Coccinelle is a program matching and transformation tool that has been extensively used for finding bugs in Linux code and for automating source code evolutions.

1. Bug Finding using Coccinelle
Julia Lawall (Inria/LIP6)
Joint work with
Gilles Muller, René Rydhof Hansen,
Nicolas Palix, Arie Middelkoop
September 21, 2012
1

2. Bugs: They’re everywhere!
2

3. Our focus
Bugs in the Linux kernel
Linux is critical software.
– Used in embedded systems, desktops, servers, etc.
Linux is very large.
– Almost 18 000 .c files
– Over 10.5 million lines of code
– Increase of 8% since July 2011 (Linux 3.0).
Linux has both more and less experienced developers.
– Maintainers, contributers, developers of proprietary drivers
3

4. Bug: !x&y
Author: Al Viro <viro@ZenIV.linux.org.uk>
wmi: (!x & y) strikes again
diff --git a/drivers/acpi/wmi.c b/drivers/acpi/wmi.c
@@ -247,7 +247,7 @@
block = &wblock->gblock;
handle = wblock->handle;
- if (!block->flags & ACPI_WMI_METHOD)
+ if (!(block->flags & ACPI_WMI_METHOD))
return AE_BAD_DATA;
if (block->instance_count < instance)

5. Bug: dereference of a possibly NULL value
Author: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
tun/tap: Fix crashes if open() /dev/net/tun and
then poll() it.
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
@@ -486,12 +486,14 @@
- struct sock *sk = tun->sk;
+ struct sock *sk;
unsigned int mask = 0;
if (!tun)
return POLLERR;
+ sk = tun->sk;
5

6. Isolated problems, but these bug types can occur many times
0
xt .3
bug present
ne -2.6 9
file absent
ux .2
lin -2.6 8
ux .2
lin -2.6 7
ux .2
lin -2.6 6
ux .2
lin -2.6 5
ux .2
lin -2.6 4
ux .2
lin -2.6 3
ux .2
lin -2.6 2
ux .2
lin -2.6 1
ux .2
Linux
lin -2.6 0
6
ux .2
lin -2.6 9
ux .1
lin -2.6 8
ux .1
lin -2.6 7
ux .1
lin -2.6 6
ux .1
lin -2.6 5
ux .1
lin -2.6 4
ux .1
lin -2.6 3
ux .1
lin -2.6
ux
lin
!x&y case:
Defects
Issue

7. Goal: Find and fix bugs in C code
Find once, fix everywhere.
Approach: Coccinelle: http://coccinelle.lip6.fr/
Static analysis to find patterns in C code.
Automatic transformation to fix bugs.
User scriptable, based on patch notation
(semantic patches).
7

8. Bug: !x&y
Author: Al Viro <viro@ZenIV.linux.org.uk>
wmi: (!x & y) strikes again
diff --git a/drivers/acpi/wmi.c b/drivers/acpi/wmi.c
@@ -247,7 +247,7 @@
block = &wblock->gblock;
handle = wblock->handle;
- if (!block->flags & ACPI_WMI_METHOD)
+ if (!(block->flags & ACPI_WMI_METHOD))
return AE_BAD_DATA;
if (block->instance_count < instance)
8

9. Finding and fixing !x&y bugs using Coccinelle
@@
expression E;
constant C;
@@
- !E & C
+ !(E & C)
E is an arbitrary expression.
C is an arbitrary constant.
9

10. Example
Original code:
if (!state->card->
ac97_status & CENTER_LFE_ON)
val &= ~DSP_BIND_CENTER_LFE;
Semantic patch:
@@ expression E; constant C; @@
- !E & C
+ !(E & C)
Generated code:
if (!(state->card->ac97_status & CENTER_LFE_ON))
val &= ~DSP_BIND_CENTER_LFE;
10

11. xt .3
0
ne .6
-2
ux .2
9
lin .6
-2
96 instances in Linux from 2.6.13 (August 2005) to
ux .2
8
lin .6
-2
ux .2
7
lin .6
-2
ux .2
6
lin .6
-2
ux .2
5
lin .6
-2
ux .2
4
lin .6
-2
ux .2
3
lin .6
-2
ux .2
2
lin .6
-2
ux
Linux
1
lin .2
.6
11
-2
ux .2
0
v2.6.28 (December 2008)
lin .6
-2
ux .1
9
lin .6
-2
ux .1
8
lin .6
-2
ux .1
7
lin .6
-2
ux .1
6
lin .6
-2
ux .1
5
lin .6
-2
ux .1
4
lin .6
-2
ux .1
3
lin .6
-2
ux
lin
Results
Defects

12. Other examples: dereference of a possibly NULL value
@@
type T;
identifier i,fld;
expression E;
statement S;
@@
T i = E->fld;
+ T i;
... when != E
when != i
if (E == NULL) S
+ i = E->fld;

13. Other examples: dereference of a possibly NULL value
@@
type T;
identifier i,fld;
expression E;
statement S;
@@
- T i = E->fld;
+ T i;
... when != E
when != i
if (E == NULL) S
+ i = E->fld;
13

14. Other examples
Forgetting to initialize the return value.
Testing the wrong value.
Forgetting to free data, unlock locks, etc.
Dereferencing freed data.
Double-initializing the same variable, field, etc.
And many others...
14

15. Conclusion
A patch-like program matching and transformation language
Over 1000 Coccinelle-based patches accepted into Linux
Coccinelle semantic patches available in the Linux source code
Used by other Linux developers
Probable bugs found in gcc, postgresql, vim, amsn, pidgin,
mplayer, openssl, vlc, wine
http://coccinelle.lip6.fr/
15