1 /*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 #include "symbol.h"
19 #include "smatch.h"
20 #include "smatch_slist.h"
21 #include "smatch_extra.h"
22
23 static bool get_rl_sval(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *sval_res);
24 static bool get_rl_internal(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res);
25 static bool handle_variable(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval);
26 static struct range_list *(*custom_handle_variable)(struct expression *expr);
27
28 static bool get_implied_value_internal(struct expression *expr, int *recurse_cnt, sval_t *res_sval);
29 static int get_absolute_rl_internal(struct expression *expr, struct range_list **rl, int *recurse_cnt);
30
31 static sval_t zero = {.type = &int_ctype, {.value = 0} };
32 static sval_t one = {.type = &int_ctype, {.value = 1} };
33
34 static int fast_math_only;
35
rl_zero(void)36 struct range_list *rl_zero(void)
37 {
38 static struct range_list *zero_perm;
39
40 if (!zero_perm)
41 zero_perm = clone_rl_permanent(alloc_rl(zero, zero));
42 return zero_perm;
43 }
44
rl_one(void)45 struct range_list *rl_one(void)
46 {
47 static struct range_list *one_perm;
48
49 if (!one_perm)
50 one_perm = clone_rl_permanent(alloc_rl(one, one));
51
52 return one_perm;
53 }
54
55 enum {
56 RL_EXACT,
57 RL_HARD,
58 RL_FUZZY,
59 RL_IMPLIED,
60 RL_ABSOLUTE,
61 RL_REAL_ABSOLUTE,
62 };
63
last_stmt_rl(struct statement * stmt,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)64 static bool last_stmt_rl(struct statement *stmt, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
65 {
66 struct expression *expr;
67
68 if (!stmt)
69 return false;
70
71 stmt = last_ptr_list((struct ptr_list *)stmt->stmts);
72 if (stmt->type == STMT_LABEL) {
73 if (stmt->label_statement &&
74 stmt->label_statement->type == STMT_EXPRESSION)
75 expr = stmt->label_statement->expression;
76 else
77 return false;
78 } else if (stmt->type == STMT_EXPRESSION) {
79 expr = stmt->expression;
80 } else {
81 return false;
82 }
83 return get_rl_sval(expr, implied, recurse_cnt, res, res_sval);
84 }
85
handle_expression_statement_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)86 static bool handle_expression_statement_rl(struct expression *expr, int implied,
87 int *recurse_cnt, struct range_list **res, sval_t *res_sval)
88 {
89 return last_stmt_rl(get_expression_statement(expr), implied, recurse_cnt, res, res_sval);
90 }
91
handle_address(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)92 static bool handle_address(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
93 {
94 struct range_list *rl;
95 static int recursed;
96 sval_t sval;
97
98 if (recursed > 10)
99 return false;
100 if (implied == RL_EXACT)
101 return false;
102
103 if (custom_handle_variable) {
104 rl = custom_handle_variable(expr);
105 if (rl) {
106 *res = rl;
107 return true;
108 }
109 }
110
111 recursed++;
112 if (get_mtag_sval(expr, &sval)) {
113 recursed--;
114 *res_sval = sval;
115 return true;
116 }
117
118 if (get_address_rl(expr, res)) {
119 recursed--;
120 return true;
121 }
122 recursed--;
123 return 0;
124 }
125
handle_ampersand_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)126 static bool handle_ampersand_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
127 {
128 return handle_address(expr, implied, recurse_cnt, res, res_sval);
129 }
130
handle_negate_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)131 static bool handle_negate_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
132 {
133 if (known_condition_true(expr->unop)) {
134 *res_sval = zero;
135 return true;
136 }
137 if (known_condition_false(expr->unop)) {
138 *res_sval = one;
139 return true;
140 }
141
142 if (implied == RL_EXACT)
143 return false;
144
145 if (implied_condition_true(expr->unop)) {
146 *res_sval = zero;
147 return true;
148 }
149 if (implied_condition_false(expr->unop)) {
150 *res_sval = one;
151 return true;
152 }
153
154 *res = alloc_rl(zero, one);
155 return true;
156 }
157
handle_bitwise_negate(struct expression * expr,int implied,int * recurse_cnt,sval_t * res_sval)158 static bool handle_bitwise_negate(struct expression *expr, int implied, int *recurse_cnt, sval_t *res_sval)
159 {
160 struct range_list *rl;
161 sval_t sval = {};
162
163 if (!get_rl_sval(expr->unop, implied, recurse_cnt, &rl, &sval))
164 return false;
165 if (!sval.type && !rl_to_sval(rl, &sval))
166 return false;
167 sval = sval_preop(sval, '~');
168 sval_cast(get_type(expr->unop), sval);
169 *res_sval = sval;
170 return true;
171 }
172
untrusted_type_min(struct expression * expr)173 static bool untrusted_type_min(struct expression *expr)
174 {
175 struct range_list *rl;
176
177 rl = var_user_rl(expr);
178 return rl && sval_is_min(rl_min(rl));
179 }
180
handle_minus_preop(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)181 static bool handle_minus_preop(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
182 {
183 struct range_list *rl;
184 struct range_list *ret = NULL;
185 struct symbol *type;
186 sval_t neg_one = { 0 };
187 sval_t zero = { 0 };
188 sval_t sval = {};
189
190 neg_one.value = -1;
191 zero.value = 0;
192
193 if (!get_rl_sval(expr->unop, implied, recurse_cnt, &rl, &sval))
194 return false;
195 if (sval.type) {
196 *res_sval = sval_preop(sval, '-');
197 return true;
198 }
199 /*
200 * One complication is that -INT_MIN is still INT_MIN because of integer
201 * overflows... But how many times do we set a time out to INT_MIN?
202 * So normally when we call abs() then it does return a positive value.
203 *
204 */
205 type = rl_type(rl);
206 neg_one.type = zero.type = type;
207
208 if (sval_is_negative(rl_min(rl))) {
209 struct range_list *neg;
210 struct data_range *drange;
211 sval_t new_min, new_max;
212
213 neg = alloc_rl(sval_type_min(type), neg_one);
214 neg = rl_intersection(rl, neg);
215
216 if (sval_is_min(rl_min(neg)) && !sval_is_min(rl_max(neg)))
217 neg = remove_range(neg, sval_type_min(type), sval_type_min(type));
218
219 FOR_EACH_PTR(neg, drange) {
220 new_min = drange->max;
221 new_min.value = -new_min.value;
222 new_max = drange->min;
223 new_max.value = -new_max.value;
224 add_range(&ret, new_min, new_max);
225 } END_FOR_EACH_PTR(drange);
226
227 if (untrusted_type_min(expr))
228 add_range(&ret, sval_type_min(type), sval_type_min(type));
229 }
230
231 if (!sval_is_negative(rl_max(rl))) {
232 struct range_list *pos;
233 struct data_range *drange;
234 sval_t new_min, new_max;
235
236 pos = alloc_rl(zero, sval_type_max(type));
237 pos = rl_intersection(rl, pos);
238
239 FOR_EACH_PTR(pos, drange) {
240 new_min = drange->max;
241 new_min.value = -new_min.value;
242 new_max = drange->min;
243 new_max.value = -new_max.value;
244 add_range(&ret, new_min, new_max);
245 } END_FOR_EACH_PTR(drange);
246 }
247
248 *res = ret;
249 return true;
250 }
251
handle_preop_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)252 static bool handle_preop_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
253 {
254 switch (expr->op) {
255 case '&':
256 return handle_ampersand_rl(expr, implied, recurse_cnt, res, res_sval);
257 case '!':
258 return handle_negate_rl(expr, implied, recurse_cnt, res, res_sval);
259 case '~':
260 return handle_bitwise_negate(expr, implied, recurse_cnt, res_sval);
261 case '-':
262 return handle_minus_preop(expr, implied, recurse_cnt, res, res_sval);
263 case '*':
264 return handle_variable(expr, implied, recurse_cnt, res, res_sval);
265 case '(':
266 return handle_expression_statement_rl(expr, implied, recurse_cnt, res, res_sval);
267 default:
268 return false;
269 }
270 }
271
handle_divide_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res)272 static bool handle_divide_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
273 {
274 struct range_list *left_rl = NULL;
275 struct range_list *right_rl = NULL;
276 struct symbol *type;
277
278 type = get_type(expr);
279
280 get_rl_internal(expr->left, implied, recurse_cnt, &left_rl);
281 left_rl = cast_rl(type, left_rl);
282 get_rl_internal(expr->right, implied, recurse_cnt, &right_rl);
283 right_rl = cast_rl(type, right_rl);
284
285 if (!left_rl || !right_rl)
286 return false;
287
288 if (implied != RL_REAL_ABSOLUTE) {
289 if (is_whole_rl(left_rl) || is_whole_rl(right_rl))
290 return false;
291 }
292
293 *res = rl_binop(left_rl, '/', right_rl);
294 return true;
295 }
296
handle_offset_subtraction(struct expression * expr)297 static int handle_offset_subtraction(struct expression *expr)
298 {
299 struct expression *left, *right;
300 struct symbol *left_sym, *right_sym;
301 struct symbol *type;
302 int left_offset, right_offset;
303
304 type = get_type(expr);
305 if (!type || type->type != SYM_PTR)
306 return -1;
307 type = get_real_base_type(type);
308 if (!type || (type_bits(type) != 8 && (type != &void_ctype)))
309 return -1;
310
311 left = strip_expr(expr->left);
312 right = strip_expr(expr->right);
313
314 if (left->type != EXPR_PREOP || left->op != '&')
315 return -1;
316 left = strip_expr(left->unop);
317
318 left_sym = expr_to_sym(left);
319 right_sym = expr_to_sym(right);
320 if (!left_sym || left_sym != right_sym)
321 return -1;
322
323 left_offset = get_member_offset_from_deref(left);
324 if (right->type == EXPR_SYMBOL)
325 right_offset = 0;
326 else {
327 if (right->type != EXPR_PREOP || right->op != '&')
328 return -1;
329 right = strip_expr(right->unop);
330 right_offset = get_member_offset_from_deref(right);
331 }
332 if (left_offset < 0 || right_offset < 0)
333 return -1;
334
335 return left_offset - right_offset;
336 }
337
max_is_unknown_max(struct range_list * rl)338 static bool max_is_unknown_max(struct range_list *rl)
339 {
340 /*
341 * The issue with this code is that we had:
342 * if (foo > 1) return 1 - foo;
343 * Ideally we would say that returns s32min-(-1) but what Smatch
344 * was saying was that the lowest possible value was "1 - INT_MAX"
345 *
346 * My solution is to ignore max values for int or larger. I keep
347 * the max for shorts etc, because those might be worthwhile.
348 *
349 * The problem with just returning 1 - INT_MAX is that that is
350 * treated as useful information but s32min is treated as basically
351 * unknown.
352 */
353
354 if (type_bits(rl_type(rl)) < 31)
355 return false;
356 return sval_is_max(rl_max(rl));
357 }
358
handle_subtract_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res)359 static bool handle_subtract_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
360 {
361 struct symbol *type;
362 struct range_list *left_orig, *right_orig;
363 struct range_list *left_rl, *right_rl;
364 sval_t min, max, tmp;
365 int comparison;
366 int offset;
367
368 type = get_type(expr);
369
370 offset = handle_offset_subtraction(expr);
371 if (offset >= 0) {
372 tmp.type = type;
373 tmp.value = offset;
374
375 *res = alloc_rl(tmp, tmp);
376 return true;
377 }
378
379 comparison = get_comparison(expr->left, expr->right);
380
381 left_orig = NULL;
382 get_rl_internal(expr->left, implied, recurse_cnt, &left_orig);
383 left_rl = cast_rl(type, left_orig);
384 right_orig = NULL;
385 get_rl_internal(expr->right, implied, recurse_cnt, &right_orig);
386 right_rl = cast_rl(type, right_orig);
387
388 if ((!left_rl || !right_rl) &&
389 (implied == RL_EXACT || implied == RL_HARD || implied == RL_FUZZY))
390 return false;
391
392 if (!left_rl)
393 left_rl = alloc_whole_rl(type);
394 if (!right_rl)
395 right_rl = alloc_whole_rl(type);
396
397 /* negative values complicate everything fix this later */
398 if (sval_is_negative(rl_min(right_rl)))
399 return false;
400 max = rl_max(left_rl);
401 min = sval_type_min(type);
402
403 switch (comparison) {
404 case '>':
405 case SPECIAL_UNSIGNED_GT:
406 min = sval_type_val(type, 1);
407 max = rl_max(left_rl);
408 break;
409 case SPECIAL_GTE:
410 case SPECIAL_UNSIGNED_GTE:
411 min = sval_type_val(type, 0);
412 max = rl_max(left_rl);
413 break;
414 case SPECIAL_EQUAL:
415 min = sval_type_val(type, 0);
416 max = sval_type_val(type, 0);
417 break;
418 case '<':
419 case SPECIAL_UNSIGNED_LT:
420 max = sval_type_val(type, -1);
421 break;
422 case SPECIAL_LTE:
423 case SPECIAL_UNSIGNED_LTE:
424 max = sval_type_val(type, 0);
425 break;
426 default:
427 if (!left_orig || !right_orig)
428 return false;
429 *res = rl_binop(left_rl, '-', right_rl);
430 return true;
431 }
432
433 if (!max_is_unknown_max(right_rl) &&
434 !sval_binop_overflows(rl_min(left_rl), '-', rl_max(right_rl))) {
435 tmp = sval_binop(rl_min(left_rl), '-', rl_max(right_rl));
436 if (sval_cmp(tmp, min) > 0)
437 min = tmp;
438 }
439
440 if (!sval_is_max(rl_max(left_rl))) {
441 tmp = sval_binop(rl_max(left_rl), '-', rl_min(right_rl));
442 if (sval_cmp(tmp, max) < 0)
443 max = tmp;
444 }
445
446 if (sval_is_min(min) && sval_is_max(max))
447 return false;
448
449 *res = cast_rl(type, alloc_rl(min, max));
450 return true;
451 }
452
handle_mod_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res)453 static bool handle_mod_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
454 {
455 struct range_list *rl;
456 sval_t left, right, sval;
457
458 if (implied == RL_EXACT) {
459 if (!get_implied_value(expr->right, &right))
460 return false;
461 if (!get_implied_value(expr->left, &left))
462 return false;
463 sval = sval_binop(left, '%', right);
464 *res = alloc_rl(sval, sval);
465 return true;
466 }
467 /* if we can't figure out the right side it's probably hopeless */
468 if (!get_implied_value_internal(expr->right, recurse_cnt, &right))
469 return false;
470
471 right = sval_cast(get_type(expr), right);
472 right.value--;
473
474 if (get_rl_internal(expr->left, implied, recurse_cnt, &rl) && rl &&
475 rl_max(rl).uvalue < right.uvalue)
476 right.uvalue = rl_max(rl).uvalue;
477
478 *res = alloc_rl(sval_cast(right.type, zero), right);
479 return true;
480 }
481
handle_bitwise_AND(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res)482 static bool handle_bitwise_AND(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
483 {
484 struct symbol *type;
485 struct range_list *left_rl, *right_rl;
486 int new_recurse;
487
488 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE && implied != RL_REAL_ABSOLUTE)
489 return false;
490
491 type = get_type(expr);
492
493 if (!get_rl_internal(expr->left, implied, recurse_cnt, &left_rl))
494 left_rl = alloc_whole_rl(type);
495 left_rl = cast_rl(type, left_rl);
496
497 new_recurse = *recurse_cnt;
498 if (*recurse_cnt >= 200)
499 new_recurse = 100; /* Let's try super hard to get the mask */
500 if (!get_rl_internal(expr->right, implied, &new_recurse, &right_rl))
501 right_rl = alloc_whole_rl(type);
502 right_rl = cast_rl(type, right_rl);
503 *recurse_cnt = new_recurse;
504
505 *res = rl_binop(left_rl, '&', right_rl);
506 return true;
507 }
508
use_rl_binop(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res)509 static bool use_rl_binop(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
510 {
511 struct symbol *type;
512 struct range_list *left_rl, *right_rl;
513
514 if (implied != RL_IMPLIED && implied != RL_ABSOLUTE && implied != RL_REAL_ABSOLUTE)
515 return false;
516
517 type = get_type(expr);
518
519 get_absolute_rl_internal(expr->left, &left_rl, recurse_cnt);
520 get_absolute_rl_internal(expr->right, &right_rl, recurse_cnt);
521 left_rl = cast_rl(type, left_rl);
522 right_rl = cast_rl(type, right_rl);
523 if (!left_rl || !right_rl)
524 return false;
525
526 *res = rl_binop(left_rl, expr->op, right_rl);
527 return true;
528 }
529
handle_right_shift(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res)530 static bool handle_right_shift(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
531 {
532 struct range_list *left_rl, *right_rl;
533 sval_t min, max;
534
535 if (implied == RL_EXACT || implied == RL_HARD)
536 return false;
537
538 if (get_rl_internal(expr->left, implied, recurse_cnt, &left_rl)) {
539 max = rl_max(left_rl);
540 min = rl_min(left_rl);
541 } else {
542 if (implied == RL_FUZZY)
543 return false;
544 max = sval_type_max(get_type(expr->left));
545 min = sval_type_val(get_type(expr->left), 0);
546 }
547
548 if (get_rl_internal(expr->right, implied, recurse_cnt, &right_rl) &&
549 !sval_is_negative(rl_min(right_rl))) {
550 min = sval_binop(min, SPECIAL_RIGHTSHIFT, rl_max(right_rl));
551 max = sval_binop(max, SPECIAL_RIGHTSHIFT, rl_min(right_rl));
552 } else if (!sval_is_negative(min)) {
553 min.value = 0;
554 max = sval_type_max(max.type);
555 } else {
556 return false;
557 }
558
559 *res = alloc_rl(min, max);
560 return true;
561 }
562
handle_left_shift(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res)563 static bool handle_left_shift(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
564 {
565 struct range_list *left_rl, *rl;
566 sval_t right;
567
568 if (implied == RL_EXACT || implied == RL_HARD)
569 return false;
570 /* this is hopeless without the right side */
571 if (!get_implied_value_internal(expr->right, recurse_cnt, &right))
572 return false;
573 if (!get_rl_internal(expr->left, implied, recurse_cnt, &left_rl)) {
574 if (implied == RL_FUZZY)
575 return false;
576 left_rl = alloc_whole_rl(get_type(expr->left));
577 }
578
579 rl = rl_binop(left_rl, SPECIAL_LEFTSHIFT, alloc_rl(right, right));
580 if (!rl)
581 return false;
582 *res = rl;
583 return true;
584 }
585
handle_known_binop(struct expression * expr,sval_t * res)586 static bool handle_known_binop(struct expression *expr, sval_t *res)
587 {
588 sval_t left, right;
589
590 if (!get_value(expr->left, &left))
591 return false;
592 if (!get_value(expr->right, &right))
593 return false;
594 *res = sval_binop(left, expr->op, right);
595 return true;
596 }
597
has_actual_ranges(struct range_list * rl)598 static int has_actual_ranges(struct range_list *rl)
599 {
600 struct data_range *tmp;
601
602 FOR_EACH_PTR(rl, tmp) {
603 if (sval_cmp(tmp->min, tmp->max) != 0)
604 return 1;
605 } END_FOR_EACH_PTR(tmp);
606 return 0;
607 }
608
handle_implied_binop(struct range_list * left_rl,int op,struct range_list * right_rl)609 static struct range_list *handle_implied_binop(struct range_list *left_rl, int op, struct range_list *right_rl)
610 {
611 struct range_list *res_rl;
612 struct data_range *left_drange, *right_drange;
613 sval_t res;
614
615 if (!left_rl || !right_rl)
616 return NULL;
617 if (has_actual_ranges(left_rl))
618 return NULL;
619 if (has_actual_ranges(right_rl))
620 return NULL;
621
622 if (ptr_list_size((struct ptr_list *)left_rl) * ptr_list_size((struct ptr_list *)right_rl) > 20)
623 return NULL;
624
625 res_rl = NULL;
626
627 FOR_EACH_PTR(left_rl, left_drange) {
628 FOR_EACH_PTR(right_rl, right_drange) {
629 if ((op == '%' || op == '/') &&
630 right_drange->min.value == 0)
631 return NULL;
632 res = sval_binop(left_drange->min, op, right_drange->min);
633 add_range(&res_rl, res, res);
634 } END_FOR_EACH_PTR(right_drange);
635 } END_FOR_EACH_PTR(left_drange);
636
637 return res_rl;
638 }
639
handle_binop_rl_helper(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)640 static bool handle_binop_rl_helper(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
641 {
642 struct symbol *type;
643 struct range_list *left_rl = NULL;
644 struct range_list *right_rl = NULL;
645 struct range_list *rl;
646 sval_t min, max;
647
648 type = get_promoted_type(get_type(expr->left), get_type(expr->right));
649 get_rl_internal(expr->left, implied, recurse_cnt, &left_rl);
650 left_rl = cast_rl(type, left_rl);
651 get_rl_internal(expr->right, implied, recurse_cnt, &right_rl);
652 right_rl = cast_rl(type, right_rl);
653 if (!left_rl && !right_rl)
654 return false;
655
656 rl = handle_implied_binop(left_rl, expr->op, right_rl);
657 if (rl) {
658 *res = rl;
659 return true;
660 }
661
662 switch (expr->op) {
663 case '%':
664 return handle_mod_rl(expr, implied, recurse_cnt, res);
665 case '&':
666 return handle_bitwise_AND(expr, implied, recurse_cnt, res);
667 case '|':
668 case '^':
669 return use_rl_binop(expr, implied, recurse_cnt, res);
670 case SPECIAL_RIGHTSHIFT:
671 return handle_right_shift(expr, implied, recurse_cnt, res);
672 case SPECIAL_LEFTSHIFT:
673 return handle_left_shift(expr, implied, recurse_cnt, res);
674 case '-':
675 return handle_subtract_rl(expr, implied, recurse_cnt, res);
676 case '/':
677 return handle_divide_rl(expr, implied, recurse_cnt, res);
678 }
679
680 if (!left_rl || !right_rl)
681 return false;
682
683 if (sval_binop_overflows(rl_min(left_rl), expr->op, rl_min(right_rl)))
684 return false;
685 if (sval_binop_overflows(rl_max(left_rl), expr->op, rl_max(right_rl)))
686 return false;
687
688 min = sval_binop(rl_min(left_rl), expr->op, rl_min(right_rl));
689 max = sval_binop(rl_max(left_rl), expr->op, rl_max(right_rl));
690
691 *res = alloc_rl(min, max);
692 return true;
693
694 }
695
handle_binop_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)696 static bool handle_binop_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
697 {
698 struct smatch_state *state;
699 struct range_list *rl;
700 sval_t val;
701
702 if (handle_known_binop(expr, &val)) {
703 *res_sval = val;
704 return true;
705 }
706 if (implied == RL_EXACT)
707 return false;
708
709 if (custom_handle_variable) {
710 rl = custom_handle_variable(expr);
711 if (rl) {
712 *res = rl;
713 return true;
714 }
715 }
716
717 state = get_extra_state(expr);
718 if (state && !is_whole_rl(estate_rl(state))) {
719 if (implied != RL_HARD || estate_has_hard_max(state)) {
720 *res = clone_rl(estate_rl(state));
721 return true;
722 }
723 }
724
725 return handle_binop_rl_helper(expr, implied, recurse_cnt, res, res_sval);
726 }
727
do_comparison(struct expression * expr)728 static int do_comparison(struct expression *expr)
729 {
730 struct range_list *left_ranges = NULL;
731 struct range_list *right_ranges = NULL;
732 int poss_true, poss_false;
733 struct symbol *type;
734
735 type = get_type(expr);
736 get_absolute_rl(expr->left, &left_ranges);
737 get_absolute_rl(expr->right, &right_ranges);
738
739 left_ranges = cast_rl(type, left_ranges);
740 right_ranges = cast_rl(type, right_ranges);
741
742 poss_true = possibly_true_rl(left_ranges, expr->op, right_ranges);
743 poss_false = possibly_false_rl(left_ranges, expr->op, right_ranges);
744
745 if (!poss_true && !poss_false)
746 return 0x0;
747 if (poss_true && !poss_false)
748 return 0x1;
749 if (!poss_true && poss_false)
750 return 0x2;
751 return 0x3;
752 }
753
handle_comparison_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)754 static bool handle_comparison_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
755 {
756 sval_t left, right;
757 int cmp;
758
759 if (expr->op == SPECIAL_EQUAL && expr->left->type == EXPR_TYPE) {
760 struct symbol *left, *right;
761
762 if (expr->right->type != EXPR_TYPE)
763 return false;
764
765 left = get_real_base_type(expr->left->symbol);
766 right = get_real_base_type(expr->right->symbol);
767 if (type_bits(left) == type_bits(right) &&
768 type_positive_bits(left) == type_positive_bits(right))
769 *res_sval = one;
770 else
771 *res_sval = zero;
772 return true;
773 }
774
775 if (get_value(expr->left, &left) && get_value(expr->right, &right)) {
776 struct data_range tmp_left, tmp_right;
777
778 tmp_left.min = left;
779 tmp_left.max = left;
780 tmp_right.min = right;
781 tmp_right.max = right;
782 if (true_comparison_range(&tmp_left, expr->op, &tmp_right))
783 *res_sval = one;
784 else
785 *res_sval = zero;
786 return true;
787 }
788
789 if (implied == RL_EXACT)
790 return false;
791
792 cmp = do_comparison(expr);
793 if (cmp == 1) {
794 *res_sval = one;
795 return true;
796 }
797 if (cmp == 2) {
798 *res_sval = zero;
799 return true;
800 }
801
802 *res = alloc_rl(zero, one);
803 return true;
804 }
805
handle_logical_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)806 static bool handle_logical_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
807 {
808 sval_t left, right;
809 int left_known = 0;
810 int right_known = 0;
811
812 if (implied == RL_EXACT) {
813 if (get_value(expr->left, &left))
814 left_known = 1;
815 if (get_value(expr->right, &right))
816 right_known = 1;
817 } else {
818 if (get_implied_value_internal(expr->left, recurse_cnt, &left))
819 left_known = 1;
820 if (get_implied_value_internal(expr->right, recurse_cnt, &right))
821 right_known = 1;
822 }
823
824 switch (expr->op) {
825 case SPECIAL_LOGICAL_OR:
826 if (left_known && left.value)
827 goto one;
828 if (right_known && right.value)
829 goto one;
830 if (left_known && right_known)
831 goto zero;
832 break;
833 case SPECIAL_LOGICAL_AND:
834 if (left_known && right_known) {
835 if (left.value && right.value)
836 goto one;
837 goto zero;
838 }
839 break;
840 default:
841 return false;
842 }
843
844 if (implied == RL_EXACT)
845 return false;
846
847 *res = alloc_rl(zero, one);
848 return true;
849
850 zero:
851 *res_sval = zero;
852 return true;
853 one:
854 *res_sval = one;
855 return true;
856 }
857
handle_conditional_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)858 static bool handle_conditional_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
859 {
860 struct expression *cond_true;
861 struct range_list *true_rl, *false_rl;
862 struct symbol *type;
863 int final_pass_orig = final_pass;
864
865 cond_true = expr->cond_true;
866 if (!cond_true)
867 cond_true = expr->conditional;
868
869 if (known_condition_true(expr->conditional))
870 return get_rl_sval(cond_true, implied, recurse_cnt, res, res_sval);
871 if (known_condition_false(expr->conditional))
872 return get_rl_sval(expr->cond_false, implied, recurse_cnt, res, res_sval);
873
874 if (implied == RL_EXACT)
875 return false;
876
877 if (implied_condition_true(expr->conditional))
878 return get_rl_sval(cond_true, implied, recurse_cnt, res, res_sval);
879 if (implied_condition_false(expr->conditional))
880 return get_rl_sval(expr->cond_false, implied, recurse_cnt, res, res_sval);
881
882 /* this becomes a problem with deeply nested conditional statements */
883 if (fast_math_only || low_on_memory())
884 return false;
885
886 type = get_type(expr);
887
888 __push_fake_cur_stree();
889 final_pass = 0;
890 __split_whole_condition(expr->conditional);
891 true_rl = NULL;
892 get_rl_internal(cond_true, implied, recurse_cnt, &true_rl);
893 __push_true_states();
894 __use_false_states();
895 false_rl = NULL;
896 get_rl_internal(expr->cond_false, implied, recurse_cnt, &false_rl);
897 __merge_true_states();
898 __free_fake_cur_stree();
899 final_pass = final_pass_orig;
900
901 if (!true_rl || !false_rl)
902 return false;
903 true_rl = cast_rl(type, true_rl);
904 false_rl = cast_rl(type, false_rl);
905
906 *res = rl_union(true_rl, false_rl);
907 return true;
908 }
909
get_fuzzy_max_helper(struct expression * expr,sval_t * max)910 static bool get_fuzzy_max_helper(struct expression *expr, sval_t *max)
911 {
912 struct smatch_state *state;
913 sval_t sval;
914
915 if (get_hard_max(expr, &sval)) {
916 *max = sval;
917 return true;
918 }
919
920 state = get_extra_state(expr);
921 if (!state || !estate_has_fuzzy_max(state))
922 return false;
923 *max = sval_cast(get_type(expr), estate_get_fuzzy_max(state));
924 return true;
925 }
926
get_fuzzy_min_helper(struct expression * expr,sval_t * min)927 static bool get_fuzzy_min_helper(struct expression *expr, sval_t *min)
928 {
929 struct smatch_state *state;
930 sval_t sval;
931
932 state = get_extra_state(expr);
933 if (!state || !estate_rl(state))
934 return false;
935
936 sval = estate_min(state);
937 if (sval_is_negative(sval) && sval_is_min(sval))
938 return false;
939
940 if (sval_is_max(sval))
941 return false;
942
943 *min = sval_cast(get_type(expr), sval);
944 return true;
945 }
946
get_const_value(struct expression * expr,sval_t * sval)947 int get_const_value(struct expression *expr, sval_t *sval)
948 {
949 struct symbol *sym;
950 sval_t right;
951
952 if (expr->type != EXPR_SYMBOL || !expr->symbol)
953 return 0;
954 sym = expr->symbol;
955 if (!(sym->ctype.modifiers & MOD_CONST))
956 return 0;
957 if (get_value(sym->initializer, &right)) {
958 *sval = sval_cast(get_type(expr), right);
959 return 1;
960 }
961 return 0;
962 }
963
var_to_absolute_rl(struct expression * expr)964 struct range_list *var_to_absolute_rl(struct expression *expr)
965 {
966 struct smatch_state *state;
967 struct range_list *rl;
968
969 state = get_extra_state(expr);
970 if (!state || is_whole_rl(estate_rl(state))) {
971 state = get_real_absolute_state(expr);
972 if (state && state->data && !estate_is_whole(state))
973 return clone_rl(estate_rl(state));
974 if (get_mtag_rl(expr, &rl))
975 return rl;
976 if (get_db_type_rl(expr, &rl) && !is_whole_rl(rl))
977 return rl;
978 return alloc_whole_rl(get_type(expr));
979 }
980 /* err on the side of saying things are possible */
981 if (!estate_rl(state))
982 return alloc_whole_rl(get_type(expr));
983 return clone_rl(estate_rl(state));
984 }
985
handle_variable(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)986 static bool handle_variable(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
987 {
988 struct smatch_state *state;
989 struct range_list *rl;
990 sval_t sval, min, max;
991 struct symbol *type;
992
993 if (get_const_value(expr, &sval)) {
994 *res_sval = sval;
995 return true;
996 }
997
998 if (implied == RL_EXACT)
999 return false;
1000
1001 if (custom_handle_variable) {
1002 rl = custom_handle_variable(expr);
1003 if (rl) {
1004 if (!rl_to_sval(rl, res_sval))
1005 *res = rl;
1006 } else {
1007 *res = var_to_absolute_rl(expr);
1008 }
1009 return true;
1010 }
1011
1012 if (get_mtag_sval(expr, &sval)) {
1013 *res_sval = sval;
1014 return true;
1015 }
1016
1017 type = get_type(expr);
1018 if (type &&
1019 (type->type == SYM_ARRAY ||
1020 type->type == SYM_FN))
1021 return handle_address(expr, implied, recurse_cnt, res, res_sval);
1022
1023 /* FIXME: call rl_to_sval() on the results */
1024
1025 switch (implied) {
1026 case RL_HARD:
1027 case RL_IMPLIED:
1028 case RL_ABSOLUTE:
1029 state = get_extra_state(expr);
1030 if (!state) {
1031 if (implied == RL_HARD)
1032 return false;
1033 if (get_mtag_rl(expr, res))
1034 return true;
1035 if (get_db_type_rl(expr, res))
1036 return true;
1037 if (is_array(expr) && get_array_rl(expr, res))
1038 return true;
1039 return false;
1040 }
1041 if (implied == RL_HARD && !estate_has_hard_max(state))
1042 return false;
1043 *res = clone_rl(estate_rl(state));
1044 return true;
1045 case RL_REAL_ABSOLUTE: {
1046 struct smatch_state *abs_state;
1047
1048 state = get_extra_state(expr);
1049 abs_state = get_real_absolute_state(expr);
1050
1051 if (estate_rl(state) && estate_rl(abs_state)) {
1052 *res = clone_rl(rl_intersection(estate_rl(state),
1053 estate_rl(abs_state)));
1054 return true;
1055 } else if (estate_rl(state)) {
1056 *res = clone_rl(estate_rl(state));
1057 return true;
1058 } else if (estate_is_empty(state)) {
1059 /*
1060 * FIXME: we don't handle empty extra states correctly.
1061 *
1062 * The real abs rl is supposed to be filtered by the
1063 * extra state if there is one. We don't bother keeping
1064 * the abs state in sync all the time because we know it
1065 * will be filtered later.
1066 *
1067 * It's not totally obvious to me how they should be
1068 * handled. Perhaps we should take the whole rl and
1069 * filter by the imaginary states. Perhaps we should
1070 * just go with the empty state.
1071 *
1072 * Anyway what we currently do is return NULL here and
1073 * that gets translated into the whole range in
1074 * get_real_absolute_rl().
1075 *
1076 */
1077 return false;
1078 } else if (estate_rl(abs_state)) {
1079 *res = clone_rl(estate_rl(abs_state));
1080 return true;
1081 }
1082
1083 if (get_mtag_rl(expr, res))
1084 return true;
1085 if (get_db_type_rl(expr, res))
1086 return true;
1087 if (is_array(expr) && get_array_rl(expr, res))
1088 return true;
1089 return false;
1090 }
1091 case RL_FUZZY:
1092 if (!get_fuzzy_min_helper(expr, &min))
1093 min = sval_type_min(get_type(expr));
1094 if (!get_fuzzy_max_helper(expr, &max))
1095 return false;
1096 /* fuzzy ranges are often inverted */
1097 if (sval_cmp(min, max) > 0) {
1098 sval = min;
1099 min = max;
1100 max = sval;
1101 }
1102 *res = alloc_rl(min, max);
1103 return true;
1104 }
1105 return false;
1106 }
1107
handle_sizeof(struct expression * expr)1108 static sval_t handle_sizeof(struct expression *expr)
1109 {
1110 struct symbol *sym;
1111 sval_t ret;
1112
1113 ret = sval_blank(expr);
1114 sym = expr->cast_type;
1115 if (!sym) {
1116 sym = evaluate_expression(expr->cast_expression);
1117 if (!sym) {
1118 __silence_warnings_for_stmt = true;
1119 sym = &int_ctype;
1120 }
1121 #if 0
1122 /*
1123 * Expressions of restricted types will possibly get
1124 * promoted - check that here. I'm not sure how this works,
1125 * the problem is that sizeof(le16) shouldn't be promoted and
1126 * the original code did that... Let's if zero this out and
1127 * see what breaks.
1128 */
1129
1130 if (is_restricted_type(sym)) {
1131 if (type_bits(sym) < bits_in_int)
1132 sym = &int_ctype;
1133 }
1134 #endif
1135 if (is_fouled_type(sym))
1136 sym = &int_ctype;
1137 }
1138 examine_symbol_type(sym);
1139
1140 ret.type = size_t_ctype;
1141 if (type_bits(sym) <= 0) /* sizeof(void) */ {
1142 if (get_real_base_type(sym) == &void_ctype)
1143 ret.value = 1;
1144 else
1145 ret.value = 0;
1146 } else
1147 ret.value = type_bytes(sym);
1148
1149 return ret;
1150 }
1151
handle_strlen(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)1152 static bool handle_strlen(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1153 {
1154 struct expression *arg, *tmp;
1155 sval_t tag;
1156 sval_t ret = { .type = &ulong_ctype };
1157 struct range_list *rl;
1158
1159 arg = get_argument_from_call_expr(expr->args, 0);
1160 if (!arg)
1161 return false;
1162 if (arg->type == EXPR_STRING) {
1163 ret.value = arg->string->length - 1;
1164 *res_sval = ret;
1165 return true;
1166 }
1167 if (implied == RL_EXACT)
1168 return false;
1169 if (get_implied_value(arg, &tag) &&
1170 (tmp = fake_string_from_mtag(tag.uvalue))) {
1171 ret.value = tmp->string->length - 1;
1172 *res_sval = ret;
1173 return true;
1174 }
1175
1176 if (implied == RL_HARD || implied == RL_FUZZY)
1177 return false;
1178
1179 if (get_implied_return(expr, &rl)) {
1180 *res = rl;
1181 return true;
1182 }
1183
1184 return false;
1185 }
1186
handle_builtin_constant_p(struct expression * expr,int implied,int * recurse_cnt,sval_t * res_sval)1187 static bool handle_builtin_constant_p(struct expression *expr, int implied, int *recurse_cnt, sval_t *res_sval)
1188 {
1189 struct expression *arg;
1190 struct range_list *rl;
1191
1192 arg = get_argument_from_call_expr(expr->args, 0);
1193 if (get_rl_internal(arg, RL_EXACT, recurse_cnt, &rl))
1194 *res_sval = one;
1195 else
1196 *res_sval = zero;
1197 return true;
1198 }
1199
handle__builtin_choose_expr(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)1200 static bool handle__builtin_choose_expr(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1201 {
1202 struct expression *const_expr, *expr1, *expr2;
1203 sval_t sval;
1204
1205 const_expr = get_argument_from_call_expr(expr->args, 0);
1206 expr1 = get_argument_from_call_expr(expr->args, 1);
1207 expr2 = get_argument_from_call_expr(expr->args, 2);
1208
1209 if (!get_value(const_expr, &sval) || !expr1 || !expr2)
1210 return false;
1211 if (sval.value)
1212 return get_rl_sval(expr1, implied, recurse_cnt, res, res_sval);
1213 else
1214 return get_rl_sval(expr2, implied, recurse_cnt, res, res_sval);
1215 }
1216
handle_call_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)1217 static bool handle_call_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1218 {
1219 struct range_list *rl;
1220
1221 if (sym_name_is("__builtin_constant_p", expr->fn))
1222 return handle_builtin_constant_p(expr, implied, recurse_cnt, res_sval);
1223
1224 if (sym_name_is("__builtin_choose_expr", expr->fn))
1225 return handle__builtin_choose_expr(expr, implied, recurse_cnt, res, res_sval);
1226
1227 if (sym_name_is("__builtin_expect", expr->fn) ||
1228 sym_name_is("__builtin_bswap16", expr->fn) ||
1229 sym_name_is("__builtin_bswap32", expr->fn) ||
1230 sym_name_is("__builtin_bswap64", expr->fn)) {
1231 struct expression *arg;
1232
1233 arg = get_argument_from_call_expr(expr->args, 0);
1234 return get_rl_sval(arg, implied, recurse_cnt, res, res_sval);
1235 }
1236
1237 if (sym_name_is("strlen", expr->fn))
1238 return handle_strlen(expr, implied, recurse_cnt, res, res_sval);
1239
1240 if (implied == RL_EXACT || implied == RL_HARD)
1241 return false;
1242
1243 if (custom_handle_variable) {
1244 rl = custom_handle_variable(expr);
1245 if (rl) {
1246 *res = rl;
1247 return true;
1248 }
1249 }
1250
1251 /* Ugh... get_implied_return() sets *rl to NULL on failure */
1252 if (get_implied_return(expr, &rl)) {
1253 *res = rl;
1254 return true;
1255 }
1256 rl = db_return_vals(expr);
1257 if (rl) {
1258 *res = rl;
1259 return true;
1260 }
1261 return false;
1262 }
1263
handle_cast(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)1264 static bool handle_cast(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1265 {
1266 struct range_list *rl;
1267 struct symbol *type;
1268 sval_t sval = {};
1269
1270 type = get_type(expr);
1271 if (get_rl_sval(expr->cast_expression, implied, recurse_cnt, &rl, &sval)) {
1272 if (sval.type)
1273 *res_sval = sval_cast(type, sval);
1274 else
1275 *res = cast_rl(type, rl);
1276 return true;
1277 }
1278 if (implied == RL_ABSOLUTE || implied == RL_REAL_ABSOLUTE) {
1279 *res = alloc_whole_rl(type);
1280 return true;
1281 }
1282 if (implied == RL_IMPLIED && type &&
1283 type_bits(type) > 0 && type_bits(type) < 32) {
1284 *res = alloc_whole_rl(type);
1285 return true;
1286 }
1287 return false;
1288 }
1289
get_offset_from_down(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)1290 static bool get_offset_from_down(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1291 {
1292 struct expression *index;
1293 struct symbol *type = expr->in;
1294 struct range_list *rl;
1295 struct symbol *field;
1296 int offset = 0;
1297 sval_t sval = { .type = ssize_t_ctype };
1298 sval_t tmp_sval = {};
1299
1300 /*
1301 * FIXME: I don't really know what I'm doing here. I wish that I
1302 * could just get rid of the __builtin_offset() function and use:
1303 * "&((struct bpf_prog *)NULL)->insns[fprog->len]" instead...
1304 * Anyway, I have done the minimum ammount of work to get that
1305 * expression to work.
1306 *
1307 */
1308
1309 if (expr->op != '.' || !expr->down ||
1310 expr->down->type != EXPR_OFFSETOF ||
1311 expr->down->op != '[' ||
1312 !expr->down->index)
1313 return false;
1314
1315 index = expr->down->index;
1316
1317 examine_symbol_type(type);
1318 type = get_real_base_type(type);
1319 if (!type)
1320 return false;
1321 field = find_identifier(expr->ident, type->symbol_list, &offset);
1322 if (!field)
1323 return false;
1324
1325 type = get_real_base_type(field);
1326 if (!type || type->type != SYM_ARRAY)
1327 return false;
1328 type = get_real_base_type(type);
1329
1330 if (get_implied_value_internal(index, recurse_cnt, &sval)) {
1331 res_sval->type = ssize_t_ctype;
1332 res_sval->value = offset + sval.value * type_bytes(type);
1333 return true;
1334 }
1335
1336 if (!get_rl_sval(index, implied, recurse_cnt, &rl, &tmp_sval))
1337 return false;
1338
1339 /*
1340 * I'm not sure why get_rl_sval() would return an sval when
1341 * get_implied_value_internal() failed but it does when I
1342 * parse drivers/net/ethernet/mellanox/mlx5/core/en/monitor_stats.c
1343 *
1344 */
1345 if (tmp_sval.type) {
1346 res_sval->type = ssize_t_ctype;
1347 res_sval->value = offset + sval.value * type_bytes(type);
1348 return true;
1349 }
1350
1351 sval.value = type_bytes(type);
1352 rl = rl_binop(rl, '*', alloc_rl(sval, sval));
1353 sval.value = offset;
1354 *res = rl_binop(rl, '+', alloc_rl(sval, sval));
1355 return true;
1356 }
1357
get_offset_from_in(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)1358 static bool get_offset_from_in(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1359 {
1360 struct symbol *type = get_real_base_type(expr->in);
1361 struct symbol *field;
1362 int offset = 0;
1363
1364 if (expr->op != '.' || !type || !expr->ident)
1365 return false;
1366
1367 field = find_identifier(expr->ident, type->symbol_list, &offset);
1368 if (!field)
1369 return false;
1370
1371 res_sval->type = size_t_ctype;
1372 res_sval->value = offset;
1373
1374 return true;
1375 }
1376
handle_offsetof_rl(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * res_sval)1377 static bool handle_offsetof_rl(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *res_sval)
1378 {
1379 if (get_offset_from_down(expr, implied, recurse_cnt, res, res_sval))
1380 return true;
1381
1382 if (get_offset_from_in(expr, implied, recurse_cnt, res, res_sval))
1383 return true;
1384
1385 evaluate_expression(expr);
1386 if (expr->type == EXPR_VALUE) {
1387 *res_sval = sval_from_val(expr, expr->value);
1388 return true;
1389 }
1390 return false;
1391 }
1392
get_rl_sval(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res,sval_t * sval_res)1393 static bool get_rl_sval(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res, sval_t *sval_res)
1394 {
1395 struct range_list *rl = (void *)-1UL;
1396 struct symbol *type;
1397 sval_t sval = {};
1398
1399 type = get_type(expr);
1400 expr = strip_parens(expr);
1401 if (!expr)
1402 return false;
1403
1404 if (++(*recurse_cnt) >= 200)
1405 return false;
1406
1407 switch(expr->type) {
1408 case EXPR_CAST:
1409 case EXPR_FORCE_CAST:
1410 case EXPR_IMPLIED_CAST:
1411 handle_cast(expr, implied, recurse_cnt, &rl, &sval);
1412 goto out_cast;
1413 }
1414
1415 expr = strip_expr(expr);
1416 if (!expr)
1417 return false;
1418
1419 switch (expr->type) {
1420 case EXPR_VALUE:
1421 sval = sval_from_val(expr, expr->value);
1422 break;
1423 case EXPR_FVALUE:
1424 sval = sval_from_fval(expr, expr->fvalue);
1425 break;
1426 case EXPR_PREOP:
1427 handle_preop_rl(expr, implied, recurse_cnt, &rl, &sval);
1428 break;
1429 case EXPR_POSTOP:
1430 get_rl_sval(expr->unop, implied, recurse_cnt, &rl, &sval);
1431 break;
1432 case EXPR_BINOP:
1433 handle_binop_rl(expr, implied, recurse_cnt, &rl, &sval);
1434 break;
1435 case EXPR_COMPARE:
1436 handle_comparison_rl(expr, implied, recurse_cnt, &rl, &sval);
1437 break;
1438 case EXPR_LOGICAL:
1439 handle_logical_rl(expr, implied, recurse_cnt, &rl, &sval);
1440 break;
1441 case EXPR_PTRSIZEOF:
1442 case EXPR_SIZEOF:
1443 sval = handle_sizeof(expr);
1444 break;
1445 case EXPR_SELECT:
1446 case EXPR_CONDITIONAL:
1447 handle_conditional_rl(expr, implied, recurse_cnt, &rl, &sval);
1448 break;
1449 case EXPR_CALL:
1450 handle_call_rl(expr, implied, recurse_cnt, &rl, &sval);
1451 break;
1452 case EXPR_STRING:
1453 if (get_mtag_sval(expr, &sval))
1454 break;
1455 if (implied == RL_EXACT)
1456 break;
1457 rl = alloc_rl(valid_ptr_min_sval, valid_ptr_max_sval);
1458 break;
1459 case EXPR_OFFSETOF:
1460 handle_offsetof_rl(expr, implied, recurse_cnt, &rl, &sval);
1461 break;
1462 case EXPR_ALIGNOF:
1463 evaluate_expression(expr);
1464 if (expr->type == EXPR_VALUE)
1465 sval = sval_from_val(expr, expr->value);
1466 break;
1467 default:
1468 handle_variable(expr, implied, recurse_cnt, &rl, &sval);
1469 }
1470
1471 out_cast:
1472 if (rl == (void *)-1UL)
1473 rl = NULL;
1474
1475 if (sval.type || (rl && rl_to_sval(rl, &sval))) {
1476 *sval_res = sval;
1477 return true;
1478 }
1479 if (implied == RL_EXACT)
1480 return false;
1481
1482 if (rl) {
1483 *res = rl;
1484 return true;
1485 }
1486 if (type && (implied == RL_ABSOLUTE || implied == RL_REAL_ABSOLUTE)) {
1487 *res = alloc_whole_rl(type);
1488 return true;
1489 }
1490 return false;
1491 }
1492
get_rl_internal(struct expression * expr,int implied,int * recurse_cnt,struct range_list ** res)1493 static bool get_rl_internal(struct expression *expr, int implied, int *recurse_cnt, struct range_list **res)
1494 {
1495 struct range_list *rl = NULL;
1496 sval_t sval = {};
1497
1498 if (!get_rl_sval(expr, implied, recurse_cnt, &rl, &sval))
1499 return false;
1500
1501 if (sval.type)
1502 *res = alloc_rl(sval, sval);
1503 else
1504 *res = rl;
1505 return true;
1506 }
1507
get_rl_helper(struct expression * expr,int implied,struct range_list ** res)1508 static bool get_rl_helper(struct expression *expr, int implied, struct range_list **res)
1509 {
1510 struct range_list *rl = NULL;
1511 sval_t sval = {};
1512 int recurse_cnt = 0;
1513
1514 if (get_value(expr, &sval)) {
1515 *res = alloc_rl(sval, sval);
1516 return true;
1517 }
1518
1519 if (!get_rl_sval(expr, implied, &recurse_cnt, &rl, &sval))
1520 return false;
1521
1522 if (sval.type)
1523 *res = alloc_rl(sval, sval);
1524 else
1525 *res = rl;
1526 return true;
1527 }
1528
1529 struct {
1530 struct expression *expr;
1531 sval_t sval;
1532 } cached_results[24];
1533 static int cache_idx;
1534
clear_math_cache(void)1535 void clear_math_cache(void)
1536 {
1537 memset(cached_results, 0, sizeof(cached_results));
1538 }
1539
set_fast_math_only(void)1540 void set_fast_math_only(void)
1541 {
1542 fast_math_only++;
1543 }
1544
clear_fast_math_only(void)1545 void clear_fast_math_only(void)
1546 {
1547 fast_math_only--;
1548 }
1549
1550 /*
1551 * Don't cache EXPR_VALUE because values are fast already.
1552 *
1553 */
get_value_literal(struct expression * expr,sval_t * res_sval)1554 static bool get_value_literal(struct expression *expr, sval_t *res_sval)
1555 {
1556 struct expression *tmp;
1557 int recurse_cnt = 0;
1558
1559 tmp = strip_expr(expr);
1560 if (!tmp || tmp->type != EXPR_VALUE)
1561 return false;
1562
1563 return get_rl_sval(expr, RL_EXACT, &recurse_cnt, NULL, res_sval);
1564 }
1565
1566 /* returns 1 if it can get a value literal or else returns 0 */
get_value(struct expression * expr,sval_t * res_sval)1567 int get_value(struct expression *expr, sval_t *res_sval)
1568 {
1569 struct range_list *(*orig_custom_fn)(struct expression *expr);
1570 int recurse_cnt = 0;
1571 sval_t sval = {};
1572 int i;
1573
1574 if (get_value_literal(expr, res_sval))
1575 return 1;
1576
1577 /*
1578 * This only handles RL_EXACT because other expr statements can be
1579 * different at different points. Like the list iterator, for example.
1580 */
1581 for (i = 0; i < ARRAY_SIZE(cached_results); i++) {
1582 if (expr == cached_results[i].expr) {
1583 if (cached_results[i].sval.type) {
1584 *res_sval = cached_results[i].sval;
1585 return true;
1586 }
1587 return false;
1588 }
1589 }
1590
1591 orig_custom_fn = custom_handle_variable;
1592 custom_handle_variable = NULL;
1593 get_rl_sval(expr, RL_EXACT, &recurse_cnt, NULL, &sval);
1594
1595 custom_handle_variable = orig_custom_fn;
1596
1597 cached_results[cache_idx].expr = expr;
1598 cached_results[cache_idx].sval = sval;
1599 cache_idx = (cache_idx + 1) % ARRAY_SIZE(cached_results);
1600
1601 if (!sval.type)
1602 return 0;
1603
1604 *res_sval = sval;
1605 return 1;
1606 }
1607
get_implied_value_internal(struct expression * expr,int * recurse_cnt,sval_t * res_sval)1608 static bool get_implied_value_internal(struct expression *expr, int *recurse_cnt, sval_t *res_sval)
1609 {
1610 struct range_list *rl;
1611
1612 res_sval->type = NULL;
1613
1614 if (!get_rl_sval(expr, RL_IMPLIED, recurse_cnt, &rl, res_sval))
1615 return false;
1616 if (!res_sval->type && !rl_to_sval(rl, res_sval))
1617 return false;
1618 return true;
1619 }
1620
get_implied_value(struct expression * expr,sval_t * sval)1621 int get_implied_value(struct expression *expr, sval_t *sval)
1622 {
1623 struct range_list *rl;
1624
1625 if (!get_rl_helper(expr, RL_IMPLIED, &rl) ||
1626 !rl_to_sval(rl, sval))
1627 return 0;
1628 return 1;
1629 }
1630
get_implied_value_fast(struct expression * expr,sval_t * sval)1631 int get_implied_value_fast(struct expression *expr, sval_t *sval)
1632 {
1633 struct range_list *rl;
1634 static int recurse;
1635 int ret = 0;
1636
1637 if (recurse)
1638 return 0;
1639
1640 recurse = 1;
1641 set_fast_math_only();
1642 if (get_rl_helper(expr, RL_IMPLIED, &rl) &&
1643 rl_to_sval(rl, sval))
1644 ret = 1;
1645 clear_fast_math_only();
1646 recurse = 0;
1647
1648 return ret;
1649 }
1650
get_implied_min(struct expression * expr,sval_t * sval)1651 int get_implied_min(struct expression *expr, sval_t *sval)
1652 {
1653 struct range_list *rl;
1654
1655 if (!get_rl_helper(expr, RL_IMPLIED, &rl) || !rl)
1656 return 0;
1657 *sval = rl_min(rl);
1658 return 1;
1659 }
1660
get_implied_max(struct expression * expr,sval_t * sval)1661 int get_implied_max(struct expression *expr, sval_t *sval)
1662 {
1663 struct range_list *rl;
1664
1665 if (!get_rl_helper(expr, RL_IMPLIED, &rl) || !rl)
1666 return 0;
1667 *sval = rl_max(rl);
1668 return 1;
1669 }
1670
get_implied_rl(struct expression * expr,struct range_list ** rl)1671 int get_implied_rl(struct expression *expr, struct range_list **rl)
1672 {
1673 if (!get_rl_helper(expr, RL_IMPLIED, rl) || !*rl)
1674 return 0;
1675 return 1;
1676 }
1677
get_absolute_rl_internal(struct expression * expr,struct range_list ** rl,int * recurse_cnt)1678 static int get_absolute_rl_internal(struct expression *expr, struct range_list **rl, int *recurse_cnt)
1679 {
1680 *rl = NULL;
1681 get_rl_internal(expr, RL_ABSOLUTE, recurse_cnt, rl);
1682 if (!*rl)
1683 *rl = alloc_whole_rl(get_type(expr));
1684 return 1;
1685 }
1686
get_absolute_rl(struct expression * expr,struct range_list ** rl)1687 int get_absolute_rl(struct expression *expr, struct range_list **rl)
1688 {
1689 *rl = NULL;
1690 get_rl_helper(expr, RL_ABSOLUTE, rl);
1691 if (!*rl)
1692 *rl = alloc_whole_rl(get_type(expr));
1693 return 1;
1694 }
1695
get_real_absolute_rl(struct expression * expr,struct range_list ** rl)1696 int get_real_absolute_rl(struct expression *expr, struct range_list **rl)
1697 {
1698 *rl = NULL;
1699 get_rl_helper(expr, RL_REAL_ABSOLUTE, rl);
1700 if (!*rl)
1701 *rl = alloc_whole_rl(get_type(expr));
1702 return 1;
1703 }
1704
custom_get_absolute_rl(struct expression * expr,struct range_list * (* fn)(struct expression * expr),struct range_list ** rl)1705 int custom_get_absolute_rl(struct expression *expr,
1706 struct range_list *(*fn)(struct expression *expr),
1707 struct range_list **rl)
1708 {
1709 int ret;
1710
1711 *rl = NULL;
1712 custom_handle_variable = fn;
1713 ret = get_rl_helper(expr, RL_REAL_ABSOLUTE, rl);
1714 custom_handle_variable = NULL;
1715 return ret;
1716 }
1717
get_implied_rl_var_sym(const char * var,struct symbol * sym,struct range_list ** rl)1718 int get_implied_rl_var_sym(const char *var, struct symbol *sym, struct range_list **rl)
1719 {
1720 struct smatch_state *state;
1721
1722 state = get_state(SMATCH_EXTRA, var, sym);
1723 *rl = estate_rl(state);
1724 if (*rl)
1725 return 1;
1726 return 0;
1727 }
1728
get_hard_max(struct expression * expr,sval_t * sval)1729 int get_hard_max(struct expression *expr, sval_t *sval)
1730 {
1731 struct range_list *rl;
1732
1733 if (!get_rl_helper(expr, RL_HARD, &rl) || !rl)
1734 return 0;
1735 *sval = rl_max(rl);
1736 return 1;
1737 }
1738
get_fuzzy_min(struct expression * expr,sval_t * sval)1739 int get_fuzzy_min(struct expression *expr, sval_t *sval)
1740 {
1741 struct range_list *rl;
1742 sval_t tmp;
1743
1744 if (!get_rl_helper(expr, RL_FUZZY, &rl) || !rl)
1745 return 0;
1746 tmp = rl_min(rl);
1747 if (sval_is_negative(tmp) && sval_is_min(tmp))
1748 return 0;
1749 *sval = tmp;
1750 return 1;
1751 }
1752
get_fuzzy_max(struct expression * expr,sval_t * sval)1753 int get_fuzzy_max(struct expression *expr, sval_t *sval)
1754 {
1755 struct range_list *rl;
1756 sval_t max;
1757
1758 if (!get_rl_helper(expr, RL_FUZZY, &rl) || !rl)
1759 return 0;
1760 max = rl_max(rl);
1761 if (max.uvalue > INT_MAX - 10000)
1762 return 0;
1763 *sval = max;
1764 return 1;
1765 }
1766
get_absolute_min(struct expression * expr,sval_t * sval)1767 int get_absolute_min(struct expression *expr, sval_t *sval)
1768 {
1769 struct range_list *rl;
1770 struct symbol *type;
1771
1772 type = get_type(expr);
1773 if (!type)
1774 type = &llong_ctype; // FIXME: this is wrong but places assume get type can't fail.
1775 rl = NULL;
1776 get_rl_helper(expr, RL_REAL_ABSOLUTE, &rl);
1777 if (rl)
1778 *sval = rl_min(rl);
1779 else
1780 *sval = sval_type_min(type);
1781
1782 if (sval_cmp(*sval, sval_type_min(type)) < 0)
1783 *sval = sval_type_min(type);
1784 return 1;
1785 }
1786
get_absolute_max(struct expression * expr,sval_t * sval)1787 int get_absolute_max(struct expression *expr, sval_t *sval)
1788 {
1789 struct range_list *rl;
1790 struct symbol *type;
1791
1792 type = get_type(expr);
1793 if (!type)
1794 type = &llong_ctype;
1795 rl = NULL;
1796 get_rl_helper(expr, RL_REAL_ABSOLUTE, &rl);
1797 if (rl)
1798 *sval = rl_max(rl);
1799 else
1800 *sval = sval_type_max(type);
1801
1802 if (sval_cmp(sval_type_max(type), *sval) < 0)
1803 *sval = sval_type_max(type);
1804 return 1;
1805 }
1806
known_condition_true(struct expression * expr)1807 int known_condition_true(struct expression *expr)
1808 {
1809 sval_t tmp;
1810
1811 if (!expr)
1812 return 0;
1813
1814 if (__inline_fn && get_param_num(expr) >= 0) {
1815 if (get_implied_value(expr, &tmp) && tmp.value)
1816 return 1;
1817 return 0;
1818 }
1819
1820 if (get_value(expr, &tmp) && tmp.value)
1821 return 1;
1822
1823 return 0;
1824 }
1825
known_condition_false(struct expression * expr)1826 int known_condition_false(struct expression *expr)
1827 {
1828 sval_t tmp;
1829
1830 if (!expr)
1831 return 0;
1832
1833 if (__inline_fn && get_param_num(expr) >= 0) {
1834 if (get_implied_value(expr, &tmp) && tmp.value == 0)
1835 return 1;
1836 return 0;
1837 }
1838
1839 if (expr_is_zero(expr))
1840 return 1;
1841
1842 return 0;
1843 }
1844
implied_condition_true(struct expression * expr)1845 int implied_condition_true(struct expression *expr)
1846 {
1847 sval_t tmp;
1848
1849 if (!expr)
1850 return 0;
1851
1852 if (known_condition_true(expr))
1853 return 1;
1854 if (get_implied_value(expr, &tmp) && tmp.value)
1855 return 1;
1856
1857 if (expr->type == EXPR_POSTOP)
1858 return implied_condition_true(expr->unop);
1859
1860 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_DECREMENT)
1861 return implied_not_equal(expr->unop, 1);
1862 if (expr->type == EXPR_PREOP && expr->op == SPECIAL_INCREMENT)
1863 return implied_not_equal(expr->unop, -1);
1864
1865 expr = strip_expr(expr);
1866 switch (expr->type) {
1867 case EXPR_COMPARE:
1868 if (do_comparison(expr) == 1)
1869 return 1;
1870 break;
1871 case EXPR_PREOP:
1872 if (expr->op == '!') {
1873 if (implied_condition_false(expr->unop))
1874 return 1;
1875 break;
1876 }
1877 break;
1878 default:
1879 if (implied_not_equal(expr, 0) == 1)
1880 return 1;
1881 break;
1882 }
1883 return 0;
1884 }
1885
implied_condition_false(struct expression * expr)1886 int implied_condition_false(struct expression *expr)
1887 {
1888 struct expression *tmp;
1889 sval_t sval;
1890
1891 if (!expr)
1892 return 0;
1893
1894 if (known_condition_false(expr))
1895 return 1;
1896
1897 switch (expr->type) {
1898 case EXPR_COMPARE:
1899 if (do_comparison(expr) == 2)
1900 return 1;
1901 case EXPR_PREOP:
1902 if (expr->op == '!') {
1903 if (implied_condition_true(expr->unop))
1904 return 1;
1905 break;
1906 }
1907 tmp = strip_expr(expr);
1908 if (tmp != expr)
1909 return implied_condition_false(tmp);
1910 break;
1911 default:
1912 if (get_implied_value(expr, &sval) && sval.value == 0)
1913 return 1;
1914 break;
1915 }
1916 return 0;
1917 }
1918
1919
1920