11f5207b7SJohn Levon /*
21f5207b7SJohn Levon * Copyright (C) 2011 Oracle. All rights reserved.
31f5207b7SJohn Levon *
41f5207b7SJohn Levon * This program is free software; you can redistribute it and/or
51f5207b7SJohn Levon * modify it under the terms of the GNU General Public License
61f5207b7SJohn Levon * as published by the Free Software Foundation; either version 2
71f5207b7SJohn Levon * of the License, or (at your option) any later version.
81f5207b7SJohn Levon *
91f5207b7SJohn Levon * This program is distributed in the hope that it will be useful,
101f5207b7SJohn Levon * but WITHOUT ANY WARRANTY; without even the implied warranty of
111f5207b7SJohn Levon * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
121f5207b7SJohn Levon * GNU General Public License for more details.
131f5207b7SJohn Levon *
141f5207b7SJohn Levon * You should have received a copy of the GNU General Public License
151f5207b7SJohn Levon * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
161f5207b7SJohn Levon */
171f5207b7SJohn Levon
181f5207b7SJohn Levon /*
191f5207b7SJohn Levon * This is trying to make a list of the variables which
201f5207b7SJohn Levon * have capped values. Sometimes we don't know what the
211f5207b7SJohn Levon * cap is, for example if we are comparing variables but
221f5207b7SJohn Levon * we don't know the values of the variables. In that
231f5207b7SJohn Levon * case we only know that our variable is capped and we
241f5207b7SJohn Levon * sort that information here.
251f5207b7SJohn Levon */
261f5207b7SJohn Levon
271f5207b7SJohn Levon #include "smatch.h"
281f5207b7SJohn Levon #include "smatch_slist.h"
291f5207b7SJohn Levon #include "smatch_extra.h"
301f5207b7SJohn Levon
311f5207b7SJohn Levon static int my_id;
321f5207b7SJohn Levon
331f5207b7SJohn Levon STATE(capped);
341f5207b7SJohn Levon STATE(uncapped);
351f5207b7SJohn Levon
set_uncapped(struct sm_state * sm,struct expression * mod_expr)361f5207b7SJohn Levon static void set_uncapped(struct sm_state *sm, struct expression *mod_expr)
371f5207b7SJohn Levon {
381f5207b7SJohn Levon set_state(my_id, sm->name, sm->sym, &uncapped);
391f5207b7SJohn Levon }
401f5207b7SJohn Levon
unmatched_state(struct sm_state * sm)411f5207b7SJohn Levon static struct smatch_state *unmatched_state(struct sm_state *sm)
421f5207b7SJohn Levon {
431f5207b7SJohn Levon struct smatch_state *state;
441f5207b7SJohn Levon
45efe51d0cSJohn Levon state = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
461f5207b7SJohn Levon if (state && !estate_is_whole(state))
471f5207b7SJohn Levon return &capped;
481f5207b7SJohn Levon return &uncapped;
491f5207b7SJohn Levon }
501f5207b7SJohn Levon
is_capped_macro(struct expression * expr)511f5207b7SJohn Levon static int is_capped_macro(struct expression *expr)
521f5207b7SJohn Levon {
531f5207b7SJohn Levon char *name;
541f5207b7SJohn Levon
551f5207b7SJohn Levon name = get_macro_name(expr->pos);
561f5207b7SJohn Levon if (!name)
571f5207b7SJohn Levon return 0;
581f5207b7SJohn Levon
591f5207b7SJohn Levon if (strcmp(name, "min") == 0)
601f5207b7SJohn Levon return 1;
611f5207b7SJohn Levon if (strcmp(name, "MIN") == 0)
621f5207b7SJohn Levon return 1;
631f5207b7SJohn Levon if (strcmp(name, "min_t") == 0)
641f5207b7SJohn Levon return 1;
651f5207b7SJohn Levon
661f5207b7SJohn Levon return 0;
671f5207b7SJohn Levon }
681f5207b7SJohn Levon
is_capped(struct expression * expr)691f5207b7SJohn Levon int is_capped(struct expression *expr)
701f5207b7SJohn Levon {
71efe51d0cSJohn Levon struct symbol *type;
721f5207b7SJohn Levon sval_t dummy;
731f5207b7SJohn Levon
741f5207b7SJohn Levon expr = strip_expr(expr);
751f5207b7SJohn Levon while (expr && expr->type == EXPR_POSTOP) {
761f5207b7SJohn Levon expr = strip_expr(expr->unop);
771f5207b7SJohn Levon }
781f5207b7SJohn Levon if (!expr)
791f5207b7SJohn Levon return 0;
801f5207b7SJohn Levon
81efe51d0cSJohn Levon type = get_type(expr);
82efe51d0cSJohn Levon if (is_ptr_type(type))
83efe51d0cSJohn Levon return 0;
84efe51d0cSJohn Levon if (type == &bool_ctype)
85efe51d0cSJohn Levon return 0;
86efe51d0cSJohn Levon if (type_bits(type) >= 0 && type_bits(type) <= 2)
87efe51d0cSJohn Levon return 0;
88efe51d0cSJohn Levon
891f5207b7SJohn Levon if (get_hard_max(expr, &dummy))
901f5207b7SJohn Levon return 1;
911f5207b7SJohn Levon
921f5207b7SJohn Levon if (is_capped_macro(expr))
931f5207b7SJohn Levon return 1;
941f5207b7SJohn Levon
951f5207b7SJohn Levon if (expr->type == EXPR_BINOP) {
961f5207b7SJohn Levon struct range_list *left_rl, *right_rl;
97*6523a3aaSJohn Levon sval_t sval;
981f5207b7SJohn Levon
99*6523a3aaSJohn Levon if (expr->op == '&' && !get_value(expr->right, &sval))
1001f5207b7SJohn Levon return 1;
1011f5207b7SJohn Levon if (expr->op == SPECIAL_RIGHTSHIFT)
102*6523a3aaSJohn Levon return 0;
103*6523a3aaSJohn Levon if (expr->op == '%' &&
104*6523a3aaSJohn Levon !get_value(expr->right, &sval) && is_capped(expr->right))
105efe51d0cSJohn Levon return 1;
1061f5207b7SJohn Levon if (!is_capped(expr->left))
1071f5207b7SJohn Levon return 0;
1081f5207b7SJohn Levon if (expr->op == '/')
1091f5207b7SJohn Levon return 1;
1101f5207b7SJohn Levon if (!is_capped(expr->right))
1111f5207b7SJohn Levon return 0;
1121f5207b7SJohn Levon if (expr->op == '*') {
1131f5207b7SJohn Levon get_absolute_rl(expr->left, &left_rl);
1141f5207b7SJohn Levon get_absolute_rl(expr->right, &right_rl);
1151f5207b7SJohn Levon if (sval_is_negative(rl_min(left_rl)) ||
1161f5207b7SJohn Levon sval_is_negative(rl_min(right_rl)))
1171f5207b7SJohn Levon return 0;
1181f5207b7SJohn Levon }
1191f5207b7SJohn Levon return 1;
1201f5207b7SJohn Levon }
1211f5207b7SJohn Levon if (get_state_expr(my_id, expr) == &capped)
1221f5207b7SJohn Levon return 1;
1231f5207b7SJohn Levon return 0;
1241f5207b7SJohn Levon }
1251f5207b7SJohn Levon
is_capped_var_sym(const char * name,struct symbol * sym)1261f5207b7SJohn Levon int is_capped_var_sym(const char *name, struct symbol *sym)
1271f5207b7SJohn Levon {
1281f5207b7SJohn Levon if (get_state(my_id, name, sym) == &capped)
1291f5207b7SJohn Levon return 1;
1301f5207b7SJohn Levon return 0;
1311f5207b7SJohn Levon }
1321f5207b7SJohn Levon
set_param_capped_data(const char * name,struct symbol * sym,char * key,char * value)1331f5207b7SJohn Levon void set_param_capped_data(const char *name, struct symbol *sym, char *key, char *value)
1341f5207b7SJohn Levon {
1351f5207b7SJohn Levon char fullname[256];
1361f5207b7SJohn Levon
1371f5207b7SJohn Levon if (strncmp(key, "$", 1))
1381f5207b7SJohn Levon return;
1391f5207b7SJohn Levon snprintf(fullname, 256, "%s%s", name, key + 1);
1401f5207b7SJohn Levon set_state(my_id, fullname, sym, &capped);
1411f5207b7SJohn Levon }
1421f5207b7SJohn Levon
match_condition(struct expression * expr)1431f5207b7SJohn Levon static void match_condition(struct expression *expr)
1441f5207b7SJohn Levon {
145efe51d0cSJohn Levon struct expression *left, *right;
1461f5207b7SJohn Levon struct smatch_state *left_true = NULL;
1471f5207b7SJohn Levon struct smatch_state *left_false = NULL;
1481f5207b7SJohn Levon struct smatch_state *right_true = NULL;
1491f5207b7SJohn Levon struct smatch_state *right_false = NULL;
150efe51d0cSJohn Levon sval_t sval;
1511f5207b7SJohn Levon
1521f5207b7SJohn Levon
1531f5207b7SJohn Levon if (expr->type != EXPR_COMPARE)
1541f5207b7SJohn Levon return;
1551f5207b7SJohn Levon
156efe51d0cSJohn Levon left = strip_expr(expr->left);
157efe51d0cSJohn Levon right = strip_expr(expr->right);
158efe51d0cSJohn Levon
159efe51d0cSJohn Levon while (left->type == EXPR_ASSIGNMENT)
160efe51d0cSJohn Levon left = strip_expr(left->left);
161efe51d0cSJohn Levon
162efe51d0cSJohn Levon /* If we're dealing with known expressions, that's for smatch_extra.c */
163efe51d0cSJohn Levon if (get_implied_value(left, &sval) ||
164efe51d0cSJohn Levon get_implied_value(right, &sval))
165efe51d0cSJohn Levon return;
166efe51d0cSJohn Levon
1671f5207b7SJohn Levon switch (expr->op) {
1681f5207b7SJohn Levon case '<':
1691f5207b7SJohn Levon case SPECIAL_LTE:
1701f5207b7SJohn Levon case SPECIAL_UNSIGNED_LT:
1711f5207b7SJohn Levon case SPECIAL_UNSIGNED_LTE:
1721f5207b7SJohn Levon left_true = &capped;
1731f5207b7SJohn Levon right_false = &capped;
1741f5207b7SJohn Levon break;
1751f5207b7SJohn Levon case '>':
1761f5207b7SJohn Levon case SPECIAL_GTE:
1771f5207b7SJohn Levon case SPECIAL_UNSIGNED_GT:
1781f5207b7SJohn Levon case SPECIAL_UNSIGNED_GTE:
1791f5207b7SJohn Levon left_false = &capped;
1801f5207b7SJohn Levon right_true = &capped;
1811f5207b7SJohn Levon break;
1821f5207b7SJohn Levon case SPECIAL_EQUAL:
1831f5207b7SJohn Levon left_true = &capped;
1841f5207b7SJohn Levon right_true = &capped;
1851f5207b7SJohn Levon break;
1861f5207b7SJohn Levon case SPECIAL_NOTEQUAL:
1871f5207b7SJohn Levon left_false = &capped;
1881f5207b7SJohn Levon right_false = &capped;
1891f5207b7SJohn Levon break;
1901f5207b7SJohn Levon
1911f5207b7SJohn Levon default:
1921f5207b7SJohn Levon return;
1931f5207b7SJohn Levon }
1941f5207b7SJohn Levon
195efe51d0cSJohn Levon set_true_false_states_expr(my_id, left, left_true, left_false);
196efe51d0cSJohn Levon set_true_false_states_expr(my_id, right, right_true, right_false);
1971f5207b7SJohn Levon }
1981f5207b7SJohn Levon
match_assign(struct expression * expr)1991f5207b7SJohn Levon static void match_assign(struct expression *expr)
2001f5207b7SJohn Levon {
201efe51d0cSJohn Levon struct symbol *type;
202efe51d0cSJohn Levon
203efe51d0cSJohn Levon type = get_type(expr);
204efe51d0cSJohn Levon if (is_ptr_type(type))
205efe51d0cSJohn Levon return;
206efe51d0cSJohn Levon if (type == &bool_ctype)
207efe51d0cSJohn Levon return;
208efe51d0cSJohn Levon if (type_bits(type) >= 0 && type_bits(type) <= 2)
209efe51d0cSJohn Levon return;
210efe51d0cSJohn Levon
2111f5207b7SJohn Levon if (is_capped(expr->right)) {
2121f5207b7SJohn Levon set_state_expr(my_id, expr->left, &capped);
2131f5207b7SJohn Levon } else {
2141f5207b7SJohn Levon if (get_state_expr(my_id, expr->left))
2151f5207b7SJohn Levon set_state_expr(my_id, expr->left, &uncapped);
2161f5207b7SJohn Levon }
2171f5207b7SJohn Levon }
2181f5207b7SJohn Levon
match_caller_info(struct expression * expr)2191f5207b7SJohn Levon static void match_caller_info(struct expression *expr)
2201f5207b7SJohn Levon {
2211f5207b7SJohn Levon struct expression *tmp;
2221f5207b7SJohn Levon sval_t sval;
2231f5207b7SJohn Levon int i;
2241f5207b7SJohn Levon
2251f5207b7SJohn Levon i = -1;
2261f5207b7SJohn Levon FOR_EACH_PTR(expr->args, tmp) {
2271f5207b7SJohn Levon i++;
2281f5207b7SJohn Levon if (get_implied_value(tmp, &sval))
2291f5207b7SJohn Levon continue;
2301f5207b7SJohn Levon if (!is_capped(tmp))
2311f5207b7SJohn Levon continue;
2321f5207b7SJohn Levon sql_insert_caller_info(expr, CAPPED_DATA, i, "$", "1");
2331f5207b7SJohn Levon } END_FOR_EACH_PTR(tmp);
2341f5207b7SJohn Levon }
2351f5207b7SJohn Levon
struct_member_callback(struct expression * call,int param,char * printed_name,struct sm_state * sm)2361f5207b7SJohn Levon static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
2371f5207b7SJohn Levon {
2381f5207b7SJohn Levon struct smatch_state *estate;
2391f5207b7SJohn Levon sval_t sval;
2401f5207b7SJohn Levon
2411f5207b7SJohn Levon if (sm->state != &capped)
2421f5207b7SJohn Levon return;
243efe51d0cSJohn Levon estate = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
2441f5207b7SJohn Levon if (estate_get_single_value(estate, &sval))
2451f5207b7SJohn Levon return;
2461f5207b7SJohn Levon sql_insert_caller_info(call, CAPPED_DATA, param, printed_name, "1");
2471f5207b7SJohn Levon }
2481f5207b7SJohn Levon
print_return_implies_capped(int return_id,char * return_ranges,struct expression * expr)2491f5207b7SJohn Levon static void print_return_implies_capped(int return_id, char *return_ranges, struct expression *expr)
2501f5207b7SJohn Levon {
2511f5207b7SJohn Levon struct smatch_state *orig, *estate;
2521f5207b7SJohn Levon struct sm_state *sm;
2531f5207b7SJohn Levon struct symbol *ret_sym;
2541f5207b7SJohn Levon const char *param_name;
2551f5207b7SJohn Levon char *return_str;
2561f5207b7SJohn Levon int param;
2571f5207b7SJohn Levon sval_t sval;
2581f5207b7SJohn Levon bool return_found = false;
2591f5207b7SJohn Levon
2601f5207b7SJohn Levon expr = strip_expr(expr);
2611f5207b7SJohn Levon return_str = expr_to_str(expr);
2621f5207b7SJohn Levon ret_sym = expr_to_sym(expr);
2631f5207b7SJohn Levon
2641f5207b7SJohn Levon FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
2651f5207b7SJohn Levon if (sm->state != &capped)
2661f5207b7SJohn Levon continue;
2671f5207b7SJohn Levon
2681f5207b7SJohn Levon param = get_param_num_from_sym(sm->sym);
2691f5207b7SJohn Levon if (param < 0)
2701f5207b7SJohn Levon continue;
2711f5207b7SJohn Levon
272efe51d0cSJohn Levon estate = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
2731f5207b7SJohn Levon if (estate_get_single_value(estate, &sval))
2741f5207b7SJohn Levon continue;
2751f5207b7SJohn Levon
2761f5207b7SJohn Levon orig = get_state_stree(get_start_states(), my_id, sm->name, sm->sym);
277efe51d0cSJohn Levon if (orig == &capped && !param_was_set_var_sym(sm->name, sm->sym))
2781f5207b7SJohn Levon continue;
2791f5207b7SJohn Levon
2801f5207b7SJohn Levon param_name = get_param_name(sm);
2811f5207b7SJohn Levon if (!param_name)
2821f5207b7SJohn Levon continue;
2831f5207b7SJohn Levon
2841f5207b7SJohn Levon sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
2851f5207b7SJohn Levon param, param_name, "1");
2861f5207b7SJohn Levon } END_FOR_EACH_SM(sm);
2871f5207b7SJohn Levon
2881f5207b7SJohn Levon FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
2891f5207b7SJohn Levon if (!ret_sym)
2901f5207b7SJohn Levon break;
291efe51d0cSJohn Levon if (sm->state != &capped)
292efe51d0cSJohn Levon continue;
2931f5207b7SJohn Levon if (ret_sym != sm->sym)
2941f5207b7SJohn Levon continue;
2951f5207b7SJohn Levon
296efe51d0cSJohn Levon estate = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
297efe51d0cSJohn Levon if (estate_get_single_value(estate, &sval))
298efe51d0cSJohn Levon continue;
299efe51d0cSJohn Levon
3001f5207b7SJohn Levon param_name = state_name_to_param_name(sm->name, return_str);
3011f5207b7SJohn Levon if (!param_name)
3021f5207b7SJohn Levon continue;
3031f5207b7SJohn Levon if (strcmp(param_name, "$") == 0)
3041f5207b7SJohn Levon return_found = true;
3051f5207b7SJohn Levon sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
3061f5207b7SJohn Levon -1, param_name, "1");
3071f5207b7SJohn Levon } END_FOR_EACH_SM(sm);
3081f5207b7SJohn Levon
3091f5207b7SJohn Levon if (return_found)
3101f5207b7SJohn Levon goto free_string;
3111f5207b7SJohn Levon
3121f5207b7SJohn Levon if (option_project == PROJ_KERNEL && get_function() &&
3131f5207b7SJohn Levon strstr(get_function(), "nla_get_"))
3141f5207b7SJohn Levon sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
3151f5207b7SJohn Levon -1, "$", "1");
3161f5207b7SJohn Levon
3171f5207b7SJohn Levon free_string:
3181f5207b7SJohn Levon free_string(return_str);
3191f5207b7SJohn Levon }
3201f5207b7SJohn Levon
db_return_states_capped(struct expression * expr,int param,char * key,char * value)3211f5207b7SJohn Levon static void db_return_states_capped(struct expression *expr, int param, char *key, char *value)
3221f5207b7SJohn Levon {
3231f5207b7SJohn Levon char *name;
3241f5207b7SJohn Levon struct symbol *sym;
3251f5207b7SJohn Levon
3261f5207b7SJohn Levon name = return_state_to_var_sym(expr, param, key, &sym);
3271f5207b7SJohn Levon if (!name || !sym)
3281f5207b7SJohn Levon goto free;
3291f5207b7SJohn Levon
3301f5207b7SJohn Levon set_state(my_id, name, sym, &capped);
3311f5207b7SJohn Levon free:
3321f5207b7SJohn Levon free_string(name);
3331f5207b7SJohn Levon }
3341f5207b7SJohn Levon
register_capped(int id)3351f5207b7SJohn Levon void register_capped(int id)
3361f5207b7SJohn Levon {
3371f5207b7SJohn Levon my_id = id;
3381f5207b7SJohn Levon
3391f5207b7SJohn Levon add_unmatched_state_hook(my_id, &unmatched_state);
3401f5207b7SJohn Levon select_caller_info_hook(set_param_capped_data, CAPPED_DATA);
3411f5207b7SJohn Levon add_hook(&match_condition, CONDITION_HOOK);
3421f5207b7SJohn Levon add_hook(&match_assign, ASSIGNMENT_HOOK);
3431f5207b7SJohn Levon add_modification_hook(my_id, &set_uncapped);
3441f5207b7SJohn Levon
3451f5207b7SJohn Levon add_hook(&match_caller_info, FUNCTION_CALL_HOOK);
3461f5207b7SJohn Levon add_member_info_callback(my_id, struct_member_callback);
3471f5207b7SJohn Levon
3481f5207b7SJohn Levon add_split_return_callback(print_return_implies_capped);
3491f5207b7SJohn Levon select_return_states_hook(CAPPED_DATA, &db_return_states_capped);
3501f5207b7SJohn Levon }
351