[Cocci] Asking for help

[Cocci] Asking for help

[Zied Habtoul]

Hello,

First of all i want to thank your for your great work the coccinelle tool,
I am asking you if you can help me to implement a semantic patch which
allows to print out a warning before any pointer access, if the pointer
value not tested different from NULL.

I thank you in advance for your consideration of my request.

I am looking forward to hearing from you soon.

Sincerely,
Zied
Habtoul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://systeme.lip6.fr/pipermail/cocci/attachments/20150507/135f4ffa/attachment.html>

[Cocci] Checking for null pointers

[SF Markus Elfring]

> I am asking you if you can help me to implement a semantic patch

Yes, of course.


> which allows to print out a warning before any pointer access,

This is possible in principle.


> if the pointer value not tested different from NULL.

Will it be more useful to look only at the value sources?

Did you inspect any examples?
Where do you get difficulties in your evolving SmPL scripts?

Regards,
Markus

[Cocci] Checking for null pointers

[Zied Habtoul]

ok
i want that my script detects only the dereference of a pointer when it is
not checked different from NULL.
i will aplly my script to an embedded project. so it's so delicate.
 i want that my script detects only the dereference of a pointer and not
the declaration ( exemple : int *k ;)  or the cast ( exemple : int *k ;)  or
the initialisation ( (int) *s = &1;)
this my script
@r@
position p1 != {safe1.p,safe2.p};
expression x;
identifier y;
@@

*x at p1->y

@script:python@
x << r.x;
p1 << r.p1;

@@
l0= p1[0].file
l1 = p1[0].line

print " *file : (%s ) the pointer  %s must be tested different to NULL
before access on line %s"% (l0,x,l1)


@safe3 exists@
position po;
expression x1,e1;
statement S1;
@@

if (x1 != NULL || ...) {
  ... when != x1 = e1
      when any
   *x1 at po
  ...
} else S1

@safe4 exists@
position po;
expression x1,e1;
statement S1;
@@

if (x1 == NULL || ...) {
  ...
  return ...;
} else S1
... when != (x1 = e1)
    when any
  *x1 at po
@safe5 exists@
position po;
type T;
expression e1;
@@
(
  ((T)* e1 at po)

|

  ((T) *e1 at po)
)
@r1@
position po1 != {safe3.po,safe4.po,safe5.po};
expression x1;
@@

* *x1 at po1

@script:python@
x1<< r1.x1;
po1 << r1.po1;

@@
l2= po1[0].file
l3 = po1[0].line

print " *file : (%s ) the pointer  %s must be tested different to NULL
before access on line %s"% (l2,x1,l3)

*************************************

can you check it please ?



2015-05-09 9:11 GMT+02:00 SF Markus Elfring <elfring@users.sourceforge.net>:

> > I am asking you if you can help me to implement a semantic patch
>
> Yes, of course.
>
>
> > which allows to print out a warning before any pointer access,
>
> This is possible in principle.
>
>
> > if the pointer value not tested different from NULL.
>
> Will it be more useful to look only at the value sources?
>
> Did you inspect any examples?
> Where do you get difficulties in your evolving SmPL scripts?
>
> Regards,
> Markus
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://systeme.lip6.fr/pipermail/cocci/attachments/20150509/d841e477/attachment.html>

[Cocci] Checking for null pointers

[SF Markus Elfring]

> i want that my script detects only the dereference of a pointer
> when it is not checked different from NULL.

Does your goal belong to the usual software development challenges around
proper handling of return values?
https://cwe.mitre.org/data/definitions/252.html


> i want that my script detects only the dereference of a pointer
> and not the declaration ( exemple : int *k ;)  or the cast ( exemple : int *k ;)

I can understand that.


> or the initialisation ( (int) *s = &1;)

I would check also such source code places.


> @r@
> position p1 != {safe1.p,safe2.p};

Is such a SmPL constraint really needed?


> expression x;
> identifier y;
> @@
> 
> *x at p1->y

Which meaning should the asterisk get here?
- SmPL marker
- pointer dereference


Regards,
Markus

[Cocci] Checking for null pointers

[Zied Habtoul]

this an example pf my code


void main () {
    (int) *s = &1;
    *s =2;
    p = malloc( sizeof (int)) ;
    (int) *k;
    (int) *d;
    *p = *k;
    d = k;
    s = p;
    *p =5;

}



concerning *x at p1->y

it allows to detect the dereference of a pointer (x->y)

2015-05-09 13:01 GMT+02:00 SF Markus Elfring <elfring@users.sourceforge.net>
:

> > i want that my script detects only the dereference of a pointer
> > when it is not checked different from NULL.
>
> Does your goal belong to the usual software development challenges around
> proper handling of return values?
> https://cwe.mitre.org/data/definitions/252.html
>
>
> > i want that my script detects only the dereference of a pointer
> > and not the declaration ( exemple : int *k ;)  or the cast ( exemple :
> int *k ;)
>
> I can understand that.
>
>
> > or the initialisation ( (int) *s = &1;)
>
> I would check also such source code places.
>
>
> > @r@
> > position p1 != {safe1.p,safe2.p};
>
> Is such a SmPL constraint really needed?
>
>
> > expression x;
> > identifier y;
> > @@
> >
> > *x at p1->y
>
> Which meaning should the asterisk get here?
> - SmPL marker
> - pointer dereference
>
>
> Regards,
> Markus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://systeme.lip6.fr/pipermail/cocci/attachments/20150509/2fc2514f/attachment.html>

[Cocci] Checking for null pointers

[SF Markus Elfring]

> void main () {
>     (int) *s = &1;

I find the parentheses unnecessary for the data type specification.


>     *s =2;
>     p = malloc( sizeof (int)) ;

Is a single integer allocated for demonstration here?

Did you miss the data type specification for this variable?


> concerning *x at p1->y
> 
> it allows to detect the dereference of a pointer (x->y)

I would expect that the asterisk should not be placed
in the first text column of your SmPL script then.


How would you like to handle corresponding function calls?

https://cwe.mitre.org/data/definitions/690.html

Regards,
Markus

[Cocci] Checking for null pointers

[Zied Habtoul]

this code was implemented just to test the script.
my SmPL script will be applied to a big embedded project. it must detect
all the dereferences of all the pointers when the pointer is not checked
different from NULL before access.

2015-05-09 13:37 GMT+02:00 SF Markus Elfring <elfring@users.sourceforge.net>
:

> > void main () {
> >     (int) *s = &1;
>
> I find the parentheses unnecessary for the data type specification.
>
>
> >     *s =2;
> >     p = malloc( sizeof (int)) ;
>
> Is a single integer allocated for demonstration here?
>
> Did you miss the data type specification for this variable?
>
>
> > concerning *x at p1->y
> >
> > it allows to detect the dereference of a pointer (x->y)
>
> I would expect that the asterisk should not be placed
> in the first text column of your SmPL script then.
>
>
> How would you like to handle corresponding function calls?
>
> https://cwe.mitre.org/data/definitions/690.html
>
> Regards,
> Markus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://systeme.lip6.fr/pipermail/cocci/attachments/20150509/51c408ce/attachment.html>

[Cocci] Checking for null pointers

[SF Markus Elfring]

> this code was implemented just to test the script.

I find that such test code should generally also compile,
shouldn't it?


> my SmPL script will be applied to a big embedded project.

Did you try any other static source code analysis tools out?
https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#C.2FC.2B.2B

How many details need to be repeated by SmPL scripts for
more complete checking of return values?

Regards,
Markus

[Cocci] Checking for null pointers

[Zied Habtoul]

yes the code compiles , and the script detects the pointers , but as i
mentioned , i want that my scripts detects only the access to pointer and
not its declaration, cast or initialization.

2015-05-09 14:01 GMT+02:00 SF Markus Elfring <elfring@users.sourceforge.net>
:

> > this code was implemented just to test the script.
>
> I find that such test code should generally also compile,
> shouldn't it?
>
>
> > my SmPL script will be applied to a big embedded project.
>
> Did you try any other static source code analysis tools out?
>
> https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#C.2FC.2B.2B
>
> How many details need to be repeated by SmPL scripts for
> more complete checking of return values?
>
> Regards,
> Markus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://systeme.lip6.fr/pipermail/cocci/attachments/20150509/d01a3027/attachment.html>

[Cocci] Checking for null pointers

[Julia Lawall]

When there are things you are interested in and things you are not 
interested in, you can use a disjunction:

(
uninteresting
|
uninteresting
|
uninteresting
|
* interesting
)

In the place of uninteresting you could put for example *x = y, if you 
consider that to be uninteresting.  And in the place of interesting, you 
could put for example *x.

julia

[Cocci] Checking for null pointers

[SF Markus Elfring]

> ?, i want that my scripts detects only the access to pointer
> and not its declaration, cast or initialization.

Will it be more useful to find the source code places
where a null pointer occurs (before an access try will happen)?

How do you think about more fine-tuning for your SmPL scripts?

Would you like to extend my previous approaches for
return value checking?

Regards,
Markus

[Cocci] Checking for null pointers

[Zied Habtoul]

Thank you Julia,
Markus , i think that your previous approaches for
return value checking could be useful for me, where can i find the script?

2015-05-09 14:32 GMT+02:00 SF Markus Elfring <elfring@users.sourceforge.net>
:

> > ?, i want that my scripts detects only the access to pointer
> > and not its declaration, cast or initialization.
>
> Will it be more useful to find the source code places
> where a null pointer occurs (before an access try will happen)?
>
> How do you think about more fine-tuning for your SmPL scripts?
>
> Would you like to extend my previous approaches for
> return value checking?
>
> Regards,
> Markus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://systeme.lip6.fr/pipermail/cocci/attachments/20150509/b6ab9682/attachment.html>

[Cocci] Checking for null pointers

[SF Markus Elfring]

> i think that your previous approaches for
> return value checking could be useful for me,
> where can i find the script? 

Do you get further ideas from an archived discussion
on a topic like "Detection of ignored function return values"?
http://www.mail-archive.com/cocci at diku.dk/msg00157.html

https://www.mail-archive.com/cocci at diku.dk/msg00945.html
http://article.gmane.org/gmane.comp.version-control.coccinelle/1007

Regards,
Markus