use_after_iter.cocci 3.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /// If list_for_each_entry, etc complete a traversal of the list, the iterator
  3. /// variable ends up pointing to an address at an offset from the list head,
  4. /// and not a meaningful structure. Thus this value should not be used after
  5. /// the end of the iterator.
  6. //#False positives arise when there is a goto in the iterator and the
  7. //#reported reference is at the label of this goto. Some flag tests
  8. //#may also cause a report to be a false positive.
  9. ///
  10. // Confidence: Moderate
  11. // Copyright: (C) 2012 Julia Lawall, INRIA/LIP6.
  12. // Copyright: (C) 2012 Gilles Muller, INRIA/LIP6.
  13. // URL: https://coccinelle.gitlabpages.inria.fr/website
  14. // Comments:
  15. // Options: --no-includes --include-headers
  16. virtual context
  17. virtual org
  18. virtual report
  19. @r exists@
  20. identifier c,member;
  21. expression E,x;
  22. iterator name list_for_each_entry;
  23. iterator name list_for_each_entry_reverse;
  24. iterator name list_for_each_entry_continue;
  25. iterator name list_for_each_entry_continue_reverse;
  26. iterator name list_for_each_entry_from;
  27. iterator name list_for_each_entry_safe;
  28. iterator name list_for_each_entry_safe_continue;
  29. iterator name list_for_each_entry_safe_from;
  30. iterator name list_for_each_entry_safe_reverse;
  31. iterator name hlist_for_each_entry;
  32. iterator name hlist_for_each_entry_continue;
  33. iterator name hlist_for_each_entry_from;
  34. iterator name hlist_for_each_entry_safe;
  35. statement S;
  36. position p1,p2;
  37. type T;
  38. @@
  39. (
  40. list_for_each_entry@p1(c,...,member) { ... when != break;
  41. when forall
  42. when strict
  43. }
  44. |
  45. list_for_each_entry_reverse@p1(c,...,member) { ... when != break;
  46. when forall
  47. when strict
  48. }
  49. |
  50. list_for_each_entry_continue@p1(c,...,member) { ... when != break;
  51. when forall
  52. when strict
  53. }
  54. |
  55. list_for_each_entry_continue_reverse@p1(c,...,member) { ... when != break;
  56. when forall
  57. when strict
  58. }
  59. |
  60. list_for_each_entry_from@p1(c,...,member) { ... when != break;
  61. when forall
  62. when strict
  63. }
  64. |
  65. list_for_each_entry_safe@p1(c,...,member) { ... when != break;
  66. when forall
  67. when strict
  68. }
  69. |
  70. list_for_each_entry_safe_continue@p1(c,...,member) { ... when != break;
  71. when forall
  72. when strict
  73. }
  74. |
  75. list_for_each_entry_safe_from@p1(c,...,member) { ... when != break;
  76. when forall
  77. when strict
  78. }
  79. |
  80. list_for_each_entry_safe_reverse@p1(c,...,member) { ... when != break;
  81. when forall
  82. when strict
  83. }
  84. )
  85. ...
  86. (
  87. list_for_each_entry(c,...) S
  88. |
  89. list_for_each_entry_reverse(c,...) S
  90. |
  91. list_for_each_entry_continue(c,...) S
  92. |
  93. list_for_each_entry_continue_reverse(c,...) S
  94. |
  95. list_for_each_entry_from(c,...) S
  96. |
  97. list_for_each_entry_safe(c,...) S
  98. |
  99. list_for_each_entry_safe(x,c,...) S
  100. |
  101. list_for_each_entry_safe_continue(c,...) S
  102. |
  103. list_for_each_entry_safe_continue(x,c,...) S
  104. |
  105. list_for_each_entry_safe_from(c,...) S
  106. |
  107. list_for_each_entry_safe_from(x,c,...) S
  108. |
  109. list_for_each_entry_safe_reverse(c,...) S
  110. |
  111. list_for_each_entry_safe_reverse(x,c,...) S
  112. |
  113. hlist_for_each_entry(c,...) S
  114. |
  115. hlist_for_each_entry_continue(c,...) S
  116. |
  117. hlist_for_each_entry_from(c,...) S
  118. |
  119. hlist_for_each_entry_safe(c,...) S
  120. |
  121. list_remove_head(x,c,...)
  122. |
  123. list_entry_is_head(c,...)
  124. |
  125. sizeof(<+...c...+>)
  126. |
  127. &c->member
  128. |
  129. T c;
  130. |
  131. c = E
  132. |
  133. *c@p2
  134. )
  135. @script:python depends on org@
  136. p1 << r.p1;
  137. p2 << r.p2;
  138. @@
  139. cocci.print_main("invalid iterator index reference",p2)
  140. cocci.print_secs("iterator",p1)
  141. @script:python depends on report@
  142. p1 << r.p1;
  143. p2 << r.p2;
  144. @@
  145. msg = "ERROR: invalid reference to the index variable of the iterator on line %s" % (p1[0].line)
  146. coccilib.report.print_report(p2[0], msg)