[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGG-pUSfBLeyktSP=u-rzjH+Q1LUcdKnh4H9ssTguL5WnKRkZw@mail.gmail.com>
Date: Tue, 5 Jan 2016 09:59:34 -0300
From: "Geyslan G. Bem" <geyslan@...il.com>
To: Andrzej Hajda <a.hajda@...sung.com>
Cc: Julia Lawall <Julia.Lawall@...6.fr>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
Marek Szyprowski <m.szyprowski@...sung.com>,
Gilles Muller <Gilles.Muller@...6.fr>,
Nicolas Palix <nicolas.palix@...g.fr>,
Michal Marek <mmarek@...e.com>,
open list <linux-kernel@...r.kernel.org>,
"moderated list:COCCINELLE/Semantic Patches (SmPL)"
<cocci@...teme.lip6.fr>
Subject: Re: [PATCH v6] coccinelle: tests: unsigned value cannot be lesser
than zero
Hello,
2016-01-04 4:45 GMT-03:00 Andrzej Hajda <a.hajda@...sung.com>:
> Unsigned expressions cannot be lesser than zero. Presence of comparisons
> 'unsigned (<|<=|>|>=) 0' often indicates a bug, usually wrong type of variable.
> The patch beside finding such comparisons tries to eliminate false positives,
> mainly by bypassing range checks.
>
> gcc can detect such comparisons also using -Wtype-limits switch, but it warns
> also in correct cases, making too much noise.
>
> Signed-off-by: Andrzej Hajda <a.hajda@...sung.com>
> ---
> v6: improved range check detection (according to Julia suggestion)
> v5: improved range check detection
> v4: added range check detection, added full check in case value holds a result
> of signed function
> v3: added bool type
> v2: added --all-includes option
> ---
> .../tests/unsigned_lesser_than_zero.cocci | 76 ++++++++++++++++++++++
> 1 file changed, 76 insertions(+)
> create mode 100644 scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci
>
> diff --git a/scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci b/scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci
> new file mode 100644
> index 0000000..b9c7ed8
> --- /dev/null
> +++ b/scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci
> @@ -0,0 +1,76 @@
> +/// Unsigned expressions cannot be lesser than zero. Presence of
> +/// comparisons 'unsigned (<|<=|>|>=) 0' often indicates a bug,
> +/// usually wrong type of variable.
> +///
> +/// To reduce number of false positives following tests have been added:
> +/// - parts of range checks are skipped, eg. "if (u < 0 || u > 15) ...",
> +/// developers prefer to keep such code,
> +/// - comparisons "<= 0" and "> 0" are performed only on results of
> +/// signed functions/macros,
Why common unsigned comparisons with <= 0 are not being detected? I
think that it misleads the code reading and induces further bugs.
Just reading "var <= 0" infers that var can receive signed value. The
be clear the comparison should be against zero only "var == 0" or
depending of the context "!var".
> +/// - hardcoded list of signed functions/macros with always non-negative
> +/// result is used to avoid false positives difficult to detect by other ways
> +///
> +// Confidence: Average
> +// Copyright: (C) 2016 Andrzej Hajda, Samsung Electronics Co., Ltd. GPLv2.
> +// URL: http://coccinelle.lip6.fr/
> +// Options: --all-includes
> +
> +virtual context
> +virtual org
> +virtual report
> +
> +@...mp@
> +position p;
> +typedef bool, u8, u16, u32, u64;
> +{unsigned char, unsigned short, unsigned int, unsigned long, unsigned long long,
> + size_t, bool, u8, u16, u32, u64} v;
> +expression e;
> +@@
> +
> + \( v = e \| &v \)
> + ...
> + (\( v@p < 0 \| v@p <= 0 \| v@p >= 0 \| v@p > 0 \))
> +
> +@r@
> +position r_cmp.p;
> +typedef s8, s16, s32, s64;
> +{char, short, int, long, long long, ssize_t, s8, s16, s32, s64} vs;
> +expression c, e, v;
> +identifier f !~ "^(ata_id_queue_depth|btrfs_copy_from_user|dma_map_sg|dma_map_sg_attrs|fls|fls64|gameport_time|get_write_extents|nla_len|ntoh24|of_flat_dt_match|of_get_child_count|uart_circ_chars_pending|[A-Z0-9_]+)$";
> +@@
> +
> +(
> + v = f(...)@vs;
> + ... when != v = e;
> +* (\( v@p <=@e 0 \| v@p >@e 0 \))
> + ... when any
> +|
> +(
> + (\( v@p < 0 \| v@p <= 0 \)) || ... || (\( v >= c \| v > c \))
> +|
> + (\( v >= c \| v > c \)) || ... || (\( v@p < 0 \| v@p <= 0 \))
> +|
> + (\( v@p >= 0 \| v@p > 0 \)) && ... && (\( v < c \| v <= c \))
> +|
> + ((\( v < c \| v <= c \) && ... && \( v@p >= 0 \| v@p > 0 \)))
> +|
> +* (\( v@p <@e 0 \| v@p >=@e 0 \))
> +)
> +)
> +
> +@...ipt:python depends on org@
> +p << r_cmp.p;
> +e << r.e = "";
> +@@
> +
> +msg = "WARNING: Unsigned expression compared with zero: %s" % (e)
> +coccilib.org.print_todo(p[0], msg)
> +
> +@...ipt:python depends on report@
> +p << r_cmp.p;
> +e << r.e = "";
> +@@
> +
> +msg = "WARNING: Unsigned expression compared with zero: %s" % (e)
> +if e:
> + coccilib.report.print_report(p[0], msg)
> --
> 1.9.1
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
This cocci triggered an error in spatch:
$ make coccicheck
COCCI=~/Projects/linuxtest/scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci
You have not explicitly specified the mode to use. Using default "report" mode.
Available modes are the following: patch, report, context, org
You can specify the mode with "make coccicheck MODE=<mode>"
Note however that some modes are not implemented by some semantic patches.
Please check for false positives in the output before submitting a patch.
When using "patch" mode, carefully review the patch before submitting it.
./drivers/staging/media/lirc/lirc_parallel.c:163:22-33: WARNING:
Unsigned expression compared with zero: timeelapsed > 0
./drivers/hwmon/amc6821.c:228:6-9: WARNING: Unsigned expression
compared with zero: reg > 0
./drivers/hwmon/amc6821.c:241:6-9: WARNING: Unsigned expression
compared with zero: reg > 0
*** Error in `/usr/lib/coccinelle/spatch': corrupted double-linked
list (not small): 0x0000000001c523d0 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x72055)[0x7fb3ec683055]
/usr/lib/libc.so.6(+0x779a6)[0x7fb3ec6889a6]
/usr/lib/libc.so.6(+0x7a2d3)[0x7fb3ec68b2d3]
/usr/lib/libc.so.6(__libc_malloc+0x54)[0x7fb3ec68c3d4]
/usr/lib/coccinelle/spatch(caml_stat_alloc+0x9)[0x42dd14]
/usr/lib/coccinelle/spatch(caml_open_descriptor_in+0x12)[0x432fe2]
/usr/lib/coccinelle/spatch(caml_ml_open_descriptor_in+0xc)[0x43368f]
/usr/lib/coccinelle/spatch(caml_interprete+0x14ba)[0x43e9e1]
/usr/lib/coccinelle/spatch(caml_main+0x371)[0x42b327]
/usr/lib/coccinelle/spatch(main+0xc)[0x43d513]
/usr/lib/libc.so.6(__libc_start_main+0xf0)[0x7fb3ec631610]
/usr/lib/coccinelle/spatch(_start+0x29)[0x417609]
======= Memory map: ========
00400000-00452000 r-xp 00000000 08:03 1318169
/usr/lib/coccinelle/spatch
00651000-00656000 rw-p 00051000 08:03 1318169
/usr/lib/coccinelle/spatch
00656000-00664000 rw-p 00000000 00:00 0
019ea000-0c642000 rw-p 00000000 00:00 0 [heap]
7fb3e4000000-7fb3e4021000 rw-p 00000000 00:00 0
7fb3e4021000-7fb3e8000000 ---p 00000000 00:00 0
7fb3ea931000-7fb3eab32000 rw-p 00000000 00:00 0
7fb3eae36000-7fb3eaef6000 rw-p 00000000 00:00 0
7fb3eaef6000-7fb3eaef8000 r-xp 00000000 08:03 2365929
/usr/lib/python3.5/lib-dynload/_heapq.cpython-35m-x86_64-linux-gnu.so
7fb3eaef8000-7fb3eb0f7000 ---p 00002000 08:03 2365929
/usr/lib/python3.5/lib-dynload/_heapq.cpython-35m-x86_64-linux-gnu.so
7fb3eb0f7000-7fb3eb0f8000 r--p 00001000 08:03 2365929
/usr/lib/python3.5/lib-dynload/_heapq.cpython-35m-x86_64-linux-gnu.so
7fb3eb0f8000-7fb3eb0fa000 rw-p 00002000 08:03 2365929
/usr/lib/python3.5/lib-dynload/_heapq.cpython-35m-x86_64-linux-gnu.so
7fb3eb0fa000-7fb3eb13a000 rw-p 00000000 00:00 0
7fb3eb787000-7fb3ebb31000 r--p 00000000 08:03 2119451
/usr/lib/locale/locale-archive
7fb3ebb31000-7fb3ebe4a000 rw-p 00000000 00:00 0
7fb3ebfbe000-7fb3ebfd4000 r-xp 00000000 08:03 2100676
/usr/lib/libgcc_s.so.1
7fb3ebfd4000-7fb3ec1d3000 ---p 00016000 08:03 2100676
/usr/lib/libgcc_s.so.1
7fb3ec1d3000-7fb3ec1d4000 rw-p 00015000 08:03 2100676
/usr/lib/libgcc_s.so.1
7fb3ec20c000-7fb3ec40e000 rw-p 00000000 00:00 0
7fb3ec40e000-7fb3ec410000 r-xp 00000000 08:03 2100408
/usr/lib/libutil-2.22.so
7fb3ec410000-7fb3ec60f000 ---p 00002000 08:03 2100408
/usr/lib/libutil-2.22.so
7fb3ec60f000-7fb3ec610000 r--p 00001000 08:03 2100408
/usr/lib/libutil-2.22.so
7fb3ec610000-7fb3ec611000 rw-p 00002000 08:03 2100408
/usr/lib/libutil-2.22.so
7fb3ec611000-7fb3ec7ac000 r-xp 00000000 08:03 2100354
/usr/lib/libc-2.22.so
7fb3ec7ac000-7fb3ec9ab000 ---p 0019b000 08:03 2100354
/usr/lib/libc-2.22.so
7fb3ec9ab000-7fb3ec9af000 r--p 0019a000 08:03 2100354
/usr/lib/libc-2.22.so
7fb3ec9af000-7fb3ec9b1000 rw-p 0019e000 08:03 2100354
/usr/lib/libc-2.22.so
7fb3ec9b1000-7fb3ec9b5000 rw-p 00000000 00:00 0
7fb3ec9b5000-7fb3ec9cd000 r-xp 00000000 08:03 2100335
/usr/lib/libpthread-2.22.so
7fb3ec9cd000-7fb3ecbcc000 ---p 00018000 08:03 2100335
/usr/lib/libpthread-2.22.so
7fb3ecbcc000-7fb3ecbcd000 r--p 00017000 08:03 2100335
/usr/lib/libpthread-2.22.so
7fb3ecbcd000-7fb3ecbce000 rw-p 00018000 08:03 2100335
/usr/lib/libpthread-2.22.so
7fb3ecbce000-7fb3ecbd2000 rw-p 00000000 00:00 0
7fb3ecbd2000-7fb3ecc39000 r-xp 00000000 08:03 2100758
/usr/lib/libncursesw.so.6.0
7fb3ecc39000-7fb3ece39000 ---p 00067000 08:03 2100758
/usr/lib/libncursesw.so.6.0
7fb3ece39000-7fb3ece3d000 r--p 00067000 08:03 2100758
/usr/lib/libncursesw.so.6.0
7fb3ece3d000-7fb3ece3f000 rw-p 0006b000 08:03 2100758
/usr/lib/libncursesw.so.6.0
7fb3ece3f000-7fb3ece42000 r-xp 00000000 08:03 2100403
/usr/lib/libdl-2.22.so
7fb3ece42000-7fb3ed041000 ---p 00003000 08:03 2100403
/usr/lib/libdl-2.22.so
7fb3ed041000-7fb3ed042000 r--p 00002000 08:03 2100403
/usr/lib/libdl-2.22.so
7fb3ed042000-7fb3ed043000 rw-p 00003000 08:03 2100403
/usr/lib/libdl-2.22.so
7fb3ed043000-7fb3ed140000 r-xp 00000000 08:03 2100404
/usr/lib/libm-2.22.so
7fb3ed140000-7fb3ed33f000 ---p 000fd000 08:03 2100404
/usr/lib/libm-2.22.so
7fb3ed33f000-7fb3ed340000 r--p 000fc000 08:03 2100404
/usr/lib/libm-2.22.so
7fb3ed340000-7fb3ed341000 rw-p 000fd000 08:03 2100404
/usr/lib/libm-2.22.so
7fb3ed341000-7fb3ed578000 r-xp 00000000 08:03 2128110
/usr/lib/libpython3.5m.so.1.0
7fb3ed578000-7fb3ed778000 ---p 00237000 08:03 2128110
/usr/lib/libpython3.5m.so.1.0
7fb3ed778000-7fb3ed77a000 r--p 00237000 08:03 2128110
/usr/lib/libpython3.5m.so.1.0
7fb3ed77a000-7fb3ed7df000 rw-p 00239000 08:03 2128110
/usr/lib/libpython3.5m.so.1.0
7fb3ed7df000-7fb3ed80f000 rw-p 00000000 00:00 0
7fb3ed80f000-7fb3ed87e000 r-xp 00000000 08:03 2108758
/usr/lib/libpcre.so.1.2.6
7fb3ed87e000-7fb3eda7d000 ---p 0006f000 08:03 2108758
/usr/lib/libpcre.so.1.2.6
7fb3eda7d000-7fb3eda7e000 r--p 0006e000 08:03 2108758
/usr/lib/libpcre.so.1.2.6
7fb3eda7e000-7fb3eda7f000 rw-p 0006f000 08:03 2108758
/usr/lib/libpcre.so.1.2.6
7fb3eda7f000-7fb3edaa1000 r-xp 00000000 08:03 2100353
/usr/lib/ld-2.22.so
7fb3edaa2000-7fb3edc68000 rw-p 00000000 00:00 0
7fb3edc9f000-7fb3edca0000 rw-p 00000000 00:00 0
7fb3edca0000-7fb3edca1000 r--p 00021000 08:03 2100353
/usr/lib/ld-2.22.so
7fb3edca1000-7fb3edca2000 rw-p 00022000 08:03 2100353
/usr/lib/ld-2.22.so
7fb3edca2000-7fb3edca3000 rw-p 00000000 00:00 0
7ffdc8750000-7ffdc8773000 rw-p 00000000 00:00 0 [stack]
7ffdc8796000-7ffdc8798000 r--p 00000000 00:00 0 [vvar]
7ffdc8798000-7ffdc879a000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
./scripts/coccicheck: line 97: 18682 Segmentation fault (core
dumped) /usr/bin/spatch -D report --very-quiet --no-show-diff
--cocci-file /home/geyslan/Projects/linuxtest/scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci
--all-includes --dir . -I ./arch/x86/include -I
arch/x86/include/generated/uapi -I arch/x86/include/generated -I
include -I ./arch/x86/include/uapi -I arch/x86/include/generated/uapi
-I ./include/uapi -I include/generated/uapi --include
./include/linux/kconfig.h --max 8 --index 0
./scripts/coccicheck: line 97: 18684 Segmentation fault (core
dumped) /usr/bin/spatch -D report --very-quiet --no-show-diff
--cocci-file /home/geyslan/Projects/linuxtest/scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci
--all-includes --dir . -I ./arch/x86/include -I
arch/x86/include/generated/uapi -I arch/x86/include/generated -I
include -I ./arch/x86/include/uapi -I arch/x86/include/generated/uapi
-I ./include/uapi -I include/generated/uapi --include
./include/linux/kconfig.h --max 8 --index 2
./scripts/coccicheck: line 97: 18685 Aborted (core
dumped) /usr/bin/spatch -D report --very-quiet --no-show-diff
--cocci-file /home/geyslan/Projects/linuxtest/scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci
--all-includes --dir . -I ./arch/x86/include -I
arch/x86/include/generated/uapi -I arch/x86/include/generated -I
include -I ./arch/x86/include/uapi -I arch/x86/include/generated/uapi
-I ./include/uapi -I include/generated/uapi --include
./include/linux/kconfig.h --max 8 --index 3
./scripts/coccicheck: line 97: 18686 Segmentation fault (core
dumped) /usr/bin/spatch -D report --very-quiet --no-show-diff
--cocci-file /home/geyslan/Projects/linuxtest/scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci
--all-includes --dir . -I ./arch/x86/include -I
arch/x86/include/generated/uapi -I arch/x86/include/generated -I
include -I ./arch/x86/include/uapi -I arch/x86/include/generated/uapi
-I ./include/uapi -I include/generated/uapi --include
./include/linux/kconfig.h --max 8 --index 4
./scripts/coccicheck: line 97: 18689 Segmentation fault (core
dumped) /usr/bin/spatch -D report --very-quiet --no-show-diff
--cocci-file /home/geyslan/Projects/linuxtest/scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci
--all-includes --dir . -I ./arch/x86/include -I
arch/x86/include/generated/uapi -I arch/x86/include/generated -I
include -I ./arch/x86/include/uapi -I arch/x86/include/generated/uapi
-I ./include/uapi -I include/generated/uapi --include
./include/linux/kconfig.h --max 8 --index 7
./drivers/cpufreq/cpufreq-dt.c:87:20-28: WARNING: Unsigned expression
compared with zero: volt_old > 0
./drivers/cpufreq/scpi-cpufreq.c:36:5-11: WARNING: Unsigned expression
compared with zero: domain < 0
./drivers/hsi/controllers/omap_ssi.c:327:5-12: WARNING: Unsigned
expression compared with zero: ssi -> id < 0
./drivers/clk/clk-vt8500.c:462:16-20: WARNING: Unsigned expression
compared with zero: div1 >= 0
./drivers/clk/clk-vt8500.c:506:16-20: WARNING: Unsigned expression
compared with zero: div1 >= 0
./drivers/clk/clk-vt8500.c:395:17-21: WARNING: Unsigned expression
compared with zero: div2 >= 0
./drivers/clk/clk-vt8500.c:463:17-21: WARNING: Unsigned expression
compared with zero: div2 >= 0
./drivers/clk/clk-vt8500.c:507:17-21: WARNING: Unsigned expression
compared with zero: div2 >= 0
^CMakefile:1488: recipe for target 'coccicheck' failed
make: *** [coccicheck] Error 1
--
Regards,
Geyslan G. Bem
hackingbits.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists