search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
helper: improve get_complication_score()
[smatch.git] / smatch_math.c
blob6352a4d3c54d5ebde0ac7144b8e509785b5061db
1 /*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 #include "symbol.h"
19 #include "smatch.h"
20 #include "smatch_slist.h"
21 #include "smatch_extra.h"
22
23 static struct range_list *_get_rl(struct expression *expr, int implied, int *recurse_cnt);
24 static struct range_list *handle_variable(struct expression *expr, int implied, int *recurse_cnt);
25 static struct range_list *(*custom_handle_variable)(struct expression *expr);
26
27 static sval_t zero = {.type = &int_ctype, {.value = 0} };
28 static sval_t one = {.type = &int_ctype, {.value = 1} };
29
30 struct range_list *rl_zero(void)
31 {
32 return alloc_rl(zero, zero);
33 }
34
35 struct range_list *rl_one(void)
36 {
37 return alloc_rl(one, one);
38 }
39
40 enum {
41 RL_EXACT,
42 RL_HARD,
43 RL_FUZZY,
44 RL_IMPLIED,
45 RL_ABSOLUTE
46 };
47
48 static struct range_list *last_stmt_rl(struct statement *stmt, int implied, int *recurse_cnt)
49 {
50 if (!stmt)
51 return NULL;
52
53 stmt = last_ptr_list((struct ptr_list *)stmt->stmts);
54 if (stmt->type != STMT_EXPRESSION)
55 return NULL;
56 return _get_rl(stmt->expression, implied, recurse_cnt);
57 }
58
59 static struct range_list *handle_expression_statement_rl(struct expression *expr, int implied, int *recurse_cnt)
60 {
61 return last_stmt_rl(get_expression_statement(expr), implied, recurse_cnt);
62 }
63
64 static struct range_list *handle_ampersand_rl(struct expression *expr, int implied, int *recurse_cnt)
65 {
66 struct range_list *rl;
67
68 if (implied == RL_EXACT || implied == RL_HARD)
69 return NULL;
70 if (get_address_rl(expr, &rl))
71 return rl;
72 return alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
73 }
74
75 static struct range_list *handle_negate_rl(struct expression *expr, int implied, int *recurse_cnt)
76 {
77 if (known_condition_true(expr->unop))
78 return rl_zero();
79 if (known_condition_false(expr->unop))
80 return rl_one();
81
82 if (implied == RL_EXACT)
83 return NULL;
84
85 if (implied_condition_true(expr->unop))
86 return rl_zero();
87 if (implied_condition_false(expr->unop))
88 return rl_one();
89 return alloc_rl(zero, one);
90 }
91
92 static struct range_list *handle_bitwise_negate(struct expression *expr, int implied, int *recurse_cnt)
93 {
94 struct range_list *rl;
95 sval_t sval;
96
97 rl = _get_rl(expr->unop, implied, recurse_cnt);
98 if (!rl_to_sval(rl, &sval))
99 return NULL;
100 sval = sval_preop(sval, '~');
101 sval_cast(get_type(expr->unop), sval);
102 return alloc_rl(sval, sval);
103 }
104
105 static struct range_list *handle_minus_preop(struct expression *expr, int implied, int *recurse_cnt)
106 {
107 struct range_list *rl;
108 sval_t sval;
109
110 rl = _get_rl(expr->unop, implied, recurse_cnt);
111 if (!rl_to_sval(rl, &sval))
112 return NULL;
113 sval = sval_preop(sval, '-');
114 return alloc_rl(sval, sval);
115 }
116
117 static struct range_list *handle_preop_rl(struct expression *expr, int implied, int *recurse_cnt)
118 {
119 switch (expr->op) {
120 case '&':
121 return handle_ampersand_rl(expr, implied, recurse_cnt);
122 case '!':
123 return handle_negate_rl(expr, implied, recurse_cnt);
124 case '~':
125 return handle_bitwise_negate(expr, implied, recurse_cnt);
126 case '-':
127 return handle_minus_preop(expr, implied, recurse_cnt);
128 case '*':
129 return handle_variable(expr, implied, recurse_cnt);
130 case '(':
131 return handle_expression_statement_rl(expr, implied, recurse_cnt);
132 default:
133 return NULL;
134 }
135 }
136
137 static struct range_list *handle_divide_rl(struct expression *expr, int implied, int *recurse_cnt)
138 {
139 struct range_list *left_rl, *right_rl;
140 struct symbol *type;
141
142 type = get_type(expr);
143
144 left_rl = _get_rl(expr->left, implied, recurse_cnt);
145 left_rl = cast_rl(type, left_rl);
146 right_rl = _get_rl(expr->right, implied, recurse_cnt);
147 right_rl = cast_rl(type, right_rl);
148
149 if (!left_rl || !right_rl)
150 return NULL;
151 if (is_whole_rl(left_rl) || is_whole_rl(right_rl))
152 return NULL;
153
154 return rl_binop(left_rl, '/', right_rl);
155 }
156
157 static struct range_list *handle_subtract_rl(struct expression *expr, int implied, int *recurse_cnt)
158 {
159 struct symbol *type;
160 struct range_list *left_rl, *right_rl;
161 sval_t max, min, tmp;
162 int comparison;
163
164 type = get_type(expr);
165 comparison = get_comparison(expr->left, expr->right);
166
167 left_rl = _get_rl(expr->left, implied, recurse_cnt);
168 left_rl = cast_rl(type, left_rl);
169 right_rl = _get_rl(expr->right, implied, recurse_cnt);
170 right_rl = cast_rl(type, right_rl);
171
172 if ((!left_rl || !right_rl) &&
173 (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY))
174 return NULL;
175
176 if (!left_rl)
177 left_rl = alloc_whole_rl(type);
178 if (!right_rl)
179 right_rl = alloc_whole_rl(type);
180
181 /* negative values complicate everything fix this later */
182 if (sval_is_negative(rl_min(right_rl)))
183 return NULL;
184 max = rl_max(left_rl);
185
186 switch (comparison) {
187 case '>':
188 case SPECIAL_UNSIGNED_GT:
189 min = sval_type_val(type, 1);
190 max = rl_max(left_rl);
191 break;
192 case SPECIAL_GTE:
193 case SPECIAL_UNSIGNED_GTE:
194 min = sval_type_val(type, 0);
195 max = rl_max(left_rl);
196 break;
197 default:
198 if (sval_binop_overflows(rl_min(left_rl), '-', rl_max(right_rl)))
199 return NULL;
200 min = sval_type_min(type);
201 }
202
203 if (!sval_binop_overflows(rl_min(left_rl), '-', rl_max(right_rl))) {
204 tmp = sval_binop(rl_min(left_rl), '-', rl_max(right_rl));
205 if (sval_cmp(tmp, min) > 0)
206 min = tmp;
207 }
208
209 if (!sval_is_max(rl_max(left_rl))) {
210 tmp = sval_binop(rl_max(left_rl), '-', rl_min(right_rl));
211 if (sval_cmp(tmp, max) < 0)
212 max = tmp;
213 }
214
215 if (sval_is_min(min) && sval_is_max(max))
216 return NULL;
217
218 return cast_rl(type, alloc_rl(min, max));
219 }
220
221 static struct range_list *handle_mod_rl(struct expression *expr, int implied, int *recurse_cnt)
222 {
223 struct range_list *rl;
224 sval_t left, right, sval;
225
226 if (implied == RL_EXACT) {
227 if (!get_value(expr->right, &right))
228 return NULL;
229 if (!get_value(expr->left, &left))
230 return NULL;
231 sval = sval_binop(left, '%', right);
232 return alloc_rl(sval, sval);
233 }
234 /* if we can't figure out the right side it's probably hopeless */
235 if (!get_implied_value(expr->right, &right))
236 return NULL;
237
238 right = sval_cast(get_type(expr), right);
239 right.value--;
240
241 rl = _get_rl(expr->left, implied, recurse_cnt);
242 if (rl && rl_max(rl).uvalue < right.uvalue)
243 right.uvalue = rl_max(rl).uvalue;
244
245 return alloc_rl(zero, right);
246 }
247
248 static sval_t sval_lowest_set_bit(sval_t sval)
249 {
250 int i;
251 int found = 0;
252
253 for (i = 0; i < 64; i++) {
254 if (sval.uvalue & 1ULL << i) {
255 if (!found++)
256 continue;
257 sval.uvalue &= ~(1ULL << i);
258 }
259 }
260 return sval;
261 }
262
263 static struct range_list *handle_bitwise_AND(struct expression *expr, int implied, int *recurse_cnt)
264 {
265 struct symbol *type;
266 struct range_list *left_rl, *right_rl;
267 sval_t known;
268
269 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE)
270 return NULL;
271
272 type = get_type(expr);
273
274 if (get_implied_value(expr->left, &known)) {
275 sval_t min;
276
277 min = sval_lowest_set_bit(known);
278 left_rl = alloc_rl(min, known);
279 left_rl = cast_rl(type, left_rl);
280 add_range(&left_rl, sval_type_val(type, 0), sval_type_val(type, 0));
281 } else {
282 left_rl = _get_rl(expr->left, implied, recurse_cnt);
283 if (left_rl) {
284 left_rl = cast_rl(type, left_rl);
285 left_rl = alloc_rl(sval_type_val(type, 0), rl_max(left_rl));
286 } else {
287 if (implied == RL_HARD)
288 return NULL;
289 left_rl = alloc_whole_rl(type);
290 }
291 }
292
293 if (get_implied_value(expr->right, &known)) {
294 sval_t min, left_max, mod;
295
296 min = sval_lowest_set_bit(known);
297 right_rl = alloc_rl(min, known);
298 right_rl = cast_rl(type, right_rl);
299 add_range(&right_rl, sval_type_val(type, 0), sval_type_val(type, 0));
300
301 if (min.value != 0) {
302 left_max = rl_max(left_rl);
303 mod = sval_binop(left_max, '%', min);
304 if (mod.value) {
305 left_max = sval_binop(left_max, '-', mod);
306 left_max.value++;
307 if (left_max.value > 0 && sval_cmp(left_max, rl_max(left_rl)) < 0)
308 left_rl = remove_range(left_rl, left_max, rl_max(left_rl));
309 }
310 }
311 } else {
312 right_rl = _get_rl(expr->right, implied, recurse_cnt);
313 if (right_rl) {
314 right_rl = cast_rl(type, right_rl);
315 right_rl = alloc_rl(sval_type_val(type, 0), rl_max(right_rl));
316 } else {
317 if (implied == RL_HARD)
318 return NULL;
319 right_rl = alloc_whole_rl(type);
320 }
321 }
322
323 return rl_intersection(left_rl, right_rl);
324 }
325
326 static struct range_list *handle_bitwise_OR(struct expression *expr, int implied, int *recurse_cnt)
327 {
328 struct symbol *type;
329 struct range_list *left_rl, *right_rl;
330
331 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE)
332 return NULL;
333
334 type = get_type(expr);
335
336 get_absolute_rl(expr->left, &left_rl);
337 get_absolute_rl(expr->right, &right_rl);
338 left_rl = cast_rl(type, left_rl);
339 right_rl = cast_rl(type, right_rl);
340 if (!left_rl || !right_rl)
341 return NULL;
342
343 return rl_binop(left_rl, '|', right_rl);
344 }
345
346 static struct range_list *handle_right_shift(struct expression *expr, int implied, int *recurse_cnt)
347 {
348 struct range_list *left_rl;
349 sval_t right;
350 sval_t min, max;
351
352 if (implied == RL_EXACT || implied == RL_HARD)
353 return NULL;
354
355 left_rl = _get_rl(expr->left, implied, recurse_cnt);
356 if (left_rl) {
357 max = rl_max(left_rl);
358 min = rl_min(left_rl);
359 } else {
360 if (implied == RL_FUZZY)
361 return NULL;
362 max = sval_type_max(get_type(expr->left));
363 min = sval_type_val(get_type(expr->left), 0);
364 }
365
366 if (get_implied_value(expr->right, &right)) {
367 min = sval_binop(min, SPECIAL_RIGHTSHIFT, right);
368 max = sval_binop(max, SPECIAL_RIGHTSHIFT, right);
369 } else if (!sval_is_negative(min)) {
370 min.value = 0;
371 max = sval_type_max(max.type);
372 } else {
373 return NULL;
374 }
375
376 return alloc_rl(min, max);
377 }
378
379 static struct range_list *handle_left_shift(struct expression *expr, int implied, int *recurse_cnt)
380 {
381 struct range_list *left_rl, *res;
382 sval_t right;
383 sval_t min, max;
384 int add_zero = 0;
385
386 if (implied == RL_EXACT || implied == RL_HARD)
387 return NULL;
388 /* this is hopeless without the right side */
389 if (!get_implied_value(expr->right, &right))
390 return NULL;
391 left_rl = _get_rl(expr->left, implied, recurse_cnt);
392 if (left_rl) {
393 max = rl_max(left_rl);
394 min = rl_min(left_rl);
395 if (min.value == 0) {
396 min.value = 1;
397 add_zero = 1;
398 }
399 } else {
400 if (implied == RL_FUZZY)
401 return NULL;
402 max = sval_type_max(get_type(expr->left));
403 min = sval_type_val(get_type(expr->left), 1);
404 add_zero = 1;
405 }
406
407 max = sval_binop(max, SPECIAL_LEFTSHIFT, right);
408 min = sval_binop(min, SPECIAL_LEFTSHIFT, right);
409 res = alloc_rl(min, max);
410 if (add_zero)
411 res = rl_union(res, rl_zero());
412 return res;
413 }
414
415 static struct range_list *handle_known_binop(struct expression *expr)
416 {
417 sval_t left, right;
418
419 if (!get_value(expr->left, &left))
420 return NULL;
421 if (!get_value(expr->right, &right))
422 return NULL;
423 left = sval_binop(left, expr->op, right);
424 return alloc_rl(left, left);
425 }
426
427 static int has_actual_ranges(struct range_list *rl)
428 {
429 struct data_range *tmp;
430
431 FOR_EACH_PTR(rl, tmp) {
432 if (sval_cmp(tmp->min, tmp->max) != 0)
433 return 1;
434 } END_FOR_EACH_PTR(tmp);
435 return 0;
436 }
437
438 static struct range_list *handle_implied_binop(struct range_list *left_rl, int op, struct range_list *right_rl)
439 {
440 struct range_list *res_rl;
441 struct data_range *left_drange, *right_drange;
442 sval_t res;
443
444 if (!left_rl || !right_rl)
445 return NULL;
446 if (has_actual_ranges(left_rl))
447 return NULL;
448 if (has_actual_ranges(right_rl))
449 return NULL;
450
451 if (ptr_list_size((struct ptr_list *)left_rl) * ptr_list_size((struct ptr_list *)right_rl) > 20)
452 return NULL;
453
454 res_rl = NULL;
455
456 FOR_EACH_PTR(left_rl, left_drange) {
457 FOR_EACH_PTR(right_rl, right_drange) {
458 if ((op == '%' || op == '/') &&
459 right_drange->min.value == 0)
460 return NULL;
461 res = sval_binop(left_drange->min, op, right_drange->min);
462 add_range(&res_rl, res, res);
463 } END_FOR_EACH_PTR(right_drange);
464 } END_FOR_EACH_PTR(left_drange);
465
466 return res_rl;
467 }
468
469 static struct range_list *handle_binop_rl(struct expression *expr, int implied, int *recurse_cnt)
470 {
471 struct smatch_state *state;
472 struct symbol *type;
473 struct range_list *left_rl, *right_rl, *rl;
474 sval_t min, max;
475
476 rl = handle_known_binop(expr);
477 if (rl)
478 return rl;
479 if (implied == RL_EXACT)
480 return NULL;
481
482 state = get_extra_state(expr);
483 if (state && !is_whole_rl(estate_rl(state)))
484 return clone_rl(estate_rl(state));
485
486 type = get_type(expr);
487 left_rl = _get_rl(expr->left, implied, recurse_cnt);
488 left_rl = cast_rl(type, left_rl);
489 right_rl = _get_rl(expr->right, implied, recurse_cnt);
490 right_rl = cast_rl(type, right_rl);
491
492 rl = handle_implied_binop(left_rl, expr->op, right_rl);
493 if (rl)
494 return rl;
495
496 switch (expr->op) {
497 case '%':
498 return handle_mod_rl(expr, implied, recurse_cnt);
499 case '&':
500 return handle_bitwise_AND(expr, implied, recurse_cnt);
501 case '|':
502 return handle_bitwise_OR(expr, implied, recurse_cnt);
503 case SPECIAL_RIGHTSHIFT:
504 return handle_right_shift(expr, implied, recurse_cnt);
505 case SPECIAL_LEFTSHIFT:
506 return handle_left_shift(expr, implied, recurse_cnt);
507 case '-':
508 return handle_subtract_rl(expr, implied, recurse_cnt);
509 case '/':
510 return handle_divide_rl(expr, implied, recurse_cnt);
511 }
512
513 if (!left_rl || !right_rl)
514 return NULL;
515
516 if (sval_binop_overflows(rl_min(left_rl), expr->op, rl_min(right_rl)))
517 return NULL;
518 min = sval_binop(rl_min(left_rl), expr->op, rl_min(right_rl));
519
520 if (sval_binop_overflows(rl_max(left_rl), expr->op, rl_max(right_rl))) {
521 switch (implied) {
522 case RL_FUZZY:
523 case RL_HARD:
524 return NULL;
525 default:
526 max = sval_type_max(get_type(expr));
527 }
528 } else {
529 max = sval_binop(rl_max(left_rl), expr->op, rl_max(right_rl));
530 }
531
532 return alloc_rl(min, max);
533 }
534
535 static int do_comparison(struct expression *expr)
536 {
537 struct range_list *left_ranges = NULL;
538 struct range_list *right_ranges = NULL;
539 int poss_true, poss_false;
540 struct symbol *type;
541
542 type = get_type(expr);
543 get_absolute_rl(expr->left, &left_ranges);
544 get_absolute_rl(expr->right, &right_ranges);
545
546 left_ranges = cast_rl(type, left_ranges);
547 right_ranges = cast_rl(type, right_ranges);
548
549 poss_true = possibly_true_rl(left_ranges, expr->op, right_ranges);
550 poss_false = possibly_false_rl(left_ranges, expr->op, right_ranges);
551
552 free_rl(&left_ranges);
553 free_rl(&right_ranges);
554
555 if (!poss_true && !poss_false)
556 return 0x0;
557 if (poss_true && !poss_false)
558 return 0x1;
559 if (!poss_true && poss_false)
560 return 0x2;
561 return 0x3;
562 }
563
564 static struct range_list *handle_comparison_rl(struct expression *expr, int implied)
565 {
566 sval_t left, right;
567 int res;
568
569 if (get_value(expr->left, &left) && get_value(expr->right, &right)) {
570 struct data_range tmp_left, tmp_right;
571
572 tmp_left.min = left;
573 tmp_left.max = left;
574 tmp_right.min = right;
575 tmp_right.max = right;
576 if (true_comparison_range(&tmp_left, expr->op, &tmp_right))
577 return rl_one();
578 return rl_zero();
579 }
580
581 if (implied == RL_EXACT)
582 return NULL;
583
584 res = do_comparison(expr);
585 if (res == 1)
586 return rl_one();
587 if (res == 2)
588 return rl_zero();
589
590 return alloc_rl(zero, one);
591 }
592
593 static struct range_list *handle_logical_rl(struct expression *expr, int implied)
594 {
595 sval_t left, right;
596 int left_known = 0;
597 int right_known = 0;
598
599 if (implied == RL_EXACT) {
600 if (get_value(expr->left, &left))
601 left_known = 1;
602 if (get_value(expr->right, &right))
603 right_known = 1;
604 } else {
605 if (get_implied_value(expr->left, &left))
606 left_known = 1;
607 if (get_implied_value(expr->right, &right))
608 right_known = 1;
609 }
610
611 switch (expr->op) {
612 case SPECIAL_LOGICAL_OR:
613 if (left_known && left.value)
614 return rl_one();
615 if (right_known && right.value)
616 return rl_one();
617 if (left_known && right_known)
618 return rl_zero();
619 break;
620 case SPECIAL_LOGICAL_AND:
621 if (left_known && right_known) {
622 if (left.value && right.value)
623 return rl_one();
624 return rl_zero();
625 }
626 break;
627 default:
628 return NULL;
629 }
630
631 if (implied == RL_EXACT)
632 return NULL;
633
634 return alloc_rl(zero, one);
635 }
636
637 static struct range_list *handle_conditional_rl(struct expression *expr, int implied, int *recurse_cnt)
638 {
639 struct range_list *true_rl, *false_rl;
640 struct symbol *type;
641 int final_pass_orig = final_pass;
642
643 if (known_condition_true(expr->conditional))
644 return _get_rl(expr->cond_true, implied, recurse_cnt);
645 if (known_condition_false(expr->conditional))
646 return _get_rl(expr->cond_false, implied, recurse_cnt);
647
648 if (implied == RL_EXACT)
649 return NULL;
650
651 if (implied_condition_true(expr->conditional))
652 return _get_rl(expr->cond_true, implied, recurse_cnt);
653 if (implied_condition_false(expr->conditional))
654 return _get_rl(expr->cond_false, implied, recurse_cnt);
655
656
657 /* this becomes a problem with deeply nested conditional statements */
658 if (low_on_memory())
659 return NULL;
660
661 type = get_type(expr);
662
663 __push_fake_cur_stree();
664 final_pass = 0;
665 __split_whole_condition(expr->conditional);
666 true_rl = _get_rl(expr->cond_true, implied, recurse_cnt);
667 __push_true_states();
668 __use_false_states();
669 false_rl = _get_rl(expr->cond_false, implied, recurse_cnt);
670 __merge_true_states();
671 __free_fake_cur_stree();
672 final_pass = final_pass_orig;
673
674 if (!true_rl || !false_rl)
675 return NULL;
676 true_rl = cast_rl(type, true_rl);
677 false_rl = cast_rl(type, false_rl);
678
679 return rl_union(true_rl, false_rl);
680 }
681
682 static int get_fuzzy_max_helper(struct expression *expr, sval_t *max)
683 {
684 struct smatch_state *state;
685 sval_t sval;
686
687 if (get_hard_max(expr, &sval)) {
688 *max = sval;
689 return 1;
690 }
691
692 state = get_extra_state(expr);
693 if (!state || !estate_has_fuzzy_max(state))
694 return 0;
695 *max = sval_cast(get_type(expr), estate_get_fuzzy_max(state));
696 return 1;
697 }
698
699 static int get_fuzzy_min_helper(struct expression *expr, sval_t *min)
700 {
701 struct smatch_state *state;
702 sval_t sval;
703
704 state = get_extra_state(expr);
705 if (!state || !estate_rl(state))
706 return 0;
707
708 sval = estate_min(state);
709 if (sval_is_negative(sval) && sval_is_min(sval))
710 return 0;
711
712 if (sval_is_max(sval))
713 return 0;
714
715 *min = sval_cast(get_type(expr), sval);
716 return 1;
717 }
718
719 int get_const_value(struct expression *expr, sval_t *sval)
720 {
721 struct symbol *sym;
722 sval_t right;
723
724 if (expr->type != EXPR_SYMBOL || !expr->symbol)
725 return 0;
726 sym = expr->symbol;
727 if (!(sym->ctype.modifiers & MOD_CONST))
728 return 0;
729 if (get_value(sym->initializer, &right)) {
730 *sval = sval_cast(get_type(expr), right);
731 return 1;
732 }
733 return 0;
734 }
735
736 struct range_list *var_to_absolute_rl(struct expression *expr)
737 {
738 struct smatch_state *state;
739 struct range_list *rl;
740
741 state = get_extra_state(expr);
742 if (!state) {
743 if (get_local_rl(expr, &rl))
744 return rl;
745 if (get_db_type_rl(expr, &rl))
746 return rl;
747 return alloc_whole_rl(get_type(expr));
748 }
749 /* err on the side of saying things are possible */
750 if (!estate_rl(state))
751 return alloc_whole_rl(get_type(expr));
752 return clone_rl(estate_rl(state));
753 }
754
755 static struct range_list *handle_variable(struct expression *expr, int implied, int *recurse_cnt)
756 {
757 struct smatch_state *state;
758 struct range_list *rl;
759 sval_t sval, min, max;
760
761 if (get_const_value(expr, &sval))
762 return alloc_rl(sval, sval);
763
764 if (custom_handle_variable) {
765 rl = custom_handle_variable(expr);
766 if (!rl)
767 return var_to_absolute_rl(expr);
768 return rl;
769 }
770
771 switch (implied) {
772 case RL_EXACT:
773 return NULL;
774 case RL_HARD:
775 case RL_IMPLIED:
776 case RL_ABSOLUTE:
777 state = get_extra_state(expr);
778 if (!state || !state->data) {
779 if (implied == RL_HARD)
780 return NULL;
781 if (get_local_rl(expr, &rl))
782 return rl;
783 if (get_db_type_rl(expr, &rl))
784 return rl;
785 return NULL;
786 }
787 if (implied == RL_HARD && !estate_has_hard_max(state))
788 return NULL;
789 return clone_rl(estate_rl(state));
790 case RL_FUZZY:
791 if (!get_fuzzy_min_helper(expr, &min))
792 min = sval_type_min(get_type(expr));
793 if (!get_fuzzy_max_helper(expr, &max))
794 return NULL;
795 /* fuzzy ranges are often inverted */
796 if (sval_cmp(min, max) > 0) {
797 sval = min;
798 min = max;
799 max = sval;
800 }
801 return alloc_rl(min, max);
802 }
803 return NULL;
804 }
805
806 static sval_t handle_sizeof(struct expression *expr)
807 {
808 struct symbol *sym;
809 sval_t ret;
810
811 ret = sval_blank(expr);
812 sym = expr->cast_type;
813 if (!sym) {
814 sym = evaluate_expression(expr->cast_expression);
815 /*
816 * Expressions of restricted types will possibly get
817 * promoted - check that here
818 */
819 if (is_restricted_type(sym)) {
820 if (type_bits(sym) < bits_in_int)
821 sym = &int_ctype;
822 } else if (is_fouled_type(sym)) {
823 sym = &int_ctype;
824 }
825 }
826 examine_symbol_type(sym);
827
828 ret.type = size_t_ctype;
829 if (type_bits(sym) <= 0) /* sizeof(void) */ {
830 if (get_real_base_type(sym) == &void_ctype)
831 ret.value = 1;
832 else
833 ret.value = 0;
834 } else
835 ret.value = type_bytes(sym);
836
837 return ret;
838 }
839
840 static struct range_list *handle_call_rl(struct expression *expr, int implied, int *recurse_cnt)
841 {
842 struct range_list *rl;
843
844 if (sym_name_is("__builtin_expect", expr->fn)) {
845 struct expression *arg;
846
847 arg = get_argument_from_call_expr(expr->args, 0);
848 return _get_rl(arg, implied, recurse_cnt);
849 }
850
851 if (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY)
852 return NULL;
853
854 if (get_implied_return(expr, &rl))
855 return rl;
856 return db_return_vals(expr);
857 }
858
859 static struct range_list *handle_cast(struct expression *expr, int implied, int *recurse_cnt)
860 {
861 struct range_list *rl;
862 struct symbol *type;
863
864 type = get_type(expr);
865 rl = _get_rl(expr->cast_expression, implied, recurse_cnt);
866 if (rl)
867 return cast_rl(type, rl);
868 if (implied == RL_ABSOLUTE)
869 return alloc_whole_rl(type);
870 if (implied == RL_IMPLIED && type &&
871 type_bits(type) > 0 && type_bits(type) < 32)
872 return alloc_whole_rl(type);
873 return NULL;
874 }
875
876 static struct range_list *_get_rl(struct expression *expr, int implied, int *recurse_cnt)
877 {
878 struct range_list *rl;
879 struct symbol *type;
880 sval_t sval;
881
882 type = get_type(expr);
883 expr = strip_parens(expr);
884 if (!expr)
885 return NULL;
886
887 if (++(*recurse_cnt) >= 200)
888 return NULL;
889
890 switch(expr->type) {
891 case EXPR_CAST:
892 case EXPR_FORCE_CAST:
893 case EXPR_IMPLIED_CAST:
894 rl = handle_cast(expr, implied, recurse_cnt);
895 goto out_cast;
896 }
897
898 expr = strip_expr(expr);
899 if (!expr)
900 return NULL;
901
902 switch (expr->type) {
903 case EXPR_VALUE:
904 sval = sval_from_val(expr, expr->value);
905 rl = alloc_rl(sval, sval);
906 break;
907 case EXPR_PREOP:
908 rl = handle_preop_rl(expr, implied, recurse_cnt);
909 break;
910 case EXPR_POSTOP:
911 rl = _get_rl(expr->unop, implied, recurse_cnt);
912 break;
913 case EXPR_BINOP:
914 rl = handle_binop_rl(expr, implied, recurse_cnt);
915 break;
916 case EXPR_COMPARE:
917 rl = handle_comparison_rl(expr, implied);
918 break;
919 case EXPR_LOGICAL:
920 rl = handle_logical_rl(expr, implied);
921 break;
922 case EXPR_PTRSIZEOF:
923 case EXPR_SIZEOF:
924 sval = handle_sizeof(expr);
925 rl = alloc_rl(sval, sval);
926 break;
927 case EXPR_SELECT:
928 case EXPR_CONDITIONAL:
929 rl = handle_conditional_rl(expr, implied, recurse_cnt);
930 break;
931 case EXPR_CALL:
932 rl = handle_call_rl(expr, implied, recurse_cnt);
933 break;
934 default:
935 rl = handle_variable(expr, implied, recurse_cnt);
936 }
937
938 out_cast:
939 if (rl)
940 return rl;
941 if (type && implied == RL_ABSOLUTE)
942 return alloc_whole_rl(type);
943 return NULL;
944 }
945
946 /* returns 1 if it can get a value literal or else returns 0 */
947 int get_value(struct expression *expr, sval_t *sval)
948 {
949 struct range_list *rl;
950 int recurse_cnt = 0;
951
952 rl = _get_rl(expr, RL_EXACT, &recurse_cnt);
953 if (!rl_to_sval(rl, sval))
954 return 0;
955 return 1;
956 }
957
958 int get_implied_value(struct expression *expr, sval_t *sval)
959 {
960 struct range_list *rl;
961 int recurse_cnt = 0;
962
963 rl = _get_rl(expr, RL_IMPLIED, &recurse_cnt);
964 if (!rl_to_sval(rl, sval))
965 return 0;
966 return 1;
967 }
968
969 int get_implied_min(struct expression *expr, sval_t *sval)
970 {
971 struct range_list *rl;
972 int recurse_cnt = 0;
973
974 rl = _get_rl(expr, RL_IMPLIED, &recurse_cnt);
975 if (!rl)
976 return 0;
977 *sval = rl_min(rl);
978 return 1;
979 }
980
981 int get_implied_max(struct expression *expr, sval_t *sval)
982 {
983 struct range_list *rl;
984 int recurse_cnt = 0;
985
986 rl = _get_rl(expr, RL_IMPLIED, &recurse_cnt);
987 if (!rl)
988 return 0;
989 *sval = rl_max(rl);
990 return 1;
991 }
992
993 int get_implied_rl(struct expression *expr, struct range_list **rl)
994 {
995 int recurse_cnt = 0;
996
997 *rl = _get_rl(expr, RL_IMPLIED, &recurse_cnt);
998 if (*rl)
999 return 1;
1000 return 0;
1001 }
1002
1003 int get_absolute_rl(struct expression *expr, struct range_list **rl)
1004 {
1005 int recurse_cnt = 0;
1006
1007 *rl = _get_rl(expr, RL_ABSOLUTE, &recurse_cnt);
1008 if (!*rl)
1009 *rl = alloc_whole_rl(get_type(expr));
1010 return 1;
1011 }
1012
1013 int custom_get_absolute_rl(struct expression *expr,
1014 struct range_list *(*fn)(struct expression *expr),
1015 struct range_list **rl)
1016 {
1017 int recurse_cnt = 0;
1018
1019 *rl = NULL;
1020 custom_handle_variable = fn;
1021 *rl = _get_rl(expr, RL_ABSOLUTE, &recurse_cnt);
1022 custom_handle_variable = NULL;
1023 return 1;
1024 }
1025
1026 int get_implied_rl_var_sym(const char *var, struct symbol *sym, struct range_list **rl)
1027 {
1028 struct smatch_state *state;
1029
1030 state = get_state(SMATCH_EXTRA, var, sym);
1031 *rl = estate_rl(state);
1032 if (*rl)
1033 return 1;
1034 return 0;
1035 }
1036
1037 int get_hard_max(struct expression *expr, sval_t *sval)
1038 {
1039 struct range_list *rl;
1040 int recurse_cnt = 0;
1041
1042 rl = _get_rl(expr, RL_HARD, &recurse_cnt);
1043 if (!rl)
1044 return 0;
1045 *sval = rl_max(rl);
1046 return 1;
1047 }
1048
1049 int get_fuzzy_min(struct expression *expr, sval_t *sval)
1050 {
1051 struct range_list *rl;
1052 sval_t tmp;
1053 int recurse_cnt = 0;
1054
1055 rl = _get_rl(expr, RL_FUZZY, &recurse_cnt);
1056 if (!rl)
1057 return 0;
1058 tmp = rl_min(rl);
1059 if (sval_is_negative(tmp) && sval_is_min(tmp))
1060 return 0;
1061 *sval = tmp;
1062 return 1;
1063 }
1064
1065 int get_fuzzy_max(struct expression *expr, sval_t *sval)
1066 {
1067 struct range_list *rl;
1068 sval_t max;
1069 int recurse_cnt = 0;
1070
1071 rl = _get_rl(expr, RL_FUZZY, &recurse_cnt);
1072 if (!rl)
1073 return 0;
1074 max = rl_max(rl);
1075 if (max.uvalue > INT_MAX - 10000)
1076 return 0;
1077 *sval = max;
1078 return 1;
1079 }
1080
1081 int get_absolute_min(struct expression *expr, sval_t *sval)
1082 {
1083 struct range_list *rl;
1084 struct symbol *type;
1085 int recurse_cnt = 0;
1086
1087 type = get_type(expr);
1088 if (!type)
1089 type = &llong_ctype; // FIXME: this is wrong but places assume get type can't fail.
1090 rl = _get_rl(expr, RL_ABSOLUTE, &recurse_cnt);
1091 if (rl)
1092 *sval = rl_min(rl);
1093 else
1094 *sval = sval_type_min(type);
1095
1096 if (sval_cmp(*sval, sval_type_min(type)) < 0)
1097 *sval = sval_type_min(type);
1098 return 1;
1099 }
1100
1101 int get_absolute_max(struct expression *expr, sval_t *sval)
1102 {
1103 struct range_list *rl;
1104 struct symbol *type;
1105 int recurse_cnt = 0;
1106
1107 type = get_type(expr);
1108 if (!type)
1109 type = &llong_ctype;
1110 rl = _get_rl(expr, RL_ABSOLUTE, &recurse_cnt);
1111 if (rl)
1112 *sval = rl_max(rl);
1113 else
1114 *sval = sval_type_max(type);
1115
1116 if (sval_cmp(sval_type_max(type), *sval) < 0)
1117 *sval = sval_type_max(type);
1118 return 1;
1119 }
1120
1121 int known_condition_true(struct expression *expr)
1122 {
1123 sval_t tmp;
1124
1125 if (!expr)
1126 return 0;
1127
1128 if (get_value(expr, &tmp) && tmp.value)
1129 return 1;
1130
1131 return 0;
1132 }
1133
1134 int known_condition_false(struct expression *expr)
1135 {
1136 if (!expr)
1137 return 0;
1138
1139 if (is_zero(expr))
1140 return 1;
1141
1142 if (expr->type == EXPR_CALL) {
1143 if (sym_name_is("__builtin_constant_p", expr->fn))
1144 return 1;
1145 }
1146 return 0;
1147 }
1148
1149 int implied_condition_true(struct expression *expr)
1150 {
1151 sval_t tmp;
1152
1153 if (!expr)
1154 return 0;
1155
1156 if (known_condition_true(expr))
1157 return 1;
1158 if (get_implied_value(expr, &tmp) && tmp.value)
1159 return 1;
1160
1161 if (expr->type == EXPR_POSTOP)
1162 return implied_condition_true(expr->unop);
1163
1164 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_DECREMENT)
1165 return implied_not_equal(expr->unop, 1);
1166 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_INCREMENT)
1167 return implied_not_equal(expr->unop, -1);
1168
1169 expr = strip_expr(expr);
1170 switch (expr->type) {
1171 case EXPR_COMPARE:
1172 if (do_comparison(expr) == 1)
1173 return 1;
1174 break;
1175 case EXPR_PREOP:
1176 if (expr->op == '!') {
1177 if (implied_condition_false(expr->unop))
1178 return 1;
1179 break;
1180 }
1181 break;
1182 default:
1183 if (implied_not_equal(expr, 0) == 1)
1184 return 1;
1185 break;
1186 }
1187 return 0;
1188 }
1189
1190 int implied_condition_false(struct expression *expr)
1191 {
1192 struct expression *tmp;
1193 sval_t sval;
1194
1195 if (!expr)
1196 return 0;
1197
1198 if (known_condition_false(expr))
1199 return 1;
1200
1201 switch (expr->type) {
1202 case EXPR_COMPARE:
1203 if (do_comparison(expr) == 2)
1204 return 1;
1205 case EXPR_PREOP:
1206 if (expr->op == '!') {
1207 if (implied_condition_true(expr->unop))
1208 return 1;
1209 break;
1210 }
1211 tmp = strip_expr(expr);
1212 if (tmp != expr)
1213 return implied_condition_false(tmp);
1214 break;
1215 default:
1216 if (get_implied_value(expr, &sval) && sval.value == 0)
1217 return 1;
1218 break;
1219 }
1220 return 0;
1221 }
1222
1223 int can_integer_overflow(struct symbol *type, struct expression *expr)
1224 {
1225 int op;
1226 sval_t lmax, rmax, res;
1227
1228 if (!type)
1229 type = &int_ctype;
1230
1231 expr = strip_expr(expr);
1232
1233 if (expr->type == EXPR_ASSIGNMENT) {
1234 switch(expr->op) {
1235 case SPECIAL_MUL_ASSIGN:
1236 op = '*';
1237 break;
1238 case SPECIAL_ADD_ASSIGN:
1239 op = '+';
1240 break;
1241 case SPECIAL_SHL_ASSIGN:
1242 op = SPECIAL_LEFTSHIFT;
1243 break;
1244 default:
1245 return 0;
1246 }
1247 } else if (expr->type == EXPR_BINOP) {
1248 if (expr->op != '*' && expr->op != '+' && expr->op != SPECIAL_LEFTSHIFT)
1249 return 0;
1250 op = expr->op;
1251 } else {
1252 return 0;
1253 }
1254
1255 get_absolute_max(expr->left, &lmax);
1256 get_absolute_max(expr->right, &rmax);
1257
1258 if (sval_binop_overflows(lmax, op, rmax))
1259 return 1;
1260
1261 res = sval_binop(lmax, op, rmax);
1262 if (sval_cmp(res, sval_type_max(type)) > 0)
1263 return 1;
1264 return 0;
1265 }
Static analysis for C