search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kernel.no_return_funcs: add kunit_do_failed_assertion()
[smatch/bkmgit.git] / check_kernel.c
blob4cfee72a460f16144e747d9b9504c100e3bb72b9
1 /*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * This is kernel specific stuff for smatch_extra.
20 */
21
22 #include "scope.h"
23 #include "smatch.h"
24 #include "smatch_slist.h"
25 #include "smatch_extra.h"
26
27 static int implied_err_cast_return(struct expression *call, void *unused, struct range_list **rl)
28 {
29 struct expression *arg;
30
31 arg = get_argument_from_call_expr(call->args, 0);
32 if (!get_implied_rl(arg, rl))
33 *rl = alloc_rl(ptr_err_min, ptr_err_max);
34
35 *rl = cast_rl(get_type(call), *rl);
36 return !!*rl;
37 }
38
39 static void hack_ERR_PTR(struct symbol *sym)
40 {
41 struct symbol *arg;
42 struct smatch_state *estate;
43 struct range_list *after;
44 sval_t low_error = {
45 .type = &long_ctype,
46 .value = -4095,
47 };
48 sval_t minus_one = {
49 .type = &long_ctype,
50 .value = -1,
51 };
52 sval_t zero = {
53 .type = &long_ctype,
54 .value = 0,
55 };
56
57 if (!sym || !sym->ident)
58 return;
59 if (strcmp(sym->ident->name, "ERR_PTR") != 0)
60 return;
61
62 arg = first_ptr_list((struct ptr_list *)sym->ctype.base_type->arguments);
63 if (!arg || !arg->ident)
64 return;
65
66 estate = get_state(SMATCH_EXTRA, arg->ident->name, arg);
67 if (!estate) {
68 after = alloc_rl(low_error, minus_one);
69 } else {
70 after = rl_intersection(estate_rl(estate), alloc_rl(low_error, zero));
71 if (rl_equiv(estate_rl(estate), after))
72 return;
73 }
74 set_state(SMATCH_EXTRA, arg->ident->name, arg, alloc_estate_rl(after));
75 }
76
77 static void match_param_valid_ptr(const char *fn, struct expression *call_expr,
78 struct expression *assign_expr, void *_param)
79 {
80 int param = PTR_INT(_param);
81 struct expression *arg;
82 struct smatch_state *pre_state;
83 struct smatch_state *end_state;
84 struct range_list *rl;
85
86 arg = get_argument_from_call_expr(call_expr->args, param);
87 pre_state = get_state_expr(SMATCH_EXTRA, arg);
88 if (estate_rl(pre_state)) {
89 rl = estate_rl(pre_state);
90 rl = remove_range(rl, ptr_null, ptr_null);
91 rl = remove_range(rl, ptr_err_min, ptr_err_max);
92 } else {
93 rl = alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
94 }
95 end_state = alloc_estate_rl(rl);
96 set_extra_expr_nomod(arg, end_state);
97 }
98
99 static void match_param_err_or_null(const char *fn, struct expression *call_expr,
100 struct expression *assign_expr, void *_param)
101 {
102 int param = PTR_INT(_param);
103 struct expression *arg;
104 struct range_list *pre, *rl;
105 struct smatch_state *pre_state;
106 struct smatch_state *end_state;
107
108 arg = get_argument_from_call_expr(call_expr->args, param);
109 pre_state = get_state_expr(SMATCH_EXTRA, arg);
110 if (pre_state)
111 pre = estate_rl(pre_state);
112 else
113 pre = alloc_whole_rl(&ptr_ctype);
114 call_results_to_rl(call_expr, &ptr_ctype, "0,(-4095)-(-1)", &rl);
115 rl = rl_intersection(pre, rl);
116 rl = cast_rl(get_type(arg), rl);
117 end_state = alloc_estate_rl(rl);
118 set_extra_expr_nomod(arg, end_state);
119 }
120
121 static void match_not_err(const char *fn, struct expression *call_expr,
122 struct expression *assign_expr, void *unused)
123 {
124 struct expression *arg;
125 struct smatch_state *pre_state;
126 struct range_list *rl;
127
128 arg = get_argument_from_call_expr(call_expr->args, 0);
129 pre_state = get_state_expr(SMATCH_EXTRA, arg);
130 if (pre_state) {
131 rl = estate_rl(pre_state);
132 rl = remove_range(rl, ptr_err_min, ptr_err_max);
133 } else {
134 rl = alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
135 }
136 rl = cast_rl(get_type(arg), rl);
137 /* These are implied. But implications don't work for empty states. */
138 if (pre_state && rl)
139 return;
140 set_extra_expr_nomod(arg, alloc_estate_rl(rl));
141 }
142
143 static void match_err(const char *fn, struct expression *call_expr,
144 struct expression *assign_expr, void *unused)
145 {
146 struct expression *arg;
147 struct smatch_state *pre_state;
148 struct range_list *rl;
149
150 arg = get_argument_from_call_expr(call_expr->args, 0);
151 pre_state = get_state_expr(SMATCH_EXTRA, arg);
152 rl = estate_rl(pre_state);
153 if (!rl)
154 rl = alloc_rl(ptr_err_min, ptr_err_max);
155 rl = rl_intersection(rl, alloc_rl(ptr_err_min, ptr_err_max));
156 rl = cast_rl(get_type(arg), rl);
157 if (pre_state && rl) {
158 /*
159 * Ideally this would all be handled by smatch_implied.c
160 * but it doesn't work very well for impossible paths.
161 *
162 */
163 return;
164 }
165 set_extra_expr_nomod(arg, alloc_estate_rl(rl));
166 }
167
168 static void match_container_of_macro(const char *fn, struct expression *expr, void *unused)
169 {
170 set_extra_expr_mod(expr->left, alloc_estate_range(valid_ptr_min_sval, valid_ptr_max_sval));
171 }
172
173 static void match_container_of(struct expression *expr)
174 {
175 struct expression *right = expr->right;
176 char *macro;
177
178 /*
179 * The problem here is that sometimes the container_of() macro is itself
180 * inside a macro and get_macro() only returns the name of the outside
181 * macro.
182 */
183
184 /*
185 * This actually an expression statement assignment but smatch_flow
186 * pre-mangles it for us so we only get the last chunk:
187 * sk = (typeof(sk))((char *)__mptr - offsetof(...))
188 */
189
190 macro = get_macro_name(right->pos);
191 if (!macro)
192 return;
193 if (right->type != EXPR_CAST)
194 return;
195 right = strip_expr(right);
196 if (right->type != EXPR_BINOP || right->op != '-' ||
197 right->left->type != EXPR_CAST)
198 return;
199 right = strip_expr(right->left);
200 if (right->type != EXPR_SYMBOL)
201 return;
202 if (!right->symbol->ident ||
203 strcmp(right->symbol->ident->name, "__mptr") != 0)
204 return;
205 set_extra_expr_mod(expr->left, alloc_estate_range(valid_ptr_min_sval, valid_ptr_max_sval));
206 }
207
208 static int match_next_bit(struct expression *call, void *unused, struct range_list **rl)
209 {
210 struct expression *start_arg;
211 struct expression *size_arg;
212 struct symbol *type;
213 sval_t min, max, tmp;
214
215 size_arg = get_argument_from_call_expr(call->args, 1);
216 /* btw. there isn't a start_arg for find_first_bit() */
217 start_arg = get_argument_from_call_expr(call->args, 2);
218
219 type = get_type(call);
220 min = sval_type_val(type, 0);
221 max = sval_type_val(type, sizeof(long long) * 8);
222
223 if (get_implied_max(size_arg, &tmp) && tmp.uvalue < max.value)
224 max = tmp;
225 if (start_arg && get_implied_min(start_arg, &tmp) && !sval_is_negative(tmp))
226 min = tmp;
227 if (sval_cmp(min, max) > 0)
228 max = min;
229 min = sval_cast(type, min);
230 max = sval_cast(type, max);
231 *rl = alloc_rl(min, max);
232 return 1;
233 }
234
235 static int match_array_size(struct expression *call, void *unused, struct range_list **rl)
236 {
237 struct expression *size;
238 struct expression *count;
239 struct expression *mult;
240 struct range_list *ret;
241
242 size = get_argument_from_call_expr(call->args, 0);
243 count = get_argument_from_call_expr(call->args, 1);
244 mult = binop_expression(size, '*', count);
245
246 if (get_implied_rl(mult, &ret)) {
247 *rl = ret;
248 return 1;
249 }
250
251 return 0;
252 }
253
254 static int match_ffs(struct expression *call, void *unused, struct range_list **rl)
255 {
256 if (get_implied_rl(call, rl))
257 return true;
258 return false;
259 }
260
261 static int match_fls(struct expression *call, void *unused, struct range_list **rl)
262 {
263 struct expression *arg;
264 struct range_list *arg_rl;
265 sval_t zero = {};
266 sval_t start = {
267 .type = &int_ctype,
268 .value = 0,
269 };
270 sval_t end = {
271 .type = &int_ctype,
272 .value = 32,
273 };
274 sval_t sval;
275
276 arg = get_argument_from_call_expr(call->args, 0);
277 if (!get_implied_rl(arg, &arg_rl))
278 return 0;
279 if (rl_to_sval(arg_rl, &sval)) {
280 int i;
281
282 for (i = 63; i >= 0; i--) {
283 if (sval.uvalue & 1ULL << i)
284 break;
285 }
286 sval.value = i + 1;
287 *rl = alloc_rl(sval, sval);
288 return 1;
289 }
290 zero.type = rl_type(arg_rl);
291 if (!rl_has_sval(arg_rl, zero))
292 start.value = 1;
293 *rl = alloc_rl(start, end);
294 return 1;
295 }
296
297 static void find_module_init_exit(struct symbol_list *sym_list)
298 {
299 struct symbol *sym;
300 struct symbol *fn;
301 struct statement *stmt;
302 char *name;
303 int init;
304 int count;
305
306 /*
307 * This is more complicated because Sparse ignores the "alias"
308 * attribute. I search backwards because module_init() is normally at
309 * the end of the file.
310 */
311 count = 0;
312 FOR_EACH_PTR_REVERSE(sym_list, sym) {
313 if (sym->type != SYM_NODE)
314 continue;
315 if (!(sym->ctype.modifiers & MOD_STATIC))
316 continue;
317 fn = get_base_type(sym);
318 if (!fn)
319 continue;
320 if (fn->type != SYM_FN)
321 continue;
322 if (!sym->ident)
323 continue;
324 if (!fn->inline_stmt)
325 continue;
326 if (strcmp(sym->ident->name, "__inittest") == 0)
327 init = 1;
328 else if (strcmp(sym->ident->name, "__exittest") == 0)
329 init = 0;
330 else
331 continue;
332
333 count++;
334
335 stmt = first_ptr_list((struct ptr_list *)fn->inline_stmt->stmts);
336 if (!stmt || stmt->type != STMT_RETURN)
337 continue;
338 name = expr_to_var(stmt->ret_value);
339 if (!name)
340 continue;
341 if (init)
342 sql_insert_function_ptr(name, "(struct module)->init");
343 else
344 sql_insert_function_ptr(name, "(struct module)->exit");
345 free_string(name);
346 if (count >= 2)
347 return;
348 } END_FOR_EACH_PTR_REVERSE(sym);
349 }
350
351 static void match_end_file(struct symbol_list *sym_list)
352 {
353 struct symbol *sym;
354
355 /* find the last static symbol in the file */
356 FOR_EACH_PTR_REVERSE(sym_list, sym) {
357 if (!(sym->ctype.modifiers & MOD_STATIC))
358 continue;
359 if (!sym->scope)
360 continue;
361 find_module_init_exit(sym->scope->symbols);
362 return;
363 } END_FOR_EACH_PTR_REVERSE(sym);
364 }
365
366 static struct expression *get_val_expr(struct expression *expr)
367 {
368 struct symbol *sym, *val;
369
370 if (expr->type != EXPR_DEREF)
371 return NULL;
372 expr = expr->deref;
373 if (expr->type != EXPR_SYMBOL)
374 return NULL;
375 if (strcmp(expr->symbol_name->name, "__u") != 0)
376 return NULL;
377 sym = get_base_type(expr->symbol);
378 val = first_ptr_list((struct ptr_list *)sym->symbol_list);
379 if (!val || strcmp(val->ident->name, "__val") != 0)
380 return NULL;
381 return member_expression(expr, '.', val->ident);
382 }
383
384 static void match__write_once_size(const char *fn, struct expression *call,
385 void *unused)
386 {
387 struct expression *dest, *data, *assign;
388 struct range_list *rl;
389
390 dest = get_argument_from_call_expr(call->args, 0);
391 if (dest->type != EXPR_PREOP || dest->op != '&')
392 return;
393 dest = strip_expr(dest->unop);
394
395 data = get_argument_from_call_expr(call->args, 1);
396 data = get_val_expr(data);
397 if (!data)
398 return;
399 get_absolute_rl(data, &rl);
400 assign = assign_expression(dest, '=', data);
401
402 __in_fake_assign++;
403 __split_expr(assign);
404 __in_fake_assign--;
405 }
406
407 static void match__read_once_size(const char *fn, struct expression *call,
408 void *unused)
409 {
410 struct expression *dest, *data, *assign;
411 struct symbol *type, *val_sym;
412
413 /*
414 * We want to change:
415 * __read_once_size_nocheck(&(x), __u.__c, sizeof(x));
416 * into a fake assignment:
417 * __u.val = x;
418 *
419 */
420
421 data = get_argument_from_call_expr(call->args, 0);
422 if (data->type != EXPR_PREOP || data->op != '&')
423 return;
424 data = strip_parens(data->unop);
425
426 dest = get_argument_from_call_expr(call->args, 1);
427 if (dest->type != EXPR_DEREF || dest->op != '.')
428 return;
429 if (!dest->member || strcmp(dest->member->name, "__c") != 0)
430 return;
431 dest = dest->deref;
432 type = get_type(dest);
433 if (!type)
434 return;
435 val_sym = first_ptr_list((struct ptr_list *)type->symbol_list);
436 dest = member_expression(dest, '.', val_sym->ident);
437
438 assign = assign_expression(dest, '=', data);
439 __in_fake_assign++;
440 __split_expr(assign);
441 __in_fake_assign--;
442 }
443
444 static void match_closure_call(const char *name, struct expression *call,
445 void *unused)
446 {
447 struct expression *cl, *fn, *fake_call;
448 struct expression_list *args = NULL;
449
450 cl = get_argument_from_call_expr(call->args, 0);
451 fn = get_argument_from_call_expr(call->args, 1);
452 if (!fn || !cl)
453 return;
454
455 add_ptr_list(&args, cl);
456 fake_call = call_expression(fn, args);
457 __split_expr(fake_call);
458 }
459
460 static bool has_inc_state(const char *name, struct symbol *sym)
461 {
462 static int refcount_id;
463 struct sm_state *sm, *tmp;
464
465 if (!refcount_id)
466 refcount_id = id_from_name("check_refcount_info");
467
468 sm = get_sm_state(refcount_id, name, sym);
469 if (!sm)
470 return false;
471
472 FOR_EACH_PTR(sm->possible, tmp) {
473 if (strcmp(tmp->state->name, "inc") == 0)
474 return true;
475 /*
476 * &ignore counts as an inc, because that's what happens when
477 * you double increment. Not ideal.
478 */
479 if (strcmp(tmp->state->name, "ignore") == 0)
480 return true;
481 } END_FOR_EACH_PTR(tmp);
482
483 return false;
484 }
485
486 static void match_kref_put(const char *fn, struct expression *call_expr,
487 struct expression *expr, void *_unused)
488 {
489 struct expression *data, *release, *fake_call;
490 struct expression_list *args = NULL;
491 struct symbol *sym;
492 char *ref;
493
494
495 if (call_expr->type != EXPR_CALL)
496 return;
497
498 data = get_argument_from_call_expr(call_expr->args, 0);
499
500 ref = get_name_sym_from_param_key(call_expr, 0, "$->refcount.refs.counter", &sym);
501 if (has_inc_state(ref, sym))
502 return;
503
504 release = get_argument_from_call_expr(call_expr->args, 1);
505
506 add_ptr_list(&args, data);
507 fake_call = call_expression(release, args);
508 add_fake_call_after_return(fake_call);
509 }
510
511 static void match_kernel_param(struct symbol *sym)
512 {
513 struct expression *var;
514 struct symbol *type;
515
516 /* This was designed to parse the module_param_named() macro */
517
518 if (!sym->ident ||
519 !sym->initializer ||
520 sym->initializer->type != EXPR_INITIALIZER)
521 return;
522
523 type = get_real_base_type(sym);
524 if (!type || type->type != SYM_STRUCT || !type->ident)
525 return;
526 if (strcmp(type->ident->name, "kernel_param") != 0)
527 return;
528
529 var = last_ptr_list((struct ptr_list *)sym->initializer->expr_list);
530 if (!var || var->type != EXPR_INITIALIZER)
531 return;
532 var = first_ptr_list((struct ptr_list *)var->expr_list);
533 if (!var || var->type != EXPR_PREOP || var->op != '&')
534 return;
535 var = strip_expr(var->unop);
536
537 type = get_type(var);
538 update_mtag_data(var, alloc_estate_whole(type));
539 }
540
541 bool is_ignored_kernel_data(const char *name)
542 {
543 char *p;
544
545 if (option_project != PROJ_KERNEL)
546 return false;
547
548 /*
549 * On the file I was looking at lockdep was 25% of the DB.
550 */
551 if (strstr(name, ".dep_map."))
552 return true;
553 if (strstr(name, "->dep_map."))
554 return true;
555 if (strstr(name, ".lockdep_map."))
556 return true;
557
558 if (strstr(name, ".rwsem."))
559 return true;
560 if (strstr(name, "->rwsem."))
561 return true;
562
563 if (strstr(name, "->mutex."))
564 return true;
565 if (strstr(name, "->lockdep_mutex."))
566 return true;
567
568 if (strstr(name, ".completion.wait."))
569 return true;
570
571 if (strstr(name, "kobj.kset-"))
572 return true;
573 if (strstr(name, "power.suspend_timer."))
574 return true;
575 if (strstr(name, "power.work."))
576 return true;
577 if (strstr(name, ".lock.rlock."))
578 return true;
579 if (strstr(name, "lockdep_mutex."))
580 return true;
581
582 if (strstr(name, ">klist_devices."))
583 return true;
584
585 if (strstr(name, "->m_log->"))
586 return true;
587
588 if (strstr(name, ".wait_lock."))
589 return true;
590 if (strstr(name, "regmap->lock_arg"))
591 return true;
592 if (strstr(name, "kworker->task"))
593 return true;
594 if (strstr(name, "->algo_data->"))
595 return true;
596
597 /* ignore mutex internals */
598 if ((p = strstr(name, ".rlock.")) ||
599 (p = strstr(name, ">rlock."))) {
600 p += 7;
601 if (strncmp(p, "raw_lock", 8) == 0 ||
602 strcmp(p, "owner") == 0 ||
603 strcmp(p, "owner_cpu") == 0 ||
604 strcmp(p, "magic") == 0 ||
605 strcmp(p, "dep_map") == 0)
606 return true;
607 }
608
609 return false;
610 }
611
612 int get_gfp_param(struct expression *expr)
613 {
614 struct symbol *type;
615 struct symbol *arg, *arg_type;
616 int param;
617
618 if (expr->type != EXPR_CALL)
619 return -1;
620 type = get_type(expr->fn);
621 if (!type)
622 return -1;
623 if (type->type == SYM_PTR)
624 type = get_real_base_type(type);
625 if (type->type != SYM_FN)
626 return -1;
627
628 param = 0;
629 FOR_EACH_PTR(type->arguments, arg) {
630 arg_type = get_base_type(arg);
631 if (arg_type && arg_type->ident &&
632 strcmp(arg_type->ident->name, "gfp_t") == 0)
633 return param;
634 param++;
635 } END_FOR_EACH_PTR(arg);
636
637 return -1;
638 }
639
640 static void match_function_def(struct symbol *sym)
641 {
642 char *macro;
643
644 macro = get_macro_name(sym->pos);
645 if (!macro)
646 return;
647 if (strcmp(macro, "TRACE_EVENT") == 0)
648 set_function_skipped();
649 }
650
651 static bool delete_pci_error_returns(struct expression *expr)
652 {
653 const char *macro;
654 sval_t sval;
655
656 if (!get_value(expr, &sval))
657 return false;
658 if (sval.value < 0x80 || sval.value > 0x90)
659 return false;
660
661 macro = get_macro_name(expr->pos);
662 if (!macro)
663 return false;
664
665 if (strncmp(macro, "PCIBIOS_", 8) != 0)
666 return false;
667
668 if (strcmp(macro, "PCIBIOS_FUNC_NOT_SUPPORTED") == 0 ||
669 strcmp(macro, "PCIBIOS_BAD_VENDOR_ID") == 0 ||
670 strcmp(macro, "PCIBIOS_DEVICE_NOT_FOUND") == 0 ||
671 strcmp(macro, "PCIBIOS_BAD_REGISTER_NUMBER") == 0 ||
672 strcmp(macro, "PCIBIOS_SET_FAILED") == 0 ||
673 strcmp(macro, "PCIBIOS_BUFFER_TOO_SMALL") == 0)
674 return true;
675
676 return false;
677 }
678
679 void check_kernel(int id)
680 {
681 if (option_project != PROJ_KERNEL)
682 return;
683
684 add_implied_return_hook("ERR_PTR", &implied_err_cast_return, NULL);
685 add_implied_return_hook("ERR_CAST", &implied_err_cast_return, NULL);
686 add_implied_return_hook("PTR_ERR", &implied_err_cast_return, NULL);
687 add_hook(hack_ERR_PTR, AFTER_DEF_HOOK);
688 return_implies_state("IS_ERR_OR_NULL", 0, 0, &match_param_valid_ptr, (void *)0);
689 return_implies_state("IS_ERR_OR_NULL", 1, 1, &match_param_err_or_null, (void *)0);
690 return_implies_state("IS_ERR", 0, 0, &match_not_err, NULL);
691 return_implies_state("IS_ERR", 1, 1, &match_err, NULL);
692 return_implies_state("tomoyo_memory_ok", 1, 1, &match_param_valid_ptr, (void *)0);
693
694 add_macro_assign_hook_extra("container_of", &match_container_of_macro, NULL);
695 add_hook(match_container_of, ASSIGNMENT_HOOK);
696
697 add_implied_return_hook("find_next_bit", &match_next_bit, NULL);
698 add_implied_return_hook("find_next_zero_bit", &match_next_bit, NULL);
699 add_implied_return_hook("find_first_bit", &match_next_bit, NULL);
700 add_implied_return_hook("find_first_zero_bit", &match_next_bit, NULL);
701
702 add_implied_return_hook("array_size", &match_array_size, NULL);
703
704 add_implied_return_hook("__ffs", &match_ffs, NULL);
705 add_implied_return_hook("fls", &match_fls, NULL);
706 add_implied_return_hook("__fls", &match_fls, NULL);
707 add_implied_return_hook("fls64", &match_fls, NULL);
708
709 add_function_hook("__ftrace_bad_type", &__match_nullify_path_hook, NULL);
710 add_function_hook("__write_once_size", &match__write_once_size, NULL);
711
712 add_function_hook("__read_once_size", &match__read_once_size, NULL);
713 add_function_hook("__read_once_size_nocheck", &match__read_once_size, NULL);
714
715 add_function_hook("closure_call", &match_closure_call, NULL);
716 return_implies_state_sval("kref_put", int_one, int_one, &match_kref_put, NULL);
717
718 add_hook(&match_kernel_param, BASE_HOOK);
719 add_hook(&match_function_def, FUNC_DEF_HOOK);
720
721 if (option_info)
722 add_hook(match_end_file, END_FILE_HOOK);
723
724 add_delete_return_hook(&delete_pci_error_returns);
725 }