search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kernel.ignored_macros: add ASSERT() to ignored macros
[smatch.git] / smatch_function_hooks.c
bloba26fe16b5b00904c9d965b075ca4d2668027c99a
1 /*
2 * Copyright (C) 2009 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * There are several types of function hooks.
20 *
21 * The param_key hooks are probably the right things to use going forward.
22 * They give you a name/sym pair so it means less code in the checks.
23 *
24 * The add_function_hook() functions are trigger for every call. The
25 * "return_implies" are triggered for specific return ranges. The "exact"
26 * variants will be triggered if it's *definitely* in the range where the
27 * others will be triggered if it's *possibly* in the range. The "late"
28 * variants will be triggered after the others have run.
29 *
30 * There are a few miscellaneous things like add_function_assign_hook() and
31 * add_macro_assign_hook() which are only triggered for assignments. The
32 * add_implied_return_hook() let's you manually adjust the return range.
33 *
34 * Every call:
35 * add_function_param_key_hook()
36 * add_function_param_key_hook_late()
37 * add_function_hook()
38 *
39 * Just for some return ranges:
40 * return_implies_param_key()
41 * return_implies_param_key_exact()
42 * return_implies_state()
43 * select_return_param_key() (It's weird that this is not in smatch_db.c)
44 *
45 * For Assignments:
46 * add_function_assign_hook()
47 *
48 * For Macro Assignments:
49 * add_macro_assign_hook()
50 *
51 * Manipulate the return range.
52 * add_implied_return_hook()
53 */
54
55 #include <stdlib.h>
56 #include <stdio.h>
57 #include <ctype.h>
58 #include "smatch.h"
59 #include "smatch_slist.h"
60 #include "smatch_extra.h"
61 #include "smatch_function_hashtable.h"
62 #include "smatch_expression_stacks.h"
63
64 struct fcall_back {
65 int type;
66 struct data_range *range;
67 union {
68 func_hook *call_back;
69 implication_hook *ranged;
70 implied_return_hook *implied_return;
71 } u;
72 void *info;
73 };
74
75 ALLOCATOR(fcall_back, "call backs");
76 DECLARE_PTR_LIST(call_back_list, struct fcall_back);
77
78 DEFINE_FUNCTION_HASHTABLE_STATIC(callback, struct fcall_back, struct call_back_list);
79 static struct hashtable *func_hash;
80
81 int __in_fake_parameter_assign;
82
83 enum fn_hook_type {
84 REGULAR_CALL,
85 REGULAR_CALL_LATE,
86 RANGED_CALL,
87 RANGED_EXACT,
88 ASSIGN_CALL,
89 IMPLIED_RETURN,
90 MACRO_ASSIGN,
91 MACRO_ASSIGN_EXTRA,
92 };
93
94 struct param_key_data {
95 param_key_hook *call_back;
96 int param;
97 const char *key;
98 void *info;
99 };
100
101 struct return_implies_callback {
102 int type;
103 bool param_key;
104 union {
105 return_implies_hook *callback;
106 param_key_hook *pk_callback;
107 };
108 };
109 ALLOCATOR(return_implies_callback, "return_implies callbacks");
110 DECLARE_PTR_LIST(db_implies_list, struct return_implies_callback);
111 static struct db_implies_list *db_return_states_list;
112
113 typedef void (void_fn)(void);
114 DECLARE_PTR_LIST(void_fn_list, void_fn *);
115 static struct void_fn_list *return_states_before;
116 static struct void_fn_list *return_states_after;
117
118 static struct fcall_back *alloc_fcall_back(int type, void *call_back,
119 void *info)
120 {
121 struct fcall_back *cb;
122
123 cb = __alloc_fcall_back(0);
124 cb->type = type;
125 cb->u.call_back = call_back;
126 cb->info = info;
127 return cb;
128 }
129
130 void add_function_hook(const char *look_for, func_hook *call_back, void *info)
131 {
132 struct fcall_back *cb;
133
134 cb = alloc_fcall_back(REGULAR_CALL, call_back, info);
135 add_callback(func_hash, look_for, cb);
136 }
137
138 void add_function_hook_late(const char *look_for, func_hook *call_back, void *info)
139 {
140 struct fcall_back *cb;
141
142 cb = alloc_fcall_back(REGULAR_CALL_LATE, call_back, info);
143 add_callback(func_hash, look_for, cb);
144 }
145
146 void add_function_assign_hook(const char *look_for, func_hook *call_back,
147 void *info)
148 {
149 struct fcall_back *cb;
150
151 cb = alloc_fcall_back(ASSIGN_CALL, call_back, info);
152 add_callback(func_hash, look_for, cb);
153 }
154
155 static void register_funcs_from_file_helper(const char *file,
156 func_hook *call_back, void *info,
157 bool assign)
158 {
159 struct token *token;
160 const char *func;
161 char name[64];
162
163 snprintf(name, sizeof(name), "%s.%s", option_project_str, file);
164 token = get_tokens_file(name);
165 if (!token)
166 return;
167 if (token_type(token) != TOKEN_STREAMBEGIN)
168 return;
169 token = token->next;
170 while (token_type(token) != TOKEN_STREAMEND) {
171 if (token_type(token) != TOKEN_IDENT)
172 return;
173 func = show_ident(token->ident);
174 if (assign)
175 add_function_assign_hook(func, call_back, info);
176 else
177 add_function_hook(func, call_back, info);
178 token = token->next;
179 }
180 clear_token_alloc();
181 }
182
183 void register_func_hooks_from_file(const char *file,
184 func_hook *call_back, void *info)
185 {
186 register_funcs_from_file_helper(file, call_back, info, false);
187 }
188
189 void register_assign_hooks_from_file(const char *file,
190 func_hook *call_back, void *info)
191 {
192 register_funcs_from_file_helper(file, call_back, info, true);
193 }
194
195 void add_implied_return_hook(const char *look_for,
196 implied_return_hook *call_back,
197 void *info)
198 {
199 struct fcall_back *cb;
200
201 cb = alloc_fcall_back(IMPLIED_RETURN, call_back, info);
202 add_callback(func_hash, look_for, cb);
203 }
204
205 static void db_helper(struct expression *expr, param_key_hook *call_back, int param, const char *key, void *info)
206 {
207 char *name;
208 struct symbol *sym;
209
210 if (param == -2) {
211 call_back(expr, key, NULL, info);
212 return;
213 }
214
215 name = get_name_sym_from_key(expr, param, key, &sym);
216 if (!name || !sym)
217 goto free;
218
219 call_back(expr, name, sym, info);
220 free:
221 free_string(name);
222 }
223
224 static void param_key_function(const char *fn, struct expression *expr, void *data)
225 {
226 struct param_key_data *pkd = data;
227 struct expression *parent;
228 int cnt = 0;
229
230 parent = expr;
231 while (true) {
232 parent = expr_get_parent_expr(parent);
233 if (!parent || ++cnt >= 5)
234 break;
235 if (parent->type == EXPR_CAST)
236 continue;
237 if (parent->type == EXPR_PREOP && parent->op == '(')
238 continue;
239 break;
240 }
241
242 if (parent && parent->type == EXPR_ASSIGNMENT)
243 expr = parent;
244
245 db_helper(expr, pkd->call_back, pkd->param, pkd->key, pkd->info);
246 }
247
248 static void param_key_implies_function(const char *fn, struct expression *call_expr,
249 struct expression *assign_expr, void *data)
250 {
251 struct param_key_data *pkd = data;
252
253 db_helper(assign_expr ?: call_expr, pkd->call_back, pkd->param, pkd->key, pkd->info);
254 }
255
256 static struct param_key_data *alloc_pkd(param_key_hook *call_back, int param, const char *key, void *info)
257 {
258 struct param_key_data *pkd;
259
260 pkd = malloc(sizeof(*pkd));
261 pkd->call_back = call_back;
262 pkd->param = param;
263 pkd->key = alloc_string(key);
264 pkd->info = info;
265
266 return pkd;
267 }
268
269 void add_function_param_key_hook(const char *look_for, param_key_hook *call_back,
270 int param, const char *key, void *info)
271 {
272 struct param_key_data *pkd;
273
274 pkd = alloc_pkd(call_back, param, key, info);
275 add_function_hook(look_for, &param_key_function, pkd);
276 }
277
278 void add_function_param_key_hook_late(const char *look_for, param_key_hook *call_back,
279 int param, const char *key, void *info)
280 {
281 struct param_key_data *pkd;
282
283 pkd = alloc_pkd(call_back, param, key, info);
284 add_function_hook_late(look_for, &param_key_function, pkd);
285 }
286
287 void return_implies_param_key(const char *look_for, sval_t start, sval_t end,
288 param_key_hook *call_back,
289 int param, const char *key, void *info)
290 {
291 struct param_key_data *pkd;
292
293 pkd = alloc_pkd(call_back, param, key, info);
294 return_implies_state_sval(look_for, start, end, &param_key_implies_function, pkd);
295 }
296
297 void return_implies_param_key_exact(const char *look_for, sval_t start, sval_t end,
298 param_key_hook *call_back,
299 int param, const char *key, void *info)
300 {
301 struct param_key_data *pkd;
302
303 pkd = alloc_pkd(call_back, param, key, info);
304 return_implies_exact(look_for, start, end, &param_key_implies_function, pkd);
305 }
306
307 void add_macro_assign_hook(const char *look_for, func_hook *call_back,
308 void *info)
309 {
310 struct fcall_back *cb;
311
312 cb = alloc_fcall_back(MACRO_ASSIGN, call_back, info);
313 add_callback(func_hash, look_for, cb);
314 }
315
316 void add_macro_assign_hook_extra(const char *look_for, func_hook *call_back,
317 void *info)
318 {
319 struct fcall_back *cb;
320
321 cb = alloc_fcall_back(MACRO_ASSIGN_EXTRA, call_back, info);
322 add_callback(func_hash, look_for, cb);
323 }
324
325 void return_implies_state(const char *look_for, long long start, long long end,
326 implication_hook *call_back, void *info)
327 {
328 struct fcall_back *cb;
329
330 cb = alloc_fcall_back(RANGED_CALL, call_back, info);
331 cb->range = alloc_range_perm(ll_to_sval(start), ll_to_sval(end));
332 add_callback(func_hash, look_for, cb);
333 }
334
335 void return_implies_state_sval(const char *look_for, sval_t start, sval_t end,
336 implication_hook *call_back, void *info)
337 {
338 struct fcall_back *cb;
339
340 cb = alloc_fcall_back(RANGED_CALL, call_back, info);
341 cb->range = alloc_range_perm(start, end);
342 add_callback(func_hash, look_for, cb);
343 }
344
345 void return_implies_exact(const char *look_for, sval_t start, sval_t end,
346 implication_hook *call_back, void *info)
347 {
348 struct fcall_back *cb;
349
350 cb = alloc_fcall_back(RANGED_EXACT, call_back, info);
351 cb->range = alloc_range_perm(start, end);
352 add_callback(func_hash, look_for, cb);
353 }
354
355 static struct return_implies_callback *alloc_db_return_callback(int type, bool param_key, void *callback)
356 {
357 struct return_implies_callback *cb;
358
359 cb = __alloc_return_implies_callback(0);
360 cb->type = type;
361 cb->param_key = param_key;
362 cb->callback = callback;
363
364 return cb;
365 }
366
367 void select_return_states_hook(int type, return_implies_hook *callback)
368 {
369 struct return_implies_callback *cb;
370
371 cb = alloc_db_return_callback(type, false, callback);
372 add_ptr_list(&db_return_states_list, cb);
373 }
374
375 static void call_db_return_callback(struct return_implies_callback *cb,
376 struct expression *expr, int param, char *key, char *value)
377 {
378 if (cb->param_key) {
379 // FIXME check if cb->pk_callback was already called
380 db_helper(expr, cb->pk_callback, param, key, NULL);
381 } else {
382 cb->callback(expr, param, key, value);
383 }
384 }
385
386 void select_return_param_key(int type, param_key_hook *callback)
387 {
388 struct return_implies_callback *cb;
389
390 cb = alloc_db_return_callback(type, true, callback);
391 add_ptr_list(&db_return_states_list, cb);
392 }
393
394 void select_return_states_before(void_fn *fn)
395 {
396 void_fn **p = malloc(sizeof(void_fn *));
397 *p = fn;
398 add_ptr_list(&return_states_before, p);
399 }
400
401 void select_return_states_after(void_fn *fn)
402 {
403 void_fn **p = malloc(sizeof(void_fn *));
404 *p = fn;
405 add_ptr_list(&return_states_after, p);
406 }
407
408 static void call_return_states_before_hooks(void)
409 {
410 void_fn **fn;
411
412 FOR_EACH_PTR(return_states_before, fn) {
413 (*fn)();
414 } END_FOR_EACH_PTR(fn);
415 }
416
417 static int call_call_backs(struct call_back_list *list, int type,
418 const char *fn, struct expression *expr)
419 {
420 struct fcall_back *tmp;
421 int handled = 0;
422
423 FOR_EACH_PTR(list, tmp) {
424 if (tmp->type == type) {
425 (tmp->u.call_back)(fn, expr, tmp->info);
426 handled = 1;
427 }
428 } END_FOR_EACH_PTR(tmp);
429
430 return handled;
431 }
432
433 static void call_function_hooks(struct expression *expr, enum fn_hook_type type)
434 {
435 struct call_back_list *call_backs;
436 struct expression *fn;
437
438 while (expr->type == EXPR_ASSIGNMENT)
439 expr = strip_expr(expr->right);
440 if (expr->type != EXPR_CALL)
441 return;
442
443 fn = strip_expr(expr->fn);
444 if (fn->type != EXPR_SYMBOL || !fn->symbol)
445 return;
446
447 call_backs = search_callback(func_hash, (char *)fn->symbol->ident->name);
448 if (!call_backs)
449 return;
450
451 call_call_backs(call_backs, type, fn->symbol->ident->name, expr);
452 }
453
454 static void call_return_states_after_hooks(struct expression *expr)
455 {
456 void_fn **fn;
457
458 FOR_EACH_PTR(return_states_after, fn) {
459 (*fn)();
460 } END_FOR_EACH_PTR(fn);
461 __pass_to_client(expr, FUNCTION_CALL_HOOK_AFTER_DB);
462 call_function_hooks(expr, REGULAR_CALL_LATE);
463 }
464
465 static void call_ranged_call_backs(struct call_back_list *list,
466 const char *fn, struct expression *call_expr,
467 struct expression *assign_expr)
468 {
469 struct fcall_back *tmp;
470
471 FOR_EACH_PTR(list, tmp) {
472 (tmp->u.ranged)(fn, call_expr, assign_expr, tmp->info);
473 } END_FOR_EACH_PTR(tmp);
474 }
475
476 static struct call_back_list *get_same_ranged_call_backs(struct call_back_list *list,
477 struct data_range *drange)
478 {
479 struct call_back_list *ret = NULL;
480 struct fcall_back *tmp;
481
482 FOR_EACH_PTR(list, tmp) {
483 if (tmp->type != RANGED_CALL &&
484 tmp->type != RANGED_EXACT)
485 continue;
486 if (ranges_equiv(tmp->range, drange))
487 add_ptr_list(&ret, tmp);
488 } END_FOR_EACH_PTR(tmp);
489 return ret;
490 }
491
492 static int in_list_exact_sval(struct range_list *list, struct data_range *drange)
493 {
494 struct data_range *tmp;
495
496 FOR_EACH_PTR(list, tmp) {
497 if (ranges_equiv(tmp, drange))
498 return 1;
499 } END_FOR_EACH_PTR(tmp);
500 return 0;
501 }
502
503 static int assign_ranged_funcs(const char *fn, struct expression *expr,
504 struct call_back_list *call_backs)
505 {
506 struct fcall_back *tmp;
507 struct sm_state *sm;
508 char *var_name;
509 struct symbol *sym;
510 struct smatch_state *estate;
511 struct stree *tmp_stree;
512 struct stree *final_states = NULL;
513 struct range_list *handled_ranges = NULL;
514 struct call_back_list *same_range_call_backs = NULL;
515 struct range_list *rl;
516 int handled = 0;
517
518 if (!call_backs)
519 return 0;
520
521 var_name = expr_to_var_sym(expr->left, &sym);
522 if (!var_name || !sym)
523 goto free;
524
525 FOR_EACH_PTR(call_backs, tmp) {
526 if (tmp->type != RANGED_CALL &&
527 tmp->type != RANGED_EXACT)
528 continue;
529
530 if (in_list_exact_sval(handled_ranges, tmp->range))
531 continue;
532 __push_fake_cur_stree();
533 tack_on(&handled_ranges, tmp->range);
534
535 same_range_call_backs = get_same_ranged_call_backs(call_backs, tmp->range);
536 call_ranged_call_backs(same_range_call_backs, fn, expr->right, expr);
537 __free_ptr_list((struct ptr_list **)&same_range_call_backs);
538
539 rl = alloc_rl(tmp->range->min, tmp->range->max);
540 rl = cast_rl(get_type(expr->left), rl);
541 estate = alloc_estate_rl(rl);
542 set_extra_mod(var_name, sym, expr->left, estate);
543
544 tmp_stree = __pop_fake_cur_stree();
545 merge_fake_stree(&final_states, tmp_stree);
546 free_stree(&tmp_stree);
547 handled = 1;
548 } END_FOR_EACH_PTR(tmp);
549
550 FOR_EACH_SM(final_states, sm) {
551 __set_sm(sm);
552 } END_FOR_EACH_SM(sm);
553
554 free_stree(&final_states);
555 free:
556 free_string(var_name);
557 return handled;
558 }
559
560 static void call_implies_callbacks(int comparison, struct expression *expr, sval_t sval, int left, struct stree **implied_true, struct stree **implied_false)
561 {
562 struct call_back_list *call_backs;
563 struct fcall_back *tmp;
564 const char *fn;
565 struct data_range *value_range;
566 struct stree *true_states = NULL;
567 struct stree *false_states = NULL;
568 struct stree *tmp_stree;
569
570 *implied_true = NULL;
571 *implied_false = NULL;
572 if (expr->fn->type != EXPR_SYMBOL || !expr->fn->symbol)
573 return;
574 fn = expr->fn->symbol->ident->name;
575 call_backs = search_callback(func_hash, (char *)expr->fn->symbol->ident->name);
576 if (!call_backs)
577 return;
578 value_range = alloc_range(sval, sval);
579
580 /* set true states */
581 __push_fake_cur_stree();
582 FOR_EACH_PTR(call_backs, tmp) {
583 if (tmp->type != RANGED_CALL &&
584 tmp->type != RANGED_EXACT)
585 continue;
586 if (!true_comparison_range_LR(comparison, tmp->range, value_range, left))
587 continue;
588 (tmp->u.ranged)(fn, expr, NULL, tmp->info);
589 } END_FOR_EACH_PTR(tmp);
590 tmp_stree = __pop_fake_cur_stree();
591 merge_fake_stree(&true_states, tmp_stree);
592 free_stree(&tmp_stree);
593
594 /* set false states */
595 __push_fake_cur_stree();
596 FOR_EACH_PTR(call_backs, tmp) {
597 if (tmp->type != RANGED_CALL &&
598 tmp->type != RANGED_EXACT)
599 continue;
600 if (!false_comparison_range_LR(comparison, tmp->range, value_range, left))
601 continue;
602 (tmp->u.ranged)(fn, expr, NULL, tmp->info);
603 } END_FOR_EACH_PTR(tmp);
604 tmp_stree = __pop_fake_cur_stree();
605 merge_fake_stree(&false_states, tmp_stree);
606 free_stree(&tmp_stree);
607
608 *implied_true = true_states;
609 *implied_false = false_states;
610 }
611
612 struct db_callback_info {
613 int true_side;
614 int comparison;
615 struct expression *expr;
616 struct range_list *rl;
617 int left;
618 struct stree *stree;
619 struct stree *implied;
620 struct db_implies_list *callbacks;
621 int prev_return_id;
622 int cull;
623 int has_states;
624 char *ret_str;
625 struct smatch_state *ret_state;
626 struct expression *var_expr;
627 struct expression_list *fake_param_assign_stack;
628 int handled;
629 };
630
631 static void set_implied_states(struct db_callback_info *db_info)
632 {
633 struct sm_state *sm;
634
635 FOR_EACH_SM(db_info->implied, sm) {
636 __set_sm(sm);
637 } END_FOR_EACH_SM(sm);
638
639 free_stree(&db_info->implied);
640 }
641
642 static void store_return_state(struct db_callback_info *db_info, const char *ret_str, struct smatch_state *state)
643 {
644 db_info->ret_str = alloc_sname(ret_str),
645 db_info->ret_state = state;
646 }
647
648 static bool fake_a_param_assignment(struct expression *expr, const char *ret_str, struct smatch_state *orig)
649 {
650 struct expression *arg, *left, *right, *tmp, *fake_assign;
651 char *p;
652 int param;
653 char buf[256];
654 char *str;
655
656 if (expr->type != EXPR_ASSIGNMENT || expr->op != '=')
657 return false;
658 left = expr->left;
659 right = expr->right;
660
661 while (right->type == EXPR_ASSIGNMENT)
662 right = strip_expr(right->right);
663 if (!right || right->type != EXPR_CALL)
664 return false;
665
666 p = strchr(ret_str, '[');
667 if (!p)
668 return false;
669
670 p++;
671 if (p[0] == '=' && p[1] == '=')
672 p += 2;
673 if (p[0] != '$')
674 return false;
675
676 snprintf(buf, sizeof(buf), "%s", p);
677
678 p = buf;
679 p += 1;
680 param = strtol(p, &p, 10);
681
682 p = strchr(p, ']');
683 if (!p || *p != ']')
684 return false;
685 *p = '\0';
686
687 arg = get_argument_from_call_expr(right->args, param);
688 if (!arg)
689 return false;
690
691 /* There should be a get_other_name() function which returns an expr */
692 tmp = get_assigned_expr(arg);
693 if (tmp)
694 arg = tmp;
695
696 /*
697 * This is a sanity check to prevent side effects from evaluating stuff
698 * twice.
699 */
700 str = expr_to_chunk_sym_vsl(arg, NULL, NULL);
701 if (!str)
702 return false;
703 free_string(str);
704
705 right = gen_expression_from_key(arg, buf);
706 if (!right) /* Mostly fails for binops like [$0 + 4032] */
707 return false;
708 fake_assign = assign_expression(left, '=', right);
709 __in_fake_parameter_assign++;
710 __split_expr(fake_assign);
711 __in_fake_parameter_assign--;
712
713 /*
714 * If the return is "0-65531[$0->nla_len - 4]" the faked expression
715 * is maybe (-4)-65531 but we know it is in the 0-65531 range so both
716 * parts have to be considered. We use _nomod() because it's not really
717 * another modification, it's just a clarification.
718 *
719 */
720 if (estate_rl(orig)) {
721 struct smatch_state *faked;
722 struct range_list *rl;
723
724 faked = get_extra_state(left);
725 if (estate_rl(faked)) {
726 rl = rl_intersection(estate_rl(faked), estate_rl(orig));
727 if (rl)
728 set_extra_expr_nomod(expr, alloc_estate_rl(rl));
729 }
730 }
731
732 return true;
733 }
734
735 static void fake_return_assignment(struct db_callback_info *db_info, int type, int param, char *key, char *value)
736 {
737 struct expression *call, *left, *right, *assign;
738 int right_param;
739
740 if (type != PARAM_COMPARE)
741 return;
742
743 call = db_info->expr;
744 while (call && call->type == EXPR_ASSIGNMENT)
745 call = strip_expr(call->right);
746 if (!call || call->type != EXPR_CALL)
747 return;
748
749 // TODO: This only handles "$->foo = arg" and not "$->foo = arg->bar".
750 if (param != -1)
751 return;
752 if (!value || strncmp(value, "== $", 4) != 0)
753 return;
754 if (!isdigit(value[4]) || value[5] != '\0')
755 return;
756 right_param = atoi(value + 4);
757
758 left = gen_expr_from_param_key(db_info->expr, param, key);
759 if (!left)
760 return;
761 right = get_argument_from_call_expr(call->args, right_param);
762
763 assign = assign_expression(left, '=', right);
764 push_expression(&db_info->fake_param_assign_stack, assign);
765 }
766
767 static void set_fresh_mtag_returns(struct db_callback_info *db_info)
768 {
769 struct expression *expr = db_info->expr->left;
770 struct smatch_state *state;
771
772 if (!db_info->ret_state)
773 return;
774
775 state = alloc_estate_rl(cast_rl(get_type(expr), clone_rl(estate_rl(db_info->ret_state))));
776 state = get_mtag_return(db_info->expr, state);
777 if (!state)
778 return;
779
780 set_real_absolute(expr, state);
781 set_extra_expr_mod(expr, state);
782
783 db_info->ret_state = NULL;
784 db_info->ret_str = NULL;
785 }
786
787 static void set_return_assign_state(struct db_callback_info *db_info)
788 {
789 struct expression *expr = db_info->expr->left;
790 struct expression *fake_assign;
791 struct smatch_state *state;
792
793 if (!db_info->ret_state)
794 return;
795
796 state = alloc_estate_rl(cast_rl(get_type(expr), clone_rl(estate_rl(db_info->ret_state))));
797 if (!fake_a_param_assignment(db_info->expr, db_info->ret_str, state))
798 set_extra_expr_mod(expr, state);
799
800 while ((fake_assign = pop_expression(&db_info->fake_param_assign_stack))) {
801 struct range_list *left, *right;
802
803 /*
804 * Originally, I tried to do this as a assignment to record that
805 * a = frob(b) implies that "a->foo == b->foo" etc. But that
806 * caused a problem because then it was recorded that "a->foo"
807 * was modified and recorded as a PARAM_SET in the database.
808 *
809 * So now, instead of faking an assignment we use
810 * set_extra_expr_nomod() but it's still recorded as an
811 * assignment in the ->fake_param_assign_stack for legacy
812 * reasons and because it's a handy way to store a left/right
813 * pair.
814 */
815
816 get_absolute_rl(fake_assign->left, &left);
817 get_absolute_rl(fake_assign->right, &right);
818 right = cast_rl(get_type(fake_assign->left), right);
819 // FIXME: add some sanity checks
820 // FIXME: preserve the sm state if possible
821 set_extra_expr_nomod(fake_assign->left, alloc_estate_rl(right));
822 }
823
824 db_info->ret_state = NULL;
825 db_info->ret_str = NULL;
826 }
827
828 static void set_other_side_state(struct db_callback_info *db_info)
829 {
830 struct expression *expr = db_info->var_expr;
831 struct smatch_state *state;
832
833 if (!db_info->ret_state)
834 return;
835
836 state = alloc_estate_rl(cast_rl(get_type(expr), clone_rl(estate_rl(db_info->ret_state))));
837 set_extra_expr_nomod(expr, state);
838 db_info->ret_state = NULL;
839 db_info->ret_str = NULL;
840 }
841
842 static void handle_ret_equals_param(char *ret_string, struct range_list *rl, struct expression *call)
843 {
844 char *str;
845 long long param;
846 struct expression *arg;
847 struct range_list *orig;
848
849 str = strstr(ret_string, "==$");
850 if (!str)
851 return;
852 str += 3;
853 param = strtoll(str, NULL, 10);
854 arg = get_argument_from_call_expr(call->args, param);
855 if (!arg)
856 return;
857 get_absolute_rl(arg, &orig);
858 rl = rl_intersection(orig, rl);
859 if (!rl)
860 return;
861 set_extra_expr_nomod(arg, alloc_estate_rl(rl));
862 }
863
864 static int impossible_limit(struct db_callback_info *db_info, int param, char *key, char *value)
865 {
866 struct expression *expr = db_info->expr;
867 struct expression *arg;
868 struct smatch_state *state;
869 struct range_list *passed;
870 struct range_list *limit;
871 struct symbol *compare_type;
872
873 while (expr->type == EXPR_ASSIGNMENT)
874 expr = strip_expr(expr->right);
875 if (expr->type != EXPR_CALL)
876 return 0;
877
878 arg = get_argument_from_call_expr(expr->args, param);
879 if (!arg)
880 return 0;
881
882 if (strcmp(key, "$") == 0) {
883 if (!get_implied_rl(arg, &passed))
884 return 0;
885
886 compare_type = get_arg_type(expr->fn, param);
887 } else {
888 char *name;
889 struct symbol *sym;
890
891 name = get_variable_from_key(arg, key, &sym);
892 if (!name || !sym)
893 return 0;
894
895 state = get_state(SMATCH_EXTRA, name, sym);
896 if (!state) {
897 free_string(name);
898 return 0;
899 }
900 passed = estate_rl(state);
901 if (!passed || is_whole_rl(passed)) {
902 free_string(name);
903 return 0;
904 }
905
906 compare_type = get_member_type_from_key(arg, key);
907 }
908
909 passed = cast_rl(compare_type, passed);
910 call_results_to_rl(expr, compare_type, value, &limit);
911 if (!limit || is_whole_rl(limit))
912 return 0;
913 if (possibly_true_rl(passed, SPECIAL_EQUAL, limit))
914 return 0;
915 if (option_debug || local_debug)
916 sm_msg("impossible: %d '%s' limit '%s' == '%s' return='%s'", param, key, show_rl(passed), value, db_info->ret_str);
917 return 1;
918 }
919
920 static int is_impossible_data(int type, struct db_callback_info *db_info, int param, char *key, char *value)
921 {
922 if (type == PARAM_LIMIT && impossible_limit(db_info, param, key, value))
923 return 1;
924 if (type == COMPARE_LIMIT && param_compare_limit_is_impossible(db_info->expr, param, key, value)) {
925 if (local_debug)
926 sm_msg("param_compare_limit_is_impossible: %d %s %s", param, key, value);
927 return 1;
928 }
929 return 0;
930 }
931
932 static int func_type_mismatch(struct expression *expr, const char *value)
933 {
934 struct symbol *type;
935
936 /* This makes faking returns easier */
937 if (!value || value[0] == '\0')
938 return 0;
939
940 while (expr->type == EXPR_ASSIGNMENT)
941 expr = strip_expr(expr->right);
942
943 /*
944 * Short cut: We only care about function pointers that are struct
945 * members.
946 *
947 */
948 if (expr->fn->type == EXPR_SYMBOL)
949 return 0;
950
951 type = get_type(expr->fn);
952 if (!type)
953 return 0;
954 if (type->type == SYM_PTR)
955 type = get_real_base_type(type);
956
957 if (strcmp(type_to_str(type), value) == 0)
958 return 0;
959
960 return 1;
961 }
962
963 static int db_compare_callback(void *_info, int argc, char **argv, char **azColName)
964 {
965 struct db_callback_info *db_info = _info;
966 struct range_list *var_rl = db_info->rl;
967 struct range_list *ret_range;
968 int type, param;
969 char *ret_str, *key, *value;
970 struct return_implies_callback *tmp;
971 struct stree *stree;
972 int return_id;
973 int comparison;
974
975 if (argc != 6)
976 return 0;
977
978 return_id = atoi(argv[0]);
979 ret_str = argv[1];
980 type = atoi(argv[2]);
981 param = atoi(argv[3]);
982 key = argv[4];
983 value = argv[5];
984
985 db_info->has_states = 1;
986 if (db_info->prev_return_id != -1 && type == INTERNAL) {
987 set_other_side_state(db_info);
988 set_implied_states(db_info);
989 stree = __pop_fake_cur_stree();
990 if (!db_info->cull)
991 merge_fake_stree(&db_info->stree, stree);
992 free_stree(&stree);
993 __push_fake_cur_stree();
994 db_info->cull = 0;
995 }
996 db_info->prev_return_id = return_id;
997
998 if (type == INTERNAL && func_type_mismatch(db_info->expr, value))
999 db_info->cull = 1;
1000 if (db_info->cull)
1001 return 0;
1002 if (type == CULL_PATH) {
1003 db_info->cull = 1;
1004 return 0;
1005 }
1006
1007 if (is_impossible_data(type, db_info, param, key, value)) {
1008 db_info->cull = 1;
1009 return 0;
1010 }
1011
1012 call_results_to_rl(db_info->expr, get_type(strip_expr(db_info->expr)), ret_str, &ret_range);
1013 ret_range = cast_rl(get_type(db_info->expr), ret_range);
1014 if (!ret_range)
1015 ret_range = alloc_whole_rl(get_type(db_info->expr));
1016
1017 comparison = db_info->comparison;
1018 if (db_info->left)
1019 comparison = flip_comparison(comparison);
1020
1021 if (db_info->true_side) {
1022 if (!possibly_true_rl(var_rl, comparison, ret_range))
1023 return 0;
1024 if (type == PARAM_LIMIT)
1025 param_limit_implications(db_info->expr, param, key, value, &db_info->implied);
1026 else if (type > PARAM_LIMIT)
1027 set_implied_states(db_info);
1028 filter_by_comparison(&var_rl, comparison, ret_range);
1029 filter_by_comparison(&ret_range, flip_comparison(comparison), var_rl);
1030 } else {
1031 if (!possibly_false_rl(var_rl, comparison, ret_range))
1032 return 0;
1033 if (type == PARAM_LIMIT)
1034 param_limit_implications(db_info->expr, param, key, value, &db_info->implied);
1035 else if (type > PARAM_LIMIT)
1036 set_implied_states(db_info);
1037 filter_by_comparison(&var_rl, negate_comparison(comparison), ret_range);
1038 filter_by_comparison(&ret_range, flip_comparison(negate_comparison(comparison)), var_rl);
1039 }
1040
1041 handle_ret_equals_param(ret_str, ret_range, db_info->expr);
1042
1043 if (type == INTERNAL) {
1044 set_state(-1, "unnull_path", NULL, &true_state);
1045 __add_return_comparison(strip_expr(db_info->expr), ret_str);
1046 __add_return_to_param_mapping(db_info->expr, ret_str);
1047 store_return_state(db_info, ret_str, alloc_estate_rl(clone_rl(var_rl)));
1048 }
1049
1050 FOR_EACH_PTR(db_info->callbacks, tmp) {
1051 if (tmp->type == type)
1052 call_db_return_callback(tmp, db_info->expr, param, key, value);
1053 } END_FOR_EACH_PTR(tmp);
1054
1055 fake_return_assignment(db_info, type, param, key, value);
1056
1057 return 0;
1058 }
1059
1060 static void compare_db_return_states_callbacks(struct expression *left, int comparison, struct expression *right, struct stree *implied_true, struct stree *implied_false)
1061 {
1062 struct stree *orig_states;
1063 struct stree *stree;
1064 struct stree *true_states;
1065 struct stree *false_states;
1066 struct sm_state *sm;
1067 struct db_callback_info db_info = {};
1068 struct expression *var_expr;
1069 struct expression *call_expr;
1070 struct range_list *rl;
1071 int call_on_left;
1072
1073 orig_states = clone_stree(__get_cur_stree());
1074
1075 /* legacy cruft. need to fix call_implies_callbacks(). */
1076 call_on_left = 1;
1077 call_expr = left;
1078 var_expr = right;
1079 if (left->type != EXPR_CALL) {
1080 call_on_left = 0;
1081 call_expr = right;
1082 var_expr = left;
1083 }
1084
1085 get_absolute_rl(var_expr, &rl);
1086
1087 db_info.comparison = comparison;
1088 db_info.expr = call_expr;
1089 db_info.rl = rl;
1090 db_info.left = call_on_left;
1091 db_info.callbacks = db_return_states_list;
1092 db_info.var_expr = var_expr;
1093
1094 call_return_states_before_hooks();
1095
1096 db_info.true_side = 1;
1097 db_info.stree = NULL;
1098 db_info.prev_return_id = -1;
1099 __push_fake_cur_stree();
1100 sql_select_return_states("return_id, return, type, parameter, key, value",
1101 call_expr, db_compare_callback, &db_info);
1102 set_other_side_state(&db_info);
1103 set_implied_states(&db_info);
1104 stree = __pop_fake_cur_stree();
1105 if (!db_info.cull)
1106 merge_fake_stree(&db_info.stree, stree);
1107 free_stree(&stree);
1108 true_states = db_info.stree;
1109 if (!true_states && db_info.has_states) {
1110 __push_fake_cur_stree();
1111 set_path_impossible();
1112 true_states = __pop_fake_cur_stree();
1113 }
1114
1115 nullify_path();
1116 __unnullify_path();
1117 FOR_EACH_SM(orig_states, sm) {
1118 __set_sm_cur_stree(sm);
1119 } END_FOR_EACH_SM(sm);
1120
1121 db_info.true_side = 0;
1122 db_info.stree = NULL;
1123 db_info.prev_return_id = -1;
1124 db_info.cull = 0;
1125 __push_fake_cur_stree();
1126 sql_select_return_states("return_id, return, type, parameter, key, value", call_expr,
1127 db_compare_callback, &db_info);
1128 set_other_side_state(&db_info);
1129 set_implied_states(&db_info);
1130 stree = __pop_fake_cur_stree();
1131 if (!db_info.cull)
1132 merge_fake_stree(&db_info.stree, stree);
1133 free_stree(&stree);
1134 false_states = db_info.stree;
1135 if (!false_states && db_info.has_states) {
1136 __push_fake_cur_stree();
1137 set_path_impossible();
1138 false_states = __pop_fake_cur_stree();
1139 }
1140
1141 nullify_path();
1142 __unnullify_path();
1143 FOR_EACH_SM(orig_states, sm) {
1144 __set_sm_cur_stree(sm);
1145 } END_FOR_EACH_SM(sm);
1146
1147 free_stree(&orig_states);
1148
1149 FOR_EACH_SM(true_states, sm) {
1150 __set_true_false_sm(sm, NULL);
1151 } END_FOR_EACH_SM(sm);
1152 FOR_EACH_SM(false_states, sm) {
1153 __set_true_false_sm(NULL, sm);
1154 } END_FOR_EACH_SM(sm);
1155
1156 free_stree(&true_states);
1157 free_stree(&false_states);
1158
1159 call_return_states_after_hooks(call_expr);
1160
1161 FOR_EACH_SM(implied_true, sm) {
1162 __set_true_false_sm(sm, NULL);
1163 } END_FOR_EACH_SM(sm);
1164 FOR_EACH_SM(implied_false, sm) {
1165 __set_true_false_sm(NULL, sm);
1166 } END_FOR_EACH_SM(sm);
1167 }
1168
1169 void function_comparison(struct expression *left, int comparison, struct expression *right)
1170 {
1171 struct expression *var_expr;
1172 struct expression *call_expr;
1173 struct stree *implied_true = NULL;
1174 struct stree *implied_false = NULL;
1175 struct range_list *rl;
1176 sval_t sval;
1177 int call_on_left;
1178
1179 if (unreachable())
1180 return;
1181
1182 /* legacy cruft. need to fix call_implies_callbacks(). */
1183 call_on_left = 1;
1184 call_expr = left;
1185 var_expr = right;
1186 if (left->type != EXPR_CALL) {
1187 call_on_left = 0;
1188 call_expr = right;
1189 var_expr = left;
1190 }
1191
1192 get_absolute_rl(var_expr, &rl);
1193
1194 if (rl_to_sval(rl, &sval))
1195 call_implies_callbacks(comparison, call_expr, sval, call_on_left, &implied_true, &implied_false);
1196
1197 compare_db_return_states_callbacks(left, comparison, right, implied_true, implied_false);
1198 free_stree(&implied_true);
1199 free_stree(&implied_false);
1200 }
1201
1202 static void call_ranged_return_hooks(struct db_callback_info *db_info)
1203 {
1204 struct call_back_list *call_backs;
1205 struct range_list *range_rl;
1206 struct expression *expr;
1207 struct fcall_back *tmp;
1208 char *fn;
1209
1210 expr = strip_expr(db_info->expr);
1211 while (expr->type == EXPR_ASSIGNMENT)
1212 expr = strip_expr(expr->right);
1213 if (expr->type != EXPR_CALL ||
1214 expr->fn->type != EXPR_SYMBOL)
1215 return;
1216
1217 fn = expr->fn->symbol_name->name;
1218
1219 call_backs = search_callback(func_hash, fn);
1220 FOR_EACH_PTR(call_backs, tmp) {
1221 if (tmp->type != RANGED_CALL)
1222 continue;
1223 range_rl = alloc_rl(tmp->range->min, tmp->range->max);
1224 range_rl = cast_rl(estate_type(db_info->ret_state), range_rl);
1225 if (possibly_true_rl(range_rl, SPECIAL_EQUAL, estate_rl(db_info->ret_state)))
1226 (tmp->u.ranged)(fn, expr, db_info->expr, tmp->info);
1227 } END_FOR_EACH_PTR(tmp);
1228
1229 FOR_EACH_PTR(call_backs, tmp) {
1230 if (tmp->type != RANGED_EXACT)
1231 continue;
1232 if (!estate_rl(db_info->ret_state))
1233 continue;
1234
1235 range_rl = alloc_rl(tmp->range->min, tmp->range->max);
1236 range_rl = cast_rl(estate_type(db_info->ret_state), range_rl);
1237
1238 /*
1239 * If there is an returned value out of range then this is not
1240 * an exact match. In other words, "0,4096-ptr_max" is not
1241 * necessarily a valid match.
1242 *
1243 */
1244 if (remove_range(estate_rl(db_info->ret_state),
1245 rl_min(range_rl), rl_max(range_rl)))
1246 continue;
1247 (tmp->u.ranged)(fn, expr, db_info->expr, tmp->info);
1248 } END_FOR_EACH_PTR(tmp);
1249 }
1250
1251 static int db_assign_return_states_callback(void *_info, int argc, char **argv, char **azColName)
1252 {
1253 struct db_callback_info *db_info = _info;
1254 struct range_list *ret_range;
1255 int type, param;
1256 char *ret_str, *key, *value;
1257 struct return_implies_callback *tmp;
1258 struct stree *stree;
1259 int return_id;
1260
1261 if (argc != 6)
1262 return 0;
1263
1264 return_id = atoi(argv[0]);
1265 ret_str = argv[1];
1266 type = atoi(argv[2]);
1267 param = atoi(argv[3]);
1268 key = argv[4];
1269 value = argv[5];
1270
1271 if (db_info->prev_return_id != -1 && type == INTERNAL) {
1272 call_ranged_return_hooks(db_info);
1273 set_return_assign_state(db_info);
1274 set_implied_states(db_info);
1275 stree = __pop_fake_cur_stree();
1276 if (!db_info->cull)
1277 merge_fake_stree(&db_info->stree, stree);
1278 free_stree(&stree);
1279 __push_fake_cur_stree();
1280 db_info->cull = 0;
1281 }
1282 db_info->prev_return_id = return_id;
1283
1284 if (type == INTERNAL && func_type_mismatch(db_info->expr, value))
1285 db_info->cull = 1;
1286 if (db_info->cull)
1287 return 0;
1288 if (type == CULL_PATH) {
1289 db_info->cull = 1;
1290 return 0;
1291 }
1292 if (is_impossible_data(type, db_info, param, key, value)) {
1293 db_info->cull = 1;
1294 return 0;
1295 }
1296
1297 if (type == PARAM_LIMIT)
1298 param_limit_implications(db_info->expr, param, key, value, &db_info->implied);
1299 else if (type > PARAM_LIMIT)
1300 set_implied_states(db_info);
1301
1302 db_info->handled = 1;
1303 call_results_to_rl(db_info->expr->right, get_type(strip_expr(db_info->expr->right)), ret_str, &ret_range);
1304 if (!ret_range)
1305 ret_range = alloc_whole_rl(get_type(strip_expr(db_info->expr->right)));
1306 ret_range = cast_rl(get_type(db_info->expr->right), ret_range);
1307
1308 if (type == INTERNAL) {
1309 set_state(-1, "unnull_path", NULL, &true_state);
1310 __add_return_comparison(strip_expr(db_info->expr->right), ret_str);
1311 __add_comparison_info(db_info->expr->left, strip_expr(db_info->expr->right), ret_str);
1312 __add_return_to_param_mapping(db_info->expr, ret_str);
1313 store_return_state(db_info, ret_str, alloc_estate_rl(ret_range));
1314 set_fresh_mtag_returns(db_info);
1315 }
1316
1317 FOR_EACH_PTR(db_return_states_list, tmp) {
1318 if (tmp->type == type)
1319 call_db_return_callback(tmp, db_info->expr, param, key, value);
1320 } END_FOR_EACH_PTR(tmp);
1321
1322 fake_return_assignment(db_info, type, param, key, value);
1323
1324 return 0;
1325 }
1326
1327 static int db_return_states_assign(struct expression *expr)
1328 {
1329 struct expression *right;
1330 struct sm_state *sm;
1331 struct stree *stree;
1332 struct db_callback_info db_info = {};
1333
1334 right = strip_expr(expr->right);
1335
1336 db_info.prev_return_id = -1;
1337 db_info.expr = expr;
1338 db_info.stree = NULL;
1339 db_info.handled = 0;
1340
1341 call_return_states_before_hooks();
1342
1343 __push_fake_cur_stree();
1344 sql_select_return_states("return_id, return, type, parameter, key, value",
1345 right, db_assign_return_states_callback, &db_info);
1346 if (option_debug) {
1347 sm_msg("%s return_id %d return_ranges %s",
1348 db_info.cull ? "culled" : "merging",
1349 db_info.prev_return_id,
1350 db_info.ret_state ? db_info.ret_state->name : "'<empty>'");
1351 }
1352 if (db_info.handled)
1353 call_ranged_return_hooks(&db_info);
1354 set_return_assign_state(&db_info);
1355 set_implied_states(&db_info);
1356 stree = __pop_fake_cur_stree();
1357 if (!db_info.cull)
1358 merge_fake_stree(&db_info.stree, stree);
1359 free_stree(&stree);
1360
1361 if (!db_info.stree && db_info.cull) { /* this means we culled everything */
1362 set_extra_expr_mod(expr->left, alloc_estate_whole(get_type(expr->left)));
1363 set_path_impossible();
1364 }
1365 FOR_EACH_SM(db_info.stree, sm) {
1366 __set_sm(sm);
1367 } END_FOR_EACH_SM(sm);
1368
1369 free_stree(&db_info.stree);
1370 call_return_states_after_hooks(right);
1371
1372 return db_info.handled;
1373 }
1374
1375 static int handle_implied_return(struct expression *expr)
1376 {
1377 struct range_list *rl;
1378
1379 if (!get_implied_return(expr->right, &rl))
1380 return 0;
1381 rl = cast_rl(get_type(expr->left), rl);
1382 set_extra_expr_mod(expr->left, alloc_estate_rl(rl));
1383 return 1;
1384 }
1385
1386 static void match_assign_call(struct expression *expr)
1387 {
1388 struct call_back_list *call_backs;
1389 const char *fn;
1390 struct expression *right;
1391 int handled = 0;
1392 struct range_list *rl;
1393
1394 if (expr->op != '=')
1395 return;
1396
1397 right = strip_expr(expr->right);
1398 if (right->fn->type != EXPR_SYMBOL || !right->fn->symbol) {
1399 handled |= db_return_states_assign(expr);
1400 if (!handled)
1401 goto assigned_unknown;
1402 return;
1403 }
1404 if (is_fake_call(right))
1405 return;
1406
1407 fn = right->fn->symbol->ident->name;
1408 call_backs = search_callback(func_hash, (char *)fn);
1409
1410 /*
1411 * The ordering here is sort of important.
1412 * One example, of how this matters is that when we do:
1413 *
1414 * len = strlen(str);
1415 *
1416 * That is handled by smatch_common_functions.c and smatch_strlen.c.
1417 * They use implied_return and function_assign_hook respectively.
1418 * We want to get the implied return first before we do the function
1419 * assignment hook otherwise we end up writing the wrong thing for len
1420 * in smatch_extra.c because we assume that it already holds the
1421 * strlen() when we haven't set it yet.
1422 */
1423
1424 if (db_return_states_assign(expr))
1425 handled = 1;
1426 else
1427 handled = assign_ranged_funcs(fn, expr, call_backs);
1428 handled |= handle_implied_return(expr);
1429
1430
1431 call_call_backs(call_backs, ASSIGN_CALL, fn, expr);
1432
1433 if (handled)
1434 return;
1435
1436 assigned_unknown:
1437 get_absolute_rl(expr->right, &rl);
1438 rl = cast_rl(get_type(expr->left), rl);
1439 set_extra_expr_mod(expr->left, alloc_estate_rl(rl));
1440 }
1441
1442 static int db_return_states_callback(void *_info, int argc, char **argv, char **azColName)
1443 {
1444 struct db_callback_info *db_info = _info;
1445 struct range_list *ret_range;
1446 int type, param;
1447 char *ret_str, *key, *value;
1448 struct return_implies_callback *tmp;
1449 struct stree *stree;
1450 int return_id;
1451 char buf[64];
1452
1453 if (argc != 6)
1454 return 0;
1455
1456 return_id = atoi(argv[0]);
1457 ret_str = argv[1];
1458 type = atoi(argv[2]);
1459 param = atoi(argv[3]);
1460 key = argv[4];
1461 value = argv[5];
1462
1463 if (db_info->prev_return_id != -1 && type == INTERNAL) {
1464 call_ranged_return_hooks(db_info);
1465 set_implied_states(db_info);
1466 stree = __pop_fake_cur_stree();
1467 if (!db_info->cull)
1468 merge_fake_stree(&db_info->stree, stree);
1469 free_stree(&stree);
1470 __push_fake_cur_stree();
1471 __unnullify_path();
1472 db_info->cull = 0;
1473 }
1474 db_info->prev_return_id = return_id;
1475
1476 if (type == INTERNAL && func_type_mismatch(db_info->expr, value))
1477 db_info->cull = 1;
1478 if (db_info->cull)
1479 return 0;
1480 if (type == CULL_PATH) {
1481 db_info->cull = 1;
1482 return 0;
1483 }
1484 if (is_impossible_data(type, db_info, param, key, value)) {
1485 db_info->cull = 1;
1486 return 0;
1487 }
1488
1489 if (type == PARAM_LIMIT)
1490 param_limit_implications(db_info->expr, param, key, value, &db_info->implied);
1491 else if (type > PARAM_LIMIT)
1492 set_implied_states(db_info);
1493
1494 call_results_to_rl(db_info->expr, get_type(strip_expr(db_info->expr)), ret_str, &ret_range);
1495 ret_range = cast_rl(get_type(db_info->expr), ret_range);
1496
1497 if (type == INTERNAL) {
1498 struct smatch_state *state;
1499
1500 set_state(-1, "unnull_path", NULL, &true_state);
1501 __add_return_comparison(strip_expr(db_info->expr), ret_str);
1502 __add_return_to_param_mapping(db_info->expr, ret_str);
1503 /*
1504 * We want to store the return values so that we can split the strees
1505 * in smatch_db.c. This uses set_state() directly because it's not a
1506 * real smatch_extra state.
1507 */
1508 snprintf(buf, sizeof(buf), "return %p", db_info->expr);
1509 state = alloc_estate_rl(ret_range);
1510 set_state(SMATCH_EXTRA, buf, NULL, state);
1511 store_return_state(db_info, ret_str, state);
1512 }
1513
1514 FOR_EACH_PTR(db_return_states_list, tmp) {
1515 if (tmp->type == type)
1516 call_db_return_callback(tmp, db_info->expr, param, key, value);
1517 } END_FOR_EACH_PTR(tmp);
1518
1519 fake_return_assignment(db_info, type, param, key, value);
1520
1521 return 0;
1522 }
1523
1524 static void db_return_states(struct expression *expr)
1525 {
1526 struct sm_state *sm;
1527 struct stree *stree;
1528 struct db_callback_info db_info = {};
1529
1530 if (!__get_cur_stree()) /* no return functions */
1531 return;
1532
1533 db_info.prev_return_id = -1;
1534 db_info.expr = expr;
1535 db_info.stree = NULL;
1536
1537 call_return_states_before_hooks();
1538
1539 __push_fake_cur_stree();
1540 __unnullify_path();
1541 sql_select_return_states("return_id, return, type, parameter, key, value",
1542 expr, db_return_states_callback, &db_info);
1543 call_ranged_return_hooks(&db_info);
1544 set_implied_states(&db_info);
1545 stree = __pop_fake_cur_stree();
1546 if (!db_info.cull)
1547 merge_fake_stree(&db_info.stree, stree);
1548 free_stree(&stree);
1549
1550 FOR_EACH_SM(db_info.stree, sm) {
1551 __set_sm(sm);
1552 } END_FOR_EACH_SM(sm);
1553
1554 free_stree(&db_info.stree);
1555 call_return_states_after_hooks(expr);
1556 }
1557
1558 static int is_condition_call(struct expression *expr)
1559 {
1560 struct expression *tmp;
1561
1562 FOR_EACH_PTR_REVERSE(big_condition_stack, tmp) {
1563 if (expr == tmp || expr_get_parent_expr(expr) == tmp)
1564 return 1;
1565 if (tmp->pos.line < expr->pos.line)
1566 return 0;
1567 } END_FOR_EACH_PTR_REVERSE(tmp);
1568
1569 return 0;
1570 }
1571
1572 static void db_return_states_call(struct expression *expr)
1573 {
1574 if (unreachable())
1575 return;
1576
1577 if (is_assigned_call(expr) || is_fake_assigned_call(expr))
1578 return;
1579 if (is_condition_call(expr))
1580 return;
1581 db_return_states(expr);
1582 }
1583
1584 static void match_function_call(struct expression *expr)
1585 {
1586 call_function_hooks(expr, REGULAR_CALL);
1587 db_return_states_call(expr);
1588 }
1589
1590 static void match_macro_assign(struct expression *expr)
1591 {
1592 struct call_back_list *call_backs;
1593 const char *macro;
1594 struct expression *right;
1595
1596 right = strip_expr(expr->right);
1597 macro = get_macro_name(right->pos);
1598 call_backs = search_callback(func_hash, (char *)macro);
1599 if (!call_backs)
1600 return;
1601 call_call_backs(call_backs, MACRO_ASSIGN, macro, expr);
1602 call_call_backs(call_backs, MACRO_ASSIGN_EXTRA, macro, expr);
1603 }
1604
1605 int get_implied_return(struct expression *expr, struct range_list **rl)
1606 {
1607 struct call_back_list *call_backs;
1608 struct fcall_back *tmp;
1609 int handled = 0;
1610 char *fn;
1611
1612 *rl = NULL;
1613
1614 expr = strip_expr(expr);
1615 fn = expr_to_var(expr->fn);
1616 if (!fn)
1617 goto out;
1618
1619 call_backs = search_callback(func_hash, fn);
1620
1621 FOR_EACH_PTR(call_backs, tmp) {
1622 if (tmp->type == IMPLIED_RETURN)
1623 handled |= (tmp->u.implied_return)(expr, tmp->info, rl);
1624 } END_FOR_EACH_PTR(tmp);
1625
1626 out:
1627 free_string(fn);
1628 return handled;
1629 }
1630
1631 struct range_list *get_range_implications(const char *fn)
1632 {
1633 struct call_back_list *call_backs;
1634 struct range_list *ret = NULL;
1635 struct fcall_back *tmp;
1636
1637 call_backs = search_callback(func_hash, (char *)fn);
1638
1639 FOR_EACH_PTR(call_backs, tmp) {
1640 if (tmp->type != RANGED_CALL &&
1641 tmp->type != RANGED_EXACT)
1642 continue;
1643 add_ptr_list(&ret, tmp->range);
1644 } END_FOR_EACH_PTR(tmp);
1645
1646 return ret;
1647 }
1648
1649 void create_function_hook_hash(void)
1650 {
1651 func_hash = create_function_hashtable(5000);
1652 }
1653
1654 void register_function_hooks(int id)
1655 {
1656 add_hook(&match_function_call, CALL_HOOK_AFTER_INLINE);
1657 add_hook(&match_assign_call, CALL_ASSIGNMENT_HOOK);
1658 add_hook(&match_macro_assign, MACRO_ASSIGNMENT_HOOK);
1659 }
Static analysis for C