search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kernel_user_data: don't set *my_struct to user data
[smatch.git] / smatch_mtag.c
blobe1a2a915507db4a509797816277f9e964575f77d
1 /*
2 * Copyright (C) 2017 Oracle. All rights reserved.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * One problem that I have is that it's really hard to track how pointers are
20 * passed around. For example, it would be nice to know that the probe() and
21 * remove() functions get the same pci_dev pointer. It would be good to know
22 * what pointers we're passing to the open() and close() functions. But that
23 * information gets lost in a call tree full of function pointer calls.
24 *
25 * I think the first step is to start naming specific pointers. So when a
26 * pointer is allocated, then it gets a tag. So calls to kmalloc() generate a
27 * tag. But we might not use that, because there might be a better name like
28 * framebuffer_alloc(). The framebuffer_alloc() is interesting because there is
29 * one per driver and it's passed around to all the file operations.
30 *
31 * Perhaps we could make a list of functions like framebuffer_alloc() which take
32 * a size and say that those are the interesting alloc functions.
33 *
34 * Another place where we would maybe name the pointer is when they are passed
35 * to the probe(). Because that's an important pointer, since there is one
36 * per driver (sort of).
37 *
38 * My vision is that you could take a pointer and trace it back to a global. So
39 * I'm going to track that pointer_tag - 28 bytes takes you to another pointer
40 * tag. You could follow that one back and so on. Also when we pass a pointer
41 * to a function that would be recorded as sort of a link or path or something.
42 *
43 */
44
45 #include "smatch.h"
46 #include "smatch_slist.h"
47 #include "smatch_extra.h"
48
49 static int my_id;
50
51 static void store_hash(const char *str, unsigned long long hash)
52 {
53 sql_insert_cache_or_ignore(hash_string, "0x%llx, '%s'", hash, str);
54 }
55
56 unsigned long long str_to_llu_hash(const char *str)
57 {
58 unsigned long long hash;
59
60 hash = str_to_llu_hash_helper(str);
61 store_hash(str, hash);
62
63 return hash;
64 }
65
66 mtag_t str_to_mtag(const char *str)
67 {
68 unsigned long long tag;
69
70 tag = str_to_llu_hash_helper(str);
71
72 tag &= ~MTAG_OFFSET_MASK;
73
74 return tag;
75 }
76
77 static int save_allocator(void *_allocator, int argc, char **argv, char **azColName)
78 {
79 char **allocator = _allocator;
80
81 if (*allocator) {
82 if (strcmp(*allocator, argv[0]) == 0)
83 return 0;
84 /* should be impossible */
85 free_string(*allocator);
86 *allocator = alloc_string("unknown");
87 return 0;
88 }
89 *allocator = alloc_string(argv[0]);
90 return 0;
91 }
92
93 char *get_allocator_info_from_tag(mtag_t tag)
94 {
95 char *allocator = NULL;
96
97 run_sql(save_allocator, &allocator,
98 "select value from mtag_info where tag = %lld and type = %d;",
99 tag, ALLOCATOR);
100
101 return allocator;
102 }
103
104 static char *get_allocator_info(struct expression *expr, struct smatch_state *state)
105 {
106 sval_t sval;
107
108 if (expr->type != EXPR_ASSIGNMENT)
109 return NULL;
110 if (estate_get_single_value(state, &sval))
111 return get_allocator_info_from_tag(sval.value);
112
113 expr = strip_expr(expr->right);
114 if (expr->type != EXPR_CALL ||
115 !expr->fn ||
116 expr->fn->type != EXPR_SYMBOL)
117 return NULL;
118 return expr_to_str(expr->fn);
119 }
120
121 static void update_mtag_info(struct expression *expr, mtag_t tag,
122 const char *left_name, const char *tag_info,
123 struct smatch_state *state)
124 {
125 char *allocator;
126
127 sql_insert_mtag_about(tag, left_name, tag_info);
128
129 allocator = get_allocator_info(expr, state);
130 if (allocator)
131 sql_insert_mtag_info(tag, ALLOCATOR, allocator);
132 }
133
134 struct smatch_state *get_mtag_return(struct expression *expr, struct smatch_state *state)
135 {
136 struct expression *left, *right;
137 char *left_name, *right_name;
138 struct symbol *left_sym;
139 struct range_list *rl;
140 char buf[256];
141 mtag_t tag;
142 sval_t tag_sval;
143
144 if (!expr || expr->type != EXPR_ASSIGNMENT || expr->op != '=')
145 return NULL;
146 if (!is_fresh_alloc(expr->right))
147 return NULL;
148 if (!rl_intersection(estate_rl(state), valid_ptr_rl))
149 return NULL;
150
151 left = strip_expr(expr->left);
152 right = strip_expr(expr->right);
153
154 left_name = expr_to_str_sym(left, &left_sym);
155 if (!left_name || !left_sym)
156 return NULL;
157 right_name = expr_to_str(right);
158
159 snprintf(buf, sizeof(buf), "%s %s %s %s", get_filename(), get_function(),
160 left_name, right_name);
161 tag = str_to_mtag(buf);
162 tag_sval.type = estate_type(state);
163 tag_sval.uvalue = tag;
164
165 rl = rl_filter(estate_rl(state), valid_ptr_rl);
166 rl = clone_rl(rl);
167 add_range(&rl, tag_sval, tag_sval);
168
169 update_mtag_info(expr, tag, left_name, buf, state);
170
171 free_string(left_name);
172 free_string(right_name);
173
174 return alloc_estate_rl(rl);
175 }
176
177 int get_string_mtag(struct expression *expr, mtag_t *tag)
178 {
179 mtag_t xor;
180
181 if (expr->type != EXPR_STRING || !expr->string)
182 return 0;
183
184 /* I was worried about collisions so I added a xor */
185 xor = str_to_mtag("__smatch string");
186 *tag = str_to_mtag(expr->string->data);
187 *tag = *tag ^ xor;
188
189 return 1;
190 }
191
192 int get_toplevel_mtag(struct symbol *sym, mtag_t *tag)
193 {
194 char buf[256];
195
196 if (!sym)
197 return 0;
198
199 if (!sym->ident ||
200 !(sym->ctype.modifiers & MOD_TOPLEVEL))
201 return 0;
202
203 snprintf(buf, sizeof(buf), "%s %s",
204 (sym->ctype.modifiers & MOD_STATIC) ? get_filename() : "extern",
205 sym->ident->name);
206 *tag = str_to_mtag(buf);
207 return 1;
208 }
209
210 bool get_symbol_mtag(struct symbol *sym, mtag_t *tag)
211 {
212 char buf[256];
213
214 if (!sym || !sym->ident)
215 return false;
216
217 if (get_toplevel_mtag(sym, tag))
218 return true;
219
220 if (get_param_num_from_sym(sym) >= 0)
221 return false;
222
223 snprintf(buf, sizeof(buf), "%s %s %s",
224 get_filename(), get_function(), sym->ident->name);
225 *tag = str_to_mtag(buf);
226 return true;
227 }
228
229 static void global_variable(struct symbol *sym)
230 {
231 mtag_t tag;
232
233 if (!get_toplevel_mtag(sym, &tag))
234 return;
235
236 sql_insert_mtag_about(tag,
237 sym->ident->name,
238 (sym->ctype.modifiers & MOD_STATIC) ? get_filename() : "extern");
239 }
240
241 static int get_array_mtag_offset(struct expression *expr, mtag_t *tag, int *offset)
242 {
243 struct expression *array, *offset_expr;
244 struct symbol *type;
245 sval_t sval;
246 int start_offset;
247
248 if (!is_array(expr))
249 return 0;
250
251 array = get_array_base(expr);
252 if (!array)
253 return 0;
254 type = get_type(array);
255 if (!type || type->type != SYM_ARRAY)
256 return 0;
257 type = get_real_base_type(type);
258 if (!type_bytes(type))
259 return 0;
260
261 if (!expr_to_mtag_offset(array, tag, &start_offset))
262 return 0;
263
264 offset_expr = get_array_offset(expr);
265 if (!get_value(offset_expr, &sval))
266 return 0;
267 *offset = start_offset + sval.value * type_bytes(type);
268
269 return 1;
270 }
271
272 struct range_list *swap_mtag_seed(struct expression *expr, struct range_list *rl)
273 {
274 char buf[256];
275 char *name;
276 sval_t sval;
277 mtag_t tag;
278
279 if (!rl_to_sval(rl, &sval))
280 return rl;
281 if (sval.type->type != SYM_PTR || sval.uvalue != MTAG_SEED)
282 return rl;
283
284 name = expr_to_str(expr);
285 snprintf(buf, sizeof(buf), "%s %s %s", get_filename(), get_function(), name);
286 free_string(name);
287 tag = str_to_mtag(buf);
288 sval.value = tag;
289 return alloc_rl(sval, sval);
290 }
291
292 int create_mtag_alias(mtag_t tag, struct expression *expr, mtag_t *new)
293 {
294 char buf[256];
295 int lines_from_start;
296 char *str;
297
298 /*
299 * We need the alias to be unique. It's not totally required that it
300 * be the same from one DB build to then next, but it makes debugging
301 * a bit simpler.
302 *
303 */
304
305 if (!cur_func_sym)
306 return 0;
307
308 lines_from_start = expr->pos.line - cur_func_sym->pos.line;
309 str = expr_to_str(expr);
310 snprintf(buf, sizeof(buf), "%lld %d %s", tag, lines_from_start, str);
311 free_string(str);
312
313 *new = str_to_mtag(buf);
314 sql_insert_mtag_alias(tag, *new);
315
316 return 1;
317 }
318
319 static int get_implied_mtag_offset(struct expression *expr, mtag_t *tag, int *offset)
320 {
321 struct smatch_state *state;
322 struct symbol *type;
323 sval_t sval;
324
325 type = get_type(expr);
326 if (!type_is_ptr(type))
327 return 0;
328 state = get_extra_state(expr);
329 if (!state || !estate_get_single_value(state, &sval) || sval.value == 0)
330 return 0;
331
332 *tag = sval.uvalue & ~MTAG_OFFSET_MASK;
333 *offset = sval.uvalue & MTAG_OFFSET_MASK;
334 return 1;
335 }
336
337 /*
338 * The point of this function is to give you the mtag and the offset so
339 * you can look up the data in the DB. It takes an expression.
340 *
341 * So say you give it "foo->bar". Then it would give you the offset of "bar"
342 * and the implied value of "foo". Or if you lookup "*foo" then the offset is
343 * zero and we look up the implied value of "foo. But if the expression is
344 * foo, then if "foo" is a global variable, then we get the mtag and the offset
345 * is zero. If "foo" is a local variable, then there is nothing to look up in
346 * the mtag_data table because that's handled by smatch_extra.c to this returns
347 * false.
348 *
349 */
350 int expr_to_mtag_offset(struct expression *expr, mtag_t *tag, int *offset)
351 {
352 *tag = 0;
353 *offset = 0;
354
355 if (bits_in_pointer != 64)
356 return 0;
357
358 expr = strip_expr(expr);
359 if (!expr)
360 return 0;
361
362 if (is_array(expr))
363 return get_array_mtag_offset(expr, tag, offset);
364
365 if (expr->type == EXPR_PREOP && expr->op == '*') {
366 expr = strip_expr(expr->unop);
367 return get_implied_mtag_offset(expr, tag, offset);
368 } else if (expr->type == EXPR_DEREF) {
369 int tmp, tmp_offset = 0;
370
371 while (expr->type == EXPR_DEREF) {
372 tmp = get_member_offset_from_deref(expr);
373 if (tmp < 0)
374 return 0;
375 tmp_offset += tmp;
376 expr = strip_expr(expr->deref);
377 }
378 *offset = tmp_offset;
379 if (expr->type == EXPR_PREOP && expr->op == '*') {
380 expr = strip_expr(expr->unop);
381
382 if (get_implied_mtag_offset(expr, tag, &tmp_offset)) {
383 // FIXME: look it up recursively?
384 if (tmp_offset)
385 return 0;
386 return 1;
387 }
388 return 0;
389 } else if (expr->type == EXPR_SYMBOL) {
390 return get_symbol_mtag(expr->symbol, tag);
391 }
392 return 0;
393 } else if (expr->type == EXPR_SYMBOL) {
394 return get_symbol_mtag(expr->symbol, tag);
395 }
396 return 0;
397 }
398
399 /*
400 * This function takes an address and returns an sval. Let's take some
401 * example things you might pass to it:
402 * foo->bar:
403 * If we were only called from smatch_math, we wouldn't need to bother with
404 * this because it's already been looked up in smatch_extra.c but this is
405 * also called from other places so we have to check smatch_extra.c.
406 * &foo
407 * If "foo" is global return the mtag for "foo".
408 * &foo.bar
409 * If "foo" is global return the mtag for "foo" + the offset of ".bar".
410 * It also handles string literals.
411 *
412 */
413 int get_mtag_sval(struct expression *expr, sval_t *sval)
414 {
415 struct symbol *type;
416 mtag_t tag;
417 int offset = 0;
418
419 if (bits_in_pointer != 64)
420 return 0;
421
422 expr = strip_expr(expr);
423
424 type = get_type(expr);
425 if (!type_is_ptr(type))
426 return 0;
427 /*
428 * There are several options:
429 *
430 * If the expr is a string literal, that's an address/mtag.
431 * SYM_ARRAY and SYM_FN are mtags. There are "&foo" type addresses.
432 * And there are saved pointers "p = &foo;"
433 *
434 */
435
436 if (expr->type == EXPR_STRING && get_string_mtag(expr, &tag))
437 goto found;
438
439 if (expr->type == EXPR_SYMBOL &&
440 (type->type == SYM_ARRAY || type->type == SYM_FN) &&
441 get_toplevel_mtag(expr->symbol, &tag))
442 goto found;
443
444 if (expr->type == EXPR_PREOP && expr->op == '&') {
445 expr = strip_expr(expr->unop);
446 if (expr_to_mtag_offset(expr, &tag, &offset))
447 goto found;
448 return 0;
449 }
450
451 if (get_implied_mtag_offset(expr, &tag, &offset))
452 goto found;
453
454 return 0;
455 found:
456 if (offset >= MTAG_OFFSET_MASK)
457 return 0;
458
459 sval->type = type;
460 sval->uvalue = tag | offset;
461
462 return 1;
463 }
464
465 void register_mtag(int id)
466 {
467 my_id = id;
468
469
470 /*
471 * The mtag stuff only works on 64 systems because we store the
472 * information in the pointer itself.
473 * bit 63 : set for alias mtags
474 * bit 62-12: mtag hash
475 * bit 11-0 : offset
476 *
477 */
478
479 add_hook(&global_variable, BASE_HOOK);
480 }
Static analysis for C