1 /*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * There was a previous null dereference test but it was too confusing and
20 * difficult to debug. This test is much simpler in its goals and scope.
21 *
22 * This test only complains about:
23 * 1) dereferencing uninitialized variables
24 * 2) dereferencing variables which were assigned as null.
25 * 3) dereferencing variables which were assigned a function the returns
26 * null.
27 *
28 * If we dereference something then we complain if any of those three
29 * are possible.
30 *
31 */
32
33 #include "smatch.h"
34 #include "smatch_slist.h"
35 #include "smatch_extra.h"
36
37 static int my_id;
38
39 #define __GFP_NOFAIL 0x800
40
41 STATE(null);
42 STATE(ok);
43 STATE(uninitialized);
44
alloc_my_state(const char * name)45 static struct smatch_state *alloc_my_state(const char *name)
46 {
47 struct smatch_state *state;
48
49 state = __alloc_smatch_state(0);
50 state->name = name;
51 return state;
52 }
53
unmatched_state(struct sm_state * sm)54 static struct smatch_state *unmatched_state(struct sm_state *sm)
55 {
56 return &ok;
57 }
58
is_ok(struct sm_state * sm,struct expression * mod_expr)59 static void is_ok(struct sm_state *sm, struct expression *mod_expr)
60 {
61 set_state(my_id, sm->name, sm->sym, &ok);
62 }
63
check_dereference(struct expression * expr)64 static void check_dereference(struct expression *expr)
65 {
66 struct sm_state *sm;
67 struct sm_state *tmp;
68
69 expr = strip_expr(expr);
70 if (is_static(expr))
71 return;
72 sm = get_sm_state_expr(my_id, expr);
73 if (!sm)
74 return;
75 if (is_ignored(my_id, sm->name, sm->sym))
76 return;
77 if (implied_not_equal(expr, 0))
78 return;
79 if (is_impossible_path())
80 return;
81
82 FOR_EACH_PTR(sm->possible, tmp) {
83 if (tmp->state == &merged)
84 continue;
85 if (tmp->state == &ok)
86 continue;
87 add_ignore(my_id, sm->name, sm->sym);
88 if (tmp->state == &null) {
89 if (option_spammy)
90 sm_error("potential NULL dereference '%s'.", tmp->name);
91 return;
92 }
93 if (tmp->state == &uninitialized) {
94 if (option_spammy)
95 sm_error("potentially dereferencing uninitialized '%s'.", tmp->name);
96 return;
97 }
98 sm_error("potential null dereference '%s'. (%s returns null)",
99 tmp->name, tmp->state->name);
100 return;
101 } END_FOR_EACH_PTR(tmp);
102 }
103
check_dereference_name_sym(char * name,struct symbol * sym)104 static void check_dereference_name_sym(char *name, struct symbol *sym)
105 {
106 struct sm_state *sm;
107 struct sm_state *tmp;
108
109 sm = get_sm_state(my_id, name, sym);
110 if (!sm)
111 return;
112 if (is_ignored(my_id, sm->name, sm->sym))
113 return;
114 if (implied_not_equal_name_sym(name, sym, 0))
115 return;
116 if (is_impossible_path())
117 return;
118
119 FOR_EACH_PTR(sm->possible, tmp) {
120 if (tmp->state == &merged)
121 continue;
122 if (tmp->state == &ok)
123 continue;
124 add_ignore(my_id, sm->name, sm->sym);
125 if (tmp->state == &null) {
126 if (option_spammy)
127 sm_error("potential NULL dereference '%s'.", tmp->name);
128 return;
129 }
130 if (tmp->state == &uninitialized) {
131 if (option_spammy)
132 sm_error("potentially dereferencing uninitialized '%s'.", tmp->name);
133 return;
134 }
135 sm_error("potential null dereference '%s'. (%s returns null)",
136 tmp->name, tmp->state->name);
137 return;
138 } END_FOR_EACH_PTR(tmp);
139 }
140
match_dereferences(struct expression * expr)141 static void match_dereferences(struct expression *expr)
142 {
143 if (expr->type != EXPR_PREOP)
144 return;
145 check_dereference(expr->unop);
146 }
147
match_pointer_as_array(struct expression * expr)148 static void match_pointer_as_array(struct expression *expr)
149 {
150 if (!is_array(expr))
151 return;
152 check_dereference(get_array_base(expr));
153 }
154
set_param_dereferenced(struct expression * call,struct expression * arg,char * key,char * unused)155 static void set_param_dereferenced(struct expression *call, struct expression *arg, char *key, char *unused)
156 {
157 struct symbol *sym;
158 char *name;
159
160 name = get_variable_from_key(arg, key, &sym);
161 if (!name || !sym)
162 goto free;
163
164 check_dereference_name_sym(name, sym);
165 free:
166 free_string(name);
167 }
168
match_declarations(struct symbol * sym)169 static void match_declarations(struct symbol *sym)
170 {
171 const char *name;
172
173 if ((get_base_type(sym))->type == SYM_ARRAY)
174 return;
175
176 if (!sym->ident)
177 return;
178 name = sym->ident->name;
179 if (!sym->initializer) {
180 set_state(my_id, name, sym, &uninitialized);
181 scoped_state(my_id, name, sym);
182 }
183 }
184
match_assign(struct expression * expr)185 static void match_assign(struct expression *expr)
186 {
187 struct statement *stmt;
188
189 if (!expr_is_zero(expr->right))
190 return;
191
192 if (__in_fake_assign)
193 return;
194
195 FOR_EACH_PTR_REVERSE(big_statement_stack, stmt) {
196 if (stmt->type == STMT_DECLARATION)
197 return;
198 break;
199 } END_FOR_EACH_PTR_REVERSE(stmt);
200
201 set_state_expr(my_id, expr->left, &null);
202 }
203
match_assigns_address(struct expression * expr)204 static void match_assigns_address(struct expression *expr)
205 {
206 struct expression *right;
207
208 right = strip_expr(expr->right);
209 if (right->type != EXPR_PREOP || right->op != '&')
210 return;
211 set_state_expr(my_id, right, &ok);
212 }
213
match_condition(struct expression * expr)214 static void match_condition(struct expression *expr)
215 {
216 if (expr->type == EXPR_ASSIGNMENT) {
217 match_condition(expr->right);
218 match_condition(expr->left);
219 }
220 if (!get_state_expr(my_id, expr))
221 return;
222 set_true_false_states_expr(my_id, expr, &ok, NULL);
223 }
224
called_with_no_fail(struct expression * call,int param)225 static int called_with_no_fail(struct expression *call, int param)
226 {
227 struct expression *arg;
228 sval_t sval;
229
230 if (param == -1)
231 return 0;
232 call = strip_expr(call);
233 if (call->type != EXPR_CALL)
234 return 0;
235 arg = get_argument_from_call_expr(call->args, param);
236 if (get_value(arg, &sval) && (sval.uvalue & __GFP_NOFAIL))
237 return 1;
238 return 0;
239 }
240
match_assign_returns_null(const char * fn,struct expression * expr,void * _gfp)241 static void match_assign_returns_null(const char *fn, struct expression *expr, void *_gfp)
242 {
243 struct smatch_state *state;
244 int gfp_param = PTR_INT(_gfp);
245
246 if (called_with_no_fail(expr->right, gfp_param))
247 return;
248 state = alloc_my_state(fn);
249 set_state_expr(my_id, expr->left, state);
250 }
251
register_allocation_funcs(void)252 static void register_allocation_funcs(void)
253 {
254 struct token *token;
255 const char *func;
256 int arg;
257
258 token = get_tokens_file("kernel.allocation_funcs_gfp");
259 if (!token)
260 return;
261 if (token_type(token) != TOKEN_STREAMBEGIN)
262 return;
263 token = token->next;
264 while (token_type(token) != TOKEN_STREAMEND) {
265 if (token_type(token) != TOKEN_IDENT)
266 return;
267 func = show_ident(token->ident);
268 token = token->next;
269 if (token_type(token) == TOKEN_IDENT)
270 arg = -1;
271 else if (token_type(token) == TOKEN_NUMBER)
272 arg = atoi(token->number);
273 else
274 return;
275 add_function_assign_hook(func, &match_assign_returns_null, INT_PTR(arg));
276 token = token->next;
277 }
278 clear_token_alloc();
279 }
280
check_deref(int id)281 void check_deref(int id)
282 {
283 my_id = id;
284
285 add_unmatched_state_hook(my_id, &unmatched_state);
286 add_modification_hook(my_id, &is_ok);
287 add_hook(&match_dereferences, DEREF_HOOK);
288 add_hook(&match_pointer_as_array, OP_HOOK);
289 select_return_implies_hook(DEREFERENCE, &set_param_dereferenced);
290 add_hook(&match_condition, CONDITION_HOOK);
291 add_hook(&match_declarations, DECLARATION_HOOK);
292 add_hook(&match_assign, ASSIGNMENT_HOOK);
293 add_hook(&match_assigns_address, ASSIGNMENT_HOOK);
294 if (option_project == PROJ_KERNEL)
295 register_allocation_funcs();
296 }
297