check_frees_param.c

   1 /*
   2  * sparse/check_frees_param.c
   3  *
   4  * Copyright (C) 2014 Oracle.
   5  *
   6  * Licensed under the Open Software License version 1.1
   7  *
   8  * This file is sort of like check_dereferences_param.c.  In theory the one
   9  * difference should be that the param is NULL it should still be counted as a
  10  * free.  But for now I don't handle that case.
  11  */
  12
  13 #include "smatch.h"
  14 #include "smatch_extra.h"
  15 #include "smatch_slist.h"
  16
  17 static int my_id;
  18
  19 STATE(freed);
  20 STATE(ignore);
  21 STATE(param);
  22
  23 static int is_arg(struct expression *expr)
  24 {
  25         struct symbol *arg;
  26
  27         if (expr->type != EXPR_SYMBOL)
  28                 return 0;
  29
  30         FOR_EACH_PTR(cur_func_sym->ctype.base_type->arguments, arg) {
  31                 if (arg == expr->symbol)
  32                         return 1;
  33         } END_FOR_EACH_PTR(arg);
  34         return 0;
  35 }
  36
  37 static void set_ignore(struct sm_state *sm, struct expression *mod_expr)
  38 {
  39         if (sm->state == &freed)
  40                 return;
  41         set_state(my_id, sm->name, sm->sym, &ignore);
  42 }
  43
  44 static void match_function_def(struct symbol *sym)
  45 {
  46         struct symbol *arg;
  47         int i;
  48
  49         i = -1;
  50         FOR_EACH_PTR(sym->ctype.base_type->arguments, arg) {
  51                 i++;
  52                 if (!arg->ident)
  53                         continue;
  54                 set_state(my_id, arg->ident->name, arg, &param);
  55         } END_FOR_EACH_PTR(arg);
  56 }
  57
  58 static void freed_variable(struct expression *expr)
  59 {
  60         struct sm_state *sm;
  61
  62         expr = strip_expr(expr);
  63         if (!is_arg(expr))
  64                 return;
  65
  66         sm = get_sm_state_expr(my_id, expr);
  67         if (sm && slist_has_state(sm->possible, &ignore))
  68                 return;
  69         set_state_expr(my_id, expr, &freed);
  70 }
  71
  72 static void match_free(const char *fn, struct expression *expr, void *param)
  73 {
  74         struct expression *arg;
  75
  76         arg = get_argument_from_call_expr(expr->args, PTR_INT(param));
  77         if (!arg)
  78                 return;
  79         freed_variable(arg);
  80 }
  81
  82 static void set_param_freed(struct expression *arg, char *unused)
  83 {
  84         freed_variable(arg);
  85 }
  86
  87 static void process_states(struct state_list *slist)
  88 {
  89         struct symbol *arg;
  90         int i;
  91
  92         i = -1;
  93         FOR_EACH_PTR(cur_func_sym->ctype.base_type->arguments, arg) {
  94                 i++;
  95                 if (!arg->ident)
  96                         continue;
  97                 if (get_state_slist(slist, my_id, arg->ident->name, arg) == &freed)
  98                         sql_insert_call_implies(PARAM_FREED, i, 1);
  99         } END_FOR_EACH_PTR(arg);
 100 }
 101
 102 void check_frees_param(int id)
 103 {
 104         my_id = id;
 105
 106         add_hook(&match_function_def, FUNC_DEF_HOOK);
 107
 108         if (option_project == PROJ_KERNEL) {
 109                 add_function_hook("kfree", &match_free, INT_PTR(0));
 110                 add_function_hook("kmem_cache_free", &match_free, INT_PTR(1));
 111         } else {
 112                 add_function_hook("free", &match_free, INT_PTR(0));
 113         }
 114
 115         select_call_implies_hook(PARAM_FREED, &set_param_freed);
 116         add_modification_hook(my_id, &set_ignore);
 117
 118         all_return_states_hook(&process_states);
 119 }