313 if (expr->symbol->initializer == expr) /* int a = a; */
314 return 0;
315 return get_initializer_size(expr->symbol->initializer);
316 }
317
318 static struct range_list *get_stored_size_bytes(struct expression *expr)
319 {
320 struct smatch_state *state;
321
322 state = get_state_expr(my_size_id, expr);
323 if (!state)
324 return NULL;
325 return estate_rl(state);
326 }
327
328 static int get_bytes_from_address(struct expression *expr)
329 {
330 struct symbol *type;
331 int ret;
332
333 if (!option_spammy)
334 return 0;
335 if (expr->type != EXPR_PREOP || expr->op != '&')
336 return 0;
337 type = get_type(expr);
338 if (!type)
339 return 0;
340
341 if (type->type == SYM_PTR)
342 type = get_base_type(type);
343
344 ret = type_bytes(type);
345 if (ret == 1)
346 return 0; /* ignore char pointers */
347
348 return ret;
349 }
350
351 static struct expression *remove_addr_fluff(struct expression *expr)
352 {
353 struct expression *tmp;
354 sval_t sval;
489 int bytes;
490
491 if (!get_implied_value(expr->right, &offset))
492 return NULL;
493 type = get_type(expr->left);
494 if (!type)
495 return NULL;
496 if (type->type != SYM_ARRAY && type->type != SYM_PTR)
497 return NULL;
498 type = get_real_base_type(type);
499 bytes = type_bytes(type);
500 if (bytes == 0)
501 return NULL;
502 offset.value *= bytes;
503 size = get_array_size_bytes(expr->left);
504 if (size <= 0)
505 return NULL;
506 return alloc_int_rl(size - offset.value);
507 }
508
509 /* buf[4] */
510 size = get_real_array_size(expr);
511 if (size)
512 return alloc_int_rl(elements_to_bytes(expr, size));
513
514 /* buf = malloc(1024); */
515 ret = get_stored_size_bytes(expr);
516 if (ret)
517 return ret;
518
519 size = get_stored_size_end_struct_bytes(expr);
520 if (size)
521 return alloc_int_rl(size);
522
523 /* char *foo = "BAR" */
524 size = get_size_from_initializer(expr);
525 if (size)
526 return alloc_int_rl(elements_to_bytes(expr, size));
527
528 size = get_bytes_from_address(expr);
529 if (size)
530 return alloc_int_rl(size);
531
532 ret = size_from_db(expr);
533 if (ret)
534 return ret;
535
536 return NULL;
537 }
538
539 int get_array_size_bytes(struct expression *expr)
540 {
541 struct range_list *rl;
542 sval_t sval;
694 store_alloc(left, rl);
695 }
696
697 static void match_alloc(const char *fn, struct expression *expr, void *_size_arg)
698 {
699 int size_arg = PTR_INT(_size_arg);
700 struct expression *right;
701 struct expression *arg;
702 struct range_list *rl;
703
704 right = strip_expr(expr->right);
705 arg = get_argument_from_call_expr(right->args, size_arg);
706 get_absolute_rl(arg, &rl);
707 rl = cast_rl(&int_ctype, rl);
708 store_alloc(expr->left, rl);
709 }
710
711 static void match_calloc(const char *fn, struct expression *expr, void *unused)
712 {
713 struct expression *right;
714 struct expression *arg;
715 sval_t elements;
716 sval_t size;
717
718 right = strip_expr(expr->right);
719 arg = get_argument_from_call_expr(right->args, 0);
720 if (!get_implied_value(arg, &elements))
721 return; // FIXME!!!
722 arg = get_argument_from_call_expr(right->args, 1);
723 if (get_implied_value(arg, &size))
724 store_alloc(expr->left, size_to_rl(elements.value * size.value));
725 else
726 store_alloc(expr->left, size_to_rl(-1));
727 }
728
729 static void match_page(const char *fn, struct expression *expr, void *_unused)
730 {
731 sval_t page_size = {
732 .type = &int_ctype,
733 {.value = 4096},
734 };
735
736 store_alloc(expr->left, alloc_rl(page_size, page_size));
737 }
738
739 static void match_strndup(const char *fn, struct expression *expr, void *unused)
740 {
741 struct expression *fn_expr;
742 struct expression *size_expr;
743 sval_t size;
744
856
857 if (!sym->ident)
858 return;
859
860 if (!(sym->ctype.modifiers & MOD_TOPLEVEL) ||
861 sym->ctype.modifiers & MOD_STATIC)
862 return;
863
864 bytes = get_array_size_bytes(symbol_expression(sym));
865 if (bytes <= 1)
866 return;
867
868 snprintf(buf, sizeof(buf), "%d", bytes);
869 sql_insert_data_info_var_sym(sym->ident->name, sym, BUF_SIZE, buf);
870 }
871
872 void register_buf_size(int id)
873 {
874 my_size_id = id;
875
876 add_unmatched_state_hook(my_size_id, &unmatched_size_state);
877
878 select_caller_info_hook(set_param_buf_size, BUF_SIZE);
879 select_return_states_hook(BUF_SIZE, &db_returns_buf_size);
880 add_split_return_callback(print_returned_allocations);
881
882 allocation_funcs = create_function_hashtable(100);
883 add_allocation_function("malloc", &match_alloc, 0);
884 add_allocation_function("calloc", &match_calloc, 0);
885 add_allocation_function("memdup", &match_alloc, 1);
886 add_allocation_function("realloc", &match_alloc, 1);
887 if (option_project == PROJ_KERNEL) {
888 add_allocation_function("kmalloc", &match_alloc, 0);
889 add_allocation_function("kmalloc_node", &match_alloc, 0);
890 add_allocation_function("kzalloc", &match_alloc, 0);
891 add_allocation_function("kzalloc_node", &match_alloc, 0);
892 add_allocation_function("vmalloc", &match_alloc, 0);
893 add_allocation_function("__vmalloc", &match_alloc, 0);
894 add_allocation_function("kcalloc", &match_calloc, 0);
895 add_allocation_function("kmalloc_array", &match_calloc, 0);
896 add_allocation_function("drm_malloc_ab", &match_calloc, 0);
897 add_allocation_function("drm_calloc_large", &match_calloc, 0);
898 add_allocation_function("sock_kmalloc", &match_alloc, 1);
899 add_allocation_function("kmemdup", &match_alloc, 1);
900 add_allocation_function("kmemdup_user", &match_alloc, 1);
901 add_allocation_function("dma_alloc_attrs", &match_alloc, 1);
902 add_allocation_function("pci_alloc_consistent", &match_alloc, 1);
903 add_allocation_function("pci_alloc_coherent", &match_alloc, 1);
904 add_allocation_function("devm_kmalloc", &match_alloc, 1);
905 add_allocation_function("devm_kzalloc", &match_alloc, 1);
906 add_allocation_function("krealloc", &match_alloc, 1);
907 add_allocation_function("__alloc_bootmem", &match_alloc, 0);
908 add_allocation_function("alloc_bootmem", &match_alloc, 0);
909 add_allocation_function("kmap", &match_page, 0);
910 add_allocation_function("get_zeroed_page", &match_page, 0);
911 add_allocation_function("alloc_pages", &match_alloc_pages, 1);
912 add_allocation_function("alloc_pages_current", &match_alloc_pages, 1);
913 add_allocation_function("__get_free_pages", &match_alloc_pages, 1);
914 }
915
916 add_allocation_function("strndup", match_strndup, 0);
917 if (option_project == PROJ_KERNEL)
918 add_allocation_function("kstrndup", match_strndup, 0);
919
920 add_modification_hook(my_size_id, &set_size_undefined);
921
922 add_merge_hook(my_size_id, &merge_size_func);
923
924 if (option_info)
925 add_hook(record_global_size, BASE_HOOK);
926 }
927
928 void register_buf_size_late(int id)
929 {
930 /* has to happen after match_alloc() */
|
313 if (expr->symbol->initializer == expr) /* int a = a; */
314 return 0;
315 return get_initializer_size(expr->symbol->initializer);
316 }
317
318 static struct range_list *get_stored_size_bytes(struct expression *expr)
319 {
320 struct smatch_state *state;
321
322 state = get_state_expr(my_size_id, expr);
323 if (!state)
324 return NULL;
325 return estate_rl(state);
326 }
327
328 static int get_bytes_from_address(struct expression *expr)
329 {
330 struct symbol *type;
331 int ret;
332
333 if (expr->type != EXPR_PREOP || expr->op != '&')
334 return 0;
335 type = get_type(expr);
336 if (!type)
337 return 0;
338
339 if (type->type == SYM_PTR)
340 type = get_base_type(type);
341
342 ret = type_bytes(type);
343 if (ret == 1)
344 return 0; /* ignore char pointers */
345
346 return ret;
347 }
348
349 static struct expression *remove_addr_fluff(struct expression *expr)
350 {
351 struct expression *tmp;
352 sval_t sval;
487 int bytes;
488
489 if (!get_implied_value(expr->right, &offset))
490 return NULL;
491 type = get_type(expr->left);
492 if (!type)
493 return NULL;
494 if (type->type != SYM_ARRAY && type->type != SYM_PTR)
495 return NULL;
496 type = get_real_base_type(type);
497 bytes = type_bytes(type);
498 if (bytes == 0)
499 return NULL;
500 offset.value *= bytes;
501 size = get_array_size_bytes(expr->left);
502 if (size <= 0)
503 return NULL;
504 return alloc_int_rl(size - offset.value);
505 }
506
507 size = get_stored_size_end_struct_bytes(expr);
508 if (size)
509 return alloc_int_rl(size);
510
511 /* buf[4] */
512 size = get_real_array_size(expr);
513 if (size)
514 return alloc_int_rl(elements_to_bytes(expr, size));
515
516 /* buf = malloc(1024); */
517 ret = get_stored_size_bytes(expr);
518 if (ret)
519 return ret;
520
521 /* char *foo = "BAR" */
522 size = get_size_from_initializer(expr);
523 if (size)
524 return alloc_int_rl(elements_to_bytes(expr, size));
525
526 size = get_bytes_from_address(expr);
527 if (size)
528 return alloc_int_rl(size);
529
530 ret = size_from_db(expr);
531 if (ret)
532 return ret;
533
534 return NULL;
535 }
536
537 int get_array_size_bytes(struct expression *expr)
538 {
539 struct range_list *rl;
540 sval_t sval;
692 store_alloc(left, rl);
693 }
694
695 static void match_alloc(const char *fn, struct expression *expr, void *_size_arg)
696 {
697 int size_arg = PTR_INT(_size_arg);
698 struct expression *right;
699 struct expression *arg;
700 struct range_list *rl;
701
702 right = strip_expr(expr->right);
703 arg = get_argument_from_call_expr(right->args, size_arg);
704 get_absolute_rl(arg, &rl);
705 rl = cast_rl(&int_ctype, rl);
706 store_alloc(expr->left, rl);
707 }
708
709 static void match_calloc(const char *fn, struct expression *expr, void *unused)
710 {
711 struct expression *right;
712 struct expression *size, *nr, *mult;
713 struct range_list *rl;
714
715 right = strip_expr(expr->right);
716 nr = get_argument_from_call_expr(right->args, 0);
717 size = get_argument_from_call_expr(right->args, 1);
718 mult = binop_expression(nr, '*', size);
719 if (get_implied_rl(mult, &rl))
720 store_alloc(expr->left, rl);
721 else
722 store_alloc(expr->left, size_to_rl(-1));
723 }
724
725 static void match_page(const char *fn, struct expression *expr, void *_unused)
726 {
727 sval_t page_size = {
728 .type = &int_ctype,
729 {.value = 4096},
730 };
731
732 store_alloc(expr->left, alloc_rl(page_size, page_size));
733 }
734
735 static void match_strndup(const char *fn, struct expression *expr, void *unused)
736 {
737 struct expression *fn_expr;
738 struct expression *size_expr;
739 sval_t size;
740
852
853 if (!sym->ident)
854 return;
855
856 if (!(sym->ctype.modifiers & MOD_TOPLEVEL) ||
857 sym->ctype.modifiers & MOD_STATIC)
858 return;
859
860 bytes = get_array_size_bytes(symbol_expression(sym));
861 if (bytes <= 1)
862 return;
863
864 snprintf(buf, sizeof(buf), "%d", bytes);
865 sql_insert_data_info_var_sym(sym->ident->name, sym, BUF_SIZE, buf);
866 }
867
868 void register_buf_size(int id)
869 {
870 my_size_id = id;
871
872 set_dynamic_states(my_size_id);
873
874 add_unmatched_state_hook(my_size_id, &unmatched_size_state);
875
876 select_caller_info_hook(set_param_buf_size, BUF_SIZE);
877 select_return_states_hook(BUF_SIZE, &db_returns_buf_size);
878 add_split_return_callback(print_returned_allocations);
879
880 allocation_funcs = create_function_hashtable(100);
881 add_allocation_function("malloc", &match_alloc, 0);
882 add_allocation_function("calloc", &match_calloc, 0);
883 add_allocation_function("memdup", &match_alloc, 1);
884 add_allocation_function("realloc", &match_alloc, 1);
885 if (option_project == PROJ_KERNEL) {
886 add_allocation_function("kmalloc", &match_alloc, 0);
887 add_allocation_function("kmalloc_node", &match_alloc, 0);
888 add_allocation_function("kzalloc", &match_alloc, 0);
889 add_allocation_function("kzalloc_node", &match_alloc, 0);
890 add_allocation_function("vmalloc", &match_alloc, 0);
891 add_allocation_function("__vmalloc", &match_alloc, 0);
892 add_allocation_function("kcalloc", &match_calloc, 0);
893 add_allocation_function("kmalloc_array", &match_calloc, 0);
894 add_allocation_function("drm_malloc_ab", &match_calloc, 0);
895 add_allocation_function("drm_calloc_large", &match_calloc, 0);
896 add_allocation_function("sock_kmalloc", &match_alloc, 1);
897 add_allocation_function("kmemdup", &match_alloc, 1);
898 add_allocation_function("kmemdup_user", &match_alloc, 1);
899 add_allocation_function("dma_alloc_attrs", &match_alloc, 1);
900 add_allocation_function("pci_alloc_consistent", &match_alloc, 1);
901 add_allocation_function("pci_alloc_coherent", &match_alloc, 1);
902 add_allocation_function("devm_kmalloc", &match_alloc, 1);
903 add_allocation_function("devm_kzalloc", &match_alloc, 1);
904 add_allocation_function("krealloc", &match_alloc, 1);
905 add_allocation_function("__alloc_bootmem", &match_alloc, 0);
906 add_allocation_function("alloc_bootmem", &match_alloc, 0);
907 add_allocation_function("kmap", &match_page, 0);
908 add_allocation_function("get_zeroed_page", &match_page, 0);
909 add_allocation_function("alloc_page", &match_page, 0);
910 add_allocation_function("page_address", &match_page, 0);
911 add_allocation_function("lowmem_page_address", &match_page, 0);
912 add_allocation_function("alloc_pages", &match_alloc_pages, 1);
913 add_allocation_function("alloc_pages_current", &match_alloc_pages, 1);
914 add_allocation_function("__get_free_pages", &match_alloc_pages, 1);
915 }
916
917 add_allocation_function("strndup", match_strndup, 0);
918 if (option_project == PROJ_KERNEL)
919 add_allocation_function("kstrndup", match_strndup, 0);
920
921 add_modification_hook(my_size_id, &set_size_undefined);
922
923 add_merge_hook(my_size_id, &merge_size_func);
924
925 if (option_info)
926 add_hook(record_global_size, BASE_HOOK);
927 }
928
929 void register_buf_size_late(int id)
930 {
931 /* has to happen after match_alloc() */
|