* [Cocci] array addressing range checking by coccinelle
@ 2015-05-21 10:19 Zied Habtoul
  2015-05-21 21:13 ` [Cocci] array index range checking SF Markus Elfring
  0 siblings, 1 reply; 10+ messages in thread
From: Zied Habtoul @ 2015-05-21 10:19 UTC (permalink / raw)
  To: cocci

Hello,
I want to implement a script to check this rule:
Before any array access, the addressing range must be checked.

example
in this code

void main ()
{

int T[10];
 T[20] = 5 ;

}


The script must detect an error on ( T[20] = 5 ;) because there is an
overflow of the array size.

Any suggestions, please, to implement this script?

* [Cocci] array index range checking
  2015-05-21 10:19 [Cocci] array addressing range checking by coccinelle Zied Habtoul
@ 2015-05-21 21:13 ` SF Markus Elfring
  2015-05-21 21:55   ` Zied Habtoul
  0 siblings, 1 reply; 10+ messages in thread
From: SF Markus Elfring @ 2015-05-21 21:13 UTC (permalink / raw)
  To: cocci

> the script must detect an error on ( T[20] = 5 ;)
> because there is an overflow of the array size.

Did you experiment with any SmPL script already?


> any suggestions please to implement this script ?

Would you like to analyse affected source code
only with constant array indexes?

Do you need to check for inappropriate numbers with
a bit of additional Python or OCaml programming?

Regards,
Markus


* [Cocci] array index range checking
  2015-05-21 21:13 ` [Cocci] array index range checking SF Markus Elfring
@ 2015-05-21 21:55   ` Zied Habtoul
  2015-05-22  5:47     ` SF Markus Elfring
  0 siblings, 1 reply; 10+ messages in thread
From: Zied Habtoul @ 2015-05-21 21:55 UTC (permalink / raw)
  To: cocci

I tried this script:

@r@
position p1;
identifier  arr;
constant i , var;
type T;
@@
 T arr[var];
... when != (i < var/ )
...
* arr[i]@p1

2015-05-21 23:13 GMT+02:00 SF Markus Elfring <elfring@users.sourceforge.net>:

> > the script must detect an error on ( T[20] = 5 ;)
> > because there is an overflow of the array size.
>
> Did you experiment with any SmPL script already?
>
>
> > any suggestions please to implement this script ?
>
> Would you like to analyse affected source code
> only with constant array indexes?
>
> Do you need to check for inappropriate numbers with
> a bit of additional Python or OCaml programming?
>
> Regards,
> Markus
>

* [Cocci] array index range checking
  2015-05-21 21:55   ` Zied Habtoul
@ 2015-05-22  5:47     ` SF Markus Elfring
  2015-05-22  8:59       ` Zied Habtoul
  0 siblings, 1 reply; 10+ messages in thread
From: SF Markus Elfring @ 2015-05-22  5:47 UTC (permalink / raw)
  To: cocci

> i tried this script
>
> @r@
> position p1;
> identifier  arr;
> constant i , var;
> type T;
> @@
>  T arr[var];

Does this SmPL approach work a bit as you expect?
Which details did not satisfy you so far?


> ... when != (i < var/ )

What do you think about omitting the parentheses here?


> ...
> * arr[i]@p1

Would you like to reuse the data from the position variable anywhere?

How do you want to handle scopes for the involved array indexes?
http://en.cppreference.com/w/c/language/scope

Regards,
Markus


* [Cocci] array index range checking
  2015-05-22  5:47     ` SF Markus Elfring
@ 2015-05-22  8:59       ` Zied Habtoul
  2015-05-22 10:05         ` SF Markus Elfring
  0 siblings, 1 reply; 10+ messages in thread
From: Zied Habtoul @ 2015-05-22  8:59 UTC (permalink / raw)
  To: cocci

I don't get the expected result, because my goal is to detect the overflow
of the array size.
When we have a defined array, when we access this array the script must
print a warning when the index is superior to the size of the array. This
index can be a constant or a variable. The script must detect all the
possible cases of the array size overflow.

2015-05-22 7:47 GMT+02:00 SF Markus Elfring <elfring@users.sourceforge.net>:

> > i tried this script
> >
> > @r@
> > position p1;
> > identifier  arr;
> > constant i , var;
> > type T;
> > @@
> >  T arr[var];
>
> Does this SmPL approach work a bit as you expect?
> Which details did not satisfy you so far?
>
>
> > ... when != (i < var/ )
>
> How do you think about to omit parentheses here?
>
>
> > ...
> > * arr[i]@p1
>
> Would you like to reuse the data from the position variable anywhere?
>
> How do you want to handle scopes for the involved array indexes?
> http://en.cppreference.com/w/c/language/scope
>
> Regards,
> Markus
>

* [Cocci] array index range checking
  2015-05-22  8:59       ` Zied Habtoul
@ 2015-05-22 10:05         ` SF Markus Elfring
  2015-05-22 10:13           ` Zied Habtoul
  0 siblings, 1 reply; 10+ messages in thread
From: SF Markus Elfring @ 2015-05-22 10:05 UTC (permalink / raw)
  To: cocci

> i don't get the expected result , ?

How does it differ from your expectations?


> the script must detect all the possible cases of the array size overflow.

The goal is clear. How many software development challenges
are you going to consider for such a purpose?

Regards,
Markus


* [Cocci] array index range checking
  2015-05-22 10:05         ` SF Markus Elfring
@ 2015-05-22 10:13           ` Zied Habtoul
  2015-05-22 10:40             ` SF Markus Elfring
  2015-05-22 11:11             ` Julia Lawall
  0 siblings, 2 replies; 10+ messages in thread
From: Zied Habtoul @ 2015-05-22 10:13 UTC (permalink / raw)
  To: cocci

I want the script to compare the index to the size of the array. If the
index is superior to the size, a warning must be printed.
I don't know if Coccinelle can do this.

2015-05-22 12:05 GMT+02:00 SF Markus Elfring <elfring@users.sourceforge.net>:

> > i don't get the expected result , ?
>
> How does it differ from your expectations?
>
>
> > the script must detect all the possible cases of the array size overflow.
>
> The goal is clear. How many software development challenges
> are you going to consider for such a purpose?
>
> Regards,
> Markus
>

* [Cocci] array index range checking
  2015-05-22 10:13           ` Zied Habtoul
@ 2015-05-22 10:40             ` SF Markus Elfring
  2015-05-22 11:11             ` Julia Lawall
  1 sibling, 0 replies; 10+ messages in thread
From: SF Markus Elfring @ 2015-05-22 10:40 UTC (permalink / raw)
  To: cocci

> i want that the script compare the index to the size of the array.

What do you think about trying this comparison with Python or OCaml scripts
(within SmPL)?


> i don't know if coccinelle can do this.

I have got the impression that this software can also find some update
candidates for your search pattern in principle. But I imagine that the
software development efforts will increase significantly to make its
application safer to some degree.

How would you like to handle scopes around array variables generally?

Regards,
Markus
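
Added example, not part of any message in this thread: one way to do the comparison in a Python script rule within SmPL, restricted to constant sizes and constant indexes on an array declared in the same function as the access. The rule name r, the file name array_bounds.cocci and the message text are assumptions; as the next reply in the thread points out, this kind of matching knows nothing about the values of variable indexes.

```cocci
// Added example: flag constant indexes that fall outside a constant-sized
// local array. Run with: spatch --sp-file array_bounds.cocci file.c
@r exists@
type T;
identifier arr;
constant size, idx;
position p;
@@
T arr[size];
...
arr[idx]@p

@script:python@
arr << r.arr;
size << r.size;
idx << r.idx;
p << r.p;
@@
# Constant metavariables arrive as source text. int(x, 0) accepts decimal
# and 0x-prefixed literals; anything it cannot parse (suffixed literals,
# macro names, C octal) is skipped rather than guessed at.
try:
    n = int(size, 0)
    i = int(idx, 0)
except ValueError:
    cocci.include_match(False)
else:
    if not 0 <= i < n:
        print("%s:%s: index %s is outside %s[%s]"
              % (p[0].file, p[0].line, idx, arr, size))
```

On the code from the first message this reports the T[20] access; an index held in a variable, or an array declared at file scope, is not matched by rule r at all.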


* [Cocci] array index range checking
  2015-05-22 10:13           ` Zied Habtoul
  2015-05-22 10:40             ` SF Markus Elfring
@ 2015-05-22 11:11             ` Julia Lawall
  2015-05-22 11:53               ` SF Markus Elfring
  1 sibling, 1 reply; 10+ messages in thread
From: Julia Lawall @ 2015-05-22 11:11 UTC (permalink / raw)
  To: cocci



On Fri, 22 May 2015, Zied Habtoul wrote:

> i want that the script compare the index to the size of the array. if the
> index is superior to the size , a warning must be printed.
> i don't know if coccinelle can do this.
>

I doubt that Coccinelle is really the right technique for this problem.
Coccinelle can detect when there are no checks at all.  But it will not
detect the case where you check but on the wrong value.  Coccinelle
doesn't know anything about e.g. the values of particular variables.  Maybe
some other tools in the Linux kernel such as smatch or sparse would be
more helpful in this case.

julia


> 2015-05-22 12:05 GMT+02:00 SF Markus Elfring
> <elfring@users.sourceforge.net>:
>       > i don't get the expected result , ?
>
>       How does it differ from your expectations?
> 
>
>       > the script must detect all the possible cases of the array
>       size overflow.
>
>       The goal is clear. How many software development challenges
>       are you going to consider for such a purpose?
>
>       Regards,
>       Markus
> 
> 
> 
>


* [Cocci] array index range checking
  2015-05-22 11:11             ` Julia Lawall
@ 2015-05-22 11:53               ` SF Markus Elfring
  0 siblings, 0 replies; 10+ messages in thread
From: SF Markus Elfring @ 2015-05-22 11:53 UTC (permalink / raw)
  To: cocci

> But it will not detect the case where you check but on the wrong value.
> Coccinelle doesn't know anything about eg the values of particular
> variables.

Will any more software developers dare to fiddle with data flow analysis
by the help of your tool?

Regards,
Markus
