/usr/src/usr.bin/find/operator.c

Bug Summary

File:	src/usr.bin/find/operator.c
Warning:	line 208, column 14 Access to field 'next' results in a dereference of a null pointer (loaded from variable 'tail')

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name operator.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/find/obj -resource-dir /usr/local/lib/clang/13.0.0 -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/find/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/find/operator.c

1/*	$OpenBSD: operator.c,v 1.10 2009/10/27 23:59:38 deraadt Exp $	*/
2 
3/*-
4 * Copyright (c) 1990, 1993
5 *	The Regents of the University of California.  All rights reserved.
6 *
7 * This code is derived from software contributed to Berkeley by
8 * Cimarron D. Taylor of the University of California, Berkeley.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the University nor the names of its contributors
19 *    may be used to endorse or promote products derived from this software
20 *    without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34 
35#include <sys/types.h>
36#include <sys/stat.h>
37 
38#include <err.h>
39#include <fts.h>
40#include <stdio.h>
41 
42#include "find.h"
43#include "extern.h"
44    
45/*
46 * yanknode --
47 *	destructively removes the top from the plan
48 */
49static PLAN *
50yanknode(PLAN **planp)		/* pointer to top of plan (modified) */
51{
52	PLAN *node;		/* top node removed from the plan */
53    
54	if ((node = (*planp)) == NULL((void *)0))
55		return (NULL((void *)0));
56	(*planp) = (*planp)->next;
57	node->next = NULL((void *)0);
58	return (node);
59}
60 
61/*
62 * yankexpr --
63 *	Removes one expression from the plan.  This is used mainly by
64 *	paren_squish.  In comments below, an expression is either a
65 *	simple node or a N_EXPR node containing a list of simple nodes.
66 */
67static PLAN *
68yankexpr(PLAN **planp)		/* pointer to top of plan (modified) */
69{
70	PLAN *next;	/* temp node holding subexpression results */
71	PLAN *node;		/* pointer to returned node or expression */
72	PLAN *tail;		/* pointer to tail of subplan */
73	PLAN *subplan;		/* pointer to head of ( ) expression */
74	extern int f_expr(PLAN *, FTSENT *);
75    
76	/* first pull the top node from the plan */
77	if ((node = yanknode(planp)) == NULL((void *)0))
78		return (NULL((void *)0));
79    
80	/*
81	 * If the node is an '(' then we recursively slurp up expressions
82	 * until we find its associated ')'.  If it's a closing paren we
83	 * just return it and unwind our recursion; all other nodes are
84	 * complete expressions, so just return them.
85	 */
86	if (node->type == N_OPENPAREN)
87		for (tail = subplan = NULL((void *)0);;) {
88			if ((next = yankexpr(planp)) == NULL((void *)0))
89				errx(1, "(: missing closing ')'");
90			/*
91			 * If we find a closing ')' we store the collected
92			 * subplan in our '(' node and convert the node to
93			 * a N_EXPR.  The ')' we found is ignored.  Otherwise,
94			 * we just continue to add whatever we get to our
95			 * subplan.
96			 */
97			if (next->type == N_CLOSEPAREN) {
98				if (subplan == NULL((void *)0))
99					errx(1, "(): empty inner expression");
100				node->p_datap_un._p_data[0] = subplan;
101				node->type = N_EXPR;
102				node->eval = f_expr;
103				break;
104			} else {
105				if (subplan == NULL((void *)0))
106					tail = subplan = next;
107				else {
108					tail->next = next;
109					tail = next;
110				}
111				tail->next = NULL((void *)0);
112			}
113		}
114	return (node);
115}
116 
117/*
118 * paren_squish --
119 *	replaces "parentheisized" plans in our search plan with "expr" nodes.
120 */
121PLAN *
122paren_squish(PLAN *plan)		/* plan with ( ) nodes */
123{
124	PLAN *expr;	/* pointer to next expression */
125	PLAN *tail;	/* pointer to tail of result plan */
126	PLAN *result;		/* pointer to head of result plan */
127    
128	result = tail = NULL((void *)0);
129 
130	/*
131	 * the basic idea is to have yankexpr do all our work and just
132	 * collect it's results together.
133	 */
134	while ((expr = yankexpr(&plan)) != NULL((void *)0)) {
135		/*
136		 * if we find an unclaimed ')' it means there is a missing
137		 * '(' someplace.
138		 */
139		if (expr->type == N_CLOSEPAREN)
140			errx(1, "): no beginning '('");
141 
142		/* add the expression to our result plan */
143		if (result == NULL((void *)0))
144			tail = result = expr;
145		else {
146			tail->next = expr;
147			tail = expr;
148		}
149		tail->next = NULL((void *)0);
150	}
151	return (result);
152}
153 
154/*
155 * not_squish --
156 *	compresses "!" expressions in our search plan.
157 */
158PLAN *
159not_squish(PLAN *plan)		/* plan to process */
160{
161	PLAN *next;	/* next node being processed */
162	PLAN *node;	/* temporary node used in N_NOT processing */
163	PLAN *tail;	/* pointer to tail of result plan */
164	PLAN *result;		/* pointer to head of result plan */
165    
166	tail = result = next = NULL((void *)0);
167    
168	while ((next = yanknode(&plan)) != NULL((void *)0)) {
1
Loop condition is true.  Entering loop body→
5
←
Loop condition is true.  Entering loop body→
9
←
Loop condition is true.  Entering loop body→
13
←
Loop condition is true.  Entering loop body→
169		/*
170		 * if we encounter a ( expression ) then look for nots in
171		 * the expr subplan.
172		 */
173		if (next->type == N_EXPR)
2
←
Assuming field 'type' is equal to N_EXPR→
3
←
Taking true branch→
6
←
Assuming field 'type' is equal to N_EXPR→
7
←
Taking true branch→
10
←
Assuming field 'type' is equal to N_EXPR→
11
←
Taking true branch→
14
←
Assuming field 'type' is not equal to N_EXPR→
15
←
Taking false branch→
174			next->p_datap_un._p_data[0] = not_squish(next->p_datap_un._p_data[0]);
4
←
Calling 'not_squish'→
8
←
Calling 'not_squish'→
12
←
Calling 'not_squish'→
175 
176		/*
177		 * if we encounter a not, then snag the next node and place
178		 * it in the not's subplan.  As an optimization we compress
179		 * several not's to zero or one not.
180		 */
181		if (next->type == N_NOT) {
16
←
Assuming field 'type' is equal to N_NOT→
17
←
Taking true branch→
182			int notlevel = 1;
183 
184			node = yanknode(&plan);
185			while (node17.1
'node' is not equal to NULL
19.1
'node' is not equal to NULL
 != NULL((void *)0) && node->type == N_NOT) {
18
←
Assuming field 'type' is equal to N_NOT→
19
←
Loop condition is true.  Entering loop body→
20
←
Assuming field 'type' is not equal to N_NOT→
21
←
Loop condition is false. Execution continues on line 189→
186				++notlevel;
187				node = yanknode(&plan);
188			}
189			if (node21.1
'node' is not equal to NULL
 == NULL((void *)0))
22
←
Taking false branch→
190				errx(1, "!: no following expression");
191			if (node->type == N_OR)
23
←
Assuming field 'type' is not equal to N_OR→
24
←
Taking false branch→
192				errx(1, "!: nothing between ! and -o");
193			if (node->type == N_EXPR)
25
←
Assuming field 'type' is equal to N_EXPR→
26
←
Taking true branch→
194				node = not_squish(node);
195			if (notlevel % 2 != 1)
27
←
Taking true branch→
196				next = node;
197			else
198				next->p_datap_un._p_data[0] = node;
199		}
200 
201		/* add the node to our result plan */
202		if (result27.1
'result' is equal to NULL
 == NULL((void *)0))
28
←
Taking true branch→
203			tail = result = next;
29
←
Null pointer value stored to 'tail'→
204		else {
205			tail->next = next;
206			tail = next;
207		}
208		tail->next = NULL((void *)0);
30
←
Access to field 'next' results in a dereference of a null pointer (loaded from variable 'tail')
209	}
210	return (result);
211}
212 
213/*
214 * or_squish --
215 *	compresses -o expressions in our search plan.
216 */
217PLAN *
218or_squish(PLAN *plan)		/* plan with ors to be squished */
219{
220	PLAN *next;	/* next node being processed */
221	PLAN *tail;	/* pointer to tail of result plan */
222	PLAN *result;		/* pointer to head of result plan */
223    
224	tail = result = next = NULL((void *)0);
225    
226	while ((next = yanknode(&plan)) != NULL((void *)0)) {
227		/*
228		 * if we encounter a ( expression ) then look for or's in
229		 * the expr subplan.
230		 */
231		if (next->type == N_EXPR)
232			next->p_datap_un._p_data[0] = or_squish(next->p_datap_un._p_data[0]);
233 
234		/* if we encounter a not then look for not's in the subplan */
235		if (next->type == N_NOT)
236			next->p_datap_un._p_data[0] = or_squish(next->p_datap_un._p_data[0]);
237 
238		/*
239		 * if we encounter an or, then place our collected plan in the
240		 * or's first subplan and then recursively collect the
241		 * remaining stuff into the second subplan and return the or.
242		 */
243		if (next->type == N_OR) {
244			if (result == NULL((void *)0))
245				errx(1, "-o: no expression before -o");
246			next->p_datap_un._p_data[0] = result;
247			next->p_datap_un._p_data[1] = or_squish(plan);
248			if (next->p_datap_un._p_data[1] == NULL((void *)0))
249				errx(1, "-o: no expression after -o");
250			return (next);
251		}
252 
253		/* add the node to our result plan */
254		if (result == NULL((void *)0))
255			tail = result = next;
256		else {
257			tail->next = next;
258			tail = next;
259		}
260		tail->next = NULL((void *)0);
261	}
262	return (result);
263}