 +08:00
|
|
|
// Cleanup the FreeReturnValue Map.
|
|
|
|
FreeReturnValueTy FR = state->get<FreeReturnValue>();
|
|
|
|
for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
|
|
|
|
if (SymReaper.isDead(I->first) ||
|
|
|
|
SymReaper.isDead(I->second)) {
|
|
|
|
state = state->remove<FreeReturnValue>(I->first);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-02-24 05:38:21 +08:00
|
|
|
// Generate leak node.
|
2012-10-30 06:51:54 +08:00
|
|
|
ExplodedNode *N = C.getPredecessor();
|
|
|
|
if (!Errors.empty()) {
|
|
|
|
static SimpleProgramPointTag Tag("MallocChecker : DeadSymbolsLeak");
|
|
|
|
N = C.addTransition(C.getState(), C.getPredecessor(), &Tag);
|
2013-01-13 03:30:44 +08:00
|
|
|
for (SmallVector<SymbolRef, 2>::iterator
|
2012-10-30 06:51:54 +08:00
|
|
|
I = Errors.begin(), E = Errors.end(); I != E; ++I) {
|
2012-02-12 05:02:40 +08:00
|
|
|
reportLeak(*I, N, C);
|
2012-02-09 14:48:19 +08:00
|
|
|
}
|
2011-07-29 07:07:51 +08:00
|
|
|
}
|
2012-10-30 06:51:54 +08:00
|
|
|
|
2012-02-24 05:38:21 +08:00
|
|
|
C.addTransition(state->set<RegionState>(RS), N);
|
2009-11-13 15:25:27 +08:00
|
|
|
}
|
2009-11-17 15:54:15 +08:00
|
|
|
|
2012-02-15 05:55:24 +08:00
|
|
|
void MallocChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const {
|
2012-05-18 09:16:10 +08:00
|
|
|
// We will check for double free in the post visit.
|
|
|
|
if (isFreeFunction(C.getCalleeDecl(CE), C.getASTContext()))
|
2012-02-15 05:55:24 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
// Check use after free, when a freed pointer is passed to a call.
|
|
|
|
ProgramStateRef State = C.getState();
|
|
|
|
for (CallExpr::const_arg_iterator I = CE->arg_begin(),
|
|
|
|
E = CE->arg_end(); I != E; ++I) {
|
|
|
|
const Expr *A = *I;
|
|
|
|
if (A->getType().getTypePtr()->isAnyPointerType()) {
|
|
|
|
SymbolRef Sym = State->getSVal(A, C.getLocationContext()).getAsSymbol();
|
|
|
|
if (!Sym)
|
|
|
|
continue;
|
|
|
|
if (checkUseAfterFree(Sym, C, A))
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-02-09 07:16:56 +08:00
|
|
|
void MallocChecker::checkPreStmt(const ReturnStmt *S, CheckerContext &C) const {
|
|
|
|
const Expr *E = S->getRetValue();
|
|
|
|
if (!E)
|
|
|
|
return;
|
2012-02-12 05:44:39 +08:00
|
|
|
|
|
|
|
// Check if we are returning a symbol.
|
2012-08-09 02:23:31 +08:00
|
|
|
ProgramStateRef State = C.getState();
|
|
|
|
SVal RetVal = State->getSVal(E, C.getLocationContext());
|
2012-02-22 10:36:01 +08:00
|
|
|
SymbolRef Sym = RetVal.getAsSymbol();
|
|
|
|
if (!Sym)
|
|
|
|
// If we are returning a field of the allocated struct or an array element,
|
|
|
|
// the callee could still free the memory.
|
|
|
|
// TODO: This logic should be a part of generic symbol escape callback.
|
|
|
|
if (const MemRegion *MR = RetVal.getAsRegion())
|
|
|
|
if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR))
|
|
|
|
if (const SymbolicRegion *BMR =
|
|
|
|
dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
|
|
|
|
Sym = BMR->getSymbol();
|
2012-02-09 07:16:56 +08:00
|
|
|
|
2012-02-12 05:44:39 +08:00
|
|
|
// Check if we are returning freed memory.
|
2012-08-09 02:23:31 +08:00
|
|
|
if (Sym)
|
2012-11-16 03:11:33 +08:00
|
|
|
checkUseAfterFree(Sym, C, E);
|
2009-11-17 16:58:18 +08:00
|
|
|
}
|
2009-12-31 14:13:07 +08:00
|
|
|
|
2012-03-22 08:57:20 +08:00
|
|
|
// TODO: Blocks should be either inlined or should call invalidate regions
|
|
|
|
// upon invocation. After that's in place, special casing here will not be
|
|
|
|
// needed.
|
|
|
|
void MallocChecker::checkPostStmt(const BlockExpr *BE,
|
|
|
|
CheckerContext &C) const {
|
|
|
|
|
|
|
|
// Scan the BlockDecRefExprs for any object the retain count checker
|
|
|
|
// may be tracking.
|
|
|
|
if (!BE->getBlockDecl()->hasCaptures())
|
|
|
|
return;
|
|
|
|
|
|
|
|
ProgramStateRef state = C.getState();
|
|
|
|
const BlockDataRegion *R =
|
|
|
|
cast<BlockDataRegion>(state->getSVal(BE,
|
|
|
|
C.getLocationContext()).getAsRegion());
|
|
|
|
|
|
|
|
BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
|
|
|
|
E = R->referenced_vars_end();
|
|
|
|
|
|
|
|
if (I == E)
|
|
|
|
return;
|
|
|
|
|
|
|
|
SmallVector<const MemRegion*, 10> Regions;
|
|
|
|
const LocationContext *LC = C.getLocationContext();
|
|
|
|
MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
|
|
|
|
|
|
|
|
for ( ; I != E; ++I) {
|
2012-12-06 15:17:20 +08:00
|
|
|
const VarRegion *VR = I.getCapturedRegion();
|
2012-03-22 08:57:20 +08:00
|
|
|
if (VR->getSuperRegion() == R) {
|
|
|
|
VR = MemMgr.getVarRegion(VR->getDecl(), LC);
|
|
|
|
}
|
|
|
|
Regions.push_back(VR);
|
|
|
|
}
|
|
|
|
|
|
|
|
state =
|
|
|
|
state->scanReachableSymbols<StopTrackingCallback>(Regions.data(),
|
|
|
|
Regions.data() + Regions.size()).getState();
|
|
|
|
C.addTransition(state);
|
|
|
|
}
|
|
|
|
|
2012-05-18 09:16:10 +08:00
|
|
|
bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const {
|
2012-02-09 07:16:56 +08:00
|
|
|
assert(Sym);
|
|
|
|
const RefState *RS = C.getState()->get<RegionState>(Sym);
|
2012-05-18 09:16:10 +08:00
|
|
|
return (RS && RS->isReleased());
|
|
|
|
}
|
|
|
|
|
|
|
|
bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
|
|
|
|
const Stmt *S) const {
|
|
|
|
if (isReleased(Sym, C)) {
|
2012-02-12 07:46:36 +08:00
|
|
|
if (ExplodedNode *N = C.generateSink()) {
|
2012-02-09 07:16:56 +08:00
|
|
|
if (!BT_UseFree)
|
2012-02-17 06:26:12 +08:00
|
|
|
BT_UseFree.reset(new BugType("Use-after-free", "Memory Error"));
|
2012-02-09 07:16:56 +08:00
|
|
|
|
2012-02-17 06:26:12 +08:00
|
|
|
BugReport *R = new BugReport(*BT_UseFree,
|
|
|
|
"Use of memory after it is freed",N);
|
2012-02-09 07:16:56 +08:00
|
|
|
if (S)
|
|
|
|
R->addRange(S->getSourceRange());
|
2012-03-09 09:13:14 +08:00
|
|
|
R->markInteresting(Sym);
|
2012-02-09 14:25:51 +08:00
|
|
|
R->addVisitor(new MallocBugVisitor(Sym));
|
2012-11-02 09:53:40 +08:00
|
|
|
C.emitReport(R);
|
2012-02-09 07:16:56 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2010-03-10 12:58:55 +08:00
|
|
|
// Check if the location is a freed symbolic region.
|
2011-10-06 08:43:15 +08:00
|
|
|
void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
|
|
|
|
CheckerContext &C) const {
|
2010-03-10 12:58:55 +08:00
|
|
|
SymbolRef Sym = l.getLocSymbolInBase();
|
2012-02-09 07:16:56 +08:00
|
|
|
if (Sym)
|
2012-05-18 09:16:10 +08:00
|
|
|
checkUseAfterFree(Sym, C, S);
|
2010-03-10 12:58:55 +08:00
|
|
|
}
|
2010-07-31 09:52:11 +08:00
|
|
|
|
2012-02-12 05:02:35 +08:00
|
|
|
// If a symbolic region is assumed to NULL (or another constant), stop tracking
|
|
|
|
// it - assuming that allocation failed on this path.
|
|
|
|
ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
|
|
|
|
SVal Cond,
|
|
|
|
bool Assumption) const {
|
|
|
|
RegionStateTy RS = state->get<RegionState>();
|
|
|
|
for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
|
2012-09-08 06:31:01 +08:00
|
|
|
// If the symbol is assumed to be NULL, remove it from consideration.
|
2012-11-01 08:18:27 +08:00
|
|
|
ConstraintManager &CMgr = state->getConstraintManager();
|
|
|
|
ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
|
|
|
|
if (AllocFailed.isConstrainedTrue())
|
2012-02-12 05:02:35 +08:00
|
|
|
state = state->remove<RegionState>(I.getKey());
|
|
|
|
}
|
|
|
|
|
2012-02-14 02:05:39 +08:00
|
|
|
// Realloc returns 0 when reallocation fails, which means that we should
|
|
|
|
// restore the state of the pointer being reallocated.
|
2012-11-02 09:54:06 +08:00
|
|
|
ReallocPairsTy RP = state->get<ReallocPairs>();
|
|
|
|
for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
|
2012-09-08 06:31:01 +08:00
|
|
|
// If the symbol is assumed to be NULL, remove it from consideration.
|
2012-11-01 08:18:27 +08:00
|
|
|
ConstraintManager &CMgr = state->getConstraintManager();
|
|
|
|
ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
|
2012-11-01 08:25:15 +08:00
|
|
|
if (!AllocFailed.isConstrainedTrue())
|
2012-09-13 06:57:34 +08:00
|
|
|
continue;
|
2012-11-01 08:18:27 +08:00
|
|
|
|
2012-09-13 06:57:34 +08:00
|
|
|
SymbolRef ReallocSym = I.getData().ReallocatedSym;
|
|
|
|
if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
|
|
|
|
if (RS->isReleased()) {
|
|
|
|
if (I.getData().Kind == RPToBeFreedAfterFailure)
|
2012-02-15 08:11:25 +08:00
|
|
|
state = state->set<RegionState>(ReallocSym,
|
2012-09-13 06:57:34 +08:00
|
|
|
RefState::getAllocated(RS->getStmt()));
|
|
|
|
else if (I.getData().Kind == RPDoNotTrackAfterFailure)
|
|
|
|
state = state->remove<RegionState>(ReallocSym);
|
|
|
|
else
|
|
|
|
assert(I.getData().Kind == RPIsFreeOnFailure);
|
2012-02-14 02:05:39 +08:00
|
|
|
}
|
|
|
|
}
|
2012-09-13 06:57:34 +08:00
|
|
|
state = state->remove<ReallocPairs>(I.getKey());
|
2012-02-14 02:05:39 +08:00
|
|
|
}
|
|
|
|
|
2012-02-12 05:02:35 +08:00
|
|
|
return state;
|
|
|
|
}
|
|
|
|
|
2012-02-25 07:56:53 +08:00
|
|
|
// Check if the function is known to us. So, for example, we could
|
2012-07-03 03:27:35 +08:00
|
|
|
// conservatively assume it can free/reallocate its pointer arguments.
|
2012-02-15 05:55:24 +08:00
|
|
|
// (We assume that the pointers cannot escape through calls to system
|
|
|
|
// functions not handled by this checker.)
|
2012-07-03 03:27:35 +08:00
|
|
|
bool MallocChecker::doesNotFreeMemory(const CallEvent *Call,
|
2012-02-25 07:56:53 +08:00
|
|
|
ProgramStateRef State) const {
|
2012-07-03 03:27:51 +08:00
|
|
|
assert(Call);
|
2012-02-25 07:56:53 +08:00
|
|
|
|
|
|
|
// For now, assume that any C++ call can free memory.
|
|
|
|
// TODO: If we want to be more optimistic here, we'll need to make sure that
|
|
|
|
// regions escape to C++ containers. They seem to do that even now, but for
|
|
|
|
// mysterious reasons.
|
2012-07-03 03:27:56 +08:00
|
|
|
if (!(isa<FunctionCall>(Call) || isa<ObjCMethodCall>(Call)))
|
2012-02-25 07:56:53 +08:00
|
|
|
return false;
|
2012-02-15 05:55:24 +08:00
|
|
|
|
2012-07-03 03:27:35 +08:00
|
|
|
// Check Objective-C messages by selector name.
|
2012-07-03 03:27:56 +08:00
|
|
|
if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
|
2012-07-03 03:27:51 +08:00
|
|
|
// If it's not a framework call, or if it takes a callback, assume it
|
|
|
|
// can free memory.
|
|
|
|
if (!Call->isInSystemHeader() || Call->hasNonZeroCallbackArg())
|
2012-03-30 13:48:16 +08:00
|
|
|
return false;
|
|
|
|
|
2012-07-03 03:27:35 +08:00
|
|
|
Selector S = Msg->getSelector();
|
2012-02-25 07:56:53 +08:00
|
|
|
|
2012-07-03 03:27:35 +08:00
|
|
|
// Whitelist the ObjC methods which do free memory.
|
2012-02-25 07:56:53 +08:00
|
|
|
// - Anything containing 'freeWhenDone' param set to 1.
|
|
|
|
// Ex: dataWithBytesNoCopy:length:freeWhenDone.
|
2012-06-23 06:08:09 +08:00
|
|
|
for (unsigned i = 1; i < S.getNumArgs(); ++i) {
|
2012-02-25 07:56:53 +08:00
|
|
|
if (S.getNameForSlot(i).equals("freeWhenDone")) {
|
|
|
|
if (Call->getArgSVal(i).isConstant(1))
|
|
|
|
return false;
|
2012-03-06 01:42:10 +08:00
|
|
|
else
|
|
|
|
return true;
|
2012-02-25 07:56:53 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-03-06 01:42:10 +08:00
|
|
|
// If the first selector ends with NoCopy, assume that the ownership is
|
2012-06-02 18:20:41 +08:00
|
|
|
// transferred as well.
|
2012-03-06 01:42:10 +08:00
|
|
|
// Ex: [NSData dataWithBytesNoCopy:bytes length:10];
|
2012-07-03 03:27:35 +08:00
|
|
|
StringRef FirstSlot = S.getNameForSlot(0);
|
|
|
|
if (FirstSlot.endswith("NoCopy"))
|
2012-03-06 01:42:10 +08:00
|
|
|
return false;
|
|
|
|
|
2012-06-19 13:10:32 +08:00
|
|
|
// If the first selector starts with addPointer, insertPointer,
|
|
|
|
// or replacePointer, assume we are dealing with NSPointerArray or similar.
|
|
|
|
// This is similar to C++ containers (vector); we still might want to check
|
2012-07-03 03:27:35 +08:00
|
|
|
// that the pointers get freed by following the container itself.
|
|
|
|
if (FirstSlot.startswith("addPointer") ||
|
|
|
|
FirstSlot.startswith("insertPointer") ||
|
|
|
|
FirstSlot.startswith("replacePointer")) {
|
2012-06-19 13:10:32 +08:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2012-07-03 03:27:35 +08:00
|
|
|
// Otherwise, assume that the method does not free memory.
|
|
|
|
// Most framework methods do not free memory.
|
|
|
|
return true;
|
|
|
|
}
|
2012-05-04 07:50:28 +08:00
|
|
|
|
2012-07-03 03:27:35 +08:00
|
|
|
// At this point the only thing left to handle is straight function calls.
|
|
|
|
const FunctionDecl *FD = cast<FunctionCall>(Call)->getDecl();
|
|
|
|
if (!FD)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
ASTContext &ASTC = State->getStateManager().getContext();
|
|
|
|
|
|
|
|
// If it's one of the allocation functions we can reason about, we model
|
|
|
|
// its behavior explicitly.
|
|
|
|
if (isMemFunction(FD, ASTC))
|
2012-02-25 07:56:53 +08:00
|
|
|
return true;
|
2012-07-03 03:27:35 +08:00
|
|
|
|
|
|
|
// If it's not a system call, assume it frees memory.
|
|
|
|
if (!Call->isInSystemHeader())
|
|
|
|
return false;
|
|
|
|
|
|
|
|
// White list the system functions whose arguments escape.
|
|
|
|
const IdentifierInfo *II = FD->getIdentifier();
|
|
|
|
if (!II)
|
|
|
|
return false;
|
|
|
|
StringRef FName = II->getName();
|
|
|
|
|
|
|
|
// White list the 'XXXNoCopy' CoreFoundation functions.
|
2012-07-03 03:27:51 +08:00
|
|
|
// We specifically check these before
|
2012-07-03 03:27:35 +08:00
|
|
|
if (FName.endswith("NoCopy")) {
|
|
|
|
// Look for the deallocator argument. We know that the memory ownership
|
|
|
|
// is not transferred only if the deallocator argument is
|
|
|
|
// 'kCFAllocatorNull'.
|
|
|
|
for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
|
|
|
|
const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
|
|
|
|
if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
|
|
|
|
StringRef DeallocatorName = DE->getFoundDecl()->getName();
|
|
|
|
if (DeallocatorName == "kCFAllocatorNull")
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
2012-02-15 05:55:24 +08:00
|
|
|
}
|
|
|
|
|
2012-07-03 03:27:35 +08:00
|
|
|
// Associating streams with malloced buffers. The pointer can escape if
|
2012-07-03 03:27:51 +08:00
|
|
|
// 'closefn' is specified (and if that function does free memory),
|
|
|
|
// but it will not if closefn is not specified.
|
2012-07-03 03:27:35 +08:00
|
|
|
// Currently, we do not inspect the 'closefn' function (PR12101).
|
|
|
|
if (FName == "funopen")
|
2012-07-03 03:27:51 +08:00
|
|
|
if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
|
|
|
|
return true;
|
2012-02-25 07:56:53 +08:00
|
|
|
|
2012-07-03 03:27:35 +08:00
|
|
|
// Do not warn on pointers passed to 'setbuf' when used with std streams,
|
|
|
|
// these leaks might be intentional when setting the buffer for stdio.
|
|
|
|
// http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
|
|
|
|
if (FName == "setbuf" || FName =="setbuffer" ||
|
|
|
|
FName == "setlinebuf" || FName == "setvbuf") {
|
|
|
|
if (Call->getNumArgs() >= 1) {
|
|
|
|
const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
|
|
|
|
if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
|
|
|
|
if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
|
|
|
|
if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// A bunch of other functions which either take ownership of a pointer or
|
|
|
|
// wrap the result up in a struct or object, meaning it can be freed later.
|
|
|
|
// (See RetainCountChecker.) Not all the parameters here are invalidated,
|
|
|
|
// but the Malloc checker cannot differentiate between them. The right way
|
|
|
|
// of doing this would be to implement a pointer escapes callback.
|
|
|
|
if (FName == "CGBitmapContextCreate" ||
|
|
|
|
FName == "CGBitmapContextCreateWithData" ||
|
|
|
|
FName == "CVPixelBufferCreateWithBytes" ||
|
|
|
|
FName == "CVPixelBufferCreateWithPlanarBytes" ||
|
|
|
|
FName == "OSAtomicEnqueue") {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2012-07-03 03:27:51 +08:00
|
|
|
// Handle cases where we know a buffer's /address/ can escape.
|
|
|
|
// Note that the above checks handle some special cases where we know that
|
|
|
|
// even though the address escapes, it's still our responsibility to free the
|
|
|
|
// buffer.
|
|
|
|
if (Call->argumentsMayEscape())
|
2012-07-03 03:27:35 +08:00
|
|
|
return false;
|
|
|
|
|
|
|
|
// Otherwise, assume that the function does not free memory.
|
|
|
|
// Most system calls do not free the memory.
|
|
|
|
return true;
|
2012-02-15 05:55:24 +08:00
|
|
|
}
|
|
|
|
|
2012-12-20 08:38:25 +08:00
|
|
|
ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
|
|
|
|
const InvalidatedSymbols &Escaped,
|
2013-02-08 07:05:43 +08:00
|
|
|
const CallEvent *Call,
|
|
|
|
PointerEscapeKind Kind) const {
|
2012-12-20 08:38:25 +08:00
|
|
|
// If we know that the call does not free memory, keep tracking the top
|
|
|
|
// level arguments.
|
2013-02-08 07:05:43 +08:00
|
|
|
if ((Kind == PSK_DirectEscapeOnCall ||
|
|
|
|
Kind == PSK_IndirectEscapeOnCall) &&
|
|
|
|
doesNotFreeMemory(Call, State)) {
|
2012-02-15 05:55:24 +08:00
|
|
|
return State;
|
2013-02-08 07:05:43 +08:00
|
|
|
}
|
2012-02-25 07:56:53 +08:00
|
|
|
|
2012-12-20 08:38:25 +08:00
|
|
|
for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
|
|
|
|
E = Escaped.end();
|
|
|
|
I != E; ++I) {
|
2012-02-12 05:02:35 +08:00
|
|
|
SymbolRef sym = *I;
|
2012-12-20 08:38:25 +08:00
|
|
|
|
2012-06-22 10:04:31 +08:00
|
|
|
if (const RefState *RS = State->get<RegionState>(sym)) {
|
|
|
|
if (RS->isAllocated())
|
2012-08-09 08:42:24 +08:00
|
|
|
State = State->remove<RegionState>(sym);
|
2012-06-22 10:04:31 +08:00
|
|
|
}
|
2012-02-12 05:02:35 +08:00
|
|
|
}
|
2012-02-15 05:55:24 +08:00
|
|
|
return State;
|
2010-07-31 09:52:11 +08:00
|
|
|
}
|
2011-02-28 09:26:35 +08:00
|
|
|
|
2012-03-18 15:43:35 +08:00
|
|
|
static SymbolRef findFailedReallocSymbol(ProgramStateRef currState,
|
|
|
|
ProgramStateRef prevState) {
|
2012-11-02 09:54:06 +08:00
|
|
|
ReallocPairsTy currMap = currState->get<ReallocPairs>();
|
|
|
|
ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
|
2012-03-18 15:43:35 +08:00
|
|
|
|
2012-11-02 09:54:06 +08:00
|
|
|
for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end();
|
2012-03-18 15:43:35 +08:00
|
|
|
I != E; ++I) {
|
|
|
|
SymbolRef sym = I.getKey();
|
|
|
|
if (!currMap.lookup(sym))
|
|
|
|
return sym;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2012-02-09 14:25:51 +08:00
|
|
|
PathDiagnosticPiece *
|
|
|
|
MallocChecker::MallocBugVisitor::VisitNode(const ExplodedNode *N,
|
|
|
|
const ExplodedNode *PrevN,
|
|
|
|
BugReporterContext &BRC,
|
|
|
|
BugReport &BR) {
|
2012-03-18 15:43:35 +08:00
|
|
|
ProgramStateRef state = N->getState();
|
|
|
|
ProgramStateRef statePrev = PrevN->getState();
|
|
|
|
|
|
|
|
const RefState *RS = state->get<RegionState>(Sym);
|
|
|
|
const RefState *RSPrev = statePrev->get<RegionState>(Sym);
|
2012-08-04 02:30:18 +08:00
|
|
|
if (!RS)
|
2012-02-09 14:25:51 +08:00
|
|
|
return 0;
|
|
|
|
|
2012-02-17 06:26:07 +08:00
|
|
|
const Stmt *S = 0;
|
|
|
|
const char *Msg = 0;
|
2012-03-17 07:24:20 +08:00
|
|
|
StackHintGeneratorForSymbol *StackHint = 0;
|
2012-02-17 06:26:07 +08:00
|
|
|
|
|
|
|
// Retrieve the associated statement.
|
|
|
|
ProgramPoint ProgLoc = N->getLocation();
|
2013-01-05 03:04:36 +08:00
|
|
|
if (StmtPoint *SP = dyn_cast<StmtPoint>(&ProgLoc)) {
|
2012-07-11 06:07:52 +08:00
|
|
|
S = SP->getStmt();
|
2013-01-05 03:04:36 +08:00
|
|
|
} else if (CallExitEnd *Exit = dyn_cast<CallExitEnd>(&ProgLoc)) {
|
2012-07-11 06:07:52 +08:00
|
|
|
S = Exit->getCalleeContext()->getCallSite();
|
2013-01-05 03:04:36 +08:00
|
|
|
} else if (BlockEdge *Edge = dyn_cast<BlockEdge>(&ProgLoc)) {
|
|
|
|
// If an assumption was made on a branch, it should be caught
|
|
|
|
// here by looking at the state transition.
|
|
|
|
S = Edge->getSrc()->getTerminator();
|
2012-02-17 06:26:07 +08:00
|
|
|
}
|
2013-01-05 03:04:36 +08:00
|
|
|
|
2012-02-17 06:26:07 +08:00
|
|
|
if (!S)
|
2012-02-09 14:25:51 +08:00
|
|
|
return 0;
|
|
|
|
|
2012-07-11 06:07:42 +08:00
|
|
|
// FIXME: We will eventually need to handle non-statement-based events
|
|
|
|
// (__attribute__((cleanup))).
|
|
|
|
|
2012-02-09 14:25:51 +08:00
|
|
|
// Find out if this is an interesting point and what is the kind.
|
2012-02-17 06:26:07 +08:00
|
|
|
if (Mode == Normal) {
|
2012-03-16 05:13:02 +08:00
|
|
|
if (isAllocated(RS, RSPrev, S)) {
|
2012-02-17 06:26:07 +08:00
|
|
|
Msg = "Memory is allocated";
|
2012-03-17 07:44:28 +08:00
|
|
|
StackHint = new StackHintGeneratorForSymbol(Sym,
|
|
|
|
"Returned allocated memory");
|
2012-03-16 05:13:02 +08:00
|
|
|
} else if (isReleased(RS, RSPrev, S)) {
|
2012-02-17 06:26:07 +08:00
|
|
|
Msg = "Memory is released";
|
2012-03-17 07:44:28 +08:00
|
|
|
StackHint = new StackHintGeneratorForSymbol(Sym,
|
|
|
|
"Returned released memory");
|
2012-06-22 10:04:31 +08:00
|
|
|
} else if (isRelinquished(RS, RSPrev, S)) {
|
|
|
|
Msg = "Memory ownership is transfered";
|
|
|
|
StackHint = new StackHintGeneratorForSymbol(Sym, "");
|
2012-03-16 05:13:02 +08:00
|
|
|
} else if (isReallocFailedCheck(RS, RSPrev, S)) {
|
2012-02-17 06:26:07 +08:00
|
|
|
Mode = ReallocationFailed;
|
|
|
|
Msg = "Reallocation failed";
|
2012-03-17 07:24:20 +08:00
|
|
|
StackHint = new StackHintGeneratorForReallocationFailed(Sym,
|
2012-03-17 07:44:28 +08:00
|
|
|
"Reallocation failed");
|
2012-03-18 15:43:35 +08:00
|
|
|
|
2012-03-24 11:15:09 +08:00
|
|
|
if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
|
|
|
|
// Is it possible to fail two reallocs WITHOUT testing in between?
|
|
|
|
assert((!FailedReallocSymbol || FailedReallocSymbol == sym) &&
|
|
|
|
"We only support one failed realloc at a time.");
|
2012-03-18 15:43:35 +08:00
|
|
|
BR.markInteresting(sym);
|
2012-03-24 11:15:09 +08:00
|
|
|
FailedReallocSymbol = sym;
|
|
|
|
}
|
2012-02-17 06:26:07 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// We are in a special mode if a reallocation failed later in the path.
|
|
|
|
} else if (Mode == ReallocationFailed) {
|
2012-03-24 11:15:09 +08:00
|
|
|
assert(FailedReallocSymbol && "No symbol to look for.");
|
2012-02-17 06:26:07 +08:00
|
|
|
|
2012-03-24 11:15:09 +08:00
|
|
|
// Is this is the first appearance of the reallocated symbol?
|
|
|
|
if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
|
|
|
|
// We're at the reallocation point.
|
|
|
|
Msg = "Attempt to reallocate memory";
|
|
|
|
StackHint = new StackHintGeneratorForSymbol(Sym,
|
|
|
|
"Returned reallocated memory");
|
|
|
|
FailedReallocSymbol = NULL;
|
|
|
|
Mode = Normal;
|
|
|
|
}
|
2012-02-17 06:26:07 +08:00
|
|
|
}
|
|
|
|
|
2012-02-09 14:25:51 +08:00
|
|
|
if (!Msg)
|
|
|
|
return 0;
|
2012-03-17 07:24:20 +08:00
|
|
|
assert(StackHint);
|
2012-02-09 14:25:51 +08:00
|
|
|
|
|
|
|
// Generate the extra diagnostic.
|
2012-02-17 06:26:07 +08:00
|
|
|
PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
|
2012-02-09 14:25:51 +08:00
|
|
|
N->getLocationContext());
|
2012-03-17 07:24:20 +08:00
|
|
|
return new PathDiagnosticEventPiece(Pos, Msg, true, StackHint);
|
2012-02-09 14:25:51 +08:00
|
|
|
}
|
|
|
|
|
2012-05-02 08:05:20 +08:00
|
|
|
void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
|
|
|
|
const char *NL, const char *Sep) const {
|
|
|
|
|
|
|
|
RegionStateTy RS = State->get<RegionState>();
|
|
|
|
|
2013-01-03 09:30:12 +08:00
|
|
|
if (!RS.isEmpty()) {
|
|
|
|
Out << Sep << "MallocChecker:" << NL;
|
|
|
|
for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
|
|
|
|
I.getKey()->dumpToStream(Out);
|
|
|
|
Out << " : ";
|
|
|
|
I.getData().dump(Out);
|
|
|
|
Out << NL;
|
|
|
|
}
|
|
|
|
}
|
2012-05-02 08:05:20 +08:00
|
|
|
}
|
2012-02-09 14:25:51 +08:00
|
|
|
|
2012-02-09 07:16:52 +08:00
|
|
|
#define REGISTER_CHECKER(name) \
|
|
|
|
void ento::register##name(CheckerManager &mgr) {\
|
2012-02-18 06:35:31 +08:00
|
|
|
registerCStringCheckerBasic(mgr); \
|
2012-02-09 07:16:52 +08:00
|
|
|
mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\
|
2011-02-28 09:26:35 +08:00
|
|
|
}
|
2012-02-09 07:16:52 +08:00
|
|
|
|
|
|
|
REGISTER_CHECKER(MallocPessimistic)
|
|
|
|
REGISTER_CHECKER(MallocOptimistic)
|