xref: /freebsd/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp (revision c8e7f78a3d28ff6e6223ed136ada8e1e2f34965e)
1 //=== FuchsiaHandleChecker.cpp - Find handle leaks/double closes -*- C++ -*--=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker checks if the handle of Fuchsia is properly used according to
10 // following rules.
11 //   - If a handle is acquired, it should be released before execution
12 //        ends.
13 //   - If a handle is released, it should not be released again.
14 //   - If a handle is released, it should not be used for other purposes
15 //        such as I/O.
16 //
17 // In this checker, each tracked handle is associated with a state. When the
18 // handle variable is passed to different function calls or syscalls, its state
19 // changes. The state changes can be generally represented by following ASCII
20 // Art:
21 //
22 //
23 //                                 +-------------+         +------------+
24 //          acquire_func succeeded |             | Escape  |            |
25 //               +----------------->  Allocated  +--------->  Escaped   <--+
26 //               |                 |             |         |            |  |
27 //               |                 +-----+------++         +------------+  |
28 //               |                       |      |                          |
29 // acquire_func  |         release_func  |      +--+                       |
30 //    failed     |                       |         | handle  +--------+    |
31 // +---------+   |                       |         | dies    |        |    |
32 // |         |   |                  +----v-----+   +---------> Leaked |    |
33 // |         |   |                  |          |             |(REPORT)|    |
34 // |  +----------+--+               | Released | Escape      +--------+    |
35 // |  |             |               |          +---------------------------+
36 // +--> Not tracked |               +----+---+-+
37 //    |             |                    |   |        As argument by value
38 //    +----------+--+       release_func |   +------+ in function call
39 //               |                       |          | or by reference in
40 //               |                       |          | use_func call
41 //    unowned    |                  +----v-----+    |     +-----------+
42 //  acquire_func |                  | Double   |    +-----> Use after |
43 //   succeeded   |                  | released |          | released  |
44 //               |                  | (REPORT) |          | (REPORT)  |
45 //        +---------------+         +----------+          +-----------+
46 //        | Allocated     |
47 //        | Unowned       |  release_func
48 //        |               +---------+
49 //        +---------------+         |
50 //                                  |
51 //                            +-----v----------+
52 //                            | Release of     |
53 //                            | unowned handle |
54 //                            | (REPORT)       |
55 //                            +----------------+
56 //
57 // acquire_func represents the functions or syscalls that may acquire a handle.
58 // release_func represents the functions or syscalls that may release a handle.
59 // use_func represents the functions or syscall that requires an open handle.
60 //
61 // If a tracked handle dies in "Released" or "Not Tracked" state, we assume it
62 // is properly used. Otherwise a bug and will be reported.
63 //
64 // Note that, the analyzer does not always know for sure if a function failed
65 // or succeeded. In those cases we use the state MaybeAllocated.
66 // Thus, the diagram above captures the intent, not implementation details.
67 //
68 // Due to the fact that the number of handle related syscalls in Fuchsia
69 // is large, we adopt the annotation attributes to descript syscalls'
70 // operations(acquire/release/use) on handles instead of hardcoding
71 // everything in the checker.
72 //
73 // We use following annotation attributes for handle related syscalls or
74 // functions:
75 //  1. __attribute__((acquire_handle("Fuchsia"))) |handle will be acquired
76 //  2. __attribute__((release_handle("Fuchsia"))) |handle will be released
77 //  3. __attribute__((use_handle("Fuchsia"))) |handle will not transit to
78 //     escaped state, it also needs to be open.
79 //
80 // For example, an annotated syscall:
81 //   zx_status_t zx_channel_create(
82 //   uint32_t options,
83 //   zx_handle_t* out0 __attribute__((acquire_handle("Fuchsia"))) ,
84 //   zx_handle_t* out1 __attribute__((acquire_handle("Fuchsia"))));
85 // denotes a syscall which will acquire two handles and save them to 'out0' and
86 // 'out1' when succeeded.
87 //
88 //===----------------------------------------------------------------------===//
89 
90 #include "clang/AST/Attr.h"
91 #include "clang/AST/Decl.h"
92 #include "clang/AST/Type.h"
93 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
94 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
95 #include "clang/StaticAnalyzer/Core/Checker.h"
96 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
97 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
98 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
99 #include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
100 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
101 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
102 #include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
103 #include "llvm/ADT/StringExtras.h"
104 #include <optional>
105 
106 using namespace clang;
107 using namespace ento;
108 
109 namespace {
110 
111 static const StringRef HandleTypeName = "zx_handle_t";
112 static const StringRef ErrorTypeName = "zx_status_t";
113 
114 class HandleState {
115 private:
116   enum class Kind { MaybeAllocated, Allocated, Released, Escaped, Unowned } K;
117   SymbolRef ErrorSym;
118   HandleState(Kind K, SymbolRef ErrorSym) : K(K), ErrorSym(ErrorSym) {}
119 
120 public:
121   bool operator==(const HandleState &Other) const {
122     return K == Other.K && ErrorSym == Other.ErrorSym;
123   }
124   bool isAllocated() const { return K == Kind::Allocated; }
125   bool maybeAllocated() const { return K == Kind::MaybeAllocated; }
126   bool isReleased() const { return K == Kind::Released; }
127   bool isEscaped() const { return K == Kind::Escaped; }
128   bool isUnowned() const { return K == Kind::Unowned; }
129 
130   static HandleState getMaybeAllocated(SymbolRef ErrorSym) {
131     return HandleState(Kind::MaybeAllocated, ErrorSym);
132   }
133   static HandleState getAllocated(ProgramStateRef State, HandleState S) {
134     assert(S.maybeAllocated());
135     assert(State->getConstraintManager()
136                .isNull(State, S.getErrorSym())
137                .isConstrained());
138     return HandleState(Kind::Allocated, nullptr);
139   }
140   static HandleState getReleased() {
141     return HandleState(Kind::Released, nullptr);
142   }
143   static HandleState getEscaped() {
144     return HandleState(Kind::Escaped, nullptr);
145   }
146   static HandleState getUnowned() {
147     return HandleState(Kind::Unowned, nullptr);
148   }
149 
150   SymbolRef getErrorSym() const { return ErrorSym; }
151 
152   void Profile(llvm::FoldingSetNodeID &ID) const {
153     ID.AddInteger(static_cast<int>(K));
154     ID.AddPointer(ErrorSym);
155   }
156 
157   LLVM_DUMP_METHOD void dump(raw_ostream &OS) const {
158     switch (K) {
159 #define CASE(ID)                                                               \
160   case ID:                                                                     \
161     OS << #ID;                                                                 \
162     break;
163       CASE(Kind::MaybeAllocated)
164       CASE(Kind::Allocated)
165       CASE(Kind::Released)
166       CASE(Kind::Escaped)
167       CASE(Kind::Unowned)
168     }
169     if (ErrorSym) {
170       OS << " ErrorSym: ";
171       ErrorSym->dumpToStream(OS);
172     }
173   }
174 
175   LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
176 };
177 
178 template <typename Attr> static bool hasFuchsiaAttr(const Decl *D) {
179   return D->hasAttr<Attr>() && D->getAttr<Attr>()->getHandleType() == "Fuchsia";
180 }
181 
182 template <typename Attr> static bool hasFuchsiaUnownedAttr(const Decl *D) {
183   return D->hasAttr<Attr>() &&
184          D->getAttr<Attr>()->getHandleType() == "FuchsiaUnowned";
185 }
186 
187 class FuchsiaHandleChecker
188     : public Checker<check::PostCall, check::PreCall, check::DeadSymbols,
189                      check::PointerEscape, eval::Assume> {
190   BugType LeakBugType{this, "Fuchsia handle leak", "Fuchsia Handle Error",
191                       /*SuppressOnSink=*/true};
192   BugType DoubleReleaseBugType{this, "Fuchsia handle double release",
193                                "Fuchsia Handle Error"};
194   BugType UseAfterReleaseBugType{this, "Fuchsia handle use after release",
195                                  "Fuchsia Handle Error"};
196   BugType ReleaseUnownedBugType{
197       this, "Fuchsia handle release of unowned handle", "Fuchsia Handle Error"};
198 
199 public:
200   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
201   void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
202   void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
203   ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
204                              bool Assumption) const;
205   ProgramStateRef checkPointerEscape(ProgramStateRef State,
206                                      const InvalidatedSymbols &Escaped,
207                                      const CallEvent *Call,
208                                      PointerEscapeKind Kind) const;
209 
210   ExplodedNode *reportLeaks(ArrayRef<SymbolRef> LeakedHandles,
211                             CheckerContext &C, ExplodedNode *Pred) const;
212 
213   void reportDoubleRelease(SymbolRef HandleSym, const SourceRange &Range,
214                            CheckerContext &C) const;
215 
216   void reportUnownedRelease(SymbolRef HandleSym, const SourceRange &Range,
217                             CheckerContext &C) const;
218 
219   void reportUseAfterFree(SymbolRef HandleSym, const SourceRange &Range,
220                           CheckerContext &C) const;
221 
222   void reportBug(SymbolRef Sym, ExplodedNode *ErrorNode, CheckerContext &C,
223                  const SourceRange *Range, const BugType &Type,
224                  StringRef Msg) const;
225 
226   void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
227                   const char *Sep) const override;
228 };
229 } // end anonymous namespace
230 
231 REGISTER_MAP_WITH_PROGRAMSTATE(HStateMap, SymbolRef, HandleState)
232 
233 static const ExplodedNode *getAcquireSite(const ExplodedNode *N, SymbolRef Sym,
234                                           CheckerContext &Ctx) {
235   ProgramStateRef State = N->getState();
236   // When bug type is handle leak, exploded node N does not have state info for
237   // leaking handle. Get the predecessor of N instead.
238   if (!State->get<HStateMap>(Sym))
239     N = N->getFirstPred();
240 
241   const ExplodedNode *Pred = N;
242   while (N) {
243     State = N->getState();
244     if (!State->get<HStateMap>(Sym)) {
245       const HandleState *HState = Pred->getState()->get<HStateMap>(Sym);
246       if (HState && (HState->isAllocated() || HState->maybeAllocated()))
247         return N;
248     }
249     Pred = N;
250     N = N->getFirstPred();
251   }
252   return nullptr;
253 }
254 
255 namespace {
256 class FuchsiaHandleSymbolVisitor final : public SymbolVisitor {
257 public:
258   bool VisitSymbol(SymbolRef S) override {
259     if (const auto *HandleType = S->getType()->getAs<TypedefType>())
260       if (HandleType->getDecl()->getName() == HandleTypeName)
261         Symbols.push_back(S);
262     return true;
263   }
264 
265   SmallVector<SymbolRef, 1024> GetSymbols() { return Symbols; }
266 
267 private:
268   SmallVector<SymbolRef, 1024> Symbols;
269 };
270 } // end anonymous namespace
271 
272 /// Returns the symbols extracted from the argument or empty vector if it cannot
273 /// be found. It is unlikely to have over 1024 symbols in one argument.
274 static SmallVector<SymbolRef, 1024>
275 getFuchsiaHandleSymbols(QualType QT, SVal Arg, ProgramStateRef State) {
276   int PtrToHandleLevel = 0;
277   while (QT->isAnyPointerType() || QT->isReferenceType()) {
278     ++PtrToHandleLevel;
279     QT = QT->getPointeeType();
280   }
281   if (QT->isStructureType()) {
282     // If we see a structure, see if there is any handle referenced by the
283     // structure.
284     FuchsiaHandleSymbolVisitor Visitor;
285     State->scanReachableSymbols(Arg, Visitor);
286     return Visitor.GetSymbols();
287   }
288   if (const auto *HandleType = QT->getAs<TypedefType>()) {
289     if (HandleType->getDecl()->getName() != HandleTypeName)
290       return {};
291     if (PtrToHandleLevel > 1)
292       // Not supported yet.
293       return {};
294 
295     if (PtrToHandleLevel == 0) {
296       SymbolRef Sym = Arg.getAsSymbol();
297       if (Sym) {
298         return {Sym};
299       } else {
300         return {};
301       }
302     } else {
303       assert(PtrToHandleLevel == 1);
304       if (std::optional<Loc> ArgLoc = Arg.getAs<Loc>()) {
305         SymbolRef Sym = State->getSVal(*ArgLoc).getAsSymbol();
306         if (Sym) {
307           return {Sym};
308         } else {
309           return {};
310         }
311       }
312     }
313   }
314   return {};
315 }
316 
317 void FuchsiaHandleChecker::checkPreCall(const CallEvent &Call,
318                                         CheckerContext &C) const {
319   ProgramStateRef State = C.getState();
320   const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
321   if (!FuncDecl) {
322     // Unknown call, escape by value handles. They are not covered by
323     // PointerEscape callback.
324     for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
325       if (SymbolRef Handle = Call.getArgSVal(Arg).getAsSymbol())
326         State = State->set<HStateMap>(Handle, HandleState::getEscaped());
327     }
328     C.addTransition(State);
329     return;
330   }
331 
332   for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
333     if (Arg >= FuncDecl->getNumParams())
334       break;
335     const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
336     SmallVector<SymbolRef, 1024> Handles =
337         getFuchsiaHandleSymbols(PVD->getType(), Call.getArgSVal(Arg), State);
338 
339     // Handled in checkPostCall.
340     if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD) ||
341         hasFuchsiaAttr<AcquireHandleAttr>(PVD))
342       continue;
343 
344     for (SymbolRef Handle : Handles) {
345       const HandleState *HState = State->get<HStateMap>(Handle);
346       if (!HState || HState->isEscaped())
347         continue;
348 
349       if (hasFuchsiaAttr<UseHandleAttr>(PVD) ||
350           PVD->getType()->isIntegerType()) {
351         if (HState->isReleased()) {
352           reportUseAfterFree(Handle, Call.getArgSourceRange(Arg), C);
353           return;
354         }
355       }
356     }
357   }
358   C.addTransition(State);
359 }
360 
361 void FuchsiaHandleChecker::checkPostCall(const CallEvent &Call,
362                                          CheckerContext &C) const {
363   const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
364   if (!FuncDecl)
365     return;
366 
367   // If we analyzed the function body, then ignore the annotations.
368   if (C.wasInlined)
369     return;
370 
371   ProgramStateRef State = C.getState();
372 
373   std::vector<std::function<std::string(BugReport & BR)>> Notes;
374   SymbolRef ResultSymbol = nullptr;
375   if (const auto *TypeDefTy = FuncDecl->getReturnType()->getAs<TypedefType>())
376     if (TypeDefTy->getDecl()->getName() == ErrorTypeName)
377       ResultSymbol = Call.getReturnValue().getAsSymbol();
378 
379   // Function returns an open handle.
380   if (hasFuchsiaAttr<AcquireHandleAttr>(FuncDecl)) {
381     SymbolRef RetSym = Call.getReturnValue().getAsSymbol();
382     Notes.push_back([RetSym, FuncDecl](BugReport &BR) -> std::string {
383       auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
384       if (auto IsInteresting = PathBR->getInterestingnessKind(RetSym)) {
385         std::string SBuf;
386         llvm::raw_string_ostream OS(SBuf);
387         OS << "Function '" << FuncDecl->getDeclName()
388            << "' returns an open handle";
389         return SBuf;
390       } else
391         return "";
392     });
393     State =
394         State->set<HStateMap>(RetSym, HandleState::getMaybeAllocated(nullptr));
395   } else if (hasFuchsiaUnownedAttr<AcquireHandleAttr>(FuncDecl)) {
396     // Function returns an unowned handle
397     SymbolRef RetSym = Call.getReturnValue().getAsSymbol();
398     Notes.push_back([RetSym, FuncDecl](BugReport &BR) -> std::string {
399       auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
400       if (auto IsInteresting = PathBR->getInterestingnessKind(RetSym)) {
401         std::string SBuf;
402         llvm::raw_string_ostream OS(SBuf);
403         OS << "Function '" << FuncDecl->getDeclName()
404            << "' returns an unowned handle";
405         return SBuf;
406       } else
407         return "";
408     });
409     State = State->set<HStateMap>(RetSym, HandleState::getUnowned());
410   }
411 
412   for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
413     if (Arg >= FuncDecl->getNumParams())
414       break;
415     const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
416     unsigned ParamDiagIdx = PVD->getFunctionScopeIndex() + 1;
417     SmallVector<SymbolRef, 1024> Handles =
418         getFuchsiaHandleSymbols(PVD->getType(), Call.getArgSVal(Arg), State);
419 
420     for (SymbolRef Handle : Handles) {
421       const HandleState *HState = State->get<HStateMap>(Handle);
422       if (HState && HState->isEscaped())
423         continue;
424       if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD)) {
425         if (HState && HState->isReleased()) {
426           reportDoubleRelease(Handle, Call.getArgSourceRange(Arg), C);
427           return;
428         } else if (HState && HState->isUnowned()) {
429           reportUnownedRelease(Handle, Call.getArgSourceRange(Arg), C);
430           return;
431         } else {
432           Notes.push_back([Handle, ParamDiagIdx](BugReport &BR) -> std::string {
433             auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
434             if (auto IsInteresting = PathBR->getInterestingnessKind(Handle)) {
435               std::string SBuf;
436               llvm::raw_string_ostream OS(SBuf);
437               OS << "Handle released through " << ParamDiagIdx
438                  << llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
439               return SBuf;
440             } else
441               return "";
442           });
443           State = State->set<HStateMap>(Handle, HandleState::getReleased());
444         }
445       } else if (hasFuchsiaAttr<AcquireHandleAttr>(PVD)) {
446         Notes.push_back([Handle, ParamDiagIdx](BugReport &BR) -> std::string {
447           auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
448           if (auto IsInteresting = PathBR->getInterestingnessKind(Handle)) {
449             std::string SBuf;
450             llvm::raw_string_ostream OS(SBuf);
451             OS << "Handle allocated through " << ParamDiagIdx
452                << llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
453             return SBuf;
454           } else
455             return "";
456         });
457         State = State->set<HStateMap>(
458             Handle, HandleState::getMaybeAllocated(ResultSymbol));
459       } else if (hasFuchsiaUnownedAttr<AcquireHandleAttr>(PVD)) {
460         Notes.push_back([Handle, ParamDiagIdx](BugReport &BR) -> std::string {
461           auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
462           if (auto IsInteresting = PathBR->getInterestingnessKind(Handle)) {
463             std::string SBuf;
464             llvm::raw_string_ostream OS(SBuf);
465             OS << "Unowned handle allocated through " << ParamDiagIdx
466                << llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
467             return SBuf;
468           } else
469             return "";
470         });
471         State = State->set<HStateMap>(Handle, HandleState::getUnowned());
472       } else if (!hasFuchsiaAttr<UseHandleAttr>(PVD) &&
473                  PVD->getType()->isIntegerType()) {
474         // Working around integer by-value escapes.
475         // The by-value escape would not be captured in checkPointerEscape.
476         // If the function was not analyzed (otherwise wasInlined should be
477         // true) and there is no annotation on the handle, we assume the handle
478         // is escaped.
479         State = State->set<HStateMap>(Handle, HandleState::getEscaped());
480       }
481     }
482   }
483   const NoteTag *T = nullptr;
484   if (!Notes.empty()) {
485     T = C.getNoteTag([this, Notes{std::move(Notes)}](
486                          PathSensitiveBugReport &BR) -> std::string {
487       if (&BR.getBugType() != &UseAfterReleaseBugType &&
488           &BR.getBugType() != &LeakBugType &&
489           &BR.getBugType() != &DoubleReleaseBugType &&
490           &BR.getBugType() != &ReleaseUnownedBugType)
491         return "";
492       for (auto &Note : Notes) {
493         std::string Text = Note(BR);
494         if (!Text.empty())
495           return Text;
496       }
497       return "";
498     });
499   }
500   C.addTransition(State, T);
501 }
502 
503 void FuchsiaHandleChecker::checkDeadSymbols(SymbolReaper &SymReaper,
504                                             CheckerContext &C) const {
505   ProgramStateRef State = C.getState();
506   SmallVector<SymbolRef, 2> LeakedSyms;
507   HStateMapTy TrackedHandles = State->get<HStateMap>();
508   for (auto &CurItem : TrackedHandles) {
509     SymbolRef ErrorSym = CurItem.second.getErrorSym();
510     // Keeping zombie handle symbols. In case the error symbol is dying later
511     // than the handle symbol we might produce spurious leak warnings (in case
512     // we find out later from the status code that the handle allocation failed
513     // in the first place).
514     if (!SymReaper.isDead(CurItem.first) ||
515         (ErrorSym && !SymReaper.isDead(ErrorSym)))
516       continue;
517     if (CurItem.second.isAllocated() || CurItem.second.maybeAllocated())
518       LeakedSyms.push_back(CurItem.first);
519     State = State->remove<HStateMap>(CurItem.first);
520   }
521 
522   ExplodedNode *N = C.getPredecessor();
523   if (!LeakedSyms.empty())
524     N = reportLeaks(LeakedSyms, C, N);
525 
526   C.addTransition(State, N);
527 }
528 
529 // Acquiring a handle is not always successful. In Fuchsia most functions
530 // return a status code that determines the status of the handle.
531 // When we split the path based on this status code we know that on one
532 // path we do have the handle and on the other path the acquire failed.
533 // This method helps avoiding false positive leak warnings on paths where
534 // the function failed.
535 // Moreover, when a handle is known to be zero (the invalid handle),
536 // we no longer can follow the symbol on the path, becaue the constant
537 // zero will be used instead of the symbol. We also do not need to release
538 // an invalid handle, so we remove the corresponding symbol from the state.
539 ProgramStateRef FuchsiaHandleChecker::evalAssume(ProgramStateRef State,
540                                                  SVal Cond,
541                                                  bool Assumption) const {
542   // TODO: add notes about successes/fails for APIs.
543   ConstraintManager &Cmr = State->getConstraintManager();
544   HStateMapTy TrackedHandles = State->get<HStateMap>();
545   for (auto &CurItem : TrackedHandles) {
546     ConditionTruthVal HandleVal = Cmr.isNull(State, CurItem.first);
547     if (HandleVal.isConstrainedTrue()) {
548       // The handle is invalid. We can no longer follow the symbol on this path.
549       State = State->remove<HStateMap>(CurItem.first);
550     }
551     SymbolRef ErrorSym = CurItem.second.getErrorSym();
552     if (!ErrorSym)
553       continue;
554     ConditionTruthVal ErrorVal = Cmr.isNull(State, ErrorSym);
555     if (ErrorVal.isConstrainedTrue()) {
556       // Allocation succeeded.
557       if (CurItem.second.maybeAllocated())
558         State = State->set<HStateMap>(
559             CurItem.first, HandleState::getAllocated(State, CurItem.second));
560     } else if (ErrorVal.isConstrainedFalse()) {
561       // Allocation failed.
562       if (CurItem.second.maybeAllocated())
563         State = State->remove<HStateMap>(CurItem.first);
564     }
565   }
566   return State;
567 }
568 
569 ProgramStateRef FuchsiaHandleChecker::checkPointerEscape(
570     ProgramStateRef State, const InvalidatedSymbols &Escaped,
571     const CallEvent *Call, PointerEscapeKind Kind) const {
572   const FunctionDecl *FuncDecl =
573       Call ? dyn_cast_or_null<FunctionDecl>(Call->getDecl()) : nullptr;
574 
575   llvm::DenseSet<SymbolRef> UnEscaped;
576   // Not all calls should escape our symbols.
577   if (FuncDecl &&
578       (Kind == PSK_DirectEscapeOnCall || Kind == PSK_IndirectEscapeOnCall ||
579        Kind == PSK_EscapeOutParameters)) {
580     for (unsigned Arg = 0; Arg < Call->getNumArgs(); ++Arg) {
581       if (Arg >= FuncDecl->getNumParams())
582         break;
583       const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
584       SmallVector<SymbolRef, 1024> Handles =
585           getFuchsiaHandleSymbols(PVD->getType(), Call->getArgSVal(Arg), State);
586       for (SymbolRef Handle : Handles) {
587         if (hasFuchsiaAttr<UseHandleAttr>(PVD) ||
588             hasFuchsiaAttr<ReleaseHandleAttr>(PVD)) {
589           UnEscaped.insert(Handle);
590         }
591       }
592     }
593   }
594 
595   // For out params, we have to deal with derived symbols. See
596   // MacOSKeychainAPIChecker for details.
597   for (auto I : State->get<HStateMap>()) {
598     if (Escaped.count(I.first) && !UnEscaped.count(I.first))
599       State = State->set<HStateMap>(I.first, HandleState::getEscaped());
600     if (const auto *SD = dyn_cast<SymbolDerived>(I.first)) {
601       auto ParentSym = SD->getParentSymbol();
602       if (Escaped.count(ParentSym))
603         State = State->set<HStateMap>(I.first, HandleState::getEscaped());
604     }
605   }
606 
607   return State;
608 }
609 
610 ExplodedNode *
611 FuchsiaHandleChecker::reportLeaks(ArrayRef<SymbolRef> LeakedHandles,
612                                   CheckerContext &C, ExplodedNode *Pred) const {
613   ExplodedNode *ErrNode = C.generateNonFatalErrorNode(C.getState(), Pred);
614   for (SymbolRef LeakedHandle : LeakedHandles) {
615     reportBug(LeakedHandle, ErrNode, C, nullptr, LeakBugType,
616               "Potential leak of handle");
617   }
618   return ErrNode;
619 }
620 
621 void FuchsiaHandleChecker::reportDoubleRelease(SymbolRef HandleSym,
622                                                const SourceRange &Range,
623                                                CheckerContext &C) const {
624   ExplodedNode *ErrNode = C.generateErrorNode(C.getState());
625   reportBug(HandleSym, ErrNode, C, &Range, DoubleReleaseBugType,
626             "Releasing a previously released handle");
627 }
628 
629 void FuchsiaHandleChecker::reportUnownedRelease(SymbolRef HandleSym,
630                                                 const SourceRange &Range,
631                                                 CheckerContext &C) const {
632   ExplodedNode *ErrNode = C.generateErrorNode(C.getState());
633   reportBug(HandleSym, ErrNode, C, &Range, ReleaseUnownedBugType,
634             "Releasing an unowned handle");
635 }
636 
637 void FuchsiaHandleChecker::reportUseAfterFree(SymbolRef HandleSym,
638                                               const SourceRange &Range,
639                                               CheckerContext &C) const {
640   ExplodedNode *ErrNode = C.generateErrorNode(C.getState());
641   reportBug(HandleSym, ErrNode, C, &Range, UseAfterReleaseBugType,
642             "Using a previously released handle");
643 }
644 
645 void FuchsiaHandleChecker::reportBug(SymbolRef Sym, ExplodedNode *ErrorNode,
646                                      CheckerContext &C,
647                                      const SourceRange *Range,
648                                      const BugType &Type, StringRef Msg) const {
649   if (!ErrorNode)
650     return;
651 
652   std::unique_ptr<PathSensitiveBugReport> R;
653   if (Type.isSuppressOnSink()) {
654     const ExplodedNode *AcquireNode = getAcquireSite(ErrorNode, Sym, C);
655     if (AcquireNode) {
656       PathDiagnosticLocation LocUsedForUniqueing =
657           PathDiagnosticLocation::createBegin(
658               AcquireNode->getStmtForDiagnostics(), C.getSourceManager(),
659               AcquireNode->getLocationContext());
660 
661       R = std::make_unique<PathSensitiveBugReport>(
662           Type, Msg, ErrorNode, LocUsedForUniqueing,
663           AcquireNode->getLocationContext()->getDecl());
664     }
665   }
666   if (!R)
667     R = std::make_unique<PathSensitiveBugReport>(Type, Msg, ErrorNode);
668   if (Range)
669     R->addRange(*Range);
670   R->markInteresting(Sym);
671   C.emitReport(std::move(R));
672 }
673 
674 void ento::registerFuchsiaHandleChecker(CheckerManager &mgr) {
675   mgr.registerChecker<FuchsiaHandleChecker>();
676 }
677 
678 bool ento::shouldRegisterFuchsiaHandleChecker(const CheckerManager &mgr) {
679   return true;
680 }
681 
682 void FuchsiaHandleChecker::printState(raw_ostream &Out, ProgramStateRef State,
683                                       const char *NL, const char *Sep) const {
684 
685   HStateMapTy StateMap = State->get<HStateMap>();
686 
687   if (!StateMap.isEmpty()) {
688     Out << Sep << "FuchsiaHandleChecker :" << NL;
689     for (const auto &[Sym, HandleState] : StateMap) {
690       Sym->dumpToStream(Out);
691       Out << " : ";
692       HandleState.dump(Out);
693       Out << NL;
694     }
695   }
696 }
697