Smatch Static Analysis Tool
[kernel, linux, c, static-analysis, software-development]
Smatch is a static analysis tool to detect potential issues, such as conditions that will always (or never) be true, null pointers, and locks that end up in different states depending on which path is taken through the code.
It was initially built on top of the Sparse tool, extending it with additional analyses, and it is particularly helpful for validating error paths and other rarely tested code. Its main focus is the Linux kernel, so many of its checks target patterns found in kernel code that often result in buggy or confusing code.
In 2015, more than 3000 kernel bugs had already been patched thanks to warnings from Smatch, and many more have been fixed in later years. Many are minor bugs in particular corner cases, but others had serious, real-world consequences.
It can be used to detect security-relevant bugs, including:
- Null pointer dereference, error pointer dereference, buffer overflow, etc.
- Off-by-one bugs
- Locking bugs: double locks/unlocks, missing unlock, etc.
- Uninitialized variables/data and signedness bugs
- Use after free, double free, etc.
- Information leaks
- Unnecessary null checks and missing null checks
How to install it
First, install the prerequisites:
# For Debian-like distros
sudo apt-get install gcc make sqlite3 libsqlite3-dev libdbd-sqlite3-perl libssl-dev lib
# For RHEL-like distros
yum install gcc make sqlite3 sqlite-devel sqlite perl-DBD-SQLite openssl-devel perl-Try-Tiny
Clone the repository and compile it:
$ git clone git://repo.or.cz/smatch.git
$ cd smatch
$ make
If you are going to check the Linux kernel, clone it and enter its source tree:
$ git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
$ cd linux
Getting started
Enter your C project folder and build it under Smatch. If the project is the Linux kernel, use the kernel-specific command:
$ make clean
# For Linux kernel
$ make CHECK="~/path/to/smatch/smatch -p=kernel" C=1 bzImage modules | tee warns.txt
# For any other project
$ make CHECK="~/path/to/smatch/smatch --full-path" CC=~/path/to/smatch/cgcc | tee warns.txt
Individual files or directories can also be checked with the kchecker script:
$ cd <path-to-project>
# For a single file
$ <smatch-path>/smatch_scripts/kchecker <file-name.c>
# For a directory
$ <smatch-path>/smatch_scripts/kchecker <folder-path>/
# For the whole Linux kernel
$ <smatch-path>/smatch_scripts/test_kernel.sh
Smatch output
Smatch reports errors and warnings through checkers that attach to hooks. There are 35 syntax-directed hooks that trigger on particular syntactic constructs:
- CONDITION_HOOK, called when Smatch finds a condition that affects the flow of the code
- WHOLE_CONDITION_HOOK, for when you need the whole condition rather than its parts (no current checker uses it)
- EXPR_HOOK for expressions
- STMT_HOOK for statements
- ASSIGNMENT_HOOK
- RETURN_HOOK
- and many more…
Building on those hooks, Smatch's checkers emit many different errors and warnings. The most common include:
error: we previously assumed 'var' could be null (see line xxx)
error: uninitialized symbol 'var'
style: The scope of the variable 'var' can be reduced. [variableScope]
warning: Uninitialized variable: ret [uninitvar]
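As an added example (not from the page or the Smatch project), the constructed file below contains the two null-check patterns behind the first message above, each next to its corrected form; the "variable dereferenced before check" message for the second pattern is Smatch's own wording for that checker and is not in the list above.

```c
/* smatch_demo.c (constructed example): two null-check patterns Smatch flags,
 * each beside its corrected form. Check with: <smatch-path>/smatch_scripts/kchecker smatch_demo.c */
#include <stddef.h>
#include <string.h>

struct request {
    const char *name;
    int flags;
};

/* Pattern 1: 'req' is tested for NULL, then dereferenced on every path.
 * Smatch: error: we previously assumed 'req' could be null (see line N) */
int name_len_buggy(struct request *req)
{
    int len = 0;
    if (req && req->name)
        len = (int)strlen(req->name);
    return len + req->flags;        /* crashes when req == NULL */
}

/* Corrected: the NULL path returns before any dereference. */
int name_len_fixed(struct request *req)
{
    int len = 0;
    if (!req)
        return -1;
    if (req->name)
        len = (int)strlen(req->name);
    return len + req->flags;
}

/* Pattern 2: the check comes after the dereference, so it protects nothing.
 * Smatch: warn: variable dereferenced before check 'req' (see line N) */
int flags_buggy(struct request *req)
{
    int f = req->flags;             /* dereference first ... */
    if (!req)                       /* ... then a check that is too late */
        return -1;
    return f;
}

/* Corrected: check first, dereference afterwards. */
int flags_fixed(struct request *req)
{
    if (!req)
        return -1;
    return req->flags;
}
```

The buggy functions compile without complaint from gcc; the point is that Smatch tracks the assumption "req may be NULL" across the function and reports where it is contradicted.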