search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
rosenberg: handle bit fields better
[smatch.git] / check_checking_for_null_instead_of_err_ptr.c
blobce60faf650a9fee5a7a278b2e6e9325fb9ae596a
1 /*
2 * Copyright (C) 2017 Oracle.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 #include "smatch.h"
19 #include "smatch_slist.h"
20 #include "smatch_extra.h"
21
22 static int my_id;
23
24 STATE(err_ptr);
25
26 static void ok_to_use(struct sm_state *sm, struct expression *mod_expr)
27 {
28 set_state(my_id, sm->name, sm->sym, &undefined);
29 }
30
31 static void match_returns_err_ptr(const char *fn, struct expression *expr,
32 void *info)
33 {
34 set_state_expr(my_id, expr->left, &err_ptr);
35 }
36
37 static void match_condition(struct expression *expr)
38 {
39 struct sm_state *sm;
40 struct range_list *rl;
41 sval_t zero = {
42 .type = NULL,
43 { .value = 0, }
44 };
45 char *name;
46 struct range_list *err_rl;
47
48 while (expr->type == EXPR_ASSIGNMENT)
49 expr = strip_expr(expr->left);
50
51 if (!is_pointer(expr))
52 return;
53
54 sm = get_sm_state_expr(my_id, expr);
55 if (!sm)
56 return;
57 if (!slist_has_state(sm->possible, &err_ptr))
58 return;
59 if (!get_implied_rl(expr, &rl))
60 return;
61 zero.type = rl_type(rl);
62 if (rl_has_sval(rl, zero))
63 return;
64
65 /*
66 * At this point we already know that the condition is bogus because
67 * it's non-NULL. But let's do another filter to make sure it really is
68 * a possible error pointer.
69 *
70 */
71
72 err_rl = alloc_rl(err_min, err_max);
73 if (!possibly_true_rl(rl, SPECIAL_EQUAL, err_rl))
74 return;
75
76 name = expr_to_str(expr);
77 sm_msg("warn: '%s' is an error pointer or valid", name);
78 free_string(name);
79 }
80
81 static void match_condition2(struct expression *expr)
82 {
83 struct range_list *rl;
84 struct data_range *drange;
85 char *name;
86
87 if (!is_pointer(expr))
88 return;
89 if (!get_implied_rl(expr, &rl))
90 return;
91
92 FOR_EACH_PTR(rl, drange) {
93 if (sval_cmp(drange->min, drange->max) != 0)
94 continue;
95 if (drange->min.value >= -4095 && drange->min.value < 0)
96 goto warn;
97 } END_FOR_EACH_PTR(drange);
98
99 return;
100
101 warn:
102 name = expr_to_str(expr);
103 if (option_spammy)
104 sm_warning("'%s' could be an error pointer", name);
105 free_string(name);
106 }
107
108 static void register_err_ptr_funcs(void)
109 {
110 struct token *token;
111 const char *func;
112
113 token = get_tokens_file("kernel.returns_err_ptr");
114 if (!token)
115 return;
116 if (token_type(token) != TOKEN_STREAMBEGIN)
117 return;
118 token = token->next;
119 while (token_type(token) != TOKEN_STREAMEND) {
120 if (token_type(token) != TOKEN_IDENT)
121 return;
122 func = show_ident(token->ident);
123 add_function_assign_hook(func, &match_returns_err_ptr, NULL);
124 token = token->next;
125 }
126 clear_token_alloc();
127 }
128
129 void check_checking_for_null_instead_of_err_ptr(int id)
130 {
131 if (option_project != PROJ_KERNEL)
132 return;
133
134 my_id = id;
135 register_err_ptr_funcs();
136 add_hook(&match_condition, CONDITION_HOOK);
137 add_hook(&match_condition2, CONDITION_HOOK);
138 add_modification_hook(my_id, &ok_to_use);
139 }
140
Static analysis for C