Print this page
12724 update smatch to 0.6.1-rc1-il-5
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/tools/smatch/src/smatch_buf_size.c
+++ new/usr/src/tools/smatch/src/smatch_buf_size.c
1 1 /*
2 2 * Copyright (C) 2010 Dan Carpenter.
3 3 *
4 4 * This program is free software; you can redistribute it and/or
5 5 * modify it under the terms of the GNU General Public License
6 6 * as published by the Free Software Foundation; either version 2
7 7 * of the License, or (at your option) any later version.
8 8 *
9 9 * This program is distributed in the hope that it will be useful,
10 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 * GNU General Public License for more details.
13 13 *
14 14 * You should have received a copy of the GNU General Public License
15 15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 16 */
17 17
18 18 #include <stdlib.h>
19 19 #include <errno.h>
20 20 #include "parse.h"
21 21 #include "smatch.h"
22 22 #include "smatch_slist.h"
23 23 #include "smatch_extra.h"
24 24 #include "smatch_function_hashtable.h"
25 25
26 26 #define UNKNOWN_SIZE -1
27 27
28 28 static int my_size_id;
29 29
30 30 static DEFINE_HASHTABLE_INSERT(insert_func, char, int);
31 31 static DEFINE_HASHTABLE_SEARCH(search_func, char, int);
32 32 static struct hashtable *allocation_funcs;
33 33
34 34 static char *get_fn_name(struct expression *expr)
35 35 {
36 36 if (expr->type != EXPR_CALL)
37 37 return NULL;
38 38 if (expr->fn->type != EXPR_SYMBOL)
39 39 return NULL;
40 40 return expr_to_var(expr->fn);
41 41 }
42 42
43 43 static int is_allocation_function(struct expression *expr)
44 44 {
45 45 char *func;
46 46 int ret = 0;
47 47
48 48 func = get_fn_name(expr);
49 49 if (!func)
50 50 return 0;
51 51 if (search_func(allocation_funcs, func))
52 52 ret = 1;
53 53 free_string(func);
54 54 return ret;
55 55 }
56 56
57 57 static void add_allocation_function(const char *func, void *call_back, int param)
58 58 {
59 59 insert_func(allocation_funcs, (char *)func, (int *)1);
60 60 add_function_assign_hook(func, call_back, INT_PTR(param));
61 61 }
62 62
63 63 static int estate_to_size(struct smatch_state *state)
64 64 {
65 65 sval_t sval;
66 66
67 67 if (!state || !estate_rl(state))
68 68 return 0;
69 69 sval = estate_max(state);
70 70 return sval.value;
71 71 }
72 72
73 73 static struct smatch_state *size_to_estate(int size)
74 74 {
75 75 sval_t sval;
76 76
77 77 sval.type = &int_ctype;
78 78 sval.value = size;
79 79
80 80 return alloc_estate_sval(sval);
81 81 }
82 82
83 83 static struct range_list *size_to_rl(int size)
84 84 {
85 85 sval_t sval;
86 86
87 87 sval.type = &int_ctype;
88 88 sval.value = size;
89 89
90 90 return alloc_rl(sval, sval);
91 91 }
92 92
93 93 static struct smatch_state *unmatched_size_state(struct sm_state *sm)
94 94 {
95 95 return size_to_estate(UNKNOWN_SIZE);
96 96 }
97 97
98 98 static void set_size_undefined(struct sm_state *sm, struct expression *mod_expr)
99 99 {
100 100 set_state(sm->owner, sm->name, sm->sym, size_to_estate(UNKNOWN_SIZE));
101 101 }
102 102
103 103 static struct smatch_state *merge_size_func(struct smatch_state *s1, struct smatch_state *s2)
104 104 {
105 105 return merge_estates(s1, s2);
106 106 }
107 107
108 108 void set_param_buf_size(const char *name, struct symbol *sym, char *key, char *value)
109 109 {
110 110 struct range_list *rl = NULL;
111 111 struct smatch_state *state;
112 112 char fullname[256];
113 113
114 114 if (strncmp(key, "$", 1) != 0)
115 115 return;
116 116
117 117 snprintf(fullname, 256, "%s%s", name, key + 1);
118 118
119 119 str_to_rl(&int_ctype, value, &rl);
120 120 if (!rl || is_whole_rl(rl))
121 121 return;
122 122 state = alloc_estate_rl(rl);
123 123 set_state(my_size_id, fullname, sym, state);
124 124 }
125 125
126 126 static int bytes_per_element(struct expression *expr)
127 127 {
128 128 struct symbol *type;
129 129
130 130 if (!expr)
131 131 return 0;
132 132 if (expr->type == EXPR_STRING)
133 133 return 1;
134 134 if (expr->type == EXPR_PREOP && expr->op == '&') {
135 135 type = get_type(expr->unop);
136 136 if (type && type->type == SYM_ARRAY)
137 137 expr = expr->unop;
138 138 }
139 139 type = get_type(expr);
140 140 if (!type)
141 141 return 0;
142 142
143 143 if (type->type != SYM_PTR && type->type != SYM_ARRAY)
144 144 return 0;
145 145
146 146 type = get_base_type(type);
147 147 return type_bytes(type);
148 148 }
149 149
150 150 static int bytes_to_elements(struct expression *expr, int bytes)
151 151 {
152 152 int bpe;
153 153
154 154 bpe = bytes_per_element(expr);
155 155 if (bpe == 0)
156 156 return 0;
157 157 return bytes / bpe;
158 158 }
159 159
160 160 static int elements_to_bytes(struct expression *expr, int elements)
161 161 {
162 162 int bpe;
163 163
164 164 bpe = bytes_per_element(expr);
165 165 return elements * bpe;
166 166 }
167 167
168 168 static int get_initializer_size(struct expression *expr)
169 169 {
170 170 switch (expr->type) {
171 171 case EXPR_STRING:
172 172 return expr->string->length;
173 173 case EXPR_INITIALIZER: {
174 174 struct expression *tmp;
175 175 int i = 0;
176 176
177 177 FOR_EACH_PTR(expr->expr_list, tmp) {
178 178 if (tmp->type == EXPR_INDEX) {
179 179 if (tmp->idx_to >= i)
180 180 i = tmp->idx_to;
181 181 else
182 182 continue;
183 183 }
184 184
185 185 i++;
186 186 } END_FOR_EACH_PTR(tmp);
187 187 return i;
188 188 }
189 189 case EXPR_SYMBOL:
190 190 return get_array_size(expr);
191 191 }
192 192 return 0;
193 193 }
194 194
195 195 static struct range_list *db_size_rl;
196 196 static int db_size_callback(void *unused, int argc, char **argv, char **azColName)
197 197 {
198 198 struct range_list *tmp = NULL;
199 199
200 200 if (!db_size_rl) {
201 201 str_to_rl(&int_ctype, argv[0], &db_size_rl);
202 202 } else {
203 203 str_to_rl(&int_ctype, argv[0], &tmp);
204 204 db_size_rl = rl_union(db_size_rl, tmp);
205 205 }
206 206 return 0;
207 207 }
208 208
209 209 static struct range_list *size_from_db_type(struct expression *expr)
210 210 {
211 211 int this_file_only = 0;
212 212 char *name;
213 213
214 214 name = get_member_name(expr);
215 215 if (!name && is_static(expr)) {
216 216 name = expr_to_var(expr);
217 217 this_file_only = 1;
218 218 }
219 219 if (!name)
220 220 return NULL;
221 221
222 222 if (this_file_only) {
223 223 db_size_rl = NULL;
224 224 run_sql(db_size_callback, NULL,
225 225 "select size from function_type_size where type = '%s' and file = '%s';",
226 226 name, get_filename());
227 227 if (db_size_rl)
228 228 return db_size_rl;
229 229 return NULL;
230 230 }
231 231
232 232 db_size_rl = NULL;
233 233 run_sql(db_size_callback, NULL,
234 234 "select size from type_size where type = '%s';",
235 235 name);
236 236 return db_size_rl;
237 237 }
238 238
239 239 static struct range_list *size_from_db_symbol(struct expression *expr)
240 240 {
241 241 struct symbol *sym;
242 242
243 243 if (expr->type != EXPR_SYMBOL)
244 244 return NULL;
245 245 sym = expr->symbol;
246 246 if (!sym || !sym->ident ||
247 247 !(sym->ctype.modifiers & MOD_TOPLEVEL) ||
248 248 sym->ctype.modifiers & MOD_STATIC)
249 249 return NULL;
250 250
251 251 db_size_rl = NULL;
252 252 run_sql(db_size_callback, NULL,
253 253 "select value from data_info where file = 'extern' and data = '%s' and type = %d;",
254 254 sym->ident->name, BUF_SIZE);
255 255 return db_size_rl;
256 256 }
257 257
258 258 static struct range_list *size_from_db(struct expression *expr)
259 259 {
260 260 struct range_list *rl;
261 261
|
↓ open down ↓ |
261 lines elided |
↑ open up ↑ |
262 262 rl = size_from_db_symbol(expr);
263 263 if (rl)
264 264 return rl;
265 265 return size_from_db_type(expr);
266 266 }
267 267
268 268 static void db_returns_buf_size(struct expression *expr, int param, char *unused, char *math)
269 269 {
270 270 struct expression *call;
271 271 struct range_list *rl;
272 + sval_t sval;
272 273
273 274 if (expr->type != EXPR_ASSIGNMENT)
274 275 return;
275 276 call = strip_expr(expr->right);
276 277
277 278 call_results_to_rl(call, &int_ctype, math, &rl);
278 279 rl = cast_rl(&int_ctype, rl);
280 + if (rl_to_sval(rl, &sval) && sval.value == 0)
281 + return;
279 282 set_state_expr(my_size_id, expr->left, alloc_estate_rl(rl));
280 283 }
281 284
282 285 static int get_real_array_size_from_type(struct symbol *type)
283 286 {
284 287 sval_t sval;
285 288
286 289 if (!type)
287 290 return 0;
288 291 if (!type || type->type != SYM_ARRAY)
289 292 return 0;
290 293
291 294 if (!get_implied_value(type->array_size, &sval))
292 295 return 0;
293 296
294 297 return sval.value;
295 298 }
296 299
297 300 int get_real_array_size(struct expression *expr)
298 301 {
299 302 if (!expr)
300 303 return 0;
301 304 if (expr->type == EXPR_PREOP && expr->op == '&')
302 305 expr = expr->unop;
303 306 if (expr->type == EXPR_BINOP) /* array elements foo[5] */
304 307 return 0;
305 308 return get_real_array_size_from_type(get_type(expr));
306 309 }
307 310
308 311 static int get_size_from_initializer(struct expression *expr)
309 312 {
310 313 if (expr->type != EXPR_SYMBOL || !expr->symbol || !expr->symbol->initializer)
311 314 return 0;
312 315 if (expr->symbol->initializer == expr) /* int a = a; */
313 316 return 0;
314 317 return get_initializer_size(expr->symbol->initializer);
315 318 }
316 319
317 320 static struct range_list *get_stored_size_bytes(struct expression *expr)
318 321 {
319 322 struct smatch_state *state;
320 323
321 324 state = get_state_expr(my_size_id, expr);
322 325 if (!state)
323 326 return NULL;
324 327 return estate_rl(state);
325 328 }
326 329
327 330 static int get_bytes_from_address(struct expression *expr)
328 331 {
329 332 struct symbol *type;
330 333 int ret;
331 334
332 335 if (expr->type != EXPR_PREOP || expr->op != '&')
333 336 return 0;
334 337 type = get_type(expr);
335 338 if (!type)
336 339 return 0;
337 340
338 341 if (type->type == SYM_PTR)
339 342 type = get_base_type(type);
340 343
341 344 ret = type_bytes(type);
342 345 if (ret == 1)
343 346 return 0; /* ignore char pointers */
344 347
345 348 return ret;
346 349 }
347 350
348 351 static struct expression *remove_addr_fluff(struct expression *expr)
349 352 {
350 353 struct expression *tmp;
351 354 sval_t sval;
352 355
353 356 expr = strip_expr(expr);
354 357
355 358 /* remove '&' and '*' operations that cancel */
356 359 while (expr && expr->type == EXPR_PREOP && expr->op == '&') {
357 360 tmp = strip_expr(expr->unop);
358 361 if (tmp->type != EXPR_PREOP)
359 362 break;
360 363 if (tmp->op != '*')
361 364 break;
362 365 expr = strip_expr(tmp->unop);
363 366 }
364 367
365 368 if (!expr)
366 369 return NULL;
367 370
368 371 /* "foo + 0" is just "foo" */
369 372 if (expr->type == EXPR_BINOP && expr->op == '+' &&
370 373 get_value(expr->right, &sval) && sval.value == 0)
371 374 return expr->left;
372 375
373 376 return expr;
374 377 }
375 378
376 379 static int is_last_member_of_struct(struct symbol *sym, struct ident *member)
377 380 {
378 381 struct symbol *tmp;
379 382 int i;
380 383
381 384 i = 0;
382 385 FOR_EACH_PTR_REVERSE(sym->symbol_list, tmp) {
383 386 if (i++ || !tmp->ident)
384 387 return 0;
385 388 if (tmp->ident == member)
386 389 return 1;
387 390 return 0;
388 391 } END_FOR_EACH_PTR_REVERSE(tmp);
389 392
390 393 return 0;
391 394 }
392 395
393 396 int last_member_is_resizable(struct symbol *sym)
394 397 {
395 398 struct symbol *last_member;
396 399 struct symbol *type;
397 400 sval_t sval;
398 401
399 402 if (!sym || sym->type != SYM_STRUCT)
400 403 return 0;
401 404
402 405 last_member = last_ptr_list((struct ptr_list *)sym->symbol_list);
403 406 if (!last_member || !last_member->ident)
404 407 return 0;
405 408
406 409 type = get_real_base_type(last_member);
407 410 if (type->type == SYM_STRUCT)
408 411 return last_member_is_resizable(type);
409 412 if (type->type != SYM_ARRAY)
410 413 return 0;
411 414
412 415 if (!get_implied_value(type->array_size, &sval))
413 416 return 0;
414 417
415 418 if (sval.value != 0 && sval.value != 1)
416 419 return 0;
417 420
418 421 return 1;
419 422 }
420 423
421 424 static int get_stored_size_end_struct_bytes(struct expression *expr)
422 425 {
423 426 struct symbol *sym;
424 427 struct symbol *base_sym;
425 428 struct smatch_state *state;
426 429
427 430 if (expr->type == EXPR_BINOP) /* array elements foo[5] */
428 431 return 0;
429 432
430 433 if (expr->type == EXPR_PREOP && expr->op == '&')
431 434 expr = strip_parens(expr->unop);
432 435
433 436 sym = expr_to_sym(expr);
434 437 if (!sym || !sym->ident)
435 438 return 0;
436 439 if (!type_bytes(sym))
437 440 return 0;
438 441 if (sym->type != SYM_NODE)
439 442 return 0;
440 443
441 444 base_sym = get_real_base_type(sym);
442 445 if (!base_sym || base_sym->type != SYM_PTR)
443 446 return 0;
|
↓ open down ↓ |
155 lines elided |
↑ open up ↑ |
444 447 base_sym = get_real_base_type(base_sym);
445 448 if (!base_sym || base_sym->type != SYM_STRUCT)
446 449 return 0;
447 450
448 451 if (!is_last_member_of_struct(base_sym, expr->member))
449 452 return 0;
450 453 if (!last_member_is_resizable(base_sym))
451 454 return 0;
452 455
453 456 state = get_state(my_size_id, sym->ident->name, sym);
454 - if (!estate_to_size(state))
457 + if (!estate_to_size(state) || estate_to_size(state) == -1)
455 458 return 0;
456 459
457 460 return estate_to_size(state) - type_bytes(base_sym) + type_bytes(get_type(expr));
458 461 }
459 462
460 463 static struct range_list *alloc_int_rl(int value)
461 464 {
462 465 sval_t sval = {
463 466 .type = &int_ctype,
464 467 {.value = value},
465 468 };
466 469
467 470 return alloc_rl(sval, sval);
468 471 }
469 472
470 473 struct range_list *get_array_size_bytes_rl(struct expression *expr)
471 474 {
472 475 struct range_list *ret = NULL;
473 476 sval_t sval;
474 477 int size;
475 478
476 479 expr = remove_addr_fluff(expr);
477 480 if (!expr)
478 481 return NULL;
479 482
480 483 /* "BAR" */
481 484 if (expr->type == EXPR_STRING)
482 485 return alloc_int_rl(expr->string->length);
483 486
484 487 if (expr->type == EXPR_BINOP && expr->op == '+') {
485 488 sval_t offset;
486 489 struct symbol *type;
487 490 int bytes;
488 491
489 492 if (!get_implied_value(expr->right, &offset))
490 493 return NULL;
491 494 type = get_type(expr->left);
492 495 if (!type)
493 496 return NULL;
494 497 if (type->type != SYM_ARRAY && type->type != SYM_PTR)
495 498 return NULL;
496 499 type = get_real_base_type(type);
|
↓ open down ↓ |
32 lines elided |
↑ open up ↑ |
497 500 bytes = type_bytes(type);
498 501 if (bytes == 0)
499 502 return NULL;
500 503 offset.value *= bytes;
501 504 size = get_array_size_bytes(expr->left);
502 505 if (size <= 0)
503 506 return NULL;
504 507 return alloc_int_rl(size - offset.value);
505 508 }
506 509
510 + /* buf = malloc(1024); */
511 + ret = get_stored_size_bytes(expr);
512 + if (ret)
513 + return ret;
514 +
507 515 size = get_stored_size_end_struct_bytes(expr);
508 516 if (size)
509 517 return alloc_int_rl(size);
510 518
511 519 /* buf[4] */
512 520 size = get_real_array_size(expr);
513 521 if (size)
514 522 return alloc_int_rl(elements_to_bytes(expr, size));
515 523
516 - /* buf = malloc(1024); */
517 - ret = get_stored_size_bytes(expr);
518 - if (ret)
519 - return ret;
520 -
521 524 /* char *foo = "BAR" */
522 525 size = get_size_from_initializer(expr);
523 526 if (size)
524 527 return alloc_int_rl(elements_to_bytes(expr, size));
525 528
526 529 size = get_bytes_from_address(expr);
527 530 if (size)
528 531 return alloc_int_rl(size);
529 532
530 533 ret = size_from_db(expr);
531 534 if (rl_to_sval(ret, &sval) && sval.value == -1)
532 535 return NULL;
533 536 if (ret)
534 537 return ret;
535 538
536 539 return NULL;
537 540 }
538 541
539 542 int get_array_size_bytes(struct expression *expr)
540 543 {
541 544 struct range_list *rl;
542 545 sval_t sval;
543 546
544 547 rl = get_array_size_bytes_rl(expr);
545 548 if (!rl_to_sval(rl, &sval))
546 549 return 0;
547 550 if (sval.uvalue >= INT_MAX)
548 551 return 0;
549 552 return sval.value;
550 553 }
551 554
552 555 int get_array_size_bytes_max(struct expression *expr)
553 556 {
554 557 struct range_list *rl;
555 558 sval_t bytes;
556 559
557 560 rl = get_array_size_bytes_rl(expr);
558 561 if (!rl)
559 562 return 0;
560 563 bytes = rl_min(rl);
561 564 if (bytes.value < 0)
562 565 return 0;
563 566 bytes = rl_max(rl);
564 567 if (bytes.uvalue >= INT_MAX)
565 568 return 0;
566 569 return bytes.value;
567 570 }
568 571
569 572 int get_array_size_bytes_min(struct expression *expr)
570 573 {
571 574 struct range_list *rl;
572 575 struct data_range *range;
573 576
574 577 rl = get_array_size_bytes_rl(expr);
575 578 if (!rl)
576 579 return 0;
577 580
578 581 FOR_EACH_PTR(rl, range) {
579 582 if (range->min.value <= 0)
580 583 return 0;
581 584 if (range->max.value <= 0)
582 585 return 0;
583 586 if (range->min.uvalue >= INT_MAX)
584 587 return 0;
585 588 return range->min.value;
586 589 } END_FOR_EACH_PTR(range);
587 590
588 591 return 0;
589 592 }
590 593
591 594 int get_array_size(struct expression *expr)
592 595 {
593 596 if (!expr)
594 597 return 0;
595 598 return bytes_to_elements(expr, get_array_size_bytes_max(expr));
596 599 }
597 600
598 601 static struct expression *strip_ampersands(struct expression *expr)
599 602 {
600 603 struct symbol *type;
601 604
602 605 if (expr->type != EXPR_PREOP)
603 606 return expr;
604 607 if (expr->op != '&')
605 608 return expr;
606 609 type = get_type(expr->unop);
607 610 if (!type || type->type != SYM_ARRAY)
608 611 return expr;
609 612 return expr->unop;
610 613 }
611 614
612 615 static void info_record_alloction(struct expression *buffer, struct range_list *rl)
613 616 {
614 617 char *name;
615 618
616 619 if (!option_info)
617 620 return;
618 621
619 622 name = get_member_name(buffer);
620 623 if (!name && is_static(buffer))
621 624 name = expr_to_var(buffer);
622 625 if (!name)
623 626 return;
624 627 if (rl && !is_whole_rl(rl))
625 628 sql_insert_function_type_size(name, show_rl(rl));
626 629 else
627 630 sql_insert_function_type_size(name, "(-1)");
628 631
|
↓ open down ↓ |
98 lines elided |
↑ open up ↑ |
629 632 free_string(name);
630 633 }
631 634
632 635 static void store_alloc(struct expression *expr, struct range_list *rl)
633 636 {
634 637 struct symbol *type;
635 638
636 639 rl = clone_rl(rl); // FIXME!!!
637 640 if (!rl)
638 641 rl = size_to_rl(UNKNOWN_SIZE);
639 - set_state_expr(my_size_id, expr, alloc_estate_rl(rl));
640 642
643 + if (rl_min(rl).value != UNKNOWN_SIZE ||
644 + rl_max(rl).value != UNKNOWN_SIZE ||
645 + get_state_expr(my_size_id, expr))
646 + set_state_expr(my_size_id, expr, alloc_estate_rl(rl));
647 +
641 648 type = get_type(expr);
642 649 if (!type)
643 650 return;
644 651 if (type->type != SYM_PTR)
645 652 return;
646 653 type = get_real_base_type(type);
647 654 if (!type)
648 655 return;
649 656 if (type == &void_ctype)
650 657 return;
651 658 if (type->type != SYM_BASETYPE && type->type != SYM_PTR)
652 659 return;
653 660
654 661 info_record_alloction(expr, rl);
655 662 }
656 663
664 +static bool is_array_base(struct expression *expr)
665 +{
666 + struct symbol *type;
667 +
668 + type = get_type(expr);
669 + if (type && type->type == SYM_ARRAY)
670 + return true;
671 + return false;
672 +}
673 +
657 674 static void match_array_assignment(struct expression *expr)
658 675 {
659 676 struct expression *left;
660 677 struct expression *right;
661 678 char *left_member, *right_member;
662 679 struct range_list *rl;
663 680 sval_t sval;
664 681
665 682 if (expr->op != '=')
666 683 return;
684 +
667 685 left = strip_expr(expr->left);
668 686 right = strip_expr(expr->right);
669 687 right = strip_ampersands(right);
670 688
671 689 if (!is_pointer(left))
672 690 return;
691 + /* char buf[24] = "str"; */
692 + if (is_array_base(left))
693 + return;
673 694 if (is_allocation_function(right))
674 695 return;
675 696
676 697 left_member = get_member_name(left);
677 698 right_member = get_member_name(right);
678 699 if (left_member && right_member && strcmp(left_member, right_member) == 0) {
679 700 free_string(left_member);
680 701 free_string(right_member);
681 702 return;
682 703 }
683 704 free_string(left_member);
684 705 free_string(right_member);
685 706
686 707 if (get_implied_value(right, &sval) && sval.value == 0) {
687 708 rl = alloc_int_rl(0);
688 709 goto store;
689 710 }
690 711
691 712 rl = get_array_size_bytes_rl(right);
692 713 if (!rl && __in_fake_assign)
693 714 return;
694 715
695 716 store:
696 717 store_alloc(left, rl);
697 718 }
698 719
699 720 static void match_alloc(const char *fn, struct expression *expr, void *_size_arg)
700 721 {
701 722 int size_arg = PTR_INT(_size_arg);
702 723 struct expression *right;
|
↓ open down ↓ |
20 lines elided |
↑ open up ↑ |
703 724 struct expression *arg;
704 725 struct range_list *rl;
705 726
706 727 right = strip_expr(expr->right);
707 728 arg = get_argument_from_call_expr(right->args, size_arg);
708 729 get_absolute_rl(arg, &rl);
709 730 rl = cast_rl(&int_ctype, rl);
710 731 store_alloc(expr->left, rl);
711 732 }
712 733
713 -static void match_calloc(const char *fn, struct expression *expr, void *unused)
734 +static void match_calloc(const char *fn, struct expression *expr, void *_param)
714 735 {
715 736 struct expression *right;
716 737 struct expression *size, *nr, *mult;
717 738 struct range_list *rl;
739 + int param = PTR_INT(_param);
718 740
719 741 right = strip_expr(expr->right);
720 - nr = get_argument_from_call_expr(right->args, 0);
721 - size = get_argument_from_call_expr(right->args, 1);
742 + nr = get_argument_from_call_expr(right->args, param);
743 + size = get_argument_from_call_expr(right->args, param + 1);
722 744 mult = binop_expression(nr, '*', size);
723 745 if (get_implied_rl(mult, &rl))
724 746 store_alloc(expr->left, rl);
725 747 else
726 748 store_alloc(expr->left, size_to_rl(UNKNOWN_SIZE));
727 749 }
728 750
729 751 static void match_page(const char *fn, struct expression *expr, void *_unused)
730 752 {
731 753 sval_t page_size = {
732 754 .type = &int_ctype,
733 755 {.value = 4096},
734 756 };
735 757
736 758 store_alloc(expr->left, alloc_rl(page_size, page_size));
737 759 }
738 760
739 761 static void match_strndup(const char *fn, struct expression *expr, void *unused)
740 762 {
741 763 struct expression *fn_expr;
742 764 struct expression *size_expr;
743 765 sval_t size;
744 766
745 767 fn_expr = strip_expr(expr->right);
746 768 size_expr = get_argument_from_call_expr(fn_expr->args, 1);
747 769 if (get_implied_max(size_expr, &size)) {
748 770 size.value++;
749 771 store_alloc(expr->left, size_to_rl(size.value));
750 772 } else {
751 773 store_alloc(expr->left, size_to_rl(UNKNOWN_SIZE));
752 774 }
753 775
754 776 }
755 777
756 778 static void match_alloc_pages(const char *fn, struct expression *expr, void *_order_arg)
757 779 {
758 780 int order_arg = PTR_INT(_order_arg);
759 781 struct expression *right;
760 782 struct expression *arg;
761 783 sval_t sval;
762 784
763 785 right = strip_expr(expr->right);
764 786 arg = get_argument_from_call_expr(right->args, order_arg);
765 787 if (!get_implied_value(arg, &sval))
766 788 return;
767 789 if (sval.value < 0 || sval.value > 10)
768 790 return;
769 791
770 792 sval.type = &int_ctype;
771 793 sval.value = 1 << sval.value;
772 794 sval.value *= 4096;
773 795
774 796 store_alloc(expr->left, alloc_rl(sval, sval));
775 797 }
776 798
777 799 static int is_type_bytes(struct range_list *rl, struct expression *arg)
778 800 {
779 801 struct symbol *type;
780 802 sval_t sval;
781 803
782 804 if (!rl_to_sval(rl, &sval))
783 805 return 0;
784 806
785 807 type = get_type(arg);
786 808 if (!type)
787 809 return 0;
788 810 if (type->type != SYM_PTR)
789 811 return 0;
790 812 type = get_real_base_type(type);
791 813 if (type->type != SYM_STRUCT &&
792 814 type->type != SYM_UNION)
793 815 return 0;
794 816 if (sval.value != type_bytes(type))
795 817 return 0;
796 818 return 1;
797 819 }
798 820
799 821 static void match_call(struct expression *expr)
800 822 {
801 823 struct expression *arg;
802 824 struct symbol *type;
803 825 struct range_list *rl;
804 826 int i;
|
↓ open down ↓ |
73 lines elided |
↑ open up ↑ |
805 827
806 828 i = -1;
807 829 FOR_EACH_PTR(expr->args, arg) {
808 830 i++;
809 831 type = get_type(arg);
810 832 if (!type || (type->type != SYM_PTR && type->type != SYM_ARRAY))
811 833 continue;
812 834 rl = get_array_size_bytes_rl(arg);
813 835 if (!rl)
814 836 continue;
837 + if (rl_min(rl).value == UNKNOWN_SIZE &&
838 + rl_max(rl).value == UNKNOWN_SIZE)
839 + continue;
815 840 if (is_whole_rl(rl))
816 841 continue;
817 842 if (is_type_bytes(rl, arg))
818 843 continue;
819 844 sql_insert_caller_info(expr, BUF_SIZE, i, "$", show_rl(rl));
820 845 } END_FOR_EACH_PTR(arg);
821 846 }
822 847
823 848 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
824 849 {
825 850 sval_t sval;
826 851
827 852 if (!estate_rl(sm->state) ||
828 853 (estate_get_single_value(sm->state, &sval) &&
829 854 (sval.value == -1 || sval.value == 0)))
830 855 return;
831 856
832 857 sql_insert_caller_info(call, BUF_SIZE, param, printed_name, sm->state->name);
833 858 }
834 859
835 860 /*
836 861 * This is slightly (very) weird because half of this stuff is handled in
837 862 * smatch_parse_call_math.c which is poorly named. But anyway, add some buf
838 863 * sizes here.
839 864 *
840 865 */
841 866 static void print_returned_allocations(int return_id, char *return_ranges, struct expression *expr)
842 867 {
843 868 const char *param_math;
844 869 struct range_list *rl;
845 870 char buf[64];
846 871 sval_t sval;
847 872
848 873 rl = get_array_size_bytes_rl(expr);
849 874 param_math = get_allocation_math(expr);
850 875 if (!rl && !param_math)
851 876 return;
852 877
853 878 if (!param_math &&
854 879 rl_to_sval(rl, &sval) &&
855 880 (sval.value == -1 || sval.value == 0))
856 881 return;
857 882
858 883 if (param_math)
859 884 snprintf(buf, sizeof(buf), "%s[%s]", show_rl(rl), param_math);
860 885 else
861 886 snprintf(buf, sizeof(buf), "%s", show_rl(rl));
862 887
863 888 // FIXME: don't store if you can guess the size from the type
864 889 // FIXME: return if we allocate a parameter $0->bar
865 890 sql_insert_return_states(return_id, return_ranges, BUF_SIZE, -1, "", buf);
866 891 }
867 892
868 893 static void record_global_size(struct symbol *sym)
869 894 {
870 895 int bytes;
871 896 char buf[16];
872 897
873 898 if (!sym->ident)
874 899 return;
875 900
876 901 if (!(sym->ctype.modifiers & MOD_TOPLEVEL) ||
877 902 sym->ctype.modifiers & MOD_STATIC)
878 903 return;
879 904
880 905 bytes = get_array_size_bytes(symbol_expression(sym));
881 906 if (bytes <= 1)
882 907 return;
883 908
884 909 snprintf(buf, sizeof(buf), "%d", bytes);
885 910 sql_insert_data_info_var_sym(sym->ident->name, sym, BUF_SIZE, buf);
886 911 }
887 912
888 913 void register_buf_size(int id)
889 914 {
890 915 my_size_id = id;
891 916
892 917 set_dynamic_states(my_size_id);
893 918
894 919 add_unmatched_state_hook(my_size_id, &unmatched_size_state);
895 920 add_merge_hook(my_size_id, &merge_estates);
896 921
897 922 select_caller_info_hook(set_param_buf_size, BUF_SIZE);
898 923 select_return_states_hook(BUF_SIZE, &db_returns_buf_size);
899 924 add_split_return_callback(print_returned_allocations);
900 925
901 926 allocation_funcs = create_function_hashtable(100);
|
↓ open down ↓ |
77 lines elided |
↑ open up ↑ |
902 927 add_allocation_function("malloc", &match_alloc, 0);
903 928 add_allocation_function("calloc", &match_calloc, 0);
904 929 add_allocation_function("memdup", &match_alloc, 1);
905 930 add_allocation_function("realloc", &match_alloc, 1);
906 931 if (option_project == PROJ_KERNEL) {
907 932 add_allocation_function("kmalloc", &match_alloc, 0);
908 933 add_allocation_function("kmalloc_node", &match_alloc, 0);
909 934 add_allocation_function("kzalloc", &match_alloc, 0);
910 935 add_allocation_function("kzalloc_node", &match_alloc, 0);
911 936 add_allocation_function("vmalloc", &match_alloc, 0);
937 + add_allocation_function("vzalloc", &match_alloc, 0);
912 938 add_allocation_function("__vmalloc", &match_alloc, 0);
913 939 add_allocation_function("kvmalloc", &match_alloc, 0);
914 940 add_allocation_function("kcalloc", &match_calloc, 0);
915 941 add_allocation_function("kmalloc_array", &match_calloc, 0);
916 - add_allocation_function("drm_malloc_ab", &match_calloc, 0);
917 - add_allocation_function("drm_calloc_large", &match_calloc, 0);
942 + add_allocation_function("devm_kmalloc_array", &match_calloc, 1);
918 943 add_allocation_function("sock_kmalloc", &match_alloc, 1);
919 944 add_allocation_function("kmemdup", &match_alloc, 1);
920 945 add_allocation_function("kmemdup_user", &match_alloc, 1);
921 946 add_allocation_function("dma_alloc_attrs", &match_alloc, 1);
922 947 add_allocation_function("pci_alloc_consistent", &match_alloc, 1);
923 948 add_allocation_function("pci_alloc_coherent", &match_alloc, 1);
924 949 add_allocation_function("devm_kmalloc", &match_alloc, 1);
925 950 add_allocation_function("devm_kzalloc", &match_alloc, 1);
926 951 add_allocation_function("krealloc", &match_alloc, 1);
927 952 add_allocation_function("__alloc_bootmem", &match_alloc, 0);
928 953 add_allocation_function("alloc_bootmem", &match_alloc, 0);
929 954 add_allocation_function("kmap", &match_page, 0);
930 955 add_allocation_function("kmap_atomic", &match_page, 0);
931 956 add_allocation_function("get_zeroed_page", &match_page, 0);
932 957 add_allocation_function("alloc_page", &match_page, 0);
933 958 add_allocation_function("alloc_pages", &match_alloc_pages, 1);
934 959 add_allocation_function("alloc_pages_current", &match_alloc_pages, 1);
935 960 add_allocation_function("__get_free_pages", &match_alloc_pages, 1);
936 961 add_allocation_function("dma_alloc_contiguous", &match_alloc, 1);
937 962 add_allocation_function("dma_alloc_coherent", &match_alloc, 1);
938 963 }
939 964
940 965 add_allocation_function("strndup", match_strndup, 0);
941 966 if (option_project == PROJ_KERNEL)
942 967 add_allocation_function("kstrndup", match_strndup, 0);
943 968
944 969 add_modification_hook(my_size_id, &set_size_undefined);
945 970
946 971 add_merge_hook(my_size_id, &merge_size_func);
947 972
948 973 if (option_info)
949 974 add_hook(record_global_size, BASE_HOOK);
950 975 }
951 976
952 977 void register_buf_size_late(int id)
953 978 {
954 979 /* has to happen after match_alloc() */
955 980 add_hook(&match_array_assignment, ASSIGNMENT_HOOK);
956 981
957 982 add_hook(&match_call, FUNCTION_CALL_HOOK);
958 983 add_member_info_callback(my_size_id, struct_member_callback);
959 984 }
|
↓ open down ↓ |
32 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX