StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp

139823Simp//=== FuchsiaHandleChecker.cpp - Find handle leaks/double closes -*- C++ -*--=//
1541Srgrimes//
1541Srgrimes// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
137668Smlaier// See https://llvm.org/LICENSE.txt for license information.
1541Srgrimes// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
1541Srgrimes//
1541Srgrimes//===----------------------------------------------------------------------===//
1541Srgrimes//
1541Srgrimes// This checker checks if the handle of Fuchsia is properly used according to
1541Srgrimes// following rules.
1541Srgrimes//   - If a handle is acquired, it should be released before execution
1541Srgrimes//        ends.
1541Srgrimes//   - If a handle is released, it should not be released again.
1541Srgrimes//   - If a handle is released, it should not be used for other purposes
1541Srgrimes//        such as I/O.
1541Srgrimes//
1541Srgrimes// In this checker, each tracked handle is associated with a state. When the
1541Srgrimes// handle variable is passed to different function calls or syscalls, its state
1541Srgrimes// changes. The state changes can be generally represented by following ASCII
1541Srgrimes// Art:
1541Srgrimes//
1541Srgrimes//
1541Srgrimes//                              +-+---------v-+         +------------+
1541Srgrimes//       acquire_func succeeded |             | Escape  |            |
1541Srgrimes//            +----------------->  Allocated  +--------->  Escaped   <--+
1541Srgrimes//            |                 |             |         |            |  |
1541Srgrimes//            |                 +-----+------++         +------------+  |
1541Srgrimes//            |                       |      |                          |
1541Srgrimes//            |         release_func  |      +--+                       |
10939Swollman//            |                       |         | handle  +--------+    |
1541Srgrimes//            |                       |         | dies    |        |    |
1541Srgrimes//            |                  +----v-----+   +---------> Leaked |    |
172467Ssilby//            |                  |          |             |(REPORT)|    |
172467Ssilby// +----------+--+               | Released | Escape      +--------+    |
172467Ssilby// |             |               |          +---------------------------+
204902Sqingli// | Not tracked <--+            +----+---+-+
143868Sglebius// |             |  |                 |   |        As argument by value
1541Srgrimes// +------+------+  |    release_func |   +------+ in function call
1549Srgrimes//        |         |                 |          | or by reference in
24204Sbde//        |         |                 |          | use_func call
1541Srgrimes//        +---------+            +----v-----+    |     +-----------+
164033Srwatson//        acquire_func failed    | Double   |    +-----> Use after |
1541Srgrimes//                               | released |          | released  |
186948Sbz//                               | (REPORT) |          | (REPORT)  |
12704Sphk//                               +----------+          +-----------+
186948Sbz//
12704Sphk// acquire_func represents the functions or syscalls that may acquire a handle.
192011Sqingli// release_func represents the functions or syscalls that may release a handle.
1541Srgrimes// use_func represents the functions or syscall that requires an open handle.
1541Srgrimes//
195914Sqingli// If a tracked handle dies in "Released" or "Not Tracked" state, we assume it
215207Sgnn// is properly used. Otherwise a bug and will be reported.
192011Sqingli//
186119Sqingli// Note that, the analyzer does not always know for sure if a function failed
55009Sshin// or succeeded. In those cases we use the state MaybeAllocated.
1541Srgrimes// Thus, the diagramm above captures the intent, not implementation details.
192011Sqingli//
1541Srgrimes// Due to the fact that the number of handle related syscalls in Fuchsia
1541Srgrimes// is large, we adopt the annotation attributes to descript syscalls'
1541Srgrimes// operations(acquire/release/use) on handles instead of hardcoding
81127Sume// everything in the checker.
170613Sbms//
189592Sbms// We use following annotation attributes for handle related syscalls or
195699Srwatson// functions:
195699Srwatson//  1. __attribute__((acquire_handle("Fuchsia"))) |handle will be acquired
1541Srgrimes//  2. __attribute__((release_handle("Fuchsia"))) |handle will be released
92723Salfred//  3. __attribute__((use_handle("Fuchsia"))) |handle will not transit to
92723Salfred//     escaped state, it also needs to be open.
92723Salfred//
92723Salfred// For example, an annotated syscall:
55009Sshin//   zx_status_t zx_channel_create(
137628Smlaier//   uint32_t options,
222143Sqingli//   zx_handle_t* out0 __attribute__((acquire_handle("Fuchsia"))) ,
92723Salfred//   zx_handle_t* out1 __attribute__((acquire_handle("Fuchsia"))));
92723Salfred// denotes a syscall which will acquire two handles and save them to 'out0' and
228313Sglebius// 'out1' when succeeded.
167729Sbms//
1541Srgrimes//===----------------------------------------------------------------------===//
215701Sdim
207369Sbz#include "clang/AST/Attr.h"
195699Srwatson#include "clang/AST/Decl.h"
195699Srwatson#include "clang/AST/Type.h"
149221Sglebius#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
21666Swollman#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
207369Sbz#include "clang/StaticAnalyzer/Core/Checker.h"
207369Sbz#include "clang/StaticAnalyzer/Core/CheckerManager.h"
207369Sbz#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
215207Sgnn#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
215207Sgnn#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
215207Sgnn#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
1541Srgrimes#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
1541Srgrimes#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
226401Sglebius
1541Srgrimesusing namespace clang;
1549Srgrimesusing namespace ento;
169454Srwatson
1541Srgrimesnamespace {
1541Srgrimes
1541Srgrimesstatic const StringRef HandleTypeName = "zx_handle_t";
1541Srgrimesstatic const StringRef ErrorTypeName = "zx_status_t";
194951Srwatson
226401Sglebiusclass HandleState {
226401Sglebiusprivate:
226401Sglebius  enum class Kind { MaybeAllocated, Allocated, Released, Escaped } K;
226401Sglebius  SymbolRef ErrorSym;
194951Srwatson  HandleState(Kind K, SymbolRef ErrorSym) : K(K), ErrorSym(ErrorSym) {}
1541Srgrimes
194951Srwatsonpublic:
1541Srgrimes  bool operator==(const HandleState &Other) const {
1541Srgrimes    return K == Other.K && ErrorSym == Other.ErrorSym;
1541Srgrimes  }
1541Srgrimes  bool isAllocated() const { return K == Kind::Allocated; }
133486Sandre  bool maybeAllocated() const { return K == Kind::MaybeAllocated; }
133486Sandre  bool isReleased() const { return K == Kind::Released; }
133486Sandre  bool isEscaped() const { return K == Kind::Escaped; }
133486Sandre
169454Srwatson  static HandleState getMaybeAllocated(SymbolRef ErrorSym) {
133486Sandre    return HandleState(Kind::MaybeAllocated, ErrorSym);
133486Sandre  }
133486Sandre  static HandleState getAllocated(ProgramStateRef State, HandleState S) {
194951Srwatson    assert(S.maybeAllocated());
133486Sandre    assert(State->getConstraintManager()
194951Srwatson               .isNull(State, S.getErrorSym())
194951Srwatson               .isConstrained());
184295Sbz    return HandleState(Kind::Allocated, nullptr);
194951Srwatson  }
133486Sandre  static HandleState getReleased() {
194951Srwatson    return HandleState(Kind::Released, nullptr);
184295Sbz  }
133486Sandre  static HandleState getEscaped() {
133486Sandre    return HandleState(Kind::Escaped, nullptr);
133486Sandre  }
1541Srgrimes
1541Srgrimes  SymbolRef getErrorSym() const { return ErrorSym; }
1541Srgrimes
1541Srgrimes  void Profile(llvm::FoldingSetNodeID &ID) const {
1549Srgrimes    ID.AddInteger(static_cast<int>(K));
169454Srwatson    ID.AddPointer(ErrorSym);
1541Srgrimes  }
1541Srgrimes
1541Srgrimes  LLVM_DUMP_METHOD void dump(raw_ostream &OS) const {
1541Srgrimes    switch (K) {
166450Sbms#define CASE(ID)                                                               \
1541Srgrimes  case ID:                                                                     \
1541Srgrimes    OS << #ID;                                                                 \
1541Srgrimes    break;
1541Srgrimes      CASE(Kind::MaybeAllocated)
1541Srgrimes      CASE(Kind::Allocated)
1541Srgrimes      CASE(Kind::Released)
1541Srgrimes      CASE(Kind::Escaped)
1541Srgrimes    }
1541Srgrimes  }
1541Srgrimes
1541Srgrimes  LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
1541Srgrimes};
12296Sphk
169454Srwatsontemplate <typename Attr> static bool hasFuchsiaAttr(const Decl *D) {
1541Srgrimes  return D->hasAttr<Attr>() && D->getAttr<Attr>()->getHandleType() == "Fuchsia";
1541Srgrimes}
1541Srgrimes
1541Srgrimesclass FuchsiaHandleChecker
1541Srgrimes    : public Checker<check::PostCall, check::PreCall, check::DeadSymbols,
4127Swollman                     check::PointerEscape, eval::Assume> {
133874Srwatson  BugType LeakBugType{this, "Fuchsia handle leak", "Fuchsia Handle Error",
1541Srgrimes                      /*SuppressOnSink=*/true};
1541Srgrimes  BugType DoubleReleaseBugType{this, "Fuchsia handle double release",
1541Srgrimes                               "Fuchsia Handle Error"};
1541Srgrimes  BugType UseAfterReleaseBugType{this, "Fuchsia handle use after release",
1541Srgrimes                                 "Fuchsia Handle Error"};
55009Sshin
55009Sshinpublic:
55009Sshin  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
55009Sshin  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
55009Sshin  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
55009Sshin  ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
55009Sshin                             bool Assumption) const;
55009Sshin  ProgramStateRef checkPointerEscape(ProgramStateRef State,
55009Sshin                                     const InvalidatedSymbols &Escaped,
55009Sshin                                     const CallEvent *Call,
55009Sshin                                     PointerEscapeKind Kind) const;
55009Sshin
55009Sshin  ExplodedNode *reportLeaks(ArrayRef<SymbolRef> LeakedHandles,
55009Sshin                            CheckerContext &C, ExplodedNode *Pred) const;
55009Sshin
55009Sshin  void reportDoubleRelease(SymbolRef HandleSym, const SourceRange &Range,
55009Sshin                           CheckerContext &C) const;
55009Sshin
55009Sshin  void reportUseAfterFree(SymbolRef HandleSym, const SourceRange &Range,
184295Sbz                          CheckerContext &C) const;
55009Sshin
55009Sshin  void reportBug(SymbolRef Sym, ExplodedNode *ErrorNode, CheckerContext &C,
55009Sshin                 const SourceRange *Range, const BugType &Type,
169454Srwatson                 StringRef Msg) const;
55009Sshin
55009Sshin  void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
55009Sshin                  const char *Sep) const override;
55009Sshin};
55009Sshin} // end anonymous namespace
55009Sshin
55009SshinREGISTER_MAP_WITH_PROGRAMSTATE(HStateMap, SymbolRef, HandleState)
55009Sshin
55009Sshinstatic const ExplodedNode *getAcquireSite(const ExplodedNode *N, SymbolRef Sym,
55009Sshin                                          CheckerContext &Ctx) {
55009Sshin  ProgramStateRef State = N->getState();
55009Sshin  // When bug type is handle leak, exploded node N does not have state info for
1541Srgrimes  // leaking handle. Get the predecessor of N instead.
1541Srgrimes  if (!State->get<HStateMap>(Sym))
191443Srwatson    N = N->getFirstPred();
191443Srwatson
1541Srgrimes  const ExplodedNode *Pred = N;
1541Srgrimes  while (N) {
1549Srgrimes    State = N->getState();
169454Srwatson    if (!State->get<HStateMap>(Sym)) {
169454Srwatson      const HandleState *HState = Pred->getState()->get<HStateMap>(Sym);
1541Srgrimes      if (HState && (HState->isAllocated() || HState->maybeAllocated()))
1541Srgrimes        return N;
184295Sbz    }
1541Srgrimes    Pred = N;
168032Sbms    N = N->getFirstPred();
84102Sjlemon  }
189592Sbms  return nullptr;
1541Srgrimes}
1541Srgrimes
194951Srwatson/// Returns the symbols extracted from the argument or null if it cannot be
168032Sbms/// found.
1541Srgrimesstatic SymbolRef getFuchsiaHandleSymbol(QualType QT, SVal Arg,
184295Sbz                                        ProgramStateRef State) {
168032Sbms  int PtrToHandleLevel = 0;
87124Sbrian  while (QT->isAnyPointerType() || QT->isReferenceType()) {
168032Sbms    ++PtrToHandleLevel;
87124Sbrian    QT = QT->getPointeeType();
191443Srwatson  }
191443Srwatson  if (const auto *HandleType = QT->getAs<TypedefType>()) {
191443Srwatson    if (HandleType->getDecl()->getName() != HandleTypeName)
191443Srwatson      return nullptr;
55009Sshin    if (PtrToHandleLevel > 1) {
191443Srwatson      // Not supported yet.
191443Srwatson      return nullptr;
191443Srwatson    }
191443Srwatson
227791Sglebius    if (PtrToHandleLevel == 0) {
227791Sglebius      return Arg.getAsSymbol();
227791Sglebius    } else {
227791Sglebius      assert(PtrToHandleLevel == 1);
227791Sglebius      if (Optional<Loc> ArgLoc = Arg.getAs<Loc>())
227791Sglebius        return State->getSVal(*ArgLoc).getAsSymbol();
227791Sglebius    }
227791Sglebius  }
227791Sglebius  return nullptr;
227791Sglebius}
227791Sglebius
227831Sglebiusvoid FuchsiaHandleChecker::checkPreCall(const CallEvent &Call,
227831Sglebius                                        CheckerContext &C) const {
227791Sglebius  ProgramStateRef State = C.getState();
227791Sglebius  const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
227791Sglebius  if (!FuncDecl) {
227791Sglebius    // Unknown call, escape by value handles. They are not covered by
227791Sglebius    // PointerEscape callback.
227791Sglebius    for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
227791Sglebius      if (SymbolRef Handle = Call.getArgSVal(Arg).getAsSymbol())
227791Sglebius        State = State->set<HStateMap>(Handle, HandleState::getEscaped());
227791Sglebius    }
227791Sglebius    C.addTransition(State);
227791Sglebius    return;
227791Sglebius  }
227791Sglebius
191443Srwatson  for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
191443Srwatson    if (Arg >= FuncDecl->getNumParams())
191443Srwatson      break;
191443Srwatson    const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
227791Sglebius    SymbolRef Handle =
227791Sglebius        getFuchsiaHandleSymbol(PVD->getType(), Call.getArgSVal(Arg), State);
227791Sglebius    if (!Handle)
191443Srwatson      continue;
191443Srwatson
55009Sshin    // Handled in checkPostCall.
164033Srwatson    if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD) ||
164033Srwatson        hasFuchsiaAttr<AcquireHandleAttr>(PVD))
164033Srwatson      continue;
164033Srwatson
164033Srwatson    const HandleState *HState = State->get<HStateMap>(Handle);
184295Sbz    if (!HState || HState->isEscaped())
184295Sbz      continue;
164033Srwatson
164033Srwatson    if (hasFuchsiaAttr<UseHandleAttr>(PVD) || PVD->getType()->isIntegerType()) {
55009Sshin      if (HState->isReleased()) {
164033Srwatson        reportUseAfterFree(Handle, Call.getArgSourceRange(Arg), C);
164033Srwatson        return;
164033Srwatson      }
164033Srwatson    }
164033Srwatson    if (!hasFuchsiaAttr<UseHandleAttr>(PVD) &&
184295Sbz        PVD->getType()->isIntegerType()) {
184295Sbz      // Working around integer by-value escapes.
164033Srwatson      State = State->set<HStateMap>(Handle, HandleState::getEscaped());
164033Srwatson    }
55009Sshin  }
184295Sbz  C.addTransition(State);
184295Sbz}
83366Sjulian
191443Srwatsonvoid FuchsiaHandleChecker::checkPostCall(const CallEvent &Call,
191443Srwatson                                         CheckerContext &C) const {
191443Srwatson  const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
191443Srwatson  if (!FuncDecl)
191443Srwatson    return;
55009Sshin
55009Sshin  ProgramStateRef State = C.getState();
191443Srwatson
191443Srwatson  std::vector<std::function<std::string(BugReport & BR)>> Notes;
191443Srwatson  SymbolRef ResultSymbol = nullptr;
1541Srgrimes  if (const auto *TypeDefTy = FuncDecl->getReturnType()->getAs<TypedefType>())
191456Srwatson    if (TypeDefTy->getDecl()->getName() == ErrorTypeName)
191456Srwatson      ResultSymbol = Call.getReturnValue().getAsSymbol();
191456Srwatson
191456Srwatson  // Function returns an open handle.
191456Srwatson  if (hasFuchsiaAttr<AcquireHandleAttr>(FuncDecl)) {
191456Srwatson    SymbolRef RetSym = Call.getReturnValue().getAsSymbol();
191456Srwatson    State =
191456Srwatson        State->set<HStateMap>(RetSym, HandleState::getMaybeAllocated(nullptr));
191456Srwatson  }
191456Srwatson
191456Srwatson  for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
191456Srwatson    if (Arg >= FuncDecl->getNumParams())
191456Srwatson      break;
191456Srwatson    const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
191456Srwatson    SymbolRef Handle =
191456Srwatson        getFuchsiaHandleSymbol(PVD->getType(), Call.getArgSVal(Arg), State);
191456Srwatson    if (!Handle)
191456Srwatson      continue;
191456Srwatson
191456Srwatson    const HandleState *HState = State->get<HStateMap>(Handle);
191456Srwatson    if (HState && HState->isEscaped())
191456Srwatson      continue;
191456Srwatson    if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD)) {
191456Srwatson      if (HState && HState->isReleased()) {
191456Srwatson        reportDoubleRelease(Handle, Call.getArgSourceRange(Arg), C);
1541Srgrimes        return;
14632Sfenner      } else {
191443Srwatson        Notes.push_back([Handle](BugReport &BR) {
191443Srwatson          auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
1541Srgrimes          if (auto IsInteresting = PathBR->getInterestingnessKind(Handle)) {
191443Srwatson            return "Handle released here.";
194951Srwatson          } else
191443Srwatson            return "";
191443Srwatson        });
191443Srwatson        State = State->set<HStateMap>(Handle, HandleState::getReleased());
191443Srwatson      }
191443Srwatson    } else if (hasFuchsiaAttr<AcquireHandleAttr>(PVD)) {
191443Srwatson      Notes.push_back([Handle](BugReport &BR) {
191443Srwatson        auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
191443Srwatson        if (auto IsInteresting = PathBR->getInterestingnessKind(Handle)) {
191443Srwatson          return "Handle allocated here.";
194760Srwatson        } else
194760Srwatson          return "";
194951Srwatson      });
191443Srwatson      State = State->set<HStateMap>(
194760Srwatson          Handle, HandleState::getMaybeAllocated(ResultSymbol));
191443Srwatson    }
191443Srwatson  }
191443Srwatson  const NoteTag *T = nullptr;
191443Srwatson  if (!Notes.empty()) {
191443Srwatson    T = C.getNoteTag(
191443Srwatson        [this, Notes{std::move(Notes)}](BugReport &BR) -> std::string {
191443Srwatson          if (&BR.getBugType() != &UseAfterReleaseBugType &&
191443Srwatson              &BR.getBugType() != &LeakBugType &&
84102Sjlemon              &BR.getBugType() != &DoubleReleaseBugType)
84102Sjlemon            return "";
191443Srwatson          for (auto &Note : Notes) {
194760Srwatson            std::string Text = Note(BR);
194760Srwatson            if (!Text.empty())
194760Srwatson              return Text;
84102Sjlemon          }
191443Srwatson          return "";
191443Srwatson        });
1541Srgrimes  }
191500Srwatson  C.addTransition(State, T);
1541Srgrimes}
1541Srgrimes
1541Srgrimesvoid FuchsiaHandleChecker::checkDeadSymbols(SymbolReaper &SymReaper,
227958Sglebius                                            CheckerContext &C) const {
194760Srwatson  ProgramStateRef State = C.getState();
194760Srwatson  SmallVector<SymbolRef, 2> LeakedSyms;
194951Srwatson  HStateMapTy TrackedHandles = State->get<HStateMap>();
71999Sphk  for (auto &CurItem : TrackedHandles) {
8071Swollman    if (!SymReaper.isDead(CurItem.first))
8071Swollman      continue;
8071Swollman    if (CurItem.second.isAllocated() || CurItem.second.maybeAllocated())
8071Swollman      LeakedSyms.push_back(CurItem.first);
8071Swollman    State = State->remove<HStateMap>(CurItem.first);
194760Srwatson  }
194760Srwatson
194760Srwatson  ExplodedNode *N = C.getPredecessor();
194760Srwatson  if (!LeakedSyms.empty())
194951Srwatson    N = reportLeaks(LeakedSyms, C, N);
8876Srgrimes
8071Swollman  C.addTransition(State, N);
8071Swollman}
8071Swollman
191500Srwatson// Acquiring a handle is not always successful. In Fuchsia most functions
194760Srwatson// return a status code that determines the status of the handle.
8071Swollman// When we split the path based on this status code we know that on one
1541Srgrimes// path we do have the handle and on the other path the acquire failed.
191500Srwatson// This method helps avoiding false positive leak warnings on paths where
191500Srwatson// the function failed.
194760Srwatson// Moreover, when a handle is known to be zero (the invalid handle),
191500Srwatson// we no longer can follow the symbol on the path, becaue the constant
1541Srgrimes// zero will be used instead of the symbol. We also do not need to release
1541Srgrimes// an invalid handle, so we remove the corresponding symbol from the state.
1541SrgrimesProgramStateRef FuchsiaHandleChecker::evalAssume(ProgramStateRef State,
1541Srgrimes                                                 SVal Cond,
184295Sbz                                                 bool Assumption) const {
20407Swollman  // TODO: add notes about successes/fails for APIs.
191500Srwatson  ConstraintManager &Cmr = State->getConstraintManager();
191500Srwatson  HStateMapTy TrackedHandles = State->get<HStateMap>();
191500Srwatson  for (auto &CurItem : TrackedHandles) {
191500Srwatson    ConditionTruthVal HandleVal = Cmr.isNull(State, CurItem.first);
194760Srwatson    if (HandleVal.isConstrainedTrue()) {
191500Srwatson      // The handle is invalid. We can no longer follow the symbol on this path.
191500Srwatson      State = State->remove<HStateMap>(CurItem.first);
20407Swollman    }
194602Srwatson    SymbolRef ErrorSym = CurItem.second.getErrorSym();
20407Swollman    if (!ErrorSym)
20407Swollman      continue;
20407Swollman    ConditionTruthVal ErrorVal = Cmr.isNull(State, ErrorSym);
108033Shsu    if (ErrorVal.isConstrainedTrue()) {
1541Srgrimes      // Allocation succeeded.
85740Sdes      if (CurItem.second.maybeAllocated())
1541Srgrimes        State = State->set<HStateMap>(
1541Srgrimes            CurItem.first, HandleState::getAllocated(State, CurItem.second));
1541Srgrimes    } else if (ErrorVal.isConstrainedFalse()) {
1541Srgrimes      // Allocation failed.
1541Srgrimes      if (CurItem.second.maybeAllocated())
151824Sglebius        State = State->remove<HStateMap>(CurItem.first);
194760Srwatson    }
194760Srwatson  }
191285Srwatson  return State;
194760Srwatson}
194760Srwatson
194951SrwatsonProgramStateRef FuchsiaHandleChecker::checkPointerEscape(
181803Sbz    ProgramStateRef State, const InvalidatedSymbols &Escaped,
194951Srwatson    const CallEvent *Call, PointerEscapeKind Kind) const {
87124Sbrian  const FunctionDecl *FuncDecl =
1541Srgrimes      Call ? dyn_cast_or_null<FunctionDecl>(Call->getDecl()) : nullptr;
1541Srgrimes
1541Srgrimes  llvm::DenseSet<SymbolRef> UnEscaped;
1541Srgrimes  // Not all calls should escape our symbols.
1541Srgrimes  if (FuncDecl &&
1541Srgrimes      (Kind == PSK_DirectEscapeOnCall || Kind == PSK_IndirectEscapeOnCall ||
1541Srgrimes       Kind == PSK_EscapeOutParameters)) {
1541Srgrimes    for (unsigned Arg = 0; Arg < Call->getNumArgs(); ++Arg) {
191500Srwatson      if (Arg >= FuncDecl->getNumParams())
191500Srwatson        break;
194760Srwatson      const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
191500Srwatson      SymbolRef Handle =
1541Srgrimes          getFuchsiaHandleSymbol(PVD->getType(), Call->getArgSVal(Arg), State);
1541Srgrimes      if (!Handle)
191500Srwatson        continue;
191500Srwatson      if (hasFuchsiaAttr<UseHandleAttr>(PVD) ||
194760Srwatson          hasFuchsiaAttr<ReleaseHandleAttr>(PVD))
194760Srwatson        UnEscaped.insert(Handle);
191500Srwatson    }
1541Srgrimes  }
1541Srgrimes
1541Srgrimes  // For out params, we have to deal with derived symbols. See
194760Srwatson  // MacOSKeychainAPIChecker for details.
1541Srgrimes  for (auto I : State->get<HStateMap>()) {
1541Srgrimes    if (Escaped.count(I.first) && !UnEscaped.count(I.first))
191500Srwatson      State = State->set<HStateMap>(I.first, HandleState::getEscaped());
191500Srwatson    if (const auto *SD = dyn_cast<SymbolDerived>(I.first)) {
194760Srwatson      auto ParentSym = SD->getParentSymbol();
191500Srwatson      if (Escaped.count(ParentSym))
1541Srgrimes        State = State->set<HStateMap>(I.first, HandleState::getEscaped());
194760Srwatson    }
1541Srgrimes  }
1541Srgrimes
191500Srwatson  return State;
191500Srwatson}
194760Srwatson
191500SrwatsonExplodedNode *
1541SrgrimesFuchsiaHandleChecker::reportLeaks(ArrayRef<SymbolRef> LeakedHandles,
194760Srwatson                                  CheckerContext &C, ExplodedNode *Pred) const {
1541Srgrimes  ExplodedNode *ErrNode = C.generateNonFatalErrorNode(C.getState(), Pred);
1541Srgrimes  for (SymbolRef LeakedHandle : LeakedHandles) {
1541Srgrimes    reportBug(LeakedHandle, ErrNode, C, nullptr, LeakBugType,
194760Srwatson              "Potential leak of handle");
1541Srgrimes  }
1541Srgrimes  return ErrNode;
191500Srwatson}
191500Srwatson
194760Srwatsonvoid FuchsiaHandleChecker::reportDoubleRelease(SymbolRef HandleSym,
191500Srwatson                                               const SourceRange &Range,
1541Srgrimes                                               CheckerContext &C) const {
1541Srgrimes  ExplodedNode *ErrNode = C.generateErrorNode(C.getState());
184295Sbz  reportBug(HandleSym, ErrNode, C, &Range, DoubleReleaseBugType,
146883Siedowse            "Releasing a previously released handle");
146883Siedowse}
146883Siedowse
146883Siedowsevoid FuchsiaHandleChecker::reportUseAfterFree(SymbolRef HandleSym,
194760Srwatson                                              const SourceRange &Range,
146883Siedowse                                              CheckerContext &C) const {
1541Srgrimes  ExplodedNode *ErrNode = C.generateErrorNode(C.getState());
1541Srgrimes  reportBug(HandleSym, ErrNode, C, &Range, UseAfterReleaseBugType,
1541Srgrimes            "Using a previously released handle");
1541Srgrimes}
1541Srgrimes
1541Srgrimesvoid FuchsiaHandleChecker::reportBug(SymbolRef Sym, ExplodedNode *ErrorNode,
1541Srgrimes                                     CheckerContext &C,
1541Srgrimes                                     const SourceRange *Range,
194760Srwatson                                     const BugType &Type, StringRef Msg) const {
1541Srgrimes  if (!ErrorNode)
1541Srgrimes    return;
191500Srwatson
191500Srwatson  std::unique_ptr<PathSensitiveBugReport> R;
194760Srwatson  if (Type.isSuppressOnSink()) {
191500Srwatson    const ExplodedNode *AcquireNode = getAcquireSite(ErrorNode, Sym, C);
1541Srgrimes    if (AcquireNode) {
194760Srwatson      PathDiagnosticLocation LocUsedForUniqueing =
1541Srgrimes          PathDiagnosticLocation::createBegin(
1541Srgrimes              AcquireNode->getStmtForDiagnostics(), C.getSourceManager(),
87124Sbrian              AcquireNode->getLocationContext());
228313Sglebius
87124Sbrian      R = std::make_unique<PathSensitiveBugReport>(
87124Sbrian          Type, Msg, ErrorNode, LocUsedForUniqueing,
168032Sbms          AcquireNode->getLocationContext()->getDecl());
189603Sbms    }
189592Sbms  }
189592Sbms  if (!R)
189592Sbms    R = std::make_unique<PathSensitiveBugReport>(Type, Msg, ErrorNode);
189592Sbms  if (Range)
189592Sbms    R->addRange(*Range);
126264Smlaier  R->markInteresting(Sym);
168032Sbms  C.emitReport(std::move(R));
194760Srwatson}
194760Srwatson
1541Srgrimesvoid ento::registerFuchsiaHandleChecker(CheckerManager &mgr) {
1541Srgrimes  mgr.registerChecker<FuchsiaHandleChecker>();
228062Sglebius}
228062Sglebius
85740Sdesbool ento::shouldRegisterFuchsiaHandleChecker(const LangOptions &LO) {
194760Srwatson  return true;
1541Srgrimes}
1541Srgrimes
1541Srgrimesvoid FuchsiaHandleChecker::printState(raw_ostream &Out, ProgramStateRef State,
1541Srgrimes                                      const char *NL, const char *Sep) const {
1541Srgrimes
227959Sglebius  HStateMapTy StateMap = State->get<HStateMap>();
227791Sglebius
227791Sglebius  if (!StateMap.isEmpty()) {
1541Srgrimes    Out << Sep << "FuchsiaHandleChecker :" << NL;
197210Sqingli    for (HStateMapTy::iterator I = StateMap.begin(), E = StateMap.end(); I != E;
197210Sqingli         ++I) {
197210Sqingli      I.getKey()->dumpToStream(Out);
197210Sqingli      Out << " : ";
197210Sqingli      I.getData().dump(Out);
197210Sqingli      Out << NL;
197210Sqingli    }
197210Sqingli  }
197210Sqingli}
222438Sqingli