This comment needs an update.

Please clarify this comment -- it might be better to state a list of specific buggy conditions.

E.g, are writes into heap-allocated allowed? Where are return statements allowed?

This comment isn't needed -- a description to this effect can go in the top-of-file comment.

This comment doesn't add much, please remove it.

Why not nullptr? If there's a good reason, please explain it with a comment.

This is hard to read, please simplify this. E.g;

if (PD = dyn-cast(P)) { /* handle cases where P is-a DeclStmt */ }
else if (Assign = dyn-cast(P)) { /* handle cases where P is-a binop */ }

Using loop constructs here shouldn't be necessary.

Typically nullptr is used here.

Actually, if this is the case, wouldn't it be worthwhile to flag calls to vfork() in child processes?

The convention here is to not have a '.' after the help text.

LLVM convention is to use capitalization and punctuation for comments. (See http://llvm.org/docs/CodingStandards.html#commenting).

Is it possible to use a name that implies a more semantic notion? For example, "VforkResultRegion"?

I think it is better to use SmallSet for VforkWhitelist rather than duplicate that functionality here.

What do you think about making the warnings more descriptive here? For example, you could one warning saying that "Child can only modify variable used to store result of vfork()", one that says "Child can only call _exit() or exec() family of functions", "Child must not return from function calling vfork()", etc.

These descriptions would help the user not have to guess what they are doing wrong.

You should use C.generateErrorNode() here, which expresses the intent to create a node for the purposes of error reporting.

For dyn_cast and friends and you use auto to avoid repeating the type twice. For example:

const auto *PD = dyn_cast_or_null<DeclStmt>(P);

This will get caught by checkPreCall, right? Because vfork is not in the white list.

Tests generally need to have all of core turned on (e.g., -analyzer-checker=core,alpha.unix.Vfork) because the analyzer implements key functionality in the core checkers. (It is not safe to run a path-sensitive checker without core turned on).

I think it would be good to add // no-warning on the lines that shouldn't warn. This will make it easier for people tracking down test failures to know that there really shouldn't be a warning on that line.

Is it possible to combine this with the other test file? If not, can you rename the files to be more descriptive than "-1" or "-2". This will help people adding future tests decide which file they should go in.

Yikes, thanks for pointing this out.

This primitive scheme simply mirrors the manpage which is very strict about this - write to _any_ data besides return value of vfork is disallowed, ditto for function calls (and so "return" only applies to current function).

Right.

Ok.

Ok, this indeed deserves a comment. FTR: nullptr means parent process, VFORK_LHS_NONE means vforked process without explicit LHS and rest means LHS variable.

In this case each statement depends on the previous one so we'll have to resort to deeply nested conditionals. I thought that do-while-false is a common pattern for simplifying such constructs but I may be wrong.

See my comment above, these two encode two different things.

They will be flagged in checkPreCall. But I should probably add a comment as you're the second reviewer who complained about this.

Got it.

Thanks, I should probably re-read the std once again.

That would be the fourth iteration of the name) But yes, "Result region" sounds more descriptive.

Ok.

Yes, given the public ignorance about vfork's idiosyncrasies that makes good sense.

Will do.

True. This was forward-ported from our ancient version so lacks C++11 beauties.

Ok, good to know.

Sounds like a good maintenance practice, I'll definitely add it.

Vfork-2.c is actually dedicated to model the bug in libxtables. I can surely merge both tests.

I think it's a good idea to make some functions static and/or move them out of class definition.

What about combination of std::transform + std::sort + std::binary_search?

You can use early return to escape do{}.

Is check for non-concrete value is really required?

Right. Which one is preferred btw?

I think I should use SmallSet here as suggested by Devin.

In this particular case - yes. But what's wrong about original do-while-false? I thought it's a common idiom...

This may be remains of old code, I'll re-check.

FYI there are several uses of do-while-false in CSA codebase.

isChildProcess(), getAssignedVariable() are good candidates since they don't use any class member.

Let's move the more detailed comment that describes what the checker does here.

This should be added as a utility function. Does this exist elsewhere?

Can this be rewritten so that it is more clear why this terminates?
Also, I'd prefer to use "while(true)".

"a vforked process"?

"after successful vfork" -> "after a successful vfork"?
Devin, are we missing an article here and in the other error messages?

Ideally, we would point out where the vfork has occurred along the path with a BugReportVisitor. (But it's not a blocker.)

We are not listing the full whitelist here. Should we drop the "(except ..)" from the message?

"except return value" -> "except the return value"? Or maybe we should drop the "(except ...)" here as well to make the message shorter.

We should check for the exact expected warning in regression tests.

Frankly this function only handles two common patterns right now (assignment and initialization). This was enough for all uses of vfork which I've seen but I'm afraid that general case may require much more work.

I'll try to find any dups.

Actually this isn't really a loop - it's a common do-while-false idiom which allows to reduce amount of nesting. You can check for similar pattern in ArrayBoundCheckerV2.cpp and also other parts of codebase.

Right.

Yeah, that would be nice. But vfork code blocks are typically very small (5-10 LOC) so it'll all be clear anyway.

What about

except exec*() or _exit()

?

I'd rather keep it.

Ok.

It seems that other checkers do more or less the same throw-away predicates (e.g. see isAssignmentOp in DereferenceChecker.cpp).

I've added a TODO.

Frankly this function only handles two common patterns right now

It seems that other checkers do more or less the same throw-away
predicates

Both of these just highlight that it's best to make this a utility function:

• New checkers will not have to roll their own predicates.
• The reusable code will get enhanced in the future and all checkers will benefit from it.

Ah, right!

Using regex in a diagnostic is not user friendly. See the comment below.

It is very important to keep the diagnostics as succinct as possible.

The diagnostics in this checker are long as is and I do not think the "except" clauses are helping the user to understand or fix the problem. They will not get the warning in the cases that are described in the "except" clause so why are we talking about this..

Most likely you are using it to make sure that the message is true. How about rephrasing the message to address that issue. For example, you could use something like:
"Assigning variables (except return value of vfork) is prohibited after a successful fork"
->
"This assignment is prohibited after a successful vfork"

Semantics is slightly changed for assignment case here: originally S would have been changed iff Init is not NULL but now I also require valid VarDecl on LHS. Frankly I'm not sure if it's a serious change (probably not).

Shouldn't the warning appear here as well?

You need to register for ReturnStmt callback instead of the checkEndFunction.

I think "from this function" is redundant in this particular error message.
"Return from this function is prohibited after a successful vfork" -> "Return is prohibited after a successful vfork; call _exit() instead."