search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
array: store possible array values for simple arrays
[smatch.git] / smatch_math.c
blobc68705d855ffd98750e2a9bd0e7d4d6f119f6e78
1 /*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 #include "symbol.h"
19 #include "smatch.h"
20 #include "smatch_slist.h"
21 #include "smatch_extra.h"
22
23 static struct range_list *_get_rl(struct expression *expr, int implied, int *recurse_cnt);
24 static struct range_list *handle_variable(struct expression *expr, int implied, int *recurse_cnt);
25 static struct range_list *(*custom_handle_variable)(struct expression *expr);
26
27 static int get_implied_value_internal(struct expression *expr, sval_t *sval, int *recurse_cnt);
28 static int get_absolute_rl_internal(struct expression *expr, struct range_list **rl, int *recurse_cnt);
29
30 static sval_t zero = {.type = &int_ctype, {.value = 0} };
31 static sval_t one = {.type = &int_ctype, {.value = 1} };
32
33 struct range_list *rl_zero(void)
34 {
35 static struct range_list *zero_perm;
36
37 if (!zero_perm)
38 zero_perm = clone_rl_permanent(alloc_rl(zero, zero));
39 return zero_perm;
40 }
41
42 struct range_list *rl_one(void)
43 {
44 static struct range_list *one_perm;
45
46 if (!one_perm)
47 one_perm = clone_rl_permanent(alloc_rl(one, one));
48
49 return one_perm;
50 }
51
52 enum {
53 RL_EXACT,
54 RL_HARD,
55 RL_FUZZY,
56 RL_IMPLIED,
57 RL_ABSOLUTE,
58 RL_REAL_ABSOLUTE,
59 };
60
61 static struct range_list *last_stmt_rl(struct statement *stmt, int implied, int *recurse_cnt)
62 {
63 struct expression *expr;
64
65 if (!stmt)
66 return NULL;
67
68 stmt = last_ptr_list((struct ptr_list *)stmt->stmts);
69 if (stmt->type == STMT_LABEL) {
70 if (stmt->label_statement &&
71 stmt->label_statement->type == STMT_EXPRESSION)
72 expr = stmt->label_statement->expression;
73 else
74 return NULL;
75 } else if (stmt->type == STMT_EXPRESSION) {
76 expr = stmt->expression;
77 } else {
78 return NULL;
79 }
80 return _get_rl(expr, implied, recurse_cnt);
81 }
82
83 static struct range_list *handle_expression_statement_rl(struct expression *expr, int implied, int *recurse_cnt)
84 {
85 return last_stmt_rl(get_expression_statement(expr), implied, recurse_cnt);
86 }
87
88 static struct range_list *handle_ampersand_rl(struct expression *expr, int implied, int *recurse_cnt)
89 {
90 struct range_list *rl;
91 sval_t sval;
92
93 if (implied == RL_EXACT || implied == RL_HARD)
94 return NULL;
95 if (get_mtag_sval(expr, &sval))
96 return alloc_rl(sval, sval);
97 if (get_address_rl(expr, &rl))
98 return rl;
99 return alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
100 }
101
102 static struct range_list *handle_negate_rl(struct expression *expr, int implied, int *recurse_cnt)
103 {
104 if (known_condition_true(expr->unop))
105 return rl_zero();
106 if (known_condition_false(expr->unop))
107 return rl_one();
108
109 if (implied == RL_EXACT)
110 return NULL;
111
112 if (implied_condition_true(expr->unop))
113 return rl_zero();
114 if (implied_condition_false(expr->unop))
115 return rl_one();
116 return alloc_rl(zero, one);
117 }
118
119 static struct range_list *handle_bitwise_negate(struct expression *expr, int implied, int *recurse_cnt)
120 {
121 struct range_list *rl;
122 sval_t sval;
123
124 rl = _get_rl(expr->unop, implied, recurse_cnt);
125 if (!rl_to_sval(rl, &sval))
126 return NULL;
127 sval = sval_preop(sval, '~');
128 sval_cast(get_type(expr->unop), sval);
129 return alloc_rl(sval, sval);
130 }
131
132 static struct range_list *handle_minus_preop(struct expression *expr, int implied, int *recurse_cnt)
133 {
134 struct range_list *rl;
135 sval_t min, max;
136
137 rl = _get_rl(expr->unop, implied, recurse_cnt);
138 min = sval_preop(rl_max(rl), '-');
139 max = sval_preop(rl_min(rl), '-');
140 return alloc_rl(min, max);
141 }
142
143 static struct range_list *handle_preop_rl(struct expression *expr, int implied, int *recurse_cnt)
144 {
145 switch (expr->op) {
146 case '&':
147 return handle_ampersand_rl(expr, implied, recurse_cnt);
148 case '!':
149 return handle_negate_rl(expr, implied, recurse_cnt);
150 case '~':
151 return handle_bitwise_negate(expr, implied, recurse_cnt);
152 case '-':
153 return handle_minus_preop(expr, implied, recurse_cnt);
154 case '*':
155 return handle_variable(expr, implied, recurse_cnt);
156 case '(':
157 return handle_expression_statement_rl(expr, implied, recurse_cnt);
158 default:
159 return NULL;
160 }
161 }
162
163 static struct range_list *handle_divide_rl(struct expression *expr, int implied, int *recurse_cnt)
164 {
165 struct range_list *left_rl, *right_rl;
166 struct symbol *type;
167
168 type = get_type(expr);
169
170 left_rl = _get_rl(expr->left, implied, recurse_cnt);
171 left_rl = cast_rl(type, left_rl);
172 right_rl = _get_rl(expr->right, implied, recurse_cnt);
173 right_rl = cast_rl(type, right_rl);
174
175 if (!left_rl || !right_rl)
176 return NULL;
177
178 if (implied != RL_REAL_ABSOLUTE) {
179 if (is_whole_rl(left_rl) || is_whole_rl(right_rl))
180 return NULL;
181 }
182
183 return rl_binop(left_rl, '/', right_rl);
184 }
185
186 static int handle_offset_subtraction(struct expression *expr)
187 {
188 struct expression *left, *right;
189 struct symbol *left_sym, *right_sym;
190 struct symbol *type;
191 int left_offset, right_offset;
192
193 type = get_type(expr);
194 if (!type || type->type != SYM_PTR)
195 return -1;
196 type = get_real_base_type(type);
197 if (!type || (type_bits(type) != 8 && (type != &void_ctype)))
198 return -1;
199
200 left = strip_expr(expr->left);
201 right = strip_expr(expr->right);
202
203 if (left->type != EXPR_PREOP || left->op != '&')
204 return -1;
205 left = strip_expr(left->unop);
206
207 left_sym = expr_to_sym(left);
208 right_sym = expr_to_sym(right);
209 if (!left_sym || left_sym != right_sym)
210 return -1;
211
212 left_offset = get_member_offset_from_deref(left);
213 if (right->type == EXPR_SYMBOL)
214 right_offset = 0;
215 else {
216 if (right->type != EXPR_PREOP || right->op != '&')
217 return -1;
218 right = strip_expr(right->unop);
219 right_offset = get_member_offset_from_deref(right);
220 }
221 if (left_offset < 0 || right_offset < 0)
222 return -1;
223
224 return left_offset - right_offset;
225 }
226
227 static struct range_list *handle_subtract_rl(struct expression *expr, int implied, int *recurse_cnt)
228 {
229 struct symbol *type;
230 struct range_list *left_orig, *right_orig;
231 struct range_list *left_rl, *right_rl;
232 sval_t max, min, tmp;
233 int comparison;
234 int offset;
235
236 type = get_type(expr);
237
238 offset = handle_offset_subtraction(expr);
239 if (offset >= 0) {
240 tmp.type = type;
241 tmp.value = offset;
242
243 return alloc_rl(tmp, tmp);
244 }
245
246 comparison = get_comparison(expr->left, expr->right);
247
248 left_orig = _get_rl(expr->left, implied, recurse_cnt);
249 left_rl = cast_rl(type, left_orig);
250 right_orig = _get_rl(expr->right, implied, recurse_cnt);
251 right_rl = cast_rl(type, right_orig);
252
253 if ((!left_rl || !right_rl) &&
254 (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY))
255 return NULL;
256
257 if (!left_rl)
258 left_rl = alloc_whole_rl(type);
259 if (!right_rl)
260 right_rl = alloc_whole_rl(type);
261
262 /* negative values complicate everything fix this later */
263 if (sval_is_negative(rl_min(right_rl)))
264 return NULL;
265 max = rl_max(left_rl);
266 min = sval_type_min(type);
267
268 switch (comparison) {
269 case '>':
270 case SPECIAL_UNSIGNED_GT:
271 min = sval_type_val(type, 1);
272 max = rl_max(left_rl);
273 break;
274 case SPECIAL_GTE:
275 case SPECIAL_UNSIGNED_GTE:
276 min = sval_type_val(type, 0);
277 max = rl_max(left_rl);
278 break;
279 case SPECIAL_EQUAL:
280 min = sval_type_val(type, 0);
281 max = sval_type_val(type, 0);
282 break;
283 case '<':
284 case SPECIAL_UNSIGNED_LT:
285 max = sval_type_val(type, -1);
286 break;
287 case SPECIAL_LTE:
288 case SPECIAL_UNSIGNED_LTE:
289 max = sval_type_val(type, 0);
290 break;
291 default:
292 if (!left_orig || !right_orig)
293 return NULL;
294 return rl_binop(left_rl, '-', right_rl);
295 }
296
297 if (!sval_binop_overflows(rl_min(left_rl), '-', rl_max(right_rl))) {
298 tmp = sval_binop(rl_min(left_rl), '-', rl_max(right_rl));
299 if (sval_cmp(tmp, min) > 0)
300 min = tmp;
301 }
302
303 if (!sval_is_max(rl_max(left_rl))) {
304 tmp = sval_binop(rl_max(left_rl), '-', rl_min(right_rl));
305 if (sval_cmp(tmp, max) < 0)
306 max = tmp;
307 }
308
309 if (sval_is_min(min) && sval_is_max(max))
310 return NULL;
311
312 return cast_rl(type, alloc_rl(min, max));
313 }
314
315 static struct range_list *handle_mod_rl(struct expression *expr, int implied, int *recurse_cnt)
316 {
317 struct range_list *rl;
318 sval_t left, right, sval;
319
320 if (implied == RL_EXACT) {
321 if (!get_implied_value(expr->right, &right))
322 return NULL;
323 if (!get_implied_value(expr->left, &left))
324 return NULL;
325 sval = sval_binop(left, '%', right);
326 return alloc_rl(sval, sval);
327 }
328 /* if we can't figure out the right side it's probably hopeless */
329 if (!get_implied_value_internal(expr->right, &right, recurse_cnt))
330 return NULL;
331
332 right = sval_cast(get_type(expr), right);
333 right.value--;
334
335 rl = _get_rl(expr->left, implied, recurse_cnt);
336 if (rl && rl_max(rl).uvalue < right.uvalue)
337 right.uvalue = rl_max(rl).uvalue;
338
339 return alloc_rl(sval_cast(right.type, zero), right);
340 }
341
342 static sval_t sval_lowest_set_bit(sval_t sval)
343 {
344 int i;
345 int found = 0;
346
347 for (i = 0; i < 64; i++) {
348 if (sval.uvalue & 1ULL << i) {
349 if (!found++)
350 continue;
351 sval.uvalue &= ~(1ULL << i);
352 }
353 }
354 return sval;
355 }
356
357 static struct range_list *handle_bitwise_AND(struct expression *expr, int implied, int *recurse_cnt)
358 {
359 struct symbol *type;
360 struct range_list *left_rl, *right_rl;
361 sval_t known;
362 int new_recurse;
363
364 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE && implied != RL_REAL_ABSOLUTE)
365 return NULL;
366
367 type = get_type(expr);
368
369 if (get_implied_value_internal(expr->left, &known, recurse_cnt)) {
370 sval_t min;
371
372 min = sval_lowest_set_bit(known);
373 left_rl = alloc_rl(min, known);
374 left_rl = cast_rl(type, left_rl);
375 add_range(&left_rl, sval_type_val(type, 0), sval_type_val(type, 0));
376 } else {
377 left_rl = _get_rl(expr->left, implied, recurse_cnt);
378 if (left_rl) {
379 left_rl = cast_rl(type, left_rl);
380 left_rl = alloc_rl(sval_type_val(type, 0), rl_max(left_rl));
381 } else {
382 if (implied == RL_HARD)
383 return NULL;
384 left_rl = alloc_whole_rl(type);
385 }
386 }
387
388 new_recurse = *recurse_cnt;
389 if (*recurse_cnt >= 200)
390 new_recurse = 100; /* Let's try super hard to get the mask */
391 if (get_implied_value_internal(expr->right, &known, &new_recurse)) {
392 sval_t min, left_max, mod;
393
394 *recurse_cnt = new_recurse;
395
396 min = sval_lowest_set_bit(known);
397 right_rl = alloc_rl(min, known);
398 right_rl = cast_rl(type, right_rl);
399 add_range(&right_rl, sval_type_val(type, 0), sval_type_val(type, 0));
400
401 if (min.value != 0) {
402 left_max = rl_max(left_rl);
403 mod = sval_binop(left_max, '%', min);
404 if (mod.value) {
405 left_max = sval_binop(left_max, '-', mod);
406 left_max.value++;
407 if (left_max.value > 0 && sval_cmp(left_max, rl_max(left_rl)) < 0)
408 left_rl = remove_range(left_rl, left_max, rl_max(left_rl));
409 }
410 }
411 } else {
412 right_rl = _get_rl(expr->right, implied, recurse_cnt);
413 if (right_rl) {
414 right_rl = cast_rl(type, right_rl);
415 right_rl = alloc_rl(sval_type_val(type, 0), rl_max(right_rl));
416 } else {
417 if (implied == RL_HARD)
418 return NULL;
419 right_rl = alloc_whole_rl(type);
420 }
421 }
422
423 return rl_intersection(left_rl, right_rl);
424 }
425
426 static struct range_list *use_rl_binop(struct expression *expr, int implied, int *recurse_cnt)
427 {
428 struct symbol *type;
429 struct range_list *left_rl, *right_rl;
430
431 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE && implied != RL_REAL_ABSOLUTE)
432 return NULL;
433
434 type = get_type(expr);
435
436 get_absolute_rl_internal(expr->left, &left_rl, recurse_cnt);
437 get_absolute_rl_internal(expr->right, &right_rl, recurse_cnt);
438 left_rl = cast_rl(type, left_rl);
439 right_rl = cast_rl(type, right_rl);
440 if (!left_rl || !right_rl)
441 return NULL;
442
443 return rl_binop(left_rl, expr->op, right_rl);
444 }
445
446 static struct range_list *handle_right_shift(struct expression *expr, int implied, int *recurse_cnt)
447 {
448 struct range_list *left_rl;
449 sval_t right;
450 sval_t min, max;
451
452 if (implied == RL_EXACT || implied == RL_HARD)
453 return NULL;
454
455 left_rl = _get_rl(expr->left, implied, recurse_cnt);
456 if (left_rl) {
457 max = rl_max(left_rl);
458 min = rl_min(left_rl);
459 } else {
460 if (implied == RL_FUZZY)
461 return NULL;
462 max = sval_type_max(get_type(expr->left));
463 min = sval_type_val(get_type(expr->left), 0);
464 }
465
466 if (get_implied_value_internal(expr->right, &right, recurse_cnt)) {
467 min = sval_binop(min, SPECIAL_RIGHTSHIFT, right);
468 max = sval_binop(max, SPECIAL_RIGHTSHIFT, right);
469 } else if (!sval_is_negative(min)) {
470 min.value = 0;
471 max = sval_type_max(max.type);
472 } else {
473 return NULL;
474 }
475
476 return alloc_rl(min, max);
477 }
478
479 static struct range_list *handle_left_shift(struct expression *expr, int implied, int *recurse_cnt)
480 {
481 struct range_list *left_rl, *res;
482 sval_t right;
483 sval_t min, max;
484 int add_zero = 0;
485
486 if (implied == RL_EXACT || implied == RL_HARD)
487 return NULL;
488 /* this is hopeless without the right side */
489 if (!get_implied_value_internal(expr->right, &right, recurse_cnt))
490 return NULL;
491 left_rl = _get_rl(expr->left, implied, recurse_cnt);
492 if (left_rl) {
493 max = rl_max(left_rl);
494 min = rl_min(left_rl);
495 if (min.value == 0) {
496 min.value = 1;
497 add_zero = 1;
498 }
499 } else {
500 if (implied == RL_FUZZY)
501 return NULL;
502 max = sval_type_max(get_type(expr->left));
503 min = sval_type_val(get_type(expr->left), 1);
504 add_zero = 1;
505 }
506
507 max = sval_binop(max, SPECIAL_LEFTSHIFT, right);
508 min = sval_binop(min, SPECIAL_LEFTSHIFT, right);
509 res = alloc_rl(min, max);
510 if (add_zero)
511 res = rl_union(res, rl_zero());
512 return res;
513 }
514
515 static struct range_list *handle_known_binop(struct expression *expr)
516 {
517 sval_t left, right;
518
519 if (!get_value(expr->left, &left))
520 return NULL;
521 if (!get_value(expr->right, &right))
522 return NULL;
523 left = sval_binop(left, expr->op, right);
524 return alloc_rl(left, left);
525 }
526
527 static int has_actual_ranges(struct range_list *rl)
528 {
529 struct data_range *tmp;
530
531 FOR_EACH_PTR(rl, tmp) {
532 if (sval_cmp(tmp->min, tmp->max) != 0)
533 return 1;
534 } END_FOR_EACH_PTR(tmp);
535 return 0;
536 }
537
538 static struct range_list *handle_implied_binop(struct range_list *left_rl, int op, struct range_list *right_rl)
539 {
540 struct range_list *res_rl;
541 struct data_range *left_drange, *right_drange;
542 sval_t res;
543
544 if (!left_rl || !right_rl)
545 return NULL;
546 if (has_actual_ranges(left_rl))
547 return NULL;
548 if (has_actual_ranges(right_rl))
549 return NULL;
550
551 if (ptr_list_size((struct ptr_list *)left_rl) * ptr_list_size((struct ptr_list *)right_rl) > 20)
552 return NULL;
553
554 res_rl = NULL;
555
556 FOR_EACH_PTR(left_rl, left_drange) {
557 FOR_EACH_PTR(right_rl, right_drange) {
558 if ((op == '%' || op == '/') &&
559 right_drange->min.value == 0)
560 return NULL;
561 res = sval_binop(left_drange->min, op, right_drange->min);
562 add_range(&res_rl, res, res);
563 } END_FOR_EACH_PTR(right_drange);
564 } END_FOR_EACH_PTR(left_drange);
565
566 return res_rl;
567 }
568
569 static struct range_list *handle_binop_rl(struct expression *expr, int implied, int *recurse_cnt)
570 {
571 struct smatch_state *state;
572 struct symbol *type;
573 struct range_list *left_rl, *right_rl, *rl;
574 sval_t min, max;
575
576 rl = handle_known_binop(expr);
577 if (rl)
578 return rl;
579 if (implied == RL_EXACT)
580 return NULL;
581
582 if (custom_handle_variable) {
583 rl = custom_handle_variable(expr);
584 if (rl)
585 return rl;
586 }
587
588 state = get_extra_state(expr);
589 if (state && !is_whole_rl(estate_rl(state))) {
590 if (implied != RL_HARD || estate_has_hard_max(state))
591 return clone_rl(estate_rl(state));
592 }
593
594 type = get_type(expr);
595 left_rl = _get_rl(expr->left, implied, recurse_cnt);
596 left_rl = cast_rl(type, left_rl);
597 right_rl = _get_rl(expr->right, implied, recurse_cnt);
598 right_rl = cast_rl(type, right_rl);
599
600 if (!left_rl && !right_rl)
601 return NULL;
602
603 rl = handle_implied_binop(left_rl, expr->op, right_rl);
604 if (rl)
605 return rl;
606
607 switch (expr->op) {
608 case '%':
609 return handle_mod_rl(expr, implied, recurse_cnt);
610 case '&':
611 return handle_bitwise_AND(expr, implied, recurse_cnt);
612 case '|':
613 case '^':
614 return use_rl_binop(expr, implied, recurse_cnt);
615 case SPECIAL_RIGHTSHIFT:
616 return handle_right_shift(expr, implied, recurse_cnt);
617 case SPECIAL_LEFTSHIFT:
618 return handle_left_shift(expr, implied, recurse_cnt);
619 case '-':
620 return handle_subtract_rl(expr, implied, recurse_cnt);
621 case '/':
622 return handle_divide_rl(expr, implied, recurse_cnt);
623 }
624
625 if (!left_rl || !right_rl)
626 return NULL;
627
628 if (sval_binop_overflows(rl_min(left_rl), expr->op, rl_min(right_rl)))
629 return NULL;
630 if (sval_binop_overflows(rl_max(left_rl), expr->op, rl_max(right_rl)))
631 return NULL;
632
633 min = sval_binop(rl_min(left_rl), expr->op, rl_min(right_rl));
634 max = sval_binop(rl_max(left_rl), expr->op, rl_max(right_rl));
635
636 return alloc_rl(min, max);
637 }
638
639 static int do_comparison(struct expression *expr)
640 {
641 struct range_list *left_ranges = NULL;
642 struct range_list *right_ranges = NULL;
643 int poss_true, poss_false;
644 struct symbol *type;
645
646 type = get_type(expr);
647 get_absolute_rl(expr->left, &left_ranges);
648 get_absolute_rl(expr->right, &right_ranges);
649
650 left_ranges = cast_rl(type, left_ranges);
651 right_ranges = cast_rl(type, right_ranges);
652
653 poss_true = possibly_true_rl(left_ranges, expr->op, right_ranges);
654 poss_false = possibly_false_rl(left_ranges, expr->op, right_ranges);
655
656 if (!poss_true && !poss_false)
657 return 0x0;
658 if (poss_true && !poss_false)
659 return 0x1;
660 if (!poss_true && poss_false)
661 return 0x2;
662 return 0x3;
663 }
664
665 static struct range_list *handle_comparison_rl(struct expression *expr, int implied, int *recurse_cnt)
666 {
667 sval_t left, right;
668 int res;
669
670 if (expr->op == SPECIAL_EQUAL && expr->left->type == EXPR_TYPE) {
671 struct symbol *left, *right;
672
673 left = get_real_base_type(expr->left->symbol);
674 right = get_real_base_type(expr->left->symbol);
675 if (left == right)
676 return rl_one();
677 return rl_zero();
678 }
679
680 if (get_value(expr->left, &left) && get_value(expr->right, &right)) {
681 struct data_range tmp_left, tmp_right;
682
683 tmp_left.min = left;
684 tmp_left.max = left;
685 tmp_right.min = right;
686 tmp_right.max = right;
687 if (true_comparison_range(&tmp_left, expr->op, &tmp_right))
688 return rl_one();
689 return rl_zero();
690 }
691
692 if (implied == RL_EXACT)
693 return NULL;
694
695 res = do_comparison(expr);
696 if (res == 1)
697 return rl_one();
698 if (res == 2)
699 return rl_zero();
700
701 return alloc_rl(zero, one);
702 }
703
704 static struct range_list *handle_logical_rl(struct expression *expr, int implied, int *recurse_cnt)
705 {
706 sval_t left, right;
707 int left_known = 0;
708 int right_known = 0;
709
710 if (implied == RL_EXACT) {
711 if (get_value(expr->left, &left))
712 left_known = 1;
713 if (get_value(expr->right, &right))
714 right_known = 1;
715 } else {
716 if (get_implied_value_internal(expr->left, &left, recurse_cnt))
717 left_known = 1;
718 if (get_implied_value_internal(expr->right, &right, recurse_cnt))
719 right_known = 1;
720 }
721
722 switch (expr->op) {
723 case SPECIAL_LOGICAL_OR:
724 if (left_known && left.value)
725 return rl_one();
726 if (right_known && right.value)
727 return rl_one();
728 if (left_known && right_known)
729 return rl_zero();
730 break;
731 case SPECIAL_LOGICAL_AND:
732 if (left_known && right_known) {
733 if (left.value && right.value)
734 return rl_one();
735 return rl_zero();
736 }
737 break;
738 default:
739 return NULL;
740 }
741
742 if (implied == RL_EXACT)
743 return NULL;
744
745 return alloc_rl(zero, one);
746 }
747
748 static struct range_list *handle_conditional_rl(struct expression *expr, int implied, int *recurse_cnt)
749 {
750 struct range_list *true_rl, *false_rl;
751 struct symbol *type;
752 int final_pass_orig = final_pass;
753
754 if (known_condition_true(expr->conditional))
755 return _get_rl(expr->cond_true, implied, recurse_cnt);
756 if (known_condition_false(expr->conditional))
757 return _get_rl(expr->cond_false, implied, recurse_cnt);
758
759 if (implied == RL_EXACT)
760 return NULL;
761
762 if (implied_condition_true(expr->conditional))
763 return _get_rl(expr->cond_true, implied, recurse_cnt);
764 if (implied_condition_false(expr->conditional))
765 return _get_rl(expr->cond_false, implied, recurse_cnt);
766
767
768 /* this becomes a problem with deeply nested conditional statements */
769 if (low_on_memory())
770 return NULL;
771
772 type = get_type(expr);
773
774 __push_fake_cur_stree();
775 final_pass = 0;
776 __split_whole_condition(expr->conditional);
777 true_rl = _get_rl(expr->cond_true, implied, recurse_cnt);
778 __push_true_states();
779 __use_false_states();
780 false_rl = _get_rl(expr->cond_false, implied, recurse_cnt);
781 __merge_true_states();
782 __free_fake_cur_stree();
783 final_pass = final_pass_orig;
784
785 if (!true_rl || !false_rl)
786 return NULL;
787 true_rl = cast_rl(type, true_rl);
788 false_rl = cast_rl(type, false_rl);
789
790 return rl_union(true_rl, false_rl);
791 }
792
793 static int get_fuzzy_max_helper(struct expression *expr, sval_t *max)
794 {
795 struct smatch_state *state;
796 sval_t sval;
797
798 if (get_hard_max(expr, &sval)) {
799 *max = sval;
800 return 1;
801 }
802
803 state = get_extra_state(expr);
804 if (!state || !estate_has_fuzzy_max(state))
805 return 0;
806 *max = sval_cast(get_type(expr), estate_get_fuzzy_max(state));
807 return 1;
808 }
809
810 static int get_fuzzy_min_helper(struct expression *expr, sval_t *min)
811 {
812 struct smatch_state *state;
813 sval_t sval;
814
815 state = get_extra_state(expr);
816 if (!state || !estate_rl(state))
817 return 0;
818
819 sval = estate_min(state);
820 if (sval_is_negative(sval) && sval_is_min(sval))
821 return 0;
822
823 if (sval_is_max(sval))
824 return 0;
825
826 *min = sval_cast(get_type(expr), sval);
827 return 1;
828 }
829
830 int get_const_value(struct expression *expr, sval_t *sval)
831 {
832 struct symbol *sym;
833 sval_t right;
834
835 if (expr->type != EXPR_SYMBOL || !expr->symbol)
836 return 0;
837 sym = expr->symbol;
838 if (!(sym->ctype.modifiers & MOD_CONST))
839 return 0;
840 if (get_value(sym->initializer, &right)) {
841 *sval = sval_cast(get_type(expr), right);
842 return 1;
843 }
844 return 0;
845 }
846
847 struct range_list *var_to_absolute_rl(struct expression *expr)
848 {
849 struct smatch_state *state;
850 struct range_list *rl;
851
852 state = get_extra_state(expr);
853 if (!state || is_whole_rl(estate_rl(state))) {
854 state = get_real_absolute_state(expr);
855 if (state && state->data && !estate_is_whole(state))
856 return clone_rl(estate_rl(state));
857 if (get_local_rl(expr, &rl) && !is_whole_rl(rl))
858 return rl;
859 if (get_mtag_rl(expr, &rl))
860 return rl;
861 if (get_db_type_rl(expr, &rl) && !is_whole_rl(rl))
862 return rl;
863 return alloc_whole_rl(get_type(expr));
864 }
865 /* err on the side of saying things are possible */
866 if (!estate_rl(state))
867 return alloc_whole_rl(get_type(expr));
868 return clone_rl(estate_rl(state));
869 }
870
871 static struct range_list *handle_variable(struct expression *expr, int implied, int *recurse_cnt)
872 {
873 struct smatch_state *state;
874 struct range_list *rl;
875 sval_t sval, min, max;
876 struct symbol *type;
877
878 if (get_const_value(expr, &sval))
879 return alloc_rl(sval, sval);
880
881 if (custom_handle_variable) {
882 rl = custom_handle_variable(expr);
883 if (!rl)
884 return var_to_absolute_rl(expr);
885 return rl;
886 }
887
888 if (implied == RL_EXACT)
889 return NULL;
890
891 if (get_mtag_sval(expr, &sval))
892 return alloc_rl(sval, sval);
893
894 type = get_type(expr);
895 if (type && type->type == SYM_FN)
896 return alloc_rl(fn_ptr_min, fn_ptr_max);
897
898 switch (implied) {
899 case RL_HARD:
900 case RL_IMPLIED:
901 case RL_ABSOLUTE:
902 state = get_extra_state(expr);
903 if (!state || !state->data) {
904 if (implied == RL_HARD)
905 return NULL;
906 if (get_local_rl(expr, &rl))
907 return rl;
908 if (get_mtag_rl(expr, &rl))
909 return rl;
910 if (get_db_type_rl(expr, &rl))
911 return rl;
912 if (is_array(expr) && get_array_rl(expr, &rl))
913 return rl;
914 return NULL;
915 }
916 if (implied == RL_HARD && !estate_has_hard_max(state))
917 return NULL;
918 return clone_rl(estate_rl(state));
919 case RL_REAL_ABSOLUTE: {
920 struct smatch_state *abs_state;
921
922 state = get_extra_state(expr);
923 abs_state = get_real_absolute_state(expr);
924
925 if (estate_rl(state) && estate_rl(abs_state)) {
926 return clone_rl(rl_intersection(estate_rl(state),
927 estate_rl(abs_state)));
928 } else if (estate_rl(state)) {
929 return clone_rl(estate_rl(state));
930 } else if (estate_is_empty(state)) {
931 /*
932 * FIXME: we don't handle empty extra states correctly.
933 *
934 * The real abs rl is supposed to be filtered by the
935 * extra state if there is one. We don't bother keeping
936 * the abs state in sync all the time because we know it
937 * will be filtered later.
938 *
939 * It's not totally obvious to me how they should be
940 * handled. Perhaps we should take the whole rl and
941 * filter by the imaginary states. Perhaps we should
942 * just go with the empty state.
943 *
944 * Anyway what we currently do is return NULL here and
945 * that gets translated into the whole range in
946 * get_real_absolute_rl().
947 *
948 */
949 return NULL;
950 } else if (estate_rl(abs_state)) {
951 return clone_rl(estate_rl(abs_state));
952 }
953
954 if (get_local_rl(expr, &rl))
955 return rl;
956 if (get_mtag_rl(expr, &rl))
957 return rl;
958 if (get_db_type_rl(expr, &rl))
959 return rl;
960 if (is_array(expr) && get_array_rl(expr, &rl))
961 return rl;
962 return NULL;
963 }
964 case RL_FUZZY:
965 if (!get_fuzzy_min_helper(expr, &min))
966 min = sval_type_min(get_type(expr));
967 if (!get_fuzzy_max_helper(expr, &max))
968 return NULL;
969 /* fuzzy ranges are often inverted */
970 if (sval_cmp(min, max) > 0) {
971 sval = min;
972 min = max;
973 max = sval;
974 }
975 return alloc_rl(min, max);
976 }
977 return NULL;
978 }
979
980 static sval_t handle_sizeof(struct expression *expr)
981 {
982 struct symbol *sym;
983 sval_t ret;
984
985 ret = sval_blank(expr);
986 sym = expr->cast_type;
987 if (!sym) {
988 sym = evaluate_expression(expr->cast_expression);
989 if (!sym) {
990 __silence_warnings_for_stmt = true;
991 sym = &int_ctype;
992 }
993 #if 0
994 /*
995 * Expressions of restricted types will possibly get
996 * promoted - check that here. I'm not sure how this works,
997 * the problem is that sizeof(le16) shouldn't be promoted and
998 * the original code did that... Let's if zero this out and
999 * see what breaks.
1000 */
1001
1002 if (is_restricted_type(sym)) {
1003 if (type_bits(sym) < bits_in_int)
1004 sym = &int_ctype;
1005 }
1006 #endif
1007 if (is_fouled_type(sym))
1008 sym = &int_ctype;
1009 }
1010 examine_symbol_type(sym);
1011
1012 ret.type = size_t_ctype;
1013 if (type_bits(sym) <= 0) /* sizeof(void) */ {
1014 if (get_real_base_type(sym) == &void_ctype)
1015 ret.value = 1;
1016 else
1017 ret.value = 0;
1018 } else
1019 ret.value = type_bytes(sym);
1020
1021 return ret;
1022 }
1023
1024 static struct range_list *handle_strlen(struct expression *expr, int implied, int *recurse_cnt)
1025 {
1026 struct range_list *rl;
1027 struct expression *arg, *tmp;
1028 sval_t tag;
1029 sval_t ret = { .type = &ulong_ctype };
1030
1031 if (implied == RL_EXACT)
1032 return NULL;
1033
1034 arg = get_argument_from_call_expr(expr->args, 0);
1035 if (!arg)
1036 return NULL;
1037 if (arg->type == EXPR_STRING) {
1038 ret.value = arg->string->length - 1;
1039 return alloc_rl(ret, ret);
1040 }
1041 if (get_implied_value(arg, &tag) &&
1042 (tmp = fake_string_from_mtag(tag.uvalue))) {
1043 ret.value = tmp->string->length - 1;
1044 return alloc_rl(ret, ret);
1045 }
1046
1047 if (implied == RL_HARD || implied == RL_FUZZY)
1048 return NULL;
1049
1050 if (get_implied_return(expr, &rl))
1051 return rl;
1052
1053 return NULL;
1054 }
1055
1056 static struct range_list *handle_builtin_constant_p(struct expression *expr, int implied, int *recurse_cnt)
1057 {
1058 struct expression *arg;
1059 struct range_list *rl;
1060 sval_t sval;
1061
1062 arg = get_argument_from_call_expr(expr->args, 0);
1063 rl = _get_rl(arg, RL_EXACT, recurse_cnt);
1064 if (rl_to_sval(rl, &sval))
1065 return rl_one();
1066 return rl_zero();
1067 }
1068
1069 static struct range_list *handle__builtin_choose_expr(struct expression *expr, int implied, int *recurse_cnt)
1070 {
1071 struct expression *const_expr, *expr1, *expr2;
1072 sval_t sval;
1073
1074 const_expr = get_argument_from_call_expr(expr->args, 0);
1075 expr1 = get_argument_from_call_expr(expr->args, 1);
1076 expr2 = get_argument_from_call_expr(expr->args, 2);
1077
1078 if (!get_value(const_expr, &sval) || !expr1 || !expr2)
1079 return NULL;
1080 if (sval.value)
1081 return _get_rl(expr1, implied, recurse_cnt);
1082 return _get_rl(expr2, implied, recurse_cnt);
1083 }
1084
1085 static struct range_list *handle_call_rl(struct expression *expr, int implied, int *recurse_cnt)
1086 {
1087 struct range_list *rl;
1088
1089 if (sym_name_is("__builtin_constant_p", expr->fn))
1090 return handle_builtin_constant_p(expr, implied, recurse_cnt);
1091
1092 if (sym_name_is("__builtin_choose_expr", expr->fn))
1093 return handle__builtin_choose_expr(expr, implied, recurse_cnt);
1094
1095 if (sym_name_is("__builtin_expect", expr->fn) ||
1096 sym_name_is("__builtin_bswap16", expr->fn) ||
1097 sym_name_is("__builtin_bswap32", expr->fn) ||
1098 sym_name_is("__builtin_bswap64", expr->fn)) {
1099 struct expression *arg;
1100
1101 arg = get_argument_from_call_expr(expr->args, 0);
1102 return _get_rl(arg, implied, recurse_cnt);
1103 }
1104
1105 if (sym_name_is("strlen", expr->fn))
1106 return handle_strlen(expr, implied, recurse_cnt);
1107
1108 if (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY)
1109 return NULL;
1110
1111 if (custom_handle_variable) {
1112 rl = custom_handle_variable(expr);
1113 if (rl)
1114 return rl;
1115 }
1116
1117 if (get_implied_return(expr, &rl))
1118 return rl;
1119 return db_return_vals(expr);
1120 }
1121
1122 static struct range_list *handle_cast(struct expression *expr, int implied, int *recurse_cnt)
1123 {
1124 struct range_list *rl;
1125 struct symbol *type;
1126
1127 type = get_type(expr);
1128 rl = _get_rl(expr->cast_expression, implied, recurse_cnt);
1129 if (rl)
1130 return cast_rl(type, rl);
1131 if (implied == RL_ABSOLUTE || implied == RL_REAL_ABSOLUTE)
1132 return alloc_whole_rl(type);
1133 if (implied == RL_IMPLIED && type &&
1134 type_bits(type) > 0 && type_bits(type) < 32)
1135 return alloc_whole_rl(type);
1136 return NULL;
1137 }
1138
1139 static struct range_list *_get_rl(struct expression *expr, int implied, int *recurse_cnt)
1140 {
1141 struct range_list *rl;
1142 struct symbol *type;
1143 sval_t sval;
1144
1145 type = get_type(expr);
1146 expr = strip_parens(expr);
1147 if (!expr)
1148 return NULL;
1149
1150 if (++(*recurse_cnt) >= 200)
1151 return NULL;
1152
1153 switch(expr->type) {
1154 case EXPR_CAST:
1155 case EXPR_FORCE_CAST:
1156 case EXPR_IMPLIED_CAST:
1157 rl = handle_cast(expr, implied, recurse_cnt);
1158 goto out_cast;
1159 }
1160
1161 expr = strip_expr(expr);
1162 if (!expr)
1163 return NULL;
1164
1165 switch (expr->type) {
1166 case EXPR_VALUE:
1167 sval = sval_from_val(expr, expr->value);
1168 rl = alloc_rl(sval, sval);
1169 break;
1170 case EXPR_PREOP:
1171 rl = handle_preop_rl(expr, implied, recurse_cnt);
1172 break;
1173 case EXPR_POSTOP:
1174 rl = _get_rl(expr->unop, implied, recurse_cnt);
1175 break;
1176 case EXPR_BINOP:
1177 rl = handle_binop_rl(expr, implied, recurse_cnt);
1178 break;
1179 case EXPR_COMPARE:
1180 rl = handle_comparison_rl(expr, implied, recurse_cnt);
1181 break;
1182 case EXPR_LOGICAL:
1183 rl = handle_logical_rl(expr, implied, recurse_cnt);
1184 break;
1185 case EXPR_PTRSIZEOF:
1186 case EXPR_SIZEOF:
1187 sval = handle_sizeof(expr);
1188 rl = alloc_rl(sval, sval);
1189 break;
1190 case EXPR_SELECT:
1191 case EXPR_CONDITIONAL:
1192 rl = handle_conditional_rl(expr, implied, recurse_cnt);
1193 break;
1194 case EXPR_CALL:
1195 rl = handle_call_rl(expr, implied, recurse_cnt);
1196 break;
1197 case EXPR_STRING:
1198 rl = NULL;
1199 if (get_mtag_sval(expr, &sval))
1200 rl = alloc_rl(sval, sval);
1201 break;
1202 default:
1203 rl = handle_variable(expr, implied, recurse_cnt);
1204 }
1205
1206 out_cast:
1207 if (rl)
1208 return rl;
1209 if (type && (implied == RL_ABSOLUTE || implied == RL_REAL_ABSOLUTE))
1210 return alloc_whole_rl(type);
1211 return NULL;
1212 }
1213
1214 struct {
1215 struct expression *expr;
1216 struct range_list *rl;
1217 } cached_results[24];
1218 static int cache_idx;
1219
1220 void clear_math_cache(void)
1221 {
1222 memset(cached_results, 0, sizeof(cached_results));
1223 }
1224
1225 /* returns 1 if it can get a value literal or else returns 0 */
1226 int get_value(struct expression *expr, sval_t *sval)
1227 {
1228 struct range_list *(*orig_custom_fn)(struct expression *expr);
1229 struct range_list *rl;
1230 int recurse_cnt = 0;
1231 sval_t tmp;
1232 int i;
1233
1234 /*
1235 * This only handles RL_EXACT because other expr statements can be
1236 * different at different points. Like the list iterator, for example.
1237 */
1238 for (i = 0; i < ARRAY_SIZE(cached_results); i++) {
1239 if (expr == cached_results[i].expr)
1240 return rl_to_sval(cached_results[i].rl, sval);
1241 }
1242
1243 orig_custom_fn = custom_handle_variable;
1244 custom_handle_variable = NULL;
1245 rl = _get_rl(expr, RL_EXACT, &recurse_cnt);
1246 if (!rl_to_sval(rl, &tmp))
1247 rl = NULL;
1248 custom_handle_variable = orig_custom_fn;
1249
1250 cached_results[cache_idx].expr = expr;
1251 cached_results[cache_idx].rl = rl;
1252 cache_idx = (cache_idx + 1) % ARRAY_SIZE(cached_results);
1253
1254 if (!rl)
1255 return 0;
1256
1257 *sval = tmp;
1258 return 1;
1259 }
1260
1261 static int get_implied_value_internal(struct expression *expr, sval_t *sval, int *recurse_cnt)
1262 {
1263 struct range_list *rl;
1264
1265 rl = _get_rl(expr, RL_IMPLIED, recurse_cnt);
1266 if (!rl_to_sval(rl, sval))
1267 return 0;
1268 return 1;
1269 }
1270
1271 int get_implied_value(struct expression *expr, sval_t *sval)
1272 {
1273 struct range_list *rl;
1274 int recurse_cnt = 0;
1275
1276 rl = _get_rl(expr, RL_IMPLIED, &recurse_cnt);
1277 if (!rl_to_sval(rl, sval))
1278 return 0;
1279 return 1;
1280 }
1281
1282 int get_implied_min(struct expression *expr, sval_t *sval)
1283 {
1284 struct range_list *rl;
1285 int recurse_cnt = 0;
1286
1287 rl = _get_rl(expr, RL_IMPLIED, &recurse_cnt);
1288 if (!rl)
1289 return 0;
1290 *sval = rl_min(rl);
1291 return 1;
1292 }
1293
1294 int get_implied_max(struct expression *expr, sval_t *sval)
1295 {
1296 struct range_list *rl;
1297 int recurse_cnt = 0;
1298
1299 rl = _get_rl(expr, RL_IMPLIED, &recurse_cnt);
1300 if (!rl)
1301 return 0;
1302 *sval = rl_max(rl);
1303 return 1;
1304 }
1305
1306 int get_implied_rl(struct expression *expr, struct range_list **rl)
1307 {
1308 int recurse_cnt = 0;
1309
1310 *rl = _get_rl(expr, RL_IMPLIED, &recurse_cnt);
1311 if (*rl)
1312 return 1;
1313 return 0;
1314 }
1315
1316 static int get_absolute_rl_internal(struct expression *expr, struct range_list **rl, int *recurse_cnt)
1317 {
1318 *rl = _get_rl(expr, RL_ABSOLUTE, recurse_cnt);
1319 if (!*rl)
1320 *rl = alloc_whole_rl(get_type(expr));
1321 return 1;
1322 }
1323
1324 int get_absolute_rl(struct expression *expr, struct range_list **rl)
1325 {
1326 int recurse_cnt = 0;
1327
1328 *rl = _get_rl(expr, RL_ABSOLUTE, &recurse_cnt);
1329 if (!*rl)
1330 *rl = alloc_whole_rl(get_type(expr));
1331 return 1;
1332 }
1333
1334 int get_real_absolute_rl(struct expression *expr, struct range_list **rl)
1335 {
1336 int recurse_cnt = 0;
1337
1338 *rl = _get_rl(expr, RL_REAL_ABSOLUTE, &recurse_cnt);
1339 if (!*rl)
1340 *rl = alloc_whole_rl(get_type(expr));
1341 return 1;
1342 }
1343
1344 int custom_get_absolute_rl(struct expression *expr,
1345 struct range_list *(*fn)(struct expression *expr),
1346 struct range_list **rl)
1347 {
1348 int recurse_cnt = 0;
1349
1350 *rl = NULL;
1351 custom_handle_variable = fn;
1352 *rl = _get_rl(expr, RL_REAL_ABSOLUTE, &recurse_cnt);
1353 custom_handle_variable = NULL;
1354 return 1;
1355 }
1356
1357 int get_implied_rl_var_sym(const char *var, struct symbol *sym, struct range_list **rl)
1358 {
1359 struct smatch_state *state;
1360
1361 state = get_state(SMATCH_EXTRA, var, sym);
1362 *rl = estate_rl(state);
1363 if (*rl)
1364 return 1;
1365 return 0;
1366 }
1367
1368 int get_hard_max(struct expression *expr, sval_t *sval)
1369 {
1370 struct range_list *rl;
1371 int recurse_cnt = 0;
1372
1373 rl = _get_rl(expr, RL_HARD, &recurse_cnt);
1374 if (!rl)
1375 return 0;
1376 *sval = rl_max(rl);
1377 return 1;
1378 }
1379
1380 int get_fuzzy_min(struct expression *expr, sval_t *sval)
1381 {
1382 struct range_list *rl;
1383 sval_t tmp;
1384 int recurse_cnt = 0;
1385
1386 rl = _get_rl(expr, RL_FUZZY, &recurse_cnt);
1387 if (!rl)
1388 return 0;
1389 tmp = rl_min(rl);
1390 if (sval_is_negative(tmp) && sval_is_min(tmp))
1391 return 0;
1392 *sval = tmp;
1393 return 1;
1394 }
1395
1396 int get_fuzzy_max(struct expression *expr, sval_t *sval)
1397 {
1398 struct range_list *rl;
1399 sval_t max;
1400 int recurse_cnt = 0;
1401
1402 rl = _get_rl(expr, RL_FUZZY, &recurse_cnt);
1403 if (!rl)
1404 return 0;
1405 max = rl_max(rl);
1406 if (max.uvalue > INT_MAX - 10000)
1407 return 0;
1408 *sval = max;
1409 return 1;
1410 }
1411
1412 int get_absolute_min(struct expression *expr, sval_t *sval)
1413 {
1414 struct range_list *rl;
1415 struct symbol *type;
1416 int recurse_cnt = 0;
1417
1418 type = get_type(expr);
1419 if (!type)
1420 type = &llong_ctype; // FIXME: this is wrong but places assume get type can't fail.
1421 rl = _get_rl(expr, RL_REAL_ABSOLUTE, &recurse_cnt);
1422 if (rl)
1423 *sval = rl_min(rl);
1424 else
1425 *sval = sval_type_min(type);
1426
1427 if (sval_cmp(*sval, sval_type_min(type)) < 0)
1428 *sval = sval_type_min(type);
1429 return 1;
1430 }
1431
1432 int get_absolute_max(struct expression *expr, sval_t *sval)
1433 {
1434 struct range_list *rl;
1435 struct symbol *type;
1436 int recurse_cnt = 0;
1437
1438 type = get_type(expr);
1439 if (!type)
1440 type = &llong_ctype;
1441 rl = _get_rl(expr, RL_REAL_ABSOLUTE, &recurse_cnt);
1442 if (rl)
1443 *sval = rl_max(rl);
1444 else
1445 *sval = sval_type_max(type);
1446
1447 if (sval_cmp(sval_type_max(type), *sval) < 0)
1448 *sval = sval_type_max(type);
1449 return 1;
1450 }
1451
1452 int known_condition_true(struct expression *expr)
1453 {
1454 sval_t tmp;
1455
1456 if (!expr)
1457 return 0;
1458
1459 if (get_value(expr, &tmp) && tmp.value)
1460 return 1;
1461
1462 return 0;
1463 }
1464
1465 int known_condition_false(struct expression *expr)
1466 {
1467 if (!expr)
1468 return 0;
1469
1470 if (is_zero(expr))
1471 return 1;
1472
1473 return 0;
1474 }
1475
1476 int implied_condition_true(struct expression *expr)
1477 {
1478 sval_t tmp;
1479
1480 if (!expr)
1481 return 0;
1482
1483 if (known_condition_true(expr))
1484 return 1;
1485 if (get_implied_value(expr, &tmp) && tmp.value)
1486 return 1;
1487
1488 if (expr->type == EXPR_POSTOP)
1489 return implied_condition_true(expr->unop);
1490
1491 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_DECREMENT)
1492 return implied_not_equal(expr->unop, 1);
1493 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_INCREMENT)
1494 return implied_not_equal(expr->unop, -1);
1495
1496 expr = strip_expr(expr);
1497 switch (expr->type) {
1498 case EXPR_COMPARE:
1499 if (do_comparison(expr) == 1)
1500 return 1;
1501 break;
1502 case EXPR_PREOP:
1503 if (expr->op == '!') {
1504 if (implied_condition_false(expr->unop))
1505 return 1;
1506 break;
1507 }
1508 break;
1509 default:
1510 if (implied_not_equal(expr, 0) == 1)
1511 return 1;
1512 break;
1513 }
1514 return 0;
1515 }
1516
1517 int implied_condition_false(struct expression *expr)
1518 {
1519 struct expression *tmp;
1520 sval_t sval;
1521
1522 if (!expr)
1523 return 0;
1524
1525 if (known_condition_false(expr))
1526 return 1;
1527
1528 switch (expr->type) {
1529 case EXPR_COMPARE:
1530 if (do_comparison(expr) == 2)
1531 return 1;
1532 case EXPR_PREOP:
1533 if (expr->op == '!') {
1534 if (implied_condition_true(expr->unop))
1535 return 1;
1536 break;
1537 }
1538 tmp = strip_expr(expr);
1539 if (tmp != expr)
1540 return implied_condition_false(tmp);
1541 break;
1542 default:
1543 if (get_implied_value(expr, &sval) && sval.value == 0)
1544 return 1;
1545 break;
1546 }
1547 return 0;
1548 }
1549
1550 int can_integer_overflow(struct symbol *type, struct expression *expr)
1551 {
1552 int op;
1553 sval_t lmax, rmax, res;
1554
1555 if (!type)
1556 type = &int_ctype;
1557
1558 expr = strip_expr(expr);
1559
1560 if (expr->type == EXPR_ASSIGNMENT) {
1561 switch(expr->op) {
1562 case SPECIAL_MUL_ASSIGN:
1563 op = '*';
1564 break;
1565 case SPECIAL_ADD_ASSIGN:
1566 op = '+';
1567 break;
1568 case SPECIAL_SHL_ASSIGN:
1569 op = SPECIAL_LEFTSHIFT;
1570 break;
1571 default:
1572 return 0;
1573 }
1574 } else if (expr->type == EXPR_BINOP) {
1575 if (expr->op != '*' && expr->op != '+' && expr->op != SPECIAL_LEFTSHIFT)
1576 return 0;
1577 op = expr->op;
1578 } else {
1579 return 0;
1580 }
1581
1582 get_absolute_max(expr->left, &lmax);
1583 get_absolute_max(expr->right, &rmax);
1584
1585 if (sval_binop_overflows(lmax, op, rmax))
1586 return 1;
1587
1588 res = sval_binop(lmax, op, rmax);
1589 if (sval_cmp(res, sval_type_max(type)) > 0)
1590 return 1;
1591 return 0;
1592 }
Static analysis for C