search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[patch 6/many] remove UNDEFINED from last_stmt_val()
[smatch.git] / check_leaks.c
blob4a1e2c78c2fd45d54bc9cd2839dfed9605da7faf
1 /*
2 * sparse/check_memory.c
3 *
4 * Copyright (C) 2008 Dan Carpenter.
5 *
6 * Licensed under the Open Software License version 1.1
7 *
8 */
9
10 #include <fcntl.h>
11 #include <unistd.h>
12 #include "parse.h"
13 #include "smatch.h"
14 #include "smatch_slist.h"
15
16 static int my_id;
17
18 STATE(allocated);
19 STATE(isnull);
20 STATE(freed);
21
22 /*
23 The previous memory leak script found about 3 leaks. Almost all the leaks
24 it found were real though so that has to be said in it's favour.
25
26 The goal of this check is to find a lot more.
27
28 On this check, the plan is to look at return values. If the value is
29 negative we print an error for every local variable that is not freed.
30 */
31
32 static struct tracker_list *arguments;
33
34 static const char *allocation_funcs[] = {
35 "malloc",
36 "kmalloc",
37 "kzalloc",
38 NULL,
39 };
40
41 static int is_argument(struct symbol *sym)
42 {
43 struct tracker *arg;
44
45 FOR_EACH_PTR(arguments, arg) {
46 if (arg->sym == sym)
47 return 1;
48 } END_FOR_EACH_PTR(arg);
49 return 0;
50 }
51
52 static void match_function_def(struct symbol *sym)
53 {
54 struct symbol *arg;
55
56 FOR_EACH_PTR(sym->ctype.base_type->arguments, arg) {
57 add_tracker(&arguments, my_id, (arg->ident?arg->ident->name:"NULL"), arg);
58 } END_FOR_EACH_PTR(arg);
59 }
60
61 static void check_allocated(struct sm_state *sm)
62 {
63 if (slist_has_state(sm->possible, &allocated))
64 sm_msg("warn: '%s' possibly leaked on error path",
65 sm->name);
66 }
67
68 static void check_for_allocated(void)
69 {
70 struct state_list *slist;
71 struct sm_state *tmp;
72
73 slist = get_all_states(my_id);
74 FOR_EACH_PTR(slist, tmp) {
75 check_allocated(tmp);
76 } END_FOR_EACH_PTR(tmp);
77 free_slist(&slist);
78 }
79
80 static void match_allocation(const char *fn, struct expression *expr,
81 void *info)
82 {
83 char *left_name = NULL;
84 struct symbol *left_sym;
85
86 left_name = get_variable_from_expr(expr->left, &left_sym);
87 if (!left_name || !left_sym)
88 goto free;
89 if (is_argument(left_sym))
90 goto free;
91 if (left_sym->ctype.modifiers &
92 (MOD_NONLOCAL | MOD_STATIC | MOD_ADDRESSABLE))
93 goto free;
94 set_state_expr(my_id, expr->left, &allocated);
95 free:
96 free_string(left_name);
97 }
98
99 static void match_free(const char *fn, struct expression *expr, void *data)
100 {
101 struct expression *ptr_expr;
102 long arg_num = PTR_INT(data);
103
104 ptr_expr = get_argument_from_call_expr(expr->args, arg_num);
105 if (!get_state_expr(my_id, ptr_expr))
106 return;
107 set_state_expr(my_id, ptr_expr, &freed);
108 }
109
110 static void check_slist(struct state_list *slist, const char *skip_name,
111 struct symbol *skip_sym)
112 {
113 struct sm_state *sm;
114 struct sm_state *poss;
115
116 FOR_EACH_PTR(slist, sm) {
117 if (sm->owner != my_id)
118 continue;
119 if (sm->sym == skip_sym && !strcmp(sm->name, skip_name))
120 continue;
121 FOR_EACH_PTR(sm->possible, poss) {
122 if (poss->state == &allocated)
123 sm_msg("warn: '%s' possibly leaked on error"
124 " path (implied from line %d)",
125 sm->name, poss->line);
126 } END_FOR_EACH_PTR(poss);
127 } END_FOR_EACH_PTR(sm);
128 }
129
130 static void do_implication_check(struct expression *expr, const char *skip_name,
131 struct symbol *skip_sym)
132 {
133 struct state_list *lt_zero = NULL;
134 struct state_list *ge_zero = NULL;
135 char *name;
136 struct symbol *sym;
137
138 name = get_variable_from_expr(expr, &sym);
139 if (!name || !sym)
140 goto free;
141 get_implications(name, sym, '<', 0, &lt_zero, &ge_zero);
142 check_slist(lt_zero, skip_name, skip_sym);
143 free:
144 free_slist(&ge_zero);
145 free_slist(&lt_zero);
146 free_string(name);
147 }
148
149 static void match_return(struct expression *ret_value)
150 {
151 int ret_val;
152 char *skip_name;
153 struct symbol *skip_sym;
154
155 ret_val = get_value(ret_value);
156 skip_name = get_variable_from_expr(ret_value, &skip_sym);
157 if (ret_val == UNDEFINED) {
158 do_implication_check(ret_value, skip_name, skip_sym);
159 return;
160 }
161 if (ret_val >= 0)
162 return;
163 check_for_allocated();
164 }
165
166 static void set_old_true_false_paths(struct expression *expr)
167 {
168 if (!get_state_expr(my_id, expr))
169 return;
170 set_true_false_states_expr(my_id, expr, &allocated, &isnull);
171 }
172
173 static void match_condition(struct expression *expr)
174 {
175 expr = strip_expr(expr);
176 switch(expr->type) {
177 case EXPR_PREOP:
178 case EXPR_SYMBOL:
179 case EXPR_DEREF:
180 set_old_true_false_paths(expr);
181 return;
182 case EXPR_ASSIGNMENT:
183 match_condition(expr->left);
184 return;
185 default:
186 return;
187 }
188 }
189
190 static void match_end_func(struct symbol *sym)
191 {
192 free_trackers_and_list(&arguments);
193 }
194
195 static void register_free_funcs(void)
196 {
197 struct token *token;
198 const char *func;
199 int arg;
200
201 token = get_tokens_file("kernel.frees_argument");
202 if (!token)
203 return;
204 if (token_type(token) != TOKEN_STREAMBEGIN)
205 return;
206 token = token->next;
207 while (token_type(token) != TOKEN_STREAMEND) {
208 if (token_type(token) != TOKEN_IDENT)
209 return;
210 func = show_ident(token->ident);
211 token = token->next;
212 if (token_type(token) != TOKEN_NUMBER)
213 return;
214 arg = atoi(token->number);
215 add_function_hook(func, &match_free, INT_PTR(arg));
216 token = token->next;
217 }
218 clear_token_alloc();
219 }
220
221 static void register_put_funcs(void)
222 {
223 struct token *token;
224 const char *func;
225 int arg;
226
227 token = get_tokens_file("kernel.puts_argument");
228 if (!token)
229 return;
230 if (token_type(token) != TOKEN_STREAMBEGIN)
231 return;
232 token = token->next;
233 while (token_type(token) != TOKEN_STREAMEND) {
234 if (token_type(token) != TOKEN_IDENT)
235 return;
236 func = show_ident(token->ident);
237 token = token->next;
238 if (token_type(token) != TOKEN_NUMBER)
239 return;
240 arg = atoi(token->number);
241 add_function_hook(func, &match_free, INT_PTR(arg));
242 token = token->next;
243 }
244 clear_token_alloc();
245 }
246
247 static void register_allocation_funcs(void)
248 {
249 struct token *token;
250 const char *func;
251
252 token = get_tokens_file("kernel.allocation_funcs");
253 if (!token)
254 return;
255 if (token_type(token) != TOKEN_STREAMBEGIN)
256 return;
257 token = token->next;
258 while (token_type(token) != TOKEN_STREAMEND) {
259 if (token_type(token) != TOKEN_IDENT)
260 return;
261 func = show_ident(token->ident);
262 add_function_assign_hook(func, &match_allocation, NULL);
263 token = token->next;
264 }
265 clear_token_alloc();
266 }
267
268 void check_leaks(int id)
269 {
270 int i;
271
272 if (!option_spammy)
273 return;
274
275 my_id = id;
276 set_default_state(my_id, &undefined);
277 add_hook(&match_function_def, FUNC_DEF_HOOK);
278 add_hook(&match_condition, CONDITION_HOOK);
279 add_hook(&match_return, RETURN_HOOK);
280 add_hook(&match_end_func, END_FUNC_HOOK);
281 if (option_project == PROJ_KERNEL)
282 add_function_hook("kfree", &match_free, (void *)0);
283 else
284 add_function_hook("free", &match_free, (void *)0);
285 register_free_funcs();
286 register_put_funcs();
287 for(i = 0; allocation_funcs[i]; i++) {
288 add_function_assign_hook(allocation_funcs[i],
289 &match_allocation, NULL);
290 }
291 register_allocation_funcs();
292 }
Static analysis for C