CodeSonar : pvm3.4.6 : Null Pointer Dereference

pvm3.4.6 : pvm3.4.6 analysis 2 : Null Pointer Dereference at tdpro.c:1373

Categories:	LANG.MEM.NPD CWE:476
Warning ID:	22093.28956
Procedure:	assign_tasks
Trace:	view
Modified:	Thu Nov 26 11:29:11 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/src/tdpro.c

			Enter tm_spawn

tm_spawn(tp, mp)

struct task *tp;

struct pmsg *mp;

{

char *where = 0; /* location from req */

1088

struct waitc *wp; /* 'seed' waitc */

1089

struct waitc_spawn *wxp = 0; /* new task parameters */

1090

struct htab *htp; /* set of usable hosts */

struct hostd *hp;

int hh;

int i;

char *wd = 0;

char *wdenv = 0;

char *ptr;

int sz;

* unpack spawn command from task

1101

1102

1103

wxp = TALLOC(1, struct waitc_spawn, "waix");

1104

BZERO((char*)wxp, sizeof(struct waitc_spawn)); /* Null Pointer Dereference (ID: 288.28963) */

1105

1106

if (upkstralloc(mp, &wxp->w_file )

1107

|| upkint(mp, &wxp->w_flags )

1108

|| upkstralloc(mp, &where )

1109

|| upkint(mp, &wxp->w_veclen )

1110

|| upkint(mp, &wxp->w_argc ))

1111

goto bad;

1112

1113

if (wxp->w_veclen < 1)

1114

goto bad;

1115

1116

wxp->w_argv = TALLOC(wxp->w_argc + 1, char*, "argv"); /* Integer Overflow of Allocation Size (ID: 287.28962) */

1117

BZERO((char*)wxp->w_argv, (wxp->w_argc + 1) * sizeof(char*)); /* Null Pointer Dereference (ID: 286.28961) */

1118

for (i = 0; i < wxp->w_argc; i++)

1119

if (upkstralloc(mp, &wxp->w_argv[i]))

1120

goto bad;

1121

1122

if (upkuint(mp, &wxp->w_outtid )

1123

|| upkuint(mp, &wxp->w_outctx )

1124

|| upkuint(mp, &wxp->w_outtag )

1125

|| upkuint(mp, &wxp->w_trctid )

1126

|| upkuint(mp, &wxp->w_trcctx )

1127

|| upkuint(mp, &wxp->w_trctag ))

goto bad;

* extract any working directory string from "where"

ptr = where;

while ( *ptr != ':' && *ptr != '\0' )

1136

ptr++;

1137

if ( *ptr == ':' ) {

1138

*ptr++ = '\0'; /* close off actual "where" string */

1139

wd = ptr; /* save ptr to working directory */

}

* unpack environment from task

1144

1145

1146

if (upkuint(mp, &wxp->w_nenv ))

1147

goto bad;

1148

sz = wxp->w_nenv + 1 + (wd ? 1 : 0);

1149

wxp->w_env = TALLOC(sz, char*, "env"); /* Integer Overflow of Allocation Size (ID: 22097.28960) */

1150

BZERO((char*)wxp->w_env, sz * sizeof(char*)); /* Null Pointer Dereference (ID: 22096.28959) */

1151

for (i = 0; i < wxp->w_nenv; i++)

1152

if (upkstralloc(mp, &wxp->w_env[i]))

goto bad;

* add extra env string for working directory

if ( wd ) {

sz = strlen(wd) + strlen("PVMSPAWNWD=") + 1;

1161

wdenv = TALLOC(sz, char, "wdenv");

1162

sprintf( wdenv, "PVMSPAWNWD=%s", wd );

1163

wxp->w_env[ (wxp->w_nenv)++ ] = STRALLOC( wdenv );

}

* make host set containing hosts (matching where option)

1168

1169

1170

if ((wxp->w_flags & (PvmTaskHost|PvmTaskArch)) && !where)

goto bad;

htp = ht_new (1);

if (wxp->w_flags & PvmTaskHost) { /* given host */

1176

if (hp = nametohost (hosts, where ))

ht_insert(htp, hp );

} else {

if (wxp->w_flags & PvmTaskArch) { /* given arch */

1181

for (hh = hosts->ht_last; hh > 0; hh--)

1182

if ((hp = hosts->ht_hosts[hh])

1183

&& !strcmp(where, hp->hd_arch))

1184

ht_insert(htp, hp );

1185

1186

#ifdef IMA_BEOLIN

...

1188

} else if (wxp->w_flags & PvmMppFront) {

1189

hp = hosts->ht_hosts[hosts->ht_local];

ht_insert(htp, hp);

#endif

} else { /* anywhere */

1194

ht_merge(htp, hosts );

}

}

if (wxp->w_flags & PvmHostCompl) {

1199

for (hh = hosts->ht_last; hh > 0; hh--) {

1200

if (hh <= htp->ht_last && (hp = htp->ht_hosts[hh]))

1201

ht_delete(htp, hp );

1202

else

1203

if (hp = hosts->ht_hosts[hh])

ht_insert(htp, hp );

}

}

if (pvmdebmask & PDMTASK) {

1209

pvmlogerror("tm_spawn() host set:\n");

ht_dump(htp );

}

if ( !(wxp->w_flags & PvmNoSpawnParent) ) {

1214

wxp->w_ptid = tp->t_tid;

1215

}

1216

else

1217

wxp->w_ptid = PvmParentNotSet; /* indicate task unset parent */

1218

1219

1220

* assign each task to a host

wxp->w_ht = htp;

wxp->w_vec = TALLOC(wxp->w_veclen, int, "vec");

1225

BZERO((char*)wxp->w_vec, wxp->w_veclen * sizeof(int)); /* Null Pointer Dereference (ID: 22095.28958) */

1226

wxp->w_togo = wxp->w_veclen;

1227

1228

wp = wait_new (WT_SPAWN );

	1229		wp->wa_tid = tp->t_tid;
	1230		wp->wa_spec = (void*)wxp;
	1231		wxp = 0;

true

1232

wp->wa_mesg = replymessage (mp );

	1233

wp->wa_mesg <= 4095

1234

assign_tasks(wp );

					Enter tm_spawn / assign_tasks

1263

assign_tasks(wp)

1264

struct waitc *wp; /* (any) waitc in peer group for this op */

1265

{

1266

static int lasthh = -1; /* for assigning hosts */

1267

1268

struct waitc_spawn *wxp = (struct waitc_spawn*)wp->wa_spec;

1269

struct htab *htp; /* set of hosts to use */

1270

int *vec; /* result/status vector */

1271

int veclen; /* length of vector */

1272

int count = 0; /* num of tasks to be assigned */

1273

int nh; /* num of hosts to assign tasks */

1274

int a = 0; /* accum for finding hosts */

1275

int na = 0; /* num tasks assigned to a host */

struct waitc *wp2;

struct hostd *hp;

struct pmsg *mp;

int t;

int i;

int tid;

struct timeval now;

if (!wxp)

return 0;

htp = wxp->w_ht;

vec = wxp->w_vec;

veclen = wxp->w_veclen;

1290

1291

1292

* if no hosts left, fill unassigned entries with PvmNoHost

if (!htp->ht_cnt)

for (t = veclen; t-- > 0; )

if (!vec[t])

vec[t] = PvmNoHost;

* count tasks to be assigned, if none left reply to task

1302

1303

1304

for (t = veclen; t-- > 0; )

if (!vec[t])

count++;

if (!count) {

pkint(wp->wa_mesg, wxp->w_veclen );

1310

for (t = 0; t < wxp->w_veclen; t++) {

1311

tid = wxp->w_vec[t];

1312

pkint(wp->wa_mesg, tid );

1313

if (TIDISTASK(tid) && wxp->w_trctid > 0) {

1314

tev_send_spntask(

1315

wxp->w_trctid, wxp->w_trcctx, wxp->w_trctag,

1316

tid, wxp->w_ptid );

1317

}

1318

if (TIDISTASK(tid) && wxp->w_outtid > 0) {

...

1331

1332

free_wait_spawn(wxp );

wp->wa_spec = 0;

return 0;

}

* assign tasks to hosts

1339

1340

1341

nh = min(htp->ht_cnt, count);

1342

1343

/* find first host to assign */

1344

1345

if (lasthh == -1)

1346

lasthh = hosts->ht_local + 1;

1347

if (lasthh > htp->ht_last)

1348

lasthh = 0;

1349

while (!htp->ht_hosts[lasthh])

1350

if (++lasthh > htp->ht_last)

1351

lasthh = 1;

1352

hp = htp->ht_hosts[lasthh];

1353

1354

for (t = 0; t < veclen && vec[t]; t++);

while (t < veclen) {

pvmlogprintf("assign_tasks() %s <- %d\n", hp->hd_name, t);

1359

1360

1361

vec[t] = hp->hd_hostpart;

1362

na++;

1363

1364

/* when enough tasks for this host, move to next */

1365

1366

if ((a += nh) >= count) {

1367

a -= count;

1368

1369

wp2 = wait_new (WT_SPAWN );

1370

wp2->wa_tid = wp->wa_tid;

1371

wp2->wa_on = hp->hd_hostpart;

1372

wp2->wa_spec = wp->wa_spec;

wp->wa_mesg <= 4095

1373

wp->wa_mesg->m_ref++; /* Null Pointer Dereference */

1374

wp2->wa_mesg = wp->wa_mesg;

1375

LISTPUTBEFORE(wp, wp2, wa_peer, wa_rpeer);

1376

1377

mp = mesg_new (0);

1378

pkint(mp, wxp->w_ptid );

1379

pkstr(mp, wxp->w_file );

1380

pkint(mp, wxp->w_flags );

1381

pkint(mp, na );

1382

pkint(mp, wxp->w_argc );

1383

for (i = 0; i < wxp->w_argc; i++)

1384

pkstr(mp, wxp->w_argv[i]);

1385

pkint(mp, wxp->w_outtid );

1386

pkint(mp, wxp->w_outctx );

1387

pkint(mp, wxp->w_outtag );

1388

pkint(mp, wxp->w_trctid );

1389

pkint(mp, wxp->w_trcctx );

1390

pkint(mp, wxp->w_trctag );

1391

pkint(mp, wxp->w_nenv );

1392

for (i = 0; i < wxp->w_nenv; i++)

1393

pkstr(mp, wxp->w_env[i]);

1394

pkint(mp, (t+1)-na ); /* start proc location 0..count-1 */

1395

pkint(mp, count ); /* how many are there in total */

1396

mp->m_dst = hp->hd_hostpart | TIDPVMD; /* Null Pointer Dereference (ID: 37.28622) */

1397

mp->m_tag = DM_EXEC;

1398

mp->m_wid = wp2->wa_wid;

1399

1400

do {

1401

if (++lasthh > htp->ht_last)

1402

lasthh = 1;

1403

} while (!htp->ht_hosts[lasthh]);

sendmessage(mp );

hp = htp->ht_hosts[lasthh];

1408

na = 0;

1409

}

1410

for (t++ ; t < veclen && vec[t]; t++);

					Exit tm_spawn / assign_tasks

Preconditions

&$unknown_890249 >= 1
&$unknown_890263 >= &$heap_318152
&$unknown_890269 <= hosts->ht_local
&$unknown_890269 >= 1
&$unknown_890272 != 0
&$unknown_890272 <= ((char*)&$heap_318158)[8]
hosts->ht_hosts[1] = 0
hosts->ht_local >= 1
hosts->ht_last >= 2
$unknown_890263 != 0
$unknown_890263 != 58
strlen(&$unknown_890263) = 1
((char*)&$unknown_890263)[1] = 0
((char*)&$unknown_890270)[4] = 0
((char*)&$heap_318151)[24] >= 2
((char*)&$heap_318151)[56] >= 2
$heap_318152 != 0
$heap_318152 <= 46
strlen(&$heap_318152) > 0
((char*)&$heap_318158)[8] != 0
lasthh = -1
widrange >= lastwid + 1

Postconditions

waitlist->wa_rlink' = &$heap_318160
waitlist->wa_rlink->wa_link' = &$heap_318160
count' = &$unknown_890272
$heap_318151' = 0
bytes_after(&$heap_318151)' = 84
$heap_318151' is allocated by malloc
bytes_before(&$heap_318151)' = 0
((char*)&$heap_318151)[16]' = &$heap_318158
((char*)&$heap_318151)[20]' = &$heap_318159
((char*)&$heap_318151)[28]' = ((char*)&$heap_318151)[24]
((char*)&$heap_318151)[60]' = &$heap_318155
((char*)&$heap_318151)[64]' = tp->t_tid
((char*)&$heap_318151)[12]' = &$heap_318153
bytes_after(&$heap_318152)' = &$unknown_890249
$heap_318152' is allocated by malloc
bytes_before(&$heap_318152)' = 0
$heap_318153' = 0
$heap_318153' is allocated by malloc
bytes_before(&$heap_318153)' = 0
$heap_318155' = 0
bytes_after(&$heap_318155)' = 4 * ((char*)&$heap_318151)[56] + 4
$heap_318155' is allocated by malloc
bytes_before(&$heap_318155)' = 0
$heap_318158' = 0
bytes_after(&$heap_318158)' = 32
$heap_318158' is allocated by malloc
$heap_318158' is allocated
bytes_before(&$heap_318158)' = 0
((char*)&$heap_318158)[28]' = &$unknown_890270
((char*)&$heap_318158)[4]' = &$unknown_890269
$heap_318159' = 0
bytes_after(&$heap_318159)' = 4 * ((char*)&$heap_318151)[24]
$heap_318159' is allocated by malloc
$heap_318159' is allocated
bytes_before(&$heap_318159)' = 0
$heap_318160' = waitlist
bytes_after(&$heap_318160)' = 48
$heap_318160' is allocated by malloc
$heap_318160' is allocated
bytes_before(&$heap_318160)' = 0
((char*)&$heap_318160)[16]' = 0
((char*)&$heap_318160)[20]' = tp->t_tid
((char*)&$heap_318160)[24]' = 0
((char*)&$heap_318160)[36]' = 0
((char*)&$heap_318160)[40]' = 0
((char*)&$heap_318160)[4]' = waitlist->wa_rlink
((char*)&$heap_318160)[44]' = &$heap_318151
((char*)&$heap_318160)[8]' <= waitlist->wa_wid
((char*)&$heap_318160)[8]' <= waitlist->wa_wid - 1
((char*)&$heap_318160)[12]' = 2
bytes_after(&$heap_318161)' = 48
$heap_318161' is allocated by malloc
$heap_318161' is allocated
bytes_before(&$heap_318161)' = 0
((char*)&$heap_318161)[16]' = ((char*)&$unknown_890275)[4]
((char*)&$heap_318161)[20]' = tp->t_tid
((char*)&$heap_318161)[24]' = 0
((char*)&$heap_318161)[28]' = &$heap_318161
((char*)&$heap_318161)[32]' = &$heap_318161
((char*)&$heap_318161)[36]' = 0
((char*)&$heap_318161)[40]' = 0
((char*)&$heap_318161)[44]' = &$heap_318151
((char*)&$heap_318161)[12]' = 2
hh' = 0
hp' = hosts->ht_hosts[1]
hp' = &$unknown_890275
htp' = &$heap_318158
htp' = &$heap_318158
i' = ((char*)&$heap_318151)[56]
nh' = &$unknown_890272
ptr' = &$unknown_890263 + 1
sz' = ((char*)&$heap_318151)[56] + 1
t' <= ((char*)&$heap_318151)[24] - 1
vec' = &$heap_318159
veclen' = ((char*)&$heap_318151)[24]
wd' = 0
wdenv' = 0
where' = &$heap_318152
wp' = &$heap_318160
wp' = &$heap_318160
wp2' = &$heap_318161
wxp' = 0
wxp' = &$heap_318151

Change Warning 22093.28956 : Null Pointer Dereference

Priority:
State:
Finding:
Owner:
Note: