search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
check_locking: move to the new function hook.
[smatch.git] / check_memory.c
blobadd230c066eee3259db0b43c33779f6717845220
1 /*
2 * sparse/check_memory.c
3 *
4 * Copyright (C) 2008 Dan Carpenter.
5 *
6 * Licensed under the Open Software License version 1.1
7 *
8 */
9
10 #include "parse.h"
11 #include "smatch.h"
12 #include "smatch_slist.h"
13
14 static int my_id;
15
16 STATE(allocated);
17 STATE(assigned);
18 STATE(isfree);
19 STATE(malloced);
20 STATE(isnull);
21 STATE(unfree);
22
23 /*
24 malloced --> allocated --> assigned --> isfree +
25 \-> isnull. \-> isfree +
26
27 isfree --> unfree.
28 \-> isnull.
29 */
30
31 static struct tracker_list *arguments;
32
33 static const char *allocation_funcs[] = {
34 "malloc",
35 "kmalloc",
36 "kzalloc",
37 NULL,
38 };
39
40 static struct smatch_state *unmatched_state(struct sm_state *sm)
41 {
42 if (!strcmp(sm->name, "-"))
43 return &assigned;
44 return &undefined;
45 }
46
47 static void assign_parent(struct symbol *sym)
48 {
49 set_state("-", my_id, sym, &assigned);
50 }
51
52 static int parent_is_assigned(struct symbol *sym)
53 {
54 struct smatch_state *state;
55
56 state = get_state("-", my_id, sym);
57 if (state == &assigned)
58 return 1;
59 return 0;
60 }
61
62 static int is_allocation(struct expression *expr)
63 {
64 char *fn_name;
65 int i;
66
67 if (expr->type != EXPR_CALL)
68 return 0;
69
70 if (!(fn_name = get_variable_from_expr(expr->fn, NULL)))
71 return 0;
72
73 for (i = 0; allocation_funcs[i]; i++) {
74 if (!strcmp(fn_name, allocation_funcs[i])) {
75 free_string(fn_name);
76 return 1;
77 }
78 }
79 free_string(fn_name);
80 return 0;
81 }
82
83 static int is_freed(const char *name, struct symbol *sym)
84 {
85 struct state_list *slist;
86
87 slist = get_possible_states(name, my_id, sym);
88 if (slist_has_state(slist, &isfree)) {
89 return 1;
90 }
91 return 0;
92 }
93
94 static int is_argument(struct symbol *sym)
95 {
96 struct tracker *arg;
97
98 FOR_EACH_PTR(arguments, arg) {
99 if (arg->sym == sym)
100 return 1;
101 } END_FOR_EACH_PTR(arg);
102 return 0;
103 }
104
105 static void match_function_def(struct symbol *sym)
106 {
107 struct symbol *arg;
108
109 FOR_EACH_PTR(sym->ctype.base_type->arguments, arg) {
110 add_tracker(&arguments, (arg->ident?arg->ident->name:"NULL"), my_id, arg);
111 } END_FOR_EACH_PTR(arg);
112 }
113
114 static void match_declarations(struct symbol *sym)
115 {
116 const char *name;
117
118 if ((get_base_type(sym))->type == SYM_ARRAY) {
119 return;
120 }
121
122 name = sym->ident->name;
123
124 if (sym->initializer) {
125 if (is_allocation(sym->initializer)) {
126 set_state(name, my_id, sym, &malloced);
127 } else {
128 assign_parent(sym);
129 }
130 }
131 }
132
133 static int is_parent(struct expression *expr)
134 {
135 if (expr->type == EXPR_DEREF)
136 return 0;
137 return 1;
138 }
139
140 static int assign_seen;
141 static int handle_double_assign(struct expression *expr)
142 {
143 struct symbol *sym;
144 char *name;
145
146 if (expr->right->type != EXPR_ASSIGNMENT)
147 return 0;
148 assign_seen++;
149
150 name = get_variable_from_expr_complex(expr->left, &sym);
151 if (name && is_parent(expr->left))
152 assign_parent(sym);
153
154 name = get_variable_from_expr_complex(expr->right->left, &sym);
155 if (name && is_parent(expr->right->left))
156 assign_parent(sym);
157
158 name = get_variable_from_expr_complex(expr->right->right, &sym);
159 if (name && is_parent(expr->right->right))
160 assign_parent(sym);
161
162 return 1;
163 }
164
165 static void match_assign(struct expression *expr)
166 {
167 struct expression *left, *right;
168 char *left_name = NULL;
169 char *right_name = NULL;
170 struct symbol *left_sym, *right_sym;
171 struct smatch_state *state;
172
173 if (assign_seen) {
174 assign_seen--;
175 return;
176 }
177
178 if (handle_double_assign(expr)) {
179 return;
180 }
181
182 left = strip_expr(expr->left);
183 left_name = get_variable_from_expr_complex(left, &left_sym);
184
185 right = strip_expr(expr->right);
186 if (left_name && left_sym && is_allocation(right) &&
187 !(left_sym->ctype.modifiers &
188 (MOD_NONLOCAL | MOD_STATIC | MOD_ADDRESSABLE)) &&
189 !parent_is_assigned(left_sym)) {
190 set_state(left_name, my_id, left_sym, &malloced);
191 goto exit;
192 }
193
194 right_name = get_variable_from_expr_complex(right, &right_sym);
195
196 if (right_name && (state = get_state(right_name, my_id, right_sym))) {
197 if (state == &isfree)
198 smatch_msg("error: assigning freed pointer");
199 set_state(right_name, my_id, right_sym, &assigned);
200 }
201
202 if (is_freed(left_name, left_sym)) {
203 set_state(left_name, my_id, left_sym, &unfree);
204 }
205 if (left_name && is_parent(left))
206 assign_parent(left_sym);
207 if (right_name && is_parent(right))
208 assign_parent(right_sym);
209 exit:
210 free_string(left_name);
211 free_string(right_name);
212 }
213
214 static int is_null(char *name, struct symbol *sym)
215 {
216 struct smatch_state *state;
217
218 /*
219 * FIXME. Ha ha ha... This is so wrong.
220 * I'm pulling in data from the check_null_deref script.
221 * I just happen to know that its ID is 3.
222 * The correct approved way to do this is to get the data from
223 * smatch_extra. But right now smatch_extra doesn't track it.
224 */
225 state = get_state(name, my_id, sym);
226 if (state && !strcmp(state->name, "isnull"))
227 return 1;
228 return 0;
229 }
230
231 static void match_kfree(struct expression *expr)
232 {
233 struct expression *ptr_expr;
234 char *ptr_name;
235 struct symbol *ptr_sym;
236
237 ptr_expr = get_argument_from_call_expr(expr->args, 0);
238 ptr_name = get_variable_from_expr_complex(ptr_expr, &ptr_sym);
239 if (is_freed(ptr_name, ptr_sym) && !is_null(ptr_name, ptr_sym)) {
240 smatch_msg("error: double free of %s", ptr_name);
241 }
242 set_state(ptr_name, my_id, ptr_sym, &isfree);
243 free_string(ptr_name);
244 }
245
246 static int possibly_allocated(struct state_list *slist)
247 {
248 struct sm_state *tmp;
249
250 FOR_EACH_PTR(slist, tmp) {
251 if (tmp->state == &allocated)
252 return 1;
253 if (tmp->state == &malloced)
254 return 1;
255 } END_FOR_EACH_PTR(tmp);
256 return 0;
257 }
258
259 static void check_for_allocated(void)
260 {
261 struct state_list *slist;
262 struct sm_state *tmp;
263
264 slist = get_all_states(my_id);
265 FOR_EACH_PTR(slist, tmp) {
266 if (possibly_allocated(tmp->possible) &&
267 !is_null(tmp->name, tmp->sym) &&
268 !is_argument(tmp->sym) &&
269 !parent_is_assigned(tmp->sym))
270 smatch_msg("error: memery leak of %s", tmp->name);
271 } END_FOR_EACH_PTR(tmp);
272 free_slist(&slist);
273 }
274
275 static void match_return(struct statement *stmt)
276 {
277 char *name;
278 struct symbol *sym;
279
280 name = get_variable_from_expr_complex(stmt->ret_value, &sym);
281 if (sym)
282 assign_parent(sym);
283 free_string(name);
284 check_for_allocated();
285 }
286
287 static void set_new_true_false_paths(const char *name, struct symbol *sym)
288 {
289 struct smatch_state *tmp;
290
291 tmp = get_state(name, my_id, sym);
292
293 if (!tmp) {
294 return;
295 }
296
297 if (tmp == &isfree) {
298 smatch_msg("warn: why do you care about freed memory?");
299 }
300
301 if (tmp == &assigned) {
302 /* we don't care about assigned pointers any more */
303 return;
304 }
305 set_true_false_states(name, my_id, sym, &allocated, &isnull);
306 }
307
308 static void match_condition(struct expression *expr)
309 {
310 struct symbol *sym;
311 char *name;
312
313 expr = strip_expr(expr);
314 switch(expr->type) {
315 case EXPR_PREOP:
316 case EXPR_SYMBOL:
317 case EXPR_DEREF:
318 name = get_variable_from_expr_complex(expr, &sym);
319 if (!name)
320 return;
321 set_new_true_false_paths(name, sym);
322 free_string(name);
323 return;
324 case EXPR_ASSIGNMENT:
325 assign_seen++;
326 /* You have to deal with stuff like if (a = b = c) */
327 match_condition(expr->right);
328 match_condition(expr->left);
329 return;
330 default:
331 return;
332 }
333 }
334
335 static void match_function_call(struct expression *expr)
336 {
337 struct expression *tmp;
338 struct symbol *sym;
339 char *name;
340 char *fn_name;
341 struct sm_state *state;
342
343 fn_name = get_variable_from_expr(expr->fn, NULL);
344
345 if (fn_name && !strcmp(fn_name, "kfree")) {
346 match_kfree(expr);
347 }
348
349 FOR_EACH_PTR(expr->args, tmp) {
350 tmp = strip_expr(tmp);
351 name = get_variable_from_expr_complex(tmp, &sym);
352 if (!name)
353 continue;
354 if ((state = get_sm_state(name, my_id, sym))) {
355 if (possibly_allocated(state->possible)) {
356 set_state(name, my_id, sym, &assigned);
357 }
358 }
359 assign_parent(sym);
360 } END_FOR_EACH_PTR(tmp);
361 }
362
363 static void match_end_func(struct symbol *sym)
364 {
365 check_for_allocated();
366 free_trackers_and_list(&arguments);
367 }
368
369 void check_memory(int id)
370 {
371 my_id = id;
372 add_unmatched_state_hook(my_id, &unmatched_state);
373 add_hook(&match_function_def, FUNC_DEF_HOOK);
374 add_hook(&match_declarations, DECLARATION_HOOK);
375 add_hook(&match_function_call, FUNCTION_CALL_HOOK);
376 add_hook(&match_condition, CONDITION_HOOK);
377 add_hook(&match_assign, ASSIGNMENT_HOOK);
378 add_hook(&match_return, RETURN_HOOK);
379 add_hook(&match_end_func, END_FUNC_HOOK);
380 }
Static analysis for C