check_err_ptr_deref.c

   1 /*
   2  * sparse/check_err_ptr_deref.c
   3  *
   4  * Copyright (C) 2009 Dan Carpenter.
   5  *
   6  * Licensed under the Open Software License version 1.1
   7  *
   8  */
   9
  10 #include "smatch.h"
  11 #include "smatch_slist.h"
  12 #include "smatch_extra.h"
  13
  14 static int my_id;
  15
  16 STATE(err_ptr);
  17 STATE(checked);
  18
  19 static void ok_to_use(const char *name, struct symbol *sym, struct expression *expr, void *unused)
  20 {
  21         delete_state(my_id, name, sym);
  22 }
  23
  24 static void check_is_err_ptr(struct sm_state *sm)
  25 {
  26         if (!sm)
  27                 return;
  28
  29         if (slist_has_state(sm->possible, &err_ptr)) {
  30                 sm_msg("error: '%s' dereferencing possible ERR_PTR()",
  31                            sm->name);
  32                 set_state(my_id, sm->name, sm->sym, &checked);
  33         }
  34 }
  35
  36 static void match_returns_err_ptr(const char *fn, struct expression *expr,
  37                                 void *info)
  38 {
  39         set_state_expr(my_id, expr->left, &err_ptr);
  40 }
  41
  42
  43 static void match_checked(const char *fn, struct expression *call_expr,
  44                         struct expression *assign_expr, void *unused)
  45 {
  46         struct expression *arg;
  47
  48         arg = get_argument_from_call_expr(call_expr->args, 0);
  49         arg = strip_expr(arg);
  50         while (arg->type == EXPR_ASSIGNMENT)
  51                 arg = strip_expr(arg->left);
  52         set_state_expr(my_id, arg, &checked);
  53 }
  54
  55 static void match_err(const char *fn, struct expression *call_expr,
  56                         struct expression *assign_expr, void *unused)
  57 {
  58         struct expression *arg;
  59
  60         arg = get_argument_from_call_expr(call_expr->args, 0);
  61         arg = strip_expr(arg);
  62         while (arg->type == EXPR_ASSIGNMENT)
  63                 arg = strip_expr(arg->left);
  64         set_state_expr(my_id, arg, &err_ptr);
  65 }
  66
  67 static void match_dereferences(struct expression *expr)
  68 {
  69         struct sm_state *sm;
  70
  71         if (expr->type != EXPR_PREOP)
  72                 return;
  73         expr = strip_expr(expr->unop);
  74
  75         sm = get_sm_state_expr(my_id, expr);
  76         check_is_err_ptr(sm);
  77 }
  78
  79 static void register_err_ptr_funcs(void)
  80 {
  81         struct token *token;
  82         const char *func;
  83
  84         token = get_tokens_file("kernel.returns_err_ptr");
  85         if (!token)
  86                 return;
  87         if (token_type(token) != TOKEN_STREAMBEGIN)
  88                 return;
  89         token = token->next;
  90         while (token_type(token) != TOKEN_STREAMEND) {
  91                 if (token_type(token) != TOKEN_IDENT)
  92                         return;
  93                 func = show_ident(token->ident);
  94                 add_function_assign_hook(func, &match_returns_err_ptr, NULL);
  95                 token = token->next;
  96         }
  97         clear_token_alloc();
  98 }
  99
 100 static void match_err_ptr(const char *fn, struct expression *expr, void *unused)
 101 {
 102         struct expression *arg;
 103         struct sm_state *sm;
 104         struct sm_state *tmp;
 105         long long tmp_min;
 106         long long tmp_max;
 107         long long min = whole_range.max;
 108         long long max = whole_range.min;
 109
 110         arg = get_argument_from_call_expr(expr->args, 0);
 111         sm = get_sm_state_expr(SMATCH_EXTRA, arg);
 112         if (!sm)
 113                 return;
 114         FOR_EACH_PTR(sm->possible, tmp) {
 115                 tmp_min = get_dinfo_min(get_dinfo(tmp->state));
 116                 if (tmp_min != whole_range.min && tmp_min < min)
 117                         min = tmp_min;
 118                 tmp_max = get_dinfo_max(get_dinfo(tmp->state));
 119                 if (tmp_max != whole_range.max && tmp_max > max)
 120                         max = tmp_max;
 121         } END_FOR_EACH_PTR(tmp);
 122         if (min < -4095)
 123                 sm_msg("error: %lld too low for ERR_PTR", min);
 124         if (max > 0)
 125                 sm_msg("error: passing non neg %lld to ERR_PTR", max);
 126 }
 127
 128 static void match_ptr_err(const char *fn, struct expression *expr, void *unused)
 129 {
 130         struct expression *arg;
 131         struct expression *right;
 132
 133         right = strip_expr(expr->right);
 134         arg = get_argument_from_call_expr(right->args, 0);
 135         if (get_state_expr(my_id, arg) == &err_ptr) {
 136                 set_extra_expr_mod(expr->left, alloc_extra_state_range(-4095, -1));
 137         }
 138 }
 139
 140 void check_err_ptr_deref(int id)
 141 {
 142         if (option_project != PROJ_KERNEL)
 143                 return;
 144
 145         my_id = id;
 146         return_implies_state("IS_ERR", 0, 0, &match_checked, NULL);
 147         return_implies_state("IS_ERR", 1, 1, &match_err, NULL);
 148         register_err_ptr_funcs();
 149         add_hook(&match_dereferences, DEREF_HOOK);
 150         add_function_hook("ERR_PTR", &match_err_ptr, NULL);
 151         add_function_assign_hook("PTR_ERR", &match_ptr_err, NULL);
 152         set_default_modification_hook(my_id, ok_to_use);
 153 }
 154