///
/// A variable is dereferenced under a NULL test,
/// even though it is known to be NULL.
///
// Confidence: Moderate
// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2.
// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2.
// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2.
// URL: http://coccinelle.lip6.fr/
// Comments: -I ... -all_includes can give more complete results
// Options:

virtual context
virtual org
virtual report

// ifm: every if statement whose test contains "E == NULL" as a conjunct of
// one of its disjuncts. p1 marks that if. The rules below inherit E and p1
// from here, so E is the pointer that is NULL inside the then branch.
@ifm@
expression *E;
statement S1,S2;
position p1;
@@

if@p1 ((E == NULL && ...) || ...) S1 else S2

// The following two rules are separate, because both can match a single
// expression in different ways.
// pr1 and pr2 record the positions of dereferences E->f that are not bugs:
// guarded by a preceding E != NULL, placed after an E == NULL in a
// disjunction, or only used under sizeof. The reporting rules below exclude
// these positions via "position p!={pr1.p1,pr2.p2}".
@pr1 expression@
expression *ifm.E;
identifier f;
position p1;
@@

 (E != NULL && ...) ? <+...E->f@p1...+> : ...

@pr2 expression@
expression *ifm.E;
identifier f;
position p2;
@@

(
 (E != NULL) && ... && <+...E->f@p2...+>
|
 (E == NULL) || ... || <+...E->f@p2...+>
|
 sizeof(<+...E->f@p2...+>)
)

// For org and report modes

// r: on some path (exists) through the then branch of an ifm if, with no
// nested if/else on the way, E is dereferenced (E->f@p, "bad use") and the
// path afterwards reaches a return. The other alternatives ("no use") are an
// assignment to, increment/decrement of, address-taking of, or iterator use
// of E or one of its sub-expressions (subE <= ifm.E); when one of them
// matches, p stays unbound, so presumably only the E->f alternative reaches
// the script rules below (which require r.p).
@r depends on !context && (org || report) exists@
expression subE <= ifm.E;
expression *ifm.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr1.p1,pr2.p2};
position ifm.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
 ... when != if (...) S1 else S2
(
 iter(subE,...) S4 // no use
|
 list_remove_head(E2,subE,...)
|
 subE = E1
|
 for(subE = E1;...;...) S4
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
 E->f@p // bad use
)
 ... when any
 return ...;
}
else S3

// Report mode output for r. cocci.include_match(False) drops this binding
// environment after printing; presumably so that rule s, which matches the
// same dereference without requiring a return, does not report it a second
// time -- NOTE(review): confirm against the Coccinelle script API.
@script:python depends on !context && !org && report@
p << r.p;
p1 << ifm.p1;
x << ifm.E;
@@

msg="ERROR: %s is NULL but dereferenced." % (x)
coccilib.report.print_report(p[0], msg)
cocci.include_match(False)

// Org mode output for r. Square brackets are rewritten because they would
// be read as link syntax in org-mode output.
@script:python depends on !context && org && !report@
p << r.p;
p1 << ifm.p1;
x << ifm.E;
@@

msg="ERROR: %s is NULL but dereferenced." % (x)
msg_safe=msg.replace("[","@(").replace("]",")")
cocci.print_main(msg_safe,p)
cocci.include_match(False)

// s: identical to r except that the path after the dereference is not
// required to end in a return.
@s depends on !context && (org || report) exists@
expression subE <= ifm.E;
expression *ifm.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr1.p1,pr2.p2};
position ifm.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
 ... when != if (...) S1 else S2
(
 iter(subE,...) S4 // no use
|
 list_remove_head(E2,subE,...)
|
 subE = E1
|
 for(subE = E1;...;...) S4
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
 E->f@p // bad use
)
 ... when any
}
else S3

// Report mode output for s (no include_match call here).
@script:python depends on !context && !org && report@
p << s.p;
p1 << ifm.p1;
x << ifm.E;
@@

msg="ERROR: %s is NULL but dereferenced." % (x)
coccilib.report.print_report(p[0], msg)

// Org mode output for s.
@script:python depends on !context && org && !report@
p << s.p;
p1 << ifm.p1;
x << ifm.E;
@@

msg="ERROR: %s is NULL but dereferenced." % (x)
msg_safe=msg.replace("[","@(").replace("]",")")
cocci.print_main(msg_safe,p)

// For context mode

// Same pattern as r; the only difference is the "*" on the bad dereference,
// which marks that line in the context output.
@depends on context && !org && !report exists@
expression subE <= ifm.E;
expression *ifm.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr1.p1,pr2.p2};
position ifm.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
 ... when != if (...) S1 else S2
(
 iter(subE,...) S4 // no use
|
 list_remove_head(E2,subE,...)
|
 subE = E1
|
 for(subE = E1;...;...) S4
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
* E->f@p // bad use
)
 ... when any
 return ...;
}
else S3

// The following three rules are duplicates of ifm, pr1 and pr2 respectively.
// They are needed because the previous rule has already made a "change".

@ifm1@
expression *E;
statement S1,S2;
position p1;
@@

if@p1 ((E == NULL && ...) || ...) S1 else S2

@pr11 expression@
expression *ifm1.E;
identifier f;
position p1;
@@

 (E != NULL && ...) ? <+...E->f@p1...+> : ...

@pr12 expression@
expression *ifm1.E;
identifier f;
position p2;
@@

(
 (E != NULL) && ... && <+...E->f@p2...+>
|
 (E == NULL) || ... || <+...E->f@p2...+>
|
 sizeof(<+...E->f@p2...+>)
)

// Context-mode counterpart of s: same as the previous context rule but
// without the trailing return, bound to the ifm1/pr11/pr12 copies.
@depends on context && !org && !report exists@
expression subE <= ifm1.E;
expression *ifm1.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr11.p1,pr12.p2};
position ifm1.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
 ... when != if (...) S1 else S2
(
 iter(subE,...) S4 // no use
|
 list_remove_head(E2,subE,...)
|
 subE = E1
|
 for(subE = E1;...;...) S4
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
* E->f@p // bad use
)
 ... when any
}
else S3