As part of my project, while reading the reports, I came across bugs where incorrect sizeof expressions are used, typically leading to allocation of data of the wrong size. There were many of these in versions 2.4.x and 2.6.x. I was also required to list the FPs (false positives) reported by Coccinelle. This post is about what I found for this case.
What is a sizeof expression?
sizeof is a unary operator that yields the size of a type or expression in bytes. sizeof is used a lot when allocating memory.
Why can incorrect usage of a sizeof expression cause a bug?
Incorrect usage of a sizeof expression leads to allocation of data of the wrong size, and hence to a serious bug.
Which types did I study?
I studied two types:
- Results for sizeof expressions that involve the wrong type
- Results for sizeof expressions lacking a dereference
What did I find?
The bugs were of different types. Some allocated a bigger size than was required, and some did not require a dereference of the structure type at all.
Among the FPs reported by Coccinelle, most were cases where it thought the allocated size was too large, but it was not.
Look at this one: here the size of the structure is not large at all, it is very small, so there is no issue with it.
More are coming!
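To make the two bug types and the false-positive case concrete, here is an added example in C. It is not code from the original post or from any 2.4.x/2.6.x source; the struct types, function names and sizes are constructed for illustration. Case 1 is a sizeof on the wrong type, case 2 is a sizeof that lacks a dereference, and case 3 is the pattern a checker can flag that is actually correct because no dereference is needed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample types (assumption: not taken from any real code base). */
struct small_hdr {
    unsigned char tag;
    unsigned char len;
};                                  /* 2 bytes */

struct big_record {
    struct small_hdr hdr;
    unsigned char payload[62];
};                                  /* 64 bytes, no padding (all char members) */

/* Case 1: wrong type. The caller wants one struct small_hdr but sizes the
 * allocation with struct big_record. Here it only wastes memory; the inverse
 * mistake (sizing with the smaller type) under-allocates and writes past the
 * end of the object. */
size_t wrong_type_request(void)  { return sizeof(struct big_record); }
size_t right_type_request(void)  { return sizeof(struct small_hdr); }

/* Case 2: missing dereference. sizeof(p) is the size of the pointer itself
 * (typically 8 bytes on a 64-bit build), not the size of the object it points
 * to. sizeof(*p) is the idiomatic form and does not evaluate p. */
size_t missing_deref_request(struct big_record *p) { return sizeof(p); }
size_t with_deref_request(struct big_record *p)    { return sizeof(*p); }

/* Case 3: no dereference needed. A table of n pointers is correctly sized
 * with sizeof(char *); a rule that flags every sizeof(<pointer>) reports a
 * false positive here, because the object being allocated *is* pointers. */
size_t pointer_table_request(size_t n) { return n * sizeof(char *); }

/* Review check: does the requested allocation cover the object we will use?
 * A request that is too small is the dangerous direction. */
int request_is_safe(size_t requested, size_t needed) { return requested >= needed; }

int main(void)
{
    struct big_record *rec;

    /* Correct allocation: size derived from the pointee, written the way
     * kernel-style code expects, so a later type change cannot desynchronise
     * the sizeof from the variable. */
    rec = malloc(sizeof(*rec));
    if (rec == NULL)
        return 1;
    memset(rec, 0, sizeof(*rec));

    printf("wrong type   : %zu bytes (need %zu)\n",
           wrong_type_request(), right_type_request());
    printf("no deref     : %zu bytes (need %zu) safe=%d\n",
           missing_deref_request(rec), with_deref_request(rec),
           request_is_safe(missing_deref_request(rec), with_deref_request(rec)));
    printf("pointer table: %zu bytes for 4 entries (not a bug)\n",
           pointer_table_request(4));

    free(rec);
    return 0;
}
```

The `request_is_safe` check is the question to ask when triaging a report: an allocation sized by the wrong type is only a memory-safety bug when the requested size is smaller than the object that is later written, which is why the over-sized cases and the pointer-table case end up on the false-positive list.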