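/*
 * Copyright (C) 2015 Oracle.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */

#include "smatch.h"
#include "smatch_slist.h"
#include "smatch_extra.h"

/*
 * Decide whether an array-typed expression is known to have a non-NULL
 * address.
 *
 * A plain array symbol, or an expression already implied to be != 0, is
 * non-NULL.  A member access "ptr->arr" is only treated as non-NULL when
 * "arr" is not the first member of the struct, because the address of the
 * first member is the (possibly NULL) struct pointer itself.
 *
 * Returns true when the address is known to be non-NULL, false when it is
 * unknown or @expr is not an array.
 */
static bool is_non_null_array(struct expression *expr)
{
	struct symbol *type;
	struct symbol *sym;
	struct symbol *tmp;
	int i;

	type = get_type(expr);
	if (!type || type->type != SYM_ARRAY)
		return false;
	if (expr->type == EXPR_SYMBOL)
		return true;
	if (implied_not_equal(expr, 0))
		return true;

	/* verify that it's not the first member of the struct */
	if (expr->type != EXPR_DEREF || !expr->member)
		return false;
	sym = expr_to_sym(expr);
	if (!sym)
		return false;
	type = get_real_base_type(sym);
	if (!type || type->type != SYM_PTR)
		return false;
	/*
	 * get_real_base_type() can return NULL (the call above is guarded for
	 * the same reason); an unknown pointee must not be dereferenced here.
	 */
	type = get_real_base_type(type);
	if (!type || type->type != SYM_STRUCT)
		return false;

	/* unnamed members are counted so the "first member" test stays exact */
	i = 0;
	FOR_EACH_PTR(type->symbol_list, tmp) {
		i++;
		if (!tmp->ident)
			continue;
		if (strcmp(expr->member->name, tmp->ident->name) == 0)
			return i != 1;
	} END_FOR_EACH_PTR(tmp);

	return false;
}

/*
 * Compute the byte offset of @member_name inside the struct @type.
 *
 * The offset is built by walking the member list, aligning the running
 * offset to each member's alignment and then advancing by its size.
 * Returns the offset of the first member whose name matches, or -1 when
 * @type is not a struct or the member is not found.
 */
int get_member_offset(struct symbol *type, const char *member_name)
{
	struct symbol *tmp;
	int offset;

	if (!type || type->type != SYM_STRUCT)
		return -1;

	offset = 0;
	FOR_EACH_PTR(type->symbol_list, tmp) {
		offset = ALIGN(offset, tmp->ctype.alignment);
		if (tmp->ident &&
		    strcmp(member_name, tmp->ident->name) == 0) {
			return offset;
		}
		offset += type_bytes(tmp);
	} END_FOR_EACH_PTR(tmp);
	return -1;
}

/*
 * Return the byte offset of the member accessed by the EXPR_DEREF @expr,
 * or -1 when it cannot be determined (not a deref, no member, or the
 * dereferenced type is not a struct).
 *
 * A successful lookup is cached in expr->member_offset; a cached value
 * (>= 0) is returned without recomputing.
 */
int get_member_offset_from_deref(struct expression *expr)
{
	struct symbol *type;
	struct ident *member;
	int offset;

	if (expr->type != EXPR_DEREF) /* hopefully, this doesn't happen */
		return -1;

	if (expr->member_offset >= 0)
		return expr->member_offset;

	member = expr->member;
	if (!member)
		return -1;

	type = get_type(expr->deref);
	if (!type || type->type != SYM_STRUCT)
		return -1;

	offset = get_member_offset(type, member->name);
	if (offset >= 0)
		expr->member_offset = offset;
	return offset;
}

/*
 * Drop a leading "s64min..-1" range from @rl.
 *
 * Such a range is what an unknown negative value (e.g. an error pointer)
 * looks like; it is removed so that the offset arithmetic below only sees
 * the non-negative part.  Any other list, including an empty one, is
 * returned unchanged.
 */
static struct range_list *filter_unknown_negatives(struct range_list *rl)
{
	struct data_range *first;
	struct range_list *filter = NULL;

	first = first_ptr_list((struct ptr_list *)rl);
	/* an empty list has no first range to inspect */
	if (!first)
		return rl;

	if (sval_is_min(first->min) &&
	    sval_is_negative(first->max) &&
	    first->max.value == -1) {
		add_ptr_list(&filter, first);
		return rl_filter(rl, filter);
	}

	return rl;
}

/*
 * Adjust the address range @rl for a member access at byte @offset.
 *
 * @offset is the member offset as returned by get_member_offset(); the
 * caller is expected to pass a non-negative value.  A zero offset leaves
 * @rl untouched.  An unknown or whole range becomes "offset..ptr_max".
 * Otherwise the known negative part is filtered away and the offset is
 * added, first trimming the top of the range so the addition cannot wrap.
 * If the remaining range still starts negative, @rl is left as it was.
 */
static void add_offset_to_pointer(struct range_list **rl, int offset)
{
	sval_t min, max, remove, sval;
	struct range_list *orig = *rl;

	/*
	 * Ha ha.  Treating zero as a special case means I'm correct at least a
	 * tiny fraction of the time.  Which is better than nothing.
	 *
	 */
	if (offset == 0)
		return;

	/*
	 * This function doesn't necessarily work how you might expect...
	 *
	 * Say you have s64min-(-1),1-s64max and you add 8 then I guess what
	 * we want to say is maybe something like 9-s64max.  This shows that the
	 * min it could be is 9 which is potentially useful information.  But
	 * if we start with (-12),5000000-57777777 and we add 8 then we'd want
	 * the result to be (-4),5000008-57777777 but (-4),5000000-57777777 is
	 * also probably acceptable.  If you start with s64min-s64max then the
	 * result should be 8-s64max.
	 *
	 */

	/* We do the math on void pointer type, because this isn't "&v + 16" it
	 * is &v->sixteenth_byte.
	 */
	orig = cast_rl(&ptr_ctype, orig);
	min = sval_type_min(&ptr_ctype);
	min.value = offset;
	max = sval_type_max(&ptr_ctype);

	if (!orig || is_whole_rl(orig)) {
		*rl = alloc_rl(min, max);
		return;
	}

	orig = filter_unknown_negatives(orig);
	/*
	 * FIXME: This is not really accurate but we're a bit screwed anyway
	 * when we start doing pointer math with error pointers so it's probably
	 * not important.
	 *
	 */
	if (sval_is_negative(rl_min(orig)))
		return;

	/* no wrap around: cut off anything that would overflow once offset is added */
	max.uvalue = rl_max(orig).uvalue;
	if (max.uvalue > sval_type_max(&ptr_ctype).uvalue - offset) {
		remove = sval_type_max(&ptr_ctype);
		remove.uvalue -= offset;
		orig = remove_range(orig, remove, max);
	}

	sval.type = &int_ctype;
	sval.value = offset;

	*rl = rl_binop(orig, '+', alloc_rl(sval, sval));
}

/*
 * Return the address range in which the storage of @sym lives.
 *
 * Toplevel and static symbols live in the data segment when they have an
 * initializer and in bss otherwise; everything else is assumed to be on
 * the stack.  Returns NULL for a NULL @sym.
 */
static struct range_list *where_allocated_rl(struct symbol *sym)
{
	if (!sym)
		return NULL;

	if (sym->ctype.modifiers & (MOD_TOPLEVEL | MOD_STATIC)) {
		if (sym->initializer)
			return alloc_rl(data_seg_min, data_seg_max);
		else
			return alloc_rl(bss_seg_min, bss_seg_max);
	}
	return alloc_rl(stack_seg_min, stack_seg_max);
}

/*
 * Work out the range of addresses an address-valued expression can take.
 *
 * Handles string literals (text segment), "&sym", "&sym->member" and
 * "&(*ptr)->member" (base address plus member offset), and arrays that
 * are known to be non-NULL.
 *
 * Returns 1 and stores the range in *@rl on success, 0 when nothing is
 * known (in which case *@rl is not guaranteed to have been written).
 */
int get_address_rl(struct expression *expr, struct range_list **rl)
{
	expr = strip_expr(expr);
	if (!expr)
		return 0;

	if (expr->type == EXPR_STRING) {
		*rl = alloc_rl(text_seg_min, text_seg_max);
		return 1;
	}

	if (expr->type == EXPR_PREOP && expr->op == '&') {
		struct expression *unop;

		unop = strip_expr(expr->unop);
		/* strip_expr() is NULL-checked above; treat the operand the same way */
		if (!unop)
			return 0;
		if (unop->type == EXPR_SYMBOL) {
			*rl = where_allocated_rl(unop->symbol);
			return 1;
		}

		if (unop->type == EXPR_DEREF) {
			int offset = get_member_offset_from_deref(unop);

			/*
			 * -1 means the member offset is unknown; feeding it
			 * into the pointer math would produce a bogus range,
			 * so report "unknown" instead.
			 */
			if (offset < 0)
				return 0;

			unop = strip_expr(unop->unop);
			if (!unop)
				return 0;
			if (unop->type == EXPR_SYMBOL) {
				*rl = where_allocated_rl(unop->symbol);
			} else if (unop->type == EXPR_PREOP && unop->op == '*') {
				unop = strip_expr(unop->unop);
				get_absolute_rl(unop, rl);
			} else {
				return 0;
			}

			add_offset_to_pointer(rl, offset);
			return 1;
		}

		return 0;
	}

	if (is_non_null_array(expr)) {
		*rl = alloc_rl(array_min_sval, array_max_sval);
		return 1;
	}

	return 0;
}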