Print this page
11506 smatch resync
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/tools/smatch/src/check_spectre.c
+++ new/usr/src/tools/smatch/src/check_spectre.c
1 1 /*
2 2 * Copyright (C) 2018 Oracle.
3 3 *
4 4 * This program is free software; you can redistribute it and/or
5 5 * modify it under the terms of the GNU General Public License
6 6 * as published by the Free Software Foundation; either version 2
7 7 * of the License, or (at your option) any later version.
8 8 *
9 9 * This program is distributed in the hope that it will be useful,
10 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
↓ open down ↓ |
11 lines elided |
↑ open up ↑ |
12 12 * GNU General Public License for more details.
13 13 *
14 14 * You should have received a copy of the GNU General Public License
15 15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 16 */
17 17
18 18 #include "smatch.h"
19 19 #include "smatch_extra.h"
20 20
21 21 static int my_id;
22 +extern int second_half_id;
23 +extern void set_spectre_first_half(struct expression *expr);
22 24
23 25 static int suppress_multiple = 1;
24 26
25 27 static int is_write(struct expression *expr)
26 28 {
27 29 return 0;
28 30 }
29 31
30 32 static int is_read(struct expression *expr)
31 33 {
32 34 struct expression *parent, *last_parent;
33 35 struct statement *stmt;
34 36
35 37 if (is_write(expr))
36 38 return 0;
37 39
38 40 last_parent = expr;
39 41 while ((parent = expr_get_parent_expr(expr))){
40 42
41 43 last_parent = parent;
42 44
43 45 /* If we pass a value as a parameter that's a read, probably? */
44 46 // if (parent->type == EXPR_CALL)
45 47 // return 1;
46 48
47 49 if (parent->type == EXPR_ASSIGNMENT) {
48 50 if (parent->right == expr)
49 51 return 1;
50 52 if (parent->left == expr)
51 53 return 0;
52 54 }
53 55 expr = parent;
54 56 }
55 57
56 58 stmt = expr_get_parent_stmt(last_parent);
57 59 if (stmt && stmt->type == STMT_RETURN)
58 60 return 1;
59 61
60 62 return 0;
61 63 }
62 64
63 65 static int is_harmless(struct expression *expr)
64 66 {
65 67 struct expression *tmp, *parent;
66 68 struct statement *stmt;
67 69 int count = 0;
68 70
69 71 parent = expr;
70 72 while ((tmp = expr_get_parent_expr(parent))) {
71 73 if (tmp->type == EXPR_ASSIGNMENT || tmp->type == EXPR_CALL)
72 74 return 0;
73 75 parent = tmp;
74 76 if (count++ > 4)
75 77 break;
76 78 }
77 79
78 80 stmt = expr_get_parent_stmt(parent);
79 81 if (!stmt)
80 82 return 0;
81 83 if (stmt->type == STMT_IF && stmt->if_conditional == parent)
82 84 return 1;
83 85 if (stmt->type == STMT_ITERATOR &&
84 86 (stmt->iterator_pre_condition == parent ||
85 87 stmt->iterator_post_condition == parent))
86 88 return 1;
87 89
88 90 return 0;
89 91 }
90 92
91 93 static unsigned long long get_max_by_type(struct expression *expr)
92 94 {
93 95 struct symbol *type;
94 96 int cnt = 0;
95 97 sval_t max;
96 98
97 99 max.type = &ullong_ctype;
98 100 max.uvalue = -1ULL;
99 101
100 102 while (true) {
101 103 expr = strip_parens(expr);
102 104 type = get_type(expr);
103 105 if (type && sval_type_max(type).uvalue < max.uvalue)
104 106 max = sval_type_max(type);
105 107 if (expr->type == EXPR_PREOP) {
106 108 expr = expr->unop;
107 109 } else if (expr->type == EXPR_BINOP) {
108 110 if (expr->op == '%' || expr->op == '&')
109 111 expr = expr->right;
110 112 else
111 113 return max.uvalue;
112 114 } else {
113 115 expr = get_assigned_expr(expr);
114 116 if (!expr)
115 117 return max.uvalue;
116 118 }
117 119 if (cnt++ > 5)
118 120 return max.uvalue;
119 121 }
120 122
121 123 return max.uvalue;
122 124 }
123 125
124 126 static unsigned long long get_mask(struct expression *expr)
125 127 {
126 128 struct expression *tmp;
127 129 sval_t mask;
128 130 int cnt = 0;
129 131
130 132 expr = strip_expr(expr);
131 133
132 134 tmp = get_assigned_expr(expr);
133 135 while (tmp) {
134 136 expr = tmp;
135 137 if (++cnt > 3)
136 138 break;
137 139 tmp = get_assigned_expr(expr);
138 140 }
139 141
140 142 if (expr->type == EXPR_BINOP && expr->op == '&') {
141 143 if (get_value(expr->right, &mask)) /* right is the common case */
142 144 return mask.uvalue;
143 145 if (get_value(expr->left, &mask))
144 146 return mask.uvalue;
145 147 }
146 148
147 149 return ULLONG_MAX;
148 150 }
149 151
150 152 static void array_check(struct expression *expr)
151 153 {
152 154 struct expression_list *conditions;
153 155 struct expression *array_expr, *offset;
154 156 unsigned long long mask;
155 157 int array_size;
156 158 char *name;
157 159
|
↓ open down ↓ |
126 lines elided |
↑ open up ↑ |
158 160 expr = strip_expr(expr);
159 161 if (!is_array(expr))
160 162 return;
161 163
162 164 if (is_impossible_path())
163 165 return;
164 166 if (is_harmless(expr))
165 167 return;
166 168
167 169 array_expr = get_array_base(expr);
168 - if (suppress_multiple && is_ignored_expr(my_id, array_expr))
170 + if (suppress_multiple && is_ignored_expr(my_id, array_expr)) {
171 + set_spectre_first_half(expr);
169 172 return;
173 + }
170 174
171 175 offset = get_array_offset(expr);
172 176 if (!is_user_rl(offset))
173 177 return;
174 178 if (is_nospec(offset))
175 179 return;
176 180
177 181 array_size = get_array_size(array_expr);
178 182 if (array_size > 0 && get_max_by_type(offset) < array_size)
179 183 return;
180 184 // binfo = get_bit_info(offset);
181 185 // if (array_size > 0 && binfo && binfo->possible < array_size)
182 186 // return;
183 187
184 188 mask = get_mask(offset);
|
↓ open down ↓ |
5 lines elided |
↑ open up ↑ |
185 189 if (mask <= array_size)
186 190 return;
187 191
188 192 conditions = get_conditions(offset);
189 193
190 194 name = expr_to_str(array_expr);
191 195 sm_warning("potential spectre issue '%s' [%s]%s",
192 196 name,
193 197 is_read(expr) ? "r" : "w",
194 198 conditions ? " (local cap)" : "");
199 +
200 + set_spectre_first_half(expr);
195 201 if (suppress_multiple)
196 202 add_ignore_expr(my_id, array_expr);
197 203 free_string(name);
198 204 }
199 205
200 206 void check_spectre(int id)
201 207 {
202 208 my_id = id;
203 209
204 210 suppress_multiple = getenv("FULL_SPECTRE") == NULL;
205 211
206 212 if (option_project != PROJ_KERNEL)
207 213 return;
208 214
209 215 add_hook(&array_check, OP_HOOK);
210 216 }
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX