search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
buf_size: improve resizable struct handling
[smatch.git] / smatch_math.c
blob0ea3a7e814103a075114ee56d7e546cc46a0b3c5
1 /*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 #include "symbol.h"
19 #include "smatch.h"
20 #include "smatch_slist.h"
21 #include "smatch_extra.h"
22
23 static struct range_list *_get_rl(struct expression *expr, int implied);
24 static struct range_list *handle_variable(struct expression *expr, int implied);
25 static struct range_list *(*custom_handle_variable)(struct expression *expr);
26
27 static sval_t zero = {.type = &int_ctype, {.value = 0} };
28 static sval_t one = {.type = &int_ctype, {.value = 1} };
29
30 struct range_list *rl_zero(void)
31 {
32 return alloc_rl(zero, zero);
33 }
34
35 struct range_list *rl_one(void)
36 {
37 return alloc_rl(one, one);
38 }
39
40 enum {
41 RL_EXACT,
42 RL_HARD,
43 RL_FUZZY,
44 RL_IMPLIED,
45 RL_ABSOLUTE
46 };
47
48 static struct range_list *last_stmt_rl(struct statement *stmt, int implied)
49 {
50 if (!stmt)
51 return NULL;
52
53 stmt = last_ptr_list((struct ptr_list *)stmt->stmts);
54 if (stmt->type != STMT_EXPRESSION)
55 return NULL;
56 return _get_rl(stmt->expression, implied);
57 }
58
59 static struct range_list *handle_expression_statement_rl(struct expression *expr, int implied)
60 {
61 return last_stmt_rl(get_expression_statement(expr), implied);
62 }
63
64 static struct range_list *handle_ampersand_rl(struct expression *expr, int implied)
65 {
66 struct range_list *rl;
67
68 if (implied == RL_EXACT || implied == RL_HARD)
69 return NULL;
70 if (get_address_rl(expr, &rl))
71 return rl;
72 return alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
73 }
74
75 static struct range_list *handle_negate_rl(struct expression *expr, int implied)
76 {
77 if (known_condition_true(expr->unop))
78 return rl_zero();
79 if (known_condition_false(expr->unop))
80 return rl_one();
81
82 if (implied == RL_EXACT)
83 return NULL;
84
85 if (implied_condition_true(expr->unop))
86 return rl_zero();
87 if (implied_condition_false(expr->unop))
88 return rl_one();
89 return alloc_rl(zero, one);
90 }
91
92 static struct range_list *handle_bitwise_negate(struct expression *expr, int implied)
93 {
94 struct range_list *rl;
95 sval_t sval;
96
97 rl = _get_rl(expr->unop, implied);
98 if (!rl_to_sval(rl, &sval))
99 return NULL;
100 sval = sval_preop(sval, '~');
101 sval_cast(get_type(expr->unop), sval);
102 return alloc_rl(sval, sval);
103 }
104
105 static struct range_list *handle_minus_preop(struct expression *expr, int implied)
106 {
107 struct range_list *rl;
108 sval_t sval;
109
110 rl = _get_rl(expr->unop, implied);
111 if (!rl_to_sval(rl, &sval))
112 return NULL;
113 sval = sval_preop(sval, '-');
114 return alloc_rl(sval, sval);
115 }
116
117 static struct range_list *handle_preop_rl(struct expression *expr, int implied)
118 {
119 switch (expr->op) {
120 case '&':
121 return handle_ampersand_rl(expr, implied);
122 case '!':
123 return handle_negate_rl(expr, implied);
124 case '~':
125 return handle_bitwise_negate(expr, implied);
126 case '-':
127 return handle_minus_preop(expr, implied);
128 case '*':
129 return handle_variable(expr, implied);
130 case '(':
131 return handle_expression_statement_rl(expr, implied);
132 default:
133 return NULL;
134 }
135 }
136
137 static struct range_list *handle_divide_rl(struct expression *expr, int implied)
138 {
139 struct range_list *left_rl, *right_rl;
140 struct symbol *type;
141
142 type = get_type(expr);
143
144 left_rl = _get_rl(expr->left, implied);
145 left_rl = cast_rl(type, left_rl);
146 right_rl = _get_rl(expr->right, implied);
147 right_rl = cast_rl(type, right_rl);
148
149 if (!left_rl || !right_rl)
150 return NULL;
151 if (is_whole_rl(left_rl) || is_whole_rl(right_rl))
152 return NULL;
153
154 return rl_binop(left_rl, '/', right_rl);
155 }
156
157 static struct range_list *handle_subtract_rl(struct expression *expr, int implied)
158 {
159 struct symbol *type;
160 struct range_list *left_rl, *right_rl;
161 sval_t max, min, tmp;
162 int comparison;
163
164 type = get_type(expr);
165 comparison = get_comparison(expr->left, expr->right);
166
167 left_rl = _get_rl(expr->left, implied);
168 left_rl = cast_rl(type, left_rl);
169 right_rl = _get_rl(expr->right, implied);
170 right_rl = cast_rl(type, right_rl);
171
172 if ((!left_rl || !right_rl) &&
173 (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY))
174 return NULL;
175
176 if (!left_rl)
177 left_rl = alloc_whole_rl(type);
178 if (!right_rl)
179 right_rl = alloc_whole_rl(type);
180
181 /* negative values complicate everything fix this later */
182 if (sval_is_negative(rl_min(right_rl)))
183 return NULL;
184 max = rl_max(left_rl);
185
186 switch (comparison) {
187 case '>':
188 case SPECIAL_UNSIGNED_GT:
189 min = sval_type_val(type, 1);
190 max = rl_max(left_rl);
191 break;
192 case SPECIAL_GTE:
193 case SPECIAL_UNSIGNED_GTE:
194 min = sval_type_val(type, 0);
195 max = rl_max(left_rl);
196 break;
197 default:
198 if (sval_binop_overflows(rl_min(left_rl), '-', rl_max(right_rl)))
199 return NULL;
200 min = sval_type_min(type);
201 }
202
203 if (!sval_binop_overflows(rl_min(left_rl), '-', rl_max(right_rl))) {
204 tmp = sval_binop(rl_min(left_rl), '-', rl_max(right_rl));
205 if (sval_cmp(tmp, min) > 0)
206 min = tmp;
207 }
208
209 if (!sval_is_max(rl_max(left_rl))) {
210 tmp = sval_binop(rl_max(left_rl), '-', rl_min(right_rl));
211 if (sval_cmp(tmp, max) < 0)
212 max = tmp;
213 }
214
215 if (sval_is_min(min) && sval_is_max(max))
216 return NULL;
217
218 return cast_rl(type, alloc_rl(min, max));
219 }
220
221 static struct range_list *handle_mod_rl(struct expression *expr, int implied)
222 {
223 struct range_list *rl;
224 sval_t left, right, sval;
225
226 if (implied == RL_EXACT) {
227 if (!get_value(expr->right, &right))
228 return NULL;
229 if (!get_value(expr->left, &left))
230 return NULL;
231 sval = sval_binop(left, '%', right);
232 return alloc_rl(sval, sval);
233 }
234 /* if we can't figure out the right side it's probably hopeless */
235 if (!get_implied_value(expr->right, &right))
236 return NULL;
237
238 right = sval_cast(get_type(expr), right);
239 right.value--;
240
241 rl = _get_rl(expr->left, implied);
242 if (rl && rl_max(rl).uvalue < right.uvalue)
243 right.uvalue = rl_max(rl).uvalue;
244
245 return alloc_rl(zero, right);
246 }
247
248 static sval_t sval_lowest_set_bit(sval_t sval)
249 {
250 int i;
251 int found = 0;
252
253 for (i = 0; i < 64; i++) {
254 if (sval.uvalue & 1ULL << i) {
255 if (!found++)
256 continue;
257 sval.uvalue &= ~(1ULL << i);
258 }
259 }
260 return sval;
261 }
262
263 static struct range_list *handle_bitwise_AND(struct expression *expr, int implied)
264 {
265 struct symbol *type;
266 struct range_list *left_rl, *right_rl;
267 sval_t known;
268
269 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE)
270 return NULL;
271
272 type = get_type(expr);
273
274 if (get_implied_value(expr->left, &known)) {
275 sval_t min;
276
277 min = sval_lowest_set_bit(known);
278 left_rl = alloc_rl(min, known);
279 left_rl = cast_rl(type, left_rl);
280 add_range(&left_rl, sval_type_val(type, 0), sval_type_val(type, 0));
281 } else {
282 left_rl = _get_rl(expr->left, implied);
283 if (left_rl) {
284 left_rl = cast_rl(type, left_rl);
285 left_rl = alloc_rl(sval_type_val(type, 0), rl_max(left_rl));
286 } else {
287 if (implied == RL_HARD)
288 return NULL;
289 left_rl = alloc_whole_rl(type);
290 }
291 }
292
293 if (get_implied_value(expr->right, &known)) {
294 sval_t min, left_max, mod;
295
296 min = sval_lowest_set_bit(known);
297 right_rl = alloc_rl(min, known);
298 right_rl = cast_rl(type, right_rl);
299 add_range(&right_rl, sval_type_val(type, 0), sval_type_val(type, 0));
300
301 if (min.value != 0) {
302 left_max = rl_max(left_rl);
303 mod = sval_binop(left_max, '%', min);
304 if (mod.value) {
305 left_max = sval_binop(left_max, '-', mod);
306 left_max.value++;
307 if (left_max.value > 0 && sval_cmp(left_max, rl_max(left_rl)) < 0)
308 left_rl = remove_range(left_rl, left_max, rl_max(left_rl));
309 }
310 }
311 } else {
312 right_rl = _get_rl(expr->right, implied);
313 if (right_rl) {
314 right_rl = cast_rl(type, right_rl);
315 right_rl = alloc_rl(sval_type_val(type, 0), rl_max(right_rl));
316 } else {
317 if (implied == RL_HARD)
318 return NULL;
319 right_rl = alloc_whole_rl(type);
320 }
321 }
322
323 return rl_intersection(left_rl, right_rl);
324 }
325
326 static struct range_list *handle_bitwise_OR(struct expression *expr, int implied)
327 {
328 struct symbol *type;
329 struct range_list *left_rl, *right_rl;
330
331 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE)
332 return NULL;
333
334 type = get_type(expr);
335
336 get_absolute_rl(expr->left, &left_rl);
337 get_absolute_rl(expr->right, &right_rl);
338 left_rl = cast_rl(type, left_rl);
339 right_rl = cast_rl(type, right_rl);
340 if (!left_rl || !right_rl)
341 return NULL;
342
343 return rl_binop(left_rl, '|', right_rl);
344 }
345
346 static struct range_list *handle_right_shift(struct expression *expr, int implied)
347 {
348 struct range_list *left_rl;
349 sval_t right;
350 sval_t min, max;
351
352 if (implied == RL_EXACT || implied == RL_HARD)
353 return NULL;
354
355 left_rl = _get_rl(expr->left, implied);
356 if (left_rl) {
357 max = rl_max(left_rl);
358 min = rl_min(left_rl);
359 } else {
360 if (implied == RL_FUZZY)
361 return NULL;
362 max = sval_type_max(get_type(expr->left));
363 min = sval_type_val(get_type(expr->left), 0);
364 }
365
366 if (get_implied_value(expr->right, &right)) {
367 min = sval_binop(min, SPECIAL_RIGHTSHIFT, right);
368 max = sval_binop(max, SPECIAL_RIGHTSHIFT, right);
369 } else if (!sval_is_negative(min)) {
370 min.value = 0;
371 max = sval_type_max(max.type);
372 } else {
373 return NULL;
374 }
375
376 return alloc_rl(min, max);
377 }
378
379 static struct range_list *handle_left_shift(struct expression *expr, int implied)
380 {
381 struct range_list *left_rl, *res;
382 sval_t right;
383 sval_t min, max;
384 int add_zero = 0;
385
386 if (implied == RL_EXACT || implied == RL_HARD)
387 return NULL;
388 /* this is hopeless without the right side */
389 if (!get_implied_value(expr->right, &right))
390 return NULL;
391 left_rl = _get_rl(expr->left, implied);
392 if (left_rl) {
393 max = rl_max(left_rl);
394 min = rl_min(left_rl);
395 if (min.value == 0) {
396 min.value = 1;
397 add_zero = 1;
398 }
399 } else {
400 if (implied == RL_FUZZY)
401 return NULL;
402 max = sval_type_max(get_type(expr->left));
403 min = sval_type_val(get_type(expr->left), 1);
404 add_zero = 1;
405 }
406
407 max = sval_binop(max, SPECIAL_LEFTSHIFT, right);
408 min = sval_binop(min, SPECIAL_LEFTSHIFT, right);
409 res = alloc_rl(min, max);
410 if (add_zero)
411 res = rl_union(res, rl_zero());
412 return res;
413 }
414
415 static struct range_list *handle_known_binop(struct expression *expr)
416 {
417 sval_t left, right;
418
419 if (!get_value(expr->left, &left))
420 return NULL;
421 if (!get_value(expr->right, &right))
422 return NULL;
423 left = sval_binop(left, expr->op, right);
424 return alloc_rl(left, left);
425 }
426
427 static int has_actual_ranges(struct range_list *rl)
428 {
429 struct data_range *tmp;
430
431 FOR_EACH_PTR(rl, tmp) {
432 if (sval_cmp(tmp->min, tmp->max) != 0)
433 return 1;
434 } END_FOR_EACH_PTR(tmp);
435 return 0;
436 }
437
438 static struct range_list *handle_implied_binop(struct range_list *left_rl, int op, struct range_list *right_rl)
439 {
440 struct range_list *res_rl;
441 struct data_range *left_drange, *right_drange;
442 sval_t res;
443
444 if (!left_rl || !right_rl)
445 return NULL;
446 if (has_actual_ranges(left_rl))
447 return NULL;
448 if (has_actual_ranges(right_rl))
449 return NULL;
450
451 if (ptr_list_size((struct ptr_list *)left_rl) * ptr_list_size((struct ptr_list *)right_rl) > 20)
452 return NULL;
453
454 res_rl = NULL;
455
456 FOR_EACH_PTR(left_rl, left_drange) {
457 FOR_EACH_PTR(right_rl, right_drange) {
458 if ((op == '%' || op == '/') &&
459 right_drange->min.value == 0)
460 return NULL;
461 res = sval_binop(left_drange->min, op, right_drange->min);
462 add_range(&res_rl, res, res);
463 } END_FOR_EACH_PTR(right_drange);
464 } END_FOR_EACH_PTR(left_drange);
465
466 return res_rl;
467 }
468
469 static struct range_list *handle_binop_rl(struct expression *expr, int implied)
470 {
471 struct symbol *type;
472 struct range_list *left_rl, *right_rl, *rl;
473 sval_t min, max;
474
475 rl = handle_known_binop(expr);
476 if (rl)
477 return rl;
478 if (implied == RL_EXACT)
479 return NULL;
480
481 type = get_type(expr);
482 left_rl = _get_rl(expr->left, implied);
483 left_rl = cast_rl(type, left_rl);
484 right_rl = _get_rl(expr->right, implied);
485 right_rl = cast_rl(type, right_rl);
486
487 rl = handle_implied_binop(left_rl, expr->op, right_rl);
488 if (rl)
489 return rl;
490
491 switch (expr->op) {
492 case '%':
493 return handle_mod_rl(expr, implied);
494 case '&':
495 return handle_bitwise_AND(expr, implied);
496 case '|':
497 return handle_bitwise_OR(expr, implied);
498 case SPECIAL_RIGHTSHIFT:
499 return handle_right_shift(expr, implied);
500 case SPECIAL_LEFTSHIFT:
501 return handle_left_shift(expr, implied);
502 case '-':
503 return handle_subtract_rl(expr, implied);
504 case '/':
505 return handle_divide_rl(expr, implied);
506 }
507
508 if (!left_rl || !right_rl)
509 return NULL;
510
511 if (sval_binop_overflows(rl_min(left_rl), expr->op, rl_min(right_rl)))
512 return NULL;
513 min = sval_binop(rl_min(left_rl), expr->op, rl_min(right_rl));
514
515 if (sval_binop_overflows(rl_max(left_rl), expr->op, rl_max(right_rl))) {
516 switch (implied) {
517 case RL_FUZZY:
518 case RL_HARD:
519 return NULL;
520 default:
521 max = sval_type_max(get_type(expr));
522 }
523 } else {
524 max = sval_binop(rl_max(left_rl), expr->op, rl_max(right_rl));
525 }
526
527 return alloc_rl(min, max);
528 }
529
530 static int do_comparison(struct expression *expr)
531 {
532 struct range_list *left_ranges = NULL;
533 struct range_list *right_ranges = NULL;
534 int poss_true, poss_false;
535 struct symbol *type;
536
537 type = get_type(expr);
538 get_absolute_rl(expr->left, &left_ranges);
539 get_absolute_rl(expr->right, &right_ranges);
540
541 left_ranges = cast_rl(type, left_ranges);
542 right_ranges = cast_rl(type, right_ranges);
543
544 poss_true = possibly_true_rl(left_ranges, expr->op, right_ranges);
545 poss_false = possibly_false_rl(left_ranges, expr->op, right_ranges);
546
547 free_rl(&left_ranges);
548 free_rl(&right_ranges);
549
550 if (!poss_true && !poss_false)
551 return 0x0;
552 if (poss_true && !poss_false)
553 return 0x1;
554 if (!poss_true && poss_false)
555 return 0x2;
556 return 0x3;
557 }
558
559 static struct range_list *handle_comparison_rl(struct expression *expr, int implied)
560 {
561 sval_t left, right;
562 int res;
563
564 if (get_value(expr->left, &left) && get_value(expr->right, &right)) {
565 struct data_range tmp_left, tmp_right;
566
567 tmp_left.min = left;
568 tmp_left.max = left;
569 tmp_right.min = right;
570 tmp_right.max = right;
571 if (true_comparison_range(&tmp_left, expr->op, &tmp_right))
572 return rl_one();
573 return rl_zero();
574 }
575
576 if (implied == RL_EXACT)
577 return NULL;
578
579 res = do_comparison(expr);
580 if (res == 1)
581 return rl_one();
582 if (res == 2)
583 return rl_zero();
584
585 return alloc_rl(zero, one);
586 }
587
588 static struct range_list *handle_logical_rl(struct expression *expr, int implied)
589 {
590 sval_t left, right;
591 int left_known = 0;
592 int right_known = 0;
593
594 if (implied == RL_EXACT) {
595 if (get_value(expr->left, &left))
596 left_known = 1;
597 if (get_value(expr->right, &right))
598 right_known = 1;
599 } else {
600 if (get_implied_value(expr->left, &left))
601 left_known = 1;
602 if (get_implied_value(expr->right, &right))
603 right_known = 1;
604 }
605
606 switch (expr->op) {
607 case SPECIAL_LOGICAL_OR:
608 if (left_known && left.value)
609 return rl_one();
610 if (right_known && right.value)
611 return rl_one();
612 if (left_known && right_known)
613 return rl_zero();
614 break;
615 case SPECIAL_LOGICAL_AND:
616 if (left_known && right_known) {
617 if (left.value && right.value)
618 return rl_one();
619 return rl_zero();
620 }
621 break;
622 default:
623 return NULL;
624 }
625
626 if (implied == RL_EXACT)
627 return NULL;
628
629 return alloc_rl(zero, one);
630 }
631
632 static struct range_list *handle_conditional_rl(struct expression *expr, int implied)
633 {
634 struct range_list *true_rl, *false_rl;
635 struct symbol *type;
636 int final_pass_orig = final_pass;
637
638 if (known_condition_true(expr->conditional))
639 return _get_rl(expr->cond_true, implied);
640 if (known_condition_false(expr->conditional))
641 return _get_rl(expr->cond_false, implied);
642
643 if (implied == RL_EXACT)
644 return NULL;
645
646 if (implied_condition_true(expr->conditional))
647 return _get_rl(expr->cond_true, implied);
648 if (implied_condition_false(expr->conditional))
649 return _get_rl(expr->cond_false, implied);
650
651
652 /* this becomes a problem with deeply nested conditional statements */
653 if (low_on_memory())
654 return NULL;
655
656 type = get_type(expr);
657
658 __push_fake_cur_stree();
659 final_pass = 0;
660 __split_whole_condition(expr->conditional);
661 true_rl = _get_rl(expr->cond_true, implied);
662 __push_true_states();
663 __use_false_states();
664 false_rl = _get_rl(expr->cond_false, implied);
665 __merge_true_states();
666 __free_fake_cur_stree();
667 final_pass = final_pass_orig;
668
669 if (!true_rl || !false_rl)
670 return NULL;
671 true_rl = cast_rl(type, true_rl);
672 false_rl = cast_rl(type, false_rl);
673
674 return rl_union(true_rl, false_rl);
675 }
676
677 static int get_fuzzy_max_helper(struct expression *expr, sval_t *max)
678 {
679 struct smatch_state *state;
680 sval_t sval;
681
682 if (get_hard_max(expr, &sval)) {
683 *max = sval;
684 return 1;
685 }
686
687 state = get_extra_state(expr);
688 if (!state || !estate_has_fuzzy_max(state))
689 return 0;
690 *max = sval_cast(get_type(expr), estate_get_fuzzy_max(state));
691 return 1;
692 }
693
694 static int get_fuzzy_min_helper(struct expression *expr, sval_t *min)
695 {
696 struct smatch_state *state;
697 sval_t sval;
698
699 state = get_extra_state(expr);
700 if (!state || !estate_rl(state))
701 return 0;
702
703 sval = estate_min(state);
704 if (sval_is_negative(sval) && sval_is_min(sval))
705 return 0;
706
707 if (sval_is_max(sval))
708 return 0;
709
710 *min = sval_cast(get_type(expr), sval);
711 return 1;
712 }
713
714 int get_const_value(struct expression *expr, sval_t *sval)
715 {
716 struct symbol *sym;
717 sval_t right;
718
719 if (expr->type != EXPR_SYMBOL || !expr->symbol)
720 return 0;
721 sym = expr->symbol;
722 if (!(sym->ctype.modifiers & MOD_CONST))
723 return 0;
724 if (get_value(sym->initializer, &right)) {
725 *sval = sval_cast(get_type(expr), right);
726 return 1;
727 }
728 return 0;
729 }
730
731 struct range_list *var_to_absolute_rl(struct expression *expr)
732 {
733 struct smatch_state *state;
734 struct range_list *rl;
735
736 state = get_extra_state(expr);
737 if (!state) {
738 if (get_local_rl(expr, &rl))
739 return rl;
740 if (get_db_type_rl(expr, &rl))
741 return rl;
742 return alloc_whole_rl(get_type(expr));
743 }
744 /* err on the side of saying things are possible */
745 if (!estate_rl(state))
746 return alloc_whole_rl(get_type(expr));
747 return clone_rl(estate_rl(state));
748 }
749
750 static struct range_list *handle_variable(struct expression *expr, int implied)
751 {
752 struct smatch_state *state;
753 struct range_list *rl;
754 sval_t sval, min, max;
755
756 if (get_const_value(expr, &sval))
757 return alloc_rl(sval, sval);
758
759 if (custom_handle_variable) {
760 rl = custom_handle_variable(expr);
761 if (!rl)
762 return var_to_absolute_rl(expr);
763 return rl;
764 }
765
766 switch (implied) {
767 case RL_EXACT:
768 return NULL;
769 case RL_HARD:
770 case RL_IMPLIED:
771 case RL_ABSOLUTE:
772 state = get_extra_state(expr);
773 if (!state || !state->data) {
774 if (implied == RL_HARD)
775 return NULL;
776 if (get_local_rl(expr, &rl))
777 return rl;
778 if (get_db_type_rl(expr, &rl))
779 return rl;
780 return NULL;
781 }
782 if (implied == RL_HARD && !estate_has_hard_max(state))
783 return NULL;
784 return clone_rl(estate_rl(state));
785 case RL_FUZZY:
786 if (!get_fuzzy_min_helper(expr, &min))
787 min = sval_type_min(get_type(expr));
788 if (!get_fuzzy_max_helper(expr, &max))
789 return NULL;
790 /* fuzzy ranges are often inverted */
791 if (sval_cmp(min, max) > 0) {
792 sval = min;
793 min = max;
794 max = sval;
795 }
796 return alloc_rl(min, max);
797 }
798 return NULL;
799 }
800
801 static sval_t handle_sizeof(struct expression *expr)
802 {
803 struct symbol *sym;
804 sval_t ret;
805
806 ret = sval_blank(expr);
807 sym = expr->cast_type;
808 if (!sym) {
809 sym = evaluate_expression(expr->cast_expression);
810 /*
811 * Expressions of restricted types will possibly get
812 * promoted - check that here
813 */
814 if (is_restricted_type(sym)) {
815 if (type_bits(sym) < bits_in_int)
816 sym = &int_ctype;
817 } else if (is_fouled_type(sym)) {
818 sym = &int_ctype;
819 }
820 }
821 examine_symbol_type(sym);
822
823 ret.type = size_t_ctype;
824 if (type_bits(sym) <= 0) /* sizeof(void) */ {
825 if (get_real_base_type(sym) == &void_ctype)
826 ret.value = 1;
827 else
828 ret.value = 0;
829 } else
830 ret.value = type_bytes(sym);
831
832 return ret;
833 }
834
835 static struct range_list *handle_call_rl(struct expression *expr, int implied)
836 {
837 struct range_list *rl;
838
839 if (sym_name_is("__builtin_expect", expr->fn)) {
840 struct expression *arg;
841
842 arg = get_argument_from_call_expr(expr->args, 0);
843 return _get_rl(arg, implied);
844 }
845
846 if (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY)
847 return NULL;
848
849 if (get_implied_return(expr, &rl))
850 return rl;
851 return db_return_vals(expr);
852 }
853
854 static struct range_list *handle_cast(struct expression *expr, int implied)
855 {
856 struct range_list *rl;
857 struct symbol *type;
858
859 type = get_type(expr);
860 rl = _get_rl(expr->cast_expression, implied);
861 if (rl)
862 return cast_rl(type, rl);
863 if (implied == RL_ABSOLUTE)
864 return alloc_whole_rl(type);
865 if (implied == RL_IMPLIED && type &&
866 type_bits(type) > 0 && type_bits(type) < 32)
867 return alloc_whole_rl(type);
868 return NULL;
869 }
870
871 static struct range_list *_get_rl(struct expression *expr, int implied)
872 {
873 struct range_list *rl;
874 struct symbol *type;
875 sval_t sval;
876
877 type = get_type(expr);
878 expr = strip_parens(expr);
879 if (!expr)
880 return NULL;
881
882 switch(expr->type) {
883 case EXPR_CAST:
884 case EXPR_FORCE_CAST:
885 case EXPR_IMPLIED_CAST:
886 rl = handle_cast(expr, implied);
887 goto out_cast;
888 }
889
890 expr = strip_expr(expr);
891 if (!expr)
892 return NULL;
893
894 switch (expr->type) {
895 case EXPR_VALUE:
896 sval = sval_from_val(expr, expr->value);
897 rl = alloc_rl(sval, sval);
898 break;
899 case EXPR_PREOP:
900 rl = handle_preop_rl(expr, implied);
901 break;
902 case EXPR_POSTOP:
903 rl = _get_rl(expr->unop, implied);
904 break;
905 case EXPR_BINOP:
906 rl = handle_binop_rl(expr, implied);
907 break;
908 case EXPR_COMPARE:
909 rl = handle_comparison_rl(expr, implied);
910 break;
911 case EXPR_LOGICAL:
912 rl = handle_logical_rl(expr, implied);
913 break;
914 case EXPR_PTRSIZEOF:
915 case EXPR_SIZEOF:
916 sval = handle_sizeof(expr);
917 rl = alloc_rl(sval, sval);
918 break;
919 case EXPR_SELECT:
920 case EXPR_CONDITIONAL:
921 rl = handle_conditional_rl(expr, implied);
922 break;
923 case EXPR_CALL:
924 rl = handle_call_rl(expr, implied);
925 break;
926 default:
927 rl = handle_variable(expr, implied);
928 }
929
930 out_cast:
931 if (rl)
932 return rl;
933 if (type && implied == RL_ABSOLUTE)
934 return alloc_whole_rl(type);
935 return NULL;
936 }
937
938 /* returns 1 if it can get a value literal or else returns 0 */
939 int get_value(struct expression *expr, sval_t *sval)
940 {
941 struct range_list *rl;
942
943 rl = _get_rl(expr, RL_EXACT);
944 if (!rl_to_sval(rl, sval))
945 return 0;
946 return 1;
947 }
948
949 int get_implied_value(struct expression *expr, sval_t *sval)
950 {
951 struct range_list *rl;
952
953 rl = _get_rl(expr, RL_IMPLIED);
954 if (!rl_to_sval(rl, sval))
955 return 0;
956 return 1;
957 }
958
959 int get_implied_min(struct expression *expr, sval_t *sval)
960 {
961 struct range_list *rl;
962
963 rl = _get_rl(expr, RL_IMPLIED);
964 if (!rl)
965 return 0;
966 *sval = rl_min(rl);
967 return 1;
968 }
969
970 int get_implied_max(struct expression *expr, sval_t *sval)
971 {
972 struct range_list *rl;
973
974 rl = _get_rl(expr, RL_IMPLIED);
975 if (!rl)
976 return 0;
977 *sval = rl_max(rl);
978 return 1;
979 }
980
981 int get_implied_rl(struct expression *expr, struct range_list **rl)
982 {
983 *rl = _get_rl(expr, RL_IMPLIED);
984 if (*rl)
985 return 1;
986 return 0;
987 }
988
989 int get_absolute_rl(struct expression *expr, struct range_list **rl)
990 {
991 *rl = _get_rl(expr, RL_ABSOLUTE);
992 if (!*rl)
993 *rl = alloc_whole_rl(get_type(expr));
994 return 1;
995 }
996
997 int custom_get_absolute_rl(struct expression *expr,
998 struct range_list *(*fn)(struct expression *expr),
999 struct range_list **rl)
1000 {
1001 *rl = NULL;
1002 custom_handle_variable = fn;
1003 *rl = _get_rl(expr, RL_ABSOLUTE);
1004 custom_handle_variable = NULL;
1005 return 1;
1006 }
1007
1008 int get_implied_rl_var_sym(const char *var, struct symbol *sym, struct range_list **rl)
1009 {
1010 struct smatch_state *state;
1011
1012 state = get_state(SMATCH_EXTRA, var, sym);
1013 *rl = estate_rl(state);
1014 if (*rl)
1015 return 1;
1016 return 0;
1017 }
1018
1019 int get_hard_max(struct expression *expr, sval_t *sval)
1020 {
1021 struct range_list *rl;
1022
1023 rl = _get_rl(expr, RL_HARD);
1024 if (!rl)
1025 return 0;
1026 *sval = rl_max(rl);
1027 return 1;
1028 }
1029
1030 int get_fuzzy_min(struct expression *expr, sval_t *sval)
1031 {
1032 struct range_list *rl;
1033 sval_t tmp;
1034
1035 rl = _get_rl(expr, RL_FUZZY);
1036 if (!rl)
1037 return 0;
1038 tmp = rl_min(rl);
1039 if (sval_is_negative(tmp) && sval_is_min(tmp))
1040 return 0;
1041 *sval = tmp;
1042 return 1;
1043 }
1044
1045 int get_fuzzy_max(struct expression *expr, sval_t *sval)
1046 {
1047 struct range_list *rl;
1048 sval_t max;
1049
1050 rl = _get_rl(expr, RL_FUZZY);
1051 if (!rl)
1052 return 0;
1053 max = rl_max(rl);
1054 if (max.uvalue > INT_MAX - 10000)
1055 return 0;
1056 *sval = max;
1057 return 1;
1058 }
1059
1060 int get_absolute_min(struct expression *expr, sval_t *sval)
1061 {
1062 struct range_list *rl;
1063 struct symbol *type;
1064
1065 type = get_type(expr);
1066 if (!type)
1067 type = &llong_ctype; // FIXME: this is wrong but places assume get type can't fail.
1068 rl = _get_rl(expr, RL_ABSOLUTE);
1069 if (rl)
1070 *sval = rl_min(rl);
1071 else
1072 *sval = sval_type_min(type);
1073
1074 if (sval_cmp(*sval, sval_type_min(type)) < 0)
1075 *sval = sval_type_min(type);
1076 return 1;
1077 }
1078
1079 int get_absolute_max(struct expression *expr, sval_t *sval)
1080 {
1081 struct range_list *rl;
1082 struct symbol *type;
1083
1084 type = get_type(expr);
1085 if (!type)
1086 type = &llong_ctype;
1087 rl = _get_rl(expr, RL_ABSOLUTE);
1088 if (rl)
1089 *sval = rl_max(rl);
1090 else
1091 *sval = sval_type_max(type);
1092
1093 if (sval_cmp(sval_type_max(type), *sval) < 0)
1094 *sval = sval_type_max(type);
1095 return 1;
1096 }
1097
1098 int known_condition_true(struct expression *expr)
1099 {
1100 sval_t tmp;
1101
1102 if (!expr)
1103 return 0;
1104
1105 if (get_value(expr, &tmp) && tmp.value)
1106 return 1;
1107
1108 return 0;
1109 }
1110
1111 int known_condition_false(struct expression *expr)
1112 {
1113 if (!expr)
1114 return 0;
1115
1116 if (is_zero(expr))
1117 return 1;
1118
1119 if (expr->type == EXPR_CALL) {
1120 if (sym_name_is("__builtin_constant_p", expr->fn))
1121 return 1;
1122 }
1123 return 0;
1124 }
1125
1126 int implied_condition_true(struct expression *expr)
1127 {
1128 sval_t tmp;
1129
1130 if (!expr)
1131 return 0;
1132
1133 if (known_condition_true(expr))
1134 return 1;
1135 if (get_implied_value(expr, &tmp) && tmp.value)
1136 return 1;
1137
1138 if (expr->type == EXPR_POSTOP)
1139 return implied_condition_true(expr->unop);
1140
1141 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_DECREMENT)
1142 return implied_not_equal(expr->unop, 1);
1143 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_INCREMENT)
1144 return implied_not_equal(expr->unop, -1);
1145
1146 expr = strip_expr(expr);
1147 switch (expr->type) {
1148 case EXPR_COMPARE:
1149 if (do_comparison(expr) == 1)
1150 return 1;
1151 break;
1152 case EXPR_PREOP:
1153 if (expr->op == '!') {
1154 if (implied_condition_false(expr->unop))
1155 return 1;
1156 break;
1157 }
1158 break;
1159 default:
1160 if (implied_not_equal(expr, 0) == 1)
1161 return 1;
1162 break;
1163 }
1164 return 0;
1165 }
1166
1167 int implied_condition_false(struct expression *expr)
1168 {
1169 struct expression *tmp;
1170 sval_t sval;
1171
1172 if (!expr)
1173 return 0;
1174
1175 if (known_condition_false(expr))
1176 return 1;
1177
1178 switch (expr->type) {
1179 case EXPR_COMPARE:
1180 if (do_comparison(expr) == 2)
1181 return 1;
1182 case EXPR_PREOP:
1183 if (expr->op == '!') {
1184 if (implied_condition_true(expr->unop))
1185 return 1;
1186 break;
1187 }
1188 tmp = strip_expr(expr);
1189 if (tmp != expr)
1190 return implied_condition_false(tmp);
1191 break;
1192 default:
1193 if (get_implied_value(expr, &sval) && sval.value == 0)
1194 return 1;
1195 break;
1196 }
1197 return 0;
1198 }
1199
1200 int can_integer_overflow(struct symbol *type, struct expression *expr)
1201 {
1202 int op;
1203 sval_t lmax, rmax, res;
1204
1205 if (!type)
1206 type = &int_ctype;
1207
1208 expr = strip_expr(expr);
1209
1210 if (expr->type == EXPR_ASSIGNMENT) {
1211 switch(expr->op) {
1212 case SPECIAL_MUL_ASSIGN:
1213 op = '*';
1214 break;
1215 case SPECIAL_ADD_ASSIGN:
1216 op = '+';
1217 break;
1218 case SPECIAL_SHL_ASSIGN:
1219 op = SPECIAL_LEFTSHIFT;
1220 break;
1221 default:
1222 return 0;
1223 }
1224 } else if (expr->type == EXPR_BINOP) {
1225 if (expr->op != '*' && expr->op != '+' && expr->op != SPECIAL_LEFTSHIFT)
1226 return 0;
1227 op = expr->op;
1228 } else {
1229 return 0;
1230 }
1231
1232 get_absolute_max(expr->left, &lmax);
1233 get_absolute_max(expr->right, &rmax);
1234
1235 if (sval_binop_overflows(lmax, op, rmax))
1236 return 1;
1237
1238 res = sval_binop(lmax, op, rmax);
1239 if (sval_cmp(res, sval_type_max(type)) > 0)
1240 return 1;
1241 return 0;
1242 }
Static analysis for C