3 files changed, 374 insertions, 0 deletions
diff --git a/scripts/coccinelle/null/deref_null.cocci b/scripts/coccinelle/null/deref_null.cocci
new file mode 100644
index 000000000000..cdac6cfcce92
--- /dev/null
+++ b/scripts/coccinelle/null/deref_null.cocci
@@ -0,0 +1,282 @@
+///
+/// A variable is dereference under a NULL test.
+/// Even though it is know to be NULL.
+///
+// Confidence: Moderate
+// Copyright: (C) 2010 Nicolas Palix, DIKU.  GPLv2.
+// Copyright: (C) 2010 Julia Lawall, DIKU.  GPLv2.
+// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6.  GPLv2.
+// URL: http://coccinelle.lip6.fr/
+// Comments: -I ... -all_includes can give more complete results
+// Options:
+virtual context
+virtual org
+virtual report
+@ifm@
+expression *E;
+statement S1,S2;
+position p1;
+@@
+if@p1 ((E == NULL && ...) || ...) S1 else S2
+// The following two rules are separate, because both can match a single
+// expression in different ways
+@pr1 expression@
+expression *ifm.E;
+identifier f;
+position p1;
+@@
+ (E != NULL && ...) ? <+...E->f@p1...+> : ...
+@pr2 expression@
+expression *ifm.E;
+identifier f;
+position p2;
+@@
+(
+  (E != NULL) && ... && <+...E->f@p2...+>
+|
+  (E == NULL) || ... || <+...E->f@p2...+>
+|
+ sizeof(<+...E->f@p2...+>)
+)
+// For org and report modes
+@r depends on !context && (org || report) exists@
+expression subE <= ifm.E;
+expression *ifm.E;
+expression E1,E2;
+identifier f;
+statement S1,S2,S3,S4;
+iterator iter;
+position p!={pr1.p1,pr2.p2};
+position ifm.p1;
+@@
+if@p1 ((E == NULL && ...) || ...)
+{
+  ... when != if (...) S1 else S2
+(
+ iter(subE,...) S4 // no use
+|
+ list_remove_head(E2,subE,...)
+|
+ subE = E1
+|
+ for(subE = E1;...;...) S4
+|
+ subE++
+|
+ ++subE
+|
+ --subE
+|
+ subE--
+|
+ &subE
+|
+ E->f@p // bad use
+)
+  ... when any
+  return ...;
+}
+else S3
+@script:python depends on !context && !org && report@
+p << r.p;
+p1 << ifm.p1;
+x << ifm.E;
+@@
+msg="ERROR: %s is NULL but dereferenced." % (x)
+coccilib.report.print_report(p[0], msg)
+cocci.include_match(False)
+@script:python depends on !context && org && !report@
+p << r.p;
+p1 << ifm.p1;
+x << ifm.E;
+@@
+msg="ERROR: %s is NULL but dereferenced." % (x)
+msg_safe=msg.replace("[","@(").replace("]",")")
+cocci.print_main(msg_safe,p)
+cocci.include_match(False)
+@s depends on !context && (org || report) exists@
+expression subE <= ifm.E;
+expression *ifm.E;
+expression E1,E2;
+identifier f;
+statement S1,S2,S3,S4;
+iterator iter;
+position p!={pr1.p1,pr2.p2};
+position ifm.p1;
+@@
+if@p1 ((E == NULL && ...) || ...)
+{
+  ... when != if (...) S1 else S2
+(
+ iter(subE,...) S4 // no use
+|
+ list_remove_head(E2,subE,...)
+|
+ subE = E1
+|
+ for(subE = E1;...;...) S4
+|
+ subE++
+|
+ ++subE
+|
+ --subE
+|
+ subE--
+|
+ &subE
+|
+ E->f@p // bad use
+)
+  ... when any
+}
+else S3
+@script:python depends on !context && !org && report@
+p << s.p;
+p1 << ifm.p1;
+x << ifm.E;
+@@
+msg="ERROR: %s is NULL but dereferenced." % (x)
+coccilib.report.print_report(p[0], msg)
+@script:python depends on !context && org && !report@
+p << s.p;
+p1 << ifm.p1;
+x << ifm.E;
+@@
+msg="ERROR: %s is NULL but dereferenced." % (x)
+msg_safe=msg.replace("[","@(").replace("]",")")
+cocci.print_main(msg_safe,p)
+// For context mode
+@depends on context && !org && !report exists@
+expression subE <= ifm.E;
+expression *ifm.E;
+expression E1,E2;
+identifier f;
+statement S1,S2,S3,S4;
+iterator iter;
+position p!={pr1.p1,pr2.p2};
+position ifm.p1;
+@@
+if@p1 ((E == NULL && ...) || ...)
+{
+  ... when != if (...) S1 else S2
+(
+ iter(subE,...) S4 // no use
+|
+ list_remove_head(E2,subE,...)
+|
+ subE = E1
+|
+ for(subE = E1;...;...) S4
+|
+ subE++
+|
+ ++subE
+|
+ --subE
+|
+ subE--
+|
+ &subE
+|
+* E->f@p // bad use
+)
+  ... when any
+  return ...;
+}
+else S3
+// The following three rules are duplicates of ifm, pr1 and pr2 respectively.
+// It is need because the previous rule as already made a "change".
+@ifm1@
+expression *E;
+statement S1,S2;
+position p1;
+@@
+if@p1 ((E == NULL && ...) || ...) S1 else S2
+@pr11 expression@
+expression *ifm1.E;
+identifier f;
+position p1;
+@@
+ (E != NULL && ...) ? <+...E->f@p1...+> : ...
+@pr12 expression@
+expression *ifm1.E;
+identifier f;
+position p2;
+@@
+(
+  (E != NULL) && ... && <+...E->f@p2...+>
+|
+  (E == NULL) || ... || <+...E->f@p2...+>
+|
+ sizeof(<+...E->f@p2...+>)
+)
+@depends on context && !org && !report exists@
+expression subE <= ifm1.E;
+expression *ifm1.E;
+expression E1,E2;
+identifier f;
+statement S1,S2,S3,S4;
+iterator iter;
+position p!={pr11.p1,pr12.p2};
+position ifm1.p1;
+@@
+if@p1 ((E == NULL && ...) || ...)
+{
+  ... when != if (...) S1 else S2
+(
+ iter(subE,...) S4 // no use
+|
+ list_remove_head(E2,subE,...)
+|
+ subE = E1
+|
+ for(subE = E1;...;...) S4
+|
+ subE++
+|
+ ++subE
+|
+ --subE
+|
+ subE--
+|
+ &subE
+|
+* E->f@p // bad use
+)
+  ... when any
+}
+else S3
diff --git a/scripts/coccinelle/null/eno.cocci b/scripts/coccinelle/null/eno.cocci
new file mode 100644
index 000000000000..4c9c52b9c413
--- /dev/null
+++ b/scripts/coccinelle/null/eno.cocci
@@ -0,0 +1,20 @@
+/// The various basic memory allocation functions don't return ERR_PTR
+///
+// Confidence: High
+// Copyright: (C) 2010 Nicolas Palix, DIKU.  GPLv2.
+// Copyright: (C) 2010 Julia Lawall, DIKU.  GPLv2.
+// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6.  GPLv2.
+// URL: http://coccinelle.lip6.fr/
+// Comments:
+// Options: -no_includes -include_headers
+virtual patch
+@@
+expression x,E;
+@@
+x = \(kmalloc\|kzalloc\|kcalloc\|kmem_cache_alloc\|kmem_cache_zalloc\|kmem_cache_alloc_node\|kmalloc_node\|kzalloc_node\)(...)
+... when != x = E
+- IS_ERR(x)
+ !x
diff --git a/scripts/coccinelle/null/kmerr.cocci b/scripts/coccinelle/null/kmerr.cocci
new file mode 100644
index 000000000000..949bf656c64c
--- /dev/null
+++ b/scripts/coccinelle/null/kmerr.cocci
@@ -0,0 +1,72 @@
+/// This semantic patch looks for kmalloc etc that are not followed by a
+/// NULL check.  It only gives a report in the case where there is some
+/// error handling code later in the function, which may be helpful
+/// in determining what the error handling code for the call to kmalloc etc
+/// should be.
+///
+// Confidence: High
+// Copyright: (C) 2010 Nicolas Palix, DIKU.  GPLv2.
+// Copyright: (C) 2010 Julia Lawall, DIKU.  GPLv2.
+// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6.  GPLv2.
+// URL: http://coccinelle.lip6.fr/
+// Comments:
+// Options: -no_includes -include_headers
+virtual context
+virtual org
+virtual report
+@withtest@
+expression x;
+position p;
+identifier f,fld;
+@@
+x@p = f(...);
+... when != x->fld
+\(x == NULL \| x != NULL\)
+@fixed depends on context && !org && !report@
+expression x,x1;
+position p1 != withtest.p;
+statement S;
+position any withtest.p;
+identifier f;
+@@
+*x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...);
+...
+*x1@p = f(...);
+if (!x1) S
+// ------------------------------------------------------------------------
+@rfixed depends on (org || report) && !context exists@
+expression x,x1;
+position p1 != withtest.p;
+position p2;
+statement S;
+position any withtest.p;
+identifier f;
+@@
+x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...);
+...
+x1@p = f@p2(...);
+if (!x1) S
+@script:python depends on org@
+p1 << rfixed.p1;
+p2 << rfixed.p2;
+@@
+cocci.print_main("alloc call",p1)
+cocci.print_secs("possible model",p2)
+@script:python depends on report@
+p1 << rfixed.p1;
+p2 << rfixed.p2;
+@@
+msg = "alloc with no test, possible model on line %s" % (p2[0].line)
+coccilib.report.print_report(p1[0],msg)

diff --git a/scripts/coccinelle/null/deref_null.cocci b/scripts/coccinelle/null/deref_null.cocci new file mode 100644 index 000000000000..cdac6cfcce92 --- /dev/null +++ b/scripts/coccinelle/null/deref_null.cocci
@@ -0,0 +1,282 @@
	1	///
	2	/// A variable is dereference under a NULL test.
	3	/// Even though it is know to be NULL.
	4	///
	5	// Confidence: Moderate
	6	// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2.
	7	// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2.
	8	// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2.
	9	// URL: http://coccinelle.lip6.fr/
	10	// Comments: -I ... -all_includes can give more complete results
	11	// Options:
	12
	13	virtual context
	14	virtual org
	15	virtual report
	16
	17	@ifm@
	18	expression *E;
	19	statement S1,S2;
	20	position p1;
	21	@@
	22
	23	if@p1 ((E == NULL && ...) \|\| ...) S1 else S2
	24
	25	// The following two rules are separate, because both can match a single
	26	// expression in different ways
	27	@pr1 expression@
	28	expression *ifm.E;
	29	identifier f;
	30	position p1;
	31	@@
	32
	33	(E != NULL && ...) ? <+...E->f@p1...+> : ...
	34
	35	@pr2 expression@
	36	expression *ifm.E;
	37	identifier f;
	38	position p2;
	39	@@
	40
	41	(
	42	(E != NULL) && ... && <+...E->f@p2...+>
	43	\|
	44	(E == NULL) \|\| ... \|\| <+...E->f@p2...+>
	45	\|
	46	sizeof(<+...E->f@p2...+>)
	47	)
	48
	49	// For org and report modes
	50
	51	@r depends on !context && (org \|\| report) exists@
	52	expression subE <= ifm.E;
	53	expression *ifm.E;
	54	expression E1,E2;
	55	identifier f;
	56	statement S1,S2,S3,S4;
	57	iterator iter;
	58	position p!={pr1.p1,pr2.p2};
	59	position ifm.p1;
	60	@@
	61
	62	if@p1 ((E == NULL && ...) \|\| ...)
	63	{
	64	... when != if (...) S1 else S2
	65	(
	66	iter(subE,...) S4 // no use
	67	\|
	68	list_remove_head(E2,subE,...)
	69	\|
	70	subE = E1
	71	\|
	72	for(subE = E1;...;...) S4
	73	\|
	74	subE++
	75	\|
	76	++subE
	77	\|
	78	--subE
	79	\|
	80	subE--
	81	\|
	82	&subE
	83	\|
	84	E->f@p // bad use
	85	)
	86	... when any
	87	return ...;
	88	}
	89	else S3
	90
	91	@script:python depends on !context && !org && report@
	92	p << r.p;
	93	p1 << ifm.p1;
	94	x << ifm.E;
	95	@@
	96
	97	msg="ERROR: %s is NULL but dereferenced." % (x)
	98	coccilib.report.print_report(p[0], msg)
	99	cocci.include_match(False)
	100
	101	@script:python depends on !context && org && !report@
	102	p << r.p;
	103	p1 << ifm.p1;
	104	x << ifm.E;
	105	@@
	106
	107	msg="ERROR: %s is NULL but dereferenced." % (x)
	108	msg_safe=msg.replace("[","@(").replace("]",")")
	109	cocci.print_main(msg_safe,p)
	110	cocci.include_match(False)
	111
	112	@s depends on !context && (org \|\| report) exists@
	113	expression subE <= ifm.E;
	114	expression *ifm.E;
	115	expression E1,E2;
	116	identifier f;
	117	statement S1,S2,S3,S4;
	118	iterator iter;
	119	position p!={pr1.p1,pr2.p2};
	120	position ifm.p1;
	121	@@
	122
	123	if@p1 ((E == NULL && ...) \|\| ...)
	124	{
	125	... when != if (...) S1 else S2
	126	(
	127	iter(subE,...) S4 // no use
	128	\|
	129	list_remove_head(E2,subE,...)
	130	\|
	131	subE = E1
	132	\|
	133	for(subE = E1;...;...) S4
	134	\|
	135	subE++
	136	\|
	137	++subE
	138	\|
	139	--subE
	140	\|
	141	subE--
	142	\|
	143	&subE
	144	\|
	145	E->f@p // bad use
	146	)
	147	... when any
	148	}
	149	else S3
	150
	151	@script:python depends on !context && !org && report@
	152	p << s.p;
	153	p1 << ifm.p1;
	154	x << ifm.E;
	155	@@
	156
	157	msg="ERROR: %s is NULL but dereferenced." % (x)
	158	coccilib.report.print_report(p[0], msg)
	159
	160	@script:python depends on !context && org && !report@
	161	p << s.p;
	162	p1 << ifm.p1;
	163	x << ifm.E;
	164	@@
	165
	166	msg="ERROR: %s is NULL but dereferenced." % (x)
	167	msg_safe=msg.replace("[","@(").replace("]",")")
	168	cocci.print_main(msg_safe,p)
	169
	170	// For context mode
	171
	172	@depends on context && !org && !report exists@
	173	expression subE <= ifm.E;
	174	expression *ifm.E;
	175	expression E1,E2;
	176	identifier f;
	177	statement S1,S2,S3,S4;
	178	iterator iter;
	179	position p!={pr1.p1,pr2.p2};
	180	position ifm.p1;
	181	@@
	182
	183	if@p1 ((E == NULL && ...) \|\| ...)
	184	{
	185	... when != if (...) S1 else S2
	186	(
	187	iter(subE,...) S4 // no use
	188	\|
	189	list_remove_head(E2,subE,...)
	190	\|
	191	subE = E1
	192	\|
	193	for(subE = E1;...;...) S4
	194	\|
	195	subE++
	196	\|
	197	++subE
	198	\|
	199	--subE
	200	\|
	201	subE--
	202	\|
	203	&subE
	204	\|
	205	* E->f@p // bad use
	206	)
	207	... when any
	208	return ...;
	209	}
	210	else S3
	211
	212	// The following three rules are duplicates of ifm, pr1 and pr2 respectively.
	213	// It is need because the previous rule as already made a "change".
	214
	215	@ifm1@
	216	expression *E;
	217	statement S1,S2;
	218	position p1;
	219	@@
	220
	221	if@p1 ((E == NULL && ...) \|\| ...) S1 else S2
	222
	223	@pr11 expression@
	224	expression *ifm1.E;
	225	identifier f;
	226	position p1;
	227	@@
	228
	229	(E != NULL && ...) ? <+...E->f@p1...+> : ...
	230
	231	@pr12 expression@
	232	expression *ifm1.E;
	233	identifier f;
	234	position p2;
	235	@@
	236
	237	(
	238	(E != NULL) && ... && <+...E->f@p2...+>
	239	\|
	240	(E == NULL) \|\| ... \|\| <+...E->f@p2...+>
	241	\|
	242	sizeof(<+...E->f@p2...+>)
	243	)
	244
	245	@depends on context && !org && !report exists@
	246	expression subE <= ifm1.E;
	247	expression *ifm1.E;
	248	expression E1,E2;
	249	identifier f;
	250	statement S1,S2,S3,S4;
	251	iterator iter;
	252	position p!={pr11.p1,pr12.p2};
	253	position ifm1.p1;
	254	@@
	255
	256	if@p1 ((E == NULL && ...) \|\| ...)
	257	{
	258	... when != if (...) S1 else S2
	259	(
	260	iter(subE,...) S4 // no use
	261	\|
	262	list_remove_head(E2,subE,...)
	263	\|
	264	subE = E1
	265	\|
	266	for(subE = E1;...;...) S4
	267	\|
	268	subE++
	269	\|
	270	++subE
	271	\|
	272	--subE
	273	\|
	274	subE--
	275	\|
	276	&subE
	277	\|
	278	* E->f@p // bad use
	279	)
	280	... when any
	281	}
	282	else S3


diff --git a/scripts/coccinelle/null/eno.cocci b/scripts/coccinelle/null/eno.cocci new file mode 100644 index 000000000000..4c9c52b9c413 --- /dev/null +++ b/scripts/coccinelle/null/eno.cocci
@@ -0,0 +1,20 @@
	1	/// The various basic memory allocation functions don't return ERR_PTR
	2	///
	3	// Confidence: High
	4	// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2.
	5	// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2.
	6	// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2.
	7	// URL: http://coccinelle.lip6.fr/
	8	// Comments:
	9	// Options: -no_includes -include_headers
	10
	11	virtual patch
	12
	13	@@
	14	expression x,E;
	15	@@
	16
	17	x = \(kmalloc\\|kzalloc\\|kcalloc\\|kmem_cache_alloc\\|kmem_cache_zalloc\\|kmem_cache_alloc_node\\|kmalloc_node\\|kzalloc_node\)(...)
	18	... when != x = E
	19	- IS_ERR(x)
	20	+ !x


diff --git a/scripts/coccinelle/null/kmerr.cocci b/scripts/coccinelle/null/kmerr.cocci new file mode 100644 index 000000000000..949bf656c64c --- /dev/null +++ b/scripts/coccinelle/null/kmerr.cocci
@@ -0,0 +1,72 @@
	1	/// This semantic patch looks for kmalloc etc that are not followed by a
	2	/// NULL check. It only gives a report in the case where there is some
	3	/// error handling code later in the function, which may be helpful
	4	/// in determining what the error handling code for the call to kmalloc etc
	5	/// should be.
	6	///
	7	// Confidence: High
	8	// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2.
	9	// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2.
	10	// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2.
	11	// URL: http://coccinelle.lip6.fr/
	12	// Comments:
	13	// Options: -no_includes -include_headers
	14
	15	virtual context
	16	virtual org
	17	virtual report
	18
	19	@withtest@
	20	expression x;
	21	position p;
	22	identifier f,fld;
	23	@@
	24
	25	x@p = f(...);
	26	... when != x->fld
	27	\(x == NULL \\| x != NULL\)
	28
	29	@fixed depends on context && !org && !report@
	30	expression x,x1;
	31	position p1 != withtest.p;
	32	statement S;
	33	position any withtest.p;
	34	identifier f;
	35	@@
	36
	37	*x@p1 = \(kmalloc\\|kzalloc\\|kcalloc\)(...);
	38	...
	39	*x1@p = f(...);
	40	if (!x1) S
	41
	42	// ------------------------------------------------------------------------
	43
	44	@rfixed depends on (org \|\| report) && !context exists@
	45	expression x,x1;
	46	position p1 != withtest.p;
	47	position p2;
	48	statement S;
	49	position any withtest.p;
	50	identifier f;
	51	@@
	52
	53	x@p1 = \(kmalloc\\|kzalloc\\|kcalloc\)(...);
	54	...
	55	x1@p = f@p2(...);
	56	if (!x1) S
	57
	58	@script:python depends on org@
	59	p1 << rfixed.p1;
	60	p2 << rfixed.p2;
	61	@@
	62
	63	cocci.print_main("alloc call",p1)
	64	cocci.print_secs("possible model",p2)
	65
	66	@script:python depends on report@
	67	p1 << rfixed.p1;
	68	p2 << rfixed.p2;
	69	@@
	70
	71	msg = "alloc with no test, possible model on line %s" % (p2[0].line)
	72	coccilib.report.print_report(p1[0],msg)