--- a/manifest	Wed Nov 20 15:03:31 2019 +0000
+++ b/manifest	Thu Nov 21 12:33:13 2019 +0000
@@ -15601,6 +15601,7 @@
 f usr/share/man/man3ext/efi_alloc_and_init.3ext 0444 root bin
 s usr/share/man/man3ext/efi_alloc_and_read.3ext=efi_alloc_and_init.3ext
 s usr/share/man/man3ext/efi_free.3ext=efi_alloc_and_init.3ext
+s usr/share/man/man3ext/efi_reserved_sectors.3ext=efi_alloc_and_init.3ext
 s usr/share/man/man3ext/efi_use_whole_disk.3ext=efi_alloc_and_init.3ext
 s usr/share/man/man3ext/efi_write.3ext=efi_alloc_and_init.3ext
 s usr/share/man/man3ext/encrypt.3ext=crypt.3ext

--- a/usr/src/boot/Makefile.version	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/boot/Makefile.version	Thu Nov 21 12:33:13 2019 +0000
@@ -33,4 +33,4 @@
 # Use date like formatting here, YYYY.MM.DD.XX, without leading zeroes.
 # The version is processed from left to right, the version number can only
 # be increased.
-BOOT_VERSION = $(LOADER_VERSION)-2019.11.06.1
+BOOT_VERSION = $(LOADER_VERSION)-2019.11.15.1

--- a/usr/src/boot/sys/boot/common/tem.c	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/boot/sys/boot/common/tem.c	Thu Nov 21 12:33:13 2019 +0000
@@ -2815,23 +2815,22 @@
 static void
 tem_get_color(text_color_t *fg, text_color_t *bg, term_char_t c)
 {
-	if (c.tc_fg_color < 16) {
+	*fg = c.tc_fg_color;
+	*bg = c.tc_bg_color;
+
+	if (c.tc_fg_color < XLATE_NCOLORS) {
 		if (TEM_CHAR_ATTR(c.tc_char) &
 		    (TEM_ATTR_BRIGHT_FG | TEM_ATTR_BOLD))
 			*fg = brt_xlate[c.tc_fg_color];
 		else
 			*fg = dim_xlate[c.tc_fg_color];
-	} else {
-		*fg = c.tc_fg_color;
 	}
 
-	if (c.tc_bg_color < 16) {
+	if (c.tc_bg_color < XLATE_NCOLORS) {
 		if (TEM_CHAR_ATTR(c.tc_char) & TEM_ATTR_BRIGHT_BG)
 			*bg = brt_xlate[c.tc_bg_color];
 		else
 			*bg = dim_xlate[c.tc_bg_color];
-	} else {
-		*bg = c.tc_bg_color;
 	}
 }
 

--- a/usr/src/cmd/auditreduce/Makefile	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/cmd/auditreduce/Makefile	Thu Nov 21 12:33:13 2019 +0000
@@ -24,7 +24,7 @@
 # Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
-# Copyright (c) 2018, Joyent, Inc.
+# Copyright 2019 Joyent, Inc.
 
 TABLEDIR = ../praudit
 
@@ -44,8 +44,8 @@
 CERRWARN += $(CNOWARN_UNINIT)
 CERRWARN += -_gcc=-Wno-parentheses
 
-# false positives / need cleanup
-SMOFF += indenting,no_if_block,strcpy_overflow
+# false positive
+SMOFF += strcpy_overflow
 
 .KEEP_STATE:
 

--- a/usr/src/cmd/auditreduce/main.c	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/cmd/auditreduce/main.c	Thu Nov 21 12:33:13 2019 +0000
@@ -25,6 +25,10 @@
  */
 
 /*
+ * Copyright 2019 Joyent, Inc.
+ */
+
+/*
  * The Secure SunOS audit reduction tool - auditreduce.
  * Document SM0071 is the primary source of information on auditreduce.
  *
@@ -247,11 +251,13 @@
 			 * Convert descriptors to streams.
 			 */
 			if ((pcbn->pcb_fpr = fdopen(fildes[0], "r")) == NULL) {
-	perror(gettext("auditreduce: couldn't get read stream for pipe"));
+				perror(gettext("auditreduce: couldn't get read "
+				    "stream for pipe"));
 				return (-1);
 			}
 			if ((pcbn->pcb_fpw = fdopen(fildes[1], "w")) == NULL) {
-	perror(gettext("auditreduce: couldn't get write stream for pipe"));
+				perror(gettext("auditreduce: couldn't get "
+				    "write stream for pipe"));
 				return (-1);
 			}
 			if ((procno = fork()) == -1) {
@@ -400,8 +406,10 @@
 	for (j = 0; j <= i; j++) {
 		pcbt = &pcb->pcb_below[j];
 		if (fclose(pcbt->pcb_fpr) == EOF) {
-			if (!f_quiet)
-		perror(gettext("auditreduce: initial close on pipe failed"));
+			if (!f_quiet) {
+				perror(gettext("auditreduce: initial close "
+				    "on pipe failed"));
+			}
 		}
 		/*
 		 * Free the buffer allocated to hold incoming records.
@@ -426,8 +434,10 @@
 p_close(audit_pcb_t *pcbn)
 {
 	if (fclose(pcbn->pcb_fpw) == EOF) {
-		if (!f_quiet)
-		perror(gettext("auditreduce: close for write pipe failed"));
+		if (!f_quiet) {
+			perror(gettext("auditreduce: close for write "
+			    "pipe failed"));
+		}
 	}
 }
 

--- a/usr/src/common/font/font.c	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/common/font/font.c	Thu Nov 21 12:33:13 2019 +0000
@@ -48,9 +48,9 @@
 
 /* ANSI color to sun color translation. */
 /* BEGIN CSTYLED */
-/*                            Bk  Rd  Gr  Br  Bl  Mg  Cy  Wh */
-const uint8_t dim_xlate[] = {  1,  5,  3,  7,  2,  6,  4,  8 };
-const uint8_t brt_xlate[] = {  9, 13, 11, 15, 10, 14, 12,  0 };
+/*                                         Bk  Rd  Gr  Br  Bl  Mg  Cy  Wh */
+const uint8_t dim_xlate[XLATE_NCOLORS] = {  1,  5,  3,  7,  2,  6,  4,  8 };
+const uint8_t brt_xlate[XLATE_NCOLORS] = {  9, 13, 11, 15, 10, 14, 12,  0 };
 
 const uint8_t solaris_color_to_pc_color[16] = {
 	pc_brt_white,		/*  0 - brt_white	*/

--- a/usr/src/lib/libefi/common/mapfile-vers	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/lib/libefi/common/mapfile-vers	Thu Nov 21 12:33:13 2019 +0000
@@ -38,6 +38,11 @@
 
 $mapfile_version 2
 
+SYMBOL_VERSION ILLUMOS_0.1 {
+    global:
+	efi_reserved_sectors;
+} SUNW_1.2;
+
 SYMBOL_VERSION SUNW_1.2 {
     global:
 	efi_use_whole_disk;

--- a/usr/src/lib/libefi/common/rdwr_efi.c	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/lib/libefi/common/rdwr_efi.c	Thu Nov 21 12:33:13 2019 +0000
@@ -240,6 +240,19 @@
 #define	MAX_PARTS	((4294967295UL - sizeof (struct dk_gpt)) / \
 			    sizeof (struct dk_part))
 
+/*
+ * The EFI reserved partition size is 8 MiB. This calculates the number of
+ * sectors required to store 8 MiB, taking into account the device's sector
+ * size.
+ */
+uint_t
+efi_reserved_sectors(dk_gpt_t *efi)
+{
+	/* roundup to sector size */
+	return ((EFI_MIN_RESV_SIZE * DEV_BSIZE + efi->efi_lbasize - 1) /
+	    efi->efi_lbasize);
+}
+
 int
 efi_alloc_and_init(int fd, uint32_t nparts, struct dk_gpt **vtoc)
 {
@@ -1013,7 +1026,7 @@
 	 * physically non-zero partition.
 	 */
 	if (pl_start + pl_size - 1 == efi_label->efi_last_u_lba -
-	    EFI_MIN_RESV_SIZE) {
+	    efi_reserved_sectors(efi_label)) {
 		efi_label->efi_parts[phy_last_slice].p_size +=
 		    efi_label->efi_last_lba - efi_label->efi_altern_lba;
 	}
@@ -1270,10 +1283,12 @@
 	int			i, j;
 	diskaddr_t		istart, jstart, isize, jsize, endsect;
 	int			overlap = 0;
+	uint_t			reserved;
 
 	/*
 	 * make sure no partitions overlap
 	 */
+	reserved = efi_reserved_sectors(vtoc);
 	for (i = 0; i < vtoc->efi_nparts; i++) {
 		/* It can't be unassigned and have an actual size */
 		if ((vtoc->efi_parts[i].p_tag == V_UNASSIGNED) &&
@@ -1292,10 +1307,10 @@
 				    "%d\n", i);
 			}
 			resv_part = i;
-			if (vtoc->efi_parts[i].p_size != EFI_MIN_RESV_SIZE)
+			if (vtoc->efi_parts[i].p_size != reserved)
 				(void) fprintf(stderr,
 				    "Warning: reserved partition size must "
-				    "be %d sectors\n", EFI_MIN_RESV_SIZE);
+				    "be %u sectors\n", reserved);
 		}
 		if ((vtoc->efi_parts[i].p_start < vtoc->efi_first_u_lba) ||
 		    (vtoc->efi_parts[i].p_start > vtoc->efi_last_u_lba)) {

--- a/usr/src/lib/libproc/common/Psymtab.c	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/lib/libproc/common/Psymtab.c	Thu Nov 21 12:33:13 2019 +0000
@@ -3355,7 +3355,7 @@
     const char *object_name, int which, int mask, proc_sym_f *func, void *cd)
 {
 	return (Psymbol_iter_com(P, lmid, object_name, which, mask,
-	    PRO_NATURAL, (proc_xsym_f *)func, cd));
+	    PRO_NATURAL, (proc_xsym_f *)(uintptr_t)func, cd));
 }
 
 int
@@ -3363,7 +3363,7 @@
     const char *object_name, int which, int mask, proc_sym_f *func, void *cd)
 {
 	return (Psymbol_iter_com(P, PR_LMID_EVERY, object_name, which, mask,
-	    PRO_NATURAL, (proc_xsym_f *)func, cd));
+	    PRO_NATURAL, (proc_xsym_f *)(uintptr_t)func, cd));
 }
 
 int
@@ -3371,7 +3371,7 @@
     const char *object_name, int which, int mask, proc_sym_f *func, void *cd)
 {
 	return (Psymbol_iter_com(P, PR_LMID_EVERY, object_name, which, mask,
-	    PRO_BYADDR, (proc_xsym_f *)func, cd));
+	    PRO_BYADDR, (proc_xsym_f *)(uintptr_t)func, cd));
 }
 
 int
@@ -3379,7 +3379,7 @@
     const char *object_name, int which, int mask, proc_sym_f *func, void *cd)
 {
 	return (Psymbol_iter_com(P, PR_LMID_EVERY, object_name, which, mask,
-	    PRO_BYNAME, (proc_xsym_f *)func, cd));
+	    PRO_BYNAME, (proc_xsym_f *)(uintptr_t)func, cd));
 }
 
 /*

--- a/usr/src/lib/udapl/libdat/Makefile.com	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/lib/udapl/libdat/Makefile.com	Thu Nov 21 12:33:13 2019 +0000
@@ -22,6 +22,8 @@
 # Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
+# Copyright 2019 Joyent, Inc.
+#
 
 LIBRARY=	libdat.a
 VERS=		.1
@@ -40,19 +42,19 @@
 
 include ../../../Makefile.lib
 
-LIBS =	$(DYNLIB) $(LINTLIB)
+LIBS =	$(DYNLIB)
 LDLIBS += -lc
 
 SRCDIR =	../common
 
 CPPFLAGS +=     -I../include
 CFLAGS +=	$(CCVERBOSE)
-LINTFLAGS +=	-DDEBUG
-LINTFLAGS64 +=	-DDEBUG
-$(LINTLIB):=	SRCS = $(SRCDIR)/$(LINTSRC)
 
 CERRWARN +=	-_gcc=-Wno-type-limits
 
+# false positive
+SMOFF += signed
+
 $(NOT_RELEASE_BUILD)CPPFLAGS += -DDEBUG
 
 .KEEP_STATE:
@@ -61,6 +63,4 @@
 
 debug: all
 
-lint: lintcheck
-
 include ../../../Makefile.targ

--- a/usr/src/man/man3ext/Makefile	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/man/man3ext/Makefile	Thu Nov 21 12:33:13 2019 +0000
@@ -16,28 +16,28 @@
 
 include		$(SRC)/Makefile.master
 
-MANSECT= 	3ext
+MANSECT=	3ext
 
-MANFILES= 	NOTE.3ext			\
-	 	SUNW_C_GetMechSession.3ext	\
-	 	auto_ef.3ext			\
-	 	crypt.3ext			\
-	 	demangle.3ext			\
-	 	ecb_crypt.3ext			\
-	 	efi_alloc_and_init.3ext		\
-	 	ld_support.3ext			\
-	 	md4.3ext			\
-	 	md5.3ext			\
-	 	read_vtoc.3ext			\
-	 	rtld_audit.3ext			\
-	 	rtld_db.3ext			\
-	 	sendfile.3ext			\
-	 	sendfilev.3ext			\
-	 	sha1.3ext			\
-	 	sha2.3ext			\
-	 	stdarg.3ext			\
-	 	tsalarm_get.3ext		\
-	 	varargs.3ext
+MANFILES=	NOTE.3ext			\
+		SUNW_C_GetMechSession.3ext	\
+		auto_ef.3ext			\
+		crypt.3ext			\
+		demangle.3ext			\
+		ecb_crypt.3ext			\
+		efi_alloc_and_init.3ext		\
+		ld_support.3ext			\
+		md4.3ext			\
+		md5.3ext			\
+		read_vtoc.3ext			\
+		rtld_audit.3ext			\
+		rtld_db.3ext			\
+		sendfile.3ext			\
+		sendfilev.3ext			\
+		sha1.3ext			\
+		sha2.3ext			\
+		stdarg.3ext			\
+		tsalarm_get.3ext		\
+		varargs.3ext
 
 MANLINKS=	DES_FAILED.3ext			\
 		MD4Final.3ext			\
@@ -77,6 +77,7 @@
 		des_setparity.3ext		\
 		efi_alloc_and_read.3ext		\
 		efi_free.3ext			\
+		efi_reserved_sectors.3ext	\
 		efi_use_whole_disk.3ext		\
 		efi_write.3ext			\
 		encrypt.3ext			\
@@ -154,6 +155,7 @@
 
 efi_alloc_and_read.3ext		:= LINKSRC = efi_alloc_and_init.3ext
 efi_free.3ext			:= LINKSRC = efi_alloc_and_init.3ext
+efi_reserved_sectors.3ext	:= LINKSRC = efi_alloc_and_init.3ext
 efi_use_whole_disk.3ext		:= LINKSRC = efi_alloc_and_init.3ext
 efi_write.3ext			:= LINKSRC = efi_alloc_and_init.3ext
 

--- a/usr/src/man/man3ext/efi_alloc_and_init.3ext	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/man/man3ext/efi_alloc_and_init.3ext	Thu Nov 21 12:33:13 2019 +0000
@@ -4,12 +4,11 @@
 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH EFI_ALLOC_AND_INIT 3EXT "February 6, 2018"
+.TH EFI_ALLOC_AND_INIT 3EXT "November 20, 2019"
 .SH NAME
-efi_alloc_and_init, efi_alloc_and_read, efi_free, efi_write, efi_use_whole_disk
-\- manipulate a disk's EFI Partition Table
+efi_alloc_and_init, efi_alloc_and_read, efi_free, efi_write, efi_use_whole_disk,
+efi_reserved_sectors \- manipulate a disk's EFI Partition Table
 .SH SYNOPSIS
-.LP
 .nf
 cc [ \fIflag \&.\|.\|.\fR ] \fIfile\fR\&.\|.\|. \fB-lefi\fR [ \fIlibrary \&.\|.\|.\fR ]
 #include <sys/vtoc.h>
@@ -38,8 +37,12 @@
 \fBint\fR \fBefi_use_whole_disk\fR(\fBint\fR \fIfd\fR);
 .fi
 
+.LP
+.nf
+\fBuint_t\fR \fBefi_reserved_sectors\fR(\fBdk_gpt_t *\fR\fIvtoc\fR);
+.fi
+
 .SH DESCRIPTION
-.LP
 The \fBefi_alloc_and_init()\fR function initializes the \fBdk_gpt_t\fR
 structure specified by \fIvtoc\fR in preparation for a call to
 \fBefi_write()\fR. It calculates and initializes the \fBefi_version\fR,
@@ -65,6 +68,14 @@
 reserved slice (from slice 0 to slice 6 or unallocated space).
 .sp
 .LP
+The \fBefi_reserved_sectors()\fR function calculates number of sectors
+needed to create the reserved partition. The reserved partition is used
+by the operating system for internal purposes. The sector size used is
+based on the device and is recorded in the \fBefi_lbasize\fR member of
+the \fBdkgpt_t\fR structure indicated by the \fIvtoc\fR argument.
+A full description of the \fBdk_gpt_t\fR structure appears later in the manual.
+.sp
+.LP
 The \fIfd\fR argument refers to any slice on a raw disk, opened with
 \fBO_NDELAY\fR. See \fBopen\fR(2).
 .sp
@@ -88,7 +99,6 @@
 .in -2
 
 .SS "Protective Master Boot Record"
-.LP
 When a disk receives an EFI label, a protective MBR (\fBPMBR\fR) is also
 written containing a single partiton of type \fBEEh\fR and spanning the
 entire disk (up to the limit of what can be represented in an MBR). By
@@ -100,7 +110,6 @@
 information.
 
 .SH RETURN VALUES
-.LP
 Upon successful completion, \fBefi_alloc_and_init()\fR returns 0. Otherwise it
 returns \fBVT_EIO\fR if an I/O operation to the disk fails.
 .sp
@@ -137,6 +146,11 @@
 
 .sp
 .LP
+The \fBefi_reserved_sectors()\fR function always returns the number of
+reserved sectors required. It will always succeed.
+
+.sp
+.LP
 Upon successful completion, \fBefi_write()\fR returns 0. Otherwise, it returns
 a negative integer to indicate one of the following:
 .sp
@@ -207,14 +221,12 @@
 .RE
 
 .SH USAGE
-.LP
 The EFI label is used on disks with more than 1^32-1 blocks. For compatibility
 reasons, the \fBread_vtoc\fR(3EXT) and \fBwrite_vtoc()\fR functions should be
 used on smaller disks. The application should attempt the \fBread_vtoc()\fR or
 \fBwrite_vtoc()\fR call, check for an error of \fBVT_ENOTSUP\fR, then call the
 analogous EFI function.
 .SH ATTRIBUTES
-.LP
 See \fBattributes\fR(5) for descriptions of the following attributes:
 .sp
 
@@ -231,7 +243,6 @@
 .TE
 
 .SH SEE ALSO
-.LP
 \fBfmthard\fR(1M), \fBformat\fR(1M), \fBprtvtoc\fR(1M), \fBioctl\fR(2),
 \fBopen\fR(2), \fBlibefi\fR(3LIB), \fBread_vtoc\fR(3EXT), \fBattributes\fR(5),
 \fBdkio\fR(7I)

--- a/usr/src/man/man3lib/libefi.3lib	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/man/man3lib/libefi.3lib	Thu Nov 21 12:33:13 2019 +0000
@@ -3,22 +3,17 @@
 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH LIBEFI 3LIB "May 8, 2008"
+.TH LIBEFI 3LIB "November 20, 2019"
 .SH NAME
 libefi \- EFI partition table library
 .SH SYNOPSIS
-.LP
 .nf
 cc [ \fIflag\fR... ] \fIfile\fR... \fB-lefi\fR [ \fIlibrary\fR... ]
 .fi
 
 .SH DESCRIPTION
-.sp
-.LP
 The functions in this library manipulate a disk's EFI partition table.
 .SH INTERFACES
-.sp
-.LP
 The shared object \fBlibefi.so.1\fR provides the public interfaces defined
 below. See \fBIntro\fR(3) for additional information on shared object
 interfaces.
@@ -29,12 +24,11 @@
 l l
 l l .
 \fBefi_alloc_and_init\fR	\fBefi_alloc_and_read\fR
-\fBefi_free\fR	\fBefi_use_whole_disk\fR
-\fBefi_write\fR	
+\fBefi_free\fR	\fBefi_reserved_sectors\fR
+\fBefi_use_whole_disk\fR	\fBefi_write\fR
 .TE
 
 .SH FILES
-.sp
 .ne 2
 .na
 \fB\fB/lib/libefi.so.1\fR\fR
@@ -53,8 +47,6 @@
 .RE
 
 .SH ATTRIBUTES
-.sp
-.LP
 See \fBattributes\fR(5) for descriptions of the following attributes:
 .sp
 
@@ -71,6 +63,4 @@
 .TE
 
 .SH SEE ALSO
-.sp
-.LP
 \fBIntro\fR(3), \fBefi_alloc_and_init\fR(3EXT), \fBattributes\fR(5)

--- a/usr/src/pkg/manifests/system-library.man3ext.inc	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/pkg/manifests/system-library.man3ext.inc	Thu Nov 21 12:33:13 2019 +0000
@@ -74,6 +74,8 @@
 link path=usr/share/man/man3ext/efi_alloc_and_read.3ext \
     target=efi_alloc_and_init.3ext
 link path=usr/share/man/man3ext/efi_free.3ext target=efi_alloc_and_init.3ext
+link path=usr/share/man/man3ext/efi_reserved_sectors.3ext \
+    target=efi_alloc_and_init.3ext
 link path=usr/share/man/man3ext/efi_use_whole_disk.3ext \
     target=efi_alloc_and_init.3ext
 link path=usr/share/man/man3ext/efi_write.3ext target=efi_alloc_and_init.3ext

--- a/usr/src/test/libc-tests/runfiles/default.run	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/test/libc-tests/runfiles/default.run	Thu Nov 21 12:33:13 2019 +0000
@@ -12,14 +12,14 @@
 #
 # Copyright (c) 2012 by Delphix. All rights reserved.
 # Copyright 2014 Garrett D'Amore <garrett@damore.org>
-# Copyright 2018 Joyent, Inc.
+# Copyright 2019 Joyent, Inc.
 #
 
 [DEFAULT]
 pre =
 verbose = False
 quiet = False
-timeout = 60
+timeout = 120
 post =
 outputdir = /var/tmp/test_results
 

--- a/usr/src/tools/smatch/Makefile	Wed Nov 20 15:03:31 2019 +0000
+++ b/usr/src/tools/smatch/Makefile	Thu Nov 21 12:33:13 2019 +0000
@@ -13,14 +13,14 @@
 
 #
 # The src/ sub-directory is un-modified copy of
-# https://github.com/illumos/smatch/tree/0.5.1-il-6
+# https://github.com/illumos/smatch/tree/$SPARSE_VERSION
 #
 # This Makefile installs just enough for us to be able to run smatch
 # locally.
 #
 
 PROG = smatch
-SPARSE_VERSION = 0.5.1-il-6
+SPARSE_VERSION = 0.6.1-rc1-il-1
 
 include ../Makefile.tools
 
@@ -60,78 +60,168 @@
 INS.file = $(RM) $@; $(CP) $< $(@D); $(CHMOD) $(FILEMODE) $@
 INS.dir = mkdir -p $@; $(CHMOD) $(DIRMODE) $@
 
+# fine for us
+OS=linux
+
+LIB_OBJS =
+LIB_OBJS += allocate.o
+LIB_OBJS += builtin.o
+LIB_OBJS += char.o
+LIB_OBJS += compat-$(OS).o
+LIB_OBJS += cse.o
+LIB_OBJS += dissect.o
+LIB_OBJS += dominate.o
+LIB_OBJS += evaluate.o
+LIB_OBJS += expand.o
+LIB_OBJS += expression.o
+LIB_OBJS += flow.o
+LIB_OBJS += flowgraph.o
+LIB_OBJS += inline.o
+LIB_OBJS += ir.o
+LIB_OBJS += lib.o
+LIB_OBJS += linearize.o
+LIB_OBJS += liveness.o
+LIB_OBJS += memops.o
+LIB_OBJS += opcode.o
+LIB_OBJS += optimize.o
+LIB_OBJS += parse.o
+LIB_OBJS += pre-process.o
+LIB_OBJS += ptrlist.o
+LIB_OBJS += ptrmap.o
+LIB_OBJS += scope.o
+LIB_OBJS += show-parse.o
+LIB_OBJS += simplify.o
+LIB_OBJS += sort.o
+LIB_OBJS += ssa.o
+LIB_OBJS += sset.o
+LIB_OBJS += stats.o
+LIB_OBJS += storage.o
+LIB_OBJS += symbol.o
+LIB_OBJS += target.o
+LIB_OBJS += tokenize.o
+LIB_OBJS += unssa.o
+LIB_OBJS += utils.o
+LIB_OBJS += macro_table.o
+LIB_OBJS += token_store.o
+LIB_OBJS += hashtable.o
+
+SMATCH_OBJS =
+SMATCH_OBJS += avl.o
+SMATCH_OBJS += smatch_about_fn_ptr_arg.o
+SMATCH_OBJS += smatch_address.o
+SMATCH_OBJS += smatch_annotate.o
+SMATCH_OBJS += smatch_array_values.o
+SMATCH_OBJS += smatch_assigned_expr.o
+SMATCH_OBJS += smatch_bits.o
+SMATCH_OBJS += smatch_buf_comparison.o
+SMATCH_OBJS += smatch_buf_size.o
+SMATCH_OBJS += smatch_capped.o
+SMATCH_OBJS += smatch_common_functions.o
+SMATCH_OBJS += smatch_comparison.o
+SMATCH_OBJS += smatch_conditions.o
+SMATCH_OBJS += smatch_constraints.o
+SMATCH_OBJS += smatch_constraints_required.o
+SMATCH_OBJS += smatch_container_of.o
+SMATCH_OBJS += smatch_data_source.o
+SMATCH_OBJS += smatch_db.o
+SMATCH_OBJS += smatch_equiv.o
+SMATCH_OBJS += smatch_estate.o
+SMATCH_OBJS += smatch_expressions.o
+SMATCH_OBJS += smatch_expression_stacks.o
+SMATCH_OBJS += smatch_extra.o
+SMATCH_OBJS += smatch_files.o
+SMATCH_OBJS += smatch_flow.o
+SMATCH_OBJS += smatch_fn_arg_link.o
+SMATCH_OBJS += smatch_function_hooks.o
+SMATCH_OBJS += smatch_function_info.o
+SMATCH_OBJS += smatch_function_ptrs.o
+SMATCH_OBJS += smatch_helper.o
+SMATCH_OBJS += smatch_hooks.o
+SMATCH_OBJS += smatch_ignore.o
+SMATCH_OBJS += smatch_imaginary_absolute.o
+SMATCH_OBJS += smatch_implied.o
+SMATCH_OBJS += smatch_impossible.o
+SMATCH_OBJS += smatch_integer_overflow.o
+SMATCH_OBJS += smatch_kernel_user_data.o
+SMATCH_OBJS += smatch_links.o
+SMATCH_OBJS += smatch_math.o
+SMATCH_OBJS += smatch_mem_tracker.o
+SMATCH_OBJS += smatch_modification_hooks.o
+SMATCH_OBJS += smatch_mtag_data.o
+SMATCH_OBJS += smatch_mtag_map.o
+SMATCH_OBJS += smatch_mtag.o
+SMATCH_OBJS += smatch_nul_terminator.o
+SMATCH_OBJS += smatch_param_cleared.o
+SMATCH_OBJS += smatch_param_compare_limit.o
+SMATCH_OBJS += smatch_parameter_names.o
+SMATCH_OBJS += smatch_param_filter.o
+SMATCH_OBJS += smatch_param_limit.o
+SMATCH_OBJS += smatch_param_set.o
+SMATCH_OBJS += smatch_param_to_mtag_data.o
+SMATCH_OBJS += smatch_param_used.o
+SMATCH_OBJS += smatch_parse_call_math.o
+SMATCH_OBJS += smatch_passes_array_size.o
+SMATCH_OBJS += smatch_project.o
+SMATCH_OBJS += smatch_ranges.o
+SMATCH_OBJS += smatch_real_absolute.o
+SMATCH_OBJS += smatch_recurse.o
+SMATCH_OBJS += smatch_returns.o
+SMATCH_OBJS += smatch_return_to_param.o
+SMATCH_OBJS += smatch_scope.o
+SMATCH_OBJS += smatch_slist.o
+SMATCH_OBJS += smatch_start_states.o
+SMATCH_OBJS += smatch_statement_count.o
+SMATCH_OBJS += smatch_states.o
+SMATCH_OBJS += smatch_stored_conditions.o
+SMATCH_OBJS += smatch_string_list.o
+SMATCH_OBJS += smatch_strings.o
+SMATCH_OBJS += smatch_strlen.o
+SMATCH_OBJS += smatch_struct_assignment.o
+SMATCH_OBJS += smatch_sval.o
+SMATCH_OBJS += smatch_tracker.o
+SMATCH_OBJS += smatch_type_links.o
+SMATCH_OBJS += smatch_type.o
+SMATCH_OBJS += smatch_type_val.o
+SMATCH_OBJS += smatch_unknown_value.o
+SMATCH_OBJS += smatch_untracked_param.o
+SMATCH_OBJS += smatch_var_sym.o
+
 SMATCH_CHECK_OBJS:sh=ls src/check_*.c | sed -e 's+\.c+.o+;s+src/++;'
 
-OBJS = smatch.o $(SMATCH_CHECK_OBJS)
-
-OBJS += smatch_flow.o smatch_conditions.o smatch_slist.o smatch_states.o \
-	smatch_helper.o smatch_type.o smatch_hooks.o smatch_function_hooks.o \
-	smatch_modification_hooks.o smatch_extra.o smatch_estate.o smatch_math.o \
-	smatch_sval.o smatch_ranges.o smatch_implied.o smatch_ignore.o smatch_project.o \
-	smatch_var_sym.o smatch_tracker.o smatch_files.o smatch_expression_stacks.o \
-	smatch_equiv.o smatch_buf_size.o smatch_strlen.o smatch_capped.o smatch_db.o \
-	smatch_expressions.o smatch_returns.o smatch_parse_call_math.o \
-	smatch_param_limit.o smatch_param_filter.o \
-	smatch_param_set.o smatch_comparison.o smatch_param_compare_limit.o smatch_local_values.o \
-	smatch_function_ptrs.o smatch_annotate.o smatch_string_list.o \
-	smatch_param_cleared.o smatch_start_states.o \
-	smatch_recurse.o smatch_data_source.o smatch_type_val.o \
-	smatch_common_functions.o smatch_struct_assignment.o \
-	smatch_unknown_value.o smatch_stored_conditions.o avl.o \
-	smatch_function_info.o smatch_links.o smatch_auto_copy.o \
-	smatch_type_links.o smatch_untracked_param.o smatch_impossible.o \
-	smatch_strings.o smatch_param_used.o smatch_container_of.o smatch_address.o \
-	smatch_buf_comparison.o smatch_real_absolute.o smatch_scope.o \
-	smatch_imaginary_absolute.o smatch_parameter_names.o \
-	smatch_return_to_param.o smatch_passes_array_size.o \
-	smatch_constraints.o smatch_constraints_required.o \
-	smatch_fn_arg_link.o smatch_about_fn_ptr_arg.o smatch_mtag.o \
-	smatch_mtag_map.o smatch_mtag_data.o \
-	smatch_param_to_mtag_data.o smatch_mem_tracker.o smatch_array_values.o \
-	smatch_nul_terminator.o smatch_assigned_expr.o smatch_kernel_user_data.o \
-	smatch_statement_count.o smatch_bits.o smatch_integer_overflow.o
-
-OBJS += target.o parse.o tokenize.o pre-process.o symbol.o lib.o scope.o \
-	expression.o show-parse.o evaluate.o expand.o inline.o linearize.o \
-	char.o sort.o allocate.o compat-linux.o ptrlist.o \
-	builtin.o \
-	stats.o \
-	flow.o cse.o simplify.o memops.o liveness.o storage.o unssa.o \
-	dissect.o \
-	macro_table.o token_store.o hashtable.o
+OBJS = smatch.o $(LIB_OBJS) $(SMATCH_OBJS) $(SMATCH_CHECK_OBJS)
 
 SMATCH_DATA = \
 	illumos_kernel.skipped_functions \
 	illumos_user.skipped_functions
 
-SMATCH_DB_DATA = \
-	return_states.schema \
-	call_implies.schema \
-	type_value.schema \
-	param_map.schema \
-	function_type_size.schema \
-	parameter_name.schema \
-	fn_ptr_data_link.schema \
-	constraints.schema \
-	mtag_about.schema \
-	type_info.schema \
-	function_type_info.schema \
-	caller_info.schema \
-	function_type_value.schema \
-	return_implies.schema \
-	type_size.schema \
-	constraints_required.schema \
-	fn_data_link.schema \
-	mtag_alias.schema \
-	common_caller_info.schema \
-	data_info.schema \
-	function_type.schema \
-	db.schema \
-	mtag_data.schema \
-	function_ptr.schema \
-	sink_info.schema \
-	local_values.schema \
-	mtag_map.schema
+SMATCH_DB_DATA =
+SMATCH_DB_DATA += call_implies.schema
+SMATCH_DB_DATA += function_ptr.schema
+SMATCH_DB_DATA += mtag_map.schema
+SMATCH_DB_DATA += caller_info.schema
+SMATCH_DB_DATA += function_type.schema
+SMATCH_DB_DATA += param_map.schema
+SMATCH_DB_DATA += common_caller_info.schema
+SMATCH_DB_DATA += function_type_info.schema
+SMATCH_DB_DATA += parameter_name.schema
+SMATCH_DB_DATA += constraints.schema
+SMATCH_DB_DATA += function_type_size.schema
+SMATCH_DB_DATA += return_implies.schema
+SMATCH_DB_DATA += constraints_required.schema
+SMATCH_DB_DATA += function_type_value.schema
+SMATCH_DB_DATA += return_states.schema
+SMATCH_DB_DATA += data_info.schema
+SMATCH_DB_DATA += local_values.schema
+SMATCH_DB_DATA += sink_info.schema
+SMATCH_DB_DATA += db.schema
+SMATCH_DB_DATA += mtag_about.schema
+SMATCH_DB_DATA += type_info.schema
+SMATCH_DB_DATA += fn_data_link.schema
+SMATCH_DB_DATA += mtag_alias.schema
+SMATCH_DB_DATA += type_size.schema
+SMATCH_DB_DATA += fn_ptr_data_link.schema
+SMATCH_DB_DATA += mtag_data.schema
+SMATCH_DB_DATA += type_value.schema
 
 ROOTONBLDDATAFILES = $(SMATCH_DATA:%=$(SMATCHDATADIR)/smatch_data/%)
 ROOTONBLDDATAFILES += $(SMATCH_DB_DATA:%=$(SMATCHDATADIR)/smatch_data/db/%)

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/smatch/src/Documentation/.gitignore	Thu Nov 21 12:33:13 2019 +0000
@@ -0,0 +1,2 @@
+build
+dev-options.1

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/smatch/src/Documentation/IR.rst	Thu Nov 21 12:33:13 2019 +0000
@@ -0,0 +1,427 @@
+.. default-domain:: ir
+
+Sparse's Intermediate Representation
+====================================
+
+Instructions
+~~~~~~~~~~~~
+
+This document briefly describes which field of struct instruction is
+used by which operation.
+
+Some of those fields are used by almost all instructions,
+some others are specific to only one or a few instructions.
+The common ones are:
+
+* .src1, .src2, .src3: (pseudo_t) operands of binops or ternary ops.
+* .src: (pseudo_t) operand of unary ops (alias for .src1).
+* .target: (pseudo_t) result of unary, binary & ternary ops, is
+  sometimes used otherwise by some others instructions.
+* .cond: (pseudo_t) input operands for condition (alias .src/.src1)
+* .type: (symbol*) usually the type of .result, sometimes of the operands
+
+Terminators
+-----------
+.. op:: OP_RET
+	Return from subroutine.
+
+	* .src : returned value (NULL if void)
+	* .type: type of .src
+
+.. op:: OP_BR
+	Unconditional branch
+
+	* .bb_true: destination basic block
+
+.. op:: OP_CBR
+	Conditional branch
+
+	* .cond: condition
+	* .type: type of .cond, must be an integral type
+	* .bb_true, .bb_false: destination basic blocks
+
+.. op:: OP_SWITCH
+	Switch / multi-branch
+
+	* .cond: condition
+	* .type: type of .cond, must be an integral type
+	* .multijmp_list: pairs of case-value - destination basic block
+
+.. op:: OP_COMPUTEDGOTO
+	Computed goto / branch to register
+
+	* .src: address to branch to (void*)
+	* .multijmp_list: list of possible destination basic blocks
+
+Arithmetic binops
+-----------------
+They all follow the same signature:
+	* .src1, .src1: operands (types must be compatible with .target)
+	* .target: result of the operation (must be an integral type)
+	* .type: type of .target
+
+.. op:: OP_ADD
+	Integer addition.
+
+.. op:: OP_SUB
+	Integer subtraction.
+
+.. op:: OP_MUL
+	Integer multiplication.
+
+.. op:: OP_DIVU
+	Integer unsigned division.
+
+.. op:: OP_DIVS
+	Integer signed division.
+
+.. op:: OP_MODU
+	Integer unsigned remainder.
+
+.. op:: OP_MODS
+	Integer signed remainder.
+
+.. op:: OP_SHL
+	Shift left (integer only)
+
+.. op:: OP_LSR
+	Logical Shift right (integer only)
+
+.. op:: OP_ASR
+	Arithmetic Shift right (integer only)
+
+Floating-point binops
+---------------------
+They all follow the same signature:
+	* .src1, .src1: operands (types must be compatible with .target)
+	* .target: result of the operation (must be a floating-point type)
+	* .type: type of .target
+
+.. op:: OP_FADD
+	Floating-point addition.
+
+.. op:: OP_FSUB
+	Floating-point subtraction.
+
+.. op:: OP_FMUL
+	Floating-point multiplication.
+
+.. op:: OP_FDIV
+	Floating-point division.
+
+Logical ops
+-----------
+They all follow the same signature:
+	* .src1, .src2: operands (types must be compatible with .target)
+	* .target: result of the operation
+	* .type: type of .target, must be an integral type
+
+.. op:: OP_AND
+	Logical AND
+
+.. op:: OP_OR
+	Logical OR
+
+.. op:: OP_XOR
+	Logical XOR
+
+Integer compares
+----------------
+They all have the following signature:
+	* .src1, .src2: operands (types must be compatible)
+	* .target: result of the operation (0/1 valued integer)
+	* .type: type of .target, must be an integral type
+
+.. op:: OP_SET_EQ
+	Compare equal.
+
+.. op:: OP_SET_NE
+	Compare not-equal.
+
+.. op:: OP_SET_LE
+	Compare less-than-or-equal (signed).
+
+.. op:: OP_SET_GE
+	Compare greater-than-or-equal (signed).
+
+.. op:: OP_SET_LT
+	Compare less-than (signed).
+
+.. op:: OP_SET_GT
+	Compare greater-than (signed).
+
+.. op:: OP_SET_B
+	Compare less-than (unsigned).
+
+.. op:: OP_SET_A
+	Compare greater-than (unsigned).
+
+.. op:: OP_SET_BE
+	Compare less-than-or-equal (unsigned).
+
+.. op:: OP_SET_AE
+	Compare greater-than-or-equal (unsigned).
+
+Floating-point compares
+-----------------------
+They all have the same signature as the integer compares.
+
+The usual 6 operations exist in two versions: 'ordered' and
+'unordered'. These operations first check if any operand is a
+NaN and if it is the case the ordered compares return false
+and then unordered return true, otherwise the result of the
+comparison, now guaranteed to be done on non-NaNs, is returned.
+
+.. op:: OP_FCMP_OEQ
+	Floating-point compare ordered equal
+
+.. op:: OP_FCMP_ONE
+	Floating-point compare ordered not-equal
+
+.. op:: OP_FCMP_OLE
+	Floating-point compare ordered less-than-or-equal
+
+.. op:: OP_FCMP_OGE
+	Floating-point compare ordered greater-or-equal
+
+.. op:: OP_FCMP_OLT
+	Floating-point compare ordered less-than
+
+.. op:: OP_FCMP_OGT
+	Floating-point compare ordered greater-than
+
+
+.. op:: OP_FCMP_UEQ
+	Floating-point compare unordered equal
+
+.. op:: OP_FCMP_UNE
+	Floating-point compare unordered not-equal
+
+.. op:: OP_FCMP_ULE
+	Floating-point compare unordered less-than-or-equal
+
+.. op:: OP_FCMP_UGE
+	Floating-point compare unordered greater-or-equal
+
+.. op:: OP_FCMP_ULT
+	Floating-point compare unordered less-than
+
+.. op:: OP_FCMP_UGT
+	Floating-point compare unordered greater-than
+
+
+.. op:: OP_FCMP_ORD
+	Floating-point compare ordered: return true if both operands are ordered
+	(none of the operands are a NaN) and false otherwise.
+
+.. op:: OP_FCMP_UNO
+	Floating-point compare unordered: return false if no operands is ordered
+	and true otherwise.
+
+Unary ops
+---------
+.. op:: OP_NOT
+	Logical not.
+
+	* .src: operand (type must be compatible with .target)
+	* .target: result of the operation
+	* .type: type of .target, must be an integral type
+
+.. op:: OP_NEG
+	Integer negation.
+
+	* .src: operand (type must be compatible with .target)
+	* .target: result of the operation (must be an integral type)
+	* .type: type of .target
+
+.. op:: OP_FNEG
+	Floating-point negation.
+
+	* .src: operand (type must be compatible with .target)
+	* .target: result of the operation (must be a floating-point type)
+	* .type: type of .target
+
+.. op:: OP_SYMADDR
+	Create a pseudo corresponding to the address of a symbol.
+
+	* .src: input symbol (must be a PSEUDO_SYM)
+	* .target: symbol's address
+
+.. op:: OP_COPY
+	Copy (only needed after out-of-SSA).
+
+	* .src: operand (type must be compatible with .target)
+	* .target: result of the operation
+	* .type: type of .target
+
+Type conversions
+----------------
+They all have the following signature:
+	* .src: source value
+	* .orig_type: type of .src
+	* .target: result value
+	* .type: type of .target
+
+Currently, a cast to a void pointer is treated like a cast to
+an unsigned integer of the same size.
+
+.. op:: OP_TRUNC
+	Cast from integer to an integer of a smaller size.
+
+.. op:: OP_SEXT
+	Cast from integer to an integer of a bigger size with sign extension.
+
+.. op:: OP_ZEXT
+	Cast from integer to an integer of a bigger size with zero extension.
+
+.. op:: OP_UTPTR
+	Cast from pointer-sized unsigned integer to pointer type.
+
+.. op:: OP_PTRTU
+	Cast from pointer type to pointer-sized unsigned integer.
+
+.. op:: OP_PTRCAST
+	Cast between pointers.
+
+.. op:: OP_FCVTU
+	Conversion from float type to unsigned integer.
+
+.. op:: OP_FCVTS
+	Conversion from float type to signed integer.
+
+.. op:: OP_UCVTF
+	Conversion from unsigned integer to float type.
+
+.. op:: OP_SCVTF
+	Conversion from signed integer to float type.
+
+.. op:: OP_FCVTF
+	Conversion between float types.
+
+Ternary ops
+-----------
+.. op:: OP_SEL
+	* .src1: condition, must be of integral type
+	* .src2, .src3: operands (types must be compatible with .target)
+	* .target: result of the operation
+	* .type: type of .target
+
+.. op:: OP_RANGE
+	Range/bounds checking (only used for an unused sparse extension).
+
+	* .src1: value to be checked
+	* .src2, src3: bound of the value (must be constants?)
+	* .type: type of .src[123]?
+
+Memory ops
+----------
+.. op:: OP_LOAD
+	Load.
+
+	* .src: base address to load from
+	* .offset: address offset
+	* .target: loaded value
+	* .type: type of .target
+
+.. op:: OP_STORE
+	Store.
+
+	* .src: base address to store to
+	* .offset: address offset
+	* .target: value to be stored
+	* .type: type of .target
+
+Others
+------
+.. op:: OP_SETFVAL
+	Create a pseudo corresponding to a floating-point literal.
+
+	* .fvalue: the literal's value (long double)
+	* .target: the corresponding pseudo
+	* .type: type of the literal & .target
+
+.. op:: OP_SETVAL
+	Create a pseudo corresponding to a string literal or a label-as-value.
+	The value is given as an expression EXPR_STRING or EXPR_LABEL.
+
+	* .val: (expression) input expression
+	* .target: the resulting value
+	* .type: type of .target, the value
+
+.. op:: OP_PHI
+	Phi-node (for SSA form).
+
+	* .phi_list: phi-operands (type must be compatible with .target)
+	* .target: "result"
+	* .type: type of .target
+
+.. op:: OP_PHISOURCE
+	Phi-node source.
+	Like OP_COPY but exclusively used to give a defining instructions
+	(and thus also a type) to *all* OP_PHI operands.
+
+	* .phi_src: operand (type must be compatible with .target, alias .src)
+	* .target: the "result" PSEUDO_PHI
+	* .type: type of .target
+	* .phi_users: list of phi instructions using the target pseudo
+
+.. op:: OP_CALL
+	Function call.
+
+	* .func: (pseudo_t) the function (can be a symbol or a "register",
+	  alias .src))
+	* .arguments: (pseudo_list) list of the associated arguments
+	* .target: function return value (if any)
+	* .type: type of .target
+	* .fntypes: (symbol_list) list of the function's types: the first
+	  entry is the full function type, the next ones are the type of
+	  each arguments
+
+.. op:: OP_INLINED_CALL
+	Only used as an annotation to show that the instructions just above
+	correspond to a function that have been inlined.
+
+	* .func: (pseudo_t) the function (must be a symbol, alias .src))
+	* .arguments: list of pseudos that where the function's arguments
+	* .target: function return value (if any)
+	* .type: type of .target
+
+.. op:: OP_SLICE
+	Extract a "slice" from an aggregate.
+
+	* .base: (pseudo_t) aggregate (alias .src)
+	* .from, .len: offet & size of the "slice" within the aggregate
+	* .target: result
+	* .type: type of .target
+
+.. op:: OP_ASM
+	Inlined assembly code.
+
+	* .string: asm template
+	* .asm_rules: asm constraints, rules
+
+Sparse tagging (line numbers, context, whatever)
+------------------------------------------------
+.. op:: OP_CONTEXT
+	Currently only used for lock/unlock tracking.
+
+	* .context_expr: unused
+	* .increment: (1 for locking, -1 for unlocking)
+	* .check: (ignore the instruction if 0)
+
+Misc ops
+--------
+.. op:: OP_ENTRY
+	Function entry point (no associated semantic).
+
+.. op:: OP_BADOP
+	Invalid operation (should never be generated).
+
+.. op:: OP_NOP
+	No-op (should never be generated).
+
+.. op:: OP_DEATHNOTE
+	Annotation telling the pseudo will be death after the next
+	instruction (other than some other annotation, that is).
+
+.. # vim: tabstop=4

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/smatch/src/Documentation/Makefile	Thu Nov 21 12:33:13 2019 +0000
@@ -0,0 +1,26 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS    = -a
+SPHINXBUILD   = sphinx-build
+SPHINXPROJ    = sparse
+SOURCEDIR     = .
+BUILDDIR      = build
+
+targets := help
+targets += html
+targets += man
+
+
+# Put it first so that "make" without argument is like "make help".
+help:
+
+# route all targets to Sphinx using the new "make mode" option.
+$(targets): conf.py Makefile
+	@$(SPHINXBUILD) -M  $@  "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS)
+
+%.1: %.rst man
+	@mv build/man/$@ $@
+
+.PHONY: Makefile	# avoid circular deps with the catch-all rule

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/smatch/src/Documentation/TODO.md	Thu Nov 21 12:33:13 2019 +0000
@@ -0,0 +1,98 @@
+TODO
+====
+
+Essential
+---------
+* SSA is broken by simplify_loads() & branches rewriting/simplification
+* attributes of struct, union & enums are ignored (and possibly in other
+  cases too).
+* add support for bitwise enums
+
+Documentation
+-------------
+* document the extensions
+* document the API
+* document the limitations of modifying ptrlists during list walking
+* document the data structures
+* document flow of data / architecture / code structure
+
+Core
+----
+* if a variable has its address taken but in an unreachable BB then
+  its MOD_ADDRESSABLE may be wrong and it won't be SSA converted.
+  - let kill_insn() check killing of SYMADDR,
+  - add the sym into a list and
+  - recalculate the addressability before memops's SSA conversion
+* bool_ctype should be split into internal 1-bit / external 8-bit
+* Previous declarations and the definition need to be merged. For example,
+  in the code here below, the function definition is **not** static:
+  ```
+	static void foo(void);
+	void foo(void) { ... }
+  ```
+
+Testsuite
+--------
+* there are more than 50 failing tests. They should be fixed
+  (but most are non-trivial to fix).
+
+Misc
+----
+* GCC's -Wenum-compare / clangs's -Wenum-conversion -Wassign-enum
+* parse __attribute_((fallthrough))
+* add support for __builtin_unreachable()
+* add support for format(printf())  (WIP by Ben Dooks)
+* make use of UNDEFs (issues warnings, simplification, ... ?)
+* add a pass to inline small functions during simplification.
+
+Optimization
+------------
+* the current way of doing CSE uses a lot of time
+* add SSA based DCE
+* add SSA based PRE
+* Add SSA based SCCP
+* use better/more systematic use of internal verification framework
+
+IR
+--
+* OP_SET should return a bool, always
+* add IR instructions for va_arg() & friends
+* add a possibility to import of file in "IR assembly"
+* dump the symtable
+* dump the CFG
+
+LLVM
+----
+* fix ...
+
+Internal backends
+-----------------
+* add some basic register allocation
+* add a pass to transform 3-addresses code to 2-addresses
+* what can be done for x86?
+
+Longer term/to investigate
+--------------------------
+* better architecture handling than current machine.h + target.c
+* attributes are represented as ctypes's alignment, modifiers & contexts
+  but plenty of attributes doesn't fit, for example they need arguments.
+  * format(printf, ...),
+  * section("...")
+  * assume_aligned(alignment[, offsert])
+  * error("message"), warning("message")
+  * ...
+* should support "-Werror=..." ?
+* All warning messages should include the option how to disable it.
+  For example:
+  	"warning: Variable length array is used."
+  should be something like:
+	"warning: Variable length array is used. (-Wno-vla)"
+* ptrlists must have elements be removed while being iterated but this
+  is hard to insure it is not done.
+* having 'struct symbol' used to represent symbols *and* types is
+  quite handy but it also creates lots of problems and complications
+* Possible mixup of symbol for a function designator being not a pointer?
+  This seems to make evaluation of function pointers much more complex
+  than needed.
+* extend test-inspect to inspect more AST fields.
+* extend test-inspect to inspect instructions.

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/smatch/src/Documentation/api.rst	Thu Nov 21 12:33:13 2019 +0000
@@ -0,0 +1,27 @@
+Sparse API
+==========
+
+.. contents::
+	:local:
+	:depth: 2
+
+Utilities
+~~~~~~~~~
+
+.. c:autodoc:: ptrlist.c
+.. c:autodoc:: utils.h
+
+Parsing
+~~~~~~~
+
+.. c:autodoc:: expression.h
+
+Typing
+~~~~~~
+
+.. c:autodoc:: evaluate.h
+
+Optimization
+~~~~~~~~~~~~
+
+.. c:autodoc:: simplify.c

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/smatch/src/Documentation/arm64-detecting-tagged-addresses.txt	Thu Nov 21 12:33:13 2019 +0000
@@ -0,0 +1,207 @@
+Detecting ARM64 tagged pointers
+===============================
+
+The ARM64 ABI allows tagged memory addresses to be passed through the
+user-kernel syscall ABI boundary. Tagged memory addresses are those which
+contain a non-zero top byte - the hardware will always ignore this top
+byte, however software does not. Therefore it is helpful to be able to
+detect code that erroneously compares tagged memory addresses with
+untagged memory addresses. This document describes how smatch can be used
+for this.
+
+Smatch will provide a warning when it detects that a comparison is being
+made between a user originated 64 bit data where the top byte may be
+non-zero and any variable which may contain an untagged address.
+
+Untagged variables are detected by looking for hard-coded known struct
+members (such as vm_start, vm_end and addr_limit) and hard-coded known
+macros (such as PAGE_SIZE, PAGE_MASK and TASK_SIZE). This check is
+also able to detect when comparisons are made against variables that
+have been assigned from these known untagged variables, though this
+tracking is limited to the scope of the function.
+
+This check is only performed when the ARCH environment variable is set to
+arm64. To provide a worked example, consider the following command which is
+used to perform Smatch static analysis on the Linux kernel:
+
+$ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- ~/smatch/smatch_scripts/build_kernel_data.sh
+
+It is recommended that this command is run multiple times (6 or more) to
+provide Smatch with a deeper knowledge of the call stack. Before running
+multiple iterations of Smatch, it may be beneficial to delete any smatch*
+files in the root of the linux tree.
+
+Once Smatch has run, you can observe warnings as follows:
+
+$ cat smatch_warns.txt | grep "tagged address"
+mm/gup.c:818 __get_user_pages() warn: comparison of a potentially tagged
+address (__get_user_pages, 2, start)
+...
+
+This warning tells us that on line 818 of mm/gup.c an erroneous comparison
+may have been made between a tagged address (variable 'start' which originated
+from parameter 2 of the function) and existing kernel addresses (untagged).
+
+The code that this relates to follows:
+
+790: static long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+791:                unsigned long start, unsigned long nr_pages,
+792:                unsigned int gup_flags, struct page **pages,
+793:                struct vm_area_struct **vmas, int *nonblocking)
+794:{
+...
+818:                if (!vma || start >= vma->vm_end) {
+
+Through manual inspection of this code, we can verify that the variable 'start'
+originated from parameter 2 of its function '__get_user_pages'.
+
+A suggested fix at this point may be to call the untagged_addr macro prior
+to the comparison on line 818. However it's often helpful to follow the
+parameter up the call stack, we can do this with the following Smatch command:
+
+$ ~/smatch/smatch_data/db/smdb.py find_tagged __get_user_pages 2
+    copy_strings (param ?) -> get_arg_page (param 1)
+    vfio_pin_map_dma (param ?) -> vfio_pin_pages_remote (param 1)
+    __se_sys_ptrace (param 2)
+    environ_read (param ?) -> access_remote_vm (param 1)
+    io_sqe_buffer_register (param ?) -> get_user_pages (param 0)
+    gntdev_grant_copy_seg (param ?) -> gntdev_get_page (param 1)
+    get_futex_key (param ?) -> get_user_pages_fast (param 0)
+    __se_sys_madvise (param 0)
+    __mm_populate (param ?) -> populate_vma_page_range (param 1)
+    __se_sys_mprotect (param 0)
+
+
+This script will examine all of the possible callers of __get_user_pages where
+parameter 2 contains user data and where the top byte of the parameter may be
+non-zero. It will recurse up the possible call stacks as far as it can go. This
+will leave a list of functions that provide tagged addresses to __get_user_pages
+and the parameter of interest (or variable if Smatch cannot determine the
+function parameter).
+
+Sometimes Smatch is able to determine a caller of a function but is unable
+to determine which parameter of that function relates to the parameter of the
+called function, when this happens the following output it shown:
+
+get_futex_key (param ?) -> get_user_pages_fast (param 0)
+
+This shows that when following up the call tree from __get_user_pages, we stop
+at get_user_pages_fast with parameter 0 of that function containing user data.
+Smatch knows that get_futex_key calls get_user_pages_fast but cannot determine
+which parameter of get_futex_key provided the data of interest. In these cases
+manual inspection of the source tree can help and if necessary re-run the
+smdb.py script with new parameters (e.g. smdb.py find_tagged get_futex_key 0).
+
+To provide a summary of all of the tagged issues found, the following command
+can be run directly on the smatch_warns.txt file:
+
+$ ~/smatch/smatch_data/db/smdb.py parse_warns_tagged smatch_warns.txt
+
+This will run find_tagged for each issue found, e.g.
+
+mm/mmap.c:2918 (func: __do_sys_remap_file_pages, param: 0:start) may be caused by:
+    __se_sys_remap_file_pages (param 0)
+
+mm/mmap.c:2963 (func: __do_sys_remap_file_pages, param: -1:__UNIQUE_ID___y73) may be caused by:
+    __do_sys_remap_file_pages (variable __UNIQUE_ID___y73 (can't walk call tree)
+
+mm/mmap.c:3000 (func: do_brk_flags, param: -1:error) may be caused by:
+    do_brk_flags (variable error (can't walk call tree)
+
+mm/mmap.c:540 (func: find_vma_links, param: 1:addr) may be caused by:
+    find_vma_links (param 1) (can't walk call tree)
+
+mm/mmap.c:570 (func: count_vma_pages_range, param: -1:__UNIQUE_ID___x64) may be caused by:
+    count_vma_pages_range (variable __UNIQUE_ID___x64 (can't walk call tree)
+
+mm/mmap.c:580 (func: count_vma_pages_range, param: -1:__UNIQUE_ID___x68) may be caused by:
+    count_vma_pages_range (variable __UNIQUE_ID___x68 (can't walk call tree)
+
+mm/mmap.c:856 (func: __vma_adjust, param: 1:start) may be caused by:
+    __se_sys_mprotect (param 0)
+    __se_sys_mlock (param 0)
+    __se_sys_mlock2 (param 0)
+    __se_sys_munlock (param 0)
+    mbind_range (param ?) -> vma_merge (param 2)
+    __se_sys_madvise (param 0)
+    __se_sys_mbind (param 0)
+
+
+The above commands do not output a call stack, instead they provide the 'highest'
+caller found, to provide a call stack perform the following:
+
+$ ~/smatch/smatch_data/db/smdb.py call_tree __get_user_pages
+__get_user_pages()
+  __get_user_pages_locked()
+    get_user_pages_remote()
+      get_arg_page()
+        copy_strings()
+        remove_arg_zero()
+      vaddr_get_pfn()
+        vfio_pin_pages_remote()
+        vfio_pin_page_external()
+      process_vm_rw_single_vec()
+        process_vm_rw_core()
+      __access_remote_vm()
+        ptrace_access_vm()
+        access_remote_vm()
+        access_process_vm()
+    check_and_migrate_cma_pages()
+      __gup_longterm_locked()
+        get_user_pages()
+        __gup_longterm_unlocked()
+    get_user_pages_locked()
+      get_vaddr_frames()
+        vb2_create_framevec()
+      lookup_node()
+        do_get_mempolicy()
+    get_user_pages_unlocked()
+      hva_to_pfn_slow()
+        hva_to_pfn()
+
+Please note that this will show all the callers and is not filtered for those
+carrying tagged addresses in their parameters.
+
+It is possible to filter out false positives by annotating function parameters
+with __untagged. For example:
+
+unsigned long do_mmap(struct file *file, unsigned long addr,
+			unsigned long __untagged len, unsigned long prot,
+			unsigned long flags, vm_flags_t vm_flags,
+			unsigned long pgoff, unsigned long *populate,
+			struct list_head *uf)
+{
+
+This annotation tells smatch that regardless to the value stored in 'len' it
+should be treated as an untagged address. As Smatch is able to track the
+potential ranges of values a variable may hold, it will also track the
+annotation - therefore it is not necessary to use the annotation in every
+function that do_mmap calls. When using this annotation smdb.py will filter
+out functions that carry a value which has been annotated as untagged. Please
+note that due to limitations in parameter tracking some annotations will be
+ignored and not propogated all the way down the call tree.
+
+Finally, the following patch is required to add annotations to the Linux
+kernel:
+
+diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
+index 19e58b9138a0..755e8df375a5 100644
+--- a/include/linux/compiler_types.h
++++ b/include/linux/compiler_types.h
+@@ -19,6 +19,7 @@
+ # define __cond_lock(x,c)      ((c) ? ({ __acquire(x); 1; }) : 0)
+ # define __percpu      __attribute__((noderef, address_space(3)))
+ # define __rcu         __attribute__((noderef, address_space(4)))
++# define __untagged    __attribute__((address_space(5)))
+ # define __private     __attribute__((noderef))
+ extern void __chk_user_ptr(const volatile void __user *);
+ extern void __chk_io_ptr(const volatile void __iomem *);
+@@ -45,6 +46,7 @@ extern void __chk_io_ptr(const volatile void __iomem *);
+ # define __cond_lock(x,c) (c)
+ # define __percpu
+ # define __rcu
++# define __untagged
+ # define __private
+ # define ACCESS_PRIVATE(p, member) ((p)->member)
+ #endif /* __CHECKER__ */
+