search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Warn on double lock/unlocks.
[smatch.git] / check_overflow.c
blob617219463b1145581f9e8f83d9823cf3d97a030d
1 /*
2 * sparse/check_deference.c
3 *
4 * Copyright (C) 2006 Dan Carpenter.
5 *
6 * Licensed under the Open Software License version 1.1
7 *
8 */
9
10 #include <stdlib.h>
11 #include "parse.h"
12 #include "smatch.h"
13
14 static int my_id;
15
16 static struct smatch_state *alloc_state(int val)
17 {
18 struct smatch_state *state;
19
20 state = malloc(sizeof(*state));
21 state->name = "value";
22 state->data = malloc(sizeof(int));
23 *(int *)state->data = val;
24 return state;
25 }
26
27 static int malloc_size(struct expression *expr)
28 {
29 char *name;
30 struct expression *arg;
31
32 if (!expr)
33 return 0;
34
35 if (expr->type == EXPR_CALL) {
36 name = get_variable_from_expr(expr->fn, NULL);
37 if (name && !strcmp(name, "kmalloc")) {
38 arg = get_argument_from_call_expr(expr->args, 0);
39 return get_value(arg);
40 }
41 } else if (expr->type == EXPR_STRING && expr->string) {
42 return expr->string->length * 8;
43 }
44 return 0;
45 }
46
47 static void match_declaration(struct symbol *sym)
48 {
49 struct symbol *base_type;
50 char *name;
51 int size;
52
53 if (!sym->ident)
54 return;
55
56 name = sym->ident->name;
57 base_type = get_base_type(sym);
58
59 if (base_type->type == SYM_ARRAY && base_type->bit_size > 0)
60 set_state(name, my_id, NULL, alloc_state(base_type->bit_size / 8));
61 else {
62 size = malloc_size(sym->initializer);
63 if (size > 0)
64 set_state(name, my_id, NULL, alloc_state(size));
65 }
66 }
67
68 static void match_assignment(struct expression *expr)
69 {
70 char *name;
71 name = get_variable_from_expr(expr->left, NULL);
72 if (!name)
73 return;
74 if (malloc_size(expr->right) > 0)
75 set_state(name, my_id, NULL, alloc_state(malloc_size(expr->right)));
76 }
77
78 static void match_fn_call(struct expression *expr)
79 {
80 struct expression *dest;
81 struct expression *data;
82 char *fn_name;
83 char *dest_name;
84 char *data_name;
85
86 fn_name = get_variable_from_expr(expr->fn, NULL);
87 if (!fn_name)
88 return;
89
90 if (!strcmp(fn_name, "strcpy")) {
91 struct smatch_state *dest_state;
92 struct smatch_state *data_state;
93
94 dest = get_argument_from_call_expr(expr->args, 0);
95 dest_name = get_variable_from_expr(dest, NULL);
96
97 data = get_argument_from_call_expr(expr->args, 1);
98 data_name = get_variable_from_expr(data, NULL);
99
100 dest_state = get_state(dest_name, my_id, NULL);
101 if (!dest_state || !dest_state->data) {
102 return;
103 }
104 data_state = get_state(data_name, my_id, NULL);
105 if (!data_state || !data_state->data) {
106 return;
107 }
108
109 if (*(int *)dest_state->data < *(int *)data_state->data)
110 smatch_msg("Error %s too large for %s", data_name,
111 dest_name);
112 } else if (!strcmp(fn_name, "strncpy")) {
113 struct smatch_state *state;
114 int needed;
115 int has;
116
117 dest = get_argument_from_call_expr(expr->args, 0);
118 dest_name = get_variable_from_expr(dest, NULL);
119
120 data = get_argument_from_call_expr(expr->args, 2);
121 needed = get_value(data);
122 state = get_state(dest_name, my_id, NULL);
123 if (!state || !state->data)
124 return;
125 has = *(int *)state->data;
126 if (has < needed)
127 smatch_msg("Error %s too small for %d bytes.",
128 dest_name, needed);
129 }
130 }
131
132 void register_overflow(int id)
133 {
134 my_id = id;
135 add_hook(&match_declaration, DECLARATION_HOOK);
136 add_hook(&match_assignment, ASSIGNMENT_HOOK);
137 add_hook(&match_fn_call, FUNCTION_CALL_HOOK);
138 }
Static analysis for C