252 run_sql(db_size_callback, NULL,
253 "select value from data_info where file = 'extern' and data = '%s' and type = %d;",
254 sym->ident->name, BUF_SIZE);
255 return db_size_rl;
256 }
257
258 static struct range_list *size_from_db(struct expression *expr)
259 {
260 struct range_list *rl;
261
262 rl = size_from_db_symbol(expr);
263 if (rl)
264 return rl;
265 return size_from_db_type(expr);
266 }
267
268 static void db_returns_buf_size(struct expression *expr, int param, char *unused, char *math)
269 {
270 struct expression *call;
271 struct range_list *rl;
272
273 if (expr->type != EXPR_ASSIGNMENT)
274 return;
275 call = strip_expr(expr->right);
276
277 call_results_to_rl(call, &int_ctype, math, &rl);
278 rl = cast_rl(&int_ctype, rl);
279 set_state_expr(my_size_id, expr->left, alloc_estate_rl(rl));
280 }
281
282 static int get_real_array_size_from_type(struct symbol *type)
283 {
284 sval_t sval;
285
286 if (!type)
287 return 0;
288 if (!type || type->type != SYM_ARRAY)
289 return 0;
290
291 if (!get_implied_value(type->array_size, &sval))
292 return 0;
293
294 return sval.value;
295 }
296
297 int get_real_array_size(struct expression *expr)
298 {
434 if (!sym || !sym->ident)
435 return 0;
436 if (!type_bytes(sym))
437 return 0;
438 if (sym->type != SYM_NODE)
439 return 0;
440
441 base_sym = get_real_base_type(sym);
442 if (!base_sym || base_sym->type != SYM_PTR)
443 return 0;
444 base_sym = get_real_base_type(base_sym);
445 if (!base_sym || base_sym->type != SYM_STRUCT)
446 return 0;
447
448 if (!is_last_member_of_struct(base_sym, expr->member))
449 return 0;
450 if (!last_member_is_resizable(base_sym))
451 return 0;
452
453 state = get_state(my_size_id, sym->ident->name, sym);
454 if (!estate_to_size(state))
455 return 0;
456
457 return estate_to_size(state) - type_bytes(base_sym) + type_bytes(get_type(expr));
458 }
459
460 static struct range_list *alloc_int_rl(int value)
461 {
462 sval_t sval = {
463 .type = &int_ctype,
464 {.value = value},
465 };
466
467 return alloc_rl(sval, sval);
468 }
469
470 struct range_list *get_array_size_bytes_rl(struct expression *expr)
471 {
472 struct range_list *ret = NULL;
473 sval_t sval;
474 int size;
487 int bytes;
488
489 if (!get_implied_value(expr->right, &offset))
490 return NULL;
491 type = get_type(expr->left);
492 if (!type)
493 return NULL;
494 if (type->type != SYM_ARRAY && type->type != SYM_PTR)
495 return NULL;
496 type = get_real_base_type(type);
497 bytes = type_bytes(type);
498 if (bytes == 0)
499 return NULL;
500 offset.value *= bytes;
501 size = get_array_size_bytes(expr->left);
502 if (size <= 0)
503 return NULL;
504 return alloc_int_rl(size - offset.value);
505 }
506
507 size = get_stored_size_end_struct_bytes(expr);
508 if (size)
509 return alloc_int_rl(size);
510
511 /* buf[4] */
512 size = get_real_array_size(expr);
513 if (size)
514 return alloc_int_rl(elements_to_bytes(expr, size));
515
516 /* buf = malloc(1024); */
517 ret = get_stored_size_bytes(expr);
518 if (ret)
519 return ret;
520
521 /* char *foo = "BAR" */
522 size = get_size_from_initializer(expr);
523 if (size)
524 return alloc_int_rl(elements_to_bytes(expr, size));
525
526 size = get_bytes_from_address(expr);
527 if (size)
528 return alloc_int_rl(size);
529
530 ret = size_from_db(expr);
531 if (rl_to_sval(ret, &sval) && sval.value == -1)
532 return NULL;
533 if (ret)
534 return ret;
535
536 return NULL;
537 }
538
539 int get_array_size_bytes(struct expression *expr)
540 {
619 name = get_member_name(buffer);
620 if (!name && is_static(buffer))
621 name = expr_to_var(buffer);
622 if (!name)
623 return;
624 if (rl && !is_whole_rl(rl))
625 sql_insert_function_type_size(name, show_rl(rl));
626 else
627 sql_insert_function_type_size(name, "(-1)");
628
629 free_string(name);
630 }
631
632 static void store_alloc(struct expression *expr, struct range_list *rl)
633 {
634 struct symbol *type;
635
636 rl = clone_rl(rl); // FIXME!!!
637 if (!rl)
638 rl = size_to_rl(UNKNOWN_SIZE);
639 set_state_expr(my_size_id, expr, alloc_estate_rl(rl));
640
641 type = get_type(expr);
642 if (!type)
643 return;
644 if (type->type != SYM_PTR)
645 return;
646 type = get_real_base_type(type);
647 if (!type)
648 return;
649 if (type == &void_ctype)
650 return;
651 if (type->type != SYM_BASETYPE && type->type != SYM_PTR)
652 return;
653
654 info_record_alloction(expr, rl);
655 }
656
657 static void match_array_assignment(struct expression *expr)
658 {
659 struct expression *left;
660 struct expression *right;
661 char *left_member, *right_member;
662 struct range_list *rl;
663 sval_t sval;
664
665 if (expr->op != '=')
666 return;
667 left = strip_expr(expr->left);
668 right = strip_expr(expr->right);
669 right = strip_ampersands(right);
670
671 if (!is_pointer(left))
672 return;
673 if (is_allocation_function(right))
674 return;
675
676 left_member = get_member_name(left);
677 right_member = get_member_name(right);
678 if (left_member && right_member && strcmp(left_member, right_member) == 0) {
679 free_string(left_member);
680 free_string(right_member);
681 return;
682 }
683 free_string(left_member);
684 free_string(right_member);
685
686 if (get_implied_value(right, &sval) && sval.value == 0) {
687 rl = alloc_int_rl(0);
688 goto store;
689 }
690
691 rl = get_array_size_bytes_rl(right);
692 if (!rl && __in_fake_assign)
693 return;
694
695 store:
696 store_alloc(left, rl);
697 }
698
699 static void match_alloc(const char *fn, struct expression *expr, void *_size_arg)
700 {
701 int size_arg = PTR_INT(_size_arg);
702 struct expression *right;
703 struct expression *arg;
704 struct range_list *rl;
705
706 right = strip_expr(expr->right);
707 arg = get_argument_from_call_expr(right->args, size_arg);
708 get_absolute_rl(arg, &rl);
709 rl = cast_rl(&int_ctype, rl);
710 store_alloc(expr->left, rl);
711 }
712
713 static void match_calloc(const char *fn, struct expression *expr, void *unused)
714 {
715 struct expression *right;
716 struct expression *size, *nr, *mult;
717 struct range_list *rl;
718
719 right = strip_expr(expr->right);
720 nr = get_argument_from_call_expr(right->args, 0);
721 size = get_argument_from_call_expr(right->args, 1);
722 mult = binop_expression(nr, '*', size);
723 if (get_implied_rl(mult, &rl))
724 store_alloc(expr->left, rl);
725 else
726 store_alloc(expr->left, size_to_rl(UNKNOWN_SIZE));
727 }
728
729 static void match_page(const char *fn, struct expression *expr, void *_unused)
730 {
731 sval_t page_size = {
732 .type = &int_ctype,
733 {.value = 4096},
734 };
735
736 store_alloc(expr->left, alloc_rl(page_size, page_size));
737 }
738
739 static void match_strndup(const char *fn, struct expression *expr, void *unused)
740 {
741 struct expression *fn_expr;
795 return 0;
796 return 1;
797 }
798
799 static void match_call(struct expression *expr)
800 {
801 struct expression *arg;
802 struct symbol *type;
803 struct range_list *rl;
804 int i;
805
806 i = -1;
807 FOR_EACH_PTR(expr->args, arg) {
808 i++;
809 type = get_type(arg);
810 if (!type || (type->type != SYM_PTR && type->type != SYM_ARRAY))
811 continue;
812 rl = get_array_size_bytes_rl(arg);
813 if (!rl)
814 continue;
815 if (is_whole_rl(rl))
816 continue;
817 if (is_type_bytes(rl, arg))
818 continue;
819 sql_insert_caller_info(expr, BUF_SIZE, i, "$", show_rl(rl));
820 } END_FOR_EACH_PTR(arg);
821 }
822
823 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
824 {
825 sval_t sval;
826
827 if (!estate_rl(sm->state) ||
828 (estate_get_single_value(sm->state, &sval) &&
829 (sval.value == -1 || sval.value == 0)))
830 return;
831
832 sql_insert_caller_info(call, BUF_SIZE, param, printed_name, sm->state->name);
833 }
834
892 set_dynamic_states(my_size_id);
893
894 add_unmatched_state_hook(my_size_id, &unmatched_size_state);
895 add_merge_hook(my_size_id, &merge_estates);
896
897 select_caller_info_hook(set_param_buf_size, BUF_SIZE);
898 select_return_states_hook(BUF_SIZE, &db_returns_buf_size);
899 add_split_return_callback(print_returned_allocations);
900
901 allocation_funcs = create_function_hashtable(100);
902 add_allocation_function("malloc", &match_alloc, 0);
903 add_allocation_function("calloc", &match_calloc, 0);
904 add_allocation_function("memdup", &match_alloc, 1);
905 add_allocation_function("realloc", &match_alloc, 1);
906 if (option_project == PROJ_KERNEL) {
907 add_allocation_function("kmalloc", &match_alloc, 0);
908 add_allocation_function("kmalloc_node", &match_alloc, 0);
909 add_allocation_function("kzalloc", &match_alloc, 0);
910 add_allocation_function("kzalloc_node", &match_alloc, 0);
911 add_allocation_function("vmalloc", &match_alloc, 0);
912 add_allocation_function("__vmalloc", &match_alloc, 0);
913 add_allocation_function("kvmalloc", &match_alloc, 0);
914 add_allocation_function("kcalloc", &match_calloc, 0);
915 add_allocation_function("kmalloc_array", &match_calloc, 0);
916 add_allocation_function("drm_malloc_ab", &match_calloc, 0);
917 add_allocation_function("drm_calloc_large", &match_calloc, 0);
918 add_allocation_function("sock_kmalloc", &match_alloc, 1);
919 add_allocation_function("kmemdup", &match_alloc, 1);
920 add_allocation_function("kmemdup_user", &match_alloc, 1);
921 add_allocation_function("dma_alloc_attrs", &match_alloc, 1);
922 add_allocation_function("pci_alloc_consistent", &match_alloc, 1);
923 add_allocation_function("pci_alloc_coherent", &match_alloc, 1);
924 add_allocation_function("devm_kmalloc", &match_alloc, 1);
925 add_allocation_function("devm_kzalloc", &match_alloc, 1);
926 add_allocation_function("krealloc", &match_alloc, 1);
927 add_allocation_function("__alloc_bootmem", &match_alloc, 0);
928 add_allocation_function("alloc_bootmem", &match_alloc, 0);
929 add_allocation_function("kmap", &match_page, 0);
930 add_allocation_function("kmap_atomic", &match_page, 0);
931 add_allocation_function("get_zeroed_page", &match_page, 0);
932 add_allocation_function("alloc_page", &match_page, 0);
933 add_allocation_function("alloc_pages", &match_alloc_pages, 1);
934 add_allocation_function("alloc_pages_current", &match_alloc_pages, 1);
935 add_allocation_function("__get_free_pages", &match_alloc_pages, 1);
936 add_allocation_function("dma_alloc_contiguous", &match_alloc, 1);
937 add_allocation_function("dma_alloc_coherent", &match_alloc, 1);
|
252 run_sql(db_size_callback, NULL,
253 "select value from data_info where file = 'extern' and data = '%s' and type = %d;",
254 sym->ident->name, BUF_SIZE);
255 return db_size_rl;
256 }
257
258 static struct range_list *size_from_db(struct expression *expr)
259 {
260 struct range_list *rl;
261
262 rl = size_from_db_symbol(expr);
263 if (rl)
264 return rl;
265 return size_from_db_type(expr);
266 }
267
268 static void db_returns_buf_size(struct expression *expr, int param, char *unused, char *math)
269 {
270 struct expression *call;
271 struct range_list *rl;
272 sval_t sval;
273
274 if (expr->type != EXPR_ASSIGNMENT)
275 return;
276 call = strip_expr(expr->right);
277
278 call_results_to_rl(call, &int_ctype, math, &rl);
279 rl = cast_rl(&int_ctype, rl);
280 if (rl_to_sval(rl, &sval) && sval.value == 0)
281 return;
282 set_state_expr(my_size_id, expr->left, alloc_estate_rl(rl));
283 }
284
285 static int get_real_array_size_from_type(struct symbol *type)
286 {
287 sval_t sval;
288
289 if (!type)
290 return 0;
291 if (!type || type->type != SYM_ARRAY)
292 return 0;
293
294 if (!get_implied_value(type->array_size, &sval))
295 return 0;
296
297 return sval.value;
298 }
299
300 int get_real_array_size(struct expression *expr)
301 {
437 if (!sym || !sym->ident)
438 return 0;
439 if (!type_bytes(sym))
440 return 0;
441 if (sym->type != SYM_NODE)
442 return 0;
443
444 base_sym = get_real_base_type(sym);
445 if (!base_sym || base_sym->type != SYM_PTR)
446 return 0;
447 base_sym = get_real_base_type(base_sym);
448 if (!base_sym || base_sym->type != SYM_STRUCT)
449 return 0;
450
451 if (!is_last_member_of_struct(base_sym, expr->member))
452 return 0;
453 if (!last_member_is_resizable(base_sym))
454 return 0;
455
456 state = get_state(my_size_id, sym->ident->name, sym);
457 if (!estate_to_size(state) || estate_to_size(state) == -1)
458 return 0;
459
460 return estate_to_size(state) - type_bytes(base_sym) + type_bytes(get_type(expr));
461 }
462
463 static struct range_list *alloc_int_rl(int value)
464 {
465 sval_t sval = {
466 .type = &int_ctype,
467 {.value = value},
468 };
469
470 return alloc_rl(sval, sval);
471 }
472
473 struct range_list *get_array_size_bytes_rl(struct expression *expr)
474 {
475 struct range_list *ret = NULL;
476 sval_t sval;
477 int size;
490 int bytes;
491
492 if (!get_implied_value(expr->right, &offset))
493 return NULL;
494 type = get_type(expr->left);
495 if (!type)
496 return NULL;
497 if (type->type != SYM_ARRAY && type->type != SYM_PTR)
498 return NULL;
499 type = get_real_base_type(type);
500 bytes = type_bytes(type);
501 if (bytes == 0)
502 return NULL;
503 offset.value *= bytes;
504 size = get_array_size_bytes(expr->left);
505 if (size <= 0)
506 return NULL;
507 return alloc_int_rl(size - offset.value);
508 }
509
510 /* buf = malloc(1024); */
511 ret = get_stored_size_bytes(expr);
512 if (ret)
513 return ret;
514
515 size = get_stored_size_end_struct_bytes(expr);
516 if (size)
517 return alloc_int_rl(size);
518
519 /* buf[4] */
520 size = get_real_array_size(expr);
521 if (size)
522 return alloc_int_rl(elements_to_bytes(expr, size));
523
524 /* char *foo = "BAR" */
525 size = get_size_from_initializer(expr);
526 if (size)
527 return alloc_int_rl(elements_to_bytes(expr, size));
528
529 size = get_bytes_from_address(expr);
530 if (size)
531 return alloc_int_rl(size);
532
533 ret = size_from_db(expr);
534 if (rl_to_sval(ret, &sval) && sval.value == -1)
535 return NULL;
536 if (ret)
537 return ret;
538
539 return NULL;
540 }
541
542 int get_array_size_bytes(struct expression *expr)
543 {
622 name = get_member_name(buffer);
623 if (!name && is_static(buffer))
624 name = expr_to_var(buffer);
625 if (!name)
626 return;
627 if (rl && !is_whole_rl(rl))
628 sql_insert_function_type_size(name, show_rl(rl));
629 else
630 sql_insert_function_type_size(name, "(-1)");
631
632 free_string(name);
633 }
634
635 static void store_alloc(struct expression *expr, struct range_list *rl)
636 {
637 struct symbol *type;
638
639 rl = clone_rl(rl); // FIXME!!!
640 if (!rl)
641 rl = size_to_rl(UNKNOWN_SIZE);
642
643 if (rl_min(rl).value != UNKNOWN_SIZE ||
644 rl_max(rl).value != UNKNOWN_SIZE ||
645 get_state_expr(my_size_id, expr))
646 set_state_expr(my_size_id, expr, alloc_estate_rl(rl));
647
648 type = get_type(expr);
649 if (!type)
650 return;
651 if (type->type != SYM_PTR)
652 return;
653 type = get_real_base_type(type);
654 if (!type)
655 return;
656 if (type == &void_ctype)
657 return;
658 if (type->type != SYM_BASETYPE && type->type != SYM_PTR)
659 return;
660
661 info_record_alloction(expr, rl);
662 }
663
664 static bool is_array_base(struct expression *expr)
665 {
666 struct symbol *type;
667
668 type = get_type(expr);
669 if (type && type->type == SYM_ARRAY)
670 return true;
671 return false;
672 }
673
674 static void match_array_assignment(struct expression *expr)
675 {
676 struct expression *left;
677 struct expression *right;
678 char *left_member, *right_member;
679 struct range_list *rl;
680 sval_t sval;
681
682 if (expr->op != '=')
683 return;
684
685 left = strip_expr(expr->left);
686 right = strip_expr(expr->right);
687 right = strip_ampersands(right);
688
689 if (!is_pointer(left))
690 return;
691 /* char buf[24] = "str"; */
692 if (is_array_base(left))
693 return;
694 if (is_allocation_function(right))
695 return;
696
697 left_member = get_member_name(left);
698 right_member = get_member_name(right);
699 if (left_member && right_member && strcmp(left_member, right_member) == 0) {
700 free_string(left_member);
701 free_string(right_member);
702 return;
703 }
704 free_string(left_member);
705 free_string(right_member);
706
707 if (get_implied_value(right, &sval) && sval.value == 0) {
708 rl = alloc_int_rl(0);
709 goto store;
710 }
711
712 rl = get_array_size_bytes_rl(right);
713 if (!rl && __in_fake_assign)
714 return;
715
716 store:
717 store_alloc(left, rl);
718 }
719
720 static void match_alloc(const char *fn, struct expression *expr, void *_size_arg)
721 {
722 int size_arg = PTR_INT(_size_arg);
723 struct expression *right;
724 struct expression *arg;
725 struct range_list *rl;
726
727 right = strip_expr(expr->right);
728 arg = get_argument_from_call_expr(right->args, size_arg);
729 get_absolute_rl(arg, &rl);
730 rl = cast_rl(&int_ctype, rl);
731 store_alloc(expr->left, rl);
732 }
733
734 static void match_calloc(const char *fn, struct expression *expr, void *_param)
735 {
736 struct expression *right;
737 struct expression *size, *nr, *mult;
738 struct range_list *rl;
739 int param = PTR_INT(_param);
740
741 right = strip_expr(expr->right);
742 nr = get_argument_from_call_expr(right->args, param);
743 size = get_argument_from_call_expr(right->args, param + 1);
744 mult = binop_expression(nr, '*', size);
745 if (get_implied_rl(mult, &rl))
746 store_alloc(expr->left, rl);
747 else
748 store_alloc(expr->left, size_to_rl(UNKNOWN_SIZE));
749 }
750
751 static void match_page(const char *fn, struct expression *expr, void *_unused)
752 {
753 sval_t page_size = {
754 .type = &int_ctype,
755 {.value = 4096},
756 };
757
758 store_alloc(expr->left, alloc_rl(page_size, page_size));
759 }
760
761 static void match_strndup(const char *fn, struct expression *expr, void *unused)
762 {
763 struct expression *fn_expr;
817 return 0;
818 return 1;
819 }
820
821 static void match_call(struct expression *expr)
822 {
823 struct expression *arg;
824 struct symbol *type;
825 struct range_list *rl;
826 int i;
827
828 i = -1;
829 FOR_EACH_PTR(expr->args, arg) {
830 i++;
831 type = get_type(arg);
832 if (!type || (type->type != SYM_PTR && type->type != SYM_ARRAY))
833 continue;
834 rl = get_array_size_bytes_rl(arg);
835 if (!rl)
836 continue;
837 if (rl_min(rl).value == UNKNOWN_SIZE &&
838 rl_max(rl).value == UNKNOWN_SIZE)
839 continue;
840 if (is_whole_rl(rl))
841 continue;
842 if (is_type_bytes(rl, arg))
843 continue;
844 sql_insert_caller_info(expr, BUF_SIZE, i, "$", show_rl(rl));
845 } END_FOR_EACH_PTR(arg);
846 }
847
848 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
849 {
850 sval_t sval;
851
852 if (!estate_rl(sm->state) ||
853 (estate_get_single_value(sm->state, &sval) &&
854 (sval.value == -1 || sval.value == 0)))
855 return;
856
857 sql_insert_caller_info(call, BUF_SIZE, param, printed_name, sm->state->name);
858 }
859
917 set_dynamic_states(my_size_id);
918
919 add_unmatched_state_hook(my_size_id, &unmatched_size_state);
920 add_merge_hook(my_size_id, &merge_estates);
921
922 select_caller_info_hook(set_param_buf_size, BUF_SIZE);
923 select_return_states_hook(BUF_SIZE, &db_returns_buf_size);
924 add_split_return_callback(print_returned_allocations);
925
926 allocation_funcs = create_function_hashtable(100);
927 add_allocation_function("malloc", &match_alloc, 0);
928 add_allocation_function("calloc", &match_calloc, 0);
929 add_allocation_function("memdup", &match_alloc, 1);
930 add_allocation_function("realloc", &match_alloc, 1);
931 if (option_project == PROJ_KERNEL) {
932 add_allocation_function("kmalloc", &match_alloc, 0);
933 add_allocation_function("kmalloc_node", &match_alloc, 0);
934 add_allocation_function("kzalloc", &match_alloc, 0);
935 add_allocation_function("kzalloc_node", &match_alloc, 0);
936 add_allocation_function("vmalloc", &match_alloc, 0);
937 add_allocation_function("vzalloc", &match_alloc, 0);
938 add_allocation_function("__vmalloc", &match_alloc, 0);
939 add_allocation_function("kvmalloc", &match_alloc, 0);
940 add_allocation_function("kcalloc", &match_calloc, 0);
941 add_allocation_function("kmalloc_array", &match_calloc, 0);
942 add_allocation_function("devm_kmalloc_array", &match_calloc, 1);
943 add_allocation_function("sock_kmalloc", &match_alloc, 1);
944 add_allocation_function("kmemdup", &match_alloc, 1);
945 add_allocation_function("kmemdup_user", &match_alloc, 1);
946 add_allocation_function("dma_alloc_attrs", &match_alloc, 1);
947 add_allocation_function("pci_alloc_consistent", &match_alloc, 1);
948 add_allocation_function("pci_alloc_coherent", &match_alloc, 1);
949 add_allocation_function("devm_kmalloc", &match_alloc, 1);
950 add_allocation_function("devm_kzalloc", &match_alloc, 1);
951 add_allocation_function("krealloc", &match_alloc, 1);
952 add_allocation_function("__alloc_bootmem", &match_alloc, 0);
953 add_allocation_function("alloc_bootmem", &match_alloc, 0);
954 add_allocation_function("kmap", &match_page, 0);
955 add_allocation_function("kmap_atomic", &match_page, 0);
956 add_allocation_function("get_zeroed_page", &match_page, 0);
957 add_allocation_function("alloc_page", &match_page, 0);
958 add_allocation_function("alloc_pages", &match_alloc_pages, 1);
959 add_allocation_function("alloc_pages_current", &match_alloc_pages, 1);
960 add_allocation_function("__get_free_pages", &match_alloc_pages, 1);
961 add_allocation_function("dma_alloc_contiguous", &match_alloc, 1);
962 add_allocation_function("dma_alloc_coherent", &match_alloc, 1);
|