gcc/analyzer/sm-malloc.dot

   1 /* An overview of the state machine from sm-malloc.cc.
   2    Copyright (C) 2019-2023 Free Software Foundation, Inc.
   3    Contributed by David Malcolm <dmalcolm@redhat.com>.
   4
   5 This file is part of GCC.
   6
   7 GCC is free software; you can redistribute it and/or modify it
   8 under the terms of the GNU General Public License as published by
   9 the Free Software Foundation; either version 3, or (at your option)
  10 any later version.
  11
  12 GCC is distributed in the hope that it will be useful, but
  13 WITHOUT ANY WARRANTY; without even the implied warranty of
  14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  15 General Public License for more details.
  16
  17 You should have received a copy of the GNU General Public License
  18 along with GCC; see the file COPYING3.  If not see
  19 <http://www.gnu.org/licenses/>.  */
  20
  21 /* Keep this in-sync with sm-malloc.cc  */
  22
  23 digraph "malloc" {
  24
  25   /* STATES. */
  26
  27   /* Start state.  */
  28   start;
  29
  30   /* State for a pointer returned from malloc that hasn't been checked for
  31      NULL.
  32      It could be a pointer to heap-allocated memory, or could be NULL.  */
  33   unchecked;
  34
  35   /* State for a pointer that's been unconditionally dereferenced.  */
  36   assumed_non_null;
  37
  38   /* State for a pointer that's known to be NULL.  */
  39   null;
  40
  41   /* State for a pointer to heap-allocated memory, known to be non-NULL.  */
  42   nonnull;
  43
  44   /* State for a pointer to freed memory.  */
  45   freed;
  46
  47   /* State for a pointer that's known to not be on the heap (e.g. to a local
  48      or global).  */
  49   non_heap;
  50
  51   /* Stop state, for pointers we don't want to track any more.  */
  52   stop;
  53
  54   /* TRANSITIONS. */
  55
  56   start -> unchecked [label="on 'X=malloc(...);'"];
  57   start -> unchecked [label="on 'X=calloc(...);'"];
  58
  59   start -> non_heap [label="on 'X=alloca(...);'"];
  60   start -> non_heap [label="on 'X=__builtin_alloca(...);'"];
  61
  62   /* On "free".  */
  63   start -> freed [label="on 'free(X);'"];
  64   assumed_non_null -> freed [label="on 'free(X);'"];
  65   unchecked -> freed [label="on 'free(X);'"];
  66   nonnull -> freed [label="on 'free(X);'"];
  67   freed -> stop [label="on 'free(X);':\n Warn('double-free')"];
  68   non_heap -> stop  [label="on 'free(X);':\n Warn('free of non-heap')"];
  69
  70   /* Handle "__attribute__((nonnull))".   */
  71   unchecked -> nonnull [label="on 'FN(X)' with __attribute__((nonnull)):\nWarn('possible NULL arg')"];
  72   null -> stop [label="on 'FN(X)' with __attribute__((nonnull)):\nWarn('NULL arg')"];
  73   start -> assumed_non_null [label="on 'FN(X)' with __attribute__((nonnull))"];
  74
  75   /* is_zero_assignment.  */
  76   start -> null [label="on 'X = 0;'"];
  77   unchecked -> null [label="on 'X = 0;'"];
  78   nonnull -> null [label="on 'X = 0;'"];
  79   freed -> null [label="on 'X = 0;'"];
  80
  81   start -> non_heap [label="on 'X = &EXPR;'"];
  82
  83   /* Handle dereferences.  */
  84   start -> assumed_non_null [label="on '*X'"];
  85   unchecked -> nonnull [label="on '*X':\nWarn('possible NULL deref')"];
  86   null -> stop [label="on '*X':\nWarn('NULL deref')"];
  87   freed -> stop [label="on '*X':\nWarn('use after free')"];
  88
  89   /* on_condition.  */
  90   unchecked -> nonnull [label="on 'X != 0'"];
  91   unchecked -> null [label="on 'X == 0'"];
  92   assumed_non_null -> stop [label="on 'if (X)':\nWarn('deref-before-check')"];
  93
  94   unchecked -> stop [label="on leak:\nWarn('leak')"];
  95   nonnull -> stop [label="on leak:\nWarn('leak')"];
  96 }