tags:

views:

310

answers:

1
+2  Q: 

Adding missing NULL checks after malloc with coccinelle

I want to write a semantic patch for coccinelle, so that it will add if (ptr == NULL) ... checks after calls to malloc where they are missing.

Let's say I have the following input source code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// memory leaks ignored

static void OK_simple(void)
{
 char *ptr;
 ptr = malloc(100);
 if (ptr == NULL) {
  return;
 }
 strcpy(ptr, "abcd");
}

static void NOT_OK_missing_NULL_check(void)
{
 char *ptr;
 ptr = malloc(100);
 strcpy(ptr, "abcd");
}

static void NOT_OK_NULL_check_too_late(void)
{
 char *ptr;
 ptr = malloc(100);
 strcpy(ptr, "abcd");
 if (ptr == NULL) {
  return;
 }
}

static void OK_code_between_allocation_and_NULL_check(void)
{
 char *ptr;
 ptr = malloc(100);
 printf("The NULL test does not have to be put immediately after\n");
 if (ptr == NULL) {
  return;
 }
 strcpy(ptr, "abcd");
}

static void OK_two_allocations(void)
{
 char *ptr1, *ptr2;
 ptr1 = malloc(100);
 ptr2 = malloc(100);
 if (ptr1 == NULL) {
  return;
 }
 if (ptr2 == NULL) {
  return;
 }
 strcpy(ptr1, "abcd");
 strcpy(ptr2, "abcd");
}

static void NOT_OK_two_allocations_with_one_missing_NULL_check(void)
{
 char *ptr1, *ptr2;
 ptr1 = malloc(100);
 ptr2 = malloc(100);
 if (ptr1 == NULL) {
  return;
 }
 strcpy(ptr1, "abcd");
 strcpy(ptr2, "abcd");
}

int main(int argc, char *argv[])
{
 (void)argc;
 (void)argv;
 OK_simple();
 NOT_OK_missing_NULL_check();
 NOT_OK_NULL_check_too_late();
 OK_code_between_allocation_and_NULL_check();
 OK_two_allocations();
 NOT_OK_two_allocations_with_one_missing_NULL_check();
 return 0;
}

I have been trying to come up with a semantic patch which does this, but I have trouble getting it to do what I want. Just adding NULL tests unconditionally is no problem, the trouble is to not do it when not needed. The following is what I currently have:

// this rule matches code that already have a NULL test

@already_have_proper_check@
statement S;
type T;
T* ptr;
expression E;
@@

ptr = malloc(E);
... when != ptr
if (ptr == NULL) S
//+dummy_change_just_to_verify_that_this_rule_matches();


// this rule adds NULL tests where missing

//@add_NULL_check depends on !already_have_proper_check@
@add_NULL_check@
type T;
//T* ptr != already_have_proper_check.ptr;
T* ptr;
expression E;
@@

ptr = malloc(E);
+if (ptr == NULL) {
+ insert_error_handling_here();
+}

The trouble with this is that it does not exclude the OK cases, and I do not understand how to connect the two rules. Can anyone help me with this?

Just to be 100% clear, the output I want after running coccinelle is the following:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// memory leaks ignored

static void OK_simple(void)
{
 char *ptr;
 ptr = malloc(100);
 if (ptr == NULL) {
  return;
 }
 strcpy(ptr, "abcd");
}

static void NOT_OK_missing_NULL_check(void)
{
 char *ptr;
 ptr = malloc(100);
 if (ptr == NULL) {
  insert_error_handling_here();
 }
 strcpy(ptr, "abcd");
}

static void NOT_OK_NULL_check_too_late(void)
{
 char *ptr;
 ptr = malloc(100);
 if (ptr == NULL) {
  insert_error_handling_here();
 }
 strcpy(ptr, "abcd");
 if (ptr == NULL) {
  return;
 }
}

static void OK_code_between_allocation_and_NULL_check(void)
{
 char *ptr;
 ptr = malloc(100);
 printf("The NULL test does not have to be put immediately after\n");
 if (ptr == NULL) {
  return;
 }
 strcpy(ptr, "abcd");
}

static void OK_two_allocations(void)
{
 char *ptr1, *ptr2;
 ptr1 = malloc(100);
 ptr2 = malloc(100);
 if (ptr1 == NULL) {
  return;
 }
 if (ptr2 == NULL) {
  return;
 }
 strcpy(ptr1, "abcd");
 strcpy(ptr2, "abcd");
}

static void NOT_OK_two_allocations_with_one_missing_NULL_check(void)
{
 char *ptr1, *ptr2;
 ptr1 = malloc(100);
 ptr2 = malloc(100);
 if (ptr2 == NULL) {
  insert_error_handling_here();
 }
 if (ptr1 == NULL) {
  return;
 }
 strcpy(ptr1, "abcd");
 strcpy(ptr2, "abcd");
}

int main(int argc, char *argv[])
{
 (void)argc;
 (void)argv;
 OK_simple();
 NOT_OK_missing_NULL_check();
 NOT_OK_NULL_check_too_late();
 OK_code_between_allocation_and_NULL_check();
 OK_two_allocations();
 NOT_OK_two_allocations_with_one_missing_NULL_check();
 return 0;
}
+2  A:  
// find calls to malloc
@call@
expression ptr;
position p;
@@

ptr@p = malloc(...);

// find ok calls to malloc
@ok@
expression ptr;
position call.p;
@@

ptr@p = malloc(...);
... when != ptr
(
 (ptr == NULL || ...)
|
 (ptr != NULL || ...)
)

// fix bad calls to malloc
@depends on !ok@
expression ptr;
position call.p;
@@

ptr@p = malloc(...);
+ if (ptr == NULL) return;
julia  2009-11-15 16:37:54
This patch will not handle variables that are assigned in the declaration statement (e.g. "char *ptr = malloc(100);"). See http://lists.diku.dk/pipermail/cocci/2009-November/000479.html for hints on how to add.
hlovdal  2009-11-19 16:40:55

related questions

any good tool for makefile generation?
How do you pass a function as a parameter in C?
Where should a veteran C programmer start in order to master Java ?
Any good book on best practice and guidelines in developing a SDK in C?
How do you determine the size of a file in C?
Decoding printf statements in C (Printf Primer)
Shift operator in C
How to avoid redefining VERSION, PACKAGE, etc.
Alpha blending sprites in Nintendo DS Homebrew
When should I use type abstraction in embedded systems
How to implement continuations?
What are the barriers to understanding pointers and what can be done to overcome them?
Anyone have experience creating a shared library in MATLAB?
String.indexOf function in C
Passing multidimensional arrays as function arguments in C
C/C++ library for reading MIDI signals from a USB MIDI device
Choosing a static code analysis tool
How do you printf an unsigned long long int?
Good STL-like library for C.
Rockbox audio format
Why am I getting a malloc: double free error with realloc()?
Should I learn C?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS