/* * Cppcheck - A tool for static C/C++ code analysis * Copyright (C) 2007-2014 Daniel Marjamäki and Cppcheck team. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ //--------------------------------------------------------------------------- #include "checknullpointer.h" #include "mathlib.h" #include "symboldatabase.h" #include //--------------------------------------------------------------------------- // Register this check class (by creating a static instance of it) namespace { CheckNullPointer instance; } //--------------------------------------------------------------------------- /** * @brief parse a function call and extract information about variable usage * @param tok first token * @param var variables that the function read / write. * @param library --library files data * @param value 0 => invalid with null pointers as parameter. * 1-.. => only invalid with uninitialized data. */ void CheckNullPointer::parseFunctionCall(const Token &tok, std::list &var, const Library *library, unsigned char value) { if (Token::Match(&tok, "%var% ( )") || !tok.tokAt(2)) return; const Token* firstParam = tok.tokAt(2); const Token* secondParam = firstParam->nextArgument(); // 1st parameter.. if ((Token::Match(firstParam, "%var% ,|)") && firstParam->varId() > 0) || (value == 0 && Token::Match(firstParam, "0|NULL ,|)"))) { if (value == 0 && Token::Match(&tok, "snprintf|vsnprintf|fnprintf|vfnprintf") && secondParam && secondParam->str() != "0") // Only if length (second parameter) is not zero var.push_back(firstParam); else if (value == 0 && library != nullptr && library->isnullargbad(tok.str(),1)) var.push_back(firstParam); else if (value == 1 && library != nullptr && library->isuninitargbad(tok.str(),1)) var.push_back(firstParam); } // 2nd parameter.. if ((value == 0 && Token::Match(secondParam, "0|NULL ,|)")) || (secondParam && secondParam->varId() > 0 && Token::Match(secondParam->next(),"[,)]"))) { if (value == 0 && library != nullptr && library->isnullargbad(tok.str(),2)) var.push_back(secondParam); else if (value == 1 && library != nullptr && library->isuninitargbad(tok.str(),2)) var.push_back(secondParam); } if (Token::Match(&tok, "printf|sprintf|snprintf|fprintf|fnprintf|scanf|sscanf|fscanf|wprintf|swprintf|fwprintf|wscanf|swscanf|fwscanf")) { const Token* argListTok = 0; // Points to first va_list argument std::string formatString; bool scan = Token::Match(&tok, "scanf|sscanf|fscanf|wscanf|swscanf|fwscanf"); if (Token::Match(&tok, "printf|scanf|wprintf|wscanf ( %str%")) { formatString = firstParam->strValue(); argListTok = secondParam; } else if (Token::Match(&tok, "sprintf|fprintf|sscanf|fscanf|fwprintf|fwscanf|swscanf")) { const Token* formatStringTok = secondParam; // Find second parameter (format string) if (formatStringTok && formatStringTok->type() == Token::eString) { argListTok = formatStringTok->nextArgument(); // Find third parameter (first argument of va_args) formatString = formatStringTok->strValue(); } } else if (Token::Match(&tok, "snprintf|fnprintf|swprintf") && secondParam) { const Token* formatStringTok = secondParam->nextArgument(); // Find third parameter (format string) if (formatStringTok && formatStringTok->type() == Token::eString) { argListTok = formatStringTok->nextArgument(); // Find fourth parameter (first argument of va_args) formatString = formatStringTok->strValue(); } } if (argListTok) { bool percent = false; for (std::string::iterator i = formatString.begin(); i != formatString.end(); ++i) { if (*i == '%') { percent = !percent; } else if (percent) { percent = false; bool _continue = false; while (!std::isalpha((unsigned char)*i)) { if (*i == '*') { if (scan) _continue = true; else argListTok = argListTok->nextArgument(); } ++i; if (!argListTok || i == formatString.end()) return; } if (_continue) continue; if ((*i == 'n' || *i == 's' || scan) && (!scan || value == 0)) { if ((value == 0 && argListTok->str() == "0") || (argListTok->varId() > 0 && Token::Match(argListTok,"%var% [,)]"))) { var.push_back(argListTok); } } if (*i != 'm') // %m is a non-standard glibc extension that requires no parameter argListTok = argListTok->nextArgument(); // Find next argument if (!argListTok) break; } } } } } /** * Is there a pointer dereference? Everything that should result in * a nullpointer dereference error message will result in a true * return value. If it's unknown if the pointer is dereferenced false * is returned. * @param tok token for the pointer * @param unknown it is not known if there is a pointer dereference (could be reported as a debug message) * @return true => there is a dereference */ bool CheckNullPointer::isPointerDeRef(const Token *tok, bool &unknown) { // THIS ARRAY MUST BE ORDERED ALPHABETICALLY static const char* const stl_stream [] = { "fstream", "ifstream", "iostream", "istream", "istringstream", "ofstream", "ostream", "ostringstream", "stringstream", "wistringstream", "wostringstream", "wstringstream" }; unknown = false; const Token* parent = tok->astParent(); if (!parent) return false; bool firstOperand = parent->astOperand1() == tok; while (parent->str() == "(" && (parent->astOperand2() == nullptr && parent->strAt(1) != ")")) { // Skip over casts parent = parent->astParent(); if (!parent) return false; } // Dereferencing pointer.. if (parent->str() == "*" && !parent->astOperand2() && !Token::Match(parent->tokAt(-2), "sizeof|decltype|typeof")) return true; // array access if (parent->str() == "[" && (!parent->astParent() || parent->astParent()->str() != "&")) return true; // read/write member variable if (firstOperand && parent->str() == "." && (!parent->astParent() || parent->astParent()->str() != "&")) { if (!parent->astParent() || parent->astParent()->str() != "(" || parent->astParent() == tok->previous()) return true; unknown = true; return false; } if (Token::Match(tok, "%var% (")) return true; if (Token::Match(tok, "%var% = %var% .") && tok->varId() > 0 && tok->varId() == tok->tokAt(2)->varId()) return true; // std::string dereferences nullpointers if (Token::Match(parent->tokAt(-3), "std :: string|wstring (") && tok->strAt(1) == ")") return true; if (Token::Match(parent->previous(), "%var% (") && tok->strAt(1) == ")") { const Variable* var = tok->tokAt(-2)->variable(); if (var && !var->isPointer() && !var->isArray() && var->isStlStringType()) return true; } // streams dereference nullpointers if (Token::Match(parent, "<<|>>") && !firstOperand) { const Variable* var = tok->variable(); if (var && var->isPointer() && Token::Match(var->typeStartToken(), "char|wchar_t")) { // Only outputting or reading to char* can cause problems const Token* tok2 = parent; // Find start of statement for (; tok2; tok2 = tok2->previous()) { if (Token::Match(tok2->previous(), ";|{|}|:")) break; } if (Token::Match(tok2, "std :: cout|cin|cerr")) return true; if (tok2 && tok2->varId() != 0) { const Variable* var2 = tok2->variable(); if (var2 && var2->isStlType(stl_stream)) return true; } } } const Variable *ovar = nullptr; if (Token::Match(parent, "+|==|!=") || (parent->str() == "=" && !firstOperand)) { if (parent->astOperand1() == tok && parent->astOperand2()) ovar = parent->astOperand2()->variable(); else if (parent->astOperand1() && parent->astOperand2() == tok) ovar = parent->astOperand1()->variable(); } if (ovar && !ovar->isPointer() && !ovar->isArray() && ovar->isStlStringType()) return true; // assume that it's not a dereference (no false positives) return false; } void CheckNullPointer::nullPointerLinkedList() { const SymbolDatabase* const symbolDatabase = _tokenizer->getSymbolDatabase(); // looping through items in a linked list in a inner loop. // Here is an example: // for (const Token *tok = tokens; tok; tok = tok->next) { // if (tok->str() == "hello") // tok = tok->next; // <- tok might become a null pointer! // } for (std::list::const_iterator i = symbolDatabase->scopeList.begin(); i != symbolDatabase->scopeList.end(); ++i) { const Token* const tok1 = i->classDef; // search for a "for" scope.. if (i->type != Scope::eFor || !tok1) continue; // is there any dereferencing occurring in the for statement const Token* end2 = tok1->linkAt(1); for (const Token *tok2 = tok1->tokAt(2); tok2 != end2; tok2 = tok2->next()) { // Dereferencing a variable inside the "for" parentheses.. if (Token::Match(tok2, "%var% . %var%")) { // Is this variable a pointer? const Variable *var = tok2->variable(); if (!var || !var->isPointer()) continue; // Variable id for dereferenced variable const unsigned int varid(tok2->varId()); // We don't support variables without a varid if (varid == 0) continue; if (Token::Match(tok2->tokAt(-2), "%varid% ?", varid)) continue; // Check usage of dereferenced variable in the loop.. for (std::list::const_iterator j = i->nestedList.begin(); j != i->nestedList.end(); ++j) { Scope* scope = *j; if (scope->type != Scope::eWhile) continue; // TODO: are there false negatives for "while ( %varid% ||" if (Token::Match(scope->classDef->next(), "( %varid% &&|)", varid)) { // Make sure there is a "break" or "return" inside the loop. // Without the "break" a null pointer could be dereferenced in the // for statement. for (const Token *tok4 = scope->classStart; tok4; tok4 = tok4->next()) { if (tok4 == i->classEnd) { nullPointerError(tok1, var->name(), scope->classDef); break; } // There is a "break" or "return" inside the loop. // TODO: there can be false negatives. There could still be // execution paths that are not properly terminated else if (tok4->str() == "break" || tok4->str() == "return") break; } } } } } } } void CheckNullPointer::nullPointerByDeRefAndChec() { for (const Token *tok = _tokenizer->tokens(); tok; tok = tok->next()) { const Variable *var = tok->variable(); if (!var || !var->isPointer() || tok == var->nameToken()) continue; // Can pointer be NULL? const ValueFlow::Value *value = tok->getValue(0); if (!value) continue; if (!_settings->inconclusive && value->inconclusive) continue; // Is pointer used as function parameter? if (Token::Match(tok->previous(), "[(,] %var% [,)]")) { const Token *ftok = tok->previous(); while (ftok && ftok->str() != "(") { if (ftok->str() == ")") ftok = ftok->link(); ftok = ftok->previous(); } if (!ftok || !ftok->previous()) continue; std::list varlist; parseFunctionCall(*ftok->previous(), varlist, &_settings->library, 0); if (std::find(varlist.begin(), varlist.end(), tok) != varlist.end()) { if (value->condition == nullptr) nullPointerError(tok, tok->str()); else if (_settings->isEnabled("warning")) nullPointerError(tok, tok->str(), value->condition, value->inconclusive); } continue; } // Pointer dereference. bool unknown = false; if (!isPointerDeRef(tok,unknown)) { if (_settings->inconclusive && unknown) { if (value->condition == nullptr) nullPointerError(tok, tok->str(), true); else nullPointerError(tok, tok->str(), value->condition, true); } continue; } if (value->condition == nullptr) nullPointerError(tok, tok->str(), value->inconclusive); else if (_settings->isEnabled("warning")) nullPointerError(tok, tok->str(), value->condition, value->inconclusive); } } void CheckNullPointer::nullPointer() { nullPointerLinkedList(); nullPointerByDeRefAndChec(); nullPointerDefaultArgument(); } /** Dereferencing null constant (simplified token list) */ void CheckNullPointer::nullConstantDereference() { const SymbolDatabase *symbolDatabase = _tokenizer->getSymbolDatabase(); // THIS ARRAY MUST BE ORDERED ALPHABETICALLY static const char* const stl_stream[] = { "fstream", "ifstream", "iostream", "istream", "istringstream", "stringstream", "wistringstream", "wstringstream" }; const std::size_t functions = symbolDatabase->functionScopes.size(); for (std::size_t i = 0; i < functions; ++i) { const Scope * scope = symbolDatabase->functionScopes[i]; if (scope->function == 0 || !scope->function->hasBody) // We only look for functions with a body continue; const Token *tok = scope->classStart; if (scope->function && scope->function->isConstructor()) tok = scope->function->token; // Check initialization list for (; tok != scope->classEnd; tok = tok->next()) { if (Token::Match(tok, "sizeof|decltype|typeid|typeof (")) tok = tok->next()->link(); else if (Token::simpleMatch(tok, "* 0")) { if (Token::Match(tok->previous(), "return|throw|;|{|}|:|[|(|,") || tok->previous()->isOp()) { nullPointerError(tok); } } else if (Token::Match(tok, "0 [") && (tok->previous()->str() != "&" || !Token::Match(tok->next()->link()->next(), "[.(]"))) nullPointerError(tok); else if (Token::Match(tok->previous(), "!!. %var% (") && (tok->previous()->str() != "::" || tok->strAt(-2) == "std")) { if (Token::simpleMatch(tok->tokAt(2), "0 )") && tok->varId()) { // constructor call const Variable *var = tok->variable(); if (var && !var->isPointer() && !var->isArray() && var->isStlStringType()) nullPointerError(tok); } else { // function call std::list var; parseFunctionCall(*tok, var, &_settings->library, 0); // is one of the var items a NULL pointer? for (std::list::const_iterator it = var.begin(); it != var.end(); ++it) { if (Token::Match(*it, "0|NULL [,)]")) { nullPointerError(*it); } } } } else if (Token::Match(tok, "std :: string|wstring ( 0 )")) nullPointerError(tok); else if (Token::simpleMatch(tok->previous(), ">> 0")) { // Only checking input stream operations is safe here, because otherwise 0 can be an integer as well const Token* tok2 = tok->previous(); // Find start of statement for (; tok2; tok2 = tok2->previous()) { if (Token::Match(tok2->previous(), ";|{|}|:|(")) break; } if (tok2 && tok2->previous() && tok2->previous()->str()=="(") continue; if (Token::simpleMatch(tok2, "std :: cin")) nullPointerError(tok); if (tok2 && tok2->varId() != 0) { const Variable *var = tok2->variable(); if (var && var->isStlType(stl_stream)) nullPointerError(tok); } } const Variable *ovar = nullptr; if (Token::Match(tok, "0 ==|!=|>|>=|<|<= %var% !!.")) ovar = tok->tokAt(2)->variable(); else if (Token::Match(tok, "%var% ==|!=|>|>=|<|<= 0")) ovar = tok->variable(); else if (Token::Match(tok, "%var% =|+ 0 )|]|,|;|+")) ovar = tok->variable(); if (ovar && !ovar->isPointer() && !ovar->isArray() && ovar->isStlStringType() && tok->tokAt(2)->originalName() != "'\\0'") nullPointerError(tok); } } } /** * @brief If tok is a function call that passes in a pointer such that * the pointer may be modified, this function will remove that * pointer from pointerArgs. */ void CheckNullPointer::removeAssignedVarFromSet(const Token* tok, std::set& pointerArgs) { // If a pointer's address is passed into a function, stop considering it if (Token::Match(tok->previous(), "[;{}] %var% (")) { // Common functions that are known NOT to modify their pointer argument const char safeFunctions[] = "printf|sprintf|fprintf|vprintf"; const Token* endParen = tok->next()->link(); for (const Token* tok2 = tok->next(); tok2 != endParen; tok2 = tok2->next()) { if (tok2->isName() && tok2->varId() > 0 && !Token::Match(tok, safeFunctions)) { pointerArgs.erase(tok2->varId()); } } } } /** * @brief Does one part of the check for nullPointer(). * -# default argument that sets a pointer to 0 * -# dereference pointer */ void CheckNullPointer::nullPointerDefaultArgument() { if (!_settings->isEnabled("warning")) return; const SymbolDatabase *symbolDatabase = _tokenizer->getSymbolDatabase(); const std::size_t functions = symbolDatabase->functionScopes.size(); for (std::size_t i = 0; i < functions; ++i) { const Scope * scope = symbolDatabase->functionScopes[i]; if (scope->function == 0 || !scope->function->hasBody) // We only look for functions with a body continue; // Scan the argument list for default arguments that are pointers and // which default to a NULL pointer if no argument is specified. std::set pointerArgs; for (const Token *tok = scope->function->arg; tok != scope->function->arg->link(); tok = tok->next()) { if (Token::Match(tok, "%var% = 0 ,|)") && tok->varId() != 0) { const Variable *var = tok->variable(); if (var && var->isPointer()) pointerArgs.insert(tok->varId()); } } // Report an error if any of the default-NULL arguments are dereferenced if (!pointerArgs.empty()) { for (const Token *tok = scope->classStart; tok != scope->classEnd; tok = tok->next()) { // If we encounter a possible NULL-pointer check, skip over its body if (tok->str() == "?") { // TODO: Skip this if the condition is unrelated to the variables // Find end of statement tok = tok->astOperand2(); while (tok && !Token::Match(tok, ")|;")) { if (tok->link() && Token::Match(tok, "(|[|<|{")) tok = tok->link(); tok = tok->next(); } if (!tok) break; } else if (Token::simpleMatch(tok, "if (")) { bool dependsOnPointer = false; const Token *endOfCondition = tok->next()->link(); if (!endOfCondition) continue; const Token *startOfIfBlock = Token::simpleMatch(endOfCondition, ") {") ? endOfCondition->next() : nullptr; if (!startOfIfBlock) continue; // If this if() statement may return, it may be a null // pointer check for the pointers referenced in its condition const Token *endOfIf = startOfIfBlock->link(); bool isExitOrReturn = Token::findmatch(startOfIfBlock, "exit|return|throw", endOfIf) != nullptr; if (Token::Match(tok, "if ( %var% == 0 )")) { const unsigned int var = tok->tokAt(2)->varId(); if (var > 0 && pointerArgs.count(var) > 0) { if (isExitOrReturn) pointerArgs.erase(var); else dependsOnPointer = true; } } else { for (const Token *tok2 = tok->next(); tok2 != endOfCondition; tok2 = tok2->next()) { if (tok2->isName() && tok2->varId() > 0 && pointerArgs.count(tok2->varId()) > 0) { // If the if() depends on a pointer and may return, stop // considering that pointer because it may be a NULL-pointer // check that returns if the pointer is NULL. if (isExitOrReturn) pointerArgs.erase(tok2->varId()); else dependsOnPointer = true; } } } if (dependsOnPointer && endOfIf) { for (; tok != endOfIf; tok = tok->next()) { // If a pointer is assigned a new value, stop considering it. if (Token::Match(tok, "%var% =")) pointerArgs.erase(tok->varId()); else removeAssignedVarFromSet(tok, pointerArgs); } continue; } } // If there is a noreturn function (e.g. exit()), stop considering the rest of // this function. bool unknown = false; if (Token::Match(tok, "return|throw|exit") || (_tokenizer->IsScopeNoReturn(tok, &unknown) && !unknown)) break; removeAssignedVarFromSet(tok, pointerArgs); if (tok->varId() == 0 || pointerArgs.count(tok->varId()) == 0) continue; // If a pointer is assigned a new value, stop considering it. if (Token::Match(tok, "%var% =")) pointerArgs.erase(tok->varId()); // If a pointer dereference is preceded by an && or ||, // they serve as a sequence point so the dereference // may not be executed. if (isPointerDeRef(tok, unknown) && !unknown && tok->strAt(-1) != "&&" && tok->strAt(-1) != "||" && tok->strAt(-2) != "&&" && tok->strAt(-2) != "||") nullPointerDefaultArgError(tok, tok->str()); } } } } void CheckNullPointer::nullPointerError(const Token *tok) { reportError(tok, Severity::error, "nullPointer", "Null pointer dereference"); } void CheckNullPointer::nullPointerError(const Token *tok, const std::string &varname, bool inconclusive) { reportError(tok, Severity::error, "nullPointer", "Possible null pointer dereference: " + varname, inconclusive); } void CheckNullPointer::nullPointerError(const Token *tok, const std::string &varname, const Token* nullCheck, bool inconclusive) { std::list callstack; callstack.push_back(tok); callstack.push_back(nullCheck); const std::string errmsg("Possible null pointer dereference: " + varname + " - otherwise it is redundant to check it against null."); reportError(callstack, Severity::warning, "nullPointer", errmsg, inconclusive); } void CheckNullPointer::nullPointerDefaultArgError(const Token *tok, const std::string &varname) { reportError(tok, Severity::warning, "nullPointer", "Possible null pointer dereference if the default parameter value is used: " + varname); }