search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
db/fixup_kernel.sh: fix clear_user() handling
[smatch.git] / smatch_untracked_param.c
bloba84889caaffdc2d83adb2a4617a15c4b88a42354
1 /*
2 * Copyright (C) 2014 Oracle.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * Sometimes we aren't able to track a variable through a function call. This
20 * usually happens because a function changes too many variables so we give up.
21 * Another reason this happens is because we call a function pointer and there
22 * are too many functions which implement that function pointer so we give up.
23 * Also maybe we don't have the database enabled.
24 *
25 * The goal here is to make a call back so what if we call:
26 *
27 * frob(&foo);
28 *
29 * but we're not able to say what happens to "foo", then let's assume that we
30 * don't know anything about "foo" if it's an untracked call.
31 *
32 */
33
34 #include "smatch.h"
35 #include "smatch_slist.h"
36 #include "smatch_extra.h"
37
38 static int my_id;
39
40 STATE(untracked);
41 STATE(lost);
42
43 typedef void (untracked_hook)(struct expression *call, int param);
44 DECLARE_PTR_LIST(untracked_hook_list, untracked_hook *);
45 static struct untracked_hook_list *untracked_hooks;
46 static struct untracked_hook_list *lost_hooks;
47
48 void add_untracked_param_hook(void (func)(struct expression *call, int param))
49 {
50 untracked_hook **p = malloc(sizeof(untracked_hook *));
51 *p = func;
52 add_ptr_list(&untracked_hooks, p);
53 }
54
55 static void call_untracked_callbacks(struct expression *expr, int param)
56 {
57 untracked_hook **fn;
58
59 FOR_EACH_PTR(untracked_hooks, fn) {
60 (*fn)(expr, param);
61 } END_FOR_EACH_PTR(fn);
62 }
63
64 void add_lost_param_hook(void (func)(struct expression *call, int param))
65 {
66 untracked_hook **p = malloc(sizeof(untracked_hook *));
67 *p = func;
68 add_ptr_list(&lost_hooks, p);
69 }
70
71 static void call_lost_callbacks(struct expression *expr, int param)
72 {
73 untracked_hook **fn;
74
75 FOR_EACH_PTR(lost_hooks, fn) {
76 (*fn)(expr, param);
77 } END_FOR_EACH_PTR(fn);
78 }
79
80 static char *get_array_from_key(struct expression *expr, int param, const char *key, struct symbol **sym)
81 {
82 struct expression *arg;
83
84 arg = get_argument_from_call_expr(expr->args, param);
85 if (!arg)
86 return NULL;
87 if (arg->type != EXPR_PREOP || arg->op != '&')
88 return NULL;
89 arg = arg->unop;
90 if (!is_array(arg))
91 return NULL;
92 arg = get_array_base(arg);
93
94 return expr_to_var_sym(arg, sym);
95 }
96
97 static void mark_untracked_lost(struct expression *expr, int param, const char *key, int type)
98 {
99 char *name;
100 struct symbol *sym;
101
102 while (expr->type == EXPR_ASSIGNMENT)
103 expr = strip_expr(expr->right);
104 if (expr->type != EXPR_CALL)
105 return;
106
107 name = get_name_sym_from_param_key(expr, param, key, &sym);
108 if (!name || !sym) {
109 name = get_array_from_key(expr, param, key, &sym);
110 if (!name || !sym)
111 goto free;
112 }
113
114 if (type == LOST_PARAM)
115 call_lost_callbacks(expr, param);
116 call_untracked_callbacks(expr, param);
117 set_state(my_id, name, sym, &untracked);
118 free:
119 free_string(name);
120
121 }
122
123 void mark_untracked(struct expression *expr, int param, char *key, char *value)
124 {
125 mark_untracked_lost(expr, param, key, UNTRACKED_PARAM);
126 }
127
128 void mark_lost(struct expression *expr, int param, char *key, char *value)
129 {
130 mark_untracked_lost(expr, param, key, LOST_PARAM);
131 }
132
133 void mark_call_params_untracked(struct expression *call)
134 {
135 struct expression *arg;
136 int i = 0;
137
138 FOR_EACH_PTR(call->args, arg) {
139 mark_untracked(call, i++, "$", NULL);
140 } END_FOR_EACH_PTR(arg);
141 }
142
143 static int lost_in_va_args(struct expression *expr)
144 {
145 struct symbol *fn;
146 char *name;
147 int is_lost;
148
149 fn = get_type(expr->fn);
150 if (!fn || !fn->variadic)
151 return 0;
152
153 is_lost = 1;
154 name = expr_to_var(expr->fn);
155 if (name && strstr(name, "print"))
156 is_lost = 0;
157 free_string(name);
158
159 return is_lost;
160 }
161
162 static void match_after_call(struct expression *expr)
163 {
164 struct expression *arg;
165 struct symbol *type;
166 int i;
167
168 if (!lost_in_va_args(expr))
169 return;
170
171 i = -1;
172 FOR_EACH_PTR(expr->args, arg) {
173 i++;
174
175 type = get_type(arg);
176 if (!type || type->type != SYM_PTR)
177 continue;
178
179 call_untracked_callbacks(expr, i);
180 call_lost_callbacks(expr, i);
181 set_state_expr(my_id, arg, &untracked);
182 } END_FOR_EACH_PTR(arg);
183 }
184
185 static void mark_all_params(int return_id, char *return_ranges, int type)
186 {
187 struct symbol *arg;
188 int param;
189
190 param = -1;
191 FOR_EACH_PTR(cur_func_sym->ctype.base_type->arguments, arg) {
192 param++;
193
194 if (!arg->ident)
195 continue;
196 sql_insert_return_states(return_id, return_ranges,
197 type, param, "$", "");
198 } END_FOR_EACH_PTR(arg);
199 }
200
201
202 void mark_all_params_untracked(int return_id, char *return_ranges, struct expression *expr)
203 {
204 mark_all_params(return_id, return_ranges, UNTRACKED_PARAM);
205 }
206
207 void mark_all_params_lost(int return_id, char *return_ranges, struct expression *expr)
208 {
209 mark_all_params(return_id, return_ranges, LOST_PARAM);
210 }
211
212 static void print_untracked_params(int return_id, char *return_ranges, struct expression *expr)
213 {
214 struct sm_state *sm;
215 struct symbol *arg;
216 int param;
217 int type;
218
219 param = -1;
220 FOR_EACH_PTR(cur_func_sym->ctype.base_type->arguments, arg) {
221 param++;
222
223 if (!arg->ident)
224 continue;
225
226 if (__bail_on_rest_of_function) {
227 /* hairy functions are lost */
228 type = LOST_PARAM;
229 } else if ((sm = get_sm_state(my_id, arg->ident->name, arg))) {
230 if (slist_has_state(sm->possible, &lost))
231 type = LOST_PARAM;
232 else
233 type = UNTRACKED_PARAM;
234 } else {
235 continue;
236 }
237
238 sql_insert_return_states(return_id, return_ranges,
239 type, param, "$", "");
240 } END_FOR_EACH_PTR(arg);
241 }
242
243 static void match_assign(struct expression *expr)
244 {
245 struct expression *right;
246 int param;
247
248 if (is_fake_var_assign(expr))
249 return;
250
251 right = strip_expr(expr->right);
252
253 if (right->type != EXPR_SYMBOL)
254 return;
255 if (!is_pointer(expr->right))
256 return;
257 param = get_param_num(right);
258 if (param < 0)
259 return;
260
261 set_state_expr(my_id, right, &untracked);
262 }
263
264 static void match_param_assign_in_asm(struct statement *stmt)
265 {
266 struct expression *expr;
267 struct asm_operand *op;
268 struct symbol *type;
269 int param;
270
271 FOR_EACH_PTR(stmt->asm_inputs, op) {
272 expr = strip_expr(op->expr);
273 type = get_type(expr);
274 if (!type || type->type != SYM_PTR)
275 continue;
276 param = get_param_num(expr);
277 if (param < 0)
278 continue;
279 set_state_expr(my_id, expr, &untracked);
280 } END_FOR_EACH_PTR(op);
281 }
282
283 void register_untracked_param(int id)
284 {
285 my_id = id;
286
287 select_return_states_hook(UNTRACKED_PARAM, &mark_untracked);
288 select_return_states_hook(LOST_PARAM, &mark_lost);
289 add_hook(&match_after_call, FUNCTION_CALL_HOOK_AFTER_DB);
290
291 add_split_return_callback(&print_untracked_params);
292
293 add_hook(&match_assign, ASSIGNMENT_HOOK);
294 add_hook(&match_param_assign_in_asm, ASM_HOOK);
295 }
Static analysis for C