2 * Copyright (C) 2008 Dan Carpenter.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
19 * smatch_extra.c is supposed to track the value of every variable.
31 #include "smatch_slist.h"
32 #include "smatch_extra.h"
37 static void match_link_modify(struct sm_state
*sm
, struct expression
*mod_expr
);
39 struct string_list
*__ignored_macros
= NULL
;
40 static int in_warn_on_macro(void)
42 struct statement
*stmt
;
46 stmt
= get_current_statement();
49 macro
= get_macro_name(stmt
->pos
);
53 FOR_EACH_PTR(__ignored_macros
, tmp
) {
54 if (!strcmp(tmp
, macro
))
56 } END_FOR_EACH_PTR(tmp
);
60 typedef void (mod_hook
)(const char *name
, struct symbol
*sym
, struct smatch_state
*state
);
61 DECLARE_PTR_LIST(void_fn_list
, mod_hook
*);
62 static struct void_fn_list
*extra_mod_hooks
;
63 void add_extra_mod_hook(mod_hook
*fn
)
65 mod_hook
**p
= malloc(sizeof(mod_hook
*));
67 add_ptr_list(&extra_mod_hooks
, p
);
70 void call_extra_mod_hooks(const char *name
, struct symbol
*sym
, struct smatch_state
*state
)
74 FOR_EACH_PTR(extra_mod_hooks
, fn
) {
75 (*fn
)(name
, sym
, state
);
76 } END_FOR_EACH_PTR(fn
);
79 struct sm_state
*set_extra_mod_helper(const char *name
, struct symbol
*sym
, struct smatch_state
*state
)
81 remove_from_equiv(name
, sym
);
82 call_extra_mod_hooks(name
, sym
, state
);
83 if (__in_fake_assign
&& estate_is_unknown(state
) && !get_state(SMATCH_EXTRA
, name
, sym
))
85 return set_state(SMATCH_EXTRA
, name
, sym
, state
);
88 static char *get_other_name_sym(const char *name
, struct symbol
*sym
, struct symbol
**new_sym
)
90 struct expression
*assigned
;
91 char *orig_name
= NULL
;
101 skip
= strlen(sym
->ident
->name
);
102 if (name
[skip
] != '-' || name
[skip
+ 1] != '>')
106 assigned
= get_assigned_expr_name_sym(sym
->ident
->name
, sym
);
109 if (assigned
->type
== EXPR_PREOP
|| assigned
->op
== '&') {
111 orig_name
= expr_to_var_sym(assigned
, new_sym
);
112 if (!orig_name
|| !*new_sym
)
115 snprintf(buf
, sizeof(buf
), "%s.%s", orig_name
+ 1, name
+ skip
);
116 ret
= alloc_string(buf
);
117 free_string(orig_name
);
121 if (assigned
->type
!= EXPR_DEREF
)
124 orig_name
= expr_to_var_sym(assigned
, new_sym
);
125 if (!orig_name
|| !*new_sym
)
128 snprintf(buf
, sizeof(buf
), "%s->%s", orig_name
, name
+ skip
);
129 ret
= alloc_string(buf
);
130 free_string(orig_name
);
134 free_string(orig_name
);
138 struct sm_state
*set_extra_mod(const char *name
, struct symbol
*sym
, struct smatch_state
*state
)
141 struct symbol
*new_sym
;
144 sm
= set_extra_mod_helper(name
, sym
, state
);
145 new_name
= get_other_name_sym(name
, sym
, &new_sym
);
146 if (new_name
&& new_sym
)
147 set_extra_mod_helper(new_name
, new_sym
, state
);
148 free_string(new_name
);
152 static void clear_array_states(struct expression
*array
)
156 sm
= get_sm_state_expr(link_id
, array
);
158 match_link_modify(sm
, NULL
);
161 static struct sm_state
*set_extra_array_mod(struct expression
*expr
, struct smatch_state
*state
)
163 struct expression
*array
;
164 struct expression
*offset
;
165 struct var_sym_list
*vsl
;
170 struct sm_state
*ret
= NULL
;
172 array
= get_array_base(expr
);
173 offset
= get_array_offset(expr
);
175 name
= expr_to_chunk_sym_vsl(expr
, &sym
, &vsl
);
177 if (!name
|| !vsl
|| !get_value(offset
, &sval
)) {
178 clear_array_states(array
);
182 FOR_EACH_PTR(vsl
, vs
) {
183 store_link(link_id
, vs
->var
, vs
->sym
, name
, sym
);
184 } END_FOR_EACH_PTR(vs
);
186 ret
= set_state(SMATCH_EXTRA
, name
, sym
, state
);
192 struct sm_state
*set_extra_expr_mod(struct expression
*expr
, struct smatch_state
*state
)
196 struct sm_state
*ret
= NULL
;
199 return set_extra_array_mod(expr
, state
);
201 expr
= strip_expr(expr
);
202 name
= expr_to_var_sym(expr
, &sym
);
205 ret
= set_extra_mod(name
, sym
, state
);
211 void set_extra_nomod(const char *name
, struct symbol
*sym
, struct smatch_state
*state
)
214 struct symbol
*new_sym
;
215 struct relation
*rel
;
216 struct smatch_state
*orig_state
;
218 orig_state
= get_state(SMATCH_EXTRA
, name
, sym
);
220 new_name
= get_other_name_sym(name
, sym
, &new_sym
);
221 if (new_name
&& new_sym
)
222 set_state(SMATCH_EXTRA
, new_name
, new_sym
, state
);
223 free_string(new_name
);
225 if (!estate_related(orig_state
)) {
226 set_state(SMATCH_EXTRA
, name
, sym
, state
);
230 set_related(state
, estate_related(orig_state
));
231 FOR_EACH_PTR(estate_related(orig_state
), rel
) {
232 struct smatch_state
*estate
;
234 if (option_debug_related
)
235 sm_msg("%s updating related %s to %s", name
, rel
->name
, state
->name
);
236 estate
= get_state(SMATCH_EXTRA
, rel
->name
, rel
->sym
);
239 set_state(SMATCH_EXTRA
, rel
->name
, rel
->sym
, clone_estate_cast(estate_type(estate
), state
));
240 } END_FOR_EACH_PTR(rel
);
244 * This is for return_implies_state() hooks which modify a SMATCH_EXTRA state
246 void set_extra_expr_nomod(struct expression
*expr
, struct smatch_state
*state
)
251 name
= expr_to_var_sym(expr
, &sym
);
254 set_extra_nomod(name
, sym
, state
);
260 static void set_extra_true_false(const char *name
, struct symbol
*sym
,
261 struct smatch_state
*true_state
,
262 struct smatch_state
*false_state
)
265 struct symbol
*new_sym
;
266 struct relation
*rel
;
267 struct smatch_state
*orig_state
;
269 if (!true_state
&& !false_state
)
272 if (in_warn_on_macro())
275 new_name
= get_other_name_sym(name
, sym
, &new_sym
);
276 if (new_name
&& new_sym
)
277 set_true_false_states(SMATCH_EXTRA
, new_name
, new_sym
, true_state
, false_state
);
278 free_string(new_name
);
280 orig_state
= get_state(SMATCH_EXTRA
, name
, sym
);
282 if (!estate_related(orig_state
)) {
283 set_true_false_states(SMATCH_EXTRA
, name
, sym
, true_state
, false_state
);
288 set_related(true_state
, estate_related(orig_state
));
290 set_related(false_state
, estate_related(orig_state
));
292 FOR_EACH_PTR(estate_related(orig_state
), rel
) {
293 set_true_false_states(SMATCH_EXTRA
, rel
->name
, rel
->sym
,
294 true_state
, false_state
);
295 } END_FOR_EACH_PTR(rel
);
298 static void set_extra_chunk_true_false(struct expression
*expr
,
299 struct smatch_state
*true_state
,
300 struct smatch_state
*false_state
)
302 struct var_sym_list
*vsl
;
308 if (in_warn_on_macro())
311 type
= get_type(expr
);
315 name
= expr_to_chunk_sym_vsl(expr
, &sym
, &vsl
);
318 FOR_EACH_PTR(vsl
, vs
) {
319 store_link(link_id
, vs
->var
, vs
->sym
, name
, sym
);
320 } END_FOR_EACH_PTR(vs
);
322 set_true_false_states(SMATCH_EXTRA
, name
, sym
,
323 clone_estate(true_state
),
324 clone_estate(false_state
));
329 static void set_extra_expr_true_false(struct expression
*expr
,
330 struct smatch_state
*true_state
,
331 struct smatch_state
*false_state
)
337 if (!true_state
&& !false_state
)
340 if (get_value(expr
, &sval
))
343 expr
= strip_expr(expr
);
344 name
= expr_to_var_sym(expr
, &sym
);
347 set_extra_chunk_true_false(expr
, true_state
, false_state
);
350 set_extra_true_false(name
, sym
, true_state
, false_state
);
354 static struct sm_state
*handle_canonical_while_count_down(struct statement
*loop
)
356 struct expression
*iter_var
;
357 struct expression
*condition
;
359 struct smatch_state
*estate
;
362 condition
= strip_expr(loop
->iterator_pre_condition
);
365 if (condition
->type
!= EXPR_PREOP
&& condition
->type
!= EXPR_POSTOP
)
367 if (condition
->op
!= SPECIAL_DECREMENT
)
370 iter_var
= condition
->unop
;
371 sm
= get_sm_state_expr(SMATCH_EXTRA
, iter_var
);
374 if (sval_cmp_val(estate_min(sm
->state
), 0) < 0)
376 start
= estate_max(sm
->state
);
377 if (sval_cmp_val(start
, 0) <= 0)
379 if (!sval_is_max(start
))
382 if (condition
->type
== EXPR_PREOP
) {
383 estate
= alloc_estate_range(sval_type_val(start
.type
, 1), start
);
384 if (estate_has_hard_max(sm
->state
))
385 estate_set_hard_max(estate
);
386 estate_copy_fuzzy_max(estate
, sm
->state
);
387 set_extra_expr_mod(iter_var
, estate
);
389 if (condition
->type
== EXPR_POSTOP
) {
390 estate
= alloc_estate_range(sval_type_val(start
.type
, 0), start
);
391 if (estate_has_hard_max(sm
->state
))
392 estate_set_hard_max(estate
);
393 estate_copy_fuzzy_max(estate
, sm
->state
);
394 set_extra_expr_mod(iter_var
, estate
);
396 return get_sm_state_expr(SMATCH_EXTRA
, iter_var
);
399 static struct sm_state
*handle_canonical_for_inc(struct expression
*iter_expr
,
400 struct expression
*condition
)
402 struct expression
*iter_var
;
404 struct smatch_state
*estate
;
405 sval_t start
, end
, max
;
407 iter_var
= iter_expr
->unop
;
408 sm
= get_sm_state_expr(SMATCH_EXTRA
, iter_var
);
411 if (!estate_get_single_value(sm
->state
, &start
))
413 if (get_implied_max(condition
->right
, &end
))
414 end
= sval_cast(get_type(iter_var
), end
);
416 end
= sval_type_max(get_type(iter_var
));
418 if (get_sm_state_expr(SMATCH_EXTRA
, condition
->left
) != sm
)
421 switch (condition
->op
) {
422 case SPECIAL_UNSIGNED_LT
:
423 case SPECIAL_NOTEQUAL
:
425 if (!sval_is_min(end
))
428 case SPECIAL_UNSIGNED_LTE
:
434 if (sval_cmp(end
, start
) < 0)
436 estate
= alloc_estate_range(start
, end
);
437 if (get_hard_max(condition
->right
, &max
)) {
438 estate_set_hard_max(estate
);
439 if (condition
->op
== '<' ||
440 condition
->op
== SPECIAL_UNSIGNED_LT
||
441 condition
->op
== SPECIAL_NOTEQUAL
)
443 estate_set_fuzzy_max(estate
, max
);
445 set_extra_expr_mod(iter_var
, estate
);
446 return get_sm_state_expr(SMATCH_EXTRA
, iter_var
);
449 static struct sm_state
*handle_canonical_for_dec(struct expression
*iter_expr
,
450 struct expression
*condition
)
452 struct expression
*iter_var
;
454 struct smatch_state
*estate
;
457 iter_var
= iter_expr
->unop
;
458 sm
= get_sm_state_expr(SMATCH_EXTRA
, iter_var
);
461 if (!estate_get_single_value(sm
->state
, &start
))
463 if (!get_implied_min(condition
->right
, &end
))
464 end
= sval_type_min(get_type(iter_var
));
465 if (get_sm_state_expr(SMATCH_EXTRA
, condition
->left
) != sm
)
468 switch (condition
->op
) {
469 case SPECIAL_NOTEQUAL
:
471 if (!sval_is_min(end
) && !sval_is_max(end
))
479 if (sval_cmp(end
, start
) > 0)
481 estate
= alloc_estate_range(end
, start
);
482 estate_set_hard_max(estate
);
483 estate_set_fuzzy_max(estate
, estate_get_fuzzy_max(estate
));
484 set_extra_expr_mod(iter_var
, estate
);
485 return get_sm_state_expr(SMATCH_EXTRA
, iter_var
);
488 static struct sm_state
*handle_canonical_for_loops(struct statement
*loop
)
490 struct expression
*iter_expr
;
491 struct expression
*condition
;
493 if (!loop
->iterator_post_statement
)
495 if (loop
->iterator_post_statement
->type
!= STMT_EXPRESSION
)
497 iter_expr
= loop
->iterator_post_statement
->expression
;
498 if (!loop
->iterator_pre_condition
)
500 if (loop
->iterator_pre_condition
->type
!= EXPR_COMPARE
)
502 condition
= loop
->iterator_pre_condition
;
504 if (iter_expr
->op
== SPECIAL_INCREMENT
)
505 return handle_canonical_for_inc(iter_expr
, condition
);
506 if (iter_expr
->op
== SPECIAL_DECREMENT
)
507 return handle_canonical_for_dec(iter_expr
, condition
);
511 struct sm_state
*__extra_handle_canonical_loops(struct statement
*loop
, struct stree
**stree
)
513 struct sm_state
*ret
;
515 __push_fake_cur_stree();
516 if (!loop
->iterator_post_statement
)
517 ret
= handle_canonical_while_count_down(loop
);
519 ret
= handle_canonical_for_loops(loop
);
520 *stree
= __pop_fake_cur_stree();
524 int __iterator_unchanged(struct sm_state
*sm
)
528 if (get_sm_state(my_id
, sm
->name
, sm
->sym
) == sm
)
533 static void while_count_down_after(struct sm_state
*sm
, struct expression
*condition
)
537 /* paranoid checking. prolly not needed */
538 condition
= strip_expr(condition
);
541 if (condition
->type
!= EXPR_PREOP
&& condition
->type
!= EXPR_POSTOP
)
543 if (condition
->op
!= SPECIAL_DECREMENT
)
545 after_value
= estate_min(sm
->state
);
547 set_extra_mod(sm
->name
, sm
->sym
, alloc_estate_sval(after_value
));
550 void __extra_pre_loop_hook_after(struct sm_state
*sm
,
551 struct statement
*iterator
,
552 struct expression
*condition
)
554 struct expression
*iter_expr
;
556 struct smatch_state
*state
;
559 while_count_down_after(sm
, condition
);
563 iter_expr
= iterator
->expression
;
565 if (condition
->type
!= EXPR_COMPARE
)
567 if (iter_expr
->op
== SPECIAL_INCREMENT
) {
568 limit
= sval_binop(estate_max(sm
->state
), '+',
569 sval_type_val(estate_type(sm
->state
), 1));
571 limit
= sval_binop(estate_min(sm
->state
), '-',
572 sval_type_val(estate_type(sm
->state
), 1));
574 if (!estate_has_hard_max(sm
->state
) && !__has_breaks()) {
575 if (iter_expr
->op
== SPECIAL_INCREMENT
)
576 state
= alloc_estate_range(estate_min(sm
->state
), limit
);
578 state
= alloc_estate_range(limit
, estate_max(sm
->state
));
580 state
= alloc_estate_sval(limit
);
582 if (!estate_has_hard_max(sm
->state
)) {
583 estate_clear_hard_max(state
);
585 if (estate_has_fuzzy_max(sm
->state
)) {
586 sval_t hmax
= estate_get_fuzzy_max(sm
->state
);
587 sval_t max
= estate_max(sm
->state
);
589 if (sval_cmp(hmax
, max
) != 0)
590 estate_clear_fuzzy_max(state
);
591 } else if (!estate_has_fuzzy_max(sm
->state
)) {
592 estate_clear_fuzzy_max(state
);
595 set_extra_mod(sm
->name
, sm
->sym
, state
);
598 static struct stree
*unmatched_stree
;
599 static struct smatch_state
*unmatched_state(struct sm_state
*sm
)
601 struct smatch_state
*state
;
603 if (unmatched_stree
) {
604 state
= get_state_stree(unmatched_stree
, SMATCH_EXTRA
, sm
->name
, sm
->sym
);
608 if (parent_is_gone_var_sym(sm
->name
, sm
->sym
))
609 return alloc_estate_empty();
610 return alloc_estate_whole(estate_type(sm
->state
));
613 static void clear_the_pointed_at(struct expression
*expr
)
618 struct sm_state
*tmp
;
620 name
= expr_to_var_sym(expr
, &sym
);
624 stree
= __get_cur_stree();
625 FOR_EACH_MY_SM(SMATCH_EXTRA
, stree
, tmp
) {
626 if (tmp
->name
[0] != '*')
630 if (strcmp(tmp
->name
+ 1, name
) != 0)
632 set_extra_mod(tmp
->name
, tmp
->sym
, alloc_estate_whole(estate_type(tmp
->state
)));
633 } END_FOR_EACH_SM(tmp
);
639 static void match_function_call(struct expression
*expr
)
641 struct expression
*arg
;
642 struct expression
*tmp
;
644 /* if we have the db this is handled in smatch_function_hooks.c */
647 if (inlinable(expr
->fn
))
650 FOR_EACH_PTR(expr
->args
, arg
) {
651 tmp
= strip_expr(arg
);
652 if (tmp
->type
== EXPR_PREOP
&& tmp
->op
== '&')
653 set_extra_expr_mod(tmp
->unop
, alloc_estate_whole(get_type(tmp
->unop
)));
655 clear_the_pointed_at(tmp
);
656 } END_FOR_EACH_PTR(arg
);
659 static int values_fit_type(struct expression
*left
, struct expression
*right
)
661 struct range_list
*rl
;
664 type
= get_type(left
);
667 get_absolute_rl(right
, &rl
);
668 if (type_unsigned(type
) && sval_is_negative(rl_min(rl
)))
670 if (sval_cmp(sval_type_min(type
), rl_min(rl
)) > 0)
672 if (sval_cmp(sval_type_max(type
), rl_max(rl
)) < 0)
677 static void save_chunk_info(struct expression
*left
, struct expression
*right
)
679 struct var_sym_list
*vsl
;
681 struct expression
*add_expr
;
687 if (right
->type
!= EXPR_BINOP
|| right
->op
!= '-')
689 if (!get_value(right
->left
, &sval
))
691 if (!expr_to_sym(right
->right
))
694 add_expr
= binop_expression(left
, '+', right
->right
);
695 type
= get_type(add_expr
);
698 name
= expr_to_chunk_sym_vsl(add_expr
, &sym
, &vsl
);
701 FOR_EACH_PTR(vsl
, vs
) {
702 store_link(link_id
, vs
->var
, vs
->sym
, name
, sym
);
703 } END_FOR_EACH_PTR(vs
);
705 set_state(SMATCH_EXTRA
, name
, sym
, alloc_estate_sval(sval_cast(type
, sval
)));
710 static void do_array_assign(struct expression
*left
, int op
, struct expression
*right
)
712 struct range_list
*rl
;
715 get_absolute_rl(right
, &rl
);
716 rl
= cast_rl(get_type(left
), rl
);
718 rl
= alloc_whole_rl(get_type(left
));
721 set_extra_array_mod(left
, alloc_estate_rl(rl
));
724 static void match_untracked_array(struct expression
*call
, int param
)
726 struct expression
*arg
;
728 arg
= get_argument_from_call_expr(call
->args
, param
);
729 arg
= strip_expr(arg
);
731 clear_array_states(arg
);
734 static void match_vanilla_assign(struct expression
*left
, struct expression
*right
)
736 struct range_list
*orig_rl
= NULL
;
737 struct range_list
*rl
= NULL
;
738 struct symbol
*right_sym
;
739 struct symbol
*left_type
;
740 struct symbol
*right_type
;
741 char *right_name
= NULL
;
745 struct smatch_state
*state
;
751 save_chunk_info(left
, right
);
753 name
= expr_to_var_sym(left
, &sym
);
756 do_array_assign(left
, '=', right
);
760 left_type
= get_type(left
);
761 right_type
= get_type(right
);
763 right_name
= expr_to_var_sym(right
, &right_sym
);
765 if (!__in_fake_assign
&&
766 !(right
->type
== EXPR_PREOP
&& right
->op
== '&') &&
767 right_name
&& right_sym
&&
768 values_fit_type(left
, right
) &&
769 !has_symbol(right
, sym
)) {
770 set_equiv(left
, right
);
774 if (is_pointer(right
) && get_address_rl(right
, &rl
)) {
775 state
= alloc_estate_rl(rl
);
779 comparison
= get_comparison(left
, right
);
781 comparison
= flip_comparison(comparison
);
782 get_implied_rl(left
, &orig_rl
);
785 if (get_implied_rl(right
, &rl
)) {
786 rl
= cast_rl(left_type
, rl
);
788 filter_by_comparison(&rl
, comparison
, orig_rl
);
789 state
= alloc_estate_rl(rl
);
790 if (get_hard_max(right
, &max
)) {
791 estate_set_hard_max(state
);
792 estate_set_fuzzy_max(state
, max
);
795 rl
= alloc_whole_rl(right_type
);
796 rl
= cast_rl(left_type
, rl
);
798 filter_by_comparison(&rl
, comparison
, orig_rl
);
799 state
= alloc_estate_rl(rl
);
803 set_extra_mod(name
, sym
, state
);
805 free_string(right_name
);
808 static int op_remove_assign(int op
)
811 case SPECIAL_ADD_ASSIGN
:
813 case SPECIAL_SUB_ASSIGN
:
815 case SPECIAL_MUL_ASSIGN
:
817 case SPECIAL_DIV_ASSIGN
:
819 case SPECIAL_MOD_ASSIGN
:
821 case SPECIAL_AND_ASSIGN
:
823 case SPECIAL_OR_ASSIGN
:
825 case SPECIAL_XOR_ASSIGN
:
827 case SPECIAL_SHL_ASSIGN
:
828 return SPECIAL_LEFTSHIFT
;
829 case SPECIAL_SHR_ASSIGN
:
830 return SPECIAL_RIGHTSHIFT
;
836 static void match_assign(struct expression
*expr
)
838 struct range_list
*rl
= NULL
;
839 struct expression
*left
;
840 struct expression
*right
;
841 struct expression
*binop_expr
;
842 struct symbol
*left_type
;
843 struct symbol
*right_type
;
846 sval_t left_min
, left_max
;
847 sval_t right_min
, right_max
;
848 sval_t res_min
, res_max
;
850 left
= strip_expr(expr
->left
);
852 right
= strip_parens(expr
->right
);
853 if (right
->type
== EXPR_CALL
&& sym_name_is("__builtin_expect", right
->fn
))
854 right
= get_argument_from_call_expr(right
->args
, 0);
855 while (right
->type
== EXPR_ASSIGNMENT
&& right
->op
== '=')
856 right
= strip_parens(right
->left
);
858 if (expr
->op
== '=' && is_condition(expr
->right
))
859 return; /* handled in smatch_condition.c */
860 if (expr
->op
== '=' && right
->type
== EXPR_CALL
)
861 return; /* handled in smatch_function_hooks.c */
862 if (expr
->op
== '=') {
863 match_vanilla_assign(left
, right
);
867 name
= expr_to_var_sym(left
, &sym
);
871 left_type
= get_type(left
);
872 right_type
= get_type(right
);
874 res_min
= sval_type_min(left_type
);
875 res_max
= sval_type_max(left_type
);
878 case SPECIAL_ADD_ASSIGN
:
879 get_absolute_max(left
, &left_max
);
880 get_absolute_max(right
, &right_max
);
881 if (sval_binop_overflows(left_max
, '+', right_max
))
883 if (get_implied_min(left
, &left_min
) &&
884 !sval_is_negative_min(left_min
) &&
885 get_implied_min(right
, &right_min
) &&
886 !sval_is_negative_min(right_min
)) {
887 res_min
= sval_binop(left_min
, '+', right_min
);
888 res_min
= sval_cast(right_type
, res_min
);
890 if (inside_loop()) /* we are assuming loops don't lead to wrapping */
892 res_max
= sval_binop(left_max
, '+', right_max
);
893 res_max
= sval_cast(right_type
, res_max
);
895 case SPECIAL_SUB_ASSIGN
:
896 if (get_implied_max(left
, &left_max
) &&
897 !sval_is_max(left_max
) &&
898 get_implied_min(right
, &right_min
) &&
899 !sval_is_min(right_min
)) {
900 res_max
= sval_binop(left_max
, '-', right_min
);
901 res_max
= sval_cast(right_type
, res_max
);
905 if (get_implied_min(left
, &left_min
) &&
906 !sval_is_min(left_min
) &&
907 get_implied_max(right
, &right_max
) &&
908 !sval_is_max(right_max
)) {
909 res_min
= sval_binop(left_min
, '-', right_max
);
910 res_min
= sval_cast(right_type
, res_min
);
913 case SPECIAL_AND_ASSIGN
:
914 case SPECIAL_MOD_ASSIGN
:
915 case SPECIAL_SHL_ASSIGN
:
916 case SPECIAL_SHR_ASSIGN
:
917 case SPECIAL_OR_ASSIGN
:
918 case SPECIAL_XOR_ASSIGN
:
919 case SPECIAL_MUL_ASSIGN
:
920 case SPECIAL_DIV_ASSIGN
:
921 binop_expr
= binop_expression(expr
->left
,
922 op_remove_assign(expr
->op
),
924 if (get_absolute_rl(binop_expr
, &rl
)) {
925 rl
= cast_rl(left_type
, rl
);
926 set_extra_mod(name
, sym
, alloc_estate_rl(rl
));
931 rl
= cast_rl(left_type
, alloc_rl(res_min
, res_max
));
932 set_extra_mod(name
, sym
, alloc_estate_rl(rl
));
937 static struct smatch_state
*increment_state(struct smatch_state
*state
)
939 sval_t min
= estate_min(state
);
940 sval_t max
= estate_max(state
);
942 if (!estate_rl(state
))
946 max
= sval_type_max(max
.type
);
948 if (!sval_is_min(min
) && !sval_is_max(min
))
950 if (!sval_is_min(max
) && !sval_is_max(max
))
952 return alloc_estate_range(min
, max
);
955 static struct smatch_state
*decrement_state(struct smatch_state
*state
)
957 sval_t min
= estate_min(state
);
958 sval_t max
= estate_max(state
);
960 if (!estate_rl(state
))
964 min
= sval_type_min(min
.type
);
966 if (!sval_is_min(min
) && !sval_is_max(min
))
968 if (!sval_is_min(max
) && !sval_is_max(max
))
970 return alloc_estate_range(min
, max
);
973 static void unop_expr(struct expression
*expr
)
975 struct smatch_state
*state
;
977 if (expr
->smatch_flags
& Handled
)
981 case SPECIAL_INCREMENT
:
982 state
= get_state_expr(SMATCH_EXTRA
, expr
->unop
);
983 state
= increment_state(state
);
985 state
= alloc_estate_whole(get_type(expr
));
986 set_extra_expr_mod(expr
->unop
, state
);
988 case SPECIAL_DECREMENT
:
989 state
= get_state_expr(SMATCH_EXTRA
, expr
->unop
);
990 state
= decrement_state(state
);
992 state
= alloc_estate_whole(get_type(expr
));
993 set_extra_expr_mod(expr
->unop
, state
);
1000 static void asm_expr(struct statement
*stmt
)
1003 struct expression
*expr
;
1004 struct symbol
*type
;
1007 FOR_EACH_PTR(stmt
->asm_outputs
, expr
) {
1009 case 0: /* identifier */
1010 case 1: /* constraint */
1013 case 2: /* expression */
1015 type
= get_type(strip_expr(expr
));
1016 set_extra_expr_mod(expr
, alloc_estate_whole(type
));
1019 } END_FOR_EACH_PTR(expr
);
1022 static void check_dereference(struct expression
*expr
)
1024 if (outside_of_function())
1026 set_extra_expr_nomod(expr
, alloc_estate_range(valid_ptr_min_sval
, valid_ptr_max_sval
));
1029 static void match_dereferences(struct expression
*expr
)
1031 if (expr
->type
!= EXPR_PREOP
)
1033 check_dereference(expr
->unop
);
1036 static void match_pointer_as_array(struct expression
*expr
)
1038 if (!is_array(expr
))
1040 check_dereference(get_array_base(expr
));
1043 static void set_param_dereferenced(struct expression
*arg
, char *key
, char *unused
)
1048 name
= get_variable_from_key(arg
, key
, &sym
);
1052 set_extra_nomod(name
, sym
, alloc_estate_range(valid_ptr_min_sval
, valid_ptr_max_sval
));
1058 static sval_t
add_one(sval_t sval
)
1064 static sval_t
sub_one(sval_t sval
)
1070 static void handle_comparison(struct symbol
*type
, struct expression
*left
, int op
, struct expression
*right
)
1072 struct range_list
*left_orig
;
1073 struct range_list
*left_true
;
1074 struct range_list
*left_false
;
1075 struct range_list
*right_orig
;
1076 struct range_list
*right_true
;
1077 struct range_list
*right_false
;
1078 struct smatch_state
*left_true_state
;
1079 struct smatch_state
*left_false_state
;
1080 struct smatch_state
*right_true_state
;
1081 struct smatch_state
*right_false_state
;
1082 sval_t min
, max
, dummy
, hard_max
;
1083 int left_postop
= 0;
1084 int right_postop
= 0;
1086 if (left
->op
== SPECIAL_INCREMENT
|| left
->op
== SPECIAL_DECREMENT
) {
1087 if (left
->type
== EXPR_POSTOP
) {
1088 left
->smatch_flags
|= Handled
;
1089 left_postop
= left
->op
;
1091 left
= strip_parens(left
->unop
);
1093 while (left
->type
== EXPR_ASSIGNMENT
)
1094 left
= strip_parens(left
->left
);
1096 if (right
->op
== SPECIAL_INCREMENT
|| right
->op
== SPECIAL_DECREMENT
) {
1097 if (right
->type
== EXPR_POSTOP
) {
1098 right
->smatch_flags
|= Handled
;
1099 right_postop
= right
->op
;
1101 right
= strip_parens(right
->unop
);
1104 /* FIXME: we should be able to use get_real_absolute_rl() here but
1105 * apparently that is buggy.
1107 get_absolute_rl(left
, &left_orig
);
1108 left_orig
= cast_rl(type
, left_orig
);
1110 get_absolute_rl(right
, &right_orig
);
1111 right_orig
= cast_rl(type
, right_orig
);
1113 min
= sval_type_min(type
);
1114 max
= sval_type_max(type
);
1116 left_true
= clone_rl(left_orig
);
1117 left_false
= clone_rl(left_orig
);
1118 right_true
= clone_rl(right_orig
);
1119 right_false
= clone_rl(right_orig
);
1123 case SPECIAL_UNSIGNED_LT
:
1124 left_true
= remove_range(left_orig
, rl_max(right_orig
), max
);
1125 if (!sval_is_min(rl_min(right_orig
))) {
1126 left_false
= remove_range(left_orig
, min
, sub_one(rl_min(right_orig
)));
1129 right_true
= remove_range(right_orig
, min
, rl_min(left_orig
));
1130 if (!sval_is_max(rl_max(left_orig
)))
1131 right_false
= remove_range(right_orig
, add_one(rl_max(left_orig
)), max
);
1133 case SPECIAL_UNSIGNED_LTE
:
1135 if (!sval_is_max(rl_max(right_orig
)))
1136 left_true
= remove_range(left_orig
, add_one(rl_max(right_orig
)), max
);
1137 left_false
= remove_range(left_orig
, min
, rl_min(right_orig
));
1139 if (!sval_is_min(rl_min(left_orig
)))
1140 right_true
= remove_range(right_orig
, min
, sub_one(rl_min(left_orig
)));
1141 right_false
= remove_range(right_orig
, rl_max(left_orig
), max
);
1143 if (sval_cmp(rl_min(left_orig
), rl_min(right_orig
)) == 0)
1144 left_false
= remove_range(left_false
, rl_min(left_orig
), rl_min(left_orig
));
1145 if (sval_cmp(rl_max(left_orig
), rl_max(right_orig
)) == 0)
1146 right_false
= remove_range(right_false
, rl_max(left_orig
), rl_max(left_orig
));
1149 if (!sval_is_max(rl_max(right_orig
))) {
1150 left_true
= remove_range(left_true
, add_one(rl_max(right_orig
)), max
);
1152 if (!sval_is_min(rl_min(right_orig
))) {
1153 left_true
= remove_range(left_true
, min
, sub_one(rl_min(right_orig
)));
1155 if (sval_cmp(rl_min(right_orig
), rl_max(right_orig
)) == 0)
1156 left_false
= remove_range(left_orig
, rl_min(right_orig
), rl_min(right_orig
));
1158 if (!sval_is_max(rl_max(left_orig
)))
1159 right_true
= remove_range(right_true
, add_one(rl_max(left_orig
)), max
);
1160 if (!sval_is_min(rl_min(left_orig
)))
1161 right_true
= remove_range(right_true
, min
, sub_one(rl_min(left_orig
)));
1162 if (sval_cmp(rl_min(left_orig
), rl_max(left_orig
)) == 0)
1163 right_false
= remove_range(right_orig
, rl_min(left_orig
), rl_min(left_orig
));
1165 case SPECIAL_UNSIGNED_GTE
:
1167 if (!sval_is_min(rl_min(right_orig
)))
1168 left_true
= remove_range(left_orig
, min
, sub_one(rl_min(right_orig
)));
1169 left_false
= remove_range(left_orig
, rl_max(right_orig
), max
);
1171 if (!sval_is_max(rl_max(left_orig
)))
1172 right_true
= remove_range(right_orig
, add_one(rl_max(left_orig
)), max
);
1173 right_false
= remove_range(right_orig
, min
, rl_min(left_orig
));
1175 if (sval_cmp(rl_min(left_orig
), rl_min(right_orig
)) == 0)
1176 right_false
= remove_range(right_false
, rl_min(left_orig
), rl_min(left_orig
));
1177 if (sval_cmp(rl_max(left_orig
), rl_max(right_orig
)) == 0)
1178 left_false
= remove_range(left_false
, rl_max(left_orig
), rl_max(left_orig
));
1181 case SPECIAL_UNSIGNED_GT
:
1182 left_true
= remove_range(left_orig
, min
, rl_min(right_orig
));
1183 if (!sval_is_max(rl_max(right_orig
)))
1184 left_false
= remove_range(left_orig
, add_one(rl_max(right_orig
)), max
);
1186 right_true
= remove_range(right_orig
, rl_max(left_orig
), max
);
1187 if (!sval_is_min(rl_min(left_orig
)))
1188 right_false
= remove_range(right_orig
, min
, sub_one(rl_min(left_orig
)));
1190 case SPECIAL_NOTEQUAL
:
1191 if (!sval_is_max(rl_max(right_orig
)))
1192 left_false
= remove_range(left_false
, add_one(rl_max(right_orig
)), max
);
1193 if (!sval_is_min(rl_min(right_orig
)))
1194 left_false
= remove_range(left_false
, min
, sub_one(rl_min(right_orig
)));
1195 if (sval_cmp(rl_min(right_orig
), rl_max(right_orig
)) == 0)
1196 left_true
= remove_range(left_orig
, rl_min(right_orig
), rl_min(right_orig
));
1198 if (!sval_is_max(rl_max(left_orig
)))
1199 right_false
= remove_range(right_false
, add_one(rl_max(left_orig
)), max
);
1200 if (!sval_is_min(rl_min(left_orig
)))
1201 right_false
= remove_range(right_false
, min
, sub_one(rl_min(left_orig
)));
1202 if (sval_cmp(rl_min(left_orig
), rl_max(left_orig
)) == 0)
1203 right_true
= remove_range(right_orig
, rl_min(left_orig
), rl_min(left_orig
));
1209 left_true
= rl_truncate_cast(get_type(strip_expr(left
)), left_true
);
1210 left_false
= rl_truncate_cast(get_type(strip_expr(left
)), left_false
);
1211 right_true
= rl_truncate_cast(get_type(strip_expr(right
)), right_true
);
1212 right_false
= rl_truncate_cast(get_type(strip_expr(right
)), right_false
);
1214 left_true_state
= alloc_estate_rl(left_true
);
1215 left_false_state
= alloc_estate_rl(left_false
);
1216 right_true_state
= alloc_estate_rl(right_true
);
1217 right_false_state
= alloc_estate_rl(right_false
);
1221 case SPECIAL_UNSIGNED_LT
:
1222 case SPECIAL_UNSIGNED_LTE
:
1224 if (get_hard_max(right
, &dummy
))
1225 estate_set_hard_max(left_true_state
);
1226 if (get_hard_max(left
, &dummy
))
1227 estate_set_hard_max(right_false_state
);
1230 case SPECIAL_UNSIGNED_GT
:
1231 case SPECIAL_UNSIGNED_GTE
:
1233 if (get_hard_max(left
, &dummy
))
1234 estate_set_hard_max(right_true_state
);
1235 if (get_hard_max(right
, &dummy
))
1236 estate_set_hard_max(left_false_state
);
1242 case SPECIAL_UNSIGNED_LT
:
1243 case SPECIAL_UNSIGNED_LTE
:
1245 if (get_hard_max(right
, &hard_max
)) {
1246 if (op
== '<' || op
== SPECIAL_UNSIGNED_LT
)
1248 estate_set_fuzzy_max(left_true_state
, hard_max
);
1250 if (get_implied_value(right
, &hard_max
)) {
1251 if (op
== SPECIAL_UNSIGNED_LTE
||
1254 estate_set_fuzzy_max(left_false_state
, hard_max
);
1256 if (get_hard_max(left
, &hard_max
)) {
1257 if (op
== SPECIAL_UNSIGNED_LTE
||
1260 estate_set_fuzzy_max(right_false_state
, hard_max
);
1262 if (get_implied_value(left
, &hard_max
)) {
1263 if (op
== '<' || op
== SPECIAL_UNSIGNED_LT
)
1265 estate_set_fuzzy_max(right_true_state
, hard_max
);
1269 case SPECIAL_UNSIGNED_GT
:
1270 case SPECIAL_UNSIGNED_GTE
:
1272 if (get_hard_max(left
, &hard_max
)) {
1273 if (op
== '>' || op
== SPECIAL_UNSIGNED_GT
)
1275 estate_set_fuzzy_max(right_true_state
, hard_max
);
1277 if (get_implied_value(left
, &hard_max
)) {
1278 if (op
== SPECIAL_UNSIGNED_GTE
||
1281 estate_set_fuzzy_max(right_false_state
, hard_max
);
1283 if (get_hard_max(right
, &hard_max
)) {
1284 if (op
== SPECIAL_UNSIGNED_LTE
||
1287 estate_set_fuzzy_max(left_false_state
, hard_max
);
1289 if (get_implied_value(right
, &hard_max
)) {
1291 op
== SPECIAL_UNSIGNED_GT
)
1293 estate_set_fuzzy_max(left_true_state
, hard_max
);
1297 if (get_hard_max(left
, &hard_max
))
1298 estate_set_fuzzy_max(right_true_state
, hard_max
);
1299 if (get_hard_max(right
, &hard_max
))
1300 estate_set_fuzzy_max(left_true_state
, hard_max
);
1304 if (get_hard_max(left
, &hard_max
)) {
1305 estate_set_hard_max(left_true_state
);
1306 estate_set_hard_max(left_false_state
);
1308 if (get_hard_max(right
, &hard_max
)) {
1309 estate_set_hard_max(right_true_state
);
1310 estate_set_hard_max(right_false_state
);
1313 if (left_postop
== SPECIAL_INCREMENT
) {
1314 left_true_state
= increment_state(left_true_state
);
1315 left_false_state
= increment_state(left_false_state
);
1317 if (left_postop
== SPECIAL_DECREMENT
) {
1318 left_true_state
= decrement_state(left_true_state
);
1319 left_false_state
= decrement_state(left_false_state
);
1321 if (right_postop
== SPECIAL_INCREMENT
) {
1322 right_true_state
= increment_state(right_true_state
);
1323 right_false_state
= increment_state(right_false_state
);
1325 if (right_postop
== SPECIAL_DECREMENT
) {
1326 right_true_state
= decrement_state(right_true_state
);
1327 right_false_state
= decrement_state(right_false_state
);
1330 if (estate_rl(left_true_state
) && estates_equiv(left_true_state
, left_false_state
)) {
1331 left_true_state
= NULL
;
1332 left_false_state
= NULL
;
1335 if (estate_rl(right_true_state
) && estates_equiv(right_true_state
, right_false_state
)) {
1336 right_true_state
= NULL
;
1337 right_false_state
= NULL
;
1340 set_extra_expr_true_false(left
, left_true_state
, left_false_state
);
1341 set_extra_expr_true_false(right
, right_true_state
, right_false_state
);
1344 static int is_simple_math(struct expression
*expr
)
1348 if (expr
->type
!= EXPR_BINOP
)
1359 static void move_known_values(struct expression
**left_p
, struct expression
**right_p
)
1361 struct expression
*left
= *left_p
;
1362 struct expression
*right
= *right_p
;
1365 if (get_implied_value(left
, &sval
)) {
1366 if (!is_simple_math(right
))
1368 if (right
->op
== '*') {
1371 if (!get_value(right
->right
, &divisor
))
1373 if (divisor
.value
== 0 && sval
.value
% divisor
.value
)
1375 *left_p
= binop_expression(left
, invert_op(right
->op
), right
->right
);
1376 *right_p
= right
->left
;
1379 if (right
->op
== '+' && get_value(right
->left
, &sval
)) {
1380 *left_p
= binop_expression(left
, invert_op(right
->op
), right
->left
);
1381 *right_p
= right
->right
;
1384 if (get_value(right
->right
, &sval
)) {
1385 *left_p
= binop_expression(left
, invert_op(right
->op
), right
->right
);
1386 *right_p
= right
->left
;
1391 if (get_implied_value(right
, &sval
)) {
1392 if (!is_simple_math(left
))
1394 if (left
->op
== '*') {
1397 if (!get_value(left
->right
, &divisor
))
1399 if (divisor
.value
== 0 && sval
.value
% divisor
.value
)
1401 *right_p
= binop_expression(right
, invert_op(left
->op
), left
->right
);
1402 *left_p
= left
->left
;
1405 if (left
->op
== '+' && get_value(left
->left
, &sval
)) {
1406 *right_p
= binop_expression(right
, invert_op(left
->op
), left
->left
);
1407 *left_p
= left
->right
;
1411 if (get_value(left
->right
, &sval
)) {
1412 *right_p
= binop_expression(right
, invert_op(left
->op
), left
->right
);
1413 *left_p
= left
->left
;
1420 static int match_func_comparison(struct expression
*expr
)
1422 struct expression
*left
= strip_expr(expr
->left
);
1423 struct expression
*right
= strip_expr(expr
->right
);
1427 * fixme: think about this harder. We should always be trying to limit
1428 * the non-call side as well. If we can't determine the limitter does
1429 * that mean we aren't querying the database and are missing important
1433 if (left
->type
== EXPR_CALL
) {
1434 if (get_implied_value(left
, &sval
)) {
1435 handle_comparison(get_type(expr
), left
, expr
->op
, right
);
1438 function_comparison(left
, expr
->op
, right
);
1442 if (right
->type
== EXPR_CALL
) {
1443 if (get_implied_value(right
, &sval
)) {
1444 handle_comparison(get_type(expr
), left
, expr
->op
, right
);
1447 function_comparison(left
, expr
->op
, right
);
1454 static void match_comparison(struct expression
*expr
)
1456 struct expression
*left_orig
= strip_parens(expr
->left
);
1457 struct expression
*right_orig
= strip_parens(expr
->right
);
1458 struct expression
*left
, *right
;
1459 struct expression
*prev
;
1460 struct symbol
*type
;
1462 if (match_func_comparison(expr
))
1465 type
= get_type(expr
);
1467 type
= &llong_ctype
;
1471 move_known_values(&left
, &right
);
1472 handle_comparison(type
, left
, expr
->op
, right
);
1474 prev
= get_assigned_expr(left_orig
);
1475 if (is_simple_math(prev
) && has_variable(prev
, left_orig
) == 0) {
1478 move_known_values(&left
, &right
);
1479 handle_comparison(type
, left
, expr
->op
, right
);
1482 prev
= get_assigned_expr(right_orig
);
1483 if (is_simple_math(prev
) && has_variable(prev
, right_orig
) == 0) {
1486 move_known_values(&left
, &right
);
1487 handle_comparison(type
, left
, expr
->op
, right
);
1491 static void handle_AND_condition(struct expression
*expr
)
1493 struct range_list
*rl
= NULL
;
1496 if (get_implied_value(expr
->left
, &known
) && known
.value
> 0) {
1498 get_absolute_rl(expr
->right
, &rl
);
1499 rl
= remove_range(rl
, sval_type_val(known
.type
, 0), known
);
1500 set_extra_expr_true_false(expr
->right
, alloc_estate_rl(rl
), NULL
);
1504 if (get_implied_value(expr
->right
, &known
) && known
.value
> 0) {
1506 get_absolute_rl(expr
->left
, &rl
);
1507 rl
= remove_range(rl
, sval_type_val(known
.type
, 0), known
);
1508 set_extra_expr_true_false(expr
->left
, alloc_estate_rl(rl
), NULL
);
1513 /* this is actually hooked from smatch_implied.c... it's hacky, yes */
1514 void __extra_match_condition(struct expression
*expr
)
1516 struct smatch_state
*pre_state
;
1517 struct smatch_state
*true_state
;
1518 struct smatch_state
*false_state
;
1520 expr
= strip_expr(expr
);
1521 switch (expr
->type
) {
1523 function_comparison(expr
, SPECIAL_NOTEQUAL
, zero_expr());
1530 zero
= sval_blank(expr
);
1533 pre_state
= get_extra_state(expr
);
1534 true_state
= estate_filter_sval(pre_state
, zero
);
1535 if (possibly_true(expr
, SPECIAL_EQUAL
, zero_expr()))
1536 false_state
= alloc_estate_sval(zero
);
1538 false_state
= alloc_estate_empty();
1539 set_extra_expr_true_false(expr
, true_state
, false_state
);
1543 match_comparison(expr
);
1545 case EXPR_ASSIGNMENT
:
1546 __extra_match_condition(expr
->left
);
1549 if (expr
->op
== '&')
1550 handle_AND_condition(expr
);
1555 static void assume_indexes_are_valid(struct expression
*expr
)
1557 struct expression
*array_expr
;
1559 struct expression
*offset
;
1560 struct symbol
*offset_type
;
1561 struct range_list
*rl_before
;
1562 struct range_list
*rl_after
;
1563 struct range_list
*filter
= NULL
;
1566 expr
= strip_expr(expr
);
1567 if (!is_array(expr
))
1570 offset
= get_array_offset(expr
);
1571 offset_type
= get_type(offset
);
1572 if (offset_type
&& type_signed(offset_type
)) {
1573 filter
= alloc_rl(sval_type_min(offset_type
),
1574 sval_type_val(offset_type
, -1));
1577 array_expr
= get_array_base(expr
);
1578 array_size
= get_real_array_size(array_expr
);
1579 if (array_size
> 1) {
1580 size
= sval_type_val(offset_type
, array_size
);
1581 add_range(&filter
, size
, sval_type_max(offset_type
));
1586 get_absolute_rl(offset
, &rl_before
);
1587 rl_after
= rl_filter(rl_before
, filter
);
1588 if (rl_equiv(rl_before
, rl_after
))
1590 set_extra_expr_nomod(offset
, alloc_estate_rl(rl_after
));
1593 /* returns 1 if it is not possible for expr to be value, otherwise returns 0 */
1594 int implied_not_equal(struct expression
*expr
, long long val
)
1596 return !possibly_false(expr
, SPECIAL_NOTEQUAL
, value_expr(val
));
1599 int implied_not_equal_name_sym(char *name
, struct symbol
*sym
, long long val
)
1601 struct smatch_state
*estate
;
1603 estate
= get_state(SMATCH_EXTRA
, name
, sym
);
1606 if (!rl_has_sval(estate_rl(estate
), sval_type_val(estate_type(estate
), 0)))
1611 int parent_is_null_var_sym(const char *name
, struct symbol
*sym
)
1616 struct smatch_state
*state
;
1618 strncpy(buf
, name
, sizeof(buf
) - 1);
1619 buf
[sizeof(buf
) - 1] = '\0';
1622 while (*start
== '*') {
1624 state
= get_state(SMATCH_EXTRA
, start
, sym
);
1627 if (!estate_rl(state
))
1629 if (estate_min(state
).value
== 0 &&
1630 estate_max(state
).value
== 0)
1635 while (*start
== '&')
1638 while ((end
= strrchr(start
, '-'))) {
1640 state
= get_state(SMATCH_EXTRA
, start
, sym
);
1643 if (estate_min(state
).value
== 0 &&
1644 estate_max(state
).value
== 0)
1650 int parent_is_null(struct expression
*expr
)
1656 expr
= strip_expr(expr
);
1657 var
= expr_to_var_sym(expr
, &sym
);
1660 ret
= parent_is_null_var_sym(var
, sym
);
1666 static int param_used_callback(void *found
, int argc
, char **argv
, char **azColName
)
1672 static int filter_unused_kzalloc_info(struct expression
*call
, int param
, char *printed_name
, struct sm_state
*sm
)
1677 /* for function pointers assume everything is used */
1678 if (call
->fn
->type
!= EXPR_SYMBOL
)
1682 * kzalloc() information is treated as special because so there is just
1683 * a lot of stuff initialized to zero and it makes building the database
1684 * take hours and hours.
1686 * In theory, we should just remove this line and not pass any unused
1687 * information, but I'm not sure enough that this code works so I want
1688 * to hold off on that for now.
1690 if (!estate_get_single_value(sm
->state
, &sval
) || sval
.value
!= 0)
1693 run_sql(¶m_used_callback
, &found
,
1694 "select * from call_implies where %s and type = %d and parameter = %d and key = '%s';",
1695 get_static_filter(call
->fn
->symbol
), PARAM_USED
, param
, printed_name
);
1699 /* If the database is not built yet, then assume everything is used */
1700 run_sql(¶m_used_callback
, &found
,
1701 "select * from call_implies where %s and type = %d;",
1702 get_static_filter(call
->fn
->symbol
), PARAM_USED
);
1709 static void struct_member_callback(struct expression
*call
, int param
, char *printed_name
, struct sm_state
*sm
)
1711 if (estate_is_whole(sm
->state
))
1713 if (filter_unused_kzalloc_info(call
, param
, printed_name
, sm
))
1715 sql_insert_caller_info(call
, PARAM_VALUE
, param
, printed_name
, sm
->state
->name
);
1716 if (estate_has_fuzzy_max(sm
->state
))
1717 sql_insert_caller_info(call
, FUZZY_MAX
, param
, printed_name
,
1718 sval_to_str(estate_get_fuzzy_max(sm
->state
)));
1721 static void returned_struct_members(int return_id
, char *return_ranges
, struct expression
*expr
)
1723 struct symbol
*returned_sym
;
1724 struct sm_state
*sm
;
1725 const char *param_name
;
1729 returned_sym
= expr_to_sym(expr
);
1733 FOR_EACH_MY_SM(my_id
, __get_cur_stree(), sm
) {
1734 if (!estate_rl(sm
->state
))
1736 if (returned_sym
!= sm
->sym
)
1739 param_name
= get_param_name(sm
);
1742 if (strcmp(param_name
, "$") == 0)
1744 compare_str
= name_sym_to_param_comparison(sm
->name
, sm
->sym
);
1745 if (!compare_str
&& estate_is_whole(sm
->state
))
1747 snprintf(buf
, sizeof(buf
), "%s%s", sm
->state
->name
, compare_str
?: "");
1749 sql_insert_return_states(return_id
, return_ranges
, PARAM_VALUE
,
1750 -1, param_name
, buf
);
1751 } END_FOR_EACH_SM(sm
);
1754 static void db_limited_before(void)
1756 unmatched_stree
= clone_stree(__get_cur_stree());
1759 static void db_limited_after(void)
1761 free_stree(&unmatched_stree
);
1764 static void db_param_limit_filter(struct expression
*expr
, int param
, char *key
, char *value
, enum info_type op
)
1766 struct expression
*arg
;
1769 struct sm_state
*sm
;
1770 struct symbol
*compare_type
, *var_type
;
1771 struct range_list
*rl
;
1772 struct range_list
*limit
;
1773 struct range_list
*new;
1775 while (expr
->type
== EXPR_ASSIGNMENT
)
1776 expr
= strip_expr(expr
->right
);
1777 if (expr
->type
!= EXPR_CALL
)
1780 arg
= get_argument_from_call_expr(expr
->args
, param
);
1784 name
= get_variable_from_key(arg
, key
, &sym
);
1788 if (strcmp(key
, "$") == 0)
1789 compare_type
= get_arg_type(expr
->fn
, param
);
1791 compare_type
= get_member_type_from_key(arg
, key
);
1793 sm
= get_sm_state(SMATCH_EXTRA
, name
, sym
);
1795 rl
= estate_rl(sm
->state
);
1797 rl
= alloc_whole_rl(compare_type
);
1799 call_results_to_rl(expr
, compare_type
, value
, &limit
);
1800 new = rl_intersection(rl
, limit
);
1802 var_type
= get_member_type_from_key(arg
, key
);
1803 new = cast_rl(var_type
, new);
1805 /* We want to preserve the implications here */
1806 if (sm
&& rl_equiv(estate_rl(sm
->state
), new))
1809 if (op
== PARAM_LIMIT
)
1810 set_extra_nomod(name
, sym
, alloc_estate_rl(new));
1812 set_extra_mod(name
, sym
, alloc_estate_rl(new));
1819 static void db_param_limit(struct expression
*expr
, int param
, char *key
, char *value
)
1821 db_param_limit_filter(expr
, param
, key
, value
, PARAM_LIMIT
);
1824 static void db_param_filter(struct expression
*expr
, int param
, char *key
, char *value
)
1826 db_param_limit_filter(expr
, param
, key
, value
, PARAM_FILTER
);
1829 static void db_param_add_set(struct expression
*expr
, int param
, char *key
, char *value
, enum info_type op
)
1831 struct expression
*arg
;
1834 struct symbol
*type
;
1835 struct smatch_state
*state
;
1836 struct range_list
*new = NULL
;
1837 struct range_list
*added
= NULL
;
1839 while (expr
->type
== EXPR_ASSIGNMENT
)
1840 expr
= strip_expr(expr
->right
);
1841 if (expr
->type
!= EXPR_CALL
)
1844 arg
= get_argument_from_call_expr(expr
->args
, param
);
1847 type
= get_member_type_from_key(arg
, key
);
1848 name
= get_variable_from_key(arg
, key
, &sym
);
1852 state
= get_state(SMATCH_EXTRA
, name
, sym
);
1854 new = estate_rl(state
);
1856 call_results_to_rl(expr
, type
, value
, &added
);
1858 if (op
== PARAM_SET
)
1861 new = rl_union(new, added
);
1863 set_extra_mod(name
, sym
, alloc_estate_rl(new));
1868 static void db_param_add(struct expression
*expr
, int param
, char *key
, char *value
)
1870 db_param_add_set(expr
, param
, key
, value
, PARAM_ADD
);
1873 static void db_param_set(struct expression
*expr
, int param
, char *key
, char *value
)
1875 db_param_add_set(expr
, param
, key
, value
, PARAM_SET
);
1878 static void db_param_value(struct expression
*expr
, int param
, char *key
, char *value
)
1880 struct expression
*call
;
1883 struct symbol
*type
;
1884 struct range_list
*rl
= NULL
;
1890 while (call
->type
== EXPR_ASSIGNMENT
)
1891 call
= strip_expr(call
->right
);
1892 if (call
->type
!= EXPR_CALL
)
1895 type
= get_member_type_from_key(expr
->left
, key
);
1896 name
= get_variable_from_key(expr
->left
, key
, &sym
);
1900 call_results_to_rl(call
, type
, value
, &rl
);
1902 set_extra_mod(name
, sym
, alloc_estate_rl(rl
));
1907 static void match_call_info(struct expression
*expr
)
1909 struct smatch_state
*state
;
1910 struct range_list
*rl
= NULL
;
1911 struct expression
*arg
;
1912 struct symbol
*type
;
1915 FOR_EACH_PTR(expr
->args
, arg
) {
1916 type
= get_arg_type(expr
->fn
, i
);
1918 if (get_implied_rl(arg
, &rl
))
1919 rl
= cast_rl(type
, rl
);
1921 rl
= cast_rl(type
, alloc_whole_rl(get_type(arg
)));
1923 if (!is_whole_rl(rl
))
1924 sql_insert_caller_info(expr
, PARAM_VALUE
, i
, "$", show_rl(rl
));
1925 state
= get_state_expr(SMATCH_EXTRA
, arg
);
1926 if (estate_has_fuzzy_max(state
)) {
1927 sql_insert_caller_info(expr
, FUZZY_MAX
, i
, "$",
1928 sval_to_str(estate_get_fuzzy_max(state
)));
1931 } END_FOR_EACH_PTR(arg
);
1934 static void set_param_value(const char *name
, struct symbol
*sym
, char *key
, char *value
)
1936 struct range_list
*rl
= NULL
;
1937 struct smatch_state
*state
;
1938 struct symbol
*type
;
1941 if (strcmp(key
, "*$") == 0)
1942 snprintf(fullname
, sizeof(fullname
), "*%s", name
);
1943 else if (strncmp(key
, "$", 1) == 0)
1944 snprintf(fullname
, 256, "%s%s", name
, key
+ 1);
1948 type
= get_member_type_from_key(symbol_expression(sym
), key
);
1949 str_to_rl(type
, value
, &rl
);
1950 state
= alloc_estate_rl(rl
);
1951 set_state(SMATCH_EXTRA
, fullname
, sym
, state
);
1954 static void set_param_hard_max(const char *name
, struct symbol
*sym
, char *key
, char *value
)
1956 struct range_list
*rl
= NULL
;
1957 struct smatch_state
*state
;
1958 struct symbol
*type
;
1962 if (strcmp(key
, "*$") == 0)
1963 snprintf(fullname
, sizeof(fullname
), "*%s", name
);
1964 else if (strncmp(key
, "$", 1) == 0)
1965 snprintf(fullname
, 256, "%s%s", name
, key
+ 1);
1969 state
= get_state(SMATCH_EXTRA
, fullname
, sym
);
1972 type
= get_member_type_from_key(symbol_expression(sym
), key
);
1973 str_to_rl(type
, value
, &rl
);
1974 if (!rl_to_sval(rl
, &max
))
1976 estate_set_fuzzy_max(state
, max
);
1979 struct smatch_state
*get_extra_state(struct expression
*expr
)
1983 struct smatch_state
*ret
= NULL
;
1984 struct range_list
*rl
;
1986 if (is_pointer(expr
) && get_address_rl(expr
, &rl
))
1987 return alloc_estate_rl(rl
);
1989 name
= expr_to_known_chunk_sym(expr
, &sym
);
1993 ret
= get_state(SMATCH_EXTRA
, name
, sym
);
1999 void register_smatch_extra(int id
)
2003 add_merge_hook(my_id
, &merge_estates
);
2004 add_unmatched_state_hook(my_id
, &unmatched_state
);
2005 select_caller_info_hook(set_param_value
, PARAM_VALUE
);
2006 select_caller_info_hook(set_param_hard_max
, FUZZY_MAX
);
2007 select_return_states_before(&db_limited_before
);
2008 select_return_states_hook(PARAM_LIMIT
, &db_param_limit
);
2009 select_return_states_hook(PARAM_FILTER
, &db_param_filter
);
2010 select_return_states_hook(PARAM_ADD
, &db_param_add
);
2011 select_return_states_hook(PARAM_SET
, &db_param_set
);
2012 select_return_states_hook(PARAM_VALUE
, &db_param_value
);
2013 select_return_states_after(&db_limited_after
);
2016 static void match_link_modify(struct sm_state
*sm
, struct expression
*mod_expr
)
2018 struct var_sym_list
*links
;
2019 struct var_sym
*tmp
;
2020 struct smatch_state
*state
;
2022 links
= sm
->state
->data
;
2024 FOR_EACH_PTR(links
, tmp
) {
2025 state
= get_state(SMATCH_EXTRA
, tmp
->var
, tmp
->sym
);
2028 set_state(SMATCH_EXTRA
, tmp
->var
, tmp
->sym
, alloc_estate_whole(estate_type(state
)));
2029 } END_FOR_EACH_PTR(tmp
);
2030 set_state(link_id
, sm
->name
, sm
->sym
, &undefined
);
2033 void register_smatch_extra_links(int id
)
2038 void register_smatch_extra_late(int id
)
2040 add_merge_hook(link_id
, &merge_link_states
);
2041 add_modification_hook(link_id
, &match_link_modify
);
2042 add_hook(&match_dereferences
, DEREF_HOOK
);
2043 add_hook(&match_pointer_as_array
, OP_HOOK
);
2044 select_call_implies_hook(DEREFERENCE
, &set_param_dereferenced
);
2045 add_hook(&match_function_call
, FUNCTION_CALL_HOOK
);
2046 add_hook(&match_assign
, ASSIGNMENT_HOOK
);
2047 add_hook(&match_assign
, GLOBAL_ASSIGNMENT_HOOK
);
2048 add_hook(&unop_expr
, OP_HOOK
);
2049 add_hook(&asm_expr
, ASM_HOOK
);
2050 add_untracked_param_hook(&match_untracked_array
);
2052 add_hook(&match_call_info
, FUNCTION_CALL_HOOK
);
2053 add_member_info_callback(my_id
, struct_member_callback
);
2054 add_split_return_callback(&returned_struct_members
);
2056 add_hook(&assume_indexes_are_valid
, OP_HOOK
);
