Faults in Linux: Using incorrect sizeof expressions

As part of my project, while reading the reports, I came across bugs where incorrect sizeof expressions are used, typically leading to allocation of data of the wrong size. There were many in the 2.4.x and 2.6.x versions. I was also required to list the FPs (false positives) reported by Coccinelle. This post is about what I found for this case.

You can view the complete report as a PDF here and as an HTML file here.

What is a sizeof expression?

sizeof is a unary operator that yields the size of a type or an expression, in bytes. sizeof is used a lot when allocating memory, because the number of bytes passed to the allocator is usually computed from it.

Why can incorrect usage of a sizeof expression cause a bug?

Incorrect usage of a sizeof expression can lead to allocation of data of the wrong size: if too little memory is allocated, later accesses to the object run past the end of the buffer, which is a serious bug.

Which types did I study?

I studied two types:

  • Results for sizeof expressions that involve the wrong type
  • Results for sizeof expressions lacking a dereference

What did I find?

The bugs were of different types. Some allocated a bigger size than what was required, and some did not require a dereference of the structure type at all.

Among the FPs reported by Coccinelle, most were cases where the tool assumed the allocated size was large, but it was not.

Example Bug?

You can find bugs of each type listed above in the linked report. Have a look at this one; here is the structure definition. It's too big!

Example FP?

Look at this one. Here the size of the structure is not large at all, it is very small, so there is no issue with it.
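To make the two bug types and the FP case concrete, here is an added example in C (my own constructed code, not from the report or from the kernel); the struct names and field layouts are made up, and each function returns the byte count that would be handed to the allocator so the sizes can be compared:

```c
#include <stddef.h>

/* Constructed stand-in for a large kernel structure. */
struct big_record {
    char name[64];
    unsigned long counters[32];
};

/* Constructed stand-in for a small, unrelated structure. */
struct small_hdr {
    unsigned short len;
    unsigned char flags;
};

/* Bug type 1: sizeof lacking a dereference. The allocation is sized for the
 * pointer itself (4 or 8 bytes), not for the structure it points to. */
size_t size_missing_deref(void) {
    struct big_record *rec = NULL;
    return sizeof(rec);            /* should have been sizeof(*rec) */
}

/* Corrected form: sizeof(*rec) follows the pointee type, and stays right even
 * if the declaration of rec is later changed to another structure. */
size_t size_with_deref(void) {
    struct big_record *rec = NULL;
    return sizeof(*rec);
}

/* Bug type 2: sizeof of the wrong type. The buffer is meant to hold a
 * struct big_record but is sized from an unrelated structure. */
size_t size_wrong_type(void) {
    return sizeof(struct small_hdr);
}

/* Check used by the tests: does an allocation of this many bytes hold one
 * struct big_record? Returns 1 when it is too small (the dangerous case). */
int allocation_too_small(size_t allocated) {
    return allocated < sizeof(struct big_record);
}

/* Not a bug, and the kind of case a sizeof-mismatch rule may report as a false
 * positive: a table of pointers is correctly sized from the pointer type. */
size_t size_pointer_table(size_t count) {
    struct big_record **table = NULL;
    return count * sizeof(*table); /* element type is a pointer, so this is right */
}
```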

#coccinelle, #faults, #foss-2, #incorrect-usage, #linux-kernel, #opw, #sizeof, #sizeof-expressions