/*
 * Copyright (C) 2009 Dan Carpenter.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */
18 #include "smatch.h"
19 #include "smatch_slist.h"
20 #include "smatch_extra.h"
/* Check id passed to check_err_ptr_deref(); every state in this file is stored under it. */
static int my_id;

/*
 * States tracked per expression:
 *   err_ptr - the value may be an ERR_PTR()-encoded error
 *   checked - the value has been tested, reassigned or already reported
 */
STATE(err_ptr);
STATE(checked);

/*
 * Range list built once in check_err_ptr_deref() from err_min..err_max and
 * compared against a pointer's possible values before a warning is printed.
 */
struct range_list *err_ptr_rl;
/*
 * Modification hook registered for this check in check_err_ptr_deref().
 *
 * Moves the tracked variable to the "checked" state unless it is already
 * there, so an earlier err_ptr marking does not outlive the modification.
 * mod_expr is not used.
 */
static void ok_to_use(struct sm_state *sm, struct expression *mod_expr)
{
	if (sm->state == &checked)
		return;

	set_state(my_id, sm->name, sm->sym, &checked);
}
/*
 * Report @expr if it is about to be used as a valid pointer while it may
 * still hold an ERR_PTR() value.
 *
 * Two conditions must both hold before the warning is printed:
 *   - this check has recorded err_ptr as one of the possible states, and
 *   - the value range of the expression can overlap err_ptr_rl.
 * The second test filters out pointers whose range is already known to
 * exclude the error values.
 */
static void check_is_err_ptr(struct expression *expr)
{
	struct range_list *values;
	struct sm_state *tracked = get_sm_state_expr(my_id, expr);

	if (!tracked || !slist_has_state(tracked->possible, &err_ptr))
		return;

	get_absolute_rl(expr, &values);
	if (possibly_true_rl(values, SPECIAL_EQUAL, err_ptr_rl)) {
		sm_error("'%s' dereferencing possible ERR_PTR()", tracked->name);
		/* Switch to checked after reporting; presumably so the same
		 * variable is not reported again on every later use. */
		set_state(my_id, tracked->name, tracked->sym, &checked);
	}
}
/*
 * Assignment hook for every function named in "kernel.returns_err_ptr"
 * (installed by register_err_ptr_funcs()).
 *
 * @expr is the assignment whose right side is the call; its left side is
 * marked err_ptr until something checks or overwrites it. fn and info are
 * not used.
 */
static void match_returns_err_ptr(const char *fn, struct expression *expr,
				  void *info)
{
	struct expression *dest = expr->left;

	set_state_expr(my_id, dest, &err_ptr);
}
/*
 * Return-implies hook for DEREFERENCE records (see check_err_ptr_deref()):
 * the called function is recorded as dereferencing the parameter described
 * by @arg and @key.
 *
 * Applies the same two tests as check_is_err_ptr(), but by variable name
 * and symbol: the variable must have err_ptr among its possible states and
 * its SMATCH_EXTRA range must be able to overlap err_ptr_rl. call and
 * unused are not used.
 */
static void set_param_dereferenced(struct expression *call, struct expression *arg, char *key, char *unused)
{
	struct symbol *sym;
	struct smatch_state *extra;
	struct sm_state *tracked;
	char *name = get_variable_from_key(arg, key, &sym);

	if (!name || !sym)
		goto out;

	tracked = get_sm_state(my_id, name, sym);
	if (!tracked || !slist_has_state(tracked->possible, &err_ptr))
		goto out;

	extra = get_state(SMATCH_EXTRA, name, sym);
	if (!extra)
		goto out;
	if (!possibly_true_rl(estate_rl(extra), SPECIAL_EQUAL, err_ptr_rl))
		goto out;

	sm_error("'%s' dereferencing possible ERR_PTR()", tracked->name);
	set_state(my_id, tracked->name, tracked->sym, &checked);

out:
	/* name came from get_variable_from_key(); released on every path. */
	free_string(name);
}
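/*
 * return_implies_state() callback for the return values of IS_ERR(),
 * IS_ERR_OR_NULL() and PTR_RET() that mean "not an error" (registered with
 * the range 0..0 in check_err_ptr_deref()): marks the first call argument
 * as checked.
 *
 * When the argument is itself an assignment, e.g. IS_ERR(p = foo()), the
 * state is attached to the assigned-to expression, not to the assignment.
 *
 * fn, assign_expr and unused are not used.
 */
static void match_checked(const char *fn, struct expression *call_expr,
			struct expression *assign_expr, void *unused)
{
	struct expression *arg;

	arg = get_argument_from_call_expr(call_expr->args, 0);
	arg = strip_expr(arg);
	/*
	 * arg is dereferenced below and nothing here guarantees that the
	 * lookup or the stripping produced an expression, so test it before
	 * each use instead of crashing the analysis on an odd call site.
	 */
	while (arg && arg->type == EXPR_ASSIGNMENT)
		arg = strip_expr(arg->left);
	if (!arg)
		return;
	set_state_expr(my_id, arg, &checked);
}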
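/*
 * return_implies_state() callback for the return values of IS_ERR(),
 * IS_ERR_OR_NULL() and PTR_RET() that mean "this is an error" (registered
 * with 1..1 and -4095..-1 in check_err_ptr_deref()): marks the first call
 * argument as err_ptr, so a dereference on that branch is reported.
 *
 * When the argument is itself an assignment, e.g. IS_ERR(p = foo()), the
 * state is attached to the assigned-to expression, not to the assignment.
 *
 * fn, assign_expr and unused are not used.
 */
static void match_err(const char *fn, struct expression *call_expr,
			struct expression *assign_expr, void *unused)
{
	struct expression *arg;

	arg = get_argument_from_call_expr(call_expr->args, 0);
	arg = strip_expr(arg);
	/*
	 * arg is dereferenced below and nothing here guarantees that the
	 * lookup or the stripping produced an expression, so test it before
	 * each use instead of crashing the analysis on an odd call site.
	 */
	while (arg && arg->type == EXPR_ASSIGNMENT)
		arg = strip_expr(arg->left);
	if (!arg)
		return;
	set_state_expr(my_id, arg, &err_ptr);
}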
/*
 * DEREF_HOOK callback. Only EXPR_PREOP expressions are examined; the
 * operand of the prefix operator is what gets tested for a possible
 * ERR_PTR() value.
 */
static void match_dereferences(struct expression *expr)
{
	if (expr->type == EXPR_PREOP)
		check_is_err_ptr(expr->unop);
}
/*
 * Function hook shared by kfree(), brelse(), kmem_cache_free() and vfree()
 * (see check_err_ptr_deref()). Passing an error pointer to one of these is
 * reported the same way as a dereference.
 *
 * _arg_nr carries the index of the pointer argument, packed with INT_PTR()
 * at registration time. fn is not used.
 */
static void match_kfree(const char *fn, struct expression *expr, void *_arg_nr)
{
	int index = PTR_INT(_arg_nr);

	check_is_err_ptr(get_argument_from_call_expr(expr->args, index));
}
/*
 * CONDITION_HOOK callback.
 *
 * For a condition that is an assignment, both sides are visited first
 * (right, then left). After that, if this check tracks @expr, the false
 * branch of the condition gets the checked state; the true branch is left
 * as it was (NULL true-state).
 */
static void match_condition(struct expression *expr)
{
	if (expr->type == EXPR_ASSIGNMENT) {
		match_condition(expr->right);
		match_condition(expr->left);
	}

	if (get_state_expr(my_id, expr)) {
		/* A value known to be zero cannot be an ERR_PTR. */
		set_true_false_states_expr(my_id, expr, NULL, &checked);
	}
}
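/*
 * Read the identifier list in "kernel.returns_err_ptr" and install
 * match_returns_err_ptr() as the assignment hook for each function named
 * there.
 *
 * Parsing stops silently at the first token that is not an identifier, so
 * any functions listed after a malformed entry are NOT registered and their
 * return values will not be tracked by this check. Nothing is registered if
 * the file cannot be tokenized or does not begin with a stream-begin token.
 *
 * Every path taken after the file has been tokenized ends in
 * clear_token_alloc(); previously the two early exits skipped it and left
 * the token allocations behind.
 */
static void register_err_ptr_funcs(void)
{
	struct token *token;
	const char *func;

	token = get_tokens_file("kernel.returns_err_ptr");
	if (!token)
		return;
	if (token_type(token) != TOKEN_STREAMBEGIN)
		goto out;
	token = token->next;
	while (token_type(token) != TOKEN_STREAMEND) {
		if (token_type(token) != TOKEN_IDENT)
			goto out;
		func = show_ident(token->ident);
		add_function_assign_hook(func, &match_returns_err_ptr, NULL);
		token = token->next;
	}
out:
	clear_token_alloc();
}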
/*
 * ERR_PTR() function hook for arguments whose value is known exactly.
 *
 * Reports a call whose first argument is strictly greater than zero. Zero
 * itself is not reported, although the message text says "non negative".
 * fn and unused are not used.
 */
static void match_err_ptr_positive_const(const char *fn, struct expression *expr, void *unused)
{
	struct expression *arg = get_argument_from_call_expr(expr->args, 0);
	sval_t value;

	if (!get_value(arg, &value))
		return;
	if (!sval_is_positive(value) || sval_cmp_val(value, 0) == 0)
		return;

	sm_error("passing non negative %s to ERR_PTR", sval_to_str(value));
}
/*
 * ERR_PTR() function hook for arguments known only as a set of possible
 * SMATCH_EXTRA states.
 *
 * Collects the smallest minimum and the largest maximum over all possible
 * states, ignoring bounds that are just the type's own min/max, and then
 * reports:
 *   - a lowest value below -4095 (the same bound the PTR_RET hook in
 *     check_err_ptr_deref() uses for the error range), and
 *   - a highest value above zero.
 * Both reports can fire for one call. fn and unused are not used.
 */
static void match_err_ptr(const char *fn, struct expression *expr, void *unused)
{
	/* Start inverted (lowest = type max, highest = type min) so that any
	 * real bound found in the loop replaces the initial value. */
	sval_t lowest = sval_type_max(&llong_ctype);
	sval_t highest = sval_type_min(&llong_ctype);
	sval_t cand_lo;
	sval_t cand_hi;
	struct sm_state *possible;
	struct sm_state *extra;
	struct expression *arg;

	arg = get_argument_from_call_expr(expr->args, 0);
	extra = get_sm_state_expr(SMATCH_EXTRA, arg);
	if (!extra)
		return;

	FOR_EACH_PTR(extra->possible, possible) {
		cand_lo = estate_min(possible->state);
		if (!sval_is_a_min(cand_lo) && sval_cmp(cand_lo, lowest) < 0)
			lowest = cand_lo;

		cand_hi = estate_max(possible->state);
		if (!sval_is_a_max(cand_hi) && sval_cmp(cand_hi, highest) > 0)
			highest = cand_hi;
	} END_FOR_EACH_PTR(possible);

	if (sval_is_negative(lowest) && sval_cmp_val(lowest, -4095) < 0)
		sm_error("%s too low for ERR_PTR", sval_to_str(lowest));

	if (sval_is_positive(highest) && sval_cmp_val(highest, 0) != 0)
		sm_error("passing non negative %s to ERR_PTR", sval_to_str(highest));
}
/*
 * Entry point of the check: stores the check id and installs every hook.
 * Does nothing unless the project being analysed is the kernel.
 *
 * The registrations are kept in their original order.
 */
void check_err_ptr_deref(int id)
{
	if (option_project != PROJ_KERNEL)
		return;

	my_id = id;

	/* Return value of the error-test helpers -> state of their argument. */
	return_implies_state("IS_ERR", 0, 0, match_checked, NULL);
	return_implies_state("IS_ERR", 1, 1, match_err, NULL);
	return_implies_state("IS_ERR_OR_NULL", 0, 0, match_checked, NULL);
	return_implies_state("IS_ERR_OR_NULL", 1, 1, match_err, NULL);
	return_implies_state("PTR_RET", 0, 0, match_checked, NULL);
	return_implies_state("PTR_RET", -4095, -1, match_err, NULL);

	/* Functions listed in kernel.returns_err_ptr mark their result err_ptr. */
	register_err_ptr_funcs();

	add_hook(match_dereferences, DEREF_HOOK);

	/* Two hooks validate the argument of ERR_PTR() itself: one for known
	 * constants, one for value ranges. */
	add_function_hook("ERR_PTR", match_err_ptr_positive_const, NULL);
	add_function_hook("ERR_PTR", match_err_ptr, NULL);

	add_hook(match_condition, CONDITION_HOOK);
	add_modification_hook(my_id, ok_to_use);

	/* Release functions: the INT_PTR() value is the index of the pointer
	 * argument that must not be an error pointer. */
	add_function_hook("kfree", match_kfree, INT_PTR(0));
	add_function_hook("brelse", match_kfree, INT_PTR(0));
	add_function_hook("kmem_cache_free", match_kfree, INT_PTR(1));
	add_function_hook("vfree", match_kfree, INT_PTR(0));

	/* Permanent copy of the err_min..err_max range used by the warning
	 * filters in this file. */
	err_ptr_rl = clone_rl_permanent(alloc_rl(err_min, err_max));

	select_return_implies_hook(DEREFERENCE, set_param_dereferenced);
}