2 * Copyright (C) 2010 Dan Carpenter.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
20 #include "smatch_slist.h"
21 #include "smatch_extra.h"
23 static bool get_rl_sval(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*sval_res
);
24 static bool get_rl_helper(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
);
25 static bool handle_variable(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
);
26 static struct range_list
*(*custom_handle_variable
)(struct expression
*expr
);
28 static int get_implied_value_internal(struct expression
*expr
, sval_t
*sval
, int *recurse_cnt
);
29 static int get_absolute_rl_internal(struct expression
*expr
, struct range_list
**rl
, int *recurse_cnt
);
31 static sval_t zero
= {.type
= &int_ctype
, {.value
= 0} };
32 static sval_t one
= {.type
= &int_ctype
, {.value
= 1} };
34 struct range_list
*rl_zero(void)
36 static struct range_list
*zero_perm
;
39 zero_perm
= clone_rl_permanent(alloc_rl(zero
, zero
));
43 struct range_list
*rl_one(void)
45 static struct range_list
*one_perm
;
48 one_perm
= clone_rl_permanent(alloc_rl(one
, one
));
62 static bool last_stmt_rl(struct statement
*stmt
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
64 struct expression
*expr
;
69 stmt
= last_ptr_list((struct ptr_list
*)stmt
->stmts
);
70 if (stmt
->type
== STMT_LABEL
) {
71 if (stmt
->label_statement
&&
72 stmt
->label_statement
->type
== STMT_EXPRESSION
)
73 expr
= stmt
->label_statement
->expression
;
76 } else if (stmt
->type
== STMT_EXPRESSION
) {
77 expr
= stmt
->expression
;
81 return get_rl_sval(expr
, implied
, recurse_cnt
, res
, res_sval
);
84 static bool handle_expression_statement_rl(struct expression
*expr
, int implied
,
85 int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
87 return last_stmt_rl(get_expression_statement(expr
), implied
, recurse_cnt
, res
, res_sval
);
90 static bool handle_ampersand_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
94 if (implied
== RL_EXACT
|| implied
== RL_HARD
)
96 if (get_mtag_sval(expr
, &sval
)) {
100 if (get_address_rl(expr
, res
))
105 static bool handle_negate_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
107 if (known_condition_true(expr
->unop
)) {
111 if (known_condition_false(expr
->unop
)) {
116 if (implied
== RL_EXACT
)
119 if (implied_condition_true(expr
->unop
)) {
123 if (implied_condition_false(expr
->unop
)) {
128 *res
= alloc_rl(zero
, one
);
132 static bool handle_bitwise_negate(struct expression
*expr
, int implied
, int *recurse_cnt
, sval_t
*res_sval
)
134 struct range_list
*rl
;
137 if (!get_rl_helper(expr
->unop
, implied
, recurse_cnt
, &rl
))
139 if (!rl_to_sval(rl
, &sval
))
141 sval
= sval_preop(sval
, '~');
142 sval_cast(get_type(expr
->unop
), sval
);
147 static bool handle_minus_preop(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
149 struct range_list
*rl
;
153 if (!get_rl_sval(expr
->unop
, implied
, recurse_cnt
, &rl
, &sval
))
156 *res_sval
= sval_preop(sval
, '-');
159 min
= sval_preop(rl_max(rl
), '-');
160 max
= sval_preop(rl_min(rl
), '-');
161 *res
= alloc_rl(min
, max
);
165 static bool handle_preop_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
169 return handle_ampersand_rl(expr
, implied
, recurse_cnt
, res
, res_sval
);
171 return handle_negate_rl(expr
, implied
, recurse_cnt
, res
, res_sval
);
173 return handle_bitwise_negate(expr
, implied
, recurse_cnt
, res_sval
);
175 return handle_minus_preop(expr
, implied
, recurse_cnt
, res
, res_sval
);
177 return handle_variable(expr
, implied
, recurse_cnt
, res
, res_sval
);
179 return handle_expression_statement_rl(expr
, implied
, recurse_cnt
, res
, res_sval
);
185 static bool handle_divide_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
187 struct range_list
*left_rl
= NULL
;
188 struct range_list
*right_rl
= NULL
;
191 type
= get_type(expr
);
193 get_rl_helper(expr
->left
, implied
, recurse_cnt
, &left_rl
);
194 left_rl
= cast_rl(type
, left_rl
);
195 get_rl_helper(expr
->right
, implied
, recurse_cnt
, &right_rl
);
196 right_rl
= cast_rl(type
, right_rl
);
198 if (!left_rl
|| !right_rl
)
201 if (implied
!= RL_REAL_ABSOLUTE
) {
202 if (is_whole_rl(left_rl
) || is_whole_rl(right_rl
))
206 *res
= rl_binop(left_rl
, '/', right_rl
);
210 static int handle_offset_subtraction(struct expression
*expr
)
212 struct expression
*left
, *right
;
213 struct symbol
*left_sym
, *right_sym
;
215 int left_offset
, right_offset
;
217 type
= get_type(expr
);
218 if (!type
|| type
->type
!= SYM_PTR
)
220 type
= get_real_base_type(type
);
221 if (!type
|| (type_bits(type
) != 8 && (type
!= &void_ctype
)))
224 left
= strip_expr(expr
->left
);
225 right
= strip_expr(expr
->right
);
227 if (left
->type
!= EXPR_PREOP
|| left
->op
!= '&')
229 left
= strip_expr(left
->unop
);
231 left_sym
= expr_to_sym(left
);
232 right_sym
= expr_to_sym(right
);
233 if (!left_sym
|| left_sym
!= right_sym
)
236 left_offset
= get_member_offset_from_deref(left
);
237 if (right
->type
== EXPR_SYMBOL
)
240 if (right
->type
!= EXPR_PREOP
|| right
->op
!= '&')
242 right
= strip_expr(right
->unop
);
243 right_offset
= get_member_offset_from_deref(right
);
245 if (left_offset
< 0 || right_offset
< 0)
248 return left_offset
- right_offset
;
251 static bool handle_subtract_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
254 struct range_list
*left_orig
, *right_orig
;
255 struct range_list
*left_rl
, *right_rl
;
256 sval_t max
, min
, tmp
;
260 type
= get_type(expr
);
262 offset
= handle_offset_subtraction(expr
);
267 *res
= alloc_rl(tmp
, tmp
);
271 comparison
= get_comparison(expr
->left
, expr
->right
);
274 get_rl_helper(expr
->left
, implied
, recurse_cnt
, &left_orig
);
275 left_rl
= cast_rl(type
, left_orig
);
277 get_rl_helper(expr
->right
, implied
, recurse_cnt
, &right_orig
);
278 right_rl
= cast_rl(type
, right_orig
);
280 if ((!left_rl
|| !right_rl
) &&
281 (implied
== RL_EXACT
|| implied
== RL_HARD
|| implied
== RL_FUZZY
))
285 left_rl
= alloc_whole_rl(type
);
287 right_rl
= alloc_whole_rl(type
);
289 /* negative values complicate everything fix this later */
290 if (sval_is_negative(rl_min(right_rl
)))
292 max
= rl_max(left_rl
);
293 min
= sval_type_min(type
);
295 switch (comparison
) {
297 case SPECIAL_UNSIGNED_GT
:
298 min
= sval_type_val(type
, 1);
299 max
= rl_max(left_rl
);
302 case SPECIAL_UNSIGNED_GTE
:
303 min
= sval_type_val(type
, 0);
304 max
= rl_max(left_rl
);
307 min
= sval_type_val(type
, 0);
308 max
= sval_type_val(type
, 0);
311 case SPECIAL_UNSIGNED_LT
:
312 max
= sval_type_val(type
, -1);
315 case SPECIAL_UNSIGNED_LTE
:
316 max
= sval_type_val(type
, 0);
319 if (!left_orig
|| !right_orig
)
321 *res
= rl_binop(left_rl
, '-', right_rl
);
325 if (!sval_binop_overflows(rl_min(left_rl
), '-', rl_max(right_rl
))) {
326 tmp
= sval_binop(rl_min(left_rl
), '-', rl_max(right_rl
));
327 if (sval_cmp(tmp
, min
) > 0)
331 if (!sval_is_max(rl_max(left_rl
))) {
332 tmp
= sval_binop(rl_max(left_rl
), '-', rl_min(right_rl
));
333 if (sval_cmp(tmp
, max
) < 0)
337 if (sval_is_min(min
) && sval_is_max(max
))
340 *res
= cast_rl(type
, alloc_rl(min
, max
));
344 static bool handle_mod_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
346 struct range_list
*rl
;
347 sval_t left
, right
, sval
;
349 if (implied
== RL_EXACT
) {
350 if (!get_implied_value(expr
->right
, &right
))
352 if (!get_implied_value(expr
->left
, &left
))
354 sval
= sval_binop(left
, '%', right
);
355 *res
= alloc_rl(sval
, sval
);
358 /* if we can't figure out the right side it's probably hopeless */
359 if (!get_implied_value_internal(expr
->right
, &right
, recurse_cnt
))
362 right
= sval_cast(get_type(expr
), right
);
365 if (get_rl_helper(expr
->left
, implied
, recurse_cnt
, &rl
) && rl
&&
366 rl_max(rl
).uvalue
< right
.uvalue
)
367 right
.uvalue
= rl_max(rl
).uvalue
;
369 *res
= alloc_rl(sval_cast(right
.type
, zero
), right
);
373 static sval_t
sval_lowest_set_bit(sval_t sval
)
378 for (i
= 0; i
< 64; i
++) {
379 if (sval
.uvalue
& 1ULL << i
) {
382 sval
.uvalue
&= ~(1ULL << i
);
388 static bool handle_bitwise_AND(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
391 struct range_list
*left_rl
, *right_rl
;
395 if (implied
!= RL_IMPLIED
&& implied
!= RL_ABSOLUTE
&& implied
!= RL_REAL_ABSOLUTE
)
398 type
= get_type(expr
);
400 if (get_implied_value_internal(expr
->left
, &known
, recurse_cnt
)) {
403 min
= sval_lowest_set_bit(known
);
404 left_rl
= alloc_rl(min
, known
);
405 left_rl
= cast_rl(type
, left_rl
);
406 add_range(&left_rl
, sval_type_val(type
, 0), sval_type_val(type
, 0));
408 if (get_rl_helper(expr
->left
, implied
, recurse_cnt
, &left_rl
)) {
409 left_rl
= cast_rl(type
, left_rl
);
410 left_rl
= alloc_rl(sval_type_val(type
, 0), rl_max(left_rl
));
412 if (implied
== RL_HARD
)
414 left_rl
= alloc_whole_rl(type
);
418 new_recurse
= *recurse_cnt
;
419 if (*recurse_cnt
>= 200)
420 new_recurse
= 100; /* Let's try super hard to get the mask */
421 if (get_implied_value_internal(expr
->right
, &known
, &new_recurse
)) {
422 sval_t min
, left_max
, mod
;
424 *recurse_cnt
= new_recurse
;
426 min
= sval_lowest_set_bit(known
);
427 right_rl
= alloc_rl(min
, known
);
428 right_rl
= cast_rl(type
, right_rl
);
429 add_range(&right_rl
, sval_type_val(type
, 0), sval_type_val(type
, 0));
431 if (min
.value
!= 0) {
432 left_max
= rl_max(left_rl
);
433 mod
= sval_binop(left_max
, '%', min
);
435 left_max
= sval_binop(left_max
, '-', mod
);
437 if (left_max
.value
> 0 && sval_cmp(left_max
, rl_max(left_rl
)) < 0)
438 left_rl
= remove_range(left_rl
, left_max
, rl_max(left_rl
));
442 if (get_rl_helper(expr
->right
, implied
, recurse_cnt
, &right_rl
)) {
443 right_rl
= cast_rl(type
, right_rl
);
444 right_rl
= alloc_rl(sval_type_val(type
, 0), rl_max(right_rl
));
446 if (implied
== RL_HARD
)
448 right_rl
= alloc_whole_rl(type
);
452 *res
= rl_intersection(left_rl
, right_rl
);
456 static bool use_rl_binop(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
459 struct range_list
*left_rl
, *right_rl
;
461 if (implied
!= RL_IMPLIED
&& implied
!= RL_ABSOLUTE
&& implied
!= RL_REAL_ABSOLUTE
)
464 type
= get_type(expr
);
466 get_absolute_rl_internal(expr
->left
, &left_rl
, recurse_cnt
);
467 get_absolute_rl_internal(expr
->right
, &right_rl
, recurse_cnt
);
468 left_rl
= cast_rl(type
, left_rl
);
469 right_rl
= cast_rl(type
, right_rl
);
470 if (!left_rl
|| !right_rl
)
473 *res
= rl_binop(left_rl
, expr
->op
, right_rl
);
477 static bool handle_right_shift(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
479 struct range_list
*left_rl
;
483 if (implied
== RL_EXACT
|| implied
== RL_HARD
)
486 if (get_rl_helper(expr
->left
, implied
, recurse_cnt
, &left_rl
)) {
487 max
= rl_max(left_rl
);
488 min
= rl_min(left_rl
);
490 if (implied
== RL_FUZZY
)
492 max
= sval_type_max(get_type(expr
->left
));
493 min
= sval_type_val(get_type(expr
->left
), 0);
496 if (get_implied_value_internal(expr
->right
, &right
, recurse_cnt
)) {
497 min
= sval_binop(min
, SPECIAL_RIGHTSHIFT
, right
);
498 max
= sval_binop(max
, SPECIAL_RIGHTSHIFT
, right
);
499 } else if (!sval_is_negative(min
)) {
501 max
= sval_type_max(max
.type
);
506 *res
= alloc_rl(min
, max
);
510 static bool handle_left_shift(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
512 struct range_list
*left_rl
, *rl
;
517 if (implied
== RL_EXACT
|| implied
== RL_HARD
)
519 /* this is hopeless without the right side */
520 if (!get_implied_value_internal(expr
->right
, &right
, recurse_cnt
))
522 if (get_rl_helper(expr
->left
, implied
, recurse_cnt
, &left_rl
)) {
523 max
= rl_max(left_rl
);
524 min
= rl_min(left_rl
);
525 if (min
.value
== 0) {
530 if (implied
== RL_FUZZY
)
532 max
= sval_type_max(get_type(expr
->left
));
533 min
= sval_type_val(get_type(expr
->left
), 1);
537 max
= sval_binop(max
, SPECIAL_LEFTSHIFT
, right
);
538 min
= sval_binop(min
, SPECIAL_LEFTSHIFT
, right
);
539 rl
= alloc_rl(min
, max
);
541 rl
= rl_union(rl
, rl_zero());
546 static bool handle_known_binop(struct expression
*expr
, sval_t
*res
)
550 if (!get_value(expr
->left
, &left
))
552 if (!get_value(expr
->right
, &right
))
554 *res
= sval_binop(left
, expr
->op
, right
);
558 static int has_actual_ranges(struct range_list
*rl
)
560 struct data_range
*tmp
;
562 FOR_EACH_PTR(rl
, tmp
) {
563 if (sval_cmp(tmp
->min
, tmp
->max
) != 0)
565 } END_FOR_EACH_PTR(tmp
);
569 static struct range_list
*handle_implied_binop(struct range_list
*left_rl
, int op
, struct range_list
*right_rl
)
571 struct range_list
*res_rl
;
572 struct data_range
*left_drange
, *right_drange
;
575 if (!left_rl
|| !right_rl
)
577 if (has_actual_ranges(left_rl
))
579 if (has_actual_ranges(right_rl
))
582 if (ptr_list_size((struct ptr_list
*)left_rl
) * ptr_list_size((struct ptr_list
*)right_rl
) > 20)
587 FOR_EACH_PTR(left_rl
, left_drange
) {
588 FOR_EACH_PTR(right_rl
, right_drange
) {
589 if ((op
== '%' || op
== '/') &&
590 right_drange
->min
.value
== 0)
592 res
= sval_binop(left_drange
->min
, op
, right_drange
->min
);
593 add_range(&res_rl
, res
, res
);
594 } END_FOR_EACH_PTR(right_drange
);
595 } END_FOR_EACH_PTR(left_drange
);
600 static bool handle_binop_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
602 struct smatch_state
*state
;
604 struct range_list
*left_rl
, *right_rl
, *rl
;
605 sval_t val
, min
, max
;
607 if (handle_known_binop(expr
, &val
)) {
611 if (implied
== RL_EXACT
)
614 if (custom_handle_variable
) {
615 rl
= custom_handle_variable(expr
);
622 state
= get_extra_state(expr
);
623 if (state
&& !is_whole_rl(estate_rl(state
))) {
624 if (implied
!= RL_HARD
|| estate_has_hard_max(state
)) {
625 *res
= clone_rl(estate_rl(state
));
630 type
= get_type(expr
);
632 get_rl_helper(expr
->left
, implied
, recurse_cnt
, &left_rl
);
633 left_rl
= cast_rl(type
, left_rl
);
635 get_rl_helper(expr
->right
, implied
, recurse_cnt
, &right_rl
);
636 right_rl
= cast_rl(type
, right_rl
);
638 if (!left_rl
&& !right_rl
)
641 rl
= handle_implied_binop(left_rl
, expr
->op
, right_rl
);
649 return handle_mod_rl(expr
, implied
, recurse_cnt
, res
);
651 return handle_bitwise_AND(expr
, implied
, recurse_cnt
, res
);
654 return use_rl_binop(expr
, implied
, recurse_cnt
, res
);
655 case SPECIAL_RIGHTSHIFT
:
656 return handle_right_shift(expr
, implied
, recurse_cnt
, res
);
657 case SPECIAL_LEFTSHIFT
:
658 return handle_left_shift(expr
, implied
, recurse_cnt
, res
);
660 return handle_subtract_rl(expr
, implied
, recurse_cnt
, res
);
662 return handle_divide_rl(expr
, implied
, recurse_cnt
, res
);
665 if (!left_rl
|| !right_rl
)
668 if (sval_binop_overflows(rl_min(left_rl
), expr
->op
, rl_min(right_rl
)))
670 if (sval_binop_overflows(rl_max(left_rl
), expr
->op
, rl_max(right_rl
)))
673 min
= sval_binop(rl_min(left_rl
), expr
->op
, rl_min(right_rl
));
674 max
= sval_binop(rl_max(left_rl
), expr
->op
, rl_max(right_rl
));
676 *res
= alloc_rl(min
, max
);
680 static int do_comparison(struct expression
*expr
)
682 struct range_list
*left_ranges
= NULL
;
683 struct range_list
*right_ranges
= NULL
;
684 int poss_true
, poss_false
;
687 type
= get_type(expr
);
688 get_absolute_rl(expr
->left
, &left_ranges
);
689 get_absolute_rl(expr
->right
, &right_ranges
);
691 left_ranges
= cast_rl(type
, left_ranges
);
692 right_ranges
= cast_rl(type
, right_ranges
);
694 poss_true
= possibly_true_rl(left_ranges
, expr
->op
, right_ranges
);
695 poss_false
= possibly_false_rl(left_ranges
, expr
->op
, right_ranges
);
697 if (!poss_true
&& !poss_false
)
699 if (poss_true
&& !poss_false
)
701 if (!poss_true
&& poss_false
)
706 static bool handle_comparison_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
711 if (expr
->op
== SPECIAL_EQUAL
&& expr
->left
->type
== EXPR_TYPE
) {
712 struct symbol
*left
, *right
;
714 left
= get_real_base_type(expr
->left
->symbol
);
715 right
= get_real_base_type(expr
->left
->symbol
);
723 if (get_value(expr
->left
, &left
) && get_value(expr
->right
, &right
)) {
724 struct data_range tmp_left
, tmp_right
;
728 tmp_right
.min
= right
;
729 tmp_right
.max
= right
;
730 if (true_comparison_range(&tmp_left
, expr
->op
, &tmp_right
))
737 if (implied
== RL_EXACT
)
740 cmp
= do_comparison(expr
);
750 *res
= alloc_rl(zero
, one
);
754 static bool handle_logical_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
760 if (implied
== RL_EXACT
) {
761 if (get_value(expr
->left
, &left
))
763 if (get_value(expr
->right
, &right
))
766 if (get_implied_value_internal(expr
->left
, &left
, recurse_cnt
))
768 if (get_implied_value_internal(expr
->right
, &right
, recurse_cnt
))
773 case SPECIAL_LOGICAL_OR
:
774 if (left_known
&& left
.value
)
776 if (right_known
&& right
.value
)
778 if (left_known
&& right_known
)
781 case SPECIAL_LOGICAL_AND
:
782 if (left_known
&& right_known
) {
783 if (left
.value
&& right
.value
)
792 if (implied
== RL_EXACT
)
795 *res
= alloc_rl(zero
, one
);
806 static bool handle_conditional_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
808 struct expression
*cond_true
;
809 struct range_list
*true_rl
, *false_rl
;
811 int final_pass_orig
= final_pass
;
813 cond_true
= expr
->cond_true
;
815 cond_true
= expr
->conditional
;
817 if (known_condition_true(expr
->conditional
))
818 return get_rl_sval(cond_true
, implied
, recurse_cnt
, res
, res_sval
);
819 if (known_condition_false(expr
->conditional
))
820 return get_rl_sval(expr
->cond_false
, implied
, recurse_cnt
, res
, res_sval
);
822 if (implied
== RL_EXACT
)
825 if (implied_condition_true(expr
->conditional
))
826 return get_rl_sval(cond_true
, implied
, recurse_cnt
, res
, res_sval
);
827 if (implied_condition_false(expr
->conditional
))
828 return get_rl_sval(expr
->cond_false
, implied
, recurse_cnt
, res
, res_sval
);
830 /* this becomes a problem with deeply nested conditional statements */
834 type
= get_type(expr
);
836 __push_fake_cur_stree();
838 __split_whole_condition(expr
->conditional
);
840 get_rl_helper(cond_true
, implied
, recurse_cnt
, &true_rl
);
841 __push_true_states();
842 __use_false_states();
844 get_rl_helper(expr
->cond_false
, implied
, recurse_cnt
, &false_rl
);
845 __merge_true_states();
846 __free_fake_cur_stree();
847 final_pass
= final_pass_orig
;
849 if (!true_rl
|| !false_rl
)
851 true_rl
= cast_rl(type
, true_rl
);
852 false_rl
= cast_rl(type
, false_rl
);
854 *res
= rl_union(true_rl
, false_rl
);
858 static bool get_fuzzy_max_helper(struct expression
*expr
, sval_t
*max
)
860 struct smatch_state
*state
;
863 if (get_hard_max(expr
, &sval
)) {
868 state
= get_extra_state(expr
);
869 if (!state
|| !estate_has_fuzzy_max(state
))
871 *max
= sval_cast(get_type(expr
), estate_get_fuzzy_max(state
));
875 static bool get_fuzzy_min_helper(struct expression
*expr
, sval_t
*min
)
877 struct smatch_state
*state
;
880 state
= get_extra_state(expr
);
881 if (!state
|| !estate_rl(state
))
884 sval
= estate_min(state
);
885 if (sval_is_negative(sval
) && sval_is_min(sval
))
888 if (sval_is_max(sval
))
891 *min
= sval_cast(get_type(expr
), sval
);
895 int get_const_value(struct expression
*expr
, sval_t
*sval
)
900 if (expr
->type
!= EXPR_SYMBOL
|| !expr
->symbol
)
903 if (!(sym
->ctype
.modifiers
& MOD_CONST
))
905 if (get_value(sym
->initializer
, &right
)) {
906 *sval
= sval_cast(get_type(expr
), right
);
912 struct range_list
*var_to_absolute_rl(struct expression
*expr
)
914 struct smatch_state
*state
;
915 struct range_list
*rl
;
917 state
= get_extra_state(expr
);
918 if (!state
|| is_whole_rl(estate_rl(state
))) {
919 state
= get_real_absolute_state(expr
);
920 if (state
&& state
->data
&& !estate_is_whole(state
))
921 return clone_rl(estate_rl(state
));
922 if (get_local_rl(expr
, &rl
) && !is_whole_rl(rl
))
924 if (get_mtag_rl(expr
, &rl
))
926 if (get_db_type_rl(expr
, &rl
) && !is_whole_rl(rl
))
928 return alloc_whole_rl(get_type(expr
));
930 /* err on the side of saying things are possible */
931 if (!estate_rl(state
))
932 return alloc_whole_rl(get_type(expr
));
933 return clone_rl(estate_rl(state
));
936 static bool handle_variable(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
938 struct smatch_state
*state
;
939 struct range_list
*rl
;
940 sval_t sval
, min
, max
;
943 if (get_const_value(expr
, &sval
)) {
948 if (custom_handle_variable
) {
949 rl
= custom_handle_variable(expr
);
951 if (!rl_to_sval(rl
, res_sval
))
954 *res
= var_to_absolute_rl(expr
);
959 if (implied
== RL_EXACT
)
962 if (get_mtag_sval(expr
, &sval
)) {
967 type
= get_type(expr
);
968 if (type
&& type
->type
== SYM_FN
) {
969 *res
= alloc_rl(fn_ptr_min
, fn_ptr_max
);
973 /* FIXME: call rl_to_sval() on the results */
979 state
= get_extra_state(expr
);
980 if (!state
|| !state
->data
) {
981 if (implied
== RL_HARD
)
983 if (get_local_rl(expr
, res
))
985 if (get_mtag_rl(expr
, res
))
987 if (get_db_type_rl(expr
, res
))
989 if (is_array(expr
) && get_array_rl(expr
, res
))
993 if (implied
== RL_HARD
&& !estate_has_hard_max(state
))
995 *res
= clone_rl(estate_rl(state
));
997 case RL_REAL_ABSOLUTE
: {
998 struct smatch_state
*abs_state
;
1000 state
= get_extra_state(expr
);
1001 abs_state
= get_real_absolute_state(expr
);
1003 if (estate_rl(state
) && estate_rl(abs_state
)) {
1004 *res
= clone_rl(rl_intersection(estate_rl(state
),
1005 estate_rl(abs_state
)));
1007 } else if (estate_rl(state
)) {
1008 *res
= clone_rl(estate_rl(state
));
1010 } else if (estate_is_empty(state
)) {
1012 * FIXME: we don't handle empty extra states correctly.
1014 * The real abs rl is supposed to be filtered by the
1015 * extra state if there is one. We don't bother keeping
1016 * the abs state in sync all the time because we know it
1017 * will be filtered later.
1019 * It's not totally obvious to me how they should be
1020 * handled. Perhaps we should take the whole rl and
1021 * filter by the imaginary states. Perhaps we should
1022 * just go with the empty state.
1024 * Anyway what we currently do is return NULL here and
1025 * that gets translated into the whole range in
1026 * get_real_absolute_rl().
1030 } else if (estate_rl(abs_state
)) {
1031 *res
= clone_rl(estate_rl(abs_state
));
1035 if (get_local_rl(expr
, res
))
1037 if (get_mtag_rl(expr
, res
))
1039 if (get_db_type_rl(expr
, res
))
1041 if (is_array(expr
) && get_array_rl(expr
, res
))
1046 if (!get_fuzzy_min_helper(expr
, &min
))
1047 min
= sval_type_min(get_type(expr
));
1048 if (!get_fuzzy_max_helper(expr
, &max
))
1050 /* fuzzy ranges are often inverted */
1051 if (sval_cmp(min
, max
) > 0) {
1056 *res
= alloc_rl(min
, max
);
1062 static sval_t
handle_sizeof(struct expression
*expr
)
1067 ret
= sval_blank(expr
);
1068 sym
= expr
->cast_type
;
1070 sym
= evaluate_expression(expr
->cast_expression
);
1072 __silence_warnings_for_stmt
= true;
1077 * Expressions of restricted types will possibly get
1078 * promoted - check that here. I'm not sure how this works,
1079 * the problem is that sizeof(le16) shouldn't be promoted and
1080 * the original code did that... Let's if zero this out and
1084 if (is_restricted_type(sym
)) {
1085 if (type_bits(sym
) < bits_in_int
)
1089 if (is_fouled_type(sym
))
1092 examine_symbol_type(sym
);
1094 ret
.type
= size_t_ctype
;
1095 if (type_bits(sym
) <= 0) /* sizeof(void) */ {
1096 if (get_real_base_type(sym
) == &void_ctype
)
1101 ret
.value
= type_bytes(sym
);
1106 static bool handle_strlen(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
1108 struct expression
*arg
, *tmp
;
1110 sval_t ret
= { .type
= &ulong_ctype
};
1111 struct range_list
*rl
;
1113 arg
= get_argument_from_call_expr(expr
->args
, 0);
1116 if (arg
->type
== EXPR_STRING
) {
1117 ret
.value
= arg
->string
->length
- 1;
1121 if (implied
== RL_EXACT
)
1123 if (get_implied_value(arg
, &tag
) &&
1124 (tmp
= fake_string_from_mtag(tag
.uvalue
))) {
1125 ret
.value
= tmp
->string
->length
- 1;
1130 if (implied
== RL_HARD
|| implied
== RL_FUZZY
)
1133 if (get_implied_return(expr
, &rl
)) {
1141 static bool handle_builtin_constant_p(struct expression
*expr
, int implied
, int *recurse_cnt
, sval_t
*res_sval
)
1143 struct expression
*arg
;
1144 struct range_list
*rl
;
1146 arg
= get_argument_from_call_expr(expr
->args
, 0);
1147 if (get_rl_helper(arg
, RL_EXACT
, recurse_cnt
, &rl
))
1154 static bool handle__builtin_choose_expr(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
1156 struct expression
*const_expr
, *expr1
, *expr2
;
1159 const_expr
= get_argument_from_call_expr(expr
->args
, 0);
1160 expr1
= get_argument_from_call_expr(expr
->args
, 1);
1161 expr2
= get_argument_from_call_expr(expr
->args
, 2);
1163 if (!get_value(const_expr
, &sval
) || !expr1
|| !expr2
)
1166 return get_rl_sval(expr1
, implied
, recurse_cnt
, res
, res_sval
);
1168 return get_rl_sval(expr2
, implied
, recurse_cnt
, res
, res_sval
);
1171 static bool handle_call_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
1173 struct range_list
*rl
;
1175 if (sym_name_is("__builtin_constant_p", expr
->fn
))
1176 return handle_builtin_constant_p(expr
, implied
, recurse_cnt
, res_sval
);
1178 if (sym_name_is("__builtin_choose_expr", expr
->fn
))
1179 return handle__builtin_choose_expr(expr
, implied
, recurse_cnt
, res
, res_sval
);
1181 if (sym_name_is("__builtin_expect", expr
->fn
) ||
1182 sym_name_is("__builtin_bswap16", expr
->fn
) ||
1183 sym_name_is("__builtin_bswap32", expr
->fn
) ||
1184 sym_name_is("__builtin_bswap64", expr
->fn
)) {
1185 struct expression
*arg
;
1187 arg
= get_argument_from_call_expr(expr
->args
, 0);
1188 return get_rl_sval(arg
, implied
, recurse_cnt
, res
, res_sval
);
1191 if (sym_name_is("strlen", expr
->fn
))
1192 return handle_strlen(expr
, implied
, recurse_cnt
, res
, res_sval
);
1194 if (implied
== RL_EXACT
|| implied
== RL_HARD
|| implied
== RL_FUZZY
)
1197 if (custom_handle_variable
) {
1198 rl
= custom_handle_variable(expr
);
1205 /* Ugh... get_implied_return() sets *rl to NULL on failure */
1206 if (get_implied_return(expr
, &rl
)) {
1210 rl
= db_return_vals(expr
);
1218 static bool handle_cast(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
1220 struct range_list
*rl
;
1221 struct symbol
*type
;
1224 type
= get_type(expr
);
1225 if (get_rl_sval(expr
->cast_expression
, implied
, recurse_cnt
, &rl
, &sval
)) {
1227 *res_sval
= sval_cast(type
, sval
);
1229 *res
= cast_rl(type
, rl
);
1232 if (implied
== RL_ABSOLUTE
|| implied
== RL_REAL_ABSOLUTE
) {
1233 *res
= alloc_whole_rl(type
);
1236 if (implied
== RL_IMPLIED
&& type
&&
1237 type_bits(type
) > 0 && type_bits(type
) < 32) {
1238 *res
= alloc_whole_rl(type
);
1244 static bool get_rl_sval(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*sval_res
)
1246 struct range_list
*rl
= (void *)-1UL;
1247 struct symbol
*type
;
1251 type
= get_type(expr
);
1252 expr
= strip_parens(expr
);
1256 if (++(*recurse_cnt
) >= 200)
1259 switch(expr
->type
) {
1261 case EXPR_FORCE_CAST
:
1262 case EXPR_IMPLIED_CAST
:
1263 ret
= handle_cast(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1267 expr
= strip_expr(expr
);
1271 switch (expr
->type
) {
1273 sval
= sval_from_val(expr
, expr
->value
);
1277 ret
= handle_preop_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1280 ret
= get_rl_sval(expr
->unop
, implied
, recurse_cnt
, &rl
, &sval
);
1283 ret
= handle_binop_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1286 ret
= handle_comparison_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1289 ret
= handle_logical_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1291 case EXPR_PTRSIZEOF
:
1293 sval
= handle_sizeof(expr
);
1297 case EXPR_CONDITIONAL
:
1298 ret
= handle_conditional_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1301 ret
= handle_call_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1304 if (!get_mtag_sval(expr
, &sval
))
1305 rl
= alloc_rl(valid_ptr_min_sval
, valid_ptr_max_sval
);
1309 ret
= handle_variable(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1313 if ((ret
== 1 && rl
== (void *)-1UL && sval
.type
== NULL
) ||
1314 (ret
== 0 && (rl
!= (void *)-1UL && sval
.type
== NULL
)) ||
1315 (sval
.type
&& rl
!= (void *)-1UL)) {
1317 sm_msg("DIE: expr = '%s' ret = %d rl = '%s'", expr_to_str(expr
), ret
, show_rl(rl
));
1320 if (rl
== (void *)-1UL)
1332 if (type
&& (implied
== RL_ABSOLUTE
|| implied
== RL_REAL_ABSOLUTE
)) {
1333 *res
= alloc_whole_rl(type
);
1339 static bool get_rl_helper(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
1341 struct range_list
*rl
= NULL
;
1344 if (!get_rl_sval(expr
, implied
, recurse_cnt
, &rl
, &sval
))
1347 *res
= alloc_rl(sval
, sval
);
1354 struct expression
*expr
;
1355 struct range_list
*rl
;
1356 } cached_results
[24];
1357 static int cache_idx
;
1359 void clear_math_cache(void)
1361 memset(cached_results
, 0, sizeof(cached_results
));
1364 /* returns 1 if it can get a value literal or else returns 0 */
1365 int get_value(struct expression
*expr
, sval_t
*sval
)
1367 struct range_list
*(*orig_custom_fn
)(struct expression
*expr
);
1368 struct range_list
*rl
;
1369 int recurse_cnt
= 0;
1374 * This only handles RL_EXACT because other expr statements can be
1375 * different at different points. Like the list iterator, for example.
1377 for (i
= 0; i
< ARRAY_SIZE(cached_results
); i
++) {
1378 if (expr
== cached_results
[i
].expr
)
1379 return rl_to_sval(cached_results
[i
].rl
, sval
);
1382 orig_custom_fn
= custom_handle_variable
;
1383 custom_handle_variable
= NULL
;
1384 // FIXME: clean up this function
1385 if (!get_rl_helper(expr
, RL_EXACT
, &recurse_cnt
, &rl
) ||
1386 !rl_to_sval(rl
, &tmp
))
1388 custom_handle_variable
= orig_custom_fn
;
1390 cached_results
[cache_idx
].expr
= expr
;
1391 cached_results
[cache_idx
].rl
= rl
;
1392 cache_idx
= (cache_idx
+ 1) % ARRAY_SIZE(cached_results
);
1401 static int get_implied_value_internal(struct expression
*expr
, sval_t
*sval
, int *recurse_cnt
)
1403 struct range_list
*rl
;
1405 if (!get_rl_helper(expr
, RL_IMPLIED
, recurse_cnt
, &rl
) ||
1406 !rl_to_sval(rl
, sval
))
1411 int get_implied_value(struct expression
*expr
, sval_t
*sval
)
1413 struct range_list
*rl
;
1414 int recurse_cnt
= 0;
1416 if (! get_rl_helper(expr
, RL_IMPLIED
, &recurse_cnt
, &rl
) ||
1417 !rl_to_sval(rl
, sval
))
1422 int get_implied_min(struct expression
*expr
, sval_t
*sval
)
1424 struct range_list
*rl
;
1425 int recurse_cnt
= 0;
1427 if (!get_rl_helper(expr
, RL_IMPLIED
, &recurse_cnt
, &rl
) || !rl
)
1433 int get_implied_max(struct expression
*expr
, sval_t
*sval
)
1435 struct range_list
*rl
;
1436 int recurse_cnt
= 0;
1438 if (!get_rl_helper(expr
, RL_IMPLIED
, &recurse_cnt
, &rl
) || !rl
)
1444 int get_implied_rl(struct expression
*expr
, struct range_list
**rl
)
1446 int recurse_cnt
= 0;
1448 if (!get_rl_helper(expr
, RL_IMPLIED
, &recurse_cnt
, rl
) || !*rl
)
1453 static int get_absolute_rl_internal(struct expression
*expr
, struct range_list
**rl
, int *recurse_cnt
)
1456 get_rl_helper(expr
, RL_ABSOLUTE
, recurse_cnt
, rl
);
1458 *rl
= alloc_whole_rl(get_type(expr
));
1462 int get_absolute_rl(struct expression
*expr
, struct range_list
**rl
)
1464 int recurse_cnt
= 0;
1467 get_rl_helper(expr
, RL_ABSOLUTE
, &recurse_cnt
, rl
);
1469 *rl
= alloc_whole_rl(get_type(expr
));
1473 int get_real_absolute_rl(struct expression
*expr
, struct range_list
**rl
)
1475 int recurse_cnt
= 0;
1478 get_rl_helper(expr
, RL_REAL_ABSOLUTE
, &recurse_cnt
, rl
);
1480 *rl
= alloc_whole_rl(get_type(expr
));
1484 int custom_get_absolute_rl(struct expression
*expr
,
1485 struct range_list
*(*fn
)(struct expression
*expr
),
1486 struct range_list
**rl
)
1488 int recurse_cnt
= 0;
1492 custom_handle_variable
= fn
;
1493 ret
= get_rl_helper(expr
, RL_REAL_ABSOLUTE
, &recurse_cnt
, rl
);
1494 custom_handle_variable
= NULL
;
1498 int get_implied_rl_var_sym(const char *var
, struct symbol
*sym
, struct range_list
**rl
)
1500 struct smatch_state
*state
;
1502 state
= get_state(SMATCH_EXTRA
, var
, sym
);
1503 *rl
= estate_rl(state
);
1509 int get_hard_max(struct expression
*expr
, sval_t
*sval
)
1511 struct range_list
*rl
;
1512 int recurse_cnt
= 0;
1514 if (!get_rl_helper(expr
, RL_HARD
, &recurse_cnt
, &rl
) || !rl
)
1520 int get_fuzzy_min(struct expression
*expr
, sval_t
*sval
)
1522 struct range_list
*rl
;
1524 int recurse_cnt
= 0;
1526 if (!get_rl_helper(expr
, RL_FUZZY
, &recurse_cnt
, &rl
) || !rl
)
1529 if (sval_is_negative(tmp
) && sval_is_min(tmp
))
1535 int get_fuzzy_max(struct expression
*expr
, sval_t
*sval
)
1537 struct range_list
*rl
;
1539 int recurse_cnt
= 0;
1541 if (!get_rl_helper(expr
, RL_FUZZY
, &recurse_cnt
, &rl
) || !rl
)
1544 if (max
.uvalue
> INT_MAX
- 10000)
1550 int get_absolute_min(struct expression
*expr
, sval_t
*sval
)
1552 struct range_list
*rl
;
1553 struct symbol
*type
;
1554 int recurse_cnt
= 0;
1556 type
= get_type(expr
);
1558 type
= &llong_ctype
; // FIXME: this is wrong but places assume get type can't fail.
1560 get_rl_helper(expr
, RL_REAL_ABSOLUTE
, &recurse_cnt
, &rl
);
1564 *sval
= sval_type_min(type
);
1566 if (sval_cmp(*sval
, sval_type_min(type
)) < 0)
1567 *sval
= sval_type_min(type
);
1571 int get_absolute_max(struct expression
*expr
, sval_t
*sval
)
1573 struct range_list
*rl
;
1574 struct symbol
*type
;
1575 int recurse_cnt
= 0;
1577 type
= get_type(expr
);
1579 type
= &llong_ctype
;
1581 get_rl_helper(expr
, RL_REAL_ABSOLUTE
, &recurse_cnt
, &rl
);
1585 *sval
= sval_type_max(type
);
1587 if (sval_cmp(sval_type_max(type
), *sval
) < 0)
1588 *sval
= sval_type_max(type
);
1592 int known_condition_true(struct expression
*expr
)
1599 if (get_value(expr
, &tmp
) && tmp
.value
)
1605 int known_condition_false(struct expression
*expr
)
1616 int implied_condition_true(struct expression
*expr
)
1623 if (known_condition_true(expr
))
1625 if (get_implied_value(expr
, &tmp
) && tmp
.value
)
1628 if (expr
->type
== EXPR_POSTOP
)
1629 return implied_condition_true(expr
->unop
);
1631 if (expr
->type
== EXPR_PREOP
&& expr
->op
== SPECIAL_DECREMENT
)
1632 return implied_not_equal(expr
->unop
, 1);
1633 if (expr
->type
== EXPR_PREOP
&& expr
->op
== SPECIAL_INCREMENT
)
1634 return implied_not_equal(expr
->unop
, -1);
1636 expr
= strip_expr(expr
);
1637 switch (expr
->type
) {
1639 if (do_comparison(expr
) == 1)
1643 if (expr
->op
== '!') {
1644 if (implied_condition_false(expr
->unop
))
1650 if (implied_not_equal(expr
, 0) == 1)
1657 int implied_condition_false(struct expression
*expr
)
1659 struct expression
*tmp
;
1665 if (known_condition_false(expr
))
1668 switch (expr
->type
) {
1670 if (do_comparison(expr
) == 2)
1673 if (expr
->op
== '!') {
1674 if (implied_condition_true(expr
->unop
))
1678 tmp
= strip_expr(expr
);
1680 return implied_condition_false(tmp
);
1683 if (get_implied_value(expr
, &sval
) && sval
.value
== 0)
1690 int can_integer_overflow(struct symbol
*type
, struct expression
*expr
)
1693 sval_t lmax
, rmax
, res
;
1698 expr
= strip_expr(expr
);
1700 if (expr
->type
== EXPR_ASSIGNMENT
) {
1702 case SPECIAL_MUL_ASSIGN
:
1705 case SPECIAL_ADD_ASSIGN
:
1708 case SPECIAL_SHL_ASSIGN
:
1709 op
= SPECIAL_LEFTSHIFT
;
1714 } else if (expr
->type
== EXPR_BINOP
) {
1715 if (expr
->op
!= '*' && expr
->op
!= '+' && expr
->op
!= SPECIAL_LEFTSHIFT
)
1722 get_absolute_max(expr
->left
, &lmax
);
1723 get_absolute_max(expr
->right
, &rmax
);
1725 if (sval_binop_overflows(lmax
, op
, rmax
))
1728 res
= sval_binop(lmax
, op
, rmax
);
1729 if (sval_cmp(res
, sval_type_max(type
)) > 0)
