Oh, may I ask how to do that with Smatch?

My pipeline is like this:
1. Run syzkaller to have all the uncovered branches.
2. Extract conditions from these branches.
3. Use dataflow/manual analysis to analyze these conditions.

I am kind of still in step 2, and I want to see what these conditions look like
before deciding to use Smatch or something else. That's why I am trying to hook
stuff with "WHOLE_CONDITION_HOOK" as it's more friendly to manual analysis.

To switch the topic a little bit, is there any plan to add documents of Smatch?
I'd like to get involved as I am also using it for my own project.

Sorry if I am a bit annoying and keep asking questions.

Best,
Hongyi

Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote on Thu, Jun 20, 2024 at 20:33:
>
> On Thu, Jun 20, 2024 at 08:10:06PM +0800, Hongyi Lu wrote:
> > Oh, thank you for the suggestions.
> >
> > I'll give CONDITION_HOOK a try. It's just that I really need to know the
> > "source location" of the condition so the WHOLE_CONDITION_HOOK makes sure
> > composited conditions like A and B in (A && B) appear together.
>
> I mean, if you want to and it's working then that's great.  But
> generally we wouldn't want to differentiate between:
>
> ONE:
>         if (A && B)
>                 return;
> TWO:
>         if (A) {
>                 if (B)
>                         return;
>         }
>
> I guess, what I'm imagining you want is something like this.  How is
> some_function() reachable from the user?
>
> int driver_ioctl(...)
> {
>
>         if (!foo)
>                 return -EINVAL;
>         if (bar)
>                 return -EINVAL;
>
>         return some_function();
> }
>
> If we did something like stored conditions we could make a list of all
> the conditions which are true and which are false when we call
> some_function().
>
> regards,
> dan carpenter
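
The quoted reply above suggests storing conditions so that the ones known true or false at a call to some_function() can be listed, and treats forms ONE and TWO as the same. As an added example (not part of the thread and not Smatch code), this Python model walks a constructed mini-AST, splits `&&` the way short-circuit evaluation does, and lists the facts that hold on each path reaching the call. The tuple encoding and every function name here are assumptions made for illustration.

```python
# Model only: a constructed mini-AST, not Smatch's internal representation.
# Statements: ("if", cond, body) | ("return",) | ("call", name)
# Conditions: "A" | ("not", c) | ("and", c1, c2)

def branch(cond, want, facts):
    """Yield the fact lists under which cond evaluates to want.
    && is split as short-circuit evaluation would split it."""
    if isinstance(cond, str):
        yield facts + [(cond, want)]
    elif cond[0] == "not":
        yield from branch(cond[1], not want, facts)
    elif want:                      # (a && b) true: a true, then b true
        for f in branch(cond[1], True, facts):
            yield from branch(cond[2], True, f)
    else:                           # (a && b) false: a false, or a true and b false
        yield from branch(cond[1], False, facts)
        for f in branch(cond[1], True, facts):
            yield from branch(cond[2], False, f)

def walk(body, facts, target, hits):
    """Return fact lists for paths that fall off the end of body;
    append to hits the facts in force at each call to target."""
    live = [facts]
    for stmt in body:
        nxt = []
        for f in live:
            if stmt[0] == "call":
                if stmt[1] == target:
                    hits.append(f)
                nxt.append(f)
            elif stmt[0] == "if":
                for taken in branch(stmt[1], True, f):
                    nxt.extend(walk(stmt[2], taken, target, hits))
                nxt.extend(branch(stmt[1], False, f))
            # ("return",) ends the path: nothing is carried forward
        live = nxt
    return live

def conditions_at(body, target):
    hits = []
    walk(body, [], target, hits)
    return sorted(tuple(f) for f in hits)

# The three shapes from the reply, encoded by hand.
CALL = ("call", "some_function")
ONE = [("if", ("and", "A", "B"), [("return",)]), CALL]
TWO = [("if", "A", [("if", "B", [("return",)])]), CALL]
IOCTL = [("if", ("not", "foo"), [("return",)]), ("if", "bar", [("return",)]), CALL]

if __name__ == "__main__":
    for name, body in (("ONE", ONE), ("TWO", TWO), ("driver_ioctl", IOCTL)):
        print(name, conditions_at(body, "some_function"))
```

ONE and TWO produce the same list of per-path facts once `&&` is split, which is why a per-condition hook loses nothing relative to a whole-condition hook for this kind of reachability question.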