| Nicolas Palix | 82c4340 | 2010-06-06 17:15:07 +0200 | [diff] [blame] | 1 | /// |
| 2 | /// A variable is dereference under a NULL test. |
| 3 | /// Even though it is know to be NULL. |
| 4 | /// |
| 5 | // Confidence: Moderate |
| 6 | // Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. |
| 7 | // Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. |
| 8 | // Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. |
| 9 | // URL: http://coccinelle.lip6.fr/ |
| 10 | // Comments: -I ... -all_includes can give more complete results |
| 11 | // Options: |
| 12 | |
| 13 | virtual context |
| 14 | virtual patch |
| 15 | virtual org |
| 16 | virtual report |
| 17 | |
| 18 | @initialize:python depends on !context && patch && !org && !report@ |
| 19 | |
| 20 | import sys |
| 21 | print >> sys.stderr, "This semantic patch does not support the 'patch' mode." |
| 22 | |
| 23 | @depends on patch@ |
| 24 | @@ |
| 25 | |
| 26 | this_rule_should_never_matches(); |
| 27 | |
| 28 | @ifm depends on !patch@ |
| 29 | expression *E; |
| 30 | statement S1,S2; |
| 31 | position p1; |
| 32 | @@ |
| 33 | |
| 34 | if@p1 ((E == NULL && ...) || ...) S1 else S2 |
| 35 | |
| 36 | // The following two rules are separate, because both can match a single |
| 37 | // expression in different ways |
| 38 | @pr1 depends on !patch expression@ |
| 39 | expression *ifm.E; |
| 40 | identifier f; |
| 41 | position p1; |
| 42 | @@ |
| 43 | |
| 44 | (E != NULL && ...) ? <+...E->f@p1...+> : ... |
| 45 | |
| 46 | @pr2 depends on !patch expression@ |
| 47 | expression *ifm.E; |
| 48 | identifier f; |
| 49 | position p2; |
| 50 | @@ |
| 51 | |
| 52 | ( |
| 53 | (E != NULL) && ... && <+...E->f@p2...+> |
| 54 | | |
| 55 | (E == NULL) || ... || <+...E->f@p2...+> |
| 56 | | |
| 57 | sizeof(<+...E->f@p2...+>) |
| 58 | ) |
| 59 | |
| 60 | // For org and report modes |
| 61 | |
| 62 | @r depends on !context && !patch && (org || report) exists@ |
| 63 | expression subE <= ifm.E; |
| 64 | expression *ifm.E; |
| 65 | expression E1,E2; |
| 66 | identifier f; |
| 67 | statement S1,S2,S3,S4; |
| 68 | iterator iter; |
| 69 | position p!={pr1.p1,pr2.p2}; |
| 70 | position ifm.p1; |
| 71 | @@ |
| 72 | |
| 73 | if@p1 ((E == NULL && ...) || ...) |
| 74 | { |
| 75 | ... when != if (...) S1 else S2 |
| 76 | ( |
| 77 | iter(subE,...) S4 // no use |
| 78 | | |
| 79 | list_remove_head(E2,subE,...) |
| 80 | | |
| 81 | subE = E1 |
| 82 | | |
| 83 | for(subE = E1;...;...) S4 |
| 84 | | |
| 85 | subE++ |
| 86 | | |
| 87 | ++subE |
| 88 | | |
| 89 | --subE |
| 90 | | |
| 91 | subE-- |
| 92 | | |
| 93 | &subE |
| 94 | | |
| 95 | E->f@p // bad use |
| 96 | ) |
| 97 | ... when any |
| 98 | return ...; |
| 99 | } |
| 100 | else S3 |
| 101 | |
| 102 | @script:python depends on !context && !patch && !org && report@ |
| 103 | p << r.p; |
| 104 | p1 << ifm.p1; |
| 105 | x << ifm.E; |
| 106 | @@ |
| 107 | |
| 108 | msg="ERROR: %s is NULL but dereferenced." % (x) |
| 109 | coccilib.report.print_report(p[0], msg) |
| 110 | cocci.include_match(False) |
| 111 | |
| 112 | @script:python depends on !context && !patch && org && !report@ |
| 113 | p << r.p; |
| 114 | p1 << ifm.p1; |
| 115 | x << ifm.E; |
| 116 | @@ |
| 117 | |
| 118 | msg="ERROR: %s is NULL but dereferenced." % (x) |
| 119 | msg_safe=msg.replace("[","@(").replace("]",")") |
| 120 | cocci.print_main(msg_safe,p) |
| 121 | cocci.include_match(False) |
| 122 | |
| 123 | @s depends on !context && !patch && (org || report) exists@ |
| 124 | expression subE <= ifm.E; |
| 125 | expression *ifm.E; |
| 126 | expression E1,E2; |
| 127 | identifier f; |
| 128 | statement S1,S2,S3,S4; |
| 129 | iterator iter; |
| 130 | position p!={pr1.p1,pr2.p2}; |
| 131 | position ifm.p1; |
| 132 | @@ |
| 133 | |
| 134 | if@p1 ((E == NULL && ...) || ...) |
| 135 | { |
| 136 | ... when != if (...) S1 else S2 |
| 137 | ( |
| 138 | iter(subE,...) S4 // no use |
| 139 | | |
| 140 | list_remove_head(E2,subE,...) |
| 141 | | |
| 142 | subE = E1 |
| 143 | | |
| 144 | for(subE = E1;...;...) S4 |
| 145 | | |
| 146 | subE++ |
| 147 | | |
| 148 | ++subE |
| 149 | | |
| 150 | --subE |
| 151 | | |
| 152 | subE-- |
| 153 | | |
| 154 | &subE |
| 155 | | |
| 156 | E->f@p // bad use |
| 157 | ) |
| 158 | ... when any |
| 159 | } |
| 160 | else S3 |
| 161 | |
| 162 | @script:python depends on !context && !patch && !org && report@ |
| 163 | p << s.p; |
| 164 | p1 << ifm.p1; |
| 165 | x << ifm.E; |
| 166 | @@ |
| 167 | |
| 168 | msg="ERROR: %s is NULL but dereferenced." % (x) |
| 169 | coccilib.report.print_report(p[0], msg) |
| 170 | |
| 171 | @script:python depends on !context && !patch && org && !report@ |
| 172 | p << s.p; |
| 173 | p1 << ifm.p1; |
| 174 | x << ifm.E; |
| 175 | @@ |
| 176 | |
| 177 | msg="ERROR: %s is NULL but dereferenced." % (x) |
| 178 | msg_safe=msg.replace("[","@(").replace("]",")") |
| 179 | cocci.print_main(msg_safe,p) |
| 180 | |
| 181 | // For context mode |
| 182 | |
| 183 | @depends on context && !patch && !org && !report exists@ |
| 184 | expression subE <= ifm.E; |
| 185 | expression *ifm.E; |
| 186 | expression E1,E2; |
| 187 | identifier f; |
| 188 | statement S1,S2,S3,S4; |
| 189 | iterator iter; |
| 190 | position p!={pr1.p1,pr2.p2}; |
| 191 | position ifm.p1; |
| 192 | @@ |
| 193 | |
| 194 | if@p1 ((E == NULL && ...) || ...) |
| 195 | { |
| 196 | ... when != if (...) S1 else S2 |
| 197 | ( |
| 198 | iter(subE,...) S4 // no use |
| 199 | | |
| 200 | list_remove_head(E2,subE,...) |
| 201 | | |
| 202 | subE = E1 |
| 203 | | |
| 204 | for(subE = E1;...;...) S4 |
| 205 | | |
| 206 | subE++ |
| 207 | | |
| 208 | ++subE |
| 209 | | |
| 210 | --subE |
| 211 | | |
| 212 | subE-- |
| 213 | | |
| 214 | &subE |
| 215 | | |
| 216 | * E->f@p // bad use |
| 217 | ) |
| 218 | ... when any |
| 219 | return ...; |
| 220 | } |
| 221 | else S3 |
| 222 | |
| 223 | // The following three rules are duplicates of ifm, pr1 and pr2 respectively. |
| 224 | // It is need because the previous rule as already made a "change". |
| 225 | |
| 226 | @ifm1 depends on !patch@ |
| 227 | expression *E; |
| 228 | statement S1,S2; |
| 229 | position p1; |
| 230 | @@ |
| 231 | |
| 232 | if@p1 ((E == NULL && ...) || ...) S1 else S2 |
| 233 | |
| 234 | @pr11 depends on !patch expression@ |
| 235 | expression *ifm1.E; |
| 236 | identifier f; |
| 237 | position p1; |
| 238 | @@ |
| 239 | |
| 240 | (E != NULL && ...) ? <+...E->f@p1...+> : ... |
| 241 | |
| 242 | @pr12 depends on !patch expression@ |
| 243 | expression *ifm1.E; |
| 244 | identifier f; |
| 245 | position p2; |
| 246 | @@ |
| 247 | |
| 248 | ( |
| 249 | (E != NULL) && ... && <+...E->f@p2...+> |
| 250 | | |
| 251 | (E == NULL) || ... || <+...E->f@p2...+> |
| 252 | | |
| 253 | sizeof(<+...E->f@p2...+>) |
| 254 | ) |
| 255 | |
| 256 | @depends on context && !patch && !org && !report exists@ |
| 257 | expression subE <= ifm1.E; |
| 258 | expression *ifm1.E; |
| 259 | expression E1,E2; |
| 260 | identifier f; |
| 261 | statement S1,S2,S3,S4; |
| 262 | iterator iter; |
| 263 | position p!={pr11.p1,pr12.p2}; |
| 264 | position ifm1.p1; |
| 265 | @@ |
| 266 | |
| 267 | if@p1 ((E == NULL && ...) || ...) |
| 268 | { |
| 269 | ... when != if (...) S1 else S2 |
| 270 | ( |
| 271 | iter(subE,...) S4 // no use |
| 272 | | |
| 273 | list_remove_head(E2,subE,...) |
| 274 | | |
| 275 | subE = E1 |
| 276 | | |
| 277 | for(subE = E1;...;...) S4 |
| 278 | | |
| 279 | subE++ |
| 280 | | |
| 281 | ++subE |
| 282 | | |
| 283 | --subE |
| 284 | | |
| 285 | subE-- |
| 286 | | |
| 287 | &subE |
| 288 | | |
| 289 | * E->f@p // bad use |
| 290 | ) |
| 291 | ... when any |
| 292 | } |
| 293 | else S3 |