MallocChecker.cpp source code [clang_source_code/lib/StaticAnalyzer/Checkers/MallocChecker.cpp]

1	//=== MallocChecker.cpp - A malloc/free checker -------------------- C++ ---//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This file defines malloc/free checker, which checks for potential memory
10	// leaks, double free, and use-after-free problems.
11	//
12	//===----------------------------------------------------------------------===//
13
14	#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15	#include "InterCheckerAPI.h"
16	#include "clang/AST/Attr.h"
17	#include "clang/AST/ParentMap.h"
18	#include "clang/Basic/SourceManager.h"
19	#include "clang/Basic/TargetInfo.h"
20	#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21	#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
22	#include "clang/StaticAnalyzer/Core/Checker.h"
23	#include "clang/StaticAnalyzer/Core/CheckerManager.h"
24	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
25	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
26	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
27	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
28	#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
29	#include "llvm/ADT/STLExtras.h"
30	#include "llvm/ADT/SmallString.h"
31	#include "llvm/ADT/StringExtras.h"
32	#include "AllocationState.h"
33	#include <climits>
34	#include <utility>
35
36	using namespace clang;
37	using namespace ento;
38
39	namespace {
40
41	// Used to check correspondence between allocators and deallocators.
42	enum AllocationFamily {
43	AF_None,
44	AF_Malloc,
45	AF_CXXNew,
46	AF_CXXNewArray,
47	AF_IfNameIndex,
48	AF_Alloca,
49	AF_InnerBuffer
50	};
51
52	class RefState {
53	enum Kind { // Reference to allocated memory.
54	Allocated,
55	// Reference to zero-allocated memory.
56	AllocatedOfSizeZero,
57	// Reference to released/freed memory.
58	Released,
59	// The responsibility for freeing resources has transferred from
60	// this reference. A relinquished symbol should not be freed.
61	Relinquished,
62	// We are no longer guaranteed to have observed all manipulations
63	// of this pointer/memory. For example, it could have been
64	// passed as a parameter to an opaque function.
65	Escaped
66	};
67
68	const Stmt *S;
69	unsigned K : 3; // Kind enum, but stored as a bitfield.
70	unsigned Family : 29; // Rest of 32-bit word, currently just an allocation
71	// family.
72
73	RefState(Kind k, const Stmt *s, unsigned family)
74	: S(s), K(k), Family(family) {
75	assert(family != AF_None);
76	}
77	public:
78	bool isAllocated() const { return K == Allocated; }
79	bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
80	bool isReleased() const { return K == Released; }
81	bool isRelinquished() const { return K == Relinquished; }
82	bool isEscaped() const { return K == Escaped; }
83	AllocationFamily getAllocationFamily() const {
84	return (AllocationFamily)Family;
85	}
86	const Stmt *getStmt() const { return S; }
87
88	bool operator==(const RefState &X) const {
89	return K == X.K && S == X.S && Family == X.Family;
90	}
91
92	static RefState getAllocated(unsigned family, const Stmt *s) {
93	return RefState(Allocated, s, family);
94	}
95	static RefState getAllocatedOfSizeZero(const RefState *RS) {
96	return RefState(AllocatedOfSizeZero, RS->getStmt(),
97	RS->getAllocationFamily());
98	}
99	static RefState getReleased(unsigned family, const Stmt *s) {
100	return RefState(Released, s, family);
101	}
102	static RefState getRelinquished(unsigned family, const Stmt *s) {
103	return RefState(Relinquished, s, family);
104	}
105	static RefState getEscaped(const RefState *RS) {
106	return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
107	}
108
109	void Profile(llvm::FoldingSetNodeID &ID) const {
110	ID.AddInteger(K);
111	ID.AddPointer(S);
112	ID.AddInteger(Family);
113	}
114
115	void dump(raw_ostream &OS) const {
116	switch (static_cast<Kind>(K)) {
117	#define CASE(ID) case ID: OS << #ID; break;
118	CASE(Allocated)
119	CASE(AllocatedOfSizeZero)
120	CASE(Released)
121	CASE(Relinquished)
122	CASE(Escaped)
123	}
124	}
125
126	LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
127	};
128
129	enum ReallocPairKind {
130	RPToBeFreedAfterFailure,
131	// The symbol has been freed when reallocation failed.
132	RPIsFreeOnFailure,
133	// The symbol does not need to be freed after reallocation fails.
134	RPDoNotTrackAfterFailure
135	};
136
137	/// \class ReallocPair
138	/// Stores information about the symbol being reallocated by a call to
139	/// 'realloc' to allow modeling failed reallocation later in the path.
140	struct ReallocPair {
141	// The symbol which realloc reallocated.
142	SymbolRef ReallocatedSym;
143	ReallocPairKind Kind;
144
145	ReallocPair(SymbolRef S, ReallocPairKind K) :
146	ReallocatedSym(S), Kind(K) {}
147	void Profile(llvm::FoldingSetNodeID &ID) const {
148	ID.AddInteger(Kind);
149	ID.AddPointer(ReallocatedSym);
150	}
151	bool operator==(const ReallocPair &X) const {
152	return ReallocatedSym == X.ReallocatedSym &&
153	Kind == X.Kind;
154	}
155	};
156
157	typedef std::pair<const ExplodedNode, const MemRegion> LeakInfo;
158
159	class MallocChecker : public Checker<check::DeadSymbols,
160	check::PointerEscape,
161	check::ConstPointerEscape,
162	check::PreStmt<ReturnStmt>,
163	check::EndFunction,
164	check::PreCall,
165	check::PostStmt<CallExpr>,
166	check::PostStmt<CXXNewExpr>,
167	check::NewAllocator,
168	check::PreStmt<CXXDeleteExpr>,
169	check::PostStmt<BlockExpr>,
170	check::PostObjCMessage,
171	check::Location,
172	eval::Assume>
173	{
174	public:
175	MallocChecker()
176	: II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr),
177	II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),
178	II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),
179	II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr),
180	II_if_nameindex(nullptr), II_if_freenameindex(nullptr),
181	II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr),
182	II_g_malloc0(nullptr), II_g_realloc(nullptr), II_g_try_malloc(nullptr),
183	II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr),
184	II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr),
185	II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr),
186	II_g_try_malloc_n(nullptr), II_g_try_malloc0_n(nullptr),
187	II_g_try_realloc_n(nullptr) {}
188
189	/// In pessimistic mode, the checker assumes that it does not know which
190	/// functions might free the memory.
191	enum CheckKind {
192	CK_MallocChecker,
193	CK_NewDeleteChecker,
194	CK_NewDeleteLeaksChecker,
195	CK_MismatchedDeallocatorChecker,
196	CK_InnerPointerChecker,
197	CK_NumCheckKinds
198	};
199
200	enum class MemoryOperationKind {
201	MOK_Allocate,
202	MOK_Free,
203	MOK_Any
204	};
205
206	DefaultBool IsOptimistic;
207
208	DefaultBool ChecksEnabled[CK_NumCheckKinds];
209	CheckName CheckNames[CK_NumCheckKinds];
210
211	void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
212	void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
213	void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
214	void checkNewAllocator(const CXXNewExpr *NE, SVal Target,
215	CheckerContext &C) const;
216	void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
217	void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
218	void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
219	void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
220	void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
221	void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
222	ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
223	bool Assumption) const;
224	void checkLocation(SVal l, bool isLoad, const Stmt *S,
225	CheckerContext &C) const;
226
227	ProgramStateRef checkPointerEscape(ProgramStateRef State,
228	const InvalidatedSymbols &Escaped,
229	const CallEvent *Call,
230	PointerEscapeKind Kind) const;
231	ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
232	const InvalidatedSymbols &Escaped,
233	const CallEvent *Call,
234	PointerEscapeKind Kind) const;
235
236	void printState(raw_ostream &Out, ProgramStateRef State,
237	const char NL, const char Sep) const override;
238
239	private:
240	mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
241	mutable std::unique_ptr<BugType> BT_DoubleDelete;
242	mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
243	mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
244	mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
245	mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
246	mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
247	mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
248	mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
249	mutable IdentifierInfo II_alloca, II_win_alloca, II_malloc, II_free,
250	II_realloc, II_calloc, II_valloc, II_reallocf,
251	II_strndup, II_strdup, II_win_strdup, II_kmalloc,
252	II_if_nameindex, II_if_freenameindex, *II_wcsdup,
253	II_win_wcsdup, II_g_malloc, *II_g_malloc0,
254	II_g_realloc, II_g_try_malloc, *II_g_try_malloc0,
255	II_g_try_realloc, II_g_free, *II_g_memdup,
256	II_g_malloc_n, II_g_malloc0_n, *II_g_realloc_n,
257	II_g_try_malloc_n, II_g_try_malloc0_n,
258	*II_g_try_realloc_n;
259	mutable Optional<uint64_t> KernelZeroFlagVal;
260
261	void initIdentifierInfo(ASTContext &C) const;
262
263	/// Determine family of a deallocation expression.
264	AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const;
265
266	/// Print names of allocators and deallocators.
267	///
268	/// \returns true on success.
269	bool printAllocDeallocName(raw_ostream &os, CheckerContext &C,
270	const Expr *E) const;
271
272	/// Print expected name of an allocator based on the deallocator's
273	/// family derived from the DeallocExpr.
274	void printExpectedAllocName(raw_ostream &os, CheckerContext &C,
275	const Expr *DeallocExpr) const;
276	/// Print expected name of a deallocator based on the allocator's
277	/// family.
278	void printExpectedDeallocName(raw_ostream &os, AllocationFamily Family) const;
279
280	///@{
281	/// Check if this is one of the functions which can allocate/reallocate memory
282	/// pointed to by one of its arguments.
283	bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
284	bool isCMemFunction(const FunctionDecl *FD,
285	ASTContext &C,
286	AllocationFamily Family,
287	MemoryOperationKind MemKind) const;
288	bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;
289	///@}
290
291	/// Process C++ operator new()'s allocation, which is the part of C++
292	/// new-expression that goes before the constructor.
293	void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C,
294	SVal Target) const;
295
296	/// Perform a zero-allocation check.
297	/// The optional \p RetVal parameter specifies the newly allocated pointer
298	/// value; if unspecified, the value of expression \p E is used.
299	ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E,
300	const unsigned AllocationSizeArg,
301	ProgramStateRef State,
302	Optional<SVal> RetVal = None) const;
303
304	ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
305	const CallExpr *CE,
306	const OwnershipAttr* Att,
307	ProgramStateRef State) const;
308	static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
309	const Expr *SizeEx, SVal Init,
310	ProgramStateRef State,
311	AllocationFamily Family = AF_Malloc);
312	static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
313	SVal SizeEx, SVal Init,
314	ProgramStateRef State,
315	AllocationFamily Family = AF_Malloc);
316
317	static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE,
318	ProgramStateRef State, SVal Target);
319
320	// Check if this malloc() for special flags. At present that means M_ZERO or
321	// __GFP_ZERO (in which case, treat it like calloc).
322	llvm::Optional<ProgramStateRef>
323	performKernelMalloc(const CallExpr *CE, CheckerContext &C,
324	const ProgramStateRef &State) const;
325
326	/// Update the RefState to reflect the new memory allocation.
327	/// The optional \p RetVal parameter specifies the newly allocated pointer
328	/// value; if unspecified, the value of expression \p E is used.
329	static ProgramStateRef
330	MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
331	AllocationFamily Family = AF_Malloc,
332	Optional<SVal> RetVal = None);
333
334	ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE,
335	const OwnershipAttr* Att,
336	ProgramStateRef State) const;
337	ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
338	ProgramStateRef state, unsigned Num,
339	bool Hold,
340	bool &ReleasedAllocated,
341	bool ReturnsNullOnFailure = false) const;
342	ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg,
343	const Expr *ParentExpr,
344	ProgramStateRef State,
345	bool Hold,
346	bool &ReleasedAllocated,
347	bool ReturnsNullOnFailure = false) const;
348
349	ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE,
350	bool FreesMemOnFailure,
351	ProgramStateRef State,
352	bool SuffixWithN = false) const;
353	static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
354	const Expr *BlockBytes);
355	static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,
356	ProgramStateRef State);
357
358	/// Check if the memory associated with this symbol was released.
359	bool isReleased(SymbolRef Sym, CheckerContext &C) const;
360
361	bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
362
363	void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
364	const Stmt *S) const;
365
366	bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
367
368	/// Check if the function is known free memory, or if it is
369	/// "interesting" and should be modeled explicitly.
370	///
371	/// \param [out] EscapingSymbol A function might not free memory in general,
372	/// but could be known to free a particular symbol. In this case, false is
373	/// returned and the single escaping symbol is returned through the out
374	/// parameter.
375	///
376	/// We assume that pointers do not escape through calls to system functions
377	/// not handled by this checker.
378	bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
379	ProgramStateRef State,
380	SymbolRef &EscapingSymbol) const;
381
382	// Implementation of the checkPointerEscape callbacks.
383	ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
384	const InvalidatedSymbols &Escaped,
385	const CallEvent *Call,
386	PointerEscapeKind Kind,
387	bool(CheckRefState)(const RefState)) const;
388
389	// Implementation of the checkPreStmt and checkEndFunction callbacks.
390	void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
391
392	///@{
393	/// Tells if a given family/call/symbol is tracked by the current checker.
394	/// Sets CheckKind to the kind of the checker responsible for this
395	/// family/call/symbol.
396	Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
397	bool IsALeakCheck = false) const;
398	Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
399	const Stmt *AllocDeallocStmt,
400	bool IsALeakCheck = false) const;
401	Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
402	bool IsALeakCheck = false) const;
403	///@}
404	static bool SummarizeValue(raw_ostream &os, SVal V);
405	static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
406	void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
407	const Expr *DeallocExpr) const;
408	void ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
409	SourceRange Range) const;
410	void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
411	const Expr DeallocExpr, const RefState RS,
412	SymbolRef Sym, bool OwnershipTransferred) const;
413	void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
414	const Expr *DeallocExpr,
415	const Expr *AllocExpr = nullptr) const;
416	void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
417	SymbolRef Sym) const;
418	void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
419	SymbolRef Sym, SymbolRef PrevSym) const;
420
421	void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
422
423	void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range,
424	SymbolRef Sym) const;
425
426	void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
427	SourceRange Range, const Expr *FreeExpr) const;
428
429	/// Find the location of the allocation for Sym on the path leading to the
430	/// exploded node N.
431	LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
432	CheckerContext &C) const;
433
434	void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
435
436	/// The bug visitor which allows us to print extra diagnostics along the
437	/// BugReport path. For example, showing the allocation site of the leaked
438	/// region.
439	class MallocBugVisitor final : public BugReporterVisitor {
440	protected:
441	enum NotificationMode {
442	Normal,
443	ReallocationFailed
444	};
445
446	// The allocated region symbol tracked by the main analysis.
447	SymbolRef Sym;
448
449	// The mode we are in, i.e. what kind of diagnostics will be emitted.
450	NotificationMode Mode;
451
452	// A symbol from when the primary region should have been reallocated.
453	SymbolRef FailedReallocSymbol;
454
455	// A C++ destructor stack frame in which memory was released. Used for
456	// miscellaneous false positive suppression.
457	const StackFrameContext *ReleaseDestructorLC;
458
459	bool IsLeak;
460
461	public:
462	MallocBugVisitor(SymbolRef S, bool isLeak = false)
463	: Sym(S), Mode(Normal), FailedReallocSymbol(nullptr),
464	ReleaseDestructorLC(nullptr), IsLeak(isLeak) {}
465
466	static void *getTag() {
467	static int Tag = 0;
468	return &Tag;
469	}
470
471	void Profile(llvm::FoldingSetNodeID &ID) const override {
472	ID.AddPointer(getTag());
473	ID.AddPointer(Sym);
474	}
475
476	inline bool isAllocated(const RefState S, const RefState SPrev,
477	const Stmt *Stmt) {
478	// Did not track -> allocated. Other state (released) -> allocated.
479	return (Stmt && (isa<CallExpr>(Stmt) \|\| isa<CXXNewExpr>(Stmt)) &&
480	(S && (S->isAllocated() \|\| S->isAllocatedOfSizeZero())) &&
481	(!SPrev \|\| !(SPrev->isAllocated() \|\|
482	SPrev->isAllocatedOfSizeZero())));
483	}
484
485	inline bool isReleased(const RefState S, const RefState SPrev,
486	const Stmt *Stmt) {
487	// Did not track -> released. Other state (allocated) -> released.
488	// The statement associated with the release might be missing.
489	bool IsReleased = (S && S->isReleased()) &&
490	(!SPrev \|\| !SPrev->isReleased());
491	(Stmt) \|\| isa(Stmt))) \|\| (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 493, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(!IsReleased \|\|
492	(Stmt) \|\| isa(Stmt))) \|\| (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 493, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> (Stmt && (isa<CallExpr>(Stmt) \|\| isa<CXXDeleteExpr>(Stmt))) \|\|
493	(Stmt) \|\| isa(Stmt))) \|\| (!Stmt && S->getAllocationFamily() == AF_InnerBuffer)", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 493, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> (!Stmt && S->getAllocationFamily() == AF_InnerBuffer));
494	return IsReleased;
495	}
496
497	inline bool isRelinquished(const RefState S, const RefState SPrev,
498	const Stmt *Stmt) {
499	// Did not track -> relinquished. Other state (allocated) -> relinquished.
500	return (Stmt && (isa<CallExpr>(Stmt) \|\| isa<ObjCMessageExpr>(Stmt) \|\|
501	isa<ObjCPropertyRefExpr>(Stmt)) &&
502	(S && S->isRelinquished()) &&
503	(!SPrev \|\| !SPrev->isRelinquished()));
504	}
505
506	inline bool isReallocFailedCheck(const RefState S, const RefState SPrev,
507	const Stmt *Stmt) {
508	// If the expression is not a call, and the state change is
509	// released -> allocated, it must be the realloc return value
510	// check. If we have to handle more cases here, it might be cleaner just
511	// to track this extra bit in the state itself.
512	return ((!Stmt \|\| !isa<CallExpr>(Stmt)) &&
513	(S && (S->isAllocated() \|\| S->isAllocatedOfSizeZero())) &&
514	(SPrev && !(SPrev->isAllocated() \|\|
515	SPrev->isAllocatedOfSizeZero())));
516	}
517
518	std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
519	BugReporterContext &BRC,
520	BugReport &BR) override;
521
522	std::shared_ptr<PathDiagnosticPiece>
523	getEndPath(BugReporterContext &BRC, const ExplodedNode *EndPathNode,
524	BugReport &BR) override {
525	if (!IsLeak)
526	return nullptr;
527
528	PathDiagnosticLocation L =
529	PathDiagnosticLocation::createEndOfPath(EndPathNode,
530	BRC.getSourceManager());
531	// Do not add the statement itself as a range in case of leak.
532	return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(),
533	false);
534	}
535
536	private:
537	class StackHintGeneratorForReallocationFailed
538	: public StackHintGeneratorForSymbol {
539	public:
540	StackHintGeneratorForReallocationFailed(SymbolRef S, StringRef M)
541	: StackHintGeneratorForSymbol(S, M) {}
542
543	std::string getMessageForArg(const Expr *ArgE,
544	unsigned ArgIndex) override {
545	// Printed parameters start at 1, not 0.
546	++ArgIndex;
547
548	SmallString<200> buf;
549	llvm::raw_svector_ostream os(buf);
550
551	os << "Reallocation of " << ArgIndex << llvm::getOrdinalSuffix(ArgIndex)
552	<< " parameter failed";
553
554	return os.str();
555	}
556
557	std::string getMessageForReturn(const CallExpr *CallExpr) override {
558	return "Reallocation of returned value failed";
559	}
560	};
561	};
562	};
563	} // end anonymous namespace
564
565	REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
566	REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
567	REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
568
569	// A map from the freed symbol to the symbol representing the return value of
570	// the free function.
571	REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)
572
573	namespace {
574	class StopTrackingCallback final : public SymbolVisitor {
575	ProgramStateRef state;
576	public:
577	StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
578	ProgramStateRef getState() const { return state; }
579
580	bool VisitSymbol(SymbolRef sym) override {
581	state = state->remove<RegionState>(sym);
582	return true;
583	}
584	};
585	} // end anonymous namespace
586
587	void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
588	if (II_malloc)
589	return;
590	II_alloca = &Ctx.Idents.get("alloca");
591	II_malloc = &Ctx.Idents.get("malloc");
592	II_free = &Ctx.Idents.get("free");
593	II_realloc = &Ctx.Idents.get("realloc");
594	II_reallocf = &Ctx.Idents.get("reallocf");
595	II_calloc = &Ctx.Idents.get("calloc");
596	II_valloc = &Ctx.Idents.get("valloc");
597	II_strdup = &Ctx.Idents.get("strdup");
598	II_strndup = &Ctx.Idents.get("strndup");
599	II_wcsdup = &Ctx.Idents.get("wcsdup");
600	II_kmalloc = &Ctx.Idents.get("kmalloc");
601	II_if_nameindex = &Ctx.Idents.get("if_nameindex");
602	II_if_freenameindex = &Ctx.Idents.get("if_freenameindex");
603
604	//MSVC uses `_`-prefixed instead, so we check for them too.
605	II_win_strdup = &Ctx.Idents.get("_strdup");
606	II_win_wcsdup = &Ctx.Idents.get("_wcsdup");
607	II_win_alloca = &Ctx.Idents.get("_alloca");
608
609	// Glib
610	II_g_malloc = &Ctx.Idents.get("g_malloc");
611	II_g_malloc0 = &Ctx.Idents.get("g_malloc0");
612	II_g_realloc = &Ctx.Idents.get("g_realloc");
613	II_g_try_malloc = &Ctx.Idents.get("g_try_malloc");
614	II_g_try_malloc0 = &Ctx.Idents.get("g_try_malloc0");
615	II_g_try_realloc = &Ctx.Idents.get("g_try_realloc");
616	II_g_free = &Ctx.Idents.get("g_free");
617	II_g_memdup = &Ctx.Idents.get("g_memdup");
618	II_g_malloc_n = &Ctx.Idents.get("g_malloc_n");
619	II_g_malloc0_n = &Ctx.Idents.get("g_malloc0_n");
620	II_g_realloc_n = &Ctx.Idents.get("g_realloc_n");
621	II_g_try_malloc_n = &Ctx.Idents.get("g_try_malloc_n");
622	II_g_try_malloc0_n = &Ctx.Idents.get("g_try_malloc0_n");
623	II_g_try_realloc_n = &Ctx.Idents.get("g_try_realloc_n");
624	}
625
626	bool MallocChecker::isMemFunction(const FunctionDecl *FD, ASTContext &C) const {
627	if (isCMemFunction(FD, C, AF_Malloc, MemoryOperationKind::MOK_Any))
628	return true;
629
630	if (isCMemFunction(FD, C, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
631	return true;
632
633	if (isCMemFunction(FD, C, AF_Alloca, MemoryOperationKind::MOK_Any))
634	return true;
635
636	if (isStandardNewDelete(FD, C))
637	return true;
638
639	return false;
640	}
641
642	bool MallocChecker::isCMemFunction(const FunctionDecl *FD,
643	ASTContext &C,
644	AllocationFamily Family,
645	MemoryOperationKind MemKind) const {
646	if (!FD)
647	return false;
648
649	bool CheckFree = (MemKind == MemoryOperationKind::MOK_Any \|\|
650	MemKind == MemoryOperationKind::MOK_Free);
651	bool CheckAlloc = (MemKind == MemoryOperationKind::MOK_Any \|\|
652	MemKind == MemoryOperationKind::MOK_Allocate);
653
654	if (FD->getKind() == Decl::Function) {
655	const IdentifierInfo *FunI = FD->getIdentifier();
656	initIdentifierInfo(C);
657
658	if (Family == AF_Malloc && CheckFree) {
659	if (FunI == II_free \|\| FunI == II_realloc \|\| FunI == II_reallocf \|\|
660	FunI == II_g_free)
661	return true;
662	}
663
664	if (Family == AF_Malloc && CheckAlloc) {
665	if (FunI == II_malloc \|\| FunI == II_realloc \|\| FunI == II_reallocf \|\|
666	FunI == II_calloc \|\| FunI == II_valloc \|\| FunI == II_strdup \|\|
667	FunI == II_win_strdup \|\| FunI == II_strndup \|\| FunI == II_wcsdup \|\|
668	FunI == II_win_wcsdup \|\| FunI == II_kmalloc \|\|
669	FunI == II_g_malloc \|\| FunI == II_g_malloc0 \|\|
670	FunI == II_g_realloc \|\| FunI == II_g_try_malloc \|\|
671	FunI == II_g_try_malloc0 \|\| FunI == II_g_try_realloc \|\|
672	FunI == II_g_memdup \|\| FunI == II_g_malloc_n \|\|
673	FunI == II_g_malloc0_n \|\| FunI == II_g_realloc_n \|\|
674	FunI == II_g_try_malloc_n \|\| FunI == II_g_try_malloc0_n \|\|
675	FunI == II_g_try_realloc_n)
676	return true;
677	}
678
679	if (Family == AF_IfNameIndex && CheckFree) {
680	if (FunI == II_if_freenameindex)
681	return true;
682	}
683
684	if (Family == AF_IfNameIndex && CheckAlloc) {
685	if (FunI == II_if_nameindex)
686	return true;
687	}
688
689	if (Family == AF_Alloca && CheckAlloc) {
690	if (FunI == II_alloca \|\| FunI == II_win_alloca)
691	return true;
692	}
693	}
694
695	if (Family != AF_Malloc)
696	return false;
697
698	if (IsOptimistic && FD->hasAttrs()) {
699	for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
700	OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
701	if(OwnKind == OwnershipAttr::Takes \|\| OwnKind == OwnershipAttr::Holds) {
702	if (CheckFree)
703	return true;
704	} else if (OwnKind == OwnershipAttr::Returns) {
705	if (CheckAlloc)
706	return true;
707	}
708	}
709	}
710
711	return false;
712	}
713
714	// Tells if the callee is one of the builtin new/delete operators, including
715	// placement operators and other standard overloads.
716	bool MallocChecker::isStandardNewDelete(const FunctionDecl *FD,
717	ASTContext &C) const {
718	if (!FD)
719	return false;
720
721	OverloadedOperatorKind Kind = FD->getOverloadedOperator();
722	if (Kind != OO_New && Kind != OO_Array_New &&
723	Kind != OO_Delete && Kind != OO_Array_Delete)
724	return false;
725
726	// This is standard if and only if it's not defined in a user file.
727	SourceLocation L = FD->getLocation();
728	// If the header for operator delete is not included, it's still defined
729	// in an invalid source location. Check to make sure we don't crash.
730	return !L.isValid() \|\| C.getSourceManager().isInSystemHeader(L);
731	}
732
733	llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc(
734	const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const {
735	// 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
736	//
737	// void malloc(unsigned long size, struct malloc_type mtp, int flags);
738	//
739	// One of the possible flags is M_ZERO, which means 'give me back an
740	// allocation which is already zeroed', like calloc.
741
742	// 2-argument kmalloc(), as used in the Linux kernel:
743	//
744	// void *kmalloc(size_t size, gfp_t flags);
745	//
746	// Has the similar flag value __GFP_ZERO.
747
748	// This logic is largely cloned from O_CREAT in UnixAPIChecker, maybe some
749	// code could be shared.
750
751	ASTContext &Ctx = C.getASTContext();
752	llvm::Triple::OSType OS = Ctx.getTargetInfo().getTriple().getOS();
753
754	if (!KernelZeroFlagVal.hasValue()) {
755	if (OS == llvm::Triple::FreeBSD)
756	KernelZeroFlagVal = 0x0100;
757	else if (OS == llvm::Triple::NetBSD)
758	KernelZeroFlagVal = 0x0002;
759	else if (OS == llvm::Triple::OpenBSD)
760	KernelZeroFlagVal = 0x0008;
761	else if (OS == llvm::Triple::Linux)
762	// __GFP_ZERO
763	KernelZeroFlagVal = 0x8000;
764	else
765	// FIXME: We need a more general way of getting the M_ZERO value.
766	// See also: O_CREAT in UnixAPIChecker.cpp.
767
768	// Fall back to normal malloc behavior on platforms where we don't
769	// know M_ZERO.
770	return None;
771	}
772
773	// We treat the last argument as the flags argument, and callers fall-back to
774	// normal malloc on a None return. This works for the FreeBSD kernel malloc
775	// as well as Linux kmalloc.
776	if (CE->getNumArgs() < 2)
777	return None;
778
779	const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1);
780	const SVal V = C.getSVal(FlagsEx);
781	if (!V.getAs<NonLoc>()) {
782	// The case where 'V' can be a location can only be due to a bad header,
783	// so in this case bail out.
784	return None;
785	}
786
787	NonLoc Flags = V.castAs<NonLoc>();
788	NonLoc ZeroFlag = C.getSValBuilder()
789	.makeIntVal(KernelZeroFlagVal.getValue(), FlagsEx->getType())
790	.castAs<NonLoc>();
791	SVal MaskedFlagsUC = C.getSValBuilder().evalBinOpNN(State, BO_And,
792	Flags, ZeroFlag,
793	FlagsEx->getType());
794	if (MaskedFlagsUC.isUnknownOrUndef())
795	return None;
796	DefinedSVal MaskedFlags = MaskedFlagsUC.castAs<DefinedSVal>();
797
798	// Check if maskedFlags is non-zero.
799	ProgramStateRef TrueState, FalseState;
800	std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
801
802	// If M_ZERO is set, treat this like calloc (initialized).
803	if (TrueState && !FalseState) {
804	SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
805	return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState);
806	}
807
808	return None;
809	}
810
811	SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
812	const Expr *BlockBytes) {
813	SValBuilder &SB = C.getSValBuilder();
814	SVal BlocksVal = C.getSVal(Blocks);
815	SVal BlockBytesVal = C.getSVal(BlockBytes);
816	ProgramStateRef State = C.getState();
817	SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
818	SB.getContext().getSizeType());
819	return TotalSize;
820	}
821
822	void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
823	if (C.wasInlined)
824	return;
825
826	const FunctionDecl *FD = C.getCalleeDecl(CE);
827	if (!FD)
828	return;
829
830	ProgramStateRef State = C.getState();
831	bool ReleasedAllocatedMemory = false;
832
833	if (FD->getKind() == Decl::Function) {
834	initIdentifierInfo(C.getASTContext());
835	IdentifierInfo *FunI = FD->getIdentifier();
836
837	if (FunI == II_malloc \|\| FunI == II_g_malloc \|\| FunI == II_g_try_malloc) {
838	if (CE->getNumArgs() < 1)
839	return;
840	if (CE->getNumArgs() < 3) {
841	State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
842	if (CE->getNumArgs() == 1)
843	State = ProcessZeroAllocation(C, CE, 0, State);
844	} else if (CE->getNumArgs() == 3) {
845	llvm::Optional<ProgramStateRef> MaybeState =
846	performKernelMalloc(CE, C, State);
847	if (MaybeState.hasValue())
848	State = MaybeState.getValue();
849	else
850	State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
851	}
852	} else if (FunI == II_kmalloc) {
853	if (CE->getNumArgs() < 1)
854	return;
855	llvm::Optional<ProgramStateRef> MaybeState =
856	performKernelMalloc(CE, C, State);
857	if (MaybeState.hasValue())
858	State = MaybeState.getValue();
859	else
860	State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
861	} else if (FunI == II_valloc) {
862	if (CE->getNumArgs() < 1)
863	return;
864	State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
865	State = ProcessZeroAllocation(C, CE, 0, State);
866	} else if (FunI == II_realloc \|\| FunI == II_g_realloc \|\|
867	FunI == II_g_try_realloc) {
868	State = ReallocMemAux(C, CE, false, State);
869	State = ProcessZeroAllocation(C, CE, 1, State);
870	} else if (FunI == II_reallocf) {
871	State = ReallocMemAux(C, CE, true, State);
872	State = ProcessZeroAllocation(C, CE, 1, State);
873	} else if (FunI == II_calloc) {
874	State = CallocMem(C, CE, State);
875	State = ProcessZeroAllocation(C, CE, 0, State);
876	State = ProcessZeroAllocation(C, CE, 1, State);
877	} else if (FunI == II_free \|\| FunI == II_g_free) {
878	State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
879	} else if (FunI == II_strdup \|\| FunI == II_win_strdup \|\|
880	FunI == II_wcsdup \|\| FunI == II_win_wcsdup) {
881	State = MallocUpdateRefState(C, CE, State);
882	} else if (FunI == II_strndup) {
883	State = MallocUpdateRefState(C, CE, State);
884	} else if (FunI == II_alloca \|\| FunI == II_win_alloca) {
885	if (CE->getNumArgs() < 1)
886	return;
887	State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
888	AF_Alloca);
889	State = ProcessZeroAllocation(C, CE, 0, State);
890	} else if (isStandardNewDelete(FD, C.getASTContext())) {
891	// Process direct calls to operator new/new[]/delete/delete[] functions
892	// as distinct from new/new[]/delete/delete[] expressions that are
893	// processed by the checkPostStmt callbacks for CXXNewExpr and
894	// CXXDeleteExpr.
895	OverloadedOperatorKind K = FD->getOverloadedOperator();
896	if (K == OO_New) {
897	State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
898	AF_CXXNew);
899	State = ProcessZeroAllocation(C, CE, 0, State);
900	}
901	else if (K == OO_Array_New) {
902	State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
903	AF_CXXNewArray);
904	State = ProcessZeroAllocation(C, CE, 0, State);
905	}
906	else if (K == OO_Delete \|\| K == OO_Array_Delete)
907	State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
908	else
909	llvm_unreachable("not a new/delete operator");
910	} else if (FunI == II_if_nameindex) {
911	// Should we model this differently? We can allocate a fixed number of
912	// elements with zeros in the last one.
913	State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
914	AF_IfNameIndex);
915	} else if (FunI == II_if_freenameindex) {
916	State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
917	} else if (FunI == II_g_malloc0 \|\| FunI == II_g_try_malloc0) {
918	if (CE->getNumArgs() < 1)
919	return;
920	SValBuilder &svalBuilder = C.getSValBuilder();
921	SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
922	State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State);
923	State = ProcessZeroAllocation(C, CE, 0, State);
924	} else if (FunI == II_g_memdup) {
925	if (CE->getNumArgs() < 2)
926	return;
927	State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State);
928	State = ProcessZeroAllocation(C, CE, 1, State);
929	} else if (FunI == II_g_malloc_n \|\| FunI == II_g_try_malloc_n \|\|
930	FunI == II_g_malloc0_n \|\| FunI == II_g_try_malloc0_n) {
931	if (CE->getNumArgs() < 2)
932	return;
933	SVal Init = UndefinedVal();
934	if (FunI == II_g_malloc0_n \|\| FunI == II_g_try_malloc0_n) {
935	SValBuilder &SB = C.getSValBuilder();
936	Init = SB.makeZeroVal(SB.getContext().CharTy);
937	}
938	SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
939	State = MallocMemAux(C, CE, TotalSize, Init, State);
940	State = ProcessZeroAllocation(C, CE, 0, State);
941	State = ProcessZeroAllocation(C, CE, 1, State);
942	} else if (FunI == II_g_realloc_n \|\| FunI == II_g_try_realloc_n) {
943	if (CE->getNumArgs() < 3)
944	return;
945	State = ReallocMemAux(C, CE, false, State, true);
946	State = ProcessZeroAllocation(C, CE, 1, State);
947	State = ProcessZeroAllocation(C, CE, 2, State);
948	}
949	}
950
951	if (IsOptimistic \|\| ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
952	// Check all the attributes, if there are any.
953	// There can be multiple of these attributes.
954	if (FD->hasAttrs())
955	for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
956	switch (I->getOwnKind()) {
957	case OwnershipAttr::Returns:
958	State = MallocMemReturnsAttr(C, CE, I, State);
959	break;
960	case OwnershipAttr::Takes:
961	case OwnershipAttr::Holds:
962	State = FreeMemAttr(C, CE, I, State);
963	break;
964	}
965	}
966	}
967	C.addTransition(State);
968	}
969
970	// Performs a 0-sized allocations check.
971	ProgramStateRef MallocChecker::ProcessZeroAllocation(
972	CheckerContext &C, const Expr *E, const unsigned AllocationSizeArg,
973	ProgramStateRef State, Optional<SVal> RetVal) const {
974	if (!State)
975	return nullptr;
976
977	if (!RetVal)
978	RetVal = C.getSVal(E);
979
980	const Expr *Arg = nullptr;
981
982	if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
983	Arg = CE->getArg(AllocationSizeArg);
984	}
985	else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
986	if (NE->isArray())
987	Arg = NE->getArraySize();
988	else
989	return State;
990	}
991	else
992	llvm_unreachable("not a CallExpr or CXXNewExpr");
993
994	assert(Arg);
995
996	Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>();
997
998	if (!DefArgVal)
999	return State;
1000
1001	// Check if the allocation size is 0.
1002	ProgramStateRef TrueState, FalseState;
1003	SValBuilder &SvalBuilder = C.getSValBuilder();
1004	DefinedSVal Zero =
1005	SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
1006
1007	std::tie(TrueState, FalseState) =
1008	State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
1009
1010	if (TrueState && !FalseState) {
1011	SymbolRef Sym = RetVal->getAsLocSymbol();
1012	if (!Sym)
1013	return State;
1014
1015	const RefState *RS = State->get<RegionState>(Sym);
1016	if (RS) {
1017	if (RS->isAllocated())
1018	return TrueState->set<RegionState>(Sym,
1019	RefState::getAllocatedOfSizeZero(RS));
1020	else
1021	return State;
1022	} else {
1023	// Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
1024	// 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
1025	// tracked. Add zero-reallocated Sym to the state to catch references
1026	// to zero-allocated memory.
1027	return TrueState->add<ReallocSizeZeroSymbols>(Sym);
1028	}
1029	}
1030
1031	// Assume the value is non-zero going forward.
1032	assert(FalseState);
1033	return FalseState;
1034	}
1035
1036	static QualType getDeepPointeeType(QualType T) {
1037	QualType Result = T, PointeeType = T->getPointeeType();
1038	while (!PointeeType.isNull()) {
1039	Result = PointeeType;
1040	PointeeType = PointeeType->getPointeeType();
1041	}
1042	return Result;
1043	}
1044
1045	static bool treatUnusedNewEscaped(const CXXNewExpr *NE) {
1046
1047	const CXXConstructExpr *ConstructE = NE->getConstructExpr();
1048	if (!ConstructE)
1049	return false;
1050
1051	if (!NE->getAllocatedType()->getAsCXXRecordDecl())
1052	return false;
1053
1054	const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
1055
1056	// Iterate over the constructor parameters.
1057	for (const auto *CtorParam : CtorD->parameters()) {
1058
1059	QualType CtorParamPointeeT = CtorParam->getType()->getPointeeType();
1060	if (CtorParamPointeeT.isNull())
1061	continue;
1062
1063	CtorParamPointeeT = getDeepPointeeType(CtorParamPointeeT);
1064
1065	if (CtorParamPointeeT->getAsCXXRecordDecl())
1066	return true;
1067	}
1068
1069	return false;
1070	}
1071
1072	void MallocChecker::processNewAllocation(const CXXNewExpr *NE,
1073	CheckerContext &C,
1074	SVal Target) const {
1075	if (!isStandardNewDelete(NE->getOperatorNew(), C.getASTContext()))
1076	return;
1077
1078	ParentMap &PM = C.getLocationContext()->getParentMap();
1079	if (!PM.isConsumedExpr(NE) && treatUnusedNewEscaped(NE))
1080	return;
1081
1082	ProgramStateRef State = C.getState();
1083	// The return value from operator new is bound to a specified initialization
1084	// value (if any) and we don't want to loose this value. So we call
1085	// MallocUpdateRefState() instead of MallocMemAux() which breaks the
1086	// existing binding.
1087	State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray
1088	: AF_CXXNew, Target);
1089	State = addExtentSize(C, NE, State, Target);
1090	State = ProcessZeroAllocation(C, NE, 0, State, Target);
1091	C.addTransition(State);
1092	}
1093
1094	void MallocChecker::checkPostStmt(const CXXNewExpr *NE,
1095	CheckerContext &C) const {
1096	if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator)
1097	processNewAllocation(NE, C, C.getSVal(NE));
1098	}
1099
1100	void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target,
1101	CheckerContext &C) const {
1102	if (!C.wasInlined)
1103	processNewAllocation(NE, C, Target);
1104	}
1105
1106	// Sets the extent value of the MemRegion allocated by
1107	// new expression NE to its size in Bytes.
1108	//
1109	ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
1110	const CXXNewExpr *NE,
1111	ProgramStateRef State,
1112	SVal Target) {
1113	if (!State)
1114	return nullptr;
1115	SValBuilder &svalBuilder = C.getSValBuilder();
1116	SVal ElementCount;
1117	const SubRegion *Region;
1118	if (NE->isArray()) {
1119	const Expr *SizeExpr = NE->getArraySize();
1120	ElementCount = C.getSVal(SizeExpr);
1121	// Store the extent size for the (symbolic)region
1122	// containing the elements.
1123	Region = Target.getAsRegion()
1124	->getAs<SubRegion>()
1125	->StripCasts()
1126	->getAs<SubRegion>();
1127	} else {
1128	ElementCount = svalBuilder.makeIntVal(1, true);
1129	Region = Target.getAsRegion()->getAs<SubRegion>();
1130	}
1131	assert(Region);
1132
1133	// Set the region's extent equal to the Size in Bytes.
1134	QualType ElementType = NE->getAllocatedType();
1135	ASTContext &AstContext = C.getASTContext();
1136	CharUnits TypeSize = AstContext.getTypeSizeInChars(ElementType);
1137
1138	if (ElementCount.getAs<NonLoc>()) {
1139	DefinedOrUnknownSVal Extent = Region->getExtent(svalBuilder);
1140	// size in Bytes = ElementCount*TypeSize
1141	SVal SizeInBytes = svalBuilder.evalBinOpNN(
1142	State, BO_Mul, ElementCount.castAs<NonLoc>(),
1143	svalBuilder.makeArrayIndex(TypeSize.getQuantity()),
1144	svalBuilder.getArrayIndexType());
1145	DefinedOrUnknownSVal extentMatchesSize = svalBuilder.evalEQ(
1146	State, Extent, SizeInBytes.castAs<DefinedOrUnknownSVal>());
1147	State = State->assume(extentMatchesSize, true);
1148	}
1149	return State;
1150	}
1151
1152	void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
1153	CheckerContext &C) const {
1154
1155	if (!ChecksEnabled[CK_NewDeleteChecker])
1156	if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
1157	checkUseAfterFree(Sym, C, DE->getArgument());
1158
1159	if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext()))
1160	return;
1161
1162	ProgramStateRef State = C.getState();
1163	bool ReleasedAllocated;
1164	State = FreeMemAux(C, DE->getArgument(), DE, State,
1165	/Hold/false, ReleasedAllocated);
1166
1167	C.addTransition(State);
1168	}
1169
1170	static bool isKnownDeallocObjCMethodName(const ObjCMethodCall &Call) {
1171	// If the first selector piece is one of the names below, assume that the
1172	// object takes ownership of the memory, promising to eventually deallocate it
1173	// with free().
1174	// Ex: [NSData dataWithBytesNoCopy:bytes length:10];
1175	// (...unless a 'freeWhenDone' parameter is false, but that's checked later.)
1176	StringRef FirstSlot = Call.getSelector().getNameForSlot(0);
1177	return FirstSlot == "dataWithBytesNoCopy" \|\|
1178	FirstSlot == "initWithBytesNoCopy" \|\|
1179	FirstSlot == "initWithCharactersNoCopy";
1180	}
1181
1182	static Optional<bool> getFreeWhenDoneArg(const ObjCMethodCall &Call) {
1183	Selector S = Call.getSelector();
1184
1185	// FIXME: We should not rely on fully-constrained symbols being folded.
1186	for (unsigned i = 1; i < S.getNumArgs(); ++i)
1187	if (S.getNameForSlot(i).equals("freeWhenDone"))
1188	return !Call.getArgSVal(i).isZeroConstant();
1189
1190	return None;
1191	}
1192
1193	void MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
1194	CheckerContext &C) const {
1195	if (C.wasInlined)
1196	return;
1197
1198	if (!isKnownDeallocObjCMethodName(Call))
1199	return;
1200
1201	if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
1202	if (!*FreeWhenDone)
1203	return;
1204
1205	bool ReleasedAllocatedMemory;
1206	ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0),
1207	Call.getOriginExpr(), C.getState(),
1208	/Hold=/true, ReleasedAllocatedMemory,
1209	/RetNullOnFailure=/true);
1210
1211	C.addTransition(State);
1212	}
1213
1214	ProgramStateRef
1215	MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
1216	const OwnershipAttr *Att,
1217	ProgramStateRef State) const {
1218	if (!State)
1219	return nullptr;
1220
1221	if (Att->getModule() != II_malloc)
1222	return nullptr;
1223
1224	OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
1225	if (I != E) {
1226	return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(),
1227	State);
1228	}
1229	return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State);
1230	}
1231
1232	ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1233	const CallExpr *CE,
1234	const Expr *SizeEx, SVal Init,
1235	ProgramStateRef State,
1236	AllocationFamily Family) {
1237	if (!State)
1238	return nullptr;
1239
1240	return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family);
1241	}
1242
1243	ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
1244	const CallExpr *CE,
1245	SVal Size, SVal Init,
1246	ProgramStateRef State,
1247	AllocationFamily Family) {
1248	if (!State)
1249	return nullptr;
1250
1251	// We expect the malloc functions to return a pointer.
1252	if (!Loc::isLocType(CE->getType()))
1253	return nullptr;
1254
1255	// Bind the return value to the symbolic value from the heap region.
1256	// TODO: We could rewrite post visit to eval call; 'malloc' does not have
1257	// side effects other than what we model here.
1258	unsigned Count = C.blockCount();
1259	SValBuilder &svalBuilder = C.getSValBuilder();
1260	const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1261	DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
1262	.castAs<DefinedSVal>();
1263	State = State->BindExpr(CE, C.getLocationContext(), RetVal);
1264
1265	// Fill the region with the initialization value.
1266	State = State->bindDefaultInitial(RetVal, Init, LCtx);
1267
1268	// Set the region's extent equal to the Size parameter.
1269	const SymbolicRegion *R =
1270	dyn_cast_or_null<SymbolicRegion>(RetVal.getAsRegion());
1271	if (!R)
1272	return nullptr;
1273	if (Optional<DefinedOrUnknownSVal> DefinedSize =
1274	Size.getAs<DefinedOrUnknownSVal>()) {
1275	SValBuilder &svalBuilder = C.getSValBuilder();
1276	DefinedOrUnknownSVal Extent = R->getExtent(svalBuilder);
1277	DefinedOrUnknownSVal extentMatchesSize =
1278	svalBuilder.evalEQ(State, Extent, *DefinedSize);
1279
1280	State = State->assume(extentMatchesSize, true);
1281	assert(State);
1282	}
1283
1284	return MallocUpdateRefState(C, CE, State, Family);
1285	}
1286
1287	ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
1288	const Expr *E,
1289	ProgramStateRef State,
1290	AllocationFamily Family,
1291	Optional<SVal> RetVal) {
1292	if (!State)
1293	return nullptr;
1294
1295	// Get the return value.
1296	if (!RetVal)
1297	RetVal = C.getSVal(E);
1298
1299	// We expect the malloc functions to return a pointer.
1300	if (!RetVal->getAs<Loc>())
1301	return nullptr;
1302
1303	SymbolRef Sym = RetVal->getAsLocSymbol();
1304	// This is a return value of a function that was not inlined, such as malloc()
1305	// or new(). We've checked that in the caller. Therefore, it must be a symbol.
1306	assert(Sym);
1307
1308	// Set the symbol's state to Allocated.
1309	return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
1310	}
1311
1312	ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
1313	const CallExpr *CE,
1314	const OwnershipAttr *Att,
1315	ProgramStateRef State) const {
1316	if (!State)
1317	return nullptr;
1318
1319	if (Att->getModule() != II_malloc)
1320	return nullptr;
1321
1322	bool ReleasedAllocated = false;
1323
1324	for (const auto &Arg : Att->args()) {
1325	ProgramStateRef StateI = FreeMemAux(
1326	C, CE, State, Arg.getASTIndex(),
1327	Att->getOwnKind() == OwnershipAttr::Holds, ReleasedAllocated);
1328	if (StateI)
1329	State = StateI;
1330	}
1331	return State;
1332	}
1333
1334	ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1335	const CallExpr *CE,
1336	ProgramStateRef State,
1337	unsigned Num,
1338	bool Hold,
1339	bool &ReleasedAllocated,
1340	bool ReturnsNullOnFailure) const {
1341	if (!State)
1342	return nullptr;
1343
1344	if (CE->getNumArgs() < (Num + 1))
1345	return nullptr;
1346
1347	return FreeMemAux(C, CE->getArg(Num), CE, State, Hold,
1348	ReleasedAllocated, ReturnsNullOnFailure);
1349	}
1350
1351	/// Checks if the previous call to free on the given symbol failed - if free
1352	/// failed, returns true. Also, returns the corresponding return value symbol.
1353	static bool didPreviousFreeFail(ProgramStateRef State,
1354	SymbolRef Sym, SymbolRef &RetStatusSymbol) {
1355	const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
1356	if (Ret) {
1357	(0) . __assert_fail ("Ret && \"We should not store the null return symbol\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 1357, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(Ret && "We should not store the null return symbol");
1358	ConstraintManager &CMgr = State->getConstraintManager();
1359	ConditionTruthVal FreeFailed = CMgr.isNull(State, *Ret);
1360	RetStatusSymbol = *Ret;
1361	return FreeFailed.isConstrainedTrue();
1362	}
1363	return false;
1364	}
1365
1366	AllocationFamily MallocChecker::getAllocationFamily(CheckerContext &C,
1367	const Stmt *S) const {
1368	if (!S)
1369	return AF_None;
1370
1371	if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
1372	const FunctionDecl *FD = C.getCalleeDecl(CE);
1373
1374	if (!FD)
1375	FD = dyn_cast<FunctionDecl>(CE->getCalleeDecl());
1376
1377	ASTContext &Ctx = C.getASTContext();
1378
1379	if (isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Any))
1380	return AF_Malloc;
1381
1382	if (isStandardNewDelete(FD, Ctx)) {
1383	OverloadedOperatorKind Kind = FD->getOverloadedOperator();
1384	if (Kind == OO_New \|\| Kind == OO_Delete)
1385	return AF_CXXNew;
1386	else if (Kind == OO_Array_New \|\| Kind == OO_Array_Delete)
1387	return AF_CXXNewArray;
1388	}
1389
1390	if (isCMemFunction(FD, Ctx, AF_IfNameIndex, MemoryOperationKind::MOK_Any))
1391	return AF_IfNameIndex;
1392
1393	if (isCMemFunction(FD, Ctx, AF_Alloca, MemoryOperationKind::MOK_Any))
1394	return AF_Alloca;
1395
1396	return AF_None;
1397	}
1398
1399	if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(S))
1400	return NE->isArray() ? AF_CXXNewArray : AF_CXXNew;
1401
1402	if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(S))
1403	return DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew;
1404
1405	if (isa<ObjCMessageExpr>(S))
1406	return AF_Malloc;
1407
1408	return AF_None;
1409	}
1410
1411	bool MallocChecker::printAllocDeallocName(raw_ostream &os, CheckerContext &C,
1412	const Expr *E) const {
1413	if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
1414	// FIXME: This doesn't handle indirect calls.
1415	const FunctionDecl *FD = CE->getDirectCallee();
1416	if (!FD)
1417	return false;
1418
1419	os << *FD;
1420	if (!FD->isOverloadedOperator())
1421	os << "()";
1422	return true;
1423	}
1424
1425	if (const ObjCMessageExpr *Msg = dyn_cast<ObjCMessageExpr>(E)) {
1426	if (Msg->isInstanceMessage())
1427	os << "-";
1428	else
1429	os << "+";
1430	Msg->getSelector().print(os);
1431	return true;
1432	}
1433
1434	if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
1435	os << "'"
1436	<< getOperatorSpelling(NE->getOperatorNew()->getOverloadedOperator())
1437	<< "'";
1438	return true;
1439	}
1440
1441	if (const CXXDeleteExpr *DE = dyn_cast<CXXDeleteExpr>(E)) {
1442	os << "'"
1443	<< getOperatorSpelling(DE->getOperatorDelete()->getOverloadedOperator())
1444	<< "'";
1445	return true;
1446	}
1447
1448	return false;
1449	}
1450
1451	void MallocChecker::printExpectedAllocName(raw_ostream &os, CheckerContext &C,
1452	const Expr *E) const {
1453	AllocationFamily Family = getAllocationFamily(C, E);
1454
1455	switch(Family) {
1456	case AF_Malloc: os << "malloc()"; return;
1457	case AF_CXXNew: os << "'new'"; return;
1458	case AF_CXXNewArray: os << "'new[]'"; return;
1459	case AF_IfNameIndex: os << "'if_nameindex()'"; return;
1460	case AF_InnerBuffer: os << "container-specific allocator"; return;
1461	case AF_Alloca:
1462	case AF_None: llvm_unreachable("not a deallocation expression");
1463	}
1464	}
1465
1466	void MallocChecker::printExpectedDeallocName(raw_ostream &os,
1467	AllocationFamily Family) const {
1468	switch(Family) {
1469	case AF_Malloc: os << "free()"; return;
1470	case AF_CXXNew: os << "'delete'"; return;
1471	case AF_CXXNewArray: os << "'delete[]'"; return;
1472	case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
1473	case AF_InnerBuffer: os << "container-specific deallocator"; return;
1474	case AF_Alloca:
1475	case AF_None: llvm_unreachable("suspicious argument");
1476	}
1477	}
1478
1479	ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
1480	const Expr *ArgExpr,
1481	const Expr *ParentExpr,
1482	ProgramStateRef State,
1483	bool Hold,
1484	bool &ReleasedAllocated,
1485	bool ReturnsNullOnFailure) const {
1486
1487	if (!State)
1488	return nullptr;
1489
1490	SVal ArgVal = C.getSVal(ArgExpr);
1491	if (!ArgVal.getAs<DefinedOrUnknownSVal>())
1492	return nullptr;
1493	DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
1494
1495	// Check for null dereferences.
1496	if (!location.getAs<Loc>())
1497	return nullptr;
1498
1499	// The explicit NULL case, no operation is performed.
1500	ProgramStateRef notNullState, nullState;
1501	std::tie(notNullState, nullState) = State->assume(location);
1502	if (nullState && !notNullState)
1503	return nullptr;
1504
1505	// Unknown values could easily be okay
1506	// Undefined values are handled elsewhere
1507	if (ArgVal.isUnknownOrUndef())
1508	return nullptr;
1509
1510	const MemRegion *R = ArgVal.getAsRegion();
1511
1512	// Nonlocs can't be freed, of course.
1513	// Non-region locations (labels and fixed addresses) also shouldn't be freed.
1514	if (!R) {
1515	ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1516	return nullptr;
1517	}
1518
1519	R = R->StripCasts();
1520
1521	// Blocks might show up as heap data, but should not be free()d
1522	if (isa<BlockDataRegion>(R)) {
1523	ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1524	return nullptr;
1525	}
1526
1527	const MemSpaceRegion *MS = R->getMemorySpace();
1528
1529	// Parameters, locals, statics, globals, and memory returned by
1530	// __builtin_alloca() shouldn't be freed.
1531	if (!(isa<UnknownSpaceRegion>(MS) \|\| isa<HeapSpaceRegion>(MS))) {
1532	// FIXME: at the time this code was written, malloc() regions were
1533	// represented by conjured symbols, which are all in UnknownSpaceRegion.
1534	// This means that there isn't actually anything from HeapSpaceRegion
1535	// that should be freed, even though we allow it here.
1536	// Of course, free() can work on memory allocated outside the current
1537	// function, so UnknownSpaceRegion is always a possibility.
1538	// False negatives are better than false positives.
1539
1540	if (isa<AllocaRegion>(R))
1541	ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1542	else
1543	ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1544
1545	return nullptr;
1546	}
1547
1548	const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
1549	// Various cases could lead to non-symbol values here.
1550	// For now, ignore them.
1551	if (!SrBase)
1552	return nullptr;
1553
1554	SymbolRef SymBase = SrBase->getSymbol();
1555	const RefState *RsBase = State->get<RegionState>(SymBase);
1556	SymbolRef PreviousRetStatusSymbol = nullptr;
1557
1558	if (RsBase) {
1559
1560	// Memory returned by alloca() shouldn't be freed.
1561	if (RsBase->getAllocationFamily() == AF_Alloca) {
1562	ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
1563	return nullptr;
1564	}
1565
1566	// Check for double free first.
1567	if ((RsBase->isReleased() \|\| RsBase->isRelinquished()) &&
1568	!didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
1569	ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
1570	SymBase, PreviousRetStatusSymbol);
1571	return nullptr;
1572
1573	// If the pointer is allocated or escaped, but we are now trying to free it,
1574	// check that the call to free is proper.
1575	} else if (RsBase->isAllocated() \|\| RsBase->isAllocatedOfSizeZero() \|\|
1576	RsBase->isEscaped()) {
1577
1578	// Check if an expected deallocation function matches the real one.
1579	bool DeallocMatchesAlloc =
1580	RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr);
1581	if (!DeallocMatchesAlloc) {
1582	ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
1583	ParentExpr, RsBase, SymBase, Hold);
1584	return nullptr;
1585	}
1586
1587	// Check if the memory location being freed is the actual location
1588	// allocated, or an offset.
1589	RegionOffset Offset = R->getAsOffset();
1590	if (Offset.isValid() &&
1591	!Offset.hasSymbolicOffset() &&
1592	Offset.getOffset() != 0) {
1593	const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
1594	ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
1595	AllocExpr);
1596	return nullptr;
1597	}
1598	}
1599	}
1600
1601	if (SymBase->getType()->isFunctionPointerType()) {
1602	ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr);
1603	return nullptr;
1604	}
1605
1606	ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() \|\|
1607	RsBase->isAllocatedOfSizeZero());
1608
1609	// Clean out the info on previous call to free return info.
1610	State = State->remove<FreeReturnValue>(SymBase);
1611
1612	// Keep track of the return value. If it is NULL, we will know that free
1613	// failed.
1614	if (ReturnsNullOnFailure) {
1615	SVal RetVal = C.getSVal(ParentExpr);
1616	SymbolRef RetStatusSymbol = RetVal.getAsSymbol();
1617	if (RetStatusSymbol) {
1618	C.getSymbolManager().addSymbolDependency(SymBase, RetStatusSymbol);
1619	State = State->set<FreeReturnValue>(SymBase, RetStatusSymbol);
1620	}
1621	}
1622
1623	AllocationFamily Family = RsBase ? RsBase->getAllocationFamily()
1624	: getAllocationFamily(C, ParentExpr);
1625	// Normal free.
1626	if (Hold)
1627	return State->set<RegionState>(SymBase,
1628	RefState::getRelinquished(Family,
1629	ParentExpr));
1630
1631	return State->set<RegionState>(SymBase,
1632	RefState::getReleased(Family, ParentExpr));
1633	}
1634
1635	Optional<MallocChecker::CheckKind>
1636	MallocChecker::getCheckIfTracked(AllocationFamily Family,
1637	bool IsALeakCheck) const {
1638	switch (Family) {
1639	case AF_Malloc:
1640	case AF_Alloca:
1641	case AF_IfNameIndex: {
1642	if (ChecksEnabled[CK_MallocChecker])
1643	return CK_MallocChecker;
1644	return None;
1645	}
1646	case AF_CXXNew:
1647	case AF_CXXNewArray: {
1648	if (IsALeakCheck) {
1649	if (ChecksEnabled[CK_NewDeleteLeaksChecker])
1650	return CK_NewDeleteLeaksChecker;
1651	}
1652	else {
1653	if (ChecksEnabled[CK_NewDeleteChecker])
1654	return CK_NewDeleteChecker;
1655	}
1656	return None;
1657	}
1658	case AF_InnerBuffer: {
1659	if (ChecksEnabled[CK_InnerPointerChecker])
1660	return CK_InnerPointerChecker;
1661	return None;
1662	}
1663	case AF_None: {
1664	llvm_unreachable("no family");
1665	}
1666	}
1667	llvm_unreachable("unhandled family");
1668	}
1669
1670	Optional<MallocChecker::CheckKind>
1671	MallocChecker::getCheckIfTracked(CheckerContext &C,
1672	const Stmt *AllocDeallocStmt,
1673	bool IsALeakCheck) const {
1674	return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt),
1675	IsALeakCheck);
1676	}
1677
1678	Optional<MallocChecker::CheckKind>
1679	MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
1680	bool IsALeakCheck) const {
1681	if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
1682	return CK_MallocChecker;
1683
1684	const RefState *RS = C.getState()->get<RegionState>(Sym);
1685	assert(RS);
1686	return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
1687	}
1688
1689	bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
1690	if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
1691	os << "an integer (" << IntVal->getValue() << ")";
1692	else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
1693	os << "a constant address (" << ConstAddr->getValue() << ")";
1694	else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
1695	os << "the address of the label '" << Label->getLabel()->getName() << "'";
1696	else
1697	return false;
1698
1699	return true;
1700	}
1701
1702	bool MallocChecker::SummarizeRegion(raw_ostream &os,
1703	const MemRegion *MR) {
1704	switch (MR->getKind()) {
1705	case MemRegion::FunctionCodeRegionKind: {
1706	const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
1707	if (FD)
1708	os << "the address of the function '" << *FD << '\'';
1709	else
1710	os << "the address of a function";
1711	return true;
1712	}
1713	case MemRegion::BlockCodeRegionKind:
1714	os << "block text";
1715	return true;
1716	case MemRegion::BlockDataRegionKind:
1717	// FIXME: where the block came from?
1718	os << "a block";
1719	return true;
1720	default: {
1721	const MemSpaceRegion *MS = MR->getMemorySpace();
1722
1723	if (isa<StackLocalsSpaceRegion>(MS)) {
1724	const VarRegion *VR = dyn_cast<VarRegion>(MR);
1725	const VarDecl *VD;
1726	if (VR)
1727	VD = VR->getDecl();
1728	else
1729	VD = nullptr;
1730
1731	if (VD)
1732	os << "the address of the local variable '" << VD->getName() << "'";
1733	else
1734	os << "the address of a local stack variable";
1735	return true;
1736	}
1737
1738	if (isa<StackArgumentsSpaceRegion>(MS)) {
1739	const VarRegion *VR = dyn_cast<VarRegion>(MR);
1740	const VarDecl *VD;
1741	if (VR)
1742	VD = VR->getDecl();
1743	else
1744	VD = nullptr;
1745
1746	if (VD)
1747	os << "the address of the parameter '" << VD->getName() << "'";
1748	else
1749	os << "the address of a parameter";
1750	return true;
1751	}
1752
1753	if (isa<GlobalsSpaceRegion>(MS)) {
1754	const VarRegion *VR = dyn_cast<VarRegion>(MR);
1755	const VarDecl *VD;
1756	if (VR)
1757	VD = VR->getDecl();
1758	else
1759	VD = nullptr;
1760
1761	if (VD) {
1762	if (VD->isStaticLocal())
1763	os << "the address of the static variable '" << VD->getName() << "'";
1764	else
1765	os << "the address of the global variable '" << VD->getName() << "'";
1766	} else
1767	os << "the address of a global variable";
1768	return true;
1769	}
1770
1771	return false;
1772	}
1773	}
1774	}
1775
1776	void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
1777	SourceRange Range,
1778	const Expr *DeallocExpr) const {
1779
1780	if (!ChecksEnabled[CK_MallocChecker] &&
1781	!ChecksEnabled[CK_NewDeleteChecker])
1782	return;
1783
1784	Optional<MallocChecker::CheckKind> CheckKind =
1785	getCheckIfTracked(C, DeallocExpr);
1786	if (!CheckKind.hasValue())
1787	return;
1788
1789	if (ExplodedNode *N = C.generateErrorNode()) {
1790	if (!BT_BadFree[*CheckKind])
1791	BT_BadFree[*CheckKind].reset(new BugType(
1792	CheckNames[*CheckKind], "Bad free", categories::MemoryError));
1793
1794	SmallString<100> buf;
1795	llvm::raw_svector_ostream os(buf);
1796
1797	const MemRegion *MR = ArgVal.getAsRegion();
1798	while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
1799	MR = ER->getSuperRegion();
1800
1801	os << "Argument to ";
1802	if (!printAllocDeallocName(os, C, DeallocExpr))
1803	os << "deallocator";
1804
1805	os << " is ";
1806	bool Summarized = MR ? SummarizeRegion(os, MR)
1807	: SummarizeValue(os, ArgVal);
1808	if (Summarized)
1809	os << ", which is not memory allocated by ";
1810	else
1811	os << "not memory allocated by ";
1812
1813	printExpectedAllocName(os, C, DeallocExpr);
1814
1815	auto R = llvm::make_unique<BugReport>(BT_BadFree[CheckKind], os.str(), N);
1816	R->markInteresting(MR);
1817	R->addRange(Range);
1818	C.emitReport(std::move(R));
1819	}
1820	}
1821
1822	void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
1823	SourceRange Range) const {
1824
1825	Optional<MallocChecker::CheckKind> CheckKind;
1826
1827	if (ChecksEnabled[CK_MallocChecker])
1828	CheckKind = CK_MallocChecker;
1829	else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
1830	CheckKind = CK_MismatchedDeallocatorChecker;
1831	else
1832	return;
1833
1834	if (ExplodedNode *N = C.generateErrorNode()) {
1835	if (!BT_FreeAlloca[*CheckKind])
1836	BT_FreeAlloca[*CheckKind].reset(new BugType(
1837	CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
1838
1839	auto R = llvm::make_unique<BugReport>(
1840	BT_FreeAlloca[CheckKind],
1841	"Memory allocated by alloca() should not be deallocated", N);
1842	R->markInteresting(ArgVal.getAsRegion());
1843	R->addRange(Range);
1844	C.emitReport(std::move(R));
1845	}
1846	}
1847
1848	void MallocChecker::ReportMismatchedDealloc(CheckerContext &C,
1849	SourceRange Range,
1850	const Expr *DeallocExpr,
1851	const RefState *RS,
1852	SymbolRef Sym,
1853	bool OwnershipTransferred) const {
1854
1855	if (!ChecksEnabled[CK_MismatchedDeallocatorChecker])
1856	return;
1857
1858	if (ExplodedNode *N = C.generateErrorNode()) {
1859	if (!BT_MismatchedDealloc)
1860	BT_MismatchedDealloc.reset(
1861	new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
1862	"Bad deallocator", categories::MemoryError));
1863
1864	SmallString<100> buf;
1865	llvm::raw_svector_ostream os(buf);
1866
1867	const Expr *AllocExpr = cast<Expr>(RS->getStmt());
1868	SmallString<20> AllocBuf;
1869	llvm::raw_svector_ostream AllocOs(AllocBuf);
1870	SmallString<20> DeallocBuf;
1871	llvm::raw_svector_ostream DeallocOs(DeallocBuf);
1872
1873	if (OwnershipTransferred) {
1874	if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1875	os << DeallocOs.str() << " cannot";
1876	else
1877	os << "Cannot";
1878
1879	os << " take ownership of memory";
1880
1881	if (printAllocDeallocName(AllocOs, C, AllocExpr))
1882	os << " allocated by " << AllocOs.str();
1883	} else {
1884	os << "Memory";
1885	if (printAllocDeallocName(AllocOs, C, AllocExpr))
1886	os << " allocated by " << AllocOs.str();
1887
1888	os << " should be deallocated by ";
1889	printExpectedDeallocName(os, RS->getAllocationFamily());
1890
1891	if (printAllocDeallocName(DeallocOs, C, DeallocExpr))
1892	os << ", not " << DeallocOs.str();
1893	}
1894
1895	auto R = llvm::make_unique<BugReport>(*BT_MismatchedDealloc, os.str(), N);
1896	R->markInteresting(Sym);
1897	R->addRange(Range);
1898	R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1899	C.emitReport(std::move(R));
1900	}
1901	}
1902
1903	void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
1904	SourceRange Range, const Expr *DeallocExpr,
1905	const Expr *AllocExpr) const {
1906
1907
1908	if (!ChecksEnabled[CK_MallocChecker] &&
1909	!ChecksEnabled[CK_NewDeleteChecker])
1910	return;
1911
1912	Optional<MallocChecker::CheckKind> CheckKind =
1913	getCheckIfTracked(C, AllocExpr);
1914	if (!CheckKind.hasValue())
1915	return;
1916
1917	ExplodedNode *N = C.generateErrorNode();
1918	if (!N)
1919	return;
1920
1921	if (!BT_OffsetFree[*CheckKind])
1922	BT_OffsetFree[*CheckKind].reset(new BugType(
1923	CheckNames[*CheckKind], "Offset free", categories::MemoryError));
1924
1925	SmallString<100> buf;
1926	llvm::raw_svector_ostream os(buf);
1927	SmallString<20> AllocNameBuf;
1928	llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
1929
1930	const MemRegion *MR = ArgVal.getAsRegion();
1931	(0) . __assert_fail ("MR && \"Only MemRegion based symbols can have offset free errors\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 1931, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(MR && "Only MemRegion based symbols can have offset free errors");
1932
1933	RegionOffset Offset = MR->getAsOffset();
1934	(0) . __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 1937, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert((Offset.isValid() &&
1935	(0) . __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 1937, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> !Offset.hasSymbolicOffset() &&
1936	(0) . __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 1937, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> Offset.getOffset() != 0) &&
1937	(0) . __assert_fail ("(Offset.isValid() && !Offset.hasSymbolicOffset() && Offset.getOffset() != 0) && \"Only symbols with a valid offset can have offset free errors\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 1937, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> "Only symbols with a valid offset can have offset free errors");
1938
1939	int offsetBytes = Offset.getOffset() / C.getASTContext().getCharWidth();
1940
1941	os << "Argument to ";
1942	if (!printAllocDeallocName(os, C, DeallocExpr))
1943	os << "deallocator";
1944	os << " is offset by "
1945	<< offsetBytes
1946	<< " "
1947	<< ((abs(offsetBytes) > 1) ? "bytes" : "byte")
1948	<< " from the start of ";
1949	if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr))
1950	os << "memory allocated by " << AllocNameOs.str();
1951	else
1952	os << "allocated memory";
1953
1954	auto R = llvm::make_unique<BugReport>(BT_OffsetFree[CheckKind], os.str(), N);
1955	R->markInteresting(MR->getBaseRegion());
1956	R->addRange(Range);
1957	C.emitReport(std::move(R));
1958	}
1959
1960	void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range,
1961	SymbolRef Sym) const {
1962
1963	if (!ChecksEnabled[CK_MallocChecker] &&
1964	!ChecksEnabled[CK_NewDeleteChecker] &&
1965	!ChecksEnabled[CK_InnerPointerChecker])
1966	return;
1967
1968	Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
1969	if (!CheckKind.hasValue())
1970	return;
1971
1972	if (ExplodedNode *N = C.generateErrorNode()) {
1973	if (!BT_UseFree[*CheckKind])
1974	BT_UseFree[*CheckKind].reset(new BugType(
1975	CheckNames[*CheckKind], "Use-after-free", categories::MemoryError));
1976
1977	AllocationFamily AF =
1978	C.getState()->get<RegionState>(Sym)->getAllocationFamily();
1979
1980	auto R = llvm::make_unique<BugReport>(BT_UseFree[CheckKind],
1981	AF == AF_InnerBuffer
1982	? "Inner pointer of container used after re/deallocation"
1983	: "Use of memory after it is freed",
1984	N);
1985
1986	R->markInteresting(Sym);
1987	R->addRange(Range);
1988	R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
1989
1990	if (AF == AF_InnerBuffer)
1991	R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym));
1992
1993	C.emitReport(std::move(R));
1994	}
1995	}
1996
1997	void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range,
1998	bool Released, SymbolRef Sym,
1999	SymbolRef PrevSym) const {
2000
2001	if (!ChecksEnabled[CK_MallocChecker] &&
2002	!ChecksEnabled[CK_NewDeleteChecker])
2003	return;
2004
2005	Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2006	if (!CheckKind.hasValue())
2007	return;
2008
2009	if (ExplodedNode *N = C.generateErrorNode()) {
2010	if (!BT_DoubleFree[*CheckKind])
2011	BT_DoubleFree[*CheckKind].reset(new BugType(
2012	CheckNames[*CheckKind], "Double free", categories::MemoryError));
2013
2014	auto R = llvm::make_unique<BugReport>(
2015	BT_DoubleFree[CheckKind],
2016	(Released ? "Attempt to free released memory"
2017	: "Attempt to free non-owned memory"),
2018	N);
2019	R->addRange(Range);
2020	R->markInteresting(Sym);
2021	if (PrevSym)
2022	R->markInteresting(PrevSym);
2023	R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2024	C.emitReport(std::move(R));
2025	}
2026	}
2027
2028	void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
2029
2030	if (!ChecksEnabled[CK_NewDeleteChecker])
2031	return;
2032
2033	Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2034	if (!CheckKind.hasValue())
2035	return;
2036
2037	if (ExplodedNode *N = C.generateErrorNode()) {
2038	if (!BT_DoubleDelete)
2039	BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
2040	"Double delete",
2041	categories::MemoryError));
2042
2043	auto R = llvm::make_unique<BugReport>(
2044	*BT_DoubleDelete, "Attempt to delete released memory", N);
2045
2046	R->markInteresting(Sym);
2047	R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2048	C.emitReport(std::move(R));
2049	}
2050	}
2051
2052	void MallocChecker::ReportUseZeroAllocated(CheckerContext &C,
2053	SourceRange Range,
2054	SymbolRef Sym) const {
2055
2056	if (!ChecksEnabled[CK_MallocChecker] &&
2057	!ChecksEnabled[CK_NewDeleteChecker])
2058	return;
2059
2060	Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
2061
2062	if (!CheckKind.hasValue())
2063	return;
2064
2065	if (ExplodedNode *N = C.generateErrorNode()) {
2066	if (!BT_UseZerroAllocated[*CheckKind])
2067	BT_UseZerroAllocated[*CheckKind].reset(
2068	new BugType(CheckNames[*CheckKind], "Use of zero allocated",
2069	categories::MemoryError));
2070
2071	auto R = llvm::make_unique<BugReport>(BT_UseZerroAllocated[CheckKind],
2072	"Use of zero-allocated memory", N);
2073
2074	R->addRange(Range);
2075	if (Sym) {
2076	R->markInteresting(Sym);
2077	R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
2078	}
2079	C.emitReport(std::move(R));
2080	}
2081	}
2082
2083	void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
2084	SourceRange Range,
2085	const Expr *FreeExpr) const {
2086	if (!ChecksEnabled[CK_MallocChecker])
2087	return;
2088
2089	Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, FreeExpr);
2090	if (!CheckKind.hasValue())
2091	return;
2092
2093	if (ExplodedNode *N = C.generateErrorNode()) {
2094	if (!BT_BadFree[*CheckKind])
2095	BT_BadFree[*CheckKind].reset(new BugType(
2096	CheckNames[*CheckKind], "Bad free", categories::MemoryError));
2097
2098	SmallString<100> Buf;
2099	llvm::raw_svector_ostream Os(Buf);
2100
2101	const MemRegion *MR = ArgVal.getAsRegion();
2102	while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
2103	MR = ER->getSuperRegion();
2104
2105	Os << "Argument to ";
2106	if (!printAllocDeallocName(Os, C, FreeExpr))
2107	Os << "deallocator";
2108
2109	Os << " is a function pointer";
2110
2111	auto R = llvm::make_unique<BugReport>(BT_BadFree[CheckKind], Os.str(), N);
2112	R->markInteresting(MR);
2113	R->addRange(Range);
2114	C.emitReport(std::move(R));
2115	}
2116	}
2117
2118	ProgramStateRef MallocChecker::ReallocMemAux(CheckerContext &C,
2119	const CallExpr *CE,
2120	bool FreesOnFail,
2121	ProgramStateRef State,
2122	bool SuffixWithN) const {
2123	if (!State)
2124	return nullptr;
2125
2126	if (SuffixWithN && CE->getNumArgs() < 3)
2127	return nullptr;
2128	else if (CE->getNumArgs() < 2)
2129	return nullptr;
2130
2131	const Expr *arg0Expr = CE->getArg(0);
2132	SVal Arg0Val = C.getSVal(arg0Expr);
2133	if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
2134	return nullptr;
2135	DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
2136
2137	SValBuilder &svalBuilder = C.getSValBuilder();
2138
2139	DefinedOrUnknownSVal PtrEQ =
2140	svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());
2141
2142	// Get the size argument.
2143	const Expr *Arg1 = CE->getArg(1);
2144
2145	// Get the value of the size argument.
2146	SVal TotalSize = C.getSVal(Arg1);
2147	if (SuffixWithN)
2148	TotalSize = evalMulForBufferSize(C, Arg1, CE->getArg(2));
2149	if (!TotalSize.getAs<DefinedOrUnknownSVal>())
2150	return nullptr;
2151
2152	// Compare the size argument to 0.
2153	DefinedOrUnknownSVal SizeZero =
2154	svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
2155	svalBuilder.makeIntValWithPtrWidth(0, false));
2156
2157	ProgramStateRef StatePtrIsNull, StatePtrNotNull;
2158	std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
2159	ProgramStateRef StateSizeIsZero, StateSizeNotZero;
2160	std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
2161	// We only assume exceptional states if they are definitely true; if the
2162	// state is under-constrained, assume regular realloc behavior.
2163	bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
2164	bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
2165
2166	// If the ptr is NULL and the size is not 0, the call is equivalent to
2167	// malloc(size).
2168	if (PrtIsNull && !SizeIsZero) {
2169	ProgramStateRef stateMalloc = MallocMemAux(C, CE, TotalSize,
2170	UndefinedVal(), StatePtrIsNull);
2171	return stateMalloc;
2172	}
2173
2174	if (PrtIsNull && SizeIsZero)
2175	return State;
2176
2177	// Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
2178	assert(!PrtIsNull);
2179	SymbolRef FromPtr = arg0Val.getAsSymbol();
2180	SVal RetVal = C.getSVal(CE);
2181	SymbolRef ToPtr = RetVal.getAsSymbol();
2182	if (!FromPtr \|\| !ToPtr)
2183	return nullptr;
2184
2185	bool ReleasedAllocated = false;
2186
2187	// If the size is 0, free the memory.
2188	if (SizeIsZero)
2189	if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0,
2190	false, ReleasedAllocated)){
2191	// The semantics of the return value are:
2192	// If size was equal to 0, either NULL or a pointer suitable to be passed
2193	// to free() is returned. We just free the input pointer and do not add
2194	// any constrains on the output pointer.
2195	return stateFree;
2196	}
2197
2198	// Default behavior.
2199	if (ProgramStateRef stateFree =
2200	FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) {
2201
2202	ProgramStateRef stateRealloc = MallocMemAux(C, CE, TotalSize,
2203	UnknownVal(), stateFree);
2204	if (!stateRealloc)
2205	return nullptr;
2206
2207	ReallocPairKind Kind = RPToBeFreedAfterFailure;
2208	if (FreesOnFail)
2209	Kind = RPIsFreeOnFailure;
2210	else if (!ReleasedAllocated)
2211	Kind = RPDoNotTrackAfterFailure;
2212
2213	// Record the info about the reallocated symbol so that we could properly
2214	// process failed reallocation.
2215	stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
2216	ReallocPair(FromPtr, Kind));
2217	// The reallocated symbol should stay alive for as long as the new symbol.
2218	C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
2219	return stateRealloc;
2220	}
2221	return nullptr;
2222	}
2223
2224	ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE,
2225	ProgramStateRef State) {
2226	if (!State)
2227	return nullptr;
2228
2229	if (CE->getNumArgs() < 2)
2230	return nullptr;
2231
2232	SValBuilder &svalBuilder = C.getSValBuilder();
2233	SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
2234	SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
2235
2236	return MallocMemAux(C, CE, TotalSize, zeroVal, State);
2237	}
2238
2239	LeakInfo
2240	MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
2241	CheckerContext &C) const {
2242	const LocationContext *LeakContext = N->getLocationContext();
2243	// Walk the ExplodedGraph backwards and find the first node that referred to
2244	// the tracked symbol.
2245	const ExplodedNode *AllocNode = N;
2246	const MemRegion *ReferenceRegion = nullptr;
2247
2248	while (N) {
2249	ProgramStateRef State = N->getState();
2250	if (!State->get<RegionState>(Sym))
2251	break;
2252
2253	// Find the most recent expression bound to the symbol in the current
2254	// context.
2255	if (!ReferenceRegion) {
2256	if (const MemRegion *MR = C.getLocationRegionIfPostStore(N)) {
2257	SVal Val = State->getSVal(MR);
2258	if (Val.getAsLocSymbol() == Sym) {
2259	const VarRegion* VR = MR->getBaseRegion()->getAs<VarRegion>();
2260	// Do not show local variables belonging to a function other than
2261	// where the error is reported.
2262	if (!VR \|\|
2263	(VR->getStackFrame() == LeakContext->getStackFrame()))
2264	ReferenceRegion = MR;
2265	}
2266	}
2267	}
2268
2269	// Allocation node, is the last node in the current or parent context in
2270	// which the symbol was tracked.
2271	const LocationContext *NContext = N->getLocationContext();
2272	if (NContext == LeakContext \|\|
2273	NContext->isParentOf(LeakContext))
2274	AllocNode = N;
2275	N = N->pred_empty() ? nullptr : *(N->pred_begin());
2276	}
2277
2278	return LeakInfo(AllocNode, ReferenceRegion);
2279	}
2280
2281	void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
2282	CheckerContext &C) const {
2283
2284	if (!ChecksEnabled[CK_MallocChecker] &&
2285	!ChecksEnabled[CK_NewDeleteLeaksChecker])
2286	return;
2287
2288	const RefState *RS = C.getState()->get<RegionState>(Sym);
2289	(0) . __assert_fail ("RS && \"cannot leak an untracked symbol\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 2289, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(RS && "cannot leak an untracked symbol");
2290	AllocationFamily Family = RS->getAllocationFamily();
2291
2292	if (Family == AF_Alloca)
2293	return;
2294
2295	Optional<MallocChecker::CheckKind>
2296	CheckKind = getCheckIfTracked(Family, true);
2297
2298	if (!CheckKind.hasValue())
2299	return;
2300
2301	assert(N);
2302	if (!BT_Leak[*CheckKind]) {
2303	// Leaks should not be reported if they are post-dominated by a sink:
2304	// (1) Sinks are higher importance bugs.
2305	// (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
2306	// with __noreturn functions such as assert() or exit(). We choose not
2307	// to report leaks on such paths.
2308	BT_Leak[CheckKind].reset(new BugType(CheckNames[CheckKind], "Memory leak",
2309	categories::MemoryError,
2310	/SuppressOnSink=/true));
2311	}
2312
2313	// Most bug reports are cached at the location where they occurred.
2314	// With leaks, we want to unique them by the location where they were
2315	// allocated, and only report a single path.
2316	PathDiagnosticLocation LocUsedForUniqueing;
2317	const ExplodedNode *AllocNode = nullptr;
2318	const MemRegion *Region = nullptr;
2319	std::tie(AllocNode, Region) = getAllocationSite(N, Sym, C);
2320
2321	const Stmt *AllocationStmt = PathDiagnosticLocation::getStmt(AllocNode);
2322	if (AllocationStmt)
2323	LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocationStmt,
2324	C.getSourceManager(),
2325	AllocNode->getLocationContext());
2326
2327	SmallString<200> buf;
2328	llvm::raw_svector_ostream os(buf);
2329	if (Region && Region->canPrintPretty()) {
2330	os << "Potential leak of memory pointed to by ";
2331	Region->printPretty(os);
2332	} else {
2333	os << "Potential memory leak";
2334	}
2335
2336	auto R = llvm::make_unique<BugReport>(
2337	BT_Leak[CheckKind], os.str(), N, LocUsedForUniqueing,
2338	AllocNode->getLocationContext()->getDecl());
2339	R->markInteresting(Sym);
2340	R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym, true));
2341	C.emitReport(std::move(R));
2342	}
2343
2344	void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2345	CheckerContext &C) const
2346	{
2347	ProgramStateRef state = C.getState();
2348	RegionStateTy OldRS = state->get<RegionState>();
2349	RegionStateTy::Factory &F = state->get_context<RegionState>();
2350
2351	RegionStateTy RS = OldRS;
2352	SmallVector<SymbolRef, 2> Errors;
2353	for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2354	if (SymReaper.isDead(I->first)) {
2355	if (I->second.isAllocated() \|\| I->second.isAllocatedOfSizeZero())
2356	Errors.push_back(I->first);
2357	// Remove the dead symbol from the map.
2358	RS = F.remove(RS, I->first);
2359	}
2360	}
2361
2362	if (RS == OldRS) {
2363	// We shouldn't have touched other maps yet.
2364	get() == C.getState()->get()", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 2365, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(state->get<ReallocPairs>() ==
2365	get() == C.getState()->get()", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 2365, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> C.getState()->get<ReallocPairs>());
2366	get() == C.getState()->get()", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 2367, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(state->get<FreeReturnValue>() ==
2367	get() == C.getState()->get()", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 2367, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> C.getState()->get<FreeReturnValue>());
2368	return;
2369	}
2370
2371	// Cleanup the Realloc Pairs Map.
2372	ReallocPairsTy RP = state->get<ReallocPairs>();
2373	for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2374	if (SymReaper.isDead(I->first) \|\|
2375	SymReaper.isDead(I->second.ReallocatedSym)) {
2376	state = state->remove<ReallocPairs>(I->first);
2377	}
2378	}
2379
2380	// Cleanup the FreeReturnValue Map.
2381	FreeReturnValueTy FR = state->get<FreeReturnValue>();
2382	for (FreeReturnValueTy::iterator I = FR.begin(), E = FR.end(); I != E; ++I) {
2383	if (SymReaper.isDead(I->first) \|\|
2384	SymReaper.isDead(I->second)) {
2385	state = state->remove<FreeReturnValue>(I->first);
2386	}
2387	}
2388
2389	// Generate leak node.
2390	ExplodedNode *N = C.getPredecessor();
2391	if (!Errors.empty()) {
2392	static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
2393	N = C.generateNonFatalErrorNode(C.getState(), &Tag);
2394	if (N) {
2395	for (SmallVectorImpl<SymbolRef>::iterator
2396	I = Errors.begin(), E = Errors.end(); I != E; ++I) {
2397	reportLeak(*I, N, C);
2398	}
2399	}
2400	}
2401
2402	C.addTransition(state->set<RegionState>(RS), N);
2403	}
2404
2405	void MallocChecker::checkPreCall(const CallEvent &Call,
2406	CheckerContext &C) const {
2407
2408	if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) {
2409	SymbolRef Sym = DC->getCXXThisVal().getAsSymbol();
2410	if (!Sym \|\| checkDoubleDelete(Sym, C))
2411	return;
2412	}
2413
2414	// We will check for double free in the post visit.
2415	if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
2416	const FunctionDecl *FD = FC->getDecl();
2417	if (!FD)
2418	return;
2419
2420	ASTContext &Ctx = C.getASTContext();
2421	if (ChecksEnabled[CK_MallocChecker] &&
2422	(isCMemFunction(FD, Ctx, AF_Malloc, MemoryOperationKind::MOK_Free) \|\|
2423	isCMemFunction(FD, Ctx, AF_IfNameIndex,
2424	MemoryOperationKind::MOK_Free)))
2425	return;
2426	}
2427
2428	// Check if the callee of a method is deleted.
2429	if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
2430	SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
2431	if (!Sym \|\| checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
2432	return;
2433	}
2434
2435	// Check arguments for being used after free.
2436	for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) {
2437	SVal ArgSVal = Call.getArgSVal(I);
2438	if (ArgSVal.getAs<Loc>()) {
2439	SymbolRef Sym = ArgSVal.getAsSymbol();
2440	if (!Sym)
2441	continue;
2442	if (checkUseAfterFree(Sym, C, Call.getArgExpr(I)))
2443	return;
2444	}
2445	}
2446	}
2447
2448	void MallocChecker::checkPreStmt(const ReturnStmt *S,
2449	CheckerContext &C) const {
2450	checkEscapeOnReturn(S, C);
2451	}
2452
2453	// In the CFG, automatic destructors come after the return statement.
2454	// This callback checks for returning memory that is freed by automatic
2455	// destructors, as those cannot be reached in checkPreStmt().
2456	void MallocChecker::checkEndFunction(const ReturnStmt *S,
2457	CheckerContext &C) const {
2458	checkEscapeOnReturn(S, C);
2459	}
2460
2461	void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
2462	CheckerContext &C) const {
2463	if (!S)
2464	return;
2465
2466	const Expr *E = S->getRetValue();
2467	if (!E)
2468	return;
2469
2470	// Check if we are returning a symbol.
2471	ProgramStateRef State = C.getState();
2472	SVal RetVal = C.getSVal(E);
2473	SymbolRef Sym = RetVal.getAsSymbol();
2474	if (!Sym)
2475	// If we are returning a field of the allocated struct or an array element,
2476	// the callee could still free the memory.
2477	// TODO: This logic should be a part of generic symbol escape callback.
2478	if (const MemRegion *MR = RetVal.getAsRegion())
2479	if (isa<FieldRegion>(MR) \|\| isa<ElementRegion>(MR))
2480	if (const SymbolicRegion *BMR =
2481	dyn_cast<SymbolicRegion>(MR->getBaseRegion()))
2482	Sym = BMR->getSymbol();
2483
2484	// Check if we are returning freed memory.
2485	if (Sym)
2486	checkUseAfterFree(Sym, C, E);
2487	}
2488
2489	// TODO: Blocks should be either inlined or should call invalidate regions
2490	// upon invocation. After that's in place, special casing here will not be
2491	// needed.
2492	void MallocChecker::checkPostStmt(const BlockExpr *BE,
2493	CheckerContext &C) const {
2494
2495	// Scan the BlockDecRefExprs for any object the retain count checker
2496	// may be tracking.
2497	if (!BE->getBlockDecl()->hasCaptures())
2498	return;
2499
2500	ProgramStateRef state = C.getState();
2501	const BlockDataRegion *R =
2502	cast<BlockDataRegion>(C.getSVal(BE).getAsRegion());
2503
2504	BlockDataRegion::referenced_vars_iterator I = R->referenced_vars_begin(),
2505	E = R->referenced_vars_end();
2506
2507	if (I == E)
2508	return;
2509
2510	SmallVector<const MemRegion*, 10> Regions;
2511	const LocationContext *LC = C.getLocationContext();
2512	MemRegionManager &MemMgr = C.getSValBuilder().getRegionManager();
2513
2514	for ( ; I != E; ++I) {
2515	const VarRegion *VR = I.getCapturedRegion();
2516	if (VR->getSuperRegion() == R) {
2517	VR = MemMgr.getVarRegion(VR->getDecl(), LC);
2518	}
2519	Regions.push_back(VR);
2520	}
2521
2522	state =
2523	state->scanReachableSymbols<StopTrackingCallback>(Regions).getState();
2524	C.addTransition(state);
2525	}
2526
2527	bool MallocChecker::isReleased(SymbolRef Sym, CheckerContext &C) const {
2528	assert(Sym);
2529	const RefState *RS = C.getState()->get<RegionState>(Sym);
2530	return (RS && RS->isReleased());
2531	}
2532
2533	bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
2534	const Stmt *S) const {
2535
2536	if (isReleased(Sym, C)) {
2537	ReportUseAfterFree(C, S->getSourceRange(), Sym);
2538	return true;
2539	}
2540
2541	return false;
2542	}
2543
2544	void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
2545	const Stmt *S) const {
2546	assert(Sym);
2547
2548	if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
2549	if (RS->isAllocatedOfSizeZero())
2550	ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym);
2551	}
2552	else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
2553	ReportUseZeroAllocated(C, S->getSourceRange(), Sym);
2554	}
2555	}
2556
2557	bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
2558
2559	if (isReleased(Sym, C)) {
2560	ReportDoubleDelete(C, Sym);
2561	return true;
2562	}
2563	return false;
2564	}
2565
2566	// Check if the location is a freed symbolic region.
2567	void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
2568	CheckerContext &C) const {
2569	SymbolRef Sym = l.getLocSymbolInBase();
2570	if (Sym) {
2571	checkUseAfterFree(Sym, C, S);
2572	checkUseZeroAllocated(Sym, C, S);
2573	}
2574	}
2575
2576	// If a symbolic region is assumed to NULL (or another constant), stop tracking
2577	// it - assuming that allocation failed on this path.
2578	ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
2579	SVal Cond,
2580	bool Assumption) const {
2581	RegionStateTy RS = state->get<RegionState>();
2582	for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
2583	// If the symbol is assumed to be NULL, remove it from consideration.
2584	ConstraintManager &CMgr = state->getConstraintManager();
2585	ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2586	if (AllocFailed.isConstrainedTrue())
2587	state = state->remove<RegionState>(I.getKey());
2588	}
2589
2590	// Realloc returns 0 when reallocation fails, which means that we should
2591	// restore the state of the pointer being reallocated.
2592	ReallocPairsTy RP = state->get<ReallocPairs>();
2593	for (ReallocPairsTy::iterator I = RP.begin(), E = RP.end(); I != E; ++I) {
2594	// If the symbol is assumed to be NULL, remove it from consideration.
2595	ConstraintManager &CMgr = state->getConstraintManager();
2596	ConditionTruthVal AllocFailed = CMgr.isNull(state, I.getKey());
2597	if (!AllocFailed.isConstrainedTrue())
2598	continue;
2599
2600	SymbolRef ReallocSym = I.getData().ReallocatedSym;
2601	if (const RefState *RS = state->get<RegionState>(ReallocSym)) {
2602	if (RS->isReleased()) {
2603	if (I.getData().Kind == RPToBeFreedAfterFailure)
2604	state = state->set<RegionState>(ReallocSym,
2605	RefState::getAllocated(RS->getAllocationFamily(), RS->getStmt()));
2606	else if (I.getData().Kind == RPDoNotTrackAfterFailure)
2607	state = state->remove<RegionState>(ReallocSym);
2608	else
2609	assert(I.getData().Kind == RPIsFreeOnFailure);
2610	}
2611	}
2612	state = state->remove<ReallocPairs>(I.getKey());
2613	}
2614
2615	return state;
2616	}
2617
2618	bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(
2619	const CallEvent *Call,
2620	ProgramStateRef State,
2621	SymbolRef &EscapingSymbol) const {
2622	assert(Call);
2623	EscapingSymbol = nullptr;
2624
2625	// For now, assume that any C++ or block call can free memory.
2626	// TODO: If we want to be more optimistic here, we'll need to make sure that
2627	// regions escape to C++ containers. They seem to do that even now, but for
2628	// mysterious reasons.
2629	if (!(isa<SimpleFunctionCall>(Call) \|\| isa<ObjCMethodCall>(Call)))
2630	return true;
2631
2632	// Check Objective-C messages by selector name.
2633	if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(Call)) {
2634	// If it's not a framework call, or if it takes a callback, assume it
2635	// can free memory.
2636	if (!Call->isInSystemHeader() \|\| Call->argumentsMayEscape())
2637	return true;
2638
2639	// If it's a method we know about, handle it explicitly post-call.
2640	// This should happen before the "freeWhenDone" check below.
2641	if (isKnownDeallocObjCMethodName(*Msg))
2642	return false;
2643
2644	// If there's a "freeWhenDone" parameter, but the method isn't one we know
2645	// about, we can't be sure that the object will use free() to deallocate the
2646	// memory, so we can't model it explicitly. The best we can do is use it to
2647	// decide whether the pointer escapes.
2648	if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(*Msg))
2649	return *FreeWhenDone;
2650
2651	// If the first selector piece ends with "NoCopy", and there is no
2652	// "freeWhenDone" parameter set to zero, we know ownership is being
2653	// transferred. Again, though, we can't be sure that the object will use
2654	// free() to deallocate the memory, so we can't model it explicitly.
2655	StringRef FirstSlot = Msg->getSelector().getNameForSlot(0);
2656	if (FirstSlot.endswith("NoCopy"))
2657	return true;
2658
2659	// If the first selector starts with addPointer, insertPointer,
2660	// or replacePointer, assume we are dealing with NSPointerArray or similar.
2661	// This is similar to C++ containers (vector); we still might want to check
2662	// that the pointers get freed by following the container itself.
2663	if (FirstSlot.startswith("addPointer") \|\|
2664	FirstSlot.startswith("insertPointer") \|\|
2665	FirstSlot.startswith("replacePointer") \|\|
2666	FirstSlot.equals("valueWithPointer")) {
2667	return true;
2668	}
2669
2670	// We should escape receiver on call to 'init'. This is especially relevant
2671	// to the receiver, as the corresponding symbol is usually not referenced
2672	// after the call.
2673	if (Msg->getMethodFamily() == OMF_init) {
2674	EscapingSymbol = Msg->getReceiverSVal().getAsSymbol();
2675	return true;
2676	}
2677
2678	// Otherwise, assume that the method does not free memory.
2679	// Most framework methods do not free memory.
2680	return false;
2681	}
2682
2683	// At this point the only thing left to handle is straight function calls.
2684	const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
2685	if (!FD)
2686	return true;
2687
2688	ASTContext &ASTC = State->getStateManager().getContext();
2689
2690	// If it's one of the allocation functions we can reason about, we model
2691	// its behavior explicitly.
2692	if (isMemFunction(FD, ASTC))
2693	return false;
2694
2695	// If it's not a system call, assume it frees memory.
2696	if (!Call->isInSystemHeader())
2697	return true;
2698
2699	// White list the system functions whose arguments escape.
2700	const IdentifierInfo *II = FD->getIdentifier();
2701	if (!II)
2702	return true;
2703	StringRef FName = II->getName();
2704
2705	// White list the 'XXXNoCopy' CoreFoundation functions.
2706	// We specifically check these before
2707	if (FName.endswith("NoCopy")) {
2708	// Look for the deallocator argument. We know that the memory ownership
2709	// is not transferred only if the deallocator argument is
2710	// 'kCFAllocatorNull'.
2711	for (unsigned i = 1; i < Call->getNumArgs(); ++i) {
2712	const Expr *ArgE = Call->getArgExpr(i)->IgnoreParenCasts();
2713	if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(ArgE)) {
2714	StringRef DeallocatorName = DE->getFoundDecl()->getName();
2715	if (DeallocatorName == "kCFAllocatorNull")
2716	return false;
2717	}
2718	}
2719	return true;
2720	}
2721
2722	// Associating streams with malloced buffers. The pointer can escape if
2723	// 'closefn' is specified (and if that function does free memory),
2724	// but it will not if closefn is not specified.
2725	// Currently, we do not inspect the 'closefn' function (PR12101).
2726	if (FName == "funopen")
2727	if (Call->getNumArgs() >= 4 && Call->getArgSVal(4).isConstant(0))
2728	return false;
2729
2730	// Do not warn on pointers passed to 'setbuf' when used with std streams,
2731	// these leaks might be intentional when setting the buffer for stdio.
2732	// http://stackoverflow.com/questions/2671151/who-frees-setvbuf-buffer
2733	if (FName == "setbuf" \|\| FName =="setbuffer" \|\|
2734	FName == "setlinebuf" \|\| FName == "setvbuf") {
2735	if (Call->getNumArgs() >= 1) {
2736	const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();
2737	if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))
2738	if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))
2739	if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos)
2740	return true;
2741	}
2742	}
2743
2744	// A bunch of other functions which either take ownership of a pointer or
2745	// wrap the result up in a struct or object, meaning it can be freed later.
2746	// (See RetainCountChecker.) Not all the parameters here are invalidated,
2747	// but the Malloc checker cannot differentiate between them. The right way
2748	// of doing this would be to implement a pointer escapes callback.
2749	if (FName == "CGBitmapContextCreate" \|\|
2750	FName == "CGBitmapContextCreateWithData" \|\|
2751	FName == "CVPixelBufferCreateWithBytes" \|\|
2752	FName == "CVPixelBufferCreateWithPlanarBytes" \|\|
2753	FName == "OSAtomicEnqueue") {
2754	return true;
2755	}
2756
2757	if (FName == "postEvent" &&
2758	FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2759	return true;
2760	}
2761
2762	if (FName == "postEvent" &&
2763	FD->getQualifiedNameAsString() == "QCoreApplication::postEvent") {
2764	return true;
2765	}
2766
2767	if (FName == "connectImpl" &&
2768	FD->getQualifiedNameAsString() == "QObject::connectImpl") {
2769	return true;
2770	}
2771
2772	// Handle cases where we know a buffer's /address/ can escape.
2773	// Note that the above checks handle some special cases where we know that
2774	// even though the address escapes, it's still our responsibility to free the
2775	// buffer.
2776	if (Call->argumentsMayEscape())
2777	return true;
2778
2779	// Otherwise, assume that the function does not free memory.
2780	// Most system calls do not free the memory.
2781	return false;
2782	}
2783
2784	static bool retTrue(const RefState *RS) {
2785	return true;
2786	}
2787
2788	static bool checkIfNewOrNewArrayFamily(const RefState *RS) {
2789	return (RS->getAllocationFamily() == AF_CXXNewArray \|\|
2790	RS->getAllocationFamily() == AF_CXXNew);
2791	}
2792
2793	ProgramStateRef MallocChecker::checkPointerEscape(ProgramStateRef State,
2794	const InvalidatedSymbols &Escaped,
2795	const CallEvent *Call,
2796	PointerEscapeKind Kind) const {
2797	return checkPointerEscapeAux(State, Escaped, Call, Kind, &retTrue);
2798	}
2799
2800	ProgramStateRef MallocChecker::checkConstPointerEscape(ProgramStateRef State,
2801	const InvalidatedSymbols &Escaped,
2802	const CallEvent *Call,
2803	PointerEscapeKind Kind) const {
2804	return checkPointerEscapeAux(State, Escaped, Call, Kind,
2805	&checkIfNewOrNewArrayFamily);
2806	}
2807
2808	ProgramStateRef MallocChecker::checkPointerEscapeAux(ProgramStateRef State,
2809	const InvalidatedSymbols &Escaped,
2810	const CallEvent *Call,
2811	PointerEscapeKind Kind,
2812	bool(CheckRefState)(const RefState)) const {
2813	// If we know that the call does not free memory, or we want to process the
2814	// call later, keep tracking the top level arguments.
2815	SymbolRef EscapingSymbol = nullptr;
2816	if (Kind == PSK_DirectEscapeOnCall &&
2817	!mayFreeAnyEscapedMemoryOrIsModeledExplicitly(Call, State,
2818	EscapingSymbol) &&
2819	!EscapingSymbol) {
2820	return State;
2821	}
2822
2823	for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
2824	E = Escaped.end();
2825	I != E; ++I) {
2826	SymbolRef sym = *I;
2827
2828	if (EscapingSymbol && EscapingSymbol != sym)
2829	continue;
2830
2831	if (const RefState *RS = State->get<RegionState>(sym)) {
2832	if ((RS->isAllocated() \|\| RS->isAllocatedOfSizeZero()) &&
2833	CheckRefState(RS)) {
2834	State = State->remove<RegionState>(sym);
2835	State = State->set<RegionState>(sym, RefState::getEscaped(RS));
2836	}
2837	}
2838	}
2839	return State;
2840	}
2841
2842	static SymbolRef findFailedReallocSymbol(ProgramStateRef currState,
2843	ProgramStateRef prevState) {
2844	ReallocPairsTy currMap = currState->get<ReallocPairs>();
2845	ReallocPairsTy prevMap = prevState->get<ReallocPairs>();
2846
2847	for (ReallocPairsTy::iterator I = prevMap.begin(), E = prevMap.end();
2848	I != E; ++I) {
2849	SymbolRef sym = I.getKey();
2850	if (!currMap.lookup(sym))
2851	return sym;
2852	}
2853
2854	return nullptr;
2855	}
2856
2857	static bool isReferenceCountingPointerDestructor(const CXXDestructorDecl *DD) {
2858	if (const IdentifierInfo *II = DD->getParent()->getIdentifier()) {
2859	StringRef N = II->getName();
2860	if (N.contains_lower("ptr") \|\| N.contains_lower("pointer")) {
2861	if (N.contains_lower("ref") \|\| N.contains_lower("cnt") \|\|
2862	N.contains_lower("intrusive") \|\| N.contains_lower("shared")) {
2863	return true;
2864	}
2865	}
2866	}
2867	return false;
2868	}
2869
2870	std::shared_ptr<PathDiagnosticPiece> MallocChecker::MallocBugVisitor::VisitNode(
2871	const ExplodedNode *N, BugReporterContext &BRC, BugReport &BR) {
2872
2873	ProgramStateRef state = N->getState();
2874	ProgramStateRef statePrev = N->getFirstPred()->getState();
2875
2876	const RefState *RS = state->get<RegionState>(Sym);
2877	const RefState *RSPrev = statePrev->get<RegionState>(Sym);
2878
2879	const Stmt *S = PathDiagnosticLocation::getStmt(N);
2880	// When dealing with containers, we sometimes want to give a note
2881	// even if the statement is missing.
2882	if (!S && (!RS \|\| RS->getAllocationFamily() != AF_InnerBuffer))
2883	return nullptr;
2884
2885	const LocationContext *CurrentLC = N->getLocationContext();
2886
2887	// If we find an atomic fetch_add or fetch_sub within the destructor in which
2888	// the pointer was released (before the release), this is likely a destructor
2889	// of a shared pointer.
2890	// Because we don't model atomics, and also because we don't know that the
2891	// original reference count is positive, we should not report use-after-frees
2892	// on objects deleted in such destructors. This can probably be improved
2893	// through better shared pointer modeling.
2894	if (ReleaseDestructorLC) {
2895	if (const auto *AE = dyn_cast<AtomicExpr>(S)) {
2896	AtomicExpr::AtomicOp Op = AE->getOp();
2897	if (Op == AtomicExpr::AO__c11_atomic_fetch_add \|\|
2898	Op == AtomicExpr::AO__c11_atomic_fetch_sub) {
2899	if (ReleaseDestructorLC == CurrentLC \|\|
2900	ReleaseDestructorLC->isParentOf(CurrentLC)) {
2901	BR.markInvalid(getTag(), S);
2902	}
2903	}
2904	}
2905	}
2906
2907	// FIXME: We will eventually need to handle non-statement-based events
2908	// (__attribute__((cleanup))).
2909
2910	// Find out if this is an interesting point and what is the kind.
2911	StringRef Msg;
2912	StackHintGeneratorForSymbol *StackHint = nullptr;
2913	SmallString<256> Buf;
2914	llvm::raw_svector_ostream OS(Buf);
2915
2916	if (Mode == Normal) {
2917	if (isAllocated(RS, RSPrev, S)) {
2918	Msg = "Memory is allocated";
2919	StackHint = new StackHintGeneratorForSymbol(Sym,
2920	"Returned allocated memory");
2921	} else if (isReleased(RS, RSPrev, S)) {
2922	const auto Family = RS->getAllocationFamily();
2923	switch (Family) {
2924	case AF_Alloca:
2925	case AF_Malloc:
2926	case AF_CXXNew:
2927	case AF_CXXNewArray:
2928	case AF_IfNameIndex:
2929	Msg = "Memory is released";
2930	StackHint = new StackHintGeneratorForSymbol(Sym,
2931	"Returning; memory was released");
2932	break;
2933	case AF_InnerBuffer: {
2934	const MemRegion *ObjRegion =
2935	allocation_state::getContainerObjRegion(statePrev, Sym);
2936	const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion);
2937	QualType ObjTy = TypedRegion->getValueType();
2938	OS << "Inner buffer of '" << ObjTy.getAsString() << "' ";
2939
2940	if (N->getLocation().getKind() == ProgramPoint::PostImplicitCallKind) {
2941	OS << "deallocated by call to destructor";
2942	StackHint = new StackHintGeneratorForSymbol(Sym,
2943	"Returning; inner buffer was deallocated");
2944	} else {
2945	OS << "reallocated by call to '";
2946	const Stmt *S = RS->getStmt();
2947	if (const auto *MemCallE = dyn_cast<CXXMemberCallExpr>(S)) {
2948	OS << MemCallE->getMethodDecl()->getNameAsString();
2949	} else if (const auto *OpCallE = dyn_cast<CXXOperatorCallExpr>(S)) {
2950	OS << OpCallE->getDirectCallee()->getNameAsString();
2951	} else if (const auto *CallE = dyn_cast<CallExpr>(S)) {
2952	auto &CEMgr = BRC.getStateManager().getCallEventManager();
2953	CallEventRef<> Call = CEMgr.getSimpleCall(CallE, state, CurrentLC);
2954	const auto *D = dyn_cast_or_null<NamedDecl>(Call->getDecl());
2955	OS << (D ? D->getNameAsString() : "unknown");
2956	}
2957	OS << "'";
2958	StackHint = new StackHintGeneratorForSymbol(Sym,
2959	"Returning; inner buffer was reallocated");
2960	}
2961	Msg = OS.str();
2962	break;
2963	}
2964	case AF_None:
2965	llvm_unreachable("Unhandled allocation family!");
2966	}
2967
2968	// See if we're releasing memory while inlining a destructor
2969	// (or one of its callees). This turns on various common
2970	// false positive suppressions.
2971	bool FoundAnyDestructor = false;
2972	for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
2973	if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
2974	if (isReferenceCountingPointerDestructor(DD)) {
2975	// This immediately looks like a reference-counting destructor.
2976	// We're bad at guessing the original reference count of the object,
2977	// so suppress the report for now.
2978	BR.markInvalid(getTag(), DD);
2979	} else if (!FoundAnyDestructor) {
2980	(0) . __assert_fail ("!ReleaseDestructorLC && \"There can be only one release point!\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 2981, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(!ReleaseDestructorLC &&
2981	(0) . __assert_fail ("!ReleaseDestructorLC && \"There can be only one release point!\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 2981, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> "There can be only one release point!");
2982	// Suspect that it's a reference counting pointer destructor.
2983	// On one of the next nodes might find out that it has atomic
2984	// reference counting operations within it (see the code above),
2985	// and if so, we'd conclude that it likely is a reference counting
2986	// pointer destructor.
2987	ReleaseDestructorLC = LC->getStackFrame();
2988	// It is unlikely that releasing memory is delegated to a destructor
2989	// inside a destructor of a shared pointer, because it's fairly hard
2990	// to pass the information that the pointer indeed needs to be
2991	// released into it. So we're only interested in the innermost
2992	// destructor.
2993	FoundAnyDestructor = true;
2994	}
2995	}
2996	}
2997	} else if (isRelinquished(RS, RSPrev, S)) {
2998	Msg = "Memory ownership is transferred";
2999	StackHint = new StackHintGeneratorForSymbol(Sym, "");
3000	} else if (isReallocFailedCheck(RS, RSPrev, S)) {
3001	Mode = ReallocationFailed;
3002	Msg = "Reallocation failed";
3003	StackHint = new StackHintGeneratorForReallocationFailed(Sym,
3004	"Reallocation failed");
3005
3006	if (SymbolRef sym = findFailedReallocSymbol(state, statePrev)) {
3007	// Is it possible to fail two reallocs WITHOUT testing in between?
3008	(0) . __assert_fail ("(!FailedReallocSymbol \|\| FailedReallocSymbol == sym) && \"We only support one failed realloc at a time.\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 3009, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert((!FailedReallocSymbol \|\| FailedReallocSymbol == sym) &&
3009	(0) . __assert_fail ("(!FailedReallocSymbol \|\| FailedReallocSymbol == sym) && \"We only support one failed realloc at a time.\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 3009, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true"> "We only support one failed realloc at a time.");
3010	BR.markInteresting(sym);
3011	FailedReallocSymbol = sym;
3012	}
3013	}
3014
3015	// We are in a special mode if a reallocation failed later in the path.
3016	} else if (Mode == ReallocationFailed) {
3017	(0) . __assert_fail ("FailedReallocSymbol && \"No symbol to look for.\"", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 3017, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(FailedReallocSymbol && "No symbol to look for.");
3018
3019	// Is this is the first appearance of the reallocated symbol?
3020	if (!statePrev->get<RegionState>(FailedReallocSymbol)) {
3021	// We're at the reallocation point.
3022	Msg = "Attempt to reallocate memory";
3023	StackHint = new StackHintGeneratorForSymbol(Sym,
3024	"Returned reallocated memory");
3025	FailedReallocSymbol = nullptr;
3026	Mode = Normal;
3027	}
3028	}
3029
3030	if (Msg.empty())
3031	return nullptr;
3032	assert(StackHint);
3033
3034	// Generate the extra diagnostic.
3035	PathDiagnosticLocation Pos;
3036	if (!S) {
3037	getAllocationFamily() == AF_InnerBuffer", "/home/seafit/code_projects/clang_source/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp", 3037, __PRETTY_FUNCTION__))" file_link="../../../../include/assert.h.html#88" macro="true">assert(RS->getAllocationFamily() == AF_InnerBuffer);
3038	auto PostImplCall = N->getLocation().getAs<PostImplicitCall>();
3039	if (!PostImplCall)
3040	return nullptr;
3041	Pos = PathDiagnosticLocation(PostImplCall->getLocation(),
3042	BRC.getSourceManager());
3043	} else {
3044	Pos = PathDiagnosticLocation(S, BRC.getSourceManager(),
3045	N->getLocationContext());
3046	}
3047
3048	return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true, StackHint);
3049	}
3050
3051	void MallocChecker::printState(raw_ostream &Out, ProgramStateRef State,
3052	const char NL, const char Sep) const {
3053
3054	RegionStateTy RS = State->get<RegionState>();
3055
3056	if (!RS.isEmpty()) {
3057	Out << Sep << "MallocChecker :" << NL;
3058	for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
3059	const RefState *RefS = State->get<RegionState>(I.getKey());
3060	AllocationFamily Family = RefS->getAllocationFamily();
3061	Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
3062	if (!CheckKind.hasValue())
3063	CheckKind = getCheckIfTracked(Family, true);
3064
3065	I.getKey()->dumpToStream(Out);
3066	Out << " : ";
3067	I.getData().dump(Out);
3068	if (CheckKind.hasValue())
3069	Out << " (" << CheckNames[*CheckKind].getName() << ")";
3070	Out << NL;
3071	}
3072	}
3073	}
3074
3075	namespace clang {
3076	namespace ento {
3077	namespace allocation_state {
3078
3079	ProgramStateRef
3080	markReleased(ProgramStateRef State, SymbolRef Sym, const Expr *Origin) {
3081	AllocationFamily Family = AF_InnerBuffer;
3082	return State->set<RegionState>(Sym, RefState::getReleased(Family, Origin));
3083	}
3084
3085	} // end namespace allocation_state
3086	} // end namespace ento
3087	} // end namespace clang
3088
3089	// Intended to be used in InnerPointerChecker to register the part of
3090	// MallocChecker connected to it.
3091	void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) {
3092	MallocChecker *checker = mgr.getChecker<MallocChecker>();
3093	checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
3094	checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
3095	mgr.getCurrentCheckName();
3096	}
3097
3098	void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
3099	auto *checker = mgr.registerChecker<MallocChecker>();
3100	checker->IsOptimistic = mgr.getAnalyzerOptions().getCheckerBooleanOption(
3101	checker, "Optimistic", false);
3102	}
3103
3104	bool ento::shouldRegisterDynamicMemoryModeling(const LangOptions &LO) {
3105	return true;
3106	}
3107
3108	#define REGISTER_CHECKER(name) \
3109	void ento::register##name(CheckerManager &mgr) { \
3110	MallocChecker *checker = mgr.getChecker<MallocChecker>(); \
3111	checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
3112	checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \
3113	} \
3114	\
3115	bool ento::shouldRegister##name(const LangOptions &LO) { \
3116	return true; \
3117	}
3118
3119	REGISTER_CHECKER(MallocChecker)
3120	REGISTER_CHECKER(NewDeleteChecker)
3121	REGISTER_CHECKER(NewDeleteLeaksChecker)
3122	REGISTER_CHECKER(MismatchedDeallocatorChecker)
3123

Clang Project