CodeSonar : pvm3.4.6 : Null Pointer Dereference

pvm3.4.6 : pvm3.4.6 analysis 2 : Null Pointer Dereference at pvmd.c:1927

Categories:	LANG.MEM.NPD CWE:476
Warning ID:	98.28691
Procedure:	work
Trace:	view
Modified:	Thu Nov 26 11:27:24 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/pvm3/src/pvmd.c

			Enter work

1696

work()

1697

{

1698

static int lastpinged = 0; /* host that got last keepalive msg */

1699

#ifdef FDSETNOTSTRUCT

1700

fd_set rfds, wfds; /* result of select */

1701

/* fd_set efds; */

1702

#else

1703

struct fd_set rfds, wfds; /* result of select */

1704

/* struct fd_set efds; */

1705

#endif

1706

int nrdy; /* number of fds ready after select */

...

1718

double tbpl; /* time at beginning of probe loop */

1719

double toutpl; /* timeout in the probe loop */

1720

int timed_out;

1721

extern double dclock();

#endif

#endif

#ifdef SHMEM

int someclosed;

#endif

gettimeofday(&tnow, (struct timezone*)0);

1729

if (pvmdebmask || myhostpart) {

1730

PVM_TIMET time_temp;

1731

pvmlogprintf("%s (%s) %s %s\n",

1732

hosts->ht_hosts[hosts->ht_local]->hd_name,

1733

inadport_decimal (&hosts->ht_hosts[hosts->ht_local]->hd_sad ), /* Buffer Overrun (ID: 22089.28936) */ /* Buffer Underrun (ID: 22088.28935) */

1734

myarchname,

1735

PVM_VER );

1736

pvmlogprintf("ready ");

1737

time_temp = (PVM_TIMET) tnow.tv_sec;

1738

pvmlogprintf(ctime(&time_temp)); /* Format String (ID: 22201.29376) */

}

* check for default plug-in modules (& start them)

1743

* (only if pvmd, not for pvmd'...)

if ( myhostpart ) {

char *av[5];

char *buf;

char *cmd;

int ac;

int i;

for ( i=0 ; modulenames[i] ; i++ ) {

1754

cmd = getenv( modulenames[i] );

1755

if ( cmd != NULL )

1756

{

...

1765

}

1766

if (buf) PVM_FREE( buf );

}

}

}

* remind myself to start those pesky slave pvmds

if (addmesg) {

struct pmsg *mp = addmesg;

addmesg = 0;

sendmessage(mp );

}

* init bail (for PVMDSTARTUP) and ping times

pvmgetclock(&tnow );

tout.tv_sec = DDBAILTIME;

1788

tout.tv_usec = 0;

1789

TVXADDY(&tbail, &tnow, &tout);

1790

1791

tout.tv_sec = DDPINGTIME;

1792

tout.tv_usec = 0;

1793

TVXADDY(&tping, &tnow, &tout);

1794

1795

/* init select fd sets */

wrk_fds_init();

if (loclsock >= 0)

wrk_fds_add(loclsock, 1);

1801

wrk_fds_add(netsock, 1);

for (; ; ) {

* clean up after any tasks that we got SIGCHLDs for

#ifdef IMA_BEOSCYLD

reap(SIGCLD);

#endif

while (rdead != wdead) {

1812

if (deads[rdead].dd_pid == pprime) {

1813

int cc;

1814

#ifdef SOCKLENISUINT

1815

#if defined(IMA_AIX4SP2) || defined(IMA_AIX5SP2) \

1816

|| defined(IMA_AIX56K64) || defined(IMA_LINUXALPHA)

unsigned int oslen;

#else

size_t oslen;

#endif

#else

int oslen;

#endif

struct sockaddr_in osad;

struct timeval t;

char buf[DDFRAGHDR];

hostfailentry(hosts->ht_hosts[0]);

1829

clear_opq_of((int)(TIDPVMD | hosts->ht_hosts[0]->hd_hostpart));

pprime = 0;

while (1) {

FD_ZERO(&rfds);

FD_SET(ppnetsock, &rfds);

1835

t.tv_sec = 0;

1836

t.tv_usec = 0;

1837

cc = select(ppnetsock + 1,

1838

#ifdef FDSETISINT

1839

(int *)&rfds, (int *)0, (int *)0,

1840

#else

1841

(fd_set *)&rfds, (fd_set *)0, (fd_set *)0,

#endif

&t);

if (cc == 1) {

oslen = sizeof(osad);

1846

recvfrom(ppnetsock, buf, sizeof(buf),

1847

0, (struct sockaddr*)&osad, &oslen);

1848

1849

} else if (cc != -1 || errno != EINTR)

break;

}

} else {

if (tp = task_findpid (deads[rdead].dd_pid )) {

1855

1856

/* check for output one last time

1857

XXX this could be cleaner by going through main select again

1858

XXX before flushing the task */

1859

1860

tp->t_status = deads[rdead].dd_es;

1861

tp->t_utime = deads[rdead].dd_ut;

1862

tp->t_stime = deads[rdead].dd_st;

1863

while (tp->t_out >= 0) {

1864

1865

#ifdef FDSETNOTSTRUCT

fd_set rfds;

#else

struct fd_set rfds;

#endif

FD_ZERO(&rfds);

FD_SET(tp->t_out, &rfds);

1873

TVCLEAR(&tout);

1874

if (select(tp->t_out + 1,

1875

#ifdef FDSETISINT

1876

(int *)&rfds, (int *)0, (int *)0,

1877

#else

1878

(fd_set *)&rfds, (fd_set *)0, (fd_set *)0,

#endif

&tout) == 1)

loclstout(tp );

else

break;

}

#if defined(IMA_PGON) || defined(IMA_SP2MPI) || defined(IMA_AIX4SP2) \

1887

|| defined(IMA_AIX5SP2) || defined(IMA_BEOLIN)

mpp_free(tp);

#endif

task_cleanup(tp );

task_free(tp );

}

}

if (++rdead >= ndead)

rdead = 0;

}

netoutput();

if (runstate == PVMDHALTING) {

1901

pvmlogerror("work() pvmd halting\n");

pvmbailout(0);

}

/* bail if new slave and haven't been configured for too long */

1906

pvmgetclock(&tnow );

1907

if (runstate == PVMDSTARTUP && TVXLTY(&tbail, &tnow)) {

1908

pvmlogerror("work() run = STARTUP, timed out waiting for master\n");

pvmbailout(0);

}

* send keepalive message to remote pvmd once in a while

1914

1915

if (TVXLTY(&tping, &tnow)) {

1916

if (pvmdebmask & (PDMPACKET|PDMSELECT))

1917

pvmlogerror("work() ping timer\n");

1918

if (runstate == PVMDNORMAL || runstate == PVMDHTUPD) {

1919

do {

1920

if (++lastpinged > hosts->ht_last)

1921

lastpinged = 1;

1922

} while (!(hp = hosts->ht_hosts[lastpinged]));

1923

1924

if (hp->hd_hostpart != myhostpart

1925

&& hp->hd_txq->pk_link == hp->hd_txq) {

mp = mesg_new (0);

mp->m_tag = DM_NULL; /* Null Pointer Dereference */

1928

mp->m_dst = hp->hd_hostpart | TIDPVMD;

sendmessage(mp );

}

}

tout.tv_sec = DDPINGTIME;

1933

tout.tv_usec = 0;

1934

TVXADDY(&tping, &tnow, &tout);

}

* figure select timeout

1939

1940

1941

if (opq->pk_tlink == opq)

1942

tout = tping;

1943

else

1944

tout = opq->pk_tlink->pk_rtv; /* Use After Free (ID: 22033.28690) */

1945

1946

if (TVXLTY(&tout, &tnow)) {

TVCLEAR(&tout);

} else {

TVXSUBY(&tout, &tout, &tnow);

1951

}

1952

1953

if (pvmdebmask & PDMSELECT) {

1954

pvmlogprintf("work() select tout is %d.%06d\n",

1955

tout.tv_sec, tout.tv_usec );

}

#ifdef SHMEM

if ((nodemsg = mpp_probe()) == 1) {

mpp_input();

TVCLEAR(&tout);

}

#endif

rfds = wrk_rfds;

wfds = wrk_wfds;

efds = wrk_efds;

if (pvmdebmask & PDMSELECT) {

1972

pvmlogprintf("work() wrk_nfds=%d\n", wrk_nfds );

1973

print_fdset("work() rfds=", wrk_nfds, &rfds );

1974

print_fdset("work() wfds=", wrk_nfds, &wfds );

1975

}

1976

1977

#if !defined(IMA_PGON) && !defined(IMA_I860)

1978

1979

if ((nrdy = select(wrk_nfds,

1980

#ifdef FDSETISINT

1981

(int *)&rfds, (int *)&wfds, (int *)0,

1982

#else

1983

(fd_set *)&rfds, (fd_set *)&wfds, (fd_set *)0,

1984

#endif

1985

&tout)) == -1) {

1986

if (errno != EINTR) {

1987

pvmlogperror("work() select");

1988

pvmlogprintf(" wrk_nfds=%d\n", wrk_nfds );

1989

print_fdset(" rfds=", wrk_nfds, &wrk_rfds );

1990

print_fdset(" wfds=", wrk_nfds, &wrk_wfds );

1991

pvmlogprintf(" netsock=%d, ppnetsock=%d, loclsock=%d\n",

1992

netsock, ppnetsock, loclsock );

task_dump();

pvmbailout(0);

}

}

...

2054

}

2055

2056

/* Try to send packets that are still on the mpp output q */

2057

mpp_output( (struct task *) NULL, (struct pkt *) NULL);

2058

2059

} while(!(nrdy || nodemsg || timed_out));

2060

2061

#endif /*IMA_PGON/IMA_I860*/

#ifdef STATISTICS

switch (nrdy) {

case -1:

stats.selneg++;

break;

case 0:

stats.selzer++;

break;

default:

stats.selrdy++;

break;

}

#endif

if (pvmdebmask & PDMSELECT) {

2077

pvmlogprintf("work() SELECT returns %d\n", nrdy );

}

* check network socket and local master socket for action

if (nrdy > 0) {

if (FD_ISSET(netsock, &rfds)) {

nrdy--;

netinput();

}

if (loclsock >= 0 && FD_ISSET(loclsock, &rfds)) {

nrdy--;

loclconn();

}

}

* check tasks for action

#ifdef SHMEM

someclosed = 0;

#endif

if (loclsock >= 0) {

for (tp = locltasks->t_link;

2104

nrdy > 0 && tp != locltasks;

2105

tp = tp->t_link) {

2106

2107

if (tp->t_sock >= 0 && FD_ISSET(tp->t_sock, &rfds)) {

2108

FD_CLR(tp->t_sock, &rfds);

2109

nrdy--;

2110

if (loclinput(tp )) {

#ifdef SHMEM

if (tp->t_tid == 0)

someclosed++;

#endif

if (pvmdebmask & PDMTASK) {

2116

pvmlogprintf(

2117

"work() error reading from t%x, marking dead\n",

2118

tp->t_tid );

2119

}

2120

if (!(tp->t_flag & TF_FORKD)) {

2121

tp = tp->t_rlink;

2122

task_cleanup(tp->t_link );

2123

task_free(tp->t_link );

2124

2125

} else

2126

wrk_fds_delete(tp->t_sock, 3);

continue;

}

}

if (tp->t_sock >= 0 && FD_ISSET(tp->t_sock, &wfds)) {

2132

FD_CLR(tp->t_sock, &wfds);

2133

nrdy--;

2134

if (locloutput(tp )) {

#ifdef SHMEM

if (tp->t_tid == 0)

someclosed++;

#endif

if (!(tp->t_flag & TF_FORKD)) {

2140

tp = tp->t_rlink;

2141

task_cleanup(tp->t_link );

2142

task_free(tp->t_link );

2143

2144

} else

2145

wrk_fds_delete(tp->t_sock, 3);

continue;

}

}

if (tp->t_out >= 0 && FD_ISSET(tp->t_out, &rfds)) {

2151

FD_CLR(tp->t_out, &rfds);

2152

nrdy--;

2153

loclstout(tp );

Preconditions

locltasks->t_ccs >= 0
locltasks->t_wait >= 0
locltasks->t_txq >= 0
locltasks->t_rxp >= 0
locltasks->t_rxm >= 0
locltasks->t_authnam >= 0
((char*)$unknown_234584)[80] = ((char*)&$unknown_234584)[80]
((char*)&$unknown_234584)[4] != 0
loclsock <= -1
myhostpart = 0
pvmdebmask != 0
runstate != 5
$input_12 <= 25
$input_12 >= 0
tnow.tv_usec >= 1000000
wdead <= ndead - 1

Postconditions

locltasks->t_out' <= -1
locltasks->t_mca' = 0
*locltasks' is freed
addmesg' = 0
ctime_buf[0]' = $input_444
strlen(&ctime_buf[0])' = $input_12
errno' != 0
freepmsgs.m_link' = &freepmsgs.m_link
freepmsgs.m_rlink' = &freepmsgs.m_link
hp' = &$unknown_234584
mp' = 0
mp' = addmesg
numpmsgs' = 0
rdead' = wdead
runstate' = 1
tbail.tv_usec' = tnow.tv_usec - 1000000
time_temp' = &$unknown_234540
tp' = locltasks

Change Warning 98.28691 : Null Pointer Dereference

Priority:
State:
Finding:
Owner:
Note: