Coccinelle is a program matching and transformation tool for C code that
has been under development since 2004. It allows developers to write
"semantic patches" that express code matches and changes in a generic way,
while remaining close to the program source code. Coccinelle allows
developers to address issues that are specific to their code base, and
supports a flexible development process, where Coccinelle handles
frequently occurring issues, coupled with manual analysis or the use of more
heavyweight tools for analyzing specific instances. We illustrate the use
of Coccinelle with the ongoing effort of the Linux Kernel Self-Protection
Project to address a security concern in the Linux kernel, the use and
misuse of flexible arrays.
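The flexible-array concern named above, as an added example that is not code from the paper or from the kernel: a trailing array declared in the older zero-length form beside the C99 flexible array member, plus a size-checked allocator and a bounds-checked write. The names `msg_legacy`, `msg`, `msg_alloc`, `msg_write` and `msg_selftest` are constructed for this illustration, and the overflow check stands in for the kernel's own size helpers, which the code does not use; the mechanical rewrite from the first struct form to the second is the kind of change a semantic patch expresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not code from the page. struct msg_legacy uses the
 * GNU zero-length trailing array; struct msg uses the C99 flexible array
 * member, which makes the "extends past the struct" intent explicit to
 * compilers and checkers. */
struct msg_legacy {
    uint32_t len;
    uint8_t data[0];   /* GNU extension: size is implicit, intent is hidden */
};

struct msg {
    uint32_t len;
    uint8_t data[];    /* C99 flexible array member: intent is explicit */
};

/* Allocate a struct msg with room for n payload bytes.
 * Returns NULL if the size computation would overflow or if n does not fit
 * the 32-bit length field. The overflow check plays the role a kernel
 * size helper would play (assumption: plain hosted C, no kernel API). */
struct msg *msg_alloc(size_t n)
{
    if (n > UINT32_MAX || n > SIZE_MAX - sizeof(struct msg))
        return NULL;
    struct msg *m = malloc(sizeof(struct msg) + n);
    if (m == NULL)
        return NULL;
    m->len = (uint32_t)n;
    return m;
}

/* Copy n bytes into the payload. Returns 0 on success, -1 if n exceeds the
 * allocated payload; the length lives next to the data, so the check is
 * local to the object rather than spread across callers. */
int msg_write(struct msg *m, const uint8_t *src, size_t n)
{
    if (m == NULL || n > m->len)
        return -1;
    memcpy(m->data, src, n);
    return 0;
}

/* Exercise the pair: allocate, write a payload that fits, reject one that
 * does not, verify the bytes landed, and confirm the allocator refuses a
 * size that would wrap. Returns 1 when every step behaves as expected. */
int msg_selftest(void)
{
    const uint8_t payload[8] = "abcdefg";   /* constructed sample payload */
    int ok = 1;
    struct msg *m = msg_alloc(sizeof payload);
    if (m == NULL || m->len != sizeof payload)
        return 0;
    ok &= (msg_write(m, payload, sizeof payload) == 0);
    ok &= (msg_write(m, payload, sizeof payload + 1) == -1);
    ok &= (memcmp(m->data, payload, sizeof payload) == 0);
    ok &= (msg_alloc(SIZE_MAX) == NULL);    /* header + payload would wrap */
    free(m);
    return ok;
}

int main(void)
{
    return msg_selftest() ? 0 : 1;
}
```

The two struct declarations differ by one token, which is why the conversion is a good fit for a generic match-and-rewrite rule: the rule states the pattern once, and the surrounding allocation and copy logic is what a reviewer then inspects by hand or with a heavier analysis.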