search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
states: rename unreachable() to is_unreachable()
[smatch.git] / check_check_deref.c
blob1589392ebbcedb46043dfe339c1aa17f610c0027
1 /*
2 * Copyright (C) 2010 Dan Carpenter.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; either version 2
7 * of the License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16 */
17
18 /*
19 * This is like check_deref_check.c except that it complains about code like:
20 * if (a)
21 * a->foo = 42;
22 * a->bar = 7;
23 *
24 * Of course, Smatch has complained about these for forever but the problem is
25 * the old scripts were too messy and complicated and generated too many false
26 * positives.
27 *
28 * This check is supposed to be simpler because it only looks for one kind of
29 * null dereference bug instead of every kind. It also gets rid of the false
30 * positives caused by the checks that happen inside macros.
31 *
32 */
33
34 #include "smatch.h"
35 #include "smatch_slist.h"
36 #include "smatch_extra.h"
37
38 static int my_id;
39
40 STATE(null);
41 STATE(ok);
42
43 static void is_ok(struct sm_state *sm, struct expression *mod_expr)
44 {
45 set_state(my_id, sm->name, sm->sym, &ok);
46 }
47
48 static int get_checked_line_var_sym(char *name, struct symbol *sym)
49 {
50 struct sm_state *sm;
51 struct sm_state *tmp;
52
53 sm = get_sm_state(my_id, name, sym);
54 if (!sm)
55 return 0;
56 if (is_ignored(my_id, sm->name, sm->sym))
57 return 0;
58 if (implied_not_equal_name_sym(name, sym, 0))
59 return 0;
60
61 FOR_EACH_PTR(sm->possible, tmp) {
62 if (tmp->state == &merged)
63 continue;
64 if (tmp->state == &ok)
65 continue;
66 if (tmp->state == &null)
67 return tmp->line;
68 } END_FOR_EACH_PTR(tmp);
69
70 return 0;
71 }
72
73 static int get_checked_line(struct expression *expr)
74 {
75 char *name;
76 struct symbol *sym;
77 int line = 0;
78
79 name = expr_to_var_sym(expr, &sym);
80 if (!name || !sym)
81 goto free;
82 line = get_checked_line_var_sym(name, sym);
83 free:
84 free_string(name);
85 return line;
86 }
87
88 static void deref_hook(struct expression *expr)
89 {
90 char *name;
91 struct symbol *sym;
92 struct range_list *rl;
93 int line;
94
95 if (__in_fake_assign || __in_fake_parameter_assign)
96 return;
97
98 line = get_checked_line(expr);
99 if (!line)
100 return;
101
102 get_absolute_rl(expr, &rl);
103 if (!rl_has_sval(rl, sval_type_val(rl_type(rl), 0)))
104 return;
105
106 name = expr_to_var_sym(expr, &sym);
107 if (!name || !sym)
108 goto free;
109
110 sm_error("we previously assumed '%s' could be null (see line %d)",
111 name, line);
112
113 add_ignore(my_id, name, sym);
114 free:
115 free_string(name);
116 }
117
118 static void match_condition(struct expression *expr)
119 {
120 struct smatch_state *true_state = NULL;
121 char *name;
122
123 name = get_macro_name(expr->pos);
124 if (name &&
125 (strcmp(name, "likely") != 0 && strcmp(name, "unlikely") != 0))
126 return;
127
128 if (!is_pointer(expr))
129 return;
130
131 if (expr->type == EXPR_ASSIGNMENT) {
132 match_condition(expr->right);
133 match_condition(expr->left);
134 }
135
136 if (implied_not_equal(expr, 0))
137 return;
138
139 if (get_state_expr(my_id, expr))
140 true_state = &ok;
141
142 set_true_false_states_expr(my_id, expr, true_state, &null);
143 }
144
145 void check_check_deref(int id)
146 {
147 my_id = id;
148
149 add_modification_hook(my_id, &is_ok);
150 add_hook(&match_condition, CONDITION_HOOK);
151 add_dereference_hook(deref_hook);
152 }
Static analysis for C