Bug Summary

File:obj-scan-build/../ddb/db_sym.c
Location:line 417, column 2
Description:Access to field 'type' results in a dereference of a null pointer (loaded from variable 'stab')

Annotated Source Code

1/*
2 * Mach Operating System
3 * Copyright (c) 1992,1991,1990 Carnegie Mellon University
4 * All Rights Reserved.
5 *
6 * Permission to use, copy, modify and distribute this software and its
7 * documentation is hereby granted, provided that both the copyright
8 * notice and this permission notice appear in all copies of the
9 * software, derivative works or modified versions, and any portions
10 * thereof, and that both notices appear in supporting documentation.
11 *
12 * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
13 * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
14 * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
15 *
16 * Carnegie Mellon requests users of this software to return to
17 *
18 * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU
19 * School of Computer Science
20 * Carnegie Mellon University
21 * Pittsburgh PA 15213-3890
22 *
23 * any improvements or extensions that they make and grant Carnegie Mellon
24 * the rights to redistribute these changes.
25 */
26/*
27 * Author: David B. Golub, Carnegie Mellon University
28 * Date: 7/90
29 */
30
31#if MACH_KDB1
32
33#include <string.h>
34#include <mach/std_types.h>
35#include <machine/db_machdep.h>
36#include <ddb/db_command.h>
37#include <ddb/db_output.h>
38#include <ddb/db_sym.h>
39#include <ddb/db_task_thread.h>
40#include <ddb/db_aout.h>
41
42#include <vm/vm_map.h> /* vm_map_t */
43
44/*
45 * Multiple symbol tables
46 */
47#define MAXNOSYMTABS5 5 /* mach, bootstrap, ux, emulator, 1 spare */
48
49db_symtab_t db_symtabs[MAXNOSYMTABS5] = {{0,},};
50int db_nsymtab = 0;
51
52db_symtab_t *db_last_symtab;
53
54/*
55 * Add symbol table, with given name, to list of symbol tables.
56 */
57boolean_t
58db_add_symbol_table(type, start, end, name, ref, map_pointer)
59 int type;
60 char *start;
61 char *end;
62 char *name;
63 char *ref;
64 char *map_pointer;
65{
66 db_symtab_t *st;
67 extern vm_map_t kernel_map;
68
69 if (db_nsymtab >= MAXNOSYMTABS5)
70 return (FALSE((boolean_t) 0));
71
72 st = &db_symtabs[db_nsymtab];
73 st->type = type;
74 st->start = start;
75 st->end = end;
76 st->private = ref;
77 st->map_pointer = (map_pointer == (char *)kernel_map)? 0: map_pointer;
78 strncpy(st->name, name, sizeof st->name - 1);
79 st->name[sizeof st->name - 1] = '\0';
80
81 db_nsymtab++;
82
83 return (TRUE((boolean_t) 1));
84}
85
86/*
87 * db_qualify("vm_map", "ux") returns "ux::vm_map".
88 *
89 * Note: return value points to static data whose content is
90 * overwritten by each call... but in practice this seems okay.
91 */
92static char * __attribute__ ((pure))
93db_qualify(symname, symtabname)
94 const char *symname;
95 const char *symtabname;
96{
97 static char tmp[256];
98 char *s;
99
100 s = tmp;
101 while ((*s++ = *symtabname++)) {
102 }
103 s[-1] = ':';
104 *s++ = ':';
105 while ((*s++ = *symname++)) {
106 }
107 return tmp;
108}
109
110
111boolean_t
112db_eqname( const char* src, const char* dst, char c )
113{
114 if (!strcmp(src, dst))
115 return (TRUE((boolean_t) 1));
116 if (src[0] == c)
117 return (!strcmp(src+1,dst));
118 return (FALSE((boolean_t) 0));
119}
120
121boolean_t
122db_value_of_name(name, valuep)
123 char *name;
124 db_expr_t *valuep;
125{
126 db_sym_t sym;
127
128 sym = db_lookup(name);
129 if (sym == DB_SYM_NULL((db_sym_t)0))
130 return (FALSE((boolean_t) 0));
131 db_symbol_values(0, sym, &name, valuep);
132
133 db_free_symbol(sym);
134 return (TRUE((boolean_t) 1));
135}
136
137/*
138 * Lookup a symbol.
139 * If the symbol has a qualifier (e.g., ux::vm_map),
140 * then only the specified symbol table will be searched;
141 * otherwise, all symbol tables will be searched.
142 */
143db_sym_t
144db_lookup(symstr)
145 char *symstr;
146{
147 db_sym_t sp;
148 int i;
149 int symtab_start = 0;
150 int symtab_end = db_nsymtab;
151 char *cp;
152
153 /*
154 * Look for, remove, and remember any symbol table specifier.
155 */
156 for (cp = symstr; *cp; cp++) {
157 if (*cp == ':' && cp[1] == ':') {
158 *cp = '\0';
159 for (i = 0; i < db_nsymtab; i++) {
160 if (! strcmp(symstr, db_symtabs[i].name)) {
161 symtab_start = i;
162 symtab_end = i + 1;
163 break;
164 }
165 }
166 *cp = ':';
167 if (i == db_nsymtab)
168 db_error("Invalid symbol table name\n");
169 symstr = cp+2;
170 }
171 }
172
173 /*
174 * Look in the specified set of symbol tables.
175 * Return on first match.
176 */
177 for (i = symtab_start; i < symtab_end; i++) {
178 if ((sp = X_db_lookup(&db_symtabs[i], symstr)x_db[(&db_symtabs[i])->type].lookup(&db_symtabs[i]
,symstr))) {
179 db_last_symtab = &db_symtabs[i];
180 return sp;
181 }
182 db_free_symbol(sp);
183 }
184 return 0;
185}
186
187/*
188 * Common utility routine to parse a symbol string into a file
189 * name, a symbol name and line number.
190 * This routine is called from X_db_lookup if the object dependent
191 * handler supports qualified search with a file name or a line number.
192 * It parses the symbol string, and call an object dependent routine
193 * with parsed file name, symbol name and line number.
194 */
195db_sym_t
196db_sym_parse_and_lookup(func, symtab, symstr)
197 db_sym_t (*func)();
198 db_symtab_t *symtab;
199 char *symstr;
200{
201 char *p;
202 int n;
203 int n_name;
204 int line_number;
205 char *file_name = 0;
206 char *sym_name = 0;
207 char *component[3];
208 db_sym_t found = DB_SYM_NULL((db_sym_t)0);
209
210 /*
211 * disassemble the symbol into components:
212 * [file_name:]symbol[:line_nubmer]
213 */
214 component[0] = symstr;
215 component[1] = component[2] = 0;
216 for (p = symstr, n = 1; *p; p++) {
217 if (*p == ':') {
218 if (n >= 3)
219 break;
220 *p = 0;
221 component[n++] = p+1;
222 }
223 }
224 if (*p != 0)
225 goto out;
226 line_number = 0;
227 n_name = n;
228 p = component[n-1];
229 if (*p >= '0' && *p <= '9') {
230 if (n == 1)
231 goto out;
232 for (line_number = 0; *p; p++) {
233 if (*p < '0' || *p > '9')
234 goto out;
235 line_number = line_number*10 + *p - '0';
236 }
237 n_name--;
238 } else if (n >= 3)
239 goto out;
240 if (n_name == 1) {
241 for (p = component[0]; *p && *p != '.'; p++);
242 if (*p == '.') {
243 file_name = component[0];
244 sym_name = 0;
245 } else {
246 file_name = 0;
247 sym_name = component[0];
248 }
249 } else {
250 file_name = component[0];
251 sym_name = component[1];
252 }
253 found = func(symtab, file_name, sym_name, line_number);
254
255out:
256 while (--n >= 1)
257 component[n][-1] = ':';
258 return(found);
259}
260
261/*
262 * Does this symbol name appear in more than one symbol table?
263 * Used by db_symbol_values to decide whether to qualify a symbol.
264 */
265boolean_t db_qualify_ambiguous_names = FALSE((boolean_t) 0);
266
267boolean_t
268db_name_is_ambiguous(sym_name)
269 char *sym_name;
270{
271 int i;
272 boolean_t found_once = FALSE((boolean_t) 0);
273
274 if (!db_qualify_ambiguous_names)
275 return FALSE((boolean_t) 0);
276
277 for (i = 0; i < db_nsymtab; i++) {
278 db_sym_t sp = X_db_lookup(&db_symtabs[i], sym_name)x_db[(&db_symtabs[i])->type].lookup(&db_symtabs[i]
,sym_name);
279 if (sp) {
280 if (found_once)
281 {
282 db_free_symbol(sp);
283 return TRUE((boolean_t) 1);
284 }
285 found_once = TRUE((boolean_t) 1);
286 }
287 db_free_symbol(sp);
288 }
289 return FALSE((boolean_t) 0);
290}
291
292/*
293 * Find the closest symbol to val, and return its name
294 * and the difference between val and the symbol found.
295 *
296 * Logic change. If the task argument is non NULL and a
297 * matching symbol is found in a symbol table which explictly
298 * specifies its map to be task->map, that symbol will have
299 * precedence over any symbol from a symbol table will a null
300 * map. This allows overlapping kernel/user maps to work correctly.
301 *
302 */
303db_sym_t
304db_search_task_symbol(val, strategy, offp, task)
305 db_addr_t val;
306 db_strategy_t strategy;
307 db_addr_t *offp; /* better be unsigned */
308 task_t task;
309{
310 db_sym_t ret;
311
312 if (task != TASK_NULL((task_t) 0))
313 ret = db_search_in_task_symbol(val, strategy, offp, task);
314 else
315 {
316 ret = db_search_in_task_symbol(val, strategy, offp, task);
317 /*
318 db_search_in_task_symbol will return success with
319 a very large offset when it should have failed.
320 */
321 if (ret == DB_SYM_NULL((db_sym_t)0) || (*offp) > 0x1000000)
322 {
323 db_free_symbol(ret);
324 task = db_current_task()(((active_threads[(0)]))? (active_threads[(0)])->task: ((task_t
) 0));
325 ret = db_search_in_task_symbol(val, strategy, offp, task);
326 }
327 }
328
329 return ret;
330}
331
332db_sym_t
333db_search_in_task_symbol(val, strategy, offp, task)
334 db_addr_t val;
335 db_strategy_t strategy;
336 db_addr_t *offp;
337 task_t task;
338{
339 vm_size_t diff;
340 vm_size_t newdiff;
341 int i;
342 db_symtab_t *sp;
343 db_sym_t ret = DB_SYM_NULL((db_sym_t)0), sym;
344 vm_map_t map_for_val;
345
346 map_for_val = (task == TASK_NULL((task_t) 0))? VM_MAP_NULL((vm_map_t) 0): task->map;
347 newdiff = diff = ~0;
348 db_last_symtab = (db_symtab_t *) 0;
349 for (sp = &db_symtabs[0], i = 0; i < db_nsymtab; sp++, i++)
350 {
351 newdiff = ~0;
352 if ((vm_map_t)sp->map_pointer == VM_MAP_NULL((vm_map_t) 0) ||
353 (vm_map_t)sp->map_pointer == map_for_val)
354 {
355 sym = X_db_search_symbol(sp, val, strategy, (db_expr_t*)&newdiff)x_db[(sp)->type].search_symbol(sp,val,strategy,(db_expr_t*
)&newdiff);
356 if (sym == DB_SYM_NULL((db_sym_t)0))
357 continue;
358 if (db_last_symtab == (db_symtab_t *) 0)
359 { /* first hit */
360 db_last_symtab = sp;
361 diff = newdiff;
362 db_free_symbol(ret);
363 ret = sym;
364 continue;
365 }
366 if ((vm_map_t) sp->map_pointer == VM_MAP_NULL((vm_map_t) 0) &&
367 (vm_map_t) db_last_symtab->map_pointer == VM_MAP_NULL((vm_map_t) 0) &&
368 newdiff < diff )
369 { /* closer null map match */
370 db_last_symtab = sp;
371 diff = newdiff;
372 db_free_symbol(ret);
373 ret = sym;
374 continue;
375 }
376 if ((vm_map_t) sp->map_pointer != VM_MAP_NULL((vm_map_t) 0) &&
377 (newdiff < 0x100000) &&
378 ((vm_map_t) db_last_symtab->map_pointer == VM_MAP_NULL((vm_map_t) 0) ||
379 newdiff < diff ))
380 { /* update if new is in matching map and symbol is "close",
381 and
382 old is VM_MAP_NULL or old in is matching map but is further away
383 */
384 db_last_symtab = sp;
385 diff = newdiff;
386 db_free_symbol(ret);
387 ret = sym;
388 continue;
389 }
390 }
391 }
392
393 *offp = diff;
394 return ret;
395}
396
397/*
398 * Return name and value of a symbol
399 */
400void
401db_symbol_values(stab, sym, namep, valuep)
402 db_symtab_t *stab;
403 db_sym_t sym;
404 char **namep;
405 db_expr_t *valuep;
406{
407 db_expr_t value;
408 char *name;
409
410 if (sym == DB_SYM_NULL((db_sym_t)0)) {
4
Assuming 'sym' is not equal to null
5
Taking false branch
411 *namep = 0;
412 return;
413 }
414 if (stab == 0)
6
Taking true branch
415 stab = db_last_symtab;
416
417 X_db_symbol_values(stab, sym, &name, &value)x_db[(stab)->type].symbol_values(stab,sym,&name,&value
);
7
Within the expansion of the macro 'X_db_symbol_values':
a
Access to field 'type' results in a dereference of a null pointer (loaded from variable 'stab')
418
419 if (db_name_is_ambiguous(name))
420 *namep = db_qualify(name, db_last_symtab->name);
421 else
422 *namep = name;
423 if (valuep)
424 *valuep = value;
425}
426
427
428/*
429 * Print the closest symbol to value
430 *
431 * After matching the symbol according to the given strategy
432 * we print it in the name+offset format, provided the symbol's
433 * value is close enough (eg smaller than db_maxoff).
434 * We also attempt to print [filename:linenum] when applicable
435 * (eg for procedure names).
436 *
437 * If we could not find a reasonable name+offset representation,
438 * then we just print the value in hex. Small values might get
439 * bogus symbol associations, e.g. 3 might get some absolute
440 * value like _INCLUDE_VERSION or something, therefore we do
441 * not accept symbols whose value is zero (and use plain hex).
442 */
443
444unsigned long db_maxoff = 0x4000;
445
446void
447db_task_printsym(off, strategy, task)
448 db_addr_t off;
449 db_strategy_t strategy;
450 task_t task;
451{
452 db_addr_t d;
453 char *filename;
454 char *name;
455 db_expr_t value;
456 int linenum;
457 db_sym_t cursym;
458
459 cursym = db_search_task_symbol(off, strategy, &d, task);
460 db_symbol_values(0, cursym, &name, &value);
2
Passing null pointer value via 1st parameter 'stab'
3
Calling 'db_symbol_values'
461 if (name == 0 || d >= db_maxoff || value == 0 || *name == 0) {
462 db_printf("%#n", off);
463 db_free_symbol(cursym);
464 return;
465 }
466 db_printf("%s", name);
467 if (d)
468 db_printf("+0x%x", d);
469 if (strategy == DB_STGY_PROC2) {
470 if (db_line_at_pc(cursym, &filename, &linenum, off)) {
471 db_printf(" [%s", filename);
472 if (linenum > 0)
473 db_printf(":%d", linenum);
474 db_printf("]");
475 }
476 }
477 db_free_symbol(cursym);
478}
479
480void
481db_printsym(off, strategy)
482 db_expr_t off;
483 db_strategy_t strategy;
484{
485 db_task_printsym(off, strategy, TASK_NULL((task_t) 0));
1
Calling 'db_task_printsym'
486}
487
488boolean_t
489db_line_at_pc( sym, filename, linenum, pc)
490 db_sym_t sym;
491 char **filename;
492 int *linenum;
493 db_addr_t pc;
494{
495 return (db_last_symtab) ?
496 X_db_line_at_pc( db_last_symtab, sym, filename, linenum, pc)x_db[(db_last_symtab)->type].line_at_pc(db_last_symtab,sym
,filename,linenum,pc) :
497 FALSE((boolean_t) 0);
498}
499
500void db_free_symbol(db_sym_t s)
501{
502 return (db_last_symtab) ?
503 X_db_free_symbol( db_last_symtab, s)x_db[(db_last_symtab)->type].free_symbol(s) :
504 FALSE((boolean_t) 0);
505}
506
507/*
508 * Switch into symbol-table specific routines
509 */
510
511void dummy_db_free_symbol(db_sym_t symbol) { }
512
513struct db_sym_switch x_db[] = {
514
515 /* BSD a.out format (really, sdb/dbx(1) symtabs) */
516#ifdef DB_NO_AOUT
517 { 0,},
518#else /* DB_NO_AOUT */
519 { aout_db_sym_init, aout_db_lookup, aout_db_search_symbol,
520 aout_db_line_at_pc, aout_db_symbol_values, dummy_db_free_symbol },
521#endif /* DB_NO_AOUT */
522
523 { 0,},
524
525 /* Machdep, not inited here */
526 { 0,}
527
528};
529
530#endif /* MACH_KDB */