views:

310

answers:

1

I want to write a semantic patch for coccinelle, so that it will add if (ptr == NULL) ... checks after calls to malloc where they are missing.

Let's say I have the following input source code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// memory leaks ignored

static void OK_simple(void)
{
 char *ptr;
 ptr = malloc(100);
 if (ptr == NULL) {
  return;
 }
 strcpy(ptr, "abcd");
}

static void NOT_OK_missing_NULL_check(void)
{
 char *ptr;
 ptr = malloc(100);
 strcpy(ptr, "abcd");
}

static void NOT_OK_NULL_check_too_late(void)
{
 char *ptr;
 ptr = malloc(100);
 strcpy(ptr, "abcd");
 if (ptr == NULL) {
  return;
 }
}

static void OK_code_between_allocation_and_NULL_check(void)
{
 char *ptr;
 ptr = malloc(100);
 printf("The NULL test does not have to be put immediately after\n");
 if (ptr == NULL) {
  return;
 }
 strcpy(ptr, "abcd");
}

static void OK_two_allocations(void)
{
 char *ptr1, *ptr2;
 ptr1 = malloc(100);
 ptr2 = malloc(100);
 if (ptr1 == NULL) {
  return;
 }
 if (ptr2 == NULL) {
  return;
 }
 strcpy(ptr1, "abcd");
 strcpy(ptr2, "abcd");
}

static void NOT_OK_two_allocations_with_one_missing_NULL_check(void)
{
 char *ptr1, *ptr2;
 ptr1 = malloc(100);
 ptr2 = malloc(100);
 if (ptr1 == NULL) {
  return;
 }
 strcpy(ptr1, "abcd");
 strcpy(ptr2, "abcd");
}

int main(int argc, char *argv[])
{
 (void)argc;
 (void)argv;
 OK_simple();
 NOT_OK_missing_NULL_check();
 NOT_OK_NULL_check_too_late();
 OK_code_between_allocation_and_NULL_check();
 OK_two_allocations();
 NOT_OK_two_allocations_with_one_missing_NULL_check();
 return 0;
}

I have been trying to come up with a semantic patch which does this, but I have trouble getting it to do what I want. Just adding NULL tests unconditionally is no problem, the trouble is to not do it when not needed. The following is what I currently have:

// this rule matches code that already have a NULL test

@already_have_proper_check@
statement S;
type T;
T* ptr;
expression E;
@@

ptr = malloc(E);
... when != ptr
if (ptr == NULL) S
//+dummy_change_just_to_verify_that_this_rule_matches();


// this rule adds NULL tests where missing

//@add_NULL_check depends on !already_have_proper_check@
@add_NULL_check@
type T;
//T* ptr != already_have_proper_check.ptr;
T* ptr;
expression E;
@@

ptr = malloc(E);
+if (ptr == NULL) {
+ insert_error_handling_here();
+}

The trouble with this is that it does not exclude the OK cases, and I do not understand how to connect the two rules. Can anyone help me with this?

Just to be 100% clear, the output I want after running coccinelle is the following:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// memory leaks ignored

static void OK_simple(void)
{
 char *ptr;
 ptr = malloc(100);
 if (ptr == NULL) {
  return;
 }
 strcpy(ptr, "abcd");
}

static void NOT_OK_missing_NULL_check(void)
{
 char *ptr;
 ptr = malloc(100);
 if (ptr == NULL) {
  insert_error_handling_here();
 }
 strcpy(ptr, "abcd");
}

static void NOT_OK_NULL_check_too_late(void)
{
 char *ptr;
 ptr = malloc(100);
 if (ptr == NULL) {
  insert_error_handling_here();
 }
 strcpy(ptr, "abcd");
 if (ptr == NULL) {
  return;
 }
}

static void OK_code_between_allocation_and_NULL_check(void)
{
 char *ptr;
 ptr = malloc(100);
 printf("The NULL test does not have to be put immediately after\n");
 if (ptr == NULL) {
  return;
 }
 strcpy(ptr, "abcd");
}

static void OK_two_allocations(void)
{
 char *ptr1, *ptr2;
 ptr1 = malloc(100);
 ptr2 = malloc(100);
 if (ptr1 == NULL) {
  return;
 }
 if (ptr2 == NULL) {
  return;
 }
 strcpy(ptr1, "abcd");
 strcpy(ptr2, "abcd");
}

static void NOT_OK_two_allocations_with_one_missing_NULL_check(void)
{
 char *ptr1, *ptr2;
 ptr1 = malloc(100);
 ptr2 = malloc(100);
 if (ptr2 == NULL) {
  insert_error_handling_here();
 }
 if (ptr1 == NULL) {
  return;
 }
 strcpy(ptr1, "abcd");
 strcpy(ptr2, "abcd");
}

int main(int argc, char *argv[])
{
 (void)argc;
 (void)argv;
 OK_simple();
 NOT_OK_missing_NULL_check();
 NOT_OK_NULL_check_too_late();
 OK_code_between_allocation_and_NULL_check();
 OK_two_allocations();
 NOT_OK_two_allocations_with_one_missing_NULL_check();
 return 0;
}
+2  A: 
// find calls to malloc
@call@
expression ptr;
position p;
@@

ptr@p = malloc(...);

// find ok calls to malloc
@ok@
expression ptr;
position call.p;
@@

ptr@p = malloc(...);
... when != ptr
(
 (ptr == NULL || ...)
|
 (ptr != NULL || ...)
)

// fix bad calls to malloc
@depends on !ok@
expression ptr;
position call.p;
@@

ptr@p = malloc(...);
+ if (ptr == NULL) return;
julia
This patch will not handle variables that are assigned in the declaration statement (e.g. "char *ptr = malloc(100);"). See http://lists.diku.dk/pipermail/cocci/2009-November/000479.html for hints on how to add.
hlovdal