| author | Dmitry Vyukov <dvyukov@google.com> | 2025-01-17 10:39:49 +0100 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2025-01-22 17:12:18 +0000 |
| commit | 8aaf5d60aa0b3ddb05e117f52c0e30ec246b7aad (patch) | |
| tree | 63ddc4520d1e4b865925a014d3401b5e15c1fed3 /tools/syz-declextract/testdata/functions.c.json | |
| parent | ac680c7cc91ea82316471433537f3101c2af39ea (diff) | |
tools/syz-declextract: support function scopes
Extract info about function scopes formed by switch'es on function arguments.
For example if we have:
void foo(..., int cmd, ...)
{
...
switch (cmd) {
case FOO:
... block 1 ...
case BAR:
... block 2 ...
}
...
}
We record that any data flow within block 1 is only relevant
when foo's arg cmd has value FOO, similarly for block 2 and BAR.
This allows us to do 3 things:
1. Locate ioctl commands that are switched on within transitively
called functions.
2. Infer return value for each ioctl command.
3. Infer argument type when it's not specified in _IO macro.
This will also allow to infer other multiplexed syscalls.
Descriptions generated on Linux commit c4b9570cfb63501.
Diffstat (limited to 'tools/syz-declextract/testdata/functions.c.json')
| -rw-r--r-- | tools/syz-declextract/testdata/functions.c.json | 433 |
1 files changed, 247 insertions, 186 deletions
diff --git a/tools/syz-declextract/testdata/functions.c.json b/tools/syz-declextract/testdata/functions.c.json
index eb1b3b880..ecb95affc 100644
--- a/tools/syz-declextract/testdata/functions.c.json
+++ b/tools/syz-declextract/testdata/functions.c.json
@@ -3,256 +3,317 @@ { "name": "__do_sys_functions", "file": "functions.c", - "loc": 2, - "calls": [ - "__fget_light", - "func_baz" - ], - "facts": [ - { - "src": { - "argument": { - "func": "__do_sys_functions", - "arg": 0 - } - }, - "dst": { - "argument": { - "func": "__fget_light", - "arg": 0 - } - } - }, + "scopes": [ { - "src": { - "return": { - "func": "func_baz" + "arg": -1, + "loc": 2, + "calls": [ + "__fget_light", + "func_baz" + ], + "facts": [ + { + "src": { + "argument": { + "func": "__do_sys_functions", + "arg": 0 + } + }, + "dst": { + "argument": { + "func": "__fget_light", + "arg": 0 + } + } + }, + { + "src": { + "return": { + "func": "func_baz" + } + }, + "dst": { + "return": { + "func": "__do_sys_functions" + } + } } - }, - "dst": { - "return": { - "func": "__do_sys_functions" - } - } + ] } ] }, { "name": "__fget_light", - "file": "functions.c" + "file": "functions.c", + "scopes": [ + { + "arg": -1 + } + ] }, { "name": "alloc_fd", "file": "functions.c", - "loc": 1 + "scopes": [ + { + "arg": -1, + "loc": 1 + } + ] }, { "name": "atomic_load32", "file": "include/types.h", "is_static": true, - "loc": 1 + "scopes": [ + { + "arg": -1, + "loc": 1 + } + ] }, { "name": "atomic_load64", "file": "include/types.h", - "loc": 1 + "scopes": [ + { + "arg": -1, + "loc": 1 + } + ] }, { "name": "from_kuid", "file": "functions.c", - "loc": 1 + "scopes": [ + { + "arg": -1, + "loc": 1 + } + ] }, { "name": "func_bar", "file": "functions.c", "is_static": true, - "loc": 1, - "calls": [ - "func_foo" + "scopes": [ + { + "arg": -1, + "loc": 1, + "calls": [ + "func_foo" + ] + } ] }, { "name": "func_baz", "file": "functions.c", - "loc": 8, - "calls": [ - "func_foo", - "func_bar", - "from_kuid", - "alloc_fd" - ], - "facts": [ + "scopes": [ { - "src": { - "return": { - "func": "from_kuid" + "arg": -1, + "loc": 8, + "calls": [ + "func_foo", + "func_bar", + "func_bar", + "from_kuid", + "alloc_fd" + ], + "facts": [ + { + "src": { + "return": { + "func": "from_kuid" + } + }, + "dst": 
{ + "return": { + "func": "func_baz" + } + } + }, + { + "src": { + "return": { + "func": "alloc_fd" + } + }, + "dst": { + "return": { + "func": "func_baz" + } + } } - }, - "dst": { - "return": { - "func": "func_baz" - } - } - }, - { - "src": { - "return": { - "func": "alloc_fd" - } - }, - "dst": { - "return": { - "func": "func_baz" - } - } + ] } ] }, { "name": "func_foo", "file": "functions.c", - "is_static": true + "is_static": true, + "scopes": [ + { + "arg": -1 + } + ] }, { "name": "func_qux", "file": "functions.c", - "loc": 2, - "calls": [ - "alloc_fd" - ], - "facts": [ + "scopes": [ { - "src": { - "return": { - "func": "alloc_fd" + "arg": -1, + "loc": 2, + "calls": [ + "alloc_fd" + ], + "facts": [ + { + "src": { + "return": { + "func": "alloc_fd" + } + }, + "dst": { + "local": { + "name": "fd" + } + } + }, + { + "src": { + "local": { + "name": "fd" + } + }, + "dst": { + "return": { + "func": "func_qux" + } + } } - }, - "dst": { - "local": { - "name": "fd" - } - } - }, - { - "src": { - "local": { - "name": "fd" - } - }, - "dst": { - "return": { - "func": "func_qux" - } - } + ] } ] }, { "name": "typing", "file": "functions.c", - "loc": 5, - "calls": [ - "typing1" - ], - "facts": [ - { - "src": { - "argument": { - "func": "typing", - "arg": 1 - } - }, - "dst": { - "argument": { - "func": "typing1", - "arg": 0 - } - } - }, - { - "src": { - "field": { - "struct": "Typed", - "field": "a" - } - }, - "dst": { - "argument": { - "func": "typing1", - "arg": 1 - } - } - }, - { - "src": { - "field": { - "struct": "Typed", - "field": "b" - } - }, - "dst": { - "field": { - "struct": "Typed", - "field": "a" - } - } - }, - { - "src": { - "local": { - "name": "l" - } - }, - "dst": { - "field": { - "struct": "Typed", - "field": "c" - } - } - }, + "scopes": [ { - "src": { - "return": { - "func": "typing1" + "arg": -1, + "loc": 5, + "calls": [ + "typing1" + ], + "facts": [ + { + "src": { + "field": { + "struct": "Typed", + "field": "b" + } + }, + "dst": { + "field": { + "struct": 
"Typed", + "field": "a" + } + } + }, + { + "src": { + "return": { + "func": "typing1" + } + }, + "dst": { + "local": { + "name": "l" + } + } + }, + { + "src": { + "argument": { + "func": "typing", + "arg": 1 + } + }, + "dst": { + "argument": { + "func": "typing1", + "arg": 0 + } + } + }, + { + "src": { + "field": { + "struct": "Typed", + "field": "a" + } + }, + "dst": { + "argument": { + "func": "typing1", + "arg": 1 + } + } + }, + { + "src": { + "local": { + "name": "l" + } + }, + "dst": { + "field": { + "struct": "Typed", + "field": "c" + } + } + }, + { + "src": { + "local": { + "name": "l" + } + }, + "dst": { + "return": { + "func": "typing" + } + } } - }, - "dst": { - "local": { - "name": "l" - } - } - }, - { - "src": { - "local": { - "name": "l" - } - }, - "dst": { - "return": { - "func": "typing" - } - } + ] } ] }, { "name": "typing1", "file": "functions.c", - "loc": 1, - "facts": [ + "scopes": [ { - "src": { - "argument": { - "func": "typing1", - "arg": 0 + "arg": -1, + "loc": 1, + "facts": [ + { + "src": { + "argument": { + "func": "typing1", + "arg": 0 + } + }, + "dst": { + "return": { + "func": "typing1" + } + } } - }, - "dst": { - "return": { - "func": "typing1" - } - } + ] } ] } |
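Review bot: In the `func_baz` scope the new `calls` list contains `func_bar` twice, whereas the removed top-level list had it once and `loc` is still 8. From this file alone it is not clear whether the extractor now deliberately records one entry per call site or whether de-duplication was lost when `calls` moved under `scopes`. If consumers treat `calls` as a set, the list should be de-duplicated per scope before it is emitted; otherwise the per-call-site meaning deserves a sentence where the output format is documented. Every scope in this golden file also carries `"arg": -1`, presumably meaning "not tied to any argument", and a short comment on the scope type stating that would save readers from guessing.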
