///
/// A variable is dereferenced in the branch guarded by a NULL test,
/// even though it is known to be NULL there.
///
5 | // Confidence: Moderate | |
6 | // Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. | |
7 | // Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. | |
8 | // Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. | |
9 | // URL: http://coccinelle.lip6.fr/ | |
10 | // Comments: -I ... -all_includes can give more complete results | |
11 | // Options: | |
12 | ||
// Virtual rule names. Nothing in this file sets them; they are enabled from
// the spatch command line (-D <name>) and tested in the "depends on" clauses
// below to select context, org or report output.
virtual context
virtual org
virtual report
16 | ||
// ifm: locate an if/else whose condition contains the test "E == NULL" for a
// pointer-typed expression E; the pattern is written as
// (E == NULL && ...) || ..., so the test may be combined with others.
// Binds E and the position p1 of the "if"; later rules inherit both.
@ifm@
expression *E;
statement S1,S2;
position p1;
@@

if@p1 ((E == NULL && ...) || ...) S1 else S2
24 | ||
25 | // The following two rules are separate, because both can match a single | |
26 | // expression in different ways | |
// pr1: record as p1 every dereference E->f that sits in the true arm of a
// conditional expression whose test includes "E != NULL". The reporting
// rules exclude these positions (position p!={pr1.p1,pr2.p2}), so a
// dereference guarded this way is not flagged.
@pr1 expression@
expression *ifm.E;
identifier f;
position p1;
@@

(E != NULL && ...) ? <+...E->f@p1...+> : ...
34 | ||
// pr2: record as p2 every dereference E->f found in one of three forms:
//   - to the right of "(E != NULL) && ...",
//   - to the right of "(E == NULL) || ...",
//   - inside the operand of sizeof.
// Like pr1.p1, these positions are excluded by the reporting rules.
// NOTE(review): the first two forms rely on short-circuit evaluation and the
// third on sizeof normally not evaluating its operand — that reasoning is
// inferred, the file does not state it.
@pr2 expression@
expression *ifm.E;
identifier f;
position p2;
@@

(
(E != NULL) && ... && <+...E->f@p2...+>
|
(E == NULL) || ... || <+...E->f@p2...+>
|
sizeof(<+...E->f@p2...+>)
)
48 | ||
49 | // For org and report modes | |
50 | ||
// r: active in org or report mode, never in context mode. Looks inside the
// branch taken when the test found by ifm holds (same position p1) for a
// dereference E->f at a position p that pr1/pr2 did not record as guarded.
//   - "exists": one matching control-flow path is enough.
//   - subE is constrained to be a subexpression of E (subE <= ifm.E).
//   - "when != if (...) S1 else S2": no if/else may occur before the match.
//   - The alternatives marked "no use" (iterator call, list_remove_head,
//     assignment, for-initialiser, ++/--, address-of) are listed ahead of the
//     "bad use" alternative; presumably they stop a report when E or part of
//     it may have been given a new value first — confirm.
//   - This variant additionally requires the branch to reach "return ...;".
// The file header rates this check "Confidence: Moderate", so each hit is a
// candidate NULL dereference to be confirmed by reading the code.
@r depends on !context && (org || report) exists@
expression subE <= ifm.E;
expression *ifm.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr1.p1,pr2.p2};
position ifm.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
(
  iter(subE,...) S4 // no use
|
  list_remove_head(E2,subE,...)
|
  subE = E1
|
  for(subE = E1;...;...) S4
|
  subE++
|
  ++subE
|
  --subE
|
  subE--
|
  &subE
|
  E->f@p // bad use
)
  ... when any
  return ...;
}
else S3
90 | ||
// Report-mode output for rule r: runs only when report is set and context
// and org are not. Inherits the dereference position r.p, the position of
// the NULL test ifm.p1 and the tested expression ifm.E.
@script:python depends on !context && !org && report@
p << r.p;
p1 << ifm.p1;
x << ifm.E;
@@

# Only p[0] is passed to the reporter; p1 is inherited but not used below.
msg="ERROR: %s is NULL but dereferenced." % (x)
coccilib.report.print_report(p[0], msg)
# Discard this match's bindings once it is reported — presumably so that
# rule s, which matches the same pattern without the trailing return, does
# not report the same dereference again (confirm).
cocci.include_match(False)
100 | ||
// Org-mode output for rule r: runs only when org is set and context and
// report are not. Inherits r.p, ifm.p1 and ifm.E.
@script:python depends on !context && org && !report@
p << r.p;
p1 << ifm.p1;
x << ifm.E;
@@

msg="ERROR: %s is NULL but dereferenced." % (x)
# Rewrite "[" as "@(" and "]" as ")" in the message before printing —
# presumably because square brackets clash with org-mode link syntax (confirm).
msg_safe=msg.replace("[","@(").replace("]",")")
# p1 is inherited but not used; the whole position list p is printed.
cocci.print_main(msg_safe,p)
# Discard this match's bindings once it is reported — presumably so that
# rule s does not report the same dereference again (confirm).
cocci.include_match(False)
111 | ||
// s: same search as rule r (org or report mode, branch guarded by the NULL
// test from ifm, dereference E->f at a position not recorded by pr1/pr2),
// but without the requirement that the branch reaches "return ...;".
// The "no use" alternatives are listed ahead of the "bad use" one, as in r.
@s depends on !context && (org || report) exists@
expression subE <= ifm.E;
expression *ifm.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr1.p1,pr2.p2};
position ifm.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
(
  iter(subE,...) S4 // no use
|
  list_remove_head(E2,subE,...)
|
  subE = E1
|
  for(subE = E1;...;...) S4
|
  subE++
|
  ++subE
|
  --subE
|
  subE--
|
  &subE
|
  E->f@p // bad use
)
  ... when any
}
else S3
150 | ||
// Report-mode output for rule s: runs only when report is set and context
// and org are not. Inherits s.p, ifm.p1 and ifm.E.
@script:python depends on !context && !org && report@
p << s.p;
p1 << ifm.p1;
x << ifm.E;
@@

# Only p[0] is passed to the reporter; p1 is inherited but not used below.
# Unlike the script for rule r, this one does not call cocci.include_match.
msg="ERROR: %s is NULL but dereferenced." % (x)
coccilib.report.print_report(p[0], msg)
159 | ||
// Org-mode output for rule s: runs only when org is set and context and
// report are not. Inherits s.p, ifm.p1 and ifm.E.
@script:python depends on !context && org && !report@
p << s.p;
p1 << ifm.p1;
x << ifm.E;
@@

msg="ERROR: %s is NULL but dereferenced." % (x)
# Rewrite "[" as "@(" and "]" as ")" in the message before printing —
# presumably because square brackets clash with org-mode link syntax (confirm).
msg_safe=msg.replace("[","@(").replace("]",")")
# p1 is inherited but not used; the whole position list p is printed.
cocci.print_main(msg_safe,p)
169 | ||
170 | // For context mode | |
171 | ||
// Context-mode counterpart of rule r (anonymous rule): runs only when
// context is set and org and report are not. The search is the same —
// branch guarded by the NULL test from ifm, dereference at a position not
// recorded by pr1/pr2, branch reaching "return ...;" — but the dereference
// is marked with "*" in the first column instead of being handed to a
// script. The "*" must stay in column 0.
@depends on context && !org && !report exists@
expression subE <= ifm.E;
expression *ifm.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr1.p1,pr2.p2};
position ifm.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
(
  iter(subE,...) S4 // no use
|
  list_remove_head(E2,subE,...)
|
  subE = E1
|
  for(subE = E1;...;...) S4
|
  subE++
|
  ++subE
|
  --subE
|
  subE--
|
  &subE
|
* E->f@p // bad use
)
  ... when any
  return ...;
}
else S3
211 | ||
// The following three rules are duplicates of ifm, pr1 and pr2 respectively.
// They are needed because the previous rule has already made a "change".
214 | ||
// ifm1: same pattern as ifm, restricted to context mode. Binds E and p1 for
// pr11, pr12 and the final context rule.
@ifm1 depends on context && !org && !report@
expression *E;
statement S1,S2;
position p1;
@@

if@p1 ((E == NULL && ...) || ...) S1 else S2
222 | ||
// pr11: same pattern as pr1, restricted to context mode and inheriting E
// from ifm1. Records as p1 each dereference E->f in the true arm of a
// conditional expression whose test includes "E != NULL".
@pr11 depends on context && !org && !report expression@
expression *ifm1.E;
identifier f;
position p1;
@@

(E != NULL && ...) ? <+...E->f@p1...+> : ...
230 | ||
// pr12: same pattern as pr2, restricted to context mode and inheriting E
// from ifm1. Records as p2 each dereference E->f to the right of
// "(E != NULL) && ...", to the right of "(E == NULL) || ...", or inside the
// operand of sizeof.
@pr12 depends on context && !org && !report expression@
expression *ifm1.E;
identifier f;
position p2;
@@

(
(E != NULL) && ... && <+...E->f@p2...+>
|
(E == NULL) || ... || <+...E->f@p2...+>
|
sizeof(<+...E->f@p2...+>)
)
244 | ||
// Context-mode counterpart of rule s (anonymous rule): runs only when
// context is set and org and report are not. Uses the bindings of ifm1 and
// excludes the positions recorded by pr11/pr12. Same search as the earlier
// context rule but without the requirement that the branch reaches
// "return ...;". The dereference is marked with "*" in the first column;
// the "*" must stay in column 0.
@depends on context && !org && !report exists@
expression subE <= ifm1.E;
expression *ifm1.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr11.p1,pr12.p2};
position ifm1.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
(
  iter(subE,...) S4 // no use
|
  list_remove_head(E2,subE,...)
|
  subE = E1
|
  for(subE = E1;...;...) S4
|
  subE++
|
  ++subE
|
  --subE
|
  subE--
|
  &subE
|
* E->f@p // bad use
)
  ... when any
}
else S3
282 | else S3 |