Coccinelle Archive on lore.kernel.org
* [Cocci] [PATCH] scripts/coccinelle: Add script to detect sign extension
From: Evan Benn @ 2021-03-19  3:36 UTC
  To: Julia Lawall; +Cc: Michal Marek, Nicolas Palix, linux-kernel, Evan Benn, cocci

Hello,

I am attempting to create a coccinelle script that will detect possibly buggy
usage of the bitwise operators where integer promotion may result in bugs,
usually due to sign extension.

I know this script needs a lot more work, but I am just beginning to learn the
syntax of coccinelle. At this stage I am mainly looking for advice if this is
even worth continuing, or if I am on the wrong track entirely. 

Here is an example of the bug I hope to find:

https://lore.kernel.org/lkml/20210317013758.GA134033@roeck-us.net/

Where ints and unsigned are mixed in bitwise operations, and the sizes differ.

Thanks

Evan Benn

Signed-off-by: Evan Benn <evanbenn@chromium.org>
---

 .../coccinelle/tests/int_sign_extend.cocci    | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 scripts/coccinelle/tests/int_sign_extend.cocci

diff --git a/scripts/coccinelle/tests/int_sign_extend.cocci b/scripts/coccinelle/tests/int_sign_extend.cocci
new file mode 100644
index 000000000000..bad61e37e4e7
--- /dev/null
+++ b/scripts/coccinelle/tests/int_sign_extend.cocci
@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/// Mixing signed and unsigned types in bitwise operations risks problems when
+/// the 'Usual arithmetic conversions' are applied.
+/// For example:
+/// https://lore.kernel.org/lkml/20210317013758.GA134033@roeck-us.net/
+/// When a signed int and an unsigned int are compared there is no problem.
+/// But if the unsigned is changed to a unsigned long, for example by using BIT
+/// the signed value will be sign-extended and could result in incorrect logic.
+// Confidence:
+// Copyright: (C) 2021 Evan Benn <evanbenn@chromium.org>
+// Comments:
+// Options:
+
+virtual context
+virtual org
+virtual report
+
+@r@
+position p;
+{int} s;
+{unsigned long} u;
+@@
+    s@p & u
+
+@script:python depends on org@
+p << r.p;
+@@
+
+cocci.print_main("sign extension when comparing bits of signed and unsigned values", p)
+
+@script:python depends on report@
+p << r.p;
+@@
+
+coccilib.report.print_report(p[0],"sign extension when comparing bits of signed and unsigned values")
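Review bot: the match rule `r` is narrower than the header comment describes: `s@p & u` only fires when the `{int}` operand is on the left of `&` and the `{unsigned long}` operand is on the right. The same conversion applies to `u & s` and to `|` and `^`, and none of those are reported. Consider a disjunction over both operand orders and the other bitwise operators, and a wider set of signed types than `{int}`. The report strings also say "comparing bits" while the rule matches a bitwise AND rather than a comparison; wording them after what is actually matched would make the reports easier to act on.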
-- 
2.31.0.291.g576ba9dcdaf-goog

_______________________________________________
Cocci mailing list
Cocci@systeme.lip6.fr
https://systeme.lip6.fr/mailman/listinfo/cocci
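
The bug class described in the message above, as an added C example that is not part of the original post or of the linked kernel report. `BIT64`, `test_bit_signed`, `test_bit_unsigned` and `widened` are hypothetical names, and `uint64_t` stands in for a 64-bit `unsigned long` so the width is explicit.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's BIT() on a 64-bit build, where it
 * yields an unsigned long; uint64_t keeps the width explicit here. */
#define BIT64(n) ((uint64_t)1 << (n))

/* Pattern the rule targets: signed int operand & 64-bit unsigned operand.
 * The usual arithmetic conversions turn `flags` into uint64_t, and a
 * negative int converts to a value with bits 32..63 all set. */
static int test_bit_signed(int32_t flags, unsigned int bit)
{
    return (flags & BIT64(bit)) != 0;
}

/* Same test with the signed operand converted to a same-width unsigned
 * type first, so the widening zero-extends instead. */
static int test_bit_unsigned(int32_t flags, unsigned int bit)
{
    return ((uint32_t)flags & BIT64(bit)) != 0;
}

/* What the signed operand looks like after conversion to 64 bits. */
static uint64_t widened(int32_t flags)
{
    return (uint64_t)flags;
}

int main(void)
{
    /* Constructed sample: a 32-bit flags word with only bit 31 set. */
    int32_t flags = INT32_MIN;

    printf("widened:         0x%016llx\n", (unsigned long long)widened(flags));
    printf("bit 40 signed:   %d\n", test_bit_signed(flags, 40));
    printf("bit 40 unsigned: %d\n", test_bit_unsigned(flags, 40));
    printf("bit 31 signed:   %d\n", test_bit_signed(flags, 31));
    return 0;
}
```

Bit 40 was never set in the 32-bit word, yet the signed variant reports it as set; the two variants agree for every bit below 32.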


* Re: [Cocci] [PATCH] scripts/coccinelle: Add script to detect sign extension
From: Julia Lawall @ 2021-03-19  8:36 UTC
  To: Evan Benn; +Cc: Michal Marek, Nicolas Palix, cocci, linux-kernel



On Fri, 19 Mar 2021, Evan Benn wrote:

> Hello,
>
> I am attempting to create a coccinelle script that will detect possibly buggy
> usage of the bitwise operators where integer promotion may result in bugs,
> usually due to sign extension.
>
> I know this script needs a lot more work, but I am just beginning to learn the
> syntax of coccinelle. At this stage I am mainly looking for advice if this is
> even worth continuing, or if I am on the wrong track entirely.

I'm not really an expert in the problem, so I don't know exactly what are
the kinds of code you want to find.  Coccinelle is good at matching the
types of things and the structure of things.  If you need to know the
actual values of things, you may want to try smatch.  Coccinelle probably
doesn't have complete knowledge of how various operators affect C types.
For example, it would not have known that BIT results in a long.

The best you can do is try some rules and see what the results are, and
try to collect some relevant examples and see if you can match them with
your rules.  Please write back if there is some specific code that is not
matched as expected.

julia


>
> Here is an example of the bug I hope to find:
>
> https://lore.kernel.org/lkml/20210317013758.GA134033@roeck-us.net/
>
> Where ints and unsigned are mixed in bitwise operations, and the sizes differ.
>
> Thanks
>
> Evan Benn
>
> Signed-off-by: Evan Benn <evanbenn@chromium.org>
> ---
>
>  .../coccinelle/tests/int_sign_extend.cocci    | 35 +++++++++++++++++++
>  1 file changed, 35 insertions(+)
>  create mode 100644 scripts/coccinelle/tests/int_sign_extend.cocci
>
> diff --git a/scripts/coccinelle/tests/int_sign_extend.cocci b/scripts/coccinelle/tests/int_sign_extend.cocci
> new file mode 100644
> index 000000000000..bad61e37e4e7
> --- /dev/null
> +++ b/scripts/coccinelle/tests/int_sign_extend.cocci
> @@ -0,0 +1,35 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/// Mixing signed and unsigned types in bitwise operations risks problems when
> +/// the 'Usual arithmetic conversions' are applied.
> +/// For example:
> +/// https://lore.kernel.org/lkml/20210317013758.GA134033@roeck-us.net/
> +/// When a signed int and an unsigned int are compared there is no problem.
> +/// But if the unsigned is changed to a unsigned long, for example by using BIT
> +/// the signed value will be sign-extended and could result in incorrect logic.
> +// Confidence:
> +// Copyright: (C) 2021 Evan Benn <evanbenn@chromium.org>
> +// Comments:
> +// Options:
> +
> +virtual context
> +virtual org
> +virtual report
> +
> +@r@
> +position p;
> +{int} s;
> +{unsigned long} u;
> +@@
> +    s@p & u
> +
> +@script:python depends on org@
> +p << r.p;
> +@@
> +
> +cocci.print_main("sign extension when comparing bits of signed and unsigned values", p)
> +
> +@script:python depends on report@
> +p << r.p;
> +@@
> +
> +coccilib.report.print_report(p[0],"sign extension when comparing bits of signed and unsigned values")
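Review bot: `virtual context` is declared, but no rule depends on `context` and the `r` rule has no `*`-marked line, so a context-mode run has nothing to show; only `org` and `report` have script rules. Either add a `*` match under `depends on context` or drop the declaration. The `Confidence:`, `Comments:` and `Options:` header fields are also left empty; since the cover text says the script still needs a lot more work, filling in `// Confidence: Low` would tell users how to treat the reports.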
> --
> 2.31.0.291.g576ba9dcdaf-goog
>
>