Faults in Linux: Making Inconsistent Assumptions About Whether a Pointer is NULL

As part of my project, while reading the reports, I came to know about bugs where incorrect assumptions were made about whether a pointer is NULL. There were many in the 2.4.x and 2.6.x versions. I was also required to list the FPs (false positives) reported by Coccinelle. This post is about what I found for the case of making incorrect assumptions about whether a pointer is NULL.

You can view the complete report as a PDF here and as a HTML file here.

What is a pointer?

You know it. Right? That’s why the title excited you? 🙂

What do you mean by incorrect assumptions?

You cannot dereference a pointer and then test it for NULL some lines later, unless something in between could have made it NULL. And you cannot dereference a pointer when a test some lines before the dereference implies that it is NULL.

Why is using freed memory a bug?

You should not make inconsistent assumptions about whether a pointer is NULL: a pointer that is NULL, or that an earlier test shows can be NULL, causes harm if it is dereferenced.

Which types did I study?

I studied two types:

  • Results for the case of a NULL test preceding a dereference
  • Results for the case of a NULL test following a dereference 

What did I find?

Most of the bugs were similar. For case 1, a pointer is checked for NULL at some line and, when the test turns out to be true, it is later dereferenced without a check. The example below makes this clearer.

Among the FPs reported by Coccinelle, most were cases where some intermediate operation does what is needed.
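To make the two bug shapes and the false-positive shape concrete, here is an added example (constructed for this post, not code from the Linux report or from Coccinelle). The struct, the function names and the sample values are assumptions; the control-flow shapes are the ones described above.

```c
#include <stddef.h>

struct dev { int id; };                 /* constructed sample type */
static struct dev sample = { 7 };       /* constructed sample object */

/* Pattern 1, buggy: the NULL test precedes the dereference, but its true
 * branch only records an error and falls through, so d->id runs with
 * d == NULL. */
static int id_null_test_then_deref_buggy(struct dev *d)
{
    int ret = 0;
    if (d == NULL)
        ret = -1;          /* no return here: execution falls through */
    ret += d->id;          /* dereferences NULL when d == NULL */
    return ret;
}

/* Fixed form for both patterns: the NULL test comes first and its true
 * branch leaves the function before any dereference. */
static int id_null_test_then_deref_fixed(struct dev *d)
{
    if (d == NULL)
        return -1;
    return d->id;          /* only reached when d != NULL */
}

/* Pattern 2, buggy: dereference first, NULL test afterwards. Nothing
 * between the two lines can change d, so the test comes too late. */
static int id_deref_then_null_test_buggy(struct dev *d)
{
    int id = d->id;        /* crashes here when d == NULL */
    if (d == NULL)
        return -1;         /* never reached for NULL: already dereferenced */
    return id;
}

/* False-positive shape: the dereference sits in an else branch, so exactly
 * one of "else if (d == NULL)" or "else" runs, and the else branch is only
 * reached when d != NULL. Line order looks wrong; control flow is safe. */
static int id_else_chain_not_a_bug(struct dev *d, int use_default)
{
    if (use_default)
        return 0;
    else if (d == NULL)
        return -1;
    else
        return d->id;
}
```

The buggy functions are only ever called with a valid pointer in the accompanying checks; passing NULL to them is exactly the crash the report describes.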

Example Bug?

You can find bugs of each of the types above in the linked report. Have a look at this one: at line 473, std is checked for NULL. If it is NULL the if branch is taken, and then std should not be dereferenced at line 477 without a check!

Example FP?

Look at this one. Here either the else if branch or the else branch is executed, so it is not a bug.