210 TYPE_LINK, member_name, type_to_str(type));
211 return has_link;
212 }
213
214 static int is_container_of(void)
215 {
216 /* We already check the macro name in is_ignored_macro() */
217 struct expression *expr;
218 int offset;
219
220 expr = get_faked_expression();
221 if (!expr || expr->type != EXPR_ASSIGNMENT)
222 return 0;
223
224 offset = get_offset_from_container_of(expr->right);
225 if (offset < 0)
226 return 0;
227 return 1;
228 }
229
230 static int is_ignored_macro(void)
231 {
232 struct expression *expr;
233 char *name;
234
235 expr = get_faked_expression();
236 if (!expr || expr->type != EXPR_ASSIGNMENT)
237 return 0;
238 name = get_macro_name(expr->right->pos);
239 if (!name)
240 return 0;
241 if (strcmp(name, "container_of") == 0)
242 return 1;
243 if (strcmp(name, "rb_entry") == 0)
244 return 1;
245 if (strcmp(name, "list_entry") == 0)
246 return 1;
247 if (strcmp(name, "list_first_entry") == 0)
248 return 1;
249 if (strcmp(name, "hlist_entry") == 0)
250 return 1;
251 if (strstr(name, "for_each"))
252 return 1;
253 return 0;
254 }
255
256 static int is_ignored_function(void)
257 {
258 struct expression *expr;
259
260 expr = get_faked_expression();
261 if (!expr || expr->type != EXPR_ASSIGNMENT)
262 return 0;
263 expr = strip_expr(expr->right);
264 if (!expr || expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL)
265 return 0;
266
267 if (sym_name_is("kmalloc", expr->fn))
268 return 1;
269 if (sym_name_is("netdev_priv", expr->fn))
270 return 1;
271 if (sym_name_is("dev_get_drvdata", expr->fn))
272 return 1;
273
274 return 0;
275 }
276
277 static int is_uncasted_pointer_assign(void)
278 {
279 struct expression *expr;
280 struct symbol *left_type, *right_type;
281
282 expr = get_faked_expression();
283 if (!expr)
284 return 0;
285 if (expr->type == EXPR_PREOP || expr->type == EXPR_POSTOP) {
286 if (expr->op == SPECIAL_INCREMENT || expr->op == SPECIAL_DECREMENT)
287 return 1;
288 }
289 if (expr->type != EXPR_ASSIGNMENT)
290 return 0;
291 left_type = get_type(expr->left);
292 right_type = get_type(expr->right);
293
294 if (!left_type || !right_type)
295 return 0;
296
297 if (left_type->type != SYM_PTR &&
298 left_type->type != SYM_ARRAY)
299 return 0;
300 if (right_type->type != SYM_PTR &&
301 right_type->type != SYM_ARRAY)
302 return 0;
303 left_type = get_real_base_type(left_type);
304 right_type = get_real_base_type(right_type);
305
306 if (left_type == right_type)
307 return 1;
308 return 0;
309 }
310
311 static int set_param_type(void *_type_str, int argc, char **argv, char **azColName)
312 {
313 char **type_str = _type_str;
314 static char type_buf[128];
315
316 if (*type_str) {
379 return 0;
380
381 if (strcmp(right_type_name, left_type_name) == 0) {
382 prev_ans = 1;
383 return 1;
384 }
385
386 return 0;
387 }
388
389 static void match_assign_value(struct expression *expr)
390 {
391 char *member, *right_member;
392 struct range_list *rl;
393 struct symbol *type;
394
395 if (!cur_func_sym)
396 return;
397
398 type = get_type(expr->left);
399 member = get_member_name(expr->left);
400 if (!member)
401 return;
402
403 /* if we're saying foo->mtu = bar->mtu then that doesn't add information */
404 right_member = get_member_name(expr->right);
405 if (right_member && strcmp(right_member, member) == 0)
406 goto free;
407
408 if (is_fake_call(expr->right)) {
409 if (is_ignored_macro())
410 goto free;
411 if (is_ignored_function())
412 goto free;
413 if (is_uncasted_pointer_assign())
414 goto free;
415 if (is_uncasted_fn_param_from_db())
416 goto free;
417 if (is_container_of())
418 goto free;
419 add_fake_type_val(member, alloc_whole_rl(get_type(expr->left)), is_ignored_fake_assignment());
420 goto free;
421 }
422
423 if (expr->op == '=') {
424 get_absolute_rl(expr->right, &rl);
425 rl = cast_rl(type, rl);
426 } else {
427 /*
428 * This is a bit cheating. We order it so this will already be set
429 * by smatch_extra.c and we just look up the value.
430 */
431 get_absolute_rl(expr->left, &rl);
432 }
433 add_type_val(member, rl);
434 free:
435 free_string(right_member);
436 free_string(member);
437 }
438
484 struct range_list *rl;
485 char *member;
486
487 if (expr->op != SPECIAL_DECREMENT && expr->op != SPECIAL_INCREMENT)
488 return;
489
490 expr = strip_expr(expr->unop);
491 member = get_member_name(expr);
492 if (!member)
493 return;
494 rl = alloc_whole_rl(get_type(expr));
495 add_type_val(member, rl);
496 free_string(member);
497 }
498
499 static void asm_expr(struct statement *stmt)
500 {
501 struct expression *expr;
502 struct range_list *rl;
503 char *member;
504 int state = 0;
505
506 FOR_EACH_PTR(stmt->asm_outputs, expr) {
507 switch (state) {
508 case 0: /* identifier */
509 case 1: /* constraint */
510 state++;
511 continue;
512 case 2: /* expression */
513 state = 0;
514 member = get_member_name(expr);
515 if (!member)
516 continue;
517 rl = alloc_whole_rl(get_type(expr));
518 add_type_val(member, rl);
519 free_string(member);
520 continue;
521 }
522 } END_FOR_EACH_PTR(expr);
523 }
524
525 static void db_param_add(struct expression *expr, int param, char *key, char *value)
526 {
527 struct expression *arg;
528 struct symbol *type;
529 struct range_list *rl;
530 char *member;
531
532 if (strcmp(key, "*$") != 0)
533 return;
534
535 while (expr->type == EXPR_ASSIGNMENT)
536 expr = strip_expr(expr->right);
537 if (expr->type != EXPR_CALL)
538 return;
539
540 arg = get_argument_from_call_expr(expr->args, param);
541 arg = strip_expr(arg);
542 if (!arg)
543 return;
544 type = get_member_type_from_key(arg, key);
545 if (arg->type != EXPR_PREOP || arg->op != '&')
546 return;
547 arg = strip_expr(arg->unop);
548
549 member = get_member_name(arg);
550 if (!member)
551 return;
552 call_results_to_rl(expr, type, value, &rl);
553 add_type_val(member, rl);
554 free_string(member);
555 }
556
557 static void match_end_func_info(struct symbol *sym)
558 {
559 struct sm_state *sm;
560
561 FOR_EACH_SM(fn_type_val, sm) {
562 sql_insert_function_type_value(sm->name, sm->state->name);
563 } END_FOR_EACH_SM(sm);
564 }
|
210 TYPE_LINK, member_name, type_to_str(type));
211 return has_link;
212 }
213
214 static int is_container_of(void)
215 {
216 /* We already check the macro name in is_ignored_macro() */
217 struct expression *expr;
218 int offset;
219
220 expr = get_faked_expression();
221 if (!expr || expr->type != EXPR_ASSIGNMENT)
222 return 0;
223
224 offset = get_offset_from_container_of(expr->right);
225 if (offset < 0)
226 return 0;
227 return 1;
228 }
229
230 static bool is_driver_data(void)
231 {
232 static struct expression *prev_expr;
233 struct expression *expr;
234 char *name;
235 static bool prev_ret;
236 bool ret = false;
237
238 expr = get_faked_expression();
239 if (!expr || expr->type != EXPR_ASSIGNMENT)
240 return false;
241
242 if (expr == prev_expr)
243 return prev_ret;
244 prev_expr = expr;
245
246 name = expr_to_str(expr->right);
247 if (!name) {
248 prev_ret = false;
249 return false;
250 }
251
252 if (strstr(name, "get_drvdata(") ||
253 strstr(name, "dev.driver_data") ||
254 strstr(name, "dev->driver_data"))
255 ret = true;
256
257 free_string(name);
258
259 prev_ret = ret;
260 return ret;
261 }
262
263 static int is_ignored_macro(void)
264 {
265 struct expression *expr;
266 char *name;
267
268 expr = get_faked_expression();
269 if (!expr || expr->type != EXPR_ASSIGNMENT || expr->op != '=')
270 return 0;
271 name = get_macro_name(expr->right->pos);
272 if (!name)
273 return 0;
274 if (strcmp(name, "container_of") == 0)
275 return 1;
276 if (strcmp(name, "rb_entry") == 0)
277 return 1;
278 if (strcmp(name, "list_entry") == 0)
279 return 1;
280 if (strcmp(name, "list_first_entry") == 0)
281 return 1;
282 if (strcmp(name, "hlist_entry") == 0)
283 return 1;
284 if (strcmp(name, "per_cpu_ptr") == 0)
285 return 1;
286 if (strcmp(name, "raw_cpu_ptr") == 0)
287 return 1;
288 if (strcmp(name, "this_cpu_ptr") == 0)
289 return 1;
290
291 if (strcmp(name, "TRACE_EVENT") == 0)
292 return 1;
293 if (strcmp(name, "DECLARE_EVENT_CLASS") == 0)
294 return 1;
295 if (strcmp(name, "DEFINE_EVENT") == 0)
296 return 1;
297
298 if (strstr(name, "for_each"))
299 return 1;
300 return 0;
301 }
302
303 static int is_ignored_function(void)
304 {
305 struct expression *expr;
306
307 expr = get_faked_expression();
308 if (!expr || expr->type != EXPR_ASSIGNMENT)
309 return 0;
310 expr = strip_expr(expr->right);
311 if (!expr || expr->type != EXPR_CALL || expr->fn->type != EXPR_SYMBOL)
312 return 0;
313
314 if (sym_name_is("kmalloc", expr->fn))
315 return 1;
316 if (sym_name_is("vmalloc", expr->fn))
317 return 1;
318 if (sym_name_is("kvmalloc", expr->fn))
319 return 1;
320 if (sym_name_is("kmalloc_array", expr->fn))
321 return 1;
322 if (sym_name_is("vmalloc_array", expr->fn))
323 return 1;
324 if (sym_name_is("kvmalloc_array", expr->fn))
325 return 1;
326
327 if (sym_name_is("mmu_memory_cache_alloc", expr->fn))
328 return 1;
329 if (sym_name_is("kmem_alloc", expr->fn))
330 return 1;
331 if (sym_name_is("alloc_pages", expr->fn))
332 return 1;
333
334 if (sym_name_is("netdev_priv", expr->fn))
335 return 1;
336 if (sym_name_is("dev_get_drvdata", expr->fn))
337 return 1;
338 if (sym_name_is("i2c_get_clientdata", expr->fn))
339 return 1;
340
341 return 0;
342 }
343
344 static int is_uncasted_pointer_assign(void)
345 {
346 struct expression *expr;
347 struct symbol *left_type, *right_type;
348
349 expr = get_faked_expression();
350 if (!expr)
351 return 0;
352 if (expr->type == EXPR_PREOP || expr->type == EXPR_POSTOP) {
353 if (expr->op == SPECIAL_INCREMENT || expr->op == SPECIAL_DECREMENT)
354 return 1;
355 }
356 if (expr->type != EXPR_ASSIGNMENT)
357 return 0;
358 left_type = get_type(expr->left);
359 right_type = get_type(expr->right);
360
361 if (!left_type || !right_type)
362 return 0;
363
364 if (left_type->type == SYM_STRUCT && left_type == right_type)
365 return 1;
366
367 if (left_type->type != SYM_PTR &&
368 left_type->type != SYM_ARRAY)
369 return 0;
370 if (right_type->type != SYM_PTR &&
371 right_type->type != SYM_ARRAY)
372 return 0;
373 left_type = get_real_base_type(left_type);
374 right_type = get_real_base_type(right_type);
375
376 if (left_type == right_type)
377 return 1;
378 return 0;
379 }
380
381 static int set_param_type(void *_type_str, int argc, char **argv, char **azColName)
382 {
383 char **type_str = _type_str;
384 static char type_buf[128];
385
386 if (*type_str) {
449 return 0;
450
451 if (strcmp(right_type_name, left_type_name) == 0) {
452 prev_ans = 1;
453 return 1;
454 }
455
456 return 0;
457 }
458
459 static void match_assign_value(struct expression *expr)
460 {
461 char *member, *right_member;
462 struct range_list *rl;
463 struct symbol *type;
464
465 if (!cur_func_sym)
466 return;
467
468 type = get_type(expr->left);
469 if (type && type->type == SYM_STRUCT)
470 return;
471 member = get_member_name(expr->left);
472 if (!member)
473 return;
474
475 /* if we're saying foo->mtu = bar->mtu then that doesn't add information */
476 right_member = get_member_name(expr->right);
477 if (right_member && strcmp(right_member, member) == 0)
478 goto free;
479
480 if (is_fake_call(expr->right)) {
481 if (is_ignored_macro())
482 goto free;
483 if (is_ignored_function())
484 goto free;
485 if (is_uncasted_pointer_assign())
486 goto free;
487 if (is_uncasted_fn_param_from_db())
488 goto free;
489 if (is_container_of())
490 goto free;
491 if (is_driver_data())
492 goto free;
493 add_fake_type_val(member, alloc_whole_rl(get_type(expr->left)), is_ignored_fake_assignment());
494 goto free;
495 }
496
497 if (expr->op == '=') {
498 get_absolute_rl(expr->right, &rl);
499 rl = cast_rl(type, rl);
500 } else {
501 /*
502 * This is a bit cheating. We order it so this will already be set
503 * by smatch_extra.c and we just look up the value.
504 */
505 get_absolute_rl(expr->left, &rl);
506 }
507 add_type_val(member, rl);
508 free:
509 free_string(right_member);
510 free_string(member);
511 }
512
558 struct range_list *rl;
559 char *member;
560
561 if (expr->op != SPECIAL_DECREMENT && expr->op != SPECIAL_INCREMENT)
562 return;
563
564 expr = strip_expr(expr->unop);
565 member = get_member_name(expr);
566 if (!member)
567 return;
568 rl = alloc_whole_rl(get_type(expr));
569 add_type_val(member, rl);
570 free_string(member);
571 }
572
573 static void asm_expr(struct statement *stmt)
574 {
575 struct expression *expr;
576 struct range_list *rl;
577 char *member;
578
579 FOR_EACH_PTR(stmt->asm_outputs, expr) {
580 member = get_member_name(expr->expr);
581 if (!member)
582 continue;
583 rl = alloc_whole_rl(get_type(expr->expr));
584 add_type_val(member, rl);
585 free_string(member);
586 } END_FOR_EACH_PTR(expr);
587 }
588
589 static void db_param_add(struct expression *expr, int param, char *key, char *value)
590 {
591 struct expression *arg;
592 struct symbol *type;
593 struct range_list *rl;
594 char *member;
595
596 if (strcmp(key, "*$") != 0)
597 return;
598
599 while (expr->type == EXPR_ASSIGNMENT)
600 expr = strip_expr(expr->right);
601 if (expr->type != EXPR_CALL)
602 return;
603
604 arg = get_argument_from_call_expr(expr->args, param);
605 arg = strip_expr(arg);
606 if (!arg)
607 return;
608 type = get_member_type_from_key(arg, key);
609 /*
610 * The situation here is that say we memset() a void pointer to zero
611 * then that's returned to the called as "*$ = 0;" but on the caller's
612 * side it's not void, it's a struct.
613 *
614 * So the question is should we be passing that slightly bogus
615 * information back to the caller? Maybe, maybe not, but either way we
616 * are not going to record it here because a struct can't be zero.
617 *
618 */
619 if (type && type->type == SYM_STRUCT)
620 return;
621
622 if (arg->type != EXPR_PREOP || arg->op != '&')
623 return;
624 arg = strip_expr(arg->unop);
625
626 member = get_member_name(arg);
627 if (!member)
628 return;
629 call_results_to_rl(expr, type, value, &rl);
630 add_type_val(member, rl);
631 free_string(member);
632 }
633
634 static void match_end_func_info(struct symbol *sym)
635 {
636 struct sm_state *sm;
637
638 FOR_EACH_SM(fn_type_val, sm) {
639 sql_insert_function_type_value(sm->name, sm->state->name);
640 } END_FOR_EACH_SM(sm);
641 }
|