Re: [Cocci] award for Coccinelle paper
On Tue, Apr 24, 2018 at 4:42 PM, Julia Lawallwrote: > The 2008 Eurosys paper: > > Documenting and automating collateral evolutions in Linux device drivers. > > received the Eurosys "Test of Time" award. Many thanks to everyone on > this list who has helped to make this possible. Wow, that's amazing. Congratulations to all who worked on this brilliant tool. Thanks for your work. > thanks, > julia > ___ > Cocci mailing list > Cocci@systeme.lip6.fr > https://systeme.lip6.fr/mailman/listinfo/cocci ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v2] Coccinelle: api: Add offset_in_page.cocci
Use of offset_in_page is preferable instead of open coding. This patch adds coccinelle script for suggesting the use of macro offset_in_page. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- Changes since v1: - Add parenthesis around rule for patch mode to avoid extra parenthesis in end result --- scripts/coccinelle/api/offset_in_page.cocci | 77 + 1 file changed, 77 insertions(+) create mode 100644 scripts/coccinelle/api/offset_in_page.cocci diff --git a/scripts/coccinelle/api/offset_in_page.cocci b/scripts/coccinelle/api/offset_in_page.cocci new file mode 100644 index 000..4034864 --- /dev/null +++ b/scripts/coccinelle/api/offset_in_page.cocci @@ -0,0 +1,77 @@ +/// Use offset_in_page instead of duplicating its implementation +/// +// Confidence: High +// Copyright: (C) 2017 Vaishali Thakkar, Oracle. GPLv2. +// Options: --no-includes --include-headers +// Keywords: offset_in_page + +virtual patch +virtual context +virtual org +virtual report + +@r_patch depends on patch@ +expression e; +identifier i; +@@ +- unsigned long i = (unsigned long)e & ~PAGE_MASK; +... +- i ++ offset_in_page(e) + +@r1_patch depends on patch@ +expression e1; +@@ + +( +- ((unsigned long)e1 & ~PAGE_MASK) ++ offset_in_page(e1) +| +- ((unsigned long)e1 % PAGE_SIZE) ++ offset_in_page(e1) +) + +@r_context depends on !patch@ +expression e; +identifier i; +position p; +@@ + +* unsigned long i = (unsigned long)e@p & ~PAGE_MASK; +... +* i + +@r1_context depends on !patch@ +expression e1; +position p1; +@@ + +( +* (unsigned long)e1@p1 & ~PAGE_MASK +| +* (unsigned long)e1@p1 % PAGE_SIZE +) + +@script:python depends on org@ +p << r_context.p; +@@ + +coccilib.org.print_todo(p[0], "WARNING opportunity for offset_in_page") + +@script:python depends on org@ +p << r1_context.p1; +@@ + +coccilib.org.print_todo(p[0], "WARNING opportunity for offset_in_page") + +@script:python depends on report@ +p << r_context.p; +@@ + +coccilib.report.print_report(p[0], "WARNING opportunity for offset_in_page") + +@script:python depends on report@ +p << r1_context.p1; +@@ + +coccilib.report.print_report(p[0], "WARNING opportunity for offset_in_page") -- 2.7.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH] Coccinelle: api: Add offset_in_page.cocci
Use of offset_in_page is preferable instead of open coding. This patch adds coccinelle script for suggesting the use of macro offset_in_page. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- scripts/coccinelle/api/offset_in_page.cocci | 77 + 1 file changed, 77 insertions(+) create mode 100644 scripts/coccinelle/api/offset_in_page.cocci diff --git a/scripts/coccinelle/api/offset_in_page.cocci b/scripts/coccinelle/api/offset_in_page.cocci new file mode 100644 index 000..d083109 --- /dev/null +++ b/scripts/coccinelle/api/offset_in_page.cocci @@ -0,0 +1,77 @@ +/// Use offset_in_page instead of duplicating its implementation +/// +// Confidence: High +// Copyright: (C) 2017 Vaishali Thakkar, Oracle. GPLv2. +// Options: --no-includes --include-headers +// Keywords: offset_in_page + +virtual patch +virtual context +virtual org +virtual report + +@r_patch depends on patch@ +expression e; +identifier i; +@@ +- unsigned long i = (unsigned long)e & ~PAGE_MASK; +... +- i ++ offset_in_page(e) + +@r1_patch depends on patch@ +expression e1; +@@ + +( +- (unsigned long)e1 & ~PAGE_MASK ++ offset_in_page(e1) +| +- (unsigned long)e1 % PAGE_SIZE ++ offset_in_page(e1) +) + +@r_context depends on !patch@ +expression e; +identifier i; +position p; +@@ + +* unsigned long i = (unsigned long)e@p & ~PAGE_MASK; +... +* i + +@r1_context depends on !patch@ +expression e1; +position p1; +@@ + +( +* (unsigned long)e1@p1 & ~PAGE_MASK +| +* (unsigned long)e1@p1 % PAGE_SIZE +) + +@script:python depends on org@ +p << r_context.p; +@@ + +coccilib.org.print_todo(p[0], "WARNING opportunity for offset_in_page") + +@script:python depends on org@ +p << r1_context.p1; +@@ + +coccilib.org.print_todo(p[0], "WARNING opportunity for offset_in_page") + +@script:python depends on report@ +p << r_context.p; +@@ + +coccilib.report.print_report(p[0], "WARNING opportunity for offset_in_page") + +@script:python depends on report@ +p << r1_context.p1; +@@ + +coccilib.report.print_report(p[0], "WARNING opportunity for offset_in_page") -- 2.7.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] position confusion?
On Saturday 28 January 2017 01:48 PM, Johannes Berg wrote: On Sat, 2017-01-28 at 12:10 +0530, Vaishali Thakkar wrote: On Saturday 28 January 2017 04:40 AM, Johannes Berg wrote: This is nonsense, but I don't see why it shouldn't parse: Hi, @a@ type T; identifier x; position p; @@ T x@p = { }; @b@ type T; identifier x; position p; This should be "position p != a.p;". That has no effect on the point I was trying to make. I told you the spatch was nonsense ... :) @@ T x@p = { }; @@ position p != a.p; position q != b.p; And here no need to put constraint for q. There was no need to put a constraint anyway, again, the whole patch made no sense. But assume I wanted to have p and q in different positions, or whatever. Note that I didn't even *use* @p in the rule, so you're making wrong assumptions. Got your point now. Just tried to solve the parsing error in the previous mail. :) position p != {a.p, b.p}; Nevertheless, that's something I learned. johannes ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] position confusion?
On Saturday 28 January 2017 04:40 AM, Johannes Berg wrote: This is nonsense, but I don't see why it shouldn't parse: Hi, @a@ type T; identifier x; position p; @@ T x@p = { }; @b@ type T; identifier x; position p; This should be "position p != a.p;". @@ T x@p = { }; @@ position p != a.p; position q != b.p; And here no need to put constraint for q. position p != {a.p, b.p}; position q; type T; identifier x; @@ *T x@q = {}; -> 148 149 Fatal error: exception Failure("meta: parse error: \n = File \"/tmp/test.spatch\", line 17, column 16, charpos = 148\naround = 'p', whole content = position q != b.p;\n") if I replace 'p' by 'q' in @b@, it works fine? johannes ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user
On Wednesday 11 January 2017 07:40 AM, Pengfei Wang wrote: 在 2017年1月11日,上午1:46,Vaishali Thakkar <vaishali.thak...@oracle.com <mailto:vaishali.thak...@oracle.com>> 写道: On Tuesday 10 January 2017 02:32 PM, Pengfei Wang wrote: 在 2017年1月10日,下午4:40,Vaishali Thakkar <vaishali.thak...@oracle.com <mailto:vaishali.thak...@oracle.com>> 写道: On Tuesday 10 January 2017 01:51 PM, Pengfei Wang wrote: 在 2017年1月10日,上午1:05,Vaishali Thakkar <vaishali.thak...@oracle.com <mailto:vaishali.thak...@oracle.com>> 写道: On Tuesday 27 December 2016 11:51 PM, Julia Lawall wrote: I totally dropped the ball on this. Many thanks to Vaishali for resurrecting it. Some changes are suggested below. On Tue, 26 Apr 2016, Kees Cook wrote: This is usually a sign of a resized request. This adds a check for potential races or confusions. The check isn't 100% accurate, so it needs some manual review. Signed-off-by: Kees Cook <keesc...@chromium.org <mailto:keesc...@chromium.org>> --- scripts/coccinelle/tests/reusercopy.cocci | 36 +++ 1 file changed, 36 insertions(+) create mode 100644 scripts/coccinelle/tests/reusercopy.cocci diff --git a/scripts/coccinelle/tests/reusercopy.cocci b/scripts/coccinelle/tests/reusercopy.cocci new file mode 100644 index ..53645de8ae95 --- /dev/null +++ b/scripts/coccinelle/tests/reusercopy.cocci @@ -0,0 +1,36 @@ +/// Recopying from the same user buffer frequently indicates a pattern of +/// Reading a size header, allocating, and then re-reading an entire +/// structure. If the structure's size is not re-validated, this can lead +/// to structure or data size confusions. +/// +// Confidence: Moderate +// Copyright: (C) 2016 Kees Cook, Google. License: GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: -no_includes -include_headers The options could be: --no-include --include-headers Actually, Coccinelle supports both, but it only officially supports the -- versions. + +virtual report +virtual org Add, the following for the *s: virtual context Then add the following rule: @ok@ position p; expression src,dest; @@ copy_from_user@p(, src, sizeof(dest)) + +@cfu_twice@ +position p; Change this to: position p != ok.p; +identifier src; +expression dest1, dest2, size1, size2, offset; +@@ + +*copy_from_user(dest1, src, size1) + ... when != src = offset + when != src += offset Here, may be we should add few more lines from Pengfei's script to avoid th potential FPs. Add the following lines: when != if (size2 > e1 || ...) { ... return ...; } when != if (size2 > e1 || ...) { ... size2 = e2 ... } These changes drop cases where the last argument to copy_from_usr is the size of the first argument, which seems safe enough, and where there is a test on the size value that can either update it or abort the function. These changes only eliminate false positives, as far as I could tell. If it would be more convenient, I could just send the complete revised patch, or whatever seems convenient. I was also thinking that probably we should also add other user space memory API functions. May be get_user and strncpy_from_user. Although I'm not sure how common it is to find such patterns for both of these functions. I strongly recommend you adding get_user() API , which is used pervasively within the kernel just like copy_from user(). Sure. I have changed regetuser-wang.cocci from Kees's RFC patches to include everything in the pattern matching rule. I'll send that as well. In many situations, there is a combination use, get_user() copies first then followed by a copy_from_user() copy. According to our investigation, this typical situation works by get_user() firstly copying a field of a specific struct to check, then copy_from_user() copies in the whole struct to use. Of course, the struct field is fetch twice. Do you mean that there is a problem when we have get_user() followed by copy_from_user()? Basically something like this: get_user(..., src.arg) //where src.arg = field of a structure ... copy_from_user(..., src, ...) //where src is a whole structure If that is the case then we would need to have one more new script or rule for such kind of combinational patterns. Disjunction can probably give FPs. Yes, I’ve seen these cases when examining the source code. Actually, copying a field first and then copying the whole struct is very common in the kernel especially the driver. For example, when a struct (or a message as we call it) is variable length, the first copy is used to check its size field, and allocate a kernel buffer based on it, then the second copy is to copy the whole message also based on the size. There are also situations of the variable type messages. The reason that they use get_user() instead of copy_from_user() for the first copy is because get_user() is defined as a macro, which works faster than a function call that copy_from_user() does wh
Re: [Cocci] [RFC] coccicheck: add a test for repeat memory fetches
On Wednesday 11 January 2017 05:34 AM, Kees Cook wrote: On Tue, Jan 10, 2017 at 1:14 PM, Julia Lawallwrote: OK, I have the impression that what you are looking for is the following, that currently does not seem to work well. Still maybe it gives an idea. The basic pattern is the following sequence: 1. copy_from_user 2. test on a field of the copied value 3. another copy_from_user 4. a use of the same field as tested in step 2 from the structure obtained by the second copy_from_user or a function call with the structure as an argument This looks pretty good! In the case where the second copy_from_user stores the result in a pointer, then a return with no reference of the tested field is also a concern, unless, the pointer was already kfreed. I think sequence "2" above missing just looking at a direct value, like if instead of a field it was a u32. Also, should binop include "=="? And we need to add back in get_user() too... hmmm May be having a separate script for get_user would be a good idea. get_user needs few more tests than copy_from_user. Also, for the both cases we can later add multi-function handling rules. And for the get_user, may be combinational usage rule as well. -Kees ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user
On Tuesday 10 January 2017 02:32 PM, Pengfei Wang wrote: 在 2017年1月10日,下午4:40,Vaishali Thakkar <vaishali.thak...@oracle.com> 写道: On Tuesday 10 January 2017 01:51 PM, Pengfei Wang wrote: 在 2017年1月10日,上午1:05,Vaishali Thakkar <vaishali.thak...@oracle.com> 写道: On Tuesday 27 December 2016 11:51 PM, Julia Lawall wrote: I totally dropped the ball on this. Many thanks to Vaishali for resurrecting it. Some changes are suggested below. On Tue, 26 Apr 2016, Kees Cook wrote: This is usually a sign of a resized request. This adds a check for potential races or confusions. The check isn't 100% accurate, so it needs some manual review. Signed-off-by: Kees Cook <keesc...@chromium.org> --- scripts/coccinelle/tests/reusercopy.cocci | 36 +++ 1 file changed, 36 insertions(+) create mode 100644 scripts/coccinelle/tests/reusercopy.cocci diff --git a/scripts/coccinelle/tests/reusercopy.cocci b/scripts/coccinelle/tests/reusercopy.cocci new file mode 100644 index ..53645de8ae95 --- /dev/null +++ b/scripts/coccinelle/tests/reusercopy.cocci @@ -0,0 +1,36 @@ +/// Recopying from the same user buffer frequently indicates a pattern of +/// Reading a size header, allocating, and then re-reading an entire +/// structure. If the structure's size is not re-validated, this can lead +/// to structure or data size confusions. +/// +// Confidence: Moderate +// Copyright: (C) 2016 Kees Cook, Google. License: GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: -no_includes -include_headers The options could be: --no-include --include-headers Actually, Coccinelle supports both, but it only officially supports the -- versions. + +virtual report +virtual org Add, the following for the *s: virtual context Then add the following rule: @ok@ position p; expression src,dest; @@ copy_from_user@p(, src, sizeof(dest)) + +@cfu_twice@ +position p; Change this to: position p != ok.p; +identifier src; +expression dest1, dest2, size1, size2, offset; +@@ + +*copy_from_user(dest1, src, size1) + ... when != src = offset + when != src += offset Here, may be we should add few more lines from Pengfei's script to avoid th potential FPs. Add the following lines: when != if (size2 > e1 || ...) { ... return ...; } when != if (size2 > e1 || ...) { ... size2 = e2 ... } These changes drop cases where the last argument to copy_from_usr is the size of the first argument, which seems safe enough, and where there is a test on the size value that can either update it or abort the function. These changes only eliminate false positives, as far as I could tell. If it would be more convenient, I could just send the complete revised patch, or whatever seems convenient. I was also thinking that probably we should also add other user space memory API functions. May be get_user and strncpy_from_user. Although I'm not sure how common it is to find such patterns for both of these functions. I strongly recommend you adding get_user() API , which is used pervasively within the kernel just like copy_from user(). Sure. I have changed regetuser-wang.cocci from Kees's RFC patches to include everything in the pattern matching rule. I'll send that as well. In many situations, there is a combination use, get_user() copies first then followed by a copy_from_user() copy. According to our investigation, this typical situation works by get_user() firstly copying a field of a specific struct to check, then copy_from_user() copies in the whole struct to use. Of course, the struct field is fetch twice. Do you mean that there is a problem when we have get_user() followed by copy_from_user()? Basically something like this: get_user(..., src.arg) //where src.arg = field of a structure ... copy_from_user(..., src, ...) //where src is a whole structure If that is the case then we would need to have one more new script or rule for such kind of combinational patterns. Disjunction can probably give FPs. Yes, I’ve seen these cases when examining the source code. Actually, copying a field first and then copying the whole struct is very common in the kernel especially the driver. For example, when a struct (or a message as we call it) is variable length, the first copy is used to check its size field, and allocate a kernel buffer based on it, then the second copy is to copy the whole message also based on the size. There are also situations of the variable type messages. The reason that they use get_user() instead of copy_from_user() for the first copy is because get_user() is defined as a macro, which works faster than a function call that copy_from_user() does when copy simple data type such as char and int. I see. If possible, can you point me to a code or actual bug [reported by you or others] which has this kind of pattern particularly? I wrote a separate rule for the kind of pattern you have described but I am not sure if this kind of code is s
Re: [Cocci] [RFC] coccicheck: add a test for repeat memory fetches
On Tue, Jan 10, 2017 at 1:31 PM, Julia Lawallwrote: > > > On Tue, 10 Jan 2017, Pengfei Wang wrote: > >> >> > 在 2017年1月10日,下午2:06,Julia Lawall 写道: >> > >> > >> > >> > On Mon, 9 Jan 2017, Kees Cook wrote: >> > >> >> Okay, this adds a few tests, for people to examine. >> >> >> >> reusercopy-cook.cocci: >> >> My original test, with recent updates from Julia. >> >> >> >> reusercopy-wang.cocci: >> >> This is Pengfei's test, but with heavily modified reporting to fit in the >> >> kernel coccicheck target, and with all the getuser checks removed so that >> >> Julia's size test could be added (this lets us compare the results between >> >> this and my original test). >> > >> > Thanks for the update. >> > >> > I'm not enthusiastic about all the python filtering. It would be better >> > to try to put it into the pattern matching rules. >> >> I agree with that. I used the python filtering because I could not filter >> out the false >> positives with the rules since I was a beginner to Coccinelle. I encourage >> you to use >> the pattern matching rules if possible. >> > >> > I'm not sure what is the point of func in the various rules. Is there a >> > need to ensure that the pattern appears only once in a function definition? >> >> It is unnecessary to use the “func” as long as it won’t cause an error when >> running the script. >> I used it because we found that this pattern usually takes place within a >> function. The pattern >> is not necessarily to appear only once, and our approach should be able to >> match multiple >> occurrences of this pattern within one function. >> >> However, our approach currently cannot match an inter-function pattern, >> within which the two >> copy operations reside in two functions respectively. The first function >> copies the user data first, >> and it calls the second function, then within the second function, the user >> data is copied again >> and used. This situation actually exists(CVE-2016-6516), and could cause bad >> consequences. Thanks for the inputs on this issue. Indeed finding things under one function are obvious cases. /kernel/kexec_core.c was removed from the output because of that approach. This can be easily done in the reusercopy-cook.cocci as well. Also, reusercopy-wang.cocci finds few more cases. I have done few changes in reusercopy-cook.cocci to cover them in pattern matching rule only so that we don't need the whole python rule from reusercopy-wang.cocci. Was supposed to send it but now that you have mentioned the issue with the inter function pattern, let me try to see if we can do that with Coccinelle. As far as it is within a single file, I think coccinelle would be able to do that. I'll send my proposed changes after testing the inter function pattern. >> I also suggest adding more copy function APIs, such as strncpy_from_user(). >> I didn’t do so for >> two reasons. >> 1. My script already looks redundant and I’m trying to use a better >> structure. >> 2. The other copy functions are not so prevalent as the four I used. >> But adding more copy functions could make it more accurate. I'll check about strncpy_from_user once we will have a coccinelle script in a good shape for both of these cases. Thanks! >> Please feel free to contact me if you have any questions about my script. > > Thanks for the feedback! Indeed Coccinelle is not well adapted to > interprocedural analysis, but it could be added to a limited extent, eg > one level of function call if it seems useful, once the rest is in good > shape. > > julia > > >> >> Regards >> Pengfei >> >> > >> > I'll look at this in more detail this evening, and try to remove more false >> > positives. If you know of some specifically, please let me know what they >> > are. >> > >> > thanks, >> > julia >> > >> > >> >> >> >> regetuser-wang.cocci: >> >> This is Pengfei's get_user() tests only (to compare against hits from just >> >> the copy_from_user() tests). >> >> >> >> Comparing reusercopy-cook.cocci with reusercopy-wang.cocci: >> >> -./arch/ia64/kernel/perfmon.c:4833 >> >> +./arch/powerpc/kernel/signal_32.c:742 >> >> +./arch/powerpc/kernel/signal_32.c:850 >> >> ./arch/powerpc/platforms/powernv/opal-prd.c:248 >> >> ./drivers/acpi/custom_method.c:54 >> >> -./drivers/firmware/efi/test/efi_test.c:617 >> >> -./drivers/hid/hid-picolcd_debugfs.c:283 >> >> +./drivers/gpu/drm/radeon/radeon_cs.c:635 >> >> ./drivers/hwtracing/stm/core.c:580 >> >> ./drivers/isdn/i4l/isdn_ppp.c:875 >> >> ./drivers/md/dm-ioctl.c:1741 >> >> -./drivers/misc/mic/vop/vop_vringh.c:775 >> >> +./drivers/md/md.c:7030 >> >> +./drivers/misc/lkdtm_usercopy.c:106 >> >> +./drivers/misc/lkdtm_usercopy.c:160 >> >> +./drivers/misc/lkdtm_usercopy.c:232 >> >> ./drivers/misc/mic/vop/vop_vringh.c:944 >> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2159 >> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2257 >> >> +./drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2302 >> >>
Re: [Cocci] [PATCH] coccicheck: add a test for repeat copy_from_user
On Tuesday 27 December 2016 11:51 PM, Julia Lawall wrote: I totally dropped the ball on this. Many thanks to Vaishali for resurrecting it. Some changes are suggested below. On Tue, 26 Apr 2016, Kees Cook wrote: This is usually a sign of a resized request. This adds a check for potential races or confusions. The check isn't 100% accurate, so it needs some manual review. Signed-off-by: Kees Cook--- scripts/coccinelle/tests/reusercopy.cocci | 36 +++ 1 file changed, 36 insertions(+) create mode 100644 scripts/coccinelle/tests/reusercopy.cocci diff --git a/scripts/coccinelle/tests/reusercopy.cocci b/scripts/coccinelle/tests/reusercopy.cocci new file mode 100644 index ..53645de8ae95 --- /dev/null +++ b/scripts/coccinelle/tests/reusercopy.cocci @@ -0,0 +1,36 @@ +/// Recopying from the same user buffer frequently indicates a pattern of +/// Reading a size header, allocating, and then re-reading an entire +/// structure. If the structure's size is not re-validated, this can lead +/// to structure or data size confusions. +/// +// Confidence: Moderate +// Copyright: (C) 2016 Kees Cook, Google. License: GPLv2. +// URL: http://coccinelle.lip6.fr/ +// Comments: +// Options: -no_includes -include_headers The options could be: --no-include --include-headers Actually, Coccinelle supports both, but it only officially supports the -- versions. + +virtual report +virtual org Add, the following for the *s: virtual context Then add the following rule: @ok@ position p; expression src,dest; @@ copy_from_user@p(, src, sizeof(dest)) + +@cfu_twice@ +position p; Change this to: position p != ok.p; +identifier src; +expression dest1, dest2, size1, size2, offset; +@@ + +*copy_from_user(dest1, src, size1) + ... when != src = offset + when != src += offset Here, may be we should add few more lines from Pengfei's script to avoid th potential FPs. Add the following lines: when != if (size2 > e1 || ...) { ... return ...; } when != if (size2 > e1 || ...) { ... size2 = e2 ... } These changes drop cases where the last argument to copy_from_usr is the size of the first argument, which seems safe enough, and where there is a test on the size value that can either update it or abort the function. These changes only eliminate false positives, as far as I could tell. If it would be more convenient, I could just send the complete revised patch, or whatever seems convenient. I was also thinking that probably we should also add other user space memory API functions. May be get_user and strncpy_from_user. Although I'm not sure how common it is to find such patterns for both of these functions. thanks, julia +*copy_from_user@p(dest2, src, size2) + +@script:python depends on org@ +p << cfu_twice.p; +@@ + +cocci.print_main("potentially dangerous second copy_from_user()",p) + +@script:python depends on report@ +p << cfu_twice.p; +@@ + +coccilib.report.print_report(p[0],"potentially dangerous second copy_from_user()") -- 2.6.3 -- Kees Cook Chrome OS & Brillo Security ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v4 2/3] Coccinelle: misc: Improve the result given by context mode
To eliminate false positives given by the context mode, add necessary arguments for the function request_threaded_irq. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> Acked-by: Julia Lawall <julia.law...@lip6.fr> --- Changes since v3: - No changes in this patch Changes since v2: - Add missing declaration of metavariable irq Changes since v1: - Split patch in to the patch set --- scripts/coccinelle/misc/irqf_oneshot.cocci | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci b/scripts/coccinelle/misc/irqf_oneshot.cocci index bd3e140..cec3672 100644 --- a/scripts/coccinelle/misc/irqf_oneshot.cocci +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci @@ -79,9 +79,10 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ) @depends on context@ +expression irq; position p != {r1.p,r2.p}; @@ -*request_threaded_irq@p(...) +*request_threaded_irq@p(irq, NULL, ...) @match depends on report || org@ expression irq; -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v4 1/3] Coccinelle: misc: Improve the matching of rules
Currently because of the left associativity of the operators, pattern IRQF_ONESHOT | flags does not match with the pattern when we have more than one flag after the disjunction. This eventually results in giving false positives by the script. This patch eliminates these FPs by improving the rule. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- Changes since v3: - Few more changes in the script to avoid some possible false positives - Moved initialization of all expressions in a single line Changes since v2: - No change in this patch Changes since v1: - Splitted patch in the patchset --- scripts/coccinelle/misc/irqf_oneshot.cocci | 36 +++--- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci b/scripts/coccinelle/misc/irqf_oneshot.cocci index b421150..bd3e140 100644 --- a/scripts/coccinelle/misc/irqf_oneshot.cocci +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci @@ -15,16 +15,13 @@ virtual org virtual report @r1@ -expression dev; -expression irq; -expression thread_fn; -expression flags; +expression dev, irq, thread_fn; position p; @@ ( request_threaded_irq@p(irq, NULL, thread_fn, ( -flags | IRQF_ONESHOT +IRQF_ONESHOT | ... | IRQF_ONESHOT ) @@ -32,21 +29,34 @@ IRQF_ONESHOT | devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ( -flags | IRQF_ONESHOT +IRQF_ONESHOT | ... | IRQF_ONESHOT ) , ...) ) -@depends on patch@ -expression dev; -expression irq; -expression thread_fn; -expression flags; +@r2@ +expression dev, irq, thread_fn, flags, e; position p != r1.p; @@ ( +flags = IRQF_ONESHOT | ... +| +flags |= IRQF_ONESHOT | ... +) +... when != flags = e +( +request_threaded_irq@p(irq, NULL, thread_fn, flags, ...); +| +devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...); +) + +@depends on patch@ +expression dev, irq, thread_fn, flags; +position p != {r1.p,r2.p}; +@@ +( request_threaded_irq@p(irq, NULL, thread_fn, ( -0 @@ -69,13 +79,13 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ) @depends on context@ -position p != r1.p; +position p != {r1.p,r2.p}; @@ *request_threaded_irq@p(...) @match depends on report || org@ expression irq; -position p != r1.p; +position p != {r1.p,r2.p}; @@ request_threaded_irq@p(irq, NULL, ...) -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v4 0/3] Coccinelle: misc: Improve the script for more accurate results
Few changes to improve the results given by the irqf_oneshot.cocci: - Change in the matching rules to eliminate false postives in the patch mode - Change in the context mode to eliminate false postives in the context mode - Support for the missing devm_request_threaded_irq in context, report and org mode Changes since v3: - Few more changes in the script to avoid some possible false positives - Moved initialization of all expressions in a single line Changes since v2: - Add missing initialization of metavariables Changes since v1: - Split patch in to the patchset Vaishali Thakkar (3): Coccinelle: misc: Improve the matching of rules Coccinelle: misc: Improve the result given by context mode Coccinelle: misc: Add support for devm variant in all modes scripts/coccinelle/misc/irqf_oneshot.cocci | 52 +- 1 file changed, 36 insertions(+), 16 deletions(-) -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH v3 1/3] Coccinelle: misc: Improve the matching of rules
On Saturday 12 November 2016 11:36 PM, Julia Lawall wrote: > > > On Mon, 24 Oct 2016, Vaishali Thakkar wrote: > >> Currently because of the left associativity of the operators, pattern >> IRQF_ONESHOT | flags does not match with the pattern when we have more >> than one flag after the disjunction. This eventually results in giving >> false positives by the script. This patch eliminates these FPs by >> improving the rule. >> >> Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> >> --- >> Changes since v2: >> - No change in this patch >> Changes since v1: >> - Splitted patch in the patchset >> --- >> scripts/coccinelle/misc/irqf_oneshot.cocci | 30 >> -- >> 1 file changed, 24 insertions(+), 6 deletions(-) >> >> diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci >> b/scripts/coccinelle/misc/irqf_oneshot.cocci >> index b421150..a8537fb 100644 >> --- a/scripts/coccinelle/misc/irqf_oneshot.cocci >> +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci >> @@ -18,13 +18,12 @@ virtual report >> expression dev; >> expression irq; >> expression thread_fn; >> -expression flags; >> position p; >> @@ >> ( >> request_threaded_irq@p(irq, NULL, thread_fn, >> ( >> -flags | IRQF_ONESHOT >> +IRQF_ONESHOT | ... >> | >> IRQF_ONESHOT >> ) >> @@ -32,20 +31,39 @@ IRQF_ONESHOT >> | >> devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, >> ( >> -flags | IRQF_ONESHOT >> +IRQF_ONESHOT | ... >> | >> IRQF_ONESHOT >> ) >> , ...) >> ) >> >> -@depends on patch@ >> +@r2@ >> expression dev; >> expression irq; >> expression thread_fn; >> expression flags; >> +expression ret; >> position p != r1.p; >> @@ >> +flags = IRQF_ONESHOT | ...; >> +( >> +ret = request_threaded_irq@p(irq, NULL, thread_fn, flags, ...); >> +| >> +ret = devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...); >> +| >> +return request_threaded_irq@p(irq, NULL, thread_fn, flags, ...); >> +| >> +return devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...); >> +) > > This rule needs some improvement. > > flags = IRQF_ONESHOT | ...; > > should be replaced by: > > ( > flags = IRQF_ONESHOT | ... > | > flags |= IRQF_ONESHOT | ... > ) > ... when != flags = e > > where e should be a new expression metavariable. This effects a number of > changes. 1) Dropping the ; after the assignment allows an isomorphism to > trigger that allows it to match a variable declaration as well, 2) > IRQF_ONESHOT can be added after the original initialization by a |=, 3) > there can be some instructions between the initialization of flags and the > use. Ok, this makes sense. > Afterwards, the big disjunction with the irq calls is too specific. > In particular, these calls can also occur in an if test. The disjunction > should be replaced by the following: > > ( > request_threaded_irq@p(irq, NULL, thread_fn, flags, ...) > | > devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...) > ) Ok, primary motivation with having specified pattern was to have less running time. But as discussed, it doesn't make much difference. So, going with the more general way sounds good. Thanks for the suggestions. I'll send the the revised version with these changes. > julia > > >> + >> +@depends on patch@ >> +expression dev; >> +expression irq; >> +expression thread_fn; >> +expression flags; >> +position p != {r1.p,r2.p}; >> +@@ >> ( >> request_threaded_irq@p(irq, NULL, thread_fn, >> ( >> @@ -69,13 +87,13 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, >> ) >> >> @depends on context@ >> -position p != r1.p; >> +position p != {r1.p,r2.p}; >> @@ >> *request_threaded_irq@p(...) >> >> @match depends on report || org@ >> expression irq; >> -position p != r1.p; >> +position p != {r1.p,r2.p}; >> @@ >> request_threaded_irq@p(irq, NULL, ...) >> >> -- >> 2.1.4 >> >> -- Vaishali ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v3 3/3] Coccinelle: misc: Add support for devm variant in all modes
Add missing support for the devm_request_threaded_irq in the rules of context, report and org modes. Misc: To be consistent with other scripts, change confidence level of the script to 'Moderate'. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- Changes since v2: - Add missing initialization of metavariables Changes since v1: - Split patch in to the patchset --- scripts/coccinelle/misc/irqf_oneshot.cocci | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci b/scripts/coccinelle/misc/irqf_oneshot.cocci index e53372e..ca78125 100644 --- a/scripts/coccinelle/misc/irqf_oneshot.cocci +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci @@ -5,7 +5,7 @@ /// So pass the IRQF_ONESHOT flag in this case. /// // -// Confidence: Good +// Confidence: Moderate // Comments: // Options: --no-includes @@ -87,16 +87,26 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ) @depends on context@ +expression dev; expression irq; position p != {r1.p,r2.p}; @@ +( *request_threaded_irq@p(irq, NULL, ...) +| +*devm_request_threaded_irq@p(dev, irq, NULL, ...) +) @match depends on report || org@ +expression dev; expression irq; position p != {r1.p,r2.p}; @@ +( request_threaded_irq@p(irq, NULL, ...) +| +devm_request_threaded_irq@p(dev, irq, NULL, ...) +) @script:python depends on org@ p << match.p; -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v3 1/3] Coccinelle: misc: Improve the matching of rules
Currently because of the left associativity of the operators, pattern IRQF_ONESHOT | flags does not match with the pattern when we have more than one flag after the disjunction. This eventually results in giving false positives by the script. This patch eliminates these FPs by improving the rule. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- Changes since v2: - No change in this patch Changes since v1: - Splitted patch in the patchset --- scripts/coccinelle/misc/irqf_oneshot.cocci | 30 -- 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci b/scripts/coccinelle/misc/irqf_oneshot.cocci index b421150..a8537fb 100644 --- a/scripts/coccinelle/misc/irqf_oneshot.cocci +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci @@ -18,13 +18,12 @@ virtual report expression dev; expression irq; expression thread_fn; -expression flags; position p; @@ ( request_threaded_irq@p(irq, NULL, thread_fn, ( -flags | IRQF_ONESHOT +IRQF_ONESHOT | ... | IRQF_ONESHOT ) @@ -32,20 +31,39 @@ IRQF_ONESHOT | devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ( -flags | IRQF_ONESHOT +IRQF_ONESHOT | ... | IRQF_ONESHOT ) , ...) ) -@depends on patch@ +@r2@ expression dev; expression irq; expression thread_fn; expression flags; +expression ret; position p != r1.p; @@ +flags = IRQF_ONESHOT | ...; +( +ret = request_threaded_irq@p(irq, NULL, thread_fn, flags, ...); +| +ret = devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...); +| +return request_threaded_irq@p(irq, NULL, thread_fn, flags, ...); +| +return devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...); +) + +@depends on patch@ +expression dev; +expression irq; +expression thread_fn; +expression flags; +position p != {r1.p,r2.p}; +@@ ( request_threaded_irq@p(irq, NULL, thread_fn, ( @@ -69,13 +87,13 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ) @depends on context@ -position p != r1.p; +position p != {r1.p,r2.p}; @@ *request_threaded_irq@p(...) @match depends on report || org@ expression irq; -position p != r1.p; +position p != {r1.p,r2.p}; @@ request_threaded_irq@p(irq, NULL, ...) -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v3 0/3] Coccinelle: misc: Improve the script for more accurate results
Few changes to improve the results given by the irqf_oneshot.cocci: - Change in the matching rules to eliminate false postives in the patch mode - Change in the context mode to eliminate false postives in the context mode - Support for the missing devm_request_threaded_irq in context, report and org mode Changes since v2: - Add missing initialization of metavariables Changes since v1: - Split patch in to the patchset Vaishali Thakkar (3): Coccinelle: misc: Improve the matching of rules Coccinelle: misc: Improve the result given by context mode Coccinelle: misc: Add support for devm variant in all modes scripts/coccinelle/misc/irqf_oneshot.cocci | 45 -- 1 file changed, 37 insertions(+), 8 deletions(-) -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v3 2/3] Coccinelle: misc: Improve the result given by context mode
To eliminate false positives given by the context mode, add necessary arguments for the function request_threaded_irq. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- Changes since v2: - Add missing declaration of metavariable irq Changes since v1: - Split patch in to the patch set --- scripts/coccinelle/misc/irqf_oneshot.cocci | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci b/scripts/coccinelle/misc/irqf_oneshot.cocci index a8537fb..e53372e 100644 --- a/scripts/coccinelle/misc/irqf_oneshot.cocci +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci @@ -87,9 +87,10 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ) @depends on context@ +expression irq; position p != {r1.p,r2.p}; @@ -*request_threaded_irq@p(...) +*request_threaded_irq@p(irq, NULL, ...) @match depends on report || org@ expression irq; -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH v2 0/3] Coccinelle: misc: Improve the script for more accurate results
On Tuesday 18 October 2016 10:31 PM, Julia Lawall wrote: > > > On Tue, 18 Oct 2016, Vaishali Thakkar wrote: > >> >> >> On Tuesday 18 October 2016 10:04 PM, Julia Lawall wrote: >>> I get the following in patch mode that I don't get in context mode: >> >> Hi, >> >> Are you getting same number of devm cases in your report for the context >> and patch mode? [except this case] > > The only devm case I get in context mode is: > > diff -u -p /var/linuxes/linux-next/drivers/acpi/evged.c > /tmp/nothing/drivers/ac\ > pi/evged.c > --- /var/linuxes/linux-next/drivers/acpi/evged.c > +++ /tmp/nothing/drivers/acpi/evged.c > @@ -116,8 +116,6 @@ static acpi_status acpi_ged_request_inte > if (r.flags & IORESOURCE_IRQ_SHAREABLE) > irqflags |= IRQF_SHARED; > > - if (devm_request_threaded_irq(dev, irq, NULL, acpi_ged_irq_handler, > - irqflags, "ACPI:Ged", event)) { > dev_err(dev, "failed to setup event handler for irq %u\n", > irq); > return AE_ERROR; > } > > This one has the property that the first argument is an identifier. The > other cases seem to have a & expression. There are around 20 of them. Although I got the issue with the patches, I am wondering why even context mode gave result for the identifiers even though they are not initialized? Does that mean it automatically assumes the type of meta variables even though they are not initialized? I think spatch gives warnings for such cases. But I am not sure about the coccicheck. > julia > > > >> >> >>> diff -u -p a/drivers/power/supply/tps65090-charger.c >>> b/drivers/power/supply/tps\ >>> 65090-charger.c >>> --- a/drivers/power/supply/tps65090-charger.c >>> +++ b/drivers/power/supply/tps65090-charger.c >>> @@ -311,7 +311,8 @@ static int tps65090_charger_probe(struct >>> >>> if (irq != -ENXIO) { >>> ret = devm_request_threaded_irq(>dev, irq, NULL, >>> - tps65090_charger_isr, 0, "tps65090-charger", cdata); >>> + tps65090_charger_isr, IRQF_ONESHOT, >>> + "tps65090-charger", cdata); >>> if (ret) { >>> dev_err(cdata->dev, >>> "Unable to register irq %d err %d\n", irq, >>> >>> >>> julia >>> >> >> -- >> Vaishali >> -- Vaishali ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH v2 3/3] Coccinelle: misc: Add support for devm variant in all modes
On Sunday 16 October 2016 10:37 PM, Vaishali Thakkar wrote: > Add missing support for the devm_request_threaded_irq in > the rules of context, report and org modes. > > Misc: > > To be consistent with other scripts, change confidence level > of the script to 'Moderate'. > > Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> > --- > scripts/coccinelle/misc/irqf_oneshot.cocci | 10 +- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci > b/scripts/coccinelle/misc/irqf_oneshot.cocci > index 03b748d..f6c93fd 100644 > --- a/scripts/coccinelle/misc/irqf_oneshot.cocci > +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci > @@ -5,7 +5,7 @@ > /// So pass the IRQF_ONESHOT flag in this case. > /// > // > -// Confidence: Good > +// Confidence: Moderate > // Comments: > // Options: --no-includes > > @@ -89,13 +89,21 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, > @depends on context@ > position p != {r1.p,r2.p}; > @@ > +( > *request_threaded_irq@p(irq, NULL, ...) > +| > +*devm_request_threaded_irq@p(dev, irq, NULL, ...) > +) > > @match depends on report || org@ > expression irq; > position p != {r1.p,r2.p}; > @@ > +( > request_threaded_irq@p(irq, NULL, ...) > +| > +devm_request_threaded_irq@p(dev, irq, NULL, ...) > +) Oh, my bad here. :( Forgot the initialization of meta variables for the arguments. But I am wondering why coccicheck didn't fail here. Isn't it suppose to give parsing errors? Or it doesn't do that? In any case, I am sorry for this. I'll send the revised version of the patches. > @script:python depends on org@ > p << match.p; > -- Vaishali ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH v2 0/3] Coccinelle: misc: Improve the script for more accurate results
On Tuesday 18 October 2016 10:04 PM, Julia Lawall wrote: > I get the following in patch mode that I don't get in context mode: Hi, Are you getting same number of devm cases in your report for the context and patch mode? [except this case] > diff -u -p a/drivers/power/supply/tps65090-charger.c > b/drivers/power/supply/tps\ > 65090-charger.c > --- a/drivers/power/supply/tps65090-charger.c > +++ b/drivers/power/supply/tps65090-charger.c > @@ -311,7 +311,8 @@ static int tps65090_charger_probe(struct > > if (irq != -ENXIO) { > ret = devm_request_threaded_irq(>dev, irq, NULL, > - tps65090_charger_isr, 0, "tps65090-charger", cdata); > + tps65090_charger_isr, IRQF_ONESHOT, > + "tps65090-charger", cdata); > if (ret) { > dev_err(cdata->dev, > "Unable to register irq %d err %d\n", irq, > > > julia > -- Vaishali ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v2 3/3] Coccinelle: misc: Add support for devm variant in all modes
Add missing support for the devm_request_threaded_irq in the rules of context, report and org modes. Misc: To be consistent with other scripts, change confidence level of the script to 'Moderate'. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- scripts/coccinelle/misc/irqf_oneshot.cocci | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci b/scripts/coccinelle/misc/irqf_oneshot.cocci index 03b748d..f6c93fd 100644 --- a/scripts/coccinelle/misc/irqf_oneshot.cocci +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci @@ -5,7 +5,7 @@ /// So pass the IRQF_ONESHOT flag in this case. /// // -// Confidence: Good +// Confidence: Moderate // Comments: // Options: --no-includes @@ -89,13 +89,21 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, @depends on context@ position p != {r1.p,r2.p}; @@ +( *request_threaded_irq@p(irq, NULL, ...) +| +*devm_request_threaded_irq@p(dev, irq, NULL, ...) +) @match depends on report || org@ expression irq; position p != {r1.p,r2.p}; @@ +( request_threaded_irq@p(irq, NULL, ...) +| +devm_request_threaded_irq@p(dev, irq, NULL, ...) +) @script:python depends on org@ p << match.p; -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v2 0/3] Coccinelle: misc: Improve the script for more accurate results
Few changes to improve the results given by the irqf_oneshot.cocci: - Change in the matching rules to eliminate false postives in the patch mode - Change in the context mode to eliminate false postives in the context mode - Support for the missing devm_request_threaded_irq in context, report and org mode Vaishali Thakkar (3): Coccinelle: misc: Improve the matching of rules Coccinelle: misc: Improve the result given by context mode Coccinelle: misc: Add support for devm variant in all modes scripts/coccinelle/misc/irqf_oneshot.cocci | 42 -- 1 file changed, 34 insertions(+), 8 deletions(-) -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v2 1/3] Coccinelle: misc: Improve the matching of rules
Currently because of the left associativity of the operators, pattern IRQF_ONESHOT | flags does not match with the pattern when we have more than one flag after the disjunction. This eventually results in giving false positives by the script. This patch eliminates these FPs by improving the rule. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- scripts/coccinelle/misc/irqf_oneshot.cocci | 30 -- 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci b/scripts/coccinelle/misc/irqf_oneshot.cocci index b421150..b538d08 100644 --- a/scripts/coccinelle/misc/irqf_oneshot.cocci +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci @@ -18,13 +18,12 @@ virtual report expression dev; expression irq; expression thread_fn; -expression flags; position p; @@ ( request_threaded_irq@p(irq, NULL, thread_fn, ( -flags | IRQF_ONESHOT +IRQF_ONESHOT | ... | IRQF_ONESHOT ) @@ -32,20 +31,39 @@ IRQF_ONESHOT | devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ( -flags | IRQF_ONESHOT +IRQF_ONESHOT | ... | IRQF_ONESHOT ) , ...) ) -@depends on patch@ +@r2@ expression dev; expression irq; expression thread_fn; expression flags; +expression ret; position p != r1.p; @@ +flags = IRQF_ONESHOT | ...; +( +ret = request_threaded_irq@p(irq, NULL, thread_fn, flags, ...); +| +ret = devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...); +| +return request_threaded_irq@p(irq, NULL, thread_fn, flags, ...); +| +return devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...); +) + +@depends on patch@ +expression dev; +expression irq; +expression thread_fn; +expression flags; +position p != {r1.p,r2.p}; +@@ ( request_threaded_irq@p(irq, NULL, thread_fn, ( @@ -69,13 +87,13 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ) @depends on context@ -position p != r1.p; +position p != {r1.p,r2.p}; @@ *request_threaded_irq@p(...) @match depends on report || org@ expression irq; -position p != r1.p; +position p != {r1.p,r2.p}; @@ request_threaded_irq@p(irq, NULL, ...) -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] Coccinelle: misc: Improve the script for more accurate results
On Friday 14 October 2016 02:21 PM, Lars-Peter Clausen wrote: > On 10/13/2016 07:01 PM, Vaishali Thakkar wrote: >> >> >> On Thursday 13 October 2016 09:45 PM, Julia Lawall wrote: >>> >>> >>> On Thu, 13 Oct 2016, Vaishali Thakkar wrote: >>> >>>> Currently because of the left associativity of the operators, >>>> pattern IRQF_ONESHOT | flags does not match with the pattern >>>> when we have more than one flag after the disjunction. This >>>> eventually results in giving false positives by the script. >>>> The patch eliminates these FPs by improving the rule. >>>> >>>> Also, add a new rule to eliminate the false positives given by >>>> the new line issue. >>>> >>>> Misc: >>>> >>>> 1. Add support for the context, org and report mode in the case >>>>of devm_request_threaded_irq >>>> 2. To be consistent with other scripts, change the confidence >>>>level to 'Moderate' >>> >>> I'm getting a lot more reports for context mode than for patch mode, eg >>> for sound/pcmcia/vx/vxpocket.c. Is this normal? >> >> This seems to be because of the ... in '*request_threaded_irq@p(...)'. >> Usually I think we should have same rules for the patch and context mode. >> But the original code does not do that. So, I was not sure if that was >> intentional or not. >> [just in case, person wants to check all cases of these functions using >> context mode] > > To be honest, I don't remember if it was intentional or not. But looking at > it now, I'd say context mode should use the same pattern as the report mode. > The way it is right now context mode certainly generates a fair amount of > false positives. > > As for your patch I'd say split this into multiple patches, one patch to add > the missing devm_ variants to the context and report mode and one patch to > improve the matching, since these are two independent changes. Sure. I'll send the revised version with 3 patches. One more with changing the rule of context mode. > -- Vaishali ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH] Coccinelle: misc: Improve the script for more accurate results
Currently because of the left associativity of the operators, pattern IRQF_ONESHOT | flags does not match with the pattern when we have more than one flag after the disjunction. This eventually results in giving false positives by the script. The patch eliminates these FPs by improving the rule. Also, add a new rule to eliminate the false positives given by the new line issue. Misc: 1. Add support for the context, org and report mode in the case of devm_request_threaded_irq 2. To be consistent with other scripts, change the confidence level to 'Moderate' Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- scripts/coccinelle/misc/irqf_oneshot.cocci | 41 +- 1 file changed, 34 insertions(+), 7 deletions(-) diff --git a/scripts/coccinelle/misc/irqf_oneshot.cocci b/scripts/coccinelle/misc/irqf_oneshot.cocci index b421150..76fd0a2 100644 --- a/scripts/coccinelle/misc/irqf_oneshot.cocci +++ b/scripts/coccinelle/misc/irqf_oneshot.cocci @@ -5,7 +5,7 @@ /// So pass the IRQF_ONESHOT flag in this case. /// // -// Confidence: Good +// Confidence: Moderate // Comments: // Options: --no-includes @@ -18,13 +18,12 @@ virtual report expression dev; expression irq; expression thread_fn; -expression flags; position p; @@ ( request_threaded_irq@p(irq, NULL, thread_fn, ( -flags | IRQF_ONESHOT +IRQF_ONESHOT | ... | IRQF_ONESHOT ) @@ -32,20 +31,40 @@ IRQF_ONESHOT | devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ( -flags | IRQF_ONESHOT +IRQF_ONESHOT | ... | IRQF_ONESHOT ) , ...) ) -@depends on patch@ +@r2@ expression dev; expression irq; expression thread_fn; expression flags; +expression ret; position p != r1.p; @@ +flags = IRQF_ONESHOT | ...; +( +ret = request_threaded_irq@p(irq, NULL, thread_fn, flags, ...); +| +ret = devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...); +| +return request_threaded_irq@p(irq, NULL, thread_fn, flags, ...); +| +return devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, flags, ...); +) + +@depends on patch@ +expression dev; +expression irq; +expression thread_fn; +expression flags; +position p != {r1.p,r2.p}; +@@ + ( request_threaded_irq@p(irq, NULL, thread_fn, ( @@ -69,15 +88,23 @@ devm_request_threaded_irq@p(dev, irq, NULL, thread_fn, ) @depends on context@ -position p != r1.p; +position p != {r1.p,r2.p}; @@ +( *request_threaded_irq@p(...) +| +*devm_request_threaded_irq@p(...) +) @match depends on report || org@ expression irq; -position p != r1.p; +position p != {r1.p,r2.p}; @@ +( request_threaded_irq@p(irq, NULL, ...) +| +devm_request_threaded_irq@p(dev, irq, NULL, ...) +) @script:python depends on org@ p << match.p; -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v3] Coccinelle: noderef: Add new rules and correct the old rule
Add new rules to detect the cases where sizeof is used in function calls as a argument. Also, for the patch mode third rule should behave same as second rule with arguments reversed. So, change that as well. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- Changes since v2: - Add rules for function calls. This will behave as more general rules and covers cases which were covered by the rule in previous versions of the patch - Change subject and commit log accordingly. Changes since v1: - Declare i as an expression instead of identifier to cover more cases --- scripts/coccinelle/misc/noderef.cocci | 18 +- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/scripts/coccinelle/misc/noderef.cocci b/scripts/coccinelle/misc/noderef.cocci index 80a831c..007f0de 100644 --- a/scripts/coccinelle/misc/noderef.cocci +++ b/scripts/coccinelle/misc/noderef.cocci @@ -16,6 +16,7 @@ virtual patch @depends on patch@ expression *x; expression f; +expression i; type T; @@ @@ -30,15 +31,26 @@ f(...,(T)(x),...,sizeof( + *x ),...) | -f(...,sizeof(x),...,(T)( +f(...,sizeof( +- x ++ *x + ),...,(T)(x),...) +| +f(...,(T)(x),...,i*sizeof( - x + *x ),...) +| +f(...,i*sizeof( +- x ++ *x + ),...,(T)(x),...) ) @r depends on !patch@ expression *x; expression f; +expression i; position p; type T; @@ @@ -49,6 +61,10 @@ type T; *f(...,(T)(x),...,sizeof@p(x),...) | *f(...,sizeof@p(x),...,(T)(x),...) +| +*f(...,(T)(x),...,i*sizeof@p(x),...) +| +*f(...,i*sizeof@p(x),...,(T)(x),...) ) @script:python depends on org@ -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH v2] Coccinelle: noderef: Add a rule and correct the old rule
Add a new rule to detect the cases where sizeof is used as a subexpression rather than a top level argument. Also, for the patch mode third rule should behave same as second rule with arguments reversed. So, change that as well. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- Changes since v1: - Declare i as an expression instead of identifier to cover more cases --- scripts/coccinelle/misc/noderef.cocci | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/scripts/coccinelle/misc/noderef.cocci b/scripts/coccinelle/misc/noderef.cocci index 80a831c..584dd01 100644 --- a/scripts/coccinelle/misc/noderef.cocci +++ b/scripts/coccinelle/misc/noderef.cocci @@ -16,6 +16,7 @@ virtual patch @depends on patch@ expression *x; expression f; +expression i; type T; @@ @@ -30,7 +31,12 @@ f(...,(T)(x),...,sizeof( + *x ),...) | -f(...,sizeof(x),...,(T)( +f(...,sizeof( +- x ++ *x + ),...,(T)(x),...) +| +x = f(...,i*sizeof( - x + *x ),...) @@ -39,6 +45,7 @@ f(...,sizeof(x),...,(T)( @r depends on !patch@ expression *x; expression f; +expression i; position p; type T; @@ @@ -49,6 +56,8 @@ type T; *f(...,(T)(x),...,sizeof@p(x),...) | *f(...,sizeof@p(x),...,(T)(x),...) +| +*x = f(...,i*sizeof@p(x),...) ) @script:python depends on org@ -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] [PATCH] Coccinelle: noderef: Add a rule and correct the old rule
On Friday 06 May 2016 01:40 AM, Julia Lawall wrote: > > > On Wed, 27 Apr 2016, Vaishali Thakkar wrote: > >> Add a new rule to detect the cases where sizeof is used as a >> subexpression rather than a top level argument. >> >> Also, for the patch mode third rule should behave same as >> second rule with arguments reversed. So, change that as well. >> >> Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> >> --- >> scripts/coccinelle/misc/noderef.cocci | 11 ++- >> 1 file changed, 10 insertions(+), 1 deletion(-) >> >> diff --git a/scripts/coccinelle/misc/noderef.cocci >> b/scripts/coccinelle/misc/noderef.cocci >> index 80a831c..9991ee9 100644 >> --- a/scripts/coccinelle/misc/noderef.cocci >> +++ b/scripts/coccinelle/misc/noderef.cocci >> @@ -16,6 +16,7 @@ virtual patch >> @depends on patch@ >> expression *x; >> expression f; >> +identifier i; > > I think that i could be an expression in both cases? Yeah, that would be fine I guess. I'll send the v2. > julia > >> type T; >> @@ >> >> @@ -30,7 +31,12 @@ f(...,(T)(x),...,sizeof( >> + *x >> ),...) >> | >> -f(...,sizeof(x),...,(T)( >> +f(...,sizeof( >> +- x >> ++ *x >> + ),...,(T)(x),...) >> +| >> +x = f(...,i*sizeof( >> - x >> + *x >> ),...) >> @@ -39,6 +45,7 @@ f(...,sizeof(x),...,(T)( >> @r depends on !patch@ >> expression *x; >> expression f; >> +identifier i; >> position p; >> type T; >> @@ >> @@ -49,6 +56,8 @@ type T; >> *f(...,(T)(x),...,sizeof@p(x),...) >> | >> *f(...,sizeof@p(x),...,(T)(x),...) >> +| >> +*x = f(...,i*sizeof@p(x),...) >> ) >> >> @script:python depends on org@ >> -- >> 2.1.4 >> >> -- Vaishali ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH] Coccinelle: noderef: Add a rule and correct the old rule
Add a new rule to detect the cases where sizeof is used as a subexpression rather than a top level argument. Also, for the patch mode third rule should behave same as second rule with arguments reversed. So, change that as well. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- scripts/coccinelle/misc/noderef.cocci | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/scripts/coccinelle/misc/noderef.cocci b/scripts/coccinelle/misc/noderef.cocci index 80a831c..9991ee9 100644 --- a/scripts/coccinelle/misc/noderef.cocci +++ b/scripts/coccinelle/misc/noderef.cocci @@ -16,6 +16,7 @@ virtual patch @depends on patch@ expression *x; expression f; +identifier i; type T; @@ @@ -30,7 +31,12 @@ f(...,(T)(x),...,sizeof( + *x ),...) | -f(...,sizeof(x),...,(T)( +f(...,sizeof( +- x ++ *x + ),...,(T)(x),...) +| +x = f(...,i*sizeof( - x + *x ),...) @@ -39,6 +45,7 @@ f(...,sizeof(x),...,(T)( @r depends on !patch@ expression *x; expression f; +identifier i; position p; type T; @@ @@ -49,6 +56,8 @@ type T; *f(...,(T)(x),...,sizeof@p(x),...) | *f(...,sizeof@p(x),...,(T)(x),...) +| +*x = f(...,i*sizeof@p(x),...) ) @script:python depends on org@ -- 2.1.4 ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
Re: [Cocci] Red Hat Women in open source award
On Wednesday 17 February 2016 06:17 PM, Derek M Jones wrote: > Julia, > >> If you care to put in a vote for me/Coccinelle... > > I would be happy to vote for you, but do you really > want to win this? > > The women on the academic side are all students and > yours is the only name I recognise on the community list. > I think Community and Academic awards are different. Julia is in competition with Valeria Aurora, Jessica Mckellar, Heidi Hills and Carrie Anne Philbin. >> https://www.redhat.com/en/about/women-in-open-source >> >> julia >> ___ >> Cocci mailing list >> Cocci@systeme.lip6.fr >> https://systeme.lip6.fr/mailman/listinfo/cocci >> > -- Vaishali ___ Cocci mailing list Cocci@systeme.lip6.fr https://systeme.lip6.fr/mailman/listinfo/cocci
[Cocci] [PATCH] Coccinelle: Add api/setup_timer.cocci
Use the timer API function setup_timer instead of structure field assignments to initialize a timer. Signed-off-by: Vaishali Thakkar <vaishali.thak...@oracle.com> --- scripts/coccinelle/api/setup_timer.cocci | 199 +++ 1 file changed, 199 insertions(+) create mode 100644 scripts/coccinelle/api/setup_timer.cocci diff --git a/scripts/coccinelle/api/setup_timer.cocci b/scripts/coccinelle/api/setup_timer.cocci new file mode 100644 index 000..8ee0ac3 --- /dev/null +++ b/scripts/coccinelle/api/setup_timer.cocci @@ -0,0 +1,199 @@ +/// Use setup_timer function instead of initializing timer with the function +/// and data fields +// Confidence: High +// Copyright: (C) 2016 Vaishali Thakkar, Oracle. GPLv2 +// Options: --no-includes --include-headers +// Keywords: init_timer, setup_timer + +virtual patch +virtual context +virtual org +virtual report + +@match_immediate_function_data_after_init_timer +depends on patch && !context && !org && !report@ +expression e, func, da; +@@ + +-init_timer (); ++setup_timer (, func, da); + +( +-e.function = func; +-e.data = da; +| +-e.data = da; +-e.function = func; +) + +@match_function_and_data_after_init_timer +depends on patch && !context && !org && !report@ +expression e1, e2, e3, e4, e5, a, b; +@@ + +-init_timer (); ++setup_timer (, a, b); + +... when != a = e2 +when != b = e3 +( +-e1.function = a; +... when != b = e4 +-e1.data = b; +| +-e1.data = b; +... when != a = e5 +-e1.function = a; +) + +@r1 exists@ +identifier f; +position p; +@@ + +f(...) { ... when any + init_timer@p(...) + ... when any +} + +@r2 exists@ +identifier g != r1.f; +struct timer_list t; +expression e8; +@@ + +g(...) { ... when any + t.data = e8 + ... when any +} + +// It is dangerous to use setup_timer if data field is initialized +// in another function. + +@script:python depends on r2@ +p << r1.p; +@@ + +cocci.include_match(False) + +@r3 depends on patch && !context && !org && !report@ +expression e6, e7, c; +position r1.p; +@@ + +-init_timer@p (); ++setup_timer (, c, 0UL); +... when != c = e7 +-e6.function = c; + +// + +@match_immediate_function_data_after_init_timer_context +depends on !patch && (context || org || report)@ +expression da, e, func; +position j0, j1, j2; +@@ + +* init_timer@j0 (); +( +* e@j1.function = func; +* e...@j2.data = da; +| +* e...@j1.data = da; +* e@j2.function = func; +) + +@match_function_and_data_after_init_timer_context +depends on !patch && +!match_immediate_function_data_after_init_timer_context && +(context || org || report)@ +expression a, b, e1, e2, e3, e4, e5; +position j0, j1, j2; +@@ + +* init_timer@j0 (); +... when != a = e2 +when != b = e3 +( +* e1@j1.function = a; +... when != b = e4 +* e...@j2.data = b; +| +* e...@j1.data = b; +... when != a = e5 +* e1@j2.function = a; +) + +@r3_context depends on !patch && +!match_immediate_function_data_after_init_timer_context && +!match_function_and_data_after_init_timer_context && +(context || org || report)@ +expression c, e6, e7; +position r1.p; +position j0, j1; +@@ + +* init_timer@j0@p (); +... when != c = e7 +* e6@j1.function = c; + +// + +@script:python match_immediate_function_data_after_init_timer_org +depends on org@ +j0 << match_immediate_function_data_after_init_timer_context.j0; +j1 << match_immediate_function_data_after_init_timer_context.j1; +j2 << match_immediate_function_data_after_init_timer_context.j2; +@@ + +msg = "Use setup_timer function." +coccilib.org.print_todo(j0[0], msg) +coccilib.org.print_link(j1[0], "") +coccilib.org.print_link(j2[0], "") + +@script:python match_function_and_data_after_init_timer_org depends on org@ +j0 << match_function_and_data_after_init_timer_context.j0; +j1 << match_function_and_data_after_init_timer_context.j1; +j2 << match_function_and_data_after_init_timer_context.j2; +@@ + +msg = "Use setup_timer function." +coccilib.org.print_todo(j0[0], msg) +coccilib.org.print_link(j1[0], "") +coccilib.org.print_link(j2[0], "") + +@script:python r3_org depends on org@ +j0 << r3_context.j0; +j1 << r3_context.j1; +@@ + +msg = "Use setup_timer function." +coccilib.org.print_todo(j0[0], msg) +coccilib.org.print_link(j1[0], "") + +// + +@script:python match_immediate_function_data_after_init_timer_report +depends on report@ +j0 << match_immediate_function_data_after_init_timer_context.j0; +j1 << match_immediate_function_data_after_init_timer_context.j1; +@@ + +msg = "Use setup_timer function for function on line %s." % (j1[0].l