error27 / smatch Goto Github PK
View Code? Open in Web Editor NEWStatic Analyser for C
License: Other
smatch's People
Contributors
Stargazers
Watchers
Forkers
chubbymaggie nmanthey colinianking xp4ns3 tititiou36 lnocturno rzezeski carolforever javiercarrascocruz nosajmik linkeli0421 harshimogalapalli cristicc walshbsmatch's Issues
smatch false positive warning for uninitialized symbol, when creating a block with "for()"
When proposing some patches to overlayfs, I was notified that those changes were introducing new smatch warnings:
https://lore.kernel.org/all/[email protected]/
The warnings in the proposed patch are in places in which I use scoped_guard(), that uses a "special" 'for' to create a new block. And sorry for the confusing title, I don't know the correct name for that "for" idiom.
I could come up with the following reproducer:
#include <stdio.h>
#include <stdbool.h>
int main(void)
{
int n;
for (bool done = false; !done; done = true) {
n = printf("did it!\n");
}
return n > 1 ? 0 : 1;
}
smatch gives: repro.c:12 main() error: uninitialized symbol 'n'.
It compiles without warnings with gcc -Wextra -Wall -o repro repro.c.
smatch misidentifies uninitialized variable after switch with no default:
I've got a simple reproducer for the issue that I found when scanning our ice driver in the kernel with smatch.
original repro against smatch HEAD 0951ed5 ("db: fix uninitialized variable false positives")
smatch reported:
~/git/smatch/smatch_scripts/kchecker drivers/net/ethernet/intel/ice/ice_ptp_hw.c
drivers/net/ethernet/intel/ice/ice_ptp_hw.c:2852 ice_ptp_port_cmd_e810() error: uninitialized symbol 'cmd_val'.
Below is a simple c-code reproducer, compile with:
gcc -o srt -Wextra -Wall smatch_switch_repro.c
see error with
~/git/smatch/smatch smatch_switch_repro.c
smatch_switch_repro.c:43 badfunc() error: uninitialized symbol 'my_int'.
One bit of data that might be useful: it works fine with badfunc content inline in main() and fails when badfunc is a function with the enum argument. It also succeeds when there is a "default:" label and a simple assignment in that case (see the reproducer below and bit of commented out code)
// SPDX-License-Identifier: BSD-3-Clause
/*
* Copyright 2021, Intel Corporation
*
* A quick demo of a smatch false positive
*/
#include <stdio.h>
enum three_values
{
value_one,
value_two,
value_three
};
void badfunc(const enum three_values cmd)
{
unsigned int my_int, new_int; //uninitialized
switch (cmd) {
case value_one:
printf("one\n");
my_int = 1;
break;
case value_two:
printf("two\n");
my_int = 2;
break;
case value_three:
printf("three\n");
my_int = 3;
break;
/* no default because all enum values handled, which has value
* to developers because it forces compile error if not all enum values
* handled and enum is changed */
//default:
//my_int = 4;
//break;
}
new_int = 0;
new_int |= my_int;
printf("data: %d\n", new_int);
}
int main(int argc __attribute__((unused)), char **argv __attribute__((unused)))
{
enum three_values my_enum = value_two;
badfunc(my_enum);
return 0;
}
Treat inline function and macro invocations like ordinary function.
Hi, I am trying to use smatch to extract some conditions out of the kernel source code.
For example, in the following code:
VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page);
I want to capture things like n > 0, test_bit(PG_head, &page->flags).
However, I don't want to smatch to parse further inside, e.g., the macro expansion of test_bit or similar inlined functions.
I tried digging into some of the example codes and found __inline_fn and is_macro, but I am a little confused about how to use them...
I wonder if there exists some idiomatic way of achieving this in smatch?
Many thanks!!!
Please ignore the following if you feel it is lengthy. I want to show what I am trying to do.
#include "glib-2.0/glib.h"
#include "smatch.h"
#include "smatch_extra.h"
#include "smatch_slist.h"
static int my_id;
void decomposite(struct expression *expr, GList **p_list) {
if (p_list == NULL)
return;
if (expr == NULL) {
sm_warning("Expression is NULL\n");
return;
}
GList *list = NULL;
switch (expr->type) {
/* Simple Opaque */
case EXPR_VALUE:
case EXPR_STRING:
case EXPR_SYMBOL:
case EXPR_FVALUE:
sm_warning("Simple Opaque\n");
list = g_list_append(list, expr);
break;
/* Complex Opaque */
case EXPR_DEREF:
case EXPR_CALL:
case EXPR_OFFSETOF:
sm_warning("Complex Opaque\n");
list = g_list_append(list, expr);
break;
case EXPR_COMPARE:
case EXPR_BINOP:
case EXPR_LOGICAL:
sm_warning("BinOp Expr\n");
decomposite(expr->left, &list);
decomposite(expr->right, &list);
break;
case EXPR_COMMA:
case EXPR_ASSIGNMENT:
sm_warning("Comma/Assign\n");
decomposite(expr->right, &list);
break;
case EXPR_PREOP:
case EXPR_POSTOP:
sm_warning("Unary\n");
decomposite(expr->unop, &list);
break;
case EXPR_CAST:
case EXPR_FORCE_CAST:
case EXPR_IMPLIED_CAST:
case EXPR_SIZEOF:
case EXPR_ALIGNOF:
case EXPR_PTRSIZEOF:
sm_warning("Cast\n");
decomposite(expr->cast_expression, &list);
break;
default:
case EXPR_TYPE:
case EXPR_SLICE:
case EXPR_CONDITIONAL:
case EXPR_SELECT:
sm_warning("Unsupported Type\n");
}
*p_list = list;
}
void match_if_cond(struct statement *stmt) {
GList *list = NULL;
if (stmt->type != STMT_IF)
return;
struct expression *if_expr = stmt->if_conditional;
if (stmt->if_conditional == NULL) {
sm_warning("No if_conditional\n");
return;
}
decomposite(if_expr, &list);
g_list_free(list);
}
void check_kfuzz(int id) {
my_id = id;
add_hook(&match_if_cond, STMT_HOOK);
}Placeholder: Fuzzing with AFL
I set up AFL to run smatch against some of the validation files & it has found a few crashes so far. This is a placeholder to note that. What is the best way (vis-ร -vis, your workflow) to report these crashes?
Errors when running build_kernel_data.sh
Got this error when running build_kernel_data.sh
BUILD arch/x86/boot/bzImage
Kernel: arch/x86/boot/bzImage is ready (#8)
Done. Build with status 0. The warnings are saved to smatch_warns.txt
smatch_warns.txt built.
Done. List saved as 'kernel.allocation_funcs'
Done. List saved as 'kernel.bit_shifters'
Done. List saved as 'kernel.dma_funcs'
Done. List saved as 'kernel.returns_err_ptr'
Done. List saved as 'kernel.expects_err_ptr'
Done. List saved as 'kernel.frees_argument'
Done. List saved as 'kernel.gfp_flags'
Done. List saved as 'kernel.implicit_dependencies
Done. List saved as 'kernel.no_return_funcs'
Copy it to smatch_data/<project>.no_return_funcs
Done. List saved as 'kernel.puts_argument'
Done. List saved as 'kernel.rosenberg_funcs'
Done. List saved as 'kernel.sizeof_param'
Done. List saved as 'kernel.unwind_functions'
2147483646
delete
delete
Parse error near line 158: no such column:
update return_states set value = "" where function = 'gfs2_ea_find' and return
error here ---^
Parse error near line 167: no such column: __write_once_size
delete from return_states where function = "__write_once_size";
error here ---^
Parse error near line 169: no such column: s32min-s32max[$1]
update return_states set value = "s32min-s32max[$1]" where function = 'atomic_
error here ---^
Parse error near line 214: no such column: fixup_kernel.sh
insert into function_ptr values ("fixup_kernel.sh", "r get_handler()", "ioctl_
error here ---^
Parse error near line 215: no such column: fixup_kernel.sh
insert into function_ptr values ("fixup_kernel.sh", "r get_handler()", "ioctl_
error here ---^
Parse error near line 1: no such column: 0-u64max[<=$1]
update return_states set return = "0-u64max[<=$1]" where return = "0-u64max" a
error here ---^
Parse error near line 1: no such column: 1-u64max[==$1][<=$1]
update return_states set return = "1-u64max[==$1][<=$1]" where return = "1-u64
error here ---^
Parse error near line 1: no such column: 40[<=$1]
update return_states set return = "40[<=$1]" where return = "40" and function
error here ---^
Parse error near line 1: no such column: 0-65536[==$1][<=$1]
update return_states set return = "0-65536[==$1][<=$1]" where return = "0-6553
error here ---^
Parse error near line 1: no such column: 1-4096[==$1][<=$1]
update return_states set return = "1-4096[==$1][<=$1]" where return = "1-4096[
error here ---^
Parse error near line 1: no such column: 0-s32max,18446744071562067968-u64max[==$1][<=$1]
update return_states set return = "0-s32max,18446744071562067968-u64max[==$1][
error here ---^
Parse error near line 1: no such column: 128[<=$1]
update return_states set return = "128[<=$1]" where return = "128" and functio
error here ---^
Parse error near line 1: no such column: 0-u64max[==$1][<=$1]
update return_states set return = "0-u64max[==$1][<=$1]" where return = "0-u64
error here ---^
Parse error near line 1: no such column: 1-4095[==$1][<=$1]
update return_states set return = "1-4095[==$1][<=$1]" where return = "1-4095[
error here ---^
Parse error near line 1: no such column: 80[<=$1]
update return_states set return = "80[<=$1]" where return = "80" and function
error here ---^
Parse error near line 1: no such column: 305-1073741824[==$1][<=$1]
update return_states set return = "305-1073741824[==$1][<=$1]" where return =
error here ---^
Parse error near line 1: no such column: 1-u32max[==$1][<=$1]
update return_states set return = "1-u32max[==$1][<=$1]" where return = "1-u32
error here ---^
Parse error near line 1: no such column: 124[<=$1]
update return_states set return = "124[<=$1]" where return = "124" and functio
error here ---^
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.