search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mtag: mask out the low bits
[smatch.git] / check_free.c
blob18b37c06f17a444757f11fad7c9494d06649b023
1 /*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * check_memory() is getting too big and messy.
20 *
21 */
22
23 #include <string.h>
24 #include "smatch.h"
25 #include "smatch_slist.h"
26 #include "smatch_extra.h"
27
28 static int my_id;
29
30 STATE(freed);
31 STATE(ok);
32
33 static void ok_to_use(struct sm_state *sm, struct expression *mod_expr)
34 {
35 if (sm->state != &ok)
36 set_state(my_id, sm->name, sm->sym, &ok);
37 }
38
39 static void pre_merge_hook(struct sm_state *sm)
40 {
41 if (is_impossible_path())
42 set_state(my_id, sm->name, sm->sym, &ok);
43 }
44
45 static int is_freed(struct expression *expr)
46 {
47 struct sm_state *sm;
48
49 sm = get_sm_state_expr(my_id, expr);
50 if (sm && slist_has_state(sm->possible, &freed))
51 return 1;
52 return 0;
53 }
54
55 static void match_symbol(struct expression *expr)
56 {
57 struct expression *parent;
58 char *name;
59
60 if (is_impossible_path())
61 return;
62
63 parent = expr_get_parent_expr(expr);
64 while (parent && parent->type == EXPR_PREOP && parent->op == '(')
65 parent = expr_get_parent_expr(parent);
66 if (parent && parent->type == EXPR_PREOP && parent->op == '&')
67 return;
68
69 if (!is_freed(expr))
70 return;
71 name = expr_to_var(expr);
72 sm_msg("warn: '%s' was already freed.", name);
73 free_string(name);
74 }
75
76 static void match_dereferences(struct expression *expr)
77 {
78 char *name;
79
80 if (expr->type != EXPR_PREOP)
81 return;
82
83 if (is_impossible_path())
84 return;
85
86 expr = strip_expr(expr->unop);
87 if (!is_freed(expr))
88 return;
89 name = expr_to_var(expr);
90 sm_msg("error: dereferencing freed memory '%s'", name);
91 set_state_expr(my_id, expr, &ok);
92 free_string(name);
93 }
94
95 static int ignored_params[16];
96
97 static void set_ignored_params(struct expression *call)
98 {
99 struct expression *arg;
100 const char *p;
101 int i;
102
103 memset(&ignored_params, 0, sizeof(ignored_params));
104
105 i = -1;
106 FOR_EACH_PTR(call->args, arg) {
107 i++;
108 if (arg->type != EXPR_STRING)
109 continue;
110 goto found;
111 } END_FOR_EACH_PTR(arg);
112
113 return;
114
115 found:
116 i++;
117 p = arg->string->data;
118 while ((p = strchr(p, '%'))) {
119 if (i >= ARRAY_SIZE(ignored_params))
120 return;
121 p++;
122 if (*p == '%') {
123 p++;
124 continue;
125 }
126 if (*p == '.')
127 p++;
128 if (*p == '*')
129 i++;
130 if (*p == 'p')
131 ignored_params[i] = 1;
132 i++;
133 }
134 }
135
136 static int is_free_func(struct expression *fn)
137 {
138 char *name;
139 int ret = 0;
140
141 name = expr_to_str(fn);
142 if (!name)
143 return 0;
144 if (strstr(name, "free"))
145 ret = 1;
146 free_string(name);
147
148 return ret;
149 }
150
151 static void match_call(struct expression *expr)
152 {
153 struct expression *arg;
154 char *name;
155 int i;
156
157 if (is_impossible_path())
158 return;
159
160 set_ignored_params(expr);
161
162 i = -1;
163 FOR_EACH_PTR(expr->args, arg) {
164 i++;
165 if (!is_pointer(arg))
166 continue;
167 if (!is_freed(arg))
168 continue;
169 if (ignored_params[i])
170 continue;
171
172 name = expr_to_var(arg);
173 if (is_free_func(expr->fn))
174 sm_msg("error: double free of '%s'", name);
175 else
176 sm_msg("warn: passing freed memory '%s'", name);
177 set_state_expr(my_id, arg, &ok);
178 free_string(name);
179 } END_FOR_EACH_PTR(arg);
180 }
181
182 static void match_return(struct expression *expr)
183 {
184 char *name;
185
186 if (is_impossible_path())
187 return;
188
189 if (!expr)
190 return;
191 if (!is_freed(expr))
192 return;
193
194 name = expr_to_var(expr);
195 sm_msg("warn: returning freed memory '%s'", name);
196 set_state_expr(my_id, expr, &ok);
197 free_string(name);
198 }
199
200 static void match_free(const char *fn, struct expression *expr, void *param)
201 {
202 struct expression *arg;
203
204 if (is_impossible_path())
205 return;
206
207 arg = get_argument_from_call_expr(expr->args, PTR_INT(param));
208 if (!arg)
209 return;
210 if (is_freed(arg)) {
211 char *name = expr_to_var(arg);
212
213 sm_msg("error: double free of '%s'", name);
214 free_string(name);
215 }
216 set_state_expr(my_id, arg, &freed);
217 }
218
219 static void set_param_freed(struct expression *call, struct expression *arg, char *key, char *unused)
220 {
221 struct symbol *sym;
222 char *name;
223
224 name = get_variable_from_key(arg, key, &sym);
225 if (!name || !sym)
226 goto free;
227
228 set_state(my_id, name, sym, &freed);
229 free:
230 free_string(name);
231 }
232
233 int parent_is_free_var_sym(const char *name, struct symbol *sym)
234 {
235 char buf[256];
236 char *start;
237 char *end;
238 struct smatch_state *state;
239
240 if (option_project == PROJ_KERNEL)
241 return parent_is_free_var_sym_strict(name, sym);
242
243 strncpy(buf, name, sizeof(buf) - 1);
244 buf[sizeof(buf) - 1] = '\0';
245
246 start = &buf[0];
247 while ((*start == '&'))
248 start++;
249
250 while ((end = strrchr(start, '-'))) {
251 *end = '\0';
252 state = __get_state(my_id, start, sym);
253 if (state == &freed)
254 return 1;
255 }
256 return 0;
257 }
258
259 int parent_is_free(struct expression *expr)
260 {
261 struct symbol *sym;
262 char *var;
263 int ret = 0;
264
265 expr = strip_expr(expr);
266 var = expr_to_var_sym(expr, &sym);
267 if (!var || !sym)
268 goto free;
269 ret = parent_is_free_var_sym(var, sym);
270 free:
271 free_string(var);
272 return ret;
273 }
274
275 void check_free(int id)
276 {
277 my_id = id;
278
279 if (option_project == PROJ_KERNEL) {
280 /* The kernel use check_free_strict.c */
281 return;
282 }
283
284 add_function_hook("free", &match_free, INT_PTR(0));
285
286 if (option_spammy)
287 add_hook(&match_symbol, SYM_HOOK);
288 add_hook(&match_dereferences, DEREF_HOOK);
289 add_hook(&match_call, FUNCTION_CALL_HOOK);
290 add_hook(&match_return, RETURN_HOOK);
291
292 add_modification_hook(my_id, &ok_to_use);
293 select_return_implies_hook(PARAM_FREED, &set_param_freed);
294 add_pre_merge_hook(my_id, &pre_merge_hook);
295 }
Static analysis for C