tools/syz-declextract: support function scopes

Extract info about function scopes formed by switch'es on function arguments.
For example if we have:

void foo(..., int cmd, ...)
{
  ...
  switch (cmd) {
  case FOO:
    ... block 1 ...
  case BAR:
    ... block 2 ...
  }
  ...
}

We record that any data flow within block 1 is only relevant
when foo's arg cmd has value FOO, similarly for block 2 and BAR.

This allows to do 3 things:
1. Locate ioctl commands that are switched on within transitively
   called functions.
2. Infer return value for each ioctl command.
3. Infer argument type when it's not specified in _IO macro.

This will also allow to infer other multiplexed syscalls.

Descriptions generated on Linux commit c4b9570cfb63501.

2 files changed, 10 insertions, 1 deletions

diff --git a/tools/syz-declextract/testdata/include/fs.h b/tools/syz-declextract/testdata/include/fs.h
index a5c838595..33782d1ee 100644
--- a/tools/syz-declextract/testdata/include/fs.h
+++ b/tools/syz-declextract/testdata/include/fs.h
@@ -7,6 +7,11 @@ struct file_operations {
 	void (*write)(void);
 	void (*read_iter)(void);
 	void (*write_iter)(void);
-	void (*unlocked_ioctl)(unsigned int);
+	void (*unlocked_ioctl)(void*, unsigned int, unsigned long);
 	void (*mmap)(void);
 };
+
+int alloc_fd();
+void __fget_light(int fd);
+int from_kuid();
+
diff --git a/tools/syz-declextract/testdata/include/uapi/file_operations.h b/tools/syz-declextract/testdata/include/uapi/file_operations.h
index 6a2a8d259..f81d6886d 100644
--- a/tools/syz-declextract/testdata/include/uapi/file_operations.h
+++ b/tools/syz-declextract/testdata/include/uapi/file_operations.h
@@ -8,6 +8,10 @@
 #define FOO_IOCTL3		_IOR('c', 3, struct foo_ioctl_arg)
 #define FOO_IOCTL4		_IOW('c', 4, struct foo_ioctl_arg)
 #define FOO_IOCTL5		_IOWR('c', 5, struct foo_ioctl_arg)
+#define FOO_IOCTL6		_IO('c', 6)
+#define FOO_IOCTL7		_IO('c', 7)
+#define FOO_IOCTL8		_IO('c', 8)
+#define FOO_IOCTL9		_IO('c', 9)
 
 struct foo_ioctl_arg {
 	int a, b;