Print this page
12166 resync smatch to 0.6.1-rc1-il-3
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/tools/smatch/src/smatch_extra.c
+++ new/usr/src/tools/smatch/src/smatch_extra.c
1 1 /*
2 2 * Copyright (C) 2008 Dan Carpenter.
3 3 *
4 4 * This program is free software; you can redistribute it and/or
5 5 * modify it under the terms of the GNU General Public License
6 6 * as published by the Free Software Foundation; either version 2
7 7 * of the License, or (at your option) any later version.
8 8 *
9 9 * This program is distributed in the hope that it will be useful,
10 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 * GNU General Public License for more details.
13 13 *
14 14 * You should have received a copy of the GNU General Public License
15 15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 16 */
17 17
18 18 /*
19 19 * smatch_extra.c is supposed to track the value of every variable.
20 20 *
21 21 */
22 22
23 23 #define _GNU_SOURCE
24 24 #include <string.h>
25 25
26 26 #include <stdlib.h>
27 27 #include <errno.h>
28 28 #ifndef __USE_ISOC99
29 29 #define __USE_ISOC99
30 30 #endif
31 31 #include <limits.h>
32 32 #include "parse.h"
33 33 #include "smatch.h"
34 34 #include "smatch_slist.h"
35 35 #include "smatch_extra.h"
36 36
37 37 static int my_id;
38 38 static int link_id;
39 39 extern int check_assigned_expr_id;
40 40
41 41 static void match_link_modify(struct sm_state *sm, struct expression *mod_expr);
42 42
43 43 struct string_list *__ignored_macros = NULL;
44 44 int in_warn_on_macro(void)
45 45 {
46 46 struct statement *stmt;
47 47 char *tmp;
48 48 char *macro;
49 49
50 50 stmt = get_current_statement();
51 51 if (!stmt)
52 52 return 0;
53 53 macro = get_macro_name(stmt->pos);
54 54 if (!macro)
55 55 return 0;
56 56
57 57 FOR_EACH_PTR(__ignored_macros, tmp) {
58 58 if (!strcmp(tmp, macro))
59 59 return 1;
60 60 } END_FOR_EACH_PTR(tmp);
61 61 return 0;
62 62 }
63 63
64 64 typedef void (mod_hook)(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state);
65 65 DECLARE_PTR_LIST(void_fn_list, mod_hook *);
66 66 static struct void_fn_list *extra_mod_hooks;
67 67 static struct void_fn_list *extra_nomod_hooks;
68 68
69 69 void add_extra_mod_hook(mod_hook *fn)
70 70 {
71 71 mod_hook **p = malloc(sizeof(mod_hook *));
72 72 *p = fn;
73 73 add_ptr_list(&extra_mod_hooks, p);
74 74 }
75 75
76 76 void add_extra_nomod_hook(mod_hook *fn)
77 77 {
78 78 mod_hook **p = malloc(sizeof(mod_hook *));
79 79 *p = fn;
80 80 add_ptr_list(&extra_nomod_hooks, p);
81 81 }
82 82
83 83 void call_extra_hooks(struct void_fn_list *hooks, const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
84 84 {
85 85 mod_hook **fn;
86 86
87 87 FOR_EACH_PTR(hooks, fn) {
88 88 (*fn)(name, sym, expr, state);
89 89 } END_FOR_EACH_PTR(fn);
90 90 }
91 91
92 92 void call_extra_mod_hooks(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
93 93 {
94 94 call_extra_hooks(extra_mod_hooks, name, sym, expr, state);
95 95 }
96 96
97 97 void call_extra_nomod_hooks(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
98 98 {
99 99 call_extra_hooks(extra_nomod_hooks, name, sym, expr, state);
100 100 }
101 101
102 102 static void set_union_info(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
103 103 {
104 104 struct symbol *type, *tmp, *inner_type, *inner, *new_type;
105 105 struct expression *deref, *member_expr;
106 106 struct smatch_state *new;
107 107 int offset, inner_offset;
108 108 static bool in_recurse;
109 109 char *member_name;
110 110
111 111 if (__in_fake_assign)
112 112 return;
113 113
114 114 if (in_recurse)
115 115 return;
116 116 in_recurse = true;
117 117
118 118 if (!expr || expr->type != EXPR_DEREF || !expr->member)
119 119 goto done;
120 120 offset = get_member_offset_from_deref(expr);
121 121 if (offset < 0)
122 122 goto done;
123 123
124 124 deref = strip_expr(expr->deref);
125 125 type = get_type(deref);
126 126 if (type_is_ptr(type))
127 127 type = get_real_base_type(type);
128 128 if (!type || type->type != SYM_STRUCT)
129 129 goto done;
130 130
131 131 FOR_EACH_PTR(type->symbol_list, tmp) {
132 132 inner_type = get_real_base_type(tmp);
133 133 if (!inner_type || inner_type->type != SYM_UNION)
134 134 continue;
135 135
136 136 inner = first_ptr_list((struct ptr_list *)inner_type->symbol_list);
137 137 if (!inner || !inner->ident)
138 138 continue;
139 139
140 140 inner_offset = get_member_offset(type, inner->ident->name);
141 141 if (inner_offset < offset)
142 142 continue;
143 143 if (inner_offset > offset)
144 144 goto done;
145 145
146 146 FOR_EACH_PTR(inner_type->symbol_list, inner) {
147 147 struct symbol *tmp_type;
148 148
149 149 if (!inner->ident || inner->ident == expr->member)
150 150 continue;
151 151 tmp_type = get_real_base_type(inner);
152 152 if (tmp_type && tmp_type->type == SYM_STRUCT)
153 153 continue;
154 154 member_expr = deref;
155 155 if (tmp->ident)
156 156 member_expr = member_expression(member_expr, '.', tmp->ident);
157 157 member_expr = member_expression(member_expr, expr->op, inner->ident);
158 158 member_name = expr_to_var(member_expr);
159 159 if (!member_name)
160 160 continue;
161 161 new_type = get_real_base_type(inner);
162 162 new = alloc_estate_rl(cast_rl(new_type, estate_rl(state)));
163 163 set_extra_mod_helper(member_name, sym, member_expr, new);
164 164 free_string(member_name);
165 165 } END_FOR_EACH_PTR(inner);
166 166 } END_FOR_EACH_PTR(tmp);
167 167
168 168 done:
169 169 in_recurse = false;
170 170 }
171 171
172 172 static bool in_param_set;
173 173 void set_extra_mod_helper(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
174 174 {
175 175 if (!expr)
176 176 expr = gen_expression_from_name_sym(name, sym);
177 177 remove_from_equiv(name, sym);
178 178 set_union_info(name, sym, expr, state);
179 179 call_extra_mod_hooks(name, sym, expr, state);
180 180 update_mtag_data(expr, state);
181 181 if (in_param_set &&
182 182 estate_is_unknown(state) && !get_state(SMATCH_EXTRA, name, sym))
183 183 return;
184 184 set_state(SMATCH_EXTRA, name, sym, state);
185 185 }
186 186
|
↓ open down ↓ |
186 lines elided |
↑ open up ↑ |
187 187 static void set_extra_nomod_helper(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
188 188 {
189 189 call_extra_nomod_hooks(name, sym, expr, state);
190 190 set_state(SMATCH_EXTRA, name, sym, state);
191 191 }
192 192
193 193 static char *get_pointed_at(const char *name, struct symbol *sym, struct symbol **new_sym)
194 194 {
195 195 struct expression *assigned;
196 196
197 + /*
198 + * Imagine we have an assignment: "foo = &addr;" then the other name
199 + * of "*foo" is addr.
200 + */
201 +
197 202 if (name[0] != '*')
198 203 return NULL;
199 204 if (strcmp(name + 1, sym->ident->name) != 0)
200 205 return NULL;
201 206
202 207 assigned = get_assigned_expr_name_sym(sym->ident->name, sym);
203 208 if (!assigned)
204 209 return NULL;
205 210 assigned = strip_parens(assigned);
206 211 if (assigned->type != EXPR_PREOP || assigned->op != '&')
207 212 return NULL;
208 213
209 214 return expr_to_var_sym(assigned->unop, new_sym);
210 215 }
211 216
212 217 char *get_other_name_sym_from_chunk(const char *name, const char *chunk, int len, struct symbol *sym, struct symbol **new_sym)
213 218 {
214 219 struct expression *assigned;
215 220 char *orig_name = NULL;
216 221 char buf[256];
217 222 char *ret;
218 223
219 224 assigned = get_assigned_expr_name_sym(chunk, sym);
220 225 if (!assigned)
221 226 return NULL;
222 227 if (assigned->type == EXPR_CALL)
223 228 return map_call_to_other_name_sym(name, sym, new_sym);
224 229 if (assigned->type == EXPR_PREOP && assigned->op == '&') {
225 230
226 231 orig_name = expr_to_var_sym(assigned, new_sym);
227 232 if (!orig_name || !*new_sym)
228 233 goto free;
229 234
230 235 snprintf(buf, sizeof(buf), "%s.%s", orig_name + 1, name + len);
231 236 ret = alloc_string(buf);
232 237 free_string(orig_name);
233 238 return ret;
234 239 }
235 240
236 241 orig_name = expr_to_var_sym(assigned, new_sym);
237 242 if (!orig_name || !*new_sym)
238 243 goto free;
239 244
240 245 snprintf(buf, sizeof(buf), "%s->%s", orig_name, name + len);
241 246 ret = alloc_string(buf);
242 247 free_string(orig_name);
243 248 return ret;
244 249 free:
245 250 free_string(orig_name);
246 251 return NULL;
|
↓ open down ↓ |
40 lines elided |
↑ open up ↑ |
247 252 }
248 253
249 254 static char *get_long_name_sym(const char *name, struct symbol *sym, struct symbol **new_sym, bool use_stack)
250 255 {
251 256 struct expression *tmp;
252 257 struct sm_state *sm;
253 258 char buf[256];
254 259
255 260 /*
256 261 * Just prepend the name with a different name/sym and return that.
257 - * For example, if we set "foo->bar = bar;" then we clamp "bar->baz",
258 - * that also clamps "foo->bar->baz".
259 - *
262 + * For example, if we set "foo->bar = bar;" then the other name
263 + * for "bar->baz" is "foo->bar->baz". Or if we have "foo = bar;" then
264 + * the other name for "bar" is "foo". A third option is if we have
265 + * "foo = bar;" then another name for "*bar" is "*foo".
260 266 */
261 267
262 268 FOR_EACH_MY_SM(check_assigned_expr_id, __get_cur_stree(), sm) {
263 269 tmp = sm->state->data;
264 270 if (!tmp || tmp->type != EXPR_SYMBOL)
265 271 continue;
266 272 if (tmp->symbol == sym)
267 273 goto found;
268 274 } END_FOR_EACH_SM(sm);
269 275
270 276 return NULL;
271 277
272 278 found:
273 279 if (!use_stack && name[tmp->symbol->ident->len] != '-')
274 280 return NULL;
275 - snprintf(buf, sizeof(buf), "%s%s", sm->name, name + tmp->symbol->ident->len);
281 +
282 + if (name[0] == '*' && strcmp(name + 1, tmp->symbol_name->name) == 0)
283 + snprintf(buf, sizeof(buf), "*%s", sm->name);
284 + else if (name[tmp->symbol->ident->len] == '-' ||
285 + name[tmp->symbol->ident->len] == '.')
286 + snprintf(buf, sizeof(buf), "%s%s", sm->name, name + tmp->symbol->ident->len);
287 + else if (strcmp(name, tmp->symbol_name->name) == 0)
288 + snprintf(buf, sizeof(buf), "%s", sm->name);
289 + else
290 + return NULL;
291 +
276 292 *new_sym = sm->sym;
277 293 return alloc_string(buf);
278 294 }
279 295
280 296 char *get_other_name_sym_helper(const char *name, struct symbol *sym, struct symbol **new_sym, bool use_stack)
281 297 {
282 298 char buf[256];
283 299 char *ret;
284 300 int len;
285 301
286 302 *new_sym = NULL;
287 303
288 304 if (!sym || !sym->ident)
289 305 return NULL;
290 306
291 307 ret = get_pointed_at(name, sym, new_sym);
292 308 if (ret)
293 309 return ret;
294 310
295 311 ret = map_long_to_short_name_sym(name, sym, new_sym, use_stack);
296 312 if (ret)
297 313 return ret;
298 314
299 315 len = snprintf(buf, sizeof(buf), "%s", name);
300 316 if (len >= sizeof(buf) - 2)
301 317 return NULL;
302 318
303 319 while (use_stack && len >= 1) {
304 320 if (buf[len] == '>' && buf[len - 1] == '-') {
305 321 len--;
306 322 buf[len] = '\0';
307 323 ret = get_other_name_sym_from_chunk(name, buf, len + 2, sym, new_sym);
308 324 if (ret)
309 325 return ret;
310 326 }
311 327 len--;
312 328 }
313 329
314 330 ret = get_long_name_sym(name, sym, new_sym, use_stack);
315 331 if (ret)
316 332 return ret;
317 333
318 334 return NULL;
319 335 }
320 336
321 337 char *get_other_name_sym(const char *name, struct symbol *sym, struct symbol **new_sym)
322 338 {
323 339 return get_other_name_sym_helper(name, sym, new_sym, true);
324 340 }
325 341
326 342 char *get_other_name_sym_nostack(const char *name, struct symbol *sym, struct symbol **new_sym)
327 343 {
328 344 return get_other_name_sym_helper(name, sym, new_sym, false);
329 345 }
330 346
331 347 void set_extra_mod(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
332 348 {
333 349 char *new_name;
334 350 struct symbol *new_sym;
335 351
336 352 set_extra_mod_helper(name, sym, expr, state);
337 353 new_name = get_other_name_sym_nostack(name, sym, &new_sym);
338 354 if (new_name && new_sym)
339 355 set_extra_mod_helper(new_name, new_sym, NULL, state);
340 356 free_string(new_name);
341 357 }
342 358
343 359 static struct expression *chunk_get_array_base(struct expression *expr)
344 360 {
345 361 /*
346 362 * The problem with is_array() is that it only returns true for things
347 363 * like foo[1] but not for foo[1].bar.
348 364 *
349 365 */
350 366 expr = strip_expr(expr);
351 367 while (expr && expr->type == EXPR_DEREF)
352 368 expr = strip_expr(expr->deref);
353 369 return get_array_base(expr);
354 370 }
355 371
356 372 static int chunk_has_array(struct expression *expr)
357 373 {
358 374 return !!chunk_get_array_base(expr);
359 375 }
360 376
361 377 static void clear_array_states(struct expression *array)
362 378 {
363 379 struct sm_state *sm;
364 380
365 381 sm = get_sm_state_expr(link_id, array);
366 382 if (sm)
367 383 match_link_modify(sm, NULL);
368 384 }
369 385
370 386 static void set_extra_array_mod(struct expression *expr, struct smatch_state *state)
371 387 {
372 388 struct expression *array;
373 389 struct var_sym_list *vsl;
374 390 struct var_sym *vs;
375 391 char *name;
376 392 struct symbol *sym;
377 393
378 394 array = chunk_get_array_base(expr);
379 395
380 396 name = expr_to_chunk_sym_vsl(expr, &sym, &vsl);
381 397 if (!name || !vsl) {
382 398 clear_array_states(array);
383 399 goto free;
384 400 }
385 401
386 402 FOR_EACH_PTR(vsl, vs) {
387 403 store_link(link_id, vs->var, vs->sym, name, sym);
388 404 } END_FOR_EACH_PTR(vs);
389 405
390 406 call_extra_mod_hooks(name, sym, expr, state);
391 407 set_state(SMATCH_EXTRA, name, sym, state);
392 408 free:
393 409 free_string(name);
394 410 }
395 411
396 412 void set_extra_expr_mod(struct expression *expr, struct smatch_state *state)
397 413 {
398 414 struct symbol *sym;
399 415 char *name;
400 416
401 417 if (chunk_has_array(expr)) {
402 418 set_extra_array_mod(expr, state);
403 419 return;
404 420 }
405 421
406 422 expr = strip_expr(expr);
407 423 name = expr_to_var_sym(expr, &sym);
408 424 if (!name || !sym)
409 425 goto free;
410 426 set_extra_mod(name, sym, expr, state);
411 427 free:
412 428 free_string(name);
413 429 }
414 430
415 431 void set_extra_nomod(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
416 432 {
417 433 char *new_name;
418 434 struct symbol *new_sym;
419 435 struct relation *rel;
420 436 struct smatch_state *orig_state;
421 437
422 438 orig_state = get_state(SMATCH_EXTRA, name, sym);
423 439
424 440 /* don't save unknown states if leaving it blank is the same */
425 441 if (!orig_state && estate_is_unknown(state))
426 442 return;
427 443
428 444 new_name = get_other_name_sym(name, sym, &new_sym);
429 445 if (new_name && new_sym)
430 446 set_extra_nomod_helper(new_name, new_sym, expr, state);
431 447 free_string(new_name);
432 448
433 449 if (!estate_related(orig_state)) {
434 450 set_extra_nomod_helper(name, sym, expr, state);
435 451 return;
436 452 }
437 453
438 454 set_related(state, estate_related(orig_state));
439 455 FOR_EACH_PTR(estate_related(orig_state), rel) {
440 456 struct smatch_state *estate;
441 457
442 458 estate = get_state(SMATCH_EXTRA, rel->name, rel->sym);
443 459 if (!estate)
444 460 continue;
445 461 set_extra_nomod_helper(rel->name, rel->sym, expr, clone_estate_cast(estate_type(estate), state));
446 462 } END_FOR_EACH_PTR(rel);
447 463 }
448 464
449 465 void set_extra_nomod_vsl(const char *name, struct symbol *sym, struct var_sym_list *vsl, struct expression *expr, struct smatch_state *state)
450 466 {
451 467 struct var_sym *vs;
452 468
453 469 FOR_EACH_PTR(vsl, vs) {
454 470 store_link(link_id, vs->var, vs->sym, name, sym);
455 471 } END_FOR_EACH_PTR(vs);
456 472
457 473 set_extra_nomod(name, sym, expr, state);
458 474 }
459 475
460 476 /*
461 477 * This is for return_implies_state() hooks which modify a SMATCH_EXTRA state
462 478 */
463 479 void set_extra_expr_nomod(struct expression *expr, struct smatch_state *state)
464 480 {
465 481 struct var_sym_list *vsl;
466 482 struct var_sym *vs;
467 483 char *name;
468 484 struct symbol *sym;
469 485
470 486 name = expr_to_chunk_sym_vsl(expr, &sym, &vsl);
471 487 if (!name || !vsl)
472 488 goto free;
473 489 FOR_EACH_PTR(vsl, vs) {
474 490 store_link(link_id, vs->var, vs->sym, name, sym);
475 491 } END_FOR_EACH_PTR(vs);
476 492
477 493 set_extra_nomod(name, sym, expr, state);
478 494 free:
479 495 free_string(name);
480 496 }
481 497
482 498 static void set_extra_true_false(const char *name, struct symbol *sym,
483 499 struct smatch_state *true_state,
484 500 struct smatch_state *false_state)
485 501 {
486 502 char *new_name;
487 503 struct symbol *new_sym;
488 504 struct relation *rel;
489 505 struct smatch_state *orig_state;
490 506
491 507 if (!true_state && !false_state)
492 508 return;
493 509
494 510 if (in_warn_on_macro())
495 511 return;
496 512
497 513 new_name = get_other_name_sym(name, sym, &new_sym);
498 514 if (new_name && new_sym)
499 515 set_true_false_states(SMATCH_EXTRA, new_name, new_sym, true_state, false_state);
500 516 free_string(new_name);
501 517
502 518 orig_state = get_state(SMATCH_EXTRA, name, sym);
503 519
504 520 if (!estate_related(orig_state)) {
505 521 set_true_false_states(SMATCH_EXTRA, name, sym, true_state, false_state);
506 522 return;
507 523 }
508 524
509 525 if (true_state)
510 526 set_related(true_state, estate_related(orig_state));
511 527 if (false_state)
512 528 set_related(false_state, estate_related(orig_state));
513 529
514 530 FOR_EACH_PTR(estate_related(orig_state), rel) {
515 531 set_true_false_states(SMATCH_EXTRA, rel->name, rel->sym,
516 532 true_state, false_state);
517 533 } END_FOR_EACH_PTR(rel);
518 534 }
519 535
520 536 static void set_extra_chunk_true_false(struct expression *expr,
521 537 struct smatch_state *true_state,
522 538 struct smatch_state *false_state)
523 539 {
524 540 struct var_sym_list *vsl;
525 541 struct var_sym *vs;
526 542 struct symbol *type;
527 543 char *name;
528 544 struct symbol *sym;
529 545
530 546 if (in_warn_on_macro())
531 547 return;
532 548
533 549 type = get_type(expr);
534 550 if (!type)
535 551 return;
536 552
537 553 name = expr_to_chunk_sym_vsl(expr, &sym, &vsl);
538 554 if (!name || !vsl)
539 555 goto free;
540 556 FOR_EACH_PTR(vsl, vs) {
541 557 store_link(link_id, vs->var, vs->sym, name, sym);
542 558 } END_FOR_EACH_PTR(vs);
543 559
544 560 set_true_false_states(SMATCH_EXTRA, name, sym,
545 561 clone_estate(true_state),
546 562 clone_estate(false_state));
547 563 free:
548 564 free_string(name);
549 565 }
550 566
551 567 static void set_extra_expr_true_false(struct expression *expr,
552 568 struct smatch_state *true_state,
553 569 struct smatch_state *false_state)
554 570 {
555 571 char *name;
556 572 struct symbol *sym;
557 573 sval_t sval;
558 574
559 575 if (!true_state && !false_state)
560 576 return;
561 577
562 578 if (get_value(expr, &sval))
563 579 return;
564 580
565 581 expr = strip_expr(expr);
566 582 name = expr_to_var_sym(expr, &sym);
567 583 if (!name || !sym) {
568 584 free_string(name);
569 585 set_extra_chunk_true_false(expr, true_state, false_state);
570 586 return;
571 587 }
572 588 set_extra_true_false(name, sym, true_state, false_state);
573 589 free_string(name);
574 590 }
575 591
576 592 static int get_countdown_info(struct expression *condition, struct expression **unop, int *op, sval_t *right)
577 593 {
578 594 struct expression *unop_expr;
579 595 int comparison;
580 596 sval_t limit;
581 597
582 598 right->type = &int_ctype;
583 599 right->value = 0;
584 600
585 601 condition = strip_expr(condition);
586 602
587 603 if (condition->type == EXPR_COMPARE) {
588 604 comparison = remove_unsigned_from_comparison(condition->op);
589 605
590 606 if (comparison != SPECIAL_GTE && comparison != '>')
591 607 return 0;
592 608 if (!get_value(condition->right, &limit))
593 609 return 0;
594 610
595 611 unop_expr = condition->left;
596 612 if (unop_expr->type != EXPR_PREOP && unop_expr->type != EXPR_POSTOP)
597 613 return 0;
598 614 if (unop_expr->op != SPECIAL_DECREMENT)
599 615 return 0;
600 616
601 617 *unop = unop_expr;
602 618 *op = comparison;
603 619 *right = limit;
604 620
605 621 return 1;
606 622 }
607 623
608 624 if (condition->type != EXPR_PREOP && condition->type != EXPR_POSTOP)
609 625 return 0;
610 626 if (condition->op != SPECIAL_DECREMENT)
611 627 return 0;
612 628
613 629 *unop = condition;
614 630 *op = '>';
615 631
616 632 return 1;
617 633 }
618 634
619 635 static struct sm_state *handle_canonical_while_count_down(struct statement *loop)
620 636 {
621 637 struct expression *iter_var;
622 638 struct expression *condition, *unop;
623 639 struct symbol *type;
624 640 struct sm_state *sm;
625 641 struct smatch_state *estate;
626 642 int op;
627 643 sval_t start, right;
628 644
629 645 right.type = &int_ctype;
630 646 right.value = 0;
631 647
632 648 condition = strip_expr(loop->iterator_pre_condition);
633 649 if (!condition)
634 650 return NULL;
635 651
636 652 if (!get_countdown_info(condition, &unop, &op, &right))
637 653 return NULL;
638 654
639 655 iter_var = unop->unop;
640 656
641 657 sm = get_sm_state_expr(SMATCH_EXTRA, iter_var);
642 658 if (!sm)
643 659 return NULL;
644 660 if (sval_cmp(estate_min(sm->state), right) < 0)
645 661 return NULL;
646 662 start = estate_max(sm->state);
647 663
648 664 type = get_type(iter_var);
649 665 right = sval_cast(type, right);
650 666 start = sval_cast(type, start);
651 667
652 668 if (sval_cmp(start, right) <= 0)
653 669 return NULL;
654 670 if (!sval_is_max(start))
655 671 start.value--;
656 672
657 673 if (op == SPECIAL_GTE)
658 674 right.value--;
659 675
660 676 if (unop->type == EXPR_PREOP) {
661 677 right.value++;
662 678 estate = alloc_estate_range(right, start);
663 679 if (estate_has_hard_max(sm->state))
664 680 estate_set_hard_max(estate);
665 681 estate_copy_fuzzy_max(estate, sm->state);
666 682 set_extra_expr_mod(iter_var, estate);
667 683 }
668 684 if (unop->type == EXPR_POSTOP) {
669 685 estate = alloc_estate_range(right, start);
670 686 if (estate_has_hard_max(sm->state))
671 687 estate_set_hard_max(estate);
672 688 estate_copy_fuzzy_max(estate, sm->state);
673 689 set_extra_expr_mod(iter_var, estate);
674 690 }
675 691 return get_sm_state_expr(SMATCH_EXTRA, iter_var);
676 692 }
677 693
678 694 static struct sm_state *handle_canonical_for_inc(struct expression *iter_expr,
679 695 struct expression *condition)
680 696 {
681 697 struct expression *iter_var;
682 698 struct sm_state *sm;
683 699 struct smatch_state *estate;
684 700 sval_t start, end, max;
685 701 struct symbol *type;
686 702
687 703 iter_var = iter_expr->unop;
688 704 sm = get_sm_state_expr(SMATCH_EXTRA, iter_var);
689 705 if (!sm)
690 706 return NULL;
691 707 if (!estate_get_single_value(sm->state, &start))
692 708 return NULL;
693 709 if (!get_implied_value(condition->right, &end))
694 710 return NULL;
695 711
696 712 if (get_sm_state_expr(SMATCH_EXTRA, condition->left) != sm)
697 713 return NULL;
698 714
699 715 switch (condition->op) {
700 716 case SPECIAL_UNSIGNED_LT:
701 717 case SPECIAL_NOTEQUAL:
702 718 case '<':
703 719 if (!sval_is_min(end))
704 720 end.value--;
705 721 break;
706 722 case SPECIAL_UNSIGNED_LTE:
707 723 case SPECIAL_LTE:
708 724 break;
709 725 default:
710 726 return NULL;
711 727 }
712 728 if (sval_cmp(end, start) < 0)
713 729 return NULL;
714 730 type = get_type(iter_var);
715 731 start = sval_cast(type, start);
716 732 end = sval_cast(type, end);
717 733 estate = alloc_estate_range(start, end);
718 734 if (get_hard_max(condition->right, &max)) {
719 735 if (!get_macro_name(condition->pos))
720 736 estate_set_hard_max(estate);
721 737 if (condition->op == '<' ||
722 738 condition->op == SPECIAL_UNSIGNED_LT ||
723 739 condition->op == SPECIAL_NOTEQUAL)
724 740 max.value--;
725 741 max = sval_cast(type, max);
726 742 estate_set_fuzzy_max(estate, max);
727 743 }
728 744 set_extra_expr_mod(iter_var, estate);
729 745 return get_sm_state_expr(SMATCH_EXTRA, iter_var);
730 746 }
731 747
732 748 static struct sm_state *handle_canonical_for_dec(struct expression *iter_expr,
733 749 struct expression *condition)
734 750 {
735 751 struct expression *iter_var;
736 752 struct sm_state *sm;
737 753 struct smatch_state *estate;
738 754 sval_t start, end;
739 755
740 756 iter_var = iter_expr->unop;
741 757 sm = get_sm_state_expr(SMATCH_EXTRA, iter_var);
742 758 if (!sm)
743 759 return NULL;
744 760 if (!estate_get_single_value(sm->state, &start))
745 761 return NULL;
746 762 if (!get_implied_min(condition->right, &end))
747 763 end = sval_type_min(get_type(iter_var));
748 764 end = sval_cast(estate_type(sm->state), end);
749 765 if (get_sm_state_expr(SMATCH_EXTRA, condition->left) != sm)
750 766 return NULL;
751 767
752 768 switch (condition->op) {
753 769 case SPECIAL_NOTEQUAL:
754 770 case '>':
755 771 if (!sval_is_max(end))
756 772 end.value++;
757 773 break;
758 774 case SPECIAL_GTE:
759 775 break;
760 776 default:
761 777 return NULL;
762 778 }
763 779 if (sval_cmp(end, start) > 0)
764 780 return NULL;
765 781 estate = alloc_estate_range(end, start);
766 782 estate_set_hard_max(estate);
767 783 estate_set_fuzzy_max(estate, estate_get_fuzzy_max(estate));
768 784 set_extra_expr_mod(iter_var, estate);
769 785 return get_sm_state_expr(SMATCH_EXTRA, iter_var);
770 786 }
771 787
772 788 static struct sm_state *handle_canonical_for_loops(struct statement *loop)
773 789 {
774 790 struct expression *iter_expr;
775 791 struct expression *condition;
776 792
777 793 if (!loop->iterator_post_statement)
778 794 return NULL;
779 795 if (loop->iterator_post_statement->type != STMT_EXPRESSION)
780 796 return NULL;
781 797 iter_expr = loop->iterator_post_statement->expression;
782 798 if (!loop->iterator_pre_condition)
783 799 return NULL;
784 800 if (loop->iterator_pre_condition->type != EXPR_COMPARE)
785 801 return NULL;
786 802 condition = loop->iterator_pre_condition;
787 803
788 804 if (iter_expr->op == SPECIAL_INCREMENT)
789 805 return handle_canonical_for_inc(iter_expr, condition);
790 806 if (iter_expr->op == SPECIAL_DECREMENT)
791 807 return handle_canonical_for_dec(iter_expr, condition);
792 808 return NULL;
793 809 }
794 810
795 811 struct sm_state *__extra_handle_canonical_loops(struct statement *loop, struct stree **stree)
796 812 {
797 813 struct sm_state *ret;
798 814
799 815 /*
800 816 * Canonical loops are a hack. The proper way to handle this is to
801 817 * use two passes, but unfortunately, doing two passes makes parsing
802 818 * code twice as slow.
803 819 *
804 820 * What we do is we set the inside state here, which overwrites whatever
805 821 * __extra_match_condition() does. Then we set the outside state in
806 822 * __extra_pre_loop_hook_after().
807 823 *
808 824 */
809 825 __push_fake_cur_stree();
810 826 if (!loop->iterator_post_statement)
811 827 ret = handle_canonical_while_count_down(loop);
812 828 else
813 829 ret = handle_canonical_for_loops(loop);
814 830 *stree = __pop_fake_cur_stree();
815 831 return ret;
816 832 }
817 833
818 834 int __iterator_unchanged(struct sm_state *sm)
819 835 {
820 836 if (!sm)
821 837 return 0;
822 838 if (get_sm_state(my_id, sm->name, sm->sym) == sm)
823 839 return 1;
824 840 return 0;
825 841 }
826 842
827 843 static void while_count_down_after(struct sm_state *sm, struct expression *condition)
828 844 {
829 845 struct expression *unop;
830 846 int op;
831 847 sval_t limit, after_value;
832 848
833 849 if (!get_countdown_info(condition, &unop, &op, &limit))
834 850 return;
835 851 after_value = estate_min(sm->state);
836 852 after_value.value--;
837 853 set_extra_mod(sm->name, sm->sym, condition->unop, alloc_estate_sval(after_value));
838 854 }
839 855
840 856 void __extra_pre_loop_hook_after(struct sm_state *sm,
841 857 struct statement *iterator,
842 858 struct expression *condition)
843 859 {
844 860 struct expression *iter_expr;
845 861 sval_t limit;
846 862 struct smatch_state *state;
847 863
848 864 if (!iterator) {
849 865 while_count_down_after(sm, condition);
850 866 return;
851 867 }
852 868
853 869 iter_expr = iterator->expression;
854 870
855 871 if (condition->type != EXPR_COMPARE)
856 872 return;
857 873 if (iter_expr->op == SPECIAL_INCREMENT) {
858 874 limit = sval_binop(estate_max(sm->state), '+',
859 875 sval_type_val(estate_type(sm->state), 1));
860 876 } else {
861 877 limit = sval_binop(estate_min(sm->state), '-',
862 878 sval_type_val(estate_type(sm->state), 1));
863 879 }
864 880 limit = sval_cast(estate_type(sm->state), limit);
865 881 if (!estate_has_hard_max(sm->state) && !__has_breaks()) {
866 882 if (iter_expr->op == SPECIAL_INCREMENT)
867 883 state = alloc_estate_range(estate_min(sm->state), limit);
868 884 else
869 885 state = alloc_estate_range(limit, estate_max(sm->state));
870 886 } else {
871 887 state = alloc_estate_sval(limit);
872 888 }
873 889 if (!estate_has_hard_max(sm->state)) {
874 890 estate_clear_hard_max(state);
875 891 }
876 892 if (estate_has_fuzzy_max(sm->state)) {
877 893 sval_t hmax = estate_get_fuzzy_max(sm->state);
878 894 sval_t max = estate_max(sm->state);
879 895
880 896 if (sval_cmp(hmax, max) != 0)
881 897 estate_clear_fuzzy_max(state);
882 898 } else if (!estate_has_fuzzy_max(sm->state)) {
883 899 estate_clear_fuzzy_max(state);
884 900 }
885 901
886 902 set_extra_mod(sm->name, sm->sym, iter_expr, state);
887 903 }
888 904
889 905 static bool get_global_rl(const char *name, struct symbol *sym, struct range_list **rl)
890 906 {
891 907 struct expression *expr;
892 908
893 909 if (!sym || !(sym->ctype.modifiers & MOD_TOPLEVEL) || !sym->ident)
894 910 return false;
895 911 if (strcmp(sym->ident->name, name) != 0)
896 912 return false;
897 913
898 914 expr = symbol_expression(sym);
899 915 return get_implied_rl(expr, rl);
900 916 }
901 917
902 918 static struct stree *unmatched_stree;
903 919 static struct smatch_state *unmatched_state(struct sm_state *sm)
904 920 {
905 921 struct smatch_state *state;
906 922 struct range_list *rl;
907 923
908 924 if (unmatched_stree) {
909 925 state = get_state_stree(unmatched_stree, SMATCH_EXTRA, sm->name, sm->sym);
910 926 if (state)
911 927 return state;
912 928 }
913 929 if (parent_is_gone_var_sym(sm->name, sm->sym))
914 930 return alloc_estate_empty();
915 931 if (get_global_rl(sm->name, sm->sym, &rl))
916 932 return alloc_estate_rl(rl);
917 933 return alloc_estate_whole(estate_type(sm->state));
918 934 }
919 935
920 936 static void clear_the_pointed_at(struct expression *expr)
921 937 {
922 938 struct stree *stree;
923 939 char *name;
924 940 struct symbol *sym;
925 941 struct sm_state *tmp;
926 942
927 943 name = expr_to_var_sym(expr, &sym);
928 944 if (!name || !sym)
929 945 goto free;
930 946
931 947 stree = __get_cur_stree();
932 948 FOR_EACH_MY_SM(SMATCH_EXTRA, stree, tmp) {
933 949 if (tmp->name[0] != '*')
934 950 continue;
935 951 if (tmp->sym != sym)
936 952 continue;
937 953 if (strcmp(tmp->name + 1, name) != 0)
938 954 continue;
939 955 set_extra_mod(tmp->name, tmp->sym, expr, alloc_estate_whole(estate_type(tmp->state)));
940 956 } END_FOR_EACH_SM(tmp);
941 957
942 958 free:
943 959 free_string(name);
944 960 }
945 961
946 962 static int is_const_param(struct expression *expr, int param)
947 963 {
948 964 struct symbol *type;
949 965
950 966 type = get_arg_type(expr, param);
951 967 if (!type)
952 968 return 0;
953 969 if (type->ctype.modifiers & MOD_CONST)
954 970 return 1;
955 971 return 0;
956 972 }
957 973
958 974 static void match_function_call(struct expression *expr)
959 975 {
960 976 struct expression *arg;
961 977 struct expression *tmp;
962 978 int param = -1;
963 979
964 980 /* if we have the db this is handled in smatch_function_hooks.c */
965 981 if (!option_no_db)
966 982 return;
967 983 if (inlinable(expr->fn))
968 984 return;
969 985
970 986 FOR_EACH_PTR(expr->args, arg) {
971 987 param++;
972 988 if (is_const_param(expr->fn, param))
973 989 continue;
974 990 tmp = strip_expr(arg);
975 991 if (tmp->type == EXPR_PREOP && tmp->op == '&')
976 992 set_extra_expr_mod(tmp->unop, alloc_estate_whole(get_type(tmp->unop)));
977 993 else
978 994 clear_the_pointed_at(tmp);
979 995 } END_FOR_EACH_PTR(arg);
980 996 }
981 997
982 998 int values_fit_type(struct expression *left, struct expression *right)
983 999 {
984 1000 struct range_list *rl;
985 1001 struct symbol *type;
986 1002
987 1003 type = get_type(left);
988 1004 if (!type)
989 1005 return 0;
990 1006 get_absolute_rl(right, &rl);
991 1007 if (type == rl_type(rl))
992 1008 return 1;
993 1009 if (type_unsigned(type) && sval_is_negative(rl_min(rl)))
994 1010 return 0;
995 1011 if (sval_cmp(sval_type_min(type), rl_min(rl)) > 0)
996 1012 return 0;
997 1013 if (sval_cmp(sval_type_max(type), rl_max(rl)) < 0)
998 1014 return 0;
999 1015 return 1;
1000 1016 }
1001 1017
1002 1018 static void save_chunk_info(struct expression *left, struct expression *right)
1003 1019 {
1004 1020 struct var_sym_list *vsl;
1005 1021 struct var_sym *vs;
1006 1022 struct expression *add_expr;
1007 1023 struct symbol *type;
1008 1024 sval_t sval;
1009 1025 char *name;
1010 1026 struct symbol *sym;
1011 1027
1012 1028 if (right->type != EXPR_BINOP || right->op != '-')
1013 1029 return;
1014 1030 if (!get_value(right->left, &sval))
1015 1031 return;
1016 1032 if (!expr_to_sym(right->right))
1017 1033 return;
1018 1034
1019 1035 add_expr = binop_expression(left, '+', right->right);
1020 1036 type = get_type(add_expr);
1021 1037 if (!type)
1022 1038 return;
1023 1039 name = expr_to_chunk_sym_vsl(add_expr, &sym, &vsl);
1024 1040 if (!name || !vsl)
1025 1041 goto free;
1026 1042 FOR_EACH_PTR(vsl, vs) {
1027 1043 store_link(link_id, vs->var, vs->sym, name, sym);
1028 1044 } END_FOR_EACH_PTR(vs);
1029 1045
1030 1046 set_state(SMATCH_EXTRA, name, sym, alloc_estate_sval(sval_cast(type, sval)));
1031 1047 free:
1032 1048 free_string(name);
1033 1049 }
1034 1050
1035 1051 static void do_array_assign(struct expression *left, int op, struct expression *right)
1036 1052 {
1037 1053 struct range_list *rl;
1038 1054
1039 1055 if (op == '=') {
1040 1056 get_absolute_rl(right, &rl);
1041 1057 rl = cast_rl(get_type(left), rl);
1042 1058 } else {
1043 1059 rl = alloc_whole_rl(get_type(left));
1044 1060 }
1045 1061
1046 1062 set_extra_array_mod(left, alloc_estate_rl(rl));
1047 1063 }
1048 1064
1049 1065 static void match_vanilla_assign(struct expression *left, struct expression *right)
1050 1066 {
1051 1067 struct range_list *orig_rl = NULL;
1052 1068 struct range_list *rl = NULL;
1053 1069 struct symbol *right_sym;
1054 1070 struct symbol *left_type;
1055 1071 struct symbol *right_type;
1056 1072 char *right_name = NULL;
1057 1073 struct symbol *sym;
1058 1074 char *name;
1059 1075 sval_t sval, max;
1060 1076 struct smatch_state *state;
1061 1077 int comparison;
1062 1078
1063 1079 if (is_struct(left))
1064 1080 return;
1065 1081
1066 1082 save_chunk_info(left, right);
1067 1083
1068 1084 name = expr_to_var_sym(left, &sym);
1069 1085 if (!name) {
1070 1086 if (chunk_has_array(left))
1071 1087 do_array_assign(left, '=', right);
1072 1088 return;
1073 1089 }
1074 1090
1075 1091 left_type = get_type(left);
1076 1092 right_type = get_type(right);
1077 1093
1078 1094 right_name = expr_to_var_sym(right, &right_sym);
|
↓ open down ↓ |
793 lines elided |
↑ open up ↑ |
1079 1095
1080 1096 if (!__in_fake_assign &&
1081 1097 !(right->type == EXPR_PREOP && right->op == '&') &&
1082 1098 right_name && right_sym &&
1083 1099 values_fit_type(left, strip_expr(right)) &&
1084 1100 !has_symbol(right, sym)) {
1085 1101 set_equiv(left, right);
1086 1102 goto free;
1087 1103 }
1088 1104
1089 - if (is_pointer(right) && get_address_rl(right, &rl)) {
1090 - state = alloc_estate_rl(rl);
1091 - goto done;
1092 - }
1093 -
1094 1105 if (get_implied_value(right, &sval)) {
1095 1106 state = alloc_estate_sval(sval_cast(left_type, sval));
1096 1107 goto done;
1097 1108 }
1098 1109
1099 1110 if (__in_fake_assign) {
1100 1111 struct smatch_state *right_state;
1101 1112 sval_t sval;
1102 1113
1103 1114 if (get_value(right, &sval)) {
1104 1115 sval = sval_cast(left_type, sval);
1105 1116 state = alloc_estate_sval(sval);
1106 1117 goto done;
1107 1118 }
1108 1119
1109 1120 right_state = get_state(SMATCH_EXTRA, right_name, right_sym);
1110 1121 if (right_state) {
1111 1122 /* simple assignment */
1112 1123 state = clone_estate(right_state);
1113 1124 goto done;
1114 1125 }
1115 1126
1116 1127 state = alloc_estate_rl(alloc_whole_rl(left_type));
1117 1128 goto done;
1118 1129 }
1119 1130
1120 1131 comparison = get_comparison_no_extra(left, right);
1121 1132 if (comparison) {
1122 1133 comparison = flip_comparison(comparison);
1123 1134 get_implied_rl(left, &orig_rl);
1124 1135 }
1125 1136
1126 1137 if (get_implied_rl(right, &rl)) {
1127 1138 rl = cast_rl(left_type, rl);
1128 1139 if (orig_rl)
1129 1140 filter_by_comparison(&rl, comparison, orig_rl);
1130 1141 state = alloc_estate_rl(rl);
1131 1142 if (get_hard_max(right, &max)) {
1132 1143 estate_set_hard_max(state);
1133 1144 estate_set_fuzzy_max(state, max);
1134 1145 }
1135 1146 } else {
1136 1147 rl = alloc_whole_rl(right_type);
1137 1148 rl = cast_rl(left_type, rl);
1138 1149 if (orig_rl)
1139 1150 filter_by_comparison(&rl, comparison, orig_rl);
1140 1151 state = alloc_estate_rl(rl);
1141 1152 }
1142 1153
1143 1154 done:
1144 1155 set_extra_mod(name, sym, left, state);
1145 1156 free:
1146 1157 free_string(right_name);
1147 1158 }
1148 1159
1149 1160 static void match_assign(struct expression *expr)
1150 1161 {
1151 1162 struct range_list *rl = NULL;
1152 1163 struct expression *left;
1153 1164 struct expression *right;
1154 1165 struct expression *binop_expr;
1155 1166 struct symbol *left_type;
1156 1167 struct symbol *sym;
1157 1168 char *name;
1158 1169
1159 1170 left = strip_expr(expr->left);
1160 1171
1161 1172 right = strip_parens(expr->right);
1162 1173 if (right->type == EXPR_CALL && sym_name_is("__builtin_expect", right->fn))
1163 1174 right = get_argument_from_call_expr(right->args, 0);
1164 1175 while (right->type == EXPR_ASSIGNMENT && right->op == '=')
1165 1176 right = strip_parens(right->left);
1166 1177
1167 1178 if (expr->op == '=' && is_condition(expr->right))
1168 1179 return; /* handled in smatch_condition.c */
1169 1180 if (expr->op == '=' && right->type == EXPR_CALL)
1170 1181 return; /* handled in smatch_function_hooks.c */
1171 1182 if (expr->op == '=') {
1172 1183 match_vanilla_assign(left, right);
1173 1184 return;
1174 1185 }
1175 1186
1176 1187 name = expr_to_var_sym(left, &sym);
1177 1188 if (!name)
1178 1189 return;
1179 1190
1180 1191 left_type = get_type(left);
1181 1192
1182 1193 switch (expr->op) {
1183 1194 case SPECIAL_ADD_ASSIGN:
1184 1195 case SPECIAL_SUB_ASSIGN:
1185 1196 case SPECIAL_AND_ASSIGN:
1186 1197 case SPECIAL_MOD_ASSIGN:
1187 1198 case SPECIAL_SHL_ASSIGN:
1188 1199 case SPECIAL_SHR_ASSIGN:
1189 1200 case SPECIAL_OR_ASSIGN:
1190 1201 case SPECIAL_XOR_ASSIGN:
1191 1202 case SPECIAL_MUL_ASSIGN:
1192 1203 case SPECIAL_DIV_ASSIGN:
1193 1204 binop_expr = binop_expression(expr->left,
1194 1205 op_remove_assign(expr->op),
1195 1206 expr->right);
1196 1207 get_absolute_rl(binop_expr, &rl);
1197 1208 rl = cast_rl(left_type, rl);
1198 1209 if (inside_loop()) {
1199 1210 if (expr->op == SPECIAL_ADD_ASSIGN)
1200 1211 add_range(&rl, rl_max(rl), sval_type_max(rl_type(rl)));
1201 1212
1202 1213 if (expr->op == SPECIAL_SUB_ASSIGN &&
1203 1214 !sval_is_negative(rl_min(rl))) {
1204 1215 sval_t zero = { .type = rl_type(rl) };
1205 1216
1206 1217 add_range(&rl, rl_min(rl), zero);
1207 1218 }
1208 1219 }
1209 1220 set_extra_mod(name, sym, left, alloc_estate_rl(rl));
1210 1221 goto free;
1211 1222 }
1212 1223 set_extra_mod(name, sym, left, alloc_estate_whole(left_type));
1213 1224 free:
1214 1225 free_string(name);
1215 1226 }
1216 1227
1217 1228 static struct smatch_state *increment_state(struct smatch_state *state)
1218 1229 {
1219 1230 sval_t min = estate_min(state);
1220 1231 sval_t max = estate_max(state);
1221 1232
1222 1233 if (!estate_rl(state))
1223 1234 return NULL;
1224 1235
1225 1236 if (inside_loop())
1226 1237 max = sval_type_max(max.type);
1227 1238
1228 1239 if (!sval_is_min(min) && !sval_is_max(min))
1229 1240 min.value++;
1230 1241 if (!sval_is_min(max) && !sval_is_max(max))
1231 1242 max.value++;
1232 1243 return alloc_estate_range(min, max);
1233 1244 }
1234 1245
1235 1246 static struct smatch_state *decrement_state(struct smatch_state *state)
1236 1247 {
1237 1248 sval_t min = estate_min(state);
1238 1249 sval_t max = estate_max(state);
1239 1250
1240 1251 if (!estate_rl(state))
1241 1252 return NULL;
1242 1253
1243 1254 if (inside_loop())
1244 1255 min = sval_type_min(min.type);
1245 1256
1246 1257 if (!sval_is_min(min) && !sval_is_max(min))
1247 1258 min.value--;
1248 1259 if (!sval_is_min(max) && !sval_is_max(max))
1249 1260 max.value--;
1250 1261 return alloc_estate_range(min, max);
1251 1262 }
1252 1263
1253 1264 static void clear_pointed_at_state(struct expression *expr)
1254 1265 {
1255 1266 struct symbol *type;
1256 1267
1257 1268 /*
1258 1269 * ALERT: This is sort of a mess. If it's is a struct assigment like
1259 1270 * "foo = bar;", then that's handled by smatch_struct_assignment.c.
1260 1271 * the same thing for p++ where "p" is a struct. Most modifications
1261 1272 * are handled by the assignment hook or the db. Smatch_extra.c doesn't
1262 1273 * use smatch_modification.c because we have to get the ordering right
1263 1274 * or something. So if you have p++ where p is a pointer to a standard
1264 1275 * c type then we handle that here. What a mess.
1265 1276 */
1266 1277 expr = strip_expr(expr);
1267 1278 type = get_type(expr);
1268 1279 if (!type || type->type != SYM_PTR)
1269 1280 return;
1270 1281 type = get_real_base_type(type);
1271 1282 if (!type || type->type != SYM_BASETYPE)
1272 1283 return;
1273 1284 set_extra_expr_nomod(deref_expression(expr), alloc_estate_whole(type));
1274 1285 }
1275 1286
1276 1287 static void unop_expr(struct expression *expr)
1277 1288 {
1278 1289 struct smatch_state *state;
1279 1290
1280 1291 if (expr->smatch_flags & Handled)
1281 1292 return;
1282 1293
1283 1294 switch (expr->op) {
1284 1295 case SPECIAL_INCREMENT:
1285 1296 state = get_state_expr(SMATCH_EXTRA, expr->unop);
1286 1297 state = increment_state(state);
1287 1298 if (!state)
1288 1299 state = alloc_estate_whole(get_type(expr));
1289 1300 set_extra_expr_mod(expr->unop, state);
1290 1301 clear_pointed_at_state(expr->unop);
1291 1302 break;
1292 1303 case SPECIAL_DECREMENT:
1293 1304 state = get_state_expr(SMATCH_EXTRA, expr->unop);
1294 1305 state = decrement_state(state);
1295 1306 if (!state)
1296 1307 state = alloc_estate_whole(get_type(expr));
1297 1308 set_extra_expr_mod(expr->unop, state);
1298 1309 clear_pointed_at_state(expr->unop);
1299 1310 break;
1300 1311 default:
1301 1312 return;
1302 1313 }
1303 1314 }
1304 1315
1305 1316 static void asm_expr(struct statement *stmt)
1306 1317 {
1307 1318
1308 1319 struct expression *expr;
1309 1320 struct symbol *type;
1310 1321
1311 1322 FOR_EACH_PTR(stmt->asm_outputs, expr) {
1312 1323 if (expr->type != EXPR_ASM_OPERAND) {
1313 1324 sm_perror("unexpected asm param type %d", expr->type);
1314 1325 continue;
1315 1326 }
1316 1327 type = get_type(strip_expr(expr->expr));
1317 1328 set_extra_expr_mod(expr->expr, alloc_estate_whole(type));
1318 1329 } END_FOR_EACH_PTR(expr);
1319 1330 }
1320 1331
1321 1332 static void check_dereference(struct expression *expr)
1322 1333 {
1323 1334 struct smatch_state *state;
1324 1335
1325 1336 if (__in_fake_assign)
1326 1337 return;
1327 1338 if (outside_of_function())
1328 1339 return;
1329 1340 state = get_extra_state(expr);
1330 1341 if (state) {
1331 1342 struct range_list *rl;
1332 1343
1333 1344 rl = rl_intersection(estate_rl(state), valid_ptr_rl);
1334 1345 if (rl_equiv(rl, estate_rl(state)))
1335 1346 return;
1336 1347 set_extra_expr_nomod(expr, alloc_estate_rl(rl));
1337 1348 } else {
1338 1349 struct range_list *rl;
1339 1350
1340 1351 if (get_mtag_rl(expr, &rl))
1341 1352 rl = rl_intersection(rl, valid_ptr_rl);
1342 1353 else
1343 1354 rl = clone_rl(valid_ptr_rl);
1344 1355
1345 1356 set_extra_expr_nomod(expr, alloc_estate_rl(rl));
1346 1357 }
1347 1358 }
1348 1359
1349 1360 static void match_dereferences(struct expression *expr)
1350 1361 {
1351 1362 if (expr->type != EXPR_PREOP)
1352 1363 return;
1353 1364 if (getting_address(expr))
1354 1365 return;
1355 1366 /* it's saying that foo[1] = bar dereferences foo[1] */
1356 1367 if (is_array(expr))
1357 1368 return;
1358 1369 check_dereference(expr->unop);
1359 1370 }
1360 1371
1361 1372 static void match_pointer_as_array(struct expression *expr)
1362 1373 {
1363 1374 if (!is_array(expr))
1364 1375 return;
1365 1376 check_dereference(get_array_base(expr));
1366 1377 }
1367 1378
1368 1379 static void find_dereferences(struct expression *expr)
1369 1380 {
1370 1381 while (expr->type == EXPR_PREOP) {
1371 1382 if (expr->op == '*')
1372 1383 check_dereference(expr->unop);
1373 1384 expr = strip_expr(expr->unop);
1374 1385 }
1375 1386 }
1376 1387
1377 1388 static void set_param_dereferenced(struct expression *call, struct expression *arg, char *key, char *unused)
1378 1389 {
1379 1390 struct symbol *sym;
1380 1391 char *name;
1381 1392
1382 1393 name = get_variable_from_key(arg, key, &sym);
1383 1394 if (name && sym) {
1384 1395 struct smatch_state *orig, *new;
1385 1396 struct range_list *rl;
1386 1397
1387 1398 orig = get_state(SMATCH_EXTRA, name, sym);
1388 1399 if (orig) {
1389 1400 rl = rl_intersection(estate_rl(orig),
1390 1401 alloc_rl(valid_ptr_min_sval,
1391 1402 valid_ptr_max_sval));
1392 1403 new = alloc_estate_rl(rl);
1393 1404 } else {
1394 1405 new = alloc_estate_range(valid_ptr_min_sval, valid_ptr_max_sval);
1395 1406 }
1396 1407
1397 1408 set_extra_nomod(name, sym, NULL, new);
1398 1409 }
1399 1410 free_string(name);
1400 1411
1401 1412 find_dereferences(arg);
1402 1413 }
1403 1414
1404 1415 static sval_t add_one(sval_t sval)
1405 1416 {
1406 1417 sval.value++;
1407 1418 return sval;
1408 1419 }
1409 1420
1410 1421 static int handle_postop_inc(struct expression *left, int op, struct expression *right)
1411 1422 {
1412 1423 struct statement *stmt;
1413 1424 struct expression *cond;
1414 1425 struct smatch_state *true_state, *false_state;
1415 1426 struct symbol *type;
1416 1427 sval_t start;
1417 1428 sval_t limit;
1418 1429
1419 1430 /*
1420 1431 * If we're decrementing here then that's a canonical while count down
1421 1432 * so it's handled already. We're only handling loops like:
1422 1433 * i = 0;
1423 1434 * do { ... } while (i++ < 3);
1424 1435 */
1425 1436
1426 1437 if (left->type != EXPR_POSTOP || left->op != SPECIAL_INCREMENT)
1427 1438 return 0;
1428 1439
1429 1440 stmt = __cur_stmt->parent;
1430 1441 if (!stmt)
1431 1442 return 0;
1432 1443 if (stmt->type == STMT_COMPOUND)
1433 1444 stmt = stmt->parent;
1434 1445 if (!stmt || stmt->type != STMT_ITERATOR || !stmt->iterator_post_condition)
1435 1446 return 0;
1436 1447
1437 1448 cond = strip_expr(stmt->iterator_post_condition);
1438 1449 if (cond->type != EXPR_COMPARE || cond->op != op)
1439 1450 return 0;
1440 1451 if (left != strip_expr(cond->left) || right != strip_expr(cond->right))
1441 1452 return 0;
1442 1453
1443 1454 if (!get_implied_value(left->unop, &start))
1444 1455 return 0;
1445 1456 if (!get_implied_value(right, &limit))
1446 1457 return 0;
1447 1458 type = get_type(left->unop);
1448 1459 limit = sval_cast(type, limit);
1449 1460 if (sval_cmp(start, limit) > 0)
1450 1461 return 0;
1451 1462
1452 1463 switch (op) {
1453 1464 case '<':
1454 1465 case SPECIAL_UNSIGNED_LT:
1455 1466 break;
1456 1467 case SPECIAL_LTE:
1457 1468 case SPECIAL_UNSIGNED_LTE:
1458 1469 limit = add_one(limit);
1459 1470 default:
1460 1471 return 0;
1461 1472
1462 1473 }
1463 1474
1464 1475 true_state = alloc_estate_range(add_one(start), limit);
1465 1476 false_state = alloc_estate_range(add_one(limit), add_one(limit));
1466 1477
1467 1478 /* Currently we just discard the false state but when two passes is
1468 1479 * implimented correctly then it will use it.
1469 1480 */
1470 1481
1471 1482 set_extra_expr_true_false(left->unop, true_state, false_state);
1472 1483
1473 1484 return 1;
1474 1485 }
1475 1486
1476 1487 bool is_impossible_variable(struct expression *expr)
1477 1488 {
1478 1489 struct smatch_state *state;
1479 1490
1480 1491 state = get_extra_state(expr);
1481 1492 if (state && !estate_rl(state))
1482 1493 return true;
1483 1494 return false;
1484 1495 }
1485 1496
1486 1497 static bool in_macro(struct expression *left, struct expression *right)
1487 1498 {
1488 1499 if (!left || !right)
1489 1500 return 0;
1490 1501 if (left->pos.line != right->pos.line || left->pos.pos != right->pos.pos)
1491 1502 return 0;
1492 1503 if (get_macro_name(left->pos))
1493 1504 return 1;
1494 1505 return 0;
1495 1506 }
1496 1507
1497 1508 static void handle_comparison(struct symbol *type, struct expression *left, int op, struct expression *right)
1498 1509 {
1499 1510 struct range_list *left_orig;
1500 1511 struct range_list *left_true;
1501 1512 struct range_list *left_false;
1502 1513 struct range_list *right_orig;
1503 1514 struct range_list *right_true;
1504 1515 struct range_list *right_false;
1505 1516 struct smatch_state *left_true_state;
1506 1517 struct smatch_state *left_false_state;
1507 1518 struct smatch_state *right_true_state;
1508 1519 struct smatch_state *right_false_state;
1509 1520 sval_t dummy, hard_max;
1510 1521 int left_postop = 0;
1511 1522 int right_postop = 0;
1512 1523
1513 1524 if (left->op == SPECIAL_INCREMENT || left->op == SPECIAL_DECREMENT) {
1514 1525 if (left->type == EXPR_POSTOP) {
1515 1526 left->smatch_flags |= Handled;
1516 1527 left_postop = left->op;
1517 1528 if (handle_postop_inc(left, op, right))
1518 1529 return;
1519 1530 }
1520 1531 left = strip_parens(left->unop);
1521 1532 }
1522 1533 while (left->type == EXPR_ASSIGNMENT)
1523 1534 left = strip_parens(left->left);
1524 1535
1525 1536 if (right->op == SPECIAL_INCREMENT || right->op == SPECIAL_DECREMENT) {
1526 1537 if (right->type == EXPR_POSTOP) {
1527 1538 right->smatch_flags |= Handled;
1528 1539 right_postop = right->op;
1529 1540 }
1530 1541 right = strip_parens(right->unop);
1531 1542 }
1532 1543
1533 1544 if (is_impossible_variable(left) || is_impossible_variable(right))
1534 1545 return;
1535 1546
1536 1547 get_real_absolute_rl(left, &left_orig);
1537 1548 left_orig = cast_rl(type, left_orig);
1538 1549
1539 1550 get_real_absolute_rl(right, &right_orig);
1540 1551 right_orig = cast_rl(type, right_orig);
1541 1552
1542 1553 split_comparison_rl(left_orig, op, right_orig, &left_true, &left_false, &right_true, &right_false);
1543 1554
1544 1555 left_true = rl_truncate_cast(get_type(strip_expr(left)), left_true);
1545 1556 left_false = rl_truncate_cast(get_type(strip_expr(left)), left_false);
1546 1557 right_true = rl_truncate_cast(get_type(strip_expr(right)), right_true);
1547 1558 right_false = rl_truncate_cast(get_type(strip_expr(right)), right_false);
1548 1559
1549 1560 if (!left_true || !left_false) {
1550 1561 struct range_list *tmp_true, *tmp_false;
1551 1562
1552 1563 split_comparison_rl(alloc_whole_rl(type), op, right_orig, &tmp_true, &tmp_false, NULL, NULL);
1553 1564 tmp_true = rl_truncate_cast(get_type(strip_expr(left)), tmp_true);
1554 1565 tmp_false = rl_truncate_cast(get_type(strip_expr(left)), tmp_false);
1555 1566 if (tmp_true && tmp_false)
1556 1567 __save_imaginary_state(left, tmp_true, tmp_false);
1557 1568 }
1558 1569
1559 1570 if (!right_true || !right_false) {
1560 1571 struct range_list *tmp_true, *tmp_false;
1561 1572
1562 1573 split_comparison_rl(alloc_whole_rl(type), op, right_orig, NULL, NULL, &tmp_true, &tmp_false);
1563 1574 tmp_true = rl_truncate_cast(get_type(strip_expr(right)), tmp_true);
1564 1575 tmp_false = rl_truncate_cast(get_type(strip_expr(right)), tmp_false);
1565 1576 if (tmp_true && tmp_false)
1566 1577 __save_imaginary_state(right, tmp_true, tmp_false);
1567 1578 }
1568 1579
1569 1580 left_true_state = alloc_estate_rl(left_true);
1570 1581 left_false_state = alloc_estate_rl(left_false);
1571 1582 right_true_state = alloc_estate_rl(right_true);
1572 1583 right_false_state = alloc_estate_rl(right_false);
1573 1584
1574 1585 switch (op) {
1575 1586 case '<':
1576 1587 case SPECIAL_UNSIGNED_LT:
1577 1588 case SPECIAL_UNSIGNED_LTE:
1578 1589 case SPECIAL_LTE:
1579 1590 if (get_implied_value(right, &dummy) && !in_macro(left, right))
1580 1591 estate_set_hard_max(left_true_state);
1581 1592 if (get_implied_value(left, &dummy) && !in_macro(left, right))
1582 1593 estate_set_hard_max(right_false_state);
1583 1594 break;
1584 1595 case '>':
1585 1596 case SPECIAL_UNSIGNED_GT:
1586 1597 case SPECIAL_UNSIGNED_GTE:
1587 1598 case SPECIAL_GTE:
1588 1599 if (get_implied_value(left, &dummy) && !in_macro(left, right))
1589 1600 estate_set_hard_max(right_true_state);
1590 1601 if (get_implied_value(right, &dummy) && !in_macro(left, right))
1591 1602 estate_set_hard_max(left_false_state);
1592 1603 break;
1593 1604 }
1594 1605
1595 1606 switch (op) {
1596 1607 case '<':
1597 1608 case SPECIAL_UNSIGNED_LT:
1598 1609 case SPECIAL_UNSIGNED_LTE:
1599 1610 case SPECIAL_LTE:
1600 1611 if (get_hard_max(right, &hard_max)) {
1601 1612 if (op == '<' || op == SPECIAL_UNSIGNED_LT)
1602 1613 hard_max.value--;
1603 1614 estate_set_fuzzy_max(left_true_state, hard_max);
1604 1615 }
1605 1616 if (get_implied_value(right, &hard_max)) {
1606 1617 if (op == SPECIAL_UNSIGNED_LTE ||
1607 1618 op == SPECIAL_LTE)
1608 1619 hard_max.value++;
1609 1620 estate_set_fuzzy_max(left_false_state, hard_max);
1610 1621 }
1611 1622 if (get_hard_max(left, &hard_max)) {
1612 1623 if (op == SPECIAL_UNSIGNED_LTE ||
1613 1624 op == SPECIAL_LTE)
1614 1625 hard_max.value--;
1615 1626 estate_set_fuzzy_max(right_false_state, hard_max);
1616 1627 }
1617 1628 if (get_implied_value(left, &hard_max)) {
1618 1629 if (op == '<' || op == SPECIAL_UNSIGNED_LT)
1619 1630 hard_max.value++;
1620 1631 estate_set_fuzzy_max(right_true_state, hard_max);
1621 1632 }
1622 1633 break;
1623 1634 case '>':
1624 1635 case SPECIAL_UNSIGNED_GT:
1625 1636 case SPECIAL_UNSIGNED_GTE:
1626 1637 case SPECIAL_GTE:
1627 1638 if (get_hard_max(left, &hard_max)) {
1628 1639 if (op == '>' || op == SPECIAL_UNSIGNED_GT)
1629 1640 hard_max.value--;
1630 1641 estate_set_fuzzy_max(right_true_state, hard_max);
1631 1642 }
1632 1643 if (get_implied_value(left, &hard_max)) {
1633 1644 if (op == SPECIAL_UNSIGNED_GTE ||
1634 1645 op == SPECIAL_GTE)
1635 1646 hard_max.value++;
1636 1647 estate_set_fuzzy_max(right_false_state, hard_max);
1637 1648 }
1638 1649 if (get_hard_max(right, &hard_max)) {
1639 1650 if (op == SPECIAL_UNSIGNED_LTE ||
1640 1651 op == SPECIAL_LTE)
1641 1652 hard_max.value--;
1642 1653 estate_set_fuzzy_max(left_false_state, hard_max);
1643 1654 }
1644 1655 if (get_implied_value(right, &hard_max)) {
1645 1656 if (op == '>' ||
1646 1657 op == SPECIAL_UNSIGNED_GT)
1647 1658 hard_max.value++;
1648 1659 estate_set_fuzzy_max(left_true_state, hard_max);
1649 1660 }
1650 1661 break;
1651 1662 case SPECIAL_EQUAL:
1652 1663 if (get_hard_max(left, &hard_max))
1653 1664 estate_set_fuzzy_max(right_true_state, hard_max);
1654 1665 if (get_hard_max(right, &hard_max))
1655 1666 estate_set_fuzzy_max(left_true_state, hard_max);
1656 1667 break;
1657 1668 }
1658 1669
1659 1670 if (get_hard_max(left, &hard_max)) {
1660 1671 estate_set_hard_max(left_true_state);
1661 1672 estate_set_hard_max(left_false_state);
1662 1673 }
1663 1674 if (get_hard_max(right, &hard_max)) {
1664 1675 estate_set_hard_max(right_true_state);
1665 1676 estate_set_hard_max(right_false_state);
1666 1677 }
1667 1678
1668 1679 if (left_postop == SPECIAL_INCREMENT) {
1669 1680 left_true_state = increment_state(left_true_state);
1670 1681 left_false_state = increment_state(left_false_state);
1671 1682 }
1672 1683 if (left_postop == SPECIAL_DECREMENT) {
1673 1684 left_true_state = decrement_state(left_true_state);
1674 1685 left_false_state = decrement_state(left_false_state);
1675 1686 }
1676 1687 if (right_postop == SPECIAL_INCREMENT) {
1677 1688 right_true_state = increment_state(right_true_state);
1678 1689 right_false_state = increment_state(right_false_state);
1679 1690 }
1680 1691 if (right_postop == SPECIAL_DECREMENT) {
1681 1692 right_true_state = decrement_state(right_true_state);
1682 1693 right_false_state = decrement_state(right_false_state);
1683 1694 }
1684 1695
1685 1696 if (estate_rl(left_true_state) && estates_equiv(left_true_state, left_false_state)) {
1686 1697 left_true_state = NULL;
1687 1698 left_false_state = NULL;
1688 1699 }
1689 1700
1690 1701 if (estate_rl(right_true_state) && estates_equiv(right_true_state, right_false_state)) {
1691 1702 right_true_state = NULL;
1692 1703 right_false_state = NULL;
1693 1704 }
1694 1705
1695 1706 /* Don't introduce new states for known true/false conditions */
1696 1707 if (rl_equiv(left_orig, estate_rl(left_true_state)))
1697 1708 left_true_state = NULL;
1698 1709 if (rl_equiv(left_orig, estate_rl(left_false_state)))
1699 1710 left_false_state = NULL;
1700 1711 if (rl_equiv(right_orig, estate_rl(right_true_state)))
1701 1712 right_true_state = NULL;
1702 1713 if (rl_equiv(right_orig, estate_rl(right_false_state)))
1703 1714 right_false_state = NULL;
1704 1715
1705 1716 set_extra_expr_true_false(left, left_true_state, left_false_state);
1706 1717 set_extra_expr_true_false(right, right_true_state, right_false_state);
1707 1718 }
1708 1719
1709 1720 static int is_simple_math(struct expression *expr)
1710 1721 {
1711 1722 if (!expr)
1712 1723 return 0;
1713 1724 if (expr->type != EXPR_BINOP)
1714 1725 return 0;
1715 1726 switch (expr->op) {
1716 1727 case '+':
1717 1728 case '-':
1718 1729 case '*':
1719 1730 return 1;
1720 1731 }
1721 1732 return 0;
1722 1733 }
1723 1734
1724 1735 static int flip_op(int op)
1725 1736 {
1726 1737 /* We only care about simple math */
1727 1738 switch (op) {
1728 1739 case '+':
1729 1740 return '-';
1730 1741 case '-':
1731 1742 return '+';
1732 1743 case '*':
1733 1744 return '/';
1734 1745 }
1735 1746 return 0;
1736 1747 }
1737 1748
1738 1749 static void move_known_to_rl(struct expression **expr_p, struct range_list **rl_p)
1739 1750 {
1740 1751 struct expression *expr = *expr_p;
1741 1752 struct range_list *rl = *rl_p;
1742 1753 sval_t sval;
1743 1754
1744 1755 if (!is_simple_math(expr))
1745 1756 return;
1746 1757
1747 1758 if (get_implied_value(expr->right, &sval)) {
1748 1759 *expr_p = expr->left;
1749 1760 *rl_p = rl_binop(rl, flip_op(expr->op), alloc_rl(sval, sval));
1750 1761 move_known_to_rl(expr_p, rl_p);
1751 1762 return;
1752 1763 }
1753 1764 if (expr->op == '-')
1754 1765 return;
1755 1766 if (get_implied_value(expr->left, &sval)) {
1756 1767 *expr_p = expr->right;
1757 1768 *rl_p = rl_binop(rl, flip_op(expr->op), alloc_rl(sval, sval));
1758 1769 move_known_to_rl(expr_p, rl_p);
1759 1770 return;
1760 1771 }
1761 1772 }
1762 1773
1763 1774 static void move_known_values(struct expression **left_p, struct expression **right_p)
1764 1775 {
1765 1776 struct expression *left = *left_p;
1766 1777 struct expression *right = *right_p;
1767 1778 sval_t sval, dummy;
1768 1779
1769 1780 if (get_implied_value(left, &sval)) {
1770 1781 if (!is_simple_math(right))
1771 1782 return;
1772 1783 if (get_implied_value(right, &dummy))
1773 1784 return;
1774 1785 if (right->op == '*') {
1775 1786 sval_t divisor;
1776 1787
1777 1788 if (!get_value(right->right, &divisor))
1778 1789 return;
1779 1790 if (divisor.value == 0)
1780 1791 return;
1781 1792 *left_p = binop_expression(left, invert_op(right->op), right->right);
1782 1793 *right_p = right->left;
1783 1794 return;
1784 1795 }
1785 1796 if (right->op == '+' && get_value(right->left, &sval)) {
1786 1797 *left_p = binop_expression(left, invert_op(right->op), right->left);
1787 1798 *right_p = right->right;
1788 1799 return;
1789 1800 }
1790 1801 if (get_value(right->right, &sval)) {
1791 1802 *left_p = binop_expression(left, invert_op(right->op), right->right);
1792 1803 *right_p = right->left;
1793 1804 return;
1794 1805 }
1795 1806 return;
1796 1807 }
1797 1808 if (get_implied_value(right, &sval)) {
1798 1809 if (!is_simple_math(left))
1799 1810 return;
1800 1811 if (get_implied_value(left, &dummy))
1801 1812 return;
1802 1813 if (left->op == '*') {
1803 1814 sval_t divisor;
1804 1815
1805 1816 if (!get_value(left->right, &divisor))
1806 1817 return;
1807 1818 if (divisor.value == 0)
1808 1819 return;
1809 1820 *right_p = binop_expression(right, invert_op(left->op), left->right);
1810 1821 *left_p = left->left;
1811 1822 return;
1812 1823 }
1813 1824 if (left->op == '+' && get_value(left->left, &sval)) {
1814 1825 *right_p = binop_expression(right, invert_op(left->op), left->left);
1815 1826 *left_p = left->right;
1816 1827 return;
1817 1828 }
1818 1829
1819 1830 if (get_value(left->right, &sval)) {
1820 1831 *right_p = binop_expression(right, invert_op(left->op), left->right);
1821 1832 *left_p = left->left;
1822 1833 return;
1823 1834 }
1824 1835 return;
1825 1836 }
1826 1837 }
1827 1838
1828 1839 /*
1829 1840 * The reason for do_simple_algebra() is to solve things like:
1830 1841 * if (foo > 66 || foo + bar > 64) {
1831 1842 * "foo" is not really a known variable so it won't be handled by
1832 1843 * move_known_variables() but it's a super common idiom.
1833 1844 *
1834 1845 */
1835 1846 static int do_simple_algebra(struct expression **left_p, struct expression **right_p)
1836 1847 {
1837 1848 struct expression *left = *left_p;
1838 1849 struct expression *right = *right_p;
1839 1850 struct range_list *rl;
1840 1851 sval_t tmp;
1841 1852
1842 1853 if (left->type != EXPR_BINOP || left->op != '+')
1843 1854 return 0;
1844 1855 if (can_integer_overflow(get_type(left), left))
1845 1856 return 0;
1846 1857 if (!get_implied_value(right, &tmp))
1847 1858 return 0;
1848 1859
1849 1860 if (!get_implied_value(left->left, &tmp) &&
1850 1861 get_implied_rl(left->left, &rl) &&
1851 1862 !is_whole_rl(rl)) {
1852 1863 *right_p = binop_expression(right, '-', left->left);
1853 1864 *left_p = left->right;
1854 1865 return 1;
1855 1866 }
1856 1867 if (!get_implied_value(left->right, &tmp) &&
1857 1868 get_implied_rl(left->right, &rl) &&
1858 1869 !is_whole_rl(rl)) {
1859 1870 *right_p = binop_expression(right, '-', left->right);
1860 1871 *left_p = left->left;
1861 1872 return 1;
1862 1873 }
1863 1874
1864 1875 return 0;
1865 1876 }
1866 1877
1867 1878 static int match_func_comparison(struct expression *expr)
1868 1879 {
1869 1880 struct expression *left = strip_expr(expr->left);
1870 1881 struct expression *right = strip_expr(expr->right);
1871 1882
1872 1883 if (left->type == EXPR_CALL || right->type == EXPR_CALL) {
1873 1884 function_comparison(left, expr->op, right);
1874 1885 return 1;
1875 1886 }
1876 1887
1877 1888 return 0;
1878 1889 }
1879 1890
1880 1891 /* Handle conditions like "if (foo + bar < foo) {" */
1881 1892 static int handle_integer_overflow_test(struct expression *expr)
1882 1893 {
1883 1894 struct expression *left, *right;
1884 1895 struct symbol *type;
1885 1896 sval_t left_min, right_min, min, max;
1886 1897
1887 1898 if (expr->op != '<' && expr->op != SPECIAL_UNSIGNED_LT)
1888 1899 return 0;
1889 1900
1890 1901 left = strip_parens(expr->left);
1891 1902 right = strip_parens(expr->right);
1892 1903
1893 1904 if (left->op != '+')
1894 1905 return 0;
1895 1906
1896 1907 type = get_type(expr);
1897 1908 if (!type)
1898 1909 return 0;
1899 1910 if (type_positive_bits(type) == 32) {
1900 1911 max.type = &uint_ctype;
1901 1912 max.uvalue = (unsigned int)-1;
1902 1913 } else if (type_positive_bits(type) == 64) {
1903 1914 max.type = &ulong_ctype;
1904 1915 max.value = (unsigned long long)-1;
1905 1916 } else {
1906 1917 return 0;
1907 1918 }
1908 1919
1909 1920 if (!expr_equiv(left->left, right) && !expr_equiv(left->right, right))
1910 1921 return 0;
1911 1922
1912 1923 get_absolute_min(left->left, &left_min);
1913 1924 get_absolute_min(left->right, &right_min);
1914 1925 min = sval_binop(left_min, '+', right_min);
1915 1926
1916 1927 type = get_type(left);
1917 1928 min = sval_cast(type, min);
1918 1929 max = sval_cast(type, max);
1919 1930
1920 1931 set_extra_chunk_true_false(left, NULL, alloc_estate_range(min, max));
1921 1932 return 1;
1922 1933 }
1923 1934
1924 1935 static void match_comparison(struct expression *expr)
1925 1936 {
1926 1937 struct expression *left_orig = strip_parens(expr->left);
1927 1938 struct expression *right_orig = strip_parens(expr->right);
1928 1939 struct expression *left, *right, *tmp;
1929 1940 struct expression *prev;
1930 1941 struct symbol *type;
1931 1942 int redo, count;
1932 1943
1933 1944 if (match_func_comparison(expr))
1934 1945 return;
1935 1946
1936 1947 type = get_type(expr);
1937 1948 if (!type)
1938 1949 type = &llong_ctype;
1939 1950
1940 1951 if (handle_integer_overflow_test(expr))
1941 1952 return;
1942 1953
1943 1954 left = left_orig;
1944 1955 right = right_orig;
1945 1956 move_known_values(&left, &right);
1946 1957 handle_comparison(type, left, expr->op, right);
1947 1958
1948 1959 left = left_orig;
1949 1960 right = right_orig;
1950 1961 if (do_simple_algebra(&left, &right))
1951 1962 handle_comparison(type, left, expr->op, right);
1952 1963
1953 1964 prev = get_assigned_expr(left_orig);
1954 1965 if (is_simple_math(prev) && has_variable(prev, left_orig) == 0) {
1955 1966 left = prev;
1956 1967 right = right_orig;
1957 1968 move_known_values(&left, &right);
1958 1969 handle_comparison(type, left, expr->op, right);
1959 1970 }
1960 1971
1961 1972 prev = get_assigned_expr(right_orig);
1962 1973 if (is_simple_math(prev) && has_variable(prev, right_orig) == 0) {
1963 1974 left = left_orig;
1964 1975 right = prev;
1965 1976 move_known_values(&left, &right);
1966 1977 handle_comparison(type, left, expr->op, right);
1967 1978 }
1968 1979
1969 1980 redo = 0;
1970 1981 left = left_orig;
1971 1982 right = right_orig;
1972 1983 if (get_last_expr_from_expression_stmt(left_orig)) {
1973 1984 left = get_last_expr_from_expression_stmt(left_orig);
1974 1985 redo = 1;
1975 1986 }
1976 1987 if (get_last_expr_from_expression_stmt(right_orig)) {
1977 1988 right = get_last_expr_from_expression_stmt(right_orig);
1978 1989 redo = 1;
1979 1990 }
1980 1991
1981 1992 if (!redo)
1982 1993 return;
1983 1994
1984 1995 count = 0;
1985 1996 while ((tmp = get_assigned_expr(left))) {
1986 1997 if (count++ > 3)
1987 1998 break;
1988 1999 left = strip_expr(tmp);
1989 2000 }
1990 2001 count = 0;
1991 2002 while ((tmp = get_assigned_expr(right))) {
1992 2003 if (count++ > 3)
1993 2004 break;
1994 2005 right = strip_expr(tmp);
1995 2006 }
1996 2007
1997 2008 handle_comparison(type, left, expr->op, right);
1998 2009 }
1999 2010
2000 2011 static sval_t get_high_mask(sval_t known)
2001 2012 {
2002 2013 sval_t ret;
2003 2014 int i;
2004 2015
2005 2016 ret = known;
2006 2017 ret.value = 0;
2007 2018
2008 2019 for (i = type_bits(known.type) - 1; i >= 0; i--) {
2009 2020 if (known.uvalue & (1ULL << i))
2010 2021 ret.uvalue |= (1ULL << i);
2011 2022 else
2012 2023 return ret;
2013 2024
2014 2025 }
2015 2026 return ret;
2016 2027 }
2017 2028
2018 2029 static bool handle_bit_test(struct expression *expr)
2019 2030 {
2020 2031 struct range_list *orig_rl, *rl;
2021 2032 struct expression *shift, *mask, *var;
2022 2033 struct bit_info *bit_info;
2023 2034 sval_t sval;
2024 2035 sval_t high = { .type = &int_ctype };
2025 2036 sval_t low = { .type = &int_ctype };
2026 2037
2027 2038 shift = strip_expr(expr->right);
2028 2039 mask = strip_expr(expr->left);
2029 2040 if (shift->type != EXPR_BINOP || shift->op != SPECIAL_LEFTSHIFT) {
2030 2041 shift = strip_expr(expr->left);
2031 2042 mask = strip_expr(expr->right);
2032 2043 if (shift->type != EXPR_BINOP || shift->op != SPECIAL_LEFTSHIFT)
2033 2044 return false;
2034 2045 }
2035 2046 if (!get_implied_value(shift->left, &sval) || sval.value != 1)
2036 2047 return false;
2037 2048 var = strip_expr(shift->right);
2038 2049
2039 2050 bit_info = get_bit_info(mask);
2040 2051 if (!bit_info)
2041 2052 return false;
2042 2053 if (!bit_info->possible)
2043 2054 return false;
2044 2055
2045 2056 get_absolute_rl(var, &orig_rl);
2046 2057 if (sval_is_negative(rl_min(orig_rl)) ||
2047 2058 rl_max(orig_rl).uvalue > type_bits(get_type(shift->left)))
2048 2059 return false;
2049 2060
2050 2061 low.value = ffsll(bit_info->possible);
2051 2062 high.value = sm_fls64(bit_info->possible);
2052 2063 rl = alloc_rl(low, high);
2053 2064 rl = cast_rl(get_type(var), rl);
2054 2065 rl = rl_intersection(orig_rl, rl);
2055 2066 if (!rl)
2056 2067 return false;
2057 2068
2058 2069 set_extra_expr_true_false(shift->right, alloc_estate_rl(rl), NULL);
2059 2070
2060 2071 return true;
2061 2072 }
2062 2073
2063 2074 static void handle_AND_op(struct expression *var, sval_t known)
2064 2075 {
2065 2076 struct range_list *orig_rl;
2066 2077 struct range_list *true_rl = NULL;
2067 2078 struct range_list *false_rl = NULL;
2068 2079 int bit;
2069 2080 sval_t low_mask = known;
2070 2081 sval_t high_mask;
2071 2082 sval_t max;
2072 2083
2073 2084 get_absolute_rl(var, &orig_rl);
2074 2085
2075 2086 if (known.value > 0) {
2076 2087 bit = ffsll(known.value) - 1;
2077 2088 low_mask.uvalue = (1ULL << bit) - 1;
2078 2089 true_rl = remove_range(orig_rl, sval_type_val(known.type, 0), low_mask);
2079 2090 }
2080 2091 high_mask = get_high_mask(known);
2081 2092 if (high_mask.value) {
2082 2093 bit = ffsll(high_mask.value) - 1;
2083 2094 low_mask.uvalue = (1ULL << bit) - 1;
2084 2095
2085 2096 false_rl = orig_rl;
2086 2097 if (sval_is_negative(rl_min(orig_rl)))
2087 2098 false_rl = remove_range(false_rl, sval_type_min(known.type), sval_type_val(known.type, -1));
2088 2099 false_rl = remove_range(false_rl, low_mask, sval_type_max(known.type));
2089 2100 if (type_signed(high_mask.type) && type_unsigned(rl_type(false_rl))) {
2090 2101 false_rl = remove_range(false_rl,
2091 2102 sval_type_val(rl_type(false_rl), sval_type_max(known.type).uvalue),
2092 2103 sval_type_val(rl_type(false_rl), -1));
2093 2104 }
2094 2105 } else if (known.value == 1 &&
2095 2106 get_hard_max(var, &max) &&
2096 2107 sval_cmp(max, rl_max(orig_rl)) == 0 &&
2097 2108 max.value & 1) {
2098 2109 false_rl = remove_range(orig_rl, max, max);
2099 2110 }
2100 2111 set_extra_expr_true_false(var,
2101 2112 true_rl ? alloc_estate_rl(true_rl) : NULL,
2102 2113 false_rl ? alloc_estate_rl(false_rl) : NULL);
2103 2114 }
2104 2115
2105 2116 static void handle_AND_condition(struct expression *expr)
2106 2117 {
2107 2118 sval_t known;
2108 2119
2109 2120 if (handle_bit_test(expr))
2110 2121 return;
2111 2122
2112 2123 if (get_implied_value(expr->left, &known))
2113 2124 handle_AND_op(expr->right, known);
2114 2125 else if (get_implied_value(expr->right, &known))
2115 2126 handle_AND_op(expr->left, known);
2116 2127 }
2117 2128
2118 2129 static void handle_MOD_condition(struct expression *expr)
2119 2130 {
2120 2131 struct range_list *orig_rl;
2121 2132 struct range_list *true_rl;
2122 2133 struct range_list *false_rl = NULL;
2123 2134 sval_t right;
2124 2135 sval_t zero = { 0, };
2125 2136
2126 2137 if (!get_implied_value(expr->right, &right) || right.value == 0)
2127 2138 return;
2128 2139 get_absolute_rl(expr->left, &orig_rl);
2129 2140
2130 2141 zero.value = 0;
2131 2142 zero.type = rl_type(orig_rl);
2132 2143
2133 2144 /* We're basically dorking around the min and max here */
2134 2145 true_rl = remove_range(orig_rl, zero, zero);
2135 2146 if (!sval_is_max(rl_max(true_rl)) &&
2136 2147 !(rl_max(true_rl).value % right.value))
2137 2148 true_rl = remove_range(true_rl, rl_max(true_rl), rl_max(true_rl));
2138 2149
2139 2150 if (rl_equiv(true_rl, orig_rl))
2140 2151 true_rl = NULL;
2141 2152
2142 2153 if (sval_is_positive(rl_min(orig_rl)) &&
2143 2154 (rl_max(orig_rl).value - rl_min(orig_rl).value) / right.value < 5) {
2144 2155 sval_t add;
2145 2156 int i;
2146 2157
2147 2158 add = rl_min(orig_rl);
2148 2159 add.value += right.value - (add.value % right.value);
2149 2160 add.value -= right.value;
2150 2161
2151 2162 for (i = 0; i < 5; i++) {
2152 2163 add.value += right.value;
2153 2164 if (add.value > rl_max(orig_rl).value)
2154 2165 break;
2155 2166 add_range(&false_rl, add, add);
2156 2167 }
2157 2168 } else {
2158 2169 if (rl_min(orig_rl).uvalue != 0 &&
2159 2170 rl_min(orig_rl).uvalue < right.uvalue) {
2160 2171 sval_t chop = right;
2161 2172 chop.value--;
2162 2173 false_rl = remove_range(orig_rl, zero, chop);
2163 2174 }
2164 2175
2165 2176 if (!sval_is_max(rl_max(orig_rl)) &&
2166 2177 (rl_max(orig_rl).value % right.value)) {
2167 2178 sval_t chop = rl_max(orig_rl);
2168 2179 chop.value -= chop.value % right.value;
2169 2180 chop.value++;
2170 2181 if (!false_rl)
2171 2182 false_rl = clone_rl(orig_rl);
2172 2183 false_rl = remove_range(false_rl, chop, rl_max(orig_rl));
2173 2184 }
2174 2185 }
2175 2186
2176 2187 set_extra_expr_true_false(expr->left,
2177 2188 true_rl ? alloc_estate_rl(true_rl) : NULL,
2178 2189 false_rl ? alloc_estate_rl(false_rl) : NULL);
2179 2190 }
2180 2191
2181 2192 /* this is actually hooked from smatch_implied.c... it's hacky, yes */
2182 2193 void __extra_match_condition(struct expression *expr)
2183 2194 {
2184 2195 expr = strip_expr(expr);
2185 2196 switch (expr->type) {
2186 2197 case EXPR_CALL:
2187 2198 function_comparison(expr, SPECIAL_NOTEQUAL, zero_expr());
2188 2199 return;
2189 2200 case EXPR_PREOP:
2190 2201 case EXPR_SYMBOL:
2191 2202 case EXPR_DEREF:
2192 2203 handle_comparison(get_type(expr), expr, SPECIAL_NOTEQUAL, zero_expr());
2193 2204 return;
2194 2205 case EXPR_COMPARE:
2195 2206 match_comparison(expr);
2196 2207 return;
2197 2208 case EXPR_ASSIGNMENT:
2198 2209 __extra_match_condition(expr->left);
2199 2210 return;
2200 2211 case EXPR_BINOP:
2201 2212 if (expr->op == '&')
2202 2213 handle_AND_condition(expr);
2203 2214 if (expr->op == '%')
2204 2215 handle_MOD_condition(expr);
2205 2216 return;
2206 2217 }
2207 2218 }
2208 2219
2209 2220 static void assume_indexes_are_valid(struct expression *expr)
2210 2221 {
2211 2222 struct expression *array_expr;
2212 2223 int array_size;
2213 2224 struct expression *offset;
2214 2225 struct symbol *offset_type;
2215 2226 struct range_list *rl_before;
2216 2227 struct range_list *rl_after;
2217 2228 struct range_list *filter = NULL;
2218 2229 sval_t size;
2219 2230
2220 2231 expr = strip_expr(expr);
2221 2232 if (!is_array(expr))
2222 2233 return;
2223 2234
2224 2235 offset = get_array_offset(expr);
2225 2236 offset_type = get_type(offset);
2226 2237 if (offset_type && type_signed(offset_type)) {
2227 2238 filter = alloc_rl(sval_type_min(offset_type),
2228 2239 sval_type_val(offset_type, -1));
2229 2240 }
2230 2241
2231 2242 array_expr = get_array_base(expr);
2232 2243 array_size = get_real_array_size(array_expr);
2233 2244 if (array_size > 1) {
2234 2245 size = sval_type_val(offset_type, array_size);
2235 2246 add_range(&filter, size, sval_type_max(offset_type));
2236 2247 }
2237 2248
2238 2249 if (!filter)
2239 2250 return;
2240 2251 get_absolute_rl(offset, &rl_before);
2241 2252 rl_after = rl_filter(rl_before, filter);
2242 2253 if (rl_equiv(rl_before, rl_after))
2243 2254 return;
2244 2255 set_extra_expr_nomod(offset, alloc_estate_rl(rl_after));
2245 2256 }
2246 2257
2247 2258 /* returns 1 if it is not possible for expr to be value, otherwise returns 0 */
2248 2259 int implied_not_equal(struct expression *expr, long long val)
2249 2260 {
2250 2261 return !possibly_false(expr, SPECIAL_NOTEQUAL, value_expr(val));
2251 2262 }
2252 2263
2253 2264 int implied_not_equal_name_sym(char *name, struct symbol *sym, long long val)
2254 2265 {
2255 2266 struct smatch_state *estate;
2256 2267
2257 2268 estate = get_state(SMATCH_EXTRA, name, sym);
2258 2269 if (!estate)
2259 2270 return 0;
2260 2271 if (!rl_has_sval(estate_rl(estate), sval_type_val(estate_type(estate), 0)))
2261 2272 return 1;
2262 2273 return 0;
2263 2274 }
2264 2275
2265 2276 int parent_is_null_var_sym(const char *name, struct symbol *sym)
2266 2277 {
2267 2278 char buf[256];
2268 2279 char *start;
2269 2280 char *end;
2270 2281 struct smatch_state *state;
2271 2282
2272 2283 strncpy(buf, name, sizeof(buf) - 1);
2273 2284 buf[sizeof(buf) - 1] = '\0';
2274 2285
2275 2286 start = &buf[0];
2276 2287 while (*start == '*') {
2277 2288 start++;
2278 2289 state = __get_state(SMATCH_EXTRA, start, sym);
2279 2290 if (!state)
2280 2291 continue;
2281 2292 if (!estate_rl(state))
2282 2293 return 1;
2283 2294 if (estate_min(state).value == 0 &&
2284 2295 estate_max(state).value == 0)
2285 2296 return 1;
2286 2297 }
2287 2298
2288 2299 start = &buf[0];
2289 2300 while (*start == '&')
2290 2301 start++;
2291 2302
2292 2303 while ((end = strrchr(start, '-'))) {
2293 2304 *end = '\0';
2294 2305 state = __get_state(SMATCH_EXTRA, start, sym);
2295 2306 if (!state)
2296 2307 continue;
2297 2308 if (estate_min(state).value == 0 &&
2298 2309 estate_max(state).value == 0)
2299 2310 return 1;
2300 2311 }
2301 2312 return 0;
2302 2313 }
2303 2314
2304 2315 int parent_is_null(struct expression *expr)
2305 2316 {
2306 2317 struct symbol *sym;
2307 2318 char *var;
2308 2319 int ret = 0;
2309 2320
2310 2321 expr = strip_expr(expr);
2311 2322 var = expr_to_var_sym(expr, &sym);
2312 2323 if (!var || !sym)
2313 2324 goto free;
2314 2325 ret = parent_is_null_var_sym(var, sym);
2315 2326 free:
2316 2327 free_string(var);
2317 2328 return ret;
2318 2329 }
2319 2330
2320 2331 static int param_used_callback(void *found, int argc, char **argv, char **azColName)
2321 2332 {
2322 2333 *(int *)found = 1;
2323 2334 return 0;
2324 2335 }
2325 2336
2326 2337 static int is_kzalloc_info(struct sm_state *sm)
2327 2338 {
2328 2339 sval_t sval;
2329 2340
2330 2341 /*
2331 2342 * kzalloc() information is treated as special because so there is just
2332 2343 * a lot of stuff initialized to zero and it makes building the database
2333 2344 * take hours and hours.
2334 2345 *
2335 2346 * In theory, we should just remove this line and not pass any unused
2336 2347 * information, but I'm not sure enough that this code works so I want
2337 2348 * to hold off on that for now.
2338 2349 */
2339 2350 if (!estate_get_single_value(sm->state, &sval))
2340 2351 return 0;
2341 2352 if (sval.value != 0)
2342 2353 return 0;
2343 2354 return 1;
2344 2355 }
2345 2356
2346 2357 static int is_really_long(struct sm_state *sm)
2347 2358 {
2348 2359 const char *p;
2349 2360 int cnt = 0;
2350 2361
2351 2362 p = sm->name;
2352 2363 while ((p = strstr(p, "->"))) {
2353 2364 p += 2;
2354 2365 cnt++;
2355 2366 }
2356 2367
2357 2368 if (cnt < 3 ||
2358 2369 strlen(sm->name) < 40)
2359 2370 return 0;
2360 2371 return 1;
2361 2372 }
2362 2373
2363 2374 static int filter_unused_param_value_info(struct expression *call, int param, char *printed_name, struct sm_state *sm)
2364 2375 {
2365 2376 int found = 0;
2366 2377
2367 2378 /* for function pointers assume everything is used */
2368 2379 if (call->fn->type != EXPR_SYMBOL)
2369 2380 return 0;
2370 2381
2371 2382 /*
2372 2383 * This is to handle __builtin_mul_overflow(). In an ideal world we
2373 2384 * would only need this for invalid code.
2374 2385 *
2375 2386 */
2376 2387 if (!call->fn->symbol)
2377 2388 return 0;
2378 2389
2379 2390 if (!is_kzalloc_info(sm) && !is_really_long(sm))
2380 2391 return 0;
2381 2392
2382 2393 run_sql(¶m_used_callback, &found,
2383 2394 "select * from return_implies where %s and type = %d and parameter = %d and key = '%s';",
2384 2395 get_static_filter(call->fn->symbol), PARAM_USED, param, printed_name);
2385 2396 if (found)
2386 2397 return 0;
2387 2398
2388 2399 /* If the database is not built yet, then assume everything is used */
2389 2400 run_sql(¶m_used_callback, &found,
2390 2401 "select * from return_implies where %s and type = %d;",
2391 2402 get_static_filter(call->fn->symbol), PARAM_USED);
2392 2403 if (!found)
2393 2404 return 0;
2394 2405
2395 2406 return 1;
2396 2407 }
2397 2408
2398 2409 struct range_list *intersect_with_real_abs_var_sym(const char *name, struct symbol *sym, struct range_list *start)
2399 2410 {
2400 2411 struct smatch_state *state;
2401 2412
2402 2413 /*
2403 2414 * Here is the difference between implied value and real absolute, say
2404 2415 * you have:
2405 2416 *
2406 2417 * int a = (u8)x;
2407 2418 *
2408 2419 * Then you know that a is 0-255. That's real absolute. But you don't
2409 2420 * know for sure that it actually goes up to 255. So it's not implied.
2410 2421 * Implied indicates a degree of certainty.
2411 2422 *
2412 2423 * But then say you cap "a" at 8. That means you know it goes up to
2413 2424 * 8. So now the implied value is s32min-8. But you can combine it
2414 2425 * with the real absolute to say that actually it's 0-8.
2415 2426 *
2416 2427 * We are combining it here. But now that I think about it, this is
2417 2428 * probably not the ideal place to combine it because it should proably
2418 2429 * be done earlier. Oh well, this is an improvement on what was there
2419 2430 * before so I'm going to commit this code.
2420 2431 *
2421 2432 */
2422 2433
2423 2434 state = get_real_absolute_state_var_sym(name, sym);
2424 2435 if (!state || !estate_rl(state))
2425 2436 return start;
2426 2437
2427 2438 return rl_intersection(estate_rl(state), start);
2428 2439 }
2429 2440
2430 2441 struct range_list *intersect_with_real_abs_expr(struct expression *expr, struct range_list *start)
2431 2442 {
2432 2443 struct smatch_state *state;
2433 2444 struct range_list *abs_rl;
2434 2445
2435 2446 state = get_real_absolute_state(expr);
2436 2447 if (!state || !estate_rl(state))
2437 2448 return start;
2438 2449
2439 2450 abs_rl = cast_rl(rl_type(start), estate_rl(state));
2440 2451 return rl_intersection(abs_rl, start);
2441 2452 }
2442 2453
2443 2454 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
2444 2455 {
2445 2456 struct range_list *rl;
2446 2457 sval_t dummy;
2447 2458
2448 2459 if (estate_is_whole(sm->state) || !estate_rl(sm->state))
2449 2460 return;
2450 2461 if (filter_unused_param_value_info(call, param, printed_name, sm))
2451 2462 return;
2452 2463 rl = estate_rl(sm->state);
2453 2464 rl = intersect_with_real_abs_var_sym(sm->name, sm->sym, rl);
2454 2465 if (!rl)
2455 2466 return;
2456 2467 sql_insert_caller_info(call, PARAM_VALUE, param, printed_name, show_rl(rl));
2457 2468 if (!estate_get_single_value(sm->state, &dummy)) {
2458 2469 if (estate_has_hard_max(sm->state))
2459 2470 sql_insert_caller_info(call, HARD_MAX, param, printed_name,
2460 2471 sval_to_str(estate_max(sm->state)));
2461 2472 if (estate_has_fuzzy_max(sm->state))
2462 2473 sql_insert_caller_info(call, FUZZY_MAX, param, printed_name,
2463 2474 sval_to_str(estate_get_fuzzy_max(sm->state)));
2464 2475 }
2465 2476 }
2466 2477
2467 2478 static void returned_struct_members(int return_id, char *return_ranges, struct expression *expr)
2468 2479 {
2469 2480 struct symbol *returned_sym;
2470 2481 char *returned_name;
2471 2482 struct sm_state *sm;
2472 2483 char *compare_str;
2473 2484 char name_buf[256];
2474 2485 char val_buf[256];
2475 2486 int len;
2476 2487
2477 2488 // FIXME handle *$
2478 2489
2479 2490 if (!is_pointer(expr))
2480 2491 return;
2481 2492
2482 2493 returned_name = expr_to_var_sym(expr, &returned_sym);
2483 2494 if (!returned_name || !returned_sym)
2484 2495 goto free;
2485 2496 len = strlen(returned_name);
2486 2497
2487 2498 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
2488 2499 if (!estate_rl(sm->state))
2489 2500 continue;
2490 2501 if (returned_sym != sm->sym)
2491 2502 continue;
2492 2503 if (strncmp(returned_name, sm->name, len) != 0)
2493 2504 continue;
2494 2505 if (sm->name[len] != '-')
2495 2506 continue;
2496 2507
2497 2508 snprintf(name_buf, sizeof(name_buf), "$%s", sm->name + len);
2498 2509
2499 2510 compare_str = name_sym_to_param_comparison(sm->name, sm->sym);
2500 2511 if (!compare_str && estate_is_whole(sm->state))
2501 2512 continue;
2502 2513 snprintf(val_buf, sizeof(val_buf), "%s%s", sm->state->name, compare_str ?: "");
2503 2514
2504 2515 sql_insert_return_states(return_id, return_ranges, PARAM_VALUE,
2505 2516 -1, name_buf, val_buf);
2506 2517 } END_FOR_EACH_SM(sm);
2507 2518
2508 2519 free:
2509 2520 free_string(returned_name);
2510 2521 }
2511 2522
2512 2523 static void db_limited_before(void)
2513 2524 {
2514 2525 unmatched_stree = clone_stree(__get_cur_stree());
2515 2526 }
2516 2527
2517 2528 static void db_limited_after(void)
2518 2529 {
2519 2530 free_stree(&unmatched_stree);
2520 2531 }
2521 2532
2522 2533 static int basically_the_same(struct range_list *orig, struct range_list *new)
2523 2534 {
2524 2535 if (rl_equiv(orig, new))
2525 2536 return 1;
2526 2537
2527 2538 /*
2528 2539 * The whole range is essentially the same as 0,4096-27777777777 so
2529 2540 * don't overwrite the implications just to store that.
2530 2541 *
2531 2542 */
2532 2543 if (rl_type(orig)->type == SYM_PTR &&
2533 2544 is_whole_rl(orig) &&
2534 2545 rl_min(new).value == 0 &&
2535 2546 rl_max(new).value == valid_ptr_max)
2536 2547 return 1;
2537 2548 return 0;
2538 2549 }
2539 2550
2540 2551 static void db_param_limit_binops(struct expression *arg, char *key, struct range_list *rl)
2541 2552 {
2542 2553 struct range_list *left_rl;
2543 2554 sval_t zero = { .type = rl_type(rl), };
2544 2555 sval_t sval;
2545 2556
2546 2557 if (arg->op != '*')
2547 2558 return;
2548 2559 if (!get_implied_value(arg->right, &sval))
2549 2560 return;
2550 2561 if (can_integer_overflow(get_type(arg), arg))
2551 2562 return;
2552 2563
2553 2564 left_rl = rl_binop(rl, '/', alloc_rl(sval, sval));
2554 2565 if (!rl_has_sval(rl, zero))
2555 2566 left_rl = remove_range(left_rl, zero, zero);
2556 2567
2557 2568 set_extra_expr_nomod(arg->left, alloc_estate_rl(left_rl));
2558 2569 }
2559 2570
2560 2571 static void db_param_limit_filter(struct expression *expr, int param, char *key, char *value, enum info_type op)
2561 2572 {
2562 2573 struct expression *arg;
2563 2574 char *name;
2564 2575 struct symbol *sym;
2565 2576 struct var_sym_list *vsl = NULL;
2566 2577 struct sm_state *sm;
2567 2578 struct symbol *compare_type, *var_type;
2568 2579 struct range_list *rl;
2569 2580 struct range_list *limit;
2570 2581 struct range_list *new;
2571 2582 char *other_name;
2572 2583 struct symbol *other_sym;
2573 2584
2574 2585 while (expr->type == EXPR_ASSIGNMENT)
2575 2586 expr = strip_expr(expr->right);
2576 2587 if (expr->type != EXPR_CALL)
2577 2588 return;
2578 2589
2579 2590 arg = get_argument_from_call_expr(expr->args, param);
2580 2591 if (!arg)
2581 2592 return;
2582 2593
2583 2594 if (strcmp(key, "$") == 0)
2584 2595 compare_type = get_arg_type(expr->fn, param);
2585 2596 else
2586 2597 compare_type = get_member_type_from_key(arg, key);
2587 2598
2588 2599 call_results_to_rl(expr, compare_type, value, &limit);
2589 2600 if (strcmp(key, "$") == 0)
2590 2601 move_known_to_rl(&arg, &limit);
2591 2602 name = get_chunk_from_key(arg, key, &sym, &vsl);
2592 2603 if (!name)
2593 2604 return;
2594 2605 if (op != PARAM_LIMIT && !sym)
2595 2606 goto free;
2596 2607
2597 2608 sm = get_sm_state(SMATCH_EXTRA, name, sym);
2598 2609 if (sm)
2599 2610 rl = estate_rl(sm->state);
2600 2611 else
2601 2612 rl = alloc_whole_rl(compare_type);
2602 2613
2603 2614 if (op == PARAM_LIMIT && !rl_fits_in_type(rl, compare_type))
2604 2615 goto free;
2605 2616
2606 2617 new = rl_intersection(rl, limit);
2607 2618
2608 2619 var_type = get_member_type_from_key(arg, key);
2609 2620 new = cast_rl(var_type, new);
2610 2621
2611 2622 /* We want to preserve the implications here */
2612 2623 if (sm && basically_the_same(rl, new))
2613 2624 goto free;
2614 2625 other_name = get_other_name_sym(name, sym, &other_sym);
2615 2626
2616 2627 if (op == PARAM_LIMIT)
2617 2628 set_extra_nomod_vsl(name, sym, vsl, NULL, alloc_estate_rl(new));
2618 2629 else
2619 2630 set_extra_mod(name, sym, NULL, alloc_estate_rl(new));
2620 2631
2621 2632 if (other_name && other_sym) {
2622 2633 if (op == PARAM_LIMIT)
2623 2634 set_extra_nomod_vsl(other_name, other_sym, vsl, NULL, alloc_estate_rl(new));
2624 2635 else
2625 2636 set_extra_mod(other_name, other_sym, NULL, alloc_estate_rl(new));
2626 2637 }
2627 2638
2628 2639 if (op == PARAM_LIMIT && arg->type == EXPR_BINOP)
2629 2640 db_param_limit_binops(arg, key, new);
2630 2641 free:
2631 2642 free_string(name);
2632 2643 }
2633 2644
2634 2645 static void db_param_limit(struct expression *expr, int param, char *key, char *value)
2635 2646 {
2636 2647 db_param_limit_filter(expr, param, key, value, PARAM_LIMIT);
2637 2648 }
2638 2649
2639 2650 static void db_param_filter(struct expression *expr, int param, char *key, char *value)
2640 2651 {
2641 2652 db_param_limit_filter(expr, param, key, value, PARAM_FILTER);
2642 2653 }
2643 2654
2644 2655 static void db_param_add_set(struct expression *expr, int param, char *key, char *value, enum info_type op)
2645 2656 {
2646 2657 struct expression *arg, *gen_expr;
2647 2658 char *name;
2648 2659 char *other_name = NULL;
2649 2660 struct symbol *sym, *other_sym;
2650 2661 struct symbol *param_type, *arg_type;
2651 2662 struct smatch_state *state;
2652 2663 struct range_list *new = NULL;
2653 2664 struct range_list *added = NULL;
2654 2665
2655 2666 while (expr->type == EXPR_ASSIGNMENT)
2656 2667 expr = strip_expr(expr->right);
2657 2668 if (expr->type != EXPR_CALL)
2658 2669 return;
2659 2670
2660 2671 arg = get_argument_from_call_expr(expr->args, param);
2661 2672 if (!arg)
2662 2673 return;
2663 2674
2664 2675 arg_type = get_arg_type_from_key(expr->fn, param, arg, key);
2665 2676 param_type = get_member_type_from_key(arg, key);
2666 2677 if (param_type && param_type->type == SYM_STRUCT)
2667 2678 return;
2668 2679 name = get_variable_from_key(arg, key, &sym);
2669 2680 if (!name || !sym)
2670 2681 goto free;
2671 2682 gen_expr = gen_expression_from_key(arg, key);
2672 2683
2673 2684 state = get_state(SMATCH_EXTRA, name, sym);
2674 2685 if (state)
2675 2686 new = estate_rl(state);
2676 2687
2677 2688 call_results_to_rl(expr, arg_type, value, &added);
2678 2689 added = cast_rl(param_type, added);
2679 2690 if (op == PARAM_SET)
2680 2691 new = added;
2681 2692 else
2682 2693 new = rl_union(new, added);
2683 2694
2684 2695 other_name = get_other_name_sym_nostack(name, sym, &other_sym);
2685 2696 set_extra_mod(name, sym, gen_expr, alloc_estate_rl(new));
2686 2697 if (other_name && other_sym)
2687 2698 set_extra_mod(other_name, other_sym, gen_expr, alloc_estate_rl(new));
2688 2699 free:
2689 2700 free_string(other_name);
2690 2701 free_string(name);
2691 2702 }
2692 2703
2693 2704 static void db_param_add(struct expression *expr, int param, char *key, char *value)
2694 2705 {
2695 2706 in_param_set = true;
2696 2707 db_param_add_set(expr, param, key, value, PARAM_ADD);
2697 2708 in_param_set = false;
2698 2709 }
2699 2710
2700 2711 static void db_param_set(struct expression *expr, int param, char *key, char *value)
2701 2712 {
2702 2713 in_param_set = true;
2703 2714 db_param_add_set(expr, param, key, value, PARAM_SET);
2704 2715 in_param_set = false;
2705 2716 }
2706 2717
2707 2718 static void match_lost_param(struct expression *call, int param)
2708 2719 {
2709 2720 struct expression *arg;
2710 2721
2711 2722 if (is_const_param(call->fn, param))
2712 2723 return;
2713 2724
2714 2725 arg = get_argument_from_call_expr(call->args, param);
2715 2726 if (!arg)
2716 2727 return;
2717 2728
2718 2729 arg = strip_expr(arg);
2719 2730 if (arg->type == EXPR_PREOP && arg->op == '&')
2720 2731 set_extra_expr_mod(arg->unop, alloc_estate_whole(get_type(arg->unop)));
2721 2732 else
2722 2733 ; /* if pointer then set struct members, maybe?*/
2723 2734 }
2724 2735
2725 2736 static void db_param_value(struct expression *expr, int param, char *key, char *value)
2726 2737 {
2727 2738 struct expression *call;
2728 2739 char *name;
2729 2740 struct symbol *sym;
2730 2741 struct symbol *type;
2731 2742 struct range_list *rl = NULL;
2732 2743
2733 2744 if (param != -1)
2734 2745 return;
2735 2746
2736 2747 call = expr;
2737 2748 while (call->type == EXPR_ASSIGNMENT)
2738 2749 call = strip_expr(call->right);
2739 2750 if (call->type != EXPR_CALL)
2740 2751 return;
2741 2752
2742 2753 type = get_member_type_from_key(expr->left, key);
2743 2754 name = get_variable_from_key(expr->left, key, &sym);
2744 2755 if (!name || !sym)
2745 2756 goto free;
2746 2757
2747 2758 call_results_to_rl(call, type, value, &rl);
2748 2759
2749 2760 set_extra_mod(name, sym, NULL, alloc_estate_rl(rl));
2750 2761 free:
2751 2762 free_string(name);
2752 2763 }
2753 2764
2754 2765 static void match_call_info(struct expression *expr)
2755 2766 {
2756 2767 struct smatch_state *state;
2757 2768 struct range_list *rl = NULL;
2758 2769 struct expression *arg;
2759 2770 struct symbol *type;
2760 2771 sval_t dummy;
2761 2772 int i = 0;
2762 2773
2763 2774 FOR_EACH_PTR(expr->args, arg) {
2764 2775 type = get_arg_type(expr->fn, i);
2765 2776
2766 2777 get_absolute_rl(arg, &rl);
2767 2778 rl = cast_rl(type, rl);
2768 2779
2769 2780 if (!is_whole_rl(rl)) {
2770 2781 rl = intersect_with_real_abs_expr(arg, rl);
2771 2782 sql_insert_caller_info(expr, PARAM_VALUE, i, "$", show_rl(rl));
2772 2783 }
2773 2784 state = get_state_expr(SMATCH_EXTRA, arg);
2774 2785 if (!estate_get_single_value(state, &dummy) && estate_has_hard_max(state)) {
2775 2786 sql_insert_caller_info(expr, HARD_MAX, i, "$",
2776 2787 sval_to_str(estate_max(state)));
2777 2788 }
2778 2789 if (estate_has_fuzzy_max(state)) {
2779 2790 sql_insert_caller_info(expr, FUZZY_MAX, i, "$",
2780 2791 sval_to_str(estate_get_fuzzy_max(state)));
2781 2792 }
2782 2793 i++;
2783 2794 } END_FOR_EACH_PTR(arg);
2784 2795 }
2785 2796
2786 2797 static void set_param_value(const char *name, struct symbol *sym, char *key, char *value)
2787 2798 {
2788 2799 struct expression *expr;
2789 2800 struct range_list *rl = NULL;
2790 2801 struct smatch_state *state;
2791 2802 struct symbol *type;
2792 2803 char fullname[256];
2793 2804 char *key_orig = key;
2794 2805 bool add_star = false;
2795 2806 sval_t dummy;
2796 2807
2797 2808 if (key[0] == '*') {
2798 2809 add_star = true;
2799 2810 key++;
2800 2811 }
2801 2812
2802 2813 snprintf(fullname, 256, "%s%s%s", add_star ? "*" : "", name, key + 1);
2803 2814
2804 2815 expr = symbol_expression(sym);
2805 2816 type = get_member_type_from_key(expr, key_orig);
2806 2817 str_to_rl(type, value, &rl);
2807 2818 state = alloc_estate_rl(rl);
2808 2819 if (estate_get_single_value(state, &dummy))
2809 2820 estate_set_hard_max(state);
2810 2821 set_state(SMATCH_EXTRA, fullname, sym, state);
2811 2822 }
2812 2823
2813 2824 static void set_param_fuzzy_max(const char *name, struct symbol *sym, char *key, char *value)
2814 2825 {
2815 2826 struct range_list *rl = NULL;
2816 2827 struct smatch_state *state;
2817 2828 struct symbol *type;
2818 2829 char fullname[256];
2819 2830 sval_t max;
2820 2831
2821 2832 if (strcmp(key, "*$") == 0)
2822 2833 snprintf(fullname, sizeof(fullname), "*%s", name);
2823 2834 else if (strncmp(key, "$", 1) == 0)
2824 2835 snprintf(fullname, 256, "%s%s", name, key + 1);
2825 2836 else
2826 2837 return;
2827 2838
2828 2839 state = get_state(SMATCH_EXTRA, fullname, sym);
2829 2840 if (!state)
2830 2841 return;
2831 2842 type = estate_type(state);
2832 2843 str_to_rl(type, value, &rl);
2833 2844 if (!rl_to_sval(rl, &max))
2834 2845 return;
2835 2846 estate_set_fuzzy_max(state, max);
2836 2847 }
2837 2848
2838 2849 static void set_param_hard_max(const char *name, struct symbol *sym, char *key, char *value)
2839 2850 {
2840 2851 struct smatch_state *state;
2841 2852 char fullname[256];
2842 2853
2843 2854 if (strcmp(key, "*$") == 0)
2844 2855 snprintf(fullname, sizeof(fullname), "*%s", name);
2845 2856 else if (strncmp(key, "$", 1) == 0)
2846 2857 snprintf(fullname, 256, "%s%s", name, key + 1);
2847 2858 else
2848 2859 return;
2849 2860
2850 2861 state = get_state(SMATCH_EXTRA, fullname, sym);
2851 2862 if (!state)
2852 2863 return;
2853 2864 estate_set_hard_max(state);
2854 2865 }
2855 2866
2856 2867 struct sm_state *get_extra_sm_state(struct expression *expr)
2857 2868 {
2858 2869 char *name;
2859 2870 struct symbol *sym;
2860 2871 struct sm_state *ret = NULL;
2861 2872
2862 2873 name = expr_to_known_chunk_sym(expr, &sym);
2863 2874 if (!name)
2864 2875 goto free;
2865 2876
2866 2877 ret = get_sm_state(SMATCH_EXTRA, name, sym);
2867 2878 free:
2868 2879 free_string(name);
2869 2880 return ret;
2870 2881 }
2871 2882
2872 2883 struct smatch_state *get_extra_state(struct expression *expr)
2873 2884 {
2874 2885 struct sm_state *sm;
2875 2886
2876 2887 sm = get_extra_sm_state(expr);
2877 2888 if (!sm)
2878 2889 return NULL;
2879 2890 return sm->state;
2880 2891 }
2881 2892
2882 2893 void register_smatch_extra(int id)
2883 2894 {
2884 2895 my_id = id;
2885 2896
2886 2897 set_dynamic_states(my_id);
2887 2898 add_merge_hook(my_id, &merge_estates);
2888 2899 add_unmatched_state_hook(my_id, &unmatched_state);
2889 2900 select_caller_info_hook(set_param_value, PARAM_VALUE);
2890 2901 select_caller_info_hook(set_param_fuzzy_max, FUZZY_MAX);
2891 2902 select_caller_info_hook(set_param_hard_max, HARD_MAX);
2892 2903 select_return_states_before(&db_limited_before);
2893 2904 select_return_states_hook(PARAM_LIMIT, &db_param_limit);
2894 2905 select_return_states_hook(PARAM_FILTER, &db_param_filter);
2895 2906 select_return_states_hook(PARAM_ADD, &db_param_add);
2896 2907 select_return_states_hook(PARAM_SET, &db_param_set);
2897 2908 add_lost_param_hook(&match_lost_param);
2898 2909 select_return_states_hook(PARAM_VALUE, &db_param_value);
2899 2910 select_return_states_after(&db_limited_after);
2900 2911 }
2901 2912
2902 2913 static void match_link_modify(struct sm_state *sm, struct expression *mod_expr)
2903 2914 {
2904 2915 struct var_sym_list *links;
2905 2916 struct var_sym *tmp;
2906 2917 struct smatch_state *state;
2907 2918
2908 2919 links = sm->state->data;
2909 2920
2910 2921 FOR_EACH_PTR(links, tmp) {
2911 2922 if (sm->sym == tmp->sym &&
2912 2923 strcmp(sm->name, tmp->var) == 0)
2913 2924 continue;
2914 2925 state = get_state(SMATCH_EXTRA, tmp->var, tmp->sym);
2915 2926 if (!state)
2916 2927 continue;
2917 2928 set_state(SMATCH_EXTRA, tmp->var, tmp->sym, alloc_estate_whole(estate_type(state)));
2918 2929 } END_FOR_EACH_PTR(tmp);
2919 2930 set_state(link_id, sm->name, sm->sym, &undefined);
2920 2931 }
2921 2932
2922 2933 void register_smatch_extra_links(int id)
2923 2934 {
2924 2935 link_id = id;
2925 2936 set_dynamic_states(link_id);
2926 2937 }
2927 2938
2928 2939 void register_smatch_extra_late(int id)
2929 2940 {
2930 2941 add_merge_hook(link_id, &merge_link_states);
2931 2942 add_modification_hook(link_id, &match_link_modify);
2932 2943 add_hook(&match_dereferences, DEREF_HOOK);
2933 2944 add_hook(&match_pointer_as_array, OP_HOOK);
2934 2945 select_return_implies_hook(DEREFERENCE, &set_param_dereferenced);
2935 2946 add_hook(&match_function_call, FUNCTION_CALL_HOOK);
2936 2947 add_hook(&match_assign, ASSIGNMENT_HOOK);
2937 2948 add_hook(&match_assign, GLOBAL_ASSIGNMENT_HOOK);
2938 2949 add_hook(&unop_expr, OP_HOOK);
2939 2950 add_hook(&asm_expr, ASM_HOOK);
2940 2951
2941 2952 add_hook(&match_call_info, FUNCTION_CALL_HOOK);
2942 2953 add_member_info_callback(my_id, struct_member_callback);
2943 2954 add_split_return_callback(&returned_struct_members);
2944 2955
2945 2956 // add_hook(&assume_indexes_are_valid, OP_HOOK);
2946 2957 }
|
↓ open down ↓ |
1843 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX