search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
comparison: select the caller_info
[smatch.git] / smatch_param_cleared.c
blob633fc2402b1d4f50f7bc3cb08111da59fe35d360
1 /*
2 * Copyright (C) 2012 Oracle.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * This works together with smatch_clear_buffer.c. This one is only for
20 * tracking the information and smatch_clear_buffer.c changes SMATCH_EXTRA.
21 *
22 * This tracks functions like memset() which clear out a chunk of memory.
23 * It fills in a gap that smatch_param_set.c can't handle. It only handles
24 * void pointers because smatch_param_set.c should handle the rest. Oh. And
25 * also it handles arrays because Smatch sucks at handling arrays.
26 */
27
28 #include "scope.h"
29 #include "smatch.h"
30 #include "smatch_slist.h"
31 #include "smatch_extra.h"
32
33 static int my_id;
34
35 STATE(cleared);
36 STATE(zeroed);
37
38 static void db_param_cleared(struct expression *expr, int param, char *key, char *value)
39 {
40 struct expression *arg;
41 char *name;
42 struct symbol *sym;
43
44 while (expr->type == EXPR_ASSIGNMENT)
45 expr = strip_expr(expr->right);
46 if (expr->type != EXPR_CALL)
47 return;
48
49 arg = get_argument_from_call_expr(expr->args, param);
50 arg = strip_expr(arg);
51 name = get_variable_from_key(arg, key, &sym);
52 if (!name || !sym)
53 goto free;
54
55 if (strcmp(value, "0") == 0)
56 set_state(my_id, name, sym, &zeroed);
57 else
58 set_state(my_id, name, sym, &cleared);
59 free:
60 free_string(name);
61 }
62
63 static void match_memset(const char *fn, struct expression *expr, void *arg)
64 {
65 db_param_cleared(expr, PTR_INT(arg), (char *)"$", (char *)"0");
66 }
67
68 static void match_memcpy(const char *fn, struct expression *expr, void *arg)
69 {
70 db_param_cleared(expr, PTR_INT(arg), (char *)"$", (char *)"");
71 }
72
73 static void print_return_value_param(int return_id, char *return_ranges, struct expression *expr)
74 {
75 struct stree *stree;
76 struct sm_state *sm;
77 int param;
78 const char *param_name;
79
80 stree = __get_cur_stree();
81
82 FOR_EACH_MY_SM(my_id, stree, sm) {
83 param = get_param_num_from_sym(sm->sym);
84 if (param < 0)
85 continue;
86
87 param_name = get_param_name(sm);
88 if (!param_name)
89 continue;
90
91 if (sm->state == &zeroed) {
92 sql_insert_return_states(return_id, return_ranges,
93 PARAM_CLEARED, param, param_name, "0");
94 }
95
96 if (sm->state == &cleared) {
97 sql_insert_return_states(return_id, return_ranges,
98 PARAM_CLEARED, param, param_name, "");
99 }
100 } END_FOR_EACH_SM(sm);
101 }
102
103 bool parent_was_PARAM_CLEAR(const char *name, struct symbol *sym)
104 {
105 struct sm_state *sm;
106 char buf[80];
107 int len, i;
108
109 if (!name)
110 return 0;
111
112 len = strlen(name);
113 if (len >= sizeof(buf))
114 len = sizeof(buf) - 1;
115
116 for (i = len - 2; i >= 1; i--) {
117 if (name[i] != '-' && name[i] != '.')
118 continue;
119
120 memcpy(buf, name, i);
121 buf[i] = '\0';
122 sm = get_sm_state(my_id, buf, sym);
123 if (sm && sm->state == &cleared)
124 return true;
125 if (sm)
126 return false;
127
128 buf[0] = '&';
129 memcpy(buf + 1, name, i);
130 buf[i + 1] = '\0';
131 sm = get_sm_state(my_id, buf, sym);
132 if (sm && sm->state == &cleared)
133 return true;
134 if (sm)
135 return false;
136 }
137
138 return false;
139 }
140
141 bool parent_was_PARAM_CLEAR_ZERO(const char *name, struct symbol *sym)
142 {
143 struct sm_state *sm;
144 char buf[80];
145 int len, i;
146
147 if (!name)
148 return 0;
149
150 len = strlen(name);
151 if (len >= sizeof(buf))
152 len = sizeof(buf) - 1;
153
154 for (i = len - 2; i >= 1; i--) {
155 if (name[i] != '-' && name[i] != '.')
156 continue;
157
158 memcpy(buf, name, i);
159 buf[i] = '\0';
160 sm = get_sm_state(my_id, buf, sym);
161 if (sm && sm->state == &zeroed)
162 return true;
163 if (sm)
164 return false;
165
166 buf[0] = '&';
167 memcpy(buf + 1, name, i);
168 buf[i + 1] = '\0';
169 sm = get_sm_state(my_id, buf, sym);
170 if (sm && sm->state == &zeroed)
171 return true;
172 if (sm)
173 return false;
174 }
175
176 return false;
177 }
178
179 static void register_clears_param(void)
180 {
181 struct token *token;
182 char name[256];
183 const char *function;
184 int param;
185
186 if (option_project == PROJ_NONE)
187 return;
188
189 snprintf(name, 256, "%s.clears_argument", option_project_str);
190
191 token = get_tokens_file(name);
192 if (!token)
193 return;
194 if (token_type(token) != TOKEN_STREAMBEGIN)
195 return;
196 token = token->next;
197 while (token_type(token) != TOKEN_STREAMEND) {
198 if (token_type(token) != TOKEN_IDENT)
199 return;
200 function = show_ident(token->ident);
201 token = token->next;
202 if (token_type(token) != TOKEN_NUMBER)
203 return;
204 param = atoi(token->number);
205 add_function_hook(function, &match_memcpy, INT_PTR(param));
206 token = token->next;
207 }
208 clear_token_alloc();
209 }
210
211 #define USB_DIR_IN 0x80
212 static void match_usb_control_msg(const char *fn, struct expression *expr, void *_size_arg)
213 {
214 struct expression *inout;
215 sval_t sval;
216
217 inout = get_argument_from_call_expr(expr->args, 3);
218
219 if (get_value(inout, &sval) && !(sval.uvalue & USB_DIR_IN))
220 return;
221
222 db_param_cleared(expr, 6, (char *)"$", (char *)"");
223 }
224
225 static void match_assign(struct expression *expr)
226 {
227 struct symbol *type;
228
229 /*
230 * If we have struct foo x, y; and we say that x = y; then it
231 * initializes the struct holes. So we record that here.
232 */
233 type = get_type(expr->left);
234 if (!type || type->type != SYM_STRUCT)
235 return;
236 set_state_expr(my_id, expr->left, &cleared);
237 }
238
239 static void match_array_assign(struct expression *expr)
240 {
241 struct expression *array_expr;
242
243 if (!is_array(expr->left))
244 return;
245
246 array_expr = get_array_base(expr->left);
247 set_state_expr(my_id, array_expr, &cleared);
248 }
249
250 void register_param_cleared(int id)
251 {
252 my_id = id;
253
254 add_function_hook("memset", &match_memset, INT_PTR(0));
255 add_function_hook("memzero", &match_memset, INT_PTR(0));
256 add_function_hook("__memset", &match_memset, INT_PTR(0));
257 add_function_hook("__memzero", &match_memset, INT_PTR(0));
258
259 add_function_hook("memcpy", &match_memcpy, INT_PTR(0));
260 add_function_hook("memmove", &match_memcpy, INT_PTR(0));
261 add_function_hook("__memcpy", &match_memcpy, INT_PTR(0));
262 add_function_hook("__memmove", &match_memcpy, INT_PTR(0));
263 add_function_hook("strcpy", &match_memcpy, INT_PTR(0));
264 add_function_hook("strncpy", &match_memcpy, INT_PTR(0));
265 add_function_hook("sprintf", &match_memcpy, INT_PTR(0));
266 add_function_hook("snprintf", &match_memcpy, INT_PTR(0));
267
268 add_hook(&match_assign, ASSIGNMENT_HOOK);
269 add_hook(&match_array_assign, ASSIGNMENT_HOOK);
270
271 register_clears_param();
272
273 select_return_states_hook(PARAM_CLEARED, &db_param_cleared);
274 add_split_return_callback(&print_return_value_param);
275
276 if (option_project == PROJ_KERNEL) {
277 add_function_hook("usb_control_msg", &match_usb_control_msg, NULL);
278 }
279
280 }
281
Static analysis for C