forked from luck/tmp_suning_uos_patched
21195f8e9a
Move rules looking for some special cases of safe dereferences before the collection of NULL-tested values. The special cases are fairly rare, but somewhat costly to find, because isomorphisms create many variants of the rules. There is thus no need to search for them over and over for each NULL tested expression. Collecting them just once is sufficient and more efficient. Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
283 lines
4.4 KiB
Plaintext
283 lines
4.4 KiB
Plaintext
///
|
|
/// A variable is dereferenced under a NULL test.
|
|
/// Even though it is known to be NULL.
|
|
///
|
|
// Confidence: Moderate
|
|
// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2.
|
|
// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2.
|
|
// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2.
|
|
// URL: http://coccinelle.lip6.fr/
|
|
// Comments: -I ... -all_includes can give more complete results
|
|
// Options:
|
|
|
|
virtual context
|
|
virtual org
|
|
virtual report
|
|
|
|
// The following two rules are separate, because both can match a single
|
|
// expression in different ways
|
|
@pr1 expression@
|
|
expression E;
|
|
identifier f;
|
|
position p1;
|
|
@@
|
|
|
|
(E != NULL && ...) ? <+...E->f@p1...+> : ...
|
|
|
|
@pr2 expression@
|
|
expression E;
|
|
identifier f;
|
|
position p2;
|
|
@@
|
|
|
|
(
|
|
(E != NULL) && ... && <+...E->f@p2...+>
|
|
|
|
|
(E == NULL) || ... || <+...E->f@p2...+>
|
|
|
|
|
sizeof(<+...E->f@p2...+>)
|
|
)
|
|
|
|
@ifm@
|
|
expression *E;
|
|
statement S1,S2;
|
|
position p1;
|
|
@@
|
|
|
|
if@p1 ((E == NULL && ...) || ...) S1 else S2
|
|
|
|
// For org and report modes
|
|
|
|
@r depends on !context && (org || report) exists@
|
|
expression subE <= ifm.E;
|
|
expression *ifm.E;
|
|
expression E1,E2;
|
|
identifier f;
|
|
statement S1,S2,S3,S4;
|
|
iterator iter;
|
|
position p!={pr1.p1,pr2.p2};
|
|
position ifm.p1;
|
|
@@
|
|
|
|
if@p1 ((E == NULL && ...) || ...)
|
|
{
|
|
... when != if (...) S1 else S2
|
|
(
|
|
iter(subE,...) S4 // no use
|
|
|
|
|
list_remove_head(E2,subE,...)
|
|
|
|
|
subE = E1
|
|
|
|
|
for(subE = E1;...;...) S4
|
|
|
|
|
subE++
|
|
|
|
|
++subE
|
|
|
|
|
--subE
|
|
|
|
|
subE--
|
|
|
|
|
&subE
|
|
|
|
|
E->f@p // bad use
|
|
)
|
|
... when any
|
|
return ...;
|
|
}
|
|
else S3
|
|
|
|
@script:python depends on !context && !org && report@
|
|
p << r.p;
|
|
p1 << ifm.p1;
|
|
x << ifm.E;
|
|
@@
|
|
|
|
msg="ERROR: %s is NULL but dereferenced." % (x)
|
|
coccilib.report.print_report(p[0], msg)
|
|
cocci.include_match(False)
|
|
|
|
@script:python depends on !context && org && !report@
|
|
p << r.p;
|
|
p1 << ifm.p1;
|
|
x << ifm.E;
|
|
@@
|
|
|
|
msg="ERROR: %s is NULL but dereferenced." % (x)
|
|
msg_safe=msg.replace("[","@(").replace("]",")")
|
|
cocci.print_main(msg_safe,p)
|
|
cocci.include_match(False)
|
|
|
|
@s depends on !context && (org || report) exists@
|
|
expression subE <= ifm.E;
|
|
expression *ifm.E;
|
|
expression E1,E2;
|
|
identifier f;
|
|
statement S1,S2,S3,S4;
|
|
iterator iter;
|
|
position p!={pr1.p1,pr2.p2};
|
|
position ifm.p1;
|
|
@@
|
|
|
|
if@p1 ((E == NULL && ...) || ...)
|
|
{
|
|
... when != if (...) S1 else S2
|
|
(
|
|
iter(subE,...) S4 // no use
|
|
|
|
|
list_remove_head(E2,subE,...)
|
|
|
|
|
subE = E1
|
|
|
|
|
for(subE = E1;...;...) S4
|
|
|
|
|
subE++
|
|
|
|
|
++subE
|
|
|
|
|
--subE
|
|
|
|
|
subE--
|
|
|
|
|
&subE
|
|
|
|
|
E->f@p // bad use
|
|
)
|
|
... when any
|
|
}
|
|
else S3
|
|
|
|
@script:python depends on !context && !org && report@
|
|
p << s.p;
|
|
p1 << ifm.p1;
|
|
x << ifm.E;
|
|
@@
|
|
|
|
msg="ERROR: %s is NULL but dereferenced." % (x)
|
|
coccilib.report.print_report(p[0], msg)
|
|
|
|
@script:python depends on !context && org && !report@
|
|
p << s.p;
|
|
p1 << ifm.p1;
|
|
x << ifm.E;
|
|
@@
|
|
|
|
msg="ERROR: %s is NULL but dereferenced." % (x)
|
|
msg_safe=msg.replace("[","@(").replace("]",")")
|
|
cocci.print_main(msg_safe,p)
|
|
|
|
// For context mode
|
|
|
|
@depends on context && !org && !report exists@
|
|
expression subE <= ifm.E;
|
|
expression *ifm.E;
|
|
expression E1,E2;
|
|
identifier f;
|
|
statement S1,S2,S3,S4;
|
|
iterator iter;
|
|
position p!={pr1.p1,pr2.p2};
|
|
position ifm.p1;
|
|
@@
|
|
|
|
if@p1 ((E == NULL && ...) || ...)
|
|
{
|
|
... when != if (...) S1 else S2
|
|
(
|
|
iter(subE,...) S4 // no use
|
|
|
|
|
list_remove_head(E2,subE,...)
|
|
|
|
|
subE = E1
|
|
|
|
|
for(subE = E1;...;...) S4
|
|
|
|
|
subE++
|
|
|
|
|
++subE
|
|
|
|
|
--subE
|
|
|
|
|
subE--
|
|
|
|
|
&subE
|
|
|
|
|
* E->f@p // bad use
|
|
)
|
|
... when any
|
|
return ...;
|
|
}
|
|
else S3
|
|
|
|
// The following three rules are duplicates of ifm, pr1 and pr2 respectively.
|
|
// It is need because the previous rule as already made a "change".
|
|
|
|
@pr11 depends on context && !org && !report expression@
|
|
expression E;
|
|
identifier f;
|
|
position p1;
|
|
@@
|
|
|
|
(E != NULL && ...) ? <+...E->f@p1...+> : ...
|
|
|
|
@pr12 depends on context && !org && !report expression@
|
|
expression E;
|
|
identifier f;
|
|
position p2;
|
|
@@
|
|
|
|
(
|
|
(E != NULL) && ... && <+...E->f@p2...+>
|
|
|
|
|
(E == NULL) || ... || <+...E->f@p2...+>
|
|
|
|
|
sizeof(<+...E->f@p2...+>)
|
|
)
|
|
|
|
@ifm1 depends on context && !org && !report@
|
|
expression *E;
|
|
statement S1,S2;
|
|
position p1;
|
|
@@
|
|
|
|
if@p1 ((E == NULL && ...) || ...) S1 else S2
|
|
|
|
@depends on context && !org && !report exists@
|
|
expression subE <= ifm1.E;
|
|
expression *ifm1.E;
|
|
expression E1,E2;
|
|
identifier f;
|
|
statement S1,S2,S3,S4;
|
|
iterator iter;
|
|
position p!={pr11.p1,pr12.p2};
|
|
position ifm1.p1;
|
|
@@
|
|
|
|
if@p1 ((E == NULL && ...) || ...)
|
|
{
|
|
... when != if (...) S1 else S2
|
|
(
|
|
iter(subE,...) S4 // no use
|
|
|
|
|
list_remove_head(E2,subE,...)
|
|
|
|
|
subE = E1
|
|
|
|
|
for(subE = E1;...;...) S4
|
|
|
|
|
subE++
|
|
|
|
|
++subE
|
|
|
|
|
--subE
|
|
|
|
|
subE--
|
|
|
|
|
&subE
|
|
|
|
|
* E->f@p // bad use
|
|
)
|
|
... when any
|
|
}
|
|
else S3
|