On Thu, Jun 20, 2024 at 05:39:04PM +0300, Dan Carpenter wrote:
> On Thu, Jun 20, 2024 at 10:12:28PM +0800, Hongyi Lu wrote:
> > Oh, may I ask how to do that with Smatch?
> >
>
> See the attached file and test file.  The output should be:
>
> test.c:13 function() call: frob() state=[check_conditions] x & 1 (nil) = 'merged' [merged] (false, true, merged)
> test.c:16 function() call: frob() state=[check_conditions] x & 1 (nil) = 'true'
>
> Except instead of 'x' you'd want some way to tie that back to the input
> from the user.

One of the things that Smatch saves is the value of variables in
smatch_extra.c.  So maybe instead of saving conditions you just want to
save the values of variables.  "x = 0-15" range when we call frob().  We
also track values which the user controls.  Or we could say
(struct foo)->member_name which comes from the user is in 0-15 range
when we call frob().

An earlier student group looked at system calls which referenced the
same (struct foo)->member_name and tried to race them against each other
in syzkaller.  They did find some bugs that way.

regards,
dan carpenter