check_leaks.c

   1 /*
   2  * Copyright (C) 2010 Dan Carpenter.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17
  18 /*
  19  * The point of this check is to look for leaks.
  20  * foo = malloc();  // <- mark it as allocated.
  21  * A variable becomes &ok if we:
  22  * 1) assign it to another variable.
  23  * 2) pass it to a function.
  24  *
  25  * One complication is dealing with stuff like:
  26  * foo->bar = malloc();
  27  * foo->baz = malloc();
  28  * foo = something();
  29  *
  30  * The work around is that for now what this check only
  31  * checks simple expressions and doesn't check whether
  32  * foo->bar is leaked.
  33  *
  34  */
  35
  36 #include <fcntl.h>
  37 #include <unistd.h>
  38 #include "parse.h"
  39 #include "smatch.h"
  40 #include "smatch_slist.h"
  41
  42 static int my_id;
  43
  44 STATE(allocated);
  45 STATE(ok);
  46
  47 static void set_parent(struct expression *expr, struct smatch_state *state);
  48
  49 static const char *allocation_funcs[] = {
  50         "malloc",
  51         "kmalloc",
  52         "kzalloc",
  53         "kmemdup",
  54 };
  55
  56 static char *alloc_parent_str(struct symbol *sym)
  57 {
  58         static char buf[256];
  59
  60         if (!sym || !sym->ident)
  61                 return NULL;
  62
  63         snprintf(buf, 255, "%s", sym->ident->name);
  64         buf[255] = '\0';
  65         return alloc_string(buf);
  66 }
  67
  68 static char *get_parent_from_expr(struct expression *expr, struct symbol **sym)
  69 {
  70         char *name;
  71
  72         expr = strip_expr(expr);
  73
  74         name = expr_to_str_sym(expr, sym);
  75         free_string(name);
  76         if (!name || !*sym || !(*sym)->ident) {
  77                 *sym = NULL;
  78                 return NULL;
  79         }
  80         return alloc_parent_str(*sym);
  81 }
  82
  83 static int is_local(struct expression *expr)
  84 {
  85         char *name;
  86         struct symbol *sym;
  87         int ret = 0;
  88
  89         name = expr_to_str_sym(expr, &sym);
  90         if (!name || !sym)
  91                 goto out;
  92         if (sym->ctype.modifiers & (MOD_NONLOCAL | MOD_STATIC | MOD_ADDRESSABLE))
  93                 goto out;
  94         ret = 1;
  95 out:
  96         free_string(name);
  97         return ret;
  98 }
  99
 100 static int is_param(struct expression *expr)
 101 {
 102         char *name;
 103         struct symbol *sym;
 104         struct symbol *tmp;
 105         int ret = 0;
 106
 107         name = expr_to_str_sym(expr, &sym);
 108         if (!name || !sym)
 109                 goto out;
 110         FOR_EACH_PTR(cur_func_sym->ctype.base_type->arguments, tmp) {
 111                 if (tmp == sym) {
 112                         ret = 1;
 113                         goto out;
 114                 }
 115         } END_FOR_EACH_PTR(tmp);
 116 out:
 117         free_string(name);
 118         return ret;
 119 }
 120
 121 static void match_alloc(const char *fn, struct expression *expr, void *unused)
 122 {
 123         if (is_fake_var_assign(expr))
 124                 return;
 125         if (!is_local(expr->left))
 126                 return;
 127         if (is_param(expr->left))
 128                 return;
 129         if (has_cleanup(expr->left))
 130                 return;
 131         if (expr->left->type != EXPR_SYMBOL)
 132                 return;
 133         set_state_expr(my_id, expr->left, &allocated);
 134 }
 135
 136 static void match_condition(struct expression *expr)
 137 {
 138         struct sm_state *sm;
 139
 140         expr = strip_expr(expr);
 141
 142         switch (expr->type) {
 143         case EXPR_PREOP:
 144         case EXPR_SYMBOL:
 145         case EXPR_DEREF:
 146                 sm = get_sm_state_expr(my_id, expr);
 147                 if (sm && slist_has_state(sm->possible, &allocated))
 148                         set_true_false_states_expr(my_id, expr, NULL, &ok);
 149                 return;
 150         case EXPR_ASSIGNMENT:
 151                  /* You have to deal with stuff like if (a = b = c) */
 152                 match_condition(expr->left);
 153                 return;
 154         default:
 155                 return;
 156         }
 157 }
 158
 159 static void set_parent(struct expression *expr, struct smatch_state *state)
 160 {
 161         char *name;
 162         struct symbol *sym;
 163
 164         expr = strip_expr(expr);
 165         if (!expr)
 166                 return;
 167         if (expr->type == EXPR_CONDITIONAL ||
 168             expr->type == EXPR_SELECT) {
 169                 set_parent(expr->cond_true, state);
 170                 set_parent(expr->cond_false, state);
 171                 return;
 172         }
 173
 174         name = get_parent_from_expr(expr, &sym);
 175         if (!name || !sym)
 176                 goto free;
 177         if (state == &ok && !get_state(my_id, name, sym))
 178                 goto free;
 179         set_state(my_id, name, sym, state);
 180 free:
 181         free_string(name);
 182 }
 183
 184 static void match_function_call(struct expression *expr)
 185 {
 186         struct expression *tmp;
 187
 188         FOR_EACH_PTR(expr->args, tmp) {
 189                 set_parent(tmp, &ok);
 190         } END_FOR_EACH_PTR(tmp);
 191 }
 192
 193 static void warn_if_allocated(struct expression *expr)
 194 {
 195         struct sm_state *sm;
 196         char *name;
 197         sval_t sval;
 198
 199         sm = get_sm_state_expr(my_id, expr);
 200         if (!sm)
 201                 return;
 202         if (!slist_has_state(sm->possible, &allocated))
 203                 return;
 204
 205         if (get_implied_value(expr, &sval) && sval.value == 0)
 206                 return;
 207
 208         name = expr_to_var(expr);
 209         sm_warning("overwrite may leak '%s'", name);
 210         free_string(name);
 211
 212         /* silence further warnings */
 213         set_state_expr(my_id, expr, &ok);
 214 }
 215
 216 static void match_assign(struct expression *expr)
 217 {
 218         struct expression *right;
 219
 220         right = expr->right;
 221
 222         while (right->type == EXPR_ASSIGNMENT)
 223                 right = right->left;
 224
 225         warn_if_allocated(expr->left);
 226         set_parent(right, &ok);
 227 }
 228
 229 static void check_for_allocated(void)
 230 {
 231         struct stree *stree;
 232         struct sm_state *tmp;
 233
 234         stree = __get_cur_stree();
 235         FOR_EACH_MY_SM(my_id, stree, tmp) {
 236                 if (!slist_has_state(tmp->possible, &allocated))
 237                         continue;
 238                 sm_warning("possible memory leak of '%s'", tmp->name);
 239         } END_FOR_EACH_SM(tmp);
 240 }
 241
 242 static void match_return(struct expression *ret_value)
 243 {
 244         if (__inline_fn)
 245                 return;
 246         set_parent(ret_value, &ok);
 247         check_for_allocated();
 248 }
 249
 250 static void match_end_func(struct symbol *sym)
 251 {
 252         if (__inline_fn)
 253                 return;
 254         check_for_allocated();
 255 }
 256
 257 void check_leaks(int id)
 258 {
 259         int i;
 260
 261         my_id = id;
 262
 263         for (i = 0; i < ARRAY_SIZE(allocation_funcs); i++)
 264                 add_function_assign_hook(allocation_funcs[i], &match_alloc, NULL);
 265
 266         add_hook(&match_condition, CONDITION_HOOK);
 267
 268         add_hook(&match_function_call, FUNCTION_CALL_HOOK);
 269         add_hook(&match_assign, ASSIGNMENT_HOOK);
 270
 271         add_hook(&match_return, RETURN_HOOK);
 272         add_hook(&match_end_func, END_FUNC_HOOK);
 273 }