Semantic patch for sizeof() using palloc()

mkindahl · Commitfest Bot · commit cebab1860499 · 2025-03-29T07:50:26.000Z
If palloc() is used to allocate elements of type T it should be assigned to a
variable of type T* or risk indexes out of bounds. This semantic patch checks
that allocations to variables of type T* are using sizeof(T) when allocating
memory using palloc().
diff --git a/cocci/palloc_sizeof.cocci b/cocci/palloc_sizeof.cocci
@@ -0,0 +1,49 @@
+virtual report
+virtual context
+virtual patch
+
+@initialize:python@
+@@
+import re
+
+CONST_CRE = re.compile(r'\bconst\b')
+
+def is_simple_type(s):
+    return s != 'void' and not CONST_CRE.search(s)
+
+@r1 depends on report || context@
+type T1 : script:python () { is_simple_type(T1) };
+idexpression T1 *I;
+type T2 != T1;
+position p;
+expression E;
+identifier func = {palloc, palloc0};
+@@
+(
+* I = func@p(sizeof(T2))
+|
+* I = func@p(E * sizeof(T2))
+)
+
+@script:python depends on report@
+T1 << r1.T1;
+T2 << r1.T2;
+I << r1.I;
+p << r1.p;
+@@
+coccilib.report.print_report(p[0], f"'{I}' has type '{T1}*' but 'sizeof({T2})' is used to allocate memory")
+
+@depends on patch@
+type T1 : script:python () { is_simple_type(T1) };
+idexpression T1 *I;
+type T2 != T1;
+expression E;
+identifier func = {palloc, palloc0};
+@@
+(
+- I = func(sizeof(T2))
++ I = func(sizeof(T1))
+|
+- I = func(E * sizeof(T2))
++ I = func(E * sizeof(T1))
+)
