/* * Copyright (C) 2012 Oracle. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt */ #include "smatch.h" static int my_id; STATE(size_in_bytes); static void set_undefined(struct sm_state *sm, struct expression *mod_expr) { if (sm->state == &size_in_bytes) set_state(my_id, sm->name, sm->sym, &undefined); } static int is_sizeof(struct expression *expr) { return (expr->type == EXPR_SIZEOF); } static int is_macro(struct expression *expr, const char *macro_name) { char *name; struct expression *outside_expr; /* check that we aren't inside the macro itself */ outside_expr = last_ptr_list((struct ptr_list *)big_expression_stack); if (outside_expr && positions_eq(expr->pos, outside_expr->pos)) return 0; name = get_macro_name(expr->pos); if (name && strcmp(name, macro_name) == 0) return 1; return 0; } static int is_size_in_bytes(struct expression *expr) { if (is_sizeof(expr)) return 1; if (is_macro(expr, "offsetof")) return 1; if (is_macro(expr, "PAGE_SIZE")) return 1; if (get_state_expr(my_id, expr) == &size_in_bytes) return 1; return 0; } static void match_binop(struct expression *expr) { struct symbol *type; char *name; int size; if (expr->op != '+') return; type = get_pointer_type(expr->left); if (!type) return; if (type_bits(type) <= 8) /* ignore void, bool and char pointers*/ return; if (!is_size_in_bytes(expr->right)) return; /* if we know it's within bounds then don't complain */ size = get_array_size(expr->left); if (size) { sval_t max; get_absolute_max(expr->right, &max); if (max.uvalue < size) return; } name = expr_to_str(expr->left); sm_warning("potential pointer math issue ('%s' is a %d bit pointer)", name, type_bits(type)); free_string(name); } static void match_assign(struct expression *expr) { if (expr->op != '=') return; if (!is_size_in_bytes(expr->right)) return; set_state_expr(my_id, expr->left, &size_in_bytes); } static void check_assign(struct expression *expr) { struct symbol *type; char *name; if (expr->op != SPECIAL_ADD_ASSIGN && expr->op != SPECIAL_SUB_ASSIGN) return; type = get_pointer_type(expr->left); if (!type) return; if (type_bits(type) == 8 || type_bits(type) == -1) return; if (!is_size_in_bytes(expr->right)) return; name = expr_to_var(expr->left); sm_warning("potential pointer math issue ('%s' is a %d bit pointer)", name, type_bits(type)); free_string(name); } void check_pointer_math(int id) { my_id = id; add_hook(&match_binop, BINOP_HOOK); add_hook(&match_assign, ASSIGNMENT_HOOK); add_hook(&check_assign, ASSIGNMENT_HOOK); add_modification_hook(my_id, &set_undefined); }