1
//=== FuchsiaHandleChecker.cpp - Find handle leaks/double closes -*- C++ -*--=//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
// This checker checks if the handle of Fuchsia is properly used according to
10
// following rules.
11
//   - If a handle is acquired, it should be released before execution
12
//        ends.
13
//   - If a handle is released, it should not be released again.
14
//   - If a handle is released, it should not be used for other purposes
15
//        such as I/O.
16
//
17
// In this checker, each tracked handle is associated with a state. When the
18
// handle variable is passed to different function calls or syscalls, its state
19
// changes. The state changes can be generally represented by following ASCII
20
// Art:
21
//
22
//
23
//                                 +-------------+         +------------+
24
//          acquire_func succeeded |             | Escape  |            |
25
//               +----------------->  Allocated  +--------->  Escaped   <--+
26
//               |                 |             |         |            |  |
27
//               |                 +-----+------++         +------------+  |
28
//               |                       |      |                          |
29
// acquire_func  |         release_func  |      +--+                       |
30
//    failed     |                       |         | handle  +--------+    |
31
// +---------+   |                       |         | dies    |        |    |
32
// |         |   |                  +----v-----+   +---------> Leaked |    |
33
// |         |   |                  |          |             |(REPORT)|    |
34
// |  +----------+--+               | Released | Escape      +--------+    |
35
// |  |             |               |          +---------------------------+
36
// +--> Not tracked |               +----+---+-+
37
//    |             |                    |   |        As argument by value
38
//    +----------+--+       release_func |   +------+ in function call
39
//               |                       |          | or by reference in
40
//               |                       |          | use_func call
41
//    unowned    |                  +----v-----+    |     +-----------+
42
//  acquire_func |                  | Double   |    +-----> Use after |
43
//   succeeded   |                  | released |          | released  |
44
//               |                  | (REPORT) |          | (REPORT)  |
45
//        +---------------+         +----------+          +-----------+
46
//        | Allocated     |
47
//        | Unowned       |  release_func
48
//        |               +---------+
49
//        +---------------+         |
50
//                                  |
51
//                            +-----v----------+
52
//                            | Release of     |
53
//                            | unowned handle |
54
//                            | (REPORT)       |
55
//                            +----------------+
56
//
57
// acquire_func represents the functions or syscalls that may acquire a handle.
58
// release_func represents the functions or syscalls that may release a handle.
59
// use_func represents the functions or syscall that requires an open handle.
60
//
61
// If a tracked handle dies in "Released" or "Not Tracked" state, we assume it
62
// is properly used. Otherwise a bug and will be reported.
63
//
64
// Note that, the analyzer does not always know for sure if a function failed
65
// or succeeded. In those cases we use the state MaybeAllocated.
66
// Thus, the diagram above captures the intent, not implementation details.
67
//
68
// Due to the fact that the number of handle related syscalls in Fuchsia
69
// is large, we adopt the annotation attributes to descript syscalls'
70
// operations(acquire/release/use) on handles instead of hardcoding
71
// everything in the checker.
72
//
73
// We use following annotation attributes for handle related syscalls or
74
// functions:
75
//  1. __attribute__((acquire_handle("Fuchsia"))) |handle will be acquired
76
//  2. __attribute__((release_handle("Fuchsia"))) |handle will be released
77
//  3. __attribute__((use_handle("Fuchsia"))) |handle will not transit to
78
//     escaped state, it also needs to be open.
79
//
80
// For example, an annotated syscall:
81
//   zx_status_t zx_channel_create(
82
//   uint32_t options,
83
//   zx_handle_t* out0 __attribute__((acquire_handle("Fuchsia"))) ,
84
//   zx_handle_t* out1 __attribute__((acquire_handle("Fuchsia"))));
85
// denotes a syscall which will acquire two handles and save them to 'out0' and
86
// 'out1' when succeeded.
87
//
88
//===----------------------------------------------------------------------===//
89

90
#include "clang/AST/Attr.h"
91
#include "clang/AST/Decl.h"
92
#include "clang/AST/Type.h"
93
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
94
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
95
#include "clang/StaticAnalyzer/Core/Checker.h"
96
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
97
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
98
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
99
#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
100
#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
101
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
102
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
103
#include "llvm/ADT/StringExtras.h"
104
#include <optional>
105

106
using namespace clang;
107
using namespace ento;
108

109
namespace {
110

111
static const StringRef HandleTypeName = "zx_handle_t";
112
static const StringRef ErrorTypeName = "zx_status_t";
113

114
class HandleState {
115
private:
116
  enum class Kind { MaybeAllocated, Allocated, Released, Escaped, Unowned } K;
117
  SymbolRef ErrorSym;
118
  HandleState(Kind K, SymbolRef ErrorSym) : K(K), ErrorSym(ErrorSym) {}
119

120
public:
121
  bool operator==(const HandleState &Other) const {
122
    return K == Other.K && ErrorSym == Other.ErrorSym;
123
  }
124
  bool isAllocated() const { return K == Kind::Allocated; }
125
  bool maybeAllocated() const { return K == Kind::MaybeAllocated; }
126
  bool isReleased() const { return K == Kind::Released; }
127
  bool isEscaped() const { return K == Kind::Escaped; }
128
  bool isUnowned() const { return K == Kind::Unowned; }
129

130
  static HandleState getMaybeAllocated(SymbolRef ErrorSym) {
131
    return HandleState(Kind::MaybeAllocated, ErrorSym);
132
  }
133
  static HandleState getAllocated(ProgramStateRef State, HandleState S) {
134
    assert(S.maybeAllocated());
135
    assert(State->getConstraintManager()
136
               .isNull(State, S.getErrorSym())
137
               .isConstrained());
138
    return HandleState(Kind::Allocated, nullptr);
139
  }
140
  static HandleState getReleased() {
141
    return HandleState(Kind::Released, nullptr);
142
  }
143
  static HandleState getEscaped() {
144
    return HandleState(Kind::Escaped, nullptr);
145
  }
146
  static HandleState getUnowned() {
147
    return HandleState(Kind::Unowned, nullptr);
148
  }
149

150
  SymbolRef getErrorSym() const { return ErrorSym; }
151

152
  void Profile(llvm::FoldingSetNodeID &ID) const {
153
    ID.AddInteger(static_cast<int>(K));
154
    ID.AddPointer(ErrorSym);
155
  }
156

157
  LLVM_DUMP_METHOD void dump(raw_ostream &OS) const {
158
    switch (K) {
159
#define CASE(ID)                                                               \
160
  case ID:                                                                     \
161
    OS << #ID;                                                                 \
162
    break;
163
      CASE(Kind::MaybeAllocated)
164
      CASE(Kind::Allocated)
165
      CASE(Kind::Released)
166
      CASE(Kind::Escaped)
167
      CASE(Kind::Unowned)
168
    }
169
    if (ErrorSym) {
170
      OS << " ErrorSym: ";
171
      ErrorSym->dumpToStream(OS);
172
    }
173
  }
174

175
  LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
176
};
177

178
template <typename Attr> static bool hasFuchsiaAttr(const Decl *D) {
179
  return D->hasAttr<Attr>() && D->getAttr<Attr>()->getHandleType() == "Fuchsia";
180
}
181

182
template <typename Attr> static bool hasFuchsiaUnownedAttr(const Decl *D) {
183
  return D->hasAttr<Attr>() &&
184
         D->getAttr<Attr>()->getHandleType() == "FuchsiaUnowned";
185
}
186

187
class FuchsiaHandleChecker
188
    : public Checker<check::PostCall, check::PreCall, check::DeadSymbols,
189
                     check::PointerEscape, eval::Assume> {
190
  BugType LeakBugType{this, "Fuchsia handle leak", "Fuchsia Handle Error",
191
                      /*SuppressOnSink=*/true};
192
  BugType DoubleReleaseBugType{this, "Fuchsia handle double release",
193
                               "Fuchsia Handle Error"};
194
  BugType UseAfterReleaseBugType{this, "Fuchsia handle use after release",
195
                                 "Fuchsia Handle Error"};
196
  BugType ReleaseUnownedBugType{
197
      this, "Fuchsia handle release of unowned handle", "Fuchsia Handle Error"};
198

199
public:
200
  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
201
  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
202
  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
203
  ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
204
                             bool Assumption) const;
205
  ProgramStateRef checkPointerEscape(ProgramStateRef State,
206
                                     const InvalidatedSymbols &Escaped,
207
                                     const CallEvent *Call,
208
                                     PointerEscapeKind Kind) const;
209

210
  ExplodedNode *reportLeaks(ArrayRef<SymbolRef> LeakedHandles,
211
                            CheckerContext &C, ExplodedNode *Pred) const;
212

213
  void reportDoubleRelease(SymbolRef HandleSym, const SourceRange &Range,
214
                           CheckerContext &C) const;
215

216
  void reportUnownedRelease(SymbolRef HandleSym, const SourceRange &Range,
217
                            CheckerContext &C) const;
218

219
  void reportUseAfterFree(SymbolRef HandleSym, const SourceRange &Range,
220
                          CheckerContext &C) const;
221

222
  void reportBug(SymbolRef Sym, ExplodedNode *ErrorNode, CheckerContext &C,
223
                 const SourceRange *Range, const BugType &Type,
224
                 StringRef Msg) const;
225

226
  void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
227
                  const char *Sep) const override;
228
};
229
} // end anonymous namespace
230

231
REGISTER_MAP_WITH_PROGRAMSTATE(HStateMap, SymbolRef, HandleState)
232

233
static const ExplodedNode *getAcquireSite(const ExplodedNode *N, SymbolRef Sym,
234
                                          CheckerContext &Ctx) {
235
  ProgramStateRef State = N->getState();
236
  // When bug type is handle leak, exploded node N does not have state info for
237
  // leaking handle. Get the predecessor of N instead.
238
  if (!State->get<HStateMap>(Sym))
239
    N = N->getFirstPred();
240

241
  const ExplodedNode *Pred = N;
242
  while (N) {
243
    State = N->getState();
244
    if (!State->get<HStateMap>(Sym)) {
245
      const HandleState *HState = Pred->getState()->get<HStateMap>(Sym);
246
      if (HState && (HState->isAllocated() || HState->maybeAllocated()))
247
        return N;
248
    }
249
    Pred = N;
250
    N = N->getFirstPred();
251
  }
252
  return nullptr;
253
}
254

255
namespace {
256
class FuchsiaHandleSymbolVisitor final : public SymbolVisitor {
257
public:
258
  bool VisitSymbol(SymbolRef S) override {
259
    if (const auto *HandleType = S->getType()->getAs<TypedefType>())
260
      if (HandleType->getDecl()->getName() == HandleTypeName)
261
        Symbols.push_back(S);
262
    return true;
263
  }
264

265
  SmallVector<SymbolRef, 1024> GetSymbols() { return Symbols; }
266

267
private:
268
  SmallVector<SymbolRef, 1024> Symbols;
269
};
270
} // end anonymous namespace
271

272
/// Returns the symbols extracted from the argument or empty vector if it cannot
273
/// be found. It is unlikely to have over 1024 symbols in one argument.
274
static SmallVector<SymbolRef, 1024>
275
getFuchsiaHandleSymbols(QualType QT, SVal Arg, ProgramStateRef State) {
276
  int PtrToHandleLevel = 0;
277
  while (QT->isAnyPointerType() || QT->isReferenceType()) {
278
    ++PtrToHandleLevel;
279
    QT = QT->getPointeeType();
280
  }
281
  if (QT->isStructureType()) {
282
    // If we see a structure, see if there is any handle referenced by the
283
    // structure.
284
    FuchsiaHandleSymbolVisitor Visitor;
285
    State->scanReachableSymbols(Arg, Visitor);
286
    return Visitor.GetSymbols();
287
  }
288
  if (const auto *HandleType = QT->getAs<TypedefType>()) {
289
    if (HandleType->getDecl()->getName() != HandleTypeName)
290
      return {};
291
    if (PtrToHandleLevel > 1)
292
      // Not supported yet.
293
      return {};
294

295
    if (PtrToHandleLevel == 0) {
296
      SymbolRef Sym = Arg.getAsSymbol();
297
      if (Sym) {
298
        return {Sym};
299
      } else {
300
        return {};
301
      }
302
    } else {
303
      assert(PtrToHandleLevel == 1);
304
      if (std::optional<Loc> ArgLoc = Arg.getAs<Loc>()) {
305
        SymbolRef Sym = State->getSVal(*ArgLoc).getAsSymbol();
306
        if (Sym) {
307
          return {Sym};
308
        } else {
309
          return {};
310
        }
311
      }
312
    }
313
  }
314
  return {};
315
}
316

317
void FuchsiaHandleChecker::checkPreCall(const CallEvent &Call,
318
                                        CheckerContext &C) const {
319
  ProgramStateRef State = C.getState();
320
  const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
321
  if (!FuncDecl) {
322
    // Unknown call, escape by value handles. They are not covered by
323
    // PointerEscape callback.
324
    for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
325
      if (SymbolRef Handle = Call.getArgSVal(Arg).getAsSymbol())
326
        State = State->set<HStateMap>(Handle, HandleState::getEscaped());
327
    }
328
    C.addTransition(State);
329
    return;
330
  }
331

332
  for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
333
    if (Arg >= FuncDecl->getNumParams())
334
      break;
335
    const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
336
    SmallVector<SymbolRef, 1024> Handles =
337
        getFuchsiaHandleSymbols(PVD->getType(), Call.getArgSVal(Arg), State);
338

339
    // Handled in checkPostCall.
340
    if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD) ||
341
        hasFuchsiaAttr<AcquireHandleAttr>(PVD))
342
      continue;
343

344
    for (SymbolRef Handle : Handles) {
345
      const HandleState *HState = State->get<HStateMap>(Handle);
346
      if (!HState || HState->isEscaped())
347
        continue;
348

349
      if (hasFuchsiaAttr<UseHandleAttr>(PVD) ||
350
          PVD->getType()->isIntegerType()) {
351
        if (HState->isReleased()) {
352
          reportUseAfterFree(Handle, Call.getArgSourceRange(Arg), C);
353
          return;
354
        }
355
      }
356
    }
357
  }
358
  C.addTransition(State);
359
}
360

361
void FuchsiaHandleChecker::checkPostCall(const CallEvent &Call,
362
                                         CheckerContext &C) const {
363
  const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
364
  if (!FuncDecl)
365
    return;
366

367
  // If we analyzed the function body, then ignore the annotations.
368
  if (C.wasInlined)
369
    return;
370

371
  ProgramStateRef State = C.getState();
372

373
  std::vector<std::function<std::string(BugReport & BR)>> Notes;
374
  SymbolRef ResultSymbol = nullptr;
375
  if (const auto *TypeDefTy = FuncDecl->getReturnType()->getAs<TypedefType>())
376
    if (TypeDefTy->getDecl()->getName() == ErrorTypeName)
377
      ResultSymbol = Call.getReturnValue().getAsSymbol();
378

379
  // Function returns an open handle.
380
  if (hasFuchsiaAttr<AcquireHandleAttr>(FuncDecl)) {
381
    SymbolRef RetSym = Call.getReturnValue().getAsSymbol();
382
    Notes.push_back([RetSym, FuncDecl](BugReport &BR) -> std::string {
383
      auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
384
      if (PathBR->getInterestingnessKind(RetSym)) {
385
        std::string SBuf;
386
        llvm::raw_string_ostream OS(SBuf);
387
        OS << "Function '" << FuncDecl->getDeclName()
388
           << "' returns an open handle";
389
        return SBuf;
390
      } else
391
        return "";
392
    });
393
    State =
394
        State->set<HStateMap>(RetSym, HandleState::getMaybeAllocated(nullptr));
395
  } else if (hasFuchsiaUnownedAttr<AcquireHandleAttr>(FuncDecl)) {
396
    // Function returns an unowned handle
397
    SymbolRef RetSym = Call.getReturnValue().getAsSymbol();
398
    Notes.push_back([RetSym, FuncDecl](BugReport &BR) -> std::string {
399
      auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
400
      if (PathBR->getInterestingnessKind(RetSym)) {
401
        std::string SBuf;
402
        llvm::raw_string_ostream OS(SBuf);
403
        OS << "Function '" << FuncDecl->getDeclName()
404
           << "' returns an unowned handle";
405
        return SBuf;
406
      } else
407
        return "";
408
    });
409
    State = State->set<HStateMap>(RetSym, HandleState::getUnowned());
410
  }
411

412
  for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
413
    if (Arg >= FuncDecl->getNumParams())
414
      break;
415
    const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
416
    unsigned ParamDiagIdx = PVD->getFunctionScopeIndex() + 1;
417
    SmallVector<SymbolRef, 1024> Handles =
418
        getFuchsiaHandleSymbols(PVD->getType(), Call.getArgSVal(Arg), State);
419

420
    for (SymbolRef Handle : Handles) {
421
      const HandleState *HState = State->get<HStateMap>(Handle);
422
      if (HState && HState->isEscaped())
423
        continue;
424
      if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD)) {
425
        if (HState && HState->isReleased()) {
426
          reportDoubleRelease(Handle, Call.getArgSourceRange(Arg), C);
427
          return;
428
        } else if (HState && HState->isUnowned()) {
429
          reportUnownedRelease(Handle, Call.getArgSourceRange(Arg), C);
430
          return;
431
        } else {
432
          Notes.push_back([Handle, ParamDiagIdx](BugReport &BR) -> std::string {
433
            auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
434
            if (PathBR->getInterestingnessKind(Handle)) {
435
              std::string SBuf;
436
              llvm::raw_string_ostream OS(SBuf);
437
              OS << "Handle released through " << ParamDiagIdx
438
                 << llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
439
              return SBuf;
440
            } else
441
              return "";
442
          });
443
          State = State->set<HStateMap>(Handle, HandleState::getReleased());
444
        }
445
      } else if (hasFuchsiaAttr<AcquireHandleAttr>(PVD)) {
446
        Notes.push_back([Handle, ParamDiagIdx](BugReport &BR) -> std::string {
447
          auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
448
          if (PathBR->getInterestingnessKind(Handle)) {
449
            std::string SBuf;
450
            llvm::raw_string_ostream OS(SBuf);
451
            OS << "Handle allocated through " << ParamDiagIdx
452
               << llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
453
            return SBuf;
454
          } else
455
            return "";
456
        });
457
        State = State->set<HStateMap>(
458
            Handle, HandleState::getMaybeAllocated(ResultSymbol));
459
      } else if (hasFuchsiaUnownedAttr<AcquireHandleAttr>(PVD)) {
460
        Notes.push_back([Handle, ParamDiagIdx](BugReport &BR) -> std::string {
461
          auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
462
          if (PathBR->getInterestingnessKind(Handle)) {
463
            std::string SBuf;
464
            llvm::raw_string_ostream OS(SBuf);
465
            OS << "Unowned handle allocated through " << ParamDiagIdx
466
               << llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
467
            return SBuf;
468
          } else
469
            return "";
470
        });
471
        State = State->set<HStateMap>(Handle, HandleState::getUnowned());
472
      } else if (!hasFuchsiaAttr<UseHandleAttr>(PVD) &&
473
                 PVD->getType()->isIntegerType()) {
474
        // Working around integer by-value escapes.
475
        // The by-value escape would not be captured in checkPointerEscape.
476
        // If the function was not analyzed (otherwise wasInlined should be
477
        // true) and there is no annotation on the handle, we assume the handle
478
        // is escaped.
479
        State = State->set<HStateMap>(Handle, HandleState::getEscaped());
480
      }
481
    }
482
  }
483
  const NoteTag *T = nullptr;
484
  if (!Notes.empty()) {
485
    T = C.getNoteTag([this, Notes{std::move(Notes)}](
486
                         PathSensitiveBugReport &BR) -> std::string {
487
      if (&BR.getBugType() != &UseAfterReleaseBugType &&
488
          &BR.getBugType() != &LeakBugType &&
489
          &BR.getBugType() != &DoubleReleaseBugType &&
490
          &BR.getBugType() != &ReleaseUnownedBugType)
491
        return "";
492
      for (auto &Note : Notes) {
493
        std::string Text = Note(BR);
494
        if (!Text.empty())
495
          return Text;
496
      }
497
      return "";
498
    });
499
  }
500
  C.addTransition(State, T);
501
}
502

503
void FuchsiaHandleChecker::checkDeadSymbols(SymbolReaper &SymReaper,
504
                                            CheckerContext &C) const {
505
  ProgramStateRef State = C.getState();
506
  SmallVector<SymbolRef, 2> LeakedSyms;
507
  HStateMapTy TrackedHandles = State->get<HStateMap>();
508
  for (auto &CurItem : TrackedHandles) {
509
    SymbolRef ErrorSym = CurItem.second.getErrorSym();
510
    // Keeping zombie handle symbols. In case the error symbol is dying later
511
    // than the handle symbol we might produce spurious leak warnings (in case
512
    // we find out later from the status code that the handle allocation failed
513
    // in the first place).
514
    if (!SymReaper.isDead(CurItem.first) ||
515
        (ErrorSym && !SymReaper.isDead(ErrorSym)))
516
      continue;
517
    if (CurItem.second.isAllocated() || CurItem.second.maybeAllocated())
518
      LeakedSyms.push_back(CurItem.first);
519
    State = State->remove<HStateMap>(CurItem.first);
520
  }
521

522
  ExplodedNode *N = C.getPredecessor();
523
  if (!LeakedSyms.empty())
524
    N = reportLeaks(LeakedSyms, C, N);
525

526
  C.addTransition(State, N);
527
}
528

529
// Acquiring a handle is not always successful. In Fuchsia most functions
530
// return a status code that determines the status of the handle.
531
// When we split the path based on this status code we know that on one
532
// path we do have the handle and on the other path the acquire failed.
533
// This method helps avoiding false positive leak warnings on paths where
534
// the function failed.
535
// Moreover, when a handle is known to be zero (the invalid handle),
536
// we no longer can follow the symbol on the path, becaue the constant
537
// zero will be used instead of the symbol. We also do not need to release
538
// an invalid handle, so we remove the corresponding symbol from the state.
539
ProgramStateRef FuchsiaHandleChecker::evalAssume(ProgramStateRef State,
540
                                                 SVal Cond,
541
                                                 bool Assumption) const {
542
  // TODO: add notes about successes/fails for APIs.
543
  ConstraintManager &Cmr = State->getConstraintManager();
544
  HStateMapTy TrackedHandles = State->get<HStateMap>();
545
  for (auto &CurItem : TrackedHandles) {
546
    ConditionTruthVal HandleVal = Cmr.isNull(State, CurItem.first);
547
    if (HandleVal.isConstrainedTrue()) {
548
      // The handle is invalid. We can no longer follow the symbol on this path.
549
      State = State->remove<HStateMap>(CurItem.first);
550
    }
551
    SymbolRef ErrorSym = CurItem.second.getErrorSym();
552
    if (!ErrorSym)
553
      continue;
554
    ConditionTruthVal ErrorVal = Cmr.isNull(State, ErrorSym);
555
    if (ErrorVal.isConstrainedTrue()) {
556
      // Allocation succeeded.
557
      if (CurItem.second.maybeAllocated())
558
        State = State->set<HStateMap>(
559
            CurItem.first, HandleState::getAllocated(State, CurItem.second));
560
    } else if (ErrorVal.isConstrainedFalse()) {
561
      // Allocation failed.
562
      if (CurItem.second.maybeAllocated())
563
        State = State->remove<HStateMap>(CurItem.first);
564
    }
565
  }
566
  return State;
567
}
568

569
ProgramStateRef FuchsiaHandleChecker::checkPointerEscape(
570
    ProgramStateRef State, const InvalidatedSymbols &Escaped,
571
    const CallEvent *Call, PointerEscapeKind Kind) const {
572
  const FunctionDecl *FuncDecl =
573
      Call ? dyn_cast_or_null<FunctionDecl>(Call->getDecl()) : nullptr;
574

575
  llvm::DenseSet<SymbolRef> UnEscaped;
576
  // Not all calls should escape our symbols.
577
  if (FuncDecl &&
578
      (Kind == PSK_DirectEscapeOnCall || Kind == PSK_IndirectEscapeOnCall ||
579
       Kind == PSK_EscapeOutParameters)) {
580
    for (unsigned Arg = 0; Arg < Call->getNumArgs(); ++Arg) {
581
      if (Arg >= FuncDecl->getNumParams())
582
        break;
583
      const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
584
      SmallVector<SymbolRef, 1024> Handles =
585
          getFuchsiaHandleSymbols(PVD->getType(), Call->getArgSVal(Arg), State);
586
      for (SymbolRef Handle : Handles) {
587
        if (hasFuchsiaAttr<UseHandleAttr>(PVD) ||
588
            hasFuchsiaAttr<ReleaseHandleAttr>(PVD)) {
589
          UnEscaped.insert(Handle);
590
        }
591
      }
592
    }
593
  }
594

595
  // For out params, we have to deal with derived symbols. See
596
  // MacOSKeychainAPIChecker for details.
597
  for (auto I : State->get<HStateMap>()) {
598
    if (Escaped.count(I.first) && !UnEscaped.count(I.first))
599
      State = State->set<HStateMap>(I.first, HandleState::getEscaped());
600
    if (const auto *SD = dyn_cast<SymbolDerived>(I.first)) {
601
      auto ParentSym = SD->getParentSymbol();
602
      if (Escaped.count(ParentSym))
603
        State = State->set<HStateMap>(I.first, HandleState::getEscaped());
604
    }
605
  }
606

607
  return State;
608
}
609

610
ExplodedNode *
611
FuchsiaHandleChecker::reportLeaks(ArrayRef<SymbolRef> LeakedHandles,
612
                                  CheckerContext &C, ExplodedNode *Pred) const {
613
  ExplodedNode *ErrNode = C.generateNonFatalErrorNode(C.getState(), Pred);
614
  for (SymbolRef LeakedHandle : LeakedHandles) {
615
    reportBug(LeakedHandle, ErrNode, C, nullptr, LeakBugType,
616
              "Potential leak of handle");
617
  }
618
  return ErrNode;
619
}
620

621
void FuchsiaHandleChecker::reportDoubleRelease(SymbolRef HandleSym,
622
                                               const SourceRange &Range,
623
                                               CheckerContext &C) const {
624
  ExplodedNode *ErrNode = C.generateErrorNode(C.getState());
625
  reportBug(HandleSym, ErrNode, C, &Range, DoubleReleaseBugType,
626
            "Releasing a previously released handle");
627
}
628

629
void FuchsiaHandleChecker::reportUnownedRelease(SymbolRef HandleSym,
630
                                                const SourceRange &Range,
631
                                                CheckerContext &C) const {
632
  ExplodedNode *ErrNode = C.generateErrorNode(C.getState());
633
  reportBug(HandleSym, ErrNode, C, &Range, ReleaseUnownedBugType,
634
            "Releasing an unowned handle");
635
}
636

637
void FuchsiaHandleChecker::reportUseAfterFree(SymbolRef HandleSym,
638
                                              const SourceRange &Range,
639
                                              CheckerContext &C) const {
640
  ExplodedNode *ErrNode = C.generateErrorNode(C.getState());
641
  reportBug(HandleSym, ErrNode, C, &Range, UseAfterReleaseBugType,
642
            "Using a previously released handle");
643
}
644

645
void FuchsiaHandleChecker::reportBug(SymbolRef Sym, ExplodedNode *ErrorNode,
646
                                     CheckerContext &C,
647
                                     const SourceRange *Range,
648
                                     const BugType &Type, StringRef Msg) const {
649
  if (!ErrorNode)
650
    return;
651

652
  std::unique_ptr<PathSensitiveBugReport> R;
653
  if (Type.isSuppressOnSink()) {
654
    const ExplodedNode *AcquireNode = getAcquireSite(ErrorNode, Sym, C);
655
    if (AcquireNode) {
656
      const Stmt *S = AcquireNode->getStmtForDiagnostics();
657
      assert(S && "Statement cannot be null.");
658
      PathDiagnosticLocation LocUsedForUniqueing =
659
          PathDiagnosticLocation::createBegin(
660
              S, C.getSourceManager(), AcquireNode->getLocationContext());
661

662
      R = std::make_unique<PathSensitiveBugReport>(
663
          Type, Msg, ErrorNode, LocUsedForUniqueing,
664
          AcquireNode->getLocationContext()->getDecl());
665
    }
666
  }
667
  if (!R)
668
    R = std::make_unique<PathSensitiveBugReport>(Type, Msg, ErrorNode);
669
  if (Range)
670
    R->addRange(*Range);
671
  R->markInteresting(Sym);
672
  C.emitReport(std::move(R));
673
}
674

675
void ento::registerFuchsiaHandleChecker(CheckerManager &mgr) {
676
  mgr.registerChecker<FuchsiaHandleChecker>();
677
}
678

679
bool ento::shouldRegisterFuchsiaHandleChecker(const CheckerManager &mgr) {
680
  return true;
681
}
682

683
void FuchsiaHandleChecker::printState(raw_ostream &Out, ProgramStateRef State,
684
                                      const char *NL, const char *Sep) const {
685

686
  HStateMapTy StateMap = State->get<HStateMap>();
687

688
  if (!StateMap.isEmpty()) {
689
    Out << Sep << "FuchsiaHandleChecker :" << NL;
690
    for (const auto &[Sym, HandleState] : StateMap) {
691
      Sym->dumpToStream(Out);
692
      Out << " : ";
693
      HandleState.dump(Out);
694
      Out << NL;
695
    }
696
  }
697
}
698

699