25 */
26
27 #include "smatch.h"
28 #include "smatch_slist.h"
29 #include "smatch_extra.h"
30
31 static int my_id;
32
33 STATE(capped);
34 STATE(uncapped);
35
36 static void set_uncapped(struct sm_state *sm, struct expression *mod_expr)
37 {
38 set_state(my_id, sm->name, sm->sym, &uncapped);
39 }
40
41 static struct smatch_state *unmatched_state(struct sm_state *sm)
42 {
43 struct smatch_state *state;
44
45 state = get_state(SMATCH_EXTRA, sm->name, sm->sym);
46 if (state && !estate_is_whole(state))
47 return &capped;
48 return &uncapped;
49 }
50
51 static int is_capped_macro(struct expression *expr)
52 {
53 char *name;
54
55 name = get_macro_name(expr->pos);
56 if (!name)
57 return 0;
58
59 if (strcmp(name, "min") == 0)
60 return 1;
61 if (strcmp(name, "MIN") == 0)
62 return 1;
63 if (strcmp(name, "min_t") == 0)
64 return 1;
65
66 return 0;
67 }
68
69 int is_capped(struct expression *expr)
70 {
71 sval_t dummy;
72
73 expr = strip_expr(expr);
74 while (expr && expr->type == EXPR_POSTOP) {
75 expr = strip_expr(expr->unop);
76 }
77 if (!expr)
78 return 0;
79
80 if (get_hard_max(expr, &dummy))
81 return 1;
82
83 if (is_capped_macro(expr))
84 return 1;
85
86 if (expr->type == EXPR_BINOP) {
87 struct range_list *left_rl, *right_rl;
88
89 if (expr->op == '&')
90 return 1;
91 if (expr->op == SPECIAL_RIGHTSHIFT)
92 return 1;
93 if (expr->op == '%')
94 return is_capped(expr->right);
95 if (!is_capped(expr->left))
96 return 0;
97 if (expr->op == '/')
98 return 1;
99 if (!is_capped(expr->right))
100 return 0;
101 if (expr->op == '*') {
102 get_absolute_rl(expr->left, &left_rl);
103 get_absolute_rl(expr->right, &right_rl);
104 if (sval_is_negative(rl_min(left_rl)) ||
105 sval_is_negative(rl_min(right_rl)))
106 return 0;
107 }
108 return 1;
109 }
110 if (get_state_expr(my_id, expr) == &capped)
111 return 1;
112 return 0;
113 }
114
115 int is_capped_var_sym(const char *name, struct symbol *sym)
116 {
117 if (get_state(my_id, name, sym) == &capped)
118 return 1;
119 return 0;
120 }
121
122 void set_param_capped_data(const char *name, struct symbol *sym, char *key, char *value)
123 {
124 char fullname[256];
125
126 if (strncmp(key, "$", 1))
127 return;
128 snprintf(fullname, 256, "%s%s", name, key + 1);
129 set_state(my_id, fullname, sym, &capped);
130 }
131
132 static void match_condition(struct expression *expr)
133 {
134 struct smatch_state *left_true = NULL;
135 struct smatch_state *left_false = NULL;
136 struct smatch_state *right_true = NULL;
137 struct smatch_state *right_false = NULL;
138
139
140 if (expr->type != EXPR_COMPARE)
141 return;
142
143 switch (expr->op) {
144 case '<':
145 case SPECIAL_LTE:
146 case SPECIAL_UNSIGNED_LT:
147 case SPECIAL_UNSIGNED_LTE:
148 left_true = &capped;
149 right_false = &capped;
150 break;
151 case '>':
152 case SPECIAL_GTE:
153 case SPECIAL_UNSIGNED_GT:
154 case SPECIAL_UNSIGNED_GTE:
155 left_false = &capped;
156 right_true = &capped;
157 break;
158 case SPECIAL_EQUAL:
159 left_true = &capped;
160 right_true = &capped;
161 break;
162 case SPECIAL_NOTEQUAL:
163 left_false = &capped;
164 right_false = &capped;
165 break;
166
167 default:
168 return;
169 }
170
171 set_true_false_states_expr(my_id, expr->left, left_true, left_false);
172 set_true_false_states_expr(my_id, expr->right, right_true, right_false);
173 }
174
175 static void match_assign(struct expression *expr)
176 {
177 if (is_capped(expr->right)) {
178 set_state_expr(my_id, expr->left, &capped);
179 } else {
180 if (get_state_expr(my_id, expr->left))
181 set_state_expr(my_id, expr->left, &uncapped);
182 }
183 }
184
185 static void match_caller_info(struct expression *expr)
186 {
187 struct expression *tmp;
188 sval_t sval;
189 int i;
190
191 i = -1;
192 FOR_EACH_PTR(expr->args, tmp) {
193 i++;
194 if (get_implied_value(tmp, &sval))
195 continue;
196 if (!is_capped(tmp))
197 continue;
198 sql_insert_caller_info(expr, CAPPED_DATA, i, "$", "1");
199 } END_FOR_EACH_PTR(tmp);
200 }
201
202 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
203 {
204 struct smatch_state *estate;
205 sval_t sval;
206
207 if (sm->state != &capped)
208 return;
209 estate = get_state(SMATCH_EXTRA, sm->name, sm->sym);
210 if (estate_get_single_value(estate, &sval))
211 return;
212 sql_insert_caller_info(call, CAPPED_DATA, param, printed_name, "1");
213 }
214
215 static void print_return_implies_capped(int return_id, char *return_ranges, struct expression *expr)
216 {
217 struct smatch_state *orig, *estate;
218 struct sm_state *sm;
219 struct symbol *ret_sym;
220 const char *param_name;
221 char *return_str;
222 int param;
223 sval_t sval;
224 bool return_found = false;
225
226 expr = strip_expr(expr);
227 return_str = expr_to_str(expr);
228 ret_sym = expr_to_sym(expr);
229
230 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
231 if (sm->state != &capped)
232 continue;
233
234 param = get_param_num_from_sym(sm->sym);
235 if (param < 0)
236 continue;
237
238 estate = get_state(SMATCH_EXTRA, sm->name, sm->sym);
239 if (estate_get_single_value(estate, &sval))
240 continue;
241
242 orig = get_state_stree(get_start_states(), my_id, sm->name, sm->sym);
243 if (orig == &capped)
244 continue;
245
246 param_name = get_param_name(sm);
247 if (!param_name)
248 continue;
249
250 sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
251 param, param_name, "1");
252 } END_FOR_EACH_SM(sm);
253
254 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
255 if (!ret_sym)
256 break;
257 if (ret_sym != sm->sym)
258 continue;
259
260 param_name = state_name_to_param_name(sm->name, return_str);
261 if (!param_name)
262 continue;
263 if (strcmp(param_name, "$") == 0)
264 return_found = true;
265 sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
266 -1, param_name, "1");
267 } END_FOR_EACH_SM(sm);
268
269 if (return_found)
270 goto free_string;
271
272 if (option_project == PROJ_KERNEL && get_function() &&
273 strstr(get_function(), "nla_get_"))
274 sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
275 -1, "$", "1");
276
277 free_string:
278 free_string(return_str);
279 }
|
25 */
26
27 #include "smatch.h"
28 #include "smatch_slist.h"
29 #include "smatch_extra.h"
30
31 static int my_id;
32
33 STATE(capped);
34 STATE(uncapped);
35
36 static void set_uncapped(struct sm_state *sm, struct expression *mod_expr)
37 {
38 set_state(my_id, sm->name, sm->sym, &uncapped);
39 }
40
41 static struct smatch_state *unmatched_state(struct sm_state *sm)
42 {
43 struct smatch_state *state;
44
45 state = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
46 if (state && !estate_is_whole(state))
47 return &capped;
48 return &uncapped;
49 }
50
51 static int is_capped_macro(struct expression *expr)
52 {
53 char *name;
54
55 name = get_macro_name(expr->pos);
56 if (!name)
57 return 0;
58
59 if (strcmp(name, "min") == 0)
60 return 1;
61 if (strcmp(name, "MIN") == 0)
62 return 1;
63 if (strcmp(name, "min_t") == 0)
64 return 1;
65
66 return 0;
67 }
68
69 int is_capped(struct expression *expr)
70 {
71 struct symbol *type;
72 sval_t dummy;
73
74 expr = strip_expr(expr);
75 while (expr && expr->type == EXPR_POSTOP) {
76 expr = strip_expr(expr->unop);
77 }
78 if (!expr)
79 return 0;
80
81 type = get_type(expr);
82 if (is_ptr_type(type))
83 return 0;
84 if (type == &bool_ctype)
85 return 0;
86 if (type_bits(type) >= 0 && type_bits(type) <= 2)
87 return 0;
88
89 if (get_hard_max(expr, &dummy))
90 return 1;
91
92 if (is_capped_macro(expr))
93 return 1;
94
95 if (expr->type == EXPR_BINOP) {
96 struct range_list *left_rl, *right_rl;
97
98 if (expr->op == '&')
99 return 1;
100 if (expr->op == SPECIAL_RIGHTSHIFT)
101 return 1;
102 if (expr->op == '%' && is_capped(expr->right))
103 return 1;
104 if (!is_capped(expr->left))
105 return 0;
106 if (expr->op == '/')
107 return 1;
108 if (!is_capped(expr->right))
109 return 0;
110 if (expr->op == '*') {
111 get_absolute_rl(expr->left, &left_rl);
112 get_absolute_rl(expr->right, &right_rl);
113 if (sval_is_negative(rl_min(left_rl)) ||
114 sval_is_negative(rl_min(right_rl)))
115 return 0;
116 }
117 return 1;
118 }
119 if (get_state_expr(my_id, expr) == &capped)
120 return 1;
121 return 0;
122 }
123
124 int is_capped_var_sym(const char *name, struct symbol *sym)
125 {
126 if (get_state(my_id, name, sym) == &capped)
127 return 1;
128 return 0;
129 }
130
131 void set_param_capped_data(const char *name, struct symbol *sym, char *key, char *value)
132 {
133 char fullname[256];
134
135 if (strncmp(key, "$", 1))
136 return;
137 snprintf(fullname, 256, "%s%s", name, key + 1);
138 set_state(my_id, fullname, sym, &capped);
139 }
140
141 static void match_condition(struct expression *expr)
142 {
143 struct expression *left, *right;
144 struct smatch_state *left_true = NULL;
145 struct smatch_state *left_false = NULL;
146 struct smatch_state *right_true = NULL;
147 struct smatch_state *right_false = NULL;
148 sval_t sval;
149
150
151 if (expr->type != EXPR_COMPARE)
152 return;
153
154 left = strip_expr(expr->left);
155 right = strip_expr(expr->right);
156
157 while (left->type == EXPR_ASSIGNMENT)
158 left = strip_expr(left->left);
159
160 /* If we're dealing with known expressions, that's for smatch_extra.c */
161 if (get_implied_value(left, &sval) ||
162 get_implied_value(right, &sval))
163 return;
164
165 switch (expr->op) {
166 case '<':
167 case SPECIAL_LTE:
168 case SPECIAL_UNSIGNED_LT:
169 case SPECIAL_UNSIGNED_LTE:
170 left_true = &capped;
171 right_false = &capped;
172 break;
173 case '>':
174 case SPECIAL_GTE:
175 case SPECIAL_UNSIGNED_GT:
176 case SPECIAL_UNSIGNED_GTE:
177 left_false = &capped;
178 right_true = &capped;
179 break;
180 case SPECIAL_EQUAL:
181 left_true = &capped;
182 right_true = &capped;
183 break;
184 case SPECIAL_NOTEQUAL:
185 left_false = &capped;
186 right_false = &capped;
187 break;
188
189 default:
190 return;
191 }
192
193 set_true_false_states_expr(my_id, left, left_true, left_false);
194 set_true_false_states_expr(my_id, right, right_true, right_false);
195 }
196
197 static void match_assign(struct expression *expr)
198 {
199 struct symbol *type;
200
201 type = get_type(expr);
202 if (is_ptr_type(type))
203 return;
204 if (type == &bool_ctype)
205 return;
206 if (type_bits(type) >= 0 && type_bits(type) <= 2)
207 return;
208
209 if (is_capped(expr->right)) {
210 set_state_expr(my_id, expr->left, &capped);
211 } else {
212 if (get_state_expr(my_id, expr->left))
213 set_state_expr(my_id, expr->left, &uncapped);
214 }
215 }
216
217 static void match_caller_info(struct expression *expr)
218 {
219 struct expression *tmp;
220 sval_t sval;
221 int i;
222
223 i = -1;
224 FOR_EACH_PTR(expr->args, tmp) {
225 i++;
226 if (get_implied_value(tmp, &sval))
227 continue;
228 if (!is_capped(tmp))
229 continue;
230 sql_insert_caller_info(expr, CAPPED_DATA, i, "$", "1");
231 } END_FOR_EACH_PTR(tmp);
232 }
233
234 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
235 {
236 struct smatch_state *estate;
237 sval_t sval;
238
239 if (sm->state != &capped)
240 return;
241 estate = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
242 if (estate_get_single_value(estate, &sval))
243 return;
244 sql_insert_caller_info(call, CAPPED_DATA, param, printed_name, "1");
245 }
246
247 static void print_return_implies_capped(int return_id, char *return_ranges, struct expression *expr)
248 {
249 struct smatch_state *orig, *estate;
250 struct sm_state *sm;
251 struct symbol *ret_sym;
252 const char *param_name;
253 char *return_str;
254 int param;
255 sval_t sval;
256 bool return_found = false;
257
258 expr = strip_expr(expr);
259 return_str = expr_to_str(expr);
260 ret_sym = expr_to_sym(expr);
261
262 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
263 if (sm->state != &capped)
264 continue;
265
266 param = get_param_num_from_sym(sm->sym);
267 if (param < 0)
268 continue;
269
270 estate = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
271 if (estate_get_single_value(estate, &sval))
272 continue;
273
274 orig = get_state_stree(get_start_states(), my_id, sm->name, sm->sym);
275 if (orig == &capped && !param_was_set_var_sym(sm->name, sm->sym))
276 continue;
277
278 param_name = get_param_name(sm);
279 if (!param_name)
280 continue;
281
282 sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
283 param, param_name, "1");
284 } END_FOR_EACH_SM(sm);
285
286 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
287 if (!ret_sym)
288 break;
289 if (sm->state != &capped)
290 continue;
291 if (ret_sym != sm->sym)
292 continue;
293
294 estate = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
295 if (estate_get_single_value(estate, &sval))
296 continue;
297
298 param_name = state_name_to_param_name(sm->name, return_str);
299 if (!param_name)
300 continue;
301 if (strcmp(param_name, "$") == 0)
302 return_found = true;
303 sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
304 -1, param_name, "1");
305 } END_FOR_EACH_SM(sm);
306
307 if (return_found)
308 goto free_string;
309
310 if (option_project == PROJ_KERNEL && get_function() &&
311 strstr(get_function(), "nla_get_"))
312 sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
313 -1, "$", "1");
314
315 free_string:
316 free_string(return_str);
317 }
|