[analyzer] Support kfree in MallocChecker

nhukc · nhukc · commit 121401425d4d · 2019-07-01T23:29:10.000Z
Summary: kmalloc is freed with kfree in the linux kernel. kmalloc support was added in r204832, but kfree was not. Adding kfree fixes incorrectly detected memory leaks. Reviewers: NoQ, nickdesaulniers, dcoughlin, Szelethus Reviewed By: NoQ, Szelethus Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, cfe-commits Tags: #clang Differential Revision: https://reviews.llvm.org/D64030 llvm-svn: 364875
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -177,9 +177,10 @@ class MallocChecker : public Checker<check::DeadSymbols,
         II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),
         II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),
         II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr),
-        II_if_nameindex(nullptr), II_if_freenameindex(nullptr),
-        II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr),
-        II_g_malloc0(nullptr), II_g_realloc(nullptr), II_g_try_malloc(nullptr),
+        II_kfree(nullptr), II_if_nameindex(nullptr),
+        II_if_freenameindex(nullptr), II_wcsdup(nullptr),
+        II_win_wcsdup(nullptr), II_g_malloc(nullptr), II_g_malloc0(nullptr),
+        II_g_realloc(nullptr), II_g_try_malloc(nullptr),
         II_g_try_malloc0(nullptr), II_g_try_realloc(nullptr),
         II_g_free(nullptr), II_g_memdup(nullptr), II_g_malloc_n(nullptr),
         II_g_malloc0_n(nullptr), II_g_realloc_n(nullptr),
@@ -249,13 +250,13 @@ class MallocChecker : public Checker<check::DeadSymbols,
   mutable IdentifierInfo *II_alloca, *II_win_alloca, *II_malloc, *II_free,
                          *II_realloc, *II_calloc, *II_valloc, *II_reallocf,
                          *II_strndup, *II_strdup, *II_win_strdup, *II_kmalloc,
-                         *II_if_nameindex, *II_if_freenameindex, *II_wcsdup,
-                         *II_win_wcsdup, *II_g_malloc, *II_g_malloc0,
-                         *II_g_realloc, *II_g_try_malloc, *II_g_try_malloc0,
-                         *II_g_try_realloc, *II_g_free, *II_g_memdup,
-                         *II_g_malloc_n, *II_g_malloc0_n, *II_g_realloc_n,
-                         *II_g_try_malloc_n, *II_g_try_malloc0_n,
-                         *II_g_try_realloc_n;
+                         *II_kfree, *II_if_nameindex, *II_if_freenameindex,
+                         *II_wcsdup, *II_win_wcsdup, *II_g_malloc,
+                         *II_g_malloc0, *II_g_realloc, *II_g_try_malloc,
+                         *II_g_try_malloc0, *II_g_try_realloc, *II_g_free,
+                         *II_g_memdup, *II_g_malloc_n, *II_g_malloc0_n,
+                         *II_g_realloc_n, *II_g_try_malloc_n,
+                         *II_g_try_malloc0_n, *II_g_try_realloc_n;
   mutable Optional<uint64_t> KernelZeroFlagVal;
 
   void initIdentifierInfo(ASTContext &C) const;
@@ -598,6 +599,7 @@ void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
   II_strndup = &Ctx.Idents.get("strndup");
   II_wcsdup = &Ctx.Idents.get("wcsdup");
   II_kmalloc = &Ctx.Idents.get("kmalloc");
+  II_kfree = &Ctx.Idents.get("kfree");
   II_if_nameindex = &Ctx.Idents.get("if_nameindex");
   II_if_freenameindex = &Ctx.Idents.get("if_freenameindex");
 
@@ -657,7 +659,7 @@ bool MallocChecker::isCMemFunction(const FunctionDecl *FD,
 
     if (Family == AF_Malloc && CheckFree) {
       if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf ||
-          FunI == II_g_free)
+          FunI == II_g_free || FunI == II_kfree)
         return true;
     }
 
@@ -874,7 +876,7 @@ void MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
       State = CallocMem(C, CE, State);
       State = ProcessZeroAllocation(C, CE, 0, State);
       State = ProcessZeroAllocation(C, CE, 1, State);
-    } else if (FunI == II_free || FunI == II_g_free) {
+    } else if (FunI == II_free || FunI == II_g_free || FunI == II_kfree) {
       State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
     } else if (FunI == II_strdup || FunI == II_win_strdup ||
                FunI == II_wcsdup || FunI == II_win_wcsdup) {
diff --git a/clang/test/Analysis/kmalloc-linux.c b/clang/test/Analysis/kmalloc-linux.c
@@ -24,7 +24,7 @@ void test_zeroed() {
     t = list[i];
     foo(t);
   }
-  free(list); // no-warning
+  kfree(list); // no-warning
 }
 
 void test_nonzero() {
@@ -39,7 +39,7 @@ void test_nonzero() {
     t = list[i]; // expected-warning{{undefined}}
     foo(t);
   }
-  free(list);
+  kfree(list);
 }
 
 void test_indeterminate(int flags) {
@@ -54,5 +54,5 @@ void test_indeterminate(int flags) {
     t = list[i]; // expected-warning{{undefined}}
     foo(t);
   }
-  free(list);
+  kfree(list);
 }

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ void test_zeroed() {`
`24`	`24`	`t = list[i];`
`25`	`25`	`foo(t);`
`26`	`26`	`}`
`27`		`- free(list); // no-warning`
	`27`	`+ kfree(list); // no-warning`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`void test_nonzero() {`
`@@ -39,7 +39,7 @@ void test_nonzero() {`
`39`	`39`	`t = list[i]; // expected-warning{{undefined}}`
`40`	`40`	`foo(t);`
`41`	`41`	`}`
`42`		`- free(list);`
	`42`	`+ kfree(list);`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`void test_indeterminate(int flags) {`
`@@ -54,5 +54,5 @@ void test_indeterminate(int flags) {`
`54`	`54`	`t = list[i]; // expected-warning{{undefined}}`
`55`	`55`	`foo(t);`
`56`	`56`	`}`
`57`		`- free(list);`
	`57`	`+ kfree(list);`
`58`	`58`	`}`