1 /*
   2  * Copyright (C) 2010 Dan Carpenter.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17 
  18 #include <stdlib.h>
  19 #include <errno.h>
  20 #include "parse.h"
  21 #include "smatch.h"
  22 #include "smatch_slist.h"
  23 #include "smatch_extra.h"
  24 #include "smatch_function_hashtable.h"
  25 
  26 #define UNKNOWN_SIZE (-1)
  27 
  28 static int my_size_id;
  29 
  30 static DEFINE_HASHTABLE_INSERT(insert_func, char, int);
  31 static DEFINE_HASHTABLE_SEARCH(search_func, char, int);
  32 static struct hashtable *allocation_funcs;
  33 
  34 static char *get_fn_name(struct expression *expr)
  35 {
  36         if (expr->type != EXPR_CALL)
  37                 return NULL;
  38         if (expr->fn->type != EXPR_SYMBOL)
  39                 return NULL;
  40         return expr_to_var(expr->fn);
  41 }
  42 
  43 static int is_allocation_function(struct expression *expr)
  44 {
  45         char *func;
  46         int ret = 0;
  47 
  48         func = get_fn_name(expr);
  49         if (!func)
  50                 return 0;
  51         if (search_func(allocation_funcs, func))
  52                 ret = 1;
  53         free_string(func);
  54         return ret;
  55 }
  56 
  57 static void add_allocation_function(const char *func, void *call_back, int param)
  58 {
  59         insert_func(allocation_funcs, (char *)func, (int *)1);
  60         add_function_assign_hook(func, call_back, INT_PTR(param));
  61 }
  62 
  63 static int estate_to_size(struct smatch_state *state)
  64 {
  65         sval_t sval;
  66 
  67         if (!state || !estate_rl(state))
  68                 return 0;
  69         sval = estate_max(state);
  70         return sval.value;
  71 }
  72 
  73 static struct smatch_state *size_to_estate(int size)
  74 {
  75         sval_t sval;
  76 
  77         sval.type = &int_ctype;
  78         sval.value = size;
  79 
  80         return alloc_estate_sval(sval);
  81 }
  82 
  83 static struct range_list *size_to_rl(int size)
  84 {
  85         sval_t sval;
  86 
  87         sval.type = &int_ctype;
  88         sval.value = size;
  89 
  90         return alloc_rl(sval, sval);
  91 }
  92 
  93 static struct smatch_state *unmatched_size_state(struct sm_state *sm)
  94 {
  95         return size_to_estate(UNKNOWN_SIZE);
  96 }
  97 
  98 static void set_size_undefined(struct sm_state *sm, struct expression *mod_expr)
  99 {
 100         set_state(sm->owner, sm->name, sm->sym, size_to_estate(UNKNOWN_SIZE));
 101 }
 102 
 103 static struct smatch_state *merge_size_func(struct smatch_state *s1, struct smatch_state *s2)
 104 {
 105         return merge_estates(s1, s2);
 106 }
 107 
 108 void set_param_buf_size(const char *name, struct symbol *sym, char *key, char *value)
 109 {
 110         struct range_list *rl = NULL;
 111         struct smatch_state *state;
 112         char fullname[256];
 113 
 114         if (strncmp(key, "$", 1) != 0)
 115                 return;
 116 
 117         snprintf(fullname, 256, "%s%s", name, key + 1);
 118 
 119         str_to_rl(&int_ctype, value, &rl);
 120         if (!rl || is_whole_rl(rl))
 121                 return;
 122         state = alloc_estate_rl(rl);
 123         set_state(my_size_id, fullname, sym, state);
 124 }
 125 
 126 static int bytes_per_element(struct expression *expr)
 127 {
 128         struct symbol *type;
 129 
 130         if (!expr)
 131                 return 0;
 132         if (expr->type == EXPR_STRING)
 133                 return 1;
 134         if (expr->type == EXPR_PREOP && expr->op == '&') {
 135                 type = get_type(expr->unop);
 136                 if (type && type->type == SYM_ARRAY)
 137                         expr = expr->unop;
 138         }
 139         type = get_type(expr);
 140         if (!type)
 141                 return 0;
 142 
 143         if (type->type != SYM_PTR && type->type != SYM_ARRAY)
 144                 return 0;
 145 
 146         type = get_base_type(type);
 147         return type_bytes(type);
 148 }
 149 
 150 static int bytes_to_elements(struct expression *expr, int bytes)
 151 {
 152         int bpe;
 153 
 154         bpe = bytes_per_element(expr);
 155         if (bpe == 0)
 156                 return 0;
 157         return bytes / bpe;
 158 }
 159 
 160 static int elements_to_bytes(struct expression *expr, int elements)
 161 {
 162         int bpe;
 163 
 164         bpe = bytes_per_element(expr);
 165         return elements * bpe;
 166 }
 167 
 168 static int get_initializer_size(struct expression *expr)
 169 {
 170         switch (expr->type) {
 171         case EXPR_STRING:
 172                 return expr->string->length;
 173         case EXPR_INITIALIZER: {
 174                 struct expression *tmp;
 175                 int i = 0;
 176 
 177                 FOR_EACH_PTR(expr->expr_list, tmp) {
 178                         if (tmp->type == EXPR_INDEX) {
 179                                 if (tmp->idx_to >= i)
 180                                         i = tmp->idx_to;
 181                                 else
 182                                         continue;
 183                         }
 184 
 185                         i++;
 186                 } END_FOR_EACH_PTR(tmp);
 187                 return i;
 188         }
 189         case EXPR_SYMBOL:
 190                 return get_array_size(expr);
 191         }
 192         return 0;
 193 }
 194 
 195 static struct range_list *db_size_rl;
 196 static int db_size_callback(void *unused, int argc, char **argv, char **azColName)
 197 {
 198         struct range_list *tmp = NULL;
 199 
 200         if (!db_size_rl) {
 201                 str_to_rl(&int_ctype, argv[0], &db_size_rl);
 202         } else {
 203                 str_to_rl(&int_ctype, argv[0], &tmp);
 204                 db_size_rl = rl_union(db_size_rl, tmp);
 205         }
 206         return 0;
 207 }
 208 
 209 static struct range_list *size_from_db_type(struct expression *expr)
 210 {
 211         int this_file_only = 0;
 212         char *name;
 213 
 214         name = get_member_name(expr);
 215         if (!name && is_static(expr)) {
 216                 name = expr_to_var(expr);
 217                 this_file_only = 1;
 218         }
 219         if (!name)
 220                 return NULL;
 221 
 222         if (this_file_only) {
 223                 db_size_rl = NULL;
 224                 run_sql(db_size_callback, NULL,
 225                         "select size from function_type_size where type = '%s' and file = '%s';",
 226                         name, get_filename());
 227                 if (db_size_rl)
 228                         return db_size_rl;
 229                 return NULL;
 230         }
 231 
 232         db_size_rl = NULL;
 233         run_sql(db_size_callback, NULL,
 234                 "select size from type_size where type = '%s';",
 235                 name);
 236         return db_size_rl;
 237 }
 238 
 239 static struct range_list *size_from_db_symbol(struct expression *expr)
 240 {
 241         struct symbol *sym;
 242 
 243         if (expr->type != EXPR_SYMBOL)
 244                 return NULL;
 245         sym = expr->symbol;
 246         if (!sym || !sym->ident ||
 247             !(sym->ctype.modifiers & MOD_TOPLEVEL) ||
 248             sym->ctype.modifiers & MOD_STATIC)
 249                 return NULL;
 250 
 251         db_size_rl = NULL;
 252         run_sql(db_size_callback, NULL,
 253                 "select value from data_info where file = 'extern' and data = '%s' and type = %d;",
 254                 sym->ident->name, BUF_SIZE);
 255         return db_size_rl;
 256 }
 257 
 258 static struct range_list *size_from_db(struct expression *expr)
 259 {
 260         struct range_list *rl;
 261 
 262         rl = size_from_db_symbol(expr);
 263         if (rl)
 264                 return rl;
 265         return size_from_db_type(expr);
 266 }
 267 
 268 static void db_returns_buf_size(struct expression *expr, int param, char *unused, char *math)
 269 {
 270         struct expression *call;
 271         struct range_list *rl;
 272 
 273         if (expr->type != EXPR_ASSIGNMENT)
 274                 return;
 275         call = strip_expr(expr->right);
 276 
 277         if (!parse_call_math_rl(call, math, &rl))
 278                 return;
 279         rl = cast_rl(&int_ctype, rl);
 280         set_state_expr(my_size_id, expr->left, alloc_estate_rl(rl));
 281 }
 282 
 283 static int get_real_array_size_from_type(struct symbol *type)
 284 {
 285         sval_t sval;
 286 
 287         if (!type)
 288                 return 0;
 289         if (!type || type->type != SYM_ARRAY)
 290                 return 0;
 291 
 292         if (!get_implied_value(type->array_size, &sval))
 293                 return 0;
 294 
 295         return sval.value;
 296 }
 297 
 298 int get_real_array_size(struct expression *expr)
 299 {
 300         if (!expr)
 301                 return 0;
 302         if (expr->type == EXPR_PREOP && expr->op == '&')
 303                 expr = expr->unop;
 304         if (expr->type == EXPR_BINOP) /* array elements foo[5] */
 305                 return 0;
 306         return get_real_array_size_from_type(get_type(expr));
 307 }
 308 
 309 static int get_size_from_initializer(struct expression *expr)
 310 {
 311         if (expr->type != EXPR_SYMBOL || !expr->symbol || !expr->symbol->initializer)
 312                 return 0;
 313         if (expr->symbol->initializer == expr) /* int a = a; */
 314                 return 0;
 315         return get_initializer_size(expr->symbol->initializer);
 316 }
 317 
 318 static struct range_list *get_stored_size_bytes(struct expression *expr)
 319 {
 320         struct smatch_state *state;
 321 
 322         state = get_state_expr(my_size_id, expr);
 323         if (!state)
 324                 return NULL;
 325         return estate_rl(state);
 326 }
 327 
 328 static int get_bytes_from_address(struct expression *expr)
 329 {
 330         struct symbol *type;
 331         int ret;
 332 
 333         if (expr->type != EXPR_PREOP || expr->op != '&')
 334                 return 0;
 335         type = get_type(expr);
 336         if (!type)
 337                 return 0;
 338 
 339         if (type->type == SYM_PTR)
 340                 type = get_base_type(type);
 341 
 342         ret = type_bytes(type);
 343         if (ret == 1)
 344                 return 0;  /* ignore char pointers */
 345 
 346         return ret;
 347 }
 348 
 349 static struct expression *remove_addr_fluff(struct expression *expr)
 350 {
 351         struct expression *tmp;
 352         sval_t sval;
 353 
 354         expr = strip_expr(expr);
 355 
 356         /* remove '&' and '*' operations that cancel */
 357         while (expr && expr->type == EXPR_PREOP && expr->op == '&') {
 358                 tmp = strip_expr(expr->unop);
 359                 if (tmp->type != EXPR_PREOP)
 360                         break;
 361                 if (tmp->op != '*')
 362                         break;
 363                 expr = strip_expr(tmp->unop);
 364         }
 365 
 366         if (!expr)
 367                 return NULL;
 368 
 369         /* "foo + 0" is just "foo" */
 370         if (expr->type == EXPR_BINOP && expr->op == '+' &&
 371             get_value(expr->right, &sval) && sval.value == 0)
 372                 return expr->left;
 373 
 374         return expr;
 375 }
 376 
 377 static int is_last_member_of_struct(struct symbol *sym, struct ident *member)
 378 {
 379         struct symbol *tmp;
 380         int i;
 381 
 382         i = 0;
 383         FOR_EACH_PTR_REVERSE(sym->symbol_list, tmp) {
 384                 if (i++ || !tmp->ident)
 385                         return 0;
 386                 if (tmp->ident == member)
 387                         return 1;
 388                 return 0;
 389         } END_FOR_EACH_PTR_REVERSE(tmp);
 390 
 391         return 0;
 392 }
 393 
 394 int last_member_is_resizable(struct symbol *sym)
 395 {
 396         struct symbol *last_member;
 397         struct symbol *type;
 398         sval_t sval;
 399 
 400         if (!sym || sym->type != SYM_STRUCT)
 401                 return 0;
 402 
 403         last_member = last_ptr_list((struct ptr_list *)sym->symbol_list);
 404         if (!last_member || !last_member->ident)
 405                 return 0;
 406 
 407         type = get_real_base_type(last_member);
 408         if (type->type == SYM_STRUCT)
 409                 return last_member_is_resizable(type);
 410         if (type->type != SYM_ARRAY)
 411                 return 0;
 412 
 413         if (!get_implied_value(type->array_size, &sval))
 414                 return 0;
 415 
 416         if (sval.value != 0 && sval.value != 1)
 417                 return 0;
 418 
 419         return 1;
 420 }
 421 
 422 static int get_stored_size_end_struct_bytes(struct expression *expr)
 423 {
 424         struct symbol *sym;
 425         struct symbol *base_sym;
 426         struct smatch_state *state;
 427 
 428         if (expr->type == EXPR_BINOP) /* array elements foo[5] */
 429                 return 0;
 430 
 431         if (expr->type == EXPR_PREOP && expr->op == '&')
 432                 expr = strip_parens(expr->unop);
 433 
 434         sym = expr_to_sym(expr);
 435         if (!sym || !sym->ident)
 436                 return 0;
 437         if (!type_bytes(sym))
 438                 return 0;
 439         if (sym->type != SYM_NODE)
 440                 return 0;
 441 
 442         base_sym = get_real_base_type(sym);
 443         if (!base_sym || base_sym->type != SYM_PTR)
 444                 return 0;
 445         base_sym = get_real_base_type(base_sym);
 446         if (!base_sym || base_sym->type != SYM_STRUCT)
 447                 return 0;
 448 
 449         if (!is_last_member_of_struct(base_sym, expr->member))
 450                 return 0;
 451         if (!last_member_is_resizable(base_sym))
 452                 return 0;
 453 
 454         state = get_state(my_size_id, sym->ident->name, sym);
 455         if (!estate_to_size(state))
 456                 return 0;
 457 
 458         return estate_to_size(state) - type_bytes(base_sym) + type_bytes(get_type(expr));
 459 }
 460 
 461 static struct range_list *alloc_int_rl(int value)
 462 {
 463         sval_t sval = {
 464                 .type = &int_ctype,
 465                 {.value = value},
 466         };
 467 
 468         return alloc_rl(sval, sval);
 469 }
 470 
 471 struct range_list *get_array_size_bytes_rl(struct expression *expr)
 472 {
 473         struct range_list *ret = NULL;
 474         int size;
 475 
 476         expr = remove_addr_fluff(expr);
 477         if (!expr)
 478                 return NULL;
 479 
 480         /* "BAR" */
 481         if (expr->type == EXPR_STRING)
 482                 return alloc_int_rl(expr->string->length);
 483 
 484         if (expr->type == EXPR_BINOP && expr->op == '+') {
 485                 sval_t offset;
 486                 struct symbol *type;
 487                 int bytes;
 488 
 489                 if (!get_implied_value(expr->right, &offset))
 490                         return NULL;
 491                 type = get_type(expr->left);
 492                 if (!type)
 493                         return NULL;
 494                 if (type->type != SYM_ARRAY && type->type != SYM_PTR)
 495                         return NULL;
 496                 type = get_real_base_type(type);
 497                 bytes = type_bytes(type);
 498                 if (bytes == 0)
 499                         return NULL;
 500                 offset.value *= bytes;
 501                 size = get_array_size_bytes(expr->left);
 502                 if (size <= 0)
 503                         return NULL;
 504                 return alloc_int_rl(size - offset.value);
 505         }
 506 
 507         size = get_stored_size_end_struct_bytes(expr);
 508         if (size)
 509                 return alloc_int_rl(size);
 510 
 511         /* buf[4] */
 512         size = get_real_array_size(expr);
 513         if (size)
 514                 return alloc_int_rl(elements_to_bytes(expr, size));
 515 
 516         /* buf = malloc(1024); */
 517         ret = get_stored_size_bytes(expr);
 518         if (ret)
 519                 return ret;
 520 
 521         /* char *foo = "BAR" */
 522         size = get_size_from_initializer(expr);
 523         if (size)
 524                 return alloc_int_rl(elements_to_bytes(expr, size));
 525 
 526         size = get_bytes_from_address(expr);
 527         if (size)
 528                 return alloc_int_rl(size);
 529 
 530         ret = size_from_db(expr);
 531         if (ret)
 532                 return ret;
 533 
 534         return NULL;
 535 }
 536 
 537 int get_array_size_bytes(struct expression *expr)
 538 {
 539         struct range_list *rl;
 540         sval_t sval;
 541 
 542         rl = get_array_size_bytes_rl(expr);
 543         if (!rl_to_sval(rl, &sval))
 544                 return 0;
 545         if (sval.uvalue >= INT_MAX)
 546                 return 0;
 547         return sval.value;
 548 }
 549 
 550 int get_array_size_bytes_max(struct expression *expr)
 551 {
 552         struct range_list *rl;
 553         sval_t bytes;
 554 
 555         rl = get_array_size_bytes_rl(expr);
 556         if (!rl)
 557                 return 0;
 558         bytes = rl_min(rl);
 559         if (bytes.value < 0)
 560                 return 0;
 561         bytes = rl_max(rl);
 562         if (bytes.uvalue >= INT_MAX)
 563                 return 0;
 564         return bytes.value;
 565 }
 566 
 567 int get_array_size_bytes_min(struct expression *expr)
 568 {
 569         struct range_list *rl;
 570         struct data_range *range;
 571 
 572         rl = get_array_size_bytes_rl(expr);
 573         if (!rl)
 574                 return 0;
 575 
 576         FOR_EACH_PTR(rl, range) {
 577                 if (range->min.value <= 0)
 578                         return 0;
 579                 if (range->max.value <= 0)
 580                         return 0;
 581                 if (range->min.uvalue >= INT_MAX)
 582                         return 0;
 583                 return range->min.value;
 584         } END_FOR_EACH_PTR(range);
 585 
 586         return 0;
 587 }
 588 
 589 int get_array_size(struct expression *expr)
 590 {
 591         if (!expr)
 592                 return 0;
 593         return bytes_to_elements(expr, get_array_size_bytes_max(expr));
 594 }
 595 
 596 static struct expression *strip_ampersands(struct expression *expr)
 597 {
 598         struct symbol *type;
 599 
 600         if (expr->type != EXPR_PREOP)
 601                 return expr;
 602         if (expr->op != '&')
 603                 return expr;
 604         type = get_type(expr->unop);
 605         if (!type || type->type != SYM_ARRAY)
 606                 return expr;
 607         return expr->unop;
 608 }
 609 
 610 static void info_record_alloction(struct expression *buffer, struct range_list *rl)
 611 {
 612         char *name;
 613 
 614         if (!option_info)
 615                 return;
 616 
 617         name = get_member_name(buffer);
 618         if (!name && is_static(buffer))
 619                 name = expr_to_var(buffer);
 620         if (!name)
 621                 return;
 622         if (rl && !is_whole_rl(rl))
 623                 sql_insert_function_type_size(name, show_rl(rl));
 624         else
 625                 sql_insert_function_type_size(name, "(-1)");
 626 
 627         free_string(name);
 628 }
 629 
 630 static void store_alloc(struct expression *expr, struct range_list *rl)
 631 {
 632         struct symbol *type;
 633 
 634         rl = clone_rl(rl); // FIXME!!!
 635         set_state_expr(my_size_id, expr, alloc_estate_rl(rl));
 636 
 637         type = get_type(expr);
 638         if (!type)
 639                 return;
 640         if (type->type != SYM_PTR)
 641                 return;
 642         type = get_real_base_type(type);
 643         if (!type)
 644                 return;
 645         if (type == &void_ctype)
 646                 return;
 647         if (type->type != SYM_BASETYPE && type->type != SYM_PTR)
 648                 return;
 649 
 650         info_record_alloction(expr, rl);
 651 }
 652 
 653 static void match_array_assignment(struct expression *expr)
 654 {
 655         struct expression *left;
 656         struct expression *right;
 657         char *left_member, *right_member;
 658         struct range_list *rl;
 659         sval_t sval;
 660 
 661         if (expr->op != '=')
 662                 return;
 663         left = strip_expr(expr->left);
 664         right = strip_expr(expr->right);
 665         right = strip_ampersands(right);
 666 
 667         if (!is_pointer(left))
 668                 return;
 669         if (is_allocation_function(right))
 670                 return;
 671 
 672         left_member = get_member_name(left);
 673         right_member = get_member_name(right);
 674         if (left_member && right_member && strcmp(left_member, right_member) == 0) {
 675                 free_string(left_member);
 676                 free_string(right_member);
 677                 return;
 678         }
 679         free_string(left_member);
 680         free_string(right_member);
 681 
 682         if (get_implied_value(right, &sval) && sval.value == 0) {
 683                 rl = alloc_int_rl(0);
 684                 goto store;
 685         }
 686 
 687         rl = get_array_size_bytes_rl(right);
 688         if (!rl && __in_fake_assign)
 689                 return;
 690 
 691 store:
 692         store_alloc(left, rl);
 693 }
 694 
 695 static void match_alloc(const char *fn, struct expression *expr, void *_size_arg)
 696 {
 697         int size_arg = PTR_INT(_size_arg);
 698         struct expression *right;
 699         struct expression *arg;
 700         struct range_list *rl;
 701 
 702         right = strip_expr(expr->right);
 703         arg = get_argument_from_call_expr(right->args, size_arg);
 704         get_absolute_rl(arg, &rl);
 705         rl = cast_rl(&int_ctype, rl);
 706         store_alloc(expr->left, rl);
 707 }
 708 
 709 static void match_calloc(const char *fn, struct expression *expr, void *unused)
 710 {
 711         struct expression *right;
 712         struct expression *size, *nr, *mult;
 713         struct range_list *rl;
 714 
 715         right = strip_expr(expr->right);
 716         nr = get_argument_from_call_expr(right->args, 0);
 717         size = get_argument_from_call_expr(right->args, 1);
 718         mult = binop_expression(nr, '*', size);
 719         if (get_implied_rl(mult, &rl))
 720                 store_alloc(expr->left, rl);
 721         else
 722                 store_alloc(expr->left, size_to_rl(-1));
 723 }
 724 
 725 static void match_page(const char *fn, struct expression *expr, void *_unused)
 726 {
 727         sval_t page_size = {
 728                 .type = &int_ctype,
 729                 {.value = 4096},
 730         };
 731 
 732         store_alloc(expr->left, alloc_rl(page_size, page_size));
 733 }
 734 
 735 static void match_strndup(const char *fn, struct expression *expr, void *unused)
 736 {
 737         struct expression *fn_expr;
 738         struct expression *size_expr;
 739         sval_t size;
 740 
 741         fn_expr = strip_expr(expr->right);
 742         size_expr = get_argument_from_call_expr(fn_expr->args, 1);
 743         if (get_implied_max(size_expr, &size)) {
 744                 size.value++;
 745                 store_alloc(expr->left, size_to_rl(size.value));
 746         } else {
 747                 store_alloc(expr->left, size_to_rl(-1));
 748         }
 749 
 750 }
 751 
 752 static void match_alloc_pages(const char *fn, struct expression *expr, void *_order_arg)
 753 {
 754         int order_arg = PTR_INT(_order_arg);
 755         struct expression *right;
 756         struct expression *arg;
 757         sval_t sval;
 758 
 759         right = strip_expr(expr->right);
 760         arg = get_argument_from_call_expr(right->args, order_arg);
 761         if (!get_implied_value(arg, &sval))
 762                 return;
 763         if (sval.value < 0 || sval.value > 10)
 764                 return;
 765 
 766         sval.type = &int_ctype;
 767         sval.value = 1 << sval.value;
 768         sval.value *= 4096;
 769 
 770         store_alloc(expr->left, alloc_rl(sval, sval));
 771 }
 772 
 773 static int is_type_bytes(struct range_list *rl, struct expression *arg)
 774 {
 775         struct symbol *type;
 776         sval_t sval;
 777 
 778         if (!rl_to_sval(rl, &sval))
 779                 return 0;
 780 
 781         type = get_type(arg);
 782         if (!type)
 783                 return 0;
 784         if (type->type != SYM_PTR)
 785                 return 0;
 786         type = get_real_base_type(type);
 787         if (type->type != SYM_STRUCT &&
 788             type->type != SYM_UNION)
 789                 return 0;
 790         if (sval.value != type_bytes(type))
 791                 return 0;
 792         return 1;
 793 }
 794 
 795 static void match_call(struct expression *expr)
 796 {
 797         struct expression *arg;
 798         struct symbol *type;
 799         struct range_list *rl;
 800         int i;
 801 
 802         i = -1;
 803         FOR_EACH_PTR(expr->args, arg) {
 804                 i++;
 805                 type = get_type(arg);
 806                 if (!type || (type->type != SYM_PTR && type->type != SYM_ARRAY))
 807                         continue;
 808                 rl = get_array_size_bytes_rl(arg);
 809                 if (!rl)
 810                         continue;
 811                 if (is_whole_rl(rl))
 812                         continue;
 813                 if (is_type_bytes(rl, arg))
 814                         continue;
 815                 sql_insert_caller_info(expr, BUF_SIZE, i, "$", show_rl(rl));
 816         } END_FOR_EACH_PTR(arg);
 817 }
 818 
 819 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
 820 {
 821         if (sm->state == &merged ||
 822             strcmp(sm->state->name, "(-1)") == 0 ||
 823             strcmp(sm->state->name, "empty") == 0 ||
 824             strcmp(sm->state->name, "0") == 0)
 825                 return;
 826         sql_insert_caller_info(call, BUF_SIZE, param, printed_name, sm->state->name);
 827 }
 828 
 829 /*
 830  * This is slightly (very) weird because half of this stuff is handled in
 831  * smatch_parse_call_math.c which is poorly named.  But anyway, add some buf
 832  * sizes here.
 833  *
 834  */
 835 static void print_returned_allocations(int return_id, char *return_ranges, struct expression *expr)
 836 {
 837         char buf[16];
 838         int size;
 839 
 840         size = get_array_size_bytes(expr);
 841         if (!size)
 842                 return;
 843 
 844         snprintf(buf, sizeof(buf), "%d", size);
 845         sql_insert_return_states(return_id, return_ranges, BUF_SIZE, -1, "", buf);
 846 }
 847 
 848 static void record_global_size(struct symbol *sym)
 849 {
 850         int bytes;
 851         char buf[16];
 852 
 853         if (!sym->ident)
 854                 return;
 855 
 856         if (!(sym->ctype.modifiers & MOD_TOPLEVEL) ||
 857             sym->ctype.modifiers & MOD_STATIC)
 858                 return;
 859 
 860         bytes = get_array_size_bytes(symbol_expression(sym));
 861         if (bytes <= 1)
 862                 return;
 863 
 864         snprintf(buf, sizeof(buf), "%d", bytes);
 865         sql_insert_data_info_var_sym(sym->ident->name, sym, BUF_SIZE, buf);
 866 }
 867 
 868 void register_buf_size(int id)
 869 {
 870         my_size_id = id;
 871 
 872         set_dynamic_states(my_size_id);
 873 
 874         add_unmatched_state_hook(my_size_id, &unmatched_size_state);
 875 
 876         select_caller_info_hook(set_param_buf_size, BUF_SIZE);
 877         select_return_states_hook(BUF_SIZE, &db_returns_buf_size);
 878         add_split_return_callback(print_returned_allocations);
 879 
 880         allocation_funcs = create_function_hashtable(100);
 881         add_allocation_function("malloc", &match_alloc, 0);
 882         add_allocation_function("calloc", &match_calloc, 0);
 883         add_allocation_function("memdup", &match_alloc, 1);
 884         add_allocation_function("realloc", &match_alloc, 1);
 885         if (option_project == PROJ_KERNEL) {
 886                 add_allocation_function("kmalloc", &match_alloc, 0);
 887                 add_allocation_function("kmalloc_node", &match_alloc, 0);
 888                 add_allocation_function("kzalloc", &match_alloc, 0);
 889                 add_allocation_function("kzalloc_node", &match_alloc, 0);
 890                 add_allocation_function("vmalloc", &match_alloc, 0);
 891                 add_allocation_function("__vmalloc", &match_alloc, 0);
 892                 add_allocation_function("kcalloc", &match_calloc, 0);
 893                 add_allocation_function("kmalloc_array", &match_calloc, 0);
 894                 add_allocation_function("drm_malloc_ab", &match_calloc, 0);
 895                 add_allocation_function("drm_calloc_large", &match_calloc, 0);
 896                 add_allocation_function("sock_kmalloc", &match_alloc, 1);
 897                 add_allocation_function("kmemdup", &match_alloc, 1);
 898                 add_allocation_function("kmemdup_user", &match_alloc, 1);
 899                 add_allocation_function("dma_alloc_attrs", &match_alloc, 1);
 900                 add_allocation_function("pci_alloc_consistent", &match_alloc, 1);
 901                 add_allocation_function("pci_alloc_coherent", &match_alloc, 1);
 902                 add_allocation_function("devm_kmalloc", &match_alloc, 1);
 903                 add_allocation_function("devm_kzalloc", &match_alloc, 1);
 904                 add_allocation_function("krealloc", &match_alloc, 1);
 905                 add_allocation_function("__alloc_bootmem", &match_alloc, 0);
 906                 add_allocation_function("alloc_bootmem", &match_alloc, 0);
 907                 add_allocation_function("kmap", &match_page, 0);
 908                 add_allocation_function("get_zeroed_page", &match_page, 0);
 909                 add_allocation_function("alloc_page", &match_page, 0);
 910                 add_allocation_function("page_address", &match_page, 0);
 911                 add_allocation_function("lowmem_page_address", &match_page, 0);
 912                 add_allocation_function("alloc_pages", &match_alloc_pages, 1);
 913                 add_allocation_function("alloc_pages_current", &match_alloc_pages, 1);
 914                 add_allocation_function("__get_free_pages", &match_alloc_pages, 1);
 915         }
 916 
 917         add_allocation_function("strndup", match_strndup, 0);
 918         if (option_project == PROJ_KERNEL)
 919                 add_allocation_function("kstrndup", match_strndup, 0);
 920 
 921         add_modification_hook(my_size_id, &set_size_undefined);
 922 
 923         add_merge_hook(my_size_id, &merge_size_func);
 924 
 925         if (option_info)
 926                 add_hook(record_global_size, BASE_HOOK);
 927 }
 928 
 929 void register_buf_size_late(int id)
 930 {
 931         /* has to happen after match_alloc() */
 932         add_hook(&match_array_assignment, ASSIGNMENT_HOOK);
 933 
 934         add_hook(&match_call, FUNCTION_CALL_HOOK);
 935         add_member_info_callback(my_size_id, struct_member_callback);
 936 }