From 8aaf5d60aa0b3ddb05e117f52c0e30ec246b7aad Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Fri, 17 Jan 2025 10:39:49 +0100 Subject: tools/syz-declextract: support function scopes Extract info about function scopes formed by switch'es on function arguments. For example if we have: void foo(..., int cmd, ...) { ... switch (cmd) { case FOO: ... block 1 ... case BAR: ... block 2 ... } ... } We record that any data flow within block 1 is only relevant when foo's arg cmd has value FOO, similarly for block 2 and BAR. This allows to do 3 things: 1. Locate ioctl commands that are switched on within transitively called functions. 2. Infer return value for each ioctl command. 3. Infer argument type when it's not specified in _IO macro. This will also allow to infer other multiplexed syscalls. Descriptions generated on Linux commit c4b9570cfb63501. --- tools/syz-declextract/testdata/syscall.c.json | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'tools/syz-declextract/testdata/syscall.c.json')
diff --git a/tools/syz-declextract/testdata/syscall.c.json b/tools/syz-declextract/testdata/syscall.c.json
index 735ac7dc9..4e466a3ae 100644
--- a/tools/syz-declextract/testdata/syscall.c.json
+++ b/tools/syz-declextract/testdata/syscall.c.json
@@ -3,12 +3,22 @@
 {
 "name": "__do_sys_chmod",
 "file": "syscall.c",
- "loc": 1
+ "scopes": [
+ {
+ "arg": -1,
+ "loc": 1
+ }
+ ]
 },
 {
 "name": "__do_sys_open",
 "file": "syscall.c",
- "loc": 1
+ "scopes": [
+ {
+ "arg": -1,
+ "loc": 1
+ }
+ ]
 }
 ],
 "syscalls": [
-- cgit mrf-deployment