On Thu, Jun 20, 2024 at 10:12:28PM +0800, Hongyi Lu wrote:
> Oh, may I ask how to do that with Smatch?

See the attached file and test file. The output should be:

test.c:13 function() call: frob() state=[check_conditions] x & 1 (nil) = 'merged' [merged] (false, true, merged)
test.c:16 function() call: frob() state=[check_conditions] x & 1 (nil) = 'true'

Except instead of 'x' you'd want some way to tie that back to the input from the user.

> My pipeline is like this
>
> 1. Run syzkaller to have all the uncovered branches.
> 2. Extract conditions from these branches.
> 3. Use dataflow/manual analysis to analyze these conditions.
>
> I am kind of still in step 2, and I want to see what these conditions
> look like before deciding to use Smatch or something else.
> That's why I am trying to hook stuff with "WHOLE_CONDITION_HOOK" as
> it's more friendly to manual analysis.
>
> To switch the topic a little bit, is there any plan to add documentation for Smatch?
> I'd like to get involved as I am also using it for my own project.
>
> Sorry if I am a bit annoying and keep asking questions.

Not at all. The Smatch documentation does totally suck. I wrote some blogs as a starting point. I should just copy and paste them into the documentation directory.

https://staticthinking.wordpress.com/2023/04/25/first-smatch-check/
https://staticthinking.wordpress.com/2023/04/25/merging-states/
https://staticthinking.wordpress.com/2023/05/02/the-cross-function-db/
https://staticthinking.wordpress.com/2023/05/02/the-param-key-api/
https://staticthinking.wordpress.com/2023/05/02/smatch-hooks-and-modules/
https://staticthinking.wordpress.com/2023/05/02/debugging-smatch-checks/

regards,
dan carpenter
#include "smatch.h"
#include "smatch_slist.h"

static int my_id;

/*
 * Use the text of the condition as the state name.  The true branch gets
 * &true_state and the false branch &false_state, so after the branches
 * join back up the state shows as 'merged'.
 */
static void match_condition(struct expression *expr)
{
	char *str;

	str = expr_to_str(expr);
	if (!str) {
		/* Too complicated.  Give up */
		return;
	}
	set_true_false_states(my_id, str, NULL, &true_state, &false_state);
	free_string(str);
}

/* At every function call, print each condition state this check tracks. */
static void match_call(struct expression *expr)
{
	struct sm_state *sm;
	char *call = expr_to_str(expr);

	FOR_EACH_MY_SM(my_id, __get_cur_stree(), sm) {
		sm_msg("call: %s state=%s", call, show_sm(sm));
	} END_FOR_EACH_SM(sm);

	free_string(call);
}

void check_conditions(int id)
{
	my_id = id;
	add_hook(&match_condition, CONDITION_HOOK);
	add_hook(&match_call, FUNCTION_CALL_HOOK);
}
#include "check_debug.h"

int x, y;

void frob();

void function(void)
{
	if (x & 1)
		y = 1;
	else
		y = 2;
	frob();		/* line 13: both branches reach here, state is 'merged' */

	if (x & 1)
		frob();	/* line 16: only reached when x & 1 is true */
}