Print this page
11972 resync smatch
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/tools/smatch/src/smatch_extra.c
+++ new/usr/src/tools/smatch/src/smatch_extra.c
1 1 /*
2 2 * Copyright (C) 2008 Dan Carpenter.
3 3 *
4 4 * This program is free software; you can redistribute it and/or
5 5 * modify it under the terms of the GNU General Public License
6 6 * as published by the Free Software Foundation; either version 2
7 7 * of the License, or (at your option) any later version.
8 8 *
9 9 * This program is distributed in the hope that it will be useful,
10 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 * GNU General Public License for more details.
13 13 *
14 14 * You should have received a copy of the GNU General Public License
15 15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 16 */
17 17
18 18 /*
19 19 * smatch_extra.c is supposed to track the value of every variable.
20 20 *
21 21 */
22 22
23 23 #define _GNU_SOURCE
24 24 #include <string.h>
25 25
26 26 #include <stdlib.h>
27 27 #include <errno.h>
28 28 #ifndef __USE_ISOC99
29 29 #define __USE_ISOC99
30 30 #endif
31 31 #include <limits.h>
32 32 #include "parse.h"
33 33 #include "smatch.h"
34 34 #include "smatch_slist.h"
35 35 #include "smatch_extra.h"
36 36
37 37 static int my_id;
38 38 static int link_id;
39 39 extern int check_assigned_expr_id;
40 40
41 41 static void match_link_modify(struct sm_state *sm, struct expression *mod_expr);
42 42
43 43 struct string_list *__ignored_macros = NULL;
44 44 int in_warn_on_macro(void)
45 45 {
46 46 struct statement *stmt;
47 47 char *tmp;
48 48 char *macro;
49 49
50 50 stmt = get_current_statement();
51 51 if (!stmt)
52 52 return 0;
53 53 macro = get_macro_name(stmt->pos);
54 54 if (!macro)
55 55 return 0;
56 56
57 57 FOR_EACH_PTR(__ignored_macros, tmp) {
58 58 if (!strcmp(tmp, macro))
59 59 return 1;
60 60 } END_FOR_EACH_PTR(tmp);
61 61 return 0;
62 62 }
63 63
64 64 typedef void (mod_hook)(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state);
65 65 DECLARE_PTR_LIST(void_fn_list, mod_hook *);
66 66 static struct void_fn_list *extra_mod_hooks;
67 67 static struct void_fn_list *extra_nomod_hooks;
68 68
69 69 void add_extra_mod_hook(mod_hook *fn)
70 70 {
71 71 mod_hook **p = malloc(sizeof(mod_hook *));
72 72 *p = fn;
73 73 add_ptr_list(&extra_mod_hooks, p);
74 74 }
75 75
76 76 void add_extra_nomod_hook(mod_hook *fn)
77 77 {
78 78 mod_hook **p = malloc(sizeof(mod_hook *));
79 79 *p = fn;
80 80 add_ptr_list(&extra_nomod_hooks, p);
81 81 }
82 82
83 83 void call_extra_hooks(struct void_fn_list *hooks, const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
84 84 {
85 85 mod_hook **fn;
86 86
87 87 FOR_EACH_PTR(hooks, fn) {
88 88 (*fn)(name, sym, expr, state);
89 89 } END_FOR_EACH_PTR(fn);
90 90 }
91 91
|
↓ open down ↓ |
91 lines elided |
↑ open up ↑ |
92 92 void call_extra_mod_hooks(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
93 93 {
94 94 call_extra_hooks(extra_mod_hooks, name, sym, expr, state);
95 95 }
96 96
97 97 void call_extra_nomod_hooks(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
98 98 {
99 99 call_extra_hooks(extra_nomod_hooks, name, sym, expr, state);
100 100 }
101 101
102 +static void set_union_info(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
103 +{
104 + struct symbol *type, *tmp, *inner_type, *inner, *new_type;
105 + struct expression *deref, *member_expr;
106 + struct smatch_state *new;
107 + int offset, inner_offset;
108 + static bool in_recurse;
109 + char *member_name;
110 +
111 + if (__in_fake_assign)
112 + return;
113 +
114 + if (in_recurse)
115 + return;
116 + in_recurse = true;
117 +
118 + if (!expr || expr->type != EXPR_DEREF || !expr->member)
119 + goto done;
120 + offset = get_member_offset_from_deref(expr);
121 + if (offset < 0)
122 + goto done;
123 +
124 + deref = strip_expr(expr->deref);
125 + type = get_type(deref);
126 + if (type_is_ptr(type))
127 + type = get_real_base_type(type);
128 + if (!type || type->type != SYM_STRUCT)
129 + goto done;
130 +
131 + FOR_EACH_PTR(type->symbol_list, tmp) {
132 + inner_type = get_real_base_type(tmp);
133 + if (!inner_type || inner_type->type != SYM_UNION)
134 + continue;
135 +
136 + inner = first_ptr_list((struct ptr_list *)inner_type->symbol_list);
137 + if (!inner || !inner->ident)
138 + continue;
139 +
140 + inner_offset = get_member_offset(type, inner->ident->name);
141 + if (inner_offset < offset)
142 + continue;
143 + if (inner_offset > offset)
144 + goto done;
145 +
146 + FOR_EACH_PTR(inner_type->symbol_list, inner) {
147 + struct symbol *tmp_type;
148 +
149 + if (!inner->ident || inner->ident == expr->member)
150 + continue;
151 + tmp_type = get_real_base_type(inner);
152 + if (tmp_type && tmp_type->type == SYM_STRUCT)
153 + continue;
154 + member_expr = deref;
155 + if (tmp->ident)
156 + member_expr = member_expression(member_expr, '.', tmp->ident);
157 + member_expr = member_expression(member_expr, expr->op, inner->ident);
158 + member_name = expr_to_var(member_expr);
159 + if (!member_name)
160 + continue;
161 + new_type = get_real_base_type(inner);
162 + new = alloc_estate_rl(cast_rl(new_type, estate_rl(state)));
163 + set_extra_mod_helper(member_name, sym, member_expr, new);
164 + free_string(member_name);
165 + } END_FOR_EACH_PTR(inner);
166 + } END_FOR_EACH_PTR(tmp);
167 +
168 +done:
169 + in_recurse = false;
170 +}
171 +
102 172 static bool in_param_set;
103 173 void set_extra_mod_helper(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
104 174 {
175 + if (!expr)
176 + expr = gen_expression_from_name_sym(name, sym);
105 177 remove_from_equiv(name, sym);
178 + set_union_info(name, sym, expr, state);
106 179 call_extra_mod_hooks(name, sym, expr, state);
107 - if ((__in_fake_assign || in_param_set) &&
180 + update_mtag_data(expr, state);
181 + if (in_param_set &&
108 182 estate_is_unknown(state) && !get_state(SMATCH_EXTRA, name, sym))
109 183 return;
110 184 set_state(SMATCH_EXTRA, name, sym, state);
111 185 }
112 186
113 187 static void set_extra_nomod_helper(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
114 188 {
115 189 call_extra_nomod_hooks(name, sym, expr, state);
116 190 set_state(SMATCH_EXTRA, name, sym, state);
117 191 }
118 192
119 193 static char *get_pointed_at(const char *name, struct symbol *sym, struct symbol **new_sym)
120 194 {
121 195 struct expression *assigned;
122 196
123 197 if (name[0] != '*')
124 198 return NULL;
125 199 if (strcmp(name + 1, sym->ident->name) != 0)
126 200 return NULL;
127 201
128 202 assigned = get_assigned_expr_name_sym(sym->ident->name, sym);
129 203 if (!assigned)
130 204 return NULL;
131 205 assigned = strip_parens(assigned);
132 206 if (assigned->type != EXPR_PREOP || assigned->op != '&')
133 207 return NULL;
134 208
135 209 return expr_to_var_sym(assigned->unop, new_sym);
136 210 }
137 211
138 212 char *get_other_name_sym_from_chunk(const char *name, const char *chunk, int len, struct symbol *sym, struct symbol **new_sym)
139 213 {
140 214 struct expression *assigned;
141 215 char *orig_name = NULL;
142 216 char buf[256];
143 217 char *ret;
144 218
145 219 assigned = get_assigned_expr_name_sym(chunk, sym);
146 220 if (!assigned)
147 221 return NULL;
148 222 if (assigned->type == EXPR_CALL)
149 223 return map_call_to_other_name_sym(name, sym, new_sym);
150 224 if (assigned->type == EXPR_PREOP && assigned->op == '&') {
151 225
152 226 orig_name = expr_to_var_sym(assigned, new_sym);
153 227 if (!orig_name || !*new_sym)
154 228 goto free;
155 229
156 230 snprintf(buf, sizeof(buf), "%s.%s", orig_name + 1, name + len);
157 231 ret = alloc_string(buf);
158 232 free_string(orig_name);
159 233 return ret;
160 234 }
161 235
162 236 orig_name = expr_to_var_sym(assigned, new_sym);
163 237 if (!orig_name || !*new_sym)
164 238 goto free;
|
↓ open down ↓ |
47 lines elided |
↑ open up ↑ |
165 239
166 240 snprintf(buf, sizeof(buf), "%s->%s", orig_name, name + len);
167 241 ret = alloc_string(buf);
168 242 free_string(orig_name);
169 243 return ret;
170 244 free:
171 245 free_string(orig_name);
172 246 return NULL;
173 247 }
174 248
175 -static char *get_long_name_sym(const char *name, struct symbol *sym, struct symbol **new_sym)
249 +static char *get_long_name_sym(const char *name, struct symbol *sym, struct symbol **new_sym, bool use_stack)
176 250 {
177 251 struct expression *tmp;
178 252 struct sm_state *sm;
179 253 char buf[256];
180 254
181 255 /*
182 256 * Just prepend the name with a different name/sym and return that.
183 257 * For example, if we set "foo->bar = bar;" then we clamp "bar->baz",
184 258 * that also clamps "foo->bar->baz".
185 259 *
186 260 */
187 261
188 262 FOR_EACH_MY_SM(check_assigned_expr_id, __get_cur_stree(), sm) {
|
↓ open down ↓ |
3 lines elided |
↑ open up ↑ |
189 263 tmp = sm->state->data;
190 264 if (!tmp || tmp->type != EXPR_SYMBOL)
191 265 continue;
192 266 if (tmp->symbol == sym)
193 267 goto found;
194 268 } END_FOR_EACH_SM(sm);
195 269
196 270 return NULL;
197 271
198 272 found:
273 + if (!use_stack && name[tmp->symbol->ident->len] != '-')
274 + return NULL;
199 275 snprintf(buf, sizeof(buf), "%s%s", sm->name, name + tmp->symbol->ident->len);
200 276 *new_sym = sm->sym;
201 277 return alloc_string(buf);
202 278 }
203 279
204 280 char *get_other_name_sym_helper(const char *name, struct symbol *sym, struct symbol **new_sym, bool use_stack)
205 281 {
206 282 char buf[256];
207 283 char *ret;
208 284 int len;
209 285
210 286 *new_sym = NULL;
211 287
212 288 if (!sym || !sym->ident)
213 289 return NULL;
214 290
215 291 ret = get_pointed_at(name, sym, new_sym);
216 292 if (ret)
|
↓ open down ↓ |
8 lines elided |
↑ open up ↑ |
217 293 return ret;
218 294
219 295 ret = map_long_to_short_name_sym(name, sym, new_sym, use_stack);
220 296 if (ret)
221 297 return ret;
222 298
223 299 len = snprintf(buf, sizeof(buf), "%s", name);
224 300 if (len >= sizeof(buf) - 2)
225 301 return NULL;
226 302
227 - while (len >= 1) {
303 + while (use_stack && len >= 1) {
228 304 if (buf[len] == '>' && buf[len - 1] == '-') {
229 305 len--;
230 306 buf[len] = '\0';
231 307 ret = get_other_name_sym_from_chunk(name, buf, len + 2, sym, new_sym);
232 308 if (ret)
233 309 return ret;
234 310 }
235 311 len--;
236 312 }
237 313
238 - ret = get_long_name_sym(name, sym, new_sym);
314 + ret = get_long_name_sym(name, sym, new_sym, use_stack);
239 315 if (ret)
240 316 return ret;
241 317
242 318 return NULL;
243 319 }
244 320
245 321 char *get_other_name_sym(const char *name, struct symbol *sym, struct symbol **new_sym)
246 322 {
247 323 return get_other_name_sym_helper(name, sym, new_sym, true);
248 324 }
249 325
250 326 char *get_other_name_sym_nostack(const char *name, struct symbol *sym, struct symbol **new_sym)
|
↓ open down ↓ |
2 lines elided |
↑ open up ↑ |
251 327 {
252 328 return get_other_name_sym_helper(name, sym, new_sym, false);
253 329 }
254 330
255 331 void set_extra_mod(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
256 332 {
257 333 char *new_name;
258 334 struct symbol *new_sym;
259 335
260 336 set_extra_mod_helper(name, sym, expr, state);
261 - new_name = get_other_name_sym(name, sym, &new_sym);
337 + new_name = get_other_name_sym_nostack(name, sym, &new_sym);
262 338 if (new_name && new_sym)
263 - set_extra_mod_helper(new_name, new_sym, expr, state);
339 + set_extra_mod_helper(new_name, new_sym, NULL, state);
264 340 free_string(new_name);
265 341 }
266 342
267 343 static struct expression *chunk_get_array_base(struct expression *expr)
268 344 {
269 345 /*
270 346 * The problem with is_array() is that it only returns true for things
271 347 * like foo[1] but not for foo[1].bar.
272 348 *
273 349 */
274 350 expr = strip_expr(expr);
275 351 while (expr && expr->type == EXPR_DEREF)
276 352 expr = strip_expr(expr->deref);
277 353 return get_array_base(expr);
278 354 }
279 355
280 356 static int chunk_has_array(struct expression *expr)
281 357 {
282 358 return !!chunk_get_array_base(expr);
283 359 }
284 360
285 361 static void clear_array_states(struct expression *array)
286 362 {
287 363 struct sm_state *sm;
288 364
289 365 sm = get_sm_state_expr(link_id, array);
290 366 if (sm)
291 367 match_link_modify(sm, NULL);
292 368 }
293 369
294 370 static void set_extra_array_mod(struct expression *expr, struct smatch_state *state)
295 371 {
296 372 struct expression *array;
297 373 struct var_sym_list *vsl;
298 374 struct var_sym *vs;
299 375 char *name;
300 376 struct symbol *sym;
301 377
302 378 array = chunk_get_array_base(expr);
303 379
304 380 name = expr_to_chunk_sym_vsl(expr, &sym, &vsl);
305 381 if (!name || !vsl) {
306 382 clear_array_states(array);
307 383 goto free;
308 384 }
309 385
310 386 FOR_EACH_PTR(vsl, vs) {
311 387 store_link(link_id, vs->var, vs->sym, name, sym);
312 388 } END_FOR_EACH_PTR(vs);
313 389
314 390 call_extra_mod_hooks(name, sym, expr, state);
315 391 set_state(SMATCH_EXTRA, name, sym, state);
316 392 free:
317 393 free_string(name);
318 394 }
319 395
320 396 void set_extra_expr_mod(struct expression *expr, struct smatch_state *state)
321 397 {
322 398 struct symbol *sym;
323 399 char *name;
324 400
325 401 if (chunk_has_array(expr)) {
326 402 set_extra_array_mod(expr, state);
327 403 return;
328 404 }
329 405
330 406 expr = strip_expr(expr);
331 407 name = expr_to_var_sym(expr, &sym);
332 408 if (!name || !sym)
333 409 goto free;
334 410 set_extra_mod(name, sym, expr, state);
335 411 free:
336 412 free_string(name);
337 413 }
338 414
339 415 void set_extra_nomod(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
340 416 {
341 417 char *new_name;
342 418 struct symbol *new_sym;
343 419 struct relation *rel;
344 420 struct smatch_state *orig_state;
345 421
346 422 orig_state = get_state(SMATCH_EXTRA, name, sym);
347 423
348 424 /* don't save unknown states if leaving it blank is the same */
349 425 if (!orig_state && estate_is_unknown(state))
350 426 return;
351 427
352 428 new_name = get_other_name_sym(name, sym, &new_sym);
353 429 if (new_name && new_sym)
354 430 set_extra_nomod_helper(new_name, new_sym, expr, state);
355 431 free_string(new_name);
356 432
357 433 if (!estate_related(orig_state)) {
358 434 set_extra_nomod_helper(name, sym, expr, state);
359 435 return;
360 436 }
361 437
362 438 set_related(state, estate_related(orig_state));
363 439 FOR_EACH_PTR(estate_related(orig_state), rel) {
364 440 struct smatch_state *estate;
365 441
366 442 estate = get_state(SMATCH_EXTRA, rel->name, rel->sym);
367 443 if (!estate)
368 444 continue;
369 445 set_extra_nomod_helper(rel->name, rel->sym, expr, clone_estate_cast(estate_type(estate), state));
370 446 } END_FOR_EACH_PTR(rel);
371 447 }
372 448
373 449 void set_extra_nomod_vsl(const char *name, struct symbol *sym, struct var_sym_list *vsl, struct expression *expr, struct smatch_state *state)
374 450 {
375 451 struct var_sym *vs;
376 452
377 453 FOR_EACH_PTR(vsl, vs) {
378 454 store_link(link_id, vs->var, vs->sym, name, sym);
379 455 } END_FOR_EACH_PTR(vs);
380 456
381 457 set_extra_nomod(name, sym, expr, state);
382 458 }
383 459
384 460 /*
385 461 * This is for return_implies_state() hooks which modify a SMATCH_EXTRA state
386 462 */
387 463 void set_extra_expr_nomod(struct expression *expr, struct smatch_state *state)
388 464 {
389 465 struct var_sym_list *vsl;
390 466 struct var_sym *vs;
391 467 char *name;
392 468 struct symbol *sym;
393 469
394 470 name = expr_to_chunk_sym_vsl(expr, &sym, &vsl);
395 471 if (!name || !vsl)
396 472 goto free;
397 473 FOR_EACH_PTR(vsl, vs) {
398 474 store_link(link_id, vs->var, vs->sym, name, sym);
399 475 } END_FOR_EACH_PTR(vs);
400 476
401 477 set_extra_nomod(name, sym, expr, state);
402 478 free:
403 479 free_string(name);
404 480 }
405 481
406 482 static void set_extra_true_false(const char *name, struct symbol *sym,
407 483 struct smatch_state *true_state,
408 484 struct smatch_state *false_state)
409 485 {
410 486 char *new_name;
411 487 struct symbol *new_sym;
412 488 struct relation *rel;
413 489 struct smatch_state *orig_state;
414 490
415 491 if (!true_state && !false_state)
416 492 return;
417 493
418 494 if (in_warn_on_macro())
419 495 return;
420 496
421 497 new_name = get_other_name_sym(name, sym, &new_sym);
422 498 if (new_name && new_sym)
423 499 set_true_false_states(SMATCH_EXTRA, new_name, new_sym, true_state, false_state);
424 500 free_string(new_name);
425 501
426 502 orig_state = get_state(SMATCH_EXTRA, name, sym);
427 503
428 504 if (!estate_related(orig_state)) {
429 505 set_true_false_states(SMATCH_EXTRA, name, sym, true_state, false_state);
430 506 return;
431 507 }
432 508
433 509 if (true_state)
434 510 set_related(true_state, estate_related(orig_state));
435 511 if (false_state)
436 512 set_related(false_state, estate_related(orig_state));
437 513
438 514 FOR_EACH_PTR(estate_related(orig_state), rel) {
439 515 set_true_false_states(SMATCH_EXTRA, rel->name, rel->sym,
440 516 true_state, false_state);
441 517 } END_FOR_EACH_PTR(rel);
442 518 }
443 519
444 520 static void set_extra_chunk_true_false(struct expression *expr,
445 521 struct smatch_state *true_state,
446 522 struct smatch_state *false_state)
447 523 {
448 524 struct var_sym_list *vsl;
449 525 struct var_sym *vs;
450 526 struct symbol *type;
451 527 char *name;
452 528 struct symbol *sym;
453 529
454 530 if (in_warn_on_macro())
455 531 return;
456 532
457 533 type = get_type(expr);
458 534 if (!type)
459 535 return;
460 536
461 537 name = expr_to_chunk_sym_vsl(expr, &sym, &vsl);
462 538 if (!name || !vsl)
463 539 goto free;
464 540 FOR_EACH_PTR(vsl, vs) {
465 541 store_link(link_id, vs->var, vs->sym, name, sym);
466 542 } END_FOR_EACH_PTR(vs);
467 543
468 544 set_true_false_states(SMATCH_EXTRA, name, sym,
469 545 clone_estate(true_state),
470 546 clone_estate(false_state));
471 547 free:
472 548 free_string(name);
473 549 }
474 550
475 551 static void set_extra_expr_true_false(struct expression *expr,
476 552 struct smatch_state *true_state,
477 553 struct smatch_state *false_state)
478 554 {
479 555 char *name;
480 556 struct symbol *sym;
481 557 sval_t sval;
482 558
483 559 if (!true_state && !false_state)
484 560 return;
485 561
486 562 if (get_value(expr, &sval))
487 563 return;
488 564
489 565 expr = strip_expr(expr);
490 566 name = expr_to_var_sym(expr, &sym);
491 567 if (!name || !sym) {
492 568 free_string(name);
493 569 set_extra_chunk_true_false(expr, true_state, false_state);
494 570 return;
495 571 }
496 572 set_extra_true_false(name, sym, true_state, false_state);
497 573 free_string(name);
498 574 }
499 575
500 576 static int get_countdown_info(struct expression *condition, struct expression **unop, int *op, sval_t *right)
501 577 {
502 578 struct expression *unop_expr;
503 579 int comparison;
504 580 sval_t limit;
505 581
506 582 right->type = &int_ctype;
507 583 right->value = 0;
508 584
509 585 condition = strip_expr(condition);
510 586
511 587 if (condition->type == EXPR_COMPARE) {
512 588 comparison = remove_unsigned_from_comparison(condition->op);
513 589
514 590 if (comparison != SPECIAL_GTE && comparison != '>')
515 591 return 0;
516 592 if (!get_value(condition->right, &limit))
517 593 return 0;
518 594
519 595 unop_expr = condition->left;
520 596 if (unop_expr->type != EXPR_PREOP && unop_expr->type != EXPR_POSTOP)
521 597 return 0;
522 598 if (unop_expr->op != SPECIAL_DECREMENT)
523 599 return 0;
524 600
525 601 *unop = unop_expr;
526 602 *op = comparison;
527 603 *right = limit;
528 604
529 605 return 1;
530 606 }
531 607
532 608 if (condition->type != EXPR_PREOP && condition->type != EXPR_POSTOP)
533 609 return 0;
534 610 if (condition->op != SPECIAL_DECREMENT)
535 611 return 0;
536 612
537 613 *unop = condition;
538 614 *op = '>';
539 615
540 616 return 1;
541 617 }
542 618
543 619 static struct sm_state *handle_canonical_while_count_down(struct statement *loop)
544 620 {
545 621 struct expression *iter_var;
546 622 struct expression *condition, *unop;
547 623 struct symbol *type;
548 624 struct sm_state *sm;
549 625 struct smatch_state *estate;
550 626 int op;
551 627 sval_t start, right;
552 628
553 629 right.type = &int_ctype;
554 630 right.value = 0;
555 631
556 632 condition = strip_expr(loop->iterator_pre_condition);
557 633 if (!condition)
558 634 return NULL;
559 635
560 636 if (!get_countdown_info(condition, &unop, &op, &right))
561 637 return NULL;
562 638
563 639 iter_var = unop->unop;
564 640
565 641 sm = get_sm_state_expr(SMATCH_EXTRA, iter_var);
566 642 if (!sm)
567 643 return NULL;
568 644 if (sval_cmp(estate_min(sm->state), right) < 0)
569 645 return NULL;
570 646 start = estate_max(sm->state);
571 647
572 648 type = get_type(iter_var);
573 649 right = sval_cast(type, right);
574 650 start = sval_cast(type, start);
575 651
576 652 if (sval_cmp(start, right) <= 0)
577 653 return NULL;
578 654 if (!sval_is_max(start))
579 655 start.value--;
580 656
581 657 if (op == SPECIAL_GTE)
582 658 right.value--;
583 659
584 660 if (unop->type == EXPR_PREOP) {
585 661 right.value++;
586 662 estate = alloc_estate_range(right, start);
587 663 if (estate_has_hard_max(sm->state))
588 664 estate_set_hard_max(estate);
589 665 estate_copy_fuzzy_max(estate, sm->state);
590 666 set_extra_expr_mod(iter_var, estate);
591 667 }
592 668 if (unop->type == EXPR_POSTOP) {
593 669 estate = alloc_estate_range(right, start);
594 670 if (estate_has_hard_max(sm->state))
595 671 estate_set_hard_max(estate);
596 672 estate_copy_fuzzy_max(estate, sm->state);
597 673 set_extra_expr_mod(iter_var, estate);
598 674 }
599 675 return get_sm_state_expr(SMATCH_EXTRA, iter_var);
600 676 }
601 677
602 678 static struct sm_state *handle_canonical_for_inc(struct expression *iter_expr,
603 679 struct expression *condition)
604 680 {
605 681 struct expression *iter_var;
606 682 struct sm_state *sm;
607 683 struct smatch_state *estate;
608 684 sval_t start, end, max;
609 685 struct symbol *type;
610 686
611 687 iter_var = iter_expr->unop;
612 688 sm = get_sm_state_expr(SMATCH_EXTRA, iter_var);
613 689 if (!sm)
614 690 return NULL;
615 691 if (!estate_get_single_value(sm->state, &start))
616 692 return NULL;
617 693 if (!get_implied_value(condition->right, &end))
618 694 return NULL;
619 695
620 696 if (get_sm_state_expr(SMATCH_EXTRA, condition->left) != sm)
621 697 return NULL;
622 698
623 699 switch (condition->op) {
624 700 case SPECIAL_UNSIGNED_LT:
625 701 case SPECIAL_NOTEQUAL:
626 702 case '<':
627 703 if (!sval_is_min(end))
628 704 end.value--;
629 705 break;
630 706 case SPECIAL_UNSIGNED_LTE:
631 707 case SPECIAL_LTE:
632 708 break;
633 709 default:
634 710 return NULL;
635 711 }
636 712 if (sval_cmp(end, start) < 0)
637 713 return NULL;
638 714 type = get_type(iter_var);
639 715 start = sval_cast(type, start);
640 716 end = sval_cast(type, end);
641 717 estate = alloc_estate_range(start, end);
642 718 if (get_hard_max(condition->right, &max)) {
643 719 if (!get_macro_name(condition->pos))
644 720 estate_set_hard_max(estate);
645 721 if (condition->op == '<' ||
646 722 condition->op == SPECIAL_UNSIGNED_LT ||
647 723 condition->op == SPECIAL_NOTEQUAL)
648 724 max.value--;
649 725 max = sval_cast(type, max);
650 726 estate_set_fuzzy_max(estate, max);
651 727 }
652 728 set_extra_expr_mod(iter_var, estate);
653 729 return get_sm_state_expr(SMATCH_EXTRA, iter_var);
654 730 }
655 731
656 732 static struct sm_state *handle_canonical_for_dec(struct expression *iter_expr,
657 733 struct expression *condition)
658 734 {
659 735 struct expression *iter_var;
660 736 struct sm_state *sm;
661 737 struct smatch_state *estate;
662 738 sval_t start, end;
663 739
664 740 iter_var = iter_expr->unop;
665 741 sm = get_sm_state_expr(SMATCH_EXTRA, iter_var);
666 742 if (!sm)
667 743 return NULL;
668 744 if (!estate_get_single_value(sm->state, &start))
669 745 return NULL;
670 746 if (!get_implied_min(condition->right, &end))
671 747 end = sval_type_min(get_type(iter_var));
672 748 end = sval_cast(estate_type(sm->state), end);
673 749 if (get_sm_state_expr(SMATCH_EXTRA, condition->left) != sm)
674 750 return NULL;
675 751
676 752 switch (condition->op) {
677 753 case SPECIAL_NOTEQUAL:
678 754 case '>':
679 755 if (!sval_is_max(end))
680 756 end.value++;
681 757 break;
682 758 case SPECIAL_GTE:
683 759 break;
684 760 default:
685 761 return NULL;
686 762 }
687 763 if (sval_cmp(end, start) > 0)
688 764 return NULL;
689 765 estate = alloc_estate_range(end, start);
690 766 estate_set_hard_max(estate);
691 767 estate_set_fuzzy_max(estate, estate_get_fuzzy_max(estate));
692 768 set_extra_expr_mod(iter_var, estate);
693 769 return get_sm_state_expr(SMATCH_EXTRA, iter_var);
694 770 }
695 771
696 772 static struct sm_state *handle_canonical_for_loops(struct statement *loop)
697 773 {
698 774 struct expression *iter_expr;
699 775 struct expression *condition;
700 776
701 777 if (!loop->iterator_post_statement)
702 778 return NULL;
703 779 if (loop->iterator_post_statement->type != STMT_EXPRESSION)
704 780 return NULL;
705 781 iter_expr = loop->iterator_post_statement->expression;
706 782 if (!loop->iterator_pre_condition)
707 783 return NULL;
708 784 if (loop->iterator_pre_condition->type != EXPR_COMPARE)
709 785 return NULL;
710 786 condition = loop->iterator_pre_condition;
711 787
712 788 if (iter_expr->op == SPECIAL_INCREMENT)
713 789 return handle_canonical_for_inc(iter_expr, condition);
714 790 if (iter_expr->op == SPECIAL_DECREMENT)
715 791 return handle_canonical_for_dec(iter_expr, condition);
716 792 return NULL;
717 793 }
718 794
719 795 struct sm_state *__extra_handle_canonical_loops(struct statement *loop, struct stree **stree)
720 796 {
721 797 struct sm_state *ret;
722 798
723 799 /*
724 800 * Canonical loops are a hack. The proper way to handle this is to
725 801 * use two passes, but unfortunately, doing two passes makes parsing
726 802 * code twice as slow.
727 803 *
728 804 * What we do is we set the inside state here, which overwrites whatever
729 805 * __extra_match_condition() does. Then we set the outside state in
730 806 * __extra_pre_loop_hook_after().
731 807 *
732 808 */
733 809 __push_fake_cur_stree();
734 810 if (!loop->iterator_post_statement)
735 811 ret = handle_canonical_while_count_down(loop);
736 812 else
737 813 ret = handle_canonical_for_loops(loop);
738 814 *stree = __pop_fake_cur_stree();
739 815 return ret;
740 816 }
741 817
742 818 int __iterator_unchanged(struct sm_state *sm)
743 819 {
744 820 if (!sm)
745 821 return 0;
746 822 if (get_sm_state(my_id, sm->name, sm->sym) == sm)
747 823 return 1;
748 824 return 0;
749 825 }
750 826
751 827 static void while_count_down_after(struct sm_state *sm, struct expression *condition)
752 828 {
753 829 struct expression *unop;
754 830 int op;
755 831 sval_t limit, after_value;
756 832
757 833 if (!get_countdown_info(condition, &unop, &op, &limit))
758 834 return;
759 835 after_value = estate_min(sm->state);
760 836 after_value.value--;
761 837 set_extra_mod(sm->name, sm->sym, condition->unop, alloc_estate_sval(after_value));
762 838 }
763 839
764 840 void __extra_pre_loop_hook_after(struct sm_state *sm,
765 841 struct statement *iterator,
766 842 struct expression *condition)
767 843 {
768 844 struct expression *iter_expr;
769 845 sval_t limit;
770 846 struct smatch_state *state;
771 847
772 848 if (!iterator) {
773 849 while_count_down_after(sm, condition);
774 850 return;
775 851 }
776 852
777 853 iter_expr = iterator->expression;
778 854
779 855 if (condition->type != EXPR_COMPARE)
780 856 return;
781 857 if (iter_expr->op == SPECIAL_INCREMENT) {
782 858 limit = sval_binop(estate_max(sm->state), '+',
783 859 sval_type_val(estate_type(sm->state), 1));
784 860 } else {
785 861 limit = sval_binop(estate_min(sm->state), '-',
786 862 sval_type_val(estate_type(sm->state), 1));
787 863 }
788 864 limit = sval_cast(estate_type(sm->state), limit);
789 865 if (!estate_has_hard_max(sm->state) && !__has_breaks()) {
790 866 if (iter_expr->op == SPECIAL_INCREMENT)
791 867 state = alloc_estate_range(estate_min(sm->state), limit);
792 868 else
793 869 state = alloc_estate_range(limit, estate_max(sm->state));
794 870 } else {
795 871 state = alloc_estate_sval(limit);
796 872 }
797 873 if (!estate_has_hard_max(sm->state)) {
798 874 estate_clear_hard_max(state);
799 875 }
800 876 if (estate_has_fuzzy_max(sm->state)) {
801 877 sval_t hmax = estate_get_fuzzy_max(sm->state);
802 878 sval_t max = estate_max(sm->state);
803 879
804 880 if (sval_cmp(hmax, max) != 0)
805 881 estate_clear_fuzzy_max(state);
806 882 } else if (!estate_has_fuzzy_max(sm->state)) {
807 883 estate_clear_fuzzy_max(state);
808 884 }
809 885
810 886 set_extra_mod(sm->name, sm->sym, iter_expr, state);
811 887 }
812 888
813 889 static bool get_global_rl(const char *name, struct symbol *sym, struct range_list **rl)
814 890 {
815 891 struct expression *expr;
816 892
817 893 if (!sym || !(sym->ctype.modifiers & MOD_TOPLEVEL) || !sym->ident)
818 894 return false;
819 895 if (strcmp(sym->ident->name, name) != 0)
820 896 return false;
821 897
822 898 expr = symbol_expression(sym);
823 899 return get_implied_rl(expr, rl);
824 900 }
825 901
826 902 static struct stree *unmatched_stree;
827 903 static struct smatch_state *unmatched_state(struct sm_state *sm)
828 904 {
829 905 struct smatch_state *state;
830 906 struct range_list *rl;
831 907
832 908 if (unmatched_stree) {
833 909 state = get_state_stree(unmatched_stree, SMATCH_EXTRA, sm->name, sm->sym);
834 910 if (state)
835 911 return state;
836 912 }
837 913 if (parent_is_gone_var_sym(sm->name, sm->sym))
838 914 return alloc_estate_empty();
839 915 if (get_global_rl(sm->name, sm->sym, &rl))
840 916 return alloc_estate_rl(rl);
841 917 return alloc_estate_whole(estate_type(sm->state));
842 918 }
843 919
844 920 static void clear_the_pointed_at(struct expression *expr)
845 921 {
846 922 struct stree *stree;
847 923 char *name;
848 924 struct symbol *sym;
849 925 struct sm_state *tmp;
850 926
851 927 name = expr_to_var_sym(expr, &sym);
852 928 if (!name || !sym)
853 929 goto free;
854 930
855 931 stree = __get_cur_stree();
856 932 FOR_EACH_MY_SM(SMATCH_EXTRA, stree, tmp) {
857 933 if (tmp->name[0] != '*')
858 934 continue;
859 935 if (tmp->sym != sym)
860 936 continue;
861 937 if (strcmp(tmp->name + 1, name) != 0)
862 938 continue;
863 939 set_extra_mod(tmp->name, tmp->sym, expr, alloc_estate_whole(estate_type(tmp->state)));
864 940 } END_FOR_EACH_SM(tmp);
865 941
866 942 free:
867 943 free_string(name);
868 944 }
869 945
870 946 static int is_const_param(struct expression *expr, int param)
871 947 {
872 948 struct symbol *type;
873 949
874 950 type = get_arg_type(expr, param);
875 951 if (!type)
876 952 return 0;
877 953 if (type->ctype.modifiers & MOD_CONST)
878 954 return 1;
879 955 return 0;
880 956 }
881 957
882 958 static void match_function_call(struct expression *expr)
883 959 {
884 960 struct expression *arg;
885 961 struct expression *tmp;
886 962 int param = -1;
887 963
888 964 /* if we have the db this is handled in smatch_function_hooks.c */
889 965 if (!option_no_db)
890 966 return;
891 967 if (inlinable(expr->fn))
892 968 return;
893 969
894 970 FOR_EACH_PTR(expr->args, arg) {
895 971 param++;
896 972 if (is_const_param(expr->fn, param))
897 973 continue;
898 974 tmp = strip_expr(arg);
899 975 if (tmp->type == EXPR_PREOP && tmp->op == '&')
900 976 set_extra_expr_mod(tmp->unop, alloc_estate_whole(get_type(tmp->unop)));
901 977 else
902 978 clear_the_pointed_at(tmp);
903 979 } END_FOR_EACH_PTR(arg);
904 980 }
905 981
906 982 int values_fit_type(struct expression *left, struct expression *right)
907 983 {
908 984 struct range_list *rl;
909 985 struct symbol *type;
910 986
911 987 type = get_type(left);
912 988 if (!type)
913 989 return 0;
914 990 get_absolute_rl(right, &rl);
915 991 if (type == rl_type(rl))
916 992 return 1;
917 993 if (type_unsigned(type) && sval_is_negative(rl_min(rl)))
918 994 return 0;
919 995 if (sval_cmp(sval_type_min(type), rl_min(rl)) > 0)
920 996 return 0;
921 997 if (sval_cmp(sval_type_max(type), rl_max(rl)) < 0)
922 998 return 0;
923 999 return 1;
924 1000 }
925 1001
926 1002 static void save_chunk_info(struct expression *left, struct expression *right)
927 1003 {
928 1004 struct var_sym_list *vsl;
929 1005 struct var_sym *vs;
930 1006 struct expression *add_expr;
931 1007 struct symbol *type;
932 1008 sval_t sval;
933 1009 char *name;
934 1010 struct symbol *sym;
935 1011
936 1012 if (right->type != EXPR_BINOP || right->op != '-')
937 1013 return;
938 1014 if (!get_value(right->left, &sval))
939 1015 return;
940 1016 if (!expr_to_sym(right->right))
941 1017 return;
942 1018
943 1019 add_expr = binop_expression(left, '+', right->right);
944 1020 type = get_type(add_expr);
945 1021 if (!type)
946 1022 return;
947 1023 name = expr_to_chunk_sym_vsl(add_expr, &sym, &vsl);
948 1024 if (!name || !vsl)
949 1025 goto free;
950 1026 FOR_EACH_PTR(vsl, vs) {
951 1027 store_link(link_id, vs->var, vs->sym, name, sym);
952 1028 } END_FOR_EACH_PTR(vs);
953 1029
954 1030 set_state(SMATCH_EXTRA, name, sym, alloc_estate_sval(sval_cast(type, sval)));
955 1031 free:
956 1032 free_string(name);
957 1033 }
958 1034
959 1035 static void do_array_assign(struct expression *left, int op, struct expression *right)
960 1036 {
961 1037 struct range_list *rl;
962 1038
963 1039 if (op == '=') {
964 1040 get_absolute_rl(right, &rl);
965 1041 rl = cast_rl(get_type(left), rl);
966 1042 } else {
967 1043 rl = alloc_whole_rl(get_type(left));
968 1044 }
969 1045
970 1046 set_extra_array_mod(left, alloc_estate_rl(rl));
971 1047 }
972 1048
973 1049 static void match_vanilla_assign(struct expression *left, struct expression *right)
974 1050 {
975 1051 struct range_list *orig_rl = NULL;
976 1052 struct range_list *rl = NULL;
977 1053 struct symbol *right_sym;
978 1054 struct symbol *left_type;
979 1055 struct symbol *right_type;
980 1056 char *right_name = NULL;
981 1057 struct symbol *sym;
982 1058 char *name;
983 1059 sval_t sval, max;
984 1060 struct smatch_state *state;
985 1061 int comparison;
986 1062
987 1063 if (is_struct(left))
988 1064 return;
989 1065
990 1066 save_chunk_info(left, right);
991 1067
992 1068 name = expr_to_var_sym(left, &sym);
993 1069 if (!name) {
994 1070 if (chunk_has_array(left))
995 1071 do_array_assign(left, '=', right);
996 1072 return;
997 1073 }
998 1074
999 1075 left_type = get_type(left);
1000 1076 right_type = get_type(right);
1001 1077
1002 1078 right_name = expr_to_var_sym(right, &right_sym);
1003 1079
1004 1080 if (!__in_fake_assign &&
1005 1081 !(right->type == EXPR_PREOP && right->op == '&') &&
1006 1082 right_name && right_sym &&
1007 1083 values_fit_type(left, strip_expr(right)) &&
1008 1084 !has_symbol(right, sym)) {
1009 1085 set_equiv(left, right);
1010 1086 goto free;
1011 1087 }
1012 1088
1013 1089 if (is_pointer(right) && get_address_rl(right, &rl)) {
1014 1090 state = alloc_estate_rl(rl);
1015 1091 goto done;
1016 1092 }
1017 1093
1018 1094 if (get_implied_value(right, &sval)) {
1019 1095 state = alloc_estate_sval(sval_cast(left_type, sval));
1020 1096 goto done;
1021 1097 }
1022 1098
1023 1099 if (__in_fake_assign) {
1024 1100 struct smatch_state *right_state;
1025 1101 sval_t sval;
1026 1102
1027 1103 if (get_value(right, &sval)) {
1028 1104 sval = sval_cast(left_type, sval);
1029 1105 state = alloc_estate_sval(sval);
1030 1106 goto done;
1031 1107 }
1032 1108
1033 1109 right_state = get_state(SMATCH_EXTRA, right_name, right_sym);
1034 1110 if (right_state) {
1035 1111 /* simple assignment */
1036 1112 state = clone_estate(right_state);
1037 1113 goto done;
1038 1114 }
1039 1115
1040 1116 state = alloc_estate_rl(alloc_whole_rl(left_type));
1041 1117 goto done;
1042 1118 }
1043 1119
1044 1120 comparison = get_comparison_no_extra(left, right);
1045 1121 if (comparison) {
1046 1122 comparison = flip_comparison(comparison);
1047 1123 get_implied_rl(left, &orig_rl);
1048 1124 }
1049 1125
1050 1126 if (get_implied_rl(right, &rl)) {
1051 1127 rl = cast_rl(left_type, rl);
1052 1128 if (orig_rl)
1053 1129 filter_by_comparison(&rl, comparison, orig_rl);
1054 1130 state = alloc_estate_rl(rl);
1055 1131 if (get_hard_max(right, &max)) {
1056 1132 estate_set_hard_max(state);
1057 1133 estate_set_fuzzy_max(state, max);
1058 1134 }
1059 1135 } else {
1060 1136 rl = alloc_whole_rl(right_type);
1061 1137 rl = cast_rl(left_type, rl);
1062 1138 if (orig_rl)
1063 1139 filter_by_comparison(&rl, comparison, orig_rl);
1064 1140 state = alloc_estate_rl(rl);
1065 1141 }
1066 1142
1067 1143 done:
1068 1144 set_extra_mod(name, sym, left, state);
1069 1145 free:
1070 1146 free_string(right_name);
1071 1147 }
1072 1148
1073 1149 static void match_assign(struct expression *expr)
1074 1150 {
1075 1151 struct range_list *rl = NULL;
1076 1152 struct expression *left;
1077 1153 struct expression *right;
1078 1154 struct expression *binop_expr;
1079 1155 struct symbol *left_type;
1080 1156 struct symbol *sym;
1081 1157 char *name;
1082 1158
1083 1159 left = strip_expr(expr->left);
1084 1160
1085 1161 right = strip_parens(expr->right);
1086 1162 if (right->type == EXPR_CALL && sym_name_is("__builtin_expect", right->fn))
1087 1163 right = get_argument_from_call_expr(right->args, 0);
1088 1164 while (right->type == EXPR_ASSIGNMENT && right->op == '=')
1089 1165 right = strip_parens(right->left);
1090 1166
1091 1167 if (expr->op == '=' && is_condition(expr->right))
1092 1168 return; /* handled in smatch_condition.c */
1093 1169 if (expr->op == '=' && right->type == EXPR_CALL)
1094 1170 return; /* handled in smatch_function_hooks.c */
1095 1171 if (expr->op == '=') {
1096 1172 match_vanilla_assign(left, right);
1097 1173 return;
1098 1174 }
1099 1175
1100 1176 name = expr_to_var_sym(left, &sym);
1101 1177 if (!name)
1102 1178 return;
1103 1179
1104 1180 left_type = get_type(left);
1105 1181
1106 1182 switch (expr->op) {
1107 1183 case SPECIAL_ADD_ASSIGN:
1108 1184 case SPECIAL_SUB_ASSIGN:
1109 1185 case SPECIAL_AND_ASSIGN:
1110 1186 case SPECIAL_MOD_ASSIGN:
1111 1187 case SPECIAL_SHL_ASSIGN:
1112 1188 case SPECIAL_SHR_ASSIGN:
1113 1189 case SPECIAL_OR_ASSIGN:
1114 1190 case SPECIAL_XOR_ASSIGN:
1115 1191 case SPECIAL_MUL_ASSIGN:
1116 1192 case SPECIAL_DIV_ASSIGN:
1117 1193 binop_expr = binop_expression(expr->left,
1118 1194 op_remove_assign(expr->op),
1119 1195 expr->right);
1120 1196 get_absolute_rl(binop_expr, &rl);
1121 1197 rl = cast_rl(left_type, rl);
1122 1198 if (inside_loop()) {
1123 1199 if (expr->op == SPECIAL_ADD_ASSIGN)
1124 1200 add_range(&rl, rl_max(rl), sval_type_max(rl_type(rl)));
1125 1201
1126 1202 if (expr->op == SPECIAL_SUB_ASSIGN &&
1127 1203 !sval_is_negative(rl_min(rl))) {
1128 1204 sval_t zero = { .type = rl_type(rl) };
1129 1205
1130 1206 add_range(&rl, rl_min(rl), zero);
1131 1207 }
1132 1208 }
1133 1209 set_extra_mod(name, sym, left, alloc_estate_rl(rl));
1134 1210 goto free;
1135 1211 }
1136 1212 set_extra_mod(name, sym, left, alloc_estate_whole(left_type));
1137 1213 free:
1138 1214 free_string(name);
1139 1215 }
1140 1216
1141 1217 static struct smatch_state *increment_state(struct smatch_state *state)
1142 1218 {
1143 1219 sval_t min = estate_min(state);
1144 1220 sval_t max = estate_max(state);
1145 1221
1146 1222 if (!estate_rl(state))
1147 1223 return NULL;
1148 1224
1149 1225 if (inside_loop())
1150 1226 max = sval_type_max(max.type);
1151 1227
1152 1228 if (!sval_is_min(min) && !sval_is_max(min))
1153 1229 min.value++;
1154 1230 if (!sval_is_min(max) && !sval_is_max(max))
1155 1231 max.value++;
1156 1232 return alloc_estate_range(min, max);
1157 1233 }
1158 1234
1159 1235 static struct smatch_state *decrement_state(struct smatch_state *state)
1160 1236 {
1161 1237 sval_t min = estate_min(state);
1162 1238 sval_t max = estate_max(state);
1163 1239
1164 1240 if (!estate_rl(state))
1165 1241 return NULL;
1166 1242
1167 1243 if (inside_loop())
1168 1244 min = sval_type_min(min.type);
1169 1245
1170 1246 if (!sval_is_min(min) && !sval_is_max(min))
1171 1247 min.value--;
1172 1248 if (!sval_is_min(max) && !sval_is_max(max))
1173 1249 max.value--;
1174 1250 return alloc_estate_range(min, max);
1175 1251 }
1176 1252
1177 1253 static void clear_pointed_at_state(struct expression *expr)
1178 1254 {
1179 1255 struct symbol *type;
1180 1256
1181 1257 /*
1182 1258 * ALERT: This is sort of a mess. If it's is a struct assigment like
1183 1259 * "foo = bar;", then that's handled by smatch_struct_assignment.c.
1184 1260 * the same thing for p++ where "p" is a struct. Most modifications
1185 1261 * are handled by the assignment hook or the db. Smatch_extra.c doesn't
1186 1262 * use smatch_modification.c because we have to get the ordering right
1187 1263 * or something. So if you have p++ where p is a pointer to a standard
1188 1264 * c type then we handle that here. What a mess.
1189 1265 */
1190 1266 expr = strip_expr(expr);
1191 1267 type = get_type(expr);
1192 1268 if (!type || type->type != SYM_PTR)
1193 1269 return;
1194 1270 type = get_real_base_type(type);
1195 1271 if (!type || type->type != SYM_BASETYPE)
1196 1272 return;
1197 1273 set_extra_expr_nomod(deref_expression(expr), alloc_estate_whole(type));
1198 1274 }
1199 1275
1200 1276 static void unop_expr(struct expression *expr)
1201 1277 {
1202 1278 struct smatch_state *state;
1203 1279
1204 1280 if (expr->smatch_flags & Handled)
1205 1281 return;
1206 1282
1207 1283 switch (expr->op) {
1208 1284 case SPECIAL_INCREMENT:
1209 1285 state = get_state_expr(SMATCH_EXTRA, expr->unop);
1210 1286 state = increment_state(state);
1211 1287 if (!state)
1212 1288 state = alloc_estate_whole(get_type(expr));
1213 1289 set_extra_expr_mod(expr->unop, state);
1214 1290 clear_pointed_at_state(expr->unop);
1215 1291 break;
1216 1292 case SPECIAL_DECREMENT:
1217 1293 state = get_state_expr(SMATCH_EXTRA, expr->unop);
1218 1294 state = decrement_state(state);
1219 1295 if (!state)
1220 1296 state = alloc_estate_whole(get_type(expr));
1221 1297 set_extra_expr_mod(expr->unop, state);
1222 1298 clear_pointed_at_state(expr->unop);
1223 1299 break;
|
↓ open down ↓ |
950 lines elided |
↑ open up ↑ |
1224 1300 default:
1225 1301 return;
1226 1302 }
1227 1303 }
1228 1304
1229 1305 static void asm_expr(struct statement *stmt)
1230 1306 {
1231 1307
1232 1308 struct expression *expr;
1233 1309 struct symbol *type;
1234 - int state = 0;
1235 1310
1236 1311 FOR_EACH_PTR(stmt->asm_outputs, expr) {
1237 - switch (state) {
1238 - case 0: /* identifier */
1239 - case 1: /* constraint */
1240 - state++;
1312 + if (expr->type != EXPR_ASM_OPERAND) {
1313 + sm_perror("unexpected asm param type %d", expr->type);
1241 1314 continue;
1242 - case 2: /* expression */
1243 - state = 0;
1244 - type = get_type(strip_expr(expr));
1245 - set_extra_expr_mod(expr, alloc_estate_whole(type));
1246 - continue;
1247 1315 }
1316 + type = get_type(strip_expr(expr->expr));
1317 + set_extra_expr_mod(expr->expr, alloc_estate_whole(type));
1248 1318 } END_FOR_EACH_PTR(expr);
1249 1319 }
1250 1320
1251 1321 static void check_dereference(struct expression *expr)
1252 1322 {
1253 1323 struct smatch_state *state;
1254 1324
1255 1325 if (__in_fake_assign)
1256 1326 return;
1257 1327 if (outside_of_function())
1258 1328 return;
1259 1329 state = get_extra_state(expr);
1260 1330 if (state) {
1261 1331 struct range_list *rl;
1262 1332
1263 1333 rl = rl_intersection(estate_rl(state), valid_ptr_rl);
1264 1334 if (rl_equiv(rl, estate_rl(state)))
1265 1335 return;
1266 1336 set_extra_expr_nomod(expr, alloc_estate_rl(rl));
1267 1337 } else {
1268 1338 struct range_list *rl;
1269 1339
1270 1340 if (get_mtag_rl(expr, &rl))
1271 1341 rl = rl_intersection(rl, valid_ptr_rl);
1272 1342 else
|
↓ open down ↓ |
15 lines elided |
↑ open up ↑ |
1273 1343 rl = clone_rl(valid_ptr_rl);
1274 1344
1275 1345 set_extra_expr_nomod(expr, alloc_estate_rl(rl));
1276 1346 }
1277 1347 }
1278 1348
1279 1349 static void match_dereferences(struct expression *expr)
1280 1350 {
1281 1351 if (expr->type != EXPR_PREOP)
1282 1352 return;
1353 + if (getting_address(expr))
1354 + return;
1283 1355 /* it's saying that foo[1] = bar dereferences foo[1] */
1284 1356 if (is_array(expr))
1285 1357 return;
1286 1358 check_dereference(expr->unop);
1287 1359 }
1288 1360
1289 1361 static void match_pointer_as_array(struct expression *expr)
1290 1362 {
1291 1363 if (!is_array(expr))
1292 1364 return;
1293 1365 check_dereference(get_array_base(expr));
1294 1366 }
1295 1367
1296 1368 static void find_dereferences(struct expression *expr)
1297 1369 {
1298 1370 while (expr->type == EXPR_PREOP) {
1299 1371 if (expr->op == '*')
1300 1372 check_dereference(expr->unop);
1301 1373 expr = strip_expr(expr->unop);
1302 1374 }
1303 1375 }
1304 1376
1305 1377 static void set_param_dereferenced(struct expression *call, struct expression *arg, char *key, char *unused)
1306 1378 {
1307 1379 struct symbol *sym;
1308 1380 char *name;
1309 1381
1310 1382 name = get_variable_from_key(arg, key, &sym);
1311 1383 if (name && sym) {
1312 1384 struct smatch_state *orig, *new;
1313 1385 struct range_list *rl;
1314 1386
1315 1387 orig = get_state(SMATCH_EXTRA, name, sym);
1316 1388 if (orig) {
1317 1389 rl = rl_intersection(estate_rl(orig),
1318 1390 alloc_rl(valid_ptr_min_sval,
1319 1391 valid_ptr_max_sval));
1320 1392 new = alloc_estate_rl(rl);
1321 1393 } else {
1322 1394 new = alloc_estate_range(valid_ptr_min_sval, valid_ptr_max_sval);
1323 1395 }
1324 1396
1325 1397 set_extra_nomod(name, sym, NULL, new);
1326 1398 }
1327 1399 free_string(name);
1328 1400
1329 1401 find_dereferences(arg);
1330 1402 }
1331 1403
1332 1404 static sval_t add_one(sval_t sval)
1333 1405 {
1334 1406 sval.value++;
1335 1407 return sval;
1336 1408 }
1337 1409
1338 1410 static int handle_postop_inc(struct expression *left, int op, struct expression *right)
1339 1411 {
1340 1412 struct statement *stmt;
1341 1413 struct expression *cond;
1342 1414 struct smatch_state *true_state, *false_state;
1343 1415 struct symbol *type;
1344 1416 sval_t start;
1345 1417 sval_t limit;
1346 1418
1347 1419 /*
1348 1420 * If we're decrementing here then that's a canonical while count down
1349 1421 * so it's handled already. We're only handling loops like:
1350 1422 * i = 0;
1351 1423 * do { ... } while (i++ < 3);
1352 1424 */
1353 1425
1354 1426 if (left->type != EXPR_POSTOP || left->op != SPECIAL_INCREMENT)
1355 1427 return 0;
1356 1428
1357 1429 stmt = __cur_stmt->parent;
1358 1430 if (!stmt)
1359 1431 return 0;
1360 1432 if (stmt->type == STMT_COMPOUND)
1361 1433 stmt = stmt->parent;
1362 1434 if (!stmt || stmt->type != STMT_ITERATOR || !stmt->iterator_post_condition)
1363 1435 return 0;
1364 1436
1365 1437 cond = strip_expr(stmt->iterator_post_condition);
1366 1438 if (cond->type != EXPR_COMPARE || cond->op != op)
1367 1439 return 0;
1368 1440 if (left != strip_expr(cond->left) || right != strip_expr(cond->right))
1369 1441 return 0;
1370 1442
1371 1443 if (!get_implied_value(left->unop, &start))
1372 1444 return 0;
1373 1445 if (!get_implied_value(right, &limit))
1374 1446 return 0;
1375 1447 type = get_type(left->unop);
1376 1448 limit = sval_cast(type, limit);
1377 1449 if (sval_cmp(start, limit) > 0)
1378 1450 return 0;
1379 1451
1380 1452 switch (op) {
1381 1453 case '<':
1382 1454 case SPECIAL_UNSIGNED_LT:
1383 1455 break;
1384 1456 case SPECIAL_LTE:
1385 1457 case SPECIAL_UNSIGNED_LTE:
1386 1458 limit = add_one(limit);
1387 1459 default:
1388 1460 return 0;
1389 1461
1390 1462 }
1391 1463
1392 1464 true_state = alloc_estate_range(add_one(start), limit);
1393 1465 false_state = alloc_estate_range(add_one(limit), add_one(limit));
1394 1466
1395 1467 /* Currently we just discard the false state but when two passes is
1396 1468 * implimented correctly then it will use it.
1397 1469 */
1398 1470
1399 1471 set_extra_expr_true_false(left->unop, true_state, false_state);
1400 1472
1401 1473 return 1;
1402 1474 }
1403 1475
1404 1476 bool is_impossible_variable(struct expression *expr)
1405 1477 {
1406 1478 struct smatch_state *state;
1407 1479
1408 1480 state = get_extra_state(expr);
1409 1481 if (state && !estate_rl(state))
1410 1482 return true;
1411 1483 return false;
1412 1484 }
1413 1485
1414 1486 static bool in_macro(struct expression *left, struct expression *right)
1415 1487 {
1416 1488 if (!left || !right)
1417 1489 return 0;
1418 1490 if (left->pos.line != right->pos.line || left->pos.pos != right->pos.pos)
1419 1491 return 0;
1420 1492 if (get_macro_name(left->pos))
1421 1493 return 1;
1422 1494 return 0;
1423 1495 }
1424 1496
1425 1497 static void handle_comparison(struct symbol *type, struct expression *left, int op, struct expression *right)
1426 1498 {
1427 1499 struct range_list *left_orig;
1428 1500 struct range_list *left_true;
1429 1501 struct range_list *left_false;
1430 1502 struct range_list *right_orig;
1431 1503 struct range_list *right_true;
1432 1504 struct range_list *right_false;
1433 1505 struct smatch_state *left_true_state;
1434 1506 struct smatch_state *left_false_state;
1435 1507 struct smatch_state *right_true_state;
1436 1508 struct smatch_state *right_false_state;
1437 1509 sval_t dummy, hard_max;
1438 1510 int left_postop = 0;
1439 1511 int right_postop = 0;
1440 1512
1441 1513 if (left->op == SPECIAL_INCREMENT || left->op == SPECIAL_DECREMENT) {
1442 1514 if (left->type == EXPR_POSTOP) {
1443 1515 left->smatch_flags |= Handled;
1444 1516 left_postop = left->op;
1445 1517 if (handle_postop_inc(left, op, right))
1446 1518 return;
1447 1519 }
1448 1520 left = strip_parens(left->unop);
1449 1521 }
1450 1522 while (left->type == EXPR_ASSIGNMENT)
1451 1523 left = strip_parens(left->left);
1452 1524
1453 1525 if (right->op == SPECIAL_INCREMENT || right->op == SPECIAL_DECREMENT) {
1454 1526 if (right->type == EXPR_POSTOP) {
1455 1527 right->smatch_flags |= Handled;
1456 1528 right_postop = right->op;
1457 1529 }
1458 1530 right = strip_parens(right->unop);
1459 1531 }
1460 1532
1461 1533 if (is_impossible_variable(left) || is_impossible_variable(right))
1462 1534 return;
1463 1535
1464 1536 get_real_absolute_rl(left, &left_orig);
1465 1537 left_orig = cast_rl(type, left_orig);
1466 1538
1467 1539 get_real_absolute_rl(right, &right_orig);
1468 1540 right_orig = cast_rl(type, right_orig);
1469 1541
1470 1542 split_comparison_rl(left_orig, op, right_orig, &left_true, &left_false, &right_true, &right_false);
1471 1543
1472 1544 left_true = rl_truncate_cast(get_type(strip_expr(left)), left_true);
1473 1545 left_false = rl_truncate_cast(get_type(strip_expr(left)), left_false);
1474 1546 right_true = rl_truncate_cast(get_type(strip_expr(right)), right_true);
1475 1547 right_false = rl_truncate_cast(get_type(strip_expr(right)), right_false);
1476 1548
1477 1549 if (!left_true || !left_false) {
1478 1550 struct range_list *tmp_true, *tmp_false;
1479 1551
1480 1552 split_comparison_rl(alloc_whole_rl(type), op, right_orig, &tmp_true, &tmp_false, NULL, NULL);
1481 1553 tmp_true = rl_truncate_cast(get_type(strip_expr(left)), tmp_true);
1482 1554 tmp_false = rl_truncate_cast(get_type(strip_expr(left)), tmp_false);
1483 1555 if (tmp_true && tmp_false)
1484 1556 __save_imaginary_state(left, tmp_true, tmp_false);
1485 1557 }
1486 1558
1487 1559 if (!right_true || !right_false) {
1488 1560 struct range_list *tmp_true, *tmp_false;
1489 1561
1490 1562 split_comparison_rl(alloc_whole_rl(type), op, right_orig, NULL, NULL, &tmp_true, &tmp_false);
1491 1563 tmp_true = rl_truncate_cast(get_type(strip_expr(right)), tmp_true);
1492 1564 tmp_false = rl_truncate_cast(get_type(strip_expr(right)), tmp_false);
1493 1565 if (tmp_true && tmp_false)
1494 1566 __save_imaginary_state(right, tmp_true, tmp_false);
1495 1567 }
1496 1568
1497 1569 left_true_state = alloc_estate_rl(left_true);
1498 1570 left_false_state = alloc_estate_rl(left_false);
1499 1571 right_true_state = alloc_estate_rl(right_true);
1500 1572 right_false_state = alloc_estate_rl(right_false);
1501 1573
1502 1574 switch (op) {
1503 1575 case '<':
1504 1576 case SPECIAL_UNSIGNED_LT:
1505 1577 case SPECIAL_UNSIGNED_LTE:
1506 1578 case SPECIAL_LTE:
1507 1579 if (get_implied_value(right, &dummy) && !in_macro(left, right))
1508 1580 estate_set_hard_max(left_true_state);
1509 1581 if (get_implied_value(left, &dummy) && !in_macro(left, right))
1510 1582 estate_set_hard_max(right_false_state);
1511 1583 break;
1512 1584 case '>':
1513 1585 case SPECIAL_UNSIGNED_GT:
1514 1586 case SPECIAL_UNSIGNED_GTE:
1515 1587 case SPECIAL_GTE:
1516 1588 if (get_implied_value(left, &dummy) && !in_macro(left, right))
1517 1589 estate_set_hard_max(right_true_state);
1518 1590 if (get_implied_value(right, &dummy) && !in_macro(left, right))
1519 1591 estate_set_hard_max(left_false_state);
1520 1592 break;
1521 1593 }
1522 1594
1523 1595 switch (op) {
1524 1596 case '<':
1525 1597 case SPECIAL_UNSIGNED_LT:
1526 1598 case SPECIAL_UNSIGNED_LTE:
1527 1599 case SPECIAL_LTE:
1528 1600 if (get_hard_max(right, &hard_max)) {
1529 1601 if (op == '<' || op == SPECIAL_UNSIGNED_LT)
1530 1602 hard_max.value--;
1531 1603 estate_set_fuzzy_max(left_true_state, hard_max);
1532 1604 }
1533 1605 if (get_implied_value(right, &hard_max)) {
1534 1606 if (op == SPECIAL_UNSIGNED_LTE ||
1535 1607 op == SPECIAL_LTE)
1536 1608 hard_max.value++;
1537 1609 estate_set_fuzzy_max(left_false_state, hard_max);
1538 1610 }
1539 1611 if (get_hard_max(left, &hard_max)) {
1540 1612 if (op == SPECIAL_UNSIGNED_LTE ||
1541 1613 op == SPECIAL_LTE)
1542 1614 hard_max.value--;
1543 1615 estate_set_fuzzy_max(right_false_state, hard_max);
1544 1616 }
1545 1617 if (get_implied_value(left, &hard_max)) {
1546 1618 if (op == '<' || op == SPECIAL_UNSIGNED_LT)
1547 1619 hard_max.value++;
1548 1620 estate_set_fuzzy_max(right_true_state, hard_max);
1549 1621 }
1550 1622 break;
1551 1623 case '>':
1552 1624 case SPECIAL_UNSIGNED_GT:
1553 1625 case SPECIAL_UNSIGNED_GTE:
1554 1626 case SPECIAL_GTE:
1555 1627 if (get_hard_max(left, &hard_max)) {
1556 1628 if (op == '>' || op == SPECIAL_UNSIGNED_GT)
1557 1629 hard_max.value--;
1558 1630 estate_set_fuzzy_max(right_true_state, hard_max);
1559 1631 }
1560 1632 if (get_implied_value(left, &hard_max)) {
1561 1633 if (op == SPECIAL_UNSIGNED_GTE ||
1562 1634 op == SPECIAL_GTE)
1563 1635 hard_max.value++;
1564 1636 estate_set_fuzzy_max(right_false_state, hard_max);
1565 1637 }
1566 1638 if (get_hard_max(right, &hard_max)) {
1567 1639 if (op == SPECIAL_UNSIGNED_LTE ||
1568 1640 op == SPECIAL_LTE)
1569 1641 hard_max.value--;
1570 1642 estate_set_fuzzy_max(left_false_state, hard_max);
1571 1643 }
1572 1644 if (get_implied_value(right, &hard_max)) {
1573 1645 if (op == '>' ||
1574 1646 op == SPECIAL_UNSIGNED_GT)
1575 1647 hard_max.value++;
1576 1648 estate_set_fuzzy_max(left_true_state, hard_max);
1577 1649 }
1578 1650 break;
1579 1651 case SPECIAL_EQUAL:
1580 1652 if (get_hard_max(left, &hard_max))
1581 1653 estate_set_fuzzy_max(right_true_state, hard_max);
1582 1654 if (get_hard_max(right, &hard_max))
1583 1655 estate_set_fuzzy_max(left_true_state, hard_max);
1584 1656 break;
1585 1657 }
1586 1658
1587 1659 if (get_hard_max(left, &hard_max)) {
1588 1660 estate_set_hard_max(left_true_state);
1589 1661 estate_set_hard_max(left_false_state);
1590 1662 }
1591 1663 if (get_hard_max(right, &hard_max)) {
1592 1664 estate_set_hard_max(right_true_state);
1593 1665 estate_set_hard_max(right_false_state);
1594 1666 }
1595 1667
1596 1668 if (left_postop == SPECIAL_INCREMENT) {
1597 1669 left_true_state = increment_state(left_true_state);
1598 1670 left_false_state = increment_state(left_false_state);
1599 1671 }
1600 1672 if (left_postop == SPECIAL_DECREMENT) {
1601 1673 left_true_state = decrement_state(left_true_state);
1602 1674 left_false_state = decrement_state(left_false_state);
1603 1675 }
1604 1676 if (right_postop == SPECIAL_INCREMENT) {
1605 1677 right_true_state = increment_state(right_true_state);
1606 1678 right_false_state = increment_state(right_false_state);
1607 1679 }
1608 1680 if (right_postop == SPECIAL_DECREMENT) {
1609 1681 right_true_state = decrement_state(right_true_state);
1610 1682 right_false_state = decrement_state(right_false_state);
1611 1683 }
1612 1684
1613 1685 if (estate_rl(left_true_state) && estates_equiv(left_true_state, left_false_state)) {
1614 1686 left_true_state = NULL;
1615 1687 left_false_state = NULL;
1616 1688 }
1617 1689
1618 1690 if (estate_rl(right_true_state) && estates_equiv(right_true_state, right_false_state)) {
1619 1691 right_true_state = NULL;
1620 1692 right_false_state = NULL;
1621 1693 }
1622 1694
1623 1695 /* Don't introduce new states for known true/false conditions */
1624 1696 if (rl_equiv(left_orig, estate_rl(left_true_state)))
1625 1697 left_true_state = NULL;
1626 1698 if (rl_equiv(left_orig, estate_rl(left_false_state)))
1627 1699 left_false_state = NULL;
1628 1700 if (rl_equiv(right_orig, estate_rl(right_true_state)))
1629 1701 right_true_state = NULL;
1630 1702 if (rl_equiv(right_orig, estate_rl(right_false_state)))
1631 1703 right_false_state = NULL;
1632 1704
1633 1705 set_extra_expr_true_false(left, left_true_state, left_false_state);
1634 1706 set_extra_expr_true_false(right, right_true_state, right_false_state);
1635 1707 }
1636 1708
1637 1709 static int is_simple_math(struct expression *expr)
1638 1710 {
1639 1711 if (!expr)
1640 1712 return 0;
1641 1713 if (expr->type != EXPR_BINOP)
1642 1714 return 0;
1643 1715 switch (expr->op) {
1644 1716 case '+':
1645 1717 case '-':
1646 1718 case '*':
1647 1719 return 1;
1648 1720 }
1649 1721 return 0;
1650 1722 }
1651 1723
1652 1724 static int flip_op(int op)
1653 1725 {
1654 1726 /* We only care about simple math */
1655 1727 switch (op) {
1656 1728 case '+':
1657 1729 return '-';
1658 1730 case '-':
1659 1731 return '+';
1660 1732 case '*':
1661 1733 return '/';
1662 1734 }
1663 1735 return 0;
1664 1736 }
1665 1737
1666 1738 static void move_known_to_rl(struct expression **expr_p, struct range_list **rl_p)
1667 1739 {
1668 1740 struct expression *expr = *expr_p;
1669 1741 struct range_list *rl = *rl_p;
1670 1742 sval_t sval;
1671 1743
1672 1744 if (!is_simple_math(expr))
1673 1745 return;
1674 1746
1675 1747 if (get_implied_value(expr->right, &sval)) {
1676 1748 *expr_p = expr->left;
1677 1749 *rl_p = rl_binop(rl, flip_op(expr->op), alloc_rl(sval, sval));
1678 1750 move_known_to_rl(expr_p, rl_p);
1679 1751 return;
1680 1752 }
1681 1753 if (expr->op == '-')
1682 1754 return;
1683 1755 if (get_implied_value(expr->left, &sval)) {
1684 1756 *expr_p = expr->right;
1685 1757 *rl_p = rl_binop(rl, flip_op(expr->op), alloc_rl(sval, sval));
1686 1758 move_known_to_rl(expr_p, rl_p);
1687 1759 return;
1688 1760 }
1689 1761 }
1690 1762
1691 1763 static void move_known_values(struct expression **left_p, struct expression **right_p)
1692 1764 {
1693 1765 struct expression *left = *left_p;
1694 1766 struct expression *right = *right_p;
1695 1767 sval_t sval, dummy;
1696 1768
1697 1769 if (get_implied_value(left, &sval)) {
1698 1770 if (!is_simple_math(right))
1699 1771 return;
1700 1772 if (get_implied_value(right, &dummy))
1701 1773 return;
1702 1774 if (right->op == '*') {
1703 1775 sval_t divisor;
1704 1776
1705 1777 if (!get_value(right->right, &divisor))
1706 1778 return;
1707 1779 if (divisor.value == 0)
1708 1780 return;
1709 1781 *left_p = binop_expression(left, invert_op(right->op), right->right);
1710 1782 *right_p = right->left;
1711 1783 return;
1712 1784 }
1713 1785 if (right->op == '+' && get_value(right->left, &sval)) {
1714 1786 *left_p = binop_expression(left, invert_op(right->op), right->left);
1715 1787 *right_p = right->right;
1716 1788 return;
1717 1789 }
1718 1790 if (get_value(right->right, &sval)) {
1719 1791 *left_p = binop_expression(left, invert_op(right->op), right->right);
1720 1792 *right_p = right->left;
1721 1793 return;
1722 1794 }
1723 1795 return;
1724 1796 }
1725 1797 if (get_implied_value(right, &sval)) {
1726 1798 if (!is_simple_math(left))
1727 1799 return;
1728 1800 if (get_implied_value(left, &dummy))
1729 1801 return;
1730 1802 if (left->op == '*') {
1731 1803 sval_t divisor;
1732 1804
1733 1805 if (!get_value(left->right, &divisor))
1734 1806 return;
1735 1807 if (divisor.value == 0)
1736 1808 return;
1737 1809 *right_p = binop_expression(right, invert_op(left->op), left->right);
1738 1810 *left_p = left->left;
1739 1811 return;
1740 1812 }
1741 1813 if (left->op == '+' && get_value(left->left, &sval)) {
1742 1814 *right_p = binop_expression(right, invert_op(left->op), left->left);
1743 1815 *left_p = left->right;
1744 1816 return;
1745 1817 }
1746 1818
1747 1819 if (get_value(left->right, &sval)) {
1748 1820 *right_p = binop_expression(right, invert_op(left->op), left->right);
1749 1821 *left_p = left->left;
1750 1822 return;
1751 1823 }
1752 1824 return;
1753 1825 }
1754 1826 }
1755 1827
1756 1828 /*
1757 1829 * The reason for do_simple_algebra() is to solve things like:
1758 1830 * if (foo > 66 || foo + bar > 64) {
1759 1831 * "foo" is not really a known variable so it won't be handled by
1760 1832 * move_known_variables() but it's a super common idiom.
1761 1833 *
1762 1834 */
1763 1835 static int do_simple_algebra(struct expression **left_p, struct expression **right_p)
1764 1836 {
1765 1837 struct expression *left = *left_p;
1766 1838 struct expression *right = *right_p;
1767 1839 struct range_list *rl;
1768 1840 sval_t tmp;
1769 1841
1770 1842 if (left->type != EXPR_BINOP || left->op != '+')
1771 1843 return 0;
1772 1844 if (can_integer_overflow(get_type(left), left))
1773 1845 return 0;
1774 1846 if (!get_implied_value(right, &tmp))
1775 1847 return 0;
1776 1848
1777 1849 if (!get_implied_value(left->left, &tmp) &&
1778 1850 get_implied_rl(left->left, &rl) &&
1779 1851 !is_whole_rl(rl)) {
1780 1852 *right_p = binop_expression(right, '-', left->left);
1781 1853 *left_p = left->right;
1782 1854 return 1;
1783 1855 }
1784 1856 if (!get_implied_value(left->right, &tmp) &&
1785 1857 get_implied_rl(left->right, &rl) &&
1786 1858 !is_whole_rl(rl)) {
1787 1859 *right_p = binop_expression(right, '-', left->right);
1788 1860 *left_p = left->left;
1789 1861 return 1;
1790 1862 }
1791 1863
1792 1864 return 0;
1793 1865 }
1794 1866
1795 1867 static int match_func_comparison(struct expression *expr)
1796 1868 {
1797 1869 struct expression *left = strip_expr(expr->left);
1798 1870 struct expression *right = strip_expr(expr->right);
1799 1871
1800 1872 if (left->type == EXPR_CALL || right->type == EXPR_CALL) {
1801 1873 function_comparison(left, expr->op, right);
1802 1874 return 1;
1803 1875 }
1804 1876
1805 1877 return 0;
1806 1878 }
1807 1879
1808 1880 /* Handle conditions like "if (foo + bar < foo) {" */
1809 1881 static int handle_integer_overflow_test(struct expression *expr)
1810 1882 {
1811 1883 struct expression *left, *right;
1812 1884 struct symbol *type;
1813 1885 sval_t left_min, right_min, min, max;
1814 1886
1815 1887 if (expr->op != '<' && expr->op != SPECIAL_UNSIGNED_LT)
1816 1888 return 0;
1817 1889
1818 1890 left = strip_parens(expr->left);
1819 1891 right = strip_parens(expr->right);
1820 1892
1821 1893 if (left->op != '+')
1822 1894 return 0;
1823 1895
1824 1896 type = get_type(expr);
1825 1897 if (!type)
1826 1898 return 0;
1827 1899 if (type_positive_bits(type) == 32) {
1828 1900 max.type = &uint_ctype;
1829 1901 max.uvalue = (unsigned int)-1;
1830 1902 } else if (type_positive_bits(type) == 64) {
1831 1903 max.type = &ulong_ctype;
1832 1904 max.value = (unsigned long long)-1;
1833 1905 } else {
1834 1906 return 0;
1835 1907 }
1836 1908
1837 1909 if (!expr_equiv(left->left, right) && !expr_equiv(left->right, right))
1838 1910 return 0;
1839 1911
1840 1912 get_absolute_min(left->left, &left_min);
1841 1913 get_absolute_min(left->right, &right_min);
1842 1914 min = sval_binop(left_min, '+', right_min);
1843 1915
1844 1916 type = get_type(left);
1845 1917 min = sval_cast(type, min);
1846 1918 max = sval_cast(type, max);
1847 1919
1848 1920 set_extra_chunk_true_false(left, NULL, alloc_estate_range(min, max));
1849 1921 return 1;
1850 1922 }
1851 1923
1852 1924 static void match_comparison(struct expression *expr)
1853 1925 {
1854 1926 struct expression *left_orig = strip_parens(expr->left);
1855 1927 struct expression *right_orig = strip_parens(expr->right);
1856 1928 struct expression *left, *right, *tmp;
1857 1929 struct expression *prev;
1858 1930 struct symbol *type;
1859 1931 int redo, count;
1860 1932
1861 1933 if (match_func_comparison(expr))
1862 1934 return;
1863 1935
1864 1936 type = get_type(expr);
1865 1937 if (!type)
1866 1938 type = &llong_ctype;
1867 1939
1868 1940 if (handle_integer_overflow_test(expr))
1869 1941 return;
1870 1942
1871 1943 left = left_orig;
1872 1944 right = right_orig;
1873 1945 move_known_values(&left, &right);
1874 1946 handle_comparison(type, left, expr->op, right);
1875 1947
1876 1948 left = left_orig;
1877 1949 right = right_orig;
1878 1950 if (do_simple_algebra(&left, &right))
1879 1951 handle_comparison(type, left, expr->op, right);
1880 1952
1881 1953 prev = get_assigned_expr(left_orig);
1882 1954 if (is_simple_math(prev) && has_variable(prev, left_orig) == 0) {
1883 1955 left = prev;
1884 1956 right = right_orig;
1885 1957 move_known_values(&left, &right);
1886 1958 handle_comparison(type, left, expr->op, right);
1887 1959 }
1888 1960
1889 1961 prev = get_assigned_expr(right_orig);
1890 1962 if (is_simple_math(prev) && has_variable(prev, right_orig) == 0) {
1891 1963 left = left_orig;
1892 1964 right = prev;
1893 1965 move_known_values(&left, &right);
1894 1966 handle_comparison(type, left, expr->op, right);
1895 1967 }
1896 1968
1897 1969 redo = 0;
1898 1970 left = left_orig;
1899 1971 right = right_orig;
1900 1972 if (get_last_expr_from_expression_stmt(left_orig)) {
1901 1973 left = get_last_expr_from_expression_stmt(left_orig);
1902 1974 redo = 1;
1903 1975 }
1904 1976 if (get_last_expr_from_expression_stmt(right_orig)) {
1905 1977 right = get_last_expr_from_expression_stmt(right_orig);
1906 1978 redo = 1;
1907 1979 }
1908 1980
1909 1981 if (!redo)
1910 1982 return;
1911 1983
1912 1984 count = 0;
1913 1985 while ((tmp = get_assigned_expr(left))) {
1914 1986 if (count++ > 3)
1915 1987 break;
1916 1988 left = strip_expr(tmp);
1917 1989 }
1918 1990 count = 0;
1919 1991 while ((tmp = get_assigned_expr(right))) {
1920 1992 if (count++ > 3)
1921 1993 break;
1922 1994 right = strip_expr(tmp);
1923 1995 }
1924 1996
1925 1997 handle_comparison(type, left, expr->op, right);
1926 1998 }
1927 1999
1928 2000 static sval_t get_high_mask(sval_t known)
1929 2001 {
1930 2002 sval_t ret;
1931 2003 int i;
1932 2004
1933 2005 ret = known;
1934 2006 ret.value = 0;
1935 2007
1936 2008 for (i = type_bits(known.type) - 1; i >= 0; i--) {
1937 2009 if (known.uvalue & (1ULL << i))
1938 2010 ret.uvalue |= (1ULL << i);
1939 2011 else
1940 2012 return ret;
1941 2013
1942 2014 }
1943 2015 return ret;
1944 2016 }
1945 2017
1946 2018 static bool handle_bit_test(struct expression *expr)
1947 2019 {
1948 2020 struct range_list *orig_rl, *rl;
1949 2021 struct expression *shift, *mask, *var;
1950 2022 struct bit_info *bit_info;
1951 2023 sval_t sval;
1952 2024 sval_t high = { .type = &int_ctype };
1953 2025 sval_t low = { .type = &int_ctype };
1954 2026
1955 2027 shift = strip_expr(expr->right);
1956 2028 mask = strip_expr(expr->left);
1957 2029 if (shift->type != EXPR_BINOP || shift->op != SPECIAL_LEFTSHIFT) {
1958 2030 shift = strip_expr(expr->left);
1959 2031 mask = strip_expr(expr->right);
1960 2032 if (shift->type != EXPR_BINOP || shift->op != SPECIAL_LEFTSHIFT)
1961 2033 return false;
1962 2034 }
1963 2035 if (!get_implied_value(shift->left, &sval) || sval.value != 1)
1964 2036 return false;
1965 2037 var = strip_expr(shift->right);
1966 2038
1967 2039 bit_info = get_bit_info(mask);
1968 2040 if (!bit_info)
1969 2041 return false;
1970 2042 if (!bit_info->possible)
1971 2043 return false;
1972 2044
1973 2045 get_absolute_rl(var, &orig_rl);
1974 2046 if (sval_is_negative(rl_min(orig_rl)) ||
1975 2047 rl_max(orig_rl).uvalue > type_bits(get_type(shift->left)))
1976 2048 return false;
1977 2049
1978 2050 low.value = ffsll(bit_info->possible);
1979 2051 high.value = sm_fls64(bit_info->possible);
1980 2052 rl = alloc_rl(low, high);
1981 2053 rl = cast_rl(get_type(var), rl);
1982 2054 rl = rl_intersection(orig_rl, rl);
1983 2055 if (!rl)
1984 2056 return false;
1985 2057
1986 2058 set_extra_expr_true_false(shift->right, alloc_estate_rl(rl), NULL);
1987 2059
1988 2060 return true;
1989 2061 }
1990 2062
1991 2063 static void handle_AND_op(struct expression *var, sval_t known)
1992 2064 {
1993 2065 struct range_list *orig_rl;
1994 2066 struct range_list *true_rl = NULL;
1995 2067 struct range_list *false_rl = NULL;
1996 2068 int bit;
1997 2069 sval_t low_mask = known;
1998 2070 sval_t high_mask;
1999 2071 sval_t max;
2000 2072
2001 2073 get_absolute_rl(var, &orig_rl);
2002 2074
2003 2075 if (known.value > 0) {
2004 2076 bit = ffsll(known.value) - 1;
2005 2077 low_mask.uvalue = (1ULL << bit) - 1;
2006 2078 true_rl = remove_range(orig_rl, sval_type_val(known.type, 0), low_mask);
2007 2079 }
2008 2080 high_mask = get_high_mask(known);
2009 2081 if (high_mask.value) {
2010 2082 bit = ffsll(high_mask.value) - 1;
2011 2083 low_mask.uvalue = (1ULL << bit) - 1;
2012 2084
2013 2085 false_rl = orig_rl;
2014 2086 if (sval_is_negative(rl_min(orig_rl)))
2015 2087 false_rl = remove_range(false_rl, sval_type_min(known.type), sval_type_val(known.type, -1));
2016 2088 false_rl = remove_range(false_rl, low_mask, sval_type_max(known.type));
2017 2089 if (type_signed(high_mask.type) && type_unsigned(rl_type(false_rl))) {
2018 2090 false_rl = remove_range(false_rl,
2019 2091 sval_type_val(rl_type(false_rl), sval_type_max(known.type).uvalue),
2020 2092 sval_type_val(rl_type(false_rl), -1));
2021 2093 }
2022 2094 } else if (known.value == 1 &&
2023 2095 get_hard_max(var, &max) &&
2024 2096 sval_cmp(max, rl_max(orig_rl)) == 0 &&
2025 2097 max.value & 1) {
2026 2098 false_rl = remove_range(orig_rl, max, max);
2027 2099 }
2028 2100 set_extra_expr_true_false(var,
2029 2101 true_rl ? alloc_estate_rl(true_rl) : NULL,
2030 2102 false_rl ? alloc_estate_rl(false_rl) : NULL);
2031 2103 }
2032 2104
2033 2105 static void handle_AND_condition(struct expression *expr)
2034 2106 {
2035 2107 sval_t known;
2036 2108
2037 2109 if (handle_bit_test(expr))
2038 2110 return;
2039 2111
2040 2112 if (get_implied_value(expr->left, &known))
2041 2113 handle_AND_op(expr->right, known);
2042 2114 else if (get_implied_value(expr->right, &known))
2043 2115 handle_AND_op(expr->left, known);
2044 2116 }
2045 2117
2046 2118 static void handle_MOD_condition(struct expression *expr)
2047 2119 {
2048 2120 struct range_list *orig_rl;
2049 2121 struct range_list *true_rl;
2050 2122 struct range_list *false_rl = NULL;
2051 2123 sval_t right;
2052 2124 sval_t zero = { 0, };
2053 2125
2054 2126 if (!get_implied_value(expr->right, &right) || right.value == 0)
2055 2127 return;
2056 2128 get_absolute_rl(expr->left, &orig_rl);
2057 2129
2058 2130 zero.value = 0;
2059 2131 zero.type = rl_type(orig_rl);
2060 2132
2061 2133 /* We're basically dorking around the min and max here */
2062 2134 true_rl = remove_range(orig_rl, zero, zero);
2063 2135 if (!sval_is_max(rl_max(true_rl)) &&
2064 2136 !(rl_max(true_rl).value % right.value))
2065 2137 true_rl = remove_range(true_rl, rl_max(true_rl), rl_max(true_rl));
2066 2138
2067 2139 if (rl_equiv(true_rl, orig_rl))
2068 2140 true_rl = NULL;
2069 2141
2070 2142 if (sval_is_positive(rl_min(orig_rl)) &&
2071 2143 (rl_max(orig_rl).value - rl_min(orig_rl).value) / right.value < 5) {
2072 2144 sval_t add;
2073 2145 int i;
2074 2146
2075 2147 add = rl_min(orig_rl);
2076 2148 add.value += right.value - (add.value % right.value);
2077 2149 add.value -= right.value;
2078 2150
2079 2151 for (i = 0; i < 5; i++) {
2080 2152 add.value += right.value;
2081 2153 if (add.value > rl_max(orig_rl).value)
2082 2154 break;
2083 2155 add_range(&false_rl, add, add);
2084 2156 }
2085 2157 } else {
2086 2158 if (rl_min(orig_rl).uvalue != 0 &&
2087 2159 rl_min(orig_rl).uvalue < right.uvalue) {
2088 2160 sval_t chop = right;
2089 2161 chop.value--;
2090 2162 false_rl = remove_range(orig_rl, zero, chop);
2091 2163 }
2092 2164
2093 2165 if (!sval_is_max(rl_max(orig_rl)) &&
2094 2166 (rl_max(orig_rl).value % right.value)) {
2095 2167 sval_t chop = rl_max(orig_rl);
2096 2168 chop.value -= chop.value % right.value;
2097 2169 chop.value++;
2098 2170 if (!false_rl)
2099 2171 false_rl = clone_rl(orig_rl);
2100 2172 false_rl = remove_range(false_rl, chop, rl_max(orig_rl));
2101 2173 }
2102 2174 }
2103 2175
2104 2176 set_extra_expr_true_false(expr->left,
2105 2177 true_rl ? alloc_estate_rl(true_rl) : NULL,
2106 2178 false_rl ? alloc_estate_rl(false_rl) : NULL);
2107 2179 }
2108 2180
2109 2181 /* this is actually hooked from smatch_implied.c... it's hacky, yes */
2110 2182 void __extra_match_condition(struct expression *expr)
2111 2183 {
2112 2184 expr = strip_expr(expr);
2113 2185 switch (expr->type) {
2114 2186 case EXPR_CALL:
2115 2187 function_comparison(expr, SPECIAL_NOTEQUAL, zero_expr());
2116 2188 return;
2117 2189 case EXPR_PREOP:
2118 2190 case EXPR_SYMBOL:
2119 2191 case EXPR_DEREF:
2120 2192 handle_comparison(get_type(expr), expr, SPECIAL_NOTEQUAL, zero_expr());
2121 2193 return;
2122 2194 case EXPR_COMPARE:
2123 2195 match_comparison(expr);
2124 2196 return;
2125 2197 case EXPR_ASSIGNMENT:
2126 2198 __extra_match_condition(expr->left);
2127 2199 return;
2128 2200 case EXPR_BINOP:
2129 2201 if (expr->op == '&')
2130 2202 handle_AND_condition(expr);
2131 2203 if (expr->op == '%')
2132 2204 handle_MOD_condition(expr);
2133 2205 return;
2134 2206 }
2135 2207 }
2136 2208
2137 2209 static void assume_indexes_are_valid(struct expression *expr)
2138 2210 {
2139 2211 struct expression *array_expr;
2140 2212 int array_size;
2141 2213 struct expression *offset;
2142 2214 struct symbol *offset_type;
2143 2215 struct range_list *rl_before;
2144 2216 struct range_list *rl_after;
2145 2217 struct range_list *filter = NULL;
2146 2218 sval_t size;
2147 2219
2148 2220 expr = strip_expr(expr);
2149 2221 if (!is_array(expr))
2150 2222 return;
2151 2223
2152 2224 offset = get_array_offset(expr);
2153 2225 offset_type = get_type(offset);
2154 2226 if (offset_type && type_signed(offset_type)) {
2155 2227 filter = alloc_rl(sval_type_min(offset_type),
2156 2228 sval_type_val(offset_type, -1));
2157 2229 }
2158 2230
2159 2231 array_expr = get_array_base(expr);
2160 2232 array_size = get_real_array_size(array_expr);
2161 2233 if (array_size > 1) {
2162 2234 size = sval_type_val(offset_type, array_size);
2163 2235 add_range(&filter, size, sval_type_max(offset_type));
2164 2236 }
2165 2237
2166 2238 if (!filter)
2167 2239 return;
2168 2240 get_absolute_rl(offset, &rl_before);
2169 2241 rl_after = rl_filter(rl_before, filter);
2170 2242 if (rl_equiv(rl_before, rl_after))
2171 2243 return;
2172 2244 set_extra_expr_nomod(offset, alloc_estate_rl(rl_after));
2173 2245 }
2174 2246
2175 2247 /* returns 1 if it is not possible for expr to be value, otherwise returns 0 */
2176 2248 int implied_not_equal(struct expression *expr, long long val)
2177 2249 {
2178 2250 return !possibly_false(expr, SPECIAL_NOTEQUAL, value_expr(val));
2179 2251 }
2180 2252
2181 2253 int implied_not_equal_name_sym(char *name, struct symbol *sym, long long val)
2182 2254 {
2183 2255 struct smatch_state *estate;
2184 2256
2185 2257 estate = get_state(SMATCH_EXTRA, name, sym);
2186 2258 if (!estate)
2187 2259 return 0;
2188 2260 if (!rl_has_sval(estate_rl(estate), sval_type_val(estate_type(estate), 0)))
2189 2261 return 1;
2190 2262 return 0;
2191 2263 }
2192 2264
2193 2265 int parent_is_null_var_sym(const char *name, struct symbol *sym)
2194 2266 {
2195 2267 char buf[256];
|
↓ open down ↓ |
903 lines elided |
↑ open up ↑ |
2196 2268 char *start;
2197 2269 char *end;
2198 2270 struct smatch_state *state;
2199 2271
2200 2272 strncpy(buf, name, sizeof(buf) - 1);
2201 2273 buf[sizeof(buf) - 1] = '\0';
2202 2274
2203 2275 start = &buf[0];
2204 2276 while (*start == '*') {
2205 2277 start++;
2206 - state = get_state(SMATCH_EXTRA, start, sym);
2278 + state = __get_state(SMATCH_EXTRA, start, sym);
2207 2279 if (!state)
2208 2280 continue;
2209 2281 if (!estate_rl(state))
2210 2282 return 1;
2211 2283 if (estate_min(state).value == 0 &&
2212 2284 estate_max(state).value == 0)
2213 2285 return 1;
2214 2286 }
2215 2287
2216 2288 start = &buf[0];
2217 2289 while (*start == '&')
2218 2290 start++;
2219 2291
2220 2292 while ((end = strrchr(start, '-'))) {
2221 2293 *end = '\0';
2222 2294 state = __get_state(SMATCH_EXTRA, start, sym);
2223 2295 if (!state)
2224 2296 continue;
2225 2297 if (estate_min(state).value == 0 &&
2226 2298 estate_max(state).value == 0)
2227 2299 return 1;
2228 2300 }
2229 2301 return 0;
2230 2302 }
2231 2303
2232 2304 int parent_is_null(struct expression *expr)
2233 2305 {
2234 2306 struct symbol *sym;
2235 2307 char *var;
2236 2308 int ret = 0;
2237 2309
2238 2310 expr = strip_expr(expr);
2239 2311 var = expr_to_var_sym(expr, &sym);
2240 2312 if (!var || !sym)
2241 2313 goto free;
2242 2314 ret = parent_is_null_var_sym(var, sym);
2243 2315 free:
2244 2316 free_string(var);
2245 2317 return ret;
2246 2318 }
2247 2319
2248 2320 static int param_used_callback(void *found, int argc, char **argv, char **azColName)
2249 2321 {
2250 2322 *(int *)found = 1;
2251 2323 return 0;
2252 2324 }
2253 2325
2254 2326 static int is_kzalloc_info(struct sm_state *sm)
2255 2327 {
2256 2328 sval_t sval;
2257 2329
2258 2330 /*
2259 2331 * kzalloc() information is treated as special because so there is just
2260 2332 * a lot of stuff initialized to zero and it makes building the database
2261 2333 * take hours and hours.
2262 2334 *
2263 2335 * In theory, we should just remove this line and not pass any unused
2264 2336 * information, but I'm not sure enough that this code works so I want
2265 2337 * to hold off on that for now.
2266 2338 */
2267 2339 if (!estate_get_single_value(sm->state, &sval))
2268 2340 return 0;
2269 2341 if (sval.value != 0)
2270 2342 return 0;
2271 2343 return 1;
2272 2344 }
2273 2345
2274 2346 static int is_really_long(struct sm_state *sm)
2275 2347 {
2276 2348 const char *p;
2277 2349 int cnt = 0;
2278 2350
2279 2351 p = sm->name;
2280 2352 while ((p = strstr(p, "->"))) {
2281 2353 p += 2;
2282 2354 cnt++;
2283 2355 }
2284 2356
2285 2357 if (cnt < 3 ||
2286 2358 strlen(sm->name) < 40)
2287 2359 return 0;
2288 2360 return 1;
2289 2361 }
2290 2362
2291 2363 static int filter_unused_param_value_info(struct expression *call, int param, char *printed_name, struct sm_state *sm)
2292 2364 {
2293 2365 int found = 0;
2294 2366
2295 2367 /* for function pointers assume everything is used */
2296 2368 if (call->fn->type != EXPR_SYMBOL)
2297 2369 return 0;
2298 2370
2299 2371 /*
2300 2372 * This is to handle __builtin_mul_overflow(). In an ideal world we
2301 2373 * would only need this for invalid code.
2302 2374 *
2303 2375 */
2304 2376 if (!call->fn->symbol)
2305 2377 return 0;
2306 2378
2307 2379 if (!is_kzalloc_info(sm) && !is_really_long(sm))
2308 2380 return 0;
2309 2381
2310 2382 run_sql(¶m_used_callback, &found,
2311 2383 "select * from return_implies where %s and type = %d and parameter = %d and key = '%s';",
2312 2384 get_static_filter(call->fn->symbol), PARAM_USED, param, printed_name);
2313 2385 if (found)
2314 2386 return 0;
2315 2387
2316 2388 /* If the database is not built yet, then assume everything is used */
2317 2389 run_sql(¶m_used_callback, &found,
2318 2390 "select * from return_implies where %s and type = %d;",
2319 2391 get_static_filter(call->fn->symbol), PARAM_USED);
2320 2392 if (!found)
2321 2393 return 0;
2322 2394
2323 2395 return 1;
2324 2396 }
2325 2397
2326 2398 struct range_list *intersect_with_real_abs_var_sym(const char *name, struct symbol *sym, struct range_list *start)
2327 2399 {
2328 2400 struct smatch_state *state;
2329 2401
2330 2402 /*
2331 2403 * Here is the difference between implied value and real absolute, say
2332 2404 * you have:
2333 2405 *
2334 2406 * int a = (u8)x;
2335 2407 *
2336 2408 * Then you know that a is 0-255. That's real absolute. But you don't
2337 2409 * know for sure that it actually goes up to 255. So it's not implied.
2338 2410 * Implied indicates a degree of certainty.
2339 2411 *
2340 2412 * But then say you cap "a" at 8. That means you know it goes up to
2341 2413 * 8. So now the implied value is s32min-8. But you can combine it
2342 2414 * with the real absolute to say that actually it's 0-8.
2343 2415 *
2344 2416 * We are combining it here. But now that I think about it, this is
2345 2417 * probably not the ideal place to combine it because it should proably
2346 2418 * be done earlier. Oh well, this is an improvement on what was there
2347 2419 * before so I'm going to commit this code.
2348 2420 *
2349 2421 */
2350 2422
2351 2423 state = get_real_absolute_state_var_sym(name, sym);
2352 2424 if (!state || !estate_rl(state))
2353 2425 return start;
2354 2426
2355 2427 return rl_intersection(estate_rl(state), start);
2356 2428 }
2357 2429
2358 2430 struct range_list *intersect_with_real_abs_expr(struct expression *expr, struct range_list *start)
2359 2431 {
2360 2432 struct smatch_state *state;
2361 2433 struct range_list *abs_rl;
2362 2434
2363 2435 state = get_real_absolute_state(expr);
2364 2436 if (!state || !estate_rl(state))
2365 2437 return start;
|
↓ open down ↓ |
149 lines elided |
↑ open up ↑ |
2366 2438
2367 2439 abs_rl = cast_rl(rl_type(start), estate_rl(state));
2368 2440 return rl_intersection(abs_rl, start);
2369 2441 }
2370 2442
2371 2443 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
2372 2444 {
2373 2445 struct range_list *rl;
2374 2446 sval_t dummy;
2375 2447
2376 - if (estate_is_whole(sm->state))
2448 + if (estate_is_whole(sm->state) || !estate_rl(sm->state))
2377 2449 return;
2378 2450 if (filter_unused_param_value_info(call, param, printed_name, sm))
2379 2451 return;
2380 2452 rl = estate_rl(sm->state);
2381 2453 rl = intersect_with_real_abs_var_sym(sm->name, sm->sym, rl);
2454 + if (!rl)
2455 + return;
2382 2456 sql_insert_caller_info(call, PARAM_VALUE, param, printed_name, show_rl(rl));
2383 2457 if (!estate_get_single_value(sm->state, &dummy)) {
2384 2458 if (estate_has_hard_max(sm->state))
2385 2459 sql_insert_caller_info(call, HARD_MAX, param, printed_name,
2386 2460 sval_to_str(estate_max(sm->state)));
2387 2461 if (estate_has_fuzzy_max(sm->state))
2388 2462 sql_insert_caller_info(call, FUZZY_MAX, param, printed_name,
2389 2463 sval_to_str(estate_get_fuzzy_max(sm->state)));
2390 2464 }
2391 2465 }
2392 2466
2393 2467 static void returned_struct_members(int return_id, char *return_ranges, struct expression *expr)
2394 2468 {
2395 2469 struct symbol *returned_sym;
2396 2470 char *returned_name;
2397 2471 struct sm_state *sm;
2398 2472 char *compare_str;
2399 2473 char name_buf[256];
2400 2474 char val_buf[256];
2401 2475 int len;
2402 2476
2403 2477 // FIXME handle *$
2404 2478
2405 2479 if (!is_pointer(expr))
2406 2480 return;
2407 2481
2408 2482 returned_name = expr_to_var_sym(expr, &returned_sym);
2409 2483 if (!returned_name || !returned_sym)
2410 2484 goto free;
2411 2485 len = strlen(returned_name);
2412 2486
2413 2487 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
2414 2488 if (!estate_rl(sm->state))
2415 2489 continue;
2416 2490 if (returned_sym != sm->sym)
2417 2491 continue;
2418 2492 if (strncmp(returned_name, sm->name, len) != 0)
2419 2493 continue;
2420 2494 if (sm->name[len] != '-')
2421 2495 continue;
2422 2496
2423 2497 snprintf(name_buf, sizeof(name_buf), "$%s", sm->name + len);
2424 2498
2425 2499 compare_str = name_sym_to_param_comparison(sm->name, sm->sym);
2426 2500 if (!compare_str && estate_is_whole(sm->state))
2427 2501 continue;
2428 2502 snprintf(val_buf, sizeof(val_buf), "%s%s", sm->state->name, compare_str ?: "");
2429 2503
2430 2504 sql_insert_return_states(return_id, return_ranges, PARAM_VALUE,
2431 2505 -1, name_buf, val_buf);
2432 2506 } END_FOR_EACH_SM(sm);
2433 2507
2434 2508 free:
2435 2509 free_string(returned_name);
2436 2510 }
2437 2511
2438 2512 static void db_limited_before(void)
2439 2513 {
2440 2514 unmatched_stree = clone_stree(__get_cur_stree());
2441 2515 }
2442 2516
2443 2517 static void db_limited_after(void)
2444 2518 {
2445 2519 free_stree(&unmatched_stree);
2446 2520 }
2447 2521
2448 2522 static int basically_the_same(struct range_list *orig, struct range_list *new)
2449 2523 {
2450 2524 if (rl_equiv(orig, new))
2451 2525 return 1;
2452 2526
2453 2527 /*
2454 2528 * The whole range is essentially the same as 0,4096-27777777777 so
2455 2529 * don't overwrite the implications just to store that.
2456 2530 *
2457 2531 */
2458 2532 if (rl_type(orig)->type == SYM_PTR &&
2459 2533 is_whole_rl(orig) &&
2460 2534 rl_min(new).value == 0 &&
2461 2535 rl_max(new).value == valid_ptr_max)
2462 2536 return 1;
2463 2537 return 0;
2464 2538 }
2465 2539
2466 2540 static void db_param_limit_binops(struct expression *arg, char *key, struct range_list *rl)
2467 2541 {
2468 2542 struct range_list *left_rl;
2469 2543 sval_t zero = { .type = rl_type(rl), };
2470 2544 sval_t sval;
2471 2545
2472 2546 if (arg->op != '*')
2473 2547 return;
2474 2548 if (!get_implied_value(arg->right, &sval))
2475 2549 return;
2476 2550 if (can_integer_overflow(get_type(arg), arg))
2477 2551 return;
2478 2552
2479 2553 left_rl = rl_binop(rl, '/', alloc_rl(sval, sval));
2480 2554 if (!rl_has_sval(rl, zero))
2481 2555 left_rl = remove_range(left_rl, zero, zero);
2482 2556
2483 2557 set_extra_expr_nomod(arg->left, alloc_estate_rl(left_rl));
2484 2558 }
2485 2559
2486 2560 static void db_param_limit_filter(struct expression *expr, int param, char *key, char *value, enum info_type op)
2487 2561 {
2488 2562 struct expression *arg;
2489 2563 char *name;
2490 2564 struct symbol *sym;
2491 2565 struct var_sym_list *vsl = NULL;
2492 2566 struct sm_state *sm;
2493 2567 struct symbol *compare_type, *var_type;
2494 2568 struct range_list *rl;
2495 2569 struct range_list *limit;
2496 2570 struct range_list *new;
2497 2571 char *other_name;
2498 2572 struct symbol *other_sym;
2499 2573
2500 2574 while (expr->type == EXPR_ASSIGNMENT)
2501 2575 expr = strip_expr(expr->right);
2502 2576 if (expr->type != EXPR_CALL)
2503 2577 return;
2504 2578
2505 2579 arg = get_argument_from_call_expr(expr->args, param);
2506 2580 if (!arg)
2507 2581 return;
2508 2582
2509 2583 if (strcmp(key, "$") == 0)
2510 2584 compare_type = get_arg_type(expr->fn, param);
2511 2585 else
2512 2586 compare_type = get_member_type_from_key(arg, key);
2513 2587
2514 2588 call_results_to_rl(expr, compare_type, value, &limit);
2515 2589 if (strcmp(key, "$") == 0)
2516 2590 move_known_to_rl(&arg, &limit);
2517 2591 name = get_chunk_from_key(arg, key, &sym, &vsl);
2518 2592 if (!name)
2519 2593 return;
2520 2594 if (op != PARAM_LIMIT && !sym)
2521 2595 goto free;
2522 2596
2523 2597 sm = get_sm_state(SMATCH_EXTRA, name, sym);
2524 2598 if (sm)
2525 2599 rl = estate_rl(sm->state);
2526 2600 else
2527 2601 rl = alloc_whole_rl(compare_type);
2528 2602
2529 2603 if (op == PARAM_LIMIT && !rl_fits_in_type(rl, compare_type))
2530 2604 goto free;
2531 2605
2532 2606 new = rl_intersection(rl, limit);
2533 2607
2534 2608 var_type = get_member_type_from_key(arg, key);
2535 2609 new = cast_rl(var_type, new);
2536 2610
2537 2611 /* We want to preserve the implications here */
2538 2612 if (sm && basically_the_same(rl, new))
2539 2613 goto free;
2540 2614 other_name = get_other_name_sym(name, sym, &other_sym);
2541 2615
2542 2616 if (op == PARAM_LIMIT)
2543 2617 set_extra_nomod_vsl(name, sym, vsl, NULL, alloc_estate_rl(new));
2544 2618 else
2545 2619 set_extra_mod(name, sym, NULL, alloc_estate_rl(new));
2546 2620
2547 2621 if (other_name && other_sym) {
2548 2622 if (op == PARAM_LIMIT)
2549 2623 set_extra_nomod_vsl(other_name, other_sym, vsl, NULL, alloc_estate_rl(new));
2550 2624 else
2551 2625 set_extra_mod(other_name, other_sym, NULL, alloc_estate_rl(new));
2552 2626 }
2553 2627
2554 2628 if (op == PARAM_LIMIT && arg->type == EXPR_BINOP)
2555 2629 db_param_limit_binops(arg, key, new);
2556 2630 free:
2557 2631 free_string(name);
2558 2632 }
2559 2633
2560 2634 static void db_param_limit(struct expression *expr, int param, char *key, char *value)
2561 2635 {
|
↓ open down ↓ |
170 lines elided |
↑ open up ↑ |
2562 2636 db_param_limit_filter(expr, param, key, value, PARAM_LIMIT);
2563 2637 }
2564 2638
2565 2639 static void db_param_filter(struct expression *expr, int param, char *key, char *value)
2566 2640 {
2567 2641 db_param_limit_filter(expr, param, key, value, PARAM_FILTER);
2568 2642 }
2569 2643
2570 2644 static void db_param_add_set(struct expression *expr, int param, char *key, char *value, enum info_type op)
2571 2645 {
2572 - struct expression *arg;
2646 + struct expression *arg, *gen_expr;
2573 2647 char *name;
2574 2648 char *other_name = NULL;
2575 2649 struct symbol *sym, *other_sym;
2576 2650 struct symbol *param_type, *arg_type;
2577 2651 struct smatch_state *state;
2578 2652 struct range_list *new = NULL;
2579 2653 struct range_list *added = NULL;
2580 2654
2581 2655 while (expr->type == EXPR_ASSIGNMENT)
2582 2656 expr = strip_expr(expr->right);
2583 2657 if (expr->type != EXPR_CALL)
2584 2658 return;
2585 2659
2586 2660 arg = get_argument_from_call_expr(expr->args, param);
2587 2661 if (!arg)
2588 2662 return;
2589 2663
2590 2664 arg_type = get_arg_type_from_key(expr->fn, param, arg, key);
2591 2665 param_type = get_member_type_from_key(arg, key);
2666 + if (param_type && param_type->type == SYM_STRUCT)
2667 + return;
2592 2668 name = get_variable_from_key(arg, key, &sym);
2593 2669 if (!name || !sym)
2594 2670 goto free;
2671 + gen_expr = gen_expression_from_key(arg, key);
2595 2672
2596 2673 state = get_state(SMATCH_EXTRA, name, sym);
2597 2674 if (state)
2598 2675 new = estate_rl(state);
2599 2676
2600 2677 call_results_to_rl(expr, arg_type, value, &added);
2601 2678 added = cast_rl(param_type, added);
2602 2679 if (op == PARAM_SET)
2603 2680 new = added;
2604 2681 else
2605 2682 new = rl_union(new, added);
2606 2683
2607 2684 other_name = get_other_name_sym_nostack(name, sym, &other_sym);
2608 - set_extra_mod(name, sym, NULL, alloc_estate_rl(new));
2685 + set_extra_mod(name, sym, gen_expr, alloc_estate_rl(new));
2609 2686 if (other_name && other_sym)
2610 - set_extra_mod(other_name, other_sym, NULL, alloc_estate_rl(new));
2687 + set_extra_mod(other_name, other_sym, gen_expr, alloc_estate_rl(new));
2611 2688 free:
2612 2689 free_string(other_name);
2613 2690 free_string(name);
2614 2691 }
2615 2692
2616 2693 static void db_param_add(struct expression *expr, int param, char *key, char *value)
2617 2694 {
2618 2695 in_param_set = true;
2619 2696 db_param_add_set(expr, param, key, value, PARAM_ADD);
2620 2697 in_param_set = false;
2621 2698 }
2622 2699
2623 2700 static void db_param_set(struct expression *expr, int param, char *key, char *value)
2624 2701 {
2625 2702 in_param_set = true;
2626 2703 db_param_add_set(expr, param, key, value, PARAM_SET);
2627 2704 in_param_set = false;
2628 2705 }
2629 2706
2630 2707 static void match_lost_param(struct expression *call, int param)
2631 2708 {
2632 2709 struct expression *arg;
2633 2710
2634 2711 if (is_const_param(call->fn, param))
2635 2712 return;
2636 2713
2637 2714 arg = get_argument_from_call_expr(call->args, param);
2638 2715 if (!arg)
2639 2716 return;
2640 2717
2641 2718 arg = strip_expr(arg);
2642 2719 if (arg->type == EXPR_PREOP && arg->op == '&')
2643 2720 set_extra_expr_mod(arg->unop, alloc_estate_whole(get_type(arg->unop)));
2644 2721 else
2645 2722 ; /* if pointer then set struct members, maybe?*/
2646 2723 }
2647 2724
2648 2725 static void db_param_value(struct expression *expr, int param, char *key, char *value)
2649 2726 {
2650 2727 struct expression *call;
2651 2728 char *name;
2652 2729 struct symbol *sym;
2653 2730 struct symbol *type;
2654 2731 struct range_list *rl = NULL;
2655 2732
2656 2733 if (param != -1)
2657 2734 return;
2658 2735
2659 2736 call = expr;
2660 2737 while (call->type == EXPR_ASSIGNMENT)
2661 2738 call = strip_expr(call->right);
2662 2739 if (call->type != EXPR_CALL)
2663 2740 return;
2664 2741
2665 2742 type = get_member_type_from_key(expr->left, key);
2666 2743 name = get_variable_from_key(expr->left, key, &sym);
2667 2744 if (!name || !sym)
2668 2745 goto free;
2669 2746
2670 2747 call_results_to_rl(call, type, value, &rl);
2671 2748
2672 2749 set_extra_mod(name, sym, NULL, alloc_estate_rl(rl));
2673 2750 free:
2674 2751 free_string(name);
2675 2752 }
2676 2753
2677 2754 static void match_call_info(struct expression *expr)
2678 2755 {
2679 2756 struct smatch_state *state;
2680 2757 struct range_list *rl = NULL;
2681 2758 struct expression *arg;
2682 2759 struct symbol *type;
2683 2760 sval_t dummy;
2684 2761 int i = 0;
2685 2762
2686 2763 FOR_EACH_PTR(expr->args, arg) {
2687 2764 type = get_arg_type(expr->fn, i);
2688 2765
2689 2766 get_absolute_rl(arg, &rl);
2690 2767 rl = cast_rl(type, rl);
2691 2768
2692 2769 if (!is_whole_rl(rl)) {
2693 2770 rl = intersect_with_real_abs_expr(arg, rl);
2694 2771 sql_insert_caller_info(expr, PARAM_VALUE, i, "$", show_rl(rl));
2695 2772 }
2696 2773 state = get_state_expr(SMATCH_EXTRA, arg);
2697 2774 if (!estate_get_single_value(state, &dummy) && estate_has_hard_max(state)) {
2698 2775 sql_insert_caller_info(expr, HARD_MAX, i, "$",
2699 2776 sval_to_str(estate_max(state)));
2700 2777 }
2701 2778 if (estate_has_fuzzy_max(state)) {
2702 2779 sql_insert_caller_info(expr, FUZZY_MAX, i, "$",
2703 2780 sval_to_str(estate_get_fuzzy_max(state)));
2704 2781 }
2705 2782 i++;
2706 2783 } END_FOR_EACH_PTR(arg);
2707 2784 }
2708 2785
2709 2786 static void set_param_value(const char *name, struct symbol *sym, char *key, char *value)
2710 2787 {
2711 2788 struct expression *expr;
2712 2789 struct range_list *rl = NULL;
2713 2790 struct smatch_state *state;
2714 2791 struct symbol *type;
2715 2792 char fullname[256];
2716 2793 char *key_orig = key;
2717 2794 bool add_star = false;
2718 2795 sval_t dummy;
2719 2796
2720 2797 if (key[0] == '*') {
2721 2798 add_star = true;
2722 2799 key++;
2723 2800 }
2724 2801
2725 2802 snprintf(fullname, 256, "%s%s%s", add_star ? "*" : "", name, key + 1);
2726 2803
2727 2804 expr = symbol_expression(sym);
2728 2805 type = get_member_type_from_key(expr, key_orig);
2729 2806 str_to_rl(type, value, &rl);
2730 2807 state = alloc_estate_rl(rl);
2731 2808 if (estate_get_single_value(state, &dummy))
2732 2809 estate_set_hard_max(state);
2733 2810 set_state(SMATCH_EXTRA, fullname, sym, state);
2734 2811 }
2735 2812
2736 2813 static void set_param_fuzzy_max(const char *name, struct symbol *sym, char *key, char *value)
2737 2814 {
2738 2815 struct range_list *rl = NULL;
2739 2816 struct smatch_state *state;
2740 2817 struct symbol *type;
2741 2818 char fullname[256];
2742 2819 sval_t max;
2743 2820
2744 2821 if (strcmp(key, "*$") == 0)
2745 2822 snprintf(fullname, sizeof(fullname), "*%s", name);
2746 2823 else if (strncmp(key, "$", 1) == 0)
2747 2824 snprintf(fullname, 256, "%s%s", name, key + 1);
2748 2825 else
2749 2826 return;
2750 2827
2751 2828 state = get_state(SMATCH_EXTRA, fullname, sym);
2752 2829 if (!state)
2753 2830 return;
2754 2831 type = estate_type(state);
2755 2832 str_to_rl(type, value, &rl);
2756 2833 if (!rl_to_sval(rl, &max))
2757 2834 return;
2758 2835 estate_set_fuzzy_max(state, max);
2759 2836 }
2760 2837
2761 2838 static void set_param_hard_max(const char *name, struct symbol *sym, char *key, char *value)
2762 2839 {
2763 2840 struct smatch_state *state;
2764 2841 char fullname[256];
2765 2842
2766 2843 if (strcmp(key, "*$") == 0)
2767 2844 snprintf(fullname, sizeof(fullname), "*%s", name);
2768 2845 else if (strncmp(key, "$", 1) == 0)
2769 2846 snprintf(fullname, 256, "%s%s", name, key + 1);
2770 2847 else
2771 2848 return;
2772 2849
2773 2850 state = get_state(SMATCH_EXTRA, fullname, sym);
2774 2851 if (!state)
2775 2852 return;
2776 2853 estate_set_hard_max(state);
2777 2854 }
2778 2855
2779 2856 struct sm_state *get_extra_sm_state(struct expression *expr)
2780 2857 {
2781 2858 char *name;
2782 2859 struct symbol *sym;
2783 2860 struct sm_state *ret = NULL;
2784 2861
2785 2862 name = expr_to_known_chunk_sym(expr, &sym);
2786 2863 if (!name)
2787 2864 goto free;
2788 2865
2789 2866 ret = get_sm_state(SMATCH_EXTRA, name, sym);
2790 2867 free:
2791 2868 free_string(name);
2792 2869 return ret;
2793 2870 }
2794 2871
2795 2872 struct smatch_state *get_extra_state(struct expression *expr)
2796 2873 {
2797 2874 struct sm_state *sm;
2798 2875
2799 2876 sm = get_extra_sm_state(expr);
2800 2877 if (!sm)
2801 2878 return NULL;
2802 2879 return sm->state;
2803 2880 }
2804 2881
2805 2882 void register_smatch_extra(int id)
2806 2883 {
2807 2884 my_id = id;
2808 2885
2809 2886 set_dynamic_states(my_id);
2810 2887 add_merge_hook(my_id, &merge_estates);
2811 2888 add_unmatched_state_hook(my_id, &unmatched_state);
2812 2889 select_caller_info_hook(set_param_value, PARAM_VALUE);
2813 2890 select_caller_info_hook(set_param_fuzzy_max, FUZZY_MAX);
2814 2891 select_caller_info_hook(set_param_hard_max, HARD_MAX);
2815 2892 select_return_states_before(&db_limited_before);
2816 2893 select_return_states_hook(PARAM_LIMIT, &db_param_limit);
2817 2894 select_return_states_hook(PARAM_FILTER, &db_param_filter);
2818 2895 select_return_states_hook(PARAM_ADD, &db_param_add);
2819 2896 select_return_states_hook(PARAM_SET, &db_param_set);
2820 2897 add_lost_param_hook(&match_lost_param);
2821 2898 select_return_states_hook(PARAM_VALUE, &db_param_value);
2822 2899 select_return_states_after(&db_limited_after);
2823 2900 }
2824 2901
2825 2902 static void match_link_modify(struct sm_state *sm, struct expression *mod_expr)
2826 2903 {
2827 2904 struct var_sym_list *links;
2828 2905 struct var_sym *tmp;
2829 2906 struct smatch_state *state;
2830 2907
2831 2908 links = sm->state->data;
2832 2909
2833 2910 FOR_EACH_PTR(links, tmp) {
2834 2911 if (sm->sym == tmp->sym &&
2835 2912 strcmp(sm->name, tmp->var) == 0)
2836 2913 continue;
2837 2914 state = get_state(SMATCH_EXTRA, tmp->var, tmp->sym);
2838 2915 if (!state)
2839 2916 continue;
2840 2917 set_state(SMATCH_EXTRA, tmp->var, tmp->sym, alloc_estate_whole(estate_type(state)));
2841 2918 } END_FOR_EACH_PTR(tmp);
2842 2919 set_state(link_id, sm->name, sm->sym, &undefined);
2843 2920 }
2844 2921
2845 2922 void register_smatch_extra_links(int id)
2846 2923 {
2847 2924 link_id = id;
2848 2925 set_dynamic_states(link_id);
2849 2926 }
2850 2927
2851 2928 void register_smatch_extra_late(int id)
2852 2929 {
2853 2930 add_merge_hook(link_id, &merge_link_states);
2854 2931 add_modification_hook(link_id, &match_link_modify);
2855 2932 add_hook(&match_dereferences, DEREF_HOOK);
2856 2933 add_hook(&match_pointer_as_array, OP_HOOK);
2857 2934 select_return_implies_hook(DEREFERENCE, &set_param_dereferenced);
2858 2935 add_hook(&match_function_call, FUNCTION_CALL_HOOK);
2859 2936 add_hook(&match_assign, ASSIGNMENT_HOOK);
2860 2937 add_hook(&match_assign, GLOBAL_ASSIGNMENT_HOOK);
2861 2938 add_hook(&unop_expr, OP_HOOK);
2862 2939 add_hook(&asm_expr, ASM_HOOK);
2863 2940
2864 2941 add_hook(&match_call_info, FUNCTION_CALL_HOOK);
2865 2942 add_member_info_callback(my_id, struct_member_callback);
2866 2943 add_split_return_callback(&returned_struct_members);
2867 2944
2868 2945 // add_hook(&assume_indexes_are_valid, OP_HOOK);
2869 2946 }
|
↓ open down ↓ |
249 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX