llvm-project/clang/test/Analysis/kmalloc-linux.c

// RUN: %clang_analyze_cc1 -triple x86_64-unknown-linux %s -verify \
// RUN:   -Wno-incompatible-library-redeclaration \
// RUN:   -analyzer-checker=core \
// RUN:   -analyzer-checker=unix.Malloc

#define __GFP_ZERO 0x8000
#define NULL ((void *)0)

typedef __typeof(sizeof(int)) size_t;

void *kmalloc(size_t, int);
void kfree(void *);

struct test {
};

void foo(struct test *);

void test_zeroed() {
  struct test **list, *t;
  int i;

  list = kmalloc(sizeof(*list) * 10, __GFP_ZERO);
  if (list == NULL)
    return;

  for (i = 0; i < 10; i++) {
    t = list[i];
    foo(t);
  }
  kfree(list); // no-warning
}

void test_nonzero() {
  struct test **list, *t;
  int i;

  list = kmalloc(sizeof(*list) * 10, 0);
  if (list == NULL)
    return;

  for (i = 0; i < 10; i++) {
    t = list[i]; // expected-warning{{undefined}}
    foo(t);
  }
  kfree(list);
}

void test_indeterminate(int flags) {
  struct test **list, *t;
  int i;

  list = kmalloc(sizeof(*list) * 10, flags);
  if (list == NULL)
    return;

  for (i = 0; i < 10; i++) {
    t = list[i]; // expected-warning{{undefined}}
    foo(t);
  }
  kfree(list);
}

typedef unsigned long long uint64_t;

struct malloc_type;

// 3 parameter malloc:
// https://www.freebsd.org/cgi/man.cgi?query=malloc&sektion=9
void *malloc(unsigned long size, struct malloc_type *mtp, int flags);

void test_3arg_malloc(struct malloc_type *mtp) {
  struct test **list, *t;
  int i;

  list = malloc(sizeof(*list) * 10, mtp, __GFP_ZERO);
  if (list == NULL)
    return;

  for (i = 0; i < 10; i++) {
    t = list[i];
    foo(t);
  }
  kfree(list); // no-warning
}

void test_3arg_malloc_nonzero(struct malloc_type *mtp) {
  struct test **list, *t;
  int i;

  list = malloc(sizeof(*list) * 10, mtp, 0);
  if (list == NULL)
    return;

  for (i = 0; i < 10; i++) {
    t = list[i]; // expected-warning{{undefined}}
    foo(t);
  }
  kfree(list);
}

void test_3arg_malloc_indeterminate(struct malloc_type *mtp, int flags) {
  struct test **list, *t;
  int i;

  list = malloc(sizeof(*list) * 10, mtp, flags);
  if (list == NULL)
    return;

  for (i = 0; i < 10; i++) {
    t = list[i]; // expected-warning{{undefined}}
    foo(t);
  }
  kfree(list);
}

void test_3arg_malloc_leak(struct malloc_type *mtp, int flags) {
  struct test **list;

  list = malloc(sizeof(*list) * 10, mtp, flags);
  if (list == NULL)
    return;
} // expected-warning{{Potential leak of memory pointed to by 'list'}}

// kmalloc can return a constant value defined in ZERO_SIZE_PTR
// if a block of size 0 is requested
#define ZERO_SIZE_PTR ((void *)16)

void test_kfree_ZERO_SIZE_PTR() {
  void *ptr = ZERO_SIZE_PTR;
  kfree(ptr); // no warning about freeing this value
}

void test_kfree_other_constant_value() {
  void *ptr = (void *)1;
  kfree(ptr); // expected-warning{{Argument to kfree() is a constant address (1)}}
}
[analyzer][MallocChecker] Fix that kfree only takes a single argument Exactly what it says on the tin! https://www.kernel.org/doc/htmldocs/kernel-api/API-kfree.html Differential Revision: https://reviews.llvm.org/D76917 2020-03-27 19:35:08 +08:00			`// RUN: %clang_analyze_cc1 -triple x86_64-unknown-linux %s -verify \`
			`// RUN: -Wno-incompatible-library-redeclaration \`
			`// RUN: -analyzer-checker=core \`
			`// RUN: -analyzer-checker=unix.Malloc`
[analyzer] Handle the M_ZERO and __GFP_ZERO flags in kernel mallocs. Add M_ZERO awareness to malloc() static analysis in Clang for FreeBSD, NetBSD, and OpenBSD in a similar fashion to O_CREAT for open(2). These systems have a three-argument malloc() in the kernel where the third argument contains flags; the M_ZERO flag will zero-initialize the allocated buffer. This should reduce the number of false positives when running static analysis on BSD kernels. Additionally, add kmalloc() (Linux kernel malloc()) and treat __GFP_ZERO like M_ZERO on Linux. Future work involves a better method of checking for named flags without hardcoding values. Patch by Conrad Meyer, with minor modifications by me. llvm-svn: 204832 2014-03-27 01:05:46 +08:00
			`#define __GFP_ZERO 0x8000`
			`#define NULL ((void *)0)`

[analyzer][MallocChecker][NFC] Change the use of IdentifierInfo* to CallDescription Exactly what it says on the tin! I decided not to merge this with the patch that changes all these to a CallDescriptionMap object, so the patch is that much more trivial. Differential Revision: https://reviews.llvm.org/D68163 2019-09-20 17:01:45 +08:00			`typedef __typeof(sizeof(int)) size_t;`

[analyzer] Handle the M_ZERO and __GFP_ZERO flags in kernel mallocs. Add M_ZERO awareness to malloc() static analysis in Clang for FreeBSD, NetBSD, and OpenBSD in a similar fashion to O_CREAT for open(2). These systems have a three-argument malloc() in the kernel where the third argument contains flags; the M_ZERO flag will zero-initialize the allocated buffer. This should reduce the number of false positives when running static analysis on BSD kernels. Additionally, add kmalloc() (Linux kernel malloc()) and treat __GFP_ZERO like M_ZERO on Linux. Future work involves a better method of checking for named flags without hardcoding values. Patch by Conrad Meyer, with minor modifications by me. llvm-svn: 204832 2014-03-27 01:05:46 +08:00			`void *kmalloc(size_t, int);`
[analyzer][MallocChecker] Fix that kfree only takes a single argument Exactly what it says on the tin! https://www.kernel.org/doc/htmldocs/kernel-api/API-kfree.html Differential Revision: https://reviews.llvm.org/D76917 2020-03-27 19:35:08 +08:00			`void kfree(void *);`
[analyzer] Handle the M_ZERO and __GFP_ZERO flags in kernel mallocs. Add M_ZERO awareness to malloc() static analysis in Clang for FreeBSD, NetBSD, and OpenBSD in a similar fashion to O_CREAT for open(2). These systems have a three-argument malloc() in the kernel where the third argument contains flags; the M_ZERO flag will zero-initialize the allocated buffer. This should reduce the number of false positives when running static analysis on BSD kernels. Additionally, add kmalloc() (Linux kernel malloc()) and treat __GFP_ZERO like M_ZERO on Linux. Future work involves a better method of checking for named flags without hardcoding values. Patch by Conrad Meyer, with minor modifications by me. llvm-svn: 204832 2014-03-27 01:05:46 +08:00
			`struct test {`
			`};`

			`void foo(struct test *);`

			`void test_zeroed() {`
			`struct test *list, t;`
			`int i;`

			`list = kmalloc(sizeof(list) 10, __GFP_ZERO);`
			`if (list == NULL)`
			`return;`

			`for (i = 0; i < 10; i++) {`
			`t = list[i];`
			`foo(t);`
			`}`
[analyzer] Support kfree in MallocChecker Summary: kmalloc is freed with kfree in the linux kernel. kmalloc support was added in r204832, but kfree was not. Adding kfree fixes incorrectly detected memory leaks. Reviewers: NoQ, nickdesaulniers, dcoughlin, Szelethus Reviewed By: NoQ, Szelethus Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D64030 llvm-svn: 364875 2019-07-02 07:29:10 +08:00			`kfree(list); // no-warning`
[analyzer] Handle the M_ZERO and __GFP_ZERO flags in kernel mallocs. Add M_ZERO awareness to malloc() static analysis in Clang for FreeBSD, NetBSD, and OpenBSD in a similar fashion to O_CREAT for open(2). These systems have a three-argument malloc() in the kernel where the third argument contains flags; the M_ZERO flag will zero-initialize the allocated buffer. This should reduce the number of false positives when running static analysis on BSD kernels. Additionally, add kmalloc() (Linux kernel malloc()) and treat __GFP_ZERO like M_ZERO on Linux. Future work involves a better method of checking for named flags without hardcoding values. Patch by Conrad Meyer, with minor modifications by me. llvm-svn: 204832 2014-03-27 01:05:46 +08:00			`}`

			`void test_nonzero() {`
			`struct test *list, t;`
			`int i;`

			`list = kmalloc(sizeof(list) 10, 0);`
			`if (list == NULL)`
			`return;`

			`for (i = 0; i < 10; i++) {`
			`t = list[i]; // expected-warning{{undefined}}`
			`foo(t);`
			`}`
[analyzer] Support kfree in MallocChecker Summary: kmalloc is freed with kfree in the linux kernel. kmalloc support was added in r204832, but kfree was not. Adding kfree fixes incorrectly detected memory leaks. Reviewers: NoQ, nickdesaulniers, dcoughlin, Szelethus Reviewed By: NoQ, Szelethus Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D64030 llvm-svn: 364875 2019-07-02 07:29:10 +08:00			`kfree(list);`
[analyzer] Handle the M_ZERO and __GFP_ZERO flags in kernel mallocs. Add M_ZERO awareness to malloc() static analysis in Clang for FreeBSD, NetBSD, and OpenBSD in a similar fashion to O_CREAT for open(2). These systems have a three-argument malloc() in the kernel where the third argument contains flags; the M_ZERO flag will zero-initialize the allocated buffer. This should reduce the number of false positives when running static analysis on BSD kernels. Additionally, add kmalloc() (Linux kernel malloc()) and treat __GFP_ZERO like M_ZERO on Linux. Future work involves a better method of checking for named flags without hardcoding values. Patch by Conrad Meyer, with minor modifications by me. llvm-svn: 204832 2014-03-27 01:05:46 +08:00			`}`

			`void test_indeterminate(int flags) {`
			`struct test *list, t;`
			`int i;`

			`list = kmalloc(sizeof(list) 10, flags);`
			`if (list == NULL)`
			`return;`

			`for (i = 0; i < 10; i++) {`
			`t = list[i]; // expected-warning{{undefined}}`
			`foo(t);`
			`}`
[analyzer] Support kfree in MallocChecker Summary: kmalloc is freed with kfree in the linux kernel. kmalloc support was added in r204832, but kfree was not. Adding kfree fixes incorrectly detected memory leaks. Reviewers: NoQ, nickdesaulniers, dcoughlin, Szelethus Reviewed By: NoQ, Szelethus Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D64030 llvm-svn: 364875 2019-07-02 07:29:10 +08:00			`kfree(list);`
[analyzer] Handle the M_ZERO and __GFP_ZERO flags in kernel mallocs. Add M_ZERO awareness to malloc() static analysis in Clang for FreeBSD, NetBSD, and OpenBSD in a similar fashion to O_CREAT for open(2). These systems have a three-argument malloc() in the kernel where the third argument contains flags; the M_ZERO flag will zero-initialize the allocated buffer. This should reduce the number of false positives when running static analysis on BSD kernels. Additionally, add kmalloc() (Linux kernel malloc()) and treat __GFP_ZERO like M_ZERO on Linux. Future work involves a better method of checking for named flags without hardcoding values. Patch by Conrad Meyer, with minor modifications by me. llvm-svn: 204832 2014-03-27 01:05:46 +08:00			`}`
[analyzer][MallocChecker][NFC] Change the use of IdentifierInfo* to CallDescription Exactly what it says on the tin! I decided not to merge this with the patch that changes all these to a CallDescriptionMap object, so the patch is that much more trivial. Differential Revision: https://reviews.llvm.org/D68163 2019-09-20 17:01:45 +08:00
			`typedef unsigned long long uint64_t;`

			`struct malloc_type;`

[analyzer][MallocChecker] Fix that kfree only takes a single argument Exactly what it says on the tin! https://www.kernel.org/doc/htmldocs/kernel-api/API-kfree.html Differential Revision: https://reviews.llvm.org/D76917 2020-03-27 19:35:08 +08:00			`// 3 parameter malloc:`
			`// https://www.freebsd.org/cgi/man.cgi?query=malloc&sektion=9`
[analyzer][MallocChecker][NFC] Change the use of IdentifierInfo* to CallDescription Exactly what it says on the tin! I decided not to merge this with the patch that changes all these to a CallDescriptionMap object, so the patch is that much more trivial. Differential Revision: https://reviews.llvm.org/D68163 2019-09-20 17:01:45 +08:00			`void malloc(unsigned long size, struct malloc_type mtp, int flags);`

			`void test_3arg_malloc(struct malloc_type *mtp) {`
			`struct test *list, t;`
			`int i;`

			`list = malloc(sizeof(list) 10, mtp, __GFP_ZERO);`
			`if (list == NULL)`
			`return;`

			`for (i = 0; i < 10; i++) {`
			`t = list[i];`
			`foo(t);`
			`}`
			`kfree(list); // no-warning`
			`}`

			`void test_3arg_malloc_nonzero(struct malloc_type *mtp) {`
			`struct test *list, t;`
			`int i;`

			`list = malloc(sizeof(list) 10, mtp, 0);`
			`if (list == NULL)`
			`return;`

			`for (i = 0; i < 10; i++) {`
			`t = list[i]; // expected-warning{{undefined}}`
			`foo(t);`
			`}`
			`kfree(list);`
			`}`

			`void test_3arg_malloc_indeterminate(struct malloc_type *mtp, int flags) {`
			`struct test *list, t;`
			`int i;`

[analyzer][MallocChecker] Fix that kfree only takes a single argument Exactly what it says on the tin! https://www.kernel.org/doc/htmldocs/kernel-api/API-kfree.html Differential Revision: https://reviews.llvm.org/D76917 2020-03-27 19:35:08 +08:00			`list = malloc(sizeof(list) 10, mtp, flags);`
[analyzer][MallocChecker][NFC] Change the use of IdentifierInfo* to CallDescription Exactly what it says on the tin! I decided not to merge this with the patch that changes all these to a CallDescriptionMap object, so the patch is that much more trivial. Differential Revision: https://reviews.llvm.org/D68163 2019-09-20 17:01:45 +08:00			`if (list == NULL)`
			`return;`

			`for (i = 0; i < 10; i++) {`
			`t = list[i]; // expected-warning{{undefined}}`
			`foo(t);`
			`}`
			`kfree(list);`
			`}`
[analyzer][MallocChecker] Fix that kfree only takes a single argument Exactly what it says on the tin! https://www.kernel.org/doc/htmldocs/kernel-api/API-kfree.html Differential Revision: https://reviews.llvm.org/D76917 2020-03-27 19:35:08 +08:00
			`void test_3arg_malloc_leak(struct malloc_type *mtp, int flags) {`
			`struct test **list;`

			`list = malloc(sizeof(list) 10, mtp, flags);`
			`if (list == NULL)`
			`return;`
			`} // expected-warning{{Potential leak of memory pointed to by 'list'}}`
[Analyzer][MallocChecker] No warning for kfree of ZERO_SIZE_PTR. Summary: The kernel kmalloc function may return a constant value ZERO_SIZE_PTR if a zero-sized block is allocated. This special value is allowed to be passed to kfree and should produce no warning. This is a simple version but should be no problem. The macro is always detected independent of if this is a kernel source code or any other code. Reviewers: Szelethus, martong Reviewed By: Szelethus, martong Subscribers: rnkovacs, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, gamesh411, Charusso, martong, ASDenysPetrov, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D76830 2020-03-30 15:23:07 +08:00
			`// kmalloc can return a constant value defined in ZERO_SIZE_PTR`
			`// if a block of size 0 is requested`
			`#define ZERO_SIZE_PTR ((void *)16)`

			`void test_kfree_ZERO_SIZE_PTR() {`
			`void *ptr = ZERO_SIZE_PTR;`
			`kfree(ptr); // no warning about freeing this value`
			`}`

			`void test_kfree_other_constant_value() {`
			`void ptr = (void )1;`
			`kfree(ptr); // expected-warning{{Argument to kfree() is a constant address (1)}}`
			`}`