search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
implied: update to stree
[smatch.git] / smatch_clear_buffer.c
blob7061f9e265519e5cd8a91f35de5a76bac1134807
1 /*
2 * Copyright (C) 2013 Oracle.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 #include "smatch.h"
19 #include "smatch_slist.h"
20 #include "smatch_extra.h"
21
22 static int my_id;
23
24 STATE(uninitialized);
25 STATE(initialized);
26
27 static int type_sym_array(struct expression *expr)
28 {
29 struct symbol *type;
30
31 /* remove casting the array to a pointer */
32 expr = strip_expr(expr);
33 type = get_type(expr);
34 if (type && type->type == SYM_ARRAY)
35 return 1;
36 return 0;
37 }
38
39 static void set_members_uninitialized(struct expression *expr)
40 {
41 struct symbol *type, *sym, *tmp;
42 char *name;
43 char buf[256];
44
45 type = get_type(expr);
46 if (!type)
47 return;
48
49 if (type->type != SYM_PTR)
50 return;
51 type = get_real_base_type(type);
52
53 name = expr_to_var_sym(expr, &sym);
54 if (!name || !sym)
55 goto free;
56
57 FOR_EACH_PTR(type->symbol_list, tmp) {
58 if (!tmp->ident)
59 continue;
60 snprintf(buf, sizeof(buf), "%s->%s", name, tmp->ident->name);
61 set_state(my_id, buf, sym, &uninitialized);
62 } END_FOR_EACH_PTR(tmp);
63
64 free:
65 free_string(name);
66 }
67
68 static void initialize_struct_members(struct symbol *type, struct expression *expr, struct expression *to)
69 {
70 struct symbol *tmp;
71 struct expression *member;
72 struct expression *assign;
73 int op = '*';
74
75 if (expr->type == EXPR_PREOP && expr->op == '&') {
76 expr = strip_expr(expr->unop);
77 op = '.';
78 }
79
80 FOR_EACH_PTR(type->symbol_list, tmp) {
81 if (!tmp->ident)
82 continue;
83 member = member_expression(expr, op, tmp->ident);
84 if (type_sym_array(member))
85 continue;
86
87 /*
88 * FIXME: the problem here is that sometimes we have:
89 * memset(&my_struct, 0xff, sizeof(my_struct));
90 * and my_struct->foo is a 1 bit bitfield. There is a check
91 * which complains that "255 doesn't fit in ->foo".
92 *
93 * For now I just have this ugly hack. But really it's not
94 * handling the memset(..., 0xff, ...) correctly at all so one
95 * more hack barely makes a difference.
96 *
97 */
98 if (to && type_positive_bits(get_type(member)) >= type_positive_bits(get_type(to)))
99 assign = assign_expression(member, to);
100 else
101 assign = assign_expression(member, member);
102
103 __pass_to_client(assign, ASSIGNMENT_HOOK);
104 } END_FOR_EACH_PTR(tmp);
105 }
106
107 static void initialize_base_type(struct symbol *type, struct expression *expr,
108 struct expression *to)
109 {
110 struct expression *assign;
111
112 if (type == &void_ctype)
113 return;
114 if (expr->type == EXPR_PREOP && expr->op == '&')
115 expr = strip_expr(expr->unop);
116 else
117 expr = deref_expression(expr);
118 if (!to)
119 to = expr;
120 /* FIXME: see the FIXME in initialize_struct_members() */
121 if (type_positive_bits(get_type(expr)) < type_positive_bits(get_type(to)))
122 to = expr;
123 assign = assign_expression(expr, to);
124 __pass_to_client(assign, ASSIGNMENT_HOOK);
125 }
126
127 static void set_initialized(struct expression *expr, struct expression *to)
128 {
129 struct symbol *type;
130
131 expr = strip_expr(expr);
132
133 type = get_type(expr);
134 if (!type || type->type != SYM_PTR)
135 return;
136 type = get_real_base_type(type);
137 if (!type)
138 return;
139 if (type->type == SYM_BASETYPE)
140 initialize_base_type(type, expr, to);
141 if (type->type == SYM_STRUCT) {
142 if (expr->type != EXPR_PREOP || expr->op != '&')
143 expr = deref_expression(expr);
144 initialize_struct_members(type, expr, to);
145 }
146 }
147
148 int is_uninitialized(struct expression *expr)
149 {
150 struct sm_state *sm;
151
152 sm = get_sm_state_expr(my_id, expr);
153 if (!sm)
154 return 0;
155 return slist_has_state(sm->possible, &uninitialized);
156 }
157
158 int has_uninitialized_members(struct expression *expr)
159 {
160 struct symbol *sym;
161 struct symbol *tmp;
162 char *name;
163 char buf[256];
164 struct sm_state *sm;
165
166 sym = get_type(expr);
167 if (!sym)
168 return 0;
169
170 if (sym->type == SYM_PTR)
171 sym = get_real_base_type(sym);
172
173 name = expr_to_var(expr);
174 if (!name)
175 return 0;
176
177 FOR_EACH_PTR(sym->symbol_list, tmp) {
178 if (!tmp->ident)
179 continue;
180 snprintf(buf, sizeof(buf), "%s->%s", name, tmp->ident->name);
181 sm = get_sm_state(my_id, buf, sym);
182 if (!sm)
183 continue;
184 if (slist_has_state(sm->possible, &uninitialized))
185 return 1;
186 } END_FOR_EACH_PTR(tmp);
187
188 free_string(name);
189 return 0;
190 }
191
192 static void match_assign(struct expression *expr)
193 {
194 struct symbol *type;
195
196 type = get_type(expr->left);
197 if (!type || type->type != SYM_STRUCT)
198 return;
199 initialize_struct_members(type, expr->left, NULL);
200 }
201
202 static void match_alloc(const char *fn, struct expression *expr, void *_size_arg)
203 {
204 set_members_uninitialized(expr->left);
205 }
206
207 static void db_param_cleared(struct expression *expr, int param, char *key, char *value)
208 {
209 struct expression *arg;
210
211 while (expr->type == EXPR_ASSIGNMENT)
212 expr = strip_expr(expr->right);
213 if (expr->type != EXPR_CALL)
214 return;
215
216 arg = get_argument_from_call_expr(expr->args, param);
217 if (!arg)
218 return;
219
220 if (strcmp(value, "0") == 0)
221 set_initialized(arg, zero_expr());
222 else
223 set_initialized(arg, NULL);
224 }
225
226 static void match_memcpy(const char *fn, struct expression *expr, void *_arg)
227 {
228 struct expression *buf;
229 int arg = PTR_INT(_arg);
230
231 buf = get_argument_from_call_expr(expr->args, arg);
232
233 set_initialized(buf, NULL);
234 }
235
236 static void reset_initialized(struct sm_state *sm, struct expression *mod_expr)
237 {
238 set_state(my_id, sm->name, sm->sym, &initialized);
239 }
240
241 #define USB_DIR_IN 0x80
242 static void match_usb_control_msg(const char *fn, struct expression *expr, void *_size_arg)
243 {
244 struct expression *inout;
245 struct expression *buf;
246 sval_t sval;
247
248 inout = get_argument_from_call_expr(expr->args, 3);
249 buf = get_argument_from_call_expr(expr->args, 6);
250
251 if (get_value(inout, &sval) && !(sval.uvalue & USB_DIR_IN))
252 return;
253
254 set_initialized(buf, NULL);
255 }
256
257 void register_clear_buffer(int id)
258 {
259 my_id = id;
260 if (option_project == PROJ_KERNEL) {
261 add_function_assign_hook("kmalloc", &match_alloc, NULL);
262 add_function_hook("usb_control_msg", &match_usb_control_msg, NULL);
263 }
264 add_modification_hook(my_id, &reset_initialized);
265 add_hook(&match_assign, ASSIGNMENT_HOOK);
266
267 select_return_states_hook(PARAM_CLEARED, &db_param_cleared);
268 }
269
Static analysis for C