2 * Copyright (C) 2010 Dan Carpenter.
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
20 #include "smatch_slist.h"
21 #include "smatch_extra.h"
23 static bool get_rl_sval(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*sval_res
);
24 static bool get_rl_internal(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
);
25 static bool handle_variable(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
);
26 static struct range_list
*(*custom_handle_variable
)(struct expression
*expr
);
28 static bool get_implied_value_internal(struct expression
*expr
, int *recurse_cnt
, sval_t
*res_sval
);
29 static int get_absolute_rl_internal(struct expression
*expr
, struct range_list
**rl
, int *recurse_cnt
);
31 static int low_overhead
;
33 static sval_t zero
= {.type
= &int_ctype
, {.value
= 0} };
34 static sval_t one
= {.type
= &int_ctype
, {.value
= 1} };
36 struct range_list
*rl_zero(void)
38 static struct range_list
*zero_perm
;
41 zero_perm
= clone_rl_permanent(alloc_rl(zero
, zero
));
45 struct range_list
*rl_one(void)
47 static struct range_list
*one_perm
;
50 one_perm
= clone_rl_permanent(alloc_rl(one
, one
));
64 static bool last_stmt_rl(struct statement
*stmt
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
66 struct expression
*expr
;
71 stmt
= last_ptr_list((struct ptr_list
*)stmt
->stmts
);
72 if (stmt
->type
== STMT_LABEL
) {
73 if (stmt
->label_statement
&&
74 stmt
->label_statement
->type
== STMT_EXPRESSION
)
75 expr
= stmt
->label_statement
->expression
;
78 } else if (stmt
->type
== STMT_EXPRESSION
) {
79 expr
= stmt
->expression
;
83 return get_rl_sval(expr
, implied
, recurse_cnt
, res
, res_sval
);
86 static bool handle_expression_statement_rl(struct expression
*expr
, int implied
,
87 int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
89 return last_stmt_rl(get_expression_statement(expr
), implied
, recurse_cnt
, res
, res_sval
);
92 static bool handle_address(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
99 if (implied
== RL_EXACT
)
103 if (get_mtag_sval(expr
, &sval
)) {
109 if (get_address_rl(expr
, res
)) {
117 static bool handle_ampersand_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
119 return handle_address(expr
, implied
, recurse_cnt
, res
, res_sval
);
122 static bool handle_negate_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
124 if (known_condition_true(expr
->unop
)) {
128 if (known_condition_false(expr
->unop
)) {
133 if (implied
== RL_EXACT
)
136 if (implied_condition_true(expr
->unop
)) {
140 if (implied_condition_false(expr
->unop
)) {
145 *res
= alloc_rl(zero
, one
);
149 static bool handle_bitwise_negate(struct expression
*expr
, int implied
, int *recurse_cnt
, sval_t
*res_sval
)
151 struct range_list
*rl
;
154 if (!get_rl_sval(expr
->unop
, implied
, recurse_cnt
, &rl
, &sval
))
156 if (!sval
.type
&& !rl_to_sval(rl
, &sval
))
158 sval
= sval_preop(sval
, '~');
159 sval_cast(get_type(expr
->unop
), sval
);
164 static bool handle_minus_preop(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
166 struct range_list
*rl
;
170 if (!get_rl_sval(expr
->unop
, implied
, recurse_cnt
, &rl
, &sval
))
173 *res_sval
= sval_preop(sval
, '-');
176 min
= sval_preop(rl_max(rl
), '-');
177 max
= sval_preop(rl_min(rl
), '-');
178 *res
= alloc_rl(min
, max
);
182 static bool handle_preop_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
186 return handle_ampersand_rl(expr
, implied
, recurse_cnt
, res
, res_sval
);
188 return handle_negate_rl(expr
, implied
, recurse_cnt
, res
, res_sval
);
190 return handle_bitwise_negate(expr
, implied
, recurse_cnt
, res_sval
);
192 return handle_minus_preop(expr
, implied
, recurse_cnt
, res
, res_sval
);
194 return handle_variable(expr
, implied
, recurse_cnt
, res
, res_sval
);
196 return handle_expression_statement_rl(expr
, implied
, recurse_cnt
, res
, res_sval
);
202 static bool handle_divide_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
204 struct range_list
*left_rl
= NULL
;
205 struct range_list
*right_rl
= NULL
;
208 type
= get_type(expr
);
210 get_rl_internal(expr
->left
, implied
, recurse_cnt
, &left_rl
);
211 left_rl
= cast_rl(type
, left_rl
);
212 get_rl_internal(expr
->right
, implied
, recurse_cnt
, &right_rl
);
213 right_rl
= cast_rl(type
, right_rl
);
215 if (!left_rl
|| !right_rl
)
218 if (implied
!= RL_REAL_ABSOLUTE
) {
219 if (is_whole_rl(left_rl
) || is_whole_rl(right_rl
))
223 *res
= rl_binop(left_rl
, '/', right_rl
);
227 static int handle_offset_subtraction(struct expression
*expr
)
229 struct expression
*left
, *right
;
230 struct symbol
*left_sym
, *right_sym
;
232 int left_offset
, right_offset
;
234 type
= get_type(expr
);
235 if (!type
|| type
->type
!= SYM_PTR
)
237 type
= get_real_base_type(type
);
238 if (!type
|| (type_bits(type
) != 8 && (type
!= &void_ctype
)))
241 left
= strip_expr(expr
->left
);
242 right
= strip_expr(expr
->right
);
244 if (left
->type
!= EXPR_PREOP
|| left
->op
!= '&')
246 left
= strip_expr(left
->unop
);
248 left_sym
= expr_to_sym(left
);
249 right_sym
= expr_to_sym(right
);
250 if (!left_sym
|| left_sym
!= right_sym
)
253 left_offset
= get_member_offset_from_deref(left
);
254 if (right
->type
== EXPR_SYMBOL
)
257 if (right
->type
!= EXPR_PREOP
|| right
->op
!= '&')
259 right
= strip_expr(right
->unop
);
260 right_offset
= get_member_offset_from_deref(right
);
262 if (left_offset
< 0 || right_offset
< 0)
265 return left_offset
- right_offset
;
268 static bool handle_subtract_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
271 struct range_list
*left_orig
, *right_orig
;
272 struct range_list
*left_rl
, *right_rl
;
273 sval_t max
, min
, tmp
;
277 type
= get_type(expr
);
279 offset
= handle_offset_subtraction(expr
);
284 *res
= alloc_rl(tmp
, tmp
);
288 comparison
= get_comparison(expr
->left
, expr
->right
);
291 get_rl_internal(expr
->left
, implied
, recurse_cnt
, &left_orig
);
292 left_rl
= cast_rl(type
, left_orig
);
294 get_rl_internal(expr
->right
, implied
, recurse_cnt
, &right_orig
);
295 right_rl
= cast_rl(type
, right_orig
);
297 if ((!left_rl
|| !right_rl
) &&
298 (implied
== RL_EXACT
|| implied
== RL_HARD
|| implied
== RL_FUZZY
))
302 left_rl
= alloc_whole_rl(type
);
304 right_rl
= alloc_whole_rl(type
);
306 /* negative values complicate everything fix this later */
307 if (sval_is_negative(rl_min(right_rl
)))
309 max
= rl_max(left_rl
);
310 min
= sval_type_min(type
);
312 switch (comparison
) {
314 case SPECIAL_UNSIGNED_GT
:
315 min
= sval_type_val(type
, 1);
316 max
= rl_max(left_rl
);
319 case SPECIAL_UNSIGNED_GTE
:
320 min
= sval_type_val(type
, 0);
321 max
= rl_max(left_rl
);
324 min
= sval_type_val(type
, 0);
325 max
= sval_type_val(type
, 0);
328 case SPECIAL_UNSIGNED_LT
:
329 max
= sval_type_val(type
, -1);
332 case SPECIAL_UNSIGNED_LTE
:
333 max
= sval_type_val(type
, 0);
336 if (!left_orig
|| !right_orig
)
338 *res
= rl_binop(left_rl
, '-', right_rl
);
342 if (!sval_binop_overflows(rl_min(left_rl
), '-', rl_max(right_rl
))) {
343 tmp
= sval_binop(rl_min(left_rl
), '-', rl_max(right_rl
));
344 if (sval_cmp(tmp
, min
) > 0)
348 if (!sval_is_max(rl_max(left_rl
))) {
349 tmp
= sval_binop(rl_max(left_rl
), '-', rl_min(right_rl
));
350 if (sval_cmp(tmp
, max
) < 0)
354 if (sval_is_min(min
) && sval_is_max(max
))
357 *res
= cast_rl(type
, alloc_rl(min
, max
));
361 static bool handle_mod_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
363 struct range_list
*rl
;
364 sval_t left
, right
, sval
;
366 if (implied
== RL_EXACT
) {
367 if (!get_implied_value(expr
->right
, &right
))
369 if (!get_implied_value(expr
->left
, &left
))
371 sval
= sval_binop(left
, '%', right
);
372 *res
= alloc_rl(sval
, sval
);
375 /* if we can't figure out the right side it's probably hopeless */
376 if (!get_implied_value_internal(expr
->right
, recurse_cnt
, &right
))
379 right
= sval_cast(get_type(expr
), right
);
382 if (get_rl_internal(expr
->left
, implied
, recurse_cnt
, &rl
) && rl
&&
383 rl_max(rl
).uvalue
< right
.uvalue
)
384 right
.uvalue
= rl_max(rl
).uvalue
;
386 *res
= alloc_rl(sval_cast(right
.type
, zero
), right
);
390 static sval_t
sval_lowest_set_bit(sval_t sval
)
395 for (i
= 0; i
< 64; i
++) {
396 if (sval
.uvalue
& 1ULL << i
) {
399 sval
.uvalue
&= ~(1ULL << i
);
405 static bool handle_bitwise_AND(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
408 struct range_list
*left_rl
, *right_rl
;
412 if (implied
!= RL_IMPLIED
&& implied
!= RL_ABSOLUTE
&& implied
!= RL_REAL_ABSOLUTE
)
415 type
= get_type(expr
);
417 if (get_implied_value_internal(expr
->left
, recurse_cnt
, &known
)) {
420 min
= sval_lowest_set_bit(known
);
421 left_rl
= alloc_rl(min
, known
);
422 left_rl
= cast_rl(type
, left_rl
);
423 add_range(&left_rl
, sval_type_val(type
, 0), sval_type_val(type
, 0));
425 if (get_rl_internal(expr
->left
, implied
, recurse_cnt
, &left_rl
)) {
426 left_rl
= cast_rl(type
, left_rl
);
427 left_rl
= alloc_rl(sval_type_val(type
, 0), rl_max(left_rl
));
429 if (implied
== RL_HARD
)
431 left_rl
= alloc_whole_rl(type
);
435 new_recurse
= *recurse_cnt
;
436 if (*recurse_cnt
>= 200)
437 new_recurse
= 100; /* Let's try super hard to get the mask */
438 if (get_implied_value_internal(expr
->right
, &new_recurse
, &known
)) {
439 sval_t min
, left_max
, mod
;
441 *recurse_cnt
= new_recurse
;
443 min
= sval_lowest_set_bit(known
);
444 right_rl
= alloc_rl(min
, known
);
445 right_rl
= cast_rl(type
, right_rl
);
446 add_range(&right_rl
, sval_type_val(type
, 0), sval_type_val(type
, 0));
448 if (min
.value
!= 0) {
449 left_max
= rl_max(left_rl
);
450 mod
= sval_binop(left_max
, '%', min
);
452 left_max
= sval_binop(left_max
, '-', mod
);
454 if (left_max
.value
> 0 && sval_cmp(left_max
, rl_max(left_rl
)) < 0)
455 left_rl
= remove_range(left_rl
, left_max
, rl_max(left_rl
));
459 if (get_rl_internal(expr
->right
, implied
, recurse_cnt
, &right_rl
)) {
460 right_rl
= cast_rl(type
, right_rl
);
461 right_rl
= alloc_rl(sval_type_val(type
, 0), rl_max(right_rl
));
463 if (implied
== RL_HARD
)
465 right_rl
= alloc_whole_rl(type
);
469 *res
= rl_intersection(left_rl
, right_rl
);
473 static bool use_rl_binop(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
476 struct range_list
*left_rl
, *right_rl
;
478 if (implied
!= RL_IMPLIED
&& implied
!= RL_ABSOLUTE
&& implied
!= RL_REAL_ABSOLUTE
)
481 type
= get_type(expr
);
483 get_absolute_rl_internal(expr
->left
, &left_rl
, recurse_cnt
);
484 get_absolute_rl_internal(expr
->right
, &right_rl
, recurse_cnt
);
485 left_rl
= cast_rl(type
, left_rl
);
486 right_rl
= cast_rl(type
, right_rl
);
487 if (!left_rl
|| !right_rl
)
490 *res
= rl_binop(left_rl
, expr
->op
, right_rl
);
494 static bool handle_right_shift(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
496 struct range_list
*left_rl
;
500 if (implied
== RL_EXACT
|| implied
== RL_HARD
)
503 if (get_rl_internal(expr
->left
, implied
, recurse_cnt
, &left_rl
)) {
504 max
= rl_max(left_rl
);
505 min
= rl_min(left_rl
);
507 if (implied
== RL_FUZZY
)
509 max
= sval_type_max(get_type(expr
->left
));
510 min
= sval_type_val(get_type(expr
->left
), 0);
513 if (get_implied_value_internal(expr
->right
, recurse_cnt
, &right
)) {
514 min
= sval_binop(min
, SPECIAL_RIGHTSHIFT
, right
);
515 max
= sval_binop(max
, SPECIAL_RIGHTSHIFT
, right
);
516 } else if (!sval_is_negative(min
)) {
518 max
= sval_type_max(max
.type
);
523 *res
= alloc_rl(min
, max
);
527 static bool handle_left_shift(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
529 struct range_list
*left_rl
, *rl
;
534 if (implied
== RL_EXACT
|| implied
== RL_HARD
)
536 /* this is hopeless without the right side */
537 if (!get_implied_value_internal(expr
->right
, recurse_cnt
, &right
))
539 if (get_rl_internal(expr
->left
, implied
, recurse_cnt
, &left_rl
)) {
540 max
= rl_max(left_rl
);
541 min
= rl_min(left_rl
);
542 if (min
.value
== 0) {
547 if (implied
== RL_FUZZY
)
549 max
= sval_type_max(get_type(expr
->left
));
550 min
= sval_type_val(get_type(expr
->left
), 1);
554 max
= sval_binop(max
, SPECIAL_LEFTSHIFT
, right
);
555 min
= sval_binop(min
, SPECIAL_LEFTSHIFT
, right
);
556 rl
= alloc_rl(min
, max
);
558 rl
= rl_union(rl
, rl_zero());
563 static bool handle_known_binop(struct expression
*expr
, sval_t
*res
)
567 if (!get_value(expr
->left
, &left
))
569 if (!get_value(expr
->right
, &right
))
571 *res
= sval_binop(left
, expr
->op
, right
);
575 static int has_actual_ranges(struct range_list
*rl
)
577 struct data_range
*tmp
;
579 FOR_EACH_PTR(rl
, tmp
) {
580 if (sval_cmp(tmp
->min
, tmp
->max
) != 0)
582 } END_FOR_EACH_PTR(tmp
);
586 static struct range_list
*handle_implied_binop(struct range_list
*left_rl
, int op
, struct range_list
*right_rl
)
588 struct range_list
*res_rl
;
589 struct data_range
*left_drange
, *right_drange
;
592 if (!left_rl
|| !right_rl
)
594 if (has_actual_ranges(left_rl
))
596 if (has_actual_ranges(right_rl
))
599 if (ptr_list_size((struct ptr_list
*)left_rl
) * ptr_list_size((struct ptr_list
*)right_rl
) > 20)
604 FOR_EACH_PTR(left_rl
, left_drange
) {
605 FOR_EACH_PTR(right_rl
, right_drange
) {
606 if ((op
== '%' || op
== '/') &&
607 right_drange
->min
.value
== 0)
609 res
= sval_binop(left_drange
->min
, op
, right_drange
->min
);
610 add_range(&res_rl
, res
, res
);
611 } END_FOR_EACH_PTR(right_drange
);
612 } END_FOR_EACH_PTR(left_drange
);
617 static bool handle_binop_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
619 struct smatch_state
*state
;
621 struct range_list
*left_rl
= NULL
;
622 struct range_list
*right_rl
= NULL
;
623 struct range_list
*rl
;
624 sval_t val
, min
, max
;
626 if (handle_known_binop(expr
, &val
)) {
630 if (implied
== RL_EXACT
)
633 if (custom_handle_variable
) {
634 rl
= custom_handle_variable(expr
);
641 state
= get_extra_state(expr
);
642 if (state
&& !is_whole_rl(estate_rl(state
))) {
643 if (implied
!= RL_HARD
|| estate_has_hard_max(state
)) {
644 *res
= clone_rl(estate_rl(state
));
649 type
= get_promoted_type(get_type(expr
->left
), get_type(expr
->right
));
650 get_rl_internal(expr
->left
, implied
, recurse_cnt
, &left_rl
);
651 left_rl
= cast_rl(type
, left_rl
);
652 get_rl_internal(expr
->right
, implied
, recurse_cnt
, &right_rl
);
653 right_rl
= cast_rl(type
, right_rl
);
654 if (!left_rl
&& !right_rl
)
657 rl
= handle_implied_binop(left_rl
, expr
->op
, right_rl
);
665 return handle_mod_rl(expr
, implied
, recurse_cnt
, res
);
667 return handle_bitwise_AND(expr
, implied
, recurse_cnt
, res
);
670 return use_rl_binop(expr
, implied
, recurse_cnt
, res
);
671 case SPECIAL_RIGHTSHIFT
:
672 return handle_right_shift(expr
, implied
, recurse_cnt
, res
);
673 case SPECIAL_LEFTSHIFT
:
674 return handle_left_shift(expr
, implied
, recurse_cnt
, res
);
676 return handle_subtract_rl(expr
, implied
, recurse_cnt
, res
);
678 return handle_divide_rl(expr
, implied
, recurse_cnt
, res
);
681 if (!left_rl
|| !right_rl
)
684 if (sval_binop_overflows(rl_min(left_rl
), expr
->op
, rl_min(right_rl
)))
686 if (sval_binop_overflows(rl_max(left_rl
), expr
->op
, rl_max(right_rl
)))
689 min
= sval_binop(rl_min(left_rl
), expr
->op
, rl_min(right_rl
));
690 max
= sval_binop(rl_max(left_rl
), expr
->op
, rl_max(right_rl
));
692 *res
= alloc_rl(min
, max
);
696 static int do_comparison(struct expression
*expr
)
698 struct range_list
*left_ranges
= NULL
;
699 struct range_list
*right_ranges
= NULL
;
700 int poss_true
, poss_false
;
703 type
= get_type(expr
);
704 get_absolute_rl(expr
->left
, &left_ranges
);
705 get_absolute_rl(expr
->right
, &right_ranges
);
707 left_ranges
= cast_rl(type
, left_ranges
);
708 right_ranges
= cast_rl(type
, right_ranges
);
710 poss_true
= possibly_true_rl(left_ranges
, expr
->op
, right_ranges
);
711 poss_false
= possibly_false_rl(left_ranges
, expr
->op
, right_ranges
);
713 if (!poss_true
&& !poss_false
)
715 if (poss_true
&& !poss_false
)
717 if (!poss_true
&& poss_false
)
722 static bool handle_comparison_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
727 if (expr
->op
== SPECIAL_EQUAL
&& expr
->left
->type
== EXPR_TYPE
) {
728 struct symbol
*left
, *right
;
730 left
= get_real_base_type(expr
->left
->symbol
);
731 right
= get_real_base_type(expr
->left
->symbol
);
739 if (get_value(expr
->left
, &left
) && get_value(expr
->right
, &right
)) {
740 struct data_range tmp_left
, tmp_right
;
744 tmp_right
.min
= right
;
745 tmp_right
.max
= right
;
746 if (true_comparison_range(&tmp_left
, expr
->op
, &tmp_right
))
753 if (implied
== RL_EXACT
)
756 cmp
= do_comparison(expr
);
766 *res
= alloc_rl(zero
, one
);
770 static bool handle_logical_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
776 if (implied
== RL_EXACT
) {
777 if (get_value(expr
->left
, &left
))
779 if (get_value(expr
->right
, &right
))
782 if (get_implied_value_internal(expr
->left
, recurse_cnt
, &left
))
784 if (get_implied_value_internal(expr
->right
, recurse_cnt
, &right
))
789 case SPECIAL_LOGICAL_OR
:
790 if (left_known
&& left
.value
)
792 if (right_known
&& right
.value
)
794 if (left_known
&& right_known
)
797 case SPECIAL_LOGICAL_AND
:
798 if (left_known
&& right_known
) {
799 if (left
.value
&& right
.value
)
808 if (implied
== RL_EXACT
)
811 *res
= alloc_rl(zero
, one
);
822 static bool handle_conditional_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
824 struct expression
*cond_true
;
825 struct range_list
*true_rl
, *false_rl
;
827 int final_pass_orig
= final_pass
;
829 cond_true
= expr
->cond_true
;
831 cond_true
= expr
->conditional
;
833 if (known_condition_true(expr
->conditional
))
834 return get_rl_sval(cond_true
, implied
, recurse_cnt
, res
, res_sval
);
835 if (known_condition_false(expr
->conditional
))
836 return get_rl_sval(expr
->cond_false
, implied
, recurse_cnt
, res
, res_sval
);
838 if (implied
== RL_EXACT
)
841 if (implied_condition_true(expr
->conditional
))
842 return get_rl_sval(cond_true
, implied
, recurse_cnt
, res
, res_sval
);
843 if (implied_condition_false(expr
->conditional
))
844 return get_rl_sval(expr
->cond_false
, implied
, recurse_cnt
, res
, res_sval
);
846 /* this becomes a problem with deeply nested conditional statements */
847 if (low_overhead
|| low_on_memory())
850 type
= get_type(expr
);
852 __push_fake_cur_stree();
854 __split_whole_condition(expr
->conditional
);
856 get_rl_internal(cond_true
, implied
, recurse_cnt
, &true_rl
);
857 __push_true_states();
858 __use_false_states();
860 get_rl_internal(expr
->cond_false
, implied
, recurse_cnt
, &false_rl
);
861 __merge_true_states();
862 __free_fake_cur_stree();
863 final_pass
= final_pass_orig
;
865 if (!true_rl
|| !false_rl
)
867 true_rl
= cast_rl(type
, true_rl
);
868 false_rl
= cast_rl(type
, false_rl
);
870 *res
= rl_union(true_rl
, false_rl
);
874 static bool get_fuzzy_max_helper(struct expression
*expr
, sval_t
*max
)
876 struct smatch_state
*state
;
879 if (get_hard_max(expr
, &sval
)) {
884 state
= get_extra_state(expr
);
885 if (!state
|| !estate_has_fuzzy_max(state
))
887 *max
= sval_cast(get_type(expr
), estate_get_fuzzy_max(state
));
891 static bool get_fuzzy_min_helper(struct expression
*expr
, sval_t
*min
)
893 struct smatch_state
*state
;
896 state
= get_extra_state(expr
);
897 if (!state
|| !estate_rl(state
))
900 sval
= estate_min(state
);
901 if (sval_is_negative(sval
) && sval_is_min(sval
))
904 if (sval_is_max(sval
))
907 *min
= sval_cast(get_type(expr
), sval
);
911 int get_const_value(struct expression
*expr
, sval_t
*sval
)
916 if (expr
->type
!= EXPR_SYMBOL
|| !expr
->symbol
)
919 if (!(sym
->ctype
.modifiers
& MOD_CONST
))
921 if (get_value(sym
->initializer
, &right
)) {
922 *sval
= sval_cast(get_type(expr
), right
);
928 struct range_list
*var_to_absolute_rl(struct expression
*expr
)
930 struct smatch_state
*state
;
931 struct range_list
*rl
;
933 state
= get_extra_state(expr
);
934 if (!state
|| is_whole_rl(estate_rl(state
))) {
935 state
= get_real_absolute_state(expr
);
936 if (state
&& state
->data
&& !estate_is_whole(state
))
937 return clone_rl(estate_rl(state
));
938 if (get_local_rl(expr
, &rl
) && !is_whole_rl(rl
))
940 if (get_mtag_rl(expr
, &rl
))
942 if (get_db_type_rl(expr
, &rl
) && !is_whole_rl(rl
))
944 return alloc_whole_rl(get_type(expr
));
946 /* err on the side of saying things are possible */
947 if (!estate_rl(state
))
948 return alloc_whole_rl(get_type(expr
));
949 return clone_rl(estate_rl(state
));
952 static bool handle_variable(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
954 struct smatch_state
*state
;
955 struct range_list
*rl
;
956 sval_t sval
, min
, max
;
959 if (get_const_value(expr
, &sval
)) {
964 if (implied
== RL_EXACT
)
967 if (custom_handle_variable
) {
968 rl
= custom_handle_variable(expr
);
970 if (!rl_to_sval(rl
, res_sval
))
973 *res
= var_to_absolute_rl(expr
);
978 if (get_mtag_sval(expr
, &sval
)) {
983 type
= get_type(expr
);
985 (type
->type
== SYM_ARRAY
||
986 type
->type
== SYM_FN
))
987 return handle_address(expr
, implied
, recurse_cnt
, res
, res_sval
);
989 /* FIXME: call rl_to_sval() on the results */
995 state
= get_extra_state(expr
);
996 if (!state
|| !state
->data
) {
997 if (implied
== RL_HARD
)
999 if (get_local_rl(expr
, res
))
1001 if (get_mtag_rl(expr
, res
))
1003 if (get_db_type_rl(expr
, res
))
1005 if (is_array(expr
) && get_array_rl(expr
, res
))
1009 if (implied
== RL_HARD
&& !estate_has_hard_max(state
))
1011 *res
= clone_rl(estate_rl(state
));
1013 case RL_REAL_ABSOLUTE
: {
1014 struct smatch_state
*abs_state
;
1016 state
= get_extra_state(expr
);
1017 abs_state
= get_real_absolute_state(expr
);
1019 if (estate_rl(state
) && estate_rl(abs_state
)) {
1020 *res
= clone_rl(rl_intersection(estate_rl(state
),
1021 estate_rl(abs_state
)));
1023 } else if (estate_rl(state
)) {
1024 *res
= clone_rl(estate_rl(state
));
1026 } else if (estate_is_empty(state
)) {
1028 * FIXME: we don't handle empty extra states correctly.
1030 * The real abs rl is supposed to be filtered by the
1031 * extra state if there is one. We don't bother keeping
1032 * the abs state in sync all the time because we know it
1033 * will be filtered later.
1035 * It's not totally obvious to me how they should be
1036 * handled. Perhaps we should take the whole rl and
1037 * filter by the imaginary states. Perhaps we should
1038 * just go with the empty state.
1040 * Anyway what we currently do is return NULL here and
1041 * that gets translated into the whole range in
1042 * get_real_absolute_rl().
1046 } else if (estate_rl(abs_state
)) {
1047 *res
= clone_rl(estate_rl(abs_state
));
1051 if (get_local_rl(expr
, res
))
1053 if (get_mtag_rl(expr
, res
))
1055 if (get_db_type_rl(expr
, res
))
1057 if (is_array(expr
) && get_array_rl(expr
, res
))
1062 if (!get_fuzzy_min_helper(expr
, &min
))
1063 min
= sval_type_min(get_type(expr
));
1064 if (!get_fuzzy_max_helper(expr
, &max
))
1066 /* fuzzy ranges are often inverted */
1067 if (sval_cmp(min
, max
) > 0) {
1072 *res
= alloc_rl(min
, max
);
1078 static sval_t
handle_sizeof(struct expression
*expr
)
1083 ret
= sval_blank(expr
);
1084 sym
= expr
->cast_type
;
1086 sym
= evaluate_expression(expr
->cast_expression
);
1088 __silence_warnings_for_stmt
= true;
1093 * Expressions of restricted types will possibly get
1094 * promoted - check that here. I'm not sure how this works,
1095 * the problem is that sizeof(le16) shouldn't be promoted and
1096 * the original code did that... Let's if zero this out and
1100 if (is_restricted_type(sym
)) {
1101 if (type_bits(sym
) < bits_in_int
)
1105 if (is_fouled_type(sym
))
1108 examine_symbol_type(sym
);
1110 ret
.type
= size_t_ctype
;
1111 if (type_bits(sym
) <= 0) /* sizeof(void) */ {
1112 if (get_real_base_type(sym
) == &void_ctype
)
1117 ret
.value
= type_bytes(sym
);
1122 static bool handle_strlen(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
1124 struct expression
*arg
, *tmp
;
1126 sval_t ret
= { .type
= &ulong_ctype
};
1127 struct range_list
*rl
;
1129 arg
= get_argument_from_call_expr(expr
->args
, 0);
1132 if (arg
->type
== EXPR_STRING
) {
1133 ret
.value
= arg
->string
->length
- 1;
1137 if (implied
== RL_EXACT
)
1139 if (get_implied_value(arg
, &tag
) &&
1140 (tmp
= fake_string_from_mtag(tag
.uvalue
))) {
1141 ret
.value
= tmp
->string
->length
- 1;
1146 if (implied
== RL_HARD
|| implied
== RL_FUZZY
)
1149 if (get_implied_return(expr
, &rl
)) {
1157 static bool handle_builtin_constant_p(struct expression
*expr
, int implied
, int *recurse_cnt
, sval_t
*res_sval
)
1159 struct expression
*arg
;
1160 struct range_list
*rl
;
1162 arg
= get_argument_from_call_expr(expr
->args
, 0);
1163 if (get_rl_internal(arg
, RL_EXACT
, recurse_cnt
, &rl
))
1170 static bool handle__builtin_choose_expr(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
1172 struct expression
*const_expr
, *expr1
, *expr2
;
1175 const_expr
= get_argument_from_call_expr(expr
->args
, 0);
1176 expr1
= get_argument_from_call_expr(expr
->args
, 1);
1177 expr2
= get_argument_from_call_expr(expr
->args
, 2);
1179 if (!get_value(const_expr
, &sval
) || !expr1
|| !expr2
)
1182 return get_rl_sval(expr1
, implied
, recurse_cnt
, res
, res_sval
);
1184 return get_rl_sval(expr2
, implied
, recurse_cnt
, res
, res_sval
);
1187 static bool handle_call_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
1189 struct range_list
*rl
;
1191 if (sym_name_is("__builtin_constant_p", expr
->fn
))
1192 return handle_builtin_constant_p(expr
, implied
, recurse_cnt
, res_sval
);
1194 if (sym_name_is("__builtin_choose_expr", expr
->fn
))
1195 return handle__builtin_choose_expr(expr
, implied
, recurse_cnt
, res
, res_sval
);
1197 if (sym_name_is("__builtin_expect", expr
->fn
) ||
1198 sym_name_is("__builtin_bswap16", expr
->fn
) ||
1199 sym_name_is("__builtin_bswap32", expr
->fn
) ||
1200 sym_name_is("__builtin_bswap64", expr
->fn
)) {
1201 struct expression
*arg
;
1203 arg
= get_argument_from_call_expr(expr
->args
, 0);
1204 return get_rl_sval(arg
, implied
, recurse_cnt
, res
, res_sval
);
1207 if (sym_name_is("strlen", expr
->fn
))
1208 return handle_strlen(expr
, implied
, recurse_cnt
, res
, res_sval
);
1210 if (implied
== RL_EXACT
|| implied
== RL_HARD
|| implied
== RL_FUZZY
)
1213 if (custom_handle_variable
) {
1214 rl
= custom_handle_variable(expr
);
1221 /* Ugh... get_implied_return() sets *rl to NULL on failure */
1222 if (get_implied_return(expr
, &rl
)) {
1226 rl
= db_return_vals(expr
);
1234 static bool handle_cast(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
1236 struct range_list
*rl
;
1237 struct symbol
*type
;
1240 type
= get_type(expr
);
1241 if (get_rl_sval(expr
->cast_expression
, implied
, recurse_cnt
, &rl
, &sval
)) {
1243 *res_sval
= sval_cast(type
, sval
);
1245 *res
= cast_rl(type
, rl
);
1248 if (implied
== RL_ABSOLUTE
|| implied
== RL_REAL_ABSOLUTE
) {
1249 *res
= alloc_whole_rl(type
);
1252 if (implied
== RL_IMPLIED
&& type
&&
1253 type_bits(type
) > 0 && type_bits(type
) < 32) {
1254 *res
= alloc_whole_rl(type
);
1260 static bool handle_offsetof_rl(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*res_sval
)
1263 * FIXME: I don't really know what I'm doing here. I wish that I
1264 * could just get rid of the __builtin_offset() function and use:
1265 * "&((struct bpf_prog *)NULL)->insns[fprog->len]" instead...
1266 * Anyway, I have done the minimum ammount of work to get that
1267 * expression to work.
1271 if (expr
->op
== '.' && expr
->down
&&
1272 expr
->down
->type
== EXPR_OFFSETOF
&&
1273 expr
->down
->op
== '[' &&
1274 expr
->down
->index
) {
1275 struct expression
*index
= expr
->down
->index
;
1276 struct symbol
*type
= expr
->in
;
1277 struct range_list
*rl
;
1278 struct symbol
*field
;
1280 sval_t sval
= { .type
= ssize_t_ctype
};
1282 examine_symbol_type(type
);
1283 type
= get_real_base_type(type
);
1286 field
= find_identifier(expr
->ident
, type
->symbol_list
, &offset
);
1290 type
= get_real_base_type(field
);
1291 if (!type
|| type
->type
!= SYM_ARRAY
)
1293 type
= get_real_base_type(type
);
1295 if (get_implied_value_internal(index
, recurse_cnt
, &sval
)) {
1296 res_sval
->type
= ssize_t_ctype
;
1297 res_sval
->value
= offset
+ sval
.value
* type_bytes(type
);
1301 if (!get_rl_sval(index
, implied
, recurse_cnt
, &rl
, NULL
))
1304 sval
.value
= type_bytes(type
);
1305 rl
= rl_binop(rl
, '*', alloc_rl(sval
, sval
));
1306 sval
.value
= offset
;
1307 *res
= rl_binop(rl
, '+', alloc_rl(sval
, sval
));
1311 evaluate_expression(expr
);
1312 if (expr
->type
== EXPR_VALUE
) {
1313 *res_sval
= sval_from_val(expr
, expr
->value
);
1319 static bool get_rl_sval(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
, sval_t
*sval_res
)
1321 struct range_list
*rl
= (void *)-1UL;
1322 struct symbol
*type
;
1325 type
= get_type(expr
);
1326 expr
= strip_parens(expr
);
1330 if (++(*recurse_cnt
) >= 200)
1333 switch(expr
->type
) {
1335 case EXPR_FORCE_CAST
:
1336 case EXPR_IMPLIED_CAST
:
1337 handle_cast(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1341 expr
= strip_expr(expr
);
1345 switch (expr
->type
) {
1347 sval
= sval_from_val(expr
, expr
->value
);
1350 handle_preop_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1353 get_rl_sval(expr
->unop
, implied
, recurse_cnt
, &rl
, &sval
);
1356 handle_binop_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1359 handle_comparison_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1362 handle_logical_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1364 case EXPR_PTRSIZEOF
:
1366 sval
= handle_sizeof(expr
);
1369 case EXPR_CONDITIONAL
:
1370 handle_conditional_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1373 handle_call_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1376 if (get_mtag_sval(expr
, &sval
))
1378 if (implied
== RL_EXACT
)
1380 rl
= alloc_rl(valid_ptr_min_sval
, valid_ptr_max_sval
);
1383 handle_offsetof_rl(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1386 evaluate_expression(expr
);
1387 if (expr
->type
== EXPR_VALUE
)
1388 sval
= sval_from_val(expr
, expr
->value
);
1391 handle_variable(expr
, implied
, recurse_cnt
, &rl
, &sval
);
1395 if (rl
== (void *)-1UL)
1398 if (sval
.type
|| (rl
&& rl_to_sval(rl
, &sval
))) {
1402 if (implied
== RL_EXACT
)
1409 if (type
&& (implied
== RL_ABSOLUTE
|| implied
== RL_REAL_ABSOLUTE
)) {
1410 *res
= alloc_whole_rl(type
);
1416 static bool get_rl_internal(struct expression
*expr
, int implied
, int *recurse_cnt
, struct range_list
**res
)
1418 struct range_list
*rl
= NULL
;
1421 if (!get_rl_sval(expr
, implied
, recurse_cnt
, &rl
, &sval
))
1425 *res
= alloc_rl(sval
, sval
);
1431 static bool get_rl_helper(struct expression
*expr
, int implied
, struct range_list
**res
)
1433 struct range_list
*rl
= NULL
;
1435 int recurse_cnt
= 0;
1437 if (get_value(expr
, &sval
)) {
1438 *res
= alloc_rl(sval
, sval
);
1442 if (!get_rl_sval(expr
, implied
, &recurse_cnt
, &rl
, &sval
))
1446 *res
= alloc_rl(sval
, sval
);
1453 struct expression
*expr
;
1455 } cached_results
[24];
1456 static int cache_idx
;
1458 void clear_math_cache(void)
1460 memset(cached_results
, 0, sizeof(cached_results
));
1464 * Don't cache EXPR_VALUE because values are fast already.
1467 static bool get_value_literal(struct expression
*expr
, sval_t
*res_sval
)
1469 struct expression
*tmp
;
1470 int recurse_cnt
= 0;
1472 tmp
= strip_expr(expr
);
1473 if (!tmp
|| tmp
->type
!= EXPR_VALUE
)
1476 return get_rl_sval(expr
, RL_EXACT
, &recurse_cnt
, NULL
, res_sval
);
1479 /* returns 1 if it can get a value literal or else returns 0 */
1480 int get_value(struct expression
*expr
, sval_t
*res_sval
)
1482 struct range_list
*(*orig_custom_fn
)(struct expression
*expr
);
1483 int recurse_cnt
= 0;
1487 if (get_value_literal(expr
, res_sval
))
1491 * This only handles RL_EXACT because other expr statements can be
1492 * different at different points. Like the list iterator, for example.
1494 for (i
= 0; i
< ARRAY_SIZE(cached_results
); i
++) {
1495 if (expr
== cached_results
[i
].expr
) {
1496 if (cached_results
[i
].sval
.type
) {
1497 *res_sval
= cached_results
[i
].sval
;
1504 orig_custom_fn
= custom_handle_variable
;
1505 custom_handle_variable
= NULL
;
1506 get_rl_sval(expr
, RL_EXACT
, &recurse_cnt
, NULL
, &sval
);
1508 custom_handle_variable
= orig_custom_fn
;
1510 cached_results
[cache_idx
].expr
= expr
;
1511 cached_results
[cache_idx
].sval
= sval
;
1512 cache_idx
= (cache_idx
+ 1) % ARRAY_SIZE(cached_results
);
1521 static bool get_implied_value_internal(struct expression
*expr
, int *recurse_cnt
, sval_t
*res_sval
)
1523 struct range_list
*rl
;
1525 res_sval
->type
= NULL
;
1527 if (!get_rl_sval(expr
, RL_IMPLIED
, recurse_cnt
, &rl
, res_sval
))
1529 if (!res_sval
->type
&& !rl_to_sval(rl
, res_sval
))
1534 int get_implied_value(struct expression
*expr
, sval_t
*sval
)
1536 struct range_list
*rl
;
1538 if (!get_rl_helper(expr
, RL_IMPLIED
, &rl
) ||
1539 !rl_to_sval(rl
, sval
))
1544 int get_implied_value_low_overhead(struct expression
*expr
, sval_t
*sval
)
1549 ret
= get_implied_value(expr
, sval
);
1555 int get_implied_min(struct expression
*expr
, sval_t
*sval
)
1557 struct range_list
*rl
;
1559 if (!get_rl_helper(expr
, RL_IMPLIED
, &rl
) || !rl
)
1565 int get_implied_max(struct expression
*expr
, sval_t
*sval
)
1567 struct range_list
*rl
;
1569 if (!get_rl_helper(expr
, RL_IMPLIED
, &rl
) || !rl
)
1575 int get_implied_rl(struct expression
*expr
, struct range_list
**rl
)
1577 if (!get_rl_helper(expr
, RL_IMPLIED
, rl
) || !*rl
)
1582 static int get_absolute_rl_internal(struct expression
*expr
, struct range_list
**rl
, int *recurse_cnt
)
1585 get_rl_internal(expr
, RL_ABSOLUTE
, recurse_cnt
, rl
);
1587 *rl
= alloc_whole_rl(get_type(expr
));
1591 int get_absolute_rl(struct expression
*expr
, struct range_list
**rl
)
1594 get_rl_helper(expr
, RL_ABSOLUTE
, rl
);
1596 *rl
= alloc_whole_rl(get_type(expr
));
1600 int get_real_absolute_rl(struct expression
*expr
, struct range_list
**rl
)
1603 get_rl_helper(expr
, RL_REAL_ABSOLUTE
, rl
);
1605 *rl
= alloc_whole_rl(get_type(expr
));
1609 int custom_get_absolute_rl(struct expression
*expr
,
1610 struct range_list
*(*fn
)(struct expression
*expr
),
1611 struct range_list
**rl
)
1616 custom_handle_variable
= fn
;
1617 ret
= get_rl_helper(expr
, RL_REAL_ABSOLUTE
, rl
);
1618 custom_handle_variable
= NULL
;
1622 int get_implied_rl_var_sym(const char *var
, struct symbol
*sym
, struct range_list
**rl
)
1624 struct smatch_state
*state
;
1626 state
= get_state(SMATCH_EXTRA
, var
, sym
);
1627 *rl
= estate_rl(state
);
1633 int get_hard_max(struct expression
*expr
, sval_t
*sval
)
1635 struct range_list
*rl
;
1637 if (!get_rl_helper(expr
, RL_HARD
, &rl
) || !rl
)
1643 int get_fuzzy_min(struct expression
*expr
, sval_t
*sval
)
1645 struct range_list
*rl
;
1648 if (!get_rl_helper(expr
, RL_FUZZY
, &rl
) || !rl
)
1651 if (sval_is_negative(tmp
) && sval_is_min(tmp
))
1657 int get_fuzzy_max(struct expression
*expr
, sval_t
*sval
)
1659 struct range_list
*rl
;
1662 if (!get_rl_helper(expr
, RL_FUZZY
, &rl
) || !rl
)
1665 if (max
.uvalue
> INT_MAX
- 10000)
1671 int get_absolute_min(struct expression
*expr
, sval_t
*sval
)
1673 struct range_list
*rl
;
1674 struct symbol
*type
;
1676 type
= get_type(expr
);
1678 type
= &llong_ctype
; // FIXME: this is wrong but places assume get type can't fail.
1680 get_rl_helper(expr
, RL_REAL_ABSOLUTE
, &rl
);
1684 *sval
= sval_type_min(type
);
1686 if (sval_cmp(*sval
, sval_type_min(type
)) < 0)
1687 *sval
= sval_type_min(type
);
1691 int get_absolute_max(struct expression
*expr
, sval_t
*sval
)
1693 struct range_list
*rl
;
1694 struct symbol
*type
;
1696 type
= get_type(expr
);
1698 type
= &llong_ctype
;
1700 get_rl_helper(expr
, RL_REAL_ABSOLUTE
, &rl
);
1704 *sval
= sval_type_max(type
);
1706 if (sval_cmp(sval_type_max(type
), *sval
) < 0)
1707 *sval
= sval_type_max(type
);
1711 int known_condition_true(struct expression
*expr
)
1718 if (get_value(expr
, &tmp
) && tmp
.value
)
1724 int known_condition_false(struct expression
*expr
)
1735 int implied_condition_true(struct expression
*expr
)
1742 if (known_condition_true(expr
))
1744 if (get_implied_value(expr
, &tmp
) && tmp
.value
)
1747 if (expr
->type
== EXPR_POSTOP
)
1748 return implied_condition_true(expr
->unop
);
1750 if (expr
->type
== EXPR_PREOP
&& expr
->op
== SPECIAL_DECREMENT
)
1751 return implied_not_equal(expr
->unop
, 1);
1752 if (expr
->type
== EXPR_PREOP
&& expr
->op
== SPECIAL_INCREMENT
)
1753 return implied_not_equal(expr
->unop
, -1);
1755 expr
= strip_expr(expr
);
1756 switch (expr
->type
) {
1758 if (do_comparison(expr
) == 1)
1762 if (expr
->op
== '!') {
1763 if (implied_condition_false(expr
->unop
))
1769 if (implied_not_equal(expr
, 0) == 1)
1776 int implied_condition_false(struct expression
*expr
)
1778 struct expression
*tmp
;
1784 if (known_condition_false(expr
))
1787 switch (expr
->type
) {
1789 if (do_comparison(expr
) == 2)
1792 if (expr
->op
== '!') {
1793 if (implied_condition_true(expr
->unop
))
1797 tmp
= strip_expr(expr
);
1799 return implied_condition_false(tmp
);
1802 if (get_implied_value(expr
, &sval
) && sval
.value
== 0)
