11f5207b7SJohn Levon /*
21f5207b7SJohn Levon  * Copyright (C) 2010 Dan Carpenter.
31f5207b7SJohn Levon  *
41f5207b7SJohn Levon  * This program is free software; you can redistribute it and/or
51f5207b7SJohn Levon  * modify it under the terms of the GNU General Public License
61f5207b7SJohn Levon  * as published by the Free Software Foundation; either version 2
71f5207b7SJohn Levon  * of the License, or (at your option) any later version.
81f5207b7SJohn Levon  *
91f5207b7SJohn Levon  * This program is distributed in the hope that it will be useful,
101f5207b7SJohn Levon  * but WITHOUT ANY WARRANTY; without even the implied warranty of
111f5207b7SJohn Levon  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
121f5207b7SJohn Levon  * GNU General Public License for more details.
131f5207b7SJohn Levon  *
141f5207b7SJohn Levon  * You should have received a copy of the GNU General Public License
151f5207b7SJohn Levon  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
161f5207b7SJohn Levon  */
171f5207b7SJohn Levon 
/*
 * There was a previous null dereference test but it was too confusing and
 * difficult to debug.  This test is much simpler in its goals and scope.
 *
 * This test only complains about:
 * 1) dereferencing uninitialized variables
 * 2) dereferencing variables which were assigned as null.
 * 3) dereferencing variables which were assigned from a function that
 *    returns null.
 *
 * If we dereference something then we complain if any of those three
 * are possible.
 *
 */
321f5207b7SJohn Levon 
331f5207b7SJohn Levon #include "smatch.h"
341f5207b7SJohn Levon #include "smatch_slist.h"
351f5207b7SJohn Levon #include "smatch_extra.h"
361f5207b7SJohn Levon 
static int my_id;	/* check id handed to check_deref(); keys every state call below */

/* Kernel gfp flag bit.  Allocation calls passing it are not recorded as "returns null". */
#define __GFP_NOFAIL 0x800

STATE(null);		/* assigned a literal zero (match_assign) */
STATE(ok);		/* known non-NULL: address taken, tested in a condition, or modified */
STATE(uninitialized);	/* declared without an initializer (match_declarations) */
441f5207b7SJohn Levon 
/*
 * Build a state whose name is @name.  Used to tag a variable as
 * "assigned from <name>", where <name> is an allocator that may return
 * NULL; the name is later printed in the diagnostic.
 */
static struct smatch_state *alloc_my_state(const char *name)
{
	struct smatch_state *new_state = __alloc_smatch_state(0);

	new_state->name = name;
	return new_state;
}
531f5207b7SJohn Levon 
/*
 * Unmatched-state hook: presumably consulted when a variable has a state
 * on only one side of a merge.  The side without a state is treated as
 * "ok", so a merge never invents a null possibility.
 */
static struct smatch_state *unmatched_state(struct sm_state *sm)
{
	(void)sm;	/* every unmatched variable gets the same answer */
	return &ok;
}
581f5207b7SJohn Levon 
/*
 * Modification hook: any write to a tracked variable resets it to "ok".
 * The expression performing the write is not inspected.
 */
static void is_ok(struct sm_state *sm, struct expression *mod_expr)
{
	(void)mod_expr;
	set_state(my_id, sm->name, sm->sym, &ok);
}
631f5207b7SJohn Levon 
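/*
 * Report a dereference of the variable tracked by @sm.
 *
 * The variable may be in several states at once (one per path that
 * reached this point); sm->possible lists them.  Merged and "ok"
 * entries are skipped.  The first remaining entry decides the message,
 * and the variable is put on the ignore list first so that it is
 * reported at most once per function, whether or not a message is
 * actually printed:
 *   - assigned NULL / declared uninitialized: printed only with
 *     option_spammy,
 *   - assigned from a function registered as returning NULL: always
 *     printed; the state's name is the allocator's name (alloc_my_state()).
 */
static void warn_possible_null_deref(struct sm_state *sm)
{
	struct sm_state *possible;

	FOR_EACH_PTR(sm->possible, possible) {
		if (possible->state == &merged || possible->state == &ok)
			continue;
		/* one report per variable, even when nothing is printed below */
		add_ignore(my_id, sm->name, sm->sym);
		if (possible->state == &null) {
			if (option_spammy)
				sm_error("potential NULL dereference '%s'.", possible->name);
			return;
		}
		if (possible->state == &uninitialized) {
			if (option_spammy)
				sm_error("potentially dereferencing uninitialized '%s'.", possible->name);
			return;
		}
		sm_error("potential null dereference '%s'.  (%s returns null)",
			possible->name, possible->state->name);
		return;
	} END_FOR_EACH_PTR(possible);
}

/*
 * Check a dereferenced expression (the operand of a prefix operator, or
 * the base of an array subscript).  Nothing is reported when:
 *   - the object is static (is_static),
 *   - this check holds no state for it,
 *   - it is already on the ignore list,
 *   - it is implied to be non-zero here, or
 *   - the current path is impossible.
 * Otherwise the possible states are reported by warn_possible_null_deref().
 */
static void check_dereference(struct expression *expr)
{
	struct sm_state *sm;

	expr = strip_expr(expr);
	if (is_static(expr))
		return;
	sm = get_sm_state_expr(my_id, expr);
	if (!sm)
		return;
	if (is_ignored(my_id, sm->name, sm->sym))
		return;
	if (implied_not_equal(expr, 0))
		return;
	if (is_impossible_path())
		return;
	warn_possible_null_deref(sm);
}

/*
 * Same as check_dereference() for a variable identified by name and
 * symbol instead of by expression (used by the DEREFERENCE
 * return-implies hook).  No is_static() test is made on this path.
 */
static void check_dereference_name_sym(char *name, struct symbol *sym)
{
	struct sm_state *sm;

	sm = get_sm_state(my_id, name, sym);
	if (!sm)
		return;
	if (is_ignored(my_id, sm->name, sm->sym))
		return;
	if (implied_not_equal_name_sym(name, sym, 0))
		return;
	if (is_impossible_path())
		return;
	warn_possible_null_deref(sm);
}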
1401f5207b7SJohn Levon 
/*
 * DEREF_HOOK: only prefix-operator expressions carry their operand in
 * expr->unop, so anything else is left alone.
 */
static void match_dereferences(struct expression *expr)
{
	if (expr->type == EXPR_PREOP)
		check_dereference(expr->unop);
}
1471f5207b7SJohn Levon 
/*
 * OP_HOOK: "p[i]" dereferences p, so the array base is checked like
 * any other dereferenced expression.
 */
static void match_pointer_as_array(struct expression *expr)
{
	if (is_array(expr))
		check_dereference(get_array_base(expr));
}
1541f5207b7SJohn Levon 
/*
 * Return-implies hook for DEREFERENCE: the callee is known to dereference
 * the argument described by @key, so the caller-side variable is checked
 * as if the dereference happened here.
 *
 * The name returned by get_variable_from_key() is ours to release; it is
 * handed to free_string() on every path, NULL included.
 */
static void set_param_dereferenced(struct expression *call, struct expression *arg, char *key, char *unused)
{
	struct symbol *sym = NULL;
	char *name = get_variable_from_key(arg, key, &sym);

	if (name && sym)
		check_dereference_name_sym(name, sym);
	free_string(name);
}
1681f5207b7SJohn Levon 
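/*
 * DECLARATION_HOOK: a named, non-array declaration without an
 * initializer starts out "uninitialized".  The state is scoped so it
 * disappears with the declaration's block.
 *
 * Declarations that do have an initializer get no state at all here;
 * in particular "p = NULL" initializers are deliberately not tracked.
 */
static void match_declarations(struct symbol *sym)
{
	struct symbol *type = get_base_type(sym);
	const char *name;

	/*
	 * Guard the returned type before looking at it: a symbol whose base
	 * type cannot be resolved is simply not tracked.  Arrays are storage,
	 * not pointers, so they are skipped as before.
	 */
	if (!type || type->type == SYM_ARRAY)
		return;

	if (!sym->ident)
		return;
	name = sym->ident->name;
	if (!sym->initializer) {
		set_state(my_id, name, sym, &uninitialized);
		scoped_state(my_id, name, sym);
	}
}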
1841f5207b7SJohn Levon 
/*
 * ASSIGNMENT_HOOK: "p = 0;" marks the left side as null.
 *
 * Two cases are skipped: assignments smatch fakes internally, and
 * zero-valued declaration initializers ("char *p = 0;"), which are
 * recognised by a STMT_DECLARATION on top of the statement stack.
 * Those declarations are left untracked by this check.
 */
static void match_assign(struct expression *expr)
{
	struct statement *top;

	if (!expr_is_zero(expr->right) || __in_fake_assign)
		return;

	/* Only the innermost statement is examined; the loop breaks after it. */
	FOR_EACH_PTR_REVERSE(big_statement_stack, top) {
		if (top->type == STMT_DECLARATION)
			return;
		break;
	} END_FOR_EACH_PTR_REVERSE(top);

	set_state_expr(my_id, expr->left, &null);
}
2031f5207b7SJohn Levon 
/*
 * ASSIGNMENT_HOOK: for "p = &x;" the address-of expression on the right
 * is recorded as "ok".  Note the state is attached to the "&x"
 * expression itself, not to expr->left.
 */
static void match_assigns_address(struct expression *expr)
{
	struct expression *rhs = strip_expr(expr->right);

	if (rhs->type == EXPR_PREOP && rhs->op == '&')
		set_state_expr(my_id, rhs, &ok);
}
2131f5207b7SJohn Levon 
/*
 * CONDITION_HOOK: a tracked variable used as a condition is "ok" on the
 * true branch; the false branch keeps whatever state it had (NULL).
 * For "if (a = b)" both sides of the assignment are visited first.
 */
static void match_condition(struct expression *expr)
{
	if (expr->type == EXPR_ASSIGNMENT) {
		match_condition(expr->right);
		match_condition(expr->left);
	}
	/* Untracked expressions get no state, so nothing new is invented. */
	if (get_state_expr(my_id, expr))
		set_true_false_states_expr(my_id, expr, &ok, NULL);
}
2241f5207b7SJohn Levon 
/*
 * Return 1 when @call passes __GFP_NOFAIL in its gfp argument (position
 * @param), 0 otherwise.  A @param of -1 means the function has no gfp
 * argument, and a non-call expression or an unknown flag value both
 * count as "may fail".
 */
static int called_with_no_fail(struct expression *call, int param)
{
	struct expression *gfp_arg;
	sval_t flags;

	if (param == -1)
		return 0;
	call = strip_expr(call);
	if (call->type != EXPR_CALL)
		return 0;
	gfp_arg = get_argument_from_call_expr(call->args, param);
	return (get_value(gfp_arg, &flags) && (flags.uvalue & __GFP_NOFAIL)) ? 1 : 0;
}
2401f5207b7SJohn Levon 
/*
 * Assign hook for a registered allocator @fn: "p = fn(...)" gives p a
 * state named after @fn, unless the call passes __GFP_NOFAIL in the gfp
 * argument whose index travels in @_gfp (see register_allocation_funcs()).
 */
static void match_assign_returns_null(const char *fn, struct expression *expr, void *_gfp)
{
	int gfp_param = PTR_INT(_gfp);

	if (called_with_no_fail(expr->right, gfp_param))
		return;
	set_state_expr(my_id, expr->left, alloc_my_state(fn));
}
2511f5207b7SJohn Levon 
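/*
 * Register the functions listed in the "kernel.allocation_funcs_gfp"
 * data file as allocators whose result may be NULL.
 *
 * Entries are consumed two tokens at a time: a function name followed by
 * either a number (the index of the gfp argument) or an identifier
 * (meaning there is no gfp argument, stored as -1 so called_with_no_fail()
 * never exempts the call).  Parsing stops at the first token that does
 * not fit this shape.
 *
 * Every path after the tokens have been read goes through
 * clear_token_alloc(), so a malformed file does not leave the token
 * stream allocated.
 */
static void register_allocation_funcs(void)
{
	struct token *token;
	const char *func;
	int arg;

	token = get_tokens_file("kernel.allocation_funcs_gfp");
	if (!token)
		return;
	if (token_type(token) != TOKEN_STREAMBEGIN)
		goto done;
	token = token->next;
	while (token_type(token) != TOKEN_STREAMEND) {
		if (token_type(token) != TOKEN_IDENT)
			goto done;
		func = show_ident(token->ident);
		token = token->next;
		if (token_type(token) == TOKEN_IDENT) {
			arg = -1;
		} else if (token_type(token) == TOKEN_NUMBER) {
			/* atoi() as in the original: a non-decimal literal reads as 0 */
			arg = atoi(token->number);
		} else {
			goto done;
		}
		/* NOTE(review): assumes the hook keeps or copies @func — confirm against show_ident() */
		add_function_assign_hook(func, &match_assign_returns_null, INT_PTR(arg));
		token = token->next;
	}
done:
	clear_token_alloc();
}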
2801f5207b7SJohn Levon 
/*
 * Registration entry point, called with this check's id.
 *
 * Wires up every hook the check relies on.  match_assign() and
 * match_assigns_address() both sit on ASSIGNMENT_HOOK and are registered
 * in that order; presumably hooks of one kind run in registration
 * order — confirm before reordering.  The allocator table is only
 * loaded for the kernel project.
 */
void check_deref(int id)
{
	my_id = id;

	add_unmatched_state_hook(my_id, &unmatched_state);
	add_modification_hook(my_id, &is_ok);
	add_hook(&match_dereferences, DEREF_HOOK);
	add_hook(&match_pointer_as_array, OP_HOOK);
	select_return_implies_hook(DEREFERENCE, &set_param_dereferenced);
	add_hook(&match_condition, CONDITION_HOOK);
	add_hook(&match_declarations, DECLARATION_HOOK);
	add_hook(&match_assign, ASSIGNMENT_HOOK);
	add_hook(&match_assigns_address, ASSIGNMENT_HOOK);
	if (option_project == PROJ_KERNEL)
		register_allocation_funcs();
}