check_free.c

   1 /*
   2  * Copyright (C) 2010 Dan Carpenter.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17
  18 /*
  19  * check_memory() is getting too big and messy.
  20  *
  21  */
  22
  23 #include "smatch.h"
  24 #include "smatch_slist.h"
  25
  26 static int my_id;
  27
  28 STATE(freed);
  29 STATE(ok);
  30
  31 static void ok_to_use(struct sm_state *sm, struct expression *mod_expr)
  32 {
  33         if (sm->state != &ok)
  34                 set_state(my_id, sm->name, sm->sym, &ok);
  35 }
  36
  37 static int is_freed(struct expression *expr)
  38 {
  39         struct sm_state *sm;
  40
  41         sm = get_sm_state_expr(my_id, expr);
  42         if (sm && slist_has_state(sm->possible, &freed))
  43                 return 1;
  44         return 0;
  45 }
  46
  47 static void match_symbol(struct expression *expr)
  48 {
  49         char *name;
  50
  51         if (!is_freed(expr))
  52                 return;
  53         name = expr_to_var(expr);
  54         sm_msg("warn: '%s' was already freed.", name);
  55         free_string(name);
  56 }
  57
  58 static void match_dereferences(struct expression *expr)
  59 {
  60         char *name;
  61
  62         if (expr->type != EXPR_PREOP)
  63                 return;
  64         expr = strip_expr(expr->unop);
  65
  66         if (!is_freed(expr))
  67                 return;
  68         name = expr_to_var_sym(expr, NULL);
  69         sm_msg("error: dereferencing freed memory '%s'", name);
  70         set_state_expr(my_id, expr, &ok);
  71         free_string(name);
  72 }
  73
  74 static void match_free(const char *fn, struct expression *expr, void *param)
  75 {
  76         struct expression *arg;
  77
  78         arg = get_argument_from_call_expr(expr->args, PTR_INT(param));
  79         if (!arg)
  80                 return;
  81         /* option_spammy already prints a warning here */
  82         if (!option_spammy && is_freed(arg)) {
  83                 char *name = expr_to_var_sym(arg, NULL);
  84
  85                 sm_msg("error: double free of '%s'", name);
  86                 free_string(name);
  87         }
  88         set_state_expr(my_id, arg, &freed);
  89 }
  90
  91 static void set_param_freed(struct expression *arg, char *unused)
  92 {
  93         set_state_expr(my_id, arg, &freed);
  94 }
  95
  96 void check_free(int id)
  97 {
  98         my_id = id;
  99
 100         if (option_project == PROJ_KERNEL) {
 101                 add_function_hook("kfree", &match_free, INT_PTR(0));
 102                 add_function_hook("kmem_cache_free", &match_free, INT_PTR(1));
 103         } else {
 104                 add_function_hook("free", &match_free, INT_PTR(0));
 105         }
 106
 107         if (option_spammy)
 108                 add_hook(&match_symbol, SYM_HOOK);
 109         else
 110                 add_hook(&match_dereferences, DEREF_HOOK);
 111
 112         add_modification_hook(my_id, &ok_to_use);
 113         select_call_implies_hook(PARAM_FREED, &set_param_freed);
 114 }