11f5207bJohn Levon/*
21f5207bJohn Levon * Copyright (C) 2010 Dan Carpenter.
31f5207bJohn Levon *
41f5207bJohn Levon * This program is free software; you can redistribute it and/or
51f5207bJohn Levon * modify it under the terms of the GNU General Public License
61f5207bJohn Levon * as published by the Free Software Foundation; either version 2
71f5207bJohn Levon * of the License, or (at your option) any later version.
81f5207bJohn Levon *
91f5207bJohn Levon * This program is distributed in the hope that it will be useful,
101f5207bJohn Levon * but WITHOUT ANY WARRANTY; without even the implied warranty of
121f5207bJohn Levon * GNU General Public License for more details.
131f5207bJohn Levon *
141f5207bJohn Levon * You should have received a copy of the GNU General Public License
151f5207bJohn Levon * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
161f5207bJohn Levon */
171f5207bJohn Levon
181f5207bJohn Levon/*
191f5207bJohn Levon * check_memory() is getting too big and messy.
201f5207bJohn Levon *
211f5207bJohn Levon */
221f5207bJohn Levon
231f5207bJohn Levon#include <string.h>
241f5207bJohn Levon#include "smatch.h"
251f5207bJohn Levon#include "smatch_slist.h"
261f5207bJohn Levon#include "smatch_extra.h"
271f5207bJohn Levon
281f5207bJohn Levonstatic int my_id;
291f5207bJohn Levon
301f5207bJohn LevonSTATE(freed);
311f5207bJohn LevonSTATE(ok);
321f5207bJohn Levon
331f5207bJohn Levonstatic void ok_to_use(struct sm_state *sm, struct expression *mod_expr)
341f5207bJohn Levon{
351f5207bJohn Levon	if (sm->state != &ok)
361f5207bJohn Levon		set_state(my_id, sm->name, sm->sym, &ok);
371f5207bJohn Levon}
381f5207bJohn Levon
39c85f09cJohn Levonstatic void pre_merge_hook(struct sm_state *cur, struct sm_state *other)
401f5207bJohn Levon{
411f5207bJohn Levon	if (is_impossible_path())
42c85f09cJohn Levon		set_state(my_id, cur->name, cur->sym, &ok);
43c85f09cJohn Levon}
44c85f09cJohn Levon
45c85f09cJohn Levonstatic struct smatch_state *unmatched_state(struct sm_state *sm)
46c85f09cJohn Levon{
47c85f09cJohn Levon	struct smatch_state *state;
48c85f09cJohn Levon	sval_t sval;
49c85f09cJohn Levon
50c85f09cJohn Levon	if (sm->state != &freed)
51c85f09cJohn Levon		return &undefined;
52c85f09cJohn Levon
53c85f09cJohn Levon	state = get_state(SMATCH_EXTRA, sm->name, sm->sym);
54c85f09cJohn Levon	if (!state)
55c85f09cJohn Levon		return &undefined;
56c85f09cJohn Levon	if (!estate_get_single_value(state, &sval) || sval.value != 0)
57c85f09cJohn Levon		return &undefined;
58c85f09cJohn Levon	/* It makes it easier to consider NULL pointers as freed.  */
59c85f09cJohn Levon	return &freed;
601f5207bJohn Levon}
611f5207bJohn Levon
621f5207bJohn Levonstatic int is_freed(struct expression *expr)
631f5207bJohn Levon{
641f5207bJohn Levon	struct sm_state *sm;
651f5207bJohn Levon
661f5207bJohn Levon	sm = get_sm_state_expr(my_id, expr);
671f5207bJohn Levon	if (sm && slist_has_state(sm->possible, &freed))
681f5207bJohn Levon		return 1;
691f5207bJohn Levon	return 0;
701f5207bJohn Levon}
711f5207bJohn Levon
721f5207bJohn Levonstatic void match_symbol(struct expression *expr)
731f5207bJohn Levon{
741f5207bJohn Levon	struct expression *parent;
751f5207bJohn Levon	char *name;
761f5207bJohn Levon
771f5207bJohn Levon	if (is_impossible_path())
781f5207bJohn Levon		return;
791f5207bJohn Levon	if (__in_fake_parameter_assign)
801f5207bJohn Levon		return;
811f5207bJohn Levon
821f5207bJohn Levon	parent = expr_get_parent_expr(expr);
831f5207bJohn Levon	while (parent && parent->type == EXPR_PREOP && parent->op == '(')
841f5207bJohn Levon		parent = expr_get_parent_expr(parent);
851f5207bJohn Levon	if (parent && parent->type == EXPR_PREOP && parent->op == '&')
861f5207bJohn Levon		return;
871f5207bJohn Levon
881f5207bJohn Levon	if (!is_freed(expr))
891f5207bJohn Levon		return;
901f5207bJohn Levon	name = expr_to_var(expr);
911f5207bJohn Levon	sm_warning("'%s' was already freed.", name);
921f5207bJohn Levon	free_string(name);
931f5207bJohn Levon}
941f5207bJohn Levon
951f5207bJohn Levonstatic void match_dereferences(struct expression *expr)
961f5207bJohn Levon{
971f5207bJohn Levon	char *name;
981f5207bJohn Levon
991f5207bJohn Levon	if (expr->type != EXPR_PREOP)
1001f5207bJohn Levon		return;
1011f5207bJohn Levon
1021f5207bJohn Levon	if (is_impossible_path())
1031f5207bJohn Levon		return;
1041f5207bJohn Levon	if (__in_fake_parameter_assign)
1051f5207bJohn Levon		return;
1061f5207bJohn Levon
1071f5207bJohn Levon	expr = strip_expr(expr->unop);
1081f5207bJohn Levon	if (!is_freed(expr))
1091f5207bJohn Levon		return;
1101f5207bJohn Levon	name = expr_to_var(expr);
1111f5207bJohn Levon	sm_error("dereferencing freed memory '%s'", name);
1121f5207bJohn Levon	set_state_expr(my_id, expr, &ok);
1131f5207bJohn Levon	free_string(name);
1141f5207bJohn Levon}
1151f5207bJohn Levon
1161f5207bJohn Levonstatic int ignored_params[16];
1171f5207bJohn Levon
1181f5207bJohn Levonstatic void set_ignored_params(struct expression *call)
1191f5207bJohn Levon{
1201f5207bJohn Levon	struct expression *arg;
1211f5207bJohn Levon	const char *p;
1221f5207bJohn Levon	int i;
1231f5207bJohn Levon
1241f5207bJohn Levon	memset(&ignored_params, 0, sizeof(ignored_params));
1251f5207bJohn Levon
1261f5207bJohn Levon	i = -1;
1271f5207bJohn Levon	FOR_EACH_PTR(call->args, arg) {
1281f5207bJohn Levon		i++;
1291f5207bJohn Levon		if (arg->type != EXPR_STRING)
1301f5207bJohn Levon			continue;
1311f5207bJohn Levon		goto found;
1321f5207bJohn Levon	} END_FOR_EACH_PTR(arg);
1331f5207bJohn Levon
1341f5207bJohn Levon	return;
1351f5207bJohn Levon
1361f5207bJohn Levonfound:
1371f5207bJohn Levon	i++;
1381f5207bJohn Levon	p = arg->string->data;
1391f5207bJohn Levon	while ((p = strchr(p, '%'))) {
1401f5207bJohn Levon		if (i >= ARRAY_SIZE(ignored_params))
1411f5207bJohn Levon			return;
1421f5207bJohn Levon		p++;
1431f5207bJohn Levon		if (*p == '%') {
1441f5207bJohn Levon			p++;
1451f5207bJohn Levon			continue;
1461f5207bJohn Levon		}
1471f5207bJohn Levon		if (*p == '.')
1481f5207bJohn Levon			p++;
1491f5207bJohn Levon		if (*p == '*')
1501f5207bJohn Levon			i++;
1511f5207bJohn Levon		if (*p == 'p')
1521f5207bJohn Levon			ignored_params[i] = 1;
1531f5207bJohn Levon		i++;
1541f5207bJohn Levon	}
1551f5207bJohn Levon}
1561f5207bJohn Levon
1571f5207bJohn Levonstatic int is_free_func(struct expression *fn)
1581f5207bJohn Levon{
1591f5207bJohn Levon	char *name;
1601f5207bJohn Levon	int ret = 0;
1611f5207bJohn Levon
1621f5207bJohn Levon	name = expr_to_str(fn);
1631f5207bJohn Levon	if (!name)
1641f5207bJohn Levon		return 0;
1651f5207bJohn Levon	if (strstr(name, "free"))
1661f5207bJohn Levon		ret = 1;
1671f5207bJohn Levon	free_string(name);
1681f5207bJohn Levon
1691f5207bJohn Levon	return ret;
1701f5207bJohn Levon}
1711f5207bJohn Levon
1721f5207bJohn Levonstatic void match_call(struct expression *expr)
1731f5207bJohn Levon{
1741f5207bJohn Levon	struct expression *arg;
1751f5207bJohn Levon	char *name;
1761f5207bJohn Levon	int i;
1771f5207bJohn Levon
1781f5207bJohn Levon	if (is_impossible_path())
1791f5207bJohn Levon		return;
1801f5207bJohn Levon
1811f5207bJohn Levon	set_ignored_params(expr);
1821f5207bJohn Levon
1831f5207bJohn Levon	i = -1;
1841f5207bJohn Levon	FOR_EACH_PTR(expr->args, arg) {
1851f5207bJohn Levon		i++;
1861f5207bJohn Levon		if (!is_pointer(arg))
1871f5207bJohn Levon			continue;
1881f5207bJohn Levon		if (!is_freed(arg))
1891f5207bJohn Levon			continue;
1901f5207bJohn Levon		if (ignored_params[i])
1911f5207bJohn Levon			continue;
1921f5207bJohn Levon
1931f5207bJohn Levon		name = expr_to_var(arg);
1941f5207bJohn Levon		if (is_free_func(expr->fn))
1951f5207bJohn Levon			sm_error("double free of '%s'", name);
1961f5207bJohn Levon		else
1971f5207bJohn Levon			sm_warning("passing freed memory '%s'", name);
1981f5207bJohn Levon		set_state_expr(my_id, arg, &ok);
1991f5207bJohn Levon		free_string(name);
2001f5207bJohn Levon	} END_FOR_EACH_PTR(arg);
2011f5207bJohn Levon}
2021f5207bJohn Levon
2031f5207bJohn Levonstatic void match_return(struct expression *expr)
2041f5207bJohn Levon{
2051f5207bJohn Levon	char *name;
2061f5207bJohn Levon
2071f5207bJohn Levon	if (is_impossible_path())
2081f5207bJohn Levon		return;
2091f5207bJohn Levon
2101f5207bJohn Levon	if (!expr)
2111f5207bJohn Levon		return;
2121f5207bJohn Levon	if (!is_freed(expr))
2131f5207bJohn Levon		return;
2141f5207bJohn Levon
2151f5207bJohn Levon	name = expr_to_var(expr);
2161f5207bJohn Levon	sm_warning("returning freed memory '%s'", name);
2171f5207bJohn Levon	set_state_expr(my_id, expr, &ok);
2181f5207bJohn Levon	free_string(name);
2191f5207bJohn Levon}
2201f5207bJohn Levon
2211f5207bJohn Levonstatic void match_free(const char *fn, struct expression *expr, void *param)
2221f5207bJohn Levon{
2231f5207bJohn Levon	struct expression *arg;
2241f5207bJohn Levon
2251f5207bJohn Levon	if (is_impossible_path())
2261f5207bJohn Levon		return;
2271f5207bJohn Levon
2281f5207bJohn Levon	arg = get_argument_from_call_expr(expr->args, PTR_INT(param));
2291f5207bJohn Levon	if (!arg)
2301f5207bJohn Levon		return;
2311f5207bJohn Levon	if (is_freed(arg)) {
2321f5207bJohn Levon		char *name = expr_to_var(arg);
2331f5207bJohn Levon
2341f5207bJohn Levon		sm_error("double free of '%s'", name);
2351f5207bJohn Levon		free_string(name);
2361f5207bJohn Levon	}
2371f5207bJohn Levon	set_state_expr(my_id, arg, &freed);
2381f5207bJohn Levon}
2391f5207bJohn Levon
2401f5207bJohn Levonstatic void set_param_freed(struct expression *expr, int param, char *key, char *value)
2411f5207bJohn Levon{
2421f5207bJohn Levon	struct expression *arg;
2431f5207bJohn Levon	char *name;
2441f5207bJohn Levon	struct symbol *sym;
2451f5207bJohn Levon	struct sm_state *sm;
2461f5207bJohn Levon
2471f5207bJohn Levon	while (expr->type == EXPR_ASSIGNMENT)
2481f5207bJohn Levon		expr = strip_expr(expr->right);
2491f5207bJohn Levon	if (expr->type != EXPR_CALL)
2501f5207bJohn Levon		return;
2511f5207bJohn Levon
2521f5207bJohn Levon	arg = get_argument_from_call_expr(expr->args, param);
2531f5207bJohn Levon	if (!arg)
2541f5207bJohn Levon		return;
2551f5207bJohn Levon	name = get_variable_from_key(arg, key, &sym);
2561f5207bJohn Levon	if (!name || !sym)
2571f5207bJohn Levon		goto free;
2581f5207bJohn Levon
2591f5207bJohn Levon	if (!is_impossible_path()) {
2601f5207bJohn Levon		sm = get_sm_state(my_id, name, sym);
2611f5207bJohn Levon		if (sm && slist_has_state(sm->possible, &freed)) {
2621f5207bJohn Levon			sm_warning("'%s' double freed", name);
2631f5207bJohn Levon			set_state(my_id, name, sym, &ok);  /* fixme: doesn't silence anything.  I know */
2641f5207bJohn Levon		}
2651f5207bJohn Levon	}
2661f5207bJohn Levon
2671f5207bJohn Levon	set_state(my_id, name, sym, &freed);
2681f5207bJohn Levonfree:
2691f5207bJohn Levon	free_string(name);
2701f5207bJohn Levon}
2711f5207bJohn Levon
2721f5207bJohn Levonint parent_is_free_var_sym_strict(const char *name, struct symbol *sym)
2731f5207bJohn Levon{
2741f5207bJohn Levon	char buf[256];
2751f5207bJohn Levon	char *start;
2761f5207bJohn Levon	char *end;
2771f5207bJohn Levon	struct smatch_state *state;
2781f5207bJohn Levon
2791f5207bJohn Levon	strncpy(buf, name, sizeof(buf) - 1);
2801f5207bJohn Levon	buf[sizeof(buf) - 1] = '\0';
2811f5207bJohn Levon
2821f5207bJohn Levon	start = &buf[0];
2831f5207bJohn Levon	while ((*start == '&'))
2841f5207bJohn Levon		start++;
2851f5207bJohn Levon
2861f5207bJohn Levon	while ((end = strrchr(start, '-'))) {
2871f5207bJohn Levon		*end = '\0';
2881f5207bJohn Levon		state = __get_state(my_id, start, sym);
2891f5207bJohn Levon		if (state == &freed)
2901f5207bJohn Levon			return 1;
2911f5207bJohn Levon	}
2921f5207bJohn Levon	return 0;
2931f5207bJohn Levon}
2941f5207bJohn Levon
2951f5207bJohn Levonint parent_is_free_strict(struct expression *expr)
2961f5207bJohn Levon{
2971f5207bJohn Levon	struct symbol *sym;
2981f5207bJohn Levon	char *var;
2991f5207bJohn Levon	int ret = 0;
3001f5207bJohn Levon
3011f5207bJohn Levon	expr = strip_expr(expr);
3021f5207bJohn Levon	var = expr_to_var_sym(expr, &sym);
3031f5207bJohn Levon	if (!var || !sym)
3041f5207bJohn Levon		goto free;
3051f5207bJohn Levon	ret = parent_is_free_var_sym_strict(var, sym);
3061f5207bJohn Levonfree:
3071f5207bJohn Levon	free_string(var);
3081f5207bJohn Levon	return ret;
3091f5207bJohn Levon}
3101f5207bJohn Levon
311efe51d0John Levonstatic void match_untracked(struct expression *call, int param)
312efe51d0John Levon{
313efe51d0John Levon	struct state_list *slist = NULL;
314efe51d0John Levon	struct expression *arg;
315efe51d0John Levon	struct sm_state *sm;
316efe51d0John Levon	char *name;
317efe51d0John Levon	char buf[64];
318efe51d0John Levon	int len;
319efe51d0John Levon
320efe51d0John Levon	arg = get_argument_from_call_expr(call->args, param);
321efe51d0John Levon	if (!arg)
322efe51d0John Levon		return;
323efe51d0John Levon
324efe51d0John Levon	name = expr_to_var(arg);
325efe51d0John Levon	if (!name)
326efe51d0John Levon		return;
327efe51d0John Levon	snprintf(buf, sizeof(buf), "%s->", name);
328efe51d0John Levon	free_string(name);
329efe51d0John Levon	len = strlen(buf);
330efe51d0John Levon
331efe51d0John Levon	FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
332efe51d0John Levon		if (strncmp(sm->name, buf, len) == 0)
333efe51d0John Levon			add_ptr_list(&slist, sm);
334efe51d0John Levon	} END_FOR_EACH_SM(sm);
335efe51d0John Levon
336efe51d0John Levon	FOR_EACH_PTR(slist, sm) {
337efe51d0John Levon		set_state(sm->owner, sm->name, sm->sym, &ok);
338efe51d0John Levon	} END_FOR_EACH_PTR(sm);
339efe51d0John Levon
340efe51d0John Levon	free_slist(&slist);
341efe51d0John Levon}
342efe51d0John Levon
3431f5207bJohn Levonvoid check_free_strict(int id)
3441f5207bJohn Levon{
3451f5207bJohn Levon	my_id = id;
3461f5207bJohn Levon
3471f5207bJohn Levon	if (option_project != PROJ_KERNEL)
3481f5207bJohn Levon		return;
3491f5207bJohn Levon
3501f5207bJohn Levon	add_function_hook("kfree", &match_free, INT_PTR(0));
3511f5207bJohn Levon	add_function_hook("kmem_cache_free", &match_free, INT_PTR(1));
3521f5207bJohn Levon
3531f5207bJohn Levon	if (option_spammy)
3541f5207bJohn Levon		add_hook(&match_symbol, SYM_HOOK);
3551f5207bJohn Levon	add_hook(&match_dereferences, DEREF_HOOK);
3561f5207bJohn Levon	add_hook(&match_call, FUNCTION_CALL_HOOK);
3571f5207bJohn Levon	add_hook(&match_return, RETURN_HOOK);
3581f5207bJohn Levon
3591f5207bJohn Levon	add_modification_hook_late(my_id, &ok_to_use);
3601f5207bJohn Levon	add_pre_merge_hook(my_id, &pre_merge_hook);
361c85f09cJohn Levon	add_unmatched_state_hook(my_id, &unmatched_state);
3621f5207bJohn Levon
3631f5207bJohn Levon	select_return_states_hook(PARAM_FREED, &set_param_freed);
364efe51d0John Levon	add_untracked_param_hook(&match_untracked);
3651f5207bJohn Levon}