1 /*
   2  * Copyright (C) 2012 Oracle.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17 
  18 /*
  19  * This is almost the same as smatch_param_filter.c.  The difference is that
  20  * this only deals with values passed on the stack and param filter only deals
  21  * with values changed so that the caller sees the new value.  It other words
  22  * the key for these should always be "$" and the key for param_filter should
  23  * never be "$".  Also smatch_param_set() should never use "$" as the key.
  24  * Param set should work together with param_filter to determine the value that
  25  * the caller sees at the end.
  26  *
  27  * This is for functions like this:
  28  *
  29  * int foo(int a)
  30  * {
  31  *        if (a >= 0 && a < 10) {
  32  *                 a = 42;
  33  *                 return 1;
  34  *        }
  35  *        return 0;
  36  * }
  37  *
  38  * If we pass in 5, it returns 1.
  39  *
  40  * It's a bit complicated because we can't just consider the final value, we
  41  * have to always consider the passed in value.
  42  *
  43  */
  44 
  45 #include "scope.h"
  46 #include "smatch.h"
  47 #include "smatch_extra.h"
  48 #include "smatch_slist.h"
  49 
  50 static int my_id;
  51 
  52 static struct stree *start_states;
  53 static struct stree_stack *saved_stack;
  54 
  55 static void save_start_states(struct statement *stmt)
  56 {
  57         start_states = get_all_states_stree(SMATCH_EXTRA);
  58 }
  59 
  60 static void free_start_states(void)
  61 {
  62         free_stree(&start_states);
  63 }
  64 
  65 static struct smatch_state *unmatched_state(struct sm_state *sm)
  66 {
  67         struct smatch_state *state;
  68 
  69         state = get_state(SMATCH_EXTRA, sm->name, sm->sym);
  70         if (state)
  71                 return state;
  72         return alloc_estate_whole(estate_type(sm->state));
  73 }
  74 
  75 struct smatch_state *get_orig_estate(const char *name, struct symbol *sym)
  76 {
  77         struct smatch_state *state;
  78 
  79         state = get_state(my_id, name, sym);
  80         if (state)
  81                 return state;
  82 
  83         state = get_state(SMATCH_EXTRA, name, sym);
  84         if (state)
  85                 return state;
  86         return alloc_estate_rl(alloc_whole_rl(get_real_base_type(sym)));
  87 }
  88 
  89 struct smatch_state *get_orig_estate_type(const char *name, struct symbol *sym, struct symbol *type)
  90 {
  91         struct smatch_state *state;
  92 
  93         state = get_state(my_id, name, sym);
  94         if (state)
  95                 return state;
  96 
  97         state = get_state(SMATCH_EXTRA, name, sym);
  98         if (state)
  99                 return state;
 100         return alloc_estate_rl(alloc_whole_rl(type));
 101 }
 102 
 103 static struct range_list *generify_mtag_range(struct smatch_state *state)
 104 {
 105         struct range_list *rl;
 106         struct data_range *drange;
 107 
 108         if (!estate_type(state) || estate_type(state)->type != SYM_PTR)
 109                 return estate_rl(state);
 110 
 111         /*
 112          * The problem is that we get too specific on our param limits when we
 113          * know exactly what pointers are passed to a function.  It gets to the
 114          * point where we say "pointer x will succeed, but everything else will
 115          * fail."  And then we introduce a new caller which passes a different
 116          * pointer and it's like, "Sorry bro, that's not possible."
 117          *
 118          */
 119         rl = rl_intersection(estate_rl(state), valid_ptr_rl);
 120         if (!rl)
 121                 return estate_rl(state);
 122 
 123         FOR_EACH_PTR(rl, drange) {
 124                 if (drange->min.value != drange->max.value)
 125                         continue;
 126                 if (drange->min.value > -4096 && drange->min.value <= 0)
 127                         continue;
 128                 return rl_union(valid_ptr_rl, rl);
 129         } END_FOR_EACH_PTR(drange);
 130 
 131         return estate_rl(state);
 132 }
 133 
 134 static void print_return_value_param(int return_id, char *return_ranges, struct expression *expr)
 135 {
 136         struct smatch_state *state, *old;
 137         struct sm_state *tmp;
 138         struct range_list *rl;
 139         const char *param_name;
 140         int param;
 141 
 142         FOR_EACH_MY_SM(SMATCH_EXTRA, __get_cur_stree(), tmp) {
 143                 param = get_param_num_from_sym(tmp->sym);
 144                 if (param < 0)
 145                         continue;
 146 
 147                 param_name = get_param_name(tmp);
 148                 if (!param_name)
 149                         continue;
 150 
 151                 state = __get_state(my_id, tmp->name, tmp->sym);
 152                 if (!state)
 153                         state = tmp->state;
 154 
 155                 if (estate_is_whole(state) || estate_is_empty(state))
 156                         continue;
 157                 old = get_state_stree(start_states, SMATCH_EXTRA, tmp->name, tmp->sym);
 158                 if (old && rl_equiv(estate_rl(old), estate_rl(state)))
 159                         continue;
 160 
 161                 if (is_ignored_kernel_data(param_name))
 162                         continue;
 163 
 164                 rl = generify_mtag_range(state);
 165                 sql_insert_return_states(return_id, return_ranges, PARAM_LIMIT,
 166                                          param, param_name, show_rl(rl));
 167         } END_FOR_EACH_SM(tmp);
 168 }
 169 
 170 static void extra_mod_hook(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
 171 {
 172         struct smatch_state *orig_vals;
 173         int param;
 174 
 175         param = get_param_num_from_sym(sym);
 176         if (param < 0)
 177                 return;
 178 
 179         orig_vals = get_orig_estate_type(name, sym, estate_type(state));
 180         set_state(my_id, name, sym, orig_vals);
 181 }
 182 
 183 static void match_save_states(struct expression *expr)
 184 {
 185         push_stree(&saved_stack, start_states);
 186         start_states = NULL;
 187 }
 188 
 189 static void match_restore_states(struct expression *expr)
 190 {
 191         free_stree(&start_states);
 192         start_states = pop_stree(&saved_stack);
 193 }
 194 
 195 void register_param_limit(int id)
 196 {
 197         my_id = id;
 198 
 199         set_dynamic_states(my_id);
 200         add_hook(&save_start_states, AFTER_DEF_HOOK);
 201         add_hook(&free_start_states, AFTER_FUNC_HOOK);
 202 
 203         add_extra_mod_hook(&extra_mod_hook);
 204         add_unmatched_state_hook(my_id, &unmatched_state);
 205         add_merge_hook(my_id, &merge_estates);
 206 
 207         add_hook(&match_save_states, INLINE_FN_START);
 208         add_hook(&match_restore_states, INLINE_FN_END);
 209 
 210         add_split_return_callback(&print_return_value_param);
 211 }
 212