1 // SPDX-License-Identifier: GPL-2.0-only << 2 /// 1 /// 3 /// A variable is dereferenced under a NULL te 2 /// A variable is dereferenced under a NULL test. 4 /// Even though it is known to be NULL. 3 /// Even though it is known to be NULL. 5 /// 4 /// 6 // Confidence: Moderate 5 // Confidence: Moderate 7 // Copyright: (C) 2010 Nicolas Palix, DIKU. !! 6 // Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. 8 // Copyright: (C) 2010 Julia Lawall, DIKU. !! 7 // Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. 9 // Copyright: (C) 2010 Gilles Muller, INRIA/Li !! 8 // Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. 10 // URL: https://coccinelle.gitlabpages.inria.f !! 9 // URL: http://coccinelle.lip6.fr/ 11 // Comments: -I ... -all_includes can give mor 10 // Comments: -I ... -all_includes can give more complete results 12 // Options: 11 // Options: 13 12 14 virtual context 13 virtual context 15 virtual org 14 virtual org 16 virtual report 15 virtual report 17 16 >> 17 @ifm@ >> 18 expression *E; >> 19 statement S1,S2; >> 20 position p1; >> 21 @@ >> 22 >> 23 if@p1 ((E == NULL && ...) || ...) S1 else S2 >> 24 18 // The following two rules are separate, becau 25 // The following two rules are separate, because both can match a single 19 // expression in different ways 26 // expression in different ways 20 @pr1 expression@ 27 @pr1 expression@ 21 expression E; !! 28 expression *ifm.E; 22 identifier f; 29 identifier f; 23 position p1; 30 position p1; 24 @@ 31 @@ 25 32 26 (E != NULL && ...) ? <+...E->f@p1...+> : ... 33 (E != NULL && ...) ? <+...E->f@p1...+> : ... 27 34 28 @pr2 expression@ 35 @pr2 expression@ 29 expression E; !! 36 expression *ifm.E; 30 identifier f; 37 identifier f; 31 position p2; 38 position p2; 32 @@ 39 @@ 33 40 34 ( 41 ( 35 (E != NULL) && ... && <+...E->f@p2...+> 42 (E != NULL) && ... && <+...E->f@p2...+> 36 | 43 | 37 (E == NULL) || ... || <+...E->f@p2...+> 44 (E == NULL) || ... 
|| <+...E->f@p2...+> 38 | 45 | 39 sizeof(<+...E->f@p2...+>) 46 sizeof(<+...E->f@p2...+>) 40 ) 47 ) 41 48 42 @ifm@ << 43 expression *E; << 44 statement S1,S2; << 45 position p1; << 46 @@ << 47 << 48 if@p1 ((E == NULL && ...) || ...) S1 else S2 << 49 << 50 // For org and report modes 49 // For org and report modes 51 50 52 @r depends on !context && (org || report) exis 51 @r depends on !context && (org || report) exists@ 53 expression subE <= ifm.E; 52 expression subE <= ifm.E; 54 expression *ifm.E; 53 expression *ifm.E; 55 expression E1,E2; 54 expression E1,E2; 56 identifier f; 55 identifier f; 57 statement S1,S2,S3,S4; 56 statement S1,S2,S3,S4; 58 iterator iter; 57 iterator iter; 59 position p!={pr1.p1,pr2.p2}; 58 position p!={pr1.p1,pr2.p2}; 60 position ifm.p1; 59 position ifm.p1; 61 @@ 60 @@ 62 61 63 if@p1 ((E == NULL && ...) || ...) 62 if@p1 ((E == NULL && ...) || ...) 64 { 63 { 65 ... when != if (...) S1 else S2 64 ... when != if (...) S1 else S2 66 ( 65 ( 67 iter(subE,...) S4 // no use 66 iter(subE,...) S4 // no use 68 | 67 | 69 list_remove_head(E2,subE,...) 68 list_remove_head(E2,subE,...) 70 | 69 | 71 subE = E1 70 subE = E1 72 | 71 | 73 for(subE = E1;...;...) S4 72 for(subE = E1;...;...) S4 74 | 73 | 75 subE++ 74 subE++ 76 | 75 | 77 ++subE 76 ++subE 78 | 77 | 79 --subE 78 --subE 80 | 79 | 81 subE-- 80 subE-- 82 | 81 | 83 &subE 82 &subE 84 | 83 | 85 E->f@p // bad use 84 E->f@p // bad use 86 ) 85 ) 87 ... when any 86 ... when any 88 return ...; 87 return ...; 89 } 88 } 90 else S3 89 else S3 91 90 92 @script:python depends on !context && !org && 91 @script:python depends on !context && !org && report@ 93 p << r.p; 92 p << r.p; 94 p1 << ifm.p1; 93 p1 << ifm.p1; 95 x << ifm.E; 94 x << ifm.E; 96 @@ 95 @@ 97 96 98 msg="ERROR: %s is NULL but dereferenced." % (x 97 msg="ERROR: %s is NULL but dereferenced." 
% (x) 99 coccilib.report.print_report(p[0], msg) 98 coccilib.report.print_report(p[0], msg) 100 cocci.include_match(False) 99 cocci.include_match(False) 101 100 102 @script:python depends on !context && org && ! 101 @script:python depends on !context && org && !report@ 103 p << r.p; 102 p << r.p; 104 p1 << ifm.p1; 103 p1 << ifm.p1; 105 x << ifm.E; 104 x << ifm.E; 106 @@ 105 @@ 107 106 108 msg="ERROR: %s is NULL but dereferenced." % (x 107 msg="ERROR: %s is NULL but dereferenced." % (x) 109 msg_safe=msg.replace("[","@(").replace("]",")" 108 msg_safe=msg.replace("[","@(").replace("]",")") 110 cocci.print_main(msg_safe,p) 109 cocci.print_main(msg_safe,p) 111 cocci.include_match(False) 110 cocci.include_match(False) 112 111 113 @s depends on !context && (org || report) exis 112 @s depends on !context && (org || report) exists@ 114 expression subE <= ifm.E; 113 expression subE <= ifm.E; 115 expression *ifm.E; 114 expression *ifm.E; 116 expression E1,E2; 115 expression E1,E2; 117 identifier f; 116 identifier f; 118 statement S1,S2,S3,S4; 117 statement S1,S2,S3,S4; 119 iterator iter; 118 iterator iter; 120 position p!={pr1.p1,pr2.p2}; 119 position p!={pr1.p1,pr2.p2}; 121 position ifm.p1; 120 position ifm.p1; 122 @@ 121 @@ 123 122 124 if@p1 ((E == NULL && ...) || ...) 123 if@p1 ((E == NULL && ...) || ...) 125 { 124 { 126 ... when != if (...) S1 else S2 125 ... when != if (...) S1 else S2 127 ( 126 ( 128 iter(subE,...) S4 // no use 127 iter(subE,...) S4 // no use 129 | 128 | 130 list_remove_head(E2,subE,...) 129 list_remove_head(E2,subE,...) 131 | 130 | 132 subE = E1 131 subE = E1 133 | 132 | 134 for(subE = E1;...;...) S4 133 for(subE = E1;...;...) S4 135 | 134 | 136 subE++ 135 subE++ 137 | 136 | 138 ++subE 137 ++subE 139 | 138 | 140 --subE 139 --subE 141 | 140 | 142 subE-- 141 subE-- 143 | 142 | 144 &subE 143 &subE 145 | 144 | 146 E->f@p // bad use 145 E->f@p // bad use 147 ) 146 ) 148 ... when any 147 ... 
when any 149 } 148 } 150 else S3 149 else S3 151 150 152 @script:python depends on !context && !org && 151 @script:python depends on !context && !org && report@ 153 p << s.p; 152 p << s.p; 154 p1 << ifm.p1; 153 p1 << ifm.p1; 155 x << ifm.E; 154 x << ifm.E; 156 @@ 155 @@ 157 156 158 msg="ERROR: %s is NULL but dereferenced." % (x 157 msg="ERROR: %s is NULL but dereferenced." % (x) 159 coccilib.report.print_report(p[0], msg) 158 coccilib.report.print_report(p[0], msg) 160 159 161 @script:python depends on !context && org && ! 160 @script:python depends on !context && org && !report@ 162 p << s.p; 161 p << s.p; 163 p1 << ifm.p1; 162 p1 << ifm.p1; 164 x << ifm.E; 163 x << ifm.E; 165 @@ 164 @@ 166 165 167 msg="ERROR: %s is NULL but dereferenced." % (x 166 msg="ERROR: %s is NULL but dereferenced." % (x) 168 msg_safe=msg.replace("[","@(").replace("]",")" 167 msg_safe=msg.replace("[","@(").replace("]",")") 169 cocci.print_main(msg_safe,p) 168 cocci.print_main(msg_safe,p) 170 169 171 // For context mode 170 // For context mode 172 171 173 @depends on context && !org && !report exists@ 172 @depends on context && !org && !report exists@ 174 expression subE <= ifm.E; 173 expression subE <= ifm.E; 175 expression *ifm.E; 174 expression *ifm.E; 176 expression E1,E2; 175 expression E1,E2; 177 identifier f; 176 identifier f; 178 statement S1,S2,S3,S4; 177 statement S1,S2,S3,S4; 179 iterator iter; 178 iterator iter; 180 position p!={pr1.p1,pr2.p2}; 179 position p!={pr1.p1,pr2.p2}; 181 position ifm.p1; 180 position ifm.p1; 182 @@ 181 @@ 183 182 184 if@p1 ((E == NULL && ...) || ...) 183 if@p1 ((E == NULL && ...) || ...) 185 { 184 { 186 ... when != if (...) S1 else S2 185 ... when != if (...) S1 else S2 187 ( 186 ( 188 iter(subE,...) S4 // no use 187 iter(subE,...) S4 // no use 189 | 188 | 190 list_remove_head(E2,subE,...) 189 list_remove_head(E2,subE,...) 191 | 190 | 192 subE = E1 191 subE = E1 193 | 192 | 194 for(subE = E1;...;...) S4 193 for(subE = E1;...;...) 
S4 195 | 194 | 196 subE++ 195 subE++ 197 | 196 | 198 ++subE 197 ++subE 199 | 198 | 200 --subE 199 --subE 201 | 200 | 202 subE-- 201 subE-- 203 | 202 | 204 &subE 203 &subE 205 | 204 | 206 * E->f@p // bad use 205 * E->f@p // bad use 207 ) 206 ) 208 ... when any 207 ... when any 209 return ...; 208 return ...; 210 } 209 } 211 else S3 210 else S3 212 211 213 // The following three rules are duplicates of 212 // The following three rules are duplicates of ifm, pr1 and pr2 respectively. 214 // It is need because the previous rule as alr 213 // It is need because the previous rule as already made a "change". 215 214 216 @pr11 depends on context && !org && !report ex !! 215 @ifm1@ 217 expression E; !! 216 expression *E; >> 217 statement S1,S2; >> 218 position p1; >> 219 @@ >> 220 >> 221 if@p1 ((E == NULL && ...) || ...) S1 else S2 >> 222 >> 223 @pr11 expression@ >> 224 expression *ifm1.E; 218 identifier f; 225 identifier f; 219 position p1; 226 position p1; 220 @@ 227 @@ 221 228 222 (E != NULL && ...) ? <+...E->f@p1...+> : ... 229 (E != NULL && ...) ? <+...E->f@p1...+> : ... 223 230 224 @pr12 depends on context && !org && !report ex !! 231 @pr12 expression@ 225 expression E; !! 232 expression *ifm1.E; 226 identifier f; 233 identifier f; 227 position p2; 234 position p2; 228 @@ 235 @@ 229 236 230 ( 237 ( 231 (E != NULL) && ... && <+...E->f@p2...+> 238 (E != NULL) && ... && <+...E->f@p2...+> 232 | 239 | 233 (E == NULL) || ... || <+...E->f@p2...+> 240 (E == NULL) || ... || <+...E->f@p2...+> 234 | 241 | 235 sizeof(<+...E->f@p2...+>) 242 sizeof(<+...E->f@p2...+>) 236 ) 243 ) 237 << 238 @ifm1 depends on context && !org && !report@ << 239 expression *E; << 240 statement S1,S2; << 241 position p1; << 242 @@ << 243 << 244 if@p1 ((E == NULL && ...) || ...) 
S1 else S2 << 245 244 246 @depends on context && !org && !report exists@ 245 @depends on context && !org && !report exists@ 247 expression subE <= ifm1.E; 246 expression subE <= ifm1.E; 248 expression *ifm1.E; 247 expression *ifm1.E; 249 expression E1,E2; 248 expression E1,E2; 250 identifier f; 249 identifier f; 251 statement S1,S2,S3,S4; 250 statement S1,S2,S3,S4; 252 iterator iter; 251 iterator iter; 253 position p!={pr11.p1,pr12.p2}; 252 position p!={pr11.p1,pr12.p2}; 254 position ifm1.p1; 253 position ifm1.p1; 255 @@ 254 @@ 256 255 257 if@p1 ((E == NULL && ...) || ...) 256 if@p1 ((E == NULL && ...) || ...) 258 { 257 { 259 ... when != if (...) S1 else S2 258 ... when != if (...) S1 else S2 260 ( 259 ( 261 iter(subE,...) S4 // no use 260 iter(subE,...) S4 // no use 262 | 261 | 263 list_remove_head(E2,subE,...) 262 list_remove_head(E2,subE,...) 264 | 263 | 265 subE = E1 264 subE = E1 266 | 265 | 267 for(subE = E1;...;...) S4 266 for(subE = E1;...;...) S4 268 | 267 | 269 subE++ 268 subE++ 270 | 269 | 271 ++subE 270 ++subE 272 | 271 | 273 --subE 272 --subE 274 | 273 | 275 subE-- 274 subE-- 276 | 275 | 277 &subE 276 &subE 278 | 277 | 279 * E->f@p // bad use 278 * E->f@p // bad use 280 ) 279 ) 281 ... when any 280 ... when any 282 } 281 } 283 else S3 282 else S3
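Review bot: The comment above the context-mode duplicates, "The following three rules are duplicates of ifm, pr1 and pr2 respectively", no longer matches the rule order in the left-hand column, where the rules appear as pr11, pr12 and then ifm1. That column carries the SPDX line, so it is presumably the newer revision, but its text is truncated on this page and the ordering is read from the visible rule headers only. Because pr11 and pr12 feed the `position p!={pr11.p1,pr12.p2}` filter that decides which dereferences are suppressed, the mapping should stay readable; I would reword the comment to `// The following three rules are duplicates of pr1, pr2 and ifm respectively.` The next comment line also has typos and would read better as `// They are needed because the previous rule has already made a "change".`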