CodeSonar : pvm3.4.6 : Null Pointer Dereference

pvm3.4.6 : pvm3.4.6 analysis 2 : Null Pointer Dereference at pvmd.c:3715

Categories:	LANG.MEM.NPD CWE:476
Warning ID:	22094.28957
Procedure:	sendmessage
Trace:	view
Modified:	Thu Nov 26 11:29:13 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/src/tdpro.c

			Enter tm_spawn

tm_spawn(tp, mp)

struct task *tp;

struct pmsg *mp;

{

char *where = 0; /* location from req */

1088

struct waitc *wp; /* 'seed' waitc */

1089

struct waitc_spawn *wxp = 0; /* new task parameters */

1090

struct htab *htp; /* set of usable hosts */

struct hostd *hp;

int hh;

int i;

char *wd = 0;

char *wdenv = 0;

char *ptr;

int sz;

* unpack spawn command from task

1101

1102

1103

wxp = TALLOC(1, struct waitc_spawn, "waix");

1104

BZERO((char*)wxp, sizeof(struct waitc_spawn)); /* Null Pointer Dereference (ID: 288.28963) */

1105

1106

if (upkstralloc(mp, &wxp->w_file )

1107

|| upkint(mp, &wxp->w_flags )

1108

|| upkstralloc(mp, &where )

1109

|| upkint(mp, &wxp->w_veclen )

1110

|| upkint(mp, &wxp->w_argc ))

1111

goto bad;

1112

1113

if (wxp->w_veclen < 1)

1114

goto bad;

1115

1116

wxp->w_argv = TALLOC(wxp->w_argc + 1, char*, "argv"); /* Integer Overflow of Allocation Size (ID: 287.28962) */

1117

BZERO((char*)wxp->w_argv, (wxp->w_argc + 1) * sizeof(char*)); /* Null Pointer Dereference (ID: 286.28961) */

1118

for (i = 0; i < wxp->w_argc; i++)

1119

if (upkstralloc(mp, &wxp->w_argv[i]))

1120

goto bad;

1121

1122

if (upkuint(mp, &wxp->w_outtid )

1123

|| upkuint(mp, &wxp->w_outctx )

1124

|| upkuint(mp, &wxp->w_outtag )

1125

|| upkuint(mp, &wxp->w_trctid )

1126

|| upkuint(mp, &wxp->w_trcctx )

1127

|| upkuint(mp, &wxp->w_trctag ))

goto bad;

* extract any working directory string from "where"

ptr = where;

while ( *ptr != ':' && *ptr != '\0' )

1136

ptr++;

1137

if ( *ptr == ':' ) {

1138

*ptr++ = '\0'; /* close off actual "where" string */

1139

wd = ptr; /* save ptr to working directory */

}

* unpack environment from task

1144

1145

1146

if (upkuint(mp, &wxp->w_nenv ))

1147

goto bad;

1148

sz = wxp->w_nenv + 1 + (wd ? 1 : 0);

1149

wxp->w_env = TALLOC(sz, char*, "env"); /* Integer Overflow of Allocation Size (ID: 22097.28960) */

1150

BZERO((char*)wxp->w_env, sz * sizeof(char*)); /* Null Pointer Dereference (ID: 22096.28959) */

1151

for (i = 0; i < wxp->w_nenv; i++)

1152

if (upkstralloc(mp, &wxp->w_env[i]))

goto bad;

* add extra env string for working directory

if ( wd ) {

sz = strlen(wd) + strlen("PVMSPAWNWD=") + 1;

1161

wdenv = TALLOC(sz, char, "wdenv");

1162

sprintf( wdenv, "PVMSPAWNWD=%s", wd );

1163

wxp->w_env[ (wxp->w_nenv)++ ] = STRALLOC( wdenv );

}

* make host set containing hosts (matching where option)

1168

1169

1170

if ((wxp->w_flags & (PvmTaskHost|PvmTaskArch)) && !where)

goto bad;

htp = ht_new (1);

if (wxp->w_flags & PvmTaskHost) { /* given host */

1176

if (hp = nametohost (hosts, where ))

ht_insert(htp, hp );

} else {

if (wxp->w_flags & PvmTaskArch) { /* given arch */

1181

for (hh = hosts->ht_last; hh > 0; hh--)

1182

if ((hp = hosts->ht_hosts[hh])

1183

&& !strcmp(where, hp->hd_arch))

1184

ht_insert(htp, hp );

1185

1186

#ifdef IMA_BEOLIN

...

1188

} else if (wxp->w_flags & PvmMppFront) {

1189

hp = hosts->ht_hosts[hosts->ht_local];

ht_insert(htp, hp);

#endif

} else { /* anywhere */

1194

ht_merge(htp, hosts );

}

}

if (wxp->w_flags & PvmHostCompl) {

1199

for (hh = hosts->ht_last; hh > 0; hh--) {

1200

if (hh <= htp->ht_last && (hp = htp->ht_hosts[hh]))

1201

ht_delete(htp, hp );

1202

else

1203

if (hp = hosts->ht_hosts[hh])

ht_insert(htp, hp );

}

}

if (pvmdebmask & PDMTASK) {

1209

pvmlogerror("tm_spawn() host set:\n");

ht_dump(htp );

}

if ( !(wxp->w_flags & PvmNoSpawnParent) ) {

1214

wxp->w_ptid = tp->t_tid;

1215

}

1216

else

1217

wxp->w_ptid = PvmParentNotSet; /* indicate task unset parent */

1218

1219

1220

* assign each task to a host

wxp->w_ht = htp;

wxp->w_vec = TALLOC(wxp->w_veclen, int, "vec");

1225

BZERO((char*)wxp->w_vec, wxp->w_veclen * sizeof(int)); /* Null Pointer Dereference (ID: 22095.28958) */

1226

wxp->w_togo = wxp->w_veclen;

1227

1228

wp = wait_new (WT_SPAWN );

	1229		wp->wa_tid = tp->t_tid;
	1230		wp->wa_spec = (void*)wxp;
	1231		wxp = 0;

true

1232

wp->wa_mesg = replymessage (mp );

	1233

wp->wa_mesg <= 4095

1234

assign_tasks(wp );

					Enter tm_spawn / assign_tasks

1263

assign_tasks(wp)

1264

struct waitc *wp; /* (any) waitc in peer group for this op */

1265

{

1266

static int lasthh = -1; /* for assigning hosts */

1267

1268

struct waitc_spawn *wxp = (struct waitc_spawn*)wp->wa_spec;

1269

struct htab *htp; /* set of hosts to use */

1270

int *vec; /* result/status vector */

1271

int veclen; /* length of vector */

1272

int count = 0; /* num of tasks to be assigned */

1273

int nh; /* num of hosts to assign tasks */

1274

int a = 0; /* accum for finding hosts */

1275

int na = 0; /* num tasks assigned to a host */

struct waitc *wp2;

struct hostd *hp;

struct pmsg *mp;

int t;

int i;

int tid;

struct timeval now;

if (!wxp)

return 0;

htp = wxp->w_ht;

vec = wxp->w_vec;

veclen = wxp->w_veclen;

1290

1291

1292

* if no hosts left, fill unassigned entries with PvmNoHost

if (!htp->ht_cnt)

for (t = veclen; t-- > 0; )

if (!vec[t])

vec[t] = PvmNoHost;

* count tasks to be assigned, if none left reply to task

1302

1303

1304

for (t = veclen; t-- > 0; )

if (!vec[t])

count++;

if (!count) {

pkint(wp->wa_mesg, wxp->w_veclen );

1310

for (t = 0; t < wxp->w_veclen; t++) {

1311

tid = wxp->w_vec[t];

1312

pkint(wp->wa_mesg, tid );

1313

if (TIDISTASK(tid) && wxp->w_trctid > 0) {

1314

tev_send_spntask(

1315

wxp->w_trctid, wxp->w_trcctx, wxp->w_trctag,

1316

tid, wxp->w_ptid );

1317

}

1318

if (TIDISTASK(tid) && wxp->w_outtid > 0) {

1319

mp = mesg_new (0);

1320

mp->m_dst = wxp->w_outtid; /* Null Pointer Dereference (ID: 38.28623) */

1321

mp->m_ctx = wxp->w_outctx;

1322

mp->m_tag = wxp->w_outtag;

1323

pkint(mp, tid );

1324

pkint(mp, TO_SPAWN );

1325

pkint(mp, wxp->w_ptid );

sendmessage(mp );

}

}

sendmessage(wp->wa_mesg );

							/kat0/fletcher/SATE/2010/pvm3/src/pvmd.c

							Enter tm_spawn / assign_tasks / sendmessage

sendmessage(mp)

struct pmsg *mp;

{

struct hostd *hp = 0;

struct task *tp;

struct frag *fp;

struct pkt *pp;

int ff = FFSOM;

int dst = mp->m_dst; /* Null Pointer Dereference */ /* 13 more... */

							Exit tm_spawn / assign_tasks / sendmessage

					Exit tm_spawn / assign_tasks

Preconditions

&$unknown_898008 >= 1
&$unknown_898028 >= 1
&$heap_321035 <= &$unknown_898022
hosts->ht_hosts[1] = 0
hosts->ht_last >= 2
$unknown_898022 != 0
$unknown_898022 != 58
strlen(&$unknown_898022) = 1
((char*)&$unknown_898022)[1] = 0
((char*)&$unknown_898029)[4] = 0
((char*)&$heap_321034)[24] = 1
((char*)&$heap_321034)[56] >= 2
$heap_321035 != 0
$heap_321035 <= 46
strlen(&$heap_321035) > 0
((char*)&$heap_321041)[8] = 0
widrange >= lastwid + 1

Postconditions

waitlist->wa_rlink' = &$heap_321043
waitlist->wa_rlink->wa_link' = &$heap_321043
a' = 0
count' = 0
errno' != 0
ff' = 1
freepmsgs.m_link' = &freepmsgs.m_link
freepmsgs.m_rlink' = &freepmsgs.m_link
$heap_321034' = 0
bytes_after(&$heap_321034)' = 84
$heap_321034' is allocated by malloc
bytes_before(&$heap_321034)' = 0
((char*)&$heap_321034)[16]' = &$heap_321041
((char*)&$heap_321034)[20]' = &$heap_321042
((char*)&$heap_321034)[28]' = ((char*)&$heap_321034)[24]
((char*)&$heap_321034)[60]' = &$heap_321038
((char*)&$heap_321034)[64]' = tp->t_tid
((char*)&$heap_321034)[12]' = &$heap_321036
bytes_after(&$heap_321035)' = &$unknown_898008
$heap_321035' is allocated by malloc
bytes_before(&$heap_321035)' = 0
$heap_321036' = 0
$heap_321036' is allocated by malloc
bytes_before(&$heap_321036)' = 0
$heap_321038' = 0
bytes_after(&$heap_321038)' = 4 * ((char*)&$heap_321034)[56] + 4
$heap_321038' is allocated by malloc
bytes_before(&$heap_321038)' = 0
$heap_321041' = 0
bytes_after(&$heap_321041)' = 32
$heap_321041' is allocated by malloc
$heap_321041' is allocated
bytes_before(&$heap_321041)' = 0
((char*)&$heap_321041)[28]' = &$unknown_898029
((char*)&$heap_321041)[4]' = &$unknown_898028
$heap_321042' = 0
bytes_after(&$heap_321042)' = 4 * ((char*)&$heap_321034)[24]
$heap_321042' is allocated by malloc
$heap_321042' is allocated
bytes_before(&$heap_321042)' = 0
$heap_321043' = waitlist
bytes_after(&$heap_321043)' = 48
$heap_321043' is allocated by malloc
$heap_321043' is allocated
bytes_before(&$heap_321043)' = 0
((char*)&$heap_321043)[16]' = 0
((char*)&$heap_321043)[20]' = tp->t_tid
((char*)&$heap_321043)[24]' = 0
((char*)&$heap_321043)[36]' = 0
((char*)&$heap_321043)[40]' = 0
((char*)&$heap_321043)[4]' = waitlist->wa_rlink
((char*)&$heap_321043)[44]' = &$heap_321034
((char*)&$heap_321043)[8]' <= waitlist->wa_wid
((char*)&$heap_321043)[8]' <= waitlist->wa_wid - 1
((char*)&$heap_321043)[12]' = 2
hh' = 0
hp' = 0
hp' = hosts->ht_hosts[1]
htp' = &$heap_321041
htp' = &$heap_321041
i' = ((char*)&$heap_321034)[56]
lastwid' = lastwid + 1
mp' = 0
na' = 0
numpmsgs' = 0
ptr' = &$unknown_898022 + 1
sz' = ((char*)&$heap_321034)[56] + 1
t' = 1
tid' = 0
vec' = &$heap_321042
veclen' = ((char*)&$heap_321034)[24]
wd' = 0
wdenv' = 0
where' = &$heap_321035
wp' = &$heap_321043
wp' = &$heap_321043
wxp' = 0
wxp' = &$heap_321034

Change Warning 22094.28957 : Null Pointer Dereference

Priority:
State:
Finding:
Owner:
Note: