search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
user_data: serious bug in handling modifications (missed errors)
[smatch.git] / smatch_strlen.c
bloba0c2f1ac333d5fa195e56b20d1653bb811f011b4
1 /*
2 * smatch/smatch_strlen.c
3 *
4 * Copyright (C) 2013 Oracle.
5 *
6 * Licensed under the Open Software License version 1.1
7 *
8 */
9
10 #include <stdlib.h>
11 #include <errno.h>
12 #include "parse.h"
13 #include "smatch.h"
14 #include "smatch_slist.h"
15 #include "smatch_extra.h"
16
17 #define UNKNOWN_SIZE (-1)
18
19 static int my_strlen_id;
20 /*
21 * The trick with the my_equiv_id is that if we have:
22 * foo = strlen(bar);
23 * We don't know at that point what the strlen() is but we know it's equivalent
24 * to "foo" so maybe we can find the value of "foo" later.
25 */
26 static int my_equiv_id;
27
28 static struct smatch_state *size_to_estate(int size)
29 {
30 sval_t sval;
31
32 sval.type = &int_ctype;
33 sval.value = size;
34
35 return alloc_estate_sval(sval);
36 }
37
38 static struct smatch_state *unmatched_strlen_state(struct sm_state *sm)
39 {
40 return size_to_estate(UNKNOWN_SIZE);
41 }
42
43 static void set_strlen_undefined(struct sm_state *sm, struct expression *mod_expr)
44 {
45 set_state(sm->owner, sm->name, sm->sym, size_to_estate(UNKNOWN_SIZE));
46 }
47
48 static void set_strlen_equiv_undefined(struct sm_state *sm, struct expression *mod_expr)
49 {
50 set_state(sm->owner, sm->name, sm->sym, &undefined);
51 }
52
53 static void match_string_assignment(struct expression *expr)
54 {
55 struct range_list *rl;
56
57 if (expr->op != '=')
58 return;
59 if (!get_implied_strlen(expr->right, &rl))
60 return;
61 set_state_expr(my_strlen_id, expr->left, alloc_estate_rl(clone_rl(rl)));
62 }
63
64 static void match_strlen(const char *fn, struct expression *expr, void *unused)
65 {
66 struct expression *right;
67 struct expression *str;
68 struct expression *len_expr;
69 char *len_name;
70 struct smatch_state *state;
71
72 right = strip_expr(expr->right);
73 str = get_argument_from_call_expr(right->args, 0);
74 len_expr = strip_expr(expr->left);
75
76 len_name = expr_to_var(len_expr);
77 if (!len_name)
78 return;
79
80 state = __alloc_smatch_state(0);
81 state->name = len_name;
82 state->data = len_expr;
83
84 set_state_expr(my_equiv_id, str, state);
85 }
86
87 static int get_strlen_from_string(struct expression *expr, struct range_list **rl)
88 {
89 sval_t sval;
90 int len;
91
92 len = expr->string->length;
93 sval = sval_type_val(&int_ctype, len - 1);
94 *rl = alloc_rl(sval, sval);
95 return 1;
96 }
97
98
99 static int get_strlen_from_state(struct expression *expr, struct range_list **rl)
100 {
101 struct smatch_state *state;
102
103 state = get_state_expr(my_strlen_id, expr);
104 if (!state)
105 return 0;
106 *rl = estate_rl(state);
107 return 1;
108 }
109
110 static int get_strlen_from_equiv(struct expression *expr, struct range_list **rl)
111 {
112 struct smatch_state *state;
113
114 state = get_state_expr(my_equiv_id, expr);
115 if (!state || !state->data)
116 return 0;
117 if (!get_implied_rl((struct expression *)state->data, rl))
118 return 0;
119 return 1;
120 }
121
122 int get_implied_strlen(struct expression *expr, struct range_list **rl)
123 {
124
125 *rl = NULL;
126
127 switch (expr->type) {
128 case EXPR_STRING:
129 return get_strlen_from_string(expr, rl);
130 }
131
132 if (get_strlen_from_state(expr, rl))
133 return 1;
134 if (get_strlen_from_equiv(expr, rl))
135 return 1;
136 return 0;
137 }
138
139 int get_size_from_strlen(struct expression *expr)
140 {
141 struct range_list *rl;
142 sval_t max;
143
144 if (!get_implied_strlen(expr, &rl))
145 return 0;
146 max = rl_max(rl);
147 if (sval_is_negative(max) || sval_is_max(max))
148 return 0;
149
150 return max.value + 1; /* add one because strlen doesn't include the NULL */
151 }
152
153 void set_param_strlen(const char *name, struct symbol *sym, char *key, char *value)
154 {
155 struct range_list *rl = NULL;
156 struct smatch_state *state;
157 char fullname[256];
158
159 if (strncmp(key, "$$", 2) != 0)
160 return;
161
162 snprintf(fullname, 256, "%s%s", name, key + 2);
163
164 str_to_rl(&int_ctype, value, &rl);
165 if (!rl || is_whole_rl(rl))
166 return;
167 state = alloc_estate_rl(rl);
168 set_state(my_strlen_id, fullname, sym, state);
169 }
170
171 static void match_call(struct expression *expr)
172 {
173 struct expression *arg;
174 struct range_list *rl;
175 int i;
176
177 i = 0;
178 FOR_EACH_PTR(expr->args, arg) {
179 if (!get_implied_strlen(arg, &rl))
180 continue;
181 if (!is_whole_rl(rl))
182 sql_insert_caller_info(expr, STR_LEN, i, "$$", show_rl(rl));
183 i++;
184 } END_FOR_EACH_PTR(arg);
185 }
186
187 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct smatch_state *state)
188 {
189 if (state == &merged)
190 return;
191 sql_insert_caller_info(call, STR_LEN, param, printed_name, state->name);
192 }
193
194 void register_strlen(int id)
195 {
196 my_strlen_id = id;
197
198 add_unmatched_state_hook(my_strlen_id, &unmatched_strlen_state);
199
200 select_caller_info_hook(set_param_strlen, STR_LEN);
201 add_hook(&match_string_assignment, ASSIGNMENT_HOOK);
202
203 add_modification_hook(my_strlen_id, &set_strlen_undefined);
204 add_merge_hook(my_strlen_id, &merge_estates);
205 add_hook(&match_call, FUNCTION_CALL_HOOK);
206 add_member_info_callback(my_strlen_id, struct_member_callback);
207 }
208
209 void register_strlen_equiv(int id)
210 {
211 my_equiv_id = id;
212 add_function_assign_hook("strlen", &match_strlen, NULL);
213 add_modification_hook(my_equiv_id, &set_strlen_equiv_undefined);
214 }
215
Static analysis for C