search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
shift_to_zero: be even more conservative (avoid false positives)
[smatch.git] / smatch_capped.c
blobce290b9630413f5d95dd760e4ef79a2ff1de3106
1 /*
2 * Copyright (C) 2011 Oracle. All rights reserved.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * This is trying to make a list of the variables which
20 * have capped values. Sometimes we don't know what the
21 * cap is, for example if we are comparing variables but
22 * we don't know the values of the variables. In that
23 * case we only know that our variable is capped and we
24 * sort that information here.
25 */
26
27 #include "smatch.h"
28 #include "smatch_slist.h"
29 #include "smatch_extra.h"
30
31 static int my_id;
32
33 STATE(capped);
34 STATE(uncapped);
35
36 static void set_uncapped(struct sm_state *sm, struct expression *mod_expr)
37 {
38 set_state(my_id, sm->name, sm->sym, &uncapped);
39 }
40
41 static struct smatch_state *unmatched_state(struct sm_state *sm)
42 {
43 struct smatch_state *state;
44
45 state = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
46 if (state && !estate_is_whole(state))
47 return &capped;
48 return &uncapped;
49 }
50
51 static int is_capped_macro(struct expression *expr)
52 {
53 char *name;
54
55 name = get_macro_name(expr->pos);
56 if (!name)
57 return 0;
58
59 if (strcmp(name, "min") == 0)
60 return 1;
61 if (strcmp(name, "MIN") == 0)
62 return 1;
63 if (strcmp(name, "min_t") == 0)
64 return 1;
65
66 return 0;
67 }
68
69 int is_capped(struct expression *expr)
70 {
71 struct symbol *type;
72 sval_t dummy;
73
74 expr = strip_expr(expr);
75 while (expr && expr->type == EXPR_POSTOP) {
76 expr = strip_expr(expr->unop);
77 }
78 if (!expr)
79 return 0;
80
81 type = get_type(expr);
82 if (is_ptr_type(type))
83 return 0;
84 if (type == &bool_ctype)
85 return 0;
86 if (type_bits(type) >= 0 && type_bits(type) <= 2)
87 return 0;
88
89 if (get_hard_max(expr, &dummy))
90 return 1;
91
92 if (is_capped_macro(expr))
93 return 1;
94
95 if (expr->type == EXPR_BINOP) {
96 struct range_list *left_rl, *right_rl;
97 sval_t sval;
98
99 if (expr->op == '&' && !get_value(expr->right, &sval))
100 return 1;
101 if (expr->op == SPECIAL_RIGHTSHIFT)
102 return 0;
103 if (expr->op == '%' &&
104 !get_value(expr->right, &sval) && is_capped(expr->right))
105 return 1;
106 if (!is_capped(expr->left))
107 return 0;
108 if (expr->op == '/')
109 return 1;
110 if (!is_capped(expr->right))
111 return 0;
112 if (expr->op == '*') {
113 get_absolute_rl(expr->left, &left_rl);
114 get_absolute_rl(expr->right, &right_rl);
115 if (sval_is_negative(rl_min(left_rl)) ||
116 sval_is_negative(rl_min(right_rl)))
117 return 0;
118 }
119 return 1;
120 }
121 if (get_state_expr(my_id, expr) == &capped)
122 return 1;
123 return 0;
124 }
125
126 int is_capped_var_sym(const char *name, struct symbol *sym)
127 {
128 if (get_state(my_id, name, sym) == &capped)
129 return 1;
130 return 0;
131 }
132
133 void set_param_capped_data(const char *name, struct symbol *sym, char *key, char *value)
134 {
135 char fullname[256];
136
137 if (strncmp(key, "$", 1))
138 return;
139 snprintf(fullname, 256, "%s%s", name, key + 1);
140 set_state(my_id, fullname, sym, &capped);
141 }
142
143 static void match_condition(struct expression *expr)
144 {
145 struct expression *left, *right;
146 struct smatch_state *left_true = NULL;
147 struct smatch_state *left_false = NULL;
148 struct smatch_state *right_true = NULL;
149 struct smatch_state *right_false = NULL;
150 sval_t sval;
151
152
153 if (expr->type != EXPR_COMPARE)
154 return;
155
156 left = strip_expr(expr->left);
157 right = strip_expr(expr->right);
158
159 while (left->type == EXPR_ASSIGNMENT)
160 left = strip_expr(left->left);
161
162 /* If we're dealing with known expressions, that's for smatch_extra.c */
163 if (get_implied_value(left, &sval) ||
164 get_implied_value(right, &sval))
165 return;
166
167 switch (expr->op) {
168 case '<':
169 case SPECIAL_LTE:
170 case SPECIAL_UNSIGNED_LT:
171 case SPECIAL_UNSIGNED_LTE:
172 left_true = &capped;
173 right_false = &capped;
174 break;
175 case '>':
176 case SPECIAL_GTE:
177 case SPECIAL_UNSIGNED_GT:
178 case SPECIAL_UNSIGNED_GTE:
179 left_false = &capped;
180 right_true = &capped;
181 break;
182 case SPECIAL_EQUAL:
183 left_true = &capped;
184 right_true = &capped;
185 break;
186 case SPECIAL_NOTEQUAL:
187 left_false = &capped;
188 right_false = &capped;
189 break;
190
191 default:
192 return;
193 }
194
195 set_true_false_states_expr(my_id, left, left_true, left_false);
196 set_true_false_states_expr(my_id, right, right_true, right_false);
197 }
198
199 static void match_assign(struct expression *expr)
200 {
201 struct symbol *type;
202
203 type = get_type(expr);
204 if (is_ptr_type(type))
205 return;
206 if (type == &bool_ctype)
207 return;
208 if (type_bits(type) >= 0 && type_bits(type) <= 2)
209 return;
210
211 if (is_capped(expr->right)) {
212 set_state_expr(my_id, expr->left, &capped);
213 } else {
214 if (get_state_expr(my_id, expr->left))
215 set_state_expr(my_id, expr->left, &uncapped);
216 }
217 }
218
219 static void match_caller_info(struct expression *expr)
220 {
221 struct expression *tmp;
222 sval_t sval;
223 int i;
224
225 i = -1;
226 FOR_EACH_PTR(expr->args, tmp) {
227 i++;
228 if (get_implied_value(tmp, &sval))
229 continue;
230 if (!is_capped(tmp))
231 continue;
232 sql_insert_caller_info(expr, CAPPED_DATA, i, "$", "1");
233 } END_FOR_EACH_PTR(tmp);
234 }
235
236 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
237 {
238 struct smatch_state *estate;
239 sval_t sval;
240
241 if (sm->state != &capped)
242 return;
243 estate = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
244 if (estate_get_single_value(estate, &sval))
245 return;
246 sql_insert_caller_info(call, CAPPED_DATA, param, printed_name, "1");
247 }
248
249 static void print_return_implies_capped(int return_id, char *return_ranges, struct expression *expr)
250 {
251 struct smatch_state *orig, *estate;
252 struct sm_state *sm;
253 struct symbol *ret_sym;
254 const char *param_name;
255 char *return_str;
256 int param;
257 sval_t sval;
258 bool return_found = false;
259
260 expr = strip_expr(expr);
261 return_str = expr_to_str(expr);
262 ret_sym = expr_to_sym(expr);
263
264 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
265 if (sm->state != &capped)
266 continue;
267
268 param = get_param_num_from_sym(sm->sym);
269 if (param < 0)
270 continue;
271
272 estate = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
273 if (estate_get_single_value(estate, &sval))
274 continue;
275
276 orig = get_state_stree(get_start_states(), my_id, sm->name, sm->sym);
277 if (orig == &capped && !param_was_set_var_sym(sm->name, sm->sym))
278 continue;
279
280 param_name = get_param_name(sm);
281 if (!param_name)
282 continue;
283
284 sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
285 param, param_name, "1");
286 } END_FOR_EACH_SM(sm);
287
288 FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
289 if (!ret_sym)
290 break;
291 if (sm->state != &capped)
292 continue;
293 if (ret_sym != sm->sym)
294 continue;
295
296 estate = __get_state(SMATCH_EXTRA, sm->name, sm->sym);
297 if (estate_get_single_value(estate, &sval))
298 continue;
299
300 param_name = state_name_to_param_name(sm->name, return_str);
301 if (!param_name)
302 continue;
303 if (strcmp(param_name, "$") == 0)
304 return_found = true;
305 sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
306 -1, param_name, "1");
307 } END_FOR_EACH_SM(sm);
308
309 if (return_found)
310 goto free_string;
311
312 if (option_project == PROJ_KERNEL && get_function() &&
313 strstr(get_function(), "nla_get_"))
314 sql_insert_return_states(return_id, return_ranges, CAPPED_DATA,
315 -1, "$", "1");
316
317 free_string:
318 free_string(return_str);
319 }
320
321 static void db_return_states_capped(struct expression *expr, int param, char *key, char *value)
322 {
323 char *name;
324 struct symbol *sym;
325
326 name = return_state_to_var_sym(expr, param, key, &sym);
327 if (!name || !sym)
328 goto free;
329
330 set_state(my_id, name, sym, &capped);
331 free:
332 free_string(name);
333 }
334
335 void register_capped(int id)
336 {
337 my_id = id;
338
339 add_unmatched_state_hook(my_id, &unmatched_state);
340 select_caller_info_hook(set_param_capped_data, CAPPED_DATA);
341 add_hook(&match_condition, CONDITION_HOOK);
342 add_hook(&match_assign, ASSIGNMENT_HOOK);
343 add_modification_hook(my_id, &set_uncapped);
344
345 add_hook(&match_caller_info, FUNCTION_CALL_HOOK);
346 add_member_info_callback(my_id, struct_member_callback);
347
348 add_split_return_callback(print_return_implies_capped);
349 select_return_states_hook(CAPPED_DATA, &db_return_states_capped);
350 }
Static analysis for C