search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
locking: delete some NULL checks
[smatch.git] / smatch_param_limit.c
blobdf20d4ab19c07597aa4624b63d3219a5a4996274
1 /*
2 * Copyright (C) 2012 Oracle.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * This is almost the same as smatch_param_filter.c. The difference is that
20 * this only deals with values passed on the stack and param filter only deals
21 * with values changed so that the caller sees the new value. It other words
22 * the key for these should always be "$" and the key for param_filter should
23 * never be "$". Also smatch_param_set() should never use "$" as the key.
24 * Param set should work together with param_filter to determine the value that
25 * the caller sees at the end.
26 *
27 * This is for functions like this:
28 *
29 * int foo(int a)
30 * {
31 * if (a >= 0 && a < 10) {
32 * a = 42;
33 * return 1;
34 * }
35 * return 0;
36 * }
37 *
38 * If we pass in 5, it returns 1.
39 *
40 * It's a bit complicated because we can't just consider the final value, we
41 * have to always consider the passed in value.
42 *
43 */
44
45 #include "smatch.h"
46 #include "smatch_extra.h"
47 #include "smatch_slist.h"
48
49 static int my_id;
50
51 static struct stree *limit_states;
52 static struct stree *ignore_states;
53
54 int __no_limits;
55
56 static struct smatch_state *unmatched_state(struct sm_state *sm)
57 {
58 struct smatch_state *state;
59
60 if (!param_was_set_var_sym(sm->name, sm->sym)) {
61 state = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
62 if (state)
63 return state;
64 }
65 return alloc_estate_whole(estate_type(sm->state));
66 }
67
68 struct smatch_state *get_orig_estate(const char *name, struct symbol *sym)
69 {
70 struct smatch_state *state;
71
72 state = get_state(my_id, name, sym);
73 if (state)
74 return state;
75
76 state = get_state(SMATCH_EXTRA, name, sym);
77 if (state)
78 return state;
79 return alloc_estate_rl(alloc_whole_rl(get_real_base_type(sym)));
80 }
81
82 static struct range_list *generify_mtag_range(struct smatch_state *state)
83 {
84 struct range_list *rl;
85 struct data_range *drange;
86
87 if (!estate_type(state) || estate_type(state)->type != SYM_PTR)
88 return estate_rl(state);
89
90 /*
91 * The problem is that we get too specific on our param limits when we
92 * know exactly what pointers are passed to a function. It gets to the
93 * point where we say "pointer x will succeed, but everything else will
94 * fail." And then we introduce a new caller which passes a different
95 * pointer and it's like, "Sorry bro, that's not possible."
96 *
97 */
98 rl = estate_rl(state);
99 FOR_EACH_PTR(rl, drange) {
100 if (drange->min.value != drange->max.value)
101 continue;
102 if (drange->min.value == 0)
103 continue;
104 if (is_err_ptr(drange->min))
105 continue;
106 return rl_union(valid_ptr_rl, rl);
107 } END_FOR_EACH_PTR(drange);
108
109 return estate_rl(state);
110 }
111
112 static bool sm_was_set(struct sm_state *sm)
113 {
114 struct relation *rel;
115
116 if (!estate_related(sm->state))
117 return param_was_set_var_sym(sm->name, sm->sym);
118
119 FOR_EACH_PTR(estate_related(sm->state), rel) {
120 if (param_was_set_var_sym(sm->name, sm->sym))
121 return true;
122 } END_FOR_EACH_PTR(rel);
123 return false;
124 }
125
126 static bool is_boring_pointer_info(const char *name, struct range_list *rl)
127 {
128 char *rl_str;
129
130 /* addresses are always boring */
131 if (name[0] == '&')
132 return true;
133
134 /*
135 * One way that PARAM_LIMIT can be set is by dereferencing pointers.
136 * It's not necessarily very valuable to track that a pointer must
137 * be non-NULL. It's even less valuable to know that it's either NULL
138 * or valid. It can be nice to know that it's not an error pointer, I
139 * suppose. But let's not pass that data back to all the callers
140 * forever.
141 *
142 */
143
144 if (strlen(name) < 40)
145 return false;
146
147 rl_str = show_rl(rl);
148 if (!rl_str)
149 return false;
150
151 if (strcmp(rl_str, "4096-ptr_max") == 0 ||
152 strcmp(rl_str, "0,4096-ptr_max") == 0)
153 return true;
154
155 return false;
156 }
157
158 static void print_return_value_param(int return_id, char *return_ranges, struct expression *expr)
159 {
160 struct smatch_state *state, *old;
161 struct sm_state *tmp;
162 struct range_list *rl;
163 const char *param_name;
164 int param;
165
166 FOR_EACH_MY_SM(SMATCH_EXTRA, __get_cur_stree(), tmp) {
167 if (tmp->name[0] == '&')
168 continue;
169
170 if (!get_state_stree(limit_states, my_id, tmp->name, tmp->sym) &&
171 get_state_stree(ignore_states, my_id, tmp->name, tmp->sym))
172 continue;
173
174 param = get_param_num_from_sym(tmp->sym);
175 if (param < 0)
176 continue;
177
178 param_name = get_param_name(tmp);
179 if (!param_name)
180 continue;
181
182 state = __get_state(my_id, tmp->name, tmp->sym);
183 if (!state) {
184 if (sm_was_set(tmp))
185 continue;
186 state = tmp->state;
187 }
188
189 if (estate_is_whole(state) || estate_is_empty(state))
190 continue;
191 old = get_state_stree(get_start_states(), SMATCH_EXTRA, tmp->name, tmp->sym);
192 if (old && rl_equiv(estate_rl(old), estate_rl(state)))
193 continue;
194
195 if (is_ignored_kernel_data(param_name))
196 continue;
197
198 rl = generify_mtag_range(state);
199 if (is_boring_pointer_info(param_name, rl))
200 continue;
201
202 sql_insert_return_states(return_id, return_ranges, PARAM_LIMIT,
203 param, param_name, show_rl(rl));
204 } END_FOR_EACH_SM(tmp);
205 }
206
207 static void extra_mod_hook(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
208 {
209 struct smatch_state *orig;
210 struct symbol *param_sym;
211 char *param_name;
212
213 if (expr && expr->smatch_flags & Fake)
214 return;
215
216 param_name = get_param_var_sym_var_sym(name, sym, NULL, &param_sym);
217 if (!param_name || !param_sym)
218 goto free;
219 if (get_param_num_from_sym(param_sym) < 0)
220 goto free;
221
222 /* already saved */
223 if (get_state(my_id, param_name, param_sym))
224 goto free;
225
226 if (__in_buf_clear)
227 return;
228
229 orig = get_state(SMATCH_EXTRA, param_name, param_sym);
230 if (!orig)
231 orig = alloc_estate_whole(estate_type(state));
232
233 set_state(my_id, param_name, param_sym, orig);
234 free:
235 free_string(param_name);
236 }
237
238 static void extra_nomod_hook(const char *name, struct symbol *sym, struct expression *expr, struct smatch_state *state)
239 {
240 if (__no_limits) {
241 set_state_stree(&ignore_states, my_id, name, sym, &undefined);
242 return;
243 }
244 set_state_stree(&limit_states, my_id, name, sym, &undefined);
245 }
246
247 static void match_end_func(struct symbol *sym)
248 {
249 free_stree(&ignore_states);
250 free_stree(&limit_states);
251 }
252
253 void register_param_limit(int id)
254 {
255 my_id = id;
256
257 add_function_data((unsigned long *)&limit_states);
258 add_function_data((unsigned long *)&ignore_states);
259 add_hook(&match_end_func, END_FUNC_HOOK);
260
261 db_ignore_states(my_id);
262 set_dynamic_states(my_id);
263
264 add_extra_mod_hook(&extra_mod_hook);
265 add_extra_nomod_hook(&extra_nomod_hook);
266 add_unmatched_state_hook(my_id, &unmatched_state);
267 add_merge_hook(my_id, &merge_estates);
268
269 add_split_return_callback(&print_return_value_param);
270 }
271
Static analysis for C