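Some more.  These are bugs where the code checks a pointer for NULL only after
it has already dereferenced that pointer.  This usually means the check should
be moved earlier, or is unnecessary.  Either way, the check as written cannot
protect the dereference above it.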
############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/twe/twe_freebsd.c|747|twed_dump|ERROR|REVERSE_NULL| 746|747| 
dereference of twed_sc preceeds check! 

    int                 error;
    struct disk         *dp;

    dp = arg;
    twed_sc = (struct twed_softc *)dp->d_drv1;
Start --->
    twe_sc  = (struct twe_softc *)twed_sc->twed_controller;
Error --->
    if (!twed_sc || !twe_sc)
        return(ENXIO);

    if (length > 0) {
        if ((error = twe_dump_blocks(twe_sc, twed_sc->twed_drive->td_twe_unit, offset 
/ TWE_BLOCK_SIZE, virtual, length / TWE_BLOCK_SIZE)) != 0)
            return(error);
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netgraph/atm/uni/ng_uni.c|590|uni_uni_output|ERROR|REVERSE_NULL| 
589|590| dereference of msg preceeds check! 
[START_RELAX0=filename|/home/tedu/sys/netgraph/atm/ngatmbase.c,fn|uni_msg_pack_mbuf,line1|152,line2|-1,argno|0]

                return;
        }
        arg.sig = sig;
        arg.cookie = cookie;

Start --->
        m = uni_msg_pack_mbuf(msg, &arg, sizeof(arg));
Error --->
        if (msg != NULL)
                uni_msg_destroy(msg);
        if (m == NULL)
                return;

        NG_SEND_DATA_ONLY(error, priv->upper, m);
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/cam/scsi/scsi_da.c|461|daopen|ERROR|REVERSE_NULL| 460|461| dereference 
of periph preceeds check! 

        int error;
        int s;

        s = splsoftcam();
        periph = (struct cam_periph *)dp->d_drv1;
Start --->
        unit = periph->unit_number;
Error --->
        if (periph == NULL) {
                splx(s);
                return (ENXIO); 
        }

        softc = (struct da_softc *)periph->softc;
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/trm/trm.c|1341|trm_Interrupt|ERROR|REVERSE_NULL| 1340|1341| 
dereference of pDCB preceeds check! 

                return;
        }

        if (scsi_intstatus & (INT_BUSSERVICE | INT_CMDDONE)) {
                pDCB = pACB->pActiveDCB;
Start --->
                pSRB = pDCB->pActiveSRB;
Error --->
                if (pDCB) {
                        if (pDCB->DCBFlag & ABORT_DEV_)
                                trm_EnableMsgOutAbort1(pACB, pSRB);
                }
                phase = (u_int16_t) pSRB->ScsiPhase;  /* phase: */
                stateV = (void *) trm_SCSI_phase0[phase];
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/amr/amr_disk.c|161|amrd_dump|ERROR|REVERSE_NULL| 160|161| 
dereference of amrd_sc preceeds check! 

    int                 error;
    struct disk         *dp;

    dp = arg;
    amrd_sc = (struct amrd_softc *)dp->d_drv1;
Start --->
    amr_sc  = (struct amr_softc *)amrd_sc->amrd_controller;
Error --->
    if (!amrd_sc || !amr_sc)
        return(ENXIO);

    if (length > 0) {
        int     driveno = amrd_sc->amrd_drive - amr_sc->amr_drive;
        if ((error = amr_dump_blocks(amr_sc,driveno,offset / AMR_BLKSIZE ,(void 
*)virtual,(int) length / AMR_BLKSIZE  )) != 0)
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/kern/uipc_usrreq.c|1097|unp_init|ERROR|REVERSE_NULL| 1096|1097| 
dereference of unp_zone preceeds check! 
[START_RELAX0=filename|/home/tedu/sys/vm/uma_core.c,fn|uma_zone_set_max,line1|1913,line2|-1,argno|0]

void
unp_init(void)
{
        unp_zone = uma_zcreate("unpcb", sizeof(struct unpcb), NULL, NULL,
            NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
Start --->
        uma_zone_set_max(unp_zone, nmbclusters);
Error --->
        if (unp_zone == 0)
                panic("unp_init");
        LIST_INIT(&unp_dhead);
        LIST_INIT(&unp_shead);
}

---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netgraph/ng_gif.c|270|ng_gif_detach|ERROR|REVERSE_NULL| 268|270| 
dereference of node preceeds check! 
[START_RELAX0=filename|/home/tedu/sys/i386/compile/GENERIC/modules/home/tedu/sys/modules/netgraph/gif/@/netgraph/netgraph.h,fn|_ng_node_private,line1|472,line2|-1,argno|0]

 */
static void
ng_gif_detach(struct ifnet *ifp)
{
        const node_p node = IFP2NG(ifp);
Start --->
        const priv_p priv = NG_NODE_PRIVATE(node);

Error --->
        if (node == NULL)               /* no node (why not?), ignore */
                return;
        NG_NODE_REALLY_DIE(node);       /* Force real removal of node */
        /*
         * We can't assume the ifnet is still around when we run shutdown
         * So zap it now. XXX We HOPE that anything running at this time
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/raidframe/rf_paritylog.c|695|rf_ParityLogAppend|ERROR|REVERSE_NULL| 
693|695| dereference of logData preceeds check! 

         * Later, as conditions which required the block are removed, the work
         * reenters this routine with the "finish" parameter set to "RF_TRUE."
         * 
         * NON-BLOCKING */

Start --->
        raidPtr = logData->common->raidPtr;
        /* lock the region for the first item in logData */
Error --->
        RF_ASSERT(logData != NULL);
        regionID = logData->regionID;
        RF_LOCK_MUTEX(raidPtr->regionInfo[regionID].mutex);
        RF_ASSERT(raidPtr->regionInfo[regionID].loggingEnabled);

        if (clearReintFlag) {
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/firewire/firewire.c|955|fw_xfer_alloc_buf|ERROR|REVERSE_NULL| 
953|955| dereference of xfer preceeds check! 

fw_xfer_alloc_buf(struct malloc_type *type, int send_len, int recv_len)
{
        struct fw_xfer *xfer;

        xfer = fw_xfer_alloc(type);
Start --->
        xfer->send.pay_len = send_len;
        xfer->recv.pay_len = recv_len;
Error --->
        if (xfer == NULL)
                return(NULL);
        if (send_len > 0) {
                xfer->send.payload = malloc(send_len, type, M_NOWAIT | M_ZERO);
                if (xfer->send.payload == NULL) {
                        fw_xfer_free(xfer);