Bug Finding using Coccinelle     Julia Lawall (Inria/LIP6)            Joint work with Gilles Muller, René Rydhof Hansen,  ...
Bugs: They’re everywhere!                            2
Our focus  Bugs in the Linux kernel     Linux is critical software.         – Used in embedded systems, desktops, servers,...
Bug: !x&y  Author: Al Viro <viro@ZenIV.linux.org.uk>      wmi: (!x & y) strikes again  diff --git a/drivers/acpi/wmi.c b/d...
Bug: dereference of a possibly NULL value  Author: Mariusz Kozlowski <m.kozlowski@tuxland.pl>      tun/tap: Fix crashes if...
Isolated problems, but these bug types can occur many times                                                               ...
Goal: Find and fix bugs in C code                   Find once, fix everywhere.  Approach: Coccinelle: http://coccinelle.lip6...
Bug: !x&y  Author: Al Viro <viro@ZenIV.linux.org.uk>      wmi: (!x & y) strikes again  diff --git a/drivers/acpi/wmi.c b/d...
Finding and fixing !x&y bugs using Coccinelle   @@   expression E;   constant C;   @@   - !E & C   + !(E & C)      E is an ...
Example  Original code:    if (!state->card->       ac97_status & CENTER_LFE_ON)            val &= ~DSP_BIND_CENTER_LFE;  ...
xt        .3                                                                                        0                     ...
Other examples: dereference of a possibly NULL value  @@  type T;  identifier i,fld;  expression E;  statement S;  @@    T...
Other examples: dereference of a possibly NULL value  @@  type T;  identifier i,fld;  expression E;  statement S;  @@  - T...
Other examples     Forgetting to initialize the return value.     Testing the wrong value.     Forgetting to free data, un...
Conclusion  A patch-like program matching and transformation language  Over 1000 Coccinelle-based patches accepted into Li...
Upcoming SlideShare
Loading in...5
×

Coccinelle, a bug finding tool

706

Published on

Coccinelle is a program matching and transformation tool that has been extensively used for finding bugs in Linux code and for automating source code evolutions.

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
706
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Coccinelle, a bug finding tool"

  1. 1. Bug Finding using Coccinelle Julia Lawall (Inria/LIP6) Joint work with Gilles Muller, René Rydhof Hansen, Nicolas Palix, Arie Middelkoop September 21, 2012 1
  2. 2. Bugs: They’re everywhere! 2
  3. 3. Our focus Bugs in the Linux kernel Linux is critical software. – Used in embedded systems, desktops, servers, etc. Linux is very large. – Almost 18 000 .c files – Over 10.5 million lines of code – Increase of 8% since July 2011 (Linux 3.0). Linux has both more and less experienced developers. – Maintainers, contributers, developers of proprietary drivers 3
  4. 4. Bug: !x&y Author: Al Viro <viro@ZenIV.linux.org.uk> wmi: (!x & y) strikes again diff --git a/drivers/acpi/wmi.c b/drivers/acpi/wmi.c @@ -247,7 +247,7 @@ block = &wblock->gblock; handle = wblock->handle; - if (!block->flags & ACPI_WMI_METHOD) + if (!(block->flags & ACPI_WMI_METHOD)) return AE_BAD_DATA; if (block->instance_count < instance)
  5. 5. Bug: dereference of a possibly NULL value Author: Mariusz Kozlowski <m.kozlowski@tuxland.pl> tun/tap: Fix crashes if open() /dev/net/tun and then poll() it. diff --git a/drivers/net/tun.c b/drivers/net/tun.c @@ -486,12 +486,14 @@ - struct sock *sk = tun->sk; + struct sock *sk; unsigned int mask = 0; if (!tun) return POLLERR; + sk = tun->sk; 5
  6. 6. Isolated problems, but these bug types can occur many times 0 xt .3 bug present ne -2.6 9 file absent ux .2 lin -2.6 8 ux .2 lin -2.6 7 ux .2 lin -2.6 6 ux .2 lin -2.6 5 ux .2 lin -2.6 4 ux .2 lin -2.6 3 ux .2 lin -2.6 2 ux .2 lin -2.6 1 ux .2 Linux lin -2.6 0 6 ux .2 lin -2.6 9 ux .1 lin -2.6 8 ux .1 lin -2.6 7 ux .1 lin -2.6 6 ux .1 lin -2.6 5 ux .1 lin -2.6 4 ux .1 lin -2.6 3 ux .1 lin -2.6 ux lin !x&y case: DefectsIssue
  7. 7. Goal: Find and fix bugs in C code Find once, fix everywhere. Approach: Coccinelle: http://coccinelle.lip6.fr/ Static analysis to find patterns in C code. Automatic transformation to fix bugs. User scriptable, based on patch notation (semantic patches). 7
  8. 8. Bug: !x&y Author: Al Viro <viro@ZenIV.linux.org.uk> wmi: (!x & y) strikes again diff --git a/drivers/acpi/wmi.c b/drivers/acpi/wmi.c @@ -247,7 +247,7 @@ block = &wblock->gblock; handle = wblock->handle; - if (!block->flags & ACPI_WMI_METHOD) + if (!(block->flags & ACPI_WMI_METHOD)) return AE_BAD_DATA; if (block->instance_count < instance) 8
  9. 9. Finding and fixing !x&y bugs using Coccinelle @@ expression E; constant C; @@ - !E & C + !(E & C) E is an arbitrary expression. C is an arbitrary constant. 9
  10. 10. Example Original code: if (!state->card-> ac97_status & CENTER_LFE_ON) val &= ~DSP_BIND_CENTER_LFE; Semantic patch: @@ expression E; constant C; @@ - !E & C + !(E & C) Generated code: if (!(state->card->ac97_status & CENTER_LFE_ON)) val &= ~DSP_BIND_CENTER_LFE; 10
  11. 11. xt .3 0 ne .6 -2 ux .2 9 lin .6 -2 96 instances in Linux from 2.6.13 (August 2005) to ux .2 8 lin .6 -2 ux .2 7 lin .6 -2 ux .2 6 lin .6 -2 ux .2 5 lin .6 -2 ux .2 4 lin .6 -2 ux .2 3 lin .6 -2 ux .2 2 lin .6 -2 ux Linux 1 lin .2 .6 11 -2 ux .2 0 v2.6.28 (December 2008) lin .6 -2 ux .1 9 lin .6 -2 ux .1 8 lin .6 -2 ux .1 7 lin .6 -2 ux .1 6 lin .6 -2 ux .1 5 lin .6 -2 ux .1 4 lin .6 -2 ux .1 3 lin .6 -2 ux linResults Defects
  12. 12. Other examples: dereference of a possibly NULL value @@ type T; identifier i,fld; expression E; statement S; @@ T i = E->fld; + T i; ... when != E when != i if (E == NULL) S + i = E->fld;
  13. 13. Other examples: dereference of a possibly NULL value @@ type T; identifier i,fld; expression E; statement S; @@ - T i = E->fld; + T i; ... when != E when != i if (E == NULL) S + i = E->fld; 13
  14. 14. Other examples Forgetting to initialize the return value. Testing the wrong value. Forgetting to free data, unlock locks, etc. Dereferencing freed data. Double-initializing the same variable, field, etc. And many others... 14
  15. 15. Conclusion A patch-like program matching and transformation language Over 1000 Coccinelle-based patches accepted into Linux Coccinelle semantic patches available in the Linux source code Used by other Linux developers Probable bugs found in gcc, postgresql, vim, amsn, pidgin, mplayer, openssl, vlc, wine http://coccinelle.lip6.fr/ 15

×