* Re: analyzer: implement five new warnings for misuse of POSIX
[not found] <mailman.394.1656804030.3030988.gcc-patches@gcc.gnu.org>
@ 2022-07-03 2:46 ` Jay K
2022-07-03 19:47 ` David Malcolm
0 siblings, 1 reply; 2+ messages in thread
From: Jay K @ 2022-07-03 2:46 UTC (permalink / raw)
To: gcc, dmalcolm, mirimmad17
> check for double "close" of a FD (CWE-1341).
> check for read/write of a closed file descriptor
These sound good but kinda non general or incomplete to me.
I mean, isn't the "right" thing, to disallow passing
a closed fd to "almost any" function?
But I realize "almost any" is difficult to pin down.
fd = open();
close(fd);
printf("%d", fd);
is often ok (assuming nobody reads the output, string to int,
back to close/read/write). It is any path leading to,
a long list, like close, read, write, ioctl, send, recv, etc.
and I don't know if "path leading to" is possible to model here, haven't looked, sorry.
- Jay
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: analyzer: implement five new warnings for misuse of POSIX
2022-07-03 2:46 ` analyzer: implement five new warnings for misuse of POSIX Jay K
@ 2022-07-03 19:47 ` David Malcolm
0 siblings, 0 replies; 2+ messages in thread
From: David Malcolm @ 2022-07-03 19:47 UTC (permalink / raw)
To: Jay K, gcc, mirimmad17
On Sun, 2022-07-03 at 02:46 +0000, Jay K wrote:
> > check for double "close" of a FD (CWE-1341).
> > check for read/write of a closed file descriptor
>
> These sound good but kinda non general or incomplete to me.
> I mean, isn't the "right" thing, to disallow passing
> a closed fd to "almost any" function?
>
> But I realize "almost any" is difficult to pin down.
> fd = open();
> close(fd);
> printf("%d", fd);
>
> is often ok (assuming nobody reads the output, string to int,
> back to close/read/write). It is any path leading to,
> a long list, like close, read, write, ioctl, send, recv, etc.
> and I don't know if "path leading to" is possible to model here,
> haven't looked, sorry.
Jay: right now, the only function calls that these FD warnings know
about are open, close, read, and write: the only "use" that -Wanalyzer-
fd-use-after-close currently cares about is "read" and "write" (and
double-close is its own diagnostic).
I put together an example on Compiler Explorer here which tries to show
as many of the new warnings as possible:
https://godbolt.org/z/rsc51PYoK [1]
I think we're going to want to add a new function attribute that
signifies
"this 'int' parameter is expected to be an open file descriptor"
so that e.g. glibc's headers can use the attribute to mark up all the
places expecting such FDs, and thus -fanalyzer can warn about misuses,
lacking checks, etc.
Probably some sort of support for dup, dup2, etc.
Immad: we might want some test coverage that Jay's example doesn't
generate a warning from -fanalyzer.
Hope this makes sense
Dave
[1] I also put in a bounds-check bug in the first "write" call, which
sadly we don't complain about yet. I've added a note about that to
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106000
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-07-03 19:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <mailman.394.1656804030.3030988.gcc-patches@gcc.gnu.org>
2022-07-03 2:46 ` analyzer: implement five new warnings for misuse of POSIX Jay K
2022-07-03 19:47 ` David Malcolm
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).