Print this page
new smatch
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/tools/smatch/src/smatch_buf_size.c
+++ new/usr/src/tools/smatch/src/smatch_buf_size.c
1 1 /*
2 2 * Copyright (C) 2010 Dan Carpenter.
3 3 *
4 4 * This program is free software; you can redistribute it and/or
5 5 * modify it under the terms of the GNU General Public License
6 6 * as published by the Free Software Foundation; either version 2
7 7 * of the License, or (at your option) any later version.
8 8 *
9 9 * This program is distributed in the hope that it will be useful,
10 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 * GNU General Public License for more details.
13 13 *
14 14 * You should have received a copy of the GNU General Public License
15 15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
|
↓ open down ↓ |
15 lines elided |
↑ open up ↑ |
16 16 */
17 17
18 18 #include <stdlib.h>
19 19 #include <errno.h>
20 20 #include "parse.h"
21 21 #include "smatch.h"
22 22 #include "smatch_slist.h"
23 23 #include "smatch_extra.h"
24 24 #include "smatch_function_hashtable.h"
25 25
26 -#define UNKNOWN_SIZE (-1)
26 +#define UNKNOWN_SIZE -1
27 27
28 28 static int my_size_id;
29 29
30 30 static DEFINE_HASHTABLE_INSERT(insert_func, char, int);
31 31 static DEFINE_HASHTABLE_SEARCH(search_func, char, int);
32 32 static struct hashtable *allocation_funcs;
33 33
34 34 static char *get_fn_name(struct expression *expr)
35 35 {
36 36 if (expr->type != EXPR_CALL)
37 37 return NULL;
38 38 if (expr->fn->type != EXPR_SYMBOL)
39 39 return NULL;
40 40 return expr_to_var(expr->fn);
41 41 }
42 42
43 43 static int is_allocation_function(struct expression *expr)
44 44 {
45 45 char *func;
46 46 int ret = 0;
47 47
48 48 func = get_fn_name(expr);
49 49 if (!func)
50 50 return 0;
51 51 if (search_func(allocation_funcs, func))
52 52 ret = 1;
53 53 free_string(func);
54 54 return ret;
55 55 }
56 56
57 57 static void add_allocation_function(const char *func, void *call_back, int param)
58 58 {
59 59 insert_func(allocation_funcs, (char *)func, (int *)1);
60 60 add_function_assign_hook(func, call_back, INT_PTR(param));
61 61 }
62 62
63 63 static int estate_to_size(struct smatch_state *state)
64 64 {
65 65 sval_t sval;
66 66
67 67 if (!state || !estate_rl(state))
68 68 return 0;
69 69 sval = estate_max(state);
70 70 return sval.value;
71 71 }
72 72
73 73 static struct smatch_state *size_to_estate(int size)
74 74 {
75 75 sval_t sval;
76 76
77 77 sval.type = &int_ctype;
78 78 sval.value = size;
79 79
80 80 return alloc_estate_sval(sval);
81 81 }
82 82
83 83 static struct range_list *size_to_rl(int size)
84 84 {
85 85 sval_t sval;
86 86
87 87 sval.type = &int_ctype;
88 88 sval.value = size;
89 89
90 90 return alloc_rl(sval, sval);
91 91 }
92 92
93 93 static struct smatch_state *unmatched_size_state(struct sm_state *sm)
94 94 {
95 95 return size_to_estate(UNKNOWN_SIZE);
96 96 }
97 97
98 98 static void set_size_undefined(struct sm_state *sm, struct expression *mod_expr)
99 99 {
100 100 set_state(sm->owner, sm->name, sm->sym, size_to_estate(UNKNOWN_SIZE));
101 101 }
102 102
103 103 static struct smatch_state *merge_size_func(struct smatch_state *s1, struct smatch_state *s2)
104 104 {
105 105 return merge_estates(s1, s2);
106 106 }
107 107
108 108 void set_param_buf_size(const char *name, struct symbol *sym, char *key, char *value)
109 109 {
110 110 struct range_list *rl = NULL;
111 111 struct smatch_state *state;
112 112 char fullname[256];
113 113
114 114 if (strncmp(key, "$", 1) != 0)
115 115 return;
116 116
117 117 snprintf(fullname, 256, "%s%s", name, key + 1);
118 118
119 119 str_to_rl(&int_ctype, value, &rl);
120 120 if (!rl || is_whole_rl(rl))
121 121 return;
122 122 state = alloc_estate_rl(rl);
123 123 set_state(my_size_id, fullname, sym, state);
124 124 }
125 125
126 126 static int bytes_per_element(struct expression *expr)
127 127 {
128 128 struct symbol *type;
129 129
130 130 if (!expr)
131 131 return 0;
132 132 if (expr->type == EXPR_STRING)
133 133 return 1;
134 134 if (expr->type == EXPR_PREOP && expr->op == '&') {
135 135 type = get_type(expr->unop);
136 136 if (type && type->type == SYM_ARRAY)
137 137 expr = expr->unop;
138 138 }
139 139 type = get_type(expr);
140 140 if (!type)
141 141 return 0;
142 142
143 143 if (type->type != SYM_PTR && type->type != SYM_ARRAY)
144 144 return 0;
145 145
146 146 type = get_base_type(type);
147 147 return type_bytes(type);
148 148 }
149 149
150 150 static int bytes_to_elements(struct expression *expr, int bytes)
151 151 {
152 152 int bpe;
153 153
154 154 bpe = bytes_per_element(expr);
155 155 if (bpe == 0)
156 156 return 0;
157 157 return bytes / bpe;
158 158 }
159 159
160 160 static int elements_to_bytes(struct expression *expr, int elements)
161 161 {
162 162 int bpe;
163 163
164 164 bpe = bytes_per_element(expr);
165 165 return elements * bpe;
166 166 }
167 167
168 168 static int get_initializer_size(struct expression *expr)
169 169 {
170 170 switch (expr->type) {
171 171 case EXPR_STRING:
172 172 return expr->string->length;
173 173 case EXPR_INITIALIZER: {
174 174 struct expression *tmp;
175 175 int i = 0;
176 176
177 177 FOR_EACH_PTR(expr->expr_list, tmp) {
178 178 if (tmp->type == EXPR_INDEX) {
179 179 if (tmp->idx_to >= i)
180 180 i = tmp->idx_to;
181 181 else
182 182 continue;
183 183 }
184 184
185 185 i++;
186 186 } END_FOR_EACH_PTR(tmp);
187 187 return i;
188 188 }
189 189 case EXPR_SYMBOL:
190 190 return get_array_size(expr);
191 191 }
192 192 return 0;
193 193 }
194 194
195 195 static struct range_list *db_size_rl;
196 196 static int db_size_callback(void *unused, int argc, char **argv, char **azColName)
197 197 {
198 198 struct range_list *tmp = NULL;
199 199
200 200 if (!db_size_rl) {
201 201 str_to_rl(&int_ctype, argv[0], &db_size_rl);
202 202 } else {
203 203 str_to_rl(&int_ctype, argv[0], &tmp);
204 204 db_size_rl = rl_union(db_size_rl, tmp);
205 205 }
206 206 return 0;
207 207 }
208 208
209 209 static struct range_list *size_from_db_type(struct expression *expr)
210 210 {
211 211 int this_file_only = 0;
212 212 char *name;
213 213
214 214 name = get_member_name(expr);
215 215 if (!name && is_static(expr)) {
216 216 name = expr_to_var(expr);
217 217 this_file_only = 1;
218 218 }
219 219 if (!name)
220 220 return NULL;
221 221
222 222 if (this_file_only) {
223 223 db_size_rl = NULL;
224 224 run_sql(db_size_callback, NULL,
225 225 "select size from function_type_size where type = '%s' and file = '%s';",
226 226 name, get_filename());
227 227 if (db_size_rl)
228 228 return db_size_rl;
229 229 return NULL;
230 230 }
231 231
232 232 db_size_rl = NULL;
233 233 run_sql(db_size_callback, NULL,
234 234 "select size from type_size where type = '%s';",
235 235 name);
236 236 return db_size_rl;
237 237 }
238 238
239 239 static struct range_list *size_from_db_symbol(struct expression *expr)
240 240 {
241 241 struct symbol *sym;
242 242
243 243 if (expr->type != EXPR_SYMBOL)
244 244 return NULL;
245 245 sym = expr->symbol;
246 246 if (!sym || !sym->ident ||
247 247 !(sym->ctype.modifiers & MOD_TOPLEVEL) ||
248 248 sym->ctype.modifiers & MOD_STATIC)
249 249 return NULL;
250 250
251 251 db_size_rl = NULL;
252 252 run_sql(db_size_callback, NULL,
253 253 "select value from data_info where file = 'extern' and data = '%s' and type = %d;",
254 254 sym->ident->name, BUF_SIZE);
255 255 return db_size_rl;
256 256 }
257 257
258 258 static struct range_list *size_from_db(struct expression *expr)
259 259 {
260 260 struct range_list *rl;
261 261
262 262 rl = size_from_db_symbol(expr);
263 263 if (rl)
264 264 return rl;
265 265 return size_from_db_type(expr);
266 266 }
|
↓ open down ↓ |
230 lines elided |
↑ open up ↑ |
267 267
268 268 static void db_returns_buf_size(struct expression *expr, int param, char *unused, char *math)
269 269 {
270 270 struct expression *call;
271 271 struct range_list *rl;
272 272
273 273 if (expr->type != EXPR_ASSIGNMENT)
274 274 return;
275 275 call = strip_expr(expr->right);
276 276
277 - if (!parse_call_math_rl(call, math, &rl))
278 - return;
277 + call_results_to_rl(call, &int_ctype, math, &rl);
279 278 rl = cast_rl(&int_ctype, rl);
280 279 set_state_expr(my_size_id, expr->left, alloc_estate_rl(rl));
281 280 }
282 281
283 282 static int get_real_array_size_from_type(struct symbol *type)
284 283 {
285 284 sval_t sval;
286 285
287 286 if (!type)
288 287 return 0;
289 288 if (!type || type->type != SYM_ARRAY)
290 289 return 0;
291 290
292 291 if (!get_implied_value(type->array_size, &sval))
293 292 return 0;
294 293
295 294 return sval.value;
296 295 }
297 296
298 297 int get_real_array_size(struct expression *expr)
299 298 {
300 299 if (!expr)
301 300 return 0;
302 301 if (expr->type == EXPR_PREOP && expr->op == '&')
303 302 expr = expr->unop;
304 303 if (expr->type == EXPR_BINOP) /* array elements foo[5] */
305 304 return 0;
306 305 return get_real_array_size_from_type(get_type(expr));
307 306 }
308 307
309 308 static int get_size_from_initializer(struct expression *expr)
310 309 {
311 310 if (expr->type != EXPR_SYMBOL || !expr->symbol || !expr->symbol->initializer)
312 311 return 0;
313 312 if (expr->symbol->initializer == expr) /* int a = a; */
314 313 return 0;
315 314 return get_initializer_size(expr->symbol->initializer);
316 315 }
317 316
318 317 static struct range_list *get_stored_size_bytes(struct expression *expr)
319 318 {
320 319 struct smatch_state *state;
321 320
322 321 state = get_state_expr(my_size_id, expr);
323 322 if (!state)
324 323 return NULL;
325 324 return estate_rl(state);
326 325 }
327 326
328 327 static int get_bytes_from_address(struct expression *expr)
329 328 {
330 329 struct symbol *type;
331 330 int ret;
332 331
333 332 if (expr->type != EXPR_PREOP || expr->op != '&')
334 333 return 0;
335 334 type = get_type(expr);
336 335 if (!type)
337 336 return 0;
338 337
339 338 if (type->type == SYM_PTR)
340 339 type = get_base_type(type);
341 340
342 341 ret = type_bytes(type);
343 342 if (ret == 1)
344 343 return 0; /* ignore char pointers */
345 344
346 345 return ret;
347 346 }
348 347
349 348 static struct expression *remove_addr_fluff(struct expression *expr)
350 349 {
351 350 struct expression *tmp;
352 351 sval_t sval;
353 352
354 353 expr = strip_expr(expr);
355 354
356 355 /* remove '&' and '*' operations that cancel */
357 356 while (expr && expr->type == EXPR_PREOP && expr->op == '&') {
358 357 tmp = strip_expr(expr->unop);
359 358 if (tmp->type != EXPR_PREOP)
360 359 break;
361 360 if (tmp->op != '*')
362 361 break;
363 362 expr = strip_expr(tmp->unop);
364 363 }
365 364
366 365 if (!expr)
367 366 return NULL;
368 367
369 368 /* "foo + 0" is just "foo" */
370 369 if (expr->type == EXPR_BINOP && expr->op == '+' &&
371 370 get_value(expr->right, &sval) && sval.value == 0)
372 371 return expr->left;
373 372
374 373 return expr;
375 374 }
376 375
377 376 static int is_last_member_of_struct(struct symbol *sym, struct ident *member)
378 377 {
379 378 struct symbol *tmp;
380 379 int i;
381 380
382 381 i = 0;
383 382 FOR_EACH_PTR_REVERSE(sym->symbol_list, tmp) {
384 383 if (i++ || !tmp->ident)
385 384 return 0;
386 385 if (tmp->ident == member)
387 386 return 1;
388 387 return 0;
389 388 } END_FOR_EACH_PTR_REVERSE(tmp);
390 389
391 390 return 0;
392 391 }
393 392
394 393 int last_member_is_resizable(struct symbol *sym)
395 394 {
396 395 struct symbol *last_member;
397 396 struct symbol *type;
398 397 sval_t sval;
399 398
400 399 if (!sym || sym->type != SYM_STRUCT)
401 400 return 0;
402 401
403 402 last_member = last_ptr_list((struct ptr_list *)sym->symbol_list);
404 403 if (!last_member || !last_member->ident)
405 404 return 0;
406 405
407 406 type = get_real_base_type(last_member);
408 407 if (type->type == SYM_STRUCT)
409 408 return last_member_is_resizable(type);
410 409 if (type->type != SYM_ARRAY)
411 410 return 0;
412 411
413 412 if (!get_implied_value(type->array_size, &sval))
414 413 return 0;
415 414
416 415 if (sval.value != 0 && sval.value != 1)
417 416 return 0;
418 417
419 418 return 1;
420 419 }
421 420
422 421 static int get_stored_size_end_struct_bytes(struct expression *expr)
423 422 {
424 423 struct symbol *sym;
425 424 struct symbol *base_sym;
426 425 struct smatch_state *state;
427 426
428 427 if (expr->type == EXPR_BINOP) /* array elements foo[5] */
429 428 return 0;
430 429
431 430 if (expr->type == EXPR_PREOP && expr->op == '&')
432 431 expr = strip_parens(expr->unop);
433 432
434 433 sym = expr_to_sym(expr);
435 434 if (!sym || !sym->ident)
436 435 return 0;
437 436 if (!type_bytes(sym))
438 437 return 0;
439 438 if (sym->type != SYM_NODE)
440 439 return 0;
441 440
442 441 base_sym = get_real_base_type(sym);
443 442 if (!base_sym || base_sym->type != SYM_PTR)
444 443 return 0;
445 444 base_sym = get_real_base_type(base_sym);
446 445 if (!base_sym || base_sym->type != SYM_STRUCT)
447 446 return 0;
448 447
449 448 if (!is_last_member_of_struct(base_sym, expr->member))
450 449 return 0;
451 450 if (!last_member_is_resizable(base_sym))
452 451 return 0;
453 452
454 453 state = get_state(my_size_id, sym->ident->name, sym);
455 454 if (!estate_to_size(state))
456 455 return 0;
457 456
458 457 return estate_to_size(state) - type_bytes(base_sym) + type_bytes(get_type(expr));
459 458 }
460 459
461 460 static struct range_list *alloc_int_rl(int value)
462 461 {
463 462 sval_t sval = {
|
↓ open down ↓ |
175 lines elided |
↑ open up ↑ |
464 463 .type = &int_ctype,
465 464 {.value = value},
466 465 };
467 466
468 467 return alloc_rl(sval, sval);
469 468 }
470 469
471 470 struct range_list *get_array_size_bytes_rl(struct expression *expr)
472 471 {
473 472 struct range_list *ret = NULL;
473 + sval_t sval;
474 474 int size;
475 475
476 476 expr = remove_addr_fluff(expr);
477 477 if (!expr)
478 478 return NULL;
479 479
480 480 /* "BAR" */
481 481 if (expr->type == EXPR_STRING)
482 482 return alloc_int_rl(expr->string->length);
483 483
484 484 if (expr->type == EXPR_BINOP && expr->op == '+') {
485 485 sval_t offset;
486 486 struct symbol *type;
487 487 int bytes;
488 488
489 489 if (!get_implied_value(expr->right, &offset))
490 490 return NULL;
491 491 type = get_type(expr->left);
492 492 if (!type)
493 493 return NULL;
494 494 if (type->type != SYM_ARRAY && type->type != SYM_PTR)
495 495 return NULL;
496 496 type = get_real_base_type(type);
497 497 bytes = type_bytes(type);
498 498 if (bytes == 0)
499 499 return NULL;
500 500 offset.value *= bytes;
501 501 size = get_array_size_bytes(expr->left);
502 502 if (size <= 0)
503 503 return NULL;
504 504 return alloc_int_rl(size - offset.value);
505 505 }
506 506
507 507 size = get_stored_size_end_struct_bytes(expr);
508 508 if (size)
509 509 return alloc_int_rl(size);
510 510
511 511 /* buf[4] */
512 512 size = get_real_array_size(expr);
513 513 if (size)
514 514 return alloc_int_rl(elements_to_bytes(expr, size));
515 515
516 516 /* buf = malloc(1024); */
517 517 ret = get_stored_size_bytes(expr);
518 518 if (ret)
519 519 return ret;
520 520
|
↓ open down ↓ |
37 lines elided |
↑ open up ↑ |
521 521 /* char *foo = "BAR" */
522 522 size = get_size_from_initializer(expr);
523 523 if (size)
524 524 return alloc_int_rl(elements_to_bytes(expr, size));
525 525
526 526 size = get_bytes_from_address(expr);
527 527 if (size)
528 528 return alloc_int_rl(size);
529 529
530 530 ret = size_from_db(expr);
531 + if (rl_to_sval(ret, &sval) && sval.value == -1)
532 + return NULL;
531 533 if (ret)
532 534 return ret;
533 535
534 536 return NULL;
535 537 }
536 538
537 539 int get_array_size_bytes(struct expression *expr)
538 540 {
539 541 struct range_list *rl;
540 542 sval_t sval;
541 543
542 544 rl = get_array_size_bytes_rl(expr);
543 545 if (!rl_to_sval(rl, &sval))
544 546 return 0;
545 547 if (sval.uvalue >= INT_MAX)
546 548 return 0;
547 549 return sval.value;
548 550 }
549 551
550 552 int get_array_size_bytes_max(struct expression *expr)
551 553 {
552 554 struct range_list *rl;
553 555 sval_t bytes;
554 556
555 557 rl = get_array_size_bytes_rl(expr);
556 558 if (!rl)
557 559 return 0;
558 560 bytes = rl_min(rl);
559 561 if (bytes.value < 0)
560 562 return 0;
561 563 bytes = rl_max(rl);
562 564 if (bytes.uvalue >= INT_MAX)
563 565 return 0;
564 566 return bytes.value;
565 567 }
566 568
567 569 int get_array_size_bytes_min(struct expression *expr)
568 570 {
569 571 struct range_list *rl;
570 572 struct data_range *range;
571 573
572 574 rl = get_array_size_bytes_rl(expr);
573 575 if (!rl)
574 576 return 0;
575 577
576 578 FOR_EACH_PTR(rl, range) {
577 579 if (range->min.value <= 0)
578 580 return 0;
579 581 if (range->max.value <= 0)
580 582 return 0;
581 583 if (range->min.uvalue >= INT_MAX)
582 584 return 0;
583 585 return range->min.value;
584 586 } END_FOR_EACH_PTR(range);
585 587
586 588 return 0;
587 589 }
588 590
589 591 int get_array_size(struct expression *expr)
590 592 {
591 593 if (!expr)
592 594 return 0;
593 595 return bytes_to_elements(expr, get_array_size_bytes_max(expr));
594 596 }
595 597
596 598 static struct expression *strip_ampersands(struct expression *expr)
597 599 {
598 600 struct symbol *type;
599 601
600 602 if (expr->type != EXPR_PREOP)
601 603 return expr;
602 604 if (expr->op != '&')
603 605 return expr;
604 606 type = get_type(expr->unop);
605 607 if (!type || type->type != SYM_ARRAY)
606 608 return expr;
607 609 return expr->unop;
608 610 }
609 611
610 612 static void info_record_alloction(struct expression *buffer, struct range_list *rl)
611 613 {
612 614 char *name;
613 615
614 616 if (!option_info)
615 617 return;
616 618
617 619 name = get_member_name(buffer);
618 620 if (!name && is_static(buffer))
619 621 name = expr_to_var(buffer);
620 622 if (!name)
621 623 return;
622 624 if (rl && !is_whole_rl(rl))
623 625 sql_insert_function_type_size(name, show_rl(rl));
624 626 else
|
↓ open down ↓ |
84 lines elided |
↑ open up ↑ |
625 627 sql_insert_function_type_size(name, "(-1)");
626 628
627 629 free_string(name);
628 630 }
629 631
630 632 static void store_alloc(struct expression *expr, struct range_list *rl)
631 633 {
632 634 struct symbol *type;
633 635
634 636 rl = clone_rl(rl); // FIXME!!!
637 + if (!rl)
638 + rl = size_to_rl(UNKNOWN_SIZE);
635 639 set_state_expr(my_size_id, expr, alloc_estate_rl(rl));
636 640
637 641 type = get_type(expr);
638 642 if (!type)
639 643 return;
640 644 if (type->type != SYM_PTR)
641 645 return;
642 646 type = get_real_base_type(type);
643 647 if (!type)
644 648 return;
645 649 if (type == &void_ctype)
646 650 return;
647 651 if (type->type != SYM_BASETYPE && type->type != SYM_PTR)
648 652 return;
649 653
650 654 info_record_alloction(expr, rl);
651 655 }
652 656
653 657 static void match_array_assignment(struct expression *expr)
654 658 {
655 659 struct expression *left;
656 660 struct expression *right;
657 661 char *left_member, *right_member;
658 662 struct range_list *rl;
659 663 sval_t sval;
660 664
661 665 if (expr->op != '=')
662 666 return;
663 667 left = strip_expr(expr->left);
664 668 right = strip_expr(expr->right);
665 669 right = strip_ampersands(right);
666 670
667 671 if (!is_pointer(left))
668 672 return;
669 673 if (is_allocation_function(right))
670 674 return;
671 675
672 676 left_member = get_member_name(left);
673 677 right_member = get_member_name(right);
674 678 if (left_member && right_member && strcmp(left_member, right_member) == 0) {
675 679 free_string(left_member);
676 680 free_string(right_member);
677 681 return;
678 682 }
679 683 free_string(left_member);
680 684 free_string(right_member);
681 685
682 686 if (get_implied_value(right, &sval) && sval.value == 0) {
683 687 rl = alloc_int_rl(0);
684 688 goto store;
685 689 }
686 690
687 691 rl = get_array_size_bytes_rl(right);
688 692 if (!rl && __in_fake_assign)
689 693 return;
690 694
691 695 store:
692 696 store_alloc(left, rl);
693 697 }
694 698
695 699 static void match_alloc(const char *fn, struct expression *expr, void *_size_arg)
696 700 {
697 701 int size_arg = PTR_INT(_size_arg);
698 702 struct expression *right;
699 703 struct expression *arg;
700 704 struct range_list *rl;
701 705
702 706 right = strip_expr(expr->right);
703 707 arg = get_argument_from_call_expr(right->args, size_arg);
704 708 get_absolute_rl(arg, &rl);
705 709 rl = cast_rl(&int_ctype, rl);
706 710 store_alloc(expr->left, rl);
707 711 }
708 712
709 713 static void match_calloc(const char *fn, struct expression *expr, void *unused)
710 714 {
711 715 struct expression *right;
|
↓ open down ↓ |
67 lines elided |
↑ open up ↑ |
712 716 struct expression *size, *nr, *mult;
713 717 struct range_list *rl;
714 718
715 719 right = strip_expr(expr->right);
716 720 nr = get_argument_from_call_expr(right->args, 0);
717 721 size = get_argument_from_call_expr(right->args, 1);
718 722 mult = binop_expression(nr, '*', size);
719 723 if (get_implied_rl(mult, &rl))
720 724 store_alloc(expr->left, rl);
721 725 else
722 - store_alloc(expr->left, size_to_rl(-1));
726 + store_alloc(expr->left, size_to_rl(UNKNOWN_SIZE));
723 727 }
724 728
725 729 static void match_page(const char *fn, struct expression *expr, void *_unused)
726 730 {
727 731 sval_t page_size = {
728 732 .type = &int_ctype,
729 733 {.value = 4096},
730 734 };
731 735
732 736 store_alloc(expr->left, alloc_rl(page_size, page_size));
733 737 }
734 738
735 739 static void match_strndup(const char *fn, struct expression *expr, void *unused)
736 740 {
|
↓ open down ↓ |
4 lines elided |
↑ open up ↑ |
737 741 struct expression *fn_expr;
738 742 struct expression *size_expr;
739 743 sval_t size;
740 744
741 745 fn_expr = strip_expr(expr->right);
742 746 size_expr = get_argument_from_call_expr(fn_expr->args, 1);
743 747 if (get_implied_max(size_expr, &size)) {
744 748 size.value++;
745 749 store_alloc(expr->left, size_to_rl(size.value));
746 750 } else {
747 - store_alloc(expr->left, size_to_rl(-1));
751 + store_alloc(expr->left, size_to_rl(UNKNOWN_SIZE));
748 752 }
749 753
750 754 }
751 755
752 756 static void match_alloc_pages(const char *fn, struct expression *expr, void *_order_arg)
753 757 {
754 758 int order_arg = PTR_INT(_order_arg);
755 759 struct expression *right;
756 760 struct expression *arg;
757 761 sval_t sval;
758 762
759 763 right = strip_expr(expr->right);
760 764 arg = get_argument_from_call_expr(right->args, order_arg);
761 765 if (!get_implied_value(arg, &sval))
762 766 return;
763 767 if (sval.value < 0 || sval.value > 10)
764 768 return;
765 769
766 770 sval.type = &int_ctype;
767 771 sval.value = 1 << sval.value;
768 772 sval.value *= 4096;
769 773
770 774 store_alloc(expr->left, alloc_rl(sval, sval));
771 775 }
772 776
773 777 static int is_type_bytes(struct range_list *rl, struct expression *arg)
774 778 {
775 779 struct symbol *type;
776 780 sval_t sval;
777 781
778 782 if (!rl_to_sval(rl, &sval))
779 783 return 0;
780 784
781 785 type = get_type(arg);
782 786 if (!type)
783 787 return 0;
784 788 if (type->type != SYM_PTR)
785 789 return 0;
786 790 type = get_real_base_type(type);
787 791 if (type->type != SYM_STRUCT &&
788 792 type->type != SYM_UNION)
789 793 return 0;
790 794 if (sval.value != type_bytes(type))
791 795 return 0;
792 796 return 1;
793 797 }
794 798
795 799 static void match_call(struct expression *expr)
796 800 {
797 801 struct expression *arg;
798 802 struct symbol *type;
799 803 struct range_list *rl;
800 804 int i;
801 805
802 806 i = -1;
803 807 FOR_EACH_PTR(expr->args, arg) {
804 808 i++;
805 809 type = get_type(arg);
806 810 if (!type || (type->type != SYM_PTR && type->type != SYM_ARRAY))
807 811 continue;
808 812 rl = get_array_size_bytes_rl(arg);
809 813 if (!rl)
810 814 continue;
|
↓ open down ↓ |
53 lines elided |
↑ open up ↑ |
811 815 if (is_whole_rl(rl))
812 816 continue;
813 817 if (is_type_bytes(rl, arg))
814 818 continue;
815 819 sql_insert_caller_info(expr, BUF_SIZE, i, "$", show_rl(rl));
816 820 } END_FOR_EACH_PTR(arg);
817 821 }
818 822
819 823 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
820 824 {
821 - if (sm->state == &merged ||
822 - strcmp(sm->state->name, "(-1)") == 0 ||
823 - strcmp(sm->state->name, "empty") == 0 ||
824 - strcmp(sm->state->name, "0") == 0)
825 + sval_t sval;
826 +
827 + if (!estate_rl(sm->state) ||
828 + (estate_get_single_value(sm->state, &sval) &&
829 + (sval.value == -1 || sval.value == 0)))
825 830 return;
831 +
826 832 sql_insert_caller_info(call, BUF_SIZE, param, printed_name, sm->state->name);
827 833 }
828 834
829 835 /*
830 836 * This is slightly (very) weird because half of this stuff is handled in
831 837 * smatch_parse_call_math.c which is poorly named. But anyway, add some buf
832 838 * sizes here.
833 839 *
834 840 */
835 841 static void print_returned_allocations(int return_id, char *return_ranges, struct expression *expr)
836 842 {
837 - char buf[16];
838 - int size;
843 + const char *param_math;
844 + struct range_list *rl;
845 + char buf[64];
846 + sval_t sval;
839 847
840 - size = get_array_size_bytes(expr);
841 - if (!size)
848 + rl = get_array_size_bytes_rl(expr);
849 + param_math = get_allocation_math(expr);
850 + if (!rl && !param_math)
842 851 return;
843 852
844 - snprintf(buf, sizeof(buf), "%d", size);
853 + if (!param_math &&
854 + rl_to_sval(rl, &sval) &&
855 + (sval.value == -1 || sval.value == 0))
856 + return;
857 +
858 + if (param_math)
859 + snprintf(buf, sizeof(buf), "%s[%s]", show_rl(rl), param_math);
860 + else
861 + snprintf(buf, sizeof(buf), "%s", show_rl(rl));
862 +
863 + // FIXME: don't store if you can guess the size from the type
864 + // FIXME: return if we allocate a parameter $0->bar
845 865 sql_insert_return_states(return_id, return_ranges, BUF_SIZE, -1, "", buf);
846 866 }
847 867
848 868 static void record_global_size(struct symbol *sym)
849 869 {
850 870 int bytes;
851 871 char buf[16];
852 872
853 873 if (!sym->ident)
854 874 return;
855 875
856 876 if (!(sym->ctype.modifiers & MOD_TOPLEVEL) ||
857 877 sym->ctype.modifiers & MOD_STATIC)
858 878 return;
859 879
860 880 bytes = get_array_size_bytes(symbol_expression(sym));
861 881 if (bytes <= 1)
862 882 return;
863 883
864 884 snprintf(buf, sizeof(buf), "%d", bytes);
|
↓ open down ↓ |
10 lines elided |
↑ open up ↑ |
865 885 sql_insert_data_info_var_sym(sym->ident->name, sym, BUF_SIZE, buf);
866 886 }
867 887
868 888 void register_buf_size(int id)
869 889 {
870 890 my_size_id = id;
871 891
872 892 set_dynamic_states(my_size_id);
873 893
874 894 add_unmatched_state_hook(my_size_id, &unmatched_size_state);
895 + add_merge_hook(my_size_id, &merge_estates);
875 896
876 897 select_caller_info_hook(set_param_buf_size, BUF_SIZE);
877 898 select_return_states_hook(BUF_SIZE, &db_returns_buf_size);
878 899 add_split_return_callback(print_returned_allocations);
879 900
880 901 allocation_funcs = create_function_hashtable(100);
881 902 add_allocation_function("malloc", &match_alloc, 0);
882 903 add_allocation_function("calloc", &match_calloc, 0);
883 904 add_allocation_function("memdup", &match_alloc, 1);
884 905 add_allocation_function("realloc", &match_alloc, 1);
885 906 if (option_project == PROJ_KERNEL) {
886 907 add_allocation_function("kmalloc", &match_alloc, 0);
887 908 add_allocation_function("kmalloc_node", &match_alloc, 0);
888 909 add_allocation_function("kzalloc", &match_alloc, 0);
889 910 add_allocation_function("kzalloc_node", &match_alloc, 0);
890 911 add_allocation_function("vmalloc", &match_alloc, 0);
891 912 add_allocation_function("__vmalloc", &match_alloc, 0);
892 913 add_allocation_function("kcalloc", &match_calloc, 0);
893 914 add_allocation_function("kmalloc_array", &match_calloc, 0);
894 915 add_allocation_function("drm_malloc_ab", &match_calloc, 0);
895 916 add_allocation_function("drm_calloc_large", &match_calloc, 0);
896 917 add_allocation_function("sock_kmalloc", &match_alloc, 1);
897 918 add_allocation_function("kmemdup", &match_alloc, 1);
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
898 919 add_allocation_function("kmemdup_user", &match_alloc, 1);
899 920 add_allocation_function("dma_alloc_attrs", &match_alloc, 1);
900 921 add_allocation_function("pci_alloc_consistent", &match_alloc, 1);
901 922 add_allocation_function("pci_alloc_coherent", &match_alloc, 1);
902 923 add_allocation_function("devm_kmalloc", &match_alloc, 1);
903 924 add_allocation_function("devm_kzalloc", &match_alloc, 1);
904 925 add_allocation_function("krealloc", &match_alloc, 1);
905 926 add_allocation_function("__alloc_bootmem", &match_alloc, 0);
906 927 add_allocation_function("alloc_bootmem", &match_alloc, 0);
907 928 add_allocation_function("kmap", &match_page, 0);
929 + add_allocation_function("kmap_atomic", &match_page, 0);
908 930 add_allocation_function("get_zeroed_page", &match_page, 0);
909 931 add_allocation_function("alloc_page", &match_page, 0);
910 - add_allocation_function("page_address", &match_page, 0);
911 - add_allocation_function("lowmem_page_address", &match_page, 0);
912 932 add_allocation_function("alloc_pages", &match_alloc_pages, 1);
913 933 add_allocation_function("alloc_pages_current", &match_alloc_pages, 1);
914 934 add_allocation_function("__get_free_pages", &match_alloc_pages, 1);
935 + add_allocation_function("dma_alloc_contiguous", &match_alloc, 1);
936 + add_allocation_function("dma_alloc_coherent", &match_alloc, 1);
915 937 }
916 938
917 939 add_allocation_function("strndup", match_strndup, 0);
918 940 if (option_project == PROJ_KERNEL)
919 941 add_allocation_function("kstrndup", match_strndup, 0);
920 942
921 943 add_modification_hook(my_size_id, &set_size_undefined);
922 944
923 945 add_merge_hook(my_size_id, &merge_size_func);
924 946
925 947 if (option_info)
926 948 add_hook(record_global_size, BASE_HOOK);
927 949 }
928 950
929 951 void register_buf_size_late(int id)
930 952 {
931 953 /* has to happen after match_alloc() */
932 954 add_hook(&match_array_assignment, ASSIGNMENT_HOOK);
933 955
934 956 add_hook(&match_call, FUNCTION_CALL_HOOK);
935 957 add_member_info_callback(my_size_id, struct_member_callback);
936 958 }
|
↓ open down ↓ |
12 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX