Coccinelle: Bug Finding for the Linux Community

Size: px

Start display at page:

Download "Coccinelle: Bug Finding for the Linux Community"

Hollie Walton
6 years ago
Views:

1 Coccinelle: Bug Finding for the Linux Community Julia Lawall (INRIA) Gilles Muller (INRIA), René Rydhof Hansen (Aalborg), Nicolas Palix (Grenoble) January 6, 2012

2 Overview Goal: Improving the robustness of systems code, eg Linux. Approach: Static analysis to find bugs. Automatic program transformation to fix them. Our contribution: A domain-specific language for specifying matching and transformation rules. An engine for applying these specifications. Lots of Linux patches.

3 What is the problem with this code? drivers/staging/et131x/et131x netdev.c void et131x_tx_timeout(struct net_device *netdev) { struct et131x_adapter *adapter = netdev_priv(netdev); struct tcb *tcb; unsigned long flags; /* Any nonrecoverable hardware error? * Checks adapter->flags for any failure in phy reading */ if (adapter->flags & MP_ADAPTER_NON_RECOVER_ERROR); return;

4 What is the problem with this code? drivers/staging/et131x/et131x netdev.c void et131x_tx_timeout(struct net_device *netdev) { struct et131x_adapter *adapter = netdev_priv(netdev); struct tcb *tcb; unsigned long flags; /* Any nonrecoverable hardware error? * Checks adapter->flags for any failure in phy reading */ if (adapter->flags & MP_ADAPTER_NON_RECOVER_ERROR); return;

5 What is the problem with this code? drivers/media/video/pwc/pwc-v4l.c int pwc_init_controls(struct pwc_device *pdev) { if (!pdev->features & FEATURE_MOTOR_PANTILT) return hdl->error;

6 What is the problem with this code? drivers/media/video/pwc/pwc-v4l.c int pwc_init_controls(struct pwc_device *pdev) { if (!pdev->features & FEATURE_MOTOR_PANTILT) return hdl->error;

7 What is the problem with this code? drivers/staging/brcm80211/brcmsmac/mac80211 if.c static int brcms_suspend(struct pci_dev *pdev, pm_message_t state) { hw = pci_get_drvdata(pdev); wl = hw->priv; if (!wl) { wiphy_err(wl->wiphy, "brcms_suspend: pci_get_drvdata failed"); return -ENODEV;

8 What is the problem with this code? drivers/staging/brcm80211/brcmsmac/mac80211 if.c static int brcms_suspend(struct pci_dev *pdev, pm_message_t state) { hw = pci_get_drvdata(pdev); wl = hw->priv; if (!wl) { wiphy_err(wl->wiphy, "brcms_suspend: pci_get_drvdata failed"); return -ENODEV;

9 Impact Faults may occur in corner cases. Corrupted error logs. Corrupted device state. Deadlocks, memory leaks. Finding faults by testing is difficult. Many different possible interactions. Many different possible compile-time configurations.

10 Issues How can we find these problems in large software? Linux: files, over 8 million lines of code. Debian: Over projects. How can we fix these problems reliably? Manual changes can introduce more faults. There is a need for automated tools.

11 Our goals Automatically find code containing bugs or defects. Automatically fix bugs or defects. Provide a system that is accessible to software developers.

12 Requirements for automation The ability to abstract over irrelevant information: Example: if (adapter->flags & MP ADAPTER NON RECOVER ERROR); The ability to match scattered code fragments: Example: wl->wiphy may occur anywhere within if (!wl) {. The ability to transform code fragments: Example: Replace!pdev->features & FEATURE MOTOR PANTILT by!(pdev->features & FEATURE MOTOR PANTILT).

13 Coccinelle Program matching and transformation for unpreprocessed C code. Fits with the existing habits of C programmers. C-like, patch-like notation Semantic patch language (SmPL): Metavariables for abstracting over subterms.... for abstracting over code sequences. Patch-like notation ( /+) for expressing transformations.

14 An example patch commit 4264a8b6388f5ba16a5c362857cb8bda0b14167f Author: Dan Carpenter Date: Sat Jul 23 15:53: [media] pwc: precedence bug in pwc_init_controls()! has higher precedence than & so we need parenthesis here. Signed-off-by: Dan Carpenter diff --git a/drivers/media/video/pwc/pwc-v4l.c b/drivers/media/video/pwc/pwc-v4l --- a/drivers/media/video/pwc/pwc-v4l.c +++ b/drivers/media/video/pwc/pwc-v4l.c -338,7 +338,7 int pwc_init_controls(struct pwc_device *pdev) if (pdev->restore_factory) pdev->restore_factory->flags = V4L2_CTRL_FLAG_UPDATE; - if (!pdev->features & FEATURE_MOTOR_PANTILT) + if (!(pdev->features & FEATURE_MOTOR_PANTILT)) return hdl->error; /* Motor pan / tilt / reset */

15 Semantic patches: Bug finding (and fixing) expression E; constant C; -!E & C +!(E & C)

16 Semantic patches: Bug finding (and fixing) expression E; constant C; -!E & C +!(E & C)

17 Potential impact of the semantic patch Defects next linux linux linux linux linux linux linux linux linux linux linux linux linux linux linux linux linux linux

18 A more complex example static int brcms_suspend(struct pci_dev *pdev, pm_message_t state) { if (!wl) { wiphy_err(wl->wiphy, "brcms_suspend: pci_get_drvdata failed"); return -ENODEV; Issues: wl can be any expression. wiphy can be any field name (identifier). wl->wiphy can appear anywhere after the test, within the if braces.

19 Semantic patch expression wl; identifier wiphy; if (!wl) { wiphy_err(wl->wiphy, "brcms_suspend: pci_get_drvdata failed"); return -ENODEV;

20 Semantic patch expression wl; identifier wiphy; if (!wl) { wiphy_err(wl->wiphy, "brcms_suspend: pci_get_drvdata failed"); return -ENODEV;

21 Semantic patch expression wl; identifier wiphy; if (!wl) { * wl->wiphy

22 A false positive diff -u -p a/crypto/api.c b/crypto/api.c --- a/crypto/api.c +++ b/crypto/api.c -146,7 +146,6 static struct crypto_alg *crypto_larval_ alg = crypto_alg_lookup(name, type, mask); if (!alg) { alg = &larval->alg; - list_add(&alg->cra_list, &crypto_alg_list); up_write(&crypto_alg_sem);

23 Eliminating the false positive expression wl,e; identifier wiphy; if (!wl) { when!= wl = E * wl->wiphy

24 A further refinement expression wl,e; identifier wiphy; if (!wl) { when!= wl = E * wl->wiphy when any

25 Faults in Linux: Fault rate % of faulty notes Average Staging Drivers Sound Arch FS Net Other

26 Faults in Linux: Fault kinds % of faulty notes Average BlockLock Null Var IsNull NullRef Range Lock Intr LockIntr Free Size hello

27 How does it work? Semantic patch C code AX(A[(ϕ 1 ϕ 2 )Uϕ 3 ]...) CTL formula Control Flow Graph Model checking algorithm Identification of the nodes to be modified Modification of the identified code

28 Current status Over 800 patches based on Coccinelle accepted into the Linux kernel. A collection of semantic patches integrated into the Linux kernel source tree. Several LWN articles by Linux developers. Seems to be easy to learn. Used by developers of Linux and other software. Articles in EuroSys, DSN, POPL, ASE, AOSD, etc. on the language and methodology.

29 Conclusion Coccinelle provides a declarative language for program matching and transformation. Coccinelle semantic patches look like patches; fit with Linux programmers habits. Quite easy to learn; already accepted by the Linux community. Future work will build on Coccinelle to develop tools motivated by problems observed in Linux development.

Inside the Mind of a Coccinelle Programmer

Inside the Mind of a Coccinelle Programmer Julia Lawall (Inria/LIP6) Linux Security Summit August 25, 2016 2 What is Coccinelle? Find once, fix everywhere. Approach: Coccinelle: http://coccinelle.lip6.fr/