Dear Dan,

I use my one-line-scan tool [1] to run smatch against non-kernel projects. However, for Xen I still use -p=kernel, to have all the analysis enabled. I did not write an evaluation routine to present the defects or statistics for smatch in a nice way, but smatch can be invoked. For the latest Xen, smatch (actually sparse) seems to struggle with the attribute __pointer__ token, as that's not defined.

A typical invocation for smatch would look like the following:

    export SMATCH_EXTRA_ARG="-p=kernel --file-output"
    one-line-scan -o SMATCH --smatch --no-gotocc --no-analysis \
        -- make xen -j $(nproc) -B

I will look into using the debug info next, and see how taint information is propagated.

Best,
Norbert

[1] https://github.com/awslabs/one-line-scan

On 07/30/2018 07:28 AM, Dan Carpenter wrote:
> It doesn't feel like anything in this email is secret. It would be
> better to move it to the public smatch mailing list:
> smatch@xxxxxxxxxxxxxxx
>
> On Wed, Jul 25, 2018 at 07:59:17AM +0200, Norbert Manthey wrote:
>> Dear Dan,
>>
>> I recently looked into smatch a little closer, and tried to get it
>> working on Xen - the goal is to get the spectre analysis done for Xen as
>> well. Some of the other kernel analysis might be nice to have there as
>> well. A first swipe produced some warnings that actually look
>> interesting, and a bunch of output that might be noise. I did not fully
>> investigate all of them yet.
>>
>
> I downloaded the xen git tree. How did you enable the Smatch build?
>
>> I wonder what else it takes to get taint analysis producing useful
>> results. I already added some labels to function parameters and guest
>> controllable variables with "__user", similarly to kernel code. Is there
>> a way I can extract all the variables that have been flagged as tainted
>> by smatch? That would help me debugging a lot.
>>
>
> Smatch doesn't use __user labels at all. It just looks for the actual
> copy_from_user() function and marks *dest as tainted.
> See check_user_data2.c for how that works.
>
> There are a bunch of ways to look at Smatch's internals. The
> smatch_data/db/smdb.py script will show what information is passed to
> a function or what it returns. Also you can include the "check_debug.h"
> file and add a call to __smatch_states("check_user_data2"); or
> __smatch_user_rl(variable);. The __smatch_states() takes the name of
> the function in check_list.h and prints out any states. The
> __smatch_user_rl() function prints out what the user can set like "0-9".
> Look through check_debug.h.
>
>
> regards,
> dan carpenter
>

Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
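As an added illustration of the debugging approach Dan describes above (this is not code from the thread, from Smatch or from Xen), the snippet below shows where the check_debug.h calls go: the destination of copy_from_user() becomes tainted, __smatch_user_rl() prints the range Smatch believes the user controls, and a bounds check narrows that range. The no-op fallback macros, the copy_from_user() stand-in and the lookup table are assumptions so the file also builds with an ordinary compiler; it is assumed that __CHECKER__ is defined while sparse/smatch parses the file.

```c
/* Added example, not from the thread: placing Smatch's check_debug.h
 * calls to see what it believes about user-controlled data.
 * Assumptions: __CHECKER__ is defined under sparse/smatch; the
 * copy_from_user() stand-in and the table are constructed for this file. */
#include <stddef.h>
#include <string.h>

#ifdef __CHECKER__
#include "check_debug.h"          /* ships with Smatch */
#else
/* Outside Smatch the debug hooks compile to nothing. */
#define __smatch_states(name)   do { } while (0)
#define __smatch_user_rl(expr)  do { } while (0)
#endif

#define TABLE_SIZE 16
/* Constructed sample table; unlisted entries are zero. */
static const int table[TABLE_SIZE] = { 100, 200, 300, 400 };

/* Stand-in for the kernel helper. Smatch taints *dst because it matches
 * the call by function name (see check_user_data2.c), not by __user. */
static unsigned long copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Reads a caller-controlled index and uses it to look up the table.
 * Returns the entry, or -1 when the copy fails or the index is too big. */
int lookup_from_user(const void *user_ptr)
{
    unsigned int idx;

    if (copy_from_user(&idx, user_ptr, sizeof(idx)))
        return -1;

    /* Under Smatch: prints the full user-controllable range of idx
     * and the states tracked by the check_user_data2 module. */
    __smatch_user_rl(idx);
    __smatch_states("check_user_data2");

    if (idx >= TABLE_SIZE)
        return -1;

    /* Under Smatch: the printed range is now narrowed to 0-15. */
    __smatch_user_rl(idx);
    return table[idx];
}
```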