check_err_ptr_deref.c

   1 /*
   2  * sparse/check_err_ptr_deref.c
   3  *
   4  * Copyright (C) 2009 Dan Carpenter.
   5  *
   6  * Licensed under the Open Software License version 1.1
   7  *
   8  */
   9
  10 #include "smatch.h"
  11 #include "smatch_slist.h"
  12 #include "smatch_extra.h"
  13
  14 static int my_id;
  15
  16 STATE(err_ptr);
  17 STATE(checked);
  18
  19 static void ok_to_use(struct sm_state *sm)
  20 {
  21         if (sm->state != &checked)
  22                 set_state(my_id, sm->name, sm->sym, &checked);
  23 }
  24
  25 static void check_is_err_ptr(struct sm_state *sm)
  26 {
  27         if (!sm)
  28                 return;
  29
  30         if (slist_has_state(sm->possible, &err_ptr)) {
  31                 sm_msg("error: '%s' dereferencing possible ERR_PTR()",
  32                            sm->name);
  33                 set_state(my_id, sm->name, sm->sym, &checked);
  34         }
  35 }
  36
  37 static void match_returns_err_ptr(const char *fn, struct expression *expr,
  38                                 void *info)
  39 {
  40         set_state_expr(my_id, expr->left, &err_ptr);
  41 }
  42
  43
  44 static void match_checked(const char *fn, struct expression *call_expr,
  45                         struct expression *assign_expr, void *unused)
  46 {
  47         struct expression *arg;
  48
  49         arg = get_argument_from_call_expr(call_expr->args, 0);
  50         arg = strip_expr(arg);
  51         while (arg->type == EXPR_ASSIGNMENT)
  52                 arg = strip_expr(arg->left);
  53         set_state_expr(my_id, arg, &checked);
  54 }
  55
  56 static void match_err(const char *fn, struct expression *call_expr,
  57                         struct expression *assign_expr, void *unused)
  58 {
  59         struct expression *arg;
  60
  61         arg = get_argument_from_call_expr(call_expr->args, 0);
  62         arg = strip_expr(arg);
  63         while (arg->type == EXPR_ASSIGNMENT)
  64                 arg = strip_expr(arg->left);
  65         set_state_expr(my_id, arg, &err_ptr);
  66 }
  67
  68 static void match_dereferences(struct expression *expr)
  69 {
  70         struct sm_state *sm;
  71
  72         if (expr->type != EXPR_PREOP)
  73                 return;
  74         expr = strip_expr(expr->unop);
  75
  76         sm = get_sm_state_expr(my_id, expr);
  77         check_is_err_ptr(sm);
  78 }
  79
  80 static void match_condition(struct expression *expr)
  81 {
  82         if (expr->type == EXPR_ASSIGNMENT) {
  83                 match_condition(expr->right);
  84                 match_condition(expr->left);
  85         }
  86         if (!get_state_expr(my_id, expr))
  87                 return;
  88         /* If we know the variable is zero that means it's not an ERR_PTR */
  89         set_true_false_states_expr(my_id, expr, NULL, &checked);
  90 }
  91
  92 static void register_err_ptr_funcs(void)
  93 {
  94         struct token *token;
  95         const char *func;
  96
  97         token = get_tokens_file("kernel.returns_err_ptr");
  98         if (!token)
  99                 return;
 100         if (token_type(token) != TOKEN_STREAMBEGIN)
 101                 return;
 102         token = token->next;
 103         while (token_type(token) != TOKEN_STREAMEND) {
 104                 if (token_type(token) != TOKEN_IDENT)
 105                         return;
 106                 func = show_ident(token->ident);
 107                 add_function_assign_hook(func, &match_returns_err_ptr, NULL);
 108                 token = token->next;
 109         }
 110         clear_token_alloc();
 111 }
 112
 113 static void match_err_ptr(const char *fn, struct expression *expr, void *unused)
 114 {
 115         struct expression *arg;
 116         struct sm_state *sm;
 117         struct sm_state *tmp;
 118         sval_t tmp_min;
 119         sval_t tmp_max;
 120         sval_t min = sval_type_max(&llong_ctype);
 121         sval_t max = sval_type_min(&llong_ctype);
 122
 123         arg = get_argument_from_call_expr(expr->args, 0);
 124         sm = get_sm_state_expr(SMATCH_EXTRA, arg);
 125         if (!sm)
 126                 return;
 127         FOR_EACH_PTR(sm->possible, tmp) {
 128                 tmp_min = estate_min(tmp->state);
 129                 if (!sval_is_a_min(tmp_min) && sval_cmp(tmp_min, min) < 0)
 130                         min = tmp_min;
 131                 tmp_max = estate_max(tmp->state);
 132                 if (!sval_is_a_max(tmp_max) && sval_cmp(tmp_max, max) > 0)
 133                         max = tmp_max;
 134         } END_FOR_EACH_PTR(tmp);
 135         if (sval_is_negative(min) && sval_cmp_val(min, -4095) < 0)
 136                 sm_msg("error: %s too low for ERR_PTR", sval_to_str(min));
 137         if (sval_is_positive(max) && sval_cmp_val(max, 0) != 0)
 138                 sm_msg("error: passing non neg %s to ERR_PTR", sval_to_str(max));
 139 }
 140
 141 void check_err_ptr_deref(int id)
 142 {
 143         if (option_project != PROJ_KERNEL)
 144                 return;
 145
 146         my_id = id;
 147         return_implies_state("IS_ERR", 0, 0, &match_checked, NULL);
 148         return_implies_state("IS_ERR", 1, 1, &match_err, NULL);
 149         return_implies_state("IS_ERR_OR_NULL", 0, 0, &match_checked, NULL);
 150         return_implies_state("IS_ERR_OR_NULL", 1, 1, &match_err, NULL);
 151         return_implies_state("PTR_RET", 0, 0, &match_checked, NULL);
 152         return_implies_state("PTR_RET", -4096, -1, &match_err, NULL);
 153         register_err_ptr_funcs();
 154         add_hook(&match_dereferences, DEREF_HOOK);
 155         add_function_hook("ERR_PTR", &match_err_ptr, NULL);
 156         add_hook(&match_condition, CONDITION_HOOK);
 157         add_modification_hook(my_id, &ok_to_use);
 158 }
 159