search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
buf_size: handle devm_kmalloc() allocations.
[smatch.git] / smatch_math.c
blob386939b0c33f152b1bfba286bf2dd2ee82585e81
1 /*
2 * smatch/smatch_math.c
3 *
4 * Copyright (C) 2010 Dan Carpenter.
5 *
6 * Licensed under the Open Software License version 1.1
7 *
8 */
9
10 #include "symbol.h"
11 #include "smatch.h"
12 #include "smatch_slist.h"
13 #include "smatch_extra.h"
14
15 static struct range_list *_get_rl(struct expression *expr, int implied);
16 static struct range_list *handle_variable(struct expression *expr, int implied);
17
18 static sval_t zero = {.type = &int_ctype, {.value = 0} };
19 static sval_t one = {.type = &int_ctype, {.value = 1} };
20
21 static struct range_list *rl_zero(void)
22 {
23 return alloc_rl(zero, zero);
24 }
25
26 static struct range_list *rl_one(void)
27 {
28 return alloc_rl(one, one);
29 }
30
31 enum {
32 RL_EXACT,
33 RL_HARD,
34 RL_FUZZY,
35 RL_IMPLIED,
36 RL_ABSOLUTE
37 };
38
39 static struct range_list *last_stmt_rl(struct statement *stmt, int implied)
40 {
41 if (!stmt)
42 return NULL;
43
44 stmt = last_ptr_list((struct ptr_list *)stmt->stmts);
45 if (stmt->type != STMT_EXPRESSION)
46 return NULL;
47 return _get_rl(stmt->expression, implied);
48 }
49
50 static struct range_list *handle_expression_statement_rl(struct expression *expr, int implied)
51 {
52 return last_stmt_rl(get_expression_statement(expr), implied);
53 }
54
55 static struct range_list *handle_ampersand_rl(int implied)
56 {
57 if (implied == RL_EXACT || implied == RL_HARD)
58 return NULL;
59 return alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
60 }
61
62 static struct range_list *handle_negate_rl(struct expression *expr, int implied)
63 {
64 if (known_condition_true(expr->unop))
65 return rl_zero();
66 if (known_condition_false(expr->unop))
67 return rl_one();
68
69 if (implied == RL_EXACT)
70 return NULL;
71
72 if (implied_condition_true(expr->unop))
73 return rl_zero();
74 if (implied_condition_false(expr->unop))
75 return rl_one();
76 return alloc_rl(zero, one);
77 }
78
79 static struct range_list *handle_bitwise_negate(struct expression *expr, int implied)
80 {
81 struct range_list *rl;
82 sval_t sval;
83
84 rl = _get_rl(expr->unop, implied);
85 if (!rl_to_sval(rl, &sval))
86 return NULL;
87 sval = sval_preop(sval, '~');
88 sval_cast(get_type(expr->unop), sval);
89 return alloc_rl(sval, sval);
90 }
91
92 static struct range_list *handle_minus_preop(struct expression *expr, int implied)
93 {
94 struct range_list *rl;
95 sval_t sval;
96
97 rl = _get_rl(expr->unop, implied);
98 if (!rl_to_sval(rl, &sval))
99 return NULL;
100 sval = sval_preop(sval, '-');
101 return alloc_rl(sval, sval);
102 }
103
104 static struct range_list *handle_preop_rl(struct expression *expr, int implied)
105 {
106 switch (expr->op) {
107 case '&':
108 return handle_ampersand_rl(implied);
109 case '!':
110 return handle_negate_rl(expr, implied);
111 case '~':
112 return handle_bitwise_negate(expr, implied);
113 case '-':
114 return handle_minus_preop(expr, implied);
115 case '*':
116 return handle_variable(expr, implied);
117 case '(':
118 return handle_expression_statement_rl(expr, implied);
119 default:
120 return NULL;
121 }
122 }
123
124 static struct range_list *handle_divide_rl(struct expression *expr, int implied)
125 {
126 struct range_list *left_rl, *right_rl;
127 struct symbol *type;
128 sval_t min, max;
129
130 type = get_type(expr);
131
132 left_rl = _get_rl(expr->left, implied);
133 left_rl = cast_rl(type, left_rl);
134 right_rl = _get_rl(expr->right, implied);
135 right_rl = cast_rl(type, right_rl);
136
137 if (!left_rl || !right_rl)
138 return NULL;
139 if (is_whole_rl(left_rl) || is_whole_rl(right_rl))
140 return NULL;
141 if (sval_is_negative(rl_min(left_rl)) || sval_cmp_val(rl_min(right_rl), 0) <= 0)
142 return NULL;
143
144 max = rl_max(left_rl);
145 if (!sval_is_max(max))
146 max = sval_binop(max, '/', rl_min(right_rl));
147 min = sval_binop(rl_min(left_rl), '/', rl_max(right_rl));
148 return alloc_rl(min, max);
149 }
150
151 static struct range_list *handle_subtract_rl(struct expression *expr, int implied)
152 {
153 struct symbol *type;
154 struct range_list *left_rl, *right_rl;
155 sval_t max, min, tmp;
156 int comparison;
157
158 type = get_type(expr);
159 comparison = get_comparison(expr->left, expr->right);
160
161 left_rl = _get_rl(expr->left, implied);
162 left_rl = cast_rl(type, left_rl);
163 right_rl = _get_rl(expr->right, implied);
164 right_rl = cast_rl(type, right_rl);
165
166 if ((!left_rl || !right_rl) &&
167 (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY))
168 return NULL;
169
170 if (!left_rl)
171 left_rl = alloc_whole_rl(type);
172 if (!right_rl)
173 right_rl = alloc_whole_rl(type);
174
175 /* negative values complicate everything fix this later */
176 if (sval_is_negative(rl_min(right_rl)))
177 return NULL;
178 max = rl_max(left_rl);
179
180 switch (comparison) {
181 case '>':
182 case SPECIAL_UNSIGNED_GT:
183 min = sval_type_val(type, 1);
184 max = rl_max(left_rl);
185 break;
186 case SPECIAL_GTE:
187 case SPECIAL_UNSIGNED_GTE:
188 min = sval_type_val(type, 0);
189 max = rl_max(left_rl);
190 break;
191 default:
192 if (sval_binop_overflows(rl_min(left_rl), '-', rl_max(right_rl)))
193 return NULL;
194 min = sval_type_min(type);
195 }
196
197 if (!sval_binop_overflows(rl_min(left_rl), '-', rl_max(right_rl))) {
198 tmp = sval_binop(rl_min(left_rl), '-', rl_max(right_rl));
199 if (sval_cmp(tmp, min) > 0)
200 min = tmp;
201 }
202
203 if (!sval_is_max(rl_max(left_rl))) {
204 tmp = sval_binop(rl_max(left_rl), '-', rl_min(right_rl));
205 if (sval_cmp(tmp, max) < 0)
206 max = tmp;
207 }
208
209 if (sval_is_min(min) && sval_is_max(max))
210 return NULL;
211
212 return cast_rl(type, alloc_rl(min, max));
213 }
214
215 static struct range_list *handle_mod_rl(struct expression *expr, int implied)
216 {
217 struct range_list *rl;
218 sval_t left, right, sval;
219
220 if (implied == RL_EXACT) {
221 if (!get_value(expr->right, &right))
222 return NULL;
223 if (!get_value(expr->left, &left))
224 return NULL;
225 sval = sval_binop(left, '%', right);
226 return alloc_rl(sval, sval);
227 }
228 /* if we can't figure out the right side it's probably hopeless */
229 if (!get_implied_value(expr->right, &right))
230 return NULL;
231
232 right = sval_cast(get_type(expr), right);
233 right.value--;
234
235 rl = _get_rl(expr->left, implied);
236 if (rl && rl_max(rl).uvalue < right.uvalue)
237 right.uvalue = rl_max(rl).uvalue;
238
239 return alloc_rl(zero, right);
240 }
241
242 static sval_t sval_lowest_set_bit(sval_t sval)
243 {
244 int i;
245 int found = 0;
246
247 for (i = 0; i < 64; i++) {
248 if (sval.uvalue & 1ULL << i) {
249 if (!found++)
250 continue;
251 sval.uvalue &= ~(1ULL << i);
252 }
253 }
254 return sval;
255 }
256
257 static struct range_list *handle_bitwise_AND(struct expression *expr, int implied)
258 {
259 struct symbol *type;
260 struct range_list *left_rl, *right_rl;
261 sval_t known;
262
263 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE)
264 return NULL;
265
266 type = get_type(expr);
267
268 if (get_implied_value(expr->left, &known)) {
269 sval_t min;
270
271 min = sval_lowest_set_bit(known);
272 left_rl = alloc_rl(min, known);
273 left_rl = cast_rl(type, left_rl);
274 add_range(&left_rl, sval_type_val(type, 0), sval_type_val(type, 0));
275 } else {
276 left_rl = _get_rl(expr->left, implied);
277 if (left_rl) {
278 left_rl = cast_rl(type, left_rl);
279 left_rl = alloc_rl(sval_type_val(type, 0), rl_max(left_rl));
280 } else {
281 if (implied == RL_HARD)
282 return NULL;
283 left_rl = alloc_whole_rl(type);
284 }
285 }
286
287 if (get_implied_value(expr->right, &known)) {
288 sval_t min;
289
290 min = sval_lowest_set_bit(known);
291 right_rl = alloc_rl(min, known);
292 right_rl = cast_rl(type, right_rl);
293 add_range(&right_rl, sval_type_val(type, 0), sval_type_val(type, 0));
294 } else {
295 right_rl = _get_rl(expr->right, implied);
296 if (right_rl) {
297 right_rl = cast_rl(type, right_rl);
298 right_rl = alloc_rl(sval_type_val(type, 0), rl_max(right_rl));
299 } else {
300 if (implied == RL_HARD)
301 return NULL;
302 right_rl = alloc_whole_rl(type);
303 }
304 }
305
306 return rl_intersection(left_rl, right_rl);
307 }
308
309 static struct range_list *handle_bitwise_OR(struct expression *expr, int implied)
310 {
311 struct symbol *type;
312 struct range_list *left_rl, *right_rl;
313
314 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE)
315 return NULL;
316
317 type = get_type(expr);
318
319 get_absolute_rl(expr->left, &left_rl);
320 get_absolute_rl(expr->right, &right_rl);
321 left_rl = cast_rl(type, left_rl);
322 right_rl = cast_rl(type, right_rl);
323
324 return rl_union(left_rl, right_rl);
325 }
326
327 static struct range_list *handle_right_shift(struct expression *expr, int implied)
328 {
329 struct range_list *left_rl;
330 sval_t right;
331 sval_t min, max;
332
333 if (implied == RL_EXACT || implied == RL_HARD)
334 return NULL;
335 /* this is hopeless without the right side */
336 if (!get_implied_value(expr->right, &right))
337 return NULL;
338 left_rl = _get_rl(expr->left, implied);
339 if (left_rl) {
340 max = rl_max(left_rl);
341 min = rl_min(left_rl);
342 } else {
343 if (implied == RL_FUZZY)
344 return NULL;
345 max = sval_type_max(get_type(expr->left));
346 min = sval_type_val(get_type(expr->left), 0);
347 }
348
349 max = sval_binop(max, SPECIAL_RIGHTSHIFT, right);
350 min = sval_binop(min, SPECIAL_RIGHTSHIFT, right);
351 return alloc_rl(min, max);
352 }
353
354 static struct range_list *handle_left_shift(struct expression *expr, int implied)
355 {
356 struct range_list *left_rl, *res;
357 sval_t right;
358 sval_t min, max;
359 int add_zero = 0;
360
361 if (implied == RL_EXACT || implied == RL_HARD)
362 return NULL;
363 /* this is hopeless without the right side */
364 if (!get_implied_value(expr->right, &right))
365 return NULL;
366 left_rl = _get_rl(expr->left, implied);
367 if (left_rl) {
368 max = rl_max(left_rl);
369 min = rl_min(left_rl);
370 if (min.value == 0) {
371 min.value = 1;
372 add_zero = 1;
373 }
374 } else {
375 if (implied == RL_FUZZY)
376 return NULL;
377 max = sval_type_max(get_type(expr->left));
378 min = sval_type_val(get_type(expr->left), 1);
379 add_zero = 1;
380 }
381
382 max = sval_binop(max, SPECIAL_LEFTSHIFT, right);
383 min = sval_binop(min, SPECIAL_LEFTSHIFT, right);
384 res = alloc_rl(min, max);
385 if (add_zero)
386 res = rl_union(res, rl_zero());
387 return res;
388 }
389
390 static struct range_list *handle_known_binop(struct expression *expr)
391 {
392 sval_t left, right;
393
394 if (!get_value(expr->left, &left))
395 return NULL;
396 if (!get_value(expr->right, &right))
397 return NULL;
398 left = sval_binop(left, expr->op, right);
399 return alloc_rl(left, left);
400 }
401
402 static struct range_list *handle_binop_rl(struct expression *expr, int implied)
403 {
404 struct symbol *type;
405 struct range_list *left_rl, *right_rl, *rl;
406 sval_t min, max;
407
408 rl = handle_known_binop(expr);
409 if (rl)
410 return rl;
411 if (implied == RL_EXACT)
412 return NULL;
413
414 switch (expr->op) {
415 case '%':
416 return handle_mod_rl(expr, implied);
417 case '&':
418 return handle_bitwise_AND(expr, implied);
419 case '|':
420 return handle_bitwise_OR(expr, implied);
421 case SPECIAL_RIGHTSHIFT:
422 return handle_right_shift(expr, implied);
423 case SPECIAL_LEFTSHIFT:
424 return handle_left_shift(expr, implied);
425 case '-':
426 return handle_subtract_rl(expr, implied);
427 case '/':
428 return handle_divide_rl(expr, implied);
429 }
430
431 type = get_type(expr);
432 left_rl = _get_rl(expr->left, implied);
433 left_rl = cast_rl(type, left_rl);
434 right_rl = _get_rl(expr->right, implied);
435 right_rl = cast_rl(type, right_rl);
436
437 if (!left_rl || !right_rl)
438 return NULL;
439
440 if (sval_binop_overflows(rl_min(left_rl), expr->op, rl_min(right_rl)))
441 return NULL;
442 min = sval_binop(rl_min(left_rl), expr->op, rl_min(right_rl));
443
444 if (sval_binop_overflows(rl_max(left_rl), expr->op, rl_max(right_rl))) {
445 switch (implied) {
446 case RL_FUZZY:
447 case RL_HARD:
448 return NULL;
449 default:
450 max = sval_type_max(get_type(expr));
451 }
452 } else {
453 max = sval_binop(rl_max(left_rl), expr->op, rl_max(right_rl));
454 }
455
456 return alloc_rl(min, max);
457 }
458
459 static int do_comparison(struct expression *expr)
460 {
461 struct range_list *left_ranges = NULL;
462 struct range_list *right_ranges = NULL;
463 int poss_true, poss_false;
464 struct symbol *type;
465
466 type = get_type(expr);
467
468 get_implied_rl(expr->left, &left_ranges);
469 get_implied_rl(expr->right, &right_ranges);
470 left_ranges = cast_rl(type, left_ranges);
471 right_ranges = cast_rl(type, right_ranges);
472
473 poss_true = possibly_true_rl(left_ranges, expr->op, right_ranges);
474 poss_false = possibly_false_rl(left_ranges, expr->op, right_ranges);
475
476 free_rl(&left_ranges);
477 free_rl(&right_ranges);
478
479 if (!poss_true && !poss_false)
480 return 0;
481 if (poss_true && !poss_false)
482 return 1;
483 if (!poss_true && poss_false)
484 return 2;
485 return 3;
486 }
487
488 static struct range_list *handle_comparison_rl(struct expression *expr, int implied)
489 {
490 sval_t left, right;
491 int res;
492
493 if (get_value(expr->left, &left) && get_value(expr->right, &right)) {
494 struct data_range tmp_left, tmp_right;
495
496 tmp_left.min = left;
497 tmp_left.max = left;
498 tmp_right.min = right;
499 tmp_right.max = right;
500 if (true_comparison_range(&tmp_left, expr->op, &tmp_right))
501 return rl_one();
502 return rl_zero();
503 }
504
505 if (implied == RL_EXACT)
506 return NULL;
507
508 res = do_comparison(expr);
509 if (res == 1)
510 return rl_one();
511 if (res == 2)
512 return rl_zero();
513
514 return alloc_rl(zero, one);
515 }
516
517 static struct range_list *handle_logical_rl(struct expression *expr, int implied)
518 {
519 sval_t left, right;
520 int left_known = 0;
521 int right_known = 0;
522
523 if (implied == RL_EXACT) {
524 if (get_value(expr->left, &left))
525 left_known = 1;
526 if (get_value(expr->right, &right))
527 right_known = 1;
528 } else {
529 if (get_implied_value(expr->left, &left))
530 left_known = 1;
531 if (get_implied_value(expr->right, &right))
532 right_known = 1;
533 }
534
535 switch (expr->op) {
536 case SPECIAL_LOGICAL_OR:
537 if (left_known && left.value)
538 return rl_one();
539 if (right_known && right.value)
540 return rl_one();
541 if (left_known && right_known)
542 return rl_zero();
543 break;
544 case SPECIAL_LOGICAL_AND:
545 if (left_known && right_known) {
546 if (left.value && right.value)
547 return rl_one();
548 return rl_zero();
549 }
550 break;
551 default:
552 return NULL;
553 }
554
555 if (implied == RL_EXACT)
556 return NULL;
557
558 return alloc_rl(zero, one);
559 }
560
561 static struct range_list *handle_conditional_rl(struct expression *expr, int implied)
562 {
563 struct range_list *true_rl, *false_rl;
564 struct symbol *type;
565 int final_pass_orig = final_pass;
566
567 if (known_condition_true(expr->conditional))
568 return _get_rl(expr->cond_true, implied);
569 if (known_condition_false(expr->conditional))
570 return _get_rl(expr->cond_false, implied);
571
572 if (implied == RL_EXACT)
573 return NULL;
574
575 if (implied_condition_true(expr->conditional))
576 return _get_rl(expr->cond_true, implied);
577 if (implied_condition_false(expr->conditional))
578 return _get_rl(expr->cond_false, implied);
579
580
581 /* this becomes a problem with deeply nested conditional statements */
582 if (low_on_memory())
583 return NULL;
584
585 type = get_type(expr);
586
587 __push_fake_cur_slist();
588 final_pass = 0;
589 __split_whole_condition(expr->conditional);
590 true_rl = _get_rl(expr->cond_true, implied);
591 __push_true_states();
592 __use_false_states();
593 false_rl = _get_rl(expr->cond_false, implied);
594 __merge_true_states();
595 __free_fake_cur_slist();
596 final_pass = final_pass_orig;
597
598 if (!true_rl || !false_rl)
599 return NULL;
600 true_rl = cast_rl(type, true_rl);
601 false_rl = cast_rl(type, false_rl);
602
603 return rl_union(true_rl, false_rl);
604 }
605
606 static int get_fuzzy_max_helper(struct expression *expr, sval_t *max)
607 {
608 struct sm_state *sm;
609 struct sm_state *tmp;
610 sval_t sval;
611
612 if (get_hard_max(expr, &sval)) {
613 *max = sval;
614 return 1;
615 }
616
617 sm = get_sm_state_expr(SMATCH_EXTRA, expr);
618 if (!sm)
619 return 0;
620
621 sval = sval_type_min(estate_type(sm->state));
622 FOR_EACH_PTR(sm->possible, tmp) {
623 sval_t new_min;
624
625 new_min = estate_min(tmp->state);
626 if (sval_cmp(new_min, sval) > 0)
627 sval = new_min;
628 } END_FOR_EACH_PTR(tmp);
629
630 if (sval_is_min(sval))
631 return 0;
632 if (sval.value == sval_type_min(sval.type).value + 1) /* it's common to be on off */
633 return 0;
634
635 *max = sval_cast(get_type(expr), sval);
636 return 1;
637 }
638
639 static int get_fuzzy_min_helper(struct expression *expr, sval_t *min)
640 {
641 struct sm_state *sm;
642 struct sm_state *tmp;
643 sval_t sval;
644
645 sm = get_sm_state_expr(SMATCH_EXTRA, expr);
646 if (!sm)
647 return 0;
648
649 if (!sval_is_min(estate_min(sm->state))) {
650 *min = estate_min(sm->state);
651 return 1;
652 }
653
654 sval = sval_type_max(estate_type(sm->state));
655 FOR_EACH_PTR(sm->possible, tmp) {
656 sval_t new_max;
657
658 new_max = estate_max(tmp->state);
659 if (sval_cmp(new_max, sval) < 0)
660 sval = new_max;
661 } END_FOR_EACH_PTR(tmp);
662
663 if (sval_is_max(sval))
664 return 0;
665 *min = sval_cast(get_type(expr), sval);
666 return 1;
667 }
668
669 int get_const_value(struct expression *expr, sval_t *sval)
670 {
671 struct symbol *sym;
672 sval_t right;
673
674 if (expr->type != EXPR_SYMBOL || !expr->symbol)
675 return 0;
676 sym = expr->symbol;
677 if (!(sym->ctype.modifiers & MOD_CONST))
678 return 0;
679 if (get_value(sym->initializer, &right)) {
680 *sval = sval_cast(get_type(expr), right);
681 return 1;
682 }
683 return 0;
684 }
685
686 static struct range_list *handle_variable(struct expression *expr, int implied)
687 {
688 struct smatch_state *state;
689 struct range_list *rl;
690 sval_t sval, min, max;
691
692 if (get_const_value(expr, &sval))
693 return alloc_rl(sval, sval);
694
695 switch (implied) {
696 case RL_EXACT:
697 return NULL;
698 case RL_HARD:
699 case RL_IMPLIED:
700 case RL_ABSOLUTE:
701 state = get_state_expr(SMATCH_EXTRA, expr);
702 if (!state || !state->data) {
703 if (implied == RL_HARD)
704 return NULL;
705 if (get_local_rl(expr, &rl))
706 return rl;
707 if (get_db_type_rl(expr, &rl))
708 return rl;
709 return NULL;
710 }
711 if (implied == RL_HARD && !estate_has_hard_max(state))
712 return NULL;
713 return clone_rl(estate_rl(state));
714 case RL_FUZZY:
715 if (!get_fuzzy_min_helper(expr, &min))
716 min = sval_type_min(get_type(expr));
717 if (!get_fuzzy_max_helper(expr, &max))
718 return NULL;
719 /* fuzzy ranges are often inverted */
720 if (sval_cmp(min, max) > 0) {
721 sval = min;
722 min = max;
723 max = sval;
724 }
725 return alloc_rl(min, max);
726 }
727 return NULL;
728 }
729
730 static sval_t handle_sizeof(struct expression *expr)
731 {
732 struct symbol *sym;
733 sval_t ret;
734
735 ret = sval_blank(expr);
736 sym = expr->cast_type;
737 if (!sym) {
738 sym = evaluate_expression(expr->cast_expression);
739 /*
740 * Expressions of restricted types will possibly get
741 * promoted - check that here
742 */
743 if (is_restricted_type(sym)) {
744 if (sym->bit_size < bits_in_int)
745 sym = &int_ctype;
746 } else if (is_fouled_type(sym)) {
747 sym = &int_ctype;
748 }
749 }
750 examine_symbol_type(sym);
751
752 ret.type = size_t_ctype;
753 if (sym->bit_size <= 0) /* sizeof(void) */ {
754 if (get_real_base_type(sym) == &void_ctype)
755 ret.value = 1;
756 else
757 ret.value = 0;
758 } else
759 ret.value = bits_to_bytes(sym->bit_size);
760
761 return ret;
762 }
763
764 static struct range_list *handle_call_rl(struct expression *expr, int implied)
765 {
766 struct range_list *rl;
767
768 if (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY)
769 return NULL;
770
771 if (get_implied_return(expr, &rl))
772 return rl;
773 return db_return_vals(expr);
774 }
775
776 static struct range_list *handle_cast(struct expression *expr, int implied)
777 {
778 struct range_list *rl;
779 struct symbol *type;
780
781 type = get_type(expr);
782 rl = _get_rl(expr->cast_expression, implied);
783 if (rl)
784 return cast_rl(type, rl);
785 if (implied == RL_ABSOLUTE)
786 return alloc_whole_rl(type);
787 if (implied == RL_IMPLIED && type &&
788 type->bit_size > 0 && type->bit_size < 32)
789 return alloc_whole_rl(type);
790 return NULL;
791 }
792
793 static struct range_list *_get_rl(struct expression *expr, int implied)
794 {
795 struct range_list *rl;
796 struct symbol *type;
797 sval_t sval;
798
799 expr = strip_parens(expr);
800 if (!expr)
801 return NULL;
802 type = get_type(expr);
803
804 switch (expr->type) {
805 case EXPR_VALUE:
806 sval = sval_from_val(expr, expr->value);
807 rl = alloc_rl(sval, sval);
808 break;
809 case EXPR_PREOP:
810 rl = handle_preop_rl(expr, implied);
811 break;
812 case EXPR_POSTOP:
813 rl = _get_rl(expr->unop, implied);
814 break;
815 case EXPR_CAST:
816 case EXPR_FORCE_CAST:
817 case EXPR_IMPLIED_CAST:
818 rl = handle_cast(expr, implied);
819 break;
820 case EXPR_BINOP:
821 rl = handle_binop_rl(expr, implied);
822 break;
823 case EXPR_COMPARE:
824 rl = handle_comparison_rl(expr, implied);
825 break;
826 case EXPR_LOGICAL:
827 rl = handle_logical_rl(expr, implied);
828 break;
829 case EXPR_PTRSIZEOF:
830 case EXPR_SIZEOF:
831 sval = handle_sizeof(expr);
832 rl = alloc_rl(sval, sval);
833 break;
834 case EXPR_SELECT:
835 case EXPR_CONDITIONAL:
836 rl = handle_conditional_rl(expr, implied);
837 break;
838 case EXPR_CALL:
839 rl = handle_call_rl(expr, implied);
840 break;
841 default:
842 rl = handle_variable(expr, implied);
843 }
844
845 if (rl)
846 return rl;
847 if (type && implied == RL_ABSOLUTE)
848 return alloc_whole_rl(type);
849 return NULL;
850 }
851
852 /* returns 1 if it can get a value literal or else returns 0 */
853 int get_value(struct expression *expr, sval_t *sval)
854 {
855 struct range_list *rl;
856
857 rl = _get_rl(expr, RL_EXACT);
858 if (!rl_to_sval(rl, sval))
859 return 0;
860 return 1;
861 }
862
863 int get_implied_value(struct expression *expr, sval_t *sval)
864 {
865 struct range_list *rl;
866
867 rl = _get_rl(expr, RL_IMPLIED);
868 if (!rl_to_sval(rl, sval))
869 return 0;
870 return 1;
871 }
872
873 int get_implied_min(struct expression *expr, sval_t *sval)
874 {
875 struct range_list *rl;
876
877 rl = _get_rl(expr, RL_IMPLIED);
878 if (!rl)
879 return 0;
880 *sval = rl_min(rl);
881 return 1;
882 }
883
884 int get_implied_max(struct expression *expr, sval_t *sval)
885 {
886 struct range_list *rl;
887
888 rl = _get_rl(expr, RL_IMPLIED);
889 if (!rl)
890 return 0;
891 *sval = rl_max(rl);
892 return 1;
893 }
894
895 int get_implied_rl(struct expression *expr, struct range_list **rl)
896 {
897 *rl = _get_rl(expr, RL_IMPLIED);
898 if (*rl)
899 return 1;
900 return 0;
901 }
902
903 int get_absolute_rl(struct expression *expr, struct range_list **rl)
904 {
905 *rl = _get_rl(expr, RL_ABSOLUTE);
906 if (!*rl)
907 *rl = alloc_whole_rl(get_type(expr));
908 return 1;
909 }
910
911 int get_implied_rl_var_sym(const char *var, struct symbol *sym, struct range_list **rl)
912 {
913 struct smatch_state *state;
914
915 state = get_state(SMATCH_EXTRA, var, sym);
916 *rl = estate_rl(state);
917 if (*rl)
918 return 1;
919 return 0;
920 }
921
922 int get_hard_max(struct expression *expr, sval_t *sval)
923 {
924 struct range_list *rl;
925
926 rl = _get_rl(expr, RL_HARD);
927 if (!rl)
928 return 0;
929 *sval = rl_max(rl);
930 return 1;
931 }
932
933 int get_fuzzy_min(struct expression *expr, sval_t *sval)
934 {
935 struct range_list *rl;
936 sval_t tmp;
937
938 rl = _get_rl(expr, RL_FUZZY);
939 if (!rl)
940 return 0;
941 tmp = rl_min(rl);
942 if (sval_is_negative(tmp) && sval_is_min(tmp))
943 return 0;
944 *sval = tmp;
945 return 1;
946 }
947
948 int get_fuzzy_max(struct expression *expr, sval_t *sval)
949 {
950 struct range_list *rl;
951 sval_t max;
952
953 rl = _get_rl(expr, RL_FUZZY);
954 if (!rl)
955 return 0;
956 max = rl_max(rl);
957 if (max.uvalue > INT_MAX - 10000)
958 return 0;
959 *sval = max;
960 return 1;
961 }
962
963 int get_absolute_min(struct expression *expr, sval_t *sval)
964 {
965 struct range_list *rl;
966 struct symbol *type;
967
968 type = get_type(expr);
969 if (!type)
970 type = &llong_ctype; // FIXME: this is wrong but places assume get type can't fail.
971 rl = _get_rl(expr, RL_ABSOLUTE);
972 if (rl)
973 *sval = rl_min(rl);
974 else
975 *sval = sval_type_min(type);
976
977 if (sval_cmp(*sval, sval_type_min(type)) < 0)
978 *sval = sval_type_min(type);
979 return 1;
980 }
981
982 int get_absolute_max(struct expression *expr, sval_t *sval)
983 {
984 struct range_list *rl;
985 struct symbol *type;
986
987 type = get_type(expr);
988 if (!type)
989 type = &llong_ctype;
990 rl = _get_rl(expr, RL_ABSOLUTE);
991 if (rl)
992 *sval = rl_max(rl);
993 else
994 *sval = sval_type_max(type);
995
996 if (sval_cmp(sval_type_max(type), *sval) < 0)
997 *sval = sval_type_max(type);
998 return 1;
999 }
1000
1001 int known_condition_true(struct expression *expr)
1002 {
1003 sval_t tmp;
1004
1005 if (!expr)
1006 return 0;
1007
1008 if (get_value(expr, &tmp) && tmp.value)
1009 return 1;
1010
1011 return 0;
1012 }
1013
1014 int known_condition_false(struct expression *expr)
1015 {
1016 if (!expr)
1017 return 0;
1018
1019 if (is_zero(expr))
1020 return 1;
1021
1022 if (expr->type == EXPR_CALL) {
1023 if (sym_name_is("__builtin_constant_p", expr->fn))
1024 return 1;
1025 }
1026 return 0;
1027 }
1028
1029 int implied_condition_true(struct expression *expr)
1030 {
1031 sval_t tmp;
1032
1033 if (!expr)
1034 return 0;
1035
1036 if (known_condition_true(expr))
1037 return 1;
1038 if (get_implied_value(expr, &tmp) && tmp.value)
1039 return 1;
1040
1041 if (expr->type == EXPR_POSTOP)
1042 return implied_condition_true(expr->unop);
1043
1044 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_DECREMENT)
1045 return implied_not_equal(expr->unop, 1);
1046 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_INCREMENT)
1047 return implied_not_equal(expr->unop, -1);
1048
1049 expr = strip_expr(expr);
1050 switch (expr->type) {
1051 case EXPR_COMPARE:
1052 if (do_comparison(expr) == 1)
1053 return 1;
1054 break;
1055 case EXPR_PREOP:
1056 if (expr->op == '!') {
1057 if (implied_condition_false(expr->unop))
1058 return 1;
1059 break;
1060 }
1061 break;
1062 default:
1063 if (implied_not_equal(expr, 0) == 1)
1064 return 1;
1065 break;
1066 }
1067 return 0;
1068 }
1069
1070 int implied_condition_false(struct expression *expr)
1071 {
1072 struct expression *tmp;
1073 sval_t sval;
1074
1075 if (!expr)
1076 return 0;
1077
1078 if (known_condition_false(expr))
1079 return 1;
1080
1081 switch (expr->type) {
1082 case EXPR_COMPARE:
1083 if (do_comparison(expr) == 2)
1084 return 1;
1085 case EXPR_PREOP:
1086 if (expr->op == '!') {
1087 if (implied_condition_true(expr->unop))
1088 return 1;
1089 break;
1090 }
1091 tmp = strip_expr(expr);
1092 if (tmp != expr)
1093 return implied_condition_false(tmp);
1094 break;
1095 default:
1096 if (get_implied_value(expr, &sval) && sval.value == 0)
1097 return 1;
1098 break;
1099 }
1100 return 0;
1101 }
Static analysis for C