Linux/scripts/coccinelle/null/deref

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

1 // SPDX-License-Identifier: GPL-2.0-only 1 // SPDX-License-Identifier: GPL-2.0-only 2 /// 2 /// 3 /// A variable is dereferenced under a NULL te 3 /// A variable is dereferenced under a NULL test. 4 /// Even though it is known to be NULL. 4 /// Even though it is known to be NULL. 5 /// 5 /// 6 // Confidence: Moderate 6 // Confidence: Moderate 7 // Copyright: (C) 2010 Nicolas Palix, DIKU. 7 // Copyright: (C) 2010 Nicolas Palix, DIKU. 8 // Copyright: (C) 2010 Julia Lawall, DIKU. 8 // Copyright: (C) 2010 Julia Lawall, DIKU. 9 // Copyright: (C) 2010 Gilles Muller, INRIA/Li 9 // Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. 10 // URL: https://coccinelle.gitlabpages.inria.f 10 // URL: https://coccinelle.gitlabpages.inria.fr/website 11 // Comments: -I ... -all_includes can give mor 11 // Comments: -I ... -all_includes can give more complete results 12 // Options: 12 // Options: 13 13 14 virtual context 14 virtual context 15 virtual org 15 virtual org 16 virtual report 16 virtual report 17 17 18 // The following two rules are separate, becau 18 // The following two rules are separate, because both can match a single 19 // expression in different ways 19 // expression in different ways 20 @pr1 expression@ 20 @pr1 expression@ 21 expression E; 21 expression E; 22 identifier f; 22 identifier f; 23 position p1; 23 position p1; 24 @@ 24 @@ 25 25 26 (E != NULL && ...) ? <+...E->f@p1...+> : ... 26 (E != NULL && ...) ? <+...E->f@p1...+> : ... 27 27 28 @pr2 expression@ 28 @pr2 expression@ 29 expression E; 29 expression E; 30 identifier f; 30 identifier f; 31 position p2; 31 position p2; 32 @@ 32 @@ 33 33 34 ( 34 ( 35 (E != NULL) && ... && <+...E->f@p2...+> 35 (E != NULL) && ... && <+...E->f@p2...+> 36 | 36 | 37 (E == NULL) || ... || <+...E->f@p2...+> 37 (E == NULL) || ... || <+...E->f@p2...+> 38 | 38 | 39 sizeof(<+...E->f@p2...+>) 39 sizeof(<+...E->f@p2...+>) 40 ) 40 ) 41 41 42 @ifm@ 42 @ifm@ 43 expression *E; 43 expression *E; 44 statement S1,S2; 44 statement S1,S2; 45 position p1; 45 position p1; 46 @@ 46 @@ 47 47 48 if@p1 ((E == NULL && ...) || ...) S1 else S2 48 if@p1 ((E == NULL && ...) || ...) S1 else S2 49 49 50 // For org and report modes 50 // For org and report modes 51 51 52 @r depends on !context && (org || report) exis 52 @r depends on !context && (org || report) exists@ 53 expression subE <= ifm.E; 53 expression subE <= ifm.E; 54 expression *ifm.E; 54 expression *ifm.E; 55 expression E1,E2; 55 expression E1,E2; 56 identifier f; 56 identifier f; 57 statement S1,S2,S3,S4; 57 statement S1,S2,S3,S4; 58 iterator iter; 58 iterator iter; 59 position p!={pr1.p1,pr2.p2}; 59 position p!={pr1.p1,pr2.p2}; 60 position ifm.p1; 60 position ifm.p1; 61 @@ 61 @@ 62 62 63 if@p1 ((E == NULL && ...) || ...) 63 if@p1 ((E == NULL && ...) || ...) 64 { 64 { 65 ... when != if (...) S1 else S2 65 ... when != if (...) S1 else S2 66 ( 66 ( 67 iter(subE,...) S4 // no use 67 iter(subE,...) S4 // no use 68 | 68 | 69 list_remove_head(E2,subE,...) 69 list_remove_head(E2,subE,...) 70 | 70 | 71 subE = E1 71 subE = E1 72 | 72 | 73 for(subE = E1;...;...) S4 73 for(subE = E1;...;...) S4 74 | 74 | 75 subE++ 75 subE++ 76 | 76 | 77 ++subE 77 ++subE 78 | 78 | 79 --subE 79 --subE 80 | 80 | 81 subE-- 81 subE-- 82 | 82 | 83 &subE 83 &subE 84 | 84 | 85 E->f@p // bad use 85 E->f@p // bad use 86 ) 86 ) 87 ... when any 87 ... when any 88 return ...; 88 return ...; 89 } 89 } 90 else S3 90 else S3 91 91 92 @script:python depends on !context && !org && 92 @script:python depends on !context && !org && report@ 93 p << r.p; 93 p << r.p; 94 p1 << ifm.p1; 94 p1 << ifm.p1; 95 x << ifm.E; 95 x << ifm.E; 96 @@ 96 @@ 97 97 98 msg="ERROR: %s is NULL but dereferenced." % (x 98 msg="ERROR: %s is NULL but dereferenced." % (x) 99 coccilib.report.print_report(p[0], msg) 99 coccilib.report.print_report(p[0], msg) 100 cocci.include_match(False) 100 cocci.include_match(False) 101 101 102 @script:python depends on !context && org && ! 102 @script:python depends on !context && org && !report@ 103 p << r.p; 103 p << r.p; 104 p1 << ifm.p1; 104 p1 << ifm.p1; 105 x << ifm.E; 105 x << ifm.E; 106 @@ 106 @@ 107 107 108 msg="ERROR: %s is NULL but dereferenced." % (x 108 msg="ERROR: %s is NULL but dereferenced." % (x) 109 msg_safe=msg.replace("[","@(").replace("]",")" 109 msg_safe=msg.replace("[","@(").replace("]",")") 110 cocci.print_main(msg_safe,p) 110 cocci.print_main(msg_safe,p) 111 cocci.include_match(False) 111 cocci.include_match(False) 112 112 113 @s depends on !context && (org || report) exis 113 @s depends on !context && (org || report) exists@ 114 expression subE <= ifm.E; 114 expression subE <= ifm.E; 115 expression *ifm.E; 115 expression *ifm.E; 116 expression E1,E2; 116 expression E1,E2; 117 identifier f; 117 identifier f; 118 statement S1,S2,S3,S4; 118 statement S1,S2,S3,S4; 119 iterator iter; 119 iterator iter; 120 position p!={pr1.p1,pr2.p2}; 120 position p!={pr1.p1,pr2.p2}; 121 position ifm.p1; 121 position ifm.p1; 122 @@ 122 @@ 123 123 124 if@p1 ((E == NULL && ...) || ...) 124 if@p1 ((E == NULL && ...) || ...) 125 { 125 { 126 ... when != if (...) S1 else S2 126 ... when != if (...) S1 else S2 127 ( 127 ( 128 iter(subE,...) S4 // no use 128 iter(subE,...) S4 // no use 129 | 129 | 130 list_remove_head(E2,subE,...) 130 list_remove_head(E2,subE,...) 131 | 131 | 132 subE = E1 132 subE = E1 133 | 133 | 134 for(subE = E1;...;...) S4 134 for(subE = E1;...;...) S4 135 | 135 | 136 subE++ 136 subE++ 137 | 137 | 138 ++subE 138 ++subE 139 | 139 | 140 --subE 140 --subE 141 | 141 | 142 subE-- 142 subE-- 143 | 143 | 144 &subE 144 &subE 145 | 145 | 146 E->f@p // bad use 146 E->f@p // bad use 147 ) 147 ) 148 ... when any 148 ... when any 149 } 149 } 150 else S3 150 else S3 151 151 152 @script:python depends on !context && !org && 152 @script:python depends on !context && !org && report@ 153 p << s.p; 153 p << s.p; 154 p1 << ifm.p1; 154 p1 << ifm.p1; 155 x << ifm.E; 155 x << ifm.E; 156 @@ 156 @@ 157 157 158 msg="ERROR: %s is NULL but dereferenced." % (x 158 msg="ERROR: %s is NULL but dereferenced." % (x) 159 coccilib.report.print_report(p[0], msg) 159 coccilib.report.print_report(p[0], msg) 160 160 161 @script:python depends on !context && org && ! 161 @script:python depends on !context && org && !report@ 162 p << s.p; 162 p << s.p; 163 p1 << ifm.p1; 163 p1 << ifm.p1; 164 x << ifm.E; 164 x << ifm.E; 165 @@ 165 @@ 166 166 167 msg="ERROR: %s is NULL but dereferenced." % (x 167 msg="ERROR: %s is NULL but dereferenced." % (x) 168 msg_safe=msg.replace("[","@(").replace("]",")" 168 msg_safe=msg.replace("[","@(").replace("]",")") 169 cocci.print_main(msg_safe,p) 169 cocci.print_main(msg_safe,p) 170 170 171 // For context mode 171 // For context mode 172 172 173 @depends on context && !org && !report exists@ 173 @depends on context && !org && !report exists@ 174 expression subE <= ifm.E; 174 expression subE <= ifm.E; 175 expression *ifm.E; 175 expression *ifm.E; 176 expression E1,E2; 176 expression E1,E2; 177 identifier f; 177 identifier f; 178 statement S1,S2,S3,S4; 178 statement S1,S2,S3,S4; 179 iterator iter; 179 iterator iter; 180 position p!={pr1.p1,pr2.p2}; 180 position p!={pr1.p1,pr2.p2}; 181 position ifm.p1; 181 position ifm.p1; 182 @@ 182 @@ 183 183 184 if@p1 ((E == NULL && ...) || ...) 184 if@p1 ((E == NULL && ...) || ...) 185 { 185 { 186 ... when != if (...) S1 else S2 186 ... when != if (...) S1 else S2 187 ( 187 ( 188 iter(subE,...) S4 // no use 188 iter(subE,...) S4 // no use 189 | 189 | 190 list_remove_head(E2,subE,...) 190 list_remove_head(E2,subE,...) 191 | 191 | 192 subE = E1 192 subE = E1 193 | 193 | 194 for(subE = E1;...;...) S4 194 for(subE = E1;...;...) S4 195 | 195 | 196 subE++ 196 subE++ 197 | 197 | 198 ++subE 198 ++subE 199 | 199 | 200 --subE 200 --subE 201 | 201 | 202 subE-- 202 subE-- 203 | 203 | 204 &subE 204 &subE 205 | 205 | 206 * E->f@p // bad use 206 * E->f@p // bad use 207 ) 207 ) 208 ... when any 208 ... when any 209 return ...; 209 return ...; 210 } 210 } 211 else S3 211 else S3 212 212 213 // The following three rules are duplicates of 213 // The following three rules are duplicates of ifm, pr1 and pr2 respectively. 214 // It is need because the previous rule as alr 214 // It is need because the previous rule as already made a "change". 215 215 216 @pr11 depends on context && !org && !report ex 216 @pr11 depends on context && !org && !report expression@ 217 expression E; 217 expression E; 218 identifier f; 218 identifier f; 219 position p1; 219 position p1; 220 @@ 220 @@ 221 221 222 (E != NULL && ...) ? <+...E->f@p1...+> : ... 222 (E != NULL && ...) ? <+...E->f@p1...+> : ... 223 223 224 @pr12 depends on context && !org && !report ex 224 @pr12 depends on context && !org && !report expression@ 225 expression E; 225 expression E; 226 identifier f; 226 identifier f; 227 position p2; 227 position p2; 228 @@ 228 @@ 229 229 230 ( 230 ( 231 (E != NULL) && ... && <+...E->f@p2...+> 231 (E != NULL) && ... && <+...E->f@p2...+> 232 | 232 | 233 (E == NULL) || ... || <+...E->f@p2...+> 233 (E == NULL) || ... || <+...E->f@p2...+> 234 | 234 | 235 sizeof(<+...E->f@p2...+>) 235 sizeof(<+...E->f@p2...+>) 236 ) 236 ) 237 237 238 @ifm1 depends on context && !org && !report@ 238 @ifm1 depends on context && !org && !report@ 239 expression *E; 239 expression *E; 240 statement S1,S2; 240 statement S1,S2; 241 position p1; 241 position p1; 242 @@ 242 @@ 243 243 244 if@p1 ((E == NULL && ...) || ...) S1 else S2 244 if@p1 ((E == NULL && ...) || ...) S1 else S2 245 245 246 @depends on context && !org && !report exists@ 246 @depends on context && !org && !report exists@ 247 expression subE <= ifm1.E; 247 expression subE <= ifm1.E; 248 expression *ifm1.E; 248 expression *ifm1.E; 249 expression E1,E2; 249 expression E1,E2; 250 identifier f; 250 identifier f; 251 statement S1,S2,S3,S4; 251 statement S1,S2,S3,S4; 252 iterator iter; 252 iterator iter; 253 position p!={pr11.p1,pr12.p2}; 253 position p!={pr11.p1,pr12.p2}; 254 position ifm1.p1; 254 position ifm1.p1; 255 @@ 255 @@ 256 256 257 if@p1 ((E == NULL && ...) || ...) 257 if@p1 ((E == NULL && ...) || ...) 258 { 258 { 259 ... when != if (...) S1 else S2 259 ... when != if (...) S1 else S2 260 ( 260 ( 261 iter(subE,...) S4 // no use 261 iter(subE,...) S4 // no use 262 | 262 | 263 list_remove_head(E2,subE,...) 263 list_remove_head(E2,subE,...) 264 | 264 | 265 subE = E1 265 subE = E1 266 | 266 | 267 for(subE = E1;...;...) S4 267 for(subE = E1;...;...) S4 268 | 268 | 269 subE++ 269 subE++ 270 | 270 | 271 ++subE 271 ++subE 272 | 272 | 273 --subE 273 --subE 274 | 274 | 275 subE-- 275 subE-- 276 | 276 | 277 &subE 277 &subE 278 | 278 | 279 * E->f@p // bad use 279 * E->f@p // bad use 280 ) 280 ) 281 ... when any 281 ... when any 282 } 282 } 283 else S3 283 else S3

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

TOMOYO Linux Cross Reference
Linux/scripts/coccinelle/null/deref_null.cocci

Diff markup

Differences between /scripts/coccinelle/null/deref_null.cocci (Architecture sparc) and /scripts/coccinelle/null/deref_null.cocci (Architecture i386)

TOMOYO Linux Cross Reference Linux/scripts/coccinelle/null/deref_null.cocci

Diff markup

Differences between /scripts/coccinelle/null/deref_null.cocci (Architecture sparc) and /scripts/coccinelle/null/deref_null.cocci (Architecture i386)

TOMOYO Linux Cross Reference
Linux/scripts/coccinelle/null/deref_null.cocci