search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
flow: introduce definite_inside_loop()
[smatch.git] / check_leaks.c
blob95e5c92e3b074f6c3965e2065102d7ffb4f48250
1 /*
2 * sparse/check_leaks.c
3 *
4 * Copyright (C) 2010 Dan Carpenter.
5 *
6 * Licensed under the Open Software License version 1.1
7 *
8 */
9
10 /*
11 * The point of this check is to look for leaks.
12 * foo = malloc(); // <- mark it as allocated.
13 * A variable becomes &ok if we:
14 * 1) assign it to another variable.
15 * 2) pass it to a function.
16 *
17 * One complication is dealing with stuff like:
18 * foo->bar = malloc();
19 * foo->baz = malloc();
20 * foo = something();
21 *
22 * The work around is that for now what this check only
23 * checks simple expressions and doesn't check whether
24 * foo->bar is leaked.
25 *
26 */
27
28 #include <fcntl.h>
29 #include <unistd.h>
30 #include "parse.h"
31 #include "smatch.h"
32 #include "smatch_slist.h"
33
34 static int my_id;
35
36 STATE(allocated);
37 STATE(ok);
38
39 static void set_parent(struct expression *expr, struct smatch_state *state);
40
41 static const char *allocation_funcs[] = {
42 "malloc",
43 "kmalloc",
44 "kzalloc",
45 "kmemdup",
46 };
47
48 static char *alloc_parent_str(struct symbol *sym)
49 {
50 static char buf[256];
51
52 if (!sym || !sym->ident)
53 return NULL;
54
55 snprintf(buf, 255, "%s", sym->ident->name);
56 buf[255] = '\0';
57 return alloc_string(buf);
58 }
59
60 static char *get_parent_from_expr(struct expression *expr, struct symbol **sym)
61 {
62 char *name;
63
64 expr = strip_expr(expr);
65
66 name = expr_to_str_sym(expr, sym);
67 free_string(name);
68 if (!name || !*sym || !(*sym)->ident) {
69 *sym = NULL;
70 return NULL;
71 }
72 return alloc_parent_str(*sym);
73 }
74
75 static int is_local(struct expression *expr)
76 {
77 char *name;
78 struct symbol *sym;
79 int ret = 0;
80
81 name = expr_to_str_sym(expr, &sym);
82 if (!name || !sym)
83 goto out;
84 if (sym->ctype.modifiers & (MOD_NONLOCAL | MOD_STATIC | MOD_ADDRESSABLE))
85 goto out;
86 ret = 1;
87 out:
88 free_string(name);
89 return ret;
90 }
91
92 static int is_param(struct expression *expr)
93 {
94 char *name;
95 struct symbol *sym;
96 struct symbol *tmp;
97 int ret = 0;
98
99 name = expr_to_str_sym(expr, &sym);
100 if (!name || !sym)
101 goto out;
102 FOR_EACH_PTR(cur_func_sym->ctype.base_type->arguments, tmp) {
103 if (tmp == sym) {
104 ret = 1;
105 goto out;
106 }
107 } END_FOR_EACH_PTR(tmp);
108 out:
109 free_string(name);
110 return ret;
111
112 }
113
114 static void match_alloc(const char *fn, struct expression *expr, void *unused)
115 {
116 if (!is_local(expr->left))
117 return;
118 if (is_param(expr->left))
119 return;
120 if (expr->left->type != EXPR_SYMBOL)
121 return;
122 set_state_expr(my_id, expr->left, &allocated);
123 }
124
125 static void match_condition(struct expression *expr)
126 {
127 struct sm_state *sm;
128
129 expr = strip_expr(expr);
130
131 switch (expr->type) {
132 case EXPR_PREOP:
133 case EXPR_SYMBOL:
134 case EXPR_DEREF:
135 sm = get_sm_state_expr(my_id, expr);
136 if (sm && slist_has_state(sm->possible, &allocated))
137 set_true_false_states_expr(my_id, expr, &allocated, &ok);
138 return;
139 case EXPR_ASSIGNMENT:
140 /* You have to deal with stuff like if (a = b = c) */
141 match_condition(expr->left);
142 return;
143 default:
144 return;
145 }
146 }
147
148 static void set_parent(struct expression *expr, struct smatch_state *state)
149 {
150 char *name;
151 struct symbol *sym;
152
153 name = get_parent_from_expr(expr, &sym);
154 if (!name || !sym)
155 goto free;
156 if (state == &ok && !get_state(my_id, name, sym))
157 goto free;
158 set_state(my_id, name, sym, state);
159 free:
160 free_string(name);
161 }
162
163 static void match_function_call(struct expression *expr)
164 {
165 struct expression *tmp;
166
167 FOR_EACH_PTR(expr->args, tmp) {
168 set_parent(tmp, &ok);
169 } END_FOR_EACH_PTR(tmp);
170 }
171
172 static void warn_if_allocated(struct expression *expr)
173 {
174 struct sm_state *sm;
175 char *name;
176
177 sm = get_sm_state_expr(my_id, expr);
178 if (!sm)
179 return;
180 if (!slist_has_state(sm->possible, &allocated))
181 return;
182
183 name = expr_to_var(expr);
184 sm_msg("warn: overwrite may leak '%s'", name);
185 free_string(name);
186
187 /* silence further warnings */
188 set_state_expr(my_id, expr, &ok);
189 }
190
191 static void match_assign(struct expression *expr)
192 {
193 struct expression *right;
194
195 right = expr->right;
196
197 while (right->type == EXPR_ASSIGNMENT)
198 right = right->left;
199
200 warn_if_allocated(expr->left);
201 set_parent(right, &ok);
202 }
203
204 static void check_for_allocated(void)
205 {
206 struct state_list *slist;
207 struct sm_state *tmp;
208
209 slist = get_all_states(my_id);
210 FOR_EACH_PTR(slist, tmp) {
211 if (!slist_has_state(tmp->possible, &allocated))
212 continue;
213 sm_msg("warn: possible memory leak of '%s'", tmp->name);
214 } END_FOR_EACH_PTR(tmp);
215 free_slist(&slist);
216 }
217
218 static void match_return(struct expression *ret_value)
219 {
220 if (__inline_fn)
221 return;
222 set_parent(ret_value, &ok);
223 check_for_allocated();
224 }
225
226 static void match_end_func(struct symbol *sym)
227 {
228 if (__inline_fn)
229 return;
230 check_for_allocated();
231 }
232
233 void check_leaks(int id)
234 {
235 int i;
236
237 my_id = id;
238
239 for (i = 0; i < ARRAY_SIZE(allocation_funcs); i++)
240 add_function_assign_hook(allocation_funcs[i], &match_alloc, NULL);
241
242 add_hook(&match_condition, CONDITION_HOOK);
243
244 add_hook(&match_function_call, FUNCTION_CALL_HOOK);
245 add_hook(&match_assign, ASSIGNMENT_HOOK);
246
247 add_hook(&match_return, RETURN_HOOK);
248 add_hook(&match_end_func, END_FUNC_HOOK);
249 }
Static analysis for C