Hi all,
I've spotted some bugs in the code, where *malloc() functions were
called with a variable's address instead of a size.
I've developed a checker:
@@
type T;
T *x;
@@
(
malloc
|
my_malloc
|
other_malloc
)
- (x)
+ (*(x))
It generally works fine; however, it fails when using an array name as a pointer:
--- src/b.c
+++ /tmp/cocci-output-7286-034148-b.c
int * ala;
char b[12] = "mmm";
char *c = b + 1;
- malloc(ala + 1);
- my_malloc(ala + 2);
+ malloc(*(ala + 1)); // OK
+ my_malloc(*(ala + 2)); // OK
- malloc(c - b);
+ malloc(*(c - b)); // NOT OK
return 0;
}
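Review bot: The third rewrite, `+ malloc(*(c - b)); // NOT OK`, dereferences an integer: `c - b` subtracts two `char` pointers, so per the C standard its type is `ptrdiff_t`, not a pointer, and `*(c - b)` will not compile. The two `int *` hits above it (`*(ala + 1)`, `*(ala + 2)`) are correct, so the rule's `T *x` constraint is sound; the false hit appears only when `b` is declared as an array, which matches the observation that the `char *b` form behaves as expected. Until that is resolved, compile the transformed file before accepting the output and drop any `*(...)` the tool applies to a pointer difference.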
When I replace the b declaration with char *b it works fine and doesn't
suggest changing the last malloc. Am I missing anything from the C spec? Or is it
a bug?
One more question - can I write a more general rule for all functions
ending with malloc?
Something like that was not working:
@@
type T;
identifier malloc ~= ".*malloc";
T *x;
@@
- malloc (x)
+ malloc (*(x))
Best regards,
Robert
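As an added illustration (not part of the original post or of Coccinelle), the C program below asks the compiler, via C11 _Generic, the same question the rule's `T *x` metavariable asks of each expression in the posted diff, and shows a hypothetical SIZE_MALLOC wrapper that rejects a pointer argument at compile time. IS_POINTER, SIZE_MALLOC and the helper functions are names chosen here; the declarations of ala, b and c are reproduced from the diff as a constructed sample.

```c
#include <stddef.h>
#include <stdlib.h>

/* Added example, not from the original post. IS_POINTER() uses C11 _Generic
 * to classify an expression's static type; its controlling expression is
 * never evaluated, so uninitialised pointers are safe to pass. */
#define IS_POINTER(e) _Generic((e), int *: 1, char *: 1, void *: 1, default: 0)

/* Hypothetical hardened wrapper: char[-1] is a constraint violation, so a
 * pointer passed where a size is expected fails to compile instead of
 * waiting for a semantic patch to find it. A genuine size compiles as usual. */
#define SIZE_MALLOC(n) \
    malloc((n) + 0 * sizeof(char[1 - 2 * IS_POINTER(n)]))

/* The declarations from the posted diff, reproduced as a constructed sample
 * (&b[1] is the file-scope spelling of b + 1). */
static int *ala;
static char b[12] = "mmm";
static char *c = &b[1];

/* ala + 1 has type int *, so `- malloc(ala + 1)` is a correct hit. */
int ala_plus_1_is_pointer(void) { return IS_POINTER(ala + 1); }   /* 1 */

/* b + 1: the array name decays to char *, so this is a pointer too. */
int b_plus_1_is_pointer(void) { return IS_POINTER(b + 1); }       /* 1 */

/* c - b subtracts two pointers: the result is ptrdiff_t, an integer, so
 * `*(c - b)` is not valid C and the rule should not have fired on it. */
int c_minus_b_is_pointer(void) { return IS_POINTER(c - b); }      /* 0 */

/* A pointer difference is a legitimate size and SIZE_MALLOC accepts it;
 * SIZE_MALLOC(ala + 1) would instead be rejected by the compiler. */
size_t checked_alloc_size(void)
{
    void *p = SIZE_MALLOC(c - b);                 /* c - b == 1 byte */
    size_t got = (p != NULL) ? (size_t)(c - b) : 0;
    free(p);
    return got;                                    /* 1 */
}
```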
_______________________________________________
Cocci mailing list
[email protected]
http://lists.diku.dk/mailman/listinfo/cocci
(Web access from inside DIKUs LAN only)