smatch_slist.c

   1 /*
   2  * Copyright (C) 2008,2009 Dan Carpenter.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17
  18 #include <stdlib.h>
  19 #include <stdio.h>
  20 #include "smatch.h"
  21 #include "smatch_slist.h"
  22
  23 #undef CHECKORDER
  24
  25 ALLOCATOR(smatch_state, "smatch state");
  26 ALLOCATOR(sm_state, "sm state");
  27 ALLOCATOR(named_stree, "named slist");
  28 __DO_ALLOCATOR(char, 1, 4, "state names", sname);
  29
  30 int sm_state_counter;
  31
  32 static struct stree_stack *all_pools;
  33
  34 const char *show_sm(struct sm_state *sm)
  35 {
  36         char buf[256];
  37         struct sm_state *tmp;
  38         int pos;
  39         int i;
  40
  41         if (!sm)
  42                 return "<none>";
  43
  44         pos = snprintf(buf, sizeof(buf), "[%s] %s %p = '%s'%s",
  45                        check_name(sm->owner), sm->name, sm->sym, show_state(sm->state),
  46                        sm->merged ? " [merged]" : "");
  47         if (pos > sizeof(buf))
  48                 goto truncate;
  49
  50         if (ptr_list_size((struct ptr_list *)sm->possible) == 1)
  51                 return alloc_sname(buf);
  52
  53         pos += snprintf(buf + pos, sizeof(buf) - pos, " (");
  54         if (pos > sizeof(buf))
  55                 goto truncate;
  56         i = 0;
  57         FOR_EACH_PTR(sm->possible, tmp) {
  58                 if (i++)
  59                         pos += snprintf(buf + pos, sizeof(buf) - pos, ", ");
  60                 if (pos > sizeof(buf))
  61                         goto truncate;
  62                 pos += snprintf(buf + pos, sizeof(buf) - pos, "%s",
  63                                show_state(tmp->state));
  64                 if (pos > sizeof(buf))
  65                         goto truncate;
  66         } END_FOR_EACH_PTR(tmp);
  67         snprintf(buf + pos, sizeof(buf) - pos, ")");
  68
  69         return alloc_sname(buf);
  70
  71 truncate:
  72         for (i = 0; i < 3; i++)
  73                 buf[sizeof(buf) - 2 - i] = '.';
  74         return alloc_sname(buf);
  75 }
  76
  77 void __print_stree(struct stree *stree)
  78 {
  79         struct sm_state *sm;
  80
  81         option_debug++;
  82         sm_msg("dumping stree [%ld states]", stree_count(stree));
  83         FOR_EACH_SM(stree, sm) {
  84                 sm_printf("%s\n", show_sm(sm));
  85         } END_FOR_EACH_SM(sm);
  86         sm_printf("---\n");
  87         option_debug--;
  88 }
  89
  90 /* NULL states go at the end to simplify merge_slist */
  91 int cmp_tracker(const struct sm_state *a, const struct sm_state *b)
  92 {
  93         int ret;
  94
  95         if (a == b)
  96                 return 0;
  97         if (!b)
  98                 return -1;
  99         if (!a)
 100                 return 1;
 101
 102         if (a->owner < b->owner)
 103                 return -1;
 104         if (a->owner > b->owner)
 105                 return 1;
 106
 107         ret = strcmp(a->name, b->name);
 108         if (ret < 0)
 109                 return -1;
 110         if (ret > 0)
 111                 return 1;
 112
 113         if (!b->sym && a->sym)
 114                 return -1;
 115         if (!a->sym && b->sym)
 116                 return 1;
 117         if (a->sym < b->sym)
 118                 return -1;
 119         if (a->sym > b->sym)
 120                 return 1;
 121
 122         return 0;
 123 }
 124
 125 int *dynamic_states;
 126 void allocate_dynamic_states_array(int num_checks)
 127 {
 128         dynamic_states = calloc(num_checks, sizeof(int));
 129 }
 130
 131 void set_dynamic_states(unsigned short owner)
 132 {
 133         dynamic_states[owner] = true;
 134 }
 135
 136 bool has_dynamic_states(unsigned short owner)
 137 {
 138         if (owner >= num_checks)
 139                 return false;
 140         return dynamic_states[owner];
 141 }
 142
 143 static int cmp_possible_sm(const struct sm_state *a, const struct sm_state *b, int preserve)
 144 {
 145         int ret;
 146
 147         if (a == b)
 148                 return 0;
 149
 150         if (!has_dynamic_states(a->owner)) {
 151                 if (a->state > b->state)
 152                         return -1;
 153                 if (a->state < b->state)
 154                         return 1;
 155                 return 0;
 156         }
 157
 158         if (a->owner == SMATCH_EXTRA) {
 159                 /*
 160                  * In Smatch extra you can have borrowed implications.
 161                  *
 162                  * FIXME: review how borrowed implications work and if they
 163                  * are the best way.  See also smatch_implied.c.
 164                  *
 165                  */
 166                 ret = cmp_tracker(a, b);
 167                 if (ret)
 168                         return ret;
 169
 170                 /*
 171                  * We want to preserve leaf states.  They're use to split
 172                  * returns in smatch_db.c.
 173                  *
 174                  */
 175                 if (preserve) {
 176                         if (a->merged && !b->merged)
 177                                 return -1;
 178                         if (!a->merged)
 179                                 return 1;
 180                 }
 181         }
 182         if (!a->state->name || !b->state->name)
 183                 return 0;
 184
 185         return strcmp(a->state->name, b->state->name);
 186 }
 187
 188 struct sm_state *alloc_sm_state(int owner, const char *name,
 189                                 struct symbol *sym, struct smatch_state *state)
 190 {
 191         struct sm_state *sm_state = __alloc_sm_state(0);
 192
 193         sm_state_counter++;
 194
 195         sm_state->name = alloc_sname(name);
 196         sm_state->owner = owner;
 197         sm_state->sym = sym;
 198         sm_state->state = state;
 199         sm_state->line = get_lineno();
 200         sm_state->merged = 0;
 201         sm_state->pool = NULL;
 202         sm_state->left = NULL;
 203         sm_state->right = NULL;
 204         sm_state->possible = NULL;
 205         add_ptr_list(&sm_state->possible, sm_state);
 206         return sm_state;
 207 }
 208
 209 static struct sm_state *alloc_state_no_name(int owner, const char *name,
 210                                      struct symbol *sym,
 211                                      struct smatch_state *state)
 212 {
 213         struct sm_state *tmp;
 214
 215         tmp = alloc_sm_state(owner, NULL, sym, state);
 216         tmp->name = name;
 217         return tmp;
 218 }
 219
 220 int too_many_possible(struct sm_state *sm)
 221 {
 222         if (ptr_list_size((struct ptr_list *)sm->possible) >= 100)
 223                 return 1;
 224         return 0;
 225 }
 226
 227 void add_possible_sm(struct sm_state *to, struct sm_state *new)
 228 {
 229         struct sm_state *tmp;
 230         int preserve = 1;
 231         int cmp;
 232
 233         if (too_many_possible(to))
 234                 preserve = 0;
 235
 236         FOR_EACH_PTR(to->possible, tmp) {
 237                 cmp = cmp_possible_sm(tmp, new, preserve);
 238                 if (cmp < 0)
 239                         continue;
 240                 else if (cmp == 0) {
 241                         return;
 242                 } else {
 243                         INSERT_CURRENT(new, tmp);
 244                         return;
 245                 }
 246         } END_FOR_EACH_PTR(tmp);
 247         add_ptr_list(&to->possible, new);
 248 }
 249
 250 static void copy_possibles(struct sm_state *to, struct sm_state *one, struct sm_state *two)
 251 {
 252         struct sm_state *large = one;
 253         struct sm_state *small = two;
 254         struct sm_state *tmp;
 255
 256         /*
 257          * We spend a lot of time copying the possible lists.  I've tried to
 258          * optimize the process a bit.
 259          *
 260          */
 261
 262         if (ptr_list_size((struct ptr_list *)two->possible) >
 263             ptr_list_size((struct ptr_list *)one->possible)) {
 264                 large = two;
 265                 small = one;
 266         }
 267
 268         to->possible = clone_slist(large->possible);
 269         add_possible_sm(to, to);
 270         FOR_EACH_PTR(small->possible, tmp) {
 271                 add_possible_sm(to, tmp);
 272         } END_FOR_EACH_PTR(tmp);
 273 }
 274
 275 char *alloc_sname(const char *str)
 276 {
 277         char *tmp;
 278
 279         if (!str)
 280                 return NULL;
 281         tmp = __alloc_sname(strlen(str) + 1);
 282         strcpy(tmp, str);
 283         return tmp;
 284 }
 285
 286 static struct symbol *oom_func;
 287 static int oom_limit = 3000000;  /* Start with a 3GB limit */
 288 int out_of_memory(void)
 289 {
 290         if (oom_func)
 291                 return 1;
 292
 293         /*
 294          * I decided to use 50M here based on trial and error.
 295          * It works out OK for the kernel and so it should work
 296          * for most other projects as well.
 297          */
 298         if (sm_state_counter * sizeof(struct sm_state) >= 100000000)
 299                 return 1;
 300
 301         /*
 302          * We're reading from statm to figure out how much memory we
 303          * are using.  The problem is that at the end of the function
 304          * we release the memory, so that it can be re-used but it
 305          * stays in cache, it's not released to the OS.  So then if
 306          * we allocate memory for different purposes we can easily
 307          * hit the 3GB limit on the next function, so that's why I give
 308          * the next function an extra 100MB to work with.
 309          *
 310          */
 311         if (get_mem_kb() > oom_limit) {
 312                 oom_func = cur_func_sym;
 313                 final_pass++;
 314                 sm_perror("OOM: %luKb sm_state_count = %d", get_mem_kb(), sm_state_counter);
 315                 final_pass--;
 316                 return 1;
 317         }
 318
 319         return 0;
 320 }
 321
 322 int low_on_memory(void)
 323 {
 324         if (sm_state_counter * sizeof(struct sm_state) >= 25000000)
 325                 return 1;
 326         return 0;
 327 }
 328
 329 static void free_sm_state(struct sm_state *sm)
 330 {
 331         free_slist(&sm->possible);
 332         /*
 333          * fixme.  Free the actual state.
 334          * Right now we leave it until the end of the function
 335          * because we don't want to double free it.
 336          * Use the freelist to not double free things
 337          */
 338 }
 339
 340 static void free_all_sm_states(struct allocation_blob *blob)
 341 {
 342         unsigned int size = sizeof(struct sm_state);
 343         unsigned int offset = 0;
 344
 345         while (offset < blob->offset) {
 346                 free_sm_state((struct sm_state *)(blob->data + offset));
 347                 offset += size;
 348         }
 349 }
 350
 351 /* At the end of every function we free all the sm_states */
 352 void free_every_single_sm_state(void)
 353 {
 354         struct allocator_struct *desc = &sm_state_allocator;
 355         struct allocation_blob *blob = desc->blobs;
 356
 357         desc->blobs = NULL;
 358         desc->allocations = 0;
 359         desc->total_bytes = 0;
 360         desc->useful_bytes = 0;
 361         desc->freelist = NULL;
 362         while (blob) {
 363                 struct allocation_blob *next = blob->next;
 364                 free_all_sm_states(blob);
 365                 blob_free(blob, desc->chunking);
 366                 blob = next;
 367         }
 368         clear_sname_alloc();
 369         clear_smatch_state_alloc();
 370
 371         free_stack_and_strees(&all_pools);
 372         sm_state_counter = 0;
 373         if (oom_func) {
 374                 oom_limit += 100000;
 375                 oom_func = NULL;
 376         }
 377 }
 378
 379 unsigned long get_pool_count(void)
 380 {
 381         return ptr_list_size((struct ptr_list *)all_pools);
 382 }
 383
 384 struct sm_state *clone_sm(struct sm_state *s)
 385 {
 386         struct sm_state *ret;
 387
 388         ret = alloc_state_no_name(s->owner, s->name, s->sym, s->state);
 389         ret->merged = s->merged;
 390         ret->line = s->line;
 391         /* clone_sm() doesn't copy the pools.  Each state needs to have
 392            only one pool. */
 393         ret->possible = clone_slist(s->possible);
 394         ret->left = s->left;
 395         ret->right = s->right;
 396         return ret;
 397 }
 398
 399 int is_merged(struct sm_state *sm)
 400 {
 401         return sm->merged;
 402 }
 403
 404 int is_leaf(struct sm_state *sm)
 405 {
 406         if (!sm->merged)
 407                 return true;
 408         if (sm->leaf)
 409                 return true;
 410         return false;
 411 }
 412
 413 int slist_has_state(struct state_list *slist, struct smatch_state *state)
 414 {
 415         struct sm_state *tmp;
 416
 417         FOR_EACH_PTR(slist, tmp) {
 418                 if (tmp->state == state)
 419                         return 1;
 420         } END_FOR_EACH_PTR(tmp);
 421         return 0;
 422 }
 423
 424 struct state_list *clone_slist(struct state_list *from_slist)
 425 {
 426         struct sm_state *sm;
 427         struct state_list *to_slist = NULL;
 428
 429         FOR_EACH_PTR(from_slist, sm) {
 430                 add_ptr_list(&to_slist, sm);
 431         } END_FOR_EACH_PTR(sm);
 432         return to_slist;
 433 }
 434
 435 static struct smatch_state *merge_states(int owner, const char *name,
 436                                          struct symbol *sym,
 437                                          struct smatch_state *state1,
 438                                          struct smatch_state *state2)
 439 {
 440         struct smatch_state *ret;
 441
 442         if (state1 == state2)
 443                 ret = state1;
 444         else if (__has_merge_function(owner))
 445                 ret = __client_merge_function(owner, state1, state2);
 446         else if (!state1 || !state2)
 447                 ret = &undefined;
 448         else
 449                 ret = &merged;
 450         return ret;
 451 }
 452
 453 struct sm_state *merge_sm_states(struct sm_state *one, struct sm_state *two)
 454 {
 455         struct smatch_state *s;
 456         struct sm_state *result;
 457         static int warned;
 458
 459         if (one->state->data && !has_dynamic_states(one->owner))
 460                 sm_msg("dynamic state: %s", show_sm(one));
 461
 462         if (one == two)
 463                 return one;
 464         if (out_of_memory()) {
 465                 if (!warned)
 466                         sm_warning("Function too hairy.  No more merges.");
 467                 warned = 1;
 468                 return one;
 469         }
 470         warned = 0;
 471         s = merge_states(one->owner, one->name, one->sym, one->state, two->state);
 472         result = alloc_state_no_name(one->owner, one->name, one->sym, s);
 473         result->merged = 1;
 474         result->left = one;
 475         result->right = two;
 476
 477         copy_possibles(result, one, two);
 478
 479         /*
 480          * The ->line information is used by deref_check where we complain about
 481          * checking pointers that have already been dereferenced.  Let's say we
 482          * dereference a pointer on both the true and false paths and then merge
 483          * the states here.  The result state is &derefed, but the ->line number
 484          * is on the line where the pointer is merged not where it was
 485          * dereferenced..
 486          *
 487          * So in that case, let's just pick one dereference and set the ->line
 488          * to point at it.
 489          *
 490          */
 491
 492         if (result->state == one->state)
 493                 result->line = one->line;
 494         if (result->state == two->state)
 495                 result->line = two->line;
 496
 497         if (debug_on(check_name(one->owner), one->name)) {
 498                 struct sm_state *tmp;
 499                 int i = 0;
 500
 501                 printf("%s:%d %s() merge [%s] '%s' %s(L %d) + %s(L %d) => %s (",
 502                         get_filename(), get_lineno(), get_function(),
 503                         check_name(one->owner), one->name,
 504                         show_state(one->state), one->line,
 505                         show_state(two->state), two->line,
 506                         show_state(s));
 507
 508                 FOR_EACH_PTR(result->possible, tmp) {
 509                         if (i++)
 510                                 printf(", ");
 511                         printf("%s", show_state(tmp->state));
 512                 } END_FOR_EACH_PTR(tmp);
 513                 printf(")\n");
 514         }
 515
 516         return result;
 517 }
 518
 519 struct sm_state *get_sm_state_stree(struct stree *stree, int owner, const char *name,
 520                                 struct symbol *sym)
 521 {
 522         struct tracker tracker = {
 523                 .owner = owner,
 524                 .name = (char *)name,
 525                 .sym = sym,
 526         };
 527
 528         if (!name)
 529                 return NULL;
 530
 531         return avl_lookup(stree, (struct sm_state *)&tracker);
 532 }
 533
 534 struct smatch_state *get_state_stree(struct stree *stree,
 535                                 int owner, const char *name,
 536                                 struct symbol *sym)
 537 {
 538         struct sm_state *sm;
 539
 540         sm = get_sm_state_stree(stree, owner, name, sym);
 541         if (sm)
 542                 return sm->state;
 543         return NULL;
 544 }
 545
 546 /* FIXME: this is almost exactly the same as set_sm_state_slist() */
 547 void overwrite_sm_state_stree(struct stree **stree, struct sm_state *new)
 548 {
 549         avl_insert(stree, new);
 550 }
 551
 552 void overwrite_sm_state_stree_stack(struct stree_stack **stack,
 553                         struct sm_state *sm)
 554 {
 555         struct stree *stree;
 556
 557         stree = pop_stree(stack);
 558         overwrite_sm_state_stree(&stree, sm);
 559         push_stree(stack, stree);
 560 }
 561
 562 struct sm_state *set_state_stree(struct stree **stree, int owner, const char *name,
 563                      struct symbol *sym, struct smatch_state *state)
 564 {
 565         struct sm_state *new = alloc_sm_state(owner, name, sym, state);
 566
 567         avl_insert(stree, new);
 568         return new;
 569 }
 570
 571 void set_state_stree_perm(struct stree **stree, int owner, const char *name,
 572                      struct symbol *sym, struct smatch_state *state)
 573 {
 574         struct sm_state *sm;
 575
 576         sm = malloc(sizeof(*sm) + strlen(name) + 1);
 577         memset(sm, 0, sizeof(*sm));
 578         sm->owner = owner;
 579         sm->name = (char *)(sm + 1);
 580         strcpy((char *)sm->name, name);
 581         sm->sym = sym;
 582         sm->state = state;
 583
 584         overwrite_sm_state_stree(stree, sm);
 585 }
 586
 587 void delete_state_stree(struct stree **stree, int owner, const char *name,
 588                         struct symbol *sym)
 589 {
 590         struct tracker tracker = {
 591                 .owner = owner,
 592                 .name = (char *)name,
 593                 .sym = sym,
 594         };
 595
 596         avl_remove(stree, (struct sm_state *)&tracker);
 597 }
 598
 599 void delete_state_stree_stack(struct stree_stack **stack, int owner, const char *name,
 600                         struct symbol *sym)
 601 {
 602         struct stree *stree;
 603
 604         stree = pop_stree(stack);
 605         delete_state_stree(&stree, owner, name, sym);
 606         push_stree(stack, stree);
 607 }
 608
 609 void push_stree(struct stree_stack **stack, struct stree *stree)
 610 {
 611         add_ptr_list(stack, stree);
 612 }
 613
 614 struct stree *pop_stree(struct stree_stack **stack)
 615 {
 616         struct stree *stree;
 617
 618         stree = last_ptr_list((struct ptr_list *)*stack);
 619         delete_ptr_list_last((struct ptr_list **)stack);
 620         return stree;
 621 }
 622
 623 struct stree *top_stree(struct stree_stack *stack)
 624 {
 625         return last_ptr_list((struct ptr_list *)stack);
 626 }
 627
 628 void free_slist(struct state_list **slist)
 629 {
 630         __free_ptr_list((struct ptr_list **)slist);
 631 }
 632
 633 void free_stree_stack(struct stree_stack **stack)
 634 {
 635         __free_ptr_list((struct ptr_list **)stack);
 636 }
 637
 638 void free_stack_and_strees(struct stree_stack **stree_stack)
 639 {
 640         struct stree *stree;
 641
 642         FOR_EACH_PTR(*stree_stack, stree) {
 643                 free_stree(&stree);
 644         } END_FOR_EACH_PTR(stree);
 645         free_stree_stack(stree_stack);
 646 }
 647
 648 struct sm_state *set_state_stree_stack(struct stree_stack **stack, int owner, const char *name,
 649                                 struct symbol *sym, struct smatch_state *state)
 650 {
 651         struct stree *stree;
 652         struct sm_state *sm;
 653
 654         stree = pop_stree(stack);
 655         sm = set_state_stree(&stree, owner, name, sym, state);
 656         push_stree(stack, stree);
 657
 658         return sm;
 659 }
 660
 661 /*
 662  * get_sm_state_stack() gets the state for the top slist on the stack.
 663  */
 664 struct sm_state *get_sm_state_stree_stack(struct stree_stack *stack,
 665                                 int owner, const char *name,
 666                                 struct symbol *sym)
 667 {
 668         struct stree *stree;
 669         struct sm_state *ret;
 670
 671         stree = pop_stree(&stack);
 672         ret = get_sm_state_stree(stree, owner, name, sym);
 673         push_stree(&stack, stree);
 674         return ret;
 675 }
 676
 677 struct smatch_state *get_state_stree_stack(struct stree_stack *stack,
 678                                 int owner, const char *name,
 679                                 struct symbol *sym)
 680 {
 681         struct sm_state *sm;
 682
 683         sm = get_sm_state_stree_stack(stack, owner, name, sym);
 684         if (sm)
 685                 return sm->state;
 686         return NULL;
 687 }
 688
 689 static void match_states_stree(struct stree **one, struct stree **two)
 690 {
 691         struct smatch_state *tmp_state;
 692         struct sm_state *sm;
 693         struct state_list *add_to_one = NULL;
 694         struct state_list *add_to_two = NULL;
 695         AvlIter one_iter;
 696         AvlIter two_iter;
 697
 698         __set_cur_stree_readonly();
 699
 700         avl_iter_begin(&one_iter, *one, FORWARD);
 701         avl_iter_begin(&two_iter, *two, FORWARD);
 702
 703         for (;;) {
 704                 if (!one_iter.sm && !two_iter.sm)
 705                         break;
 706                 if (cmp_tracker(one_iter.sm, two_iter.sm) < 0) {
 707                         __set_fake_cur_stree_fast(*two);
 708                         __in_unmatched_hook++;
 709                         tmp_state = __client_unmatched_state_function(one_iter.sm);
 710                         __in_unmatched_hook--;
 711                         __pop_fake_cur_stree_fast();
 712                         sm = alloc_state_no_name(one_iter.sm->owner, one_iter.sm->name,
 713                                                   one_iter.sm->sym, tmp_state);
 714                         add_ptr_list(&add_to_two, sm);
 715                         avl_iter_next(&one_iter);
 716                 } else if (cmp_tracker(one_iter.sm, two_iter.sm) == 0) {
 717                         avl_iter_next(&one_iter);
 718                         avl_iter_next(&two_iter);
 719                 } else {
 720                         __set_fake_cur_stree_fast(*one);
 721                         __in_unmatched_hook++;
 722                         tmp_state = __client_unmatched_state_function(two_iter.sm);
 723                         __in_unmatched_hook--;
 724                         __pop_fake_cur_stree_fast();
 725                         sm = alloc_state_no_name(two_iter.sm->owner, two_iter.sm->name,
 726                                                   two_iter.sm->sym, tmp_state);
 727                         add_ptr_list(&add_to_one, sm);
 728                         avl_iter_next(&two_iter);
 729                 }
 730         }
 731
 732         __set_cur_stree_writable();
 733
 734         FOR_EACH_PTR(add_to_one, sm) {
 735                 avl_insert(one, sm);
 736         } END_FOR_EACH_PTR(sm);
 737
 738         FOR_EACH_PTR(add_to_two, sm) {
 739                 avl_insert(two, sm);
 740         } END_FOR_EACH_PTR(sm);
 741
 742         free_slist(&add_to_one);
 743         free_slist(&add_to_two);
 744 }
 745
 746 static void call_pre_merge_hooks(struct stree **one, struct stree **two)
 747 {
 748         struct sm_state *sm, *cur;
 749         struct stree *new;
 750
 751         __in_unmatched_hook++;
 752
 753         __set_fake_cur_stree_fast(*one);
 754         __push_fake_cur_stree();
 755         FOR_EACH_SM(*two, sm) {
 756                 cur = get_sm_state(sm->owner, sm->name, sm->sym);
 757                 if (cur == sm)
 758                         continue;
 759                 call_pre_merge_hook(cur, sm);
 760         } END_FOR_EACH_SM(sm);
 761         new = __pop_fake_cur_stree();
 762         overwrite_stree(new, one);
 763         free_stree(&new);
 764         __pop_fake_cur_stree_fast();
 765
 766         __set_fake_cur_stree_fast(*two);
 767         __push_fake_cur_stree();
 768         FOR_EACH_SM(*one, sm) {
 769                 cur = get_sm_state(sm->owner, sm->name, sm->sym);
 770                 if (cur == sm)
 771                         continue;
 772                 call_pre_merge_hook(cur, sm);
 773         } END_FOR_EACH_SM(sm);
 774         new = __pop_fake_cur_stree();
 775         overwrite_stree(new, two);
 776         free_stree(&new);
 777         __pop_fake_cur_stree_fast();
 778
 779         __in_unmatched_hook--;
 780 }
 781
 782 static void clone_pool_havers_stree(struct stree **stree)
 783 {
 784         struct sm_state *sm, *tmp;
 785         struct state_list *slist = NULL;
 786
 787         FOR_EACH_SM(*stree, sm) {
 788                 if (sm->pool) {
 789                         tmp = clone_sm(sm);
 790                         add_ptr_list(&slist, tmp);
 791                 }
 792         } END_FOR_EACH_SM(sm);
 793
 794         FOR_EACH_PTR(slist, sm) {
 795                 avl_insert(stree, sm);
 796         } END_FOR_EACH_PTR(sm);
 797
 798         free_slist(&slist);
 799 }
 800
 801 int __stree_id;
 802
 803 /*
 804  * merge_slist() is called whenever paths merge, such as after
 805  * an if statement.  It takes the two slists and creates one.
 806  */
 807 static void __merge_stree(struct stree **to, struct stree *stree, int add_pool)
 808 {
 809         struct stree *results = NULL;
 810         struct stree *implied_one = NULL;
 811         struct stree *implied_two = NULL;
 812         AvlIter one_iter;
 813         AvlIter two_iter;
 814         struct sm_state *one, *two, *res;
 815
 816         if (out_of_memory())
 817                 return;
 818
 819         /* merging a null and nonnull path gives you only the nonnull path */
 820         if (!stree)
 821                 return;
 822         if (*to == stree)
 823                 return;
 824
 825         if (!*to) {
 826                 *to = clone_stree(stree);
 827                 return;
 828         }
 829
 830         implied_one = clone_stree(*to);
 831         implied_two = clone_stree(stree);
 832
 833         match_states_stree(&implied_one, &implied_two);
 834         call_pre_merge_hooks(&implied_one, &implied_two);
 835
 836         if (add_pool) {
 837                 clone_pool_havers_stree(&implied_one);
 838                 clone_pool_havers_stree(&implied_two);
 839
 840                 set_stree_id(&implied_one, ++__stree_id);
 841                 set_stree_id(&implied_two, ++__stree_id);
 842                 if (implied_one->base_stree)
 843                         set_stree_id(&implied_one->base_stree, ++__stree_id);
 844                 if (implied_two->base_stree)
 845                         set_stree_id(&implied_two->base_stree, ++__stree_id);
 846         }
 847
 848         push_stree(&all_pools, implied_one);
 849         push_stree(&all_pools, implied_two);
 850
 851         avl_iter_begin(&one_iter, implied_one, FORWARD);
 852         avl_iter_begin(&two_iter, implied_two, FORWARD);
 853
 854         for (;;) {
 855                 if (!one_iter.sm || !two_iter.sm)
 856                         break;
 857
 858                 one = one_iter.sm;
 859                 two = two_iter.sm;
 860
 861                 if (one == two) {
 862                         avl_insert(&results, one);
 863                         goto next;
 864                 }
 865
 866                 if (add_pool) {
 867                         one->pool = implied_one;
 868                         if (implied_one->base_stree)
 869                                 one->pool = implied_one->base_stree;
 870                         two->pool = implied_two;
 871                         if (implied_two->base_stree)
 872                                 two->pool = implied_two->base_stree;
 873                 }
 874                 res = merge_sm_states(one, two);
 875                 add_possible_sm(res, one);
 876                 add_possible_sm(res, two);
 877                 avl_insert(&results, res);
 878 next:
 879                 avl_iter_next(&one_iter);
 880                 avl_iter_next(&two_iter);
 881         }
 882
 883         free_stree(to);
 884         *to = results;
 885 }
 886
 887 void merge_stree(struct stree **to, struct stree *stree)
 888 {
 889         __merge_stree(to, stree, 1);
 890 }
 891
 892 void merge_stree_no_pools(struct stree **to, struct stree *stree)
 893 {
 894         __merge_stree(to, stree, 0);
 895 }
 896
 897 /*
 898  * This is unfortunately a bit subtle...  The problem is that if a
 899  * state is set on one fake stree but not the other then we should
 900  * look up the the original state and use that as the unset state.
 901  * Fortunately, after you pop your fake stree then the cur_slist should
 902  * reflect the original state.
 903  */
 904 void merge_fake_stree(struct stree **to, struct stree *stree)
 905 {
 906         struct stree *one = *to;
 907         struct stree *two = stree;
 908         struct sm_state *sm;
 909         struct state_list *add_to_one = NULL;
 910         struct state_list *add_to_two = NULL;
 911         AvlIter one_iter;
 912         AvlIter two_iter;
 913
 914         if (!stree)
 915                 return;
 916         if (*to == stree)
 917                 return;
 918         if (!*to) {
 919                 *to = clone_stree(stree);
 920                 return;
 921         }
 922
 923         avl_iter_begin(&one_iter, one, FORWARD);
 924         avl_iter_begin(&two_iter, two, FORWARD);
 925
 926         for (;;) {
 927                 if (!one_iter.sm && !two_iter.sm)
 928                         break;
 929                 if (cmp_tracker(one_iter.sm, two_iter.sm) < 0) {
 930                         sm = get_sm_state(one_iter.sm->owner, one_iter.sm->name,
 931                                           one_iter.sm->sym);
 932                         if (sm)
 933                                 add_ptr_list(&add_to_two, sm);
 934                         avl_iter_next(&one_iter);
 935                 } else if (cmp_tracker(one_iter.sm, two_iter.sm) == 0) {
 936                         avl_iter_next(&one_iter);
 937                         avl_iter_next(&two_iter);
 938                 } else {
 939                         sm = get_sm_state(two_iter.sm->owner, two_iter.sm->name,
 940                                           two_iter.sm->sym);
 941                         if (sm)
 942                                 add_ptr_list(&add_to_one, sm);
 943                         avl_iter_next(&two_iter);
 944                 }
 945         }
 946
 947         FOR_EACH_PTR(add_to_one, sm) {
 948                 avl_insert(&one, sm);
 949         } END_FOR_EACH_PTR(sm);
 950
 951         FOR_EACH_PTR(add_to_two, sm) {
 952                 avl_insert(&two, sm);
 953         } END_FOR_EACH_PTR(sm);
 954
 955         one->base_stree = clone_stree(__get_cur_stree());
 956         FOR_EACH_SM(one, sm) {
 957                 avl_insert(&one->base_stree, sm);
 958         } END_FOR_EACH_SM(sm);
 959
 960         two->base_stree = clone_stree(__get_cur_stree());
 961         FOR_EACH_SM(two, sm) {
 962                 avl_insert(&two->base_stree, sm);
 963         } END_FOR_EACH_SM(sm);
 964
 965         free_slist(&add_to_one);
 966         free_slist(&add_to_two);
 967
 968         __merge_stree(&one, two, 1);
 969
 970         *to = one;
 971 }
 972
 973 /*
 974  * filter_slist() removes any sm states "slist" holds in common with "filter"
 975  */
 976 void filter_stree(struct stree **stree, struct stree *filter)
 977 {
 978         struct stree *results = NULL;
 979         AvlIter one_iter;
 980         AvlIter two_iter;
 981
 982         avl_iter_begin(&one_iter, *stree, FORWARD);
 983         avl_iter_begin(&two_iter, filter, FORWARD);
 984
 985         /* FIXME: This should probably be re-written with trees in mind */
 986
 987         for (;;) {
 988                 if (!one_iter.sm && !two_iter.sm)
 989                         break;
 990                 if (cmp_tracker(one_iter.sm, two_iter.sm) < 0) {
 991                         avl_insert(&results, one_iter.sm);
 992                         avl_iter_next(&one_iter);
 993                 } else if (cmp_tracker(one_iter.sm, two_iter.sm) == 0) {
 994                         if (one_iter.sm != two_iter.sm)
 995                                 avl_insert(&results, one_iter.sm);
 996                         avl_iter_next(&one_iter);
 997                         avl_iter_next(&two_iter);
 998                 } else {
 999                         avl_iter_next(&two_iter);
1000                 }
1001         }
1002
1003         free_stree(stree);
1004         *stree = results;
1005 }
1006
1007
1008 /*
1009  * and_slist_stack() pops the top two slists, overwriting the one with
1010  * the other and pushing it back on the stack.
1011  */
1012 void and_stree_stack(struct stree_stack **stack)
1013 {
1014         struct sm_state *tmp;
1015         struct stree *right_stree = pop_stree(stack);
1016
1017         FOR_EACH_SM(right_stree, tmp) {
1018                 overwrite_sm_state_stree_stack(stack, tmp);
1019         } END_FOR_EACH_SM(tmp);
1020         free_stree(&right_stree);
1021 }
1022
1023 /*
1024  * or_slist_stack() is for if we have:  if (foo || bar) { foo->baz;
1025  * It pops the two slists from the top of the stack and merges them
1026  * together in a way that preserves the things they have in common
1027  * but creates a merged state for most of the rest.
1028  * You could have code that had:  if (foo || foo) { foo->baz;
1029  * It's this function which ensures smatch does the right thing.
1030  */
1031 void or_stree_stack(struct stree_stack **pre_conds,
1032                     struct stree *cur_stree,
1033                     struct stree_stack **stack)
1034 {
1035         struct stree *new;
1036         struct stree *old;
1037         struct stree *pre_stree;
1038         struct stree *res;
1039         struct stree *tmp_stree;
1040
1041         new = pop_stree(stack);
1042         old = pop_stree(stack);
1043
1044         pre_stree = pop_stree(pre_conds);
1045         push_stree(pre_conds, clone_stree(pre_stree));
1046
1047         res = clone_stree(pre_stree);
1048         overwrite_stree(old, &res);
1049
1050         tmp_stree = clone_stree(cur_stree);
1051         overwrite_stree(new, &tmp_stree);
1052
1053         merge_stree(&res, tmp_stree);
1054         filter_stree(&res, pre_stree);
1055
1056         push_stree(stack, res);
1057         free_stree(&tmp_stree);
1058         free_stree(&pre_stree);
1059         free_stree(&new);
1060         free_stree(&old);
1061 }
1062
1063 /*
1064  * get_named_stree() is only used for gotos.
1065  */
1066 struct stree **get_named_stree(struct named_stree_stack *stack,
1067                                const char *name,
1068                                struct symbol *sym)
1069 {
1070         struct named_stree *tmp;
1071
1072         FOR_EACH_PTR(stack, tmp) {
1073                 if (tmp->sym == sym &&
1074                     strcmp(tmp->name, name) == 0)
1075                         return &tmp->stree;
1076         } END_FOR_EACH_PTR(tmp);
1077         return NULL;
1078 }
1079
1080 /* FIXME:  These parameters are in a different order from expected */
1081 void overwrite_stree(struct stree *from, struct stree **to)
1082 {
1083         struct sm_state *tmp;
1084
1085         FOR_EACH_SM(from, tmp) {
1086                 overwrite_sm_state_stree(to, tmp);
1087         } END_FOR_EACH_SM(tmp);
1088 }
1089