search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smatch_scripts/new_bugs.pl: total re-write of the script in Perl
[smatch.git] / smatch_math.c
blob54ee97077eb211bf390dd4a5586d531f5b15527d
1 /*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 #define _GNU_SOURCE
19 #include <string.h>
20
21 #include "symbol.h"
22 #include "smatch.h"
23 #include "smatch_slist.h"
24 #include "smatch_extra.h"
25
26 static bool get_rl_sval(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *sval_res);
27 static bool get_rl_internal(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res);
28 static bool handle_variable(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval);
29 static struct range_list *(*custom_handle_variable)(struct expression *expr);
30
31 static bool get_implied_value_internal(struct expression *expr, int *recurse_cnt, sval_t *res_sval);
32 static int get_absolute_rl_internal(struct expression *expr, struct range_list **rl, int *recurse_cnt);
33
34 static sval_t zero = {.type = &int_ctype, {.value = 0} };
35 static sval_t one = {.type = &int_ctype, {.value = 1} };
36
37 static int fast_math_only;
38
39 struct range_list *rl_zero(void)
40 {
41 static struct range_list *zero_perm;
42
43 if (!zero_perm)
44 zero_perm = clone_rl_permanent(alloc_rl(zero, zero));
45 return zero_perm;
46 }
47
48 struct range_list *rl_one(void)
49 {
50 static struct range_list *one_perm;
51
52 if (!one_perm)
53 one_perm = clone_rl_permanent(alloc_rl(one, one));
54
55 return one_perm;
56 }
57
58 enum {
59 RL_EXACT,
60 RL_HARD,
61 RL_FUZZY,
62 RL_IMPLIED,
63 RL_ABSOLUTE,
64 RL_REAL_ABSOLUTE,
65 };
66
67 static bool last_stmt_rl(struct statement *stmt, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
68 {
69 struct expression *expr;
70
71 if (!stmt)
72 return false;
73
74 stmt = last_ptr_list((struct ptr_list *)stmt->stmts);
75 if (stmt->type == STMT_LABEL) {
76 if (stmt->label_statement &&
77 stmt->label_statement->type == STMT_EXPRESSION)
78 expr = stmt->label_statement->expression;
79 else
80 return false;
81 } else if (stmt->type == STMT_EXPRESSION) {
82 expr = stmt->expression;
83 } else {
84 return false;
85 }
86 return get_rl_sval(expr, implied, recurse_cnt, res, res_sval);
87 }
88
89 static bool handle_expression_statement_rl(struct expression *expr, int implied,
90 int *recurse_cnt, struct range_list **res, sval_t *res_sval)
91 {
92 return last_stmt_rl(get_expression_statement(expr), implied, recurse_cnt, res, res_sval);
93 }
94
95 static bool handle_address(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
96 {
97 struct range_list *rl;
98 static int recursed;
99 sval_t sval;
100
101 if (recursed > 10)
102 return false;
103 if (implied == RL_EXACT)
104 return false;
105
106 if (custom_handle_variable) {
107 rl = custom_handle_variable(expr);
108 if (rl) {
109 *res = rl;
110 return true;
111 }
112 }
113
114 recursed++;
115 if (get_mtag_sval(expr, &sval)) {
116 recursed--;
117 *res_sval = sval;
118 return true;
119 }
120
121 if (get_address_rl(expr, res)) {
122 recursed--;
123 return true;
124 }
125 recursed--;
126 return 0;
127 }
128
129 static bool handle_ampersand_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
130 {
131 return handle_address(expr, implied, recurse_cnt, res, res_sval);
132 }
133
134 static bool handle_negate_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
135 {
136 if (known_condition_true(expr->unop)) {
137 *res_sval = zero;
138 return true;
139 }
140 if (known_condition_false(expr->unop)) {
141 *res_sval = one;
142 return true;
143 }
144
145 if (implied == RL_EXACT)
146 return false;
147
148 if (implied_condition_true(expr->unop)) {
149 *res_sval = zero;
150 return true;
151 }
152 if (implied_condition_false(expr->unop)) {
153 *res_sval = one;
154 return true;
155 }
156
157 *res = alloc_rl(zero, one);
158 return true;
159 }
160
161 static bool handle_bitwise_negate(struct expression *expr, int implied, int *recurse_cnt, sval_t *res_sval)
162 {
163 struct range_list *rl;
164 sval_t sval = {};
165
166 if (!get_rl_sval(expr->unop, implied, recurse_cnt, &rl, &sval))
167 return false;
168 if (!sval.type && !rl_to_sval(rl, &sval))
169 return false;
170 sval = sval_preop(sval, '~');
171 sval_cast(get_type(expr->unop), sval);
172 *res_sval = sval;
173 return true;
174 }
175
176 static bool untrusted_type_min(struct expression *expr)
177 {
178 struct range_list *rl;
179
180 rl = var_user_rl(expr);
181 return rl && sval_is_min(rl_min(rl));
182 }
183
184 static bool handle_minus_preop(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
185 {
186 struct range_list *rl;
187 struct range_list *ret = NULL;
188 struct symbol *type;
189 sval_t neg_one = { .value = -1 };
190 sval_t zero = { .value = 0 };
191 sval_t sval = {};
192
193 if (!get_rl_sval(expr->unop, implied, recurse_cnt, &rl, &sval))
194 return false;
195 if (sval.type) {
196 *res_sval = sval_preop(sval, '-');
197 return true;
198 }
199 /*
200 * One complication is that -INT_MIN is still INT_MIN because of integer
201 * overflows... But how many times do we set a time out to INT_MIN?
202 * So normally when we call abs() then it does return a positive value.
203 *
204 */
205 type = rl_type(rl);
206 neg_one.type = zero.type = type;
207
208 if (sval_is_negative(rl_min(rl))) {
209 struct range_list *neg;
210 struct data_range *drange;
211 sval_t new_min, new_max;
212
213 neg = alloc_rl(sval_type_min(type), neg_one);
214 neg = rl_intersection(rl, neg);
215
216 if (sval_is_min(rl_min(neg)) && !sval_is_min(rl_max(neg)))
217 neg = remove_range(neg, sval_type_min(type), sval_type_min(type));
218
219 FOR_EACH_PTR(neg, drange) {
220 new_min = drange->max;
221 new_min.value = -new_min.value;
222 new_max = drange->min;
223 new_max.value = -new_max.value;
224 add_range(&ret, new_min, new_max);
225 } END_FOR_EACH_PTR(drange);
226
227 if (untrusted_type_min(expr))
228 add_range(&ret, sval_type_min(type), sval_type_min(type));
229 }
230
231 if (!sval_is_negative(rl_max(rl))) {
232 struct range_list *pos;
233 struct data_range *drange;
234 sval_t new_min, new_max;
235
236 pos = alloc_rl(zero, sval_type_max(type));
237 pos = rl_intersection(rl, pos);
238
239 FOR_EACH_PTR(pos, drange) {
240 new_min = drange->max;
241 new_min.value = -new_min.value;
242 new_max = drange->min;
243 new_max.value = -new_max.value;
244 add_range(&ret, new_min, new_max);
245 } END_FOR_EACH_PTR(drange);
246 }
247
248 *res = ret;
249 return true;
250 }
251
252 static bool handle_preop_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
253 {
254 switch (expr->op) {
255 case '&':
256 return handle_ampersand_rl(expr, implied, recurse_cnt, res, res_sval);
257 case '!':
258 return handle_negate_rl(expr, implied, recurse_cnt, res, res_sval);
259 case '~':
260 return handle_bitwise_negate(expr, implied, recurse_cnt, res_sval);
261 case '-':
262 return handle_minus_preop(expr, implied, recurse_cnt, res, res_sval);
263 case '*':
264 return handle_variable(expr, implied, recurse_cnt, res, res_sval);
265 case '(':
266 return handle_expression_statement_rl(expr, implied, recurse_cnt, res, res_sval);
267 default:
268 return false;
269 }
270 }
271
272 static bool handle_divide_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
273 {
274 struct range_list *left_rl = NULL;
275 struct range_list *right_rl = NULL;
276 struct symbol *type;
277
278 type = get_type(expr);
279
280 get_rl_internal(expr->left, implied, recurse_cnt, &left_rl);
281 left_rl = cast_rl(type, left_rl);
282 get_rl_internal(expr->right, implied, recurse_cnt, &right_rl);
283 right_rl = cast_rl(type, right_rl);
284
285 if (!left_rl || !right_rl)
286 return false;
287
288 if (implied != RL_REAL_ABSOLUTE) {
289 if (is_whole_rl(left_rl) || is_whole_rl(right_rl))
290 return false;
291 }
292
293 *res = rl_binop(left_rl, '/', right_rl);
294 return true;
295 }
296
297 static int handle_offset_subtraction(struct expression *expr)
298 {
299 struct expression *left, *right;
300 struct symbol *left_sym, *right_sym;
301 struct symbol *type;
302 int left_offset, right_offset;
303
304 type = get_type(expr);
305 if (!type || type->type != SYM_PTR)
306 return -1;
307 type = get_real_base_type(type);
308 if (!type || (type_bits(type) != 8 && (type != &void_ctype)))
309 return -1;
310
311 left = strip_expr(expr->left);
312 right = strip_expr(expr->right);
313
314 if (left->type != EXPR_PREOP || left->op != '&')
315 return -1;
316 left = strip_expr(left->unop);
317
318 left_sym = expr_to_sym(left);
319 right_sym = expr_to_sym(right);
320 if (!left_sym || left_sym != right_sym)
321 return -1;
322
323 left_offset = get_member_offset_from_deref(left);
324 if (right->type == EXPR_SYMBOL)
325 right_offset = 0;
326 else {
327 if (right->type != EXPR_PREOP || right->op != '&')
328 return -1;
329 right = strip_expr(right->unop);
330 right_offset = get_member_offset_from_deref(right);
331 }
332 if (left_offset < 0 || right_offset < 0)
333 return -1;
334
335 return left_offset - right_offset;
336 }
337
338 static bool max_is_unknown_max(struct range_list *rl)
339 {
340 /*
341 * The issue with this code is that we had:
342 * if (foo > 1) return 1 - foo;
343 * Ideally we would say that returns s32min-(-1) but what Smatch
344 * was saying was that the lowest possible value was "1 - INT_MAX"
345 *
346 * My solution is to ignore max values for int or larger. I keep
347 * the max for shorts etc, because those might be worthwhile.
348 *
349 * The problem with just returning 1 - INT_MAX is that that is
350 * treated as useful information but s32min is treated as basically
351 * unknown.
352 */
353
354 if (type_bits(rl_type(rl)) < 31)
355 return false;
356 return sval_is_max(rl_max(rl));
357 }
358
359 static bool handle_add_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
360 {
361 struct range_list *left_rl = NULL;
362 struct range_list *right_rl = NULL;
363 struct range_list *valid;
364 struct symbol *type;
365 sval_t min, max;
366
367 type = get_type(expr);
368
369 get_rl_internal(expr->left, implied, recurse_cnt, &left_rl);
370 left_rl = cast_rl(type, left_rl);
371 get_rl_internal(expr->right, implied, recurse_cnt, &right_rl);
372 right_rl = cast_rl(type, right_rl);
373
374 if (!left_rl)
375 return false;
376
377 if (type_is_ptr(type) && !var_user_rl(expr->right)) {
378 valid = rl_intersection(left_rl, valid_ptr_rl);
379 if (valid && rl_equiv(valid, left_rl))
380 return valid_ptr_rl;
381 }
382
383 if (!right_rl)
384 return false;
385
386 if (sval_binop_overflows(rl_min(left_rl), expr->op, rl_min(right_rl)))
387 return false;
388 if (sval_binop_overflows(rl_max(left_rl), expr->op, rl_max(right_rl)))
389 return false;
390
391 min = sval_binop(rl_min(left_rl), expr->op, rl_min(right_rl));
392 max = sval_binop(rl_max(left_rl), expr->op, rl_max(right_rl));
393
394 *res = alloc_rl(min, max);
395 return true;
396 }
397
398 static bool handle_subtract_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
399 {
400 struct symbol *type;
401 struct range_list *left_orig, *right_orig;
402 struct range_list *left_rl, *right_rl;
403 sval_t min, max, tmp;
404 int comparison;
405 int offset;
406
407 type = get_type(expr);
408
409 offset = handle_offset_subtraction(expr);
410 if (offset >= 0) {
411 tmp.type = type;
412 tmp.value = offset;
413
414 *res = alloc_rl(tmp, tmp);
415 return true;
416 }
417
418 comparison = get_comparison(expr->left, expr->right);
419
420 left_orig = NULL;
421 get_rl_internal(expr->left, implied, recurse_cnt, &left_orig);
422 left_rl = cast_rl(type, left_orig);
423 right_orig = NULL;
424 get_rl_internal(expr->right, implied, recurse_cnt, &right_orig);
425 right_rl = cast_rl(type, right_orig);
426
427 if ((!left_rl || !right_rl) &&
428 (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY))
429 return false;
430
431 if (!left_rl)
432 left_rl = alloc_whole_rl(type);
433 if (!right_rl)
434 right_rl = alloc_whole_rl(type);
435
436 /* negative values complicate everything fix this later */
437 if (sval_is_negative(rl_min(right_rl)))
438 return false;
439 max = rl_max(left_rl);
440 min = sval_type_min(type);
441
442 switch (comparison) {
443 case '>':
444 case SPECIAL_UNSIGNED_GT:
445 min = sval_type_val(type, 1);
446 max = rl_max(left_rl);
447 break;
448 case SPECIAL_GTE:
449 case SPECIAL_UNSIGNED_GTE:
450 min = sval_type_val(type, 0);
451 max = rl_max(left_rl);
452 break;
453 case SPECIAL_EQUAL:
454 min = sval_type_val(type, 0);
455 max = sval_type_val(type, 0);
456 break;
457 case '<':
458 case SPECIAL_UNSIGNED_LT:
459 max = sval_type_val(type, -1);
460 break;
461 case SPECIAL_LTE:
462 case SPECIAL_UNSIGNED_LTE:
463 max = sval_type_val(type, 0);
464 break;
465 default:
466 if (!left_orig || !right_orig)
467 return false;
468 *res = rl_binop(left_rl, '-', right_rl);
469 return true;
470 }
471
472 if (!max_is_unknown_max(right_rl) &&
473 !sval_binop_overflows(rl_min(left_rl), '-', rl_max(right_rl))) {
474 tmp = sval_binop(rl_min(left_rl), '-', rl_max(right_rl));
475 if (sval_cmp(tmp, min) > 0)
476 min = tmp;
477 }
478
479 if (!sval_is_max(rl_max(left_rl))) {
480 tmp = sval_binop(rl_max(left_rl), '-', rl_min(right_rl));
481 if (sval_cmp(tmp, max) < 0)
482 max = tmp;
483 }
484
485 if (sval_is_min(min) && sval_is_max(max))
486 return false;
487
488 *res = cast_rl(type, alloc_rl(min, max));
489 return true;
490 }
491
492 static bool handle_mod_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
493 {
494 struct range_list *rl;
495 sval_t left, right, sval;
496
497 if (implied == RL_EXACT) {
498 if (!get_implied_value(expr->right, &right))
499 return false;
500 if (!get_implied_value(expr->left, &left))
501 return false;
502 sval = sval_binop(left, '%', right);
503 *res = alloc_rl(sval, sval);
504 return true;
505 }
506 /* if we can't figure out the right side it's probably hopeless */
507 if (!get_implied_value_internal(expr->right, recurse_cnt, &right))
508 return false;
509
510 right = sval_cast(get_type(expr), right);
511 right.value--;
512
513 if (get_rl_internal(expr->left, implied, recurse_cnt, &rl) && rl &&
514 rl_max(rl).uvalue < right.uvalue)
515 right.uvalue = rl_max(rl).uvalue;
516
517 *res = alloc_rl(sval_cast(right.type, zero), right);
518 return true;
519 }
520
521 static bool handle_bitwise_AND(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
522 {
523 struct symbol *type;
524 struct range_list *left_rl, *right_rl;
525 int new_recurse;
526
527 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE && implied != RL_REAL_ABSOLUTE)
528 return false;
529
530 type = get_type(expr);
531
532 if (!get_rl_internal(expr->left, implied, recurse_cnt, &left_rl))
533 left_rl = alloc_whole_rl(type);
534 left_rl = cast_rl(type, left_rl);
535
536 new_recurse = *recurse_cnt;
537 if (*recurse_cnt >= 200)
538 new_recurse = 100; /* Let's try super hard to get the mask */
539 if (!get_rl_internal(expr->right, implied, &new_recurse, &right_rl))
540 right_rl = alloc_whole_rl(type);
541 right_rl = cast_rl(type, right_rl);
542 *recurse_cnt = new_recurse;
543
544 *res = rl_binop(left_rl, '&', right_rl);
545 return true;
546 }
547
548 static bool use_rl_binop(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
549 {
550 struct symbol *type;
551 struct range_list *left_rl, *right_rl;
552
553 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE && implied != RL_REAL_ABSOLUTE)
554 return false;
555
556 type = get_type(expr);
557
558 get_absolute_rl_internal(expr->left, &left_rl, recurse_cnt);
559 get_absolute_rl_internal(expr->right, &right_rl, recurse_cnt);
560 left_rl = cast_rl(type, left_rl);
561 right_rl = cast_rl(type, right_rl);
562 if (!left_rl || !right_rl)
563 return false;
564
565 *res = rl_binop(left_rl, expr->op, right_rl);
566 return true;
567 }
568
569 static bool handle_right_shift(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
570 {
571 struct range_list *left_rl, *right_rl;
572 sval_t min, max;
573
574 if (implied == RL_EXACT || implied == RL_HARD)
575 return false;
576
577 if (get_rl_internal(expr->left, implied, recurse_cnt, &left_rl)) {
578 max = rl_max(left_rl);
579 min = rl_min(left_rl);
580 } else {
581 if (implied == RL_FUZZY)
582 return false;
583 max = sval_type_max(get_type(expr->left));
584 min = sval_type_val(get_type(expr->left), 0);
585 }
586
587 if (get_rl_internal(expr->right, implied, recurse_cnt, &right_rl) &&
588 !sval_is_negative(rl_min(right_rl))) {
589 min = sval_binop(min, SPECIAL_RIGHTSHIFT, rl_max(right_rl));
590 max = sval_binop(max, SPECIAL_RIGHTSHIFT, rl_min(right_rl));
591 } else if (!sval_is_negative(min)) {
592 min.value = 0;
593 max = sval_type_max(max.type);
594 } else {
595 return false;
596 }
597
598 *res = alloc_rl(min, max);
599 return true;
600 }
601
602 static bool handle_left_shift(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
603 {
604 struct range_list *left_rl, *rl;
605 sval_t right;
606
607 if (implied == RL_EXACT || implied == RL_HARD)
608 return false;
609 /* this is hopeless without the right side */
610 if (!get_implied_value_internal(expr->right, recurse_cnt, &right))
611 return false;
612 if (!get_rl_internal(expr->left, implied, recurse_cnt, &left_rl)) {
613 if (implied == RL_FUZZY)
614 return false;
615 left_rl = alloc_whole_rl(get_type(expr->left));
616 }
617
618 rl = rl_binop(left_rl, SPECIAL_LEFTSHIFT, alloc_rl(right, right));
619 if (!rl)
620 return false;
621 *res = rl;
622 return true;
623 }
624
625 static bool handle_known_binop(struct expression *expr, sval_t *res)
626 {
627 sval_t left, right;
628
629 if (!get_value(expr->left, &left))
630 return false;
631 if (!get_value(expr->right, &right))
632 return false;
633 *res = sval_binop(left, expr->op, right);
634 return true;
635 }
636
637 static int has_actual_ranges(struct range_list *rl)
638 {
639 struct data_range *tmp;
640
641 FOR_EACH_PTR(rl, tmp) {
642 if (sval_cmp(tmp->min, tmp->max) != 0)
643 return 1;
644 } END_FOR_EACH_PTR(tmp);
645 return 0;
646 }
647
648 static struct range_list *handle_implied_binop(struct range_list *left_rl, int op, struct range_list *right_rl)
649 {
650 struct range_list *res_rl;
651 struct data_range *left_drange, *right_drange;
652 sval_t res;
653
654 if (!left_rl || !right_rl)
655 return NULL;
656 if (has_actual_ranges(left_rl))
657 return NULL;
658 if (has_actual_ranges(right_rl))
659 return NULL;
660
661 if (ptr_list_size((struct ptr_list *)left_rl) * ptr_list_size((struct ptr_list *)right_rl) > 20)
662 return NULL;
663
664 res_rl = NULL;
665
666 FOR_EACH_PTR(left_rl, left_drange) {
667 FOR_EACH_PTR(right_rl, right_drange) {
668 if ((op == '%' || op == '/') &&
669 right_drange->min.value == 0)
670 return NULL;
671 res = sval_binop(left_drange->min, op, right_drange->min);
672 add_range(&res_rl, res, res);
673 } END_FOR_EACH_PTR(right_drange);
674 } END_FOR_EACH_PTR(left_drange);
675
676 return res_rl;
677 }
678
679 static bool handle_binop_rl_helper(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
680 {
681 struct symbol *type;
682 struct range_list *left_rl = NULL;
683 struct range_list *right_rl = NULL;
684 struct range_list *rl;
685 sval_t min, max;
686
687 type = get_promoted_type(get_type(expr->left), get_type(expr->right));
688 get_rl_internal(expr->left, implied, recurse_cnt, &left_rl);
689 left_rl = cast_rl(type, left_rl);
690 get_rl_internal(expr->right, implied, recurse_cnt, &right_rl);
691 right_rl = cast_rl(type, right_rl);
692
693 rl = handle_implied_binop(left_rl, expr->op, right_rl);
694 if (rl) {
695 *res = rl;
696 return true;
697 }
698
699 switch (expr->op) {
700 case '%':
701 return handle_mod_rl(expr, implied, recurse_cnt, res);
702 case '&':
703 return handle_bitwise_AND(expr, implied, recurse_cnt, res);
704 case '|':
705 case '^':
706 return use_rl_binop(expr, implied, recurse_cnt, res);
707 case SPECIAL_RIGHTSHIFT:
708 return handle_right_shift(expr, implied, recurse_cnt, res);
709 case SPECIAL_LEFTSHIFT:
710 return handle_left_shift(expr, implied, recurse_cnt, res);
711 case '+':
712 return handle_add_rl(expr, implied, recurse_cnt, res);
713 case '-':
714 return handle_subtract_rl(expr, implied, recurse_cnt, res);
715 case '/':
716 return handle_divide_rl(expr, implied, recurse_cnt, res);
717 }
718
719 if (!left_rl || !right_rl)
720 return false;
721
722 if (sval_binop_overflows(rl_min(left_rl), expr->op, rl_min(right_rl)))
723 return false;
724 if (sval_binop_overflows(rl_max(left_rl), expr->op, rl_max(right_rl)))
725 return false;
726
727 min = sval_binop(rl_min(left_rl), expr->op, rl_min(right_rl));
728 max = sval_binop(rl_max(left_rl), expr->op, rl_max(right_rl));
729
730 *res = alloc_rl(min, max);
731 return true;
732
733 }
734
735 static bool handle_binop_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
736 {
737 struct smatch_state *state;
738 struct range_list *rl;
739 sval_t val;
740
741 if (handle_known_binop(expr, &val)) {
742 *res_sval = val;
743 return true;
744 }
745 if (implied == RL_EXACT)
746 return false;
747
748 if (custom_handle_variable) {
749 rl = custom_handle_variable(expr);
750 if (rl) {
751 *res = rl;
752 return true;
753 }
754 }
755
756 state = get_extra_state(expr);
757 if (state && !is_whole_rl(estate_rl(state))) {
758 if (implied != RL_HARD || estate_has_hard_max(state)) {
759 *res = clone_rl(estate_rl(state));
760 return true;
761 }
762 }
763
764 return handle_binop_rl_helper(expr, implied, recurse_cnt, res, res_sval);
765 }
766
767 static int do_comparison(struct expression *expr)
768 {
769 struct range_list *left_ranges = NULL;
770 struct range_list *right_ranges = NULL;
771 int poss_true, poss_false;
772 struct symbol *type;
773
774 type = get_type(expr);
775 get_absolute_rl(expr->left, &left_ranges);
776 get_absolute_rl(expr->right, &right_ranges);
777
778 left_ranges = cast_rl(type, left_ranges);
779 right_ranges = cast_rl(type, right_ranges);
780
781 poss_true = possibly_true_rl(left_ranges, expr->op, right_ranges);
782 poss_false = possibly_false_rl(left_ranges, expr->op, right_ranges);
783
784 if (!poss_true && !poss_false)
785 return 0x0;
786 if (poss_true && !poss_false)
787 return 0x1;
788 if (!poss_true && poss_false)
789 return 0x2;
790 return 0x3;
791 }
792
793 static bool handle_comparison_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
794 {
795 sval_t left, right;
796 int cmp;
797
798 if (expr->op == SPECIAL_EQUAL && expr->left->type == EXPR_TYPE) {
799 struct symbol *left, *right;
800
801 if (expr->right->type != EXPR_TYPE)
802 return false;
803
804 left = get_real_base_type(expr->left->symbol);
805 right = get_real_base_type(expr->right->symbol);
806 if (type_bits(left) == type_bits(right) &&
807 type_positive_bits(left) == type_positive_bits(right))
808 *res_sval = one;
809 else
810 *res_sval = zero;
811 return true;
812 }
813
814 if (get_value(expr->left, &left) && get_value(expr->right, &right)) {
815 struct data_range tmp_left, tmp_right;
816
817 tmp_left.min = left;
818 tmp_left.max = left;
819 tmp_right.min = right;
820 tmp_right.max = right;
821 if (true_comparison_range(&tmp_left, expr->op, &tmp_right))
822 *res_sval = one;
823 else
824 *res_sval = zero;
825 return true;
826 }
827
828 if (implied == RL_EXACT)
829 return false;
830
831 cmp = do_comparison(expr);
832 if (cmp == 1) {
833 *res_sval = one;
834 return true;
835 }
836 if (cmp == 2) {
837 *res_sval = zero;
838 return true;
839 }
840
841 *res = alloc_rl(zero, one);
842 return true;
843 }
844
845 static bool handle_logical_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
846 {
847 sval_t left, right;
848 int left_known = 0;
849 int right_known = 0;
850
851 if (implied == RL_EXACT) {
852 if (get_value(expr->left, &left))
853 left_known = 1;
854 if (get_value(expr->right, &right))
855 right_known = 1;
856 } else {
857 if (get_implied_value_internal(expr->left, recurse_cnt, &left))
858 left_known = 1;
859 if (get_implied_value_internal(expr->right, recurse_cnt, &right))
860 right_known = 1;
861 }
862
863 switch (expr->op) {
864 case SPECIAL_LOGICAL_OR:
865 if (left_known && left.value)
866 goto one;
867 if (right_known && right.value)
868 goto one;
869 if (left_known && right_known)
870 goto zero;
871 break;
872 case SPECIAL_LOGICAL_AND:
873 if (left_known && right_known) {
874 if (left.value && right.value)
875 goto one;
876 goto zero;
877 }
878 break;
879 default:
880 return false;
881 }
882
883 if (implied == RL_EXACT)
884 return false;
885
886 *res = alloc_rl(zero, one);
887 return true;
888
889 zero:
890 *res_sval = zero;
891 return true;
892 one:
893 *res_sval = one;
894 return true;
895 }
896
897 static bool handle_conditional_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
898 {
899 struct expression *cond_true;
900 struct range_list *true_rl, *false_rl;
901 struct symbol *type;
902 int final_pass_orig = final_pass;
903
904 cond_true = expr->cond_true;
905 if (!cond_true)
906 cond_true = expr->conditional;
907
908 if (known_condition_true(expr->conditional))
909 return get_rl_sval(cond_true, implied, recurse_cnt, res, res_sval);
910 if (known_condition_false(expr->conditional))
911 return get_rl_sval(expr->cond_false, implied, recurse_cnt, res, res_sval);
912
913 if (implied == RL_EXACT)
914 return false;
915
916 if (implied_condition_true(expr->conditional))
917 return get_rl_sval(cond_true, implied, recurse_cnt, res, res_sval);
918 if (implied_condition_false(expr->conditional))
919 return get_rl_sval(expr->cond_false, implied, recurse_cnt, res, res_sval);
920
921 /* this becomes a problem with deeply nested conditional statements */
922 if (fast_math_only || low_on_memory())
923 return false;
924
925 type = get_type(expr);
926
927 __push_fake_cur_stree();
928 final_pass = 0;
929 __split_whole_condition(expr->conditional);
930 true_rl = NULL;
931 get_rl_internal(cond_true, implied, recurse_cnt, &true_rl);
932 __push_true_states();
933 __use_false_states();
934 false_rl = NULL;
935 get_rl_internal(expr->cond_false, implied, recurse_cnt, &false_rl);
936 __merge_true_states();
937 __free_fake_cur_stree();
938 final_pass = final_pass_orig;
939
940 if (!true_rl || !false_rl)
941 return false;
942 true_rl = cast_rl(type, true_rl);
943 false_rl = cast_rl(type, false_rl);
944
945 *res = rl_union(true_rl, false_rl);
946 return true;
947 }
948
949 static bool get_fuzzy_max_helper(struct expression *expr, sval_t *max)
950 {
951 struct smatch_state *state;
952 sval_t sval;
953
954 if (get_hard_max(expr, &sval)) {
955 *max = sval;
956 return true;
957 }
958
959 state = get_extra_state(expr);
960 if (!state || !estate_has_fuzzy_max(state))
961 return false;
962 *max = sval_cast(get_type(expr), estate_get_fuzzy_max(state));
963 return true;
964 }
965
966 static bool get_fuzzy_min_helper(struct expression *expr, sval_t *min)
967 {
968 struct smatch_state *state;
969 sval_t sval;
970
971 state = get_extra_state(expr);
972 if (!state || !estate_rl(state))
973 return false;
974
975 sval = estate_min(state);
976 if (sval_is_negative(sval) && sval_is_min(sval))
977 return false;
978
979 if (sval_is_max(sval))
980 return false;
981
982 *min = sval_cast(get_type(expr), sval);
983 return true;
984 }
985
986 int get_const_value(struct expression *expr, sval_t *sval)
987 {
988 struct symbol *sym;
989 sval_t right;
990
991 if (expr->type != EXPR_SYMBOL || !expr->symbol)
992 return 0;
993 sym = expr->symbol;
994 if (!(sym->ctype.modifiers & MOD_CONST))
995 return 0;
996 if (get_value(sym->initializer, &right)) {
997 *sval = sval_cast(get_type(expr), right);
998 return 1;
999 }
1000 return 0;
1001 }
1002
1003 struct range_list *var_to_absolute_rl(struct expression *expr)
1004 {
1005 struct smatch_state *state;
1006 struct range_list *rl;
1007
1008 state = get_extra_state(expr);
1009 if (!state || is_whole_rl(estate_rl(state))) {
1010 state = get_real_absolute_state(expr);
1011 if (state && state->data && !estate_is_whole(state))
1012 return clone_rl(estate_rl(state));
1013 if (get_mtag_rl(expr, &rl))
1014 return rl;
1015 if (get_db_type_rl(expr, &rl) && !is_whole_rl(rl))
1016 return rl;
1017 return alloc_whole_rl(get_type(expr));
1018 }
1019 /* err on the side of saying things are possible */
1020 if (!estate_rl(state))
1021 return alloc_whole_rl(get_type(expr));
1022 return clone_rl(estate_rl(state));
1023 }
1024
1025 static bool is_param_sym(struct expression *expr)
1026 {
1027 if (expr->type != EXPR_SYMBOL)
1028 return false;
1029 if (get_param_num(expr) < 0)
1030 return false;
1031 return true;
1032 }
1033
1034 static bool handle_variable(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1035 {
1036 struct smatch_state *state;
1037 struct range_list *rl;
1038 sval_t sval, min, max;
1039 struct symbol *type;
1040
1041 if (get_const_value(expr, &sval)) {
1042 *res_sval = sval;
1043 return true;
1044 }
1045
1046 if (implied == RL_EXACT)
1047 return false;
1048
1049 if (custom_handle_variable) {
1050 rl = custom_handle_variable(expr);
1051 if (rl) {
1052 if (!rl_to_sval(rl, res_sval))
1053 *res = rl;
1054 } else {
1055 *res = var_to_absolute_rl(expr);
1056 }
1057 return true;
1058 }
1059
1060 if (get_mtag_sval(expr, &sval)) {
1061 *res_sval = sval;
1062 return true;
1063 }
1064
1065 type = get_type(expr);
1066 if (type &&
1067 ((type->type == SYM_ARRAY && !is_param_sym(expr)) ||
1068 type->type == SYM_FN))
1069 return handle_address(expr, implied, recurse_cnt, res, res_sval);
1070
1071 /* FIXME: call rl_to_sval() on the results */
1072
1073 switch (implied) {
1074 case RL_HARD:
1075 case RL_IMPLIED:
1076 case RL_ABSOLUTE:
1077 state = get_extra_state(expr);
1078 if (!state) {
1079 if (implied == RL_HARD)
1080 return false;
1081 if (get_mtag_rl(expr, res))
1082 return true;
1083 if (get_db_type_rl(expr, res))
1084 return true;
1085 if (is_array(expr) && get_array_rl(expr, res))
1086 return true;
1087 return false;
1088 }
1089 if (implied == RL_HARD && !estate_has_hard_max(state))
1090 return false;
1091 *res = clone_rl(estate_rl(state));
1092 return true;
1093 case RL_REAL_ABSOLUTE: {
1094 struct smatch_state *abs_state;
1095
1096 state = get_extra_state(expr);
1097 abs_state = get_real_absolute_state(expr);
1098
1099 if (estate_rl(state) && estate_rl(abs_state)) {
1100 *res = clone_rl(rl_intersection(estate_rl(state),
1101 estate_rl(abs_state)));
1102 return true;
1103 } else if (estate_rl(state)) {
1104 *res = clone_rl(estate_rl(state));
1105 return true;
1106 } else if (estate_is_empty(state)) {
1107 /*
1108 * FIXME: we don't handle empty extra states correctly.
1109 *
1110 * The real abs rl is supposed to be filtered by the
1111 * extra state if there is one. We don't bother keeping
1112 * the abs state in sync all the time because we know it
1113 * will be filtered later.
1114 *
1115 * It's not totally obvious to me how they should be
1116 * handled. Perhaps we should take the whole rl and
1117 * filter by the imaginary states. Perhaps we should
1118 * just go with the empty state.
1119 *
1120 * Anyway what we currently do is return NULL here and
1121 * that gets translated into the whole range in
1122 * get_real_absolute_rl().
1123 *
1124 */
1125 return false;
1126 } else if (estate_rl(abs_state)) {
1127 *res = clone_rl(estate_rl(abs_state));
1128 return true;
1129 }
1130
1131 if (get_mtag_rl(expr, res))
1132 return true;
1133 if (get_db_type_rl(expr, res))
1134 return true;
1135 if (is_array(expr) && get_array_rl(expr, res))
1136 return true;
1137 return false;
1138 }
1139 case RL_FUZZY:
1140 if (!get_fuzzy_min_helper(expr, &min))
1141 min = sval_type_min(get_type(expr));
1142 if (!get_fuzzy_max_helper(expr, &max))
1143 return false;
1144 /* fuzzy ranges are often inverted */
1145 if (sval_cmp(min, max) > 0) {
1146 sval = min;
1147 min = max;
1148 max = sval;
1149 }
1150 *res = alloc_rl(min, max);
1151 return true;
1152 }
1153 return false;
1154 }
1155
1156 static sval_t handle_sizeof(struct expression *expr)
1157 {
1158 struct symbol *sym;
1159 sval_t ret;
1160
1161 ret = sval_blank(expr);
1162 sym = expr->cast_type;
1163 if (!sym) {
1164 sym = evaluate_expression(expr->cast_expression);
1165 if (!sym) {
1166 __silence_warnings_for_stmt = true;
1167 sym = &int_ctype;
1168 }
1169 #if 0
1170 /*
1171 * Expressions of restricted types will possibly get
1172 * promoted - check that here. I'm not sure how this works,
1173 * the problem is that sizeof(le16) shouldn't be promoted and
1174 * the original code did that... Let's if zero this out and
1175 * see what breaks.
1176 */
1177
1178 if (is_restricted_type(sym)) {
1179 if (type_bits(sym) < bits_in_int)
1180 sym = &int_ctype;
1181 }
1182 #endif
1183 if (is_fouled_type(sym))
1184 sym = &int_ctype;
1185 }
1186 examine_symbol_type(sym);
1187
1188 ret.type = size_t_ctype;
1189 if (type_bits(sym) <= 0) /* sizeof(void) */ {
1190 if (get_real_base_type(sym) == &void_ctype)
1191 ret.value = 1;
1192 else
1193 ret.value = 0;
1194 } else
1195 ret.value = type_bytes(sym);
1196
1197 return ret;
1198 }
1199
1200 static bool handle_strlen(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1201 {
1202 struct expression *arg, *tmp;
1203 sval_t tag;
1204 sval_t ret = { .type = &ulong_ctype };
1205 struct range_list *rl;
1206
1207 arg = get_argument_from_call_expr(expr->args, 0);
1208 if (!arg)
1209 return false;
1210 if (arg->type == EXPR_STRING) {
1211 ret.value = arg->string->length - 1;
1212 *res_sval = ret;
1213 return true;
1214 }
1215 if (implied == RL_EXACT)
1216 return false;
1217 if (get_implied_value(arg, &tag) &&
1218 (tmp = fake_string_from_mtag(tag.uvalue))) {
1219 ret.value = tmp->string->length - 1;
1220 *res_sval = ret;
1221 return true;
1222 }
1223
1224 if (implied == RL_HARD || implied == RL_FUZZY)
1225 return false;
1226
1227 if (get_implied_return(expr, &rl)) {
1228 *res = rl;
1229 return true;
1230 }
1231
1232 return false;
1233 }
1234
1235 static bool handle_builtin_constant_p(struct expression *expr, int implied, int *recurse_cnt, sval_t *res_sval)
1236 {
1237 struct expression *arg;
1238 struct range_list *rl;
1239
1240 arg = get_argument_from_call_expr(expr->args, 0);
1241 if (get_rl_internal(arg, RL_EXACT, recurse_cnt, &rl))
1242 *res_sval = one;
1243 else
1244 *res_sval = zero;
1245 return true;
1246 }
1247
1248 static bool handle__builtin_choose_expr(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1249 {
1250 struct expression *const_expr, *expr1, *expr2;
1251 sval_t sval;
1252
1253 const_expr = get_argument_from_call_expr(expr->args, 0);
1254 expr1 = get_argument_from_call_expr(expr->args, 1);
1255 expr2 = get_argument_from_call_expr(expr->args, 2);
1256
1257 if (!get_value(const_expr, &sval) || !expr1 || !expr2)
1258 return false;
1259 if (sval.value)
1260 return get_rl_sval(expr1, implied, recurse_cnt, res, res_sval);
1261 else
1262 return get_rl_sval(expr2, implied, recurse_cnt, res, res_sval);
1263 }
1264
1265 int smatch_fls(unsigned long long value)
1266 {
1267 int i;
1268
1269 for (i = 63; i >= 0; i--) {
1270 if (value & 1ULL << i)
1271 return i + 1;
1272 }
1273 return 0;
1274 }
1275
1276 static bool handle_ffs(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1277 {
1278 struct expression *arg;
1279 struct bit_info *bits;
1280 sval_t high = { .type = &int_ctype };
1281 sval_t low = { .type = &int_ctype };
1282
1283 arg = get_argument_from_call_expr(expr->args, 0);
1284
1285 bits = get_bit_info(arg);
1286 if (bits->possible == 0) {
1287 high.value = 0;
1288 *res_sval = high;
1289 return true;
1290 }
1291
1292 high.value = ffsll(bits->set);
1293 if (!high.value)
1294 high.value = smatch_fls(bits->possible);
1295
1296 low.value = ffsll(bits->possible);
1297
1298 *res = alloc_rl(low, high);
1299 return false;
1300 }
1301
1302 static bool handle_call_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1303 {
1304 struct range_list *rl;
1305
1306 if (sym_name_is("__builtin_constant_p", expr->fn))
1307 return handle_builtin_constant_p(expr, implied, recurse_cnt, res_sval);
1308
1309 if (sym_name_is("__builtin_choose_expr", expr->fn))
1310 return handle__builtin_choose_expr(expr, implied, recurse_cnt, res, res_sval);
1311
1312 if (sym_name_is("__builtin_expect", expr->fn) ||
1313 sym_name_is("__builtin_bswap16", expr->fn) ||
1314 sym_name_is("__builtin_bswap32", expr->fn) ||
1315 sym_name_is("__builtin_bswap64", expr->fn)) {
1316 struct expression *arg;
1317
1318 arg = get_argument_from_call_expr(expr->args, 0);
1319 return get_rl_sval(arg, implied, recurse_cnt, res, res_sval);
1320 }
1321
1322 if (sym_name_is("__builtin_ffs", expr->fn) ||
1323 sym_name_is("__builtin_ffsl", expr->fn) ||
1324 sym_name_is("__builtin_ffsll", expr->fn))
1325 return handle_ffs(expr, implied, recurse_cnt, res, res_sval);
1326
1327 if (sym_name_is("strlen", expr->fn))
1328 return handle_strlen(expr, implied, recurse_cnt, res, res_sval);
1329
1330 if (implied == RL_EXACT || implied == RL_HARD)
1331 return false;
1332
1333 if (custom_handle_variable) {
1334 rl = custom_handle_variable(expr);
1335 if (rl) {
1336 *res = rl;
1337 return true;
1338 }
1339 }
1340
1341 /* Ugh... get_implied_return() sets *rl to NULL on failure */
1342 if (get_implied_return(expr, &rl)) {
1343 *res = rl;
1344 return true;
1345 }
1346 rl = db_return_vals(expr);
1347 if (rl) {
1348 *res = rl;
1349 return true;
1350 }
1351 return false;
1352 }
1353
1354 static bool handle_cast(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1355 {
1356 struct range_list *rl;
1357 struct symbol *type;
1358 sval_t sval = {};
1359
1360 type = get_type(expr);
1361 if (get_rl_sval(expr->cast_expression, implied, recurse_cnt, &rl, &sval)) {
1362 if (sval.type)
1363 *res_sval = sval_cast(type, sval);
1364 else
1365 *res = cast_rl(type, rl);
1366 return true;
1367 }
1368 if (implied == RL_ABSOLUTE || implied == RL_REAL_ABSOLUTE) {
1369 *res = alloc_whole_rl(type);
1370 return true;
1371 }
1372 if (implied == RL_IMPLIED && type &&
1373 type_bits(type) > 0 && type_bits(type) < 32) {
1374 *res = alloc_whole_rl(type);
1375 return true;
1376 }
1377 return false;
1378 }
1379
1380 static bool get_offset_from_down(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1381 {
1382 struct expression *index;
1383 struct symbol *type = expr->in;
1384 struct range_list *rl;
1385 struct symbol *field;
1386 int offset = 0;
1387 sval_t sval = { .type = ssize_t_ctype };
1388 sval_t tmp_sval = {};
1389
1390 /*
1391 * FIXME: I don't really know what I'm doing here. I wish that I
1392 * could just get rid of the __builtin_offset() function and use:
1393 * "&((struct bpf_prog *)NULL)->insns[fprog->len]" instead...
1394 * Anyway, I have done the minimum ammount of work to get that
1395 * expression to work.
1396 *
1397 */
1398
1399 if (expr->op != '.' || !expr->down ||
1400 expr->down->type != EXPR_OFFSETOF ||
1401 expr->down->op != '[' ||
1402 !expr->down->index)
1403 return false;
1404
1405 index = expr->down->index;
1406
1407 examine_symbol_type(type);
1408 type = get_real_base_type(type);
1409 if (!type)
1410 return false;
1411 field = find_identifier(expr->ident, type->symbol_list, &offset);
1412 if (!field)
1413 return false;
1414
1415 type = get_real_base_type(field);
1416 if (!type || type->type != SYM_ARRAY)
1417 return false;
1418 type = get_real_base_type(type);
1419
1420 if (get_implied_value_internal(index, recurse_cnt, &sval)) {
1421 res_sval->type = ssize_t_ctype;
1422 res_sval->value = offset + sval.value * type_bytes(type);
1423 return true;
1424 }
1425
1426 if (!get_rl_sval(index, implied, recurse_cnt, &rl, &tmp_sval))
1427 return false;
1428
1429 /*
1430 * I'm not sure why get_rl_sval() would return an sval when
1431 * get_implied_value_internal() failed but it does when I
1432 * parse drivers/net/ethernet/mellanox/mlx5/core/en/monitor_stats.c
1433 *
1434 */
1435 if (tmp_sval.type) {
1436 res_sval->type = ssize_t_ctype;
1437 res_sval->value = offset + sval.value * type_bytes(type);
1438 return true;
1439 }
1440
1441 sval.value = type_bytes(type);
1442 rl = rl_binop(rl, '*', alloc_rl(sval, sval));
1443 sval.value = offset;
1444 *res = rl_binop(rl, '+', alloc_rl(sval, sval));
1445 return true;
1446 }
1447
1448 static bool get_offset_from_in(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1449 {
1450 struct symbol *type = get_real_base_type(expr->in);
1451 struct symbol *field;
1452 int offset = 0;
1453
1454 if (expr->op != '.' || !type || !expr->ident)
1455 return false;
1456
1457 field = find_identifier(expr->ident, type->symbol_list, &offset);
1458 if (!field)
1459 return false;
1460
1461 res_sval->type = size_t_ctype;
1462 res_sval->value = offset;
1463
1464 return true;
1465 }
1466
1467 static bool handle_offsetof_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1468 {
1469 if (get_offset_from_down(expr, implied, recurse_cnt, res, res_sval))
1470 return true;
1471
1472 if (get_offset_from_in(expr, implied, recurse_cnt, res, res_sval))
1473 return true;
1474
1475 evaluate_expression(expr);
1476 if (expr->type == EXPR_VALUE) {
1477 *res_sval = sval_from_val(expr, expr->value);
1478 return true;
1479 }
1480 return false;
1481 }
1482
1483 static bool get_rl_sval(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *sval_res)
1484 {
1485 struct range_list *rl = (void *)-1UL;
1486 struct symbol *type;
1487 sval_t sval = {};
1488
1489 type = get_type(expr);
1490 expr = strip_parens(expr);
1491 if (!expr)
1492 return false;
1493
1494 if (++(*recurse_cnt) >= 200)
1495 return false;
1496
1497 switch(expr->type) {
1498 case EXPR_CAST:
1499 case EXPR_FORCE_CAST:
1500 case EXPR_IMPLIED_CAST:
1501 handle_cast(expr, implied, recurse_cnt, &rl, &sval);
1502 goto out_cast;
1503 }
1504
1505 expr = strip_expr(expr);
1506 if (!expr)
1507 return false;
1508
1509 switch (expr->type) {
1510 case EXPR_VALUE:
1511 sval = sval_from_val(expr, expr->value);
1512 break;
1513 case EXPR_FVALUE:
1514 sval = sval_from_fval(expr, expr->fvalue);
1515 break;
1516 case EXPR_PREOP:
1517 handle_preop_rl(expr, implied, recurse_cnt, &rl, &sval);
1518 break;
1519 case EXPR_POSTOP:
1520 get_rl_sval(expr->unop, implied, recurse_cnt, &rl, &sval);
1521 break;
1522 case EXPR_BINOP:
1523 handle_binop_rl(expr, implied, recurse_cnt, &rl, &sval);
1524 break;
1525 case EXPR_COMPARE:
1526 handle_comparison_rl(expr, implied, recurse_cnt, &rl, &sval);
1527 break;
1528 case EXPR_LOGICAL:
1529 handle_logical_rl(expr, implied, recurse_cnt, &rl, &sval);
1530 break;
1531 case EXPR_PTRSIZEOF:
1532 case EXPR_SIZEOF:
1533 sval = handle_sizeof(expr);
1534 break;
1535 case EXPR_SELECT:
1536 case EXPR_CONDITIONAL:
1537 handle_conditional_rl(expr, implied, recurse_cnt, &rl, &sval);
1538 break;
1539 case EXPR_CALL:
1540 handle_call_rl(expr, implied, recurse_cnt, &rl, &sval);
1541 break;
1542 case EXPR_STRING:
1543 if (get_mtag_sval(expr, &sval))
1544 break;
1545 if (implied == RL_EXACT)
1546 break;
1547 rl = alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
1548 break;
1549 case EXPR_OFFSETOF:
1550 handle_offsetof_rl(expr, implied, recurse_cnt, &rl, &sval);
1551 break;
1552 case EXPR_ALIGNOF:
1553 evaluate_expression(expr);
1554 if (expr->type == EXPR_VALUE)
1555 sval = sval_from_val(expr, expr->value);
1556 break;
1557 default:
1558 handle_variable(expr, implied, recurse_cnt, &rl, &sval);
1559 }
1560
1561 out_cast:
1562 if (rl == (void *)-1UL)
1563 rl = NULL;
1564
1565 if (sval.type || (rl && rl_to_sval(rl, &sval))) {
1566 *sval_res = sval;
1567 return true;
1568 }
1569 if (implied == RL_EXACT)
1570 return false;
1571
1572 if (rl) {
1573 *res = rl;
1574 return true;
1575 }
1576 if (type && (implied == RL_ABSOLUTE || implied == RL_REAL_ABSOLUTE)) {
1577 *res = alloc_whole_rl(type);
1578 return true;
1579 }
1580 return false;
1581 }
1582
1583 static bool get_rl_internal(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
1584 {
1585 struct range_list *rl = NULL;
1586 sval_t sval = {};
1587
1588 if (!get_rl_sval(expr, implied, recurse_cnt, &rl, &sval))
1589 return false;
1590
1591 if (sval.type)
1592 *res = alloc_rl(sval, sval);
1593 else
1594 *res = rl;
1595 return true;
1596 }
1597
1598 static bool get_rl_helper(struct expression *expr, int implied, struct range_list **res)
1599 {
1600 struct range_list *rl = NULL;
1601 sval_t sval = {};
1602 int recurse_cnt = 0;
1603
1604 if (get_value(expr, &sval)) {
1605 *res = alloc_rl(sval, sval);
1606 return true;
1607 }
1608
1609 if (!get_rl_sval(expr, implied, &recurse_cnt, &rl, &sval))
1610 return false;
1611
1612 if (sval.type)
1613 *res = alloc_rl(sval, sval);
1614 else
1615 *res = rl;
1616 return true;
1617 }
1618
1619 struct {
1620 struct expression *expr;
1621 sval_t sval;
1622 } cached_results[24];
1623 static int cache_idx;
1624
1625 void clear_math_cache(void)
1626 {
1627 memset(cached_results, 0, sizeof(cached_results));
1628 }
1629
1630 void set_fast_math_only(void)
1631 {
1632 fast_math_only++;
1633 }
1634
1635 void clear_fast_math_only(void)
1636 {
1637 fast_math_only--;
1638 }
1639
1640 /*
1641 * Don't cache EXPR_VALUE because values are fast already.
1642 *
1643 */
1644 static bool get_value_literal(struct expression *expr, sval_t *res_sval)
1645 {
1646 struct expression *tmp;
1647 int recurse_cnt = 0;
1648
1649 tmp = strip_expr(expr);
1650 if (!tmp || tmp->type != EXPR_VALUE)
1651 return false;
1652
1653 return get_rl_sval(expr, RL_EXACT, &recurse_cnt, NULL, res_sval);
1654 }
1655
1656 /* returns 1 if it can get a value literal or else returns 0 */
1657 int get_value(struct expression *expr, sval_t *res_sval)
1658 {
1659 struct range_list *(*orig_custom_fn)(struct expression *expr);
1660 int recurse_cnt = 0;
1661 sval_t sval = {};
1662 int i;
1663
1664 if (get_value_literal(expr, res_sval))
1665 return 1;
1666
1667 /*
1668 * This only handles RL_EXACT because other expr statements can be
1669 * different at different points. Like the list iterator, for example.
1670 */
1671 for (i = 0; i < ARRAY_SIZE(cached_results); i++) {
1672 if (expr == cached_results[i].expr) {
1673 if (cached_results[i].sval.type) {
1674 *res_sval = cached_results[i].sval;
1675 return true;
1676 }
1677 return false;
1678 }
1679 }
1680
1681 orig_custom_fn = custom_handle_variable;
1682 custom_handle_variable = NULL;
1683 get_rl_sval(expr, RL_EXACT, &recurse_cnt, NULL, &sval);
1684
1685 custom_handle_variable = orig_custom_fn;
1686
1687 cached_results[cache_idx].expr = expr;
1688 cached_results[cache_idx].sval = sval;
1689 cache_idx = (cache_idx + 1) % ARRAY_SIZE(cached_results);
1690
1691 if (!sval.type)
1692 return 0;
1693
1694 *res_sval = sval;
1695 return 1;
1696 }
1697
1698 static bool get_implied_value_internal(struct expression *expr, int *recurse_cnt, sval_t *res_sval)
1699 {
1700 struct range_list *rl;
1701
1702 res_sval->type = NULL;
1703
1704 if (!get_rl_sval(expr, RL_IMPLIED, recurse_cnt, &rl, res_sval))
1705 return false;
1706 if (!res_sval->type && !rl_to_sval(rl, res_sval))
1707 return false;
1708 return true;
1709 }
1710
1711 int get_implied_value(struct expression *expr, sval_t *sval)
1712 {
1713 struct range_list *rl;
1714
1715 if (!get_rl_helper(expr, RL_IMPLIED, &rl) ||
1716 !rl_to_sval(rl, sval))
1717 return 0;
1718 return 1;
1719 }
1720
1721 int get_implied_value_fast(struct expression *expr, sval_t *sval)
1722 {
1723 struct range_list *rl;
1724 static int recurse;
1725 int ret = 0;
1726
1727 if (recurse)
1728 return 0;
1729
1730 recurse = 1;
1731 set_fast_math_only();
1732 if (get_rl_helper(expr, RL_IMPLIED, &rl) &&
1733 rl_to_sval(rl, sval))
1734 ret = 1;
1735 clear_fast_math_only();
1736 recurse = 0;
1737
1738 return ret;
1739 }
1740
1741 int get_implied_min(struct expression *expr, sval_t *sval)
1742 {
1743 struct range_list *rl;
1744
1745 if (!get_rl_helper(expr, RL_IMPLIED, &rl) || !rl)
1746 return 0;
1747 *sval = rl_min(rl);
1748 return 1;
1749 }
1750
1751 int get_implied_max(struct expression *expr, sval_t *sval)
1752 {
1753 struct range_list *rl;
1754
1755 if (!get_rl_helper(expr, RL_IMPLIED, &rl) || !rl)
1756 return 0;
1757 *sval = rl_max(rl);
1758 return 1;
1759 }
1760
1761 int get_implied_rl(struct expression *expr, struct range_list **rl)
1762 {
1763 if (!get_rl_helper(expr, RL_IMPLIED, rl) || !*rl)
1764 return 0;
1765 return 1;
1766 }
1767
1768 static int get_absolute_rl_internal(struct expression *expr, struct range_list **rl, int *recurse_cnt)
1769 {
1770 *rl = NULL;
1771 get_rl_internal(expr, RL_ABSOLUTE, recurse_cnt, rl);
1772 if (!*rl)
1773 *rl = alloc_whole_rl(get_type(expr));
1774 return 1;
1775 }
1776
1777 int get_absolute_rl(struct expression *expr, struct range_list **rl)
1778 {
1779 *rl = NULL;
1780 get_rl_helper(expr, RL_ABSOLUTE, rl);
1781 if (!*rl)
1782 *rl = alloc_whole_rl(get_type(expr));
1783 return 1;
1784 }
1785
1786 int get_real_absolute_rl(struct expression *expr, struct range_list **rl)
1787 {
1788 *rl = NULL;
1789 get_rl_helper(expr, RL_REAL_ABSOLUTE, rl);
1790 if (!*rl)
1791 *rl = alloc_whole_rl(get_type(expr));
1792 return 1;
1793 }
1794
1795 int custom_get_absolute_rl(struct expression *expr,
1796 struct range_list *(*fn)(struct expression *expr),
1797 struct range_list **rl)
1798 {
1799 int ret;
1800
1801 *rl = NULL;
1802 custom_handle_variable = fn;
1803 ret = get_rl_helper(expr, RL_REAL_ABSOLUTE, rl);
1804 custom_handle_variable = NULL;
1805 return ret;
1806 }
1807
1808 int get_implied_rl_var_sym(const char *var, struct symbol *sym, struct range_list **rl)
1809 {
1810 struct smatch_state *state;
1811
1812 state = get_state(SMATCH_EXTRA, var, sym);
1813 *rl = estate_rl(state);
1814 if (*rl)
1815 return 1;
1816 return 0;
1817 }
1818
1819 int get_hard_max(struct expression *expr, sval_t *sval)
1820 {
1821 struct range_list *rl;
1822
1823 if (!get_rl_helper(expr, RL_HARD, &rl) || !rl)
1824 return 0;
1825 *sval = rl_max(rl);
1826 return 1;
1827 }
1828
1829 int get_fuzzy_min(struct expression *expr, sval_t *sval)
1830 {
1831 struct range_list *rl;
1832 sval_t tmp;
1833
1834 if (!get_rl_helper(expr, RL_FUZZY, &rl) || !rl)
1835 return 0;
1836 tmp = rl_min(rl);
1837 if (sval_is_negative(tmp) && sval_is_min(tmp))
1838 return 0;
1839 *sval = tmp;
1840 return 1;
1841 }
1842
1843 int get_fuzzy_max(struct expression *expr, sval_t *sval)
1844 {
1845 struct range_list *rl;
1846 sval_t max;
1847
1848 if (!get_rl_helper(expr, RL_FUZZY, &rl) || !rl)
1849 return 0;
1850 max = rl_max(rl);
1851 if (max.uvalue > INT_MAX - 10000)
1852 return 0;
1853 *sval = max;
1854 return 1;
1855 }
1856
1857 int get_absolute_min(struct expression *expr, sval_t *sval)
1858 {
1859 struct range_list *rl;
1860 struct symbol *type;
1861
1862 type = get_type(expr);
1863 if (!type)
1864 type = &llong_ctype; // FIXME: this is wrong but places assume get type can't fail.
1865 rl = NULL;
1866 get_rl_helper(expr, RL_REAL_ABSOLUTE, &rl);
1867 if (rl)
1868 *sval = rl_min(rl);
1869 else
1870 *sval = sval_type_min(type);
1871
1872 if (sval_cmp(*sval, sval_type_min(type)) < 0)
1873 *sval = sval_type_min(type);
1874 return 1;
1875 }
1876
1877 int get_absolute_max(struct expression *expr, sval_t *sval)
1878 {
1879 struct range_list *rl;
1880 struct symbol *type;
1881
1882 type = get_type(expr);
1883 if (!type)
1884 type = &llong_ctype;
1885 rl = NULL;
1886 get_rl_helper(expr, RL_REAL_ABSOLUTE, &rl);
1887 if (rl)
1888 *sval = rl_max(rl);
1889 else
1890 *sval = sval_type_max(type);
1891
1892 if (sval_cmp(sval_type_max(type), *sval) < 0)
1893 *sval = sval_type_max(type);
1894 return 1;
1895 }
1896
1897 int known_condition_true(struct expression *expr)
1898 {
1899 sval_t tmp;
1900
1901 if (!expr)
1902 return 0;
1903
1904 if (__inline_fn && get_param_num(expr) >= 0) {
1905 if (get_implied_value(expr, &tmp) && tmp.value)
1906 return 1;
1907 return 0;
1908 }
1909
1910 if (get_value(expr, &tmp) && tmp.value)
1911 return 1;
1912
1913 return 0;
1914 }
1915
1916 int known_condition_false(struct expression *expr)
1917 {
1918 sval_t tmp;
1919
1920 if (!expr)
1921 return 0;
1922
1923 if (__inline_fn && get_param_num(expr) >= 0) {
1924 if (get_implied_value(expr, &tmp) && tmp.value == 0)
1925 return 1;
1926 return 0;
1927 }
1928
1929 if (expr_is_zero(expr))
1930 return 1;
1931
1932 return 0;
1933 }
1934
1935 int implied_condition_true(struct expression *expr)
1936 {
1937 sval_t tmp;
1938
1939 if (!expr)
1940 return 0;
1941
1942 if (known_condition_true(expr))
1943 return 1;
1944 if (get_implied_value(expr, &tmp) && tmp.value)
1945 return 1;
1946
1947 if (expr->type == EXPR_POSTOP)
1948 return implied_condition_true(expr->unop);
1949
1950 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_DECREMENT)
1951 return implied_not_equal(expr->unop, 1);
1952 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_INCREMENT)
1953 return implied_not_equal(expr->unop, -1);
1954
1955 expr = strip_expr(expr);
1956 switch (expr->type) {
1957 case EXPR_COMPARE:
1958 if (do_comparison(expr) == 1)
1959 return 1;
1960 break;
1961 case EXPR_PREOP:
1962 if (expr->op == '!') {
1963 if (implied_condition_false(expr->unop))
1964 return 1;
1965 break;
1966 }
1967 break;
1968 default:
1969 if (implied_not_equal(expr, 0) == 1)
1970 return 1;
1971 break;
1972 }
1973 return 0;
1974 }
1975
1976 int implied_condition_false(struct expression *expr)
1977 {
1978 struct expression *tmp;
1979 sval_t sval;
1980
1981 if (!expr)
1982 return 0;
1983
1984 if (known_condition_false(expr))
1985 return 1;
1986
1987 switch (expr->type) {
1988 case EXPR_COMPARE:
1989 if (do_comparison(expr) == 2)
1990 return 1;
1991 case EXPR_PREOP:
1992 if (expr->op == '!') {
1993 if (implied_condition_true(expr->unop))
1994 return 1;
1995 break;
1996 }
1997 tmp = strip_expr(expr);
1998 if (tmp != expr)
1999 return implied_condition_false(tmp);
2000 break;
2001 default:
2002 if (get_implied_value(expr, &sval) && sval.value == 0)
2003 return 1;
2004 break;
2005 }
2006 return 0;
2007 }
2008
2009
Static analysis for C