// SPDX-License-Identifier: GPL-2.0-only
///
/// A variable is dereferenced under a NULL test.
/// Even though it is known to be NULL.
///
// Confidence: Moderate
// Copyright: (C) 2010 Nicolas Palix, DIKU.
// Copyright: (C) 2010 Julia Lawall, DIKU.
// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6.
// URL: http://coccinelle.lip6.fr/
// Comments: -I ... -all_includes can give more complete results
// Options:

// Output modes. Each rule below is gated on these names through its
// "depends on" clause, so only the rules for the selected mode run:
//   context - mark the offending dereference in the matched code ("*" lines)
//   org     - print findings through cocci.print_main
//   report  - print findings through coccilib.report.print_report
virtual context
virtual org
virtual report

// The following two rules are separate, because both can match a single
// expression in different ways
//
// pr1: records (as p1) every field access E->f that sits in the "true" arm
// of a conditional expression whose condition starts with E != NULL.
// The reporting rules exclude these positions (position p != {pr1.p1, ...}),
// so a dereference guarded this way is not reported.
@pr1 expression@
expression E;
identifier f;
position p1;
@@

 (E != NULL && ...) ? <+...E->f@p1...+> : ...

// pr2: records (as p2) field accesses E->f that the reporting rules must
// not flag (they are excluded through position p != {..., pr2.p2}):
//   - E->f on the right of "(E != NULL) && ...": only reached when E is
//     non-NULL because && short-circuits
//   - E->f on the right of "(E == NULL) || ...": only reached when E is
//     non-NULL because || short-circuits
//   - E->f inside sizeof(...): the operand is normally not evaluated
@pr2 expression@
expression E;
identifier f;
position p2;
@@

(
  (E != NULL) && ... && <+...E->f@p2...+>
|
  (E == NULL) || ... || <+...E->f@p2...+>
|
 sizeof(<+...E->f@p2...+>)
)

// ifm: finds if/else statements whose condition contains an "E == NULL"
// test on a pointer-typed expression E, and records the position of the
// "if" as p1. Later rules inherit ifm.E and ifm.p1 to look inside the
// branch taken when E is NULL.
@ifm@
expression *E;
statement S1,S2;
position p1;
@@

if@p1 ((E == NULL && ...) || ...) S1 else S2

// For org and report modes

// r: inside the branch taken when ifm.E is NULL, look for a path ("exists":
// one matching path is enough) that contains no nested if/else and on which
// E->f is dereferenced at p, followed later in the same branch by a return.
//   - subE <= ifm.E: subE ranges over the subexpressions of E.
//   - The disjunction is ordered. The branches before "E->f@p" (iterator
//     use, list_remove_head, assignment, for-loop initialisation, ++/--,
//     address-of) are tagged "no use": when subE is touched in one of those
//     ways the match stops there without binding p, so nothing is reported.
//     NOTE(review): presumably because E may no longer be NULL after such
//     an operation - confirm.
//   - p is constrained to differ from the guarded positions found by pr1
//     and pr2.
// A binding of p is a candidate NULL-pointer dereference. The file header
// rates the check "Confidence: Moderate", so findings need manual triage.
@r depends on !context && (org || report) exists@
expression subE <= ifm.E;
expression *ifm.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr1.p1,pr2.p2};
position ifm.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
(
 iter(subE,...) S4 // no use
|
 list_remove_head(E2,subE,...)
|
 subE = E1
|
 for(subE = E1;...;...) S4
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
 E->f@p // bad use
)
  ... when any
  return ...;
}
else S3

// Report-mode output for rule r: one message per dereference position found.
// p1 is bound from ifm but not used in the script body.
@script:python depends on !context && !org && report@
p << r.p;
p1 << ifm.p1;
x << ifm.E;
@@

# x is the text of the expression that was tested against NULL.
msg="ERROR: %s is NULL but dereferenced." % (x)
# Report at the first recorded position of the dereference.
coccilib.report.print_report(p[0], msg)
# NOTE(review): include_match(False) discards this match after reporting,
# presumably so it is not carried into later rules - confirm.
cocci.include_match(False)

// Org-mode output for rule r.
// p1 is bound from ifm but not used in the script body.
@script:python depends on !context && org && !report@
p << r.p;
p1 << ifm.p1;
x << ifm.E;
@@

msg="ERROR: %s is NULL but dereferenced." % (x)
# Square brackets in the expression text are rewritten before printing.
# NOTE(review): presumably so they cannot clash with org link syntax - confirm.
msg_safe=msg.replace("[","@(").replace("]",")")
cocci.print_main(msg_safe,p)
# NOTE(review): include_match(False) discards this match after reporting,
# presumably so it is not carried into later rules - confirm.
cocci.include_match(False)

// s: same search as rule r (dereference of E->f inside the branch taken
// when ifm.E is NULL, on a path with no nested if/else and no earlier
// "no use" operation on subE), but without requiring a "return" later in
// the branch. Positions already classified as guarded by pr1/pr2 are
// excluded. As with r, a binding of p is a candidate NULL-pointer
// dereference that still needs manual review.
@s depends on !context && (org || report) exists@
expression subE <= ifm.E;
expression *ifm.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr1.p1,pr2.p2};
position ifm.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
(
 iter(subE,...) S4 // no use
|
 list_remove_head(E2,subE,...)
|
 subE = E1
|
 for(subE = E1;...;...) S4
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
 E->f@p // bad use
)
  ... when any
}
else S3

// Report-mode output for rule s. Unlike the script attached to rule r,
// this one does not call cocci.include_match(False).
// p1 is bound from ifm but not used in the script body.
@script:python depends on !context && !org && report@
p << s.p;
p1 << ifm.p1;
x << ifm.E;
@@

# x is the text of the expression that was tested against NULL.
msg="ERROR: %s is NULL but dereferenced." % (x)
# Report at the first recorded position of the dereference.
coccilib.report.print_report(p[0], msg)

// Org-mode output for rule s. Unlike the script attached to rule r,
// this one does not call cocci.include_match(False).
// p1 is bound from ifm but not used in the script body.
@script:python depends on !context && org && !report@
p << s.p;
p1 << ifm.p1;
x << ifm.E;
@@

msg="ERROR: %s is NULL but dereferenced." % (x)
# Square brackets in the expression text are rewritten before printing.
# NOTE(review): presumably so they cannot clash with org link syntax - confirm.
msg_safe=msg.replace("[","@(").replace("]",")")
cocci.print_main(msg_safe,p)

// For context mode

// Context-mode counterpart of rule r (the variant that requires a "return"
// after the dereference). The "*" in column 0 marks the E->f line, which is
// the dereference of a pointer known to be NULL, so that it is highlighted
// in the output. The "no use" branches come first in the disjunction and
// carry no "*", so a path that touches subE in one of those ways is not
// marked.
@depends on context && !org && !report exists@
expression subE <= ifm.E;
expression *ifm.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr1.p1,pr2.p2};
position ifm.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
(
 iter(subE,...) S4 // no use
|
 list_remove_head(E2,subE,...)
|
 subE = E1
|
 for(subE = E1;...;...) S4
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
* E->f@p // bad use
)
  ... when any
  return ...;
}
else S3

// The following three rules are duplicates of ifm, pr1 and pr2 respectively.
// They are needed because the previous rule has already made a "change".

// pr11: context-mode copy of pr1. Records (as p1) field accesses E->f in
// the "true" arm of a conditional expression whose condition starts with
// E != NULL; these positions are excluded by the final context rule.
@pr11 depends on context && !org && !report expression@
expression E;
identifier f;
position p1;
@@

 (E != NULL && ...) ? <+...E->f@p1...+> : ...

// pr12: context-mode copy of pr2. Records (as p2) field accesses E->f that
// are protected by && / || short-circuiting on a NULL test of E, or that
// appear inside sizeof(...); these positions are excluded by the final
// context rule.
@pr12 depends on context && !org && !report expression@
expression E;
identifier f;
position p2;
@@

(
  (E != NULL) && ... && <+...E->f@p2...+>
|
  (E == NULL) || ... || <+...E->f@p2...+>
|
 sizeof(<+...E->f@p2...+>)
)

// ifm1: context-mode copy of ifm. Finds if/else statements whose condition
// contains an "E == NULL" test on a pointer-typed expression E and records
// the position of the "if" as p1 for the rule that follows.
@ifm1 depends on context && !org && !report@
expression *E;
statement S1,S2;
position p1;
@@

if@p1 ((E == NULL && ...) || ...) S1 else S2

// Context-mode counterpart of rule s (no "return" required after the
// dereference). It inherits E and p1 from ifm1 and excludes the guarded
// positions recorded by pr11 and pr12. The "*" in column 0 marks the E->f
// line, which is the dereference of a pointer known to be NULL, so that it
// is highlighted in the output.
@depends on context && !org && !report exists@
expression subE <= ifm1.E;
expression *ifm1.E;
expression E1,E2;
identifier f;
statement S1,S2,S3,S4;
iterator iter;
position p!={pr11.p1,pr12.p2};
position ifm1.p1;
@@

if@p1 ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
(
 iter(subE,...) S4 // no use
|
 list_remove_head(E2,subE,...)
|
 subE = E1
|
 for(subE = E1;...;...) S4
|
 subE++
|
 ++subE
|
 --subE
|
 subE--
|
 &subE
|
* E->f@p // bad use
)
  ... when any
}
else S3