diff options
Diffstat (limited to 'scripts/coccinelle')
51 files changed, 4406 insertions, 0 deletions
diff --git a/scripts/coccinelle/api/alloc/alloc_cast.cocci b/scripts/coccinelle/api/alloc/alloc_cast.cocci new file mode 100644 index 000000000..6c308ee19 --- /dev/null +++ b/scripts/coccinelle/api/alloc/alloc_cast.cocci @@ -0,0 +1,72 @@ +/// Remove casting the values returned by memory allocation functions +/// like kmalloc, kzalloc, kmem_cache_alloc, kmem_cache_zalloc etc. +/// +//# This makes an effort to find cases of casting of values returned by +//# kmalloc, kzalloc, kcalloc, kmem_cache_alloc, kmem_cache_zalloc, +//# kmem_cache_alloc_node, kmalloc_node and kzalloc_node and removes +//# the casting as it is not required. The result in the patch case may +//#need some reformatting. +// +// Confidence: High +// Copyright: 2014, Himangi Saraogi GPLv2. +// Comments: +// Options: --no-includes --include-headers +// + +virtual context +virtual patch +virtual org +virtual report + +//---------------------------------------------------------- +// For context mode +//---------------------------------------------------------- + +@depends on context@ +type T; +@@ + +* (T *) + \(kmalloc\|kzalloc\|kcalloc\|kmem_cache_alloc\|kmem_cache_zalloc\| + kmem_cache_alloc_node\|kmalloc_node\|kzalloc_node\)(...) + +//---------------------------------------------------------- +// For patch mode +//---------------------------------------------------------- + +@depends on patch@ +type T; +@@ + +- (T *) + (\(kmalloc\|kzalloc\|kcalloc\|kmem_cache_alloc\|kmem_cache_zalloc\| + kmem_cache_alloc_node\|kmalloc_node\|kzalloc_node\)(...)) + +//---------------------------------------------------------- +// For org and report mode +//---------------------------------------------------------- + +@r depends on org || report@ +type T; +position p; +@@ + + (T@p *)\(kmalloc\|kzalloc\|kcalloc\|kmem_cache_alloc\|kmem_cache_zalloc\| + kmem_cache_alloc_node\|kmalloc_node\|kzalloc_node\)(...) + +@script:python depends on org@ +p << r.p; +t << r.T; +@@ + +coccilib.org.print_safe_todo(p[0], t) + +@script:python depends on report@ +p << r.p; +t << r.T; +@@ + +msg="WARNING: casting value returned by memory allocation function to (%s *) is useless." % (t) +coccilib.report.print_report(p[0], msg) + + diff --git a/scripts/coccinelle/api/alloc/kzalloc-simple.cocci b/scripts/coccinelle/api/alloc/kzalloc-simple.cocci new file mode 100644 index 000000000..52c55e4fa --- /dev/null +++ b/scripts/coccinelle/api/alloc/kzalloc-simple.cocci @@ -0,0 +1,86 @@ +/// +/// Use kzalloc rather than kmalloc followed by memset with 0 +/// +/// This considers some simple cases that are common and easy to validate +/// Note in particular that there are no ...s in the rule, so all of the +/// matched code has to be contiguous +/// +// Confidence: High +// Copyright: (C) 2009-2010 Julia Lawall, Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2009-2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/rules/kzalloc.html +// Options: --no-includes --include-headers +// +// Keywords: kmalloc, kzalloc +// Version min: < 2.6.12 kmalloc +// Version min: 2.6.14 kzalloc +// + +virtual context +virtual patch +virtual org +virtual report + +//---------------------------------------------------------- +// For context mode +//---------------------------------------------------------- + +@depends on context@ +type T, T2; +expression x; +expression E1,E2; +statement S; +@@ + +* x = (T)kmalloc(E1,E2); + if ((x==NULL) || ...) S +* memset((T2)x,0,E1); + +//---------------------------------------------------------- +// For patch mode +//---------------------------------------------------------- + +@depends on patch@ +type T, T2; +expression x; +expression E1,E2; +statement S; +@@ + +- x = (T)kmalloc(E1,E2); ++ x = kzalloc(E1,E2); + if ((x==NULL) || ...) S +- memset((T2)x,0,E1); + +//---------------------------------------------------------- +// For org mode +//---------------------------------------------------------- + +@r depends on org || report@ +type T, T2; +expression x; +expression E1,E2; +statement S; +position p; +@@ + + x = (T)kmalloc@p(E1,E2); + if ((x==NULL) || ...) S + memset((T2)x,0,E1); + +@script:python depends on org@ +p << r.p; +x << r.x; +@@ + +msg="%s" % (x) +msg_safe=msg.replace("[","@(").replace("]",")") +coccilib.org.print_todo(p[0], msg_safe) + +@script:python depends on report@ +p << r.p; +x << r.x; +@@ + +msg="WARNING: kzalloc should be used for %s, instead of kmalloc/memset" % (x) +coccilib.report.print_report(p[0], msg) diff --git a/scripts/coccinelle/api/d_find_alias.cocci b/scripts/coccinelle/api/d_find_alias.cocci new file mode 100644 index 000000000..9594c9f7e --- /dev/null +++ b/scripts/coccinelle/api/d_find_alias.cocci @@ -0,0 +1,80 @@ +/// Make sure calls to d_find_alias() have a corresponding call to dput(). +// +// Keywords: d_find_alias, dput +// +// Confidence: Moderate +// URL: http://coccinelle.lip6.fr/ +// Options: --include-headers + +virtual context +virtual org +virtual patch +virtual report + +@r exists@ +local idexpression struct dentry *dent; +expression E, E1; +statement S1, S2; +position p1, p2; +@@ +( + if (!(dent@p1 = d_find_alias(...))) S1 +| + dent@p1 = d_find_alias(...) +) + +<...when != dput(dent) + when != if (...) { <+... dput(dent) ...+> } + when != true !dent || ... + when != dent = E + when != E = dent +if (!dent || ...) S2 +...> +( + return <+...dent...+>; +| + return @p2 ...; +| + dent@p2 = E1; +| + E1 = dent; +) + +@depends on context@ +local idexpression struct dentry *r.dent; +position r.p1,r.p2; +@@ +* dent@p1 = ... + ... +( +* return@p2 ...; +| +* dent@p2 +) + + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +@@ +cocci.print_main("Missing call to dput()",p1) +cocci.print_secs("",p2) + +@depends on patch@ +local idexpression struct dentry *r.dent; +position r.p2; +@@ +( ++ dput(dent); + return @p2 ...; +| ++ dput(dent); + dent@p2 = ...; +) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +@@ +msg = "Missing call to dput() at line %s." +coccilib.report.print_report(p1[0], msg % (p2[0].line)) diff --git a/scripts/coccinelle/api/err_cast.cocci b/scripts/coccinelle/api/err_cast.cocci new file mode 100644 index 000000000..2ce115000 --- /dev/null +++ b/scripts/coccinelle/api/err_cast.cocci @@ -0,0 +1,56 @@ +/// +/// Use ERR_CAST inlined function instead of ERR_PTR(PTR_ERR(...)) +/// +// Confidence: High +// Copyright: (C) 2009, 2010 Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2009, 2010 Julia Lawall, DIKU. GPLv2. +// Copyright: (C) 2009, 2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Options: +// +// Keywords: ERR_PTR, PTR_ERR, ERR_CAST +// Version min: 2.6.25 +// + +virtual context +virtual patch +virtual org +virtual report + + +@ depends on context && !patch && !org && !report@ +expression x; +@@ + +* ERR_PTR(PTR_ERR(x)) + +@ depends on !context && patch && !org && !report @ +expression x; +@@ + +- ERR_PTR(PTR_ERR(x)) ++ ERR_CAST(x) + +@r depends on !context && !patch && (org || report)@ +expression x; +position p; +@@ + + ERR_PTR@p(PTR_ERR(x)) + +@script:python depends on org@ +p << r.p; +x << r.x; +@@ + +msg="WARNING ERR_CAST can be used with %s" % (x) +msg_safe=msg.replace("[","@(").replace("]",")") +coccilib.org.print_todo(p[0], msg_safe) + +@script:python depends on report@ +p << r.p; +x << r.x; +@@ + +msg="WARNING: ERR_CAST can be used with %s" % (x) +coccilib.report.print_report(p[0], msg) diff --git a/scripts/coccinelle/api/kstrdup.cocci b/scripts/coccinelle/api/kstrdup.cocci new file mode 100644 index 000000000..09cba54ed --- /dev/null +++ b/scripts/coccinelle/api/kstrdup.cocci @@ -0,0 +1,104 @@ +/// Use kstrdup rather than duplicating its implementation +/// +// Confidence: High +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@depends on patch@ +expression from,to; +expression flag,E1,E2; +statement S; +@@ + +- to = kmalloc(strlen(from) + 1,flag); ++ to = kstrdup(from, flag); + ... when != \(from = E1 \| to = E1 \) + if (to==NULL || ...) S + ... when != \(from = E2 \| to = E2 \) +- strcpy(to, from); + +@depends on patch@ +expression x,from,to; +expression flag,E1,E2,E3; +statement S; +@@ + +- x = strlen(from) + 1; + ... when != \( x = E1 \| from = E1 \) +- to = \(kmalloc\|kzalloc\)(x,flag); ++ to = kstrdup(from, flag); + ... when != \(x = E2 \| from = E2 \| to = E2 \) + if (to==NULL || ...) S + ... when != \(x = E3 \| from = E3 \| to = E3 \) +- memcpy(to, from, x); + +// --------------------------------------------------------------------- + +@r1 depends on !patch exists@ +expression from,to; +expression flag,E1,E2; +statement S; +position p1,p2; +@@ + +* to = kmalloc@p1(strlen(from) + 1,flag); + ... when != \(from = E1 \| to = E1 \) + if (to==NULL || ...) S + ... when != \(from = E2 \| to = E2 \) +* strcpy@p2(to, from); + +@r2 depends on !patch exists@ +expression x,from,to; +expression flag,E1,E2,E3; +statement S; +position p1,p2; +@@ + +* x = strlen(from) + 1; + ... when != \( x = E1 \| from = E1 \) +* to = \(kmalloc@p1\|kzalloc@p2\)(x,flag); + ... when != \(x = E2 \| from = E2 \| to = E2 \) + if (to==NULL || ...) S + ... when != \(x = E3 \| from = E3 \| to = E3 \) +* memcpy@p2(to, from, x); + +@script:python depends on org@ +p1 << r1.p1; +p2 << r1.p2; +@@ + +cocci.print_main("WARNING opportunity for kstrdep",p1) +cocci.print_secs("strcpy",p2) + +@script:python depends on org@ +p1 << r2.p1; +p2 << r2.p2; +@@ + +cocci.print_main("WARNING opportunity for kstrdep",p1) +cocci.print_secs("memcpy",p2) + +@script:python depends on report@ +p1 << r1.p1; +p2 << r1.p2; +@@ + +msg = "WARNING opportunity for kstrdep (strcpy on line %s)" % (p2[0].line) +coccilib.report.print_report(p1[0], msg) + +@script:python depends on report@ +p1 << r2.p1; +p2 << r2.p2; +@@ + +msg = "WARNING opportunity for kstrdep (memcpy on line %s)" % (p2[0].line) +coccilib.report.print_report(p1[0], msg) diff --git a/scripts/coccinelle/api/memdup.cocci b/scripts/coccinelle/api/memdup.cocci new file mode 100644 index 000000000..3d1aa71b7 --- /dev/null +++ b/scripts/coccinelle/api/memdup.cocci @@ -0,0 +1,66 @@ +/// Use kmemdup rather than duplicating its implementation +/// +// Confidence: High +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@r1@ +expression from,to; +expression flag; +position p; +@@ + + to = \(kmalloc@p\|kzalloc@p\)(strlen(from) + 1,flag); + +@r2@ +expression x,from,to; +expression flag,E1; +position p; +@@ + + x = strlen(from) + 1; + ... when != \( x = E1 \| from = E1 \) + to = \(kmalloc@p\|kzalloc@p\)(x,flag); + +@depends on patch@ +expression from,to,size,flag; +position p != {r1.p,r2.p}; +statement S; +@@ + +- to = \(kmalloc@p\|kzalloc@p\)(size,flag); ++ to = kmemdup(from,size,flag); + if (to==NULL || ...) S +- memcpy(to, from, size); + +@r depends on !patch@ +expression from,to,size,flag; +position p != {r1.p,r2.p}; +statement S; +@@ + +* to = \(kmalloc@p\|kzalloc@p\)(size,flag); + to = kmemdup(from,size,flag); + if (to==NULL || ...) S +* memcpy(to, from, size); + +@script:python depends on org@ +p << r.p; +@@ + +coccilib.org.print_todo(p[0], "WARNING opportunity for kmemdep") + +@script:python depends on report@ +p << r.p; +@@ + +coccilib.report.print_report(p[0], "WARNING opportunity for kmemdep") diff --git a/scripts/coccinelle/api/memdup_user.cocci b/scripts/coccinelle/api/memdup_user.cocci new file mode 100644 index 000000000..c606231b0 --- /dev/null +++ b/scripts/coccinelle/api/memdup_user.cocci @@ -0,0 +1,60 @@ +/// Use memdup_user rather than duplicating its implementation +/// This is a little bit restricted to reduce false positives +/// +// Confidence: High +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@depends on patch@ +expression from,to,size,flag; +identifier l1,l2; +@@ + +- to = \(kmalloc\|kzalloc\)(size,flag); ++ to = memdup_user(from,size); + if ( +- to==NULL ++ IS_ERR(to) + || ...) { + <+... when != goto l1; +- -ENOMEM ++ PTR_ERR(to) + ...+> + } +- if (copy_from_user(to, from, size) != 0) { +- <+... when != goto l2; +- -EFAULT +- ...+> +- } + +@r depends on !patch@ +expression from,to,size,flag; +position p; +statement S1,S2; +@@ + +* to = \(kmalloc@p\|kzalloc@p\)(size,flag); + if (to==NULL || ...) S1 + if (copy_from_user(to, from, size) != 0) + S2 + +@script:python depends on org@ +p << r.p; +@@ + +coccilib.org.print_todo(p[0], "WARNING opportunity for memdup_user") + +@script:python depends on report@ +p << r.p; +@@ + +coccilib.report.print_report(p[0], "WARNING opportunity for memdup_user") diff --git a/scripts/coccinelle/api/platform_no_drv_owner.cocci b/scripts/coccinelle/api/platform_no_drv_owner.cocci new file mode 100644 index 000000000..e065b9e71 --- /dev/null +++ b/scripts/coccinelle/api/platform_no_drv_owner.cocci @@ -0,0 +1,106 @@ +/// Remove .owner field if calls are used which set it automatically +/// +// Confidence: High +// Copyright: (C) 2014 Wolfram Sang. GPL v2. + +virtual patch +virtual context +virtual org +virtual report + +@match1@ +declarer name module_platform_driver; +declarer name module_platform_driver_probe; +identifier __driver; +@@ +( + module_platform_driver(__driver); +| + module_platform_driver_probe(__driver, ...); +) + +@fix1 depends on match1 && patch && !context && !org && !report@ +identifier match1.__driver; +@@ + static struct platform_driver __driver = { + .driver = { +- .owner = THIS_MODULE, + } + }; + +@match2@ +identifier __driver; +@@ +( + platform_driver_register(&__driver) +| + platform_driver_probe(&__driver, ...) +| + platform_create_bundle(&__driver, ...) +) + +@fix2 depends on match2 && patch && !context && !org && !report@ +identifier match2.__driver; +@@ + static struct platform_driver __driver = { + .driver = { +- .owner = THIS_MODULE, + } + }; + +// ---------------------------------------------------------------------------- + +@fix1_context depends on match1 && !patch && (context || org || report)@ +identifier match1.__driver; +position j0; +@@ + + static struct platform_driver __driver = { + .driver = { +* .owner@j0 = THIS_MODULE, + } + }; + +@fix2_context depends on match2 && !patch && (context || org || report)@ +identifier match2.__driver; +position j0; +@@ + + static struct platform_driver __driver = { + .driver = { +* .owner@j0 = THIS_MODULE, + } + }; + +// ---------------------------------------------------------------------------- + +@script:python fix1_org depends on org@ +j0 << fix1_context.j0; +@@ + +msg = "No need to set .owner here. The core will do it." +coccilib.org.print_todo(j0[0], msg) + +@script:python fix2_org depends on org@ +j0 << fix2_context.j0; +@@ + +msg = "No need to set .owner here. The core will do it." +coccilib.org.print_todo(j0[0], msg) + +// ---------------------------------------------------------------------------- + +@script:python fix1_report depends on report@ +j0 << fix1_context.j0; +@@ + +msg = "No need to set .owner here. The core will do it." +coccilib.report.print_report(j0[0], msg) + +@script:python fix2_report depends on report@ +j0 << fix2_context.j0; +@@ + +msg = "No need to set .owner here. The core will do it." +coccilib.report.print_report(j0[0], msg) + diff --git a/scripts/coccinelle/api/pm_runtime.cocci b/scripts/coccinelle/api/pm_runtime.cocci new file mode 100644 index 000000000..f01789e96 --- /dev/null +++ b/scripts/coccinelle/api/pm_runtime.cocci @@ -0,0 +1,109 @@ +/// Make sure pm_runtime_* calls does not use unnecessary IS_ERR_VALUE +// +// Keywords: pm_runtime +// Confidence: Medium +// Copyright (C) 2013 Texas Instruments Incorporated - GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Options: --include-headers + +virtual patch +virtual context +virtual org +virtual report + +//---------------------------------------------------------- +// Detection +//---------------------------------------------------------- + +@runtime_bad_err_handle exists@ +expression ret; +@@ +( +ret = \(pm_runtime_idle\| + pm_runtime_suspend\| + pm_runtime_autosuspend\| + pm_runtime_resume\| + pm_request_idle\| + pm_request_resume\| + pm_request_autosuspend\| + pm_runtime_get\| + pm_runtime_get_sync\| + pm_runtime_put\| + pm_runtime_put_autosuspend\| + pm_runtime_put_sync\| + pm_runtime_put_sync_suspend\| + pm_runtime_put_sync_autosuspend\| + pm_runtime_set_active\| + pm_schedule_suspend\| + pm_runtime_barrier\| + pm_generic_runtime_suspend\| + pm_generic_runtime_resume\)(...); +... +IS_ERR_VALUE(ret) +... +) + +//---------------------------------------------------------- +// For context mode +//---------------------------------------------------------- + +@depends on runtime_bad_err_handle && context@ +identifier pm_runtime_api; +expression ret; +@@ +( +ret = pm_runtime_api(...); +... +* IS_ERR_VALUE(ret) +... +) + +//---------------------------------------------------------- +// For patch mode +//---------------------------------------------------------- + +@depends on runtime_bad_err_handle && patch@ +identifier pm_runtime_api; +expression ret; +@@ +( +ret = pm_runtime_api(...); +... +- IS_ERR_VALUE(ret) ++ ret < 0 +... +) + +//---------------------------------------------------------- +// For org and report mode +//---------------------------------------------------------- + +@r depends on runtime_bad_err_handle exists@ +position p1, p2; +identifier pm_runtime_api; +expression ret; +@@ +( +ret = pm_runtime_api@p1(...); +... +IS_ERR_VALUE@p2(ret) +... +) + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +pm_runtime_api << r.pm_runtime_api; +@@ + +cocci.print_main(pm_runtime_api,p1) +cocci.print_secs("IS_ERR_VALUE",p2) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +pm_runtime_api << r.pm_runtime_api; +@@ + +msg = "%s returns < 0 as error. Unecessary IS_ERR_VALUE at line %s" % (pm_runtime_api, p2[0].line) +coccilib.report.print_report(p1[0],msg) diff --git a/scripts/coccinelle/api/ptr_ret.cocci b/scripts/coccinelle/api/ptr_ret.cocci new file mode 100644 index 000000000..dd58dab5d --- /dev/null +++ b/scripts/coccinelle/api/ptr_ret.cocci @@ -0,0 +1,96 @@ +/// +/// Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR +/// +// Confidence: High +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Options: --no-includes --include-headers +// +// Keywords: ERR_PTR, PTR_ERR, PTR_ERR_OR_ZERO +// Version min: 2.6.39 +// + +virtual context +virtual patch +virtual org +virtual report + +@depends on patch@ +expression ptr; +@@ + +- if (IS_ERR(ptr)) return PTR_ERR(ptr); else return 0; ++ return PTR_ERR_OR_ZERO(ptr); + +@depends on patch@ +expression ptr; +@@ + +- if (IS_ERR(ptr)) return PTR_ERR(ptr); return 0; ++ return PTR_ERR_OR_ZERO(ptr); + +@depends on patch@ +expression ptr; +@@ + +- (IS_ERR(ptr) ? PTR_ERR(ptr) : 0) ++ PTR_ERR_OR_ZERO(ptr) + +@r1 depends on !patch@ +expression ptr; +position p1; +@@ + +* if@p1 (IS_ERR(ptr)) return PTR_ERR(ptr); else return 0; + +@r2 depends on !patch@ +expression ptr; +position p2; +@@ + +* if@p2 (IS_ERR(ptr)) return PTR_ERR(ptr); return 0; + +@r3 depends on !patch@ +expression ptr; +position p3; +@@ + +* IS_ERR@p3(ptr) ? PTR_ERR(ptr) : 0 + +@script:python depends on org@ +p << r1.p1; +@@ + +coccilib.org.print_todo(p[0], "WARNING: PTR_ERR_OR_ZERO can be used") + + +@script:python depends on org@ +p << r2.p2; +@@ + +coccilib.org.print_todo(p[0], "WARNING: PTR_ERR_OR_ZERO can be used") + +@script:python depends on org@ +p << r3.p3; +@@ + +coccilib.org.print_todo(p[0], "WARNING: PTR_ERR_OR_ZERO can be used") + +@script:python depends on report@ +p << r1.p1; +@@ + +coccilib.report.print_report(p[0], "WARNING: PTR_ERR_OR_ZERO can be used") + +@script:python depends on report@ +p << r2.p2; +@@ + +coccilib.report.print_report(p[0], "WARNING: PTR_ERR_OR_ZERO can be used") + +@script:python depends on report@ +p << r3.p3; +@@ + +coccilib.report.print_report(p[0], "WARNING: PTR_ERR_OR_ZERO can be used") diff --git a/scripts/coccinelle/api/resource_size.cocci b/scripts/coccinelle/api/resource_size.cocci new file mode 100644 index 000000000..1935a58b3 --- /dev/null +++ b/scripts/coccinelle/api/resource_size.cocci @@ -0,0 +1,93 @@ +/// +/// Use resource_size function on resource object +/// instead of explicit computation. +/// +// Confidence: High +// Copyright: (C) 2009, 2010 Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2009, 2010 Julia Lawall, DIKU. GPLv2. +// Copyright: (C) 2009, 2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Options: +// +// Keywords: resource_size +// Version min: 2.6.27 resource_size +// + +virtual context +virtual patch +virtual org +virtual report + +//---------------------------------------------------------- +// For context mode +//---------------------------------------------------------- + +@r_context depends on context && !patch && !org@ +struct resource *res; +@@ + +* (res->end - res->start) + 1 + +//---------------------------------------------------------- +// For patch mode +//---------------------------------------------------------- + +@r_patch depends on !context && patch && !org@ +struct resource *res; +@@ + +- (res->end - res->start) + 1 ++ resource_size(res) + +//---------------------------------------------------------- +// For org mode +//---------------------------------------------------------- + + +@r_org depends on !context && !patch && (org || report)@ +struct resource *res; +position p; +@@ + + (res->end@p - res->start) + 1 + +@rbad_org depends on !context && !patch && (org || report)@ +struct resource *res; +position p != r_org.p; +@@ + + res->end@p - res->start + +@script:python depends on org@ +p << r_org.p; +x << r_org.res; +@@ + +msg="ERROR with %s" % (x) +msg_safe=msg.replace("[","@(").replace("]",")") +coccilib.org.print_todo(p[0], msg_safe) + +@script:python depends on report@ +p << r_org.p; +x << r_org.res; +@@ + +msg="ERROR: Missing resource_size with %s" % (x) +coccilib.report.print_report(p[0], msg) + +@script:python depends on org@ +p << rbad_org.p; +x << rbad_org.res; +@@ + +msg="WARNING with %s" % (x) +msg_safe=msg.replace("[","@(").replace("]",")") +coccilib.org.print_todo(p[0], msg_safe) + +@script:python depends on report@ +p << rbad_org.p; +x << rbad_org.res; +@@ + +msg="WARNING: Suspicious code. resource_size is maybe missing with %s" % (x) +coccilib.report.print_report(p[0], msg) diff --git a/scripts/coccinelle/api/simple_open.cocci b/scripts/coccinelle/api/simple_open.cocci new file mode 100644 index 000000000..b67e174f3 --- /dev/null +++ b/scripts/coccinelle/api/simple_open.cocci @@ -0,0 +1,70 @@ +/// This removes an open coded simple_open() function +/// and replaces file operations references to the function +/// with simple_open() instead. +/// +// Confidence: High +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual report + +@ open depends on patch @ +identifier open_f != simple_open; +identifier i, f; +@@ +-int open_f(struct inode *i, struct file *f) +-{ +( +-if (i->i_private) +-f->private_data = i->i_private; +| +-f->private_data = i->i_private; +) +-return 0; +-} + +@ has_open depends on open @ +identifier fops; +identifier open.open_f; +@@ +struct file_operations fops = { +..., +-.open = open_f, ++.open = simple_open, +... +}; + +@ openr depends on report @ +identifier open_f != simple_open; +identifier i, f; +position p; +@@ +int open_f@p(struct inode *i, struct file *f) +{ +( +if (i->i_private) +f->private_data = i->i_private; +| +f->private_data = i->i_private; +) +return 0; +} + +@ has_openr depends on openr @ +identifier fops; +identifier openr.open_f; +position p; +@@ +struct file_operations fops = { +..., +.open = open_f@p, +... +}; + +@script:python@ +pf << openr.p; +ps << has_openr.p; +@@ + +coccilib.report.print_report(pf[0],"WARNING opportunity for simple_open, see also structure on line %s"%(ps[0].line)) diff --git a/scripts/coccinelle/free/clk_put.cocci b/scripts/coccinelle/free/clk_put.cocci new file mode 100644 index 000000000..46747adfd --- /dev/null +++ b/scripts/coccinelle/free/clk_put.cocci @@ -0,0 +1,67 @@ +/// Find missing clk_puts. +/// +//# This only signals a missing clk_put when there is a clk_put later +//# in the same function. +//# False positives can be due to loops. +// +// Confidence: Moderate +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: + +virtual context +virtual org +virtual report + +@clk@ +expression e; +statement S,S1; +int ret; +position p1,p2,p3; +@@ + +e = clk_get@p1(...) +... when != clk_put(e) +if (<+...e...+>) S +... when any + when != clk_put(e) + when != if (...) { ... clk_put(e); ... } +( + if (ret == 0) S1 +| +if (...) + { ... + return 0; } +| +if (...) + { ... + return <+...e...+>; } +| +*if@p2 (...) + { ... when != clk_put(e) + when forall + return@p3 ...; } +) +... when any +clk_put(e); + +@script:python depends on org@ +p1 << clk.p1; +p2 << clk.p2; +p3 << clk.p3; +@@ + +cocci.print_main("clk_get",p1) +cocci.print_secs("if",p2) +cocci.print_secs("needed clk_put",p3) + +@script:python depends on report@ +p1 << clk.p1; +p2 << clk.p2; +p3 << clk.p3; +@@ + +msg = "ERROR: missing clk_put; clk_get on line %s and execution via conditional on line %s" % (p1[0].line,p2[0].line) +coccilib.report.print_report(p3[0],msg) diff --git a/scripts/coccinelle/free/devm_free.cocci b/scripts/coccinelle/free/devm_free.cocci new file mode 100644 index 000000000..3d9349012 --- /dev/null +++ b/scripts/coccinelle/free/devm_free.cocci @@ -0,0 +1,71 @@ +/// Find uses of standard freeing functons on values allocated using devm_ +/// functions. Values allocated using the devm_functions are freed when +/// the device is detached, and thus the use of the standard freeing +/// function would cause a double free. +/// See Documentation/driver-model/devres.txt for more information. +/// +/// A difficulty of detecting this problem is that the standard freeing +/// function might be called from a different function than the one +/// containing the allocation function. It is thus necessary to make the +/// connection between the allocation function and the freeing function. +/// Here this is done using the specific argument text, which is prone to +/// false positives. There is no rule for the request_region and +/// request_mem_region variants because this heuristic seems to be a bit +/// less reliable in these cases. +/// +// Confidence: Moderate +// Copyright: (C) 2011 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2011 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual org +virtual report +virtual context + +@r depends on context || org || report@ +expression x; +@@ + +( + x = devm_kzalloc(...) +| + x = devm_request_irq(...) +| + x = devm_ioremap(...) +| + x = devm_ioremap_nocache(...) +| + x = devm_ioport_map(...) +) + +@pb@ +expression r.x; +position p; +@@ + +( +* kfree@p(x) +| +* free_irq@p(x) +| +* iounmap@p(x) +| +* ioport_unmap@p(x) +) + +@script:python depends on org@ +p << pb.p; +@@ + +msg="WARNING: invalid free of devm_ allocated data" +coccilib.org.print_todo(p[0], msg) + +@script:python depends on report@ +p << pb.p; +@@ + +msg="WARNING: invalid free of devm_ allocated data" +coccilib.report.print_report(p[0], msg) + diff --git a/scripts/coccinelle/free/ifnullfree.cocci b/scripts/coccinelle/free/ifnullfree.cocci new file mode 100644 index 000000000..a42d70bf8 --- /dev/null +++ b/scripts/coccinelle/free/ifnullfree.cocci @@ -0,0 +1,53 @@ +/// NULL check before some freeing functions is not needed. +/// +/// Based on checkpatch warning +/// "kfree(NULL) is safe this check is probably not required" +/// and kfreeaddr.cocci by Julia Lawall. +/// +// Copyright: (C) 2014 Fabian Frederick. GPLv2. +// Comments: - +// Options: --no-includes --include-headers + +virtual patch +virtual org +virtual report +virtual context + +@r2 depends on patch@ +expression E; +@@ +- if (E) +( +- kfree(E); ++ kfree(E); +| +- debugfs_remove(E); ++ debugfs_remove(E); +| +- debugfs_remove_recursive(E); ++ debugfs_remove_recursive(E); +| +- usb_free_urb(E); ++ usb_free_urb(E); +) + +@r depends on context || report || org @ +expression E; +position p; +@@ + +* if (E) +* \(kfree@p\|debugfs_remove@p\|debugfs_remove_recursive@p\|usb_free_urb\)(E); + +@script:python depends on org@ +p << r.p; +@@ + +cocci.print_main("NULL check before that freeing function is not needed", p) + +@script:python depends on report@ +p << r.p; +@@ + +msg = "WARNING: NULL check before freeing functions like kfree, debugfs_remove, debugfs_remove_recursive or usb_free_urb is not needed. Maybe consider reorganizing relevant code to avoid passing NULL values." +coccilib.report.print_report(p[0], msg) diff --git a/scripts/coccinelle/free/iounmap.cocci b/scripts/coccinelle/free/iounmap.cocci new file mode 100644 index 000000000..5384f4ba1 --- /dev/null +++ b/scripts/coccinelle/free/iounmap.cocci @@ -0,0 +1,67 @@ +/// Find missing iounmaps. +/// +//# This only signals a missing iounmap when there is an iounmap later +//# in the same function. +//# False positives can be due to loops. +// +// Confidence: Moderate +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: + +virtual context +virtual org +virtual report + +@iom@ +expression e; +statement S,S1; +int ret; +position p1,p2,p3; +@@ + +e = \(ioremap@p1\|ioremap_nocache@p1\)(...) +... when != iounmap(e) +if (<+...e...+>) S +... when any + when != iounmap(e) + when != if (...) { ... iounmap(e); ... } +( + if (ret == 0) S1 +| +if (...) + { ... + return 0; } +| +if (...) + { ... + return <+...e...+>; } +| +*if@p2 (...) + { ... when != iounmap(e) + when forall + return@p3 ...; } +) +... when any +iounmap(e); + +@script:python depends on org@ +p1 << iom.p1; +p2 << iom.p2; +p3 << iom.p3; +@@ + +cocci.print_main("ioremap",p1) +cocci.print_secs("if",p2) +cocci.print_secs("needed iounmap",p3) + +@script:python depends on report@ +p1 << iom.p1; +p2 << iom.p2; +p3 << iom.p3; +@@ + +msg = "ERROR: missing iounmap; ioremap on line %s and execution via conditional on line %s" % (p1[0].line,p2[0].line) +coccilib.report.print_report(p3[0],msg) diff --git a/scripts/coccinelle/free/kfree.cocci b/scripts/coccinelle/free/kfree.cocci new file mode 100644 index 000000000..577b78056 --- /dev/null +++ b/scripts/coccinelle/free/kfree.cocci @@ -0,0 +1,121 @@ +/// Find a use after free. +//# Values of variables may imply that some +//# execution paths are not possible, resulting in false positives. +//# Another source of false positives are macros such as +//# SCTP_DBG_OBJCNT_DEC that do not actually evaluate their argument +/// +// Confidence: Moderate +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual org +virtual report + +@free@ +expression E; +position p1; +@@ + +kfree@p1(E) + +@print expression@ +constant char [] c; +expression free.E,E2; +type T; +position p; +identifier f; +@@ + +( + f(...,c,...,(T)E@p,...) +| + E@p == E2 +| + E@p != E2 +| + E2 == E@p +| + E2 != E@p +| + !E@p +| + E@p || ... +) + +@sz@ +expression free.E; +position p; +@@ + + sizeof(<+...E@p...+>) + +@loop exists@ +expression E; +identifier l; +position ok; +@@ + +while (1) { ... + kfree@ok(E) + ... when != break; + when != goto l; + when forall +} + +@r exists@ +expression free.E, subE<=free.E, E2; +expression E1; +iterator iter; +statement S; +position free.p1!=loop.ok,p2!={print.p,sz.p}; +@@ + +kfree@p1(E,...) +... +( + iter(...,subE,...) S // no use +| + list_remove_head(E1,subE,...) +| + subE = E2 +| + subE++ +| + ++subE +| + --subE +| + subE-- +| + &subE +| + BUG(...) +| + BUG_ON(...) +| + return_VALUE(...) +| + return_ACPI_STATUS(...) +| + E@p2 // bad use +) + +@script:python depends on org@ +p1 << free.p1; +p2 << r.p2; +@@ + +cocci.print_main("kfree",p1) +cocci.print_secs("ref",p2) + +@script:python depends on report@ +p1 << free.p1; +p2 << r.p2; +@@ + +msg = "ERROR: reference preceded by free on line %s" % (p1[0].line) +coccilib.report.print_report(p2[0],msg) diff --git a/scripts/coccinelle/free/kfreeaddr.cocci b/scripts/coccinelle/free/kfreeaddr.cocci new file mode 100644 index 000000000..ce8aacc31 --- /dev/null +++ b/scripts/coccinelle/free/kfreeaddr.cocci @@ -0,0 +1,32 @@ +/// Free of a structure field +/// +// Confidence: High +// Copyright: (C) 2013 Julia Lawall, INRIA/LIP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual org +virtual report +virtual context + +@r depends on context || report || org @ +expression e; +identifier f; +position p; +@@ + +* kfree@p(&e->f) + +@script:python depends on org@ +p << r.p; +@@ + +cocci.print_main("kfree",p) + +@script:python depends on report@ +p << r.p; +@@ + +msg = "ERROR: kfree of structure field" +coccilib.report.print_report(p[0],msg) diff --git a/scripts/coccinelle/free/pci_free_consistent.cocci b/scripts/coccinelle/free/pci_free_consistent.cocci new file mode 100644 index 000000000..43600ccb6 --- /dev/null +++ b/scripts/coccinelle/free/pci_free_consistent.cocci @@ -0,0 +1,52 @@ +/// Find missing pci_free_consistent for every pci_alloc_consistent. +/// +// Confidence: Moderate +// Copyright: (C) 2013 Petr Strnad. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Keywords: pci_free_consistent, pci_alloc_consistent +// Options: --no-includes --include-headers + +virtual report +virtual org + +@search@ +local idexpression id; +expression x,y,z,e; +position p1,p2; +type T; +@@ + +id = pci_alloc_consistent@p1(x,y,&z) +... when != e = id +if (id == NULL || ...) { ... return ...; } +... when != pci_free_consistent(x,y,id,z) + when != if (id) { ... pci_free_consistent(x,y,id,z) ... } + when != if (y) { ... pci_free_consistent(x,y,id,z) ... } + when != e = (T)id + when exists +( +return 0; +| +return 1; +| +return id; +| +return@p2 ...; +) + +@script:python depends on report@ +p1 << search.p1; +p2 << search.p2; +@@ + +msg = "ERROR: missing pci_free_consistent; pci_alloc_consistent on line %s and return without freeing on line %s" % (p1[0].line,p2[0].line) +coccilib.report.print_report(p2[0],msg) + +@script:python depends on org@ +p1 << search.p1; +p2 << search.p2; +@@ + +msg = "ERROR: missing pci_free_consistent; pci_alloc_consistent on line %s and return without freeing on line %s" % (p1[0].line,p2[0].line) +cocci.print_main(msg,p1) +cocci.print_secs("",p2) diff --git a/scripts/coccinelle/iterators/fen.cocci b/scripts/coccinelle/iterators/fen.cocci new file mode 100644 index 000000000..48c152f22 --- /dev/null +++ b/scripts/coccinelle/iterators/fen.cocci @@ -0,0 +1,123 @@ +/// These iterators only exit normally when the loop cursor is NULL, so there +/// is no point to call of_node_put on the final value. +/// +// Confidence: High +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@depends on patch@ +iterator name for_each_node_by_name; +expression np,E; +identifier l; +@@ + +for_each_node_by_name(np,...) { + ... when != break; + when != goto l; +} +... when != np = E +- of_node_put(np); + +@depends on patch@ +iterator name for_each_node_by_type; +expression np,E; +identifier l; +@@ + +for_each_node_by_type(np,...) { + ... when != break; + when != goto l; +} +... when != np = E +- of_node_put(np); + +@depends on patch@ +iterator name for_each_compatible_node; +expression np,E; +identifier l; +@@ + +for_each_compatible_node(np,...) { + ... when != break; + when != goto l; +} +... when != np = E +- of_node_put(np); + +@depends on patch@ +iterator name for_each_matching_node; +expression np,E; +identifier l; +@@ + +for_each_matching_node(np,...) { + ... when != break; + when != goto l; +} +... when != np = E +- of_node_put(np); + +// ---------------------------------------------------------------------- + +@r depends on !patch forall@ +//iterator name for_each_node_by_name; +//iterator name for_each_node_by_type; +//iterator name for_each_compatible_node; +//iterator name for_each_matching_node; +expression np,E; +identifier l; +position p1,p2; +@@ + +( +*for_each_node_by_name@p1(np,...) +{ + ... when != break; + when != goto l; +} +| +*for_each_node_by_type@p1(np,...) +{ + ... when != break; + when != goto l; +} +| +*for_each_compatible_node@p1(np,...) +{ + ... when != break; + when != goto l; +} +| +*for_each_matching_node@p1(np,...) +{ + ... when != break; + when != goto l; +} +) +... when != np = E +* of_node_put@p2(np); + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +@@ + +cocci.print_main("unneeded of_node_put",p2) +cocci.print_secs("iterator",p1) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +@@ + +msg = "ERROR: of_node_put not needed after iterator on line %s" % (p1[0].line) +coccilib.report.print_report(p2[0], msg) diff --git a/scripts/coccinelle/iterators/itnull.cocci b/scripts/coccinelle/iterators/itnull.cocci new file mode 100644 index 000000000..f58732b56 --- /dev/null +++ b/scripts/coccinelle/iterators/itnull.cocci @@ -0,0 +1,94 @@ +/// Many iterators have the property that the first argument is always bound +/// to a real list element, never NULL. +//# False positives arise for some iterators that do not have this property, +//# or in cases when the loop cursor is reassigned. The latter should only +//# happen when the matched code is on the way to a loop exit (break, goto, +//# or return). +/// +// Confidence: Moderate +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@depends on patch@ +iterator I; +expression x,E,E1,E2; +statement S,S1,S2; +@@ + +I(x,...) { <... +( +- if (x == NULL && ...) S +| +- if (x != NULL || ...) + S +| +- (x == NULL) || + E +| +- (x != NULL) && + E +| +- (x == NULL && ...) ? E1 : + E2 +| +- (x != NULL || ...) ? + E1 +- : E2 +| +- if (x == NULL && ...) S1 else + S2 +| +- if (x != NULL || ...) + S1 +- else S2 +| ++ BAD( + x == NULL ++ ) +| ++ BAD( + x != NULL ++ ) +) + ...> } + +@r depends on !patch exists@ +iterator I; +expression x,E; +position p1,p2; +@@ + +*I@p1(x,...) +{ ... when != x = E +( +* x@p2 == NULL +| +* x@p2 != NULL +) + ... when any +} + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +@@ + +cocci.print_main("iterator-bound variable",p1) +cocci.print_secs("useless NULL test",p2) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +@@ + +msg = "ERROR: iterator variable bound on line %s cannot be NULL" % (p1[0].line) +coccilib.report.print_report(p2[0], msg) diff --git a/scripts/coccinelle/iterators/list_entry_update.cocci b/scripts/coccinelle/iterators/list_entry_update.cocci new file mode 100644 index 000000000..873f444e7 --- /dev/null +++ b/scripts/coccinelle/iterators/list_entry_update.cocci @@ -0,0 +1,62 @@ +/// list_for_each_entry uses its first argument to get from one element of +/// the list to the next, so it is usually not a good idea to reassign it. +/// The first rule finds such a reassignment and the second rule checks +/// that there is a path from the reassignment back to the top of the loop. +/// +// Confidence: High +// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. +// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual context +virtual org +virtual report + +@r@ +iterator name list_for_each_entry; +expression x,E; +position p1,p2; +@@ + +list_for_each_entry@p1(x,...) { <... x =@p2 E ...> } + +@depends on context && !org && !report@ +expression x,E; +position r.p1,r.p2; +statement S; +@@ + +*x =@p2 E +... +list_for_each_entry@p1(x,...) S + +// ------------------------------------------------------------------------ + +@back depends on (org || report) && !context exists@ +expression x,E; +position r.p1,r.p2; +statement S; +@@ + +x =@p2 E +... +list_for_each_entry@p1(x,...) S + +@script:python depends on back && org@ +p1 << r.p1; +p2 << r.p2; +@@ + +cocci.print_main("iterator",p1) +cocci.print_secs("update",p2) + +@script:python depends on back && report@ +p1 << r.p1; +p2 << r.p2; +@@ + +msg = "iterator with update on line %s" % (p2[0].line) +coccilib.report.print_report(p1[0],msg) diff --git a/scripts/coccinelle/iterators/use_after_iter.cocci b/scripts/coccinelle/iterators/use_after_iter.cocci new file mode 100644 index 000000000..f085f5968 --- /dev/null +++ b/scripts/coccinelle/iterators/use_after_iter.cocci @@ -0,0 +1,147 @@ +/// If list_for_each_entry, etc complete a traversal of the list, the iterator +/// variable ends up pointing to an address at an offset from the list head, +/// and not a meaningful structure. Thus this value should not be used after +/// the end of the iterator. +//#False positives arise when there is a goto in the iterator and the +//#reported reference is at the label of this goto. Some flag tests +//#may also cause a report to be a false positive. +/// +// Confidence: Moderate +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LIP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual context +virtual org +virtual report + +@r exists@ +identifier c,member; +expression E,x; +iterator name list_for_each_entry; +iterator name list_for_each_entry_reverse; +iterator name list_for_each_entry_continue; +iterator name list_for_each_entry_continue_reverse; +iterator name list_for_each_entry_from; +iterator name list_for_each_entry_safe; +iterator name list_for_each_entry_safe_continue; +iterator name list_for_each_entry_safe_from; +iterator name list_for_each_entry_safe_reverse; +iterator name hlist_for_each_entry; +iterator name hlist_for_each_entry_continue; +iterator name hlist_for_each_entry_from; +iterator name hlist_for_each_entry_safe; +statement S; +position p1,p2; +@@ + +( +list_for_each_entry@p1(c,...,member) { ... when != break; + when forall + when strict +} +| +list_for_each_entry_reverse@p1(c,...,member) { ... when != break; + when forall + when strict +} +| +list_for_each_entry_continue@p1(c,...,member) { ... when != break; + when forall + when strict +} +| +list_for_each_entry_continue_reverse@p1(c,...,member) { ... when != break; + when forall + when strict +} +| +list_for_each_entry_from@p1(c,...,member) { ... when != break; + when forall + when strict +} +| +list_for_each_entry_safe@p1(c,...,member) { ... when != break; + when forall + when strict +} +| +list_for_each_entry_safe_continue@p1(c,...,member) { ... when != break; + when forall + when strict +} +| +list_for_each_entry_safe_from@p1(c,...,member) { ... when != break; + when forall + when strict +} +| +list_for_each_entry_safe_reverse@p1(c,...,member) { ... when != break; + when forall + when strict +} +) +... +( +list_for_each_entry(c,...) S +| +list_for_each_entry_reverse(c,...) S +| +list_for_each_entry_continue(c,...) S +| +list_for_each_entry_continue_reverse(c,...) S +| +list_for_each_entry_from(c,...) S +| +list_for_each_entry_safe(c,...) S +| +list_for_each_entry_safe(x,c,...) S +| +list_for_each_entry_safe_continue(c,...) S +| +list_for_each_entry_safe_continue(x,c,...) S +| +list_for_each_entry_safe_from(c,...) S +| +list_for_each_entry_safe_from(x,c,...) S +| +list_for_each_entry_safe_reverse(c,...) S +| +list_for_each_entry_safe_reverse(x,c,...) S +| +hlist_for_each_entry(c,...) S +| +hlist_for_each_entry_continue(c,...) S +| +hlist_for_each_entry_from(c,...) S +| +hlist_for_each_entry_safe(c,...) S +| +list_remove_head(x,c,...) +| +sizeof(<+...c...+>) +| +&c->member +| +c = E +| +*c@p2 +) + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +@@ + +cocci.print_main("invalid iterator index reference",p2) +cocci.print_secs("iterator",p1) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +@@ + +msg = "ERROR: invalid reference to the index variable of the iterator on line %s" % (p1[0].line) +coccilib.report.print_report(p2[0], msg) diff --git a/scripts/coccinelle/locks/call_kern.cocci b/scripts/coccinelle/locks/call_kern.cocci new file mode 100644 index 000000000..669b24436 --- /dev/null +++ b/scripts/coccinelle/locks/call_kern.cocci @@ -0,0 +1,105 @@ +/// Find functions that refer to GFP_KERNEL but are called with locks held. +//# The proposed change of converting the GFP_KERNEL is not necessarily the +//# correct one. It may be desired to unlock the lock, or to not call the +//# function under the lock in the first place. +/// +// Confidence: Moderate +// Copyright: (C) 2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@gfp exists@ +identifier fn; +position p; +@@ + +fn(...) { + ... when != read_unlock_irq(...) + when != write_unlock_irq(...) + when != read_unlock_irqrestore(...) + when != write_unlock_irqrestore(...) + when != spin_unlock(...) + when != spin_unlock_irq(...) + when != spin_unlock_irqrestore(...) + when != local_irq_enable(...) + when any + GFP_KERNEL@p + ... when any +} + +@locked exists@ +identifier gfp.fn; +position p1,p2; +@@ + +( +read_lock_irq@p1 +| +write_lock_irq@p1 +| +read_lock_irqsave@p1 +| +write_lock_irqsave@p1 +| +spin_lock@p1 +| +spin_trylock@p1 +| +spin_lock_irq@p1 +| +spin_lock_irqsave@p1 +| +local_irq_disable@p1 +) + (...) +... when != read_unlock_irq(...) + when != write_unlock_irq(...) + when != read_unlock_irqrestore(...) + when != write_unlock_irqrestore(...) + when != spin_unlock(...) + when != spin_unlock_irq(...) + when != spin_unlock_irqrestore(...) + when != local_irq_enable(...) +fn@p2(...) + +@depends on locked && patch@ +position gfp.p; +@@ + +- GFP_KERNEL@p ++ GFP_ATOMIC + +@depends on locked && !patch@ +position gfp.p; +@@ + +* GFP_KERNEL@p + +@script:python depends on !patch && org@ +p << gfp.p; +fn << gfp.fn; +p1 << locked.p1; +p2 << locked.p2; +@@ + +cocci.print_main("lock",p1) +cocci.print_secs("call",p2) +cocci.print_secs("GFP_KERNEL",p) + +@script:python depends on !patch && report@ +p << gfp.p; +fn << gfp.fn; +p1 << locked.p1; +p2 << locked.p2; +@@ + +msg = "ERROR: function %s called on line %s inside lock on line %s but uses GFP_KERNEL" % (fn,p2[0].line,p1[0].line) +coccilib.report.print_report(p[0], msg) diff --git a/scripts/coccinelle/locks/double_lock.cocci b/scripts/coccinelle/locks/double_lock.cocci new file mode 100644 index 000000000..002752f97 --- /dev/null +++ b/scripts/coccinelle/locks/double_lock.cocci @@ -0,0 +1,92 @@ +/// Find double locks. False positives may occur when some paths cannot +/// occur at execution, due to the values of variables, and when there is +/// an intervening function call that releases the lock. +/// +// Confidence: Moderate +// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. +// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual org +virtual report + +@locked@ +position p1; +expression E1; +position p; +@@ + +( +mutex_lock@p1 +| +mutex_trylock@p1 +| +spin_lock@p1 +| +spin_trylock@p1 +| +read_lock@p1 +| +read_trylock@p1 +| +write_lock@p1 +| +write_trylock@p1 +) (E1@p,...); + +@balanced@ +position p1 != locked.p1; +position locked.p; +identifier lock,unlock; +expression x <= locked.E1; +expression E,locked.E1; +expression E2; +@@ + +if (E) { + <+... when != E1 + lock(E1@p,...) + ...+> +} +... when != E1 + when != \(x = E2\|&x\) + when forall +if (E) { + <+... when != E1 + unlock@p1(E1,...) + ...+> +} + +@r depends on !balanced exists@ +expression x <= locked.E1; +expression locked.E1; +expression E2; +identifier lock; +position locked.p,p1,p2; +@@ + +lock@p1 (E1@p,...); +... when != E1 + when != \(x = E2\|&x\) +lock@p2 (E1,...); + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +lock << r.lock; +@@ + +cocci.print_main(lock,p1) +cocci.print_secs("second lock",p2) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +lock << r.lock; +@@ + +msg = "second lock on line %s" % (p2[0].line) +coccilib.report.print_report(p1[0],msg) diff --git a/scripts/coccinelle/locks/flags.cocci b/scripts/coccinelle/locks/flags.cocci new file mode 100644 index 000000000..debd70e46 --- /dev/null +++ b/scripts/coccinelle/locks/flags.cocci @@ -0,0 +1,80 @@ +/// Find nested lock+irqsave functions that use the same flags variables +/// +// Confidence: High +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual context +virtual org +virtual report + +@r exists@ +expression lock1,lock2,flags; +position p1,p2; +@@ + +( +spin_lock_irqsave@p1(lock1,flags) +| +read_lock_irqsave@p1(lock1,flags) +| +write_lock_irqsave@p1(lock1,flags) +) +... when != flags +( +spin_lock_irqsave(lock1,flags) +| +read_lock_irqsave(lock1,flags) +| +write_lock_irqsave(lock1,flags) +| +spin_lock_irqsave@p2(lock2,flags) +| +read_lock_irqsave@p2(lock2,flags) +| +write_lock_irqsave@p2(lock2,flags) +) + +@d exists@ +expression f <= r.flags; +expression lock1,lock2,flags; +position r.p1, r.p2; +@@ + +( +*spin_lock_irqsave@p1(lock1,flags) +| +*read_lock_irqsave@p1(lock1,flags) +| +*write_lock_irqsave@p1(lock1,flags) +) +... when != f +( +*spin_lock_irqsave@p2(lock2,flags) +| +*read_lock_irqsave@p2(lock2,flags) +| +*write_lock_irqsave@p2(lock2,flags) +) + +// ---------------------------------------------------------------------- + +@script:python depends on d && org@ +p1 << r.p1; +p2 << r.p2; +@@ + +cocci.print_main("original lock",p1) +cocci.print_secs("nested lock+irqsave that reuses flags",p2) + +@script:python depends on d && report@ +p1 << r.p1; +p2 << r.p2; +@@ + +msg="ERROR: nested lock+irqsave that reuses flags from line %s." % (p1[0].line) +coccilib.report.print_report(p2[0], msg) diff --git a/scripts/coccinelle/locks/mini_lock.cocci b/scripts/coccinelle/locks/mini_lock.cocci new file mode 100644 index 000000000..47f649b0e --- /dev/null +++ b/scripts/coccinelle/locks/mini_lock.cocci @@ -0,0 +1,96 @@ +/// Find missing unlocks. This semantic match considers the specific case +/// where the unlock is missing from an if branch, and there is a lock +/// before the if and an unlock after the if. False positives are due to +/// cases where the if branch represents a case where the function is +/// supposed to exit with the lock held, or where there is some preceding +/// function call that releases the lock. +/// +// Confidence: Moderate +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual context +virtual org +virtual report + +@prelocked@ +position p1,p; +expression E1; +@@ + +( +mutex_lock@p1 +| +mutex_trylock@p1 +| +spin_lock@p1 +| +spin_trylock@p1 +| +read_lock@p1 +| +read_trylock@p1 +| +write_lock@p1 +| +write_trylock@p1 +| +read_lock_irq@p1 +| +write_lock_irq@p1 +| +read_lock_irqsave@p1 +| +write_lock_irqsave@p1 +| +spin_lock_irq@p1 +| +spin_lock_irqsave@p1 +) (E1@p,...); + +@looped@ +position r; +@@ + +for(...;...;...) { <+... return@r ...; ...+> } + +@err exists@ +expression E1; +position prelocked.p; +position up != prelocked.p1; +position r!=looped.r; +identifier lock,unlock; +@@ + +*lock(E1@p,...); +<+... when != E1 +if (...) { + ... when != E1 +* return@r ...; +} +...+> +*unlock@up(E1,...); + +@script:python depends on org@ +p << prelocked.p1; +lock << err.lock; +unlock << err.unlock; +p2 << err.r; +@@ + +cocci.print_main(lock,p) +cocci.print_secs(unlock,p2) + +@script:python depends on report@ +p << prelocked.p1; +lock << err.lock; +unlock << err.unlock; +p2 << err.r; +@@ + +msg = "preceding lock on line %s" % (p[0].line) +coccilib.report.print_report(p2[0],msg) diff --git a/scripts/coccinelle/misc/array_size.cocci b/scripts/coccinelle/misc/array_size.cocci new file mode 100644 index 000000000..81e279cd3 --- /dev/null +++ b/scripts/coccinelle/misc/array_size.cocci @@ -0,0 +1,87 @@ +/// Use ARRAY_SIZE instead of dividing sizeof array with sizeof an element +/// +//# This makes an effort to find cases where ARRAY_SIZE can be used such as +//# where there is a division of sizeof the array by the sizeof its first +//# element or by any indexed element or the element type. It replaces the +//# division of the two sizeofs by ARRAY_SIZE. +// +// Confidence: High +// Copyright: (C) 2014 Himangi Saraogi. GPLv2. +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@i@ +@@ + +#include <linux/kernel.h> + +//---------------------------------------------------------- +// For context mode +//---------------------------------------------------------- + +@depends on i&&context@ +type T; +T[] E; +@@ +( +* (sizeof(E)/sizeof(*E)) +| +* (sizeof(E)/sizeof(E[...])) +| +* (sizeof(E)/sizeof(T)) +) + +//---------------------------------------------------------- +// For patch mode +//---------------------------------------------------------- + +@depends on i&&patch@ +type T; +T[] E; +@@ +( +- (sizeof(E)/sizeof(*E)) ++ ARRAY_SIZE(E) +| +- (sizeof(E)/sizeof(E[...])) ++ ARRAY_SIZE(E) +| +- (sizeof(E)/sizeof(T)) ++ ARRAY_SIZE(E) +) + +//---------------------------------------------------------- +// For org and report mode +//---------------------------------------------------------- + +@r@ +type T; +T[] E; +position p; +@@ +( + (sizeof(E)@p /sizeof(*E)) +| + (sizeof(E)@p /sizeof(E[...])) +| + (sizeof(E)@p /sizeof(T)) +) + +@script:python depends on i&&org@ +p << r.p; +@@ + +coccilib.org.print_todo(p[0], "WARNING should use ARRAY_SIZE") + +@script:python depends on i&&report@ +p << r.p; +@@ + +msg="WARNING: Use ARRAY_SIZE" +coccilib.report.print_report(p[0], msg) + diff --git a/scripts/coccinelle/misc/badty.cocci b/scripts/coccinelle/misc/badty.cocci new file mode 100644 index 000000000..2fc06fc71 --- /dev/null +++ b/scripts/coccinelle/misc/badty.cocci @@ -0,0 +1,76 @@ +/// Use ARRAY_SIZE instead of dividing sizeof array with sizeof an element +/// +//# This makes an effort to find cases where the argument to sizeof is wrong +//# in memory allocation functions by checking the type of the allocated memory +//# when it is a double pointer and ensuring the sizeof argument takes a pointer +//# to the the memory being allocated. There are false positives in cases the +//# sizeof argument is not used in constructing the return value. The result +//# may need some reformatting. +// +// Confidence: Moderate +// Copyright: (C) 2014 Himangi Saraogi. GPLv2. +// Comments: +// Options: + +virtual patch +virtual context +virtual org +virtual report + +//---------------------------------------------------------- +// For context mode +//---------------------------------------------------------- + +@depends on context disable sizeof_type_expr@ +type T; +T **x; +@@ + + x = + <+...sizeof( +* T + )...+> + +//---------------------------------------------------------- +// For patch mode +//---------------------------------------------------------- + +@depends on patch disable sizeof_type_expr@ +type T; +T **x; +@@ + + x = + <+...sizeof( +- T ++ *x + )...+> + +//---------------------------------------------------------- +// For org and report mode +//---------------------------------------------------------- + +@r disable sizeof_type_expr@ +type T; +T **x; +position p; +@@ + + x = + <+...sizeof( + T@p + )...+> + +@script:python depends on org@ +p << r.p; +@@ + +coccilib.org.print_todo(p[0], "WARNING sizeof argument should be pointer type, not structure type") + +@script:python depends on report@ +p << r.p; +@@ + +msg="WARNING: Use correct pointer type argument for sizeof" +coccilib.report.print_report(p[0], msg) + diff --git a/scripts/coccinelle/misc/boolinit.cocci b/scripts/coccinelle/misc/boolinit.cocci new file mode 100644 index 000000000..b9abed49c --- /dev/null +++ b/scripts/coccinelle/misc/boolinit.cocci @@ -0,0 +1,178 @@ +/// Bool initializations should use true and false. Bool tests don't need +/// comparisons. Based on contributions from Joe Perches, Rusty Russell +/// and Bruce W Allan. +/// +// Confidence: High +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Options: --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@depends on patch@ +bool t; +symbol true; +symbol false; +@@ + +( +- t == true ++ t +| +- true == t ++ t +| +- t != true ++ !t +| +- true != t ++ !t +| +- t == false ++ !t +| +- false == t ++ !t +| +- t != false ++ t +| +- false != t ++ t +) + +@depends on patch disable is_zero, isnt_zero@ +bool t; +@@ + +( +- t == 1 ++ t +| +- t != 1 ++ !t +| +- t == 0 ++ !t +| +- t != 0 ++ t +) + +@depends on patch@ +bool b; +@@ +( + b = +- 0 ++ false +| + b = +- 1 ++ true +) + +// --------------------------------------------------------------------- + +@r1 depends on !patch@ +bool t; +position p; +@@ + +( +* t@p == true +| +* true == t@p +| +* t@p != true +| +* true != t@p +| +* t@p == false +| +* false == t@p +| +* t@p != false +| +* false != t@p +) + +@r2 depends on !patch disable is_zero, isnt_zero@ +bool t; +position p; +@@ + +( +* t@p == 1 +| +* t@p != 1 +| +* t@p == 0 +| +* t@p != 0 +) + +@r3 depends on !patch@ +bool b; +position p1,p2; +constant c; +@@ +( +*b@p1 = 0 +| +*b@p1 = 1 +| +*b@p2 = c +) + +@script:python depends on org@ +p << r1.p; +@@ + +cocci.print_main("WARNING: Comparison to bool",p) + +@script:python depends on org@ +p << r2.p; +@@ + +cocci.print_main("WARNING: Comparison of bool to 0/1",p) + +@script:python depends on org@ +p1 << r3.p1; +@@ + +cocci.print_main("WARNING: Assignment of bool to 0/1",p1) + +@script:python depends on org@ +p2 << r3.p2; +@@ + +cocci.print_main("ERROR: Assignment of bool to non-0/1 constant",p2) + +@script:python depends on report@ +p << r1.p; +@@ + +coccilib.report.print_report(p[0],"WARNING: Comparison to bool") + +@script:python depends on report@ +p << r2.p; +@@ + +coccilib.report.print_report(p[0],"WARNING: Comparison of bool to 0/1") + +@script:python depends on report@ +p1 << r3.p1; +@@ + +coccilib.report.print_report(p1[0],"WARNING: Assignment of bool to 0/1") + +@script:python depends on report@ +p2 << r3.p2; +@@ + +coccilib.report.print_report(p2[0],"ERROR: Assignment of bool to non-0/1 constant") diff --git a/scripts/coccinelle/misc/boolreturn.cocci b/scripts/coccinelle/misc/boolreturn.cocci new file mode 100644 index 000000000..a43c7b0c3 --- /dev/null +++ b/scripts/coccinelle/misc/boolreturn.cocci @@ -0,0 +1,58 @@ +/// Return statements in functions returning bool should use +/// true/false instead of 1/0. +// +// Confidence: High +// Options: --no-includes --include-headers + +virtual patch +virtual report +virtual context + +@r1 depends on patch@ +identifier fn; +typedef bool; +symbol false; +symbol true; +@@ + +bool fn ( ... ) +{ +<... +return +( +- 0 ++ false +| +- 1 ++ true +) + ; +...> +} + +@r2 depends on report || context@ +identifier fn; +position p; +@@ + +bool fn ( ... ) +{ +<... +return +( +* 0@p +| +* 1@p +) + ; +...> +} + + +@script:python depends on report@ +p << r2.p; +fn << r2.fn; +@@ + +msg = "WARNING: return of 0/1 in function '%s' with return type bool" % fn +coccilib.report.print_report(p[0], msg) diff --git a/scripts/coccinelle/misc/bugon.cocci b/scripts/coccinelle/misc/bugon.cocci new file mode 100644 index 000000000..27c97f1f2 --- /dev/null +++ b/scripts/coccinelle/misc/bugon.cocci @@ -0,0 +1,62 @@ +/// Use BUG_ON instead of a if condition followed by BUG. +/// +//# This makes an effort to find cases where BUG() follows an if +//# condition on an expression and replaces the if condition and BUG() +//# with a BUG_ON having the conditional expression of the if statement +//# as argument. +// +// Confidence: High +// Copyright: (C) 2014 Himangi Saraogi. GPLv2. +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +//---------------------------------------------------------- +// For context mode +//---------------------------------------------------------- + +@depends on context@ +expression e; +@@ + +*if (e) BUG(); + +//---------------------------------------------------------- +// For patch mode +//---------------------------------------------------------- + +@depends on patch@ +expression e; +@@ + +-if (e) BUG(); ++BUG_ON(e); + +//---------------------------------------------------------- +// For org and report mode +//---------------------------------------------------------- + +@r@ +expression e; +position p; +@@ + + if (e) BUG@p (); + +@script:python depends on org@ +p << r.p; +@@ + +coccilib.org.print_todo(p[0], "WARNING use BUG_ON") + +@script:python depends on report@ +p << r.p; +@@ + +msg="WARNING: Use BUG_ON instead of if condition followed by BUG.\nPlease make sure the condition has no side effects (see conditional BUG_ON definition in include/asm-generic/bug.h)" +coccilib.report.print_report(p[0], msg) + diff --git a/scripts/coccinelle/misc/cstptr.cocci b/scripts/coccinelle/misc/cstptr.cocci new file mode 100644 index 000000000..f0368b3d4 --- /dev/null +++ b/scripts/coccinelle/misc/cstptr.cocci @@ -0,0 +1,41 @@ +/// PTR_ERR should be applied before its argument is reassigned, typically +/// to NULL +/// +// Confidence: High +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual org +virtual report +virtual context + +@r exists@ +expression e,e1; +constant c; +position p1,p2; +@@ + +*e@p1 = c +... when != e = e1 + when != &e + when != true IS_ERR(e) +*PTR_ERR@p2(e) + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +@@ + +cocci.print_main("PTR_ERR",p2) +cocci.print_secs("assignment",p1) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +@@ + +msg = "ERROR: PTR_ERR applied after initialization to constant on line %s" % (p1[0].line) +coccilib.report.print_report(p2[0],msg) diff --git a/scripts/coccinelle/misc/doubleinit.cocci b/scripts/coccinelle/misc/doubleinit.cocci new file mode 100644 index 000000000..c0c3371d2 --- /dev/null +++ b/scripts/coccinelle/misc/doubleinit.cocci @@ -0,0 +1,53 @@ +/// Find duplicate field initializations. This has a high rate of false +/// positives due to #ifdefs, which Coccinelle is not aware of in a structure +/// initialization. +/// +// Confidence: Low +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: requires at least Coccinelle 0.2.4, lex or parse error otherwise +// Options: --no-includes --include-headers + +virtual org +virtual report + +@r@ +identifier I, s, fld; +position p0,p; +expression E; +@@ + +struct I s =@p0 { ..., .fld@p = E, ...}; + +@s@ +identifier I, s, r.fld; +position r.p0,p; +expression E; +@@ + +struct I s =@p0 { ..., .fld@p = E, ...}; + +@script:python depends on org@ +p0 << r.p0; +fld << r.fld; +ps << s.p; +pr << r.p; +@@ + +if int(ps[0].line) < int(pr[0].line) or (int(ps[0].line) == int(pr[0].line) and int(ps[0].column) < int(pr[0].column)): + cocci.print_main(fld,p0) + cocci.print_secs("s",ps) + cocci.print_secs("r",pr) + +@script:python depends on report@ +p0 << r.p0; +fld << r.fld; +ps << s.p; +pr << r.p; +@@ + +if int(ps[0].line) < int(pr[0].line) or (int(ps[0].line) == int(pr[0].line) and int(ps[0].column) < int(pr[0].column)): + msg = "%s: first occurrence line %s, second occurrence line %s" % (fld,ps[0].line,pr[0].line) + coccilib.report.print_report(p0[0],msg) diff --git a/scripts/coccinelle/misc/ifaddr.cocci b/scripts/coccinelle/misc/ifaddr.cocci new file mode 100644 index 000000000..8aebd1875 --- /dev/null +++ b/scripts/coccinelle/misc/ifaddr.cocci @@ -0,0 +1,35 @@ +/// the address of a variable or field is non-zero is likely always to bo +/// non-zero +/// +// Confidence: High +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual org +virtual report +virtual context + +@r@ +expression x; +statement S1,S2; +position p; +@@ + +*if@p (&x) + S1 else S2 + +@script:python depends on org@ +p << r.p; +@@ + +cocci.print_main("test of a variable/field address",p) + +@script:python depends on report@ +p << r.p; +@@ + +msg = "ERROR: test of a variable/field address" +coccilib.report.print_report(p[0],msg) diff --git a/scripts/coccinelle/misc/ifcol.cocci b/scripts/coccinelle/misc/ifcol.cocci new file mode 100644 index 000000000..d0d00ef1f --- /dev/null +++ b/scripts/coccinelle/misc/ifcol.cocci @@ -0,0 +1,48 @@ +/// Find confusingly indented code in or after an if. An if branch should +/// be indented. The code following an if should not be indented. +/// Sometimes, code after an if that is indented is actually intended to be +/// part of the if branch. +/// +/// This has a high rate of false positives, because Coccinelle's column +/// calculation does not distinguish between spaces and tabs, so code that +/// is not visually aligned may be considered to be in the same column. +/// +// Confidence: Low +// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. +// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual org +virtual report + +@r disable braces4@ +position p1,p2; +statement S1,S2; +@@ + +( +if (...) { ... } +| +if (...) S1@p1 S2@p2 +) + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +@@ + +if (p1[0].column == p2[0].column): + cocci.print_main("branch",p1) + cocci.print_secs("after",p2) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +@@ + +if (p1[0].column == p2[0].column): + msg = "code aligned with following code on line %s" % (p2[0].line) + coccilib.report.print_report(p1[0],msg) diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci b/scripts/coccinelle/misc/irqf_oneshot.cocci new file mode 100644 index 000000000..a24a754ae --- /dev/null +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci @@ -0,0 +1,89 @@ +/// Make sure threaded IRQs without a primary handler are always request with +/// IRQF_ONESHOT +/// +// +// Confidence: Good +// Comments: +// Options: --no-includes + +virtual patch +virtual context +virtual org +virtual report + +@r1@ +expression dev; +expression irq; +expression thread_fn; +expression flags; +position p; +@@ +( +request_threaded_irq@p(irq, NULL, thread_fn, +( +flags | IRQF_ONESHOT +| +IRQF_ONESHOT +) +, ...) +| +devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, +( +flags | IRQF_ONESHOT +| +IRQF_ONESHOT +) +, ...) +) + +@depends on patch@ +expression dev; +expression irq; +expression thread_fn; +expression flags; +position p != r1.p; +@@ +( +request_threaded_irq@p(irq, NULL, thread_fn, +( +-0 ++IRQF_ONESHOT +| +-flags ++flags | IRQF_ONESHOT +) +, ...) +| +devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, +( +-0 ++IRQF_ONESHOT +| +-flags ++flags | IRQF_ONESHOT +) +, ...) +) + +@depends on context@ +position p != r1.p; +@@ +*request_threaded_irq@p(...) + +@match depends on report || org@ +expression irq; +position p != r1.p; +@@ +request_threaded_irq@p(irq, NULL, ...) + +@script:python depends on org@ +p << match.p; +@@ +msg = "ERROR: Threaded IRQ with no primary handler requested without IRQF_ONESHOT" +coccilib.org.print_todo(p[0],msg) + +@script:python depends on report@ +p << match.p; +@@ +msg = "ERROR: Threaded IRQ with no primary handler requested without IRQF_ONESHOT" +coccilib.report.print_report(p[0],msg) diff --git a/scripts/coccinelle/misc/noderef.cocci b/scripts/coccinelle/misc/noderef.cocci new file mode 100644 index 000000000..80a831c91 --- /dev/null +++ b/scripts/coccinelle/misc/noderef.cocci @@ -0,0 +1,65 @@ +/// sizeof when applied to a pointer typed expression gives the size of +/// the pointer +/// +// Confidence: High +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual org +virtual report +virtual context +virtual patch + +@depends on patch@ +expression *x; +expression f; +type T; +@@ + +( +x = <+... sizeof( +- x ++ *x + ) ...+> +| +f(...,(T)(x),...,sizeof( +- x ++ *x + ),...) +| +f(...,sizeof(x),...,(T)( +- x ++ *x + ),...) +) + +@r depends on !patch@ +expression *x; +expression f; +position p; +type T; +@@ + +( +*x = <+... sizeof@p(x) ...+> +| +*f(...,(T)(x),...,sizeof@p(x),...) +| +*f(...,sizeof@p(x),...,(T)(x),...) +) + +@script:python depends on org@ +p << r.p; +@@ + +cocci.print_main("application of sizeof to pointer",p) + +@script:python depends on report@ +p << r.p; +@@ + +msg = "ERROR: application of sizeof to pointer" +coccilib.report.print_report(p[0],msg) diff --git a/scripts/coccinelle/misc/of_table.cocci b/scripts/coccinelle/misc/of_table.cocci new file mode 100644 index 000000000..3c934046a --- /dev/null +++ b/scripts/coccinelle/misc/of_table.cocci @@ -0,0 +1,62 @@ +/// Make sure of_device_id tables are NULL terminated +// +// Keywords: of_table +// Confidence: Medium +// Options: --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@depends on context@ +identifier var, arr; +expression E; +@@ +struct of_device_id arr[] = { + ..., + { + .var = E, +* } +}; + +@depends on patch@ +identifier var, arr; +expression E; +@@ +struct of_device_id arr[] = { + ..., + { + .var = E, +- } ++ }, ++ { } +}; + +@r depends on org || report@ +position p1; +identifier var, arr; +expression E; +@@ +struct of_device_id arr[] = { + ..., + { + .var = E, + } + @p1 +}; + +@script:python depends on org@ +p1 << r.p1; +arr << r.arr; +@@ + +cocci.print_main(arr,p1) + +@script:python depends on report@ +p1 << r.p1; +arr << r.arr; +@@ + +msg = "%s is not NULL terminated at line %s" % (arr, p1[0].line) +coccilib.report.print_report(p1[0],msg) diff --git a/scripts/coccinelle/misc/orplus.cocci b/scripts/coccinelle/misc/orplus.cocci new file mode 100644 index 000000000..81fabf379 --- /dev/null +++ b/scripts/coccinelle/misc/orplus.cocci @@ -0,0 +1,55 @@ +/// Check for constants that are added but are used elsewhere as bitmasks +/// The results should be checked manually to ensure that the nonzero +/// bits in the two constants are actually disjoint. +/// +// Confidence: Moderate +// Copyright: (C) 2013 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2013 Gilles Muller, INRIA/LIP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual org +virtual report +virtual context + +@r@ +constant c; +identifier i; +expression e; +@@ + +( +e | c@i +| +e & c@i +| +e |= c@i +| +e &= c@i +) + +@s@ +constant r.c,c1; +identifier i1; +position p; +@@ + +( + c1 + c - 1 +| +*c1@i1 +@p c +) + +@script:python depends on org@ +p << s.p; +@@ + +cocci.print_main("sum of probable bitmasks, consider |",p) + +@script:python depends on report@ +p << s.p; +@@ + +msg = "WARNING: sum of probable bitmasks, consider |" +coccilib.report.print_report(p[0],msg) diff --git a/scripts/coccinelle/misc/returnvar.cocci b/scripts/coccinelle/misc/returnvar.cocci new file mode 100644 index 000000000..605955a91 --- /dev/null +++ b/scripts/coccinelle/misc/returnvar.cocci @@ -0,0 +1,66 @@ +/// +/// Removes unneeded variable used to store return value. +/// +// Confidence: Moderate +// Copyright: (C) 2012 Peter Senna Tschudin, INRIA/LIP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: Comments on code can be deleted if near code that is removed. +// "when strict" can be removed to get more hits, but adds false +// positives +// Options: --no-includes --include-headers + +virtual patch +virtual report +virtual context +virtual org + +@depends on patch@ +type T; +constant C; +identifier ret; +@@ +- T ret = C; +... when != ret + when strict +return +- ret ++ C +; + +@depends on context@ +type T; +constant C; +identifier ret; +@@ +* T ret = C; +... when != ret + when strict +* return ret; + +@r1 depends on report || org@ +type T; +constant C; +identifier ret; +position p1, p2; +@@ +T ret@p1 = C; +... when != ret + when strict +return ret@p2; + +@script:python depends on report@ +p1 << r1.p1; +p2 << r1.p2; +C << r1.C; +ret << r1.ret; +@@ +coccilib.report.print_report(p1[0], "Unneeded variable: \"" + ret + "\". Return \"" + C + "\" on line " + p2[0].line) + +@script:python depends on org@ +p1 << r1.p1; +p2 << r1.p2; +C << r1.C; +ret << r1.ret; +@@ +cocci.print_main("unneeded \"" + ret + "\" variable", p1) +cocci.print_sec("return " + C + " here", p2) diff --git a/scripts/coccinelle/misc/semicolon.cocci b/scripts/coccinelle/misc/semicolon.cocci new file mode 100644 index 000000000..a47eba2ed --- /dev/null +++ b/scripts/coccinelle/misc/semicolon.cocci @@ -0,0 +1,83 @@ +/// +/// Removes unneeded semicolon. +/// +// Confidence: Moderate +// Copyright: (C) 2012 Peter Senna Tschudin, INRIA/LIP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: Some false positives on empty default cases in switch statements. +// Options: --no-includes --include-headers + +virtual patch +virtual report +virtual context +virtual org + +@r_default@ +position p; +@@ +switch (...) +{ +default: ...;@p +} + +@r_case@ +position p; +@@ +( +switch (...) +{ +case ...:;@p +} +| +switch (...) +{ +case ...:... +case ...:;@p +} +| +switch (...) +{ +case ...:... +case ...: +case ...:;@p +} +) + +@r1@ +statement S; +position p1; +position p != {r_default.p, r_case.p}; +identifier label; +@@ +( +label:; +| +S@p1;@p +) + +@script:python@ +p << r1.p; +p1 << r1.p1; +@@ +if p[0].line != p1[0].line_end: + cocci.include_match(False) + +@depends on patch@ +position r1.p; +@@ +-;@p + +@script:python depends on report@ +p << r1.p; +@@ +coccilib.report.print_report(p[0],"Unneeded semicolon") + +@depends on context@ +position r1.p; +@@ +*;@p + +@script:python depends on org@ +p << r1.p; +@@ +cocci.print_main("Unneeded semicolon",p) diff --git a/scripts/coccinelle/misc/simple_return.cocci b/scripts/coccinelle/misc/simple_return.cocci new file mode 100644 index 000000000..47f7084b6 --- /dev/null +++ b/scripts/coccinelle/misc/simple_return.cocci @@ -0,0 +1,180 @@ +/// Simplify a trivial if-return sequence. Possibly combine with a +/// preceding function call. +// +// Confidence: High +// Copyright: (C) 2014 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2014 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@r depends on patch@ +local idexpression e; +identifier i,f,fn; +@@ + +fn(...) { <... +- e@i = ++ return + f(...); +-if (i != 0) return i; +-return 0; +...> } + +@depends on patch@ +identifier r.i; +type t; +@@ + +-t i; + ... when != i + +@depends on patch@ +expression e; +@@ + +-if (e != 0) + return e; +-return 0; + +// ----------------------------------------------------------------------- + +@s1 depends on context || org || report@ +local idexpression e; +identifier i,f,fn; +position p,p1,p2; +@@ + +fn(...) { <... +* e@i@p = f(...); + if (\(i@p1 != 0\|i@p2 < 0\)) + return i; + return 0; +...> } + +@s2 depends on context || org || report forall@ +identifier s1.i; +type t; +position q,s1.p; +expression e,f; +@@ + +* t i@q; + ... when != i + e@p = f(...); + +@s3 depends on context || org || report@ +expression e; +position p1!=s1.p1; +position p2!=s1.p2; +@@ + +*if (\(e@p1 != 0\|e@p2 < 0\)) + return e; + return 0; + +// ----------------------------------------------------------------------- + +@script:python depends on org@ +p << s1.p; +p1 << s1.p1; +q << s2.q; +@@ + +cocci.print_main("decl",q) +cocci.print_secs("use",p) +cocci.include_match(False) + +@script:python depends on org@ +p << s1.p; +p2 << s1.p2; +q << s2.q; +@@ + +cocci.print_main("decl",q) +cocci.print_secs("use with questionable test",p) +cocci.include_match(False) + +@script:python depends on org@ +p << s1.p; +p1 << s1.p1; +@@ + +cocci.print_main("use",p) + +@script:python depends on org@ +p << s1.p; +p2 << s1.p2; +@@ + +cocci.print_main("use with questionable test",p) + +@script:python depends on org@ +p << s3.p1; +@@ + +cocci.print_main("test",p) + +@script:python depends on org@ +p << s3.p2; +@@ + +cocci.print_main("questionable test",p) + +// ----------------------------------------------------------------------- + +@script:python depends on report@ +p << s1.p; +p1 << s1.p1; +q << s2.q; +@@ + +msg = "WARNING: end returns can be simpified and declaration on line %s can be dropped" % (q[0].line) +coccilib.report.print_report(p[0],msg) +cocci.include_match(False) + +@script:python depends on report@ +p << s1.p; +p1 << s1.p1; +q << s2.q +; +@@ + +msg = "WARNING: end returns may be simpified if negative or 0 value and declaration on line %s can be dropped" % (q[0].line) +coccilib.report.print_report(p[0],msg) +cocci.include_match(False) + +@script:python depends on report@ +p << s1.p; +p1 << s1.p1; +@@ + +msg = "WARNING: end returns can be simpified" +coccilib.report.print_report(p[0],msg) + +@script:python depends on report@ +p << s1.p; +p2 << s1.p2; +@@ + +msg = "WARNING: end returns can be simpified if negative or 0 value" +coccilib.report.print_report(p[0],msg) + +@script:python depends on report@ +p << s3.p1; +@@ + +msg = "WARNING: end returns can be simpified" +coccilib.report.print_report(p[0],msg) + +@script:python depends on report@ +p << s3.p2; +@@ + +msg = "WARNING: end returns can be simpified if tested value is negative or 0" +coccilib.report.print_report(p[0],msg) diff --git a/scripts/coccinelle/misc/warn.cocci b/scripts/coccinelle/misc/warn.cocci new file mode 100644 index 000000000..d2e5b6ced --- /dev/null +++ b/scripts/coccinelle/misc/warn.cocci @@ -0,0 +1,109 @@ +/// Use WARN(1,...) rather than printk followed by WARN_ON(1) +/// +// Confidence: High +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@bad1@ +position p; +@@ + +printk(...); +printk@p(...); +WARN_ON(1); + +@r1 depends on context || report || org@ +position p != bad1.p; +@@ + + printk@p(...); +*WARN_ON(1); + +@script:python depends on org@ +p << r1.p; +@@ + +cocci.print_main("printk + WARN_ON can be just WARN",p) + +@script:python depends on report@ +p << r1.p; +@@ + +msg = "SUGGESTION: printk + WARN_ON can be just WARN" +coccilib.report.print_report(p[0],msg) + +@ok1 depends on patch@ +expression list es; +position p != bad1.p; +@@ + +-printk@p( ++WARN(1, + es); +-WARN_ON(1); + +@depends on patch@ +expression list ok1.es; +@@ + +if (...) +- { + WARN(1,es); +- } + +// -------------------------------------------------------------------- + +@bad2@ +position p; +@@ + +printk(...); +printk@p(...); +WARN_ON_ONCE(1); + +@r2 depends on context || report || org@ +position p != bad1.p; +@@ + + printk@p(...); +*WARN_ON_ONCE(1); + +@script:python depends on org@ +p << r2.p; +@@ + +cocci.print_main("printk + WARN_ON_ONCE can be just WARN_ONCE",p) + +@script:python depends on report@ +p << r2.p; +@@ + +msg = "SUGGESTION: printk + WARN_ON_ONCE can be just WARN_ONCE" +coccilib.report.print_report(p[0],msg) + +@ok2 depends on patch@ +expression list es; +position p != bad2.p; +@@ + +-printk@p( ++WARN_ONCE(1, + es); +-WARN_ON_ONCE(1); + +@depends on patch@ +expression list ok2.es; +@@ + +if (...) +- { + WARN_ONCE(1,es); +- } diff --git a/scripts/coccinelle/null/badzero.cocci b/scripts/coccinelle/null/badzero.cocci new file mode 100644 index 000000000..5551da2b4 --- /dev/null +++ b/scripts/coccinelle/null/badzero.cocci @@ -0,0 +1,238 @@ +/// Compare pointer-typed values to NULL rather than 0 +/// +//# This makes an effort to choose between !x and x == NULL. !x is used +//# if it has previously been used with the function used to initialize x. +//# This relies on type information. More type information can be obtained +//# using the option -all_includes and the option -I to specify an +//# include path. +// +// Confidence: High +// Copyright: (C) 2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: Requires Coccinelle version 1.0.0-rc20 or later +// Options: + +virtual patch +virtual context +virtual org +virtual report + +@initialize:ocaml@ +@@ +let negtable = Hashtbl.create 101 + +@depends on patch@ +expression *E; +identifier f; +@@ + +( + (E = f(...)) == +- 0 ++ NULL +| + (E = f(...)) != +- 0 ++ NULL +| +- 0 ++ NULL + == (E = f(...)) +| +- 0 ++ NULL + != (E = f(...)) +) + + +@t1 depends on !patch@ +expression *E; +identifier f; +position p; +@@ + +( + (E = f(...)) == +* 0@p +| + (E = f(...)) != +* 0@p +| +* 0@p + == (E = f(...)) +| +* 0@p + != (E = f(...)) +) + +@script:python depends on org@ +p << t1.p; +@@ + +coccilib.org.print_todo(p[0], "WARNING comparing pointer to 0") + +@script:python depends on report@ +p << t1.p; +@@ + +coccilib.report.print_report(p[0], "WARNING comparing pointer to 0") + +// Tests of returned values + +@s@ +identifier f; +expression E,E1; +@@ + + E = f(...) + ... when != E = E1 + !E + +@script:ocaml depends on s@ +f << s.f; +@@ + +try let _ = Hashtbl.find negtable f in () +with Not_found -> Hashtbl.add negtable f () + +@ r disable is_zero,isnt_zero exists @ +expression *E; +identifier f; +@@ + +E = f(...) +... +(E == 0 +|E != 0 +|0 == E +|0 != E +) + +@script:ocaml@ +f << r.f; +@@ + +try let _ = Hashtbl.find negtable f in () +with Not_found -> include_match false + +// This rule may lead to inconsistent path problems, if E is defined in two +// places +@ depends on patch disable is_zero,isnt_zero @ +expression *E; +expression E1; +identifier r.f; +@@ + +E = f(...) +<... +( +- E == 0 ++ !E +| +- E != 0 ++ E +| +- 0 == E ++ !E +| +- 0 != E ++ E +) +...> +?E = E1 + +@t2 depends on !patch disable is_zero,isnt_zero @ +expression *E; +expression E1; +identifier r.f; +position p1; +position p2; +@@ + +E = f(...) +<... +( +* E == 0@p1 +| +* E != 0@p2 +| +* 0@p1 == E +| +* 0@p1 != E +) +...> +?E = E1 + +@script:python depends on org@ +p << t2.p1; +@@ + +coccilib.org.print_todo(p[0], "WARNING comparing pointer to 0, suggest !E") + +@script:python depends on org@ +p << t2.p2; +@@ + +coccilib.org.print_todo(p[0], "WARNING comparing pointer to 0") + +@script:python depends on report@ +p << t2.p1; +@@ + +coccilib.report.print_report(p[0], "WARNING comparing pointer to 0, suggest !E") + +@script:python depends on report@ +p << t2.p2; +@@ + +coccilib.report.print_report(p[0], "WARNING comparing pointer to 0") + +@ depends on patch disable is_zero,isnt_zero @ +expression *E; +@@ + +( + E == +- 0 ++ NULL +| + E != +- 0 ++ NULL +| +- 0 ++ NULL + == E +| +- 0 ++ NULL + != E +) + +@ t3 depends on !patch disable is_zero,isnt_zero @ +expression *E; +position p; +@@ + +( +* E == 0@p +| +* E != 0@p +| +* 0@p == E +| +* 0@p != E +) + +@script:python depends on org@ +p << t3.p; +@@ + +coccilib.org.print_todo(p[0], "WARNING comparing pointer to 0") + +@script:python depends on report@ +p << t3.p; +@@ + +coccilib.report.print_report(p[0], "WARNING comparing pointer to 0") diff --git a/scripts/coccinelle/null/deref_null.cocci b/scripts/coccinelle/null/deref_null.cocci new file mode 100644 index 000000000..cdac6cfcc --- /dev/null +++ b/scripts/coccinelle/null/deref_null.cocci @@ -0,0 +1,282 @@ +/// +/// A variable is dereference under a NULL test. +/// Even though it is know to be NULL. +/// +// Confidence: Moderate +// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. +// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: -I ... -all_includes can give more complete results +// Options: + +virtual context +virtual org +virtual report + +@ifm@ +expression *E; +statement S1,S2; +position p1; +@@ + +if@p1 ((E == NULL && ...) || ...) S1 else S2 + +// The following two rules are separate, because both can match a single +// expression in different ways +@pr1 expression@ +expression *ifm.E; +identifier f; +position p1; +@@ + + (E != NULL && ...) ? <+...E->f@p1...+> : ... + +@pr2 expression@ +expression *ifm.E; +identifier f; +position p2; +@@ + +( + (E != NULL) && ... && <+...E->f@p2...+> +| + (E == NULL) || ... || <+...E->f@p2...+> +| + sizeof(<+...E->f@p2...+>) +) + +// For org and report modes + +@r depends on !context && (org || report) exists@ +expression subE <= ifm.E; +expression *ifm.E; +expression E1,E2; +identifier f; +statement S1,S2,S3,S4; +iterator iter; +position p!={pr1.p1,pr2.p2}; +position ifm.p1; +@@ + +if@p1 ((E == NULL && ...) || ...) +{ + ... when != if (...) S1 else S2 +( + iter(subE,...) S4 // no use +| + list_remove_head(E2,subE,...) +| + subE = E1 +| + for(subE = E1;...;...) S4 +| + subE++ +| + ++subE +| + --subE +| + subE-- +| + &subE +| + E->f@p // bad use +) + ... when any + return ...; +} +else S3 + +@script:python depends on !context && !org && report@ +p << r.p; +p1 << ifm.p1; +x << ifm.E; +@@ + +msg="ERROR: %s is NULL but dereferenced." % (x) +coccilib.report.print_report(p[0], msg) +cocci.include_match(False) + +@script:python depends on !context && org && !report@ +p << r.p; +p1 << ifm.p1; +x << ifm.E; +@@ + +msg="ERROR: %s is NULL but dereferenced." % (x) +msg_safe=msg.replace("[","@(").replace("]",")") +cocci.print_main(msg_safe,p) +cocci.include_match(False) + +@s depends on !context && (org || report) exists@ +expression subE <= ifm.E; +expression *ifm.E; +expression E1,E2; +identifier f; +statement S1,S2,S3,S4; +iterator iter; +position p!={pr1.p1,pr2.p2}; +position ifm.p1; +@@ + +if@p1 ((E == NULL && ...) || ...) +{ + ... when != if (...) S1 else S2 +( + iter(subE,...) S4 // no use +| + list_remove_head(E2,subE,...) +| + subE = E1 +| + for(subE = E1;...;...) S4 +| + subE++ +| + ++subE +| + --subE +| + subE-- +| + &subE +| + E->f@p // bad use +) + ... when any +} +else S3 + +@script:python depends on !context && !org && report@ +p << s.p; +p1 << ifm.p1; +x << ifm.E; +@@ + +msg="ERROR: %s is NULL but dereferenced." % (x) +coccilib.report.print_report(p[0], msg) + +@script:python depends on !context && org && !report@ +p << s.p; +p1 << ifm.p1; +x << ifm.E; +@@ + +msg="ERROR: %s is NULL but dereferenced." % (x) +msg_safe=msg.replace("[","@(").replace("]",")") +cocci.print_main(msg_safe,p) + +// For context mode + +@depends on context && !org && !report exists@ +expression subE <= ifm.E; +expression *ifm.E; +expression E1,E2; +identifier f; +statement S1,S2,S3,S4; +iterator iter; +position p!={pr1.p1,pr2.p2}; +position ifm.p1; +@@ + +if@p1 ((E == NULL && ...) || ...) +{ + ... when != if (...) S1 else S2 +( + iter(subE,...) S4 // no use +| + list_remove_head(E2,subE,...) +| + subE = E1 +| + for(subE = E1;...;...) S4 +| + subE++ +| + ++subE +| + --subE +| + subE-- +| + &subE +| +* E->f@p // bad use +) + ... when any + return ...; +} +else S3 + +// The following three rules are duplicates of ifm, pr1 and pr2 respectively. +// It is need because the previous rule as already made a "change". + +@ifm1@ +expression *E; +statement S1,S2; +position p1; +@@ + +if@p1 ((E == NULL && ...) || ...) S1 else S2 + +@pr11 expression@ +expression *ifm1.E; +identifier f; +position p1; +@@ + + (E != NULL && ...) ? <+...E->f@p1...+> : ... + +@pr12 expression@ +expression *ifm1.E; +identifier f; +position p2; +@@ + +( + (E != NULL) && ... && <+...E->f@p2...+> +| + (E == NULL) || ... || <+...E->f@p2...+> +| + sizeof(<+...E->f@p2...+>) +) + +@depends on context && !org && !report exists@ +expression subE <= ifm1.E; +expression *ifm1.E; +expression E1,E2; +identifier f; +statement S1,S2,S3,S4; +iterator iter; +position p!={pr11.p1,pr12.p2}; +position ifm1.p1; +@@ + +if@p1 ((E == NULL && ...) || ...) +{ + ... when != if (...) S1 else S2 +( + iter(subE,...) S4 // no use +| + list_remove_head(E2,subE,...) +| + subE = E1 +| + for(subE = E1;...;...) S4 +| + subE++ +| + ++subE +| + --subE +| + subE-- +| + &subE +| +* E->f@p // bad use +) + ... when any +} +else S3 diff --git a/scripts/coccinelle/null/eno.cocci b/scripts/coccinelle/null/eno.cocci new file mode 100644 index 000000000..9bd29aa83 --- /dev/null +++ b/scripts/coccinelle/null/eno.cocci @@ -0,0 +1,48 @@ +/// The various basic memory allocation functions don't return ERR_PTR +/// +// Confidence: High +// Copyright: (C) 2010-2012 Nicolas Palix. GPLv2. +// Copyright: (C) 2010-2012 Julia Lawall, INRIA/LIP6. GPLv2. +// Copyright: (C) 2010-2012 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@depends on patch@ +expression x,E; +@@ + +x = \(kmalloc\|kzalloc\|kcalloc\|kmem_cache_alloc\|kmem_cache_zalloc\|kmem_cache_alloc_node\|kmalloc_node\|kzalloc_node\)(...) +... when != x = E +- IS_ERR(x) ++ !x + +@r depends on !patch exists@ +expression x,E; +position p1,p2; +@@ + +*x = \(kmalloc@p1\|kzalloc@p1\|kcalloc@p1\|kmem_cache_alloc@p1\|kmem_cache_zalloc@p1\|kmem_cache_alloc_node@p1\|kmalloc_node@p1\|kzalloc_node@p1\)(...) +... when != x = E +* IS_ERR@p2(x) + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +@@ + +cocci.print_main("alloc call",p1) +cocci.print_secs("IS_ERR that should be NULL tests",p2) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +@@ + +msg = "ERROR: allocation function on line %s returns NULL not ERR_PTR on failure" % (p1[0].line) +coccilib.report.print_report(p2[0], msg) diff --git a/scripts/coccinelle/null/kmerr.cocci b/scripts/coccinelle/null/kmerr.cocci new file mode 100644 index 000000000..5354a7903 --- /dev/null +++ b/scripts/coccinelle/null/kmerr.cocci @@ -0,0 +1,72 @@ +/// This semantic patch looks for kmalloc etc that are not followed by a +/// NULL check. It only gives a report in the case where there is some +/// error handling code later in the function, which may be helpful +/// in determining what the error handling code for the call to kmalloc etc +/// should be. +/// +// Confidence: High +// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. +// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual context +virtual org +virtual report + +@withtest@ +expression x; +position p; +identifier f,fld; +@@ + +x@p = f(...); +... when != x->fld +\(x == NULL \| x != NULL\) + +@fixed depends on context && !org && !report@ +expression x,x1; +position p1 != withtest.p; +statement S; +position any withtest.p; +identifier f; +@@ + +*x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...); +... +*x1@p = f(...); +if (!x1) S + +// ------------------------------------------------------------------------ + +@rfixed depends on (org || report) && !context exists@ +expression x,x1; +position p1 != withtest.p; +position p2; +statement S; +position any withtest.p; +identifier f; +@@ + +x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...); +... +x1@p = f@p2(...); +if (!x1) S + +@script:python depends on org@ +p1 << rfixed.p1; +p2 << rfixed.p2; +@@ + +cocci.print_main("alloc call",p1) +cocci.print_secs("possible model",p2) + +@script:python depends on report@ +p1 << rfixed.p1; +p2 << rfixed.p2; +@@ + +msg = "alloc with no test, possible model on line %s" % (p2[0].line) +coccilib.report.print_report(p1[0],msg) diff --git a/scripts/coccinelle/tests/doublebitand.cocci b/scripts/coccinelle/tests/doublebitand.cocci new file mode 100644 index 000000000..72f1572aa --- /dev/null +++ b/scripts/coccinelle/tests/doublebitand.cocci @@ -0,0 +1,54 @@ +/// Find bit operations that include the same argument more than once +//# One source of false positives is when the argument performs a side +//# effect. Another source of false positives is when a neutral value +//# such as 0 for | is used to indicate no information, to maintain the +//# same structure as other similar expressions +/// +// Confidence: Moderate +// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. +// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual context +virtual org +virtual report + +@r expression@ +expression E; +position p; +@@ + +( +* E@p + & ... & E +| +* E@p + | ... | E +| +* E@p + & ... & !E +| +* E@p + | ... | !E +| +* !E@p + & ... & E +| +* !E@p + | ... | E +) + +@script:python depends on org@ +p << r.p; +@@ + +cocci.print_main("duplicated argument to & or |",p) + +@script:python depends on report@ +p << r.p; +@@ + +coccilib.report.print_report(p[0],"duplicated argument to & or |") diff --git a/scripts/coccinelle/tests/doubletest.cocci b/scripts/coccinelle/tests/doubletest.cocci new file mode 100644 index 000000000..78d74c22c --- /dev/null +++ b/scripts/coccinelle/tests/doubletest.cocci @@ -0,0 +1,40 @@ +/// Find &&/|| operations that include the same argument more than once +//# A common source of false positives is when the argument performs a side +//# effect. +/// +// Confidence: Moderate +// Copyright: (C) 2010 Nicolas Palix, DIKU. GPLv2. +// Copyright: (C) 2010 Julia Lawall, DIKU. GPLv2. +// Copyright: (C) 2010 Gilles Muller, INRIA/LiP6. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual context +virtual org +virtual report + +@r expression@ +expression E; +position p; +@@ + +( +* E@p + || ... || E +| +* E@p + && ... && E +) + +@script:python depends on org@ +p << r.p; +@@ + +cocci.print_main("duplicated argument to && or ||",p) + +@script:python depends on report@ +p << r.p; +@@ + +coccilib.report.print_report(p[0],"duplicated argument to && or ||") diff --git a/scripts/coccinelle/tests/odd_ptr_err.cocci b/scripts/coccinelle/tests/odd_ptr_err.cocci new file mode 100644 index 000000000..cfe0a35cf --- /dev/null +++ b/scripts/coccinelle/tests/odd_ptr_err.cocci @@ -0,0 +1,65 @@ +/// PTR_ERR should access the value just tested by IS_ERR +//# There can be false positives in the patch case, where it is the call +//# IS_ERR that is wrong. +/// +// Confidence: High +// Copyright: (C) 2012 Julia Lawall, INRIA. GPLv2. +// Copyright: (C) 2012 Gilles Muller, INRIA. GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: --no-includes --include-headers + +virtual patch +virtual context +virtual org +virtual report + +@depends on patch@ +expression e,e1; +@@ + +( +if (IS_ERR(e)) { ... PTR_ERR(e) ... } +| +if (IS_ERR(e=e1)) { ... PTR_ERR(e) ... } +| +if (IS_ERR(e)) + { ... + PTR_ERR( +- e1 ++ e + ) + ... } +) + +@r depends on !patch@ +expression e,e1; +position p1,p2; +@@ + +( +if (IS_ERR(e)) { ... PTR_ERR(e) ... } +| +if (IS_ERR(e=e1)) { ... PTR_ERR(e) ... } +| +*if (IS_ERR@p1(e)) + { ... +* PTR_ERR@p2(e1) + ... } +) + +@script:python depends on org@ +p1 << r.p1; +p2 << r.p2; +@@ + +cocci.print_main("inconsistent IS_ERR and PTR_ERR",p1) +cocci.print_secs("PTR_ERR",p2) + +@script:python depends on report@ +p1 << r.p1; +p2 << r.p2; +@@ + +msg = "inconsistent IS_ERR and PTR_ERR, PTR_ERR on line %s" % (p2[0].line) +coccilib.report.print_report(p1[0],msg) |