Print this page
12724 update smatch to 0.6.1-rc1-il-5
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/tools/smatch/src/check_kernel.c
+++ new/usr/src/tools/smatch/src/check_kernel.c
1 1 /*
2 2 * Copyright (C) 2010 Dan Carpenter.
3 3 *
4 4 * This program is free software; you can redistribute it and/or
5 5 * modify it under the terms of the GNU General Public License
6 6 * as published by the Free Software Foundation; either version 2
7 7 * of the License, or (at your option) any later version.
8 8 *
9 9 * This program is distributed in the hope that it will be useful,
10 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 * GNU General Public License for more details.
13 13 *
14 14 * You should have received a copy of the GNU General Public License
15 15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 16 */
17 17
18 18 /*
19 19 * This is kernel specific stuff for smatch_extra.
20 20 */
21 21
22 22 #include "scope.h"
23 23 #include "smatch.h"
24 24 #include "smatch_extra.h"
|
↓ open down ↓ |
24 lines elided |
↑ open up ↑ |
25 25
26 26 static sval_t err_ptr_min;
27 27 static sval_t err_ptr_max;
28 28 static sval_t null_ptr;
29 29
30 30 static int implied_err_cast_return(struct expression *call, void *unused, struct range_list **rl)
31 31 {
32 32 struct expression *arg;
33 33
34 34 arg = get_argument_from_call_expr(call->args, 0);
35 - if (!get_implied_rl(arg, rl)) {
35 + if (!get_implied_rl(arg, rl))
36 36 *rl = alloc_rl(err_ptr_min, err_ptr_max);
37 - *rl = cast_rl(get_type(arg), *rl);
38 - }
37 +
38 + *rl = cast_rl(get_type(call), *rl);
39 39 return 1;
40 40 }
41 41
42 42 static void hack_ERR_PTR(struct symbol *sym)
43 43 {
44 44 struct symbol *arg;
45 45 struct smatch_state *estate;
46 46 struct range_list *after;
47 47 sval_t low_error;
48 48 sval_t minus_one;
49 49 sval_t zero;
50 50
51 51 low_error.type = &long_ctype;
52 52 low_error.value = -4095;
53 53
54 54 minus_one.type = &long_ctype;
55 55 minus_one.value = -1;
56 56
57 57 zero.type = &long_ctype;
58 58 zero.value = 0;
59 59
60 60 if (!sym || !sym->ident)
61 61 return;
62 62 if (strcmp(sym->ident->name, "ERR_PTR") != 0)
63 63 return;
64 64
65 65 arg = first_ptr_list((struct ptr_list *)sym->ctype.base_type->arguments);
66 66 if (!arg || !arg->ident)
67 67 return;
68 68
69 69 estate = get_state(SMATCH_EXTRA, arg->ident->name, arg);
70 70 if (!estate) {
71 71 after = alloc_rl(low_error, minus_one);
72 72 } else {
73 73 after = rl_intersection(estate_rl(estate), alloc_rl(low_error, zero));
74 74 if (rl_equiv(estate_rl(estate), after))
75 75 return;
76 76 }
77 77 set_state(SMATCH_EXTRA, arg->ident->name, arg, alloc_estate_rl(after));
78 78 }
79 79
80 80 static void match_param_valid_ptr(const char *fn, struct expression *call_expr,
81 81 struct expression *assign_expr, void *_param)
82 82 {
83 83 int param = PTR_INT(_param);
84 84 struct expression *arg;
85 85 struct smatch_state *pre_state;
86 86 struct smatch_state *end_state;
87 87 struct range_list *rl;
88 88
89 89 arg = get_argument_from_call_expr(call_expr->args, param);
90 90 pre_state = get_state_expr(SMATCH_EXTRA, arg);
91 91 if (estate_rl(pre_state)) {
92 92 rl = estate_rl(pre_state);
93 93 rl = remove_range(rl, null_ptr, null_ptr);
94 94 rl = remove_range(rl, err_ptr_min, err_ptr_max);
95 95 } else {
96 96 rl = alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
97 97 }
98 98 end_state = alloc_estate_rl(rl);
99 99 set_extra_expr_nomod(arg, end_state);
100 100 }
101 101
102 102 static void match_param_err_or_null(const char *fn, struct expression *call_expr,
103 103 struct expression *assign_expr, void *_param)
104 104 {
105 105 int param = PTR_INT(_param);
106 106 struct expression *arg;
107 107 struct range_list *pre, *rl;
108 108 struct smatch_state *pre_state;
109 109 struct smatch_state *end_state;
110 110
111 111 arg = get_argument_from_call_expr(call_expr->args, param);
112 112 pre_state = get_state_expr(SMATCH_EXTRA, arg);
113 113 if (pre_state)
114 114 pre = estate_rl(pre_state);
115 115 else
116 116 pre = alloc_whole_rl(&ptr_ctype);
117 117 call_results_to_rl(call_expr, &ptr_ctype, "0,(-4095)-(-1)", &rl);
118 118 rl = rl_intersection(pre, rl);
119 119 rl = cast_rl(get_type(arg), rl);
120 120 end_state = alloc_estate_rl(rl);
121 121 set_extra_expr_nomod(arg, end_state);
122 122 }
|
↓ open down ↓ |
74 lines elided |
↑ open up ↑ |
123 123
124 124 static void match_not_err(const char *fn, struct expression *call_expr,
125 125 struct expression *assign_expr, void *unused)
126 126 {
127 127 struct expression *arg;
128 128 struct smatch_state *pre_state;
129 129 struct range_list *rl;
130 130
131 131 arg = get_argument_from_call_expr(call_expr->args, 0);
132 132 pre_state = get_state_expr(SMATCH_EXTRA, arg);
133 - if (estate_rl(pre_state)) {
134 - rl = estate_rl(pre_state);
135 - rl = remove_range(rl, err_ptr_min, err_ptr_max);
136 - } else {
137 - rl = alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
138 - }
133 + if (pre_state)
134 + return;
135 + rl = alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
139 136 rl = cast_rl(get_type(arg), rl);
140 137 set_extra_expr_nomod(arg, alloc_estate_rl(rl));
141 138 }
142 139
143 140 static void match_err(const char *fn, struct expression *call_expr,
144 141 struct expression *assign_expr, void *unused)
145 142 {
146 143 struct expression *arg;
147 144 struct smatch_state *pre_state;
148 145 struct range_list *rl;
149 146
150 147 arg = get_argument_from_call_expr(call_expr->args, 0);
151 148 pre_state = get_state_expr(SMATCH_EXTRA, arg);
152 149 rl = estate_rl(pre_state);
153 150 if (!rl)
154 151 rl = alloc_rl(err_ptr_min, err_ptr_max);
155 152 rl = rl_intersection(rl, alloc_rl(err_ptr_min, err_ptr_max));
156 153 rl = cast_rl(get_type(arg), rl);
154 + if (pre_state && rl) {
155 + /*
156 + * Ideally this would all be handled by smatch_implied.c
157 + * but it doesn't work very well for impossible paths.
158 + *
159 + */
160 + return;
161 + }
157 162 set_extra_expr_nomod(arg, alloc_estate_rl(rl));
158 163 }
159 164
160 165 static void match_container_of_macro(const char *fn, struct expression *expr, void *unused)
161 166 {
162 167 set_extra_expr_mod(expr->left, alloc_estate_range(valid_ptr_min_sval, valid_ptr_max_sval));
163 168 }
164 169
165 170 static void match_container_of(struct expression *expr)
166 171 {
167 172 struct expression *right = expr->right;
168 173 char *macro;
169 174
170 175 /*
171 176 * The problem here is that sometimes the container_of() macro is itself
172 177 * inside a macro and get_macro() only returns the name of the outside
173 178 * macro.
174 179 */
175 180
176 181 /*
177 182 * This actually an expression statement assignment but smatch_flow
178 183 * pre-mangles it for us so we only get the last chunk:
179 184 * sk = (typeof(sk))((char *)__mptr - offsetof(...))
180 185 */
181 186
182 187 macro = get_macro_name(right->pos);
183 188 if (!macro)
184 189 return;
185 190 if (right->type != EXPR_CAST)
186 191 return;
187 192 right = strip_expr(right);
188 193 if (right->type != EXPR_BINOP || right->op != '-' ||
189 194 right->left->type != EXPR_CAST)
190 195 return;
191 196 right = strip_expr(right->left);
192 197 if (right->type != EXPR_SYMBOL)
193 198 return;
194 199 if (!right->symbol->ident ||
195 200 strcmp(right->symbol->ident->name, "__mptr") != 0)
196 201 return;
197 202 set_extra_expr_mod(expr->left, alloc_estate_range(valid_ptr_min_sval, valid_ptr_max_sval));
198 203 }
199 204
200 205 static int match_next_bit(struct expression *call, void *unused, struct range_list **rl)
201 206 {
202 207 struct expression *start_arg;
203 208 struct expression *size_arg;
204 209 struct symbol *type;
205 210 sval_t min, max, tmp;
206 211
207 212 size_arg = get_argument_from_call_expr(call->args, 1);
208 213 /* btw. there isn't a start_arg for find_first_bit() */
209 214 start_arg = get_argument_from_call_expr(call->args, 2);
210 215
211 216 type = get_type(call);
212 217 min = sval_type_val(type, 0);
213 218 max = sval_type_val(type, sizeof(long long) * 8);
214 219
215 220 if (get_implied_max(size_arg, &tmp) && tmp.uvalue < max.value)
216 221 max = tmp;
217 222 if (start_arg && get_implied_min(start_arg, &tmp) && !sval_is_negative(tmp))
218 223 min = tmp;
219 224 if (sval_cmp(min, max) > 0)
220 225 max = min;
221 226 min = sval_cast(type, min);
222 227 max = sval_cast(type, max);
223 228 *rl = alloc_rl(min, max);
224 229 return 1;
225 230 }
226 231
227 232 static int match_fls(struct expression *call, void *unused, struct range_list **rl)
228 233 {
229 234 struct expression *arg;
230 235 struct range_list *arg_rl;
231 236 sval_t zero = {};
232 237 sval_t start, end, sval;
233 238
234 239 start.type = &int_ctype;
235 240 start.value = 0;
236 241 end.type = &int_ctype;
237 242 end.value = 32;
238 243
239 244 arg = get_argument_from_call_expr(call->args, 0);
240 245 if (!get_implied_rl(arg, &arg_rl))
241 246 return 0;
242 247 if (rl_to_sval(arg_rl, &sval)) {
243 248 int i;
244 249
245 250 for (i = 63; i >= 0; i--) {
246 251 if (sval.uvalue & 1ULL << i)
247 252 break;
248 253 }
249 254 sval.value = i + 1;
|
↓ open down ↓ |
83 lines elided |
↑ open up ↑ |
250 255 *rl = alloc_rl(sval, sval);
251 256 return 1;
252 257 }
253 258 zero.type = rl_type(arg_rl);
254 259 if (!rl_has_sval(arg_rl, zero))
255 260 start.value = 1;
256 261 *rl = alloc_rl(start, end);
257 262 return 1;
258 263 }
259 264
260 -
261 -
262 265 static void find_module_init_exit(struct symbol_list *sym_list)
263 266 {
264 267 struct symbol *sym;
265 268 struct symbol *fn;
266 269 struct statement *stmt;
267 270 char *name;
268 271 int init;
269 272 int count;
270 273
271 274 /*
272 275 * This is more complicated because Sparse ignores the "alias"
273 276 * attribute. I search backwards because module_init() is normally at
274 277 * the end of the file.
275 278 */
276 279 count = 0;
277 280 FOR_EACH_PTR_REVERSE(sym_list, sym) {
278 281 if (sym->type != SYM_NODE)
279 282 continue;
280 283 if (!(sym->ctype.modifiers & MOD_STATIC))
281 284 continue;
282 285 fn = get_base_type(sym);
283 286 if (!fn)
284 287 continue;
285 288 if (fn->type != SYM_FN)
286 289 continue;
287 290 if (!sym->ident)
288 291 continue;
289 292 if (!fn->inline_stmt)
290 293 continue;
291 294 if (strcmp(sym->ident->name, "__inittest") == 0)
292 295 init = 1;
293 296 else if (strcmp(sym->ident->name, "__exittest") == 0)
294 297 init = 0;
295 298 else
296 299 continue;
297 300
298 301 count++;
299 302
300 303 stmt = first_ptr_list((struct ptr_list *)fn->inline_stmt->stmts);
301 304 if (!stmt || stmt->type != STMT_RETURN)
302 305 continue;
303 306 name = expr_to_var(stmt->ret_value);
304 307 if (!name)
305 308 continue;
306 309 if (init)
307 310 sql_insert_function_ptr(name, "(struct module)->init");
308 311 else
309 312 sql_insert_function_ptr(name, "(struct module)->exit");
310 313 free_string(name);
311 314 if (count >= 2)
312 315 return;
313 316 } END_FOR_EACH_PTR_REVERSE(sym);
314 317 }
315 318
316 319 static void match_end_file(struct symbol_list *sym_list)
317 320 {
318 321 struct symbol *sym;
319 322
320 323 /* find the last static symbol in the file */
321 324 FOR_EACH_PTR_REVERSE(sym_list, sym) {
322 325 if (!(sym->ctype.modifiers & MOD_STATIC))
323 326 continue;
324 327 if (!sym->scope)
325 328 continue;
326 329 find_module_init_exit(sym->scope->symbols);
327 330 return;
328 331 } END_FOR_EACH_PTR_REVERSE(sym);
329 332 }
330 333
331 334 static struct expression *get_val_expr(struct expression *expr)
332 335 {
333 336 struct symbol *sym, *val;
334 337
335 338 if (expr->type != EXPR_DEREF)
336 339 return NULL;
337 340 expr = expr->deref;
338 341 if (expr->type != EXPR_SYMBOL)
339 342 return NULL;
340 343 if (strcmp(expr->symbol_name->name, "__u") != 0)
341 344 return NULL;
342 345 sym = get_base_type(expr->symbol);
343 346 val = first_ptr_list((struct ptr_list *)sym->symbol_list);
344 347 if (!val || strcmp(val->ident->name, "__val") != 0)
345 348 return NULL;
346 349 return member_expression(expr, '.', val->ident);
347 350 }
348 351
349 352 static void match__write_once_size(const char *fn, struct expression *call,
350 353 void *unused)
351 354 {
352 355 struct expression *dest, *data, *assign;
353 356 struct range_list *rl;
354 357
355 358 dest = get_argument_from_call_expr(call->args, 0);
356 359 if (dest->type != EXPR_PREOP || dest->op != '&')
357 360 return;
358 361 dest = strip_expr(dest->unop);
359 362
360 363 data = get_argument_from_call_expr(call->args, 1);
361 364 data = get_val_expr(data);
362 365 if (!data)
363 366 return;
364 367 get_absolute_rl(data, &rl);
365 368 assign = assign_expression(dest, '=', data);
366 369
367 370 __in_fake_assign++;
368 371 __split_expr(assign);
369 372 __in_fake_assign--;
370 373 }
371 374
372 375 static void match__read_once_size(const char *fn, struct expression *call,
373 376 void *unused)
374 377 {
375 378 struct expression *dest, *data, *assign;
376 379 struct symbol *type, *val_sym;
377 380
378 381 /*
379 382 * We want to change:
380 383 * __read_once_size_nocheck(&(x), __u.__c, sizeof(x));
381 384 * into a fake assignment:
382 385 * __u.val = x;
383 386 *
384 387 */
385 388
386 389 data = get_argument_from_call_expr(call->args, 0);
387 390 if (data->type != EXPR_PREOP || data->op != '&')
388 391 return;
389 392 data = strip_parens(data->unop);
390 393
391 394 dest = get_argument_from_call_expr(call->args, 1);
392 395 if (dest->type != EXPR_DEREF || dest->op != '.')
393 396 return;
394 397 if (!dest->member || strcmp(dest->member->name, "__c") != 0)
395 398 return;
396 399 dest = dest->deref;
397 400 type = get_type(dest);
398 401 if (!type)
|
↓ open down ↓ |
127 lines elided |
↑ open up ↑ |
399 402 return;
400 403 val_sym = first_ptr_list((struct ptr_list *)type->symbol_list);
401 404 dest = member_expression(dest, '.', val_sym->ident);
402 405
403 406 assign = assign_expression(dest, '=', data);
404 407 __in_fake_assign++;
405 408 __split_expr(assign);
406 409 __in_fake_assign--;
407 410 }
408 411
412 +static void match_closure_call(const char *name, struct expression *call,
413 + void *unused)
414 +{
415 + struct expression *cl, *fn, *fake_call;
416 + struct expression_list *args = NULL;
417 +
418 + cl = get_argument_from_call_expr(call->args, 0);
419 + fn = get_argument_from_call_expr(call->args, 1);
420 + if (!fn || !cl)
421 + return;
422 +
423 + add_ptr_list(&args, cl);
424 + fake_call = call_expression(fn, args);
425 + __split_expr(fake_call);
426 +}
427 +
409 428 bool is_ignored_kernel_data(const char *name)
410 429 {
411 430 if (option_project != PROJ_KERNEL)
412 431 return false;
413 432
414 433 /*
415 434 * On the file I was looking at lockdep was 25% of the DB.
416 435 */
417 436 if (strstr(name, ".dep_map."))
418 437 return true;
419 438 if (strstr(name, ".lockdep_map."))
420 439 return true;
421 440 return false;
422 441 }
423 442
424 443 void check_kernel(int id)
425 444 {
426 445 if (option_project != PROJ_KERNEL)
427 446 return;
428 447
429 448 err_ptr_min.type = &ptr_ctype;
430 449 err_ptr_min.value = -4095;
431 450 err_ptr_max.type = &ptr_ctype;
432 451 err_ptr_max.value = -1l;
433 452 null_ptr.type = &ptr_ctype;
434 453 null_ptr.value = 0;
435 454
436 455 err_ptr_min = sval_cast(&ptr_ctype, err_ptr_min);
437 456 err_ptr_max = sval_cast(&ptr_ctype, err_ptr_max);
438 457
439 458 add_implied_return_hook("ERR_PTR", &implied_err_cast_return, NULL);
440 459 add_implied_return_hook("ERR_CAST", &implied_err_cast_return, NULL);
441 460 add_implied_return_hook("PTR_ERR", &implied_err_cast_return, NULL);
442 461 add_hook(hack_ERR_PTR, AFTER_DEF_HOOK);
443 462 return_implies_state("IS_ERR_OR_NULL", 0, 0, &match_param_valid_ptr, (void *)0);
444 463 return_implies_state("IS_ERR_OR_NULL", 1, 1, &match_param_err_or_null, (void *)0);
445 464 return_implies_state("IS_ERR", 0, 0, &match_not_err, NULL);
446 465 return_implies_state("IS_ERR", 1, 1, &match_err, NULL);
447 466 return_implies_state("tomoyo_memory_ok", 1, 1, &match_param_valid_ptr, (void *)0);
448 467
449 468 add_macro_assign_hook_extra("container_of", &match_container_of_macro, NULL);
450 469 add_hook(match_container_of, ASSIGNMENT_HOOK);
451 470
452 471 add_implied_return_hook("find_next_bit", &match_next_bit, NULL);
453 472 add_implied_return_hook("find_next_zero_bit", &match_next_bit, NULL);
454 473 add_implied_return_hook("find_first_bit", &match_next_bit, NULL);
455 474 add_implied_return_hook("find_first_zero_bit", &match_next_bit, NULL);
|
↓ open down ↓ |
37 lines elided |
↑ open up ↑ |
456 475
457 476 add_implied_return_hook("fls", &match_fls, NULL);
458 477 add_implied_return_hook("fls64", &match_fls, NULL);
459 478
460 479 add_function_hook("__ftrace_bad_type", &__match_nullify_path_hook, NULL);
461 480 add_function_hook("__write_once_size", &match__write_once_size, NULL);
462 481
463 482 add_function_hook("__read_once_size", &match__read_once_size, NULL);
464 483 add_function_hook("__read_once_size_nocheck", &match__read_once_size, NULL);
465 484
485 + add_function_hook("closure_call", &match_closure_call, NULL);
486 +
466 487 if (option_info)
467 488 add_hook(match_end_file, END_FILE_HOOK);
468 489 }
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX