check_bogus_address_param.c

   1 /*
   2  * Copyright (C) 2019 Oracle.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17
  18 #include "smatch.h"
  19 #include "smatch_extra.h"
  20 #include "smatch_slist.h"
  21
  22 static int my_id;
  23
  24 STATE(suspicious);
  25
  26 static void check_param(struct expression *expr)
  27 {
  28         struct expression *tmp;
  29         sval_t sval;
  30
  31         tmp = get_assigned_expr(expr);
  32         if (tmp)
  33                 expr = tmp;
  34         expr = strip_expr(expr);
  35         if (!expr || expr->type != EXPR_PREOP || expr->op != '&')
  36                 return;
  37         if (!get_implied_value(expr, &sval) ||
  38             sval.value == 0 || sval.uvalue > 4096)
  39                 return;
  40
  41         expr = strip_expr(expr->unop);
  42         while (expr->type == EXPR_DEREF) {
  43                 expr = strip_expr(expr->deref);
  44                 if (expr->type == EXPR_PREOP && expr->op == '*')
  45                         expr = strip_expr(expr->unop);
  46                 if (get_implied_value(expr, &sval) && sval.value == 0) {
  47                         set_state_expr(my_id, expr, &suspicious);
  48                         return;
  49                 }
  50         }
  51 }
  52
  53 static void match_call(struct expression *expr)
  54 {
  55         struct expression *arg;
  56
  57         FOR_EACH_PTR(expr->args, arg) {
  58                 check_param(arg);
  59         } END_FOR_EACH_PTR(arg);
  60 }
  61
  62 static void check_variable(struct sm_state *sm)
  63 {
  64         struct sm_state *extra_sm, *tmp;
  65         int line = sm->line;
  66
  67         extra_sm = get_sm_state(SMATCH_EXTRA, sm->name, sm->sym);
  68         if (!extra_sm)
  69                 return;
  70
  71         FOR_EACH_PTR(sm->possible, tmp) {
  72                 if (tmp->state == &suspicious)
  73                         line = tmp->line;
  74         } END_FOR_EACH_PTR(tmp);
  75
  76         FOR_EACH_PTR(extra_sm->possible, tmp) {
  77                 if (!estate_rl(tmp->state))
  78                         continue;
  79                 if (rl_min(estate_rl(tmp->state)).value != 0) {
  80                         sm_warning_line(line, "address of NULL pointer '%s'",
  81                                         sm->name);
  82                         return;
  83                 }
  84         } END_FOR_EACH_PTR(tmp);
  85 }
  86
  87 static void process_states(void)
  88 {
  89         struct sm_state *tmp;
  90
  91         FOR_EACH_MY_SM(my_id, __get_cur_stree(), tmp) {
  92                 check_variable(tmp);
  93         } END_FOR_EACH_SM(tmp);
  94 }
  95
  96 void check_bogus_address_param(int id)
  97 {
  98         my_id = id;
  99
 100         add_hook(&match_call, FUNCTION_CALL_HOOK);
 101         all_return_states_hook(&process_states);
 102 }