Print this page
11506 smatch resync
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/tools/smatch/src/smatch_buf_size.c
+++ new/usr/src/tools/smatch/src/smatch_buf_size.c
1 1 /*
2 2 * Copyright (C) 2010 Dan Carpenter.
3 3 *
4 4 * This program is free software; you can redistribute it and/or
5 5 * modify it under the terms of the GNU General Public License
6 6 * as published by the Free Software Foundation; either version 2
7 7 * of the License, or (at your option) any later version.
8 8 *
9 9 * This program is distributed in the hope that it will be useful,
10 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 * GNU General Public License for more details.
13 13 *
14 14 * You should have received a copy of the GNU General Public License
15 15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 16 */
17 17
18 18 #include <stdlib.h>
19 19 #include <errno.h>
20 20 #include "parse.h"
21 21 #include "smatch.h"
22 22 #include "smatch_slist.h"
23 23 #include "smatch_extra.h"
24 24 #include "smatch_function_hashtable.h"
25 25
26 26 #define UNKNOWN_SIZE (-1)
27 27
28 28 static int my_size_id;
29 29
30 30 static DEFINE_HASHTABLE_INSERT(insert_func, char, int);
31 31 static DEFINE_HASHTABLE_SEARCH(search_func, char, int);
32 32 static struct hashtable *allocation_funcs;
33 33
34 34 static char *get_fn_name(struct expression *expr)
35 35 {
36 36 if (expr->type != EXPR_CALL)
37 37 return NULL;
38 38 if (expr->fn->type != EXPR_SYMBOL)
39 39 return NULL;
40 40 return expr_to_var(expr->fn);
41 41 }
42 42
43 43 static int is_allocation_function(struct expression *expr)
44 44 {
45 45 char *func;
46 46 int ret = 0;
47 47
48 48 func = get_fn_name(expr);
49 49 if (!func)
50 50 return 0;
51 51 if (search_func(allocation_funcs, func))
52 52 ret = 1;
53 53 free_string(func);
54 54 return ret;
55 55 }
56 56
57 57 static void add_allocation_function(const char *func, void *call_back, int param)
58 58 {
59 59 insert_func(allocation_funcs, (char *)func, (int *)1);
60 60 add_function_assign_hook(func, call_back, INT_PTR(param));
61 61 }
62 62
63 63 static int estate_to_size(struct smatch_state *state)
64 64 {
65 65 sval_t sval;
66 66
67 67 if (!state || !estate_rl(state))
68 68 return 0;
69 69 sval = estate_max(state);
70 70 return sval.value;
71 71 }
72 72
73 73 static struct smatch_state *size_to_estate(int size)
74 74 {
75 75 sval_t sval;
76 76
77 77 sval.type = &int_ctype;
78 78 sval.value = size;
79 79
80 80 return alloc_estate_sval(sval);
81 81 }
82 82
83 83 static struct range_list *size_to_rl(int size)
84 84 {
85 85 sval_t sval;
86 86
87 87 sval.type = &int_ctype;
88 88 sval.value = size;
89 89
90 90 return alloc_rl(sval, sval);
91 91 }
92 92
93 93 static struct smatch_state *unmatched_size_state(struct sm_state *sm)
94 94 {
95 95 return size_to_estate(UNKNOWN_SIZE);
96 96 }
97 97
98 98 static void set_size_undefined(struct sm_state *sm, struct expression *mod_expr)
99 99 {
100 100 set_state(sm->owner, sm->name, sm->sym, size_to_estate(UNKNOWN_SIZE));
101 101 }
102 102
103 103 static struct smatch_state *merge_size_func(struct smatch_state *s1, struct smatch_state *s2)
104 104 {
105 105 return merge_estates(s1, s2);
106 106 }
107 107
108 108 void set_param_buf_size(const char *name, struct symbol *sym, char *key, char *value)
109 109 {
110 110 struct range_list *rl = NULL;
111 111 struct smatch_state *state;
112 112 char fullname[256];
113 113
114 114 if (strncmp(key, "$", 1) != 0)
115 115 return;
116 116
117 117 snprintf(fullname, 256, "%s%s", name, key + 1);
118 118
119 119 str_to_rl(&int_ctype, value, &rl);
120 120 if (!rl || is_whole_rl(rl))
121 121 return;
122 122 state = alloc_estate_rl(rl);
123 123 set_state(my_size_id, fullname, sym, state);
124 124 }
125 125
126 126 static int bytes_per_element(struct expression *expr)
127 127 {
128 128 struct symbol *type;
129 129
130 130 if (!expr)
131 131 return 0;
132 132 if (expr->type == EXPR_STRING)
133 133 return 1;
134 134 if (expr->type == EXPR_PREOP && expr->op == '&') {
135 135 type = get_type(expr->unop);
136 136 if (type && type->type == SYM_ARRAY)
137 137 expr = expr->unop;
138 138 }
139 139 type = get_type(expr);
140 140 if (!type)
141 141 return 0;
142 142
143 143 if (type->type != SYM_PTR && type->type != SYM_ARRAY)
144 144 return 0;
145 145
146 146 type = get_base_type(type);
147 147 return type_bytes(type);
148 148 }
149 149
150 150 static int bytes_to_elements(struct expression *expr, int bytes)
151 151 {
152 152 int bpe;
153 153
154 154 bpe = bytes_per_element(expr);
155 155 if (bpe == 0)
156 156 return 0;
157 157 return bytes / bpe;
158 158 }
159 159
160 160 static int elements_to_bytes(struct expression *expr, int elements)
161 161 {
162 162 int bpe;
163 163
164 164 bpe = bytes_per_element(expr);
165 165 return elements * bpe;
166 166 }
167 167
168 168 static int get_initializer_size(struct expression *expr)
169 169 {
170 170 switch (expr->type) {
171 171 case EXPR_STRING:
172 172 return expr->string->length;
173 173 case EXPR_INITIALIZER: {
174 174 struct expression *tmp;
175 175 int i = 0;
176 176
177 177 FOR_EACH_PTR(expr->expr_list, tmp) {
178 178 if (tmp->type == EXPR_INDEX) {
179 179 if (tmp->idx_to >= i)
180 180 i = tmp->idx_to;
181 181 else
182 182 continue;
183 183 }
184 184
185 185 i++;
186 186 } END_FOR_EACH_PTR(tmp);
187 187 return i;
188 188 }
189 189 case EXPR_SYMBOL:
190 190 return get_array_size(expr);
191 191 }
192 192 return 0;
193 193 }
194 194
195 195 static struct range_list *db_size_rl;
196 196 static int db_size_callback(void *unused, int argc, char **argv, char **azColName)
197 197 {
198 198 struct range_list *tmp = NULL;
199 199
200 200 if (!db_size_rl) {
201 201 str_to_rl(&int_ctype, argv[0], &db_size_rl);
202 202 } else {
203 203 str_to_rl(&int_ctype, argv[0], &tmp);
204 204 db_size_rl = rl_union(db_size_rl, tmp);
205 205 }
206 206 return 0;
207 207 }
208 208
209 209 static struct range_list *size_from_db_type(struct expression *expr)
210 210 {
211 211 int this_file_only = 0;
212 212 char *name;
213 213
214 214 name = get_member_name(expr);
215 215 if (!name && is_static(expr)) {
216 216 name = expr_to_var(expr);
217 217 this_file_only = 1;
218 218 }
219 219 if (!name)
220 220 return NULL;
221 221
222 222 if (this_file_only) {
223 223 db_size_rl = NULL;
224 224 run_sql(db_size_callback, NULL,
225 225 "select size from function_type_size where type = '%s' and file = '%s';",
226 226 name, get_filename());
227 227 if (db_size_rl)
228 228 return db_size_rl;
229 229 return NULL;
230 230 }
231 231
232 232 db_size_rl = NULL;
233 233 run_sql(db_size_callback, NULL,
234 234 "select size from type_size where type = '%s';",
235 235 name);
236 236 return db_size_rl;
237 237 }
238 238
239 239 static struct range_list *size_from_db_symbol(struct expression *expr)
240 240 {
241 241 struct symbol *sym;
242 242
243 243 if (expr->type != EXPR_SYMBOL)
244 244 return NULL;
245 245 sym = expr->symbol;
246 246 if (!sym || !sym->ident ||
247 247 !(sym->ctype.modifiers & MOD_TOPLEVEL) ||
248 248 sym->ctype.modifiers & MOD_STATIC)
249 249 return NULL;
250 250
251 251 db_size_rl = NULL;
252 252 run_sql(db_size_callback, NULL,
253 253 "select value from data_info where file = 'extern' and data = '%s' and type = %d;",
254 254 sym->ident->name, BUF_SIZE);
255 255 return db_size_rl;
256 256 }
257 257
258 258 static struct range_list *size_from_db(struct expression *expr)
259 259 {
260 260 struct range_list *rl;
261 261
262 262 rl = size_from_db_symbol(expr);
263 263 if (rl)
264 264 return rl;
265 265 return size_from_db_type(expr);
266 266 }
267 267
268 268 static void db_returns_buf_size(struct expression *expr, int param, char *unused, char *math)
269 269 {
270 270 struct expression *call;
271 271 struct range_list *rl;
272 272
273 273 if (expr->type != EXPR_ASSIGNMENT)
274 274 return;
275 275 call = strip_expr(expr->right);
276 276
277 277 if (!parse_call_math_rl(call, math, &rl))
278 278 return;
279 279 rl = cast_rl(&int_ctype, rl);
280 280 set_state_expr(my_size_id, expr->left, alloc_estate_rl(rl));
281 281 }
282 282
283 283 static int get_real_array_size_from_type(struct symbol *type)
284 284 {
285 285 sval_t sval;
286 286
287 287 if (!type)
288 288 return 0;
289 289 if (!type || type->type != SYM_ARRAY)
290 290 return 0;
291 291
292 292 if (!get_implied_value(type->array_size, &sval))
293 293 return 0;
294 294
295 295 return sval.value;
296 296 }
297 297
298 298 int get_real_array_size(struct expression *expr)
299 299 {
300 300 if (!expr)
301 301 return 0;
302 302 if (expr->type == EXPR_PREOP && expr->op == '&')
303 303 expr = expr->unop;
304 304 if (expr->type == EXPR_BINOP) /* array elements foo[5] */
305 305 return 0;
306 306 return get_real_array_size_from_type(get_type(expr));
307 307 }
308 308
309 309 static int get_size_from_initializer(struct expression *expr)
310 310 {
311 311 if (expr->type != EXPR_SYMBOL || !expr->symbol || !expr->symbol->initializer)
312 312 return 0;
313 313 if (expr->symbol->initializer == expr) /* int a = a; */
314 314 return 0;
315 315 return get_initializer_size(expr->symbol->initializer);
316 316 }
317 317
318 318 static struct range_list *get_stored_size_bytes(struct expression *expr)
319 319 {
320 320 struct smatch_state *state;
321 321
322 322 state = get_state_expr(my_size_id, expr);
|
↓ open down ↓ |
322 lines elided |
↑ open up ↑ |
323 323 if (!state)
324 324 return NULL;
325 325 return estate_rl(state);
326 326 }
327 327
328 328 static int get_bytes_from_address(struct expression *expr)
329 329 {
330 330 struct symbol *type;
331 331 int ret;
332 332
333 - if (!option_spammy)
334 - return 0;
335 333 if (expr->type != EXPR_PREOP || expr->op != '&')
336 334 return 0;
337 335 type = get_type(expr);
338 336 if (!type)
339 337 return 0;
340 338
341 339 if (type->type == SYM_PTR)
342 340 type = get_base_type(type);
343 341
344 342 ret = type_bytes(type);
345 343 if (ret == 1)
346 344 return 0; /* ignore char pointers */
347 345
348 346 return ret;
349 347 }
350 348
351 349 static struct expression *remove_addr_fluff(struct expression *expr)
352 350 {
353 351 struct expression *tmp;
354 352 sval_t sval;
355 353
356 354 expr = strip_expr(expr);
357 355
358 356 /* remove '&' and '*' operations that cancel */
359 357 while (expr && expr->type == EXPR_PREOP && expr->op == '&') {
360 358 tmp = strip_expr(expr->unop);
361 359 if (tmp->type != EXPR_PREOP)
362 360 break;
363 361 if (tmp->op != '*')
364 362 break;
365 363 expr = strip_expr(tmp->unop);
366 364 }
367 365
368 366 if (!expr)
369 367 return NULL;
370 368
371 369 /* "foo + 0" is just "foo" */
372 370 if (expr->type == EXPR_BINOP && expr->op == '+' &&
373 371 get_value(expr->right, &sval) && sval.value == 0)
374 372 return expr->left;
375 373
376 374 return expr;
377 375 }
378 376
379 377 static int is_last_member_of_struct(struct symbol *sym, struct ident *member)
380 378 {
381 379 struct symbol *tmp;
382 380 int i;
383 381
384 382 i = 0;
385 383 FOR_EACH_PTR_REVERSE(sym->symbol_list, tmp) {
386 384 if (i++ || !tmp->ident)
387 385 return 0;
388 386 if (tmp->ident == member)
389 387 return 1;
390 388 return 0;
391 389 } END_FOR_EACH_PTR_REVERSE(tmp);
392 390
393 391 return 0;
394 392 }
395 393
396 394 int last_member_is_resizable(struct symbol *sym)
397 395 {
398 396 struct symbol *last_member;
399 397 struct symbol *type;
400 398 sval_t sval;
401 399
402 400 if (!sym || sym->type != SYM_STRUCT)
403 401 return 0;
404 402
405 403 last_member = last_ptr_list((struct ptr_list *)sym->symbol_list);
406 404 if (!last_member || !last_member->ident)
407 405 return 0;
408 406
409 407 type = get_real_base_type(last_member);
410 408 if (type->type == SYM_STRUCT)
411 409 return last_member_is_resizable(type);
412 410 if (type->type != SYM_ARRAY)
413 411 return 0;
414 412
415 413 if (!get_implied_value(type->array_size, &sval))
416 414 return 0;
417 415
418 416 if (sval.value != 0 && sval.value != 1)
419 417 return 0;
420 418
421 419 return 1;
422 420 }
423 421
424 422 static int get_stored_size_end_struct_bytes(struct expression *expr)
425 423 {
426 424 struct symbol *sym;
427 425 struct symbol *base_sym;
428 426 struct smatch_state *state;
429 427
430 428 if (expr->type == EXPR_BINOP) /* array elements foo[5] */
431 429 return 0;
432 430
433 431 if (expr->type == EXPR_PREOP && expr->op == '&')
434 432 expr = strip_parens(expr->unop);
435 433
436 434 sym = expr_to_sym(expr);
437 435 if (!sym || !sym->ident)
438 436 return 0;
439 437 if (!type_bytes(sym))
440 438 return 0;
441 439 if (sym->type != SYM_NODE)
442 440 return 0;
443 441
444 442 base_sym = get_real_base_type(sym);
445 443 if (!base_sym || base_sym->type != SYM_PTR)
446 444 return 0;
447 445 base_sym = get_real_base_type(base_sym);
448 446 if (!base_sym || base_sym->type != SYM_STRUCT)
449 447 return 0;
450 448
451 449 if (!is_last_member_of_struct(base_sym, expr->member))
452 450 return 0;
453 451 if (!last_member_is_resizable(base_sym))
454 452 return 0;
455 453
456 454 state = get_state(my_size_id, sym->ident->name, sym);
457 455 if (!estate_to_size(state))
458 456 return 0;
459 457
460 458 return estate_to_size(state) - type_bytes(base_sym) + type_bytes(get_type(expr));
461 459 }
462 460
463 461 static struct range_list *alloc_int_rl(int value)
464 462 {
465 463 sval_t sval = {
466 464 .type = &int_ctype,
467 465 {.value = value},
468 466 };
469 467
470 468 return alloc_rl(sval, sval);
471 469 }
472 470
473 471 struct range_list *get_array_size_bytes_rl(struct expression *expr)
474 472 {
475 473 struct range_list *ret = NULL;
476 474 int size;
477 475
478 476 expr = remove_addr_fluff(expr);
479 477 if (!expr)
480 478 return NULL;
481 479
482 480 /* "BAR" */
483 481 if (expr->type == EXPR_STRING)
484 482 return alloc_int_rl(expr->string->length);
485 483
486 484 if (expr->type == EXPR_BINOP && expr->op == '+') {
487 485 sval_t offset;
488 486 struct symbol *type;
489 487 int bytes;
490 488
491 489 if (!get_implied_value(expr->right, &offset))
492 490 return NULL;
493 491 type = get_type(expr->left);
494 492 if (!type)
495 493 return NULL;
496 494 if (type->type != SYM_ARRAY && type->type != SYM_PTR)
497 495 return NULL;
498 496 type = get_real_base_type(type);
|
↓ open down ↓ |
154 lines elided |
↑ open up ↑ |
499 497 bytes = type_bytes(type);
500 498 if (bytes == 0)
501 499 return NULL;
502 500 offset.value *= bytes;
503 501 size = get_array_size_bytes(expr->left);
504 502 if (size <= 0)
505 503 return NULL;
506 504 return alloc_int_rl(size - offset.value);
507 505 }
508 506
507 + size = get_stored_size_end_struct_bytes(expr);
508 + if (size)
509 + return alloc_int_rl(size);
510 +
509 511 /* buf[4] */
510 512 size = get_real_array_size(expr);
511 513 if (size)
512 514 return alloc_int_rl(elements_to_bytes(expr, size));
513 515
514 516 /* buf = malloc(1024); */
515 517 ret = get_stored_size_bytes(expr);
516 518 if (ret)
517 519 return ret;
518 520
519 - size = get_stored_size_end_struct_bytes(expr);
520 - if (size)
521 - return alloc_int_rl(size);
522 -
523 521 /* char *foo = "BAR" */
524 522 size = get_size_from_initializer(expr);
525 523 if (size)
526 524 return alloc_int_rl(elements_to_bytes(expr, size));
527 525
528 526 size = get_bytes_from_address(expr);
529 527 if (size)
530 528 return alloc_int_rl(size);
531 529
532 530 ret = size_from_db(expr);
533 531 if (ret)
534 532 return ret;
535 533
536 534 return NULL;
537 535 }
538 536
539 537 int get_array_size_bytes(struct expression *expr)
540 538 {
541 539 struct range_list *rl;
542 540 sval_t sval;
543 541
544 542 rl = get_array_size_bytes_rl(expr);
545 543 if (!rl_to_sval(rl, &sval))
546 544 return 0;
547 545 if (sval.uvalue >= INT_MAX)
548 546 return 0;
549 547 return sval.value;
550 548 }
551 549
552 550 int get_array_size_bytes_max(struct expression *expr)
553 551 {
554 552 struct range_list *rl;
555 553 sval_t bytes;
556 554
557 555 rl = get_array_size_bytes_rl(expr);
558 556 if (!rl)
559 557 return 0;
560 558 bytes = rl_min(rl);
561 559 if (bytes.value < 0)
562 560 return 0;
563 561 bytes = rl_max(rl);
564 562 if (bytes.uvalue >= INT_MAX)
565 563 return 0;
566 564 return bytes.value;
567 565 }
568 566
569 567 int get_array_size_bytes_min(struct expression *expr)
570 568 {
571 569 struct range_list *rl;
572 570 struct data_range *range;
573 571
574 572 rl = get_array_size_bytes_rl(expr);
575 573 if (!rl)
576 574 return 0;
577 575
578 576 FOR_EACH_PTR(rl, range) {
579 577 if (range->min.value <= 0)
580 578 return 0;
581 579 if (range->max.value <= 0)
582 580 return 0;
583 581 if (range->min.uvalue >= INT_MAX)
584 582 return 0;
585 583 return range->min.value;
586 584 } END_FOR_EACH_PTR(range);
587 585
588 586 return 0;
589 587 }
590 588
591 589 int get_array_size(struct expression *expr)
592 590 {
593 591 if (!expr)
594 592 return 0;
595 593 return bytes_to_elements(expr, get_array_size_bytes_max(expr));
596 594 }
597 595
598 596 static struct expression *strip_ampersands(struct expression *expr)
599 597 {
600 598 struct symbol *type;
601 599
602 600 if (expr->type != EXPR_PREOP)
603 601 return expr;
604 602 if (expr->op != '&')
605 603 return expr;
606 604 type = get_type(expr->unop);
607 605 if (!type || type->type != SYM_ARRAY)
608 606 return expr;
609 607 return expr->unop;
610 608 }
611 609
612 610 static void info_record_alloction(struct expression *buffer, struct range_list *rl)
613 611 {
614 612 char *name;
615 613
616 614 if (!option_info)
617 615 return;
618 616
619 617 name = get_member_name(buffer);
620 618 if (!name && is_static(buffer))
621 619 name = expr_to_var(buffer);
622 620 if (!name)
623 621 return;
624 622 if (rl && !is_whole_rl(rl))
625 623 sql_insert_function_type_size(name, show_rl(rl));
626 624 else
627 625 sql_insert_function_type_size(name, "(-1)");
628 626
629 627 free_string(name);
630 628 }
631 629
632 630 static void store_alloc(struct expression *expr, struct range_list *rl)
633 631 {
634 632 struct symbol *type;
635 633
636 634 rl = clone_rl(rl); // FIXME!!!
637 635 set_state_expr(my_size_id, expr, alloc_estate_rl(rl));
638 636
639 637 type = get_type(expr);
640 638 if (!type)
641 639 return;
642 640 if (type->type != SYM_PTR)
643 641 return;
644 642 type = get_real_base_type(type);
645 643 if (!type)
646 644 return;
647 645 if (type == &void_ctype)
648 646 return;
649 647 if (type->type != SYM_BASETYPE && type->type != SYM_PTR)
650 648 return;
651 649
652 650 info_record_alloction(expr, rl);
653 651 }
654 652
655 653 static void match_array_assignment(struct expression *expr)
656 654 {
657 655 struct expression *left;
658 656 struct expression *right;
659 657 char *left_member, *right_member;
660 658 struct range_list *rl;
661 659 sval_t sval;
662 660
663 661 if (expr->op != '=')
664 662 return;
665 663 left = strip_expr(expr->left);
666 664 right = strip_expr(expr->right);
667 665 right = strip_ampersands(right);
668 666
669 667 if (!is_pointer(left))
670 668 return;
671 669 if (is_allocation_function(right))
672 670 return;
673 671
674 672 left_member = get_member_name(left);
675 673 right_member = get_member_name(right);
676 674 if (left_member && right_member && strcmp(left_member, right_member) == 0) {
677 675 free_string(left_member);
678 676 free_string(right_member);
679 677 return;
680 678 }
681 679 free_string(left_member);
682 680 free_string(right_member);
683 681
684 682 if (get_implied_value(right, &sval) && sval.value == 0) {
685 683 rl = alloc_int_rl(0);
686 684 goto store;
687 685 }
688 686
689 687 rl = get_array_size_bytes_rl(right);
690 688 if (!rl && __in_fake_assign)
691 689 return;
692 690
693 691 store:
694 692 store_alloc(left, rl);
695 693 }
696 694
697 695 static void match_alloc(const char *fn, struct expression *expr, void *_size_arg)
698 696 {
699 697 int size_arg = PTR_INT(_size_arg);
700 698 struct expression *right;
701 699 struct expression *arg;
702 700 struct range_list *rl;
703 701
|
↓ open down ↓ |
171 lines elided |
↑ open up ↑ |
704 702 right = strip_expr(expr->right);
705 703 arg = get_argument_from_call_expr(right->args, size_arg);
706 704 get_absolute_rl(arg, &rl);
707 705 rl = cast_rl(&int_ctype, rl);
708 706 store_alloc(expr->left, rl);
709 707 }
710 708
711 709 static void match_calloc(const char *fn, struct expression *expr, void *unused)
712 710 {
713 711 struct expression *right;
714 - struct expression *arg;
715 - sval_t elements;
716 - sval_t size;
712 + struct expression *size, *nr, *mult;
713 + struct range_list *rl;
717 714
718 715 right = strip_expr(expr->right);
719 - arg = get_argument_from_call_expr(right->args, 0);
720 - if (!get_implied_value(arg, &elements))
721 - return; // FIXME!!!
722 - arg = get_argument_from_call_expr(right->args, 1);
723 - if (get_implied_value(arg, &size))
724 - store_alloc(expr->left, size_to_rl(elements.value * size.value));
716 + nr = get_argument_from_call_expr(right->args, 0);
717 + size = get_argument_from_call_expr(right->args, 1);
718 + mult = binop_expression(nr, '*', size);
719 + if (get_implied_rl(mult, &rl))
720 + store_alloc(expr->left, rl);
725 721 else
726 722 store_alloc(expr->left, size_to_rl(-1));
727 723 }
728 724
729 725 static void match_page(const char *fn, struct expression *expr, void *_unused)
730 726 {
731 727 sval_t page_size = {
732 728 .type = &int_ctype,
733 729 {.value = 4096},
734 730 };
735 731
736 732 store_alloc(expr->left, alloc_rl(page_size, page_size));
737 733 }
738 734
739 735 static void match_strndup(const char *fn, struct expression *expr, void *unused)
740 736 {
741 737 struct expression *fn_expr;
742 738 struct expression *size_expr;
743 739 sval_t size;
744 740
745 741 fn_expr = strip_expr(expr->right);
746 742 size_expr = get_argument_from_call_expr(fn_expr->args, 1);
747 743 if (get_implied_max(size_expr, &size)) {
748 744 size.value++;
749 745 store_alloc(expr->left, size_to_rl(size.value));
750 746 } else {
751 747 store_alloc(expr->left, size_to_rl(-1));
752 748 }
753 749
754 750 }
755 751
756 752 static void match_alloc_pages(const char *fn, struct expression *expr, void *_order_arg)
757 753 {
758 754 int order_arg = PTR_INT(_order_arg);
759 755 struct expression *right;
760 756 struct expression *arg;
761 757 sval_t sval;
762 758
763 759 right = strip_expr(expr->right);
764 760 arg = get_argument_from_call_expr(right->args, order_arg);
765 761 if (!get_implied_value(arg, &sval))
766 762 return;
767 763 if (sval.value < 0 || sval.value > 10)
768 764 return;
769 765
770 766 sval.type = &int_ctype;
771 767 sval.value = 1 << sval.value;
772 768 sval.value *= 4096;
773 769
774 770 store_alloc(expr->left, alloc_rl(sval, sval));
775 771 }
776 772
777 773 static int is_type_bytes(struct range_list *rl, struct expression *arg)
778 774 {
779 775 struct symbol *type;
780 776 sval_t sval;
781 777
782 778 if (!rl_to_sval(rl, &sval))
783 779 return 0;
784 780
785 781 type = get_type(arg);
786 782 if (!type)
787 783 return 0;
788 784 if (type->type != SYM_PTR)
789 785 return 0;
790 786 type = get_real_base_type(type);
791 787 if (type->type != SYM_STRUCT &&
792 788 type->type != SYM_UNION)
793 789 return 0;
794 790 if (sval.value != type_bytes(type))
795 791 return 0;
796 792 return 1;
797 793 }
798 794
799 795 static void match_call(struct expression *expr)
800 796 {
801 797 struct expression *arg;
802 798 struct symbol *type;
803 799 struct range_list *rl;
804 800 int i;
805 801
806 802 i = -1;
807 803 FOR_EACH_PTR(expr->args, arg) {
808 804 i++;
809 805 type = get_type(arg);
810 806 if (!type || (type->type != SYM_PTR && type->type != SYM_ARRAY))
811 807 continue;
812 808 rl = get_array_size_bytes_rl(arg);
813 809 if (!rl)
814 810 continue;
815 811 if (is_whole_rl(rl))
816 812 continue;
817 813 if (is_type_bytes(rl, arg))
818 814 continue;
819 815 sql_insert_caller_info(expr, BUF_SIZE, i, "$", show_rl(rl));
820 816 } END_FOR_EACH_PTR(arg);
821 817 }
822 818
823 819 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
824 820 {
825 821 if (sm->state == &merged ||
826 822 strcmp(sm->state->name, "(-1)") == 0 ||
827 823 strcmp(sm->state->name, "empty") == 0 ||
828 824 strcmp(sm->state->name, "0") == 0)
829 825 return;
830 826 sql_insert_caller_info(call, BUF_SIZE, param, printed_name, sm->state->name);
831 827 }
832 828
833 829 /*
834 830 * This is slightly (very) weird because half of this stuff is handled in
835 831 * smatch_parse_call_math.c which is poorly named. But anyway, add some buf
836 832 * sizes here.
837 833 *
838 834 */
839 835 static void print_returned_allocations(int return_id, char *return_ranges, struct expression *expr)
840 836 {
841 837 char buf[16];
842 838 int size;
843 839
844 840 size = get_array_size_bytes(expr);
845 841 if (!size)
846 842 return;
847 843
848 844 snprintf(buf, sizeof(buf), "%d", size);
849 845 sql_insert_return_states(return_id, return_ranges, BUF_SIZE, -1, "", buf);
850 846 }
851 847
852 848 static void record_global_size(struct symbol *sym)
853 849 {
854 850 int bytes;
855 851 char buf[16];
856 852
857 853 if (!sym->ident)
858 854 return;
859 855
860 856 if (!(sym->ctype.modifiers & MOD_TOPLEVEL) ||
861 857 sym->ctype.modifiers & MOD_STATIC)
862 858 return;
863 859
864 860 bytes = get_array_size_bytes(symbol_expression(sym));
865 861 if (bytes <= 1)
|
↓ open down ↓ |
131 lines elided |
↑ open up ↑ |
866 862 return;
867 863
868 864 snprintf(buf, sizeof(buf), "%d", bytes);
869 865 sql_insert_data_info_var_sym(sym->ident->name, sym, BUF_SIZE, buf);
870 866 }
871 867
872 868 void register_buf_size(int id)
873 869 {
874 870 my_size_id = id;
875 871
872 + set_dynamic_states(my_size_id);
873 +
876 874 add_unmatched_state_hook(my_size_id, &unmatched_size_state);
877 875
878 876 select_caller_info_hook(set_param_buf_size, BUF_SIZE);
879 877 select_return_states_hook(BUF_SIZE, &db_returns_buf_size);
880 878 add_split_return_callback(print_returned_allocations);
881 879
882 880 allocation_funcs = create_function_hashtable(100);
883 881 add_allocation_function("malloc", &match_alloc, 0);
884 882 add_allocation_function("calloc", &match_calloc, 0);
885 883 add_allocation_function("memdup", &match_alloc, 1);
886 884 add_allocation_function("realloc", &match_alloc, 1);
887 885 if (option_project == PROJ_KERNEL) {
888 886 add_allocation_function("kmalloc", &match_alloc, 0);
889 887 add_allocation_function("kmalloc_node", &match_alloc, 0);
890 888 add_allocation_function("kzalloc", &match_alloc, 0);
891 889 add_allocation_function("kzalloc_node", &match_alloc, 0);
892 890 add_allocation_function("vmalloc", &match_alloc, 0);
893 891 add_allocation_function("__vmalloc", &match_alloc, 0);
894 892 add_allocation_function("kcalloc", &match_calloc, 0);
895 893 add_allocation_function("kmalloc_array", &match_calloc, 0);
896 894 add_allocation_function("drm_malloc_ab", &match_calloc, 0);
897 895 add_allocation_function("drm_calloc_large", &match_calloc, 0);
898 896 add_allocation_function("sock_kmalloc", &match_alloc, 1);
899 897 add_allocation_function("kmemdup", &match_alloc, 1);
900 898 add_allocation_function("kmemdup_user", &match_alloc, 1);
|
↓ open down ↓ |
15 lines elided |
↑ open up ↑ |
901 899 add_allocation_function("dma_alloc_attrs", &match_alloc, 1);
902 900 add_allocation_function("pci_alloc_consistent", &match_alloc, 1);
903 901 add_allocation_function("pci_alloc_coherent", &match_alloc, 1);
904 902 add_allocation_function("devm_kmalloc", &match_alloc, 1);
905 903 add_allocation_function("devm_kzalloc", &match_alloc, 1);
906 904 add_allocation_function("krealloc", &match_alloc, 1);
907 905 add_allocation_function("__alloc_bootmem", &match_alloc, 0);
908 906 add_allocation_function("alloc_bootmem", &match_alloc, 0);
909 907 add_allocation_function("kmap", &match_page, 0);
910 908 add_allocation_function("get_zeroed_page", &match_page, 0);
909 + add_allocation_function("alloc_page", &match_page, 0);
910 + add_allocation_function("page_address", &match_page, 0);
911 + add_allocation_function("lowmem_page_address", &match_page, 0);
911 912 add_allocation_function("alloc_pages", &match_alloc_pages, 1);
912 913 add_allocation_function("alloc_pages_current", &match_alloc_pages, 1);
913 914 add_allocation_function("__get_free_pages", &match_alloc_pages, 1);
914 915 }
915 916
916 917 add_allocation_function("strndup", match_strndup, 0);
917 918 if (option_project == PROJ_KERNEL)
918 919 add_allocation_function("kstrndup", match_strndup, 0);
919 920
920 921 add_modification_hook(my_size_id, &set_size_undefined);
921 922
922 923 add_merge_hook(my_size_id, &merge_size_func);
923 924
924 925 if (option_info)
925 926 add_hook(record_global_size, BASE_HOOK);
926 927 }
927 928
928 929 void register_buf_size_late(int id)
929 930 {
930 931 /* has to happen after match_alloc() */
931 932 add_hook(&match_array_assignment, ASSIGNMENT_HOOK);
932 933
933 934 add_hook(&match_call, FUNCTION_CALL_HOOK);
934 935 add_member_info_callback(my_size_id, struct_member_callback);
935 936 }
|
↓ open down ↓ |
15 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX